Re: [Freeipa-devel] [PATCH] 231 Ignore case in yes/no prompts

2012-03-07 Thread Petr Viktorin

On 03/06/2012 06:40 PM, Martin Kosek wrote:

We did not accept answers like Yes, YES, No, etc. as valid
answers to yes/no prompts (used for example in dnsrecord-del
interactive mode). This could confuse users. This patch changes
the behavior to ignore the answer case.

https://fedorahosted.org/freeipa/ticket/2484




___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


ACK, works as advertised.

--
Petr³



Re: [Freeipa-devel] [PATCH] 231 Ignore case in yes/no prompts

2012-03-07 Thread Petr Viktorin

On 03/07/2012 10:40 AM, Petr Viktorin wrote:

On 03/06/2012 06:40 PM, Martin Kosek wrote:

We did not accept answers like Yes, YES, No, etc. as valid
answers to yes/no prompts (used for example in dnsrecord-del
interactive mode). This could confuse users. This patch changes
the behavior to ignore the answer case.

https://fedorahosted.org/freeipa/ticket/2484






ACK, works as advertised.



I hit Send too fast. This triggers a lint warning; ACK if you disable it.

--
Petr³



[Freeipa-devel] [PATCH] 0021 Add CLI tests

2012-03-07 Thread Petr Viktorin
Most of the tests we have check if the server does the right thing with 
XML-RPC calls. How the commandline is converted to command arguments, 
including interactive prompting, is untested.
This patch adds some tests in this area. To do that I had to break up 
cli.run into more manageable pieces, and initialize the CLI plugins in 
test mode.


Also I added nose's --nocapture option to the make-test script. With 
this it's possible to use pdb.set_trace() to drop into a debugger while 
running the tests.



I went ahead and added a test for ticket 2484, fixed in Martin's patch 
231 (Ignore case in yes/no prompts).


--
Petr³
From 440f2abc1636c42d30ba18ac677ec00aa31294e9 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Tue, 6 Mar 2012 07:01:53 -0500
Subject: [PATCH 21/22] Add CLI parsing tests

These test that command lines are parsed to correct Command arguments.
Includes some tests for interactive prompts.

To make this possible cli.run is broken up into several pieces.

Also, ./make-test now passes the --nocapture option to nose, which allows
debugging using pdb.set_trace().
---
 ipalib/__init__.py |3 +
 ipalib/backend.py  |1 -
 ipalib/cli.py  |   24 ++-
 make-test  |   27 +---
 tests/test_cmdline/test_cli.py |  142 
 5 files changed, 182 insertions(+), 15 deletions(-)
 create mode 100644 tests/test_cmdline/test_cli.py

diff --git a/ipalib/__init__.py b/ipalib/__init__.py
index 1efeeab4a6c5cef8f625c3964be253baf208dd29..dd861a8266614d63a81289672ce2235275c356c0 100644
--- a/ipalib/__init__.py
+++ b/ipalib/__init__.py
@@ -916,5 +916,8 @@ def create_api(mode='dummy'):
 api = create_api(mode=None)
 
 if os.environ.get('IPA_UNIT_TEST_MODE', None) == 'cli_test':
+from cli import cli_plugins
+for klass in cli_plugins:
+api.register(klass)
 api.bootstrap(context='cli', in_server=False, in_tree=True)
 api.finalize()
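Review bot: `from cli import cli_plugins` is an implicit relative import inside the `ipalib` package; spelling it `from ipalib.cli import cli_plugins` keeps this test-mode branch working under absolute-import rules and makes it obvious at a glance that the CLI plugins are registered only when `IPA_UNIT_TEST_MODE=cli_test`, so a production import of `ipalib` is unaffected.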
diff --git a/ipalib/backend.py b/ipalib/backend.py
index 0232fa536ed83273d1c6510ee442915bb8c0c8c1..7be38ecc80faf03e735813fb1e2d0eba5c347800 100644
--- a/ipalib/backend.py
+++ b/ipalib/backend.py
@@ -102,7 +102,6 @@ class Connectible(Backend):
 
 class Executioner(Backend):
 
-
 def create_context(self, ccache=None, client_ip=None):
 
 client_ip: The IP address of the remote client.
diff --git a/ipalib/cli.py b/ipalib/cli.py
index 737ae001573af0f614783fe69add5711362da21e..332c51a181a2c1318e203ffea86e9a7e95445e89 100644
--- a/ipalib/cli.py
+++ b/ipalib/cli.py
@@ -123,7 +123,7 @@ class textui(backend.Backend):
 
 def __get_encoding(self, stream):
 assert stream in (sys.stdin, sys.stdout)
-if stream.encoding is None:
+if getattr(stream, 'encoding', None) is None:
 return 'UTF-8'
 return stream.encoding
 
@@ -1007,7 +1007,11 @@ class cli(backend.Executioner):
 Backend plugin for executing from command line interface.
 
 
-def run(self, argv):
+def get_command(self, argv):
+Given CLI arguments, return the Command to use
+
+On incorrect invocation, prints out a help message and returns None
+
 if len(argv) == 0:
 self.Command.help()
 return
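Review bot: the `get_command` docstring says it returns `None` on incorrect invocation, but the unknown-command path that follows still raises `CommandError`; either document that the method raises for unknown names or catch it here so callers only have to handle the `None` case. The early `return` after `self.Command.help()` returns `None` implicitly; an explicit `return None` would match the docstring.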
@@ -1022,14 +1026,26 @@ class cli(backend.Executioner):
 if name not in self.Command or self.Command[name].NO_CLI:
 raise CommandError(name=key)
 cmd = self.Command[name]
-if not isinstance(cmd, frontend.Local):
-self.create_context()
+return cmd
+
+def argv_to_keyword_arguments(self, cmd, argv):
+Get the keyword arguments for a Command
 kw = self.parse(cmd, argv)
 kw['version'] = API_VERSION
 if self.env.interactive:
 self.prompt_interactively(cmd, kw)
 self.load_files(cmd, kw)
+return kw
+
+def run(self, argv):
+cmd = self.get_command(argv)
+if cmd is None:
+return
+name = cmd.name
+if not isinstance(cmd, frontend.Local):
+self.create_context()
 try:
+kw = self.argv_to_keyword_arguments(cmd, argv[1:])
 result = self.execute(name, **kw)
 if callable(cmd.output_for_cli):
 for param in cmd.params():
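Review bot: `run` passes the full `argv` to `get_command` but `argv[1:]` to `argv_to_keyword_arguments`, so the two new methods have different argument contracts; a note in each docstring saying whether the command name is expected would spare a test author (the stated motivation for the split) from stripping it twice or not at all.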
diff --git a/make-test b/make-test
index b429a7162f4f5c0121355f0fcfff8ba1039ba90a..b6b0c72e0d62d732f296e8364211a0c838d558f8 100755
--- a/make-test
+++ b/make-test
@@ -17,22 +17,27 @@ ran = []
 fail = []
 
 parser = optparse.OptionParser(
-	usage='usage: %prog [MODULE...]',
+usage='usage: %prog [MODULE...]',
 )
 parser.add_option('--stop',
-	action='store_true',
-	default=False,
-	help='Stop running tests after the first error or failure',
+action='store_true',
+default=False,
+help='Stop running tests after the first error or failure',
 )
 parser.add_option('--pdb',
-	action='store_true',
-	default=False,
-	help='Drop into debugger 

[Freeipa-devel] [PATCH] 981 set httpd_manage_ipa

2012-03-07 Thread Rob Crittenden
Set SELinux boolean httpd_manage_ipa so ipa_memcached will work in 
enforcing mode.


This is being done in the HTTP instance so we can set both booleans in 
one step and save a bit of time (it is still slow).


rob
From 2794abe72ebbdc38503cdf3cc779fa41d6e14a92 Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Wed, 7 Mar 2012 09:29:52 -0500
Subject: [PATCH] Set SELinux boolean httpd_manage_ipa so ipa_memcached will
 work.

This is being done in the HTTP instance so we can set both
booleans in one step and save a bit of time (it is still slow).

https://fedorahosted.org/freeipa/ticket/2432
---
 ipaserver/install/httpinstance.py |   43 +++--
 1 files changed, 22 insertions(+), 21 deletions(-)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index a23204be062d0f4ec895cdaf0c6a41d4ce54f4e3..75d80ac9abf91e97739239497b18097f03a8a93c 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -37,10 +37,10 @@ HTTPD_DIR = /etc/httpd
 SSL_CONF = HTTPD_DIR + /conf.d/ssl.conf
 NSS_CONF = HTTPD_DIR + /conf.d/nss.conf
 
-selinux_warning = WARNING: could not set selinux boolean httpd_can_network_connect to true.
+selinux_warning = WARNING: could not set selinux boolean %(var)s to true.
 The web interface may not function correctly until this boolean is
 successfully change with the command:
-   /usr/sbin/setsebool -P httpd_can_network_connect true
+   /usr/sbin/setsebool -P %(var)s true
 Try updating the policycoreutils and selinux-policy packages.
 
 
@@ -103,28 +103,28 @@ class HTTPInstance(service.Service):
 self.ldap_enable('HTTP', self.fqdn, self.dm_password, self.suffix)
 
 def __selinux_config(self):
-selinux=0
+selinux = False
 try:
 if (os.path.exists('/usr/sbin/selinuxenabled')):
 ipautil.run([/usr/sbin/selinuxenabled])
-selinux=1
+selinux = True
 except ipautil.CalledProcessError:
 # selinuxenabled returns 1 if not enabled
 pass
 
 if selinux:
+for var in [httpd_can_network_connect, httpd_manage_ipa]:
+try:
+(stdout, stderr, returncode) = ipautil.run([/usr/sbin/getsebool, var])
+self.backup_state(var, stdout.split()[2])
+except:
+pass
+
+# Allow apache to connect to the dogtag UI and the session cache
+# This can still fail even if selinux is enabled. Execute these
+# together so it is speedier. 
 try:
-# returns e.g. httpd_can_network_connect -- off
-(stdout, stderr, returncode) = ipautil.run([/usr/sbin/getsebool,
-httpd_can_network_connect])
-self.backup_state(httpd_can_network_connect, stdout.split()[2])
-except:
-pass
-
-# Allow apache to connect to the turbogears web gui
-# This can still fail even if selinux is enabled
-try:
-ipautil.run([/usr/sbin/setsebool, -P, httpd_can_network_connect, true])
+ipautil.run([/usr/sbin/setsebool, -P, httpd_can_network_connect=true, httpd_manage_ipa=true])
 except:
 self.print_msg(selinux_warning)
 
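Review bot: `selinux_warning` now contains `%(var)s` placeholders, but the `except:` branch here still calls `self.print_msg(selinux_warning)` with the template unformatted, so a failing `setsebool` prints the literal text `%(var)s` to the user; the uninstall hunk below does `selinux_warning % dict(var=var)`. Since the install path now sets both booleans in one `setsebool -P` invocation, a single failure cannot tell which one was refused, so the message should name both booleans or the code should fall back to setting them one at a time. The bare `except:` around `getsebool` also swallows `KeyboardInterrupt`; catching `ipautil.CalledProcessError`, as the `selinuxenabled` check above does, is more precise.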
@@ -293,12 +293,13 @@ class HTTPInstance(service.Service):
 installutils.remove_file(/etc/httpd/conf.d/ipa.conf)
 installutils.remove_file(/etc/httpd/conf.d/ipa-pki-proxy.conf)
 
-sebool_state = self.restore_state(httpd_can_network_connect)
-if not sebool_state is None:
-try:
-ipautil.run([/usr/sbin/setsebool, -P, httpd_can_network_connect, sebool_state])
-except:
-self.print_msg(selinux_warning)
+for var in [httpd_can_network_connect, httpd_manage_ipa]:
+sebool_state = self.restore_state(var)
+if not sebool_state is None:
+try:
+ipautil.run([/usr/sbin/setsebool, -P, var, sebool_state])
+except:
+self.print_msg(selinux_warning % dict(var=var))
 
 if not running is None and running:
 self.start()
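Review bot: `if not sebool_state is None` is rewritten in this hunk anyway, so it is a good moment to change it to `if sebool_state is not None`; and as in the install path, the bare `except:` around `setsebool` would be better as `except ipautil.CalledProcessError`, so the restore loop does not hide unrelated errors behind the SELinux warning.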
-- 
1.7.7.6


Re: [Freeipa-devel] [PATCH] 227-228 Add last missing bits in new bind-dyndb-ldap

2012-03-07 Thread Martin Kosek
On Thu, 2012-03-01 at 13:19 +0100, Martin Kosek wrote:
 These 2 patches change the DNS API to support the last missing bits in
 new bind-dyndb-ldap:
 
 1) Both global and per-zone forwarders now support a conditional custom
 port (with format IP_ADDRESS PORT)
 2) Missing global configuration options have been added:
  * idnsforwardpolicy: Default policy for conditional forwarding
  * idnsallowsyncptr: Allow globally PTR synchronization for dynamic
 updates
  * idnszonerefresh: Default interval between regular polls of the
name server for new DNS zones
 
 Before these patches are pushed, I will just have to update the minimal
 bind-dyndb-ldap version (it has not been built yet) which has full
 support for these.
 
 Martin

New version of bind-dyndb-ldap has been released, attaching a rebased
patch with fixed bind-dyndb-ldap version in spec file.

I also fixed the forwarder format, it should be $IP port $PORT, not
$IP $PORT as it was in a previous version of the patch. I tested this
new format with bind-dyndb-ldap and it forwards the queries properly.

Unfortunately, a fixed version of bind has not been released yet, i.e.
bind will crash if forwarders are defined both in named.conf and LDAP
global configuration (dnsconfig-mod).

Martin
From 21d191f23858017b8e0f37f6918268f70c2e6be0 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Wed, 7 Mar 2012 15:53:38 +0100
Subject: [PATCH 1/2] Allow port numbers for idnsForwarders

Let user enter custom ports for zone conditional forwarders or
global forwarders in dnsconfig. Ports can be specified in
a standard BIND format: IP_ADDRESS [port PORT]

https://fedorahosted.org/freeipa/ticket/2462
---
 freeipa.spec.in   |5 -
 ipalib/plugins/dns.py |   28 
 2 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 9421bd2a800f6dca39c2b40b533e14f108120c56..33c4bc31b8b261419cefc6ed269fc59835541a8d 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -151,7 +151,7 @@ Requires(postun): python initscripts chkconfig
 # We have a soft-requires on bind. It is an optional part of
 # IPA but if it is configured we need a way to require versions
 # that work for us.
-Conflicts: bind-dyndb-ldap  1.1.0-0.8.a2
+Conflicts: bind-dyndb-ldap  1.1.0-0.9.b1
 Conflicts: bind  9.8.1-1
 
 # mod_proxy provides a single API to communicate over SSL. If mod_ssl
@@ -670,6 +670,9 @@ fi
 
 %changelog
 
+* Wed Mar  7 2012 Martin Kosek mko...@redhat.com - 2.2.0-16
+- Set min for bind-dyndb-ldap to 1.1.0-0.9.b1 to pick up new features
+
 * Thu Mar 1 2012 Jan Cholasta jchol...@redhat.com - 2.2.0-15
 - Set min nvr of sssd to 1.8.0 for SSH support
 - Add BuildRequires on sssd = 1.8.0
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index a10960a2c20b8915b199ed82462a844ce8f5915c..251db476ed3029759ffd2238ad33fc7320de4ef2 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -348,6 +348,24 @@ def _dns_record_name_validator(ugettext, value):
 except ValueError, e:
 return unicode(e)
 
+def _validate_bind_forwarder(ugettext, forwarder):
+ip_address, sep, port = forwarder.partition(u' port ')
+
+ip_address_validation = _validate_ipaddr(ugettext, ip_address)
+
+if ip_address_validation is not None:
+return ip_address_validation
+
+if sep:
+try:
+port = int(port)
+if port  0 or port  65535:
+raise ValueError()
+except ValueError:
+return _('%(port)s is not a valid port' % dict(port=port))
+
+return None
+
 def _domain_name_validator(ugettext, value):
 try:
 validate_domain_name(value)
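Review bot: the port range check only rejects negative numbers on the low side, so `port 0` is accepted even though it is not a usable forwarder port; the lower bound should be 1. `forwarder.partition(u' port ')` also requires exactly one space on each side of the keyword, so an entry such as `1.2.3.4  port 53` (double space) or `1.2.3.4 port53` is handed whole to `_validate_ipaddr` and fails with an IP-address error instead of a port-syntax one; splitting on whitespace and checking for the literal `port` token would give a clearer message. Finally, the error text is built with `%` before `_()` is applied, so the translation lookup is done on the already-substituted string and never matches the catalogue; use `_('%(port)s is not a valid port') % dict(port=port)`.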
@@ -1614,10 +1632,11 @@ class dnszone(LDAPObject):
 autofill=True,
 ),
 Str('idnsforwarders*',
-_validate_ipaddr,
+_validate_bind_forwarder,
 cli_name='forwarder',
 label=_('Zone forwarders'),
-doc=_('A list of zone forwarders'),
+doc=_('A list of global forwarders. A custom port can be specified ' \
+  'for each forwarder using a standard format IP_ADDRESS port PORT'),
 csv=True,
 ),
 StrEnum('idnsforwardpolicy?',
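Review bot: the new `doc` for the `dnszone` `idnsforwarders` parameter says 'A list of global forwarders', which is the `dnsconfig` wording; the `label` two lines above still says 'Zone forwarders', so the doc here should describe per-zone forwarders.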
@@ -2628,10 +2647,11 @@ class dnsconfig(LDAPObject):
 
 takes_params = (
 Str('idnsforwarders*',
-_validate_ipaddr,
+_validate_bind_forwarder,
 cli_name='forwarder',
 label=_('Global forwarders'),
-doc=_('A list of global forwarders'),
+doc=_('A list of global forwarders. A custom port can be specified ' \
+  'for each forwarder using a standard format IP_ADDRESS port PORT'),
 csv=True,
 ),
 )
-- 
1.7.7.6

From 8ac6bb44cce5ce88ef00dd8526b7ecd022926c9e Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Wed, 7 Mar 2012 15:54:38 +0100
Subject: [PATCH 2/2] Add missing global options in dnsconfig

Add a 

Re: [Freeipa-devel] [PATCH] 924 display both hex and decimal serial numbers

2012-03-07 Thread Petr Vobornik

On 03/06/2012 09:56 PM, Rob Crittenden wrote:

Rob Crittenden wrote:

Jan Cholasta wrote:

Dne 18.1.2012 00:04, Rob Crittenden napsal(a):

Jan Cholasta wrote:

Dne 16.1.2012 22:02, Rob Crittenden napsal(a):

Rob Crittenden wrote:

Jan Cholasta wrote:

Dne 13.1.2012 20:53, Rob Crittenden napsal(a):

When viewing a certificate it will show the serial number as hex (dec).

# ipa service-show HTTP/rawhide.example.com
Principal: HTTP/rawhide.example@example.com
Certificate: [snip]
Keytab: True
Managed by: rawhide.example.com
Subject: CN=rawhide.example.com,O=EXAMPLE.COM
Serial Number: 0x403 (1027)
Issuer: CN=EXAMPLE.COM Certificate Authority
Not Before: Fri Jan 13 15:00:44 2012 UTC
Not After: Thu Jan 13 15:00:44 2022 UTC
Fingerprint (MD5): e5:43:17:0d:8d:af:d6:69:d8:fb:eb:ca:79:fb:47:69
Fingerprint (SHA1): c2:9e:8e:de:42:c9:4a:29:cc:b0:a0:de:57:c7:b7:d8:f9:b5:fe:e6

rob



NACK

Displaying a host or a service in the webUI fails with IPA error 3009:
invalid 'serial_number': Decimal or hexadecimal number is required for
serial number.

I would suggest to do the nifty formatting of serial numbers on the
client side, that would fix the webUI issue, allow non-IPA clients to
parse the number without dissecting the string representation of it and
probably also save me a hack in the type conversion overhaul. You could
for example add a parameter flag like format_serial_number to indicate
to the client that it should format the value as a serial number.

Honza



Well, we want to do as little client formatting as possible. The idea is
to have a very thin client.


It doesn't seem right to me to enforce this specific representation of
what is really just an integer at the API level. Doing a little
formatting on the client side won't make the client(s) particularly fat,
will it?


Yes. The current code just outputs labels and data. There is no if it
is this attribute then do that logic.



IMHO there is too much stuff done on server that would make more sense
to do on client anyway (especially CLI-specific stuff such as CSV
parsing). What is the reason we want such a thin client?


To avoid double work such that every time we want a formatting change we
have to change it in multiple places. This lesson was learned in v1.


I believe there should be clear separation of presentation and content,
but perhaps I'm a little bit too idealistic :-).


You have a point, serial number is defined as an integer. Perhaps we
should revisit this decision to display hex at all.






I'll look into fixing the UI side.


I don't see this error in services, it displays correctly. I'm not sure
if it is my browser or what but hosts don't display much of anything for
me.

rob


I have just checked both master and ipa-2-2 and I'm getting the same
error message (tested in Firefox 9.0.1) when viewing details of a host
or a service with the usercertificate attribute set.

BTW, wouldn't it make sense to format serial numbers in the cert plugin
in the same way?


Perhaps. Like I said, I'm not really in favor of this change.

rob


Maybe we can do a compromise of some sort. What about allowing the
client to specify with each request what representation/formatting the
server should use for the resulting entries and attributes?


That would be mighty flexible but would open a new can of worms. I think
long term I'd like to be able to request what attributes to see (ala
ldapsearch) but that too is a bit out of scope.

This comes down to Output being rather loosely defined and we already
have a ticket open on that. It basically just defines the broad types of
data to be returned (string, list, dict, etc) but not the internal
components of complex types.


Took a new approach and created a new output attribute,
serial_number_hex, that is displayed separately.

UI portion added as well.



ACK for the UI part. I attached a patch which extends UI static testing 
data - to keep things in solid state.


I think this approach is still evil (as the whole ticket) but I don't 
have a better solution (in CLI).


Question:
Isn't the '0x' part a bit redundant? The label already says '(hex)'. 
However I can buy a 'It is a convention.' argument.


--
Petr Vobornik
From 6302b8074bdc9fa1b46d3d848fb0e81460db4ba4 Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Wed, 7 Mar 2012 16:32:45 +0100
Subject: [PATCH] Certificate serial number in hex format - ui testing data

Updated UI static content to contain value and label for certificate serial_number_hex.

https://fedorahosted.org/freeipa/ticket/1991
---
 install/ui/test/data/ipa_init.json |1 +
 install/ui/test/data/service_show.json |1 +
 2 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json
index 0182aab733a5541d3149ea582bd975faf04db10a..df9fbe9c839b696c2dfc95d85faf8f94e93f08f1 100644
--- a/install/ui/test/data/ipa_init.json
+++ b/install/ui/test/data/ipa_init.json
@@ -177,6 +177,7 @@
   

[Freeipa-devel] [PATCH] 102-103 UI part of 'Add last missing bits in new bind-dyndb-ldap'

2012-03-07 Thread Petr Vobornik

1) Add support of new options in dnsconfig

dnsconfig was extended with new attributes, so this reflects them in the UI.

New attributes:
  * idnsForwardPolicy
  * idnsAllowSyncPTR
  * idnsZoneRefresh

https://fedorahosted.org/freeipa/ticket/2489

2) DNS forwarder's value can consist of IP address and a port.

The syntax is 'IP ADDRESS port PORT'. A new validator was created 
for this purpose. It is based on the IP address validator.


https://fedorahosted.org/freeipa/ticket/2490
--
Petr Vobornik
From 852f62746f1a72c272dded430ecaf29dd5af52b7 Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Wed, 7 Mar 2012 09:28:54 +0100
Subject: [PATCH] Add support of new options in dnsconfig

dnsconfig was extended with new attributes, so this reflects them in the UI.

New attributes:
  * idnsForwardPolicy
  * idnsAllowSyncPTR
  * idnsZoneRefresh

 https://fedorahosted.org/freeipa/ticket/2489
---
 install/ui/dns.js|   13 -
 install/ui/test/data/dnsconfig_mod.json  |9 +
 install/ui/test/data/dnsconfig_show.json |9 +
 3 files changed, 30 insertions(+), 1 deletions(-)

diff --git a/install/ui/dns.js b/install/ui/dns.js
index 4cc6d4c533fb7c81429a58cf81cfe132812ca2ed..6d147300b75531a8f2b1d8258c3c2fcdf587d0da 100644
--- a/install/ui/dns.js
+++ b/install/ui/dns.js
@@ -43,10 +43,21 @@ IPA.dns.config_entity = function(spec) {
 label: IPA.messages.objects.dnsconfig.options,
 fields: [
 {
+type: 'checkbox',
+name: 'idnsallowsyncptr'
+},
+{
 type: 'multivalued',
 name: 'idnsforwarders',
 validators: [IPA.ip_address_validator()]
-}
+},
+{
+type: 'checkboxes',
+name: 'idnsforwardpolicy',
+mutex: true,
+options: IPA.create_options(['only', 'first'])
+},
+'idnszonerefresh'
 ]
 }
 ],
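Review bot: in this patch `idnsforwarders` still uses `IPA.ip_address_validator()`, so the UI rejects the `IP port PORT` forwarder syntax that the server side now accepts; the companion patch swaps in `IPA.dnsforwarder_validator()`, and the two should land together so the dnsconfig page is never in that inconsistent state. `idnsforwardpolicy` rendered as mutually exclusive `checkboxes` for `only`/`first` is a one-of-two choice; a radio group would express that directly.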
diff --git a/install/ui/test/data/dnsconfig_mod.json b/install/ui/test/data/dnsconfig_mod.json
index e82e0735ed89439e29fed19c188f088e22cc0bc9..d6e1b8c2d4c2cf7085281d0be5658a18026d855b 100644
--- a/install/ui/test/data/dnsconfig_mod.json
+++ b/install/ui/test/data/dnsconfig_mod.json
@@ -17,9 +17,18 @@
 cn: [
 dns
 ],
+idnsallowsyncptr: [
+FALSE
+],
 idnsforwarders: [
 2001:beef::1
 ],
+idnsforwardpolicy: [
+first
+],
+idnszonerefresh: [
+20
+],
 objectclass: [
 idnsConfigObject,
 nsContainer,
diff --git a/install/ui/test/data/dnsconfig_show.json b/install/ui/test/data/dnsconfig_show.json
index e663abcc8b4c63d3a99e6de6f4e40a93e127ab1b..4ee15cd2f0ba290f747dbd7fb739c780e89d9667 100644
--- a/install/ui/test/data/dnsconfig_show.json
+++ b/install/ui/test/data/dnsconfig_show.json
@@ -18,9 +18,18 @@
 dns
 ],
 dn: cn=dns,dc=dev,dc=example,dc=com,
+idnsallowsyncptr: [
+FALSE
+],
 idnsforwarders: [
 2001:beef::1
 ],
+idnsforwardpolicy: [
+first
+],
+idnszonerefresh: [
+20
+],
 objectclass: [
 idnsConfigObject,
 nsContainer,
-- 
1.7.7.6

From 070d1c4085e531e8e84b1ae4e16cd0ab65cb46f5 Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Wed, 7 Mar 2012 14:42:59 +0100
Subject: [PATCH] DNS forwarder validator

DNS forwarder's value can consist of IP address and a port.

The syntax is 'IP ADDRESS port PORT'. A new validator was created for this purpose. It is based on the IP address validator.

https://fedorahosted.org/freeipa/ticket/2490
---
 install/ui/dns.js  |   37 +--
 install/ui/test/data/ipa_init.json |1 +
 ipalib/plugins/internal.py |1 +
 3 files changed, 36 insertions(+), 3 deletions(-)

diff --git a/install/ui/dns.js b/install/ui/dns.js
index 6d147300b75531a8f2b1d8258c3c2fcdf587d0da..4212f1d2446eff0d29e0b57225339e79765017fc 100644
--- a/install/ui/dns.js
+++ b/install/ui/dns.js
@@ -49,7 +49,7 @@ IPA.dns.config_entity = function(spec) {
 {
 type: 'multivalued',
 name: 'idnsforwarders',
-validators: [IPA.ip_address_validator()]
+validators: [IPA.dnsforwarder_validator()]
 },
   

[Freeipa-devel] [PATCH] 104 Fixed mask validation in network_validator

2012-03-07 Thread Petr Vobornik

Network validator allowed invalid mask format:
 * leading zeros: 192.168.0.1/0024
 * trailing chars: 192.168.0.1/24abcd

It was fixed.

https://fedorahosted.org/freeipa/ticket/2493
--
Petr Vobornik
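The two mask checks this message is about, as an added illustration written for this page (it is not FreeIPA's IPA.network_validator; the address classifier is a simplified stand-in and the sample inputs are constructed):

```javascript
// Added example, not FreeIPA code: shows why a parseInt()-based CIDR mask
// check accepts "192.168.0.1/0024" and "192.168.0.1/24abcd", and a strict
// check that rejects them. The lower bound of 8 mirrors the validator
// discussed in this thread.
const MASK_BITS = { v4: 32, v6: 128 };

// Simplified address classifier (a stand-in for the real one): 'v4', 'v6' or null.
function addressType(addr) {
  const octet = '(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)';
  const v4 = new RegExp('^' + octet + '(\\.' + octet + '){3}$');
  if (v4.test(addr)) return 'v4';
  // Loose IPv6 shape check: hex digits and colons, at least one colon.
  if (/^[0-9a-fA-F:]+$/.test(addr) && addr.indexOf(':') !== -1) return 'v6';
  return null;
}

// Lenient check (the buggy behaviour): parseInt() stops at the first
// non-digit and ignores leading zeros, so "0024" and "24abcd" both become 24.
function lenientMaskValid(maskPart, type) {
  const mask = parseInt(maskPart, 10);
  return !(isNaN(mask) || mask < 8 || mask > MASK_BITS[type]);
}

// Strict check: the mask must be a plain decimal integer with no leading
// zeros and nothing after the digits; only then is it compared numerically.
function strictMaskValid(maskPart, type) {
  if (!/^[1-9]\d*$/.test(maskPart)) return false;
  const mask = Number(maskPart);
  return mask >= 8 && mask <= MASK_BITS[type];
}

// Validates "ADDRESS" or "ADDRESS/MASK" using the supplied mask checker.
function networkValid(value, maskCheck) {
  const parts = value.split('/');
  if (parts.length > 2) return false;
  const type = addressType(parts[0]);
  if (type === null) return false;
  if (parts.length === 1) return true;
  if (parts[1] === '') return false;
  return maskCheck(parts[1], type);
}

// Side-by-side results for a list of inputs.
function compare(values) {
  return values.map(function (v) {
    return {
      value: v,
      lenient: networkValid(v, lenientMaskValid),
      strict: networkValid(v, strictMaskValid)
    };
  });
}

// Constructed sample inputs, including the two shapes from the bug report.
const SAMPLES = ['192.168.0.1/24', '192.168.0.1/0024', '192.168.0.1/24abcd',
                 '2001:db8::/64', '2001:db8::/129'];
compare(SAMPLES).forEach(function (r) {
  console.log(r.value + '  lenient=' + r.lenient + '  strict=' + r.strict);
});
```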



Re: [Freeipa-devel] [PATCH] 924 display both hex and decimal serial numbers

2012-03-07 Thread Rob Crittenden

Petr Vobornik wrote:

On 03/06/2012 09:56 PM, Rob Crittenden wrote:

Rob Crittenden wrote:

Jan Cholasta wrote:

Dne 18.1.2012 00:04, Rob Crittenden napsal(a):

Jan Cholasta wrote:

Dne 16.1.2012 22:02, Rob Crittenden napsal(a):

Rob Crittenden wrote:

Jan Cholasta wrote:

Dne 13.1.2012 20:53, Rob Crittenden napsal(a):

When viewing a certificate it will show the serial number as hex (dec).

# ipa service-show HTTP/rawhide.example.com
Principal: HTTP/rawhide.example@example.com
Certificate: [snip]
Keytab: True
Managed by: rawhide.example.com
Subject: CN=rawhide.example.com,O=EXAMPLE.COM
Serial Number: 0x403 (1027)
Issuer: CN=EXAMPLE.COM Certificate Authority
Not Before: Fri Jan 13 15:00:44 2012 UTC
Not After: Thu Jan 13 15:00:44 2022 UTC
Fingerprint (MD5): e5:43:17:0d:8d:af:d6:69:d8:fb:eb:ca:79:fb:47:69
Fingerprint (SHA1): c2:9e:8e:de:42:c9:4a:29:cc:b0:a0:de:57:c7:b7:d8:f9:b5:fe:e6

rob



NACK

Displaying a host or a service in the webUI fails with IPA error 3009:
invalid 'serial_number': Decimal or hexadecimal number is required for
serial number.

I would suggest to do the nifty formatting of serial numbers on the
client side, that would fix the webUI issue, allow non-IPA clients to
parse the number without dissecting the string representation of it and
probably also save me a hack in the type conversion overhaul. You could
for example add a parameter flag like format_serial_number to indicate
to the client that it should format the value as a serial number.

Honza



Well, we want to do as little client formatting as possible. The idea is
to have a very thin client.


It doesn't seem right to me to enforce this specific representation of
what is really just an integer at the API level. Doing a little
formatting on the client side won't make the client(s) particularly fat,
will it?


Yes. The current code just outputs labels and data. There is no if it
is this attribute then do that logic.



IMHO there is too much stuff done on server that would make more sense
to do on client anyway (especially CLI-specific stuff such as CSV
parsing). What is the reason we want such a thin client?


To avoid double work such that every time we want a formatting change we
have to change it in multiple places. This lesson was learned in v1.


I believe there should be clear separation of presentation and content,
but perhaps I'm a little bit too idealistic :-).


You have a point, serial number is defined as an integer. Perhaps we
should revisit this decision to display hex at all.






I'll look into fixing the UI side.


I don't see this error in services, it displays correctly. I'm not sure
if it is my browser or what but hosts don't display much of anything for
me.

rob


I have just checked both master and ipa-2-2 and I'm getting the same
error message (tested in Firefox 9.0.1) when viewing details of a host
or a service with the usercertificate attribute set.

BTW, wouldn't it make sense to format serial numbers in the cert plugin
in the same way?


Perhaps. Like I said, I'm not really in favor of this change.

rob


Maybe we can do a compromise of some sort. What about allowing the
client to specify with each request what representation/formatting the
server should use for the resulting entries and attributes?


That would be mighty flexible but would open a new can of worms. I think
long term I'd like to be able to request what attributes to see (ala
ldapsearch) but that too is a bit out of scope.

This comes down to Output being rather loosely defined and we already
have a ticket open on that. It basically just defines the broad types of
data to be returned (string, list, dict, etc) but not the internal
components of complex types.


Took a new approach and created a new output attribute,
serial_number_hex, that is displayed separately.

UI portion added as well.



ACK for the UI part. I attached a patch which extends UI static testing
data - to keep things in solid state.

I think this approach is still evil (as the whole ticket) but I don't
have a better solution (in CLI).


We are in agreement.


Question:
Isn't the '0x' part a bit redundant? The label already says '(hex)'.
However I can buy a 'It is a convention.' argument.


Yes, I did it for convention, plus to avoid confusion for the case where 
it looks like a decimal number but isn't, e.g. 10. If you saw:


Serial number: 16
Serial number (hex): 10

It might be confusing. 0x10 would be clearer.

rob



Re: [Freeipa-devel] [PATCH] 104 Fixed mask validation in network_validator

2012-03-07 Thread Petr Vobornik

Attaching patch file.

On 03/07/2012 05:10 PM, Petr Vobornik wrote:

Network validator allowed invalid mask format:
* leading zeros: 192.168.0.1/0024
* trailing chars: 192.168.0.1/24abcd

It was fixed.

https://fedorahosted.org/freeipa/ticket/2493


--
Petr Vobornik
From bdc47a1f588a0e406c66467fae53642c6123214b Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Wed, 7 Mar 2012 14:43:43 +0100
Subject: [PATCH] Fixed mask validation in network_validator

Network validator allowed invalid mask format:
 * leading zeros: 192.168.0.1/0024
 * trailing chars: 192.168.0.1/24abcd

It was fixed.

https://fedorahosted.org/freeipa/ticket/2493
---
 install/ui/dns.js |   12 +---
 1 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/install/ui/dns.js b/install/ui/dns.js
index 4212f1d2446eff0d29e0b57225339e79765017fc..33b21e4cfb315b1fde9a47f9b44dcbfded89015d 100644
--- a/install/ui/dns.js
+++ b/install/ui/dns.js
@@ -2273,7 +2273,7 @@ IPA.network_validator = function(spec) {
 return that.true_result();
 }
 
-var address_part, mask_part;
+var address_part, mask;
 
 if (value.indexOf('/')  -1) {
 
@@ -2281,9 +2281,9 @@ IPA.network_validator = function(spec) {
 
 if (parts.length === 2) {
 address_part = parts[0];
-mask_part = parts[1];
+mask = parts[1];
 
-if (mask_part === '') return that.false_result();
+if (mask === '') return that.false_result();
 
 } else {
 return that.false_result();
@@ -2302,14 +2302,12 @@ IPA.network_validator = function(spec) {
 var address = NET.ip_address(address_part);
 if (!address.valid) return that.false_result();
 
-if (mask_part) {
-
-var mask = parseInt(mask_part, 10);
+if (mask) {
 
 var mask_length = 32;
 if (address.type === 'v6') mask_length = 128;
 
-if (isNaN(mask) || mask  8 || mask  mask_length) {
+if (!mask.match(/^[1-9]\d*$/) || mask  8 || mask  mask_length) {
 return that.false_result();
 }
 }
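Review bot: after the regex test `mask` is still a string, so the `mask` comparisons against `8` and `mask_length` depend on JavaScript coercing the string to a number; that is safe here only because `^[1-9]\d*$` guarantees a plain decimal, and converting with `parseInt(mask, 10)` right after the regex check would make the intent explicit. The regex also rejects `/0`, which the existing lower bound of 8 rejects anyway, so behaviour is unchanged for that input.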
-- 
1.7.7.6


[Freeipa-devel] [PATCH] 232 Treat UPGs correctly in winsync replication

2012-03-07 Thread Martin Kosek
There are some test hints attached to the ticket.
---
IPA winsync plugin failed to replicate users when default user group
was non-posix even though User Private Groups (UPG) were enabled
on the server. Both their uidNumber and gidNumber were empty and
they missed essential object classes. When the default user group
was made posix and UPG was disabled it did not set gidNumber to
the default group gidNumber.

This patch improves this behavior to set gidNumber correctly
according to UPG configuration and the default group status
(posix/non-posix). 4 situations can occur, the following list
specifies what value is assigned to user gidNumber:
 1) Default group posix, UPG enabled: gidNumber = UPG gidNumber
 2) Default group posix, UPG disabled: gidNumber = default
group gidNumber
 3) Default group non-posix, UPG enabled: gidNumber = UPG gidNumber
 4) Default group non-posix, UPG disabled: an error is printed to
the dirsrv log as the gidNumber cannot be retrieved. User
is replicated in the same way as before this patch, i.e.
without essential object classes.

https://fedorahosted.org/freeipa/ticket/2436

From cbce8ac48e02edf9f977acfd9fdb3cc64123fafe Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Tue, 6 Mar 2012 15:59:20 +0100
Subject: [PATCH] Treat UPGs correctly in winsync replication

IPA winsync plugin failed to replicate users when default user group
was non-posix even though User Private Groups (UPG) were enabled
on the server. Both their uidNumber and gidNumber were empty and
they missed essential object classes. When the default user group
was made posix and UPG was disabled it did not set gidNumber to
the default group gidNumber.

This patch improves this behavior to set gidNumber correctly
according to UPG configuration and the default group status
(posix/non-posix). 4 situations can occur, the following list
specifies what value is assigned to user gidNumber:
 1) Default group posix, UPG enabled: gidNumber = UPG gidNumber
 2) Default group posix, UPG disabled: gidNumber = default
group gidNumber
 3) Default group non-posix, UPG enabled: gidNumber = UPG gidNumber
 4) Default group non-posix, UPG disabled: an error is printed to
the dirsrv log as the gidNumber cannot be retrieved. User
is replicated in the same way as before this patch, i.e.
without essential object classes.

https://fedorahosted.org/freeipa/ticket/2436
---
 .../ipa-winsync/ipa-winsync-config.c   |   96 +---
 .../ipa-slapi-plugins/ipa-winsync/ipa-winsync.h|6 ++
 2 files changed, 91 insertions(+), 11 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c
index 456a839aadf01634d657121e5d1e91373a5ccc0e..ae7adecb6e04b5a736fa04b458d51a6fa3860d05 100644
--- a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c
+++ b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c
@@ -58,6 +58,7 @@
 #include dirsrv/winsync-plugin.h
 #endif
 #include ipa-winsync.h
+#include util.h
 
 #include plstr.h
 
@@ -176,6 +177,72 @@ parse_acct_disable(const char *theval)
 }
 
 /*
+ * Check if User Private Groups are enabled in given IPA domain
+ * Returns: 0 - UPG are enabled
+ *  1 - UPG are disabled
+ * -1 - some sort of error
+ */
+static int
+ipa_winsync_upg_enabled(const Slapi_DN *ds_subtree)
+{
+int ret = -1;
+int rc;
+char * dn = NULL;
+Slapi_Entry *entry = NULL;
+Slapi_Backend *be;
+const Slapi_DN *ds_suffix = NULL;
+Slapi_DN *sdn = NULL;
+const char *attrs_list[] = {IPA_WINSYNC_UPG_DEF_ATTR, 0};
+char * value = NULL;
+
+/* find ancestor base DN */
+be = slapi_be_select(ds_subtree);
+ds_suffix = slapi_be_getsuffix(be, 0);
+if (ds_suffix == NULL) {
+LOG_FATAL(Invalid DS subtree [%s]\n, slapi_sdn_get_dn(ds_subtree));
+goto done;
+}
+
+dn = slapi_ch_smprintf(IPA_WINSYNC_UPG_DEF_DN, slapi_sdn_get_dn(ds_suffix));
+
+if (!dn) {
+LOG_OOM();
+goto done;
+}
+
+sdn = slapi_sdn_new_dn_byref(dn);
+rc = slapi_search_internal_get_entry(sdn, (char **) attrs_list, entry,
+ ipa_winsync_get_plugin_identity());
+
+if (rc) {
+LOG(failed to retrieve UPG definition (%s) with rc %d\n, dn, rc);
+goto done;
+}
+
+value = slapi_entry_attr_get_charptr(entry, IPA_WINSYNC_UPG_DEF_ATTR);
+
+if (!value) {
+LOG(failed to read %s from UPG definition (%s)\n,
+ IPA_WINSYNC_UPG_DEF_ATTR, dn);
+goto done;
+}
+
+if (strstr(value, IPA_WINSYNC_UPG_DEF_DISABLED) == NULL) {
+ret = 0;
+} else {
+ret = 1;
+}
+
+done:
+slapi_ch_free_string(dn);
+slapi_sdn_free(sdn);
+slapi_ch_free_string(value);
+slapi_entry_free(entry);
+
+return ret;
+}
+
+/*
   Validate the pending changes in the e entry.
 */
 static int
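Review bot: `be` returned by `slapi_be_select()` is handed to `slapi_be_getsuffix()` without a NULL check; add `if (be == NULL) { LOG_FATAL(...); goto done; }` before it. The three "cannot determine UPG state" outcomes are logged at different severities (`LOG_FATAL` for the missing suffix, `LOG` for the failed search and the missing attribute) while all return -1; pick one so operators can grep for it. `strstr(value, IPA_WINSYNC_UPG_DEF_DISABLED) == NULL` is a substring test, so any filter that merely contains that token is treated as disabled; if the disabled marker is a fixed filter string, compare it exactly or document why a substring match is intended. The hunk that consumes this return value is cut off here, so confirm the caller treats -1 as "unknown" and not as the enabled value 0.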
@@ -792,6 +859,7 @@ 

Re: [Freeipa-devel] [PATCH] 231 Ignore case in yes/no prompts

2012-03-07 Thread Martin Kosek
On Wed, 2012-03-07 at 10:45 +0100, Petr Viktorin wrote:
 On 03/07/2012 10:40 AM, Petr Viktorin wrote:
  On 03/06/2012 06:40 PM, Martin Kosek wrote:
  We did not accept answers like Yes, YES, No, etc. as valid
  answers to yes/no prompts (used for example in dnsrecord-del
  interactive mode). This could confuse users. This patch changes
  the behavior to ignore the answer case.
 
  https://fedorahosted.org/freeipa/ticket/2484
 
 
 
 
  ___
  Freeipa-devel mailing list
  Freeipa-devel@redhat.com
  https://www.redhat.com/mailman/listinfo/freeipa-devel
 
  ACK, works as advertised.
 
 
 I hit Send too fast. This triggers a lint warning; ACK if you disable it.
 

I disabled the lint warning and pushed to master, ipa-2-2.

Martin



[Freeipa-devel] [PATCH] 982 tweak to no_init patch

2012-03-07 Thread Rob Crittenden

I discovered today that cert-request was failing with an untrusted CA error.

The problem had to do with the NSS no_init patch. We were setting dbdir 
in the connection object too soon so it was comparing itself to itself 
and always determined that NSS was initialized just fine. This needs to 
be moved after the check.


To test this you need a master, a replica and a client with DNS set up 
and SRV records for both servers.


You need two or more servers so we run the ping() test. This is where 
the client was failing before. What would happen is this:


- initialize NSS
- run ping() against a server
- prepare request
- initialize NSS
- FAIL

That second initialization isn't needed and is correctly caught by the 
code with this patch.


You need to test that a client enrollment works and that ipa 
cert-request works.


cert-request was failing because we initialize NSS with nodb so we can 
load the CSR for validation. Because dbdir was set too early in the 
connection we were getting no_init set improperly and nss_shutdown() 
wasn't being called.


rob
From 0a420e61810a5c0e198a42ece7584affe6e8c048 Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Wed, 7 Mar 2012 16:36:52 -0500
Subject: [PATCH] Don't set dbdir in the connection until after the connection
 is created.

We were comparing the current connection with itself so were never
going to call nss_shutdown(). dbdir needs to be set after the connection
has been made.

This worked on single server installs because we don't do a ping so
NSS would never be pre-initialized. If multiple servers are available we
call ping() to find one that is up before submitting the request, this is
what would have pre-initialized NSS.

This was tripping up request-cert because it will initialize NSS with no DB
if it hasn't been initialized. We need to initialize it to validate the
CSR.

A non-working client was doing this when calling cert-request:
 - call load_certificate_request()
 - nss.nss_nodb_init()
 - load the CSR
 - create a connection, dbdir=/etc/pki/nssdb
 - the dbdir matches within the same connection, don't call nss_shutdown()
 - connect to remote server
 - fail, untrusted CA because we are still using db from nss_nodb_init.

Instead if we set dbdir afterward then this will properly be shutdown
and NSS re-initialized with correct dbdir.

https://fedorahosted.org/freeipa/ticket/2498
---
 ipalib/rpc.py |   12 +++-
 1 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 16c095cb714d475b727fbc075eec00136d8228c6..04a3f3e35cee62ee3900fc33c6c71fbb0067e882 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -229,7 +229,8 @@ class SSLTransport(LanguageAwareTransport):
 continue
 if not isinstance(value.conn._ServerProxy__transport, SSLTransport):
 continue
-if value.conn._ServerProxy__transport.dbdir == dbdir:
+if hasattr(value.conn._ServerProxy__transport, 'dbdir') and \
+  value.conn._ServerProxy__transport.dbdir == dbdir:
 return True
 return False
 
@@ -241,13 +242,14 @@ class SSLTransport(LanguageAwareTransport):
 # If we an existing connection exists using the same NSS database
 # there is no need to re-initialize. Pass thsi into the NSS
 # connection creator.
-self.dbdir='/etc/pki/nssdb'
-no_init = self.__nss_initialized(self.dbdir)
+dbdir = '/etc/pki/nssdb'
+no_init = self.__nss_initialized(dbdir)
 (major, minor, micro, releaselevel, serial) = sys.version_info
 if major == 2 and minor  7:
-conn = NSSHTTPS(host, 443, dbdir=self.dbdir, no_init=no_init)
+conn = NSSHTTPS(host, 443, dbdir=dbdir, no_init=no_init)
 else:
-conn = NSSConnection(host, 443, dbdir=self.dbdir, no_init=no_init)
+conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init)
+self.dbdir=dbdir
 conn.connect()
 return conn
 
-- 
1.7.6

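The self-comparison described in the message above, modelled in a few lines. This is an added example, not FreeIPA's code: the registry, `Transport` and `Connection` classes are constructed stand-ins for the ipalib context, `SSLTransport` and `NSSConnection`, and the only thing they reproduce is the ordering bug, namely that a transport is visible to its siblings before its first connection is made, so marking `dbdir` before the scan makes the scan find the caller itself.

```python
"""Self-comparison in a shared-state check: the bug the patch fixes, modelled.

Added example, not FreeIPA's code. A transport records the NSS database it
opened in `dbdir`; a new transport scans its siblings to decide whether NSS
is already initialized for that database (no_init=True tells the NSS layer
to skip initialization). As in ipalib, a transport is registered before its
first connection exists.
"""

NSS_DBDIR = "/etc/pki/nssdb"  # the path used in the patch


class Connection:
    """Stand-in for NSSConnection: remembers what it was told about NSS."""

    def __init__(self, dbdir, no_init):
        self.dbdir = dbdir
        self.no_init = no_init


class Transport:
    def __init__(self, registry):
        # Registered immediately, so the sibling scan can see this object
        registry.append(self)
        self._registry = registry

    def _nss_initialized(self, dbdir):
        """True if any registered transport already opened `dbdir`."""
        for sibling in self._registry:
            if getattr(sibling, "dbdir", None) == dbdir:
                return True
        return False


class BuggyTransport(Transport):
    """Sets the marker first, so the scan always finds itself."""

    def make_connection(self):
        self.dbdir = NSS_DBDIR
        no_init = self._nss_initialized(self.dbdir)
        return Connection(self.dbdir, no_init)


class FixedTransport(Transport):
    """Scans first, records `dbdir` only once the connection exists."""

    def make_connection(self):
        dbdir = NSS_DBDIR
        no_init = self._nss_initialized(dbdir)
        conn = Connection(dbdir, no_init)
        self.dbdir = dbdir
        return conn


def no_init_flags(transport_cls, count):
    """Open `count` connections in one process and return the no_init flag
    each one passed down. A correct implementation yields False for the
    first connection (NSS must be initialized with the database) and True
    for every later one."""
    registry = []
    return [transport_cls(registry).make_connection().no_init
            for _ in range(count)]


if __name__ == "__main__":
    print("buggy:", no_init_flags(BuggyTransport, 2))  # [True, True]
    print("fixed:", no_init_flags(FixedTransport, 2))  # [False, True]
```

The first flag is the one that matters: with the buggy ordering the very first connection tells the NSS layer that the database is already open, so a process that is still on the nodb initialization (the cert-request path) keeps a trust store with no CA in it and the handshake fails closed with an untrusted CA error. The fixed ordering gets False there, NSS is shut down and reopened with the database, and only genuine siblings produce True.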

[Freeipa-devel] [PATCH] 983 add subject key identifier

2012-03-07 Thread Rob Crittenden

Add subject key identifier to the dogtag server cert profile.

This will add it on upgrades too and any new certs issued will have a 
subject key identifier set.


If the user has customized the profile themselves then this won't be 
applied.


rob
From 830740ea18e92fa7ea2bf6d8db16a2aadc43e76f Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Wed, 7 Mar 2012 17:46:33 -0500
Subject: [PATCH] Add subject key identifier to the dogtag server cert
 profile.

This will add it on upgrades too and any new certs issued will have
a subject key identifier set.

If the user has customized the profile themselves then this won't be
applied.

https://fedorahosted.org/freeipa/ticket/2446
---
 install/tools/ipa-upgradeconfig |   13 +
 ipaserver/install/cainstance.py |   20 
 2 files changed, 33 insertions(+), 0 deletions(-)

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index a23489f406f29db4b8f33c153cccb1121675eb61..f158eab98972aaa10115b5be04efcfed8698e8f5 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -31,6 +31,8 @@ try:
 from ipaserver.install import httpinstance
 from ipaserver.install import memcacheinstance
 from ipaserver.install import service
+from ipaserver.install import cainstance
+from ipaserver.install import certs
 import ldap
 import krbV
 import re
@@ -233,6 +235,15 @@ def cleanup_kdc():
 if fstore.has_file(filename):
 fstore.untrack_file(filename)
 
+def upgrade_ipa_profile(realm):
+
+Update the IPA Profile provided by dogtag
+
+import pdb; pdb.set_trace()
+ca = cainstance.CAInstance(realm, certs.NSS_DIR)
+if ca.enable_subject_key_identifier():
+ca.restart()
+
 def main():
 
 Get some basics about the system. If getting those basics fail then
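Review bot: `import pdb; pdb.set_trace()` inside `upgrade_ipa_profile()` is a leftover debugger breakpoint; an unattended upgrade (an rpm scriptlet, for instance) will hang on the pdb prompt. Remove it before this is pushed.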
@@ -284,6 +295,8 @@ def main():
 pass
 
 cleanup_kdc()
+upgrade_ipa_profile(krbctx.default_realm)
+
 try:
 if __name__ == __main__:
 sys.exit(main())
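Review bot: `upgrade_ipa_profile(krbctx.default_realm)` runs on every upgrade, including servers installed without a CA, where the profile file `get_directive()` reads does not exist and the call will raise on the missing file, aborting the upgrade after `cleanup_kdc()`. Skip the step when no CA is installed, or catch the missing-file case and log it.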
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 345a8c2da3567fce5bfc107e4e7a4b7a4918017f..6012ae1c7a00a87522fc0778f2cb355a3924d805 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -520,6 +520,7 @@ class CAInstance(service.Service):
 self.step(setting up signing cert profile, self.__setup_sign_profile)
 self.step(set up CRL publishing, self.__enable_crl_publish)
 self.step(set certificate subject base, self.__set_subject_in_config)
+self.step(enabling Subject Key Identifier, self.enable_subject_key_identifier)
 self.step(configuring certificate server to start on boot, self.__enable)
 if not self.clone:
 self.step(restarting certificate server, self.__restart_instance)
@@ -1071,6 +1072,25 @@ class CAInstance(service.Service):
 shutil.copy(ipautil.SHARE_DIR + ipa-pki-proxy.conf,
 HTTPD_CONFD + ipa-pki-proxy.conf)
 
+def enable_subject_key_identifier(self):
+
+See if Subject Key Identifier is set in the profile and if not, add it.
+
+setlist = installutils.get_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.list', separator='=')
+
+# this is the default setting from pki-ca. Don't touch it if a user
+# has manually modified it.
+if setlist == '1,2,3,4,5,6,7,8':
+installutils.set_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.list', '1,2,3,4,5,6,7,8,10', quotes=False, separator='=')
+installutils.set_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.10.constraint.class_id', 'noConstraintImpl', quotes=False, separator='=')
+installutils.set_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.10.constraint.name', 'No Constraint', quotes=False, separator='=')
+installutils.set_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.10.default.class_id', 'subjectKeyIdentifierExtDefaultImpl', quotes=False, separator='=')
+installutils.set_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.10.default.name', 'Subject Key Identifier Extension Default', quotes=False, separator='=')
+installutils.set_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.10.default.params.critical', 'false', quotes=False, separator='=')
+return True
+
+# No update was done
+return False
 
 def install_replica_ca(config, postinstall=False):
 
-- 
1.7.6

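An idempotent version of the profile update with the customization guard the message describes, as an added example; it is not FreeIPA's or dogtag's code. It models the check the patch performs on caIPAserviceCert.cfg (append policy id 10 only while `policyset.serverCertSet.list` is the stock value, so an administrator-edited profile is left alone) and does the whole update in one parse/render pass. The profile text is constructed, the key names and values for id 10 are the ones in the patch, and the `class_id` values for ids 1 to 8 are placeholders.

```python
"""Idempotent profile upgrade with a customization guard.

Added example, not FreeIPA's or dogtag's code. The profile fragment is
constructed; the policy 10 keys and values are those from the patch.
"""

LIST_KEY = "policyset.serverCertSet.list"
STOCK_LIST = "1,2,3,4,5,6,7,8"
SKI_ID = "10"
SKI_POLICY = [  # sub-key, value, as in the patch
    ("constraint.class_id", "noConstraintImpl"),
    ("constraint.name", "No Constraint"),
    ("default.class_id", "subjectKeyIdentifierExtDefaultImpl"),
    ("default.name", "Subject Key Identifier Extension Default"),
    ("default.params.critical", "false"),
]

# constructed fragment; a real profile carries many more keys per policy
SAMPLE_PROFILE = "\n".join(
    ["# constructed caIPAserviceCert.cfg fragment", f"{LIST_KEY}={STOCK_LIST}"]
    + [f"policyset.serverCertSet.{i}.default.class_id=placeholderDefaultImpl{i}"
       for i in range(1, 9)]
) + "\n"


def parse_profile(text):
    """key=value lines in order; comments and blanks kept as (None, line)."""
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or "=" not in line:
            entries.append((None, line))
        else:
            key, value = line.split("=", 1)
            entries.append((key.strip(), value.strip()))
    return entries


def render_profile(entries):
    return "\n".join(v if k is None else f"{k}={v}" for k, v in entries) + "\n"


def get_directive(entries, key):
    return next((v for k, v in entries if k == key), None)


def enable_subject_key_identifier(text):
    """Return (new_text, changed). The profile is left untouched when the
    list is not the stock one, which covers both a customized profile and
    one that was already upgraded."""
    entries = parse_profile(text)
    current = get_directive(entries, LIST_KEY)
    if current is None or current.replace(" ", "") != STOCK_LIST:
        return text, False
    prefix = f"policyset.serverCertSet.{SKI_ID}."
    out = []
    for key, value in entries:
        if key == LIST_KEY:
            out.append((key, f"{STOCK_LIST},{SKI_ID}"))
            # definitions go right after the list so a reader sees them together
            out.extend((prefix + sub, val) for sub, val in SKI_POLICY)
        else:
            out.append((key, value))
    return render_profile(out), True


def policy_ids_consistent(text):
    """Every id named in the list must have a default.class_id. A dangling id
    is exactly what a half-applied, key-by-key update would leave behind."""
    entries = parse_profile(text)
    listed = get_directive(entries, LIST_KEY) or ""
    return all(get_directive(entries, f"policyset.serverCertSet.{i}.default.class_id")
               for i in listed.split(","))


if __name__ == "__main__":
    upgraded, changed = enable_subject_key_identifier(SAMPLE_PROFILE)
    print(changed, policy_ids_consistent(upgraded))
    print(enable_subject_key_identifier(upgraded)[1])  # second run: False
```

Running the upgrade twice changes nothing the second time, and a list that was edited by hand (`...,8,9` in the test) is refused rather than blindly extended. After the real upgrade, `policy_ids_consistent()` is the check to run on the live file before restarting the CA.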

[Freeipa-devel] [PATCH] 984 fix anonlimits dn

2012-03-07 Thread Rob Crittenden
The value of nsslapd-anonlimitsdn wasn't being set properly because it 
wasn't quoted. This will fix it, replacing whatever is there with a 
correct value.


rob
From a20cb5be4922df78c3ad0ede74bfae5cc9d617a1 Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Wed, 7 Mar 2012 17:59:19 -0500
Subject: [PATCH] Fix nsslapd-anonlimitsdn dn in cn=config

The dn value needs to be quoted otherwise it is interpreted to be a
multi-value.

This will replace whatever value is currently set.

https://fedorahosted.org/freeipa/ticket/2452
---
 install/updates/10-config.update |2 +-
 ipaserver/ipaldap.py |2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/install/updates/10-config.update b/install/updates/10-config.update
index 420e048805e86010f03b8b544e6cf9cd31069e53..97fbdef2d20d4bc444f0c94fbea6fb76e7e45603 100644
--- a/install/updates/10-config.update
+++ b/install/updates/10-config.update
@@ -31,7 +31,7 @@ default:nsSizeLimit: 5000
 default:nsLookThroughLimit: 5000
 
 dn: cn=config
-add:nsslapd-anonlimitsdn:cn=anonymous-limits,cn=etc,$SUFFIX
+only:nsslapd-anonlimitsdn:'cn=anonymous-limits,cn=etc,$SUFFIX'
 
 # Add a defaultNamingContext if one hasn't already been set. This was
 # introduced in 389-ds-base-1.2.10-0.9.a8. Adding this to a server that
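Review bot: switching from `add:` to `only:` makes this line overwrite whatever an administrator has put in `nsslapd-anonlimitsdn`; the patch description says that is intended, so say so in a comment above the line. Also confirm the updater strips the single quotes before the LDAP modify, otherwise the literal quote characters end up in the attribute, the limits entry is never matched, and the anonymous size and lookthrough limits silently do not apply.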
diff --git a/ipaserver/ipaldap.py b/ipaserver/ipaldap.py
index cf19beee051bd011d96136f98831f3378dbd932e..9a8d9e121cea661b34c37137d2c9c454e587ea7b 100644
--- a/ipaserver/ipaldap.py
+++ b/ipaserver/ipaldap.py
@@ -540,7 +540,7 @@ class IPAdmin(IPAEntryLDAPObject):
 
 # Some attributes, like those in cn=config, need to be replaced
 # not deleted/added.
-FORCE_REPLACE_ON_UPDATE_ATTRS = ('nsslapd-ssl-check-hostname', 'nsslapd-lookthroughlimit', 'nsslapd-idlistscanlimit')
+FORCE_REPLACE_ON_UPDATE_ATTRS = ('nsslapd-ssl-check-hostname', 'nsslapd-lookthroughlimit', 'nsslapd-idlistscanlimit', 'nsslapd-anonlimitsdn')
 modlist = []
 
 old_entry = ipautil.CIDict(old_entry)
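Review bot: `FORCE_REPLACE_ON_UPDATE_ATTRS` is now a single very long line; write it one attribute per line. Replace is the right operation for a single-valued cn=config attribute, but this tuple is a hard-coded allowlist, so extend the comment above it to say that any other single-valued cn=config attribute updated via `only:` needs an entry here too.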
-- 
1.7.6

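A small model of why the unquoted DN turned into a multi-valued attribute, added here as an example; it is not FreeIPA's updater. The grammar is an assumption made for the illustration, chosen to match the behaviour the message describes: a line is `action:attribute:value`, an unquoted value is split on commas, a single-quoted value is one value, `$SUFFIX` is substituted after the split, `add:` merges into the existing values, `only:` replaces them and `default:` sets them only when the attribute is empty. The suffix and the existing values are constructed.

```python
"""Why an unquoted DN in an update file becomes a multi-valued attribute.

Added example, not FreeIPA's updater; the line grammar is an assumption
chosen to reproduce the behaviour the patch describes.
"""

import re

SUFFIX = "dc=example,dc=com"  # constructed

# shallow DN shape: attr=value pairs joined by commas; no escaping handled
DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,]+(,[A-Za-z][\w-]*=[^,]+)*$")


def parse_update_line(line, suffix=SUFFIX):
    """Return (action, attribute, values) for one update-file line."""
    action, attr, raw = line.split(":", 2)
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == "'":
        values = [raw[1:-1]]                          # quoted: one value, commas and all
    else:
        values = [v.strip() for v in raw.split(",")]  # unquoted: comma separates values
    return action, attr, [v.replace("$SUFFIX", suffix) for v in values]


def apply_action(action, existing, values):
    """Resulting value list for the attribute, given its current values."""
    if action == "add":
        return existing + [v for v in values if v not in existing]
    if action == "only":
        return list(values)
    if action == "default":
        return existing if existing else list(values)
    raise ValueError(f"unknown action {action!r}")


def is_single_dn(values):
    """What a DN-valued config attribute must end up as: exactly one value
    that has the shape of a DN."""
    return len(values) == 1 and DN_RE.match(values[0]) is not None


def resolve(line, existing=()):
    """Parse one line and apply it to the attribute's current values."""
    action, attr, values = parse_update_line(line)
    return attr, apply_action(action, list(existing), values)


if __name__ == "__main__":
    bad = "add:nsslapd-anonlimitsdn:cn=anonymous-limits,cn=etc,$SUFFIX"
    good = "only:nsslapd-anonlimitsdn:'cn=anonymous-limits,cn=etc,$SUFFIX'"
    print(resolve(bad))   # three values, not a DN
    print(resolve(good, ["cn=stale,dc=example,dc=com"]))  # one DN, old value replaced
```

`is_single_dn()` is the check to run over the resulting values of any DN-typed cn=config attribute after an update: the unquoted form fails it with three fragments, the quoted `only:` form passes it and also drops a stale value instead of accumulating next to it.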