Re: [Freeipa-devel] Design discussion: autofs integration
On Fri, Dec 09, 2011 at 08:01:44AM +0800, Ian Kent wrote: On Thu, 2011-12-08 at 17:52 +0100, Jakub Hrozek wrote: Hi, I have created a wiki page summarizing my design proposal on integrating SSSD with automounter: https://fedorahosted.org/sssd/wiki/DesignDocs/AutofsIntegration Feedback is much appreciated - a reply to this email would probably work best. The target of this work is 1.8 Thanks for writing this summary, it's excellent. There's not much I have to say about it because it is already quite thorough. One thing I dislike about the discussion, and while I let it pass in bugs and mailing list discussions, I think it is wrong to put it in public design documents. The statement autofs abuses the nsswitch.conf configuration file I find a little offensive. autofs uses that configuration file and parses only the automount entry using the same semantic behavior as nss, so the word abuse is wrong and a little rude IMHO. I'm sorry -- I didn't mean to offend you and perhaps abuse was a strong word. I've changed the design docs. That said, I'm still not convinced that it is a good idea to use another application's config file. My main concern is that users often mistakenly think that there is a standard glibc interface defined. Also, when the shared config file changes (not that it's likely that nsswitch would change drastically), you're in trouble -- for instance, sudo suffered recently when Fedora changed from using ldap.conf to nslcd.conf In the section The LDAP schema used by autofs which talks about schema it is probably worth mentioning the difficulty with the cn attribute being case insensitive. That introduces problems because key names (essentially directory names) are case sensitive and I believe that is the main reason RFC2307bis (as it relates to autofs) was adopted. Good point, I've included that in the design page. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 56] ticket 2172 - If make rpms fails so will the next make
On Thu, 2011-12-08 at 08:34 +0100, Martin Kosek wrote: On Wed, 2011-12-07 at 20:39 -0500, John Dennis wrote: If make rpms fails it doesn't clean up the rpmbuild directory it created. The next make-lint will also fail because it finds files under rpmbuild. make-lint is invoked by make rpms, a vicous cycle. The patch contains two sets of changes Include rpmbuild in the IGNORE_PATHS list of make-lint. Fix the Makefile to use $(RPMBUILD) consistently, there were a number of hardcoded uses of rpmbuild as a direcotry. ACK. Pushed to master, ipa-2-1. Martin John send me a patch to remove old $(RPMBUILD) before it is filled with new content for rpmbuild (attached). I found it quite useful. Pushed under one-liner rule. Martin From 7100e01a226132504ddb9f80aca55e057566df9b Mon Sep 17 00:00:00 2001 From: John Dennis jden...@redhat.com Date: Fri, 9 Dec 2011 10:00:27 +0100 Subject: [PATCH] Remove old RPMROOT contents before it is used for rpmbuild --- Makefile |1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/Makefile b/Makefile index 9db0ff5c1f0adea4a85659c5c3a3919011a30282..af50558c1ad6b354f10d80aa374b3e60ec4c2a05 100644 --- a/Makefile +++ b/Makefile @@ -161,6 +161,7 @@ tarballs: local-archive rm -rf dist/$(TARBALL_PREFIX) rpmroot: + rm -rf $(RPMBUILD) mkdir -p $(RPMBUILD)/BUILD mkdir -p $(RPMBUILD)/RPMS mkdir -p $(RPMBUILD)/SOURCES -- 1.7.7.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] Support for Bind forward zones
I have prepared an initial support for forward zones. There is still an open question about global forwarder. The current solution consists in creating forward root zone: 1) `ipa dnszone-add .` 2) addForwarder.ldif: dn: idnsname=.,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com changetype: modify add: idnsForwarders idnsForwarders: 10.16.255.2 (use your own one) 3) `ldapmodify -Y GSSAPI -f addForwarder.ldif` https://fedorahosted.org/freeipa/ticket/2108 https://bugzilla.redhat.com/show_bug.cgi?id=754433 JiriFrom 02b928e944e0ec6de5d9e97f89a8edfb8a25d360 Mon Sep 17 00:00:00 2001 From: Jiri Kuncar jkun...@redhat.com Date: Fri, 9 Dec 2011 03:47:03 -0500 Subject: [PATCH 2/2] Schema update (added idnsAllowSyncPTR, idnsForwardPolicy, idnsForwarders). Signed-off-by: Jiri Kuncar jkun...@redhat.com --- doc/schema | 27 ++- 1 files changed, 26 insertions(+), 1 deletions(-) diff --git a/doc/schema b/doc/schema index b959f76..a2bbf6b 100644 --- a/doc/schema +++ b/doc/schema @@ -243,6 +243,29 @@ attributetype ( 2.16.840.1.113730.3.8.5.12 EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +attributetype ( 2.16.840.1.113730.3.8.5.13 + NAME 'idnsAllowSyncPTR' + DESC 'permit synchronization of PTR records' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + SINGLE-VALUE ) + +attributetype ( 2.16.840.1.113730.3.8.5.14 + NAME 'idnsForwardPolicy' + DESC 'forward policy: only or first' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) + +attributetype ( 2.16.840.1.113730.3.8.5.15 + NAME 'idnsForwarders' + DESC 'list of forwarders' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + MULTI-VALUE ) + objectclass ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' @@ -266,4 +289,6 @@ objectclass ( 2.16.840.1.113730.3.8.6.1 idnsSOAserial $ idnsSOArefresh $ idnsSOAretry $ idnsSOAexpire $ idnsSOAminimum ) - MAY ( idnsUpdatePolicy $ idnsAllowQuery $ idnsAllowTransfer ) ) + MAY ( idnsUpdatePolicy $ idnsAllowQuery $ idnsAllowTransfer $ + idnsAllowSyncPTR $ idnsForwardPolicy $ idnsForwarders + ) ) -- 1.7.7.1 From 3ae3b350acf1d2317f2e2a18ec277fe81f5bd7a2 Mon Sep 17 00:00:00 2001 From: Jiri Kuncar jkun...@redhat.com Date: Thu, 8 Dec 2011 10:58:43 -0500 Subject: [PATCH 1/2] Support bind forward zones. Use idnsForwardPolicy and idnsForwarders to set up zone in LDAP. Signed-off-by: Jiri Kuncar jkun...