Re: [Freeipa-devel] [PATCH] 69 Configure SSH features of SSSD in ipa-client-install
On 2.3.2012 04:56, Rob Crittenden wrote:
Jan Cholasta wrote:
On 29.2.2012 15:00, Martin Kosek wrote:
On Wed, 2012-02-29 at 14:44 +0100, Jan Cholasta wrote:
On 29.2.2012 14:24, Martin Kosek wrote:
On Wed, 2012-02-29 at 10:52 +0100, Jan Cholasta wrote:
On 28.2.2012 23:42, Rob Crittenden wrote:
Jan Cholasta wrote:

Hi,

this patch configures the new SSH features of SSSD in ipa-client-install. To test it, you need to have SSSD 1.8.0 installed.

Honza

Is there a better name for 'GlobalKnownHostsFile2'?

What do you mean? The option name or the file name? Either way, I don't think there is a better name.

When is PubKeyAgent used? I tried in RHEL 6.2, F-11 and F15-17 and it was an unknown option in all.

It's in openssh in RHEL 6.0.

Should you test for the existence of /usr/bin/sss_ssh_knownhostsproxy and /usr/bin/sss_ssh_authorizedkeys before setting it in a config file?

It depends. Do we want to support clients with SSSD < 1.8.0?

How would you recommend testing this? Enroll a client and try to log into the IPA server?

To test host authentication, you need an IPA host with SSH public keys set (which is done automatically in ipa-client-install, so any IPA host should work) and try to ssh into that host from other (actually, it can be the same) IPA host. You should not see the "The authenticity of host ... can't be established" ssh message.

To test user authentication, you need an IPA user with SSH public keys set. To do that, you need to set the public keys using ipa user-mod. You should then be able to authenticate using your private key on any IPA host.

rob

Honza

I get this exception when running ipa-client-install with your patch.

# ipa-client-install --enable-dns-updates
Discovery was successful!
Hostname: vm-138.idm.lab.bos.redhat.com
Realm: IDM.LAB.BOS.REDHAT.COM
DNS Domain: idm.lab.bos.redhat.com
IPA Server: vm-068.idm.lab.bos.redhat.com
BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com

Continue to configure the system with these values? [no]: y
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Password for ad...@idm.lab.bos.redhat.com:
Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
Created /etc/ipa/default.conf
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1514, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 1501, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 1326, in install
    if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options):
  File "/usr/sbin/ipa-client-install", line 711, in configure_sssd_conf
    sssdconfig.activate_service('ssh')
  File "/usr/lib/python2.7/site-packages/SSSDConfig.py", line 1516, in activate_service
    raise NoServiceError
SSSDConfig.NoServiceError

SSSD version: sssd-1.8.1-0.20120228T2018Zgit751b121.fc16.x86_64

Martin

Does your /etc/sssd/sssd.conf and /usr/share/sssd/sssd.api.conf contain [ssh] section?

sssd.api.conf did contain the ssh section:

# grep -C 3 ssh /usr/share/sssd/sssd.api.conf
# autofs service
autofs_negative_timeout = int, None, false

[ssh]
# ssh service

[provider]
#Available provider types

sssd.conf did not.

Either case, we should not crash but handle the issue in some more friendly way.

Martin

Patch updated with more defensive code.

Honza

Needs a BuildRequires of sssd 1.8 or you get some pylint errors:

ipa-client/ipa-install/ipa-client-install:712: [E1101, configure_sssd_conf] Instance of 'SSSDConfig' has no 'activate_service' member
ipa-client/ipa-install/ipa-client-install:723: [E1101, configure_sssd_conf] Instance of 'SSSDConfig' has no 'activate_service' member
ipa-client/ipa-install/ipa-client-install:734: [E1101, configure_sssd_conf] Instance of 'SSSDConfig' has no 'activate_service' member

Added.

Host keys work fine. I wasn't able to get user ssh keys working but my server is still on F-15. I had a daily build of sssd (1.8.1) but it was missing /usr/libexec/sssd/sssd_ssh!? Too tired to work out why right now.

F15 is not the problem, the SSSD package in ipa-devel is built without experimental features for some reason (in the patch I assumed that it always is, fixed that).

Two more things:

1. You will need explicit test cases for QE to test positive and negative login cases (it would have sped me along too). Should that be part of the patch?

2. You need to beef up the commit message to describe what this does (e.g. configure for knownhost support). Commit message space is cheap, be verbose.

Done.

rob

Updated patch attached.

Honza

-- 
Jan Cholasta

From 07f17587a1fb4d5e3f35710a0be428ef7bb13ddd Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Thu, 16 Feb 2012 04:21:56 -0500
Subject: [PATCH] Configure SSH features of SSSD in ipa-client-install.

OpenSSH server (sshd) is configured to fetch user authorized keys from SSSD and OpenSSH client (ssh) is configured to use
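The crash above came from calling SSSDConfig.activate_service('ssh') against an sssd.conf that had no [ssh] section, and the thread also asks whether the SSSD ssh helper binaries should be checked before the config is touched. The following is an added example, not code from the FreeIPA patch or from SSSD's own SSSDConfig module: it edits a constructed sssd.conf with the standard library, adds the 'ssh' service and section only when they are missing, and skips the edit entirely when the helpers are not installed. The sample config contents, the function names and the helper-path tuple are assumptions made for the example.

```python
import configparser
import io
import os

# Constructed sample of an sssd.conf in the state that triggered the
# NoServiceError in the thread: no 'ssh' in the [sssd] services list and no
# [ssh] section. (Assumed layout for this example, not a file from the project.)
SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = idm.lab.bos.redhat.com

[domain/idm.lab.bos.redhat.com]
id_provider = ipa
auth_provider = ipa
ipa_server = vm-068.idm.lab.bos.redhat.com

[nss]

[pam]
"""

# Helpers SSSD 1.8 ships for OpenSSH integration (paths as named in the thread).
SSS_SSH_HELPERS = ('/usr/bin/sss_ssh_knownhostsproxy',
                   '/usr/bin/sss_ssh_authorizedkeys')


def sss_ssh_available(paths=SSS_SSH_HELPERS, exists=os.path.exists):
    """True only if every helper binary is present; 'exists' is injectable so
    the check can be exercised without touching the real file system."""
    return all(exists(p) for p in paths)


def load_sssd_conf(text):
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str  # sssd.conf keys are case-sensitive; keep them verbatim
    cp.read_string(text)
    return cp


def services_of(text):
    """The [sssd] 'services' list as a Python list (empty if absent)."""
    raw = load_sssd_conf(text).get('sssd', 'services', fallback='')
    return [s.strip() for s in raw.split(',') if s.strip()]


def has_ssh_section(text):
    return load_sssd_conf(text).has_section('ssh')


def enable_ssh_service(text):
    """Return (new_text, changed): add 'ssh' to [sssd] services and create an
    empty [ssh] section when missing, instead of failing on their absence."""
    cp = load_sssd_conf(text)
    changed = False
    if not cp.has_section('sssd'):
        cp.add_section('sssd')
        changed = True
    services = services_of(text)
    if 'ssh' not in services:
        services.append('ssh')
        cp.set('sssd', 'services', ', '.join(services))
        changed = True
    if not cp.has_section('ssh'):
        cp.add_section('ssh')
        changed = True
    if not changed:
        return text, False
    out = io.StringIO()
    cp.write(out)
    return out.getvalue(), True


def configure_sssd_ssh(text, helpers_present):
    """The defensive variant discussed in the thread: only touch the config
    when the SSSD ssh helpers exist on this client, otherwise leave it alone."""
    if not helpers_present:
        return text, False
    return enable_ssh_service(text)


if __name__ == '__main__':
    new_conf, changed = configure_sssd_ssh(SAMPLE_SSSD_CONF, sss_ssh_available())
    print('changed' if changed else 'unchanged (helpers missing or already configured)')
    print(new_conf)
```

Because the function reports whether it changed anything, an installer can log the skipped case instead of silently producing a client without known-hosts support.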
Re: [Freeipa-devel] [PATCH] 918, 919 update sudo schema
On 1.3.2012 20:57, Rob Crittenden wrote:
Rob Crittenden wrote:
Jan Cholasta wrote:
On 17.1.2012 04:55, Rob Crittenden wrote:
Jan Cholasta wrote:
Dne 13.1.2012 17:39, Rob Crittenden napsal(a):
Jan Cholasta wrote:
Dne 14.12.2011 16:21, Rob Crittenden napsal(a):
Jan Cholasta wrote:
Dne 14.12.2011 15:23, Rob Crittenden napsal(a):
Jan Cholasta wrote:
Dne 14.12.2011 05:20, Rob Crittenden napsal(a):

The sudo schema now defines sudoOrder, sudoNotBefore and sudoNotAfter but these weren't available in the sudorule plugin. I've added support for these. sudoOrder enforces uniqueness because duplicates are undefined.

I also added support for a GeneralizedTime parameter type. This is similar to the existing AccessTime parameter but it only handles a single time value.

You should parse the date/time part of the value with time.strptime(timestr, '%Y%m%d%H%M%S') instead of doing it manually, that way you'll get most of the validation for free.

Yes but it gives a crappy error message, just saying that some data is left over, not what is wrong.

IMHO having a separate error message for every field in the time string (like you do in the patch) is an overkill, simple "invalid time" and/or "unknown time format" should suffice (we don't have errors like "invalid 3rd octet" for IP addresses either).

Well, the work is done, hard to go back on a better error message.

Also, it would be nice to be able to enter the value in more user-friendly format (e.g. 2011-12-14 13:01:25 +0100) and normalize that to LDAP generalized time.

When dealing with time there are so many ways to input and display the same values this becomes difficult. I'd expect that the times for these two attributes will be relatively simple and I somehow doubt users are going to want seconds, leap seconds or fractions, but we'll need to consider how to do it for future consistency (otherwise we could have a case where time is entered in one format for some attributes and another for others). If we input in a nice way we need to output in the same way.

We could make the preferred input/output time format user-configurable, defaulting to current locale time format. This format would be used for output. For input, we could go over a list of formats (first the user-configured format, then current locale format, then a handful of standard formats like YYYY-MM-DD HH:MM:SS) and use the first format that can be successfully used to parse the time string.

See how far you get into the rabbit hole with even this simple format?

I don't mind, as long as it is the right thing to do (IMHO) :)

Anyway, I think this could be done on the client side, so we might use your patch without changes. However, I would prefer if the parameter class was more generic, so we could use it (hypothetically) to store time in some other way than LDAP generalized time attribute (at least name it DateTime please).

Ok, I'm fine with that.

Thanks.

The LDAP GeneralizedTime needs to be either in GMT or include a differential. This gets us into the territory where the client could be in a different timezone than the server which leads us to why we dropped AccessTime in the first place.

Speaking of time zones, the differential alone is not a sufficient time zone description, as it doesn't account for DST. Is there a way to store time in LDAP with full time zone name (just in case it's needed sometime in future)?

There is no way to store DST in LDAP (probably for good reason). Oddly enough the older LDAP v3 RFC (2252) strongly recommends using only GMT but the RFC that obsoletes it (4517) does not include this.

Thanks for the info.

So I'd like the user to supply the timezone themselves so I don't have to guess (wrongly) and let them worry about differing timezones.

We don't have to guess, IIRC there is a way to get the local timezone differential in both Python and JavaScript, so the client could supply it automatically if necessary.

I was thinking more about non-IPA clients (like sudo and notBefore).

I think this can still be done at least in CLI, but it could be done in a separate patch.

Updated patches attached.

rob

Patch 919 doesn't cleanly apply on current master (neither does 916 BTW).

Honza

Rebased patch (and 916 too, separately).

rob

Patch 918:

1. LDAP generalized time allows you to omit minutes from time zone differential, your code treats such values as invalid
2. IMO a better pattern could be used, such as u'^([0-9]{2}){5,7}([.,][0-9]+)?([-+]([0-9]{2}){1,2}|Z)$'
3. 20120229000Z has malformed minutes, but the error message says "Malformed seconds"
4. 20120229000+ has malformed minutes, but the error message says "Missing operator for differential or malformed time string"
5. 20120229+ is valid generalized time, but it causes "Missing operator for differential or malformed time string" error
6. Invalid month/day combinations (such as 20120231Z) are treated as valid
7. When + or - is missing, the error message says
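The review list above covers the corner cases of RFC 4517 GeneralizedTime: optional minutes and seconds, a fraction after the least significant field, a differential that may omit its minutes, and month/day combinations that the regex alone cannot validate. The parser below is an added example, not the code from patch 918 or anything in FreeIPA; it follows the RFC grammar (where the hour field is mandatory), uses a shape regex equivalent to the one suggested in point 2, and leaves range checking to datetime, which rejects 2012-02-31 but accepts the 2012-02-29 leap day. It distinguishes only two error kinds, "unknown time format" and "invalid time", which is the error-message granularity argued for earlier in the thread. The function names are assumptions for this example; the one RFC value datetime cannot represent is a leap second (SS == 60).

```python
import re
from datetime import datetime, timedelta, timezone

# RFC 4517 GeneralizedTime:
#   YYYYMMDDHH[MM[SS]][.frac|,frac]( Z | (+|-)HH[MM] )
# The hour is mandatory, minutes and seconds are optional, the fraction applies
# to the least significant field present, and a differential may omit minutes
# (the case the review lists as item 1).
_GT_RE = re.compile(
    r'^(?P<date>[0-9]{8})'
    r'(?P<time>[0-9]{2}(?:[0-9]{2}(?:[0-9]{2})?)?)'
    r'(?:[.,](?P<frac>[0-9]+))?'
    r'(?P<tz>Z|[-+][0-9]{2}(?:[0-9]{2})?)$'
)


def parse_generalized_time(value):
    """Return an aware datetime, or raise ValueError whose message starts with
    'unknown time format' (wrong shape) or 'invalid time' (field out of range)."""
    m = _GT_RE.match(value)
    if m is None:
        raise ValueError('unknown time format: %r' % (value,))
    date, time_, frac, tz = m.group('date', 'time', 'frac', 'tz')

    year, month, day = int(date[:4]), int(date[4:6]), int(date[6:8])
    hour = int(time_[0:2])
    minute = int(time_[2:4]) if len(time_) >= 4 else 0
    second = int(time_[4:6]) if len(time_) == 6 else 0

    # Fraction of whichever field was the last one given (hour, minute or second).
    extra = timedelta(0)
    if frac is not None:
        f = int(frac) / 10 ** len(frac)
        unit = {2: 'hours', 4: 'minutes', 6: 'seconds'}[len(time_)]
        extra = timedelta(**{unit: f})

    if tz == 'Z':
        tzinfo = timezone.utc
    else:
        sign = 1 if tz[0] == '+' else -1
        tz_h = int(tz[1:3])
        tz_m = int(tz[3:5]) if len(tz) == 5 else 0
        if tz_h > 23 or tz_m > 59:
            raise ValueError('invalid time: differential %s out of range' % tz)
        tzinfo = timezone(sign * timedelta(hours=tz_h, minutes=tz_m))

    # datetime() validates month/day combinations (2012-02-31 rejected,
    # 2012-02-29 accepted) and the hour/minute/second ranges for us.
    try:
        dt = datetime(year, month, day, hour, minute, second, tzinfo=tzinfo)
    except ValueError as e:
        raise ValueError('invalid time: %s' % e)
    return dt + extra


def to_generalized_time(dt):
    """Normalise an aware datetime to the canonical 14-digit UTC form for LDAP,
    so the stored value never depends on the client's local zone."""
    if dt.tzinfo is None:
        raise ValueError('naive datetime: time zone required')
    return dt.astimezone(timezone.utc).strftime('%Y%m%d%H%M%SZ')


def classify(value):
    """'ok', 'format' or 'range' for a candidate string (handy for tests/UI)."""
    try:
        parse_generalized_time(value)
    except ValueError as e:
        return 'format' if str(e).startswith('unknown') else 'range'
    return 'ok'


if __name__ == '__main__':
    for s in ('20120229000000Z', '2012022900+01', '2012023100Z', '20120229000Z'):
        print(s, classify(s))
```

A CLI that wants to accept friendlier input (the "2011-12-14 13:01:25 +0100" style discussed above) can parse that with strptime on the client side and hand the result to to_generalized_time, keeping the LDAP representation uniform.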
Re: [Freeipa-devel] [PATCH] 956 user lockout status
On Thu, 2012-03-01 at 16:26 -0500, Rob Crittenden wrote: Martin Kosek wrote: On Wed, 2012-02-29 at 11:20 +0100, Petr Viktorin wrote: On 02/27/2012 06:31 PM, Martin Kosek wrote: 4) Minor change: -except Exception: +except: Don't do that. It would for example disable Ctrl+C by trapping KeyboardInterrupt. PEP8 has a paragraph on this, search for 'except Exception:' Good to know, thanks. Rob, in that case please ignore issue #4. Martin Updated patch attached. rob This does not look like the right patch. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 0012-13 Don't allow deleting required config options
On 02/29/2012 04:09 PM, Petr Viktorin wrote:
On 02/29/2012 03:53 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
On 02/29/2012 11:14 AM, Jan Cholasta wrote:
On 29.2.2012 11:09, Petr Viktorin wrote:
On 02/28/2012 03:19 PM, Jan Cholasta wrote:
On 28.2.2012 11:54, Petr Viktorin wrote:
On 02/27/2012 10:44 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
On 02/20/2012 08:51 PM, Rob Crittenden wrote:
Petr Viktorin wrote:

https://fedorahosted.org/freeipa/ticket/2159 says various config options are not marked Required, so entering an empty value for it will pass validation (and IPA will blow up later when it expects a string, not None). For example the following:

$ ipa config-mod --groupsearch=

fails with AttributeError: 'NoneType' object has no attribute 'split'

There is a more general problem behind this, though: even if the attributes *are* marked as Required, an empty string will pass validation. This is because `None` is used in `Param.validate` to mean both "No value supplied" and "Empty value supplied". The method currently assumes the former, and skips validation entirely for `None` values to optional parameters.

For example, the following will delete membergroup, even though it's a required attribute:

$ ipa delegation-add --attrs=street --group=editors \
    --membergroup=admins td1
$ ipa delegation-mod --membergroup= td1

Note that some LDAPObjects handle this with a _check_empty_attrs function, so they aren't affected. That function is specific to LDAP objects, though. So I needed to tackle this on a lower level.

This patch solves the problem by
* adding a 'nonempty' flag when a required parameter of a CRUD Update object is auto-converted to a non-required parameter
* making the `validate` method aware of whether the parameter was supplied; and if it was, honor the nonempty flag.

The second patch fixes https://fedorahosted.org/freeipa/ticket/2159 by marking required config options as required.

This looks good but I think there are other things to protect in config as well such as the default e-mail domain. It is probably safe to say that everything in there is required.

rob

Let me just double-check this with you.

According to code in the user plugin (around line 330), if the default e-mail domain is not set, users don't get an address auto-assigned. Do we really want to require user e-mails?

ipaconfigstring (the password plugin flags) are a set (multivalue, not required).

The rest of the values I left as not required are for optional features or limits: search results time limit, max. username length, password expiry notification. Currently if these are missing, the feature/limit is disabled (well, except for the time limit). But, there are also special values (0 or -1) that have the same effect as a missing value. Sometimes they're documented. So we want to enforce that users use these special values instead of removing the config entry?

I think we want to enforce that these are defined. It will be confusing for users if these are not there at all. I don't think we need to show the special options, just declare that the attribute is required.

rob

Attaching updated patch 13. Only the default e-mail domain (https://fedorahosted.org/freeipa/ticket/2409) and ipaconfigstring are still optional.

You have removed all the config-related defensive code in the patch, is this a good idea? What will happen if someone e.g. deletes a required config attribute directly from LDAP?

Then IPA crashes. The defensive code wasn't there for all cases anyway, as ticket #2159 shows. If we want to protect against this it would probably be better to make the config class itself give the default when a required value is missing.

This, and raise an error in cases where no default is available (the check should probably be done in ldap.get_ipa_config).

Honza

Would a better approach be to modify the LDAP schema to require these values? I think that may be a longer-term fix. I propose we keep the defensive code in for now and correct it in the future.

rob

Here is an updated patch 13 that does that.

And here is patch 12 rebased against current master.

-- 
Petr³

From 00e06fef644ee538a49b4443f100611e2f99c9a0 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Thu, 16 Feb 2012 07:11:56 -0500
Subject: [PATCH 12/17] Enforce that required attributes can't be set to None in CRUD Update

The `required` parameter attribute didn't distinguish between cases where the parameter is not given at all, and where the parameter is given but empty. The case of updating a required attribute couldn't be validated properly, because when it is given but empty, validators don't run.

This patch introduces a new flag, 'nonempty', that specifies the parameter can be missing (if not required), but it can't be None. This flag gets added automatically to required parameters in CRUD Update.
---
 ipalib/crud.py       | 13 +++--
 ipalib/frontend.py   |  2 +-
 ipalib/parameters.py |  9
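The root cause described in this thread is that a single value (None) stands for both "not supplied" and "supplied but empty", so an update that clears a required attribute slips past validation. The following is an added example, not the ipalib Param implementation from patch 12: it uses a private sentinel for "not supplied", a 'nonempty' flag for the update case, and shows the create-to-update conversion that sets the flag automatically. All names (Param, ValidationError, update_variant, check) and the delegation-like parameter set are invented for the example.

```python
_MISSING = object()  # sentinel: the caller did not pass the parameter at all


class ValidationError(ValueError):
    pass


class Param:
    def __init__(self, name, required=True, nonempty=False, validator=None):
        self.name = name
        self.required = required    # must be supplied (create semantics)
        self.nonempty = nonempty    # may be omitted, but if supplied must not be empty
        self.validator = validator  # optional callable(value) raising ValidationError

    def validate(self, value=_MISSING):
        if value is _MISSING:
            if self.required:
                raise ValidationError('%s: required' % self.name)
            return  # optional and not supplied: nothing to check
        # Supplied. An empty value is only acceptable for a plain optional param;
        # this is the case the old None-only convention could not express.
        if value is None or value == '':
            if self.required or self.nonempty:
                raise ValidationError('%s: must not be empty' % self.name)
            return
        if self.validator is not None:
            self.validator(value)

    def update_variant(self):
        """The CRUD Update conversion: required -> optional but nonempty."""
        return Param(self.name, required=False,
                     nonempty=self.nonempty or self.required,
                     validator=self.validator)


def validate_options(params, options):
    """Run every param against a dict of CLI options. Keys absent from the
    dict are passed as _MISSING so validate() can tell absent from empty."""
    for p in params:
        p.validate(options.get(p.name, _MISSING))
    return True


def check(params, options):
    """True if valid, otherwise the error message (convenient for assertions)."""
    try:
        return validate_options(params, options)
    except ValidationError as e:
        return str(e)


# Constructed parameter set modelled on the delegation example in the thread.
ADD_PARAMS = [Param('membergroup', required=True),
              Param('attrs', required=True),
              Param('permissions', required=False)]
MOD_PARAMS = [p.update_variant() for p in ADD_PARAMS]


if __name__ == '__main__':
    print(check(MOD_PARAMS, {'attrs': 'street'}))          # True: omitted is fine on update
    print(check(MOD_PARAMS, {'membergroup': ''}))          # membergroup: must not be empty
```

The point of the sentinel is that the validator never has to guess: an attribute the client did not mention is simply not validated, while `--membergroup=` (an explicit empty string, or None after CLI conversion) is rejected on a nonempty parameter instead of being written to LDAP as a deletion.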
Re: [Freeipa-devel] [PATCH] 098 Forms based authentication UI
On 03/02/2012 12:39 AM, Rob Crittenden wrote:
Petr Vobornik wrote:

Support for forms based authentication was added to UI. It consists of:

1) new login page
Page url is [ipa server]/ipa/ui/login.html
Page contains a login form. For authentication it sends ajax request at [ipa server]/session/json/login_password. If authentication is successful page is redirected to [ipa server]/ipa/ui; if it fails for whatever reason a message is shown.

2) new enhanced error dialog - authorization_dialog.
This dialog is displayed when user is not authorized to perform action - usually when ticket and session expires. It is a standard error dialog which shows kerberos ticket related error message and newly offers (as a link) to use form based authentication. If a user clicks on the link, the dialog content and buttons switch to login dialog which has same functionality as 'new login page'. User is able to return back to the error message by clicking on a back button.

login.html uses same css styles as migration page - ipa-migration.css was merged into ipa.css.

https://fedorahosted.org/freeipa/ticket/2450

Theoretically the login.html is not needed. Sometime later we should come up with a method how to i18n static pages and main page prior to authentication.

ACK. It looks like ipa.js in master and ipa-2-2 have diverged slightly, I'll let you push this so you can make sure everything is ok.

rob

Pushed to master and ipa-2-2.

ipa.js is same in master and ipa-2-2. Maybe you were confused by the fact that when I was recently pushing 14 batches at once, I pushed two pairs of patches in different order. (Is it bad?) The final code is the same though.

-- 
Petr Vobornik
Re: [Freeipa-devel] [PATCH] 0100 Improved usability of login dialog
On 03/02/2012 12:39 AM, Rob Crittenden wrote:
Petr Vobornik wrote:

Usability was improved in Unauthorized/Login dialog.

When the dialog is opened a link which switches to login form is focused so user can do following:
1) press enter (login form is displayed and username field is focused)
2) type username
3) press tab
4) type password
5) press enter

this sequence will execute login request.

When filling form user can also press 'escape' to go back to previous form state. It's the same as if he would click on the 'back' button.

https://fedorahosted.org/freeipa/ticket/2450

ACK

Pushed to master and ipa-2-2.

-- 
Petr Vobornik
[Freeipa-devel] [PATCH] 216 Remove memberPrincipal for deleted replicas
When a replica is deleted, its memberPrincipal entries in cn=s4u2proxy,cn=etc,SUFFIX were not removed. Then, if the replica is reinstalled and connected again, the installer would report an error with duplicate value in LDAP. This patch extends replica cleanup procedure to remove replica principal from s4u2proxy configuration. https://fedorahosted.org/freeipa/ticket/2451 From f570a521b668e8da3fc3da65457620744520ae97 Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Fri, 2 Mar 2012 12:10:27 +0100 Subject: [PATCH] Remove memberPrincipal for deleted replicas When a replica is deleted, its memberPrincipal entries in cn=s4u2proxy,cn=etc,SUFFIX were not removed. Then, if the replica is reinstalled and connected again, the installer would report an error with duplicate value in LDAP. This patch extends replica cleanup procedure to remove replica principal from s4u2proxy configuration. https://fedorahosted.org/freeipa/ticket/2451 --- ipalib/constants.py |1 + ipaserver/install/replication.py | 33 +++-- 2 files changed, 32 insertions(+), 2 deletions(-) diff --git a/ipalib/constants.py b/ipalib/constants.py index 3c63739faf67b3131e94d929e3c95e5af1d64e8b..dc32533ee9f4be7785b35ace1cd412c2fbaf11d0 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -100,6 +100,7 @@ DEFAULT_CONFIG = ( ('container_entitlements', 'cn=entitlements,cn=etc'), ('container_automember', 'cn=automember,cn=etc'), ('container_selinux', 'cn=usermap,cn=selinux'), +('container_s4u2proxy', 'cn=s4u2proxy,cn=etc'), # Ports, hosts, and URIs: # FIXME: let's renamed xmlrpc_uri to rpc_xml_uri diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index 9247b58fc22a8492a8d27d0d596bdb8c8d14bb3c..fd94e45b966e36013c8f8628cb2fa2ac7b7c1d96 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py 
@@ -27,8 +27,7 @@ from ipaserver import ipaldap from ipapython import services as ipaservices import installutils from ldap import modlist -from ipalib import util -from ipalib import errors +from ipalib import api, util, errors from ipapython import ipautil from ipalib.dn import DN @@ -941,6 +940,36 @@ class ReplicationManager(object): else: err = e +# remove replica memberPrincipal from s4u2proxy configuration +dn1 = DN(u'cn=ipa-http-delegation', api.env.container_s4u2proxy, self.suffix) +member_principal1 = HTTP/%(fqdn)s@%(realm)s % dict(fqdn=replica, realm=realm) + +dn2 = DN(u'cn=ipa-ldap-delegation-targets', api.env.container_s4u2proxy, self.suffix) +member_principal2 = ldap/%(fqdn)s@%(realm)s % dict(fqdn=replica, realm=realm) + +for (dn, member_principal) in ((str(dn1), member_principal1), + (str(dn2), member_principal2)): +try: +ret = self.conn.search_s(dn, ldap.SCOPE_BASE, + '(objectclass=*)')[0] +principals = ret.data.get('memberPrincipal') + +if member_principal not in principals: +root_logger.debug(Replica (%s) memberPrincipal (%s) not found in %s % \ +(replica, member_principal, dn)) +continue + +principals.remove(member_principal) +mod = [(ldap.MOD_REPLACE, 'memberPrincipal', principals)] +self.conn.modify_s(dn, mod) +except ldap.LDAPError: +pass +except Exception, e: +if not force: +raise e +elif not err: +err = e + # delete master entry with all active services try: dn = 'cn=%s,cn=masters,cn=ipa,cn=etc,%s' % (replica, self.suffix) -- 1.7.7.6 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
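Review bot: in the import hunk (@@ -27,8 +27,7 @@), replacing the two `from ipalib import ...` lines with `from ipalib import api, util, errors` makes the cleanup code below depend on `api.env.container_s4u2proxy`, which is only populated once the calling tool has bootstrapped and finalized `api`; ReplicationManager is driven from several installers as well as ipa-replica-manage, so confirm each caller does that before reaching this path, or resolve the container DN once in the constructor and fail early with a clear message rather than an AttributeError deep inside replica deletion.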
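Review bot: in the @@ -941,6 +940,36 @@ hunk, `principals = ret.data.get('memberPrincipal')` is None when the delegation entry carries no memberPrincipal values, so `member_principal not in principals` raises TypeError, which lands in `except Exception, e:` and aborts the deletion unless force is set; use `ret.data.get('memberPrincipal', [])`. In the same block, `except ldap.LDAPError: pass` swallows every LDAP error (connection and permission failures included), not just the missing-entry case that is presumably intended, so catch `ldap.NO_SUCH_OBJECT` or at least `root_logger.debug` the exception instead of a silent pass; and `raise e` drops the original traceback in Python 2 where a bare `raise` keeps it. `realm`, `force` and `root_logger` are used but do not appear in the hunk's visible context; please confirm they are in scope of this method.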
[Freeipa-devel] [PATCH] 0019 Use reboot from /sbin
Commit message says it all. So does the ticket. https://fedorahosted.org/freeipa/ticket/2480 -- Petr³ From aad19e793e3ea882ef5069d678f9ba739b2e6eb4 Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Fri, 2 Mar 2012 07:18:56 -0500 Subject: [PATCH] Use reboot from /sbin According to FHS, the reboot command should live in /sbin. Systems may also have a symlink in /usr/bin, but they don't have to. https://fedorahosted.org/freeipa/ticket/2480 --- ipa-client/ipa-install/ipa-client-install |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index f5c1efe0686020ce7cad79edfe19908ee3a55a30..7d405a8d7c17d8ec626d018eeda02bf234805dce 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -409,7 +409,7 @@ def uninstall(options, env, quiet=False): if not options.on_master: if user_input(Do you want to reboot the machine?, False): try: -run([/usr/bin/reboot]) +run([/sbin/reboot]) except Exception, e: emit_quiet(quiet, Reboot command failed to exceute. + str(e)) return CLIENT_UNINSTALL_ERROR -- 1.7.7.6 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
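Review bot: the one-line change to `run([/sbin/reboot])` is the right fix per FHS, but the unchanged context line two lines below in the same hunk still reads `Reboot command failed to exceute.`; fix the `exceute` typo while this block is being touched. A missing binary surfaces as an exception from `run()`, and the existing `except Exception, e:` already reports it and returns CLIENT_UNINSTALL_ERROR, so no further fallback is needed for that case.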
Re: [Freeipa-devel] [PATCH] 0019 Use reboot from /sbin
On Fri, Mar 02, 2012 at 01:28:56PM +0100, Petr Viktorin wrote:
Commit message says it all. So does the ticket.
https://fedorahosted.org/freeipa/ticket/2480
-- 
Petr³

Does it matter? In the UsrMoved world, both are just symlinks to systemctl..

[root@vm-146 ~]# ll /sbin/reboot
lrwxrwxrwx. 1 root root 16 Feb 29 16:25 /sbin/reboot -> ../bin/systemctl
[root@vm-146 ~]# ll /usr/sbin/reboot
lrwxrwxrwx. 1 root root 16 Feb 29 16:25 /usr/sbin/reboot -> ../bin/systemctl
[root@vm-146 ~]# cat /etc/redhat-release
Fedora release 18 (Rawhide)
Re: [Freeipa-devel] [PATCH] 0019 Use reboot from /sbin
On 03/02/2012 01:42 PM, Jakub Hrozek wrote:
On Fri, Mar 02, 2012 at 01:28:56PM +0100, Petr Viktorin wrote:
Commit message says it all. So does the ticket.
https://fedorahosted.org/freeipa/ticket/2480
-- 
Petr³

Does it matter? In the UsrMoved world, both are just symlinks to systemctl..

[root@vm-146 ~]# ll /sbin/reboot
lrwxrwxrwx. 1 root root 16 Feb 29 16:25 /sbin/reboot -> ../bin/systemctl
[root@vm-146 ~]# ll /usr/sbin/reboot
lrwxrwxrwx. 1 root root 16 Feb 29 16:25 /usr/sbin/reboot -> ../bin/systemctl
[root@vm-146 ~]# cat /etc/redhat-release
Fedora release 18 (Rawhide)

Things are different on Fedora 16:

vm-084:~# ls -l /sbin/reboot
lrwxrwxrwx. 1 root root 16 Mar 2 04:43 /sbin/reboot -> ../bin/systemctl
vm-084:~# ls -l /usr/bin/reboot
ls: cannot access /usr/bin/reboot: No such file or directory
vm-084:~# cat /etc/redhat-release
Fedora release 16 (Verne)
vm-084:~#
vm-084:~# yum whatprovides /usr/bin/reboot
Loaded plugins: product-id, subscription-manager
Updating certificate-based repositories.
usermode-1.108-1.fc16.x86_64 : Tools for certain user account management tasks
Repo: Fedora-16-x86_64-Everything
Matched from:
Filename: /usr/bin/reboot
usermode-1.108-1.fc16.x86_64 : Tools for certain user account management tasks
Repo: fedora
Matched from:
Filename: /usr/bin/reboot

Also, I expect other distros will follow FHS rather than UsrMove.

-- 
Petr³
Re: [Freeipa-devel] [PATCH] 217 Fix typos in ipa-replica-manage man page
On Fri, 2012-03-02 at 14:40 +0100, Martin Kosek wrote:
ACK for patch fixing typos in ipa-replica-manage. I just had to fix it a little bit.
Pushed to master, ipa-2-2.
Martin

Just a clarification - the original patch was linked to the bug in Bugzilla.
Re: [Freeipa-devel] [PATCH] 956 user lockout status
Martin Kosek wrote: On Thu, 2012-03-01 at 16:26 -0500, Rob Crittenden wrote: Martin Kosek wrote: On Wed, 2012-02-29 at 11:20 +0100, Petr Viktorin wrote: On 02/27/2012 06:31 PM, Martin Kosek wrote: 4) Minor change: -except Exception: +except: Don't do that. It would for example disable Ctrl+C by trapping KeyboardInterrupt. PEP8 has a paragraph on this, search for 'except Exception:' Good to know, thanks. Rob, in that case please ignore issue #4. Martin Updated patch attached. rob This does not look like the right patch. Martin Right, it was just the new changes. All squashed together now. rob From 2d203a8939c8a7d52daf3fc0c5bd0b0e8eb697f4 Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Tue, 14 Feb 2012 09:41:25 -0500 Subject: [PATCH] Add status command to retrieve user lockout status This information is not replicated so pull from all IPA masters and display the status across all servers. https://fedorahosted.org/freeipa/ticket/2162 --- API.txt| 10 + ipalib/plugins/user.py | 99 +++- 2 files changed, 108 insertions(+), 1 deletions(-) diff --git a/API.txt b/API.txt index 35dedee..9ba3ce4 100644 --- a/API.txt +++ b/API.txt 
@@ -3221,6 +3221,16 @@ option: Str('version?', exclude='webui') output: Output('summary', (type 'unicode', type 'NoneType'), None) output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', type 'unicode', None) +command: user_status +args: 1,3,4 +arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', pattern_errmsg='may only include letters, numbers, _, -, . and $', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Output('summary', (type 'unicode', type 'NoneType'), None) +output: ListOfEntries('result', (type 'list', type 'tuple'), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) +output: Output('count', type 'int', None) +output: Output('truncated', type 'bool', None) command: user_unlock args: 1,0,3 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', pattern_errmsg='may only include letters, numbers, _, -, . and $', primary_key=True, query=True, required=True) diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 591132d..ca11315 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -18,7 +18,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see http://www.gnu.org/licenses/. -from time import gmtime, strftime +from time import gmtime, strftime, strptime import copy import string 
@@ -27,9 +27,13 @@ from ipalib import Flag, Int, Password, Str, Bool, Bytes from ipalib.plugins.baseldap import * from ipalib.request import context from ipalib import _, ngettext +from ipalib import output from ipapython.ipautil import ipa_generate_password import posixpath from ipalib.util import validate_sshpubkey, output_sshpubkey +if api.env.in_server and api.env.context in ['lite', 'server']: +from ipaserver.plugins.ldap2 import ldap2 +import os __doc__ = _( Users @@ -79,6 +83,21 @@ user_output_params = ( ), ) +status_output_params = ( +Str('server', +label=_('Server'), +), +Str('krbloginfailedcount', +label=_('Failed logins'), +), +Str('krblastsuccessfulauth', +label=_('Last successful authentication'), +), +Str('krblastfailedauth', +label=_('Last failed authentication'), +), + ) + # characters to be used for generating random user passwords user_pwdchars = string.digits + string.ascii_letters + '_,.@+-=' @@ -681,3 +700,81 @@ class user_unlock(LDAPQuery): ) api.register(user_unlock) + +class user_status(LDAPQuery): +__doc__ = _( +Lockout status of a user account + +An account may become locked if the password is entered incorrectly too +many times within a specific time period as controlled by password +policy. A locked account is a temporary condition and may be unlocked by +an administrator. + +This connects to each IPA master and displays the lockout status on +each one.) + +has_output = output.standard_list_of_entries +has_output_params = LDAPSearch.has_output_params + status_output_params + +def execute(self, *keys, **options): +ldap = self.obj.backend +dn = self.obj.get_dn(*keys, **options) +attr_list = ['krbloginfailedcount', 'krblastsuccessfulauth', 'krblastfailedauth'] + +
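Review bot: the import hunk (@@ -27,9 +27,13 @@) adds `import os` and a conditional `from ipaserver.plugins.ldap2 import ldap2`, and the previous hunk adds `strptime` to the `from time import ...` line, yet none of `os`, `strptime` or `ldap2` is used in the part of `user_status.execute` that survives in this copy; drop whichever the final body does not need, since pylint will flag them. The guard `if api.env.in_server and api.env.context in ['lite', 'server']:` also relies on `api` being in the module namespace, which the explicit import lines do not provide (it must arrive via `from ipalib.plugins.baseldap import *`); import it explicitly from ipalib so the dependency is visible.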
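Review bot: in the `status_output_params` and `user_status` hunks, `krbloginfailedcount` is declared as `Str` although it is a counter that callers will want to compare against the password policy's failure limit; `Int` is the better type (the two timestamps can stay `Str` unless you normalise them). The `execute` body is cut off here, but the docstring promises to connect to each IPA master, and the later reply in this thread reports that the squashed patch again raises when any master is unreachable; wrap each per-master connection in its own try/except that records the failure in that server's entry and continues, otherwise one down replica hides the lockout state on every other master.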
Re: [Freeipa-devel] [PATCH] 0019 Use reboot from /sbin
On Fri, Mar 02, 2012 at 02:08:38PM +0100, Petr Viktorin wrote:
On 03/02/2012 01:42 PM, Jakub Hrozek wrote:
On Fri, Mar 02, 2012 at 01:28:56PM +0100, Petr Viktorin wrote:
Commit message says it all. So does the ticket.
https://fedorahosted.org/freeipa/ticket/2480
-- 
Petr³

Does it matter? In the UsrMoved world, both are just symlinks to systemctl..

[root@vm-146 ~]# ll /sbin/reboot
lrwxrwxrwx. 1 root root 16 Feb 29 16:25 /sbin/reboot -> ../bin/systemctl
[root@vm-146 ~]# ll /usr/sbin/reboot
lrwxrwxrwx. 1 root root 16 Feb 29 16:25 /usr/sbin/reboot -> ../bin/systemctl
[root@vm-146 ~]# cat /etc/redhat-release
Fedora release 18 (Rawhide)

Things are different on Fedora 16:

vm-084:~# ls -l /sbin/reboot
lrwxrwxrwx. 1 root root 16 Mar 2 04:43 /sbin/reboot -> ../bin/systemctl
vm-084:~# ls -l /usr/bin/reboot
ls: cannot access /usr/bin/reboot: No such file or directory
vm-084:~# cat /etc/redhat-release
Fedora release 16 (Verne)
vm-084:~#
vm-084:~# yum whatprovides /usr/bin/reboot
Loaded plugins: product-id, subscription-manager
Updating certificate-based repositories.
usermode-1.108-1.fc16.x86_64 : Tools for certain user account management tasks
Repo: Fedora-16-x86_64-Everything
Matched from:
Filename: /usr/bin/reboot
usermode-1.108-1.fc16.x86_64 : Tools for certain user account management tasks
Repo: fedora
Matched from:
Filename: /usr/bin/reboot

I see. Ack

Also, I expect other distros will follow FHS rather than UsrMove.
Re: [Freeipa-devel] [PATCH] 956 user lockout status
On Fri, 2012-03-02 at 08:46 -0500, Rob Crittenden wrote: Martin Kosek wrote: On Thu, 2012-03-01 at 16:26 -0500, Rob Crittenden wrote: Martin Kosek wrote: On Wed, 2012-02-29 at 11:20 +0100, Petr Viktorin wrote: On 02/27/2012 06:31 PM, Martin Kosek wrote: 4) Minor change: -except Exception: +except: Don't do that. It would for example disable Ctrl+C by trapping KeyboardInterrupt. PEP8 has a paragraph on this, search for 'except Exception:' Good to know, thanks. Rob, in that case please ignore issue #4. Martin Updated patch attached. rob This does not look like the right patch. Martin Right, it was just the new changes. All squashed together now. rob The new changes are ok, dates and default values are fine. But it seems like you squashed it with a wrong patch, it's again raising an error when any master is not reachable (you can just interdiff 956-2 and 956-3 to see these malicious changes). Martin
Re: [Freeipa-devel] [PATCH] 918, 919 update sudo schema
Jan Cholasta wrote: On 1.3.2012 20:57, Rob Crittenden wrote: Rob Crittenden wrote: Jan Cholasta wrote: On 17.1.2012 04:55, Rob Crittenden wrote: Jan Cholasta wrote: On 13.1.2012 17:39, Rob Crittenden wrote: Jan Cholasta wrote: On 14.12.2011 16:21, Rob Crittenden wrote: Jan Cholasta wrote: On 14.12.2011 15:23, Rob Crittenden wrote: Jan Cholasta wrote: On 14.12.2011 05:20, Rob Crittenden wrote: The sudo schema now defines sudoOrder, sudoNotBefore and sudoNotAfter but these weren't available in the sudorule plugin. I've added support for these. sudoOrder enforces uniqueness because duplicates are undefined. I also added support for a GeneralizedTime parameter type. This is similar to the existing AccessTime parameter but it only handles a single time value. You should parse the date/time part of the value with time.strptime(timestr, '%Y%m%d%H%M%S') instead of doing it manually, that way you'll get most of the validation for free. Yes but it gives a crappy error message, just saying that some data is left over not what is wrong. IMHO having a separate error message for every field in the time string (like you do in the patch) is overkill, simple "invalid time" and/or "unknown time format" should suffice (we don't have errors like "invalid 3rd octet" for IP addresses either). Well, the work is done, hard to go back on a better error message. Also, it would be nice to be able to enter the value in more user-friendly format (e.g. 2011-12-14 13:01:25 +0100) and normalize that to LDAP generalized time. When dealing with time there are so many ways to input and display the same values this becomes difficult. I'd expect that the times for these two attributes will be relatively simple and I somehow doubt users are going to want seconds, leap seconds or fractions, but we'll need to consider how to do it for future consistency (otherwise we could have a case where time is entered in one format for some attributes and another for others).
If we input in a nice way we need to output in the same way. We could make the preferred input/output time format user-configurable, defaulting to current locale time format. This format would be used for output. For input, we could go over a list of formats (first the user-configured format, then current locale format, then a handful of standard formats like YYYY-MM-DD HH:MM:SS) and use the first format that can be successfully used to parse the time string. See how far you get into the rabbit hole with even this simple format? I don't mind, as long as it is the right thing to do (IMHO) :) Anyway, I think this could be done on the client side, so we might use your patch without changes. However, I would prefer if the parameter class was more generic, so we could use it (hypothetically) to store time in some other way than LDAP generalized time attribute (at least name it DateTime please). Ok, I'm fine with that. Thanks. The LDAP GeneralizedTime needs to be either in GMT or include a differential. This gets us into the territory where the client could be in a different timezone than the server which leads us to why we dropped AccessTime in the first place. Speaking of time zones, the differential alone is not a sufficient time zone description, as it doesn't account for DST. Is there a way to store time in LDAP with full time zone name (just in case it's needed sometime in future)? There is no way to store DST in LDAP (probably for good reason). Oddly enough the older LDAP v3 RFC (2252) strongly recommends using only GMT but the RFC that obsoletes it (4517) does not include this. Thanks for the info. So I'd like the user to supply the timezone themselves so I don't have to guess (wrongly) and let them worry about differing timezones. We don't have to guess, IIRC there is a way to get the local timezone differential in both Python and JavaScript, so the client could supply it automatically if necessary.
I was thinking more about non-IPA clients (like sudo and notBefore). I think this can still be done at least in CLI, but it could be done in a separate patch. Updated patches attached. rob Patch 919 doesn't cleanly apply on current master (neither does 916 BTW). Honza Rebased patch (and 916 too, separately). rob Patch 918: 1. LDAP generalized time allows you to omit minutes from time zone differential, your code treats such values as invalid 2. IMO a better pattern could be used, such as u'^([0-9]{2}){5,7}([.,][0-9]+)?([-+]([0-9]{2}){1,2}|Z)$' 3. 20120229000Z has malformed minutes, but the error message says Malformed seconds 4. 20120229000+ has malformed minutes, but the error message says Missing operator for differential or malformed time string 5. 20120229+ is valid generalized time, but it causes Missing operator for differential or malformed time string error 6. Invalid month/day combinations (such as 20120231Z) are treated as valid 7. When + or - is missing, the
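The review comments above (the {5,7} digit-pair pattern, a differential with the minutes omitted, 20120231Z slipping through, and misleading "malformed seconds" errors) boil down to: do a shape check with one regex, then validate the fields with strptime and explicit range checks. The following is an added example written for this page, not code from patch 918 or from FreeIPA; it assumes Python 3 and RFC 4517 GeneralizedTime semantics (hour is mandatory, the fraction applies to the least significant unit present, the differential is +hh or +hhmm). Leap seconds ("60") are rejected because datetime cannot hold them; that is a simplification of this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Shape check only, derived from the pattern proposed in the review. Field
# ranges are checked separately so the error can name the field that is wrong.
_GT_RE = re.compile(
    r'^(?P<date>[0-9]{8})(?P<hour>[0-9]{2})'
    r'(?P<minute>[0-9]{2})?(?P<second>[0-9]{2})?'
    r'(?P<fraction>[.,][0-9]+)?'
    r'(?P<zone>Z|[-+][0-9]{2}(?:[0-9]{2})?)$'
)


def parse_generalized_time(value):
    """Parse an RFC 4517 GeneralizedTime string into an aware UTC datetime.

    Raises ValueError with a short reason on any malformed input.
    """
    m = _GT_RE.match(value)
    if m is None:
        raise ValueError('unknown time format: %r' % (value,))

    # strptime rejects impossible month/day combinations such as 20120231
    # and accepts 20120229 (2012 is a leap year).
    try:
        dt = datetime.strptime(m.group('date') + m.group('hour'), '%Y%m%d%H')
    except ValueError:
        raise ValueError('invalid date or hour: %r' % (value,))

    unit = 3600  # seconds per least significant unit given, for the fraction
    if m.group('minute') is not None:
        minute = int(m.group('minute'))
        if minute > 59:
            raise ValueError('invalid minute: %r' % (value,))
        dt += timedelta(minutes=minute)
        unit = 60
    if m.group('second') is not None:
        second = int(m.group('second'))
        if second > 59:
            # RFC 4517 allows "60" for a leap second; datetime cannot represent it.
            raise ValueError('invalid or unsupported second: %r' % (value,))
        dt += timedelta(seconds=second)
        unit = 1
    if m.group('fraction') is not None:
        # The fraction applies to the least significant unit present.
        frac = float('0.' + m.group('fraction')[1:])
        dt += timedelta(seconds=frac * unit)

    zone = m.group('zone')
    if zone == 'Z':
        offset = timedelta(0)
    else:
        sign = -1 if zone[0] == '-' else 1
        hours, minutes = int(zone[1:3]), int(zone[3:5] or 0)
        if hours > 23 or minutes > 59:
            raise ValueError('invalid time zone differential: %r' % (value,))
        offset = sign * timedelta(hours=hours, minutes=minutes)
    return dt.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)


def to_generalized_time(dt):
    """Normalize an aware datetime to the canonical UTC form (seconds precision)."""
    return dt.astimezone(timezone.utc).strftime('%Y%m%d%H%M%SZ')


def is_valid_generalized_time(value):
    try:
        parse_generalized_time(value)
    except ValueError:
        return False
    return True
```

Storing the normalized UTC form is what sidesteps the client-versus-server timezone question raised in the thread: the differential the user typed is honoured on input and then discarded.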
Re: [Freeipa-devel] [PATCH] 216 Remove memberPrincipal for deleted replicas
On Fri, 2012-03-02 at 12:34 +0100, Martin Kosek wrote: +principals.remove(member_principal) +mod = [(ldap.MOD_REPLACE, 'memberPrincipal', principals)] Any special reason why you use a search and then a replace instead of a delete by value ? A delete by value seem a lot less error prone to me, and should give you the same results. Simo. -- Simo Sorce * Red Hat, Inc * New York
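Why delete-by-value is "a lot less error prone" than search-then-MOD_REPLACE: the replace is a read-modify-write that silently discards whatever another writer added between the read and the write, whereas MOD_DELETE of one value is a single server-side operation. The following is an added example for this page, not FreeIPA code: a toy in-memory entry store that applies python-ldap style modlists (MOD_ADD/MOD_DELETE/MOD_REPLACE with python-ldap's numbering), a constructed s4u2proxy-like entry, and the two removal strategies from the patch run against a concurrent add.

```python
# Operation codes use python-ldap's numbering (ldap.MOD_ADD/MOD_DELETE/MOD_REPLACE)
# so the modlists read like the ones in the patch; the store itself is a toy
# stand-in for a directory server, written for this example only.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2


class NoSuchAttribute(Exception):
    """Stand-in for ldap.NO_SUCH_ATTRIBUTE: deleting a value that is not there."""


class EntryStore:
    def __init__(self):
        self.entries = {}  # dn -> {attribute: [values]}

    def search(self, dn, attr):
        return list(self.entries.get(dn, {}).get(attr, []))

    def modify(self, dn, modlist):
        """Apply a modlist all-or-nothing, like a single LDAP modify request."""
        entry = {a: list(v) for a, v in self.entries.get(dn, {}).items()}
        for op, attr, value in modlist:
            values = list(value) if isinstance(value, list) else [value]
            current = entry.setdefault(attr, [])
            if op == MOD_ADD:
                for v in values:
                    if v not in current:
                        current.append(v)
            elif op == MOD_DELETE:
                for v in values:
                    if v not in current:
                        raise NoSuchAttribute(attr, v)
                    current.remove(v)
            elif op == MOD_REPLACE:
                entry[attr] = values
            else:
                raise ValueError('unknown modify op %r' % (op,))
        self.entries[dn] = entry


def remove_by_replace(store, dn, attr, value, interleave=None):
    """First version of the patch: search, drop the value locally, MOD_REPLACE."""
    values = store.search(dn, attr)
    values.remove(value)
    if interleave:
        interleave()  # another client writes between our read and our replace
    store.modify(dn, [(MOD_REPLACE, attr, values)])


def remove_by_delete(store, dn, attr, value, interleave=None):
    """Reviewed version: one MOD_DELETE of exactly this value."""
    if interleave:
        interleave()
    store.modify(dn, [(MOD_DELETE, attr, value)])


# Constructed entry; the real one lives under cn=s4u2proxy,cn=etc,SUFFIX.
TARGET_DN = 'cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com'
A, B, C = ('HTTP/%s.example.com@EXAMPLE.COM' % h for h in 'abc')


def demo(remover):
    """Remove replica b while replica c is being added concurrently."""
    store = EntryStore()
    store.modify(TARGET_DN, [(MOD_ADD, 'memberPrincipal', [A, B])])

    def other_client():
        store.modify(TARGET_DN, [(MOD_ADD, 'memberPrincipal', C)])

    remover(store, TARGET_DN, 'memberPrincipal', B, interleave=other_client)
    return sorted(store.search(TARGET_DN, 'memberPrincipal'))


def delete_missing_value_raises():
    """Deleting an absent value is an error, which is why a caller catches it."""
    store = EntryStore()
    store.modify(TARGET_DN, [(MOD_ADD, 'memberPrincipal', A)])
    try:
        store.modify(TARGET_DN, [(MOD_DELETE, 'memberPrincipal', B)])
    except NoSuchAttribute:
        return True
    return False
```

The replace path ends with only replica a in the list (c is lost); the delete path ends with a and c. The second function shows the one failure mode delete-by-value does introduce, a missing value, which is cheap to handle by catching the error, since a replica that was never added to the delegation list is not a problem during cleanup.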
Re: [Freeipa-devel] [PATCH] 956 user lockout status
Martin Kosek wrote: On Fri, 2012-03-02 at 08:46 -0500, Rob Crittenden wrote: Martin Kosek wrote: On Thu, 2012-03-01 at 16:26 -0500, Rob Crittenden wrote: Martin Kosek wrote: On Wed, 2012-02-29 at 11:20 +0100, Petr Viktorin wrote: On 02/27/2012 06:31 PM, Martin Kosek wrote: 4) Minor change: -except Exception: +except: Don't do that. It would for example disable Ctrl+C by trapping KeyboardInterrupt. PEP8 has a paragraph on this, search for 'except Exception:' Good to know, thanks. Rob, in that case please ignore issue #4. Martin Updated patch attached. rob This does not look like the right patch. Martin Right, it was just the new changes. All squashed together now. rob The new changes are ok, dates and default values are fine. But it seems like you squashed it with a wrong patch, it's again raising an error when any master is not reachable (you can just interdiff 956-2 and 956-3 to see these malicious changes). Martin Added back and added another try/except block around connect to catch those as well. rob From f7daef251c1a506288318a6ec8e7e879dfce498f Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Tue, 14 Feb 2012 09:41:25 -0500 Subject: [PATCH] Add status command to retrieve user lockout status This information is not replicated so pull from all IPA masters and display the status across all servers. https://fedorahosted.org/freeipa/ticket/2162 --- API.txt| 10 ipalib/plugins/user.py | 113 +++- 2 files changed, 122 insertions(+), 1 deletions(-) diff --git a/API.txt b/API.txt index 35dedee..9ba3ce4 100644 --- a/API.txt +++ b/API.txt
@@ -3221,6 +3221,16 @@ option: Str('version?', exclude='webui') output: Output('summary', (type 'unicode', type 'NoneType'), None) output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', type 'unicode', None) +command: user_status +args: 1,3,4 +arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', pattern_errmsg='may only include letters, numbers, _, -, . and $', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Output('summary', (type 'unicode', type 'NoneType'), None) +output: ListOfEntries('result', (type 'list', type 'tuple'), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) +output: Output('count', type 'int', None) +output: Output('truncated', type 'bool', None) command: user_unlock args: 1,0,3 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', pattern_errmsg='may only include letters, numbers, _, -, . and $', primary_key=True, query=True, required=True) diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 591132d..64424e8 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -18,7 +18,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see http://www.gnu.org/licenses/. -from time import gmtime, strftime +from time import gmtime, strftime, strptime import copy import string 
@@ -27,9 +27,13 @@ from ipalib import Flag, Int, Password, Str, Bool, Bytes from ipalib.plugins.baseldap import * from ipalib.request import context from ipalib import _, ngettext +from ipalib import output from ipapython.ipautil import ipa_generate_password import posixpath from ipalib.util import validate_sshpubkey, output_sshpubkey +if api.env.in_server and api.env.context in ['lite', 'server']: +from ipaserver.plugins.ldap2 import ldap2 +import os __doc__ = _( Users @@ -79,6 +83,21 @@ user_output_params = ( ), ) +status_output_params = ( +Str('server', +label=_('Server'), +), +Str('krbloginfailedcount', +label=_('Failed logins'), +), +Str('krblastsuccessfulauth', +label=_('Last successful authentication'), +), +Str('krblastfailedauth', +label=_('Last failed authentication'), +), + ) + # characters to be used for generating random user passwords user_pwdchars = string.digits + string.ascii_letters + '_,.@+-=' @@ -681,3 +700,95 @@ class user_unlock(LDAPQuery): ) api.register(user_unlock) + +class user_status(LDAPQuery): +__doc__ = _( +Lockout status of a user account + +An account may become locked if the password is entered incorrectly too +many times within a specific time period as controlled by password +policy. A locked account is a temporary condition and may be unlocked by +an administrator. + +This
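Review bot: the commit message says the status is pulled from all IPA masters but not what the command reports when a master cannot be reached, which is the exact behaviour the review went back and forth on across 956-2/956-3/956-4; state it there (for instance that the master is still listed, with an error, instead of failing the whole command), since it is the property a QE test has to check. In the `@@ -18,7 +18,7 @@` hunk `strptime` is added to the `time` import; if it is used to render `krblastsuccessfulauth` / `krblastfailedauth` for display, wrap that call in a `ValueError` handler and fall back to the raw value, so an absent or odd timestamp on one master cannot break the listing. The `import os` placement under the `api.env.in_server` conditional in the `@@ -27,9 +27,13 @@` hunk is unchanged from 956-3; see the earlier comment.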
Re: [Freeipa-devel] [PATCH] 216 Remove memberPrincipal for deleted replicas
On Fri, 2012-03-02 at 09:39 -0500, Simo Sorce wrote: On Fri, 2012-03-02 at 12:34 +0100, Martin Kosek wrote: +principals.remove(member_principal) +mod = [(ldap.MOD_REPLACE, 'memberPrincipal', principals)] Any special reason why you use a search and then a replace instead of a delete by value ? A delete by value seem a lot less error prone to me, and should give you the same resuls. Simo. Hm, thanks, that's a good point and much better approach. Updated patch is attached. Martin From 1427ad4c03f883ddb99711e477671a7a4e4f7a95 Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Fri, 2 Mar 2012 12:10:27 +0100 Subject: [PATCH] Remove memberPrincipal for deleted replicas When a replica is deleted, its memberPrincipal entries in cn=s4u2proxy,cn=etc,SUFFIX were not removed. Then, if the replica is reinstalled and connected again, the installer would report an error with duplicate value in LDAP. This patch extends replica cleanup procedure to remove replica principal from s4u2proxy configuration. https://fedorahosted.org/freeipa/ticket/2451 --- ipalib/constants.py |1 + ipaserver/install/replication.py | 24 ++-- 2 files changed, 23 insertions(+), 2 deletions(-) diff --git a/ipalib/constants.py b/ipalib/constants.py index 3c63739faf67b3131e94d929e3c95e5af1d64e8b..dc32533ee9f4be7785b35ace1cd412c2fbaf11d0 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -100,6 +100,7 @@ DEFAULT_CONFIG = ( ('container_entitlements', 'cn=entitlements,cn=etc'), ('container_automember', 'cn=automember,cn=etc'), ('container_selinux', 'cn=usermap,cn=selinux'), +('container_s4u2proxy', 'cn=s4u2proxy,cn=etc'), # Ports, hosts, and URIs: # FIXME: let's renamed xmlrpc_uri to rpc_xml_uri diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index 9247b58fc22a8492a8d27d0d596bdb8c8d14bb3c..7e89eeb47f50b1138e6cca078c05eab4468989e4 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py 
@@ -27,8 +27,7 @@ from ipaserver import ipaldap from ipapython import services as ipaservices import installutils from ldap import modlist -from ipalib import util -from ipalib import errors +from ipalib import api, util, errors from ipapython import ipautil from ipalib.dn import DN @@ -941,6 +940,27 @@ class ReplicationManager(object): else: err = e +# remove replica memberPrincipal from s4u2proxy configuration +dn1 = DN(u'cn=ipa-http-delegation', api.env.container_s4u2proxy, self.suffix) +member_principal1 = HTTP/%(fqdn)s@%(realm)s % dict(fqdn=replica, realm=realm) + +dn2 = DN(u'cn=ipa-ldap-delegation-targets', api.env.container_s4u2proxy, self.suffix) +member_principal2 = ldap/%(fqdn)s@%(realm)s % dict(fqdn=replica, realm=realm) + +for (dn, member_principal) in ((str(dn1), member_principal1), + (str(dn2), member_principal2)): +try: +mod = [(ldap.MOD_DELETE, 'memberPrincipal', member_principal)] +self.conn.modify_s(dn, mod) +except (ldap.NO_SUCH_OBJECT, ldap.NO_SUCH_ATTRIBUTE): +root_logger.debug(Replica (%s) memberPrincipal (%s) not found in %s % \ +(replica, member_principal, dn)) +except Exception, e: +if not force: +raise e +elif not err: +err = e + # delete master entry with all active services try: dn = 'cn=%s,cn=masters,cn=ipa,cn=etc,%s' % (replica, self.suffix) -- 1.7.7.6 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
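Review bot: in the `@@ -941,6 +940,27 @@` hunk, `raise e` inside `except Exception, e:` re-raises from the current frame and loses the original traceback; use a bare `raise` there. Also confirm that `realm` is in scope in this method, since both `member_principal1` and `member_principal2` are built from it but nothing in the hunk defines it. Catching `(ldap.NO_SUCH_OBJECT, ldap.NO_SUCH_ATTRIBUTE)` is what makes the delete-by-value safe to repeat: the directory returns NO_SUCH_ATTRIBUTE when the value to delete is absent, which is the expected case for a replica that never made it into the delegation lists, so a debug message is the right level. One small thing: `str(dn1)` / `str(dn2)` are computed only to pass to `modify_s`, so the `DN` objects could be converted at the call site instead of in the tuple, but that is cosmetic.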
Re: [Freeipa-devel] [PATCH] 216 Remove memberPrincipal for deleted replicas
On Fri, 2012-03-02 at 16:22 +0100, Martin Kosek wrote: On Fri, 2012-03-02 at 09:39 -0500, Simo Sorce wrote: On Fri, 2012-03-02 at 12:34 +0100, Martin Kosek wrote: +principals.remove(member_principal) +mod = [(ldap.MOD_REPLACE, 'memberPrincipal', principals)] Any special reason why you use a search and then a replace instead of a delete by value ? A delete by value seem a lot less error prone to me, and should give you the same results. Simo. Hm, thanks, that's a good point and much better approach. Updated patch is attached. Ack. Simo. -- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 956 user lockout status
On Fri, 2012-03-02 at 09:48 -0500, Rob Crittenden wrote: Martin Kosek wrote: On Fri, 2012-03-02 at 08:46 -0500, Rob Crittenden wrote: Martin Kosek wrote: On Thu, 2012-03-01 at 16:26 -0500, Rob Crittenden wrote: Martin Kosek wrote: On Wed, 2012-02-29 at 11:20 +0100, Petr Viktorin wrote: On 02/27/2012 06:31 PM, Martin Kosek wrote: 4) Minor change: -except Exception: +except: Don't do that. It would for example disable Ctrl+C by trapping KeyboardInterrupt. PEP8 has a paragraph on this, search for 'except Exception:' Good to know, thanks. Rob, in that case please ignore issue #4. Martin Updated patch attached. rob This does not look like the right patch. Martin Right, it was just the new changes. All squashed together now. rob The new changes are ok, dates and default values are fine. But it seems like you squashed it with a wrong patch, it's again raising an error when any master is not reachable (you can just interdiff 956-2 and 956-3 to see these malicious changes). Martin Added back and added another try/except block around connect to catch those as well. rob ACK. Pushed to master, ipa-2-2. Martin
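The property this thread kept coming back to is that the lockout attributes are per-master (not replicated), so the command has to visit every master and must keep going when one of them is down, catching `Exception` rather than using a bare `except:`. The following is an added example for this page, not the user-status plugin itself: the connection and the entry lookup are injected callables so the function runs against a constructed fake directory here and could be pointed at a real LDAP connection elsewhere. The default values (0 failures, N/A timestamps) and the `%Y%m%d%H%M%SZ` timestamp format are assumptions of this example.

```python
import time

STATUS_ATTRS = ('krbloginfailedcount', 'krblastsuccessfulauth', 'krblastfailedauth')


def format_kdc_time(value):
    """Render a KDC timestamp (assumed UTC GeneralizedTime, e.g. 20120302143000Z).

    Anything that does not parse is returned unchanged rather than raising,
    so one odd value cannot break the whole listing.
    """
    try:
        return time.strftime('%Y-%m-%d %H:%M:%S UTC',
                             time.strptime(value, '%Y%m%d%H%M%SZ'))
    except ValueError:
        return value


def collect_lockout_status(servers, connect, lookup, dn):
    """Return one row per master and never raise because a master is down.

    connect(server) returns a connection or raises; lookup(conn, dn, attrs)
    returns {attribute: [string values]} for the user entry on that master.
    """
    rows = []
    for server in servers:
        row = {
            'server': server,
            'krbloginfailedcount': 0,       # attribute is absent until a failure happens
            'krblastsuccessfulauth': 'N/A',
            'krblastfailedauth': 'N/A',
        }
        try:
            conn = connect(server)
            entry = lookup(conn, dn, STATUS_ATTRS)
        except Exception as exc:  # not a bare except: KeyboardInterrupt must still work
            row['error'] = str(exc)
            rows.append(row)
            continue
        if entry.get('krbloginfailedcount'):
            row['krbloginfailedcount'] = int(entry['krbloginfailedcount'][0])
        for attr in ('krblastsuccessfulauth', 'krblastfailedauth'):
            if entry.get(attr):
                row[attr] = format_kdc_time(entry[attr][0])
        rows.append(row)
    return rows


def unreachable_masters(rows):
    return [row['server'] for row in rows if 'error' in row]


def total_failed_logins(rows):
    """Counters are per master, so this sum is only an upper bound on attempts;
    a lockout decision has to be made against each master's own counter."""
    return sum(row['krbloginfailedcount'] for row in rows)


# Constructed data standing in for three masters, one of which is down.
_FAKE_DIRECTORY = {
    'ipa1.example.com': {'krbloginfailedcount': ['3'],
                         'krblastfailedauth': ['20120302143000Z']},
    'ipa3.example.com': {'krblastsuccessfulauth': ['20120301090000Z']},
}


def fake_connect(server):
    if server not in _FAKE_DIRECTORY:
        raise ConnectionError('%s: connection refused' % server)
    return server


def fake_lookup(conn, dn, attrs):
    return _FAKE_DIRECTORY[conn]


def demo():
    return collect_lockout_status(
        ['ipa1.example.com', 'ipa2.example.com', 'ipa3.example.com'],
        fake_connect, fake_lookup,
        'uid=alice,cn=users,cn=accounts,dc=example,dc=com')
```

Running `demo()` yields three rows: ipa1 with three failures, ipa2 marked with a connection error, ipa3 with a last successful login. The point of keeping the unreachable master in the output rather than dropping it is that an administrator investigating a lockout needs to know which counters they have not seen.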
Re: [Freeipa-devel] [PATCH] 216 Remove memberPrincipal for deleted replicas
On Fri, 2012-03-02 at 10:30 -0500, Simo Sorce wrote: On Fri, 2012-03-02 at 16:22 +0100, Martin Kosek wrote: On Fri, 2012-03-02 at 09:39 -0500, Simo Sorce wrote: On Fri, 2012-03-02 at 12:34 +0100, Martin Kosek wrote: +principals.remove(member_principal) +mod = [(ldap.MOD_REPLACE, 'memberPrincipal', principals)] Any special reason why you use a search and then a replace instead of a delete by value ? A delete by value seem a lot less error prone to me, and should give you the same results. Simo. Hm, thanks, that's a good point and much better approach. Updated patch is attached. Ack. Simo. Pushed to master, ipa-2-2. Martin
Re: [Freeipa-devel] [PATCH] 0019 Use reboot from /sbin
On Fri, 2012-03-02 at 14:59 +0100, Jakub Hrozek wrote: On Fri, Mar 02, 2012 at 02:08:38PM +0100, Petr Viktorin wrote: On 03/02/2012 01:42 PM, Jakub Hrozek wrote: On Fri, Mar 02, 2012 at 01:28:56PM +0100, Petr Viktorin wrote: Commit message says it all. So does the ticket. https://fedorahosted.org/freeipa/ticket/2480 -- Petr³ Does it matter? In the UsrMoved world, both are just symlinks to systemctl.. [root@vm-146 ~]# ll /sbin/reboot lrwxrwxrwx. 1 root root 16 Feb 29 16:25 /sbin/reboot -> ../bin/systemctl [root@vm-146 ~]# ll /usr/sbin/reboot lrwxrwxrwx. 1 root root 16 Feb 29 16:25 /usr/sbin/reboot -> ../bin/systemctl [root@vm-146 ~]# cat /etc/redhat-release Fedora release 18 (Rawhide) Things are different on Fedora 16: vm-084:~# ls -l /sbin/reboot lrwxrwxrwx. 1 root root 16 Mar 2 04:43 /sbin/reboot -> ../bin/systemctl vm-084:~# ls -l /usr/bin/reboot ls: cannot access /usr/bin/reboot: No such file or directory vm-084:~# cat /etc/redhat-release Fedora release 16 (Verne) vm-084:~# vm-084:~# yum whatprovides /usr/bin/reboot Loaded plugins: product-id, subscription-manager Updating certificate-based repositories. usermode-1.108-1.fc16.x86_64 : Tools for certain user account management tasks Repo: Fedora-16-x86_64-Everything Matched from: Filename: /usr/bin/reboot usermode-1.108-1.fc16.x86_64 : Tools for certain user account management tasks Repo: fedora Matched from: Filename: /usr/bin/reboot I see. Ack Also, I expect other distros will follow FHS rather than UsrMove. Pushed to master, ipa-2-2. Martin
Re: [Freeipa-devel] [PATCH] 69 Configure SSH features of SSSD in ipa-client-install
Jan Cholasta wrote: On 2.3.2012 04:56, Rob Crittenden wrote: Jan Cholasta wrote: On 29.2.2012 15:00, Martin Kosek wrote: On Wed, 2012-02-29 at 14:44 +0100, Jan Cholasta wrote: On 29.2.2012 14:24, Martin Kosek wrote: On Wed, 2012-02-29 at 10:52 +0100, Jan Cholasta wrote: On 28.2.2012 23:42, Rob Crittenden wrote: Jan Cholasta wrote: Hi, this patch configures the new SSH features of SSSD in ipa-client-install. To test it, you need to have SSSD 1.8.0 installed. Honza Is there a better name for 'GlobalKnownHostsFile2'? What do you mean? The option name or the file name? Either way, I don't think there is a better name. When is PubKeyAgent used? I tried in RHEL 6.2, F-11 and F15-17 and it was an unknown option in all. It's in openssh in RHEL 6.0. Should you test for the existence of /usr/bin/sss_ssh_knownhostsproxy and /usr/bin/sss_ssh_authorizedkeys before setting it in a config file? It depends. Do we want to support clients with SSSD 1.8.0? How would you recommend testing this? Enroll a client and try to log into the IPA server? To test host authentication, you need an IPA host with SSH public keys set (which is done automatically in ipa-client-install, so any IPA host should work) and try to ssh into that host from other (actually, it can be the same) IPA host. You should not see the "The authenticity of host ... can't be established" ssh message. To test user authentication, you need an IPA user with SSH public keys set. To do that, you need to set the public keys using ipa user-mod. You should then be able to authenticate using your private key on any IPA host. rob Honza I get this exception when running ipa-client-install with your patch. # ipa-client-install --enable-dns-updates Discovery was successful! Hostname: vm-138.idm.lab.bos.redhat.com Realm: IDM.LAB.BOS.REDHAT.COM DNS Domain: idm.lab.bos.redhat.com IPA Server: vm-068.idm.lab.bos.redhat.com BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com Continue to configure the system with these values?
[no]: y User authorized to enroll computers: admin Synchronizing time with KDC... Unable to sync time with IPA NTP server, assuming the time is in sync. Password for ad...@idm.lab.bos.redhat.com: Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM Created /etc/ipa/default.conf Traceback (most recent call last): File /usr/sbin/ipa-client-install, line 1514, in <module> sys.exit(main()) File /usr/sbin/ipa-client-install, line 1501, in main rval = install(options, env, fstore, statestore) File /usr/sbin/ipa-client-install, line 1326, in install if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options): File /usr/sbin/ipa-client-install, line 711, in configure_sssd_conf sssdconfig.activate_service('ssh') File /usr/lib/python2.7/site-packages/SSSDConfig.py, line 1516, in activate_service raise NoServiceError SSSDConfig.NoServiceError SSSD version: sssd-1.8.1-0.20120228T2018Zgit751b121.fc16.x86_64 Martin Does your /etc/sssd/sssd.conf and /usr/share/sssd/sssd.api.conf contain [ssh] section? sssd.api.conf did contain the ssh section: # grep -C 3 ssh /usr/share/sssd/sssd.api.conf # autofs service autofs_negative_timeout = int, None, false [ssh] # ssh service [provider] #Available provider types sssd.conf did not. In either case, we should not crash but handle the issue in some more friendly way. Martin Patch updated with more defensive code. Honza Needs a BuildRequires of sssd 1.8 or you get some pylint errors: ipa-client/ipa-install/ipa-client-install:712: [E1101, configure_sssd_conf] Instance of 'SSSDConfig' has no 'activate_service' member ipa-client/ipa-install/ipa-client-install:723: [E1101, configure_sssd_conf] Instance of 'SSSDConfig' has no 'activate_service' member ipa-client/ipa-install/ipa-client-install:734: [E1101, configure_sssd_conf] Instance of 'SSSDConfig' has no 'activate_service' member Added. Host keys work fine. I wasn't able to get user ssh keys working but my server is still on F-15.
I had a daily build of sssd (1.8.1) but it was missing /usr/libexec/sssd/sssd_ssh!? Too tired to work out why right now. F15 is not the problem, the SSSD package in ipa-devel is built without experimental features for some reason (in the patch I assumed that it always is, fixed that). Two more things: 1. You will need explicit test cases for QE to test positive and negative login cases (it would have sped me along too). Should that be part of the patch? Needs to be somewhere, attached here would have been fine. 2. You need to beef up the commit message to describe what this does (e.g. configure for knownhost support). commit message space is cheap, be verbose. Done. rob Updated patch attached. Honza ACK, pushed to master and ipa-2-2
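The crash in this thread is `activate_service('ssh')` raising `NoServiceError` because the client's sssd.conf had no `[ssh]` section, and Rob's other question was whether the installer should check that the SSSD helper binaries exist before pointing OpenSSH at them. The following is an added example for this page, not the ipa-client-install code and not the SSSDConfig API: it uses Python's configparser as a stand-in to show the defensive behaviour (create the section instead of failing, keep the `services` list idempotent) on a constructed sssd.conf, and gates the OpenSSH options on the helper paths named in the thread. The known_hosts path and the exact OpenSSH option spellings in `ssh_options` are assumptions of this example.

```python
import configparser
import io

# Constructed sssd.conf, as a freshly enrolled client might have it: no [ssh].
SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ipa
ipa_server = ipa.example.com
"""


def _load(conf_text):
    # sssd.conf is INI-like; interpolation is off so a literal '%' in a value
    # (e.g. in a command line) is not mangled.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(conf_text)
    return cp


def _services(cp):
    raw = cp.get('sssd', 'services', fallback='')
    return [s.strip() for s in raw.split(',') if s.strip()]


def active_services(conf_text):
    return _services(_load(conf_text))


def enable_ssh_service(conf_text):
    """Return conf text with the ssh responder enabled.

    Unlike a plain activate_service('ssh'), a missing [ssh] section is
    created rather than treated as an error, and calling this twice is a no-op.
    """
    cp = _load(conf_text)
    if not cp.has_section('sssd'):
        raise ValueError('sssd.conf has no [sssd] section')
    services = _services(cp)
    if 'ssh' not in services:
        services.append('ssh')
    cp.set('sssd', 'services', ', '.join(services))
    if not cp.has_section('ssh'):
        cp.add_section('ssh')
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


# Helper binaries shipped by SSSD 1.8 that the OpenSSH configuration points at.
KNOWNHOSTSPROXY = '/usr/bin/sss_ssh_knownhostsproxy'
AUTHORIZEDKEYS = '/usr/bin/sss_ssh_authorizedkeys'


def ssh_options(exists):
    """OpenSSH client/server options to add, only for helpers that are installed.

    `exists` is os.path.exists in real use, or a test double. The known_hosts
    path and option names below are assumptions for this example.
    """
    client, server = {}, {}
    if exists(KNOWNHOSTSPROXY):
        client['GlobalKnownHostsFile2'] = '/var/lib/sss/pubconf/known_hosts'
        client['ProxyCommand'] = KNOWNHOSTSPROXY + ' -p %p %h'
    if exists(AUTHORIZEDKEYS):
        # Spelled PubKeyAgent on the patched RHEL 6 OpenSSH mentioned above.
        server['AuthorizedKeysCommand'] = AUTHORIZEDKEYS
    return client, server
```

Gating on the binaries matters for the negative test case Rob asked for: a client with an older SSSD must not end up with a ProxyCommand pointing at a missing program, which would make every ssh connection fail rather than merely skip the known-hosts lookup.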
Re: [Freeipa-devel] [PATCH] 099 Removed CSV creation from UI
On 2/29/2012 12:08 PM, Petr Vobornik wrote: Creating CSV values in UI is unnecessary and error-prone because server converts them back to list. Possible problems with values containing commas may occur. All occurrences of CSV joining were therefore removed. https://fedorahosted.org/freeipa/ticket/2227 ACK. Pushed to master and ipa-2-2. Finally it's gone.. :) -- Endi S. Dewata
Re: [Freeipa-devel] [PATCH] 0015 Only split CSV strings once (updated)
On 02/29/2012 07:13 PM, Petr Vobornik wrote: On 02/27/2012 02:01 PM, Petr Viktorin wrote: It seems I didn't communicate the problem and my solution clearly enough, so let me try again. (Also, I learned from the discussions!) Currently, both the client and the server parse CSV options. The client does *not* re-encode the CSV before sending; the parsing is really done twice. This means e.g. that you need 3 backslashes to escape a literal comma: after the client-side split, '\\\,' becomes '\,'; which after the server-side split becomes ','. Since CSV is specific to the command-line, and the client is responsible for translating command-line input to XML-RPC (which has its own syntax for lists), the ideal fix will be to move CSV processing entirely to the client. This will be a rather invasive change, mainly because some parts of the UI now expect the server-side parsing (but they don't escape CSV, so values containing commas or backslashes are broken). So it won't make it to the upcoming release. My patch provides a quick fix: when a call comes from the command-line client, disable the server-side parsing. I investigated all occurrences of CSV creation in Web UI. I removed them and UI is working fine. The patch is on the list: pvoborni 099. So your patch shouldn't affect UI if my patch is applied. I can't get away from moving split_csv() (which is not idempotent) out of normalize() (which is, and gets called lots of times); this is the patch's major change in terms of LOC. I'll note again that this only affects values with backslashes or double quotes. Exactly these options are currently broken (=need double escaping). The normal uses of CSV are completely unaffected. Attaching updated patch; the change vs. the original is that the "don't parse again" flag is now only set at the server, when an XMLRPC call is received, making the client fully forward-compatible (the flag doesn't get sent through the wire).
The ticket is https://fedorahosted.org/freeipa/ticket/2227, but this patch is only the first step in fixing it. The webUI patch is in, and also I heard this patch is not making it to the release anyway, so the workaround makes little sense. I'd like to go for the real fix. Meanwhile I found some other bugs (https://fedorahosted.org/freeipa/ticket/2482, https://fedorahosted.org/freeipa/ticket/2483) that prevent me from testing this thoroughly. Self-NACK for now. -- Petr³
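The double-parse problem described above is easiest to see with the splitter in hand: escapes and quotes are consumed by the split, so running it on its own output is not the identity, and a literal comma needs three backslashes to survive a client split followed by a server split. The following is an added example for this page, not FreeIPA's split_csv(); it assumes the escaping rules the message describes (backslash escapes the next character, double quotes protect a field) and nothing else.

```python
def split_csv(value):
    """Split a command-line CSV option into a list.

    A backslash escapes the next character and double quotes protect a field.
    Both are consumed, which is what makes the function non-idempotent: run
    it on its own output and the escapes are gone.
    """
    fields, current, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == '\\':
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == ',' and not quoted:
            fields.append(''.join(current))
            current = []
        else:
            current.append(ch)
    if escaped or quoted:
        raise ValueError('unterminated escape or quote in %r' % (value,))
    fields.append(''.join(current))
    return fields


def parse_once(value):
    """What the client should do: split once and send a list over XML-RPC."""
    return split_csv(value)


def parse_twice(value):
    """What happens today: the client splits, then the server splits each field again."""
    result = []
    for field in split_csv(value):
        result.extend(split_csv(field))
    return result


def escape_for(value, passes):
    """Escape a literal value so it survives `passes` rounds of split_csv.

    Each pass strips one layer of backslashes, so a literal comma needs
    2*passes - 1 backslashes in front of it: one for a single parse, three
    for the double parse the thread complains about.
    """
    for _ in range(passes):
        value = value.replace('\\', '\\\\').replace(',', '\\,').replace('"', '\\"')
    return value
```

Plain values such as `a,b,c` come out the same either way, which is why the bug only bites options containing backslashes or double quotes, exactly as the message says.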
Re: [Freeipa-devel] [PATCH] 918, 919 update sudo schema
On Fri, 2012-03-02 at 11:40 -0500, Rob Crittenden wrote:
Re: [Freeipa-devel] [PATCH] 918, 919 update sudo schema
Martin Kosek wrote: On Fri, 2012-03-02 at 11:40 -0500, Rob Crittenden wrote: Jan Cholasta wrote: On 1.3.2012 20:57, Rob Crittenden wrote: Rob Crittenden wrote: Jan Cholasta wrote: On 17.1.2012 04:55, Rob Crittenden wrote: Jan Cholasta wrote: On 13.1.2012 17:39, Rob Crittenden wrote: Jan Cholasta wrote: On 14.12.2011 16:21, Rob Crittenden wrote: Jan Cholasta wrote: On 14.12.2011 15:23, Rob Crittenden wrote: Jan Cholasta wrote: On 14.12.2011 05:20, Rob Crittenden wrote:

Rob Crittenden: The sudo schema now defines sudoOrder, sudoNotBefore and sudoNotAfter but these weren't available in the sudorule plugin. I've added support for these. sudoOrder enforces uniqueness because duplicates are undefined. I also added support for a GeneralizedTime parameter type. This is similar to the existing AccessTime parameter but it only handles a single time value.

Jan Cholasta: You should parse the date/time part of the value with time.strptime(timestr, '%Y%m%d%H%M%S') instead of doing it manually; that way you'll get most of the validation for free.

Rob Crittenden: Yes, but it gives a crappy error message, just saying that some data is left over, not what is wrong.

Jan Cholasta: IMHO having a separate error message for every field in the time string (like you do in the patch) is overkill; a simple "invalid time" and/or "unknown time format" should suffice (we don't have errors like "invalid 3rd octet" for IP addresses either).

Rob Crittenden: Well, the work is done, hard to go back on a better error message.

Jan Cholasta: Also, it would be nice to be able to enter the value in a more user-friendly format (e.g. 2011-12-14 13:01:25 +0100) and normalize that to LDAP generalized time.

Rob Crittenden: When dealing with time there are so many ways to input and display the same values that this becomes difficult. I'd expect that the times for these two attributes will be relatively simple and I somehow doubt users are going to want seconds, leap seconds or fractions, but we'll need to consider how to do it for future consistency (otherwise we could have a case where time is entered in one format for some attributes and another for others). If we input in a nice way we need to output in the same way.

Jan Cholasta: We could make the preferred input/output time format user-configurable, defaulting to the current locale time format. This format would be used for output. For input, we could go over a list of formats (first the user-configured format, then the current locale format, then a handful of standard formats like YYYY-MM-DD HH:MM:SS) and use the first format that can be successfully used to parse the time string.

Rob Crittenden: See how far you get into the rabbit hole with even this simple format?

Jan Cholasta: I don't mind, as long as it is the right thing to do (IMHO) :) Anyway, I think this could be done on the client side, so we might use your patch without changes. However, I would prefer if the parameter class was more generic, so we could use it (hypothetically) to store time in some other way than an LDAP generalized time attribute (at least name it DateTime please).

Rob Crittenden: Ok, I'm fine with that.

Jan Cholasta: Thanks.

Rob Crittenden: The LDAP GeneralizedTime needs to be either in GMT or include a differential. This gets us into the territory where the client could be in a different timezone than the server, which leads us to why we dropped AccessTime in the first place.

Jan Cholasta: Speaking of time zones, the differential alone is not a sufficient time zone description, as it doesn't account for DST. Is there a way to store time in LDAP with a full time zone name (just in case it's needed sometime in the future)?

Rob Crittenden: There is no way to store DST in LDAP (probably for good reason). Oddly enough the older LDAP v3 RFC (2252) strongly recommends using only GMT, but the RFC that obsoletes it (4517) does not include this.

Jan Cholasta: Thanks for the info.

Rob Crittenden: So I'd like the user to supply the timezone themselves so I don't have to guess (wrongly) and let them worry about differing timezones.

Jan Cholasta: We don't have to guess, IIRC there is a way to get the local timezone differential in both Python and JavaScript, so the client could supply it automatically if necessary.

Rob Crittenden: I was thinking more about non-IPA clients (like sudo and notBefore).

Jan Cholasta: I think this can still be done at least in the CLI, but it could be done in a separate patch.

Rob Crittenden: Updated patches attached. rob

Jan Cholasta: Patch 919 doesn't cleanly apply on current master (neither does 916 BTW). Honza

Rob Crittenden: Rebased patch (and 916 too, separately). rob

Jan Cholasta: Patch 918:
1. LDAP generalized time allows you to omit minutes from the time zone differential; your code treats such values as invalid
2. IMO a better pattern could be used, such as u'^([0-9]{2}){5,7}([.,][0-9]+)?([-+]([0-9]{2}){1,2}|Z)$'
3. 20120229000Z has malformed minutes, but the error message says "Malformed seconds"
4. 20120229000+ has malformed minutes, but the error message says "Missing operator for differential or malformed time string"
5. 20120229+ is valid generalized time, but it causes a "Missing operator for differential or malformed time string" error
6. Invalid month/day
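An added example, not code from patch 918 or from FreeIPA: a GeneralizedTime validator built on the pattern proposed in review item 2, using datetime() for the calendar checks so that an omitted differential minute (item 1) is accepted and an invalid day (item 6) is rejected, and normalizing the result to UTC as the discussion of client versus server time zones suggests. The generic error messages follow the "invalid time / unknown time format" suggestion above.

```python
import re
from datetime import datetime, timedelta, timezone

# Shape check: the pattern proposed in the review, with named groups added here.
# <time> is 10, 12 or 14 digits (YYYYMMDDHH[MM[SS]]), <fraction> is optional,
# <tz> is 'Z' or +/-HH[MM]; the minutes of the differential may be omitted.
GENERALIZED_TIME = re.compile(
    r'^(?P<time>(?:[0-9]{2}){5,7})'
    r'(?P<fraction>[.,][0-9]+)?'
    r'(?P<tz>Z|[-+](?:[0-9]{2}){1,2})$')


def parse_generalized_time(value):
    """Validate an LDAP GeneralizedTime string and return it as an aware UTC datetime.

    Uses one generic message per failure class rather than one per field.
    The optional fraction is accepted but not carried into the result.
    """
    m = GENERALIZED_TIME.match(value)
    if not m:
        raise ValueError('unknown time format: %r' % value)

    t = m.group('time')
    # Fixed-width slices: the regex already guarantees an even digit count.
    year, month, day, hour = int(t[0:4]), int(t[4:6]), int(t[6:8]), int(t[8:10])
    minute = int(t[10:12]) if len(t) >= 12 else 0
    second = int(t[12:14]) if len(t) == 14 else 0

    # RFC 4517 allows a leap second (SS == 60); datetime() does not, so
    # validate with 59 and step forward afterwards.
    leap = second == 60
    try:
        dt = datetime(year, month, day, hour, minute, 59 if leap else second)
    except ValueError:
        raise ValueError('invalid time: %r' % value)
    if leap:
        dt += timedelta(seconds=1)

    tz = m.group('tz')
    if tz == 'Z':
        offset = timedelta(0)
    else:
        sign = -1 if tz[0] == '-' else 1
        tz_hour = int(tz[1:3])
        tz_minute = int(tz[3:5]) if len(tz) == 5 else 0
        if tz_hour > 23 or tz_minute > 59:
            raise ValueError('invalid time zone differential: %r' % value)
        offset = sign * timedelta(hours=tz_hour, minutes=tz_minute)

    # Normalize to UTC so values supplied from clients in different zones
    # compare directly on the server.
    return dt.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)


def is_valid_generalized_time(value):
    """True if value is an acceptable GeneralizedTime, False otherwise."""
    try:
        parse_generalized_time(value)
        return True
    except ValueError:
        return False


if __name__ == '__main__':
    # Constructed inputs, including the strings from the review items above.
    for value in ('20120229120000Z', '201202291200+01', '20120229000Z',
                  '20120229000+', '20120230120000Z', '20120229120060Z',
                  '20120229120000.5-0530'):
        try:
            print('%-24s -> %s' % (value, parse_generalized_time(value).isoformat()))
        except ValueError as e:
            print('%-24s -> %s' % (value, e))
```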
Re: [Freeipa-devel] [PATCH] 918, 919 update sudo schema
On 2.3.2012 19:43, Rob Crittenden wrote: Martin Kosek wrote:
[Freeipa-devel] Rebélate by self-management, first project of free software by which we bet all / Rebélate for self-management, the first free software project we are all betting on
Inglés : Many already we have contributed to the first project of free software dedicated to self-management in this campaign of collective financing, it collaborates and it spreads!/ Beginning campaign collective financing http://www.goteo.org/project/rebelaos-publicacion-por-la-autogestion?lang=en Login to enter with user of social networks and for would register in Goteo : http://www.goteo.org/user/login?lang=en Rebelaos! Publication by self-management A massive publication that floods the public transport, the work centers, the parks, the consumption centers, by means of distribution of 500,000 gratuitous units, acting simultaneously in all sides and nowhere. We announce the main tool of a vestibule Web for the management of self-sustaining resources by means of Drupal, in addition in the publication there will be an article dedicated to free software, hardware, It is being prepared in inglès, the machinery You can see more details in the index of the publication https://n-1.cc/pg/file/read/1151902/indexresumen-de-los-contenidos-pdf . A computer system that allows us to share resources in all the scopes of our life so that we do not have to generate means different for each subject nor for each territory. A point of contact digitalis to generate projects of life outside Capitalism and to margin of the State. A tool to spread and to impel the social transformation through the resources that will set out in their contents around self-management, the autoorganización, the disobedience and the collective action. In which the capitalist system goes to the collapse, in a while immersed in a deep systemic crisis (ecological, political and economic, but mainly of values), where individual and collective of people they are being lacking of his fundamental rights, is necessary to develop a horizontal collective process where all the human beings we pruned to interact in equality of conditions and freedom. 
To interact means to relate to us (as much human as economically), to communicate to us, to cover our basic needs, to generate and to protect communal properties, to know and to provide collective solutions us problematic that our lives interfere. We want abrir a breach within normality in the monotonous life state-capitalist, a day anyone, that finally will not be any day. By means of this publication we try: - To drive a horizontal collective process where all and all we pruned to interact in equality of conditions and freedom. - To create communications network between the people it jeopardize with the change and arranged to act. - To find collective solutions to problematic that our lives interfere - To facilitate the access to resources that make possible self-management. - To participate in the construction of networks of mutual support, generated horizontals, asamblearias and from the base. - To publish all this information in an attractive format stops to facilitate the access to all the society. There are 15 days remaining for the upcoming March 15, the day that will come Rebelaos!, Magazine for the selfmanagement Today, we issue the cover of Rebelaos! (Castilian version) that can be displayed on the following link: https://n-1.cc/pg/file/read/1200503/portada-15-de-marzo-rebelaos The contents of the store owners to us by 15 March. Do you? Do you keep on 15 March? In addition, we have over 200 distribution nodes, distributed throughout the Spanish state. Check the map: https://afinidadrebelde.crowdmap.com/ On the other hand, the funding campaign continues to move and still have 12 days to collect the remaining 6,000 euros. We can all make a bit for all the grains of sand become a great beach on March 15. 
You can access the co-financing campaign: http://www.goteo.org/project/rebelaos-publicacion-por-la-autogestion Rebel Affinity group www.rebelaos.net --- Castellano: Many of us have already contributed to the first free software project dedicated to collective financing; collaborate and spread the word! Start of the collective financing campaign goteo.org www.goteo.org/project/rebelaos-publicacion-por-la-autogestion Link to register on Goteo and log in with social networks to help with dissemination http://www.goteo.org/user/login ¡Rebelaos! Publication for self-management A massive publication that floods public transport, workplaces, parks and consumption centres, by distributing 500,000 free copies, acting simultaneously everywhere and nowhere. We announce the main tool, a web portal for managing self-managed resources built with Drupal; in addition, the publication will carry an article dedicated to free software, hardware, machinery... You can see more details in the index of the publication https://n-1.cc/pg/file/read/1151902/indexresumen-de-los-contenidos-pdf A computer system that allows us to
Re: [Freeipa-devel] [PATCH] 918, 919 update sudo schema
Martin Kosek wrote: On Fri, 2012-03-02 at 20:01 +0100, Jan Cholasta wrote: On 2.3.2012 19:43, Rob Crittenden wrote:
Re: [Freeipa-devel] [PATCH] 221 Fix encoding for setattr/addattr/delattr
Martin Kosek wrote:
> Attribute values passed by --{set,add,del}attr parameters were normalized and validated using the appropriate parameter, but were never encoded for the backend. This prevents manipulation of dirsrv BOOL attributes, where the framework tries to pass a boolean value instead of the encoded TRUE/FALSE values.
>
> https://fedorahosted.org/freeipa/ticket/2418

ACK, pushed to master and ipa-2-2
[Freeipa-devel] [PATCH] fix hbactest failures
Another module with some now invalid domain names caught by new validator. Pushed under one-liner rule. rob From 7c454fcefa9bbfe092cb99826863bbc27f5fb01e Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Fri, 2 Mar 2012 14:53:22 -0500 Subject: [PATCH] Make hostnames adhere to new standards in hbactest plugin tests --- tests/test_xmlrpc/test_hbactest_plugin.py |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/test_xmlrpc/test_hbactest_plugin.py b/tests/test_xmlrpc/test_hbactest_plugin.py index 7899d54..5d829b1 100644 --- a/tests/test_xmlrpc/test_hbactest_plugin.py +++ b/tests/test_xmlrpc/test_hbactest_plugin.py @@ -42,9 +42,9 @@ class test_hbactest(XMLRPC_test): test_user = u'hbacrule_test_user' test_group = u'hbacrule_test_group' -test_host = u'hbacrule.test-host' +test_host = u'hbacrule.testhost' test_hostgroup = u'hbacrule_test_hostgroup' -test_sourcehost = u'hbacrule.test-src-host' +test_sourcehost = u'hbacrule.testsrchost' test_sourcehostgroup = u'hbacrule_test_src_hostgroup' test_service = u'ssh' -- 1.7.6 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
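Review bot: the hunk only drops the hyphens from the two fixture hostnames (u'hbacrule.test-host' becomes u'hbacrule.testhost', u'hbacrule.test-src-host' becomes u'hbacrule.testsrchost'), and the commit message says the old names are "now invalid" without saying which rule they break. Since an interior hyphen is ordinarily allowed in a hostname label, a one-line note in the commit message on why the validator rejects these names would let a reader tell an intended tightening from an over-strict validator that the tests are now working around.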
Re: [Freeipa-devel] [PATCH] 229 Add help for new structured DNS framework
Martin Kosek wrote:
> DNS Test Day showed that the new RR-specific DNS options and the concepts behind them may not be easily understood. This patch adds an explanation of the new DNS framework for structured options to make it easier for the user to understand and use the new options.
>
> https://fedorahosted.org/freeipa/ticket/2382

ACK, pushed to master and ipa-2-2

rob
Re: [Freeipa-devel] [PATCH] 225 Improve dnsrecord interactive help
Martin Kosek wrote:
> This patch is built on top of my DNS patches 218-220.
>
> Add 2 new features to DNS record interactive help to increase its usability and also make its behavior more consistent with standard parameter interactive help:
>
> 1) Ask for missing DNS parts
> When a required part of a newly added DNS record was missing, we just returned a ValidationError. Now, the interactive help rather asks for all missing required parts of all DNS records that were being added by their parts.
>
> 2) Let user amend invalid part
> When the interactive help asked for a DNS record part value and the user entered an invalid value, the entire interactive help exited with an error. This may upset a user if he already entered several correct DNS record part values. Now, the help rather tells the user what's wrong and gives him an opportunity to amend the value.
>
> https://fedorahosted.org/freeipa/ticket/2386
>
> - A demonstration of the new features:
>
> # ipa dnsrecord-add example.com foo --mx-exchanger=mx.example.com.
> MX Preference: 0                  <- we don't fail now
> Record name: foo
> MX record: 0 mx.example.com.
>
> # ipa dnsrecord-add example.com foo
> Please choose a type of DNS resource record to be added
> The most common types for this type of zone are: A,
> DNS resource record type: LOC
> LOC Degrees Latitude: 1
> [LOC Minutes Latitude]: 1000      <- we don't fail with invalid values!
> LOC Minutes Latitude: can be at most 59
> [LOC Minutes Latitude]: 50
> [LOC Seconds Latitude]:
> LOC Direction Latitude: E
> LOC Direction Latitude: must be one of (u'N', u'S')
> LOC Direction Latitude: N
> LOC Degrees Longtitude: 2
> [LOC Minutes Longtitude]:
> [LOC Seconds Longtitude]:
> LOC Direction Longtitude: E
> LOC Altitude: 123
> [LOC Size]:
> [LOC Horizontal Precision]:
> [LOC Vertical Precision]:
> Record name: foo
> LOC record: 1 50 N 2 E 123.00
> MX record: 0 mx.example.com.

ACK, pushed to master and ipa-2-2

rob
[Freeipa-devel] [PATCH] fix API for suduOrder
I modified minvalue of sudoOrder without updating API.txt. I bumped VERSION to reflect the new option as well. Pushed to ipa-2-2 and master as a one liner. rob From 71d745f921b9e3d39fbdf800e79f2d90a90cd6ba Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Fri, 2 Mar 2012 15:31:25 -0500 Subject: [PATCH] Fix API.txt and VERSION to reflect new sudoOrder option. --- API.txt |6 +++--- VERSION |2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/API.txt b/API.txt index 9ba3ce4..f21dce7 100644 --- a/API.txt +++ b/API.txt @@ -2839,7 +2839,7 @@ option: StrEnum('hostcategory', attribute=True, cli_name='hostcat', multivalue=F option: StrEnum('cmdcategory', attribute=True, cli_name='cmdcat', multivalue=False, required=False, values=(u'all',)) option: StrEnum('ipasudorunasusercategory', attribute=True, cli_name='runasusercat', multivalue=False, required=False, values=(u'all',)) option: StrEnum('ipasudorunasgroupcategory', attribute=True, cli_name='runasgroupcat', multivalue=False, required=False, values=(u'all',)) -option: Int('sudoorder', attribute=True, cli_name='order', default=0, multivalue=False, required=False) +option: Int('sudoorder', attribute=True, cli_name='order', default=0, minvalue=0, multivalue=False, required=False) option: Str('externaluser', attribute=True, cli_name='externaluser', multivalue=False, required=False) option: Str('ipasudorunasextuser', attribute=True, cli_name='runasexternaluser', multivalue=False, required=False) option: Str('ipasudorunasextgroup', attribute=True, cli_name='runasexternalgroup', multivalue=False, required=False) 
@@ -2946,7 +2946,7 @@ option: StrEnum('hostcategory', attribute=True, autofill=False, cli_name='hostca option: StrEnum('cmdcategory', attribute=True, autofill=False, cli_name='cmdcat', multivalue=False, query=True, required=False, values=(u'all',)) option: StrEnum('ipasudorunasusercategory', attribute=True, autofill=False, cli_name='runasusercat', multivalue=False, query=True, required=False, values=(u'all',)) option: StrEnum('ipasudorunasgroupcategory', attribute=True, autofill=False, cli_name='runasgroupcat', multivalue=False, query=True, required=False, values=(u'all',)) -option: Int('sudoorder', attribute=True, autofill=False, cli_name='order', default=0, multivalue=False, query=True, required=False) +option: Int('sudoorder', attribute=True, autofill=False, cli_name='order', default=0, minvalue=0, multivalue=False, query=True, required=False) option: Str('externaluser', attribute=True, autofill=False, cli_name='externaluser', multivalue=False, query=True, required=False) option: Str('ipasudorunasextuser', attribute=True, autofill=False, cli_name='runasexternaluser', multivalue=False, query=True, required=False) option: Str('ipasudorunasextgroup', attribute=True, autofill=False, cli_name='runasexternalgroup', multivalue=False, query=True, required=False) 
@@ -2969,7 +2969,7 @@ option: StrEnum('hostcategory', attribute=True, autofill=False, cli_name='hostca option: StrEnum('cmdcategory', attribute=True, autofill=False, cli_name='cmdcat', multivalue=False, required=False, values=(u'all',)) option: StrEnum('ipasudorunasusercategory', attribute=True, autofill=False, cli_name='runasusercat', multivalue=False, required=False, values=(u'all',)) option: StrEnum('ipasudorunasgroupcategory', attribute=True, autofill=False, cli_name='runasgroupcat', multivalue=False, required=False, values=(u'all',)) -option: Int('sudoorder', attribute=True, autofill=False, cli_name='order', default=0, multivalue=False, required=False) +option: Int('sudoorder', attribute=True, autofill=False, cli_name='order', default=0, minvalue=0, multivalue=False, required=False) option: Str('externaluser', attribute=True, autofill=False, cli_name='externaluser', multivalue=False, required=False) option: Str('ipasudorunasextuser', attribute=True, autofill=False, cli_name='runasexternaluser', multivalue=False, required=False) option: Str('ipasudorunasextgroup', attribute=True, autofill=False, cli_name='runasexternalgroup', multivalue=False, required=False) diff --git a/VERSION b/VERSION index 18add43..51870e7 100644 --- a/VERSION +++ b/VERSION @@ -79,4 +79,4 @@ IPA_DATA_VERSION=2010061412 # # IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=29 +IPA_API_VERSION_MINOR=30 -- 1.7.7.6 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
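Review bot: the three API.txt hunks (@@ -2839, @@ -2946, @@ -2969) add minvalue=0 to the sudoorder Int option in each of the three command signatures and leave default=0, which is consistent with the new lower bound, and the VERSION hunk bumps IPA_API_VERSION_MINOR from 29 to 30 to match; the hunks agree with each other. One documentation point: the commit message says the plugin was changed without API.txt being regenerated, so stating that the API consistency check (makeapi) passes after this change would make it clear the file was regenerated rather than hand-edited, which is what keeps it from drifting again on the next option change.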
Re: [Freeipa-devel] [PATCH] 41-2 During ipa-client-install verify forward and reverse dns lookup of server
On Feb 28, 2012, at 10:43 AM, JR Aquino wrote:
> On Feb 23, 2012, at 3:56 PM, JR Aquino wrote:
>> ipa-server-install has a method for validating forward and reverse via ipaserver/install/installutils.py
>>
>> ipa-client-install does not currently have an equivalent
>>
>> This patch adds valid_dns to ipapython/ipautil.py to validate forward and reverse DNS
>>
>> This patch adds the valid_dns test in ipa-client/ipa-install/ipa-client-install to validate the DNS of the FreeIPA server
>>
>> https://fedorahosted.org/freeipa/ticket/2438
>
> Rebased and corrected patch
> freeipa-jraquino-0041-During-ipa-client-install-verify-forward-and-reve.patch

NEW Rebased and corrected patch

freeipa-jraquino-0041-During-ipa-client-install-verify-forward-and-reve.patch