Re: [Freeipa-devel] [PATCH] bind-dyndb-ldap: Add new ldap_hostname option (ticket #1931)

2011-10-17 Thread Adam Tkac
On 10/12/2011 08:08 PM, Rob Crittenden wrote:
 Adam Tkac wrote:
 Hello all,

 please see the attached patch for bind-dyndb-ldap, it should solve (at least
 from the bind-dyndb-ldap side) ticket #1931. It adds a new ldap_hostname
 option, and the ipa-server-install utility should set this option when
 /bin/hostname is different from the --hostname parameter.

 Comments are welcomed.

 Regards, Adam

 ACK, this looks fine to me.

 rob

Thanks for the review, pushed to bind-dyndb-ldap master.

Regards, Adam

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support

2011-10-17 Thread Alexander Bokovoy
On Fri, 14 Oct 2011, Simo Sorce wrote:
   Attached a rebased patch with the modifications needed to apply it on
   master.
   
   Everything seems to work on master but I haven't tested ipa-2-1 so this
   is a partial ACK of the original patch as well.
  
  A bit of bad news, I restarted the machine and I am having issues
  properly restarting services.
  This patch is still better than nothing as otherwise nothing works at
  all on f16, but we need to work out why starting services is unreliable.
 
 Ok found the issue and it is a bug in the conversion to systemd.
 I opened ticket #1990 for this.
 
 Attached find a rebased patch that fixes enough of the bug to let the
  server work (the keytab part), but it doesn't address the ulimit part.
KRB5_KTNAME was missing but LimitNOFile is available -- it is now 
modified in the dirsrv@.service file directly. The code in 
ipapython/platform/fedora16.py goes to great lengths to enable that 
by copying the file to /etc/systemd/system, modifying the config, and 
relinking all dirsrv instances to it. That's how systemd is organized.

Now, I think I found the actual issue preventing proper restarts. 
wait_for_socket() only considered 'connection refused' as a valid error 
when unable to connect, and waited until the timeout was gone.
Unfortunately, directory services start a bit slower than we had hoped 
and by the time we attempt to connect to local AF_UNIX socket, there 
is no actual socket on file system yet so we get:

Oct 17 06:48:36 vm-114 ipactl[954]: Failed to read data from Directory 
Service: Unknown error when retrieving list of services from LDAP: 
[Errno 2] No such file or directory
Oct 17 06:48:36 vm-114 ipactl[954]: Shutting down
Oct 17 06:48:36 vm-114 ipactl[954]: Starting Directory Service

After applying attached patch I now have fully working FreeIPA 2.1 git 
on Fedora 16.

-- 
/ Alexander Bokovoy
From cb5583ad8023d87fdbf863cd65032d0f11108bc0 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Mon, 17 Oct 2011 14:17:07 +0300
Subject: [PATCH 4/4] Spin for connection success also when socket is not
 (yet) available

We were spinning for a socket connection if the attempt to connect returned errno 111
(connection refused). However, this is not enough for local AF_UNIX sockets, as
heavy applications might not have been able to start yet and therefore the whole path
might be missing. So spin for errno 2 (no such file or directory) as well.

Partial fix for
  https://fedorahosted.org/freeipa/ticket/1990
---
 ipaserver/install/installutils.py |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/ipaserver/install/installutils.py 
b/ipaserver/install/installutils.py
index 
5cfc8f0376e25d9eb25206d54ac5bbea47aca9b2..0a36c354e1d2f901bfdef51c151d035ba8ee64ca
 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -507,7 +507,7 @@ def wait_for_open_socket(socket_name, timeout=0):
 s.close()
 break;
 except socket.error, e:
-if e.errno == 111:  # 111: Connection refused
+if e.errno in (2,111):  # 111: Connection refused, 2: File not 
found
 if timeout and time.time()  op_timeout: # timeout exceeded
 raise e
 time.sleep(1)
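Review bot: the literals in `if e.errno in (2,111):` should be `errno.ENOENT` and `errno.ECONNREFUSED` (with `import errno`); the trailing comment then becomes redundant and the intent survives on platforms where the numbers differ. One consequence worth a line in the commit message: with the default `timeout=0` from `def wait_for_open_socket(socket_name, timeout=0):` this loop now also spins forever when the socket path is simply wrong (a typo in the configured path), because ENOENT can no longer be told apart from "the server has not started yet"; callers that need a missing path to fail fast must pass a timeout.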
-- 
1.7.6.4

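The race Alexander describes above (connecting to the dirsrv AF_UNIX socket before the socket file exists, then a second window where the file exists but nobody is listening yet) is easy to reproduce and to guard against. The following Python 3 example is added here and is not FreeIPA's own wait_for_open_socket(): it spins on both ENOENT and ECONNREFUSED using errno constants rather than the literals 2 and 111, enforces the optional timeout, and fails immediately on any other error. The socket name `ldapi`, the slow-server thread and the delays are constructed for the demonstration.

```python
import errno
import os
import socket
import tempfile
import threading
import time

# Errors that mean "the service is still coming up" rather than "it is broken":
#   ENOENT       - the listener has not created the socket file yet
#   ECONNREFUSED - the file exists (bind() done) but nobody is listen()ing yet
# Anything else (EACCES, ENOTSOCK, ...) is treated as a real failure and raised.
TRANSIENT_ERRNOS = frozenset({errno.ENOENT, errno.ECONNREFUSED})


def wait_for_open_socket(socket_path, timeout=0.0, interval=0.1):
    """Block until connect() to the AF_UNIX socket at socket_path succeeds.

    Returns the number of seconds spent waiting. timeout=0 waits forever,
    mirroring the original helper's default; a positive timeout raises
    TimeoutError once exceeded (TimeoutError is a subclass of OSError).
    """
    started = time.monotonic()
    deadline = started + timeout if timeout else None
    while True:
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            s.connect(socket_path)
            return time.monotonic() - started
        except OSError as e:
            if e.errno not in TRANSIENT_ERRNOS:
                raise                     # permission denied etc.: not transient
            if deadline is not None and time.monotonic() >= deadline:
                raise TimeoutError(
                    "%s: still %s after %.1fs"
                    % (socket_path, errno.errorcode[e.errno], timeout)
                ) from e
        finally:
            s.close()
        time.sleep(interval)


def simulate_slow_start(delay, timeout=5.0):
    """Constructed scenario: a stand-in 'directory server' thread that only
    creates and opens its socket after `delay` seconds, while the client
    polls from t=0. Returns the seconds the client had to wait."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "ldapi")      # hypothetical socket name
    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)

    def slow_server():
        time.sleep(delay)
        server.bind(path)     # file appears: clients now get ECONNREFUSED
        server.listen(1)      # accepting: clients' connect() now succeeds

    t = threading.Thread(target=slow_server)
    t.start()
    try:
        return wait_for_open_socket(path, timeout=timeout, interval=0.05)
    finally:
        t.join()
        server.close()
        if os.path.exists(path):
            os.unlink(path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    print("waited %.2fs for the slow server" % simulate_slow_start(0.5))
    try:
        wait_for_open_socket("/nonexistent/ldapi", timeout=0.5)
    except TimeoutError as e:
        print("gave up:", e)
```

The second call in the `__main__` block shows the flip side of treating ENOENT as transient: a path that will never exist looks exactly like a slow server, so a caller that wants to detect a misconfigured socket path has to supply a timeout.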

[Freeipa-devel] [PATCH] 026 Fixed: Unable to add external user for RunAs User for Sudo

2011-10-17 Thread Petr Vobornik

https://fedorahosted.org/freeipa/ticket/1987
--
Petr Vobornik
From 931b27dbb54ace65e2213ffed718ee04ace5fc07 Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Mon, 17 Oct 2011 11:48:03 +0200
Subject: [PATCH] Fixed: Unable to add external user for RunAs User for Sudo
 rules

https://fedorahosted.org/freeipa/ticket/1987

There is no way to add root or any external user as a RunAs User for a Sudo
Rule.
---
 install/ui/sudo.js |2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/install/ui/sudo.js b/install/ui/sudo.js
index 8228951c30a71c1e0fb93f0477fa7e07079b27ba..af625661edc799f7dedeeaae44aed8e281e7ebf9 100644
--- a/install/ui/sudo.js
+++ b/install/ui/sudo.js
@@ -912,6 +912,7 @@ IPA.sudo.rule_details_runas_section = function(spec) {
 id: that.entity.name+'-runasruser_user',
 name: 'ipasudorunas_user',
 entity: that.entity,
+external: 'ipasudorunasextuser',
 add_method: 'add_runasuser',
 remove_method: 'remove_runasuser',
 add_title: IPA.messages.association.add.ipasudorunas,
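Review bot: adding `external: 'ipasudorunasextuser'` to the user field only helps if the `add_runasuser` method named two lines below accepts an external user name and stores it in that attribute; please confirm that path is covered server-side, and add the ticket's own case (RunAs User `root`) to the UI tests so the regression stays caught.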
@@ -946,6 +947,7 @@ IPA.sudo.rule_details_runas_section = function(spec) {
 id: that.entity.name+'-runasgroup_group',
 name: 'ipasudorunasgroup_group',
 entity: that.entity,
+external: 'ipasudorunasextgroup',
 add_method: 'add_runasgroup',
 remove_method: 'remove_runasgroup',
 add_title: IPA.messages.association.add.ipasudorunasgroup,
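Review bot: same question for `external: 'ipasudorunasextgroup'` and `add_runasgroup`; both hunks also rely on the association widget interpreting the `external` spec key as the attribute used for non-IPA entries, so a short comment on the key, or a pointer to where it is interpreted, would help the next reader.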
-- 
1.7.6.4


Re: [Freeipa-devel] [PATCH] 026 Fixed: Unable to add external user for RunAs User for Sudo

2011-10-17 Thread Alexander Bokovoy
On Mon, 17 Oct 2011, Petr Vobornik wrote:
 https://fedorahosted.org/freeipa/ticket/1987
 -- 
 Petr Vobornik

 From 931b27dbb54ace65e2213ffed718ee04ace5fc07 Mon Sep 17 00:00:00 2001
 From: Petr Vobornik pvobo...@redhat.com
 Date: Mon, 17 Oct 2011 11:48:03 +0200
 Subject: [PATCH] Fixed: Unable to add external user for RunAs User for Sudo
  rules
 
 https://fedorahosted.org/freeipa/ticket/1987
 
 There is no way to add root or any external user as a RunAs User for a Sudo
 Rule.
ACK.

-- 
/ Alexander Bokovoy



[Freeipa-devel] [PATCH] 152 Enable automember for upgraded servers

2011-10-17 Thread Martin Kosek
automember functionality depends on predefined data being in LDAP.
Since we add it for fresh installs only, automember cannot be used
for upgraded servers. Make sure that the automember LDAP data is added
during upgrade too.

https://fedorahosted.org/freeipa/ticket/1992

From dbdf55fcdc6ab1ac5f25a619e8b4f5af0d3f28a9 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Mon, 17 Oct 2011 13:56:21 +0200
Subject: [PATCH] Enable automember for upgraded servers

automember functionality depends on predefined data being in LDAP.
Since we add it for fresh installs only, automember cannot be used
for upgraded servers. Make sure that the automember LDAP data is added
during upgrade too.

https://fedorahosted.org/freeipa/ticket/1992
---
 install/updates/40-automember.update |   22 ++
 install/updates/Makefile.am  |1 +
 2 files changed, 23 insertions(+), 0 deletions(-)
 create mode 100644 install/updates/40-automember.update

diff --git a/install/updates/40-automember.update b/install/updates/40-automember.update
new file mode 100644
index ..27aa3028eedc5853af924630fb1179264f62cdd8
--- /dev/null
+++ b/install/updates/40-automember.update
@@ -0,0 +1,22 @@
+# Add all supported automember LDAP objects
+dn: cn=Auto Membership Plugin,cn=plugins,cn=config
+addifnew: nsslapd-pluginConfigArea: 'cn=automember,cn=etc,$SUFFIX'
+
+dn: cn=automember,cn=etc,$SUFFIX
+default: objectClass: top
+default: objectClass: nsContainer
+default: cn: automember
+
+dn: cn=Hostgroup,cn=automember,cn=etc,$SUFFIX
+default: objectclass: autoMemberDefinition
+default: cn: Hostgroup
+default: autoMemberScope: cn=computers,cn=accounts,$SUFFIX
+default: autoMemberFilter: objectclass=ipaHost
+default: autoMemberGroupingAttr: member:dn
+
+dn: cn=Group,cn=automember,cn=etc,$SUFFIX
+default: objectclass: autoMemberDefinition
+default: cn: Group
+default: autoMemberScope: cn=users,cn=accounts,$SUFFIX
+default: autoMemberFilter: objectclass=posixAccount
+default: autoMemberGroupingAttr: member:dn
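Review bot: `addifnew: nsslapd-pluginConfigArea: ...` points the plugin at the new container, but nothing in this update asserts that the Auto Membership Plugin itself is enabled; on an upgraded instance where it is off, the two `autoMemberDefinition` entries are inert and "enable automember for upgraded servers" is only half done. Consider asserting the enabled state in the same update. Also, because `addifnew` leaves an already-present value alone, an instance whose `nsslapd-pluginConfigArea` already points elsewhere will silently keep the old location; if that is intended, say so in the file's header comment.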
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 99b7c56c70750aad26743c7928d3ed133c5274a6..df4ccda44ac38caeb907f2b396c325791e7845d5 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -20,6 +20,7 @@ app_DATA =\
 	21-replicas_container.update	\
 	40-delegation.update		\
 	40-dns.update			\
+	40-automember.update		\
 	45-roles.update			\
 	50-lockout-policy.update	\
 	50-groupuuid.update		\
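Review bot: with this file added, the automember definitions now exist in two places, the fresh-install data the commit message refers to and `40-automember.update`; a comment in one pointing at the other would reduce the chance that a later change to the scope or filter lands in only one of them.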
-- 
1.7.6.4


Re: [Freeipa-devel] [PATCH] 153 Improve hostgroup/netgroup collision checks

2011-10-17 Thread Martin Kosek
On Mon, 2011-10-17 at 10:22 -0400, Rob Crittenden wrote:
 Martin Kosek wrote:
  When the NGP plugin is enabled, a managed netgroup is created for
  every hostgroup. We already check that a netgroup with the same
  name does not exist and provide a meaningful error message.
  However, this error message was also printed when a duplicate
  hostgroup existed.
 
  This patch checks for duplicate hostgroup existence first and
  the netgroup second. It also makes sure that when the NGP
  plugin is (temporarily) disabled, a colliding netgroup cannot
  be created.
 
  https://fedorahosted.org/freeipa/ticket/1914
 
 NACK, you should use self.obj.handle_duplicate_entry and/or 
 self.obj.already_exists_msg for reporting errors. See my patch 898 for 
 an example of this.
 
 rob

I was thinking about this too. My motivation was to add a bit of
information about why we reported a colliding hostgroup/netgroup: that they
share a common namespace.

I was afraid that the error "netgroup ... already exists" when a user
tries to add a colliding hostgroup may raise questions.

If we go your way, we may want to add a second check I included in my
patch - test that when adding a new netgroup, a hostgroup of the same
name does not exist. This would prevent namespace collisions if the user
decides to enable the NGP plugin again.

Additionally, the DuplicateEntry exception you are raising in your patch
may be simplified:

self.api.Object['netgroup'].handle_duplicate_entry(keys[-1])

Martin



Re: [Freeipa-devel] [PATCH] 153 Improve hostgroup/netgroup collision checks

2011-10-17 Thread Rob Crittenden

Martin Kosek wrote:

On Mon, 2011-10-17 at 10:22 -0400, Rob Crittenden wrote:

Martin Kosek wrote:

When the NGP plugin is enabled, a managed netgroup is created for
every hostgroup. We already check that a netgroup with the same
name does not exist and provide a meaningful error message.
However, this error message was also printed when a duplicate
hostgroup existed.

This patch checks for duplicate hostgroup existence first and
the netgroup second. It also makes sure that when the NGP
plugin is (temporarily) disabled, a colliding netgroup cannot
be created.

https://fedorahosted.org/freeipa/ticket/1914


NACK, you should use self.obj.handle_duplicate_entry and/or
self.obj.already_exists_msg for reporting errors. See my patch 898 for
an example of this.

rob


I was thinking about this too. My motivation was to add a bit of
information about why we reported a colliding hostgroup/netgroup: that they
share a common namespace.

I was afraid that the error "netgroup ... already exists" when a user
tries to add a colliding hostgroup may raise questions.

If we go your way, we may want to add a second check I included in my
patch - test that when adding a new netgroup, a hostgroup of the same
name does not exist. This would prevent namespace collisions if the user
decides to enable the NGP plugin again.

Additionally, the DuplicateEntry exception you are raising in your patch
may be simplified:

self.api.Object['netgroup'].handle_duplicate_entry(keys[-1])

Martin



Ok, I see where you were going now. ACK to your patch as-is. Go ahead 
and push to ipa-2-1 and master.


rob



Re: [Freeipa-devel] [PATCH] 153 Improve hostgroup/netgroup collision checks

2011-10-17 Thread Martin Kosek
On Mon, 2011-10-17 at 10:56 -0400, Rob Crittenden wrote:
 Martin Kosek wrote:
  On Mon, 2011-10-17 at 10:22 -0400, Rob Crittenden wrote:
  Martin Kosek wrote:
   When the NGP plugin is enabled, a managed netgroup is created for
   every hostgroup. We already check that a netgroup with the same
   name does not exist and provide a meaningful error message.
   However, this error message was also printed when a duplicate
   hostgroup existed.
  
   This patch checks for duplicate hostgroup existence first and
   the netgroup second. It also makes sure that when the NGP
   plugin is (temporarily) disabled, a colliding netgroup cannot
   be created.
 
  https://fedorahosted.org/freeipa/ticket/1914
 
  NACK, you should use self.obj.handle_duplicate_entry and/or
  self.obj.already_exists_msg for reporting errors. See my patch 898 for
  an example of this.
 
  rob
 
  I was thinking about this too. My motivation was to add a bit of
  information about why we reported a colliding hostgroup/netgroup: that they
  share a common namespace.
 
  I was afraid that the error "netgroup ... already exists" when a user
  tries to add a colliding hostgroup may raise questions.
 
  If we go your way, we may want to add a second check I included in my
  patch - test that when adding a new netgroup, a hostgroup of the same
  name does not exist. This would prevent namespace collisions if the user
  decides to enable the NGP plugin again.
 
  Additionally, the DuplicateEntry exception you are raising in your patch
  may be simplified:
 
  self.api.Object['netgroup'].handle_duplicate_entry(keys[-1])
 
  Martin
 
 
 Ok, I see where you were going now. ACK to your patch as-is. Go ahead 
 and push to ipa-2-1 and master.
 
 rob

Ok, thanks. Pushed to master, ipa-2-1.

Martin



Re: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support

2011-10-17 Thread Simo Sorce
On Mon, 2011-10-17 at 14:21 +0300, Alexander Bokovoy wrote:
 On Fri, 14 Oct 2011, Simo Sorce wrote:
Attached a rebased patch with the modifications needed to apply it on
master.

    Everything seems to work on master but I haven't tested ipa-2-1 so this
is a partial ACK of the original patch as well.
   
   A bit of bad news, I restarted the machine and I am having issues
   properly restarting services.
   This patch is still better than nothing as otherwise nothing works at
   all on f16, but we need to work out why starting services is unreliable.
  
  Ok found the issue and it is a bug in the conversion to systemd.
  I opened ticket #1990 for this.
  
  Attached find a rebased patch that fixes enough of the bug to let the
  server work (the keytab part), but it doesn't address the ulimit part.
 KRB5_KTNAME was missing but LimitNOFile is available -- it is now 
 modified in the dirsrv@.service file directly. The code in 
 ipapython/platform/fedora16.py goes to great lengths to enable that 
 by copying the file to /etc/systemd/system, modifying the config, and 
 relinking all dirsrv instances to it. That's how systemd is organized.
 
 Now, I think I found the actual issue preventing proper restarts. 
 wait_for_socket() only considered 'connection refused' as a valid error 
 when unable to connect, and waited until the timeout was gone.
 Unfortunately, directory services start a bit slower than we had hoped 
 and by the time we attempt to connect to local AF_UNIX socket, there 
 is no actual socket on file system yet so we get:
 
 Oct 17 06:48:36 vm-114 ipactl[954]: Failed to read data from Directory 
 Service: Unknown error when retrieving list of services from LDAP: 
 [Errno 2] No such file or directory
 Oct 17 06:48:36 vm-114 ipactl[954]: Shutting down
 Oct 17 06:48:36 vm-114 ipactl[954]: Starting Directory Service
 
 After applying attached patch I now have fully working FreeIPA 2.1 git 
 on Fedora 16.

ACK,
fixes my startup issue as well.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH] 026 Fixed: Unable to add external user for RunAs User for Sudo

2011-10-17 Thread Endi Sukma Dewata

On 10/17/2011 10:12 AM, Alexander Bokovoy wrote:

On Mon, 17 Oct 2011, Petr Vobornik wrote:

https://fedorahosted.org/freeipa/ticket/1987
--
Petr Vobornik



 From 931b27dbb54ace65e2213ffed718ee04ace5fc07 Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Mon, 17 Oct 2011 11:48:03 +0200
Subject: [PATCH] Fixed: Unable to add external user for RunAs User for Sudo
  rules

https://fedorahosted.org/freeipa/ticket/1987

There is no way to add root or any external user as a RunAs User for a Sudo
Rule.

ACK.


Pushed to master and ipa-2-1.

--
Endi S. Dewata



Re: [Freeipa-devel] change to interface used to provide certificates

2011-10-17 Thread Nalin Dahyabhai
On Fri, Oct 14, 2011 at 11:23:27PM -0400, John Dennis wrote:
 Importing and exporting certs via the web UI and command line are
 not common operations. The only significant impact changing to
 requiring PEM input would be on our automated tests which would have
 to make sure they supplied PEM format.
 
 Comments? Questions?

If we're talking about the cert_request RPC, then this impacts
certmonger, so I need to know (and would prefer to know sooner rather
than later) if it needs to change its expectations.

Cheers,

Nalin

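If the cert_request interface moves to requiring PEM input, the question of what exactly counts as acceptable PEM (CRLF line endings, text before the BEGIN line, a PRIVATE KEY block pasted by mistake, raw DER bytes) becomes the input-validation boundary that both the server and certmonger have to agree on. The following Python 3 example is added here and is not FreeIPA's or certmonger's code: it normalizes either PEM or raw DER into canonical PEM, checks the PEM label, and performs a minimal DER sanity check (one SEQUENCE, DER-minimal length, no trailing bytes) before anything would be handed to a real X.509 parser. `SAMPLE_DER` is a constructed SEQUENCE { INTEGER 5 }, not a certificate.

```python
import base64
import re

# One PEM block: the label on BEGIN and END must match; the body is base64
# that may be wrapped at any width and may use CRLF or LF line endings.
_PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)


def der_is_single_sequence(blob):
    """Cheap structural check before handing bytes to an X.509 parser:
    the blob must be exactly one DER SEQUENCE (tag 0x30) whose encoded
    length accounts for every byte, with a minimal (DER) length encoding.
    Rejects trailing garbage, BER indefinite lengths and non-minimal
    long-form lengths. This is not a certificate parser."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    first = blob[1]
    if first < 0x80:                      # short form
        length, header = first, 2
    elif first in (0x80, 0xFF):           # indefinite / reserved: not DER
        return False
    else:                                 # long form: (first & 0x7F) length bytes
        n = first & 0x7F
        if len(blob) < 2 + n:
            return False
        length_bytes = blob[2:2 + n]
        if length_bytes[0] == 0 or (n == 1 and length_bytes[0] < 0x80):
            return False                  # non-minimal encoding
        length, header = int.from_bytes(length_bytes, "big"), 2 + n
    return header + length == len(blob)


def pem_to_der(data, label=b"CERTIFICATE"):
    """Extract the first PEM block from data and return its DER bytes.
    The label is checked so that, for example, a PRIVATE KEY pasted into a
    certificate field is rejected rather than silently accepted."""
    m = _PEM_RE.search(data)
    if m is None:
        raise ValueError("no PEM block found")
    if m.group(1) != label:
        raise ValueError("expected %s, got %s"
                         % (label.decode(), m.group(1).decode()))
    body = b"".join(m.group(2).split())   # drop line breaks and stray spaces
    return base64.b64decode(body, validate=True)  # raises on bad characters


def normalize_cert(data):
    """Accept a certificate as PEM (with any surrounding text, CRLF or LF)
    or as raw DER, validate its outer structure, and return canonical PEM:
    one CERTIFICATE block, 64-column base64, LF line endings."""
    der = pem_to_der(data) if b"-----BEGIN " in data else data
    if not der_is_single_sequence(der):
        raise ValueError("input is neither PEM nor a single DER SEQUENCE")
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
            % "\n".join(lines))


# Constructed sample, not a real certificate: the DER SEQUENCE { INTEGER 5 }
# is just enough structure to exercise the checks above.
SAMPLE_DER = bytes.fromhex("3003020105")

if __name__ == "__main__":
    pem = normalize_cert(SAMPLE_DER)
    print(pem)
    messy = ("Certificate:\r\n" + pem.replace("\n", "\r\n")).encode()
    print(normalize_cert(messy) == pem)
```

Whichever side of the RPC does the normalization, doing it in one place with an explicit label check means a DER blob, an `openssl x509 -text` dump with the PEM at the bottom, and a key accidentally pasted into the certificate field all get a deterministic, reviewable outcome instead of depending on what the underlying library happens to tolerate.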


Re: [Freeipa-devel] [PATCH] 023 Circular entity dependency

2011-10-17 Thread Endi Sukma Dewata

On 10/10/2011 10:13 AM, Petr Vobornik wrote:

https://fedorahosted.org/freeipa/ticket/1531

(3.0 Core Effort Iteration 01 September Y11 Release)

Implemented solution:
* all entities are created on application start
* dependent objects (facets and dialogs) are created at once on their
first use in the entity.

Note (patch naming): patch 022 was the second part of 021, but the file name
was wrong (021-1)


Some comments/issues:

1. One of the goals of this bug is to remove the temporary workaround in 
IPA.search_facet.create_content(). We should now be able to call the 
initialize_table_columns() during facet initialization.


2. Using lazy-loading to create entities, facets, and dialogs makes 
object creations a little bit unpredictable. This is probably fine for 
now, but if there's a problem the other option is to create all objects 
during application initialization. We can use a loop to create all 
entities first, then use another loop to create all dependent objects in 
each entity.


3. Another goal is to replace entity names used in spec (see 
other_entity and nested_entity spec properties) with the actual entity 
objects. In this case it might be better to use the loops described in 
#2. This can be done separately.


4. In the original code, when creating a facet for indirect association 
it will try to find the corresponding direct facet and use it instead of 
creating a new one. In the new code, the indirect facet will always be 
created, but since there is no indirect facet group the facet will never 
appear. It would be better if we can avoid unnecessary creation of 
indirect facets.


5. In entity.js:201, the use of entity.title for the breadcrumb tooltip 
might not be appropriate because usually the title is plural whereas the 
breadcrumb points to a single object. It would be better to use the 
entity.metadata.label_singular.


6. Invoking a method by concatenating the method name dynamically such 
as prepare_facet type_spec will work, but it's more error prone and 
will clutter up the namespace. It would be better to store the methods 
in a map like this:


  that.map.put('search', function(spec) {
...
  });

and use it like this:

  var method = that.map.get('search');
  method(spec);

This can be done separately.

7. The code in entity.js:474,998,1000 should have a deeper indentation 
because it's a continuation of the previous line.


8. The facet_specs and dialog_specs lists can be replaced with 
ordered_map. It already has a method to find an element by its name. 
This can be done separately.


--
Endi S. Dewata