@redhat.com --- src/ldap_helper.c | 61 +++- 1 files changed, 59 insertions(+), 2 deletions(-) diff --git a/src/ldap_helper.c b/src/ldap_helper.c index b60cf11..5b8d241 100644 --- a/src/ldap_helper.c +++ b/src/ldap_helper.c @@ -31,6 +31,7 @@ #include dns/zone.h #include dns/zt.h #include dns/byaddr.h +#include dns/forward.h #include isc/buffer.h #include isc/lex.h @@ -771,6 +772,61 @@ ldap_parse_zoneentry(ldap_entry_t *entry, ldap_instance_t *inst, CHECK(discard_from_cache(inst-cache, name)); create: + + /* + * Fetch forwarders. + * Forwarding has top priority hence when the forwarders are properly + * set up all others attributes are ignored. + */ + result = ldap_entry_getvalues(entry, idnsForwarders, values); + if (result == ISC_R_SUCCESS) { + log_debug(2, Setting forwarders for %s, dn); + + ldap_value_t *value; + isc_sockaddrlist_t addrs; + ISC_LIST_INIT(addrs); + + /* Clean old fwdtable. */ + (void)dns_fwdtable_delete(inst-view-fwdtable, name); + for (value = HEAD(values); + value != NULL; + value = NEXT(value, link)) { + in_addr_t ip; + if ((ip = inet_addr(value-value)) == 0) { +log_bug(Could not convert IP address from string '%s'., value-value); +continue; + } + isc_sockaddr_t address; + /* TODO Parse port. */ + isc_sockaddr_fromin(address, (const struct in_addr *) ip, 53); + ISC_LINK_INIT(address, link); + ISC_LIST_APPEND(addrs, address, link); + log_debug(5, Adding forwarder %s for %s, value-value, dn); + } + + /* + * Fetch forward policy. + */ + dns_fwdpolicy_t fwdpolicy = dns_fwdpolicy_first; /* first is default option. */ + result = ldap_entry_getvalues(entry, idnsForwardPolicy, values); + if (result == ISC_R_SUCCESS) { + value = HEAD(values); + /* + * fwdpolicy: only or first (default) + */ + if (value != NULL value-value != NULL strcmp(value-value, only) == 0) { +fwdpolicy = dns_fwdpolicy_only; + } + } + log_debug(5, Forward policy: %d, fwdpolicy); + + /* Set forward table up. */ + CHECK(dns_fwdtable_add(inst-view-fwdtable, name, addrs, fwdpolicy)); + + /* DO NOT CHANGE ANYTHING ELSE after forwarders are set up! */ + goto cleanup; + } + /* * Check if we are already serving given zone. */ @@ -869,7 +925,8 @@ refresh_zones_from_ldap(ldap_instance_t *ldap_inst) ldap_entry_t *entry; char *attrs[] = { idnsName,
Re: [Freeipa-devel] Support for Bind forward zones
On Fri, 2011-12-09 at 04:11 -0500, Jiri Kuncar wrote: I have prepared an initial support for forward zones. There is still an open question about global forwarder. The current solution consists in creating forward root zone: 1) `ipa dnszone-add .` 2) addForwarder.ldif: dn: idnsname=.,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com changetype: modify add: idnsForwarders idnsForwarders: 10.16.255.2 (use your own one) 3) `ldapmodify -Y GSSAPI -f addForwarder.ldif` https://fedorahosted.org/freeipa/ticket/2108 https://bugzilla.redhat.com/show_bug.cgi?id=754433 Jiri I have been thinking about that and as we discussed today I don't like abusing a real DNS root zone for purpose of storing bind-dyndb-ldap global. I see 2 issues with this approach: 1) User has to create a real root DNS zone . with all MUST attributes (SOA, NS records etc.) even though these values are being ignored in bind-dyndb-ldap. 2) With expansion of bind-dyndb-ldap abilities I expect more (global or per-zone) settings to show up. For example any settings related to DNSSEC (keys, etc.). And I don't think we want to place all these to the root zone LDAP object and extend idnsZone objectClass every time we add a global bind-dyndb-ldap setting stored in LDAP. This is my idea of what could be done: 1) Introduce a new objectClass idnsConfigObject which would hold all bind-dyndb-ldap global settings attributes. I would add the following attributes: * idnsAllowSyncPTR: global settings with semantics of sync_ptr in named.conf. * dnsForwardPolicy * idnsForwarders * idnsZoneRefresh (zone_refresh argument in named.conf) * idnsPersistentSearch (psearch argument in named.conf) 2) Create a config object in FreeIPA (in replicated space): cn=dns,cn=etc,$SUFFIX 3) Add a support for this global settings object to bind-dyndb-ldap and create a config option in named.conf pointing to the global config base DN: dynamic-db ipa { ... arg config_base cn=dns,cn=etc,dc=example,dc=com; ... }; 4) Add API for global DNS config to FreeIPA server. Example commands: $ ipa dnsconfig-show $ ipa dnsconfig-mod --forwarders=10.0.0.1,10.0.0.2 --forward-policy=only Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Support for Bind forward zones
On Fri, 09 Dec 2011, Martin Kosek wrote: This is my idea of what could be done: 1) Introduce a new objectClass idnsConfigObject which would hold all bind-dyndb-ldap global settings attributes. I would add the following attributes: * idnsAllowSyncPTR: global settings with semantics of sync_ptr in named.conf. * dnsForwardPolicy * idnsForwarders * idnsZoneRefresh (zone_refresh argument in named.conf) * idnsPersistentSearch (psearch argument in named.conf) 2) Create a config object in FreeIPA (in replicated space): cn=dns,cn=etc,$SUFFIX 3) Add a support for this global settings object to bind-dyndb-ldap and create a config option in named.conf pointing to the global config base DN: dynamic-db ipa { ... arg config_base cn=dns,cn=etc,dc=example,dc=com; ... }; 4) Add API for global DNS config to FreeIPA server. Example commands: $ ipa dnsconfig-show $ ipa dnsconfig-mod --forwarders=10.0.0.1,10.0.0.2 --forward-policy=only I agree with the latter approach. Looks cleaner and also allows to properly handle replicated DNS setup. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 913 Fix pylint failures on F-16
On Thu, 08 Dec 2011, Nalin Dahyabhai wrote: On Thu, Dec 08, 2011 at 04:14:38PM -0500, Rob Crittenden wrote: A few things need to be updated to make the ipa-2-1 branch build in F-16 with pylint. I've updated the example to use the object's default_attribute list instead of using output_params(), this is preferred anyway I also replaced a few instances of add_s() with addEntry() Ack: pylint is happy on my F-17 box. Pushed to ipa-2-1. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 052 Better displaying of long names in tables and facet headers
On 12/09/2011 08:17 AM, Endi Sukma Dewata wrote: On 12/8/2011 8:31 AM, Petr Vobornik wrote: https://fedorahosted.org/freeipa/ticket/1890 This is an improvement, so it's ACKed. There are some other issues, they can be done separately: Pushed to master. Attaching new patch which addresses following issues: 1. Create an HBAC service with a very long name. Open an HBAC rule, add the service, it will widen the table. Same problem with sudo rule. The table wasn't set as 'scrollable'. I didn't find a reason why cell width calculation should be different for scrollable and 'normal', so I unified it and it fixes the problem. 2. Open the HBAC service you created in #1, the facet header is too long it messes up the tabs. The service name here should be trimmed as well. The pkey in facet group header is now limited to 20 chars. It would be probably good enough for normal names. It may overlap with with next facet group if current facet group has 1 facet with short name, but I think it isn't a problem now. 3. Delete the HBAC service you created in #1 from command line. Reload the page in #2, it will pop up an error dialog. The content of the dialog should wrap as well. Error dialog now uses word-wrap. 4. The limit_text() could be useful outside of IPA.facet_header, so it can be made an independent function. Moved to ipa.js. 5. The limit_text() returns a string up to max_length+3 because of the additional '...'