[Freeipa-devel] [PATCH] 172 Bigger textarea for permission type=subtree
Patch description: Adder dialog and details facet for permission type=subtree have small textarea for defining subtree filter. It was uncomfortable to define the filter. This difference was removed. https://fedorahosted.org/freeipa/ticket/2832 Note regarding related ticket: Resizable textareas are browser-specific. We can do it in code too but I don't think it is worth the effort. Textarea in IE still seems smaller than in Firefox, but it has the same number of rows and cols. I think it has enough space for defining the filter so it should be fixing the problem. -- Petr Vobornik
From 59ba0b5b059eb8ec4ef03c138cd085a939211051 Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Mon, 16 Jul 2012 13:40:52 +0200 Subject: [PATCH] Bigger textarea for permission type=subtree Adder dialog and details facet for permission type=subtree have small textarea for defining subtree filter. It was uncomfortable to define the filter. This difference was removed. https://fedorahosted.org/freeipa/ticket/2832 --- install/ui/aci.js |2 -- 1 file changed, 2 deletions(-) diff --git a/install/ui/aci.js b/install/ui/aci.js index b2e5e19e54fe083093171d29fe894df321bb4c88..63181efac5f335d28a4c23bfa1ae2da95b9a0e75 100644 --- a/install/ui/aci.js +++ b/install/ui/aci.js @@ -688,8 +688,6 @@ IPA.permission_target_widget = function(spec) { that.subtree_textarea = IPA.textarea_widget({ entity: that.entity, name: 'subtree', -cols: 30, -rows: 1, hidden: true }); -- 1.7.10.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
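Review bot: at @@ -688,8 +688,6 @@ the explicit `cols: 30` and `rows: 1` are dropped from `that.subtree_textarea`, so its size now comes from whatever `IPA.textarea_widget` uses by default, which this patch does not show; the commit message should state that default (or which other textarea the subtree field is now aligned with) so that "bigger" in the ticket can be verified without reading the widget code.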
[Freeipa-devel] [PATCH] 0061 ValidationError takes 'error' named argument, not 'reason'
Hi, https://fedorahosted.org/freeipa/ticket/2865 -- / Alexander Bokovoy From afb200bbd4054b85f72a9cda8105ca07ee4deb2a Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Mon, 16 Jul 2012 12:43:47 +0300 Subject: [PATCH 3/4] ipalib/plugins/trust.py: ValidationError takes 'error' named argument, not 'reason' https://fedorahosted.org/freeipa/ticket/2865 --- ipalib/plugins/trust.py |6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 40bd93e654c0365ad202abfd82e84345583459dd..2932835e038d99d9c48f1822e76fbc2e1570f92f 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -182,13 +182,13 @@ class trust_add(LDAPCreate): realm_admin = options['realm_admin'] if 'realm_passwd' not in options: -raise errors.ValidationError(name=_('AD Trust setup'), reason=_('Realm administrator password should be specified')) +raise errors.ValidationError(name=_('AD Trust setup'), error=_('Realm administrator password should be specified')) realm_passwd = options['realm_passwd'] result = trustinstance.join_ad_full_credentials(keys[-1], realm_server, realm_admin, realm_passwd) if result is None: -raise errors.ValidationError(name=_('AD Trust setup'), reason=_('Unable to verify write permissions to the AD')) +raise errors.ValidationError(name=_('AD Trust setup'), error=_('Unable to verify write permissions to the AD')) return dict(result=dict(), value=trustinstance.remote_domain.info['dns_domain']) 
@@ -198,7 +198,7 @@ class trust_add(LDAPCreate): if 'trust_secret' in options: result = trustinstance.join_ad_ipa_half(keys[-1], realm_server, options['trust_secret']) return dict(result=dict(), value=trustinstance.remote_domain.info['dns_domain']) -raise errors.ValidationError(name=_('AD Trust setup'), reason=_('Not enough arguments specified to perform trust setup')) +raise errors.ValidationError(name=_('AD Trust setup'), error=_('Not enough arguments specified to perform trust setup')) class trust_del(LDAPDelete): __doc__ = _('Delete a trust.') -- 1.7.10.4
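Review bot: at @@ -182,13 +182,13 @@ the two `raise errors.ValidationError(..., reason=...)` calls were not just producing a wrong message: an unknown keyword makes the constructor itself fail, so the operator got a TypeError traceback instead of the intended "Realm administrator password should be specified" / "Unable to verify write permissions to the AD" errors. The change to `error=` is right; because this kind of bug only surfaces when the error path actually runs, a test that calls trust_add without realm_passwd and asserts on ValidationError would keep it from regressing.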
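Review bot: at @@ -198,7 +198,7 @@ the corrected raise is the catch-all after the `if 'trust_secret' in options:` return, i.e. the path taken when neither realm_admin nor trust_secret was supplied, and it was equally unreachable before the fix; cover it in the same test as the other two branches, and consider having "Not enough arguments specified to perform trust setup" name the two options the caller can provide.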
[Freeipa-devel] [PATCH] 0062 support various forms of user account when establishing trusts
Hi, Realm administrator account may be specified using different forms: Administrator, DOM\Administrator, Administrator@DOMAIN This patch introduces handling of the second two forms:
- In DOM\Administrator only user name is used, short domain name is then taken from a discovered record from the AD DC
- In Administrator@DOMAIN first DOMAIN is verified to be the same as the domain we are establishing trust to, and then user name is taken, together with short domain name taken from a discovered record from the AD DC
Note that we do not support using to-be-trusted domain's trusted domains' accounts to establish trust as there is basically zero chance to verify that things will work with them. In addition, in order to establish trust one needs to belong to Enterprise Admins group in AD or have specially delegated permissions. These permissions are unlikely to be delegated to ones in an already trusted domain. https://fedorahosted.org/freeipa/ticket/2864 -- / Alexander Bokovoy
From 3365e3501a1cdd13d3741fc791c7843839a5a058 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com Date: Mon, 16 Jul 2012 13:12:42 +0300 Subject: [PATCH 4/4] Handle various forms of admin accounts when establishing trusts Realm administrator account may be specified using different forms: Administrator, DOM\Administrator, Administrator@DOMAIN This patch introduces handling of the second two forms:
- In DOM\Administrator only user name is used, short domain name is then taken from a discovered record from the AD DC
- In Administrator@DOMAIN first DOMAIN is verified to be the same as the domain we are establishing trust to, and then user name is taken, together with short domain name taken from a discovered record from the AD DC
Note that we do not support using to-be-trusted domain's trusted domains' accounts to establish trust as there is basically zero chance to verify that things will work with them. In addition, in order to establish trust one needs to belong to Enterprise Admins group in AD or have specially delegated permissions. These permissions are unlikely to be delegated to ones in an already trusted domain. https://fedorahosted.org/freeipa/ticket/2864 --- ipalib/plugins/trust.py |8 ipaserver/dcerpc.py |5 + 2 files changed, 13 insertions(+) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 2932835e038d99d9c48f1822e76fbc2e1570f92f..792e6cac2a2f9ebb61f84cc74d01be325995863e 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py
@@ -180,6 +180,14 @@ class trust_add(LDAPCreate): # generate random trustdom password to do work on both sides if 'realm_admin' in options: realm_admin = options['realm_admin'] +names = realm_admin.split('@') +if len(names) 1: +# realm admin name is in UPN format, user@realm, check that +# realm is the same as the one that we are attempting to trust +if keys[-1].lower() != names[-1].lower(): +raise errors.ValidationError(name=_('AD Trust setup'), + error=_('Trusted domain and administrator account use different realms')) +realm_admin = names[0] if 'realm_passwd' not in options: raise errors.ValidationError(name=_('AD Trust setup'), error=_('Realm administrator password should be specified')) diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 07e40c2d35b41a2665232f3e6d853b47aef707bb..6b830f65b854b74fcf080b071212e7658f334adf 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -363,6 +363,11 @@ class TrustDomainJoins(object): rd.read_only = True if realm_admin and realm_passwd: if 'name' in rd.info: +names = realm_admin.split('\\') +if len(names) 1: +# realm admin is in DOMAIN\user format +# strip DOMAIN part as we'll enforce the one discovered +realm_admin = names[-1] auth_string = u%s\%s%%%s % (rd.info['name'], realm_admin, realm_passwd) td = get_instance(self) td.creds.parse_string(auth_string) -- 1.7.10.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
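Review bot: at @@ -180,6 +180,14 @@ in trust.py, `names = realm_admin.split('@')` followed by `realm_admin = names[0]` accepts an account such as `@ad.example.test` (empty user part) and hands an empty `realm_admin` on to `join_ad_full_credentials`, and an account with two `@` characters has its middle segment silently dropped; reject an empty `names[0]` and a `len(names) > 2` spelling with a ValidationError next to the realm-mismatch check. The case-insensitive comparison of `names[-1]` with `keys[-1]` is the right check for the UPN form.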
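Review bot: at @@ -363,6 +363,11 @@ in dcerpc.py the `DOMAIN\user` form is handled by discarding whatever the operator typed before the backslash and substituting `rd.info['name']` into the auth string (the code comment says "strip DOMAIN part as we'll enforce the one discovered"), whereas the UPN form in trust.py raises on a mismatched realm; the two forms deserve the same treatment. Compare `names[0]` case-insensitively with `rd.info['name']` and raise when they differ, or at least log the substitution, so that `WRONGDOM\Administrator` fails visibly instead of authenticating against a domain the operator did not name.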
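The three account spellings described in the message above, parsed and validated in one place. This is an added example, not FreeIPA's trust.py or dcerpc.py: `parse_realm_admin`, `TrustSetupError` and the sample domain names are constructed, and the short domain name discovered from the AD DC (which the patch reads from `rd.info['name']`) is passed in as an argument. It goes one step beyond the patch: a `DOMAIN\` prefix that disagrees with the discovered name is an error, checked the same way the UPN realm is, and an empty user part is rejected.

```python
"""Normalise Administrator / DOM\\Administrator / Administrator@DOMAIN into a
(short_domain, user) pair, checking both the UPN realm and the NetBIOS prefix
against what was discovered from the AD DC.  Added example; the function,
the exception class and the sample names are constructed, not FreeIPA code."""


class TrustSetupError(ValueError):
    """Stand-in for errors.ValidationError (hypothetical)."""


def parse_realm_admin(realm_admin, trusted_domain, discovered_short_name):
    """Return (short_domain, user) for the account spelling given.

    realm_admin           -- what the operator typed
    trusted_domain        -- DNS name of the domain we are establishing trust to
    discovered_short_name -- NetBIOS name learned from the DC (rd.info['name'])
    """
    if realm_admin is None or not realm_admin.strip():
        raise TrustSetupError("Realm administrator account must not be empty")
    account = realm_admin.strip()

    if "@" in account and "\\" in account:
        raise TrustSetupError("Use either DOMAIN\\user or user@DOMAIN, not both")

    if "@" in account:
        # UPN form user@REALM: the realm must be the domain being trusted.
        # Accounts from that domain's own trusted domains are not supported.
        user, _, realm = account.rpartition("@")
        if realm.lower() != trusted_domain.lower():
            raise TrustSetupError(
                "Trusted domain and administrator account use different realms")
    elif "\\" in account:
        # Down-level form DOMAIN\user: the prefix has to match the short name
        # discovered from the DC instead of being silently replaced by it.
        domain, _, user = account.partition("\\")
        if domain.lower() != discovered_short_name.lower():
            raise TrustSetupError(
                "Administrator account domain %r does not match discovered "
                "domain %r" % (domain, discovered_short_name))
    else:
        user = account

    if not user:
        raise TrustSetupError("Administrator account has an empty user name")
    if "@" in user or "\\" in user:
        raise TrustSetupError("Unexpected separator in user name %r" % user)
    return discovered_short_name, user


if __name__ == "__main__":
    # Constructed sample: trust to ad.example.test, the DC reports NetBIOS name AD.
    for spelling in ("Administrator", "AD\\Administrator",
                     "Administrator@ad.example.test"):
        print("%-32s -> %r" % (spelling,
                               parse_realm_admin(spelling, "ad.example.test", "AD")))
```

The returned short domain is always the discovered one, so the auth string handed to Samba is built from DC-supplied data; the operator's prefix only ever confirms or contradicts it.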
[Freeipa-devel] [PATCH] 1033 renew CA subsystem certificates
Use the new certmonger capability to be able to renew the dogtag subsystem certificates (audit, OCSP, etc). See the ticket for full details. rob From a8932452a1a7343ffe0263183ef63e1efe6a7a6b Mon Sep 17 00:00:00 2001 
From: Rob Crittenden rcrit...@redhat.com Date: Wed, 11 Jul 2012 15:51:01 -0400 Subject: [PATCH] Use certmonger to renew CA subsystem certificates
Certificate renewal can be done only on one CA as the certificates need to be shared amongst them. certmonger has been trained to communicate directly with dogtag to perform the renewals. The initial CA installation is the de facto certificate renewal master.
A copy of the certificate is stored in the IPA LDAP tree in cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the certificate, when a certificate is renewed. Only the most current certificate is stored. It is valid to have no certificates there, it means that no renewals have taken place.
The clones are configured with a new certmonger CA type that polls this location in the IPA tree looking for an updated certificate. If one is not found then certmonger is put into the CA_WORKING state and will poll every 8 hours until an updated certificate is available.
The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case. When this certificate is updated we also need to update its entry in the dogtag tree, adding the updated certificate and telling dogtag which certificate to use. This is the certificate that lets IPA issue certificates.
On upgrades we check to see if the certificate tracking is already in place. If not then we need to determine if this is the master that will do the renewals or not. This decision is made based on whether it was the first master installed. It is conceivable that this master is no longer available meaning that none are actually tracking renewal. We will need to document this.
https://fedorahosted.org/freeipa/ticket/2803 --- freeipa.spec.in|7 +- install/Makefile.am|1 + install/certmonger/Makefile.am | 14 +++ .../certmonger/dogtag-ipa-retrieve-agent-submit| 79 +++ install/conf/Makefile.am |3 +- install/conf/ca_renewal|6 ++ install/configure.ac |1 + install/restart_scripts/Makefile.am|3 + install/restart_scripts/renew_ca_cert | 78 ++ install/restart_scripts/renew_ra_cert | 82 +++ install/restart_scripts/restart_dirsrv | 24 + install/restart_scripts/restart_httpd | 20 install/restart_scripts/restart_pkicad | 44 install/share/bootstrap-template.ldif |6 ++ install/share/default-aci.ldif | 11 ++ install/tools/ipa-upgradeconfig| 29 ++ install/updates/21-ca_renewal_container.update |9 ++ install/updates/40-delegation.update |4 + install/updates/Makefile.am|1 + ipalib/x509.py |8 ++ ipapython/certmonger.py| 67 + ipapython/ipautil.py | 23 + ipapython/platform/base.py |2 +- ipapython/platform/fedora16.py |1 + ipaserver/install/cainstance.py| 106 +++- 25 files changed, 624 insertions(+), 5 deletions(-) create mode 100644 install/certmonger/Makefile.am create mode 100644 install/certmonger/dogtag-ipa-retrieve-agent-submit create mode 100644 install/conf/ca_renewal create mode 100644 install/restart_scripts/renew_ca_cert create mode 100644 install/restart_scripts/renew_ra_cert create mode 100644 install/restart_scripts/restart_pkicad create mode 100644 install/updates/21-ca_renewal_container.update diff --git a/freeipa.spec.in b/freeipa.spec.in index 7106310915c8a4e52a009036f7152a38a4c5f18d..be24bfcb609773636d537f94d721d3839baed823 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -247,7 +247,7 @@ Requires: xmlrpc-c %endif %endif Requires: sssd = 1.8.0 -Requires: certmonger = 0.53 +Requires: certmonger = 0.58 Requires: nss-tools Requires: bind-utils Requires: oddjob-mkhomedir 
@@ -569,6 +569,7 @@ fi %{_sbindir}/ipactl %{_sbindir}/ipa-upgradeconfig %{_sbindir}/ipa-compliance +%{_libexecdir}/certmonger/dogtag-ipa-retrieve-agent-submit %{_sysconfdir}/cron.d/ipa-compliance %config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/ @@ -631,6 +632,7 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf %ghost %attr(0644,root,apache)
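Review bot: at @@ -247,7 +247,7 @@ in freeipa.spec.in the `Requires: certmonger` floor moves from 0.53 to 0.58, and that bump is the real dependency behind the whole patch (the commit message relies on certmonger having "been trained to communicate directly with dogtag" and on a new certmonger CA type for the clones); name 0.58 as the minimum in the commit message and the ticket, since a spec-file floor only protects RPM installs and says nothing to someone upgrading certmonger separately.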
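Review bot: at @@ -569,6 +569,7 @@ the new helper `%{_libexecdir}/certmonger/dogtag-ipa-retrieve-agent-submit` is added to the file list without an `%attr`, unlike the neighbouring entries; confirm the new install/certmonger/Makefile.am listed in the diffstat installs it executable, or give it an explicit `%attr(0755,root,root)` here so certmonger can run it regardless of how the build tree installed it.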
[Freeipa-devel] [PATCH] 1034 more robust cli sessions
Make command-line sessions a bit more robust. This patch does two things. Firstly, it wraps all keyring activity in a try/except so if a keyring operation fails it isn't fatal. The user just won't benefit from sessions. The second part adds per-principal sessions. The principal is included in the session key so we can pull the right one depending on the principal initiating the request. rob From 33dcbe98f09fd37d3a4382c11a97c74fea6c1e53 Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Mon, 16 Jul 2012 10:40:12 -0400 Subject: [PATCH] Support per-principal sessions and handle session update failures User had a system that refused to store keys into the kernel keyring. Any operation at all on the keyring would return Key has been revoked. Wrap the operations in a try/except so we can ignore keyring failures. Log at the debug level. This also adds per-principal sessions. The principal name is stored in the session key so switching principals in the ccache doesn't require clearing the keyring. https://fedorahosted.org/freeipa/ticket/2880 --- ipalib/rpc.py | 34 +++--- 1 file changed, 23 insertions(+), 11 deletions(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 6518cb27deb621d8daf31862b7e5fae33bb4..c2356232ab86a8f47d96bbc48fcae3f33b2253c9 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -46,6 +46,7 @@ from ipalib.backend import Connectible from ipalib.errors import public_errors, PublicError, UnknownError, NetworkError, KerberosError, XMLRPCMarshallError from ipalib import errors from ipalib.request import context, Connection +from ipalib.util import get_current_principal from ipapython import ipautil from ipapython import kernel_keyring 
@@ -57,6 +58,8 @@ from urllib2 import urlparse from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \ KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, KRB5_REALM_CANT_RESOLVE +COOKIE_NAME = 'ipa_session_cookie:%s' + def xml_wrap(value): Wrap all ``str`` in ``xmlrpclib.Binary``. @@ -258,12 +261,6 @@ class SSLTransport(LanguageAwareTransport): conn.connect() return conn -def parse_response(self, response): -session_cookie = response.getheader('Set-Cookie') -if session_cookie: -kernel_keyring.update_key('ipa_session_cookie', session_cookie) -return LanguageAwareTransport.parse_response(self, response) - class KerbTransport(SSLTransport): @@ -327,6 +324,18 @@ class KerbTransport(SSLTransport): return (host, extra_headers, x509) +def parse_response(self, response): +session_cookie = response.getheader('Set-Cookie') +if session_cookie: +principal = getattr(context, 'principal', None) +try: +kernel_keyring.update_key(COOKIE_NAME % principal, session_cookie) +except ValueError, e: +# Not fatal, we just can't use the session cookie we were +# sent. +self.debug('Unable to update session cookie: %s' % str(e)) +return SSLTransport.parse_response(self, response) + class DelegatedKerbTransport(KerbTransport): @@ -400,10 +409,12 @@ class xmlclient(Connectible): session = False session_data = None xmlrpc_uri = self.env.xmlrpc_uri +principal = get_current_principal() +setattr(context, 'principal', principal) # We have a session cookie, try using the session URI to see if it # is still valid if not delegate: -session_data = kernel_keyring.read_key('ipa_session_cookie') +session_data = kernel_keyring.read_key(COOKIE_NAME % principal) setattr(context, 'session_data', session_data) (scheme, netloc, path, params, query, fragment) = urlparse.urlparse(self.env.xmlrpc_uri) xmlrpc_uri = urlparse.urlunparse((scheme, netloc, '/ipa/session/xml', params, query, fragment)) 
@@ -453,9 +464,9 @@ class xmlclient(Connectible): except ProtocolError, e: if session_data and e.errcode == 401: # Unauthorized. Remove the session and try again. +delattr(context, 'session_data') try: -kernel_keyring.del_key('ipa_session_cookie') -delattr(context, 'session_data') +kernel_keyring.del_key(COOKIE_NAME % principal) except ValueError: # This shouldn't happen if we have a session but # it isn't fatal. @@ -519,9 +530,10 @@ class xmlclient(Connectible): session_data = getattr(context, 'session_data', None) if session_data and e.errcode == 401: # Unauthorized. Remove the session and try again. +
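Review bot: at @@ -327,6 +324,18 @@ the new `KerbTransport.parse_response` handles a keyring failure with `self.debug(...)`, but nothing in the visible class chain (`KerbTransport(SSLTransport)`, `SSLTransport(LanguageAwareTransport)`) shows the transport carrying a `debug` method; if it does not, a keyring ValueError turns into an AttributeError on exactly the path meant to make keyring problems non-fatal. Log through a logger the transport is known to have instead.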
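Review bot: at @@ -400,10 +409,12 @@ `principal = get_current_principal()` is used unconditionally in the key name, and in `parse_response` `principal = getattr(context, 'principal', None)` falls back to None, so when no principal is known the cookie is read from and written to the literal key `ipa_session_cookie:None`. A shared "None" slot undoes the per-principal separation this patch introduces; skip the keyring read and update when `principal` is None rather than formatting it into the key name.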
Re: [Freeipa-devel] [PATCH] 1034 more robust cli sessions
Rob Crittenden wrote: Make command-line sessions a bit more robust. This patch does two things. Firstly, it wraps all keyring activity in a try/except so if a keyring operation fails it isn't fatal. The user just won't benefit from sessions. The second part adds per-principal sessions. The principal is included in the session key so we can pull the right one depending on the principal initiating the request. Left a debug statement in, this one should build and work. rob From eeb47efeb7b0dfa8c03ad1d29f327a1322ca2ebb Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Mon, 16 Jul 2012 10:40:12 -0400 Subject: [PATCH] Support per-principal sessions and handle session update failures User had a system that refused to store keys into the kernel keyring. Any operation at all on the keyring would return Key has been revoked. Wrap the operations in a try/except so we can ignore keyring failures. Log at the debug level. This also adds per-principal sessions. The principal name is stored in the session key so switching principals in the ccache doesn't require clearing the keyring. https://fedorahosted.org/freeipa/ticket/2880 --- ipalib/rpc.py | 34 +++--- 1 file changed, 23 insertions(+), 11 deletions(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 6518cb27deb621d8daf31862b7e5fae33bb4..8a6a5108800517338c33962a4c44ea817675b0df 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -46,6 +46,7 @@ from ipalib.backend import Connectible from ipalib.errors import public_errors, PublicError, UnknownError, NetworkError, KerberosError, XMLRPCMarshallError from ipalib import errors from ipalib.request import context, Connection +from ipalib.util import get_current_principal from ipapython import ipautil from ipapython import kernel_keyring 
@@ -57,6 +58,8 @@ from urllib2 import urlparse from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \ KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, KRB5_REALM_CANT_RESOLVE +COOKIE_NAME = 'ipa_session_cookie:%s' + def xml_wrap(value): Wrap all ``str`` in ``xmlrpclib.Binary``. @@ -258,12 +261,6 @@ class SSLTransport(LanguageAwareTransport): conn.connect() return conn -def parse_response(self, response): -session_cookie = response.getheader('Set-Cookie') -if session_cookie: -kernel_keyring.update_key('ipa_session_cookie', session_cookie) -return LanguageAwareTransport.parse_response(self, response) - class KerbTransport(SSLTransport): @@ -327,6 +324,18 @@ class KerbTransport(SSLTransport): return (host, extra_headers, x509) +def parse_response(self, response): +session_cookie = response.getheader('Set-Cookie') +if session_cookie: +principal = getattr(context, 'principal', None) +try: +kernel_keyring.update_key(COOKIE_NAME % principal, session_cookie) +except ValueError, e: +# Not fatal, we just can't use the session cookie we were +# sent. +pass +return SSLTransport.parse_response(self, response) + class DelegatedKerbTransport(KerbTransport): @@ -400,10 +409,12 @@ class xmlclient(Connectible): session = False session_data = None xmlrpc_uri = self.env.xmlrpc_uri +principal = get_current_principal() +setattr(context, 'principal', principal) # We have a session cookie, try using the session URI to see if it # is still valid if not delegate: -session_data = kernel_keyring.read_key('ipa_session_cookie') +session_data = kernel_keyring.read_key(COOKIE_NAME % principal) setattr(context, 'session_data', session_data) (scheme, netloc, path, params, query, fragment) = urlparse.urlparse(self.env.xmlrpc_uri) xmlrpc_uri = urlparse.urlunparse((scheme, netloc, '/ipa/session/xml', params, query, fragment)) 
@@ -453,9 +464,9 @@ class xmlclient(Connectible): except ProtocolError, e: if session_data and e.errcode == 401: # Unauthorized. Remove the session and try again. +delattr(context, 'session_data') try: -kernel_keyring.del_key('ipa_session_cookie') -delattr(context, 'session_data') +kernel_keyring.del_key(COOKIE_NAME % principal) except ValueError: # This shouldn't happen if we have a session but # it isn't fatal. @@ -519,9 +530,10 @@ class xmlclient(Connectible): session_data = getattr(context, 'session_data', None) if session_data and e.errcode == 401: # Unauthorized. Remove the
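Review bot: at @@ -327,6 +324,18 @@ the except branch is now `# Not fatal ... pass`, but the commit message still says keyring failures are logged at the debug level ("Wrap the operations in a try/except so we can ignore keyring failures. Log at the debug level."); either amend the commit message or log through a logger the transport actually has, because a silently ignored `update_key` failure leaves no trace when someone later asks why sessions never stick on a host with a revoked keyring.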
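Review bot: at @@ -258,12 +261,6 @@ `parse_response` is removed from `SSLTransport` and re-added only on `KerbTransport` (@@ -327), so any caller using the plain SSL transport no longer stores the Set-Cookie header at all; that is reasonable given the cookie is now keyed by Kerberos principal, but the commit message does not mention the behaviour change for non-Kerberos transports and a one-line note there would save the next reader a bisect.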
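The two behaviours the message describes, per-principal session cookies and a keyring that may be unusable, shown end to end with the 401 fallback. This is an added example, not FreeIPA's ipalib/rpc.py: `FakeKeyring` stands in for ipapython.kernel_keyring, `FakeServer` for the XML-RPC session endpoint and `SessionClient` for the client logic; all three are constructed for this illustration, and only the `ipa_session_cookie:%s` key scheme mirrors the patch.

```python
"""Per-principal session cache over a keyring that may fail.  Added example
with constructed stand-ins for kernel_keyring, the server and the client."""

COOKIE_NAME = "ipa_session_cookie:%s"   # one keyring slot per principal


class KeyringError(Exception):
    """Raised by the fake keyring where kernel_keyring raises ValueError."""


class FakeKeyring(object):
    """Dict-backed keyring. With broken=True every call fails, modelling the
    'Key has been revoked' host from the message."""

    def __init__(self, broken=False):
        self.keys = {}
        self.broken = broken

    def _check(self):
        if self.broken:
            raise KeyringError("Key has been revoked")

    def read_key(self, name):
        self._check()
        return self.keys.get(name)

    def update_key(self, name, value):
        self._check()
        self.keys[name] = value

    def del_key(self, name):
        self._check()
        self.keys.pop(name, None)


class FakeServer(object):
    """Mints a session cookie bound to the Kerberos-authenticated principal and
    answers 401 for a cookie that is unknown or belongs to another principal."""

    def __init__(self):
        self.sessions = {}
        self.counter = 0

    def request(self, principal, cookie=None):
        if cookie is not None:
            if self.sessions.get(cookie) == principal:
                return 200, "ok:%s" % principal, None
            return 401, "", None
        self.counter += 1                  # Kerberos path: new session
        new_cookie = "sess%d" % self.counter
        self.sessions[new_cookie] = principal
        return 200, "ok:%s" % principal, new_cookie

    def revoke(self, cookie):
        self.sessions.pop(cookie, None)


class SessionClient(object):
    def __init__(self, keyring, server):
        self.keyring = keyring
        self.server = server
        self.log = []                      # what would go to the debug log

    def _keyring_op(self, fn, *args):
        """Run a keyring operation; a failure is logged and treated as 'no key'."""
        try:
            return fn(*args)
        except KeyringError as e:
            self.log.append("keyring unavailable: %s" % e)
            return None

    def call(self, principal):
        if principal is None:
            # Unknown principal: never cache under a shared 'None' slot.
            return self.server.request(None)[1]
        key = COOKIE_NAME % principal
        cookie = self._keyring_op(self.keyring.read_key, key)
        if cookie is not None:
            status, body, _ = self.server.request(principal, cookie=cookie)
            if status != 401:
                return body
            # Unauthorized: drop the stale session, then fall back to Kerberos.
            self._keyring_op(self.keyring.del_key, key)
        status, body, new_cookie = self.server.request(principal)
        if new_cookie:
            self._keyring_op(self.keyring.update_key, key, new_cookie)
        return body
```

Because the key includes the principal, switching the credential cache from admin to alice reads a different slot rather than replaying admin's cookie, and a broken keyring only costs the session reuse, never the request.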
Re: [Freeipa-devel] [PATCH] 1033 renew CA subsystem certificates
On Mon, Jul 16, 2012 at 09:23:24AM -0400, Rob Crittenden wrote: Use the new certmonger capability to be able to renew the dogtag subsystem certificates (audit, OCSP, etc). Are the copies of the certificates in the pki-ca CS.cfg file being updated elsewhere? Or is it not turning out to be a problem if they aren't? Nalin
Re: [Freeipa-devel] [PATCH] 1033 renew CA subsystem certificates
Nalin Dahyabhai wrote: On Mon, Jul 16, 2012 at 09:23:24AM -0400, Rob Crittenden wrote: Use the new certmonger capability to be able to renew the dogtag subsystem certificates (audit, OCSP, etc). Are the copies of the certificates in the pki-ca CS.cfg file being updated elsewhere? Or is it not turning out to be a problem if they aren't? I didn't test validating OCSP signatures but the audit subsystem seemed fine (it complained wildly when I had the wrong trust in the NSS db). Andrew, do I need to update CS.cfg as well? rob
Re: [Freeipa-devel] [PATCH] 1033 renew CA subsystem certificates
On 07/16/2012 01:35 PM, Rob Crittenden wrote: Nalin Dahyabhai wrote: On Mon, Jul 16, 2012 at 09:23:24AM -0400, Rob Crittenden wrote: Use the new certmonger capability to be able to renew the dogtag subsystem certificates (audit, OCSP, etc). Are the copies of the certificates in the pki-ca CS.cfg file being updated elsewhere? Or is it not turning out to be a problem if they aren't? I didn't test validating OCSP signatures but the audit subsystem seemed fine (it complained wildly when I had the wrong trust in the NSS db). Andrew, do I need to update CS.cfg as well? Yes, you may need to update CS.cfg too. Andrew
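The drift that this exchange is about, certmonger renewing a certificate into the NSS database while CS.cfg keeps its own base64 copy, can be checked mechanically. This is an added example, not FreeIPA or Dogtag code: the `ca.<tag>.nickname` / `ca.<tag>.cert` key layout is assumed from Dogtag's CS.cfg format, and the certificate bytes are constructed stand-ins for DER, not real certificates.

```python
"""Compare the certificate copies in CS.cfg with the NSS database contents and
report entries that no longer match.  Added example; CS.cfg key names are an
assumption about Dogtag's layout and all certificate bytes are constructed."""

import base64
import hashlib
import re


def _b64(data):
    return base64.b64encode(data).decode("ascii")


# Constructed NSS database content: nickname -> DER bytes, in the form
# `certutil -L -d <dbdir> -n <nickname> -r` returns.  OCSP has been renewed.
SAMPLE_NSSDB = {
    "auditSigningCert cert-pki-ca": b"constructed audit signing cert v1",
    "ocspSigningCert cert-pki-ca": b"constructed ocsp signing cert v2",
    "subsystemCert cert-pki-ca": b"constructed subsystem cert v1",
}

# Constructed CS.cfg fragment still carrying the pre-renewal OCSP certificate.
SAMPLE_CS_CFG = "\n".join([
    "# constructed sample",
    "ca.audit_signing.nickname=auditSigningCert cert-pki-ca",
    "ca.audit_signing.cert=" + _b64(b"constructed audit signing cert v1"),
    "ca.ocsp_signing.nickname=ocspSigningCert cert-pki-ca",
    "ca.ocsp_signing.cert=" + _b64(b"constructed ocsp signing cert v1"),
    "ca.subsystem.nickname=subsystemCert cert-pki-ca",
    "ca.subsystem.cert=" + _b64(b"constructed subsystem cert v1"),
    "ca.sslserver.nickname=Server-Cert cert-pki-ca",   # no .cert line: skipped
])


def parse_cs_cfg(text):
    """CS.cfg is key=value, one pair per line; '#' starts a comment."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def cert_entries(cfg):
    """Yield (tag, nickname, der) for every ca.<tag>.cert that has a nickname."""
    for key, value in sorted(cfg.items()):
        m = re.match(r"^ca\.([a-z_]+)\.cert$", key)
        if not m:
            continue
        tag = m.group(1)
        nickname = cfg.get("ca.%s.nickname" % tag)
        if nickname is None:
            continue
        yield tag, nickname, base64.b64decode(value)


def _fp(der):
    return hashlib.sha256(der).hexdigest()


def find_stale(cfg_text, nssdb):
    """Return {tag: (nickname, cs_cfg_fingerprint, nssdb_fingerprint_or_None)}
    for each CS.cfg copy that differs from, or is missing in, the NSS db."""
    stale = {}
    for tag, nickname, der in cert_entries(parse_cs_cfg(cfg_text)):
        current = nssdb.get(nickname)
        if current is None:
            stale[tag] = (nickname, _fp(der), None)
        elif current != der:
            stale[tag] = (nickname, _fp(der), _fp(current))
    return stale


if __name__ == "__main__":
    for tag, (nick, old, new) in sorted(find_stale(SAMPLE_CS_CFG, SAMPLE_NSSDB).items()):
        print("%s (%s): CS.cfg %s..., NSS db %s..." % (
            tag, nick, old[:12], (new or "missing")[:12]))
```

On a real CA, feed it the text of the pki-ca CS.cfg and fill the dictionary from `certutil -L -d <alias dir> -n '<nickname>' -r` for each nickname; a non-empty result after a certmonger renewal is exactly the case Nalin is asking about.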
[Freeipa-devel] [PATCHSET] 496 add some PAC verification
This patchset is about Ticket #2849 The point is to verify that the PAC information we are getting from a trusted realm is actually consistent with the information we know about that trust relationship. The patchset adds a way to load trust information in the kdb driver (first 2 patches), reorganizes a bit the code around PAC verification and adds a filtering function to match realm with AD and SID data. Tested on my trust environment and seem to work fine. Simo. -- Simo Sorce * Red Hat, Inc * New York From 30f30901d99fb827016bee6e3f2a7d7dde7a460d Mon Sep 17 00:00:00 2001 From: Simo Sorce sso...@redhat.com Date: Mon, 9 Jul 2012 09:15:51 -0400 Subject: [PATCH 1/5] Move mspac structure to be a private pointer By keeping it's definition in the mspac file it is easier to modify and make sure any opertion on it is handled in the same file. --- daemons/ipa-kdb/ipa_kdb.h |9 ++- daemons/ipa-kdb/ipa_kdb_mspac.c | 49 +-- 2 files changed, 33 insertions(+), 25 deletions(-) diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h index c1cc7a7d8ecdf86b10606233078abbb8685f6750..0a179dbcf0e9c17c0eb468638cd7436dc60d31a5 100644 --- a/daemons/ipa-kdb/ipa_kdb.h +++ b/daemons/ipa-kdb/ipa_kdb.h @@ -74,12 +74,7 @@ #define IPA_SETUP ipa-setup-override-restrictions -struct ipadb_wincompat { -char *flat_domain_name; -char *flat_server_name; -char *fallback_group; -uint32_t fallback_rid; -}; +struct ipadb_mspac; struct ipadb_context { char *uri; @@ -91,7 +86,7 @@ struct ipadb_context { bool override_restrictions; krb5_key_salt_tuple *supp_encs; int n_supp_encs; -struct ipadb_wincompat wc; +struct ipadb_mspac *mspac; bool disable_last_success; bool disable_lockout; }; diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index 1c7487c3c8f75d02466a2e0746fbef5d36e3d995..44cf522a00e4973077d716a9545f69f325e870ba 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c 
@@ -26,6 +26,13 @@ #include util/time.h #include gen_ndr/ndr_krb5pac.h +struct ipadb_mspac { +char *flat_domain_name; +char *flat_server_name; +char *fallback_group; +uint32_t fallback_rid; +}; + int krb5_klog_syslog(int, const char *, ...); @@ -460,8 +467,8 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, } if (info3-base.primary_gid == 0) { -if (ipactx-wc.fallback_rid) { -info3-base.primary_gid = ipactx-wc.fallback_rid; +if (ipactx-mspac-fallback_rid) { +info3-base.primary_gid = ipactx-mspac-fallback_rid; } else { /* can't give a pack without a primary group rid */ return ENOENT; @@ -474,9 +481,9 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, /* always zero out, not used for Krb, only NTLM */ memset(info3-base.key, '\0', sizeof(info3-base.key)); -if (ipactx-wc.flat_server_name) { +if (ipactx-mspac-flat_server_name) { info3-base.logon_server.string = -talloc_strdup(memctx, ipactx-wc.flat_server_name); +talloc_strdup(memctx, ipactx-mspac-flat_server_name); if (!info3-base.logon_server.string) { return ENOMEM; } @@ -485,9 +492,9 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, return ENOENT; } -if (ipactx-wc.flat_domain_name) { +if (ipactx-mspac-flat_domain_name) { info3-base.logon_domain.string = -talloc_strdup(memctx, ipactx-wc.flat_domain_name); +talloc_strdup(memctx, ipactx-mspac-flat_domain_name); if (!info3-base.logon_domain.string) { return ENOMEM; } 
@@ -1318,11 +1325,17 @@ krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx) int ret; /* clean up in case we had old values around */ -free(ipactx-wc.flat_domain_name); -ipactx-wc.flat_domain_name = NULL; -free(ipactx-wc.fallback_group); -ipactx-wc.fallback_group = NULL; -ipactx-wc.fallback_rid = 0; +if (ipactx-mspac) { +free(ipactx-mspac-flat_domain_name); +free(ipactx-mspac-fallback_group); +free(ipactx-mspac); +} + +ipactx-mspac = calloc(1, sizeof(struct ipadb_mspac)); +if (!ipactx-mspac) { +kerr = ENOMEM; +goto done; +} kerr = ipadb_simple_search(ipactx, ipactx-base, LDAP_SCOPE_SUBTREE, (objectclass=ipaNTDomainAttrs), dom_attrs, @@ -1341,22 +1354,22 @@ krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx) ret = ipadb_ldap_attr_to_str(ipactx-lcontext, lentry, ipaNTFlatName, - ipactx-wc.flat_domain_name); + ipactx-mspac-flat_domain_name); if (ret) { kerr = ret; goto done;
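Review bot: at @@ -1318,11 +1325,17 @@ the cleanup at the top of `ipadb_reinit_mspac` frees `flat_domain_name` and `fallback_group` but not `flat_server_name`, although `struct ipadb_mspac` (@@ -26) declares it as a `char *` that `ipadb_fill_info3` copies with `talloc_strdup`; if it is heap-allocated when the structure is filled, every reinit leaks it. Free it here too, or add a comment stating why the struct does not own it.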
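Review bot: at @@ -460,8 +467,8 @@ (and likewise the @@ -474 and @@ -485 hunks) `ipadb_fill_info3` now dereferences `ipactx->mspac->...` unconditionally, while the reinit path at @@ -1318 frees the old `ipactx->mspac` first and, if `calloc` fails, leaves it NULL and jumps to `done`; a lookup after a failed reinit would then crash the KDC rather than fail the request. Either allocate the new structure before releasing the old one, or check `ipactx->mspac` for NULL at the top of `ipadb_fill_info3` and return an error.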
Re: [Freeipa-devel] [PATCH] 170 Differentiation of widget type and text_widget input type
On 7/12/2012 8:10 AM, Petr Vobornik wrote: There was a clash of 'type' attribute in widget's spec. Usually 'type' is used for telling a builder which field and widget to build. Text widget used this attribute also for definition of html input type. It was problematic for some special widgets, which defined own field and used text_widget, like service_type or dnszone_name. In those and possibly other cases it used widget type for specifying input type which led to execution error in Internet Explorer. Firefox and Chrome took it. This patch is changing text_widget's 'type' to 'input_type' which removes the collision and hence fixes the problem. https://fedorahosted.org/freeipa/ticket/2806 and half of: https://fedorahosted.org/freeipa/ticket/2834 ACK. -- Endi S. Dewata
Re: [Freeipa-devel] [PATCH] 171 Fixed display of attributes_widget in IE9
On 7/16/2012 3:56 AM, Petr Vobornik wrote: Attributes widget is using overflow css rule in tbody element. IE9 doesn't handle it well. To fix the issue, attributes widget was slightly modified and conditional css stylesheet was added just for fixing IE problems. https://fedorahosted.org/freeipa/ticket/2822 ACK. Separate issue, on IE the main navigation tabs aren't rendered nicely. There is a dark line underneath the label (Identity, Policy, IPA Server) when the tab is inactive. If you put the mouse over the tab the dark line will disappear. -- Endi S. Dewata
Re: [Freeipa-devel] [PATCH] 172 Bigger textarea for permission type=subtree
On 7/16/2012 6:53 AM, Petr Vobornik wrote: Patch description: Adder dialog and details facet for permission type=subtree have small textarea for defining subtree filter. It was uncomfortable to define the filter. This difference was removed. https://fedorahosted.org/freeipa/ticket/2832 Note regarding related ticket: Resizable textareas are browser-specific. We can do it in code too but I don't think it is worth the effort. Textarea in IE still seems smaller than in Firefox, but it has the same number of rows and cols. I think it has enough space for defining the filter so it should be fixing the problem. ACK. Possible improvement, instead of using a fixed column size the text area also could be made to occupy 100% of available width. Ideally it should have the same width as the text field or drop down list in this dialog. -- Endi S. Dewata
Re: [Freeipa-devel] DHCP support - Request for review
On 07/13/2012 08:39 PM, Petr Vobornik wrote: On 06/27/2012 03:32 PM, William Brown wrote: Hi, I have been working on adding support for FreeIPA to support configuration storage for ISC-DHCP 4.X servers. I have added the schema which is included at installation, added the template / empty files that will be filled in and used for the installation and created the ipalib plugin for this. At this stage, this feature is still far from done. I would appreciate a review of the work I have done to ensure I am on the right track. I would like to know if there is a better way to add ACLs than by manually updating ldap by hand (IE, using the ACL libraries) (See /install/share/dhcpd.ldif).

I just looked on the plugin part from Web UI (API) perspective. Somebody else should do the proper plugin review.

What seems bad:

1) All entity params are required. When I'm looking at the ldif, only a couple of attributes are MUST. A param is made optional by adding '?' after its name. Example from user.py:

Str('displayname?', label=_('Display name'), default_from=lambda givenname, sn: '%s %s' % (givenname, sn), autofill=True, ),

However you can probably enforce some params to be required if it's required by the DHCP server and not blindly copy the LDAP schema.

2) You don't have to specify 'primary_key=False', it's the default.

3) Don't use a prefix for cli_name like 'dhcp_server_implementation'. cli_name is used by IPA Client as an option name. Same for labels. For example, for adding a dhcp server the proper command would probably be:

ipa dhcpserver-add $NAME --service-dn=$SERVICE_DN etc

not:

ipa dhcpserver-add $NAME --dhcp-server-service-dn=$SERVICE_DN etc

so the param def should be:

Str('dhcpservicedn?', cli_name='service_dn', label=_('Service DN'), ),

5) All params are STR. I think some might be INT or something else.

6) You can fill the 'default_attributes' list with more param names. What is mentioned in default attributes is displayed by the `XXX-show $CN` command. What is not has to be displayed by the `XXX-show $CN --all` command.

7) In labels you use 'Dhcp'. IMO it should be all uppercase.

Regards

I have never written an IPA plugin before, so most of this was new to me. You did answer some of my questions about how you do things like optional attributes etc. I have made most of these changes and will complete the rest later (time allowing). Thanks for your advice. -- Sincerely, William Brown pgp.mit.edu http://pgp.mit.edu:11371/pks/lookup?op=vindexsearch=0x3C0AC6DAB2F928A2
Re: [Freeipa-devel] [Freeipa-users] stopping su -
sudo -i su - oracle
No, you would run sudo -i oracle. -i = simulate initial login. Alternately, you can use sudo -s oracle to run a shell as oracle. Or you can run sudo -u oracle command -- Sincerely, William Brown pgp.mit.edu http://pgp.mit.edu:11371/pks/lookup?op=vindexsearch=0x3C0AC6DAB2F928A2