Re: [Freeipa-devel] [PATCH] 884 migration context and logging

2011-10-04 Thread Martin Kosek
On Mon, 2011-10-03 at 16:44 -0400, Rob Crittenden wrote:
 Martin Kosek wrote:
  On Mon, 2011-09-26 at 22:24 -0400, Rob Crittenden wrote:
  We can't assume that there will be only one naming context. Look at each
  one until we find an IPA one.
 
  Add logging so you can know that a migration attempt fails and why.
 
  rob
 
  Looks good, it's just difficult to set up a proper environment for
  reproduction. So far, I found just this problem:
 
  [Tue Sep 27 10:30:39 2011] [error] [client 10.34.25.52] mod_wsgi 
  (pid=32705): Exception occurred processing WSGI script 
  '/usr/share/ipa/migration/migration.py'.
  [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] Traceback (most 
  recent call last):
  [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]   File 
  /usr/share/ipa/migration/migration.py, line 127, in application
  [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] 
  bind(form_data['username'].value, form_data['password'].value)
  [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]   File 
  /usr/share/ipa/migration/migration.py, line 107, in bind
  [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] 
  logging.error('migration bind failed: %s' % convert_exception(e))
 
  Martin
 
 
 Just missed saving the exception as a variable, should work now.
 
 rob

Works fine, tested on a multiple-suffix LDAP server. We should also be
fine when anonymous access is not allowed (Simo was dealing with this in
ipa-client-install in #1881) since migration.py binds via socket.

I have just one suggestion - instead of searching for the correct naming
context on your own, you may want to use the function get_ipa_basedn() I
implemented for ipa-client-install (#1868). This will do all the checks
and return just the IPA baseDN:

https://fedorahosted.org/freeipa/changeset/00cffce6c2ba0121188326535d6c9cd244a4ae5b

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 877 prompt for current password

2011-10-04 Thread Martin Kosek
On Mon, 2011-10-03 at 15:16 -0400, Rob Crittenden wrote:
 Martin Kosek wrote:
  On Mon, 2011-09-19 at 09:03 -0400, Rob Crittenden wrote:
  Jan Cholasta wrote:
  On 16.9.2011 21:16, Rob Crittenden wrote:
  Prompt for the current password when changing your own password using
  ipa passwd.
 
  I had to jump through several hoops with this:
 
  - Added a new sortorder option so the Current password is prompted first
 
  IMO something like before='password' would be more readable and
  probably less error-prone than sortorder=-1.
 
  The params are sorted numerically based on whether they are required,
  have a default, etc. A negative value means it will appear first. This
  is intended to be generic enough without having to worry about nested
  resolution (A before B, B before C, C before A).
 
 
  - Pass a magic value for current_password if changing someone else's
  password
 
  NOTE: This breaks the API for passwd. There is no way around it. I have
  this as a minor update as it won't cause older clients to blow up too
  badly, but their passwd command won't work.
 
  rob
 
 
  Honza
 
 
  Generally, it works fine except for the case when a user passes their own
  user name. Do we want to support the following way?
 
  # klist
  Ticket cache: FILE:/tmp/krb5cc_0
  Default principal: f...@idm.lab.bos.redhat.com
 
  Valid starting     Expires            Service principal
  09/23/11 09:48:05  09/24/11 09:48:05  krbtgt/idm.lab.bos.redhat@idm.lab.bos.redhat.com
 
  # ipa passwd fbar
  New Password:
  Enter New Password again to verify:
  ipa: ERROR: Insufficient access: Invalid credentials
 
  Maybe we could throw an error when a user passes their own principal to the
  ipa passwd command. After all, this argument is for changing _other_ users'
  passwords.
 
  Martin
 
 
 Fixed. The username wasn't being normalized into a principal until after 
 the default was set (where we determine whether to prompt for current 
 password).
 
 rob

I don't think this is the correct patch :-)

Martin


[Freeipa-devel] [PATCH] 51 Add a function for formatting network locations

2011-10-04 Thread Jan Cholasta
Add a function for formatting network locations of the form host:port 
for use in URLs.


If the host part is a literal IPv6 address, it must be enclosed in 
square brackets (RFC 2732).


https://fedorahosted.org/freeipa/ticket/1869

In the ticket it is suggested to create a host name and network address 
objects; I have created a new ticket for 3.0 to do that: 
https://fedorahosted.org/freeipa/ticket/1917


Honza

--
Jan Cholasta
From 8e541046eac53fe5f341da7b2c6460f586d17b74 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Fri, 30 Sep 2011 10:09:55 +0200
Subject: [PATCH] Add a function for formatting network locations of the form
 host:port for use in URLs.

If the host part is a literal IPv6 address, it must be enclosed in square
brackets (RFC 2732).

ticket 1869
---
 install/tools/ipa-csreplica-manage|8 
 install/tools/ipa-replica-conncheck   |4 ++--
 install/tools/ipa-replica-install |6 +++---
 install/tools/ipa-server-install  |2 +-
 ipa-client/ipa-install/ipa-client-install |   14 +++---
 ipa-client/ipaclient/ipadiscovery.py  |8 
 ipalib/rpc.py |4 ++--
 ipapython/dogtag.py   |6 +++---
 ipapython/ipautil.py  |   18 ++
 ipaserver/install/bindinstance.py |2 +-
 ipaserver/install/cainstance.py   |   10 +-
 ipaserver/install/dsinstance.py   |2 +-
 ipaserver/install/replication.py  |6 +++---
 ipaserver/ipaldap.py  |7 ---
 tests/test_ipaserver/test_ldap.py |2 +-
 15 files changed, 59 insertions(+), 40 deletions(-)

diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage
index 39d5056..c33f3bc 100755
--- a/install/tools/ipa-csreplica-manage
+++ b/install/tools/ipa-csreplica-manage
@@ -111,7 +111,7 @@ class CSReplicationManager(replication.ReplicationManager):
 dn = 'cn=%s,cn=mapping tree,cn=config' % esc1_suffix
 # TODO: should we detect proto/port somehow ?
 mod = [(ldap.MOD_DELETE, 'nsslapd-referral',
-'ldap://%s:%s/%s' % (hostname, PORT, esc2_suffix))]
+'ldap://%s/%s' % (ipautil.format_netloc(hostname, PORT), esc2_suffix))]
 
 try:
 self.conn.modify_s(dn, mod)
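Review bot: the MOD_DELETE value has to be byte-for-byte equal to the referral already stored in nsslapd-referral, and after this change an IPv6 host produces 'ldap://[addr]:port/...' while a referral written by the old '%s:%s' formatting has no brackets, so the delete would silently stop matching on such deployments. Check that the code which writes nsslapd-referral goes through ipautil.format_netloc as well, or accept both forms here. The '# TODO: should we detect proto/port somehow ?' comment still applies to the new line.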
@@ -226,7 +226,7 @@ def del_link(realm, replica1, replica2, dirman_passwd, force=False):
 except errors.NotFound:
 sys.exit('%s' has no replication agreement for '%s' % (replica1, replica2))
 except ldap.SERVER_DOWN, e:
-sys.exit(Unable to connect to %s:%d: %s % (replica1, PORT, convert_error(e)))
+sys.exit(Unable to connect to %s: %s % (ipautil.format_netloc(replica1, PORT), convert_error(e)))
 except Exception, e:
 sys.exit(Failed to get data from '%s': %s % (replica1, convert_error(e)))
 
@@ -322,7 +322,7 @@ def add_link(realm, replica1, replica2, dirman_passwd, options):
 except ldap.NO_SUCH_OBJECT:
 sys.exit('%s does not have a CA configured.' % replica2)
 except ldap.SERVER_DOWN, e:
-sys.exit(Unable to connect to %s:636: %s % (replica2, convert_error(e)))
+sys.exit(Unable to connect to %s: %s % (ipautil.format_netloc(replica2, 636), convert_error(e)))
 except Exception, e:
 sys.exit(Failed to get data from '%s': %s % (replica1, convert_error(e)))
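Review bot: the unchanged `except Exception` line at the end of this hunk still reports replica1 in 'Failed to get data from ...' although the connection attempted here is to replica2; since the message above it is being rewritten anyway, fix that to replica2 in the same patch. Also, this hunk hard-codes port 636 while the other hunks in this file use the PORT constant; if they are meant to be the same endpoint, use the constant so the two cannot drift apart.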
 
@@ -337,7 +337,7 @@ def add_link(realm, replica1, replica2, dirman_passwd, options):
 except ldap.NO_SUCH_OBJECT:
 sys.exit(Cannot find replica '%s' % replica1)
 except ldap.SERVER_DOWN, e:
-sys.exit(Unable to connect to %s:%d %s % (replica1, PORT, convert_error(e)))
+sys.exit(Unable to connect to %s %s % (ipautil.format_netloc(replica1, PORT), convert_error(e)))
 except Exception, e:
 sys.exit(Failed to get data from '%s': %s % (replica1, convert_error(e)))
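Review bot: the new message 'Unable to connect to %s %s' has no separator between the location and the error text, unlike the otherwise identical messages in the earlier hunks of this file ('Unable to connect to %s: %s'); add the colon so the location and the error are not run together.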
 
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index ac1817e..65d7ef5 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -201,8 +201,8 @@ def configure_krb5_conf(realm, kdc, filename):
 
 #the following are necessary only if DNS discovery does not work
 #[realms]
-realms_info =[{'name':'kdc', 'type':'option', 'value':kdc+':88'},
- {'name':'admin_server', 'type':'option', 'value':kdc+':749'}]
+realms_info =[{'name':'kdc', 'type':'option', 'value':ipautil.format_netloc(kdc, 88)},
+ {'name':'admin_server', 'type':'option', 'value':ipautil.format_netloc(kdc, 749)}]
 realms = [{'name':realm, 'type':'subsection', 'value':realms_info}]
 
 opts.append({'name':'realms', 'type':'section', 'value':realms})
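Review bot: format_netloc is introduced as a URL formatter (RFC 2732 bracketing), but the kdc and admin_server values in krb5.conf are not URLs. Confirm that the Kerberos library parses the bracketed '[addr]:88' form for an IPv6 KDC before relying on it here; if it does not, this call site needs a different formatter than the ldap:// URLs do.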
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 6238044..960cca6 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -230,7 
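To make the RFC 2732 rule behind this patch concrete, here is an added, self-contained illustration in Python 3 of a host:port formatter and its inverse. It is not the project's ipautil.format_netloc (that function's real behaviour is only what the patch shows); the names format_netloc, naive_netloc, split_netloc, round_trips and ldap_url are my own, and the check that the old '%s:%s' formatting cannot be parsed back for an IPv6 literal is the point the example adds.

```python
import ipaddress
from urllib.parse import urlsplit


def format_netloc(host, port=None):
    """Return the URL authority for host[:port]. A literal IPv6 address is wrapped in
    square brackets (RFC 2732) so its colons cannot be confused with the port separator."""
    host = str(host)
    try:
        is_ipv6 = ipaddress.ip_address(host).version == 6
    except ValueError:
        is_ipv6 = False  # a host name; IPv4 literals parse but are not version 6
    if is_ipv6:
        host = '[%s]' % host
    if port is None:
        return host
    return '%s:%d' % (host, int(port))


def naive_netloc(host, port):
    """The pre-patch formatting, kept here only to show why it breaks for IPv6."""
    return '%s:%s' % (host, port)


def split_netloc(netloc, default_port=None):
    """Inverse of format_netloc: (host, port) parsed with the standard URL rules,
    which understand the bracketed form."""
    parts = urlsplit('//' + netloc)
    port = parts.port if parts.port is not None else default_port
    return parts.hostname, port


def round_trips(formatter, host, port):
    """True if formatting with `formatter` and parsing back yields the same host and port."""
    try:
        return split_netloc(formatter(host, port)) == (host, port)
    except ValueError:  # urlsplit rejects a "port" it cannot parse as an integer
        return False


def ldap_url(host, port, suffix):
    """Build an ldap:// URL the way the referral in the patch does, via format_netloc."""
    return 'ldap://%s/%s' % (format_netloc(host, port), suffix)


if __name__ == '__main__':
    # Constructed sample inputs: a host name, an IPv4 literal and an IPv6 literal.
    for host in ('ipa.example.test', '192.0.2.10', '2001:db8::1'):
        print(format_netloc(host, 389), '->', split_netloc(format_netloc(host, 389)))
    print('naive IPv6 round trip:', round_trips(naive_netloc, '2001:db8::1', 636))
```

Only the bracketed form survives the round trip for an IPv6 literal; the naive '2001:db8::1:636' either parses to the wrong host or fails outright, which is exactly the ambiguity the patch removes from the ldap:// referrals and error messages.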

Re: [Freeipa-devel] [PATCH] 133 Be more clear about selfsign option

2011-10-04 Thread Jan Cholasta

On 3.10.2011 12:36, Martin Kosek wrote:

Installing the IPA server with the --selfsign option is currently a one-way ticket
to a server with limited certificate capabilities. Make sure that the user
really wants to install it by implementing the following steps:

- moving the option to the bottom of certificate options section
- adding a warning to ipa-server-install man page
- adding a warning to ipa-server-install help
- adding a warning to ipa-server-install configuration summary
   when one runs ipa-server-install

https://fedorahosted.org/freeipa/ticket/1908



ACK.

Honza

--
Jan Cholasta


[Freeipa-devel] [PATCH] 135 Install tools crash when password prompt is interrupted

2011-10-04 Thread Martin Kosek
When the getpass.getpass() function is interrupted via CTRL+D, an EOFError
exception is thrown. Most of the install tools are not prepared for
this event and crash with this exception. Make sure that it is
handled properly and a nice error message is printed.

https://fedorahosted.org/freeipa/ticket/1916

From 5818782a4c7b5fda146c4b3f9e67ea850ba27b07 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Tue, 4 Oct 2011 10:42:59 +0200
Subject: [PATCH] Install tools crash when password prompt is interrupted

When the getpass.getpass() function is interrupted via CTRL+D, an EOFError
exception is thrown. Most of the install tools are not prepared for
this event and crash with this exception. Make sure that it is
handled properly and a nice error message is printed.

https://fedorahosted.org/freeipa/ticket/1916
---
 install/tools/ipa-ca-install  |2 +
 install/tools/ipa-compat-manage   |2 +
 install/tools/ipa-csreplica-manage|7 +++-
 install/tools/ipa-dns-install |2 +
 install/tools/ipa-ldap-updater|2 +
 install/tools/ipa-managed-entries |2 +
 install/tools/ipa-nis-manage  |2 +
 install/tools/ipa-replica-conncheck   |8 -
 install/tools/ipa-replica-install |2 +
 install/tools/ipa-replica-manage  |7 +++-
 install/tools/ipa-replica-prepare |2 +
 install/tools/ipa-server-certinstall  |8 +++--
 install/tools/ipa-server-install  |7 
 ipa-client/ipa-install/ipa-client-install |   13 +++-
 ipaserver/install/installutils.py |   45 +++-
 15 files changed, 79 insertions(+), 32 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 37fa6269b91dcd1174225a93ac5974ddc04e5d3a..bfb947bcd7428f81ce43eb396f95ab0d04c9499f 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -98,6 +98,8 @@ def main():
 dirman_password = get_dirman_password()
 except KeyboardInterrupt:
 sys.exit(0)
+if dirman_password is None:
+sys.exit(\nDirectory Manager password required)
 
 if not options.admin_password and not options.skip_conncheck and \
 options.unattended:
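Review bot: the new None check only works if get_dirman_password() now returns None on EOF instead of letting EOFError escape; that change lives in the installutils.py part of the diffstat, which is not shown here, so verify every caller listed there was converted, or an interrupted prompt still ends in a traceback. The '\nDirectory Manager password required' sys.exit is repeated verbatim in each tool; a small helper in installutils would keep the wording and the exit status in one place.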
diff --git a/install/tools/ipa-compat-manage b/install/tools/ipa-compat-manage
index 07531fddcdb3d211abb2360482551073fcbc3c00..898a797cf0fa10be288522a224a5ef7befaaf59b 100755
--- a/install/tools/ipa-compat-manage
+++ b/install/tools/ipa-compat-manage
@@ -100,6 +100,8 @@ def main():
 dirman_password = pw.strip()
 else:
 dirman_password = get_dirman_password()
+if dirman_password is None:
+sys.exit(\nDirectory Manager password required)
 
 api.bootstrap(context='cli', debug=options.debug)
 api.finalize()
diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage
index 39d5056544966cd8a4077076a9f00b63dcc2119a..abfc117bae8491dcc04e93d5207faf20421a33c1 100755
--- a/install/tools/ipa-csreplica-manage
+++ b/install/tools/ipa-csreplica-manage
@@ -22,7 +22,7 @@
 import sys
 import os
 
-import getpass, ldap, krbV
+import ldap, krbV
 import logging
 
 from ipapython import ipautil
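Review bot: getpass is removed from the import line, but the replacement call later in this file uses installutils.read_password, and the only import visible in this hunk is `from ipapython import ipautil`. Make sure installutils is imported in this script, otherwise the tool fails with NameError on exactly the prompt path the patch is fixing.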
@@ -400,7 +400,10 @@ def main():
 if options.dirman_passwd:
 dirman_passwd = options.dirman_passwd
 else:
-dirman_passwd = getpass.getpass(Directory Manager password: )
+dirman_passwd = installutils.read_password(Directory Manager, confirm=False,
+validate=False, retry=False)
+if dirman_passwd is None:
+sys.exit(\nDirectory Manager password required)
 
 options.dirman_passwd = dirman_passwd
 
diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index 9869eae8b143ee10e15fc811f9c1ab25aee77544..d81b6a2e804a815d5bece8426a286e3190f6dee3 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -128,6 +128,8 @@ def main():
 
 dm_password = options.dm_password or read_password(Directory Manager,
  confirm=False, validate=False)
+if dm_password is None:
+sys.exit(\nDirectory Manager password required)
 bind = bindinstance.BindInstance(fstore, dm_password)
 
 # try the connection
diff --git a/install/tools/ipa-ldap-updater b/install/tools/ipa-ldap-updater
index 5b63c120ec83a03fa0cc7ba9aab1cb60bda23e31..6ecb8c155d723f5e0c9c234c0e1ddb1f3150ca4a 100755
--- a/install/tools/ipa-ldap-updater
+++ b/install/tools/ipa-ldap-updater
@@ -96,6 +96,8 @@ def main():
 else:
 if (options.ask_password or not options.ldapi) and not options.upgrade:
 dirman_password = get_dirman_password()
+if dirman_password is None:
+sys.exit(\nDirectory Manager password required)
 
 files = []
 if len(args)  0:
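Review bot: indentation is not preserved in the extracted hunk, so it is worth double-checking that the `if dirman_password is None` check sits inside the branch that assigns dirman_password (the `if (options.ask_password or not options.ldapi) and not options.upgrade:` block). In the --upgrade or ldapi path the name is never bound, and an outer-level check would raise NameError instead of proceeding.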
diff --git a/install/tools/ipa-managed-entries b/install/tools/ipa-managed-entries
index 
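The contract this patch relies on, a prompt that returns None when the user closes stdin and callers that turn None into a clean exit, as an added Python 3 example that is not FreeIPA's installutils.read_password. The names read_password, require_password and scripted_prompt, the MIN_LENGTH policy and the meaning given to confirm, validate and retry are assumptions made for the example; the injectable prompt argument exists only so the EOF and retry paths can be exercised without a terminal.

```python
import getpass
import sys

MIN_LENGTH = 8  # assumed policy for this example, not FreeIPA's actual rule


def read_password(user, confirm=True, validate=True, retry=True, prompt=getpass.getpass):
    """Prompt for `user`'s password. Returns the password, or None when the prompt is
    ended with Ctrl+D (EOFError) or when confirmation/validation fails and retry is
    False. Ctrl+C (KeyboardInterrupt) is deliberately left to the caller, which in the
    tools above maps it to sys.exit(0)."""
    try:
        while True:
            pw = prompt("%s password: " % user)
            problem = None
            if validate and len(pw) < MIN_LENGTH:
                problem = "Password must be at least %d characters long" % MIN_LENGTH
            elif confirm and prompt("Password (confirm): ") != pw:
                problem = "Passwords do not match!"
            if problem is None:
                return pw
            print(problem, file=sys.stderr)
            if not retry:
                return None
    except EOFError:
        # Ctrl+D: no password was entered; the caller decides whether that is fatal.
        return None


def require_password(user, **kwargs):
    """Caller-side pattern from the patch: exit with a message when no password came back."""
    pw = read_password(user, **kwargs)
    if pw is None:
        sys.exit("\n%s password required" % user)
    return pw


def scripted_prompt(answers):
    """Constructed stand-in for getpass.getpass: hands out canned answers, then raises
    EOFError exactly as a closed stdin does."""
    answers = iter(answers)

    def prompt(_message):
        try:
            return next(answers)
        except StopIteration:
            raise EOFError from None
    return prompt


if __name__ == '__main__':
    # Real interactive use; press Ctrl+D at the prompt to see the clean exit path.
    print(require_password('Directory Manager', confirm=False, validate=False))
```

The important edge is the second prompt: an EOF at the confirmation prompt must also yield None, which the try/except around the whole loop guarantees, rather than leaving a half-entered password behind.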

[Freeipa-devel] [PATCH] 136 Fix ipa-managed-entries password option long form

2011-10-04 Thread Martin Kosek
https://fedorahosted.org/freeipa/ticket/1913

From 5485ef8811c1e97dcbc7e462a8c814bb80f8de17 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Tue, 4 Oct 2011 10:52:47 +0200
Subject: [PATCH] Fix ipa-managed-entries password option long form

https://fedorahosted.org/freeipa/ticket/1913
---
 install/tools/ipa-managed-entries |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/install/tools/ipa-managed-entries b/install/tools/ipa-managed-entries
index 9b3f54714c2809fffecc92d428328d110a9fdc64..36a0afba6f59767306855bd3a2ba9d327ad54bd5 100755
--- a/install/tools/ipa-managed-entries
+++ b/install/tools/ipa-managed-entries
@@ -54,7 +54,7 @@ def parse_options():
 parser.add_option(-l, --list, dest=list_managed_entries,
   action=store_true,
   help=DN for the Managed Entry Definition)
-parser.add_option(-p, dest=dirman_password,
+parser.add_option(-p, --password, dest=dirman_password,
   help=Directory Manager password)
 
 config.add_standard_options(parser)
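Review bot: the long form is the right fix for the ticket; while in this block, the help string of the neighbouring -l/--list option in the context lines reads 'DN for the Managed Entry Definition', which describes an argument rather than a listing action and looks copy-pasted, so it is worth correcting in the same patch.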
-- 
1.7.6.2

Re: [Freeipa-devel] [PATCH] ipa-pwd-extop: allow password change on all connections with SSF1

2011-10-04 Thread Jan Cholasta

On 27.9.2011 10:15, Sumit Bose wrote:

Hi,

currently the change password plugin does not check if the connection is
coming from a local LDAPI socket and denies password change requests via
LDAPI. This patch changes the check to just look at the overall SSF of
the connection, which covers all types of connection.

There is a similar check in ipa_enrollment.c, but I think enrollment via
LDAPI does not make much sense, so it does not need to be changed.


IMHO it should be changed anyway, for the sake of consistency.



This patch should fix https://fedorahosted.org/freeipa/ticket/1877.

bye,
Sumit



The patch has trailing whitespace on lines 20 and 32-35 and needs to be 
rebased.


Tested the patch with ldappasswd over ldap/ldaps/ldapi - works as expected.

Honza

--
Jan Cholasta


Re: [Freeipa-devel] [PATCH] 133 Be more clear about selfsign option

2011-10-04 Thread Martin Kosek
On Tue, 2011-10-04 at 10:34 +0200, Jan Cholasta wrote:
 On 3.10.2011 12:36, Martin Kosek wrote:
  Installing the IPA server with the --selfsign option is currently a one-way ticket
  to a server with limited certificate capabilities. Make sure that the user
  really wants to install it by implementing the following steps:
 
  - moving the option to the bottom of certificate options section
  - adding a warning to ipa-server-install man page
  - adding a warning to ipa-server-install help
  - adding a warning to ipa-server-install configuration summary
 when one runs ipa-server-install
 
  https://fedorahosted.org/freeipa/ticket/1908
 
 
 ACK.
 
 Honza
 

Pushed to master, ipa-2-1.

Martin


[Freeipa-devel] [PATCH] 0016 Setup and restore ntp configuration on the client

2011-10-04 Thread Alexander Bokovoy

Hi,

attached patch addresses ticket #1770.

-- 
/ Alexander Bokovoy
From 6bb9520e2398a22c0264276171714ea5d201f83a Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Tue, 4 Oct 2011 13:56:12 +0300
Subject: [PATCH] Setup and restore ntp configuration on the client side
 properly

When setting up the client-side NTP configuration, make sure that
/etc/ntp/step-tickers points to the IPA NTP server as well.
When restoring the client during ipa-client-install --uninstall, make sure the NTP
configuration is fully restored and the NTP service is disabled if it was disabled
before the installation.

https://fedorahosted.org/freeipa/ticket/1770
---
 ipa-client/ipa-install/ipa-client-install |   19 ++-
 ipa-client/ipaclient/ntpconf.py   |   52 
 2 files changed, 55 insertions(+), 16 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install 
b/ipa-client/ipa-install/ipa-client-install
index 
76f7f1913c804053edb8b90979286a0592fa5737..85f94074bfede3106b39e4d603d99d93930def5b
 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -331,6 +331,23 @@ def uninstall(options, env, quiet=False):
 emit_quiet(quiet, Reboot command failed to exceute.  + 
str(e))
 return CLIENT_UNINSTALL_ERROR
 
+ntp_configured = statestore.has_state('ntp')
+if ntp_configured:
+ntp_enabled = statestore.restore_state('ntp', 'enabled')
+ntp_step_tickers = statestore.restore_state('ntp', 'step-tickers')
+
+restored = fstore.restore_file(/etc/ntp.conf)
+restored |= fstore.restore_file(/etc/sysconfig/ntpd)
+if ntp_step_tickers:
+   restored |= fstore.restore_file(/etc/ntp/step-tickers)
+
+if not ntp_enabled:
+   ipaservices.knownservices.ntp.stop()
+   ipaservices.knownservices.ntp.disable()
+else:
+   if restored:
+   ipaservices.knownservices.ntp.restart()
+
 # Remove the IPA configuration file
 try:
 os.remove(/etc/ipa/default.conf)
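Review bot: the nested lines in the new block (the `restored |=` line and the ntp stop/disable/restart calls) show three-space indentation relative to their block openers in the extracted hunk while the rest of the file uses four; verify the indentation before merging, since Python will either reject it or nest the restart() differently from what is intended. The `restored |= fstore.restore_file(...)` chain also assumes restore_file returns a truth value meaning "a file was put back"; confirm that is its contract, otherwise the restart() decision is made on a meaningless value.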
@@ -1102,7 +1119,7 @@ def install(options, env, fstore, statestore):
 ntp_server = options.ntp_server
 else:
 ntp_server = cli_server
-ipaclient.ntpconf.config_ntp(ntp_server, fstore)
+ipaclient.ntpconf.config_ntp(ntp_server, fstore, statestore)
 print NTP enabled
 
 print Client configuration complete.
diff --git a/ipa-client/ipaclient/ntpconf.py b/ipa-client/ipaclient/ntpconf.py
index 
3042005f41ea3ed6c8fee739b9cf2b833a8d6d59..f63e5f9795efc38e0843f9e14f51ef286d1ddebc
 100644
--- a/ipa-client/ipaclient/ntpconf.py
+++ b/ipa-client/ipaclient/ntpconf.py
@@ -20,6 +20,7 @@
 from ipapython import ipautil
 from ipapython import services as ipaservices
 import shutil
+import os
 
 ntp_conf = # Permit time synchronization with our time source, but do not
 # permit the source to query or modify the service on this system.
@@ -80,30 +81,51 @@ SYNC_HWCLOCK=yes
 # Additional options for ntpdate
 NTPDATE_OPTIONS=
 
+ntp_step_tickers = # Use IPA-provided NTP server for initial time
+$SERVER
+
+def __backup_config(path, fstore = None):
+if fstore:
+fstore.backup_file(path)
+else:
+shutil.copy(path, %s.ipasave % (path))
 
-def config_ntp(server_fqdn, fstore = None):
+def __write_config(path, content):
+fd = open(path, w)
+fd.write(content)
+fd.close()
+
+def config_ntp(server_fqdn, fstore = None, sysstore = None):
+path_step_tickers = /etc/ntp/step-tickers
+path_ntp_conf = /etc/ntp.conf
+path_ntp_sysconfig = /etc/sysconfig/ntpd
 sub_dict = { }
 sub_dict[SERVER] = server_fqdn
 
 nc = ipautil.template_str(ntp_conf, sub_dict)
+config_step_tickers = False
 
-if fstore:
-fstore.backup_file(/etc/ntp.conf)
-else:
-shutil.copy(/etc/ntp.conf, /etc/ntp.conf.ipasave)
 
-fd = open(/etc/ntp.conf, w)
-fd.write(nc)
-fd.close()
+if os.path.exists(path_step_tickers):
+config_step_tickers = True
+ns = ipautil.template_str(ntp_step_tickers, sub_dict)
+__backup_config(path_step_tickers, fstore)
+__write_config(path_step_tickers, ns)
+ipaservices.restore_context(path_step_tickers)
 
-if fstore:
-fstore.backup_file(/etc/sysconfig/ntpd)
-else:
-shutil.copy(/etc/sysconfig/ntpd, /etc/sysconfig/ntpd.ipasave)
+if sysstore:
+module = 'ntp'
+sysstore.backup_state(module, enabled, 
ipaservices.knownservices.ntp.enabled())
+if config_step_tickers:
+sysstore.backup_state(module, step-tickers, True)
 
-fd = open(/etc/sysconfig/ntpd, w)
-fd.write(ntp_sysconfig)
-fd.close()
+__backup_config(path_ntp_conf, fstore)
+__write_config(path_ntp_conf, nc)
+ipaservices.restore_context(path_ntp_conf)
+
+__backup_config(path_ntp_sysconfig)
+__write_config(path_ntp_sysconfig, ntp_sysconfig)
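Review bot: `__backup_config(path_ntp_sysconfig)` omits the fstore argument that the two other backup calls pass, so /etc/sysconfig/ntpd is copied to a .ipasave file instead of being registered in fstore, and the uninstall code in the first hunk (`fstore.restore_file(/etc/sysconfig/ntpd)`) will not find anything to restore; pass fstore here too. Separately, the step-tickers state is recorded in sysstore only after that file has already been rewritten, so a failure in between leaves a modified file that uninstall does not know to restore; record the state before writing.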

[Freeipa-devel] [PATCH] 0017 Configure pam_krb5 only when sssd is not in use

2011-10-04 Thread Alexander Bokovoy
Hi,

attached patch fixes https://fedorahosted.org/freeipa/ticket/1775

-- 
/ Alexander Bokovoy
From e956fb4cb1738cb98d006973db0016868204c10c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Tue, 4 Oct 2011 14:33:36 +0300
Subject: [PATCH] Configure pam_krb5 on the client only if sssd is not
 configured

https://fedorahosted.org/freeipa/ticket/1775
---
 ipa-client/ipa-install/ipa-client-install |   15 ---
 1 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install 
b/ipa-client/ipa-install/ipa-client-install
index 
76f7f1913c804053edb8b90979286a0592fa5737..f8905641662aac17bb1164d49e84527aad4c3bf7
 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1052,13 +1052,14 @@ def install(options, env, fstore, statestore):
 auth_config.execute()
 print message
 
-#Modify pam to add pam_krb5
-auth_config.reset()
-auth_config.enable(krb5).\
-add_option(update).\
-add_option(nostart)
-auth_config.execute()
-print Kerberos 5 enabled
+if not options.sssd:
+#Modify pam to add pam_krb5 only when sssd is not in use
+auth_config.reset()
+auth_config.enable(krb5).\
+add_option(update).\
+add_option(nostart)
+auth_config.execute()
+print Kerberos 5 enabled
 
 # Update non-SSSD LDAP configuration after authconfig calls as it would
 # change its configuration otherways
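Review bot: the new guard keys off options.sssd, i.e. whether SSSD was requested, not whether the auth_config call above actually configured it. If there is a path where SSSD was requested but its configuration failed or was skipped, the client ends up with neither pam_sss nor pam_krb5; make the condition reflect the actual configured state (the same condition the later "Update non-SSSD LDAP configuration" block uses).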
-- 
1.7.6.4

Re: [Freeipa-devel] [PATCH] 130 ipa-client assumes a single namingcontext

2011-10-04 Thread Stephen Gallagher
On Fri, 2011-09-30 at 16:15 -0400, Simo Sorce wrote:
 On Fri, 2011-09-30 at 16:02 -0400, Stephen Gallagher wrote:
  On Thu, 2011-09-29 at 15:20 +0200, Martin Kosek wrote:
   How to test:
   1) Add a new naming context (suffix) to your LDAP database with installed
   IPA (see attached LDIF). The server should return the new suffix as the
   first one. You can change its base DN if it does not.
   2) Install the IPA client against the server. ipa-client-install should detect the
   LDAP server as the IPA one only if the patch is applied on the client
   
   ---
   
   When the LDAP server contains more than one suffix, the ipa client
   installation does not detect it as an IPA server and fails to install.
   Fix ipa server discovery so that it correctly searches all naming
   contexts for the IPA one.
   
   https://fedorahosted.org/freeipa/ticket/1868
  
  
  Tangentially related, it would be prudent for FreeIPA server
  installations to set not only namingContexts but also the
  defaultNamingContext. This way, clients autodetecting the ldap search
  base from the RootDSE will have an unambiguous way to do so (in the
  event that multiple namingContexts have been added)
 
 Please CC yourself here to be notified when this will be available in
 DS: https://bugzilla.redhat.com/show_bug.cgi?id=742317


I'd like to add some more information on this (which I also just opened
as upstream ticket https://fedorahosted.org/freeipa/ticket/1919).

Right now, FreeIPA is set up with a single namingContexts, which is the
'dc=example,dc=com' root of the LDAP tree. The problem is that this
search domain encompasses both the standard cn=accounts and the
cn=compat trees. This means that SSSD, if set up as an RFC2307bis client
instead of a full ipa-client-install (which explicitly sets the search
base to cn=accounts) cannot safely auto-detect the search base to use.

I think that FreeIPA should ship with the following settings in the
RootDSE:

defaultNamingContext: cn=accounts,dc=example,dc=com
namingContexts: dc=example,dc=com
namingContexts: cn=accounts,dc=example,dc=com

and if compat mode is also enabled:
namingContexts: cn=compat,dc=example,dc=com

This will allow us to auto-detect in a sane way, as well as allowing us
to easily communicate to clients that compat mode is or is not enabled.
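The discovery logic discussed in this thread and in Martin's get_ipa_basedn() suggestion earlier on this page, as an added Python 3 example that is not FreeIPA's ipadiscovery code: read the root DSE, try defaultNamingContext first, then every namingContexts value, and probe each candidate until one looks like an IPA base. The root DSE is modelled as a plain dict and the probe as a callable; the 'info' marker the sample probe looks for and the names find_ipa_basedn, first_context_only and ipa_probe_for are assumptions made for the example.

```python
# Constructed sample directory: dn -> {attribute: [values]}. The 'info' marker is an
# assumption used by this example's probe, not a statement about FreeIPA's schema.
SAMPLE_DIRECTORY = {
    'dc=extra,dc=test': {'objectClass': ['domain']},
    'dc=example,dc=test': {'objectClass': ['domain'], 'info': ['IPA V2.0']},
    'cn=accounts,dc=example,dc=test': {'objectClass': ['nsContainer']},
}


def ipa_probe_for(directory, log=None):
    """Return a per-suffix probe: a base-scope lookup of one entry for the marker.
    `log`, if given, records every DN probed so a caller can count round trips."""
    def probe(dn):
        if log is not None:
            log.append(dn)
        entry = directory.get(dn)
        return entry is not None and 'IPA V2.0' in entry.get('info', [])
    return probe


def first_context_only(rootdse):
    """The pre-patch assumption: the first namingContexts value is the IPA base."""
    contexts = rootdse.get('namingContexts', [])
    return contexts[0] if contexts else None


def find_ipa_basedn(rootdse, probe):
    """Try defaultNamingContext first, then each namingContexts value in server order,
    and return the first DN the probe accepts, or None when no suffix is an IPA one."""
    candidates = []
    for attr in ('defaultNamingContext', 'namingContexts'):
        for dn in rootdse.get(attr, []):
            if dn not in candidates:
                candidates.append(dn)
    for dn in candidates:
        if probe(dn):
            return dn
    return None


if __name__ == '__main__':
    # Constructed root DSE where the extra suffix is listed first, as in the test plan above.
    rootdse = {'namingContexts': ['dc=extra,dc=test', 'dc=example,dc=test']}
    print('first-only :', first_context_only(rootdse))
    print('search all :', find_ipa_basedn(rootdse, ipa_probe_for(SAMPLE_DIRECTORY)))
```

With a defaultNamingContext published as proposed above, the probe is answered in one round trip; without it the client still finds the IPA suffix, just after probing the others first, which is the behaviour the original "first suffix only" code lacked.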



Re: [Freeipa-devel] [PATCH 48/48] Ticket #1879 - IPAdmin undefined anonymous parameter lists

2011-10-04 Thread Jan Cholasta

On 26.9.2011 21:52, John Dennis wrote:

The IPAdmin class in ipaserver/ipaldap.py has methods with anonymous
undefined parameter lists.

For example:

 def getList(self,*args):

In Python syntax this means you can call getList with any positional
parameter list you want.

This is bad because:

1) It's not true, *args gets passed to an ldap function with a well
defined parameter list, so you really do have to call it with a
defined parameter list. *args will let you pass anything, but once it
gets passed to the ldap function it will blow up if the parameters do
not match (what parameters are those you're wondering? see item 2).

2) The programmer does not know what the valid parameters are unless
they are defined in the formal parameter list.

3) Without a formal parameter list automatic documentation generators
cannot produce API documentation (see item 2).

4) The Python interpreter cannot validate the parameters being passed
because there is no formal parameter list. Note, Python does not
validate the type of parameters, but it does validate that the correct
number of positional parameters are passed and only defined keyword
parameters are passed. Bypassing the language support facilities leads
to programming errors.

5) Without a formal parameter list program checkers such as pylint
cannot validate the program, which leads to programming errors.

6) Without a formal parameter list which includes default keyword
parameters it's not possible to use keyword arguments nor to know what
their default values are (see item 2). One is forced to pass a keyword
argument as a positional argument, plus you must then pass every
keyword argument between the end of the positional argument list and
the keyword arg of interest even if the other keyword arguments are not of
interest. This also demands you know what the default values of the
intermediate keyword arguments are (see item 2) and hope they don't
change.

Also the *args anonymous tuple gets passed into the error handling code
so it can report what the called values were. But because the tuple is
anonymous the error handler cannot describe what it was passed. In
addition the error handling code makes assumptions about the possible
contents of the anonymous tuple based on current practice instead of
actual defined values. Things like if the number of items in the
tuple is 2 or less then the first tuple item must be a dn
(Distinguished Name) or if the number of items in the tuple is
greater than 2 then the 3rd item must be an ldap search filter. These
are constructs which are not robust and will fail at some point in the
future.

This patch also fixes the use of IPAdmin.addEntry(). It was sometimes
being called with (dn, modlist), sometimes an Entry object, or
sometimes an Entity object. Now it's always called with either an Entry
or Entity object and IPAdmin.addEntry() validates the type of the
parameter passed.

--
John Dennisjden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



ACK.

Honza

--
Jan Cholasta
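Items 2, 4 and 6 above, and the point about the error handler, side by side in runnable Python 3: an added example, not the IPAdmin code this patch changes. FakeConnection is a constructed in-memory stand-in for a python-ldap connection with a fixed search_s signature; AnonymousAdmin shows the `*args` shape being removed and TypedAdmin the explicit-signature shape being introduced, and the names getList, parameter_names and try_call are my own.

```python
import inspect


class FakeConnection:
    """Constructed stand-in for a python-ldap connection: one method with a well-defined
    parameter list, like search_s(base, scope, filterstr, attrlist)."""
    SCOPE_BASE, SCOPE_SUBTREE = 0, 2

    def __init__(self, entries):
        self.entries = entries  # dn -> {attr: [values]}

    def search_s(self, base, scope, filterstr='(objectClass=*)', attrlist=None):
        attr, _, value = filterstr.strip('()').partition('=')
        base = base.lower()
        out = []
        for dn, attrs in self.entries.items():
            low = dn.lower()
            in_scope = low == base or (scope == self.SCOPE_SUBTREE and low.endswith(',' + base))
            matches = value == '*' or value in attrs.get(attr, [])
            if in_scope and matches:
                out.append((dn, attrs if attrlist is None
                            else {a: v for a, v in attrs.items() if a in attrlist}))
        return out


class AnonymousAdmin:
    """The shape the patch removes: *args hides the real parameter list."""
    def __init__(self, conn):
        self.conn = conn

    def getList(self, *args):
        try:
            return self.conn.search_s(*args)
        except TypeError as e:
            # All the handler can report is the raw tuple, not which parameter was wrong.
            raise ValueError('getList failed with args=%r: %s' % (args, e))


class TypedAdmin:
    """The shape the patch introduces: an explicit signature mirroring search_s."""
    def __init__(self, conn):
        self.conn = conn

    def getList(self, base, scope, filterstr='(objectClass=*)', attrlist=None):
        try:
            return self.conn.search_s(base, scope, filterstr, attrlist)
        except TypeError as e:
            raise ValueError('getList failed: base=%r scope=%r filterstr=%r attrlist=%r: %s'
                             % (base, scope, filterstr, attrlist, e))


def parameter_names(method):
    """The names a documentation generator or pylint sees for the method (minus self)."""
    return [p.name for p in inspect.signature(method).parameters.values() if p.name != 'self']


def try_call(method, *args, **kwargs):
    """Return ('ok', result) or ('error', message) so the two styles can be compared."""
    try:
        return 'ok', method(*args, **kwargs)
    except (TypeError, ValueError) as e:
        return 'error', str(e)


# Constructed sample directory used by the checks below.
DIRECTORY = {
    'dc=example,dc=test': {'objectClass': ['domain'], 'dc': ['example']},
    'cn=accounts,dc=example,dc=test': {'objectClass': ['nsContainer'], 'cn': ['accounts']},
    'uid=alice,cn=users,cn=accounts,dc=example,dc=test': {'objectClass': ['person'], 'uid': ['alice']},
}

if __name__ == '__main__':
    conn = FakeConnection(DIRECTORY)
    print(parameter_names(AnonymousAdmin.getList), parameter_names(TypedAdmin.getList))
    print(try_call(AnonymousAdmin(conn).getList, base='dc=example,dc=test', scope=2))
    print(try_call(TypedAdmin(conn).getList, base='dc=example,dc=test', scope=2, filterstr='(uid=alice)'))
```

The interpreter rejects a keyword call against the `*args` version before the method body even runs, while the typed version accepts keywords, skips defaults it does not care about, and can name each parameter in its error text.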


[Freeipa-devel] [PATCH] 0018 Unroll StrEnum values when displaying help

2011-10-04 Thread Alexander Bokovoy
Hi,

when help is displayed, for options that require values we show their 
type. With string enumerations this does not really help the user, 
as it is unclear what the values of the enumeration are.

The attached patch fixes it by providing a nicer list of possible values.

https://fedorahosted.org/freeipa/ticket/1848

As a result, instead of what is shown in the ticket:

[root@kungfupanda ~]# ipa help hbacrule-add
Purpose: Create a new HBAC rule.
Usage: ipa [global-options] hbacrule-add NAME [options]

Options:
  -h, --helpshow this help message and exit
  --usercat=STRENUM User category the rule applies to
  --hostcat=STRENUM Host category the rule applies to
  --srchostcat=STRENUM  Source host category the rule applies to
  --servicecat=STRENUM  Service category the rule applies to
-

one would get the following:


[root@kungfupanda ~]# ipa help hbacrule-add
Purpose: Create a new HBAC rule.
Usage: ipa [global-options] hbacrule-add NAME [options]

Options:
  -h, --helpshow this help message and exit
  --usercat=['all'] User category the rule applies to
  --hostcat=['all'] Host category the rule applies to
  --srchostcat=['all']  Source host category the rule applies to
  --servicecat=['all']  Service category the rule applies to


It becomes even more reasonable with type or class options -- overall 
we have 65 StrEnums in the current set of options.

For example, in dnsrecord-add the --class option was shown as 
  --class=STRENUM   DNS class

With the patch attached it will be more understandable:

[root@host3 ~]# ipa help dnsrecord-add
Purpose: Add new DNS resource record.
Usage: ipa [global-options] dnsrecord-add DNSZONE NAME [options]

Options:
  -h, --helpshow this help message and exit
  --ttl=INT Time to live
  --class=['IN', 'CS', 'CH', 'HS']
DNS class
  --addattr=STR Add an attribute/value pair. Format is attr=value. The
attribute must be part of the schema.
  --setattr=STR Set an attribute to a name/value pair. Format is
attr=value. For multi-valued attributes, the command
replaces the values already present.


-- 
/ Alexander Bokovoy
From 911c0bbdbd137347e62e72384f1cd516d29dfec3 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Tue, 4 Oct 2011 15:17:58 +0300
Subject: [PATCH] Unroll StrEnum values when displaying help

https://fedorahosted.org/freeipa/ticket/1848
---
 ipalib/cli.py |5 -
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/ipalib/cli.py b/ipalib/cli.py
index 
0a7d1a4cf30352198eebcc7ff65bcc16f948cda7..1c34d6939285b2dcae522c13be13dc4d9f23dc57
 100644
--- a/ipalib/cli.py
+++ b/ipalib/cli.py
@@ -48,7 +48,7 @@ import plugable
 import util
 from errors import PublicError, CommandError, HelpError, InternalError, 
NoSuchNamespaceError, ValidationError, NotFound, NotConfiguredError
 from constants import CLI_TAB
-from parameters import Password, Bytes, File, Str
+from parameters import Password, Bytes, File, Str, StrEnum
 from text import _
 from ipapython.version import API_VERSION
 
@@ -1008,8 +1008,11 @@ class cli(backend.Executioner):
 kw['action'] = 'store_false'
 else:
 kw['action'] = 'store_true'
+elif isinstance(option, StrEnum):
+kw['metavar'] = metavar=map(lambda x: str(x), option.values)
 else:
 kw['metavar'] = metavar=option.__class__.__name__.upper()
+
 if option.cli_short_name:
 o = optparse.make_option('-%s' % option.cli_short_name, '--%s' 
% to_cli(option.cli_name), **kw)
 else:
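Review bot: the `elif isinstance(option, StrEnum)` branch stores a Python list in `kw['metavar']`, so optparse prints the list repr (`--class=['IN', 'CS', 'CH', 'HS']`, exactly as in the sample output) rather than a conventional metavar, and long value sets push the description onto the next line. `'|'.join(str(v) for v in option.values)` would render `--class=IN|CS|CH|HS` and keep the help columns aligned. Two smaller points on the same line: `map(lambda x: str(x), ...)` returns a list only under Python 2 (an iterator under Python 3, whose repr is useless in help text) and can be written `map(str, option.values)`; and the chained `metavar = ...` assignment mirrors the existing `else` branch but nothing visible here reads `metavar` afterwards.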
-- 
1.7.6.4
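To make the rendering choice concrete, here is an added Python example (my code, not ipalib's) that registers a StrEnum-like option with optparse in both forms: the list-repr metavar the patch above produces, and a `|`-joined alternative. The `StrEnum` class, `StrictParser` and the sample options are constructed for this example; ipalib's real `StrEnum` and `cli` classes are not used.

```python
import optparse


class StrEnum(object):
    """Constructed stand-in for ipalib's StrEnum parameter: a string option
    whose allowed values are a fixed tuple (not ipalib code)."""

    def __init__(self, name, values, doc=''):
        self.name = name
        self.values = tuple(values)
        self.doc = doc


class StrictParser(optparse.OptionParser):
    """OptionParser that raises instead of calling sys.exit on a bad value,
    so the parse result can be inspected programmatically."""

    def error(self, msg):
        raise ValueError(msg)


def metavar_list_repr(option):
    """Metavar as the patch renders it: the Python list repr of the values,
    e.g. "['IN', 'CS', 'CH', 'HS']"."""
    return str([str(v) for v in option.values])


def metavar_joined(option):
    """Alternative rendering: IN|CS|CH|HS, which stays on one help line."""
    return '|'.join(str(v) for v in option.values)


def build_parser(options, render=metavar_list_repr):
    """Register each StrEnum as a --name option with choice validation, so
    the help text lists the allowed values and bad values are rejected."""
    parser = StrictParser(
        usage='ipa [global-options] dnsrecord-add DNSZONE NAME [options]')
    for opt in options:
        parser.add_option('--%s' % opt.name, dest=opt.name,
                          type='choice', choices=list(opt.values),
                          metavar=render(opt), help=opt.doc)
    return parser


def parse_class(parser, argv):
    """Return the parsed value of --class, or the parser's error message."""
    try:
        values, _rest = parser.parse_args(argv)
    except ValueError as exc:
        return 'error: %s' % exc
    return getattr(values, 'class')


# Sample options constructed from the help output quoted in the thread.
SAMPLE_OPTIONS = [
    StrEnum('class', ['IN', 'CS', 'CH', 'HS'], 'DNS class'),
    StrEnum('usercat', ['all'], 'User category the rule applies to'),
]

if __name__ == '__main__':
    print(build_parser(SAMPLE_OPTIONS).format_help())
    print(build_parser(SAMPLE_OPTIONS, metavar_joined).format_help())
```

Because the option is registered with `type='choice'`, the same value list that drives the help text also rejects anything outside the enumeration, so help and validation cannot drift apart.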

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 884 migration context and logging

2011-10-04 Thread Rob Crittenden

Martin Kosek wrote:

On Mon, 2011-10-03 at 16:44 -0400, Rob Crittenden wrote:

Martin Kosek wrote:

On Mon, 2011-09-26 at 22:24 -0400, Rob Crittenden wrote:

We can't assume that there will be only one naming context. Look at each
one until we find an IPA one.

Add logging so you can know that a migration attempt fails and why.

rob


Looks good, it's just difficult to set up a proper environment for
reproduction. So far, I found just this problem:

[Tue Sep 27 10:30:39 2011] [error] [client 10.34.25.52] mod_wsgi (pid=32705): 
Exception occurred processing WSGI script 
'/usr/share/ipa/migration/migration.py'.
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] Traceback (most recent 
call last):
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]   File 
/usr/share/ipa/migration/migration.py, line 127, in application
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] 
bind(form_data['username'].value, form_data['password'].value)
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]   File 
/usr/share/ipa/migration/migration.py, line 107, in bind
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] 
logging.error('migration bind failed: %s' % convert_exception(e))

Martin



Just missed saving the exception as a variable, should work now.

rob


Works fine, tested on multiple-suffix LDAP server. We should also be
fine when anonymous access is not allowed (Simo was dealing with this in
ipa-client-install in #1881) since migration.py binds via socket.

I have just one suggestion - instead of searching for correct naming
context on your own, you may want to use a function get_ipa_basedn() I
implemented for ipa-client-install (#1868). This will do all the checks
and return you just the IPA baseDN:

https://fedorahosted.org/freeipa/changeset/00cffce6c2ba0121188326535d6c9cd244a4ae5b

Martin



Well, I did mine first so you should have copied from me :-)

I'll see if I can safely import that.

rob



Re: [Freeipa-devel] [PATCH] 884 migration context and logging

2011-10-04 Thread Martin Kosek
On Tue, 2011-10-04 at 08:53 -0400, Rob Crittenden wrote:
 Martin Kosek wrote:
  On Mon, 2011-10-03 at 16:44 -0400, Rob Crittenden wrote:
  Martin Kosek wrote:
  On Mon, 2011-09-26 at 22:24 -0400, Rob Crittenden wrote:
  We can't assume that there will be only one naming context. Look at each
  one until we find an IPA one.
 
  Add logging so you can know that a migration attempt fails and why.
 
  rob
 
  Looks good, it's just difficult to set up a proper environment for
  reproduction. So far, I found just this problem:
 
  [Tue Sep 27 10:30:39 2011] [error] [client 10.34.25.52] mod_wsgi 
  (pid=32705): Exception occurred processing WSGI script 
  '/usr/share/ipa/migration/migration.py'.
  [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] Traceback (most 
  recent call last):
  [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]   File 
  /usr/share/ipa/migration/migration.py, line 127, in application
  [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] 
  bind(form_data['username'].value, form_data['password'].value)
  [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]   File 
  /usr/share/ipa/migration/migration.py, line 107, in bind
  [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] 
  logging.error('migration bind failed: %s' % convert_exception(e))
 
  Martin
 
 
  Just missed saving the exception as a variable, should work now.
 
  rob
 
  Works fine, tested on multiple-suffix LDAP server. We should also be
  fine when anonymous access is not allowed (Simo was dealing with this in
  ipa-client-install in #1881) since migration.py binds via socket.
 
  I have just one suggestion - instead of searching for correct naming
  context on your own, you may want to use a function get_ipa_basedn() I
  implemented for ipa-client-install (#1868). This will do all the checks
  and return you just the IPA baseDN:
 
  https://fedorahosted.org/freeipa/changeset/00cffce6c2ba0121188326535d6c9cd244a4ae5b
 
  Martin
 
 
 Well, I did mine first so you should have copied from me :-)

I _did_ copy from you ;-) I just made a function for it so that it can
be reused.

 
 I'll see if I can safely import that.
 
 rob

Ok.

Martin



Re: [Freeipa-devel] [PATCH] 877 prompt for current password

2011-10-04 Thread Rob Crittenden

Martin Kosek wrote:

On Mon, 2011-10-03 at 15:16 -0400, Rob Crittenden wrote:

Martin Kosek wrote:

On Mon, 2011-09-19 at 09:03 -0400, Rob Crittenden wrote:

Jan Cholasta wrote:

On 16.9.2011 21:16, Rob Crittenden wrote:

Prompt for the current password when changing your own password using
ipa passwd.

I had to jump through several hoops with this:

- Added a new sortorder option so the Current password is prompted first


IMO something like before='password' would be more readable and
probably less error-prone than sortorder=-1.


The params are sorted numerically based on whether they are required,
have a default, etc. A negative value means it will appear first. This
is intended to be generic enough without having to worry about nested
resolution (A before B, B before C, C before A).




- Pass a magic value for current_password if changing someone else's
password

NOTE: This breaks the API for passwd. There is no way around it. I have
this as a minor update as it won't cause older clients to blow up too
badly, but their passwd command won't work.

rob



Honza



Generally, it works fine except for the case when the user passes their own
user name. Do we want to support the following way?

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: f...@idm.lab.bos.redhat.com

Valid starting     Expires            Service principal
09/23/11 09:48:05  09/24/11 09:48:05  krbtgt/idm.lab.bos.redhat@idm.lab.bos.redhat.com

# ipa passwd fbar
New Password:
Enter New Password again to verify:
ipa: ERROR: Insufficient access: Invalid credentials

Maybe we could throw an error when the user passes their own principal to ipa
passwd command. After all, this argument is for changing _other_ user
passwords.

Martin



Fixed. The username wasn't being normalized into a principal until after
the default was set (where we determine whether to prompt for current
password).

rob


I don't think this is the correct patch :-)

Martin



Try this one.
From 2ad7acc2b9cb1f1bc67e6ef35788cae69ca54715 Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Fri, 16 Sep 2011 15:08:17 -0400
Subject: [PATCH] Require current password when using passwd to change your
 own password.

Add a new required parameter, current_password. In order to ask this
first I added a new parameter option, sortorder. The lower the value the
earlier it will be prompted for.

I also changed the way autofill works. It will attempt to get the default
and if it doesn't get anything will continue prompting interactively.

Since current_password is required I'm passing a magic value that
means changing someone else's password. We need to pass something
since current_password is required.

The python-ldap passwd command doesn't seem to use the old password at
all so I do a simple bind to validate it.

https://fedorahosted.org/freeipa/ticket/1808
---
 API.txt|5 +++--
 VERSION|2 +-
 ipalib/cli.py  |6 --
 ipalib/frontend.py |2 ++
 ipalib/parameters.py   |1 +
 ipalib/plugins/passwd.py   |   40 +---
 ipaserver/plugins/ldap2.py |   11 +++
 7 files changed, 59 insertions(+), 8 deletions(-)

diff --git a/API.txt b/API.txt
index ac6560b..10b3f86 100644
--- a/API.txt
+++ b/API.txt
@@ -1829,9 +1829,10 @@ output: Output('summary', (type 'unicode', type 'NoneType'), 'User-friendly
 output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('value', type 'unicode', The primary_key value of the entry, e.g. 'jdoe' for a user)
 command: passwd
-args: 2,0,3
+args: 3,0,3
 arg: Str('principal', validate_principal, autofill=True, cli_name='user', create_default=lambda, label=Gettext('User name', domain='ipa', localedir=None), normalizer=lambda, primary_key=True)
-arg: Password('password', label=Gettext('Password', domain='ipa', localedir=None))
+arg: Password('password', label=Gettext('New Password', domain='ipa', localedir=None))
+arg: Password('current_password', autofill=True, confirm=False, default_from=lambda, label=Gettext('Current Password', domain='ipa', localedir=None), sortorder=-1)
 output: Output('summary', (type 'unicode', type 'NoneType'), 'User-friendly description of action performed')
 output: Output('result', type 'bool', 'True means the operation was successful')
 output: Output('value', type 'unicode', The primary_key value of the entry, e.g. 'jdoe' for a user)
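Review bot: `args: 3,0,3` makes `current_password` a required positional for `passwd`, and the commit message says a magic value is substituted in it when changing someone else's password. That magic value is therefore part of the wire API that every client must know, but this hunk only records it as `default_from=lambda`; spell the sentinel out next to the arg definition (or in the command's docstring) so third-party clients and the older clients this breaks can interoperate, and consider whether a required parameter that is routinely filled with a placeholder should instead be optional.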
diff --git a/VERSION b/VERSION
index a838058..ff8f92b 100644
--- a/VERSION
+++ b/VERSION
@@ -79,4 +79,4 @@ IPA_DATA_VERSION=2010061412
 #  #
 
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=11
+IPA_API_VERSION_MINOR=12
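Review bot: only `IPA_API_VERSION_MINOR` is bumped here, while the API.txt hunk changes `passwd` from two to three required args, which the commit message admits breaks older clients' `passwd`. If minor is kept on purpose (the stated reasoning being that clients otherwise keep working), that decision and the one broken command belong in the release notes next to this version change.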
diff --git a/ipalib/cli.py b/ipalib/cli.py
index 0a7d1a4..86365e7 100644
--- a/ipalib/cli.py
+++ b/ipalib/cli.py
@@ -1048,12 +1048,14 @@ class 

Re: [Freeipa-devel] [PATCH] 130 ipa-client assumes a single namingcontext

2011-10-04 Thread Simo Sorce
On Tue, 2011-10-04 at 08:03 -0400, Stephen Gallagher wrote:
 On Fri, 2011-09-30 at 16:15 -0400, Simo Sorce wrote:
  On Fri, 2011-09-30 at 16:02 -0400, Stephen Gallagher wrote:
   On Thu, 2011-09-29 at 15:20 +0200, Martin Kosek wrote:
How to test:
1) Add new naming context (suffix) to your LDAP database with installed
IPA (see attached LDIF). The server should return the new suffix as the
first one. You can change with its base DN if it does not.
2) Install IPA client against the server. ipa-client-install should detect the
LDAP server as the IPA one only if the patch is applied on the client

---

When LDAP server contains more than one suffix, the ipa client
installation does not detect it as IPA server and fails to install.
Fix ipa server discovery so that it correctly searches all naming
contexts for the IPA one.

https://fedorahosted.org/freeipa/ticket/1868
   
   
   Tangentially related, it would be prudent for FreeIPA server
   installations to set not only namingContexts but also the
   defaultNamingContext. This way, clients autodetecting the ldap search
   base from the RootDSE will have an unambiguous way to do so (in the
   event that multiple namingContexts have been added)
  
  Please CC yourself here to be notified when this will be available in
  DS: https://bugzilla.redhat.com/show_bug.cgi?id=742317
 
 
 I'd like to add some more information on this (which I also just opened
 as upstream ticket https://fedorahosted.org/freeipa/ticket/1919).
 
 Right now, FreeIPA is set up with a single namingContexts, which is the
 'dc=example,dc=com' root of the LDAP tree. The problem is that this
 search domain encompasses both the standard cn=accounts and the
 cn=compat trees. This means that SSSD, if set up as an RFC2307bis client
 instead of a full ipa-client-install (which explicitly sets the search
 base to cn=accounts) cannot safely auto-detect the search base to use.
 
 I think that FreeIPA should ship with the following settings in the
 RootDSE:
 
 defaultNamingContext: cn=accounts,dc=example,dc=com
 namingContexts: dc=example,dc=com
 namingContexts: cn=accounts,dc=example,dc=com
 
 and if compat mode is also enabled:
 namingContexts: cn=compat,dc=example,dc=com
 
 This will allow us to auto-detect in a sane way, as well as allowing us
 to easily communicate to clients that compat mode is or is not enabled.

No.
The best way out here is to move cn=compat into its base imho.

We've had other issues in the past so I think we should really move
cn=compat to its own base called just 'cn=compat'.

We should expose it as a namingContext of course so we should wait until
DS implements the option to have defaultNamingContext.

So we can point defaultNamingContext to the regular base DN.

We probably also need to make this configurable at this point as we need
to not break existing setups at upgrade time (replicas need the info too
at replication time, so this option should be something we have in the
replicated tree imho).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
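The discovery logic argued about in this thread and in the migration thread above (probe every namingContexts value until one is the IPA suffix, prefer defaultNamingContext once the DS publishes it, and log why a probe was rejected), as an added Python example. This is my code, not ipa-client-install's `get_ipa_basedn()` or migration.py; the `FakeDirectory` class stands in for a bound python-ldap connection so the example runs offline, and the IPA marker (`info` starting with `IPA V`) is an assumption about how the IPA base entry is recognised.

```python
import logging

log = logging.getLogger('ipa.basedn')

# Assumption for this example: the IPA suffix's base entry carries an
# "info" attribute beginning with "IPA V" (e.g. "IPA V2.0"). The real
# check lives in ipapython's get_ipa_basedn(), which is not used here.
IPA_MARKER_ATTR = 'info'
IPA_MARKER_PREFIX = 'IPA V'


class FakeDirectory(object):
    """Constructed stand-in for a bound python-ldap connection: a RootDSE
    plus base entries keyed by DN. Attribute values are lists of strings,
    the shape python-ldap returns."""

    def __init__(self, rootdse, entries):
        self.rootdse = rootdse
        self.entries = entries

    def rootdse_attr(self, name):
        # python-ldap equivalent: conn.search_s('', ldap.SCOPE_BASE, attrlist=[name])
        return list(self.rootdse.get(name, []))

    def base_entry(self, dn):
        # python-ldap equivalent: conn.search_s(dn, ldap.SCOPE_BASE, attrlist=['info'])
        return self.entries.get(dn)


def find_ipa_basedn(conn):
    """Probe every namingContexts value in order and return the first whose
    base entry carries the IPA marker, or None. Each rejection is logged so
    a failed discovery says why, the logging half of the migration patch."""
    contexts = conn.rootdse_attr('namingContexts')
    if not contexts:
        log.error('RootDSE publishes no namingContexts')
        return None
    for ctx in contexts:
        entry = conn.base_entry(ctx)
        if entry is None:
            log.warning('naming context %s is not readable', ctx)
            continue
        markers = entry.get(IPA_MARKER_ATTR, [])
        if any(v.startswith(IPA_MARKER_PREFIX) for v in markers):
            return ctx
        log.info('naming context %s is not an IPA suffix', ctx)
    log.error('none of %d naming contexts is an IPA suffix', len(contexts))
    return None


def choose_search_base(conn):
    """Client-side policy proposed above: trust defaultNamingContext when
    the server publishes it, otherwise fall back to probing each context."""
    default = conn.rootdse_attr('defaultNamingContext')
    if default:
        return default[0]
    return find_ipa_basedn(conn)


# Constructed sample: an extra suffix listed first, as in the "How to test"
# steps; only dc=example,dc=com is the IPA suffix.
MULTI_SUFFIX = FakeDirectory(
    rootdse={'namingContexts': ['dc=other,dc=test', 'dc=example,dc=com']},
    entries={
        'dc=other,dc=test': {'objectClass': ['domain']},
        'dc=example,dc=com': {'objectClass': ['domain'], 'info': ['IPA V2.0']},
    })

# The same server once it also publishes the proposed defaultNamingContext.
WITH_DEFAULT = FakeDirectory(
    rootdse={'namingContexts': ['dc=example,dc=com', 'cn=accounts,dc=example,dc=com'],
             'defaultNamingContext': ['cn=accounts,dc=example,dc=com']},
    entries={'dc=example,dc=com': {'info': ['IPA V2.0']},
             'cn=accounts,dc=example,dc=com': {}})

if __name__ == '__main__':
    logging.basicConfig(level=logging.INFO)
    print(choose_search_base(MULTI_SUFFIX))
    print(choose_search_base(WITH_DEFAULT))
```

Note how `choose_search_base` returns `cn=accounts,dc=example,dc=com` for the second server even though that DN carries no IPA marker: a published defaultNamingContext is taken at face value, which is precisely why it should only be set by the server installer and not be a value an arbitrary suffix can claim.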



Re: [Freeipa-devel] [PATCH] 877 prompt for current password

2011-10-04 Thread Martin Kosek
On Tue, 2011-10-04 at 08:59 -0400, Rob Crittenden wrote:
 Martin Kosek wrote:
  On Mon, 2011-10-03 at 15:16 -0400, Rob Crittenden wrote:
  Martin Kosek wrote:
  On Mon, 2011-09-19 at 09:03 -0400, Rob Crittenden wrote:
  Jan Cholasta wrote:
  On 16.9.2011 21:16, Rob Crittenden wrote:
  Prompt for the current password when changing your own password using
  ipa passwd.
 
  I had to jump through several hoops with this:
 
  - Added a new sortorder option so the Current password is prompted 
  first
 
  IMO something like before='password' would be more readable and
  probably less error-prone than sortorder=-1.
 
  The params are sorted numerically based on whether they are required,
  have a default, etc. A negative value means it will appear first. This
  is intended to be generic enough without having to worry about nested
  resolution (A before B, B before C, C before A).
 
 
  - Pass a magic value for current_password if changing someone else's
  password
 
  NOTE: This breaks the API for passwd. There is no way around it. I have
  this as a minor update as it won't cause older clients to blow up too
  badly, but their passwd command won't work.
 
  rob
 
 
  Honza
 
 
  Generally, it works fine except for the case when the user passes their own
  user name. Do we want to support the following way?
 
  # klist
  Ticket cache: FILE:/tmp/krb5cc_0
  Default principal: f...@idm.lab.bos.redhat.com
 
  Valid starting     Expires            Service principal
  09/23/11 09:48:05  09/24/11 09:48:05  krbtgt/idm.lab.bos.redhat@idm.lab.bos.redhat.com
 
  # ipa passwd fbar
  New Password:
  Enter New Password again to verify:
  ipa: ERROR: Insufficient access: Invalid credentials
 
  Maybe we could throw an error when the user passes their own principal to ipa
  passwd command. After all, this argument is for changing _other_ user
  passwords.
 
  Martin
 
 
  Fixed. The username wasn't being normalized into a principal until after
  the default was set (where we determine whether to prompt for current
  password).
 
  rob
 
  I don't think this is the correct patch :-)
 
  Martin
 
 
 Try this one.

Yeah, this one is much better. ACK and pushed to master, ipa-2-1.

Martin



Re: [Freeipa-devel] [PATCH] 884 migration context and logging

2011-10-04 Thread Rob Crittenden

Martin Kosek wrote:

On Tue, 2011-10-04 at 08:53 -0400, Rob Crittenden wrote:

Martin Kosek wrote:

On Mon, 2011-10-03 at 16:44 -0400, Rob Crittenden wrote:

Martin Kosek wrote:

On Mon, 2011-09-26 at 22:24 -0400, Rob Crittenden wrote:

We can't assume that there will be only one naming context. Look at each
one until we find an IPA one.

Add logging so you can know that a migration attempt fails and why.

rob


Looks good, it's just difficult to set up a proper environment for
reproduction. So far, I found just this problem:

[Tue Sep 27 10:30:39 2011] [error] [client 10.34.25.52] mod_wsgi (pid=32705): 
Exception occurred processing WSGI script 
'/usr/share/ipa/migration/migration.py'.
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] Traceback (most recent 
call last):
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]   File 
/usr/share/ipa/migration/migration.py, line 127, in application
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] 
bind(form_data['username'].value, form_data['password'].value)
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]   File 
/usr/share/ipa/migration/migration.py, line 107, in bind
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] 
logging.error('migration bind failed: %s' % convert_exception(e))

Martin



Just missed saving the exception as a variable, should work now.

rob


Works fine, tested on multiple-suffix LDAP server. We should also be
fine when anonymous access is not allowed (Simo was dealing with this in
ipa-client-install in #1881) since migration.py binds via socket.

I have just one suggestion - instead of searching for correct naming
context on your own, you may want to use a function get_ipa_basedn() I
implemented for ipa-client-install (#1868). This will do all the checks
and return you just the IPA baseDN:

https://fedorahosted.org/freeipa/changeset/00cffce6c2ba0121188326535d6c9cd244a4ae5b

Martin



Well, I did mine first so you should have copied from me :-)


I _did_ copy from you ;-) I just made a function for it so that it can
be reused.



I'll see if I can safely import that.

rob


Ok.

Martin



Done

From 5e26a10179605f7127febb5b1a557eff37d87db8 Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Mon, 26 Sep 2011 22:19:57 -0400
Subject: [PATCH] Migration: don't assume there is only one naming context,
 add logging.

We can't assume that there will be only one naming context. Look at each
one until we find an IPA one.

Add logging so you can know that a migration attempt fails and why.

https://fedorahosted.org/freeipa/ticket/1834
https://fedorahosted.org/freeipa/ticket/1835
---
 install/migration/invalid.html |2 +-
 install/migration/migration.py |   47 
 2 files changed, 34 insertions(+), 15 deletions(-)

diff --git a/install/migration/invalid.html b/install/migration/invalid.html
index a641d1a..91de79f 100644
--- a/install/migration/invalid.html
+++ b/install/migration/invalid.html
@@ -35,7 +35,7 @@
  pIf the problem persists, contact your administrator./p
  /div
/div
-   form id=login action= name=
+   form id=login action=migration.py method=post name=
   ul
 li
   label for=usernameUsername:/label
diff --git a/install/migration/migration.py b/install/migration/migration.py
index ed6ade9..8edd678 100644
--- a/install/migration/migration.py
+++ b/install/migration/migration.py
@@ -25,10 +25,25 @@ import errno
 import glob
 import ldap
 import wsgiref
+import logging
+from ipapython.ipautil import get_ipa_basedn
 
 BASE_DN = ''
 LDAP_URI = 'ldaps://localhost:636'
 
+def convert_exception(error):
+
+Convert an LDAP exception into something more readable.
+
+if not isinstance(error, ldap.TIMEOUT):
+desc = error.args[0]['desc'].strip()
+info = error.args[0].get('info', '').strip()
+else:
+desc = ''
+info = ''
+
+return '%s (%s)' % (desc, info)
+
 def wsgi_redirect(start_response, loc):
 start_response('302 Found', [('Location', loc)])
 return []
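Review bot: `convert_exception` indexes `error.args[0]['desc']` unguarded, so an LDAPError raised with an empty `args` or without a `desc` key turns into an IndexError/KeyError thrown from inside the error handler that calls it, replacing the intended log line with a new traceback (the same failure class as the `e` that was missing earlier in this thread). Use `.get('desc', '')` as is already done for `info`, and treat a missing `args[0]` dict the same way as the TIMEOUT case.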
@@ -44,39 +59,44 @@ def get_base_dn():
 
 Retrieve LDAP server base DN.
 
+global BASE_DN
+
 if BASE_DN:
 return BASE_DN
 try:
 conn = ldap.initialize(LDAP_URI)
 conn.simple_bind_s('', '')
-entries = conn.search_ext_s(
-'', scope=ldap.SCOPE_BASE, attrlist=['namingcontexts']
-)
-except ldap.LDAPError:
-return ''
-conn.unbind_s()
-try:
-return entries[0][1]['namingcontexts'][0]
-except (IndexError, KeyError):
+BASE_DN = get_ipa_basedn(conn)
+except ldap.LDAPError, e:
+logging.error('migration context search failed: %s' % e)
 return ''
+finally:
+conn.unbind_s()
+
+return BASE_DN
 
 def bind(username, password):
 base_dn = get_base_dn()
 if not base_dn:
+logging.error('migration 

Re: [Freeipa-devel] Mozilla Specific User Certificate Generation code:

2011-10-04 Thread Adam Young

On 10/04/2011 09:32 AM, Rob Crittenden wrote:

Adam Young wrote:

It is possible to generate a Certificate signing request from the
browser, if we use Mozilla specific code. I've mildly hacked the Mozilla
sample code to work with JQuery and to display the CSR to the screen,
instead of sending it right to the server.

I'd see this working something like this:

1. add the certificate attribute to the user plugin.
2. On the user page, if the principal of the user selected matches the
kerberos principal for the logged user, show the certificate control
3. The certificate control allows the user to request a new certificate.
4. If the user has a certificate, the certificate control allow the user
to download the certificate.


I have to look into the details, but the certificate should only be
usable by default in the browser that originally requested it. However,
it is fairly easy to export the certificate, along with the primary keys
that generated its CSR, such that it would be usable elsewhere: For
example https://ca.cern.ch/ca/Help/?kbid=040111

This seems fairly simple to implement. We would not even have to
extend the API. We keep the certificate request separate from the user
until it is signed, and then add it to the user object. Thus it would be
created as a side effect of:

ipa cert-request --add --principal=abrad...@dev.example.com abradley.csr


Yes, CRMF is how we'll eventually add user certificate support, but 
this is the easy part.


On the server side we need to add support for multiple certificate 
profiles (your above request issues a server cert for the user abradley).


We also need a way to manage a queue of requests. User certificates 
are a different beast from server certs and in many cases will require 
the intervention of a security officer, or some other 3rd party 
verification.


rob



Basic user certificates should probably be issued without security 
officer intervention, as they merely play the same role as the Kerberos 
credential.  Where it gets tricky is if we deactivate a user,  we should 
put the certificate on Hold,  which means we need to update the CRLs we 
publish, but CS should handle this fairly easily.  We would need to 
expand the Cert plugin to determine if a request is for a user 
certificate or a server certificate, but it has enough information to do
that already.


However, there might be other certificates that we want to issue in the 
future.  If I understand correctly,  this work should be delegated to 
Certificate server, and the IPA Cert plugin needs to be expanded to 
track the certificate requests pending in the CS instance.



Re: [Freeipa-devel] [PATCH] 0018 Unroll StrEnum values when displaying help

2011-10-04 Thread Rob Crittenden

Alexander Bokovoy wrote:

Hi,

when help is displayed, for options that require values we show their
type. With string enumerations this does not really help the user,
as it is unclear what the values of the enumeration are.

Attached patch fixes it by providing a nicer list of possible values.

https://fedorahosted.org/freeipa/ticket/1848

As a result, instead of what is shown in the ticket:

[root@kungfupanda ~]# ipa help hbacrule-add
Purpose: Create a new HBAC rule.
Usage: ipa [global-options] hbacrule-add NAME [options]

Options:
   -h, --help            show this help message and exit
   --usercat=STRENUM     User category the rule applies to
   --hostcat=STRENUM     Host category the rule applies to
   --srchostcat=STRENUM  Source host category the rule applies to
   --servicecat=STRENUM  Service category the rule applies to
-

one would get the following:


[root@kungfupanda ~]# ipa help hbacrule-add
Purpose: Create a new HBAC rule.
Usage: ipa [global-options] hbacrule-add NAME [options]

Options:
   -h, --help            show this help message and exit
   --usercat=['all']     User category the rule applies to
   --hostcat=['all']     Host category the rule applies to
   --srchostcat=['all']  Source host category the rule applies to
   --servicecat=['all']  Service category the rule applies to


It becomes even more reasonable with type or class options -- overall
we have 65 StrEnums in the current set of options.

For example, in dnsrecord-add the --class option was shown as
   --class=STRENUM  DNS class

With the patch attached it will be more understandable:

[root@host3 ~]# ipa help dnsrecord-add
Purpose: Add new DNS resource record.
Usage: ipa [global-options] dnsrecord-add DNSZONE NAME [options]

Options:
   -h, --help            show this help message and exit
   --ttl=INT             Time to live
   --class=['IN', 'CS', 'CH', 'HS']
                         DNS class
   --addattr=STR         Add an attribute/value pair. Format is attr=value. The
                         attribute must be part of the schema.
   --setattr=STR         Set an attribute to a name/value pair. Format is
                         attr=value. For multi-valued attributes, the command
                         replaces the values already present.



ack, pushed to master and ipa-2-1



Re: [Freeipa-devel] [PATCH] 884 migration context and logging

2011-10-04 Thread Martin Kosek
On Tue, 2011-10-04 at 09:26 -0400, Rob Crittenden wrote:
 Martin Kosek wrote:
  On Tue, 2011-10-04 at 08:53 -0400, Rob Crittenden wrote:
  Martin Kosek wrote:
  On Mon, 2011-10-03 at 16:44 -0400, Rob Crittenden wrote:
  Martin Kosek wrote:
  On Mon, 2011-09-26 at 22:24 -0400, Rob Crittenden wrote:
  We can't assume that there will be only one naming context. Look at 
  each
  one until we find an IPA one.
 
  Add logging so you can know that a migration attempt fails and why.
 
  rob
 
  Looks good, it's just difficult to set up a proper environment for
  reproduction. So far, I found just this problem:
 
  [Tue Sep 27 10:30:39 2011] [error] [client 10.34.25.52] mod_wsgi 
  (pid=32705): Exception occurred processing WSGI script 
  '/usr/share/ipa/migration/migration.py'.
  [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] Traceback (most 
  recent call last):
  [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]   File 
  /usr/share/ipa/migration/migration.py, line 127, in application
  [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] 
  bind(form_data['username'].value, form_data['password'].value)
  [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]   File 
  /usr/share/ipa/migration/migration.py, line 107, in bind
  [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] 
  logging.error('migration bind failed: %s' % convert_exception(e))
 
  Martin
 
 
  Just missed saving the exception as a variable, should work now.
 
  rob
 
  Works fine, tested on multiple-suffix LDAP server. We should also be
  fine when anonymous access is not allowed (Simo was dealing with this in
  ipa-client-install in #1881) since migration.py binds via socket.
 
  I have just one suggestion - instead of searching for correct naming
  context on your own, you may want to use a function get_ipa_basedn() I
  implemented for ipa-client-install (#1868). This will do all the checks
  and return you just the IPA baseDN:
 
  https://fedorahosted.org/freeipa/changeset/00cffce6c2ba0121188326535d6c9cd244a4ae5b
 
  Martin
 
 
  Well, I did mine first so you should have copied from me :-)
 
  I _did_ copy from you ;-) I just made a function for it so that it can
  be reused.
 
 
  I'll see if I can safely import that.
 
  rob
 
  Ok.
 
  Martin
 
 
 Done
 

ACK. Pushed to master, ipa-2-1.

Martin



Re: [Freeipa-devel] [PATCH] 51 Add a function for formatting network locations

2011-10-04 Thread John Dennis

On 10/04/2011 04:07 AM, Jan Cholasta wrote:

Looks good Jan, thank you. ACK


--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



[Freeipa-devel] [PATCH] 019 Disables gid field if not posix group in group adder dialog

2011-10-04 Thread Petr Vobornik

https://fedorahosted.org/freeipa/ticket/1922

gidNumber is not an allowed attribute for a non-posix group.  When 
adding a non-posix group from the UI, unchecking the Is this a POSIX 
group?: box should disable the GID: field.


--
Petr Vobornik
From 3e329f7f6e26cf839681c95d163625223fb2c546 Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Tue, 4 Oct 2011 18:38:08 +0200
Subject: [PATCH] Disables gid field if not posix group in group adder dialog

https://fedorahosted.org/freeipa/ticket/1922

gidNumber is not an allowed attribute for a non-posix group.  When adding a non-posix group from the UI, unchecking the Is this a POSIX group?: box should disable the GID: field.
---
 install/ui/group.js  |   29 -
 install/ui/widget.js |   11 +++
 2 files changed, 39 insertions(+), 1 deletions(-)

diff --git a/install/ui/group.js b/install/ui/group.js
index ad705eb21e4ed06298319110ca4822e86ec701dc..b4753a7ebbeead25ba6e17c8e7e306708606904d 100644
--- a/install/ui/group.js
+++ b/install/ui/group.js
@@ -88,6 +88,7 @@ IPA.entity_factories.group =  function () {
 }).
 standard_association_facets().
 adder_dialog({
+factory: IPA.group_adder_dialog,
 fields: [
 'cn',
 'description',
@@ -115,4 +116,30 @@ IPA.group_nonposix_checkbox_widget = function (spec) {
 };
 
 return that;
-};
\ No newline at end of file
+};
+
+IPA.group_adder_dialog = function (spec) {
+
+spec = spec || {};
+
+var that = IPA.add_dialog(spec);
+
+var init = function() {
+
+var posix_field = that.get_field('nonposix');
+posix_field.value_changed.attach(that.on_posix_change);
+};
+
+that.on_posix_change = function (value) {
+
+var gid_field = that.get_field('gidnumber');
+if(value) {
+gid_field.reset();
+}
+gid_field.set_enabled(!value);
+};
+
+init();
+
+return that;
+};
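Review bot: `init()` only attaches the listener; nothing applies the checkbox's initial state to the GID field when the dialog opens, so the field stays enabled (and accepts input) until the user toggles the box once. Call `that.on_posix_change(...)` with the current checkbox value after attaching, or on dialog open. Also `that.get_field('nonposix')` is dereferenced without a null check, so a dialog configured without that field fails inside `init()` rather than with a clear message.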
diff --git a/install/ui/widget.js b/install/ui/widget.js
index f46d79e72309ce367a7f0b3f1fb1f974871ca402..b86f6e04c593f7fbe145f120865e622333092f8e 100644
--- a/install/ui/widget.js
+++ b/install/ui/widget.js
@@ -468,6 +468,15 @@ IPA.text_widget = function(spec) {
 }
 };
 
+that.set_enabled = function(value) {
+
+if(value) {
+that.input.removeAttr('disabled');
+} else {
+that.input.attr('disabled', 'disabled');
+}
+};
+
 // methods that should be invoked by subclasses
 that.text_load = that.load;
 
@@ -771,6 +780,7 @@ IPA.checkbox_widget = function (spec) {
 
 // default value
 that.checked = spec.checked || false;
+that.value_changed = IPA.observer();
 
 that.create = function(container) {
 
@@ -785,6 +795,7 @@ IPA.checkbox_widget = function (spec) {
 title: that.tooltip,
 change: function() {
 that.set_dirty(that.test_dirty());
+that.value_changed.notify(that.save(), that);
 }
 }).appendTo(container);
 
-- 
1.7.6


Re: [Freeipa-devel] [PATCH] 49 Work around pkisilent bugs

2011-10-04 Thread Rob Crittenden

Jan Cholasta wrote:

Work around pkisilent bugs.

Check directory manager password for invalid characters.
(https://bugzilla.redhat.com/show_bug.cgi?id=658641)

Shell-escape pkisilent command-line arguments.
(https://bugzilla.redhat.com/show_bug.cgi?id=741180)

Once the bugs are fixed, the workarounds should be removed and pkisilent
minimum required version should be bumped.

https://fedorahosted.org/freeipa/ticket/1636

Honza


Potential nack. The code here works, I just found a couple more corner cases.

Some special characters in the subject base also cause pkisilent to fail. Ampersand is one. I wonder if we need to catch this as well.


Tab in the password will cause a failure.

rob



Re: [Freeipa-devel] [PATCH] 0016 Setup and restore ntp configuration on the

2011-10-04 Thread Alexander Bokovoy
On Tue, 04 Oct 2011, Jan Cholasta wrote:
 On 4.10.2011 13:00, Alexander Bokovoy wrote:
 
 Hi,
 
 attached patch addresses ticket #1770.
 
 
 ipa-client-install fails with:
 
 Traceback (most recent call last):
   File /usr/sbin/ipa-client-install, line 1165, in module
 sys.exit(main())
   File /usr/sbin/ipa-client-install, line 1154, in main
 rval = install(options, env, fstore, statestore)
   File /usr/sbin/ipa-client-install, line 1122, in install
 ipaclient.ntpconf.config_ntp(ntp_server, fstore, statestore)
   File /usr/lib/python2.7/site-packages/ipaclient/ntpconf.py, line
 118, in config_ntp
 sysstore.backup_state(module, enabled,
 ipaservices.knownservices.ntp.enabled())
   File /usr/lib/python2.7/site-packages/ipalib/plugable.py, line
 167, in __getattr__
 raise AttributeError('no magic attribute %r' % name)
 AttributeError: no magic attribute 'ntp'
Mea culpa. :(

Fixed patch attached.

-- 
/ Alexander Bokovoy
From 2de0c707424e735faf03fb786b98cbb3e3ee55da Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Tue, 4 Oct 2011 13:56:12 +0300
Subject: [PATCH] Setup and restore ntp configuration on the client side
 properly

When setting up the client-side NTP configuration, make sure that 
/etc/ntp/step-tickers
point to IPA NTP server as well.
When restoring the client during ipa-client-install --uninstall, make sure NTP 
configuration
is fully restored and NTP service is disabled if it was disabled before the 
installation.

https://fedorahosted.org/freeipa/ticket/1770
---
 ipa-client/ipa-install/ipa-client-install |   19 ++-
 ipa-client/ipaclient/ntpconf.py   |   52 
 2 files changed, 55 insertions(+), 16 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install 
b/ipa-client/ipa-install/ipa-client-install
index 
76f7f1913c804053edb8b90979286a0592fa5737..4b6520f2c7ad67442f57a5d98d691912555c2c3c
 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -331,6 +331,23 @@ def uninstall(options, env, quiet=False):
 emit_quiet(quiet, Reboot command failed to exceute.  + 
str(e))
 return CLIENT_UNINSTALL_ERROR
 
+ntp_configured = statestore.has_state('ntp')
+if ntp_configured:
+ntp_enabled = statestore.restore_state('ntp', 'enabled')
+ntp_step_tickers = statestore.restore_state('ntp', 'step-tickers')
+
+restored = fstore.restore_file(/etc/ntp.conf)
+restored |= fstore.restore_file(/etc/sysconfig/ntpd)
+if ntp_step_tickers:
+   restored |= fstore.restore_file(/etc/ntp/step-tickers)
+
+if not ntp_enabled:
+   ipaservices.knownservices.ntpd.stop()
+   ipaservices.knownservices.ntpd.disable()
+else:
+   if restored:
+   ipaservices.knownservices.ntpd.restart()
+
 # Remove the IPA configuration file
 try:
 os.remove(/etc/ipa/default.conf)
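Review bot: the NTP restore block sits after the reboot handling shown in the context lines, so when the reboot command succeeds the `ntpd.stop()`/`disable()` and file restores race the shutdown; move the block up to where the other services are restored, before the reboot is issued. Also, the `restored |= fstore.restore_file(/etc/ntp/step-tickers)` line and the `ipaservices.knownservices.ntpd.*` lines are indented three spaces under their `if`/`else` instead of the four used elsewhere in the file.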
@@ -1102,7 +1119,7 @@ def install(options, env, fstore, statestore):
 ntp_server = options.ntp_server
 else:
 ntp_server = cli_server
-ipaclient.ntpconf.config_ntp(ntp_server, fstore)
+ipaclient.ntpconf.config_ntp(ntp_server, fstore, statestore)
 print NTP enabled
 
 print Client configuration complete.
diff --git a/ipa-client/ipaclient/ntpconf.py b/ipa-client/ipaclient/ntpconf.py
index 
3042005f41ea3ed6c8fee739b9cf2b833a8d6d59..cf203b90490f8268553229730cc2966d2c14f292
 100644
--- a/ipa-client/ipaclient/ntpconf.py
+++ b/ipa-client/ipaclient/ntpconf.py
@@ -20,6 +20,7 @@
 from ipapython import ipautil
 from ipapython import services as ipaservices
 import shutil
+import os
 
 ntp_conf = # Permit time synchronization with our time source, but do not
 # permit the source to query or modify the service on this system.
@@ -80,30 +81,51 @@ SYNC_HWCLOCK=yes
 # Additional options for ntpdate
 NTPDATE_OPTIONS=
 
+ntp_step_tickers = # Use IPA-provided NTP server for initial time
+$SERVER
+
+def __backup_config(path, fstore = None):
+if fstore:
+fstore.backup_file(path)
+else:
+shutil.copy(path, %s.ipasave % (path))
 
-def config_ntp(server_fqdn, fstore = None):
+def __write_config(path, content):
+fd = open(path, w)
+fd.write(content)
+fd.close()
+
+def config_ntp(server_fqdn, fstore = None, sysstore = None):
+path_step_tickers = /etc/ntp/step-tickers
+path_ntp_conf = /etc/ntp.conf
+path_ntp_sysconfig = /etc/sysconfig/ntpd
 sub_dict = { }
 sub_dict[SERVER] = server_fqdn
 
 nc = ipautil.template_str(ntp_conf, sub_dict)
+config_step_tickers = False
 
-if fstore:
-fstore.backup_file(/etc/ntp.conf)
-else:
-shutil.copy(/etc/ntp.conf, /etc/ntp.conf.ipasave)
 
-fd = open(/etc/ntp.conf, w)
-fd.write(nc)
-fd.close()
+if os.path.exists(path_step_tickers):
+config_step_tickers = True
+ns = 
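Review bot: the double-underscore prefix on module-level `__backup_config` and `__write_config` does nothing (name mangling only applies inside classes); use a single leading underscore for module-private helpers, as in the rest of the code base. Separately, `config_step_tickers` is only set when `/etc/ntp/step-tickers` already exists, so on a host without that file the IPA server is never added to it, although the commit message says the file should point at the IPA NTP server; either create it or document that existing files only are rewritten.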

Re: [Freeipa-devel] [PATCH] 0016 Setup and restore ntp configuration on the

2011-10-04 Thread Jan Cholasta

On 4.10.2011 20:53, Alexander Bokovoy wrote:

On Tue, 04 Oct 2011, Jan Cholasta wrote:

On 4.10.2011 13:00, Alexander Bokovoy wrote:


Hi,

attached patch addresses ticket #1770.



ipa-client-install fails with:

Traceback (most recent call last):
   File /usr/sbin/ipa-client-install, line 1165, inmodule
 sys.exit(main())
   File /usr/sbin/ipa-client-install, line 1154, in main
 rval = install(options, env, fstore, statestore)
   File /usr/sbin/ipa-client-install, line 1122, in install
 ipaclient.ntpconf.config_ntp(ntp_server, fstore, statestore)
   File /usr/lib/python2.7/site-packages/ipaclient/ntpconf.py, line
118, in config_ntp
 sysstore.backup_state(module, enabled,
ipaservices.knownservices.ntp.enabled())
   File /usr/lib/python2.7/site-packages/ipalib/plugable.py, line
167, in __getattr__
 raise AttributeError('no magic attribute %r' % name)
AttributeError: no magic attribute 'ntp'

Mea culpa. :(

Fixed patch attached.



Now ipa-client-install --uninstall fails with:

Traceback (most recent call last):
  File /usr/sbin/ipa-client-install, line 1165, in module
sys.exit(main())
  File /usr/sbin/ipa-client-install, line 1147, in main
return uninstall(options, env)
  File /usr/sbin/ipa-client-install, line 339, in uninstall
restored = fstore.restore_file(/etc/ntp.conf)
  File /usr/lib/python2.7/site-packages/ipapython/sysrestore.py, line 
158, in restore_file

raise ValueError(No such file name in the index)
ValueError: No such file name in the index

Honza

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 0016 Setup and restore ntp configuration on the

2011-10-04 Thread Alexander Bokovoy
On Tue, 04 Oct 2011, Jan Cholasta wrote:
 Now ipa-client-install --uninstall fails with:
 
 Traceback (most recent call last):
   File /usr/sbin/ipa-client-install, line 1165, in module
 sys.exit(main())
   File /usr/sbin/ipa-client-install, line 1147, in main
 return uninstall(options, env)
   File /usr/sbin/ipa-client-install, line 339, in uninstall
 restored = fstore.restore_file(/etc/ntp.conf)
   File /usr/lib/python2.7/site-packages/ipapython/sysrestore.py,
 line 158, in restore_file
 raise ValueError(No such file name in the index)
 ValueError: No such file name in the index
Reproduced. This happens when the package freeipa-client is upgraded after the client was enrolled with a previous version; in such a case there is no backup state and therefore we can't restore.

Attached patch should fix it, as we can ignore an absent backup.
-- 
/ Alexander Bokovoy
From a37e9ff4a35c4c9784bf6a174ca8a4da37a43f51 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Tue, 4 Oct 2011 13:56:12 +0300
Subject: [PATCH] Setup and restore ntp configuration on the client side
 properly

When setting up the client-side NTP configuration, make sure that 
/etc/ntp/step-tickers
point to IPA NTP server as well.
When restoring the client during ipa-client-install --uninstall, make sure NTP 
configuration
is fully restored and NTP service is disabled if it was disabled before the 
installation.

https://fedorahosted.org/freeipa/ticket/1770
---
 ipa-client/ipa-install/ipa-client-install |   26 ++-
 ipa-client/ipaclient/ntpconf.py   |   52 
 2 files changed, 62 insertions(+), 16 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install 
b/ipa-client/ipa-install/ipa-client-install
index 
76f7f1913c804053edb8b90979286a0592fa5737..b8d4867ab3df119132b7d9da35803e50bbd4ea51
 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -320,6 +320,30 @@ def uninstall(options, env, quiet=False):
 # this is optional service, just log
 logging.info(%s daemon is not installed, skip configuration % 
(nslcd.service_name))
 
+ntp_configured = statestore.has_state('ntp')
+if ntp_configured:
+ntp_enabled = statestore.restore_state('ntp', 'enabled')
+ntp_step_tickers = statestore.restore_state('ntp', 'step-tickers')
+
+try:
+# Restore might fail due to file missing in backup
+# the reason for it might be that freeipa-client was updated
+# to this version but not unenrolled/enrolled again
+# In such case it is OK to fail
+restored = fstore.restore_file(/etc/ntp.conf)
+restored |= fstore.restore_file(/etc/sysconfig/ntpd)
+if ntp_step_tickers:
+   restored |= fstore.restore_file(/etc/ntp/step-tickers)
+except:
+pass
+
+if not ntp_enabled:
+   ipaservices.knownservices.ntpd.stop()
+   ipaservices.knownservices.ntpd.disable()
+else:
+   if restored:
+   ipaservices.knownservices.ntpd.restart()
+
 if not options.unattended:
 emit_quiet(quiet, The original nsswitch.conf configuration has been 
restored.)
 emit_quiet(quiet, You may need to restart services or reboot the 
machine.)
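Review bot: if the first `fstore.restore_file(/etc/ntp.conf)` raises, `restored` is never assigned, and with `ntp_enabled` true the `if restored:` in the `else` branch then fails with `UnboundLocalError`; initialize `restored = False` before the `try`. The bare `except: pass` also swallows every exception, including permission errors and `KeyboardInterrupt`, not just the missing-index case; catch the `ValueError` that `restore_file` raises (per the traceback quoted above) and log the skipped file, so a genuinely failed restore is not hidden.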
@@ -1102,7 +1126,7 @@ def install(options, env, fstore, statestore):
 ntp_server = options.ntp_server
 else:
 ntp_server = cli_server
-ipaclient.ntpconf.config_ntp(ntp_server, fstore)
+ipaclient.ntpconf.config_ntp(ntp_server, fstore, statestore)
 print NTP enabled
 
 print Client configuration complete.
diff --git a/ipa-client/ipaclient/ntpconf.py b/ipa-client/ipaclient/ntpconf.py
index 
3042005f41ea3ed6c8fee739b9cf2b833a8d6d59..cf203b90490f8268553229730cc2966d2c14f292
 100644
--- a/ipa-client/ipaclient/ntpconf.py
+++ b/ipa-client/ipaclient/ntpconf.py
@@ -20,6 +20,7 @@
 from ipapython import ipautil
 from ipapython import services as ipaservices
 import shutil
+import os
 
 ntp_conf = # Permit time synchronization with our time source, but do not
 # permit the source to query or modify the service on this system.
@@ -80,30 +81,51 @@ SYNC_HWCLOCK=yes
 # Additional options for ntpdate
 NTPDATE_OPTIONS=
 
+ntp_step_tickers = # Use IPA-provided NTP server for initial time
+$SERVER
+
+def __backup_config(path, fstore = None):
+if fstore:
+fstore.backup_file(path)
+else:
+shutil.copy(path, %s.ipasave % (path))
 
-def config_ntp(server_fqdn, fstore = None):
+def __write_config(path, content):
+fd = open(path, w)
+fd.write(content)
+fd.close()
+
+def config_ntp(server_fqdn, fstore = None, sysstore = None):
+path_step_tickers = /etc/ntp/step-tickers
+path_ntp_conf = /etc/ntp.conf
+path_ntp_sysconfig = /etc/sysconfig/ntpd
 sub_dict = { }
 sub_dict[SERVER] = server_fqdn
 
 nc = 
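Review bot: `__write_config` opens the target with `"w"`, which truncates the live `/etc/ntp.conf` before the new content is written, so an interruption mid-write leaves an empty config and a freshly created file gets the process umask rather than a deliberate mode; write to a temporary file in the same directory and `os.rename` it over the target. The no-fstore fallback in `__backup_config` also overwrites `<path>.ipasave` on every call, so a second `config_ntp` run replaces the original backup with IPA's own generated content.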

[Freeipa-devel] [PATCH] tweaks to ipa-replica-prepare.1

2011-10-04 Thread Nalin Dahyabhai
I started reading this page, and the description for --pkinit_pin looked
wrong.  While in there, I figured it might be useful to note that the
PKCS#12 files also contain the private keys.

Nalin
From 8fe270e43d7790dbd4210be9ff212ce410e3da69 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai na...@redhat.com
Date: Tue, 4 Oct 2011 18:29:45 -0400
Subject: [PATCH 2/2] - note that PKCS#12 files also contain private keys, and
 that the pkinit options refer to the KDC's
 credentials

---
 install/tools/man/ipa-replica-prepare.1 |9 ++---
 1 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/install/tools/man/ipa-replica-prepare.1 
b/install/tools/man/ipa-replica-prepare.1
index c9cd544..7443483 100644
--- a/install/tools/man/ipa-replica-prepare.1
+++ b/install/tools/man/ipa-replica-prepare.1
@@ -34,10 +34,13 @@ Once the file has been created it will be named 
replica\-hostname. This file can
 .SH OPTIONS
 .TP
 \fB\-\-dirsrv_pkcs12\fR=\fIFILE\fR
-PKCS#12 file containing the Directory Server SSL Certificate
+PKCS#12 file containing the Directory Server SSL Certificate and Private Key
 .TP
 \fB\-\-http_pkcs12\fR=\fIFILE\fR
-PKCS#12 file containing the Apache Server SSL Certificate
+PKCS#12 file containing the Apache Server SSL Certificate and Private Key
+.TP
+\fB\-\-pkinit_pkcs12\fR=\fIFILE\fR
+PKCS#12 file containing the Kerberos KDC Certificate and Private Key
 .TP
 \fB\-\-dirsrv_pin\fR=\fIDIRSRV_PIN\fR
 The password of the Directory Server PKCS#12 file
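Review bot: now that each `*_pkcs12` entry states the file holds a private key, the man page should also say these files are sensitive and must be readable only by root (and removed once the replica is prepared), since a reader otherwise has no hint that the inputs are more than certificates.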
@@ -46,7 +49,7 @@ The password of the Directory Server PKCS#12 file
 The password of the Apache Server PKCS#12 file
 .TP
 \fB\-\-pkinit_pin\fR=\fIPKINIT_PIN\fR
-The password of the Apache Server PKCS#12 file
+The password of the Kerberos KDC PKCS#12 file
 .TP
 \fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
 Directory Manager (existing master) password
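Review bot: the corrected `--pkinit_pin` text is right, but all three `*_pin` options and `--password` take the secret as a command-line argument, which is visible to other local users in the process list; a sentence in OPTIONS noting this exposure would help administrators decide when to prefer being prompted interactively.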
-- 
1.7.6.4