. It's better to include the '...' in the calculation so the output is not longer than the expected max_length. Fixed. 6. In widget.js:1104 what are the constants 4 and 14? Can they be combined? Added comments to code. They shouldn't be combined because one applies only if the table is selectable. But thanks for pointing it out - there was actually a little error - the '14' should be in ?: statement and both of the weren't entirely correct. - Fixed 7. When a column has a width set, there is a line (widget.js:1098): width += 16; Why is it there? I'd rather subtract it. -- Petr Vobornik From ca2ce8099ef836d1d09949a111baef0823998e25 Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Fri, 9 Dec 2011 14:13:17 +0100 Subject: [PATCH] Additional better displaying of long names - facet group headers, error dialog, non-scrollable tables, can manage long names Size calculation of scrollable and non-scrollable tables was united. Now these types of tables differ only by style. https://fedorahosted.org/freeipa/ticket/1821 --- install/ui/facet.js | 23 ++- install/ui/ipa.css | 18 +- install/ui/ipa.js| 13 + install/ui/widget.js | 48 +--- 4 files changed, 53 insertions(+), 49 deletions(-) diff --git a/install/ui/facet.js b/install/ui/facet.js index df5743b1cf7ffe2d9df1905808f6e9dfc92be8ea..4128b0562fa8d3095cd746ab460ba4f887e05196 100644 --- a/install/ui/facet.js +++ b/install/ui/facet.js @@ -193,24 +193,11 @@ IPA.facet_header = function(spec) { } }; -that.limit_text = function(value, max_length) { - -if (!value) return ''; - -var limited_text = value; - -if (value.length value.length max_length + 3) { -limited_text = value.substring(0, max_length)+'...'; -} - -return limited_text; -}; - that.set_pkey = function(value) { if (!value) return; -var limited_value = that.limit_text(value, 60); +var limited_value = IPA.limit_text(value, 60); if (!that.facet.disable_breadcrumb) { var breadcrumb = []; @@ -234,13 +221,13 @@ IPA.facet_header = function(spec) { } that.path.empty(); -var key_max_lenght = 60/breadcrumb.length; +var key_max_lenght = 60 / breadcrumb.length; for (var i=0; ibreadcrumb.length; i++) { var item = breadcrumb[i]; var entity_key = item.text(); -var limited_entity_key = that.limit_text(entity_key, key_max_lenght); +var limited_entity_key = IPA.limit_text(entity_key, key_max_lenght); item.text(limited_entity_key); that.path.append(' raquo; '); @@ -379,13 +366,15 @@ IPA.facet_header = function(spec) { var label = facet_group.label; if (pkey label) { -label = label.replace('${primary_key}', pkey); +var limited_pkey = IPA.limit_text(pkey, 20); +label = label.replace('${primary_key}', limited_pkey); } else { label = ''; } var label_container = $('.facet-group-label', span); label_container.text(label); +if (pkey) label_container.attr('title', pkey); var facets = facet_group.facets.values; for (var j=0;
Re: [Freeipa-devel] Support for Bind forward zones
On Fri, 2011-12-09 at 12:33 +0200, Alexander Bokovoy wrote: On Fri, 09 Dec 2011, Martin Kosek wrote: This is my idea of what could be done: 1) Introduce a new objectClass idnsConfigObject which would hold all bind-dyndb-ldap global settings attributes. I would add the following attributes: * idnsAllowSyncPTR: global settings with semantics of sync_ptr in named.conf. * dnsForwardPolicy * idnsForwarders * idnsZoneRefresh (zone_refresh argument in named.conf) * idnsPersistentSearch (psearch argument in named.conf) 2) Create a config object in FreeIPA (in replicated space): cn=dns,cn=etc,$SUFFIX 3) Add a support for this global settings object to bind-dyndb-ldap and create a config option in named.conf pointing to the global config base DN: dynamic-db ipa { ... arg config_base cn=dns,cn=etc,dc=example,dc=com; ... }; 4) Add API for global DNS config to FreeIPA server. Example commands: $ ipa dnsconfig-show $ ipa dnsconfig-mod --forwarders=10.0.0.1,10.0.0.2 --forward-policy=only I agree with the latter approach. Looks cleaner and also allows to properly handle replicated DNS setup. Me too, except for the location of the configuration, I think it should stay in the root node of the DNS data for simplicity. But this is a very minor point. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] minor cleanup
Simo Sorce wrote: Straightforward cleanup. Simo. ACK, works for me. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Design discussion: autofs integration
On Thu, 2011-12-08 at 17:52 +0100, Jakub Hrozek wrote: Hi, I have created a wiki page summarizing my design proposal on integrating SSSD with automounter: https://fedorahosted.org/sssd/wiki/DesignDocs/AutofsIntegration Feedback is much appreciated - a reply to this email would probably work best. The target of this work is 1.8 Thanks for writing this summary, it's excellent. There's not much I have to say about it because it is already quite thorough. One thing I dislike about the discussion, and while I let it pass in bugs and mailing list discussions, I think it is wrong to put it in public design documents. The statement autofs abuses the nsswitch.conf configuration file I find a little offensive. autofs uses that configuration file and parses only the automount entry using the same semantic behavior as nss, so the word abuse is wrong and a little rude IMHO. In the section The LDAP schema used by autofs which talks about schema it is probably worth mentioning the difficulty with the cn attribute being case insensitive. That introduces problems because key names (essentially directory names) are case sensitive and I believe that is the main reason RFC2307bis (as it relates to autofs) was adopted. Ian ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 327 Fixed problem loading DNS records.
On 12/09/2011 08:51 AM, Endi Sukma Dewata wrote: The DNS records list page was not loaded correctly due to a recent change in HBAC Test. The page has been updated to use the load_all() to show all records in the zone. Ticket #388 ACK and pushed to master The HBAC test page is completed, right? Can I add all commit ids to trac and close the ticket? -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 326 Added HBAC Test input validation.
