Re: [Freeipa-devel] [PATCH] 10 --no-reverse option in ipa-replica-install is not honoured
On 25.1.2012 17:50, Ondrej Hamada wrote:
> https://fedorahosted.org/freeipa/ticket/2161
>
> The option '--no-reverse' was not honoured in replica-install because of wrongly placed condition checking.

NACK

The --no-reverse option means do not create a new reverse zone if there is no existing suitable reverse zone. Your patch changes the semantics of the option to do not use any reverse zone.

One problem I see is that the name of the option is misleading. It should probably be changed to --no-new-reverse.

Anyway, the ticket should IMO be closed as invalid. It is a case of people not reading documentation and then being surprised why things don't work the way they assumed.

Honza

-- 
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 178+179 Add missing managing hosts filtering options
On Thu, 2012-01-26 at 00:07 -0600, Endi Sukma Dewata wrote:
> On 12/13/2011 8:13 AM, Martin Kosek wrote:
>> Host object has a virtual attribute managing containing all hosts it manages (governed by managedBy attribute). This patch also adds standard membership filtering options:
>>
>> --man-hosts=HOSTS: Only hosts managing _all_ HOSTS are returned
>> --not-man-hosts=HOSTS: Only hosts which do not manage _any_ host in HOSTS are returned
>>
>> https://fedorahosted.org/freeipa/ticket/1675
>
> ACK, it works for me. I'll update the UI to use the new option.
>
> I take that back. It's NACK. Patch #178 causes the dnszone-find --forward-only to return the reverse zone.
>
>> Good catch, thanks. Fixed.
>>
>> Sorry for the delay. I applied 178-2 and rebased 179-2 into 179-3 (patch attached).
>
> It works except for one issue, when the host has no managedby, calling host-find with either of these options will generate an internal error.
>
> # ipa host-add test.example.com --force
> -
> Added host test.example.com
> -
>   Host name: test.example.com
>   Principal name: host/test.example@example.com
>   Password: False
>   Keytab: False
>   Managed by: test.example.com
>
> # ipa host-remove-managedby test.example.com --hosts=test.example.com
>   Host name: test.example.com
>   Principal name: host/test.example@example.com
> ---
> Number of members removed 1
> ---
>
> # ipa host-find --man-hosts=test.example.com
> ipa: ERROR: an internal error has occurred
>
> The above command should have returned no hosts.
>
> # ipa host-find --not-man-hosts=test.example.com
> ipa: ERROR: an internal error has occurred
>
> The above command should have returned all hosts.

Thanks for the review Endi and a good catch. I rebased the patches and fixed this issue.

Martin

From 363107d725ec581fa24e518d1786c13125e432b5 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com Date: Thu, 8 Dec 2011 17:34:26 +0100 Subject: [PATCH 1/2] Fix ldap2 combine_filters for ldap2.MATCH_NONE ! is a unary LDAP filter operator and cannot be treated in the same way as binary operators (, |). Otherwise, an invalid LDAP filter is created. https://fedorahosted.org/freeipa/ticket/1675 --- ipaserver/plugins/ldap2.py | 24 ++-- 1 files changed, 10 insertions(+), 14 deletions(-) diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index 0698034591328d9fef60cc83f7d09a1c79f675ce..dbe6084f02f5e43d165d9b609f2642f1f8e6ffe1 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -575,6 +575,10 @@ class ldap2(CrudBackend, Encoder): assert isinstance(filters, (list, tuple)) filters = [f for f in filters if f] +if filters and rules == self.MATCH_NONE: # unary operator +return '(%s%s)' % (self.MATCH_NONE, + self.combine_filters(filters, self.MATCH_ANY)) + if len(filters) 1: flt = '(%s' % rules else: @@ -603,19 +607,10 @@ class ldap2(CrudBackend, Encoder): False - forbid trailing filter wildcard when exact=False if isinstance(value, (list, tuple)): -flts = [] -if rules == self.MATCH_NONE: -for v in value: -flts.append( -self.make_filter_from_attr(attr, v, exact=exact, +make_filter_rules = self.MATCH_ANY if rules == self.MATCH_NONE else rules +flts = [ self.make_filter_from_attr(attr, v, exact=exact, leading_wildcard=leading_wildcard, -trailing_wildcard=trailing_wildcard) -) -return '(!%s)' % self.combine_filters(flts) -for v in value: -flts.append(self.make_filter_from_attr(attr, v, rules, exact, -leading_wildcard=leading_wildcard, -trailing_wildcard=trailing_wildcard)) +trailing_wildcard=trailing_wildcard) for v in value ] return self.combine_filters(flts, rules) elif value is not None: value = _ldap_filter.escape_filter_chars(value) 
@@ -651,11 +646,12 @@ class ldap2(CrudBackend, Encoder): ldap2.MATCH_ALL - match entries that match all attributes ldap2.MATCH_ANY - match entries that match any of attribute +make_filter_rules = self.MATCH_ANY if rules == self.MATCH_NONE else rules flts = [] if attrs_list is None: for (k, v) in entry_attrs.iteritems(): flts.append( -self.make_filter_from_attr(k, v, rules, exact, +self.make_filter_from_attr(k, v, make_filter_rules, exact, leading_wildcard, trailing_wildcard) ) else: @@ -663,7 +659,7 @@
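Review bot: the new early return in combine_filters (hunk @@ -575) should state in its comment what the generated filter means, since `# unary operator` only says why the case is special: MATCH_NONE is rendered as `(!(|...))`, the filters are OR-ed and the disjunction negated, so the result matches entries that match none of them. The single-filter case relies on `self.combine_filters(filters, self.MATCH_ANY)` returning the lone filter unwrapped, giving `(!(attr=v))`; a docstring line for MATCH_NONE next to the MATCH_ALL/MATCH_ANY descriptions would make that contract explicit.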
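Review bot: `make_filter_rules` in the make_filter_from_attr hunk (@@ -603) is assigned but never used: the list comprehension calls `self.make_filter_from_attr(attr, v, exact=exact, ...)` without passing it, and since every `v` is a scalar the rules argument would not matter there anyway. Drop the assignment so the dead variable does not suggest a missing argument, and `flts = [ self.make_filter_from_attr(` has spaces inside the brackets that the surrounding code does not use.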
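Review bot: the line `make_filter_rules = self.MATCH_ANY if rules == self.MATCH_NONE else rules` in make_filter (hunk @@ -651) deserves a one-line comment saying why the inner filters must not be negated themselves: a "none of" query is built as NOT over an OR of the per-attribute filters, so negating at both levels would cancel out; the same one-liner appears in make_filter_from_attr and could be a small helper. The hunk is cut off at `@@ -663,7 +659,7 @@`, so the matching change in the `else` (attrs_list) branch cannot be checked here; it needs the same substitution or MATCH_NONE will again reach the inner call.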
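As an added illustration of the commit message's point that `!` is unary, this is standalone example code, not ipaserver's ldap2: the names mirror the patched functions but the logic is a simplified re-implementation. It builds the MATCH_NONE filter behind --not-man-hosts correctly, shows the pre-patch shape beside it, and adds a minimal structural check plus RFC 4515 escaping of attribute values.

```python
# Standalone re-implementation (not ipaserver's ldap2) of the filter logic the patch touches.
MATCH_ALL, MATCH_ANY, MATCH_NONE = '&', '|', '!'

def escape_filter_chars(value):
    # RFC 4515 escaping: a value can never open or close a parenthesis, so it
    # cannot change the structure of the filter it is embedded in.
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def combine_filters(filters, rules=MATCH_ALL):
    """Join filters with one operator. '!' is unary, so for MATCH_NONE the
    filters are OR-ed first and the disjunction is negated (matches none)."""
    filters = [f for f in filters if f]
    if not filters:
        return ''
    if rules == MATCH_NONE:  # unary: negate the disjunction of the filters
        return '(%s%s)' % (MATCH_NONE, combine_filters(filters, MATCH_ANY))
    if len(filters) == 1:
        return filters[0]
    return '(%s%s)' % (rules, ''.join(filters))

def make_filter_from_attr(attr, value, rules=MATCH_ALL):
    """Filter for one attribute; a list of values is combined with `rules`."""
    if isinstance(value, (list, tuple)):
        return combine_filters([make_filter_from_attr(attr, v) for v in value], rules)
    return '(%s=%s)' % (attr, escape_filter_chars(value))

def naive_none(attr, values):
    """Pre-patch shape: '!' treated like a binary operator. With two or more
    values this yields '(!(a)(b))', which an LDAP server rejects as invalid."""
    return '(%s%s)' % (MATCH_NONE, ''.join(make_filter_from_attr(attr, v) for v in values))

def is_well_formed(flt):
    """Minimal structural check: '&' and '|' need at least one operand,
    '!' exactly one. Returns False instead of raising for a bad filter."""
    def parse(i):
        if flt[i] != '(':
            raise ValueError
        op = flt[i + 1]
        if op not in '&|!':
            return flt.index(')', i) + 1  # simple (attr=value) item, value escaped
        i, n = i + 2, 0
        while flt[i] == '(':
            i, n = parse(i), n + 1
        if n == 0 or (op == '!' and n != 1) or flt[i] != ')':
            raise ValueError
        return i + 1
    try:
        return parse(0) == len(flt)
    except (ValueError, IndexError):
        return False
```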
Re: [Freeipa-devel] [PATCH] 178+179 Add missing managing hosts filtering options
On 1/26/2012 6:48 AM, Martin Kosek wrote:
>>> Sorry for the delay. I applied 178-2 and rebased 179-2 into 179-3 (patch attached).
>>
>> It works except for one issue, when the host has no managedby, calling host-find with either of these options will generate an internal error.
>
> Thanks for the review Endi and a good catch. I rebased the patches and fixed this issue.

I had to rebase 179 again (patch attached) due to a recent API.txt and VERSION change.

ACK and pushed to master and ipa-2-2.

-- 
Endi S. Dewata

From f7ad9baf1390ea4f6178288616828a7b0bfae29c Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Thu, 26 Jan 2012 13:41:39 +0100
Subject: [PATCH 2/2] Add missing managing hosts filtering options

Host object has a virtual attribute managing containing all hosts it manages (governed by managedBy attribute). This patch also adds standard membership filtering options:

--man-hosts=HOSTS: Only hosts managing _all_ HOSTS are returned
--not-man-hosts=HOSTS: Only hosts which do not manage _any_ host in HOSTS are returned

https://fedorahosted.org/freeipa/ticket/1675
---
 API.txt                               |    4 ++-
 VERSION                               |    2 +-
 ipalib/plugins/baseldap.py            |   50 +---
 ipalib/plugins/host.py                |   47 +++
 tests/test_xmlrpc/test_host_plugin.py |   33 +
 5 files changed, 111 insertions(+), 25 deletions(-)

diff --git a/API.txt b/API.txt index ebf23181ad8f5b8754394a351a4bff29affb8bd7..d87dfc3b2f62a21c3dc2092194b3f4463607d510 100644 --- a/API.txt +++ b/API.txt
@@ -1697,7 +1697,7 @@ output: Output('summary', (type 'unicode', type 'NoneType'), None) output: Output('result', type 'bool', None) output: Output('value', type 'unicode', None) command: host_find -args: 1,29,4 +args: 1,31,4 arg: Str('criteria?', noextrawhitespace=False) option: Str('fqdn', attribute=True, autofill=False, cli_name='hostname', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9][a-zA-Z0-9-\\.]{0,254}$', pattern_errmsg='may only include letters, numbers, and -', primary_key=True, query=True, required=False) option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False) @@ -1728,6 +1728,8 @@ option: Str('enroll_by_user*', cli_name='enroll_by_users', csv=True) option: Str('not_enroll_by_user*', cli_name='not_enroll_by_users', csv=True) option: Str('man_by_host*', cli_name='man_by_hosts', csv=True) option: Str('not_man_by_host*', cli_name='not_man_by_hosts', csv=True) +option: Str('man_host*', cli_name='man_hosts', csv=True) +option: Str('not_man_host*', cli_name='not_man_hosts', csv=True) output: Output('summary', (type 'unicode', type 'NoneType'), None) output: ListOfEntries('result', (type 'list', type 'tuple'), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) output: Output('count', type 'int', None) diff --git a/VERSION b/VERSION index 2afbba27df3864db51223e9c7dfa9b185a466853..12316e411e8c97619608a07d217d9adf5e509dbf 100644 --- a/VERSION +++ b/VERSION @@ -79,4 +79,4 @@ IPA_DATA_VERSION=2010061412 # # IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=22 +IPA_API_VERSION_MINOR=23 diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 3d6480458a852ed43547384072def0d9ecca7e9d..f59a0d4106729573cfdbd8bdf2c407619eb051d5 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py 
@@ -1595,6 +1595,31 @@ class LDAPSearch(BaseLDAPCommand, crud.Search): for arg in super(crud.Search, self).get_args(): yield arg +def get_member_options(self, attr): +for ldap_obj_name in self.obj.attribute_members[attr]: +ldap_obj = self.api.Object[ldap_obj_name] +relationship = self.obj.relationships.get( +attr, ['member', '', 'no_'] +) +doc = self.member_param_incl_doc % ( +self.obj.object_name_plural, relationship[0].lower(), +ldap_obj.object_name_plural +) +name = '%s%s' % (relationship[1], to_cli(ldap_obj_name)) +yield Str( +'%s*' % name, cli_name='%ss' % name, doc=doc, +label=ldap_obj.object_name, csv=True +) +doc = self.member_param_excl_doc % ( +self.obj.object_name_plural, relationship[0].lower(), +ldap_obj.object_name_plural +) +name = '%s%s' % (relationship[2], to_cli(ldap_obj_name)) +yield Str( +'%s*' % name, cli_name='%ss' % name, doc=doc, +label=ldap_obj.object_name, csv=True +) + def get_options(self): for option in super(LDAPSearch, self).get_options(): yield option @@ -1602,29 +1627,8 @@ class
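Review bot: get_member_options (hunk @@ -1595) has no docstring although it is a new generator on LDAPSearch, and two conventions it relies on are only implied by the code: the CLI name is always formed by appending 's' (`cli_name='%ss' % name`), matching the existing man_by_hosts/not_man_by_hosts options, and the three slots of the relationship tuple (`['member', '', 'no_']`) are the doc word used via `relationship[0].lower()`, the inclusive prefix `relationship[1]` and the exclusive prefix `relationship[2]`. Spell both out in a docstring so the next relationship added gets the slots in the right order.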
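Review bot: the hunk at `@@ -1602,29 +1627,8 @@` is cut off in this copy, so whatever replaces the 29 removed lines in get_options cannot be reviewed here. Whatever it is, it should be confirmed that the 'managing' relationship is registered on the host object: `self.obj.attribute_members[attr]` raises KeyError if the attribute is missing, while `self.obj.relationships.get(attr, ['member', '', 'no_'])` silently falls back to the member prefixes and would generate wrongly named options rather than fail.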
[Freeipa-devel] [PATCH] Fixed host managed-by adder dialog.
The host managed-by adder dialog has been fixed to use the new --not-man-hosts option to filter out hosts that are already added.

Ticket #1675

-- 
Endi S. Dewata

From eae9ad84dc9d600c2ddcb3602b4020436d1e4fb2 Mon Sep 17 00:00:00 2001
From: Endi Sukma Dewata edew...@redhat.com
Date: Fri, 9 Dec 2011 15:01:06 -0600
Subject: [PATCH] Fixed host managed-by adder dialog.

The host managed-by adder dialog has been fixed to use the new --not-man-hosts option to filter out hosts that are already added.

Ticket #1675
---
 install/ui/association.js |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/install/ui/association.js b/install/ui/association.js index 2fbdb7ddec6baa5169732004ef7943f2eaf08930..58ed1a0fca1b62d0557dd0abbb9cba28ac4cdc13 100644 --- a/install/ui/association.js +++ b/install/ui/association.js @@ -207,6 +207,8 @@ IPA.association_adder_dialog = function(spec) { other_attribute_member = 'memberof'; else if (that.attribute_member == 'memberof') other_attribute_member = 'member'; +else if (that.attribute_member == 'managedby') +other_attribute_member = 'managing'; var relationship = relationships[other_attribute_member]; if (relationship) { -- 1.7.6.4
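Review bot: the new `else if (that.attribute_member == 'managedby')` branch is the third case in an if/else chain that maps an attribute to its inverse, which is the point where a lookup table reads better and is harder to get out of sync, e.g. `var inverse = { member: 'memberof', memberof: 'member', managedby: 'managing' };` followed by `other_attribute_member = inverse[that.attribute_member];`; the existing `if (relationship)` guard already handles an unknown attribute, so behaviour is unchanged. Note the mapping is added in one direction only (managedby to managing); a dialog opened from the managing side would need the reverse entry.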
[Freeipa-devel] [PATCH] 933 %ghost some UI files
Add a %ghost to some files installed by the UI so that they are owned by freeipa-server when the server is installed and they will be removed by rpm when the package is removed.

rob

From c845f6e61f136f553da190a860acd2b11a6a8bdd Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Thu, 26 Jan 2012 14:09:45 -0500
Subject: [PATCH] %ghost the UI files that we install/create on the fly

https://fedorahosted.org/freeipa/ticket/1764
---
 freeipa.spec.in |   11 +++
 1 files changed, 11 insertions(+), 0 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in index 6af41ffdaaea04270c86a2ea16c844c8cb5d88a6..7cccfee28e451c47f9698e72f36a9335d11a843d 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -345,6 +345,12 @@ mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/ /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf +mkdir -p %{buildroot}%{_usr}/share/ipa/html/ +/bin/touch %{buildroot}%{_usr}/share/ipa/html/configure.jar +/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.con +/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb5.ini +/bin/touch %{buildroot}%{_usr}/share/ipa/html/krbrealm.con +/bin/touch %{buildroot}%{_usr}/share/ipa/html/preferences.html mkdir -p %{buildroot}%{_initrddir} %if 0%{?fedora} = 16 # Default to systemd initscripts for F16 and above
@@ -529,6 +535,11 @@ fi %{_usr}/share/ipa/ipa.conf %{_usr}/share/ipa/ipa-rewrite.conf %{_usr}/share/ipa/ipa-pki-proxy.conf +%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/configure.jar +%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con +%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb5.ini +%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krbrealm.con +%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/preferences.html %dir %{_usr}/share/ipa/updates/ %{_usr}/share/ipa/updates/* %attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so -- 1.7.6
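Review bot: the `%ghost %attr(0644,root,apache)` entries (hunk @@ -529) only record the ownership and mode rpm expects for these files; they do not create them, so the installer code that writes configure.jar, krb.con, krb5.ini, krbrealm.con and preferences.html at install time must set root:apache and 0644 itself, otherwise the recorded attributes and the real files disagree and httpd may end up unable to read them or, worse, able to write them. A comment next to the %ghost lines naming where the files are generated would tie the two places together. The `/bin/touch` calls in the %install hunk (@@ -345) follow the existing pattern used for the httpd conf files, which is fine.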
[Freeipa-devel] [PATCH] 934 don't bind on TLS connect failure
In our installer LDAP library (also used by replication tools) we handle the case where the remote server hasn't started yet (wait_on_bind). What this doesn't handle is if the connection fails with SERVER_DOWN due to a TLS failure like hostname doesn't match the remote cert. Binding anyway causes a segfault in openldap.

I've opened a bug against openldap; it shouldn't segfault. I also added this patch as a workaround.

rob

From e5949142f22abd716dd9f247e73c56ee43a5d4ac Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Thu, 26 Jan 2012 16:32:29 -0500
Subject: [PATCH] Don't try to bind on TLS failure

We have bind code that can handle the case where a server hasn't come up yet. It needs to handle a real connection failure such as the TLS hostname not matching. If we try to bind anyway we end up with a segfault in openldap.

https://fedorahosted.org/freeipa/ticket/2301
---
 ipaserver/ipaldap.py |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/ipaserver/ipaldap.py b/ipaserver/ipaldap.py index e2b7486..a5a5307 100644 --- a/ipaserver/ipaldap.py +++ b/ipaserver/ipaldap.py @@ -346,7 +346,9 @@ class IPAdmin(IPAEntryLDAPObject): try: bind_func(*args, **kwargs) except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN), e: -if not timeout: +if not timeout or 'TLS' in e.args[0]['info']: +# No connection to continue on if we have a TLS failure +# https://bugzilla.redhat.com/show_bug.cgi?id=784989 raise e try: self.__wait_for_connection(timeout) -- 1.7.6
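Review bot: `'TLS' in e.args[0]['info']` (hunk @@ -346) assumes the exception's first argument is a dict with an `info` key, which python-ldap does not guarantee for every SERVER_DOWN or CONNECT_ERROR (some carry only `desc`); a KeyError or TypeError raised here would replace the real connection error with a confusing one. Use `e.args[0].get('info', '')`, guarded by a check that `e.args` is non-empty and its first item is a dict, so the test degrades to the old timeout behaviour when no info is present. Failing fast on a TLS error is the right choice: retrying the bind after a certificate or hostname validation failure can only repeat the failure, and with the openldap bug linked in the comment it crashes the process. The commit message could say that the string match is a workaround to be dropped once openldap is fixed.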