On 12/08/2011 03:44 AM, Endi Sukma Dewata wrote: The HBAC Test pages have been modified to validate required input before executing the test. Ticket #388 ACK and pushed to master - it's an improvement Possible future enhancement: I would rather see more specific error message. The message should contain which values are missing. In this implementation if user misses to fill more than one value, he is informed only about the first missing value (by redirection to the its facet) for the others he has to check by hand (or realize it in mind) or by couple trial-error runs. In details facet it is fine because invalid or missing values are highlighted by validation messages near widgets. -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 325 Fixed matched/unmatched checkboxes in HBAC Test
On 12/08/2011 03:15 AM, Endi Sukma Dewata wrote: The checkboxes in HBAC Test run page have been fixed to show/hide matched or unmatched rules. The New Test button has been fixed to deselect the inputs in all facets. The test data has been updated as well. Ticket #388 ACK and pushed to master Existing minor issue which can be fixed later: 1) matched checkbox has name 'disabled' -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 5 User-add random password support
On 11/29/2011 10:31 AM, Martin Kosek wrote: On Thu, 2011-11-24 at 17:51 +0100, Ondrej Hamada wrote: On 11/24/2011 03:54 PM, Ondrej Hamada wrote: https://fedorahosted.org/freeipa/ticket/1979 I've used code from ipalib/plugins/host.py to add support for random password generation. The '--random' option is now available in user-add and user-mod commands. If both the 'password' and 'random' options are used the 'random' option will be ignored. Functionally, it works OK. I would just like to propose few improvements: 1) Minor API version in VERSION file should be bumped since you add a new option 2) We should add some tests exercising this new functionality so that we can detect regressions early 3) (optional) I am thinking if the passwords we generate are not very user friendly. I would love to see user's face when he is told that his new password is 5QU;8l2%]y? . While this is may be OK for hosts bulk passwords which are only manipulated by admins, we may want to develop more user friendly passwords in the user plugin. Martin https://fedorahosted.org/freeipa/ticket/1979 I've used code from ipalib/plugins/host.py to add support for random password generation. The '--random' option is now available in user-add and user-mod commands. If both the 'password' and 'random' options are used the 'random' option will be ignored. Two test cases were added to unit test's module test_user_plugin.py - they test creating and modifying user with random password. Two fuzzy tests were added: test for password(string that doesn't start or end with whitespace and doesn't containt other whitespace than ' ') and for whatever string(because of krbextradata). I've slightly modified ipa_generate_password in order to make passwords for users more user-friendly(reduce number of non-letters). It has two optional parameters now - first one is string of characters that should be used for generating the passwd and second one is length of password. If none parameter is set default values will be used so there's no need to modify other plugins that use random password generator. -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada From 19ca0f9e64861a10f940492bd2824f7885348a72 Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Fri, 9 Dec 2011 15:41:41 +0100 Subject: [PATCH] User-add random password support I've used code from ipalib/plugins/host.py to add support for random password generation. The '--random' option is now available in user-add and user-mod commands. If both the 'password' and 'random' options are used the 'random' option will be ignored. Two test cases were added to unit test's module test_user_plugin.py - they test creating and modifying user with random password. Two fuzzy tests were added: test for password(string that doesn't start or end with whitespace and doesn't containt other whitespace than ' ') and for whatever string(because of krbextradata). I've slightly modified ipa_generate_password in order to make passwords for users more user-friendly(reduce number of non-letters). It has two optional parameters now - first one is string of characters that should be used for generating the passwd and second one is length of password. If none parameter is set default values will be used so there's no need to modify other plugins that use random password generator. https://fedorahosted.org/freeipa/ticket/1979 --- API.txt |6 +- VERSION |2 +- ipalib/plugins/user.py| 35 + ipapython/ipautil.py | 32 ++-- tests/test_xmlrpc/test_user_plugin.py | 128 - tests/test_xmlrpc/xmlrpc_test.py |7 ++ 6 files changed, 198 insertions(+), 12 deletions(-) diff --git a/API.txt b/API.txt index ed8b5553d25fbf242d49fbb338401dfd27491091..befb484eddd9316b221010c941cbb07d3b9ec3ce 100644 --- a/API.txt +++ b/API.txt @@ -2766,7 +2766,7 @@ output: Output('summary', (type 'unicode', type 'NoneType'), None) output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', type 'unicode', None) command: user_add -args: 1,31,3 +args: 1,32,3 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', pattern_errmsg='may only include letters, numbers, _, -, . and $', primary_key=True, required=True) option: Str('givenname', attribute=True, cli_name='first', multivalue=False, required=True) option: Str('sn', attribute=True, cli_name='last', multivalue=False, required=True) @@ -2779,6 +2779,7 @@ option: Str('loginshell', attribute=True, cli_name='shell', default=u'/bin/sh', option: Str('krbprincipalname', attribute=True, autofill=True, cli_name='principal', multivalue=False, required=False) option: Str('mail', attribute=True, cli_name='email', multivalue=True,
Re: [Freeipa-devel] [PATCH] 906 Add SELinux user mapping framework.
On Thu, 08 Dec 2011, Rob Crittenden wrote: Other than those two minor points, the patch looks very good. I'm going to give it a run on Friday. I tested the patch and it works for me on a new install. On upgrade of existing installation I've got few errors during run of ipa-ldap-updater for SELinux schema changes. Unfortunately, didn't save the log as it was 2.1 - 2.99 upgrade as well. It turns out that other characters are just as troublesome and require escaping (space and \). Im going to leave it as $ unless someone comes up with something better that the shell isn't going to whine about. I fixed some other minor issues and rebased. Upgrading isn't really testable at this point yet, other things in 3.0 need to be addressed as well. We have a separate ticket to look into the schema updates so I've removed the update file for now. rob Rebased patch ACK. Pushed to master. I had to fix freeipa.spec.in to have proper samba4-devel dependency now that ipa-devel repository includes fixed samba4 package (instead of samba-4.0). -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 054 Reordered facets in ACI
Facets in ACI have new order: * Roles: members, privileges, settings * Privileges: permissions, settings, roles * Permissions: settings, privileges https://fedorahosted.org/freeipa/ticket/2104 -- Petr Vobornik From ba24db9491f2545f1ebe39e2e1b39aafadcaf997 Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Fri, 9 Dec 2011 16:37:32 +0100 Subject: [PATCH] Reordered facets in ACI Facets in ACI have new order: * Roles: members, privileges, settings * Privileges: permissions, settings, roles * Permissions: settings, privileges https://fedorahosted.org/freeipa/ticket/2104 --- install/ui/aci.js |6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) diff --git a/install/ui/aci.js b/install/ui/aci.js index 30f5de792ef875f4aa04a16412cad796c4d821b2..c1f1ce9cc5546ea6d62461b299c1abf0bf0e9920 100644 --- a/install/ui/aci.js +++ b/install/ui/aci.js @@ -32,7 +32,7 @@ IPA.aci.permission_entity = function(spec) { that.init = function() { that.entity_init(); -that.builder.facet_groups([ 'privilege' , 'settings' ]). +that.builder.facet_groups(['settings', 'privilege']). search_facet({ columns: [ 'cn' ] }). @@ -207,7 +207,7 @@ IPA.aci.privilege_entity = function(spec) { that.init = function() { that.entity_init(); -that.builder.facet_groups([ 'role', 'settings', 'permission' ]). +that.builder.facet_groups(['permission', 'settings', 'role']). search_facet({ columns: [ 'cn', @@ -264,7 +264,7 @@ IPA.aci.role_entity = function(spec) { that.init = function() { that.entity_init(); -that.builder.facet_groups([ 'member', 'settings', 'privilege' ]). +that.builder.facet_groups(['member', 'privilege', 'settings']). search_facet({ columns: [ 'cn', -- 1.7.6.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 180 Add missing --pkey-only option for selfservice and
pkey-only functionality has to be implemented separately for these modules as they are based on crud.Search instead of standard LDAPSearch. Delegation commands were modified in the process to allow ACIs without 'memberof' as delegation ACIs. This check is no longer needed since delegation ACI prefixe ensures the ACI type. https://fedorahosted.org/freeipa/ticket/2092 From 594c1659b432ab191298a4cc08c933312891d3bc Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Fri, 9 Dec 2011 16:15:24 +0100 Subject: [PATCH] Add missing --pkey-only option for selfservice and delegation pkey-only functionality has to be implemented separately for these modules as they are based on crud.Search instead of standard LDAPSearch. Delegation commands were modified in the process to allow ACIs without 'memberof' as delegation ACIs. This check is no longer needed since delegation ACI prefixe ensures the ACI type. https://fedorahosted.org/freeipa/ticket/2092 --- API.txt |9 +++- VERSION |2 +- ipalib/plugins/aci.py| 11 - ipalib/plugins/baseldap.py | 12 +++-- ipalib/plugins/delegation.py | 56 -- ipalib/plugins/selfservice.py|3 + tests/test_xmlrpc/test_delegation_plugin.py | 16 +++ tests/test_xmlrpc/test_permission_plugin.py | 21 ++ tests/test_xmlrpc/test_selfservice_plugin.py | 15 +++ 9 files changed, 103 insertions(+), 42 deletions(-) diff --git a/API.txt b/API.txt index ed8b5553d25fbf242d49fbb338401dfd27491091..d2dd4cac779968fb7e6236dee89abdc443fbd0fe 100644 --- a/API.txt +++ b/API.txt @@ -27,7 +27,7 @@ output: Output('summary', (type 'unicode', type 'NoneType'), None) output: Output('result', type 'bool', None) output: Output('value', type 'unicode', None) command: aci_find -args: 1,15,4 +args: 1,16,4 arg: Str('criteria?') option: Str('aciname', attribute=False, autofill=False, cli_name='name', multivalue=False, primary_key=True, query=True, required=False) option: Str('permission', attribute=False, autofill=False, cli_name='permission', multivalue=False, query=True, required=False) @@ -41,6 +41,7 @@ option: Str('subtree', attribute=False, autofill=False, cli_name='subtree', mult option: Str('targetgroup', attribute=False, autofill=False, cli_name='targetgroup', multivalue=False, query=True, required=False) option: Bool('selfaci', attribute=False, autofill=False, cli_name='self', default=False, multivalue=False, query=True, required=False) option: StrEnum('aciprefix?', cli_name='prefix', multivalue=False, required=False, values=(u'permission', u'delegation', u'selfservice', u'none')) +option: Flag('pkey_only?', autofill=True, default=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('version?', exclude='webui') @@ -558,13 +559,14 @@ output: Output('summary', (type 'unicode', type 'NoneType'), None) output: Output('result', type 'bool', None) output: Output('value', type 'unicode', None) command: delegation_find -args: 1,8,4 +args: 1,9,4 arg: Str('criteria?') option: Str('aciname', attribute=True, autofill=False, cli_name='name', multivalue=False, primary_key=True, query=True, required=False) option: Str('permissions', attribute=True, autofill=False, cli_name='permissions', csv=True, multivalue=True, query=True, required=False) option: Str('attrs', attribute=True, autofill=False, cli_name='attrs', csv=True, multivalue=True, query=True, required=False) option: Str('memberof', attribute=True, autofill=False, cli_name='membergroup', multivalue=False, query=True, required=False) option: Str('group', attribute=True, autofill=False, cli_name='group', multivalue=False, query=True, required=False) +option: Flag('pkey_only?', autofill=True, default=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('version?', exclude='webui') @@ -2282,11 +2284,12 @@ output: Output('summary', (type 'unicode', type 'NoneType'), None) output: Output('result', type 'bool', None) output: Output('value', type 'unicode', None) command: selfservice_find -args: 1,6,4 +args: 1,7,4 arg: Str('criteria?') option: Str('aciname', attribute=True, autofill=False, cli_name='name', multivalue=False, primary_key=True, query=True, required=False) option: Str('permissions', attribute=True, autofill=False, cli_name='permissions', csv=True, multivalue=True, query=True, required=False) option: Str('attrs', attribute=True, autofill=False, cli_name='attrs', csv=True, multivalue=True, query=True, required=False) +option: Flag('pkey_only?', autofill=True, default=False) option: Flag('all', autofill=True, cli_name='all', default=False,
Re: [Freeipa-devel] [PATCH] 899 more context with attribute in error message
Martin Kosek wrote: On Fri, 2011-10-21 at 15:28 -0400, Rob Crittenden wrote: Depending on the context and how you are using input (-- options or set/addattr) you might get a different attribute name in the error message. This patch tries to clear that up a bit. See the ticket for some test cases. rob I found few issues with this patch: 1) This patch cannot be applied. First chunk (frontend.py) was already pushed in other patch 2) Actually, this patch did not work for me: # ipa pwpolicy-mod --setattr=krbpwdmaxfailure=-1 ipa: ERROR: invalid 'krbpwdmaxfailure': must be at least 0 cli_name still did not show up. I also see that you did the change for Int onlu. I guess we should fix all parameters, for example StrEnum, etc.: # ipa sudorule-add foo --usercat=bar ipa: ERROR: invalid 'usercat': must be one of (u'all',) # ipa sudorule-add foo --setattr=usercategory=bar ipa: ERROR: invalid 'usercategory': must be one of (u'all',) Martin This must have gotten fixed by some other patch. This is the behavior we want. When using a named option we should return that in the error message. When using an attribute name we should return that. I think this ticket can be closed. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0033 Check all LDAP servers during IPA discovery
Alexander Bokovoy wrote: On Fri, 02 Dec 2011, Rob Crittenden wrote: Alexander Bokovoy wrote: Hi, This is patch proposal, I haven't checked it with multiple servers setup yet. When discovering IPA LDAP servers through DNS records, look through all servers found until first success. A master might be not available or denied access due to anonymous binds disabled, for example, but replica may succeed. Ticket #1827 https://fedorahosted.org/freeipa/ticket/1827 Needs a rebase. This works fine but I wonder if someone specifies --server on the command-line if we should try only that server and fail if we can't connect. I can see someone using that so they can specify which server the client uses. Rebase attached. If --server is specified, DNS discovery is bypassed in search() and self.server will have the value of --server. That means the code I changed will still work as parse_items() accepts a single item as well. I don't see the --server code included in the patch. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] minor cleanup
On Fri, 2011-12-09 at 09:12 -0500, Rob Crittenden wrote: Simo Sorce wrote: Straightforward cleanup. Simo. ACK, works for me. Pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 5 User-add random password support
Ondrej Hamada wrote: On 11/29/2011 10:31 AM, Martin Kosek wrote: On Thu, 2011-11-24 at 17:51 +0100, Ondrej Hamada wrote: On 11/24/2011 03:54 PM, Ondrej Hamada wrote: https://fedorahosted.org/freeipa/ticket/1979 I've used code from ipalib/plugins/host.py to add support for random password generation. The '--random' option is now available in user-add and user-mod commands. If both the 'password' and 'random' options are used the 'random' option will be ignored. Functionally, it works OK. I would just like to propose few improvements: 1) Minor API version in VERSION file should be bumped since you add a new option 2) We should add some tests exercising this new functionality so that we can detect regressions early 3) (optional) I am thinking if the passwords we generate are not very user friendly. I would love to see user's face when he is told that his new password is 5QU;8l2%]y? . While this is may be OK for hosts bulk passwords which are only manipulated by admins, we may want to develop more user friendly passwords in the user plugin. Martin https://fedorahosted.org/freeipa/ticket/1979 I've used code from ipalib/plugins/host.py to add support for random password generation. The '--random' option is now available in user-add and user-mod commands. If both the 'password' and 'random' options are used the 'random' option will be ignored. Two test cases were added to unit test's module test_user_plugin.py - they test creating and modifying user with random password. Two fuzzy tests were added: test for password(string that doesn't start or end with whitespace and doesn't containt other whitespace than ' ') and for whatever string(because of krbextradata). I've slightly modified ipa_generate_password in order to make passwords for users more user-friendly(reduce number of non-letters). It has two optional parameters now - first one is string of characters that should be used for generating the passwd and second one is length of password. If none parameter is set default values will be used so there's no need to modify other plugins that use random password generator. This is very, very close. I just have a couple of observations: 1. Would it be clearer if in user.py you set the character set to: string.digits + string.ascii_letters + '_,.@' ? I gather you are excluding most of the characters that would cause the shell grief on purpose, right? You can probably add in +, - and = though. 2. Indention in ipa_generate_password() is a bit off. 3. Rather than fuzzy_string() I think you should define something like fuzzy_dergeneralizedtime() that specifies the time format in those kerberos time attributes. krbextradata is probably fine as a string. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0033 Check all LDAP servers during IPA discovery
On Fri, 09 Dec 2011, Rob Crittenden wrote: Alexander Bokovoy wrote: On Fri, 02 Dec 2011, Rob Crittenden wrote: Alexander Bokovoy wrote: Hi, This is patch proposal, I haven't checked it with multiple servers setup yet. When discovering IPA LDAP servers through DNS records, look through all servers found until first success. A master might be not available or denied access due to anonymous binds disabled, for example, but replica may succeed. Ticket #1827 https://fedorahosted.org/freeipa/ticket/1827 Needs a rebase. This works fine but I wonder if someone specifies --server on the command-line if we should try only that server and fail if we can't connect. I can see someone using that so they can specify which server the client uses. Rebase attached. If --server is specified, DNS discovery is bypassed in search() and self.server will have the value of --server. That means the code I changed will still work as parse_items() accepts a single item as well. I don't see the --server code included in the patch. Because it is not needed. search() method gets value of --server option passed as server named argument. If it is not None, the whole discovery is avoided and that value is assigned to self.server. self.server is then parsed via parse_items() and iterated over -- with a single iteration in the case --server is specified. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] [WIP] 172+173+175 Create per-type DNS API
Martin Kosek wrote: On Thu, 2011-12-01 at 17:18 -0500, Rob Crittenden wrote: Martin Kosek wrote: On Mon, 2011-11-28 at 17:35 +0100, Martin Kosek wrote: I have prepared a working prototype of the new structured DNS API. It may still have rough edges (and unit tests are not ready), but it will provide a base for discussion and for WebUI folks - so that they can start development of the new DNS WebUI API. The patch takes advantage of the DNS refactor I did in 172. For all supported non-DNSSEC RR types, the following commands are available: dnsrecordRRTYPE-show ZONE NAME dnsrecordRRTYPE-add ZONE NAME dnsrecordRRTYPE-mod ZONE NAME VALUE This is an example of the new API in action: # ipa dnsrecord-show example.com foo Record name: foo A record: 10.0.0.1 # ipa dnsrecordmx-add example.com foo --exchanger=foo.example.com. MX record: 0 foo.example.com. Preference: 0 Exchanger: foo.example.com. Number of entries returned 1 # ipa dnsrecordmx-add example.com foo --preference=1 --exchanger=foo.example.com. MX record: 0 foo.example.com. Preference: 0 Exchanger: foo.example.com. MX record: 1 foo.example.com. Preference: 1 Exchanger: foo.example.com. Number of entries returned 2 # ipa dnsrecordmx-show example.com foo MX record: 0 foo.example.com. Preference: 0 Exchanger: foo.example.com. MX record: 1 foo.example.com. Preference: 1 Exchanger: foo.example.com. Number of entries returned 2 There is an interactive wizard to help user modify a record without specifying an updated value first. If there is just one (MX) record, no wizard would be run. # ipa dnsrecordmx-mod example.com foo --preference=2 Which MX record would you like to modify? [1]: 0 foo.example.com. [2]: 1 foo.example.com. DNS record number: 2 MX record: 0 foo.example.com. Preference: 0 Exchanger: foo.example.com. MX record: 2 foo.example.com. Preference: 2 Exchanger: foo.example.com. Number of entries returned 2 # ipa dnsrecordmx-mod example.com foo 2 foo.example.com. --preference=3 MX record: 0 foo.example.com. Preference: 0 Exchanger: foo.example.com. MX record: 3 foo.example.com. Preference: 3 Exchanger: foo.example.com. Number of entries returned 2 There are few open questions I am still thinking about: 1) The commands return a list of structured records (just like *-find commands) instead of returning just one record. I thought that it may be more usable this way and consistent with dnsrecord-add/mod/show commands behavior which returns all records too. Otherwise, we would have to change the show command API and add VALUE argument, which would specify a value to be displayed: dnsrecordRRTYPE-show ZONE NAME VALUE 2) Raw DNS record value is in the output too. I though it would be useful to see the raw DNS record value + its parts at one place. 3) The commands are in format dnsrecordRRTYPE-cmd, for example dnsrecordmx-add. I think dnsrecord-mx-add may be more readable. If we want to go this way, I would have to bend the server framework a little which parses an LDAP object from the command name (LDAP object name is dnsrecordmx in this case). This is doable, although I am not sure if this does not have some implications in WebUI side. Martin I rebased both patches to the most recent master. Adding CSVs now works ok again (with the fix in 175): # ipa dnsrecord-mod example.com foo --a-rec=10.0.0.1,10.0.0.2 Record name: foo A record: 10.0.0.1, 10.0.0.2 Martin Rob, thank you for the review! What do you think about the 3 open questions I posted above? I think some abbreviations can be eliminated: siz - size alt - altitude Sure, this can be fixed. For MX record (and probably KX) you can make preference required. It should fill in without prompting since it has a default. This way it will show as required in the UI. Right, we don't want to run into issues we had with user fields. PTRRecord doc I think would read better as The hostname this reverse record points to Ok. Btw do you think it would be good to document this way all these new DNSRecord part parameters? As I checked with Petr, these would be shown in the UI - so the UI user would benefit from it. But it will require a lot of writing and RFC study :-) I'm not sure I follow the makeapi change. I see the new entry types in API.txt but this makeapi seems to suggest the DNS api is not checked. This fix is in validate_doc(), which tries to check that all our commands have proper __doc__ string. It fails with the new DNS API commands (dnsrecordmx-add etc.) because it cannot find class definitions in dns.py. This is expected as I generate all these
Re: [Freeipa-devel] [PATCH] 0033 Check all LDAP servers during IPA discovery
Alexander Bokovoy wrote: On Fri, 09 Dec 2011, Rob Crittenden wrote: Alexander Bokovoy wrote: On Fri, 02 Dec 2011, Rob Crittenden wrote: Alexander Bokovoy wrote: Hi, This is patch proposal, I haven't checked it with multiple servers setup yet. When discovering IPA LDAP servers through DNS records, look through all servers found until first success. A master might be not available or denied access due to anonymous binds disabled, for example, but replica may succeed. Ticket #1827 https://fedorahosted.org/freeipa/ticket/1827 Needs a rebase. This works fine but I wonder if someone specifies --server on the command-line if we should try only that server and fail if we can't connect. I can see someone using that so they can specify which server the client uses. Rebase attached. If --server is specified, DNS discovery is bypassed in search() and self.server will have the value of --server. That means the code I changed will still work as parse_items() accepts a single item as well. I don't see the --server code included in the patch. Because it is not needed. search() method gets value of --server option passed as server named argument. If it is not None, the whole discovery is avoided and that value is assigned to self.server. self.server is then parsed via parse_items() and iterated over -- with a single iteration in the case --server is specified. Ah, right you are. Works great, pushed to master. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 052 Better displaying of long names in tables and facet headers
On 12/9/2011 7:29 AM, Petr Vobornik wrote: Attaching new patch which addresses following issues: ACK and pushed to master. 7. When a column has a width set, there is a line (widget.js:1098): width += 16; Why is it there? I'd rather subtract it. I used git blame to find this. According to revision c0eb2b60 it's supposed to widen the last column by 16px to accommodate the scroll bar. Not sure if it's the right solution, and the logic probably got lost in subsequent changes. Feel free to change it. -- Endi S. Dewata ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 054 Reordered facets in ACI
On 12/9/2011 9:43 AM, Petr Vobornik wrote: Facets in ACI have new order: * Roles: members, privileges, settings * Privileges: permissions, settings, roles * Permissions: settings, privileges https://fedorahosted.org/freeipa/ticket/2104 ACK and pushed to master. -- Endi S. Dewata ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 325 Fixed matched/unmatched checkboxes in HBAC Test
On 12/9/2011 8:58 AM, Petr Vobornik wrote: Existing minor issue which can be fixed later: 1) matched checkbox has name 'disabled' Fixed and pushed to master under one-liner rule. -- Endi S. Dewata From 93aed745ec60f83ada4dc94f51e59c9e342a9847 Mon Sep 17 00:00:00 2001 From: Endi Sukma Dewata edew...@redhat.com Date: Fri, 9 Dec 2011 16:37:22 -0600 Subject: [PATCH] Fixed unmatched checkbox name. The name of the Unmatched checkbox in HBAC Test has been corrected. Ticket #388 --- install/ui/hbactest.js |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/install/ui/hbactest.js b/install/ui/hbactest.js index f2256a31c1aafb5a0c72a8233fc48ca33a7d9fa8..e5c59316f2b63c9c7a60eda279c27fe51d67c71e 100644 --- a/install/ui/hbactest.js +++ b/install/ui/hbactest.js @@ -586,7 +586,7 @@ IPA.hbac.test_run_facet = function(spec) { that.unmatched_checkbox = $('input/', { id: 'hbactest-rules-unmatched', type: 'checkbox', -name: 'disabled', +name: 'unmatched', checked: true, change: function() { that.show_unmatched = that.unmatched_checkbox.is(':checked'); -- 1.7.5.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 329 Fixed combobox icon position.
A recent CSS change inadvertently changes position of the combobox icon. This has been fixed now. Ticket #388 Pushed to master under one-liner rule. -- Endi S. Dewata From 3192474f7ef1d2e974c2a34e6d104b6e7ad92300 Mon Sep 17 00:00:00 2001 From: Endi Sukma Dewata edew...@redhat.com Date: Fri, 9 Dec 2011 15:26:19 -0600 Subject: [PATCH] Fixed combobox icon position. A recent CSS change inadvertently changes position of the combobox icon. This has been fixed now. Ticket #388 --- install/ui/ipa.css |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/install/ui/ipa.css b/install/ui/ipa.css index 529a08f14479d481e03947f5798ffd9b9956c378..b6e19885b32c8e071597cbc1d4a9471b1151c328 100644 --- a/install/ui/ipa.css +++ b/install/ui/ipa.css @@ -1213,7 +1213,7 @@ table.scrollable tbody { top: 0; bottom: 0; right: 0; -margin-top: -2px; +margin-top: 2px; margin-right: 4px; } -- 1.7.5.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 326 Added HBAC Test input validation.
On 12/9/2011 8:58 AM, Petr Vobornik wrote: Possible future enhancement: I would rather see more specific error message. The message should contain which values are missing. In this implementation if user misses to fill more than one value, he is informed only about the first missing value (by redirection to the its facet) for the others he has to check by hand (or realize it in mind) or by couple trial-error runs. In details facet it is fine because invalid or missing values are highlighted by validation messages near widgets. Agreed. Opened a new ticket: https://fedorahosted.org/freeipa/ticket/2182 -- Endi S. Dewata ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 330 Fixed combobox search icon position.
A recent CSS change inadvertently changes position of the combobox search icon. This has been fixed now. Ticket #388 Pushed to master under one-liner rule. -- Endi S. Dewata From 1ea1ea205cbd6da4892a8668d5e91f26de6e4ecb Mon Sep 17 00:00:00 2001 From: Endi Sukma Dewata edew...@redhat.com Date: Fri, 9 Dec 2011 19:11:41 -0600 Subject: [PATCH] Fixed combobox search icon position. A recent CSS change inadvertently changes position of the combobox search icon. This has been fixed now. Ticket #388 --- install/ui/ipa.css |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/install/ui/ipa.css b/install/ui/ipa.css index fcfd8ac53d2b742589720500fefc0238818a3600..a739689f3e12e528993d497570f1ad0458e2158d 100644 --- a/install/ui/ipa.css +++ b/install/ui/ipa.css @@ -1256,7 +1256,7 @@ table.scrollable tbody { top: 0; bottom: 0; right: 0; -margin-top: -2px; +margin-top: 6px; margin-right: 3px; } -- 1.7.5.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 180 Add missing --pkey-only option for selfservice and
On 12/9/2011 9:47 AM, Martin Kosek wrote: pkey-only functionality has to be implemented separately for these modules as they are based on crud.Search instead of standard LDAPSearch. Delegation commands were modified in the process to allow ACIs without 'memberof' as delegation ACIs. This check is no longer needed since delegation ACI prefixe ensures the ACI type. https://fedorahosted.org/freeipa/ticket/2092 From UI perspective this is ACKed. I'm sending a patch to enable paging on these pages. -- Endi S. Dewata ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 331 Enabled paging on self-service permissions and delegations.
Paging has been enabled on self-service permissions and delegations list pages. The search facet's get_pkeys() has been fixed to handle non-array value. New test data files have been added as well. Ticket #2092 This patch depends on Martin's patch #180. -- Endi S. Dewata From e731e78e7c02cbf176722c8ba47c36f67dd7e9dd Mon Sep 17 00:00:00 2001 From: Endi Sukma Dewata edew...@redhat.com Date: Fri, 9 Dec 2011 18:12:25 -0600 Subject: [PATCH] Enabled paging on self-service permissions and delegations. Paging has been enabled on self-service permissions and delegations list pages. The search facet's get_pkeys() has been fixed to handle non-array value. New test data files have been added as well. Ticket #2092 --- install/ui/aci.js |2 - install/ui/search.js |7 ++- install/ui/test/data/delegation_find_pkeys.json | 14 install/ui/test/data/delegation_get_records.json | 30 + install/ui/test/data/selfservice_find_pkeys.json | 17 + install/ui/test/data/selfservice_get_records.json | 69 + 6 files changed, 135 insertions(+), 4 deletions(-) create mode 100644 install/ui/test/data/delegation_find_pkeys.json create mode 100644 install/ui/test/data/delegation_get_records.json create mode 100644 install/ui/test/data/selfservice_find_pkeys.json create mode 100644 install/ui/test/data/selfservice_get_records.json diff --git a/install/ui/aci.js b/install/ui/aci.js index c1f1ce9cc5546ea6d62461b299c1abf0bf0e9920..2e9d02c935ee74a3010964a0870cd7d77647bf37 100644 --- a/install/ui/aci.js +++ b/install/ui/aci.js @@ -315,7 +315,6 @@ IPA.aci.selfservice_entity = function(spec) { that.entity_init(); that.builder.search_facet({ -pagination: false, columns: [ 'aciname' ] }). details_facet({ @@ -357,7 +356,6 @@ IPA.aci.delegation_entity = function(spec) { that.entity_init(); that.builder.search_facet({ -pagination: false, columns: [ 'aciname' ] }). details_facet({ diff --git a/install/ui/search.js b/install/ui/search.js index ffeafd0b2390415c3f5d4d01ee1c1b8d39a38e12..264e8d14d58604085ee0759293e62f8d3b2fdb94 100644 --- a/install/ui/search.js +++ b/install/ui/search.js @@ -170,8 +170,11 @@ IPA.search_facet = function(spec) { var pkeys = []; for (var i=0; iresult.length; i++) { var record = result[i]; -var values = record[pkey_name]; -pkeys.push(values[0]); +var value = record[pkey_name]; +if (value instanceof Array) { +value = value[0]; +} +pkeys.push(value); } return pkeys; }; diff --git a/install/ui/test/data/delegation_find_pkeys.json b/install/ui/test/data/delegation_find_pkeys.json new file mode 100644 index ..502737565d58b1aa6b4e73a1a1f297f5b00370ba --- /dev/null +++ b/install/ui/test/data/delegation_find_pkeys.json @@ -0,0 +1,14 @@ +{ +error: null, +id: null, +result: { +count: 1, +result: [ +{ +aciname: Test Delegation +} +], +summary: 1 delegation matched, +truncated: false +} +} diff --git a/install/ui/test/data/delegation_get_records.json b/install/ui/test/data/delegation_get_records.json new file mode 100644 index ..3012b04a627184216b5bc52d2bf9adb667a1f986 --- /dev/null +++ b/install/ui/test/data/delegation_get_records.json @@ -0,0 +1,30 @@ +{ +error: null, +id: null, +result: { +count: 1, +results: [ +{ +error: null, +result: { +aciname: Test Delegation, +attrs: [ +cn, +displayname, +givenname, +initials, +sn, +title +], +group: editors, +memberof: ipausers, +permissions: [ +write +] +}, +summary: null, +value: Test Delegation +} +] +} +} diff --git a/install/ui/test/data/selfservice_find_pkeys.json b/install/ui/test/data/selfservice_find_pkeys.json new file mode 100644 index ..0aee1fe478e7e1cef7cf4617b355d0993151512d --- /dev/null +++ b/install/ui/test/data/selfservice_find_pkeys.json @@ -0,0 +1,17 @@ +{ +error: null, +id: null, +result: { +count: 2, +result: [ +{ +aciname: Self can write own password +}, +{ +aciname: User Self service +} +], +summary: 2