Re: [Freeipa-devel] [PATCH 0072] Provide ipa-client-advise tool

2013-07-11 Thread Tomas Babej
On Wednesday 26 of June 2013 10:12:48 Petr Spacek wrote:

[snip]

 
 Appropriate error handling = Return 'Permission denied' if particular 
 operation requires higher privileges.
 
 IMHO a 'cryptic' error message is bad in any case, so the right way to fix
 'cryptic' error messages is to fix the places where errors are thrown.
 
 I don't think that additional checks in 'advisor' to hide 'cryptic' errors are
 the right approach.
 
 -- 
 Petr^2 Spacek

To wrap up, after an offline discussion with Petr:

We came to the conclusion that since the 'require_root' attribute is optional (Petr
was not aware of that, and that fact was what caused his concern), with a
default value of False, the attribute should not pose any additional burden for
the plugin developer.

Tomas

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed

2013-07-11 Thread Tomas Babej
[snip]

  The patch now fixes the issue.
 
   
 
  However, we need to bump the dependency in the specfile since now we require
 
  version 1.3.1.1.
 
   
 
  Tomas
 
 
 Thanks, updated patch is attached.
 

I tested the patch both with clean install and upgrade.

ACK

Re: [Freeipa-devel] [PATCH 0073] Remove support for IPA deployments with no persistent search

2013-07-11 Thread Tomas Babej
On Friday 21 of June 2013 13:52:40 Ana Krivokapic wrote:
 On 06/12/2013 02:28 PM, Tomas Babej wrote:
  Hi,
 
  Drops the code from ipa-server-install, ipa-dns-install and the
  BindInstance itself. Also changed ipa-upgradeconfig script so
  that it does not set zone_refresh to 0 on upgrades, as the option
  is deprecated, but rather removes it altogether.
 
  https://fedorahosted.org/freeipa/ticket/3632
 
  Tomas
 
 
 
 1) ipa-server-install (with no DNS), followed by ipa-dns-install now fails,
 because you missed one reference to options.persistent_search in 
 ipa-dns-install:
 
 if options.serial_autoincrement and not options.persistent_search:
 parser.error('persistent search feature is required for '
  'DNS SOA serial autoincrement')
 
 2) I wonder if we can also remove the '--zone-notif' option from
 ipa-server-install and ipa-dns-install. It is already deprecated so maybe this
 is a good time to drop it altogether?
 
 3) You can remove the 'persistent_search' attribute of the BindInstance class,
 and just hardcode the value to yes in the '__setup_sub_dict()' method.
 

Updated patch addresses all 3 issues.

Tomas

Re: [Freeipa-devel] [PATCHES] 0039-0040 systemd ipactl fixes

2013-07-11 Thread Alexander Bokovoy

On Thu, 11 Jul 2013, Alexander Bokovoy wrote:

On Wed, 10 Jul 2013, Ana Krivokapic wrote:

On 07/08/2013 08:32 AM, Alexander Bokovoy wrote:

On Thu, 20 Jun 2013, Ana Krivokapic wrote:

Hello,

Attached patches fix systemd and ipactl related bugs:

https://fedorahosted.org/freeipa/ticket/3730
https://fedorahosted.org/freeipa/ticket/3729

NACK. For me the upgrade case fails (rpm -Uhv): dirsrv didn't restart
properly on upgrade and everything else failed afterwards.



This was caused by 'systemctl is-active' returning exit status 3
('activating'), and our code treating the non-zero exit status as a failure. I
handled this case in the updated patch.

As for the ipa.service and dependency ordering, I have done some further testing
and found out that adding the '--ignore-dependencies' switch alone solves the
shutdown issue. So I think that no modification of the ipa.service file is
necessary.

Updated patches are attached.

This is much better. However, 'ipactl stop' doesn't stop ns-slapd and
dogtag:

What's important is the fact that now I can issue a reboot and the VM
restarts rather than hanging, and then IPA starts properly on boot -- this is
because when ns-slapd gets a signal from systemd, it automatically shuts
itself down properly, and the same happens to dogtag. This is good
enough that I am pushing the current patches to master, but please proceed with
fixing the 'ipactl stop' issue.


--
/ Alexander Bokovoy
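The `systemctl is-active` exit-status pitfall Ana describes in the quoted text (status 3 returned while a unit is still activating, and code treating any non-zero status as failure), as an added example in Python 3. This is not FreeIPA's code: it assumes systemd's documented behaviour that `is-active` exits 0 only for an active unit and prints the unit state on stdout; the set of transitional states is an assumption, and the unit name and the scripted runner standing in for systemctl are constructed for the demonstration.

```python
"""Interpreting `systemctl is-active` without mistaking "activating" for failure.

Added example, not FreeIPA code. Assumption: `systemctl is-active UNIT` exits 0
when the unit is active and non-zero otherwise (3 in practice), printing the
state ("active", "activating", "inactive", "failed", ...) on stdout. Because
status 3 covers both "inactive" and "activating", a startup check has to read
the printed state rather than the exit status alone.
"""
import subprocess
import time
from typing import Callable, List, Sequence, Tuple

Runner = Callable[[List[str]], Tuple[int, str]]

# Assumption: states in which the unit may still become active on its own,
# so a checker should keep waiting instead of declaring failure.
TRANSITIONAL_STATES = frozenset({"activating", "reloading", "deactivating"})


def run_systemctl(argv: List[str]) -> Tuple[int, str]:
    """Real runner: execute systemctl and return (exit_status, stdout)."""
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return proc.returncode, proc.stdout


def unit_state(unit: str, runner: Runner = run_systemctl) -> str:
    """Return the state reported by `systemctl is-active <unit>`.

    Exit status 0 always means active. A non-zero status is not a failure by
    itself: the printed state tells "activating" apart from "inactive"/"failed".
    """
    status, out = runner(["/bin/systemctl", "is-active", unit])
    lines = out.strip().splitlines()
    state = lines[0].strip() if lines else "unknown"
    if status == 0:
        return "active"
    return state


def wait_for_unit(unit: str, timeout: float = 60.0, interval: float = 1.0,
                  runner: Runner = run_systemctl,
                  sleep: Callable[[float], None] = time.sleep) -> str:
    """Poll is-active until the unit settles.

    Returns "active" on success, the settled non-active state (e.g. "failed"
    or "inactive") when the unit stopped trying, or "timeout" if it was still
    transitional when the polling budget ran out.
    """
    attempts = max(1, int(timeout / interval))
    state = "unknown"
    for attempt in range(attempts):
        state = unit_state(unit, runner)
        if state == "active":
            return "active"
        if state not in TRANSITIONAL_STATES:
            return state
        if attempt < attempts - 1:
            sleep(interval)
    return "timeout"


def scripted_runner(states: Sequence[str]) -> Runner:
    """Constructed test double standing in for systemctl: replays the given
    states one per call (repeating the last), exiting 0 only for "active"."""
    remaining = list(states)

    def run(argv: List[str]) -> Tuple[int, str]:
        state = remaining.pop(0) if len(remaining) > 1 else remaining[0]
        return (0 if state == "active" else 3), state + "\n"

    return run


if __name__ == "__main__":
    # Upgrade scenario from the thread: dirsrv is still starting when checked.
    fake = scripted_runner(["activating", "activating", "active"])
    print(wait_for_unit("dirsrv@EXAMPLE-COM.service", timeout=10, interval=1,
                        runner=fake, sleep=lambda s: None))
```

The injectable `runner` and `sleep` exist only so the logic can be exercised offline; in real use the defaults call systemctl and sleep between polls.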



Re: [Freeipa-devel] [PATCH] 140 Check trust chain length in CA-less install

2013-07-11 Thread Alexander Bokovoy

On Wed, 10 Jul 2013, Rob Crittenden wrote:

Jan Cholasta wrote:

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/3707.

Honza


This patch seems to work ok but I've been unable to test it with an 
external CA installation because that seems to be broken (unrelated 
to this patch).


I filed https://fedorahosted.org/freeipa/ticket/3773

Committed to master and ipa-3-2:

master: ab96ca7831ad8ab2ee2389093ea8b9327d94d6f0
ipa-3-2: e1f481c891b67c79b7d7cc1e9a3ac636826c90cb

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCHES] 143-147 Improve performance with large groups

2013-07-11 Thread Alexander Bokovoy

On Mon, 08 Jul 2013, Alexander Bokovoy wrote:

On Thu, 27 Jun 2013, Jan Cholasta wrote:

On 27.6.2013 17:34, Rich Megginson wrote:

On 06/27/2013 09:31 AM, Jan Cholasta wrote:

The search is hard-coded in the referint plugin, see
https://git.fedorahosted.org/cgit/389/ds.git/tree/ldap/servers/plugins/referint/referint.c#n745.



Not sure if it makes sense to do a wildcard/substr search here - please
file a ticket with 389 to investigate.


https://fedorahosted.org/389/ticket/47411

So, should we merge this patchset or wait until 389-ds analyzes 47411?
To me it looks like we can use this one as an interim solution, once Web
UI performance is checked through.

I've committed the patchset to master. Web UI works just fine for me and
with a VM limited to 1GB RAM I seem to get snappier response even when
running whole IPA stack and Firefox in the same VM.

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCHES] 143-147 Improve performance with large groups

2013-07-11 Thread Jan Cholasta

On 11.7.2013 11:58, Alexander Bokovoy wrote:

On Mon, 08 Jul 2013, Alexander Bokovoy wrote:

On Thu, 27 Jun 2013, Jan Cholasta wrote:

On 27.6.2013 17:34, Rich Megginson wrote:

On 06/27/2013 09:31 AM, Jan Cholasta wrote:

The search is hard-coded in the referint plugin, see
https://git.fedorahosted.org/cgit/389/ds.git/tree/ldap/servers/plugins/referint/referint.c#n745.




Not sure if it makes sense to do a wildcard/substr search here - please
file a ticket with 389 to investigate.


https://fedorahosted.org/389/ticket/47411

So, should we merge this patchset or wait until 389-ds analyzes 47411?
To me it looks like we can use this one as an interim solution, once Web
UI performance is checked through.

I've committed the patchset to master. Web UI works just fine for me and
with a VM limited to 1GB RAM I seem to get snappier response even when
running whole IPA stack and Firefox in the same VM.



We can add WebUI improvements later. I have some WIP, but I need to 
discuss it with Petr first (he's away this week).


Honza

--
Jan Cholasta



Re: [Freeipa-devel] [PATCHES] 143-147 Improve performance with large groups

2013-07-11 Thread Alexander Bokovoy

On Thu, 11 Jul 2013, Jan Cholasta wrote:

On 11.7.2013 11:58, Alexander Bokovoy wrote:

On Mon, 08 Jul 2013, Alexander Bokovoy wrote:

On Thu, 27 Jun 2013, Jan Cholasta wrote:

On 27.6.2013 17:34, Rich Megginson wrote:

On 06/27/2013 09:31 AM, Jan Cholasta wrote:

The search is hard-coded in the referint plugin, see
https://git.fedorahosted.org/cgit/389/ds.git/tree/ldap/servers/plugins/referint/referint.c#n745.




Not sure if it makes sense to do a wildcard/substr search here - please
file a ticket with 389 to investigate.


https://fedorahosted.org/389/ticket/47411

So, should we merge this patchset or wait until 389-ds analyzes 47411?
To me it looks like we can use this one as an interim solution, once Web
UI performance is checked through.

I've committed the patchset to master. Web UI works just fine for me and
with a VM limited to 1GB RAM I seem to get snappier response even when
running whole IPA stack and Firefox in the same VM.



We can add WebUI improvements later. I have some WIP, but I need to 
discuss it with Petr first (he's away this week).

Ok.

The patchset is in ipa-3-2 as well now.

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH] Permit reads to ipatokenRadiusProxyUser objects

2013-07-11 Thread Alexander Bokovoy

On Mon, 01 Jul 2013, Nathaniel McCallum wrote:

On Thu, 2013-06-20 at 12:21 +0200, Martin Kosek wrote:

On 06/18/2013 08:27 PM, Nathaniel McCallum wrote:
 Patch attached.


Hello Nathaniel,

Thanks for the patch! I have just few general procedural comments with
submitting patch:

1. As you are doing a work on an upstream ticket, please assign the upstream
Trac ticket to yourself and accept it. When the patch is sent to the list, you
should also mark the ticket as patch sent.

2. Please follow our patch format:
- https://fedorahosted.org/freeipa/wiki/PatchFormat

This is just a short excerpt of our Development process:
http://www.freeipa.org/page/Contribute#Development_Process


Patch is attached with proper formatting. The ticket is properly
assigned and flagged. No code has changed since the last patch.

Thanks. Works for me.

Committed to master and ipa-3-2, ticket updated and closed.

--
/ Alexander Bokovoy



[Freeipa-devel] [PATCH 0173] Improve logging for cases where SOA serial autoincrementation failed

2013-07-11 Thread Petr Spacek

Hello,

Improve logging for cases where SOA serial autoincrementation failed.

--
Petr^2 Spacek
From 9ef4eee3c484557efd7c777458c6800f7c61bdaf Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Mon, 8 Jul 2013 13:15:56 +0200
Subject: [PATCH] Improve logging for cases where SOA serial autoincrementation
 failed.

Signed-off-by: Petr Spacek pspa...@redhat.com
---
 src/ldap_helper.c | 10 ++
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 514b81e8da1539e9402cef8a07f8feafeb13ff4d..05aa1a1d4b5091816af092895e881c0e2b1ff0eb 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -3709,10 +3709,12 @@ soa_serial_increment(isc_mem_t *mctx, ldap_instance_t *inst,
 	CHECK(ldap_get_zone_serial(inst, zone_name, new_serial));
 
 cleanup:
-	if (result != ISC_R_SUCCESS ||
-	isc_serial_gt(new_serial, old_serial) != ISC_TRUE)
-		log_error(SOA serial number incrementation failed in zone '%s',
-zone_dn_char);
+	if (result == ISC_R_SUCCESS 
+	isc_serial_gt(new_serial, old_serial) == ISC_FALSE)
+		result = DNS_R_UNCHANGED;
+	if (result != ISC_R_SUCCESS)
+		log_error_r(SOA serial number incrementation failed in zone 
+			'%s', zone_dn_char);
 
 	str_destroy(zone_dn);
 	ldapdb_rdatalist_destroy(mctx, rdatalist);
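Review bot: assigning `result = DNS_R_UNCHANGED;` turns a case that previously only logged into an error return from soa_serial_increment(), so callers that check the result (not visible in this hunk) will now fail the whole update when the serial did not advance; confirm that is what each caller should do and state it in the commit message, which currently mentions only logging. Separately, as rendered here the condition `if (result == ISC_R_SUCCESS` / `isc_serial_gt(new_serial, old_serial) == ISC_FALSE)` shows no `&&` between its two operands; if that is not a mail-rendering artefact, the code will not compile.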
-- 
1.8.3.1
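What `isc_serial_gt()` in the hunk above actually tests is RFC 1982 serial-number arithmetic; the following is an added Python example (not bind-dyndb-ldap code) of that comparison and of the unchanged-serial check the patch introduces. The strings ISC_R_SUCCESS and DNS_R_UNCHANGED only mirror the result codes in the hunk, and `next_serial()` is an assumed helper showing one way to make sure the increment cannot end up unchanged.

```python
"""RFC 1982 serial arithmetic for SOA serials (what isc_serial_gt() checks).

Added example, not bind-dyndb-ldap code. SOA serials are 32-bit unsigned values
that wrap around, so "new > old" cannot be a plain integer compare: 0 is greater
than 0xFFFFFFFF, and two serials exactly 2**31 apart are not ordered at all.
"""

SERIAL_BITS = 32
MODULUS = 1 << SERIAL_BITS           # 2**32
HALF_RANGE = 1 << (SERIAL_BITS - 1)  # 2**31


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 section 3.2: a is greater than b in serial arithmetic."""
    a %= MODULUS
    b %= MODULUS
    return (a < b and b - a > HALF_RANGE) or (a > b and a - b < HALF_RANGE)


def serial_add(serial: int, n: int) -> int:
    """RFC 1982 addition; n must stay below 2**31 for the result to be ordered."""
    if not 0 <= n < HALF_RANGE:
        raise ValueError("increment must be in [0, 2**31)")
    return (serial + n) % MODULUS


def check_soa_increment(old_serial: int, new_serial: int) -> str:
    """The post-increment check from the patch: success only if the serial
    re-read from LDAP is greater (in serial arithmetic) than the one before.
    Result names mirror the codes used in the hunk."""
    if serial_gt(new_serial, old_serial):
        return "ISC_R_SUCCESS"
    return "DNS_R_UNCHANGED"


def next_serial(old_serial: int, preferred: int) -> int:
    """Assumed helper: pick a serial guaranteed to be greater than old_serial.

    Admins often prefer date-based serials (YYYYMMDDnn). If the preferred value
    would not sort after the current one (e.g. the zone was already bumped past
    today's value), fall back to old + 1 so the update never ends up unchanged.
    """
    if serial_gt(preferred, old_serial):
        return preferred
    return serial_add(old_serial, 1)


if __name__ == "__main__":
    print(check_soa_increment(2013071101, 2013071102))  # ISC_R_SUCCESS
    print(check_soa_increment(2013071102, 2013071102))  # DNS_R_UNCHANGED
    print(check_soa_increment(0xFFFFFFFF, 0))           # ISC_R_SUCCESS (wrapped)
    print(next_serial(2020010100, 2013071100))          # 2020010101
```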


Re: [Freeipa-devel] [PATCHES] 0039-0040 systemd ipactl fixes

2013-07-11 Thread Alexander Bokovoy

On Thu, 11 Jul 2013, Alexander Bokovoy wrote:

On Thu, 11 Jul 2013, Alexander Bokovoy wrote:

On Wed, 10 Jul 2013, Ana Krivokapic wrote:

On 07/08/2013 08:32 AM, Alexander Bokovoy wrote:

On Thu, 20 Jun 2013, Ana Krivokapic wrote:

Hello,

Attached patches fix systemd and ipactl related bugs:

https://fedorahosted.org/freeipa/ticket/3730
https://fedorahosted.org/freeipa/ticket/3729

NACK. For me the upgrade case fails (rpm -Uhv): dirsrv didn't restart
properly on upgrade and everything else failed afterwards.



This was caused by 'systemctl is-active' returning exit status 3
('activating'), and our code treating the non-zero exit status as a failure. I
handled this case in the updated patch.

As for the ipa.service and dependency ordering, I have done some further testing
and found out that adding the '--ignore-dependencies' switch alone solves the
shutdown issue. So I think that no modification of the ipa.service file is
necessary.

Updated patches are attached.

This is much better. However, 'ipactl stop' doesn't stop ns-slapd and
dogtag:

What's important is the fact that now I can issue a reboot and the VM
restarts rather than hanging, and then IPA starts properly on boot -- this is
because when ns-slapd gets a signal from systemd, it automatically shuts
itself down properly, and the same happens to dogtag. This is good
enough that I am pushing the current patches to master, but please proceed with
fixing the 'ipactl stop' issue.


Also pushed to ipa-3-2 and updated the tickets 3729 and 3730.

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed

2013-07-11 Thread Alexander Bokovoy

On Thu, 11 Jul 2013, Tomas Babej wrote:

[snip]


 The patch now fixes the issue.



 However, we need to bump the dependency in the specfile since now we require

 version 1.3.1.1.



 Tomas


Thanks, updated patch is attached.



I tested the patch both with clean install and upgrade.

ACK

The patch does not apply to ipa-3-2, it needs rebasing.

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH] Fix for small syntax error in OTP schema

2013-07-11 Thread Alexander Bokovoy

On Wed, 10 Jul 2013, Nathaniel McCallum wrote:

https://fedorahosted.org/freeipa/ticket/3765

Due to the potentially bad ramifications of a schema syntax error, I
tested this in both single server and replica configurations. The worst
case in both is a truncated attribute description. The above patch fixes
the problem in both cases with a simple ipa-ldap-updater.

ACK.

Committed to master and ipa-3-2.

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed

2013-07-11 Thread Ana Krivokapic
On 07/11/2013 12:34 PM, Alexander Bokovoy wrote:
 On Thu, 11 Jul 2013, Tomas Babej wrote:
 [snip]

  The patch now fixes the issue.
 
 
 
  However, we need to bump the dependency in the specfile since now we 
  require
 
  version 1.3.1.1.
 
 
 
  Tomas
 

 Thanks, updated patch is attached.


 I tested the patch both with clean install and upgrade.

 ACK
 The patch does not apply to ipa-3-2, it needs rebasing.


Rebased patch attached.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

From 44cd5e2db5d9441fdd779564c8aea543b7d910ac Mon Sep 17 00:00:00 2001
From: Ana Krivokapic akriv...@redhat.com
Date: Thu, 11 Jul 2013 12:50:01 +0200
Subject: [PATCH] Make sure replication works after DM password is changed

The replica information file contains the file `cacert.p12`, which is protected by
the Directory Manager password of the initial IPA server installation. The DM
password of the initial installation is also used as the PKI admin user
password.

If the DM password is changed after the IPA server installation, replication
fails.

To prevent this failure, add the following steps to ipa-replica-prepare:
1. Regenerate the `cacert.p12` file and protect it with the current DM password
2. Update the password of the PKI admin user with the current DM password

https://fedorahosted.org/freeipa/ticket/3594
---
 freeipa.spec.in  |  9 +---
 ipaserver/install/ipa_replica_prepare.py | 36 
 2 files changed, 42 insertions(+), 3 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 1f9242ea8b8f41233473db74fd8dac16ae075abd..11365bebebc555fcb4d4c3fc1ec0f60707384fe3 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -17,7 +17,7 @@ Source0:freeipa-%{version}.tar.gz
 BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %if ! %{ONLY_CLIENT}
-BuildRequires:  389-ds-base-devel = 1.3.1.1
+BuildRequires:  389-ds-base-devel = 1.3.1.3
 BuildRequires:  svrcore-devel
 BuildRequires:  /usr/share/selinux/devel/Makefile
 BuildRequires:  policycoreutils = %{POLICYCOREUTILSVER}
@@ -91,7 +91,7 @@ Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
 Requires: %{name}-server-selinux = %{version}-%{release}
-Requires: 389-ds-base = 1.3.1.1
+Requires: 389-ds-base = 1.3.1.3
 Requires: openldap-clients  2.4.35-4
 %if 0%{?fedora} == 18
 Requires: nss = 3.14.3-2
@@ -147,7 +147,7 @@ Requires: zip
 Requires: policycoreutils = %{POLICYCOREUTILSVER}
 Requires: tar
 Requires(pre): certmonger = 0.65
-Requires(pre): 389-ds-base = 1.3.0.5
+Requires(pre): 389-ds-base = 1.3.1.3
 
 # We have a soft-requires on bind. It is an optional part of
 # IPA but if it is configured we need a way to require versions
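Review bot: Requires(pre) moves from 1.3.0.5 to 1.3.1.3 in one step, while BuildRequires and Requires only move from 1.3.1.1; aligning all three is reasonable, but a Requires(pre) bump means rpm will refuse to upgrade an existing freeipa-server unless 389-ds-base 1.3.1.3 is already installed or is part of the same transaction, so the new minimum should be called out in the release notes and not only in the spec.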
@@ -844,6 +844,9 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
+* Wed Jul 10 2013 Ana Krivokapic akriv...@redhat.com - 3.2.99-4
+- Bump minimum version of 389-ds-base to 1.3.1.3 for user password change fix.
+
 * Wed Jun 26 2013 Jan Cholasta jchol...@redhat.com - 3.2.1-1
 - Bump minimum version of 389-ds-base to 1.3.1.1 for SASL mapping priority
   support.
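Review bot: the changelog line `Bump minimum version of 389-ds-base to 1.3.1.3 for user password change fix.` does not identify which 389-ds-base change is meant; name the bug or ticket so the reason for the bump can be verified later, and note that the entry is dated Wed Jul 10 2013 while the patch header is dated Thu Jul 11 2013.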
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index f6af28e3a550387050ead412b61c8fb58a8b7fe5..a92e9a91608b3deb1e54c6dba4642a424f1a 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -274,6 +274,11 @@ def copy_ds_certificate(self):
 self.copy_info_file(options.dirsrv_pkcs12, dscert.p12)
 else:
 if ipautil.file_exists(options.ca_file):
+# Since it is possible that the Directory Manager password
+# has changed since ipa-server-install, we need to regenerate
+# the CA PKCS#12 file and update the pki admin user password
+self.regenerate_ca_file(options.ca_file)
+self.update_pki_admin_password()
 self.copy_info_file(options.ca_file, cacert.p12)
 else:
 raise admintool.ScriptError(Root CA PKCS#12 not 
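Review bot: the new calls `self.regenerate_ca_file(options.ca_file)` and `self.update_pki_admin_password()` make ipa-replica-prepare overwrite the PKI admin user's password with the current Directory Manager password every time a replica file is prepared, and neither the comment in the hunk nor the commit message documents that side effect; an administrator who deliberately set a different password for uid=admin in o=ipaca will find it silently reset, so this should be stated in the ipa-replica-prepare man page and the commit message, and logged when it happens.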
@@ -505,3 +510,34 @@ def export_ra_pkcs12(self):
 db.export_pkcs12(pkcs12_fname, agent_name, ipaCert)
 finally:
 os.remove(agent_name)
+
+def update_pki_admin_password(self):
+ldap = ldap2(shared_instance=False)
+ldap.connect(
+bind_dn=DN(('cn', 'directory manager')),
+bind_pw=self.dirman_password
+)
+dn = DN('uid=admin', 'ou=people', 'o=ipaca')
+ldap.modify_password(dn, self.dirman_password)
+ldap.disconnect()
+
+def regenerate_ca_file(self, ca_file):
+dm_pwd_fd = ipautil.write_tmp_file(self.dirman_password)
+
+keydb_pwd = ''
+with open('/etc/pki/pki-tomcat/password.conf') as f:
+for line in f.readlines():
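Review bot: in update_pki_admin_password() the connect/modify_password/disconnect sequence has no try/finally, so an exception from `ldap.modify_password(dn, self.dirman_password)` leaves the Directory Manager connection open and surfaces as a raw traceback instead of a ScriptError with a clear message. In regenerate_ca_file() the Directory Manager password is written to disk with `dm_pwd_fd = ipautil.write_tmp_file(self.dirman_password)` and the hunk is cut off before any cleanup is visible; make sure that temporary file is removed in a finally clause on every exit path, since it holds the most privileged credential in the deployment.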
+ 

Re: [Freeipa-devel] [PATCH] 117 extdom: replace winbind calls with POSIX/SSSD calls

2013-07-11 Thread Alexander Bokovoy

On Wed, 10 Jul 2013, Simo Sorce wrote:

On Wed, 2013-07-10 at 19:15 +0300, Alexander Bokovoy wrote:

On Tue, 09 Jul 2013, Jakub Hrozek wrote:
On Tue, Jul 09, 2013 at 11:42:00AM +0200, Jakub Hrozek wrote:
 On Tue, Jul 09, 2013 at 10:33:19AM +0300, Alexander Bokovoy wrote:
  On Mon, 08 Jul 2013, Jakub Hrozek wrote:
  On Mon, Jul 08, 2013 at 07:32:41PM +0300, Alexander Bokovoy wrote:
  On Mon, 08 Jul 2013, Jakub Hrozek wrote:
  On Mon, Jul 08, 2013 at 04:15:39PM +0300, Alexander Bokovoy wrote:
  On Mon, 08 Jul 2013, Alexander Bokovoy wrote:
  On Wed, 03 Jul 2013, Sumit Bose wrote:
  Hi,
  
  with this patch the extdom plugin, the LDAP extended operation that
  allows IPA clients with recent SSSD to lookup AD users and groups, 
will
  not use winbind for the lookup anymore but will use SSSD running in
  ipa_server_mode.
  
  Since now no plugin uses the winbind client libraries anymore, the
  second patch removes the related configures checks.
  
  I think for the time being we cannot remove winbind completely 
because
  it might be needed for msbd to work properly in a trusted 
environment.
  s/msbd/smbd/
  
  ACK. I need to add 'ipa_server_mode = True' support to
  the installer code and then these patches can go in.
  Actually, the code still doesn't work due to some bug in sssd which
  fails to respond properly to getsidbyname() request in 
libsss_nss_idmap.
  
  Additionally I've found one missing treatment of domain_name for
  INP_NAME requests.
  
  We are working with Jakub on tracking down what's wrong on SSSD side.
  
  Indeed, there was a casing issue in sysdb. You can continue testing with
  lowercase user names in the meantime. A patch is already on the SSSD
  list.
  In addition, we need to disqualify user name when returning back a
  packet from extdom operation as this is what SSSD expects.
  
  Attached patch does it for all types of requests.
  
  --
  / Alexander Bokovoy
  
  From 3659059c646f7b584ee07fb9e780759bcc0bb08e Mon Sep 17 00:00:00 2001
  From: Alexander Bokovoy aboko...@redhat.com
  Date: Mon, 8 Jul 2013 19:19:56 +0300
  Subject: [PATCH] Fix extdom plugin to provide unqualified name in 
response as
   sssd expects
  
  extdom plugin handles external operation over which SSSD asks IPA server 
about
  trusted domain users not found through normal paths but detected to 
belong
  to the trusted domains associated with IPA realm.
  
  SSSD expects that user or group name in the response will be unqualified
  because domain name for the user or group is also included in the 
response.
  Strip domain name from the name if getgrnam_r/getpwnam_r calls returned 
fully
  qualified name which includes the domain name we are asked to handle.
  
  The code already expects that fully-qualified names are following 
user@domain
  convention so we are simply tracking whether '@' symbol is present and 
is followed
  by the domain name.
  ---
   .../ipa-extdom-extop/ipa_extdom_common.c   | 26 
++
   1 file changed, 26 insertions(+)
  
  diff --git 
a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c 
b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
  index 8aa22e1..290da4e 100644
  --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
  +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
  @@ -295,6 +295,7 @@ int handle_request(struct ipa_extdom_ctx *ctx, 
struct extdom_req *req,
grp_result);
   }
   }
  +domain_name = strdup(req-data.name.domain_name);
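Review bot: the return value of `domain_name = strdup(req-data.name.domain_name);` is not checked for NULL; on allocation failure a NULL domain_name is passed on to create_response(), so set ret to an error and take the function's existing error path when strdup() fails, and confirm the new allocation is freed on every exit from handle_request() (the free is not visible in this hunk).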
  
  I would prefer if this was a separate patch. But this is a correct
  change.
  Separated.
 

 Ack to this patch.

  
   break;
   default:
   ret = LDAP_PROTOCOL_ERROR;
  @@ -338,6 +339,7 @@ int create_response(struct extdom_req *req, struct 
pwd_grp *pg_data,
   const char *domain_name, struct extdom_res **_res)
   {
   int ret = EFAULT;
  +char *locat = NULL;
   struct extdom_res *res;
  
   res = calloc(1, sizeof(struct extdom_res));
  @@ -354,10 +356,20 @@ int create_response(struct extdom_req *req, struct 
pwd_grp *pg_data,
   switch(id_type) {
   case SSS_ID_TYPE_UID:
   case SSS_ID_TYPE_BOTH:
  +if ((locat = strchr(pg_data-data.pwd.pw_name, 
'@')) != NULL) {
  +if (strstr(locat, domain_name) != NULL ) {
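Review bot: `strstr(locat, domain_name)` accepts any name whose tail merely contains domain_name, so for domain_name `ad.example.com` a pw_name ending in `@ad.example.com.other` or `@sub.ad.example.com` would also be stripped, and as Jakub notes below the comparison is case-sensitive while domain names are not; compare the whole suffix instead, e.g. `strcasecmp(locat + 1, domain_name) == 0`, which fixes both issues in one check.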
  
  strstr doesn't work correctly in my case. In SSSD, the domain names are
  case-insensitive, so you can use strcasestr here. In my case, the
  condition is never hit as the domain case differs:
  
  407 res-data.user.domain_name = 
strdup(domain_name);
  (gdb)
  408 if ((locat = 
strchr(pg_data-data.pwd.pw_name, '@')) != NULL) {
  (gdb) n
  409 if (strstr(locat, domain_name) != NULL) {
  (gdb)
  414 
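The name-stripping logic reviewed in this thread, as an added Python example rather than the plugin's C code: it compares the whole suffix after '@' against domain_name case-insensitively (the point behind the strstr versus strcasestr remark) and keeps a literal port of the strstr-style check alongside it to show what that check wrongly accepts. The sample names and the domain `ad.example.com` are constructed, and it assumes user and group names themselves contain no '@'.

```python
"""Returning an unqualified name in an extdom-style response.

Added example, not ipa-extdom-extop code. The response already carries
domain_name, so a name that getpwnam_r/getgrnam_r returned as `user@domain`
must be returned as `user`. The suffix must match the whole domain, and
case-insensitively, because DNS/AD domain names are case-insensitive.
Assumption: user and group names themselves contain no '@'.
"""
from typing import Tuple


def unqualify_name(name: str, domain_name: str) -> Tuple[str, bool]:
    """Return (unqualified_name, stripped).

    Strips only when the part after the last '@' equals domain_name under
    case-insensitive comparison; a different domain, or one that merely
    contains domain_name as a substring, leaves the name untouched.
    """
    at = name.rfind("@")
    if at < 0:
        return name, False
    suffix = name[at + 1:]
    if suffix.casefold() != domain_name.casefold():
        return name, False
    return name[:at], True


def unqualify_name_substring(name: str, domain_name: str) -> Tuple[str, bool]:
    """Literal port of the strchr + strstr logic under review: strips if
    domain_name occurs anywhere after the first '@', case-sensitively.
    Kept only to show what the exact-match version above rejects."""
    at = name.find("@")
    if at < 0:
        return name, False
    if domain_name in name[at:]:
        return name[:at], True
    return name, False


if __name__ == "__main__":
    # Constructed sample names for a trusted domain ad.example.com.
    print(unqualify_name("Administrator@AD.EXAMPLE.COM", "ad.example.com"))
    print(unqualify_name("user@ad.example.com.other", "ad.example.com"))
    print(unqualify_name_substring("Administrator@AD.EXAMPLE.COM", "ad.example.com"))
    print(unqualify_name_substring("user@ad.example.com.other", "ad.example.com"))
```

The two functions disagree on exactly the inputs the review discusses: the substring version misses `Administrator@AD.EXAMPLE.COM` because of case, yet strips `user@ad.example.com.other` although that is a different domain.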

Re: [Freeipa-devel] [PATCH] 116 Add PAC to master host TGTs

2013-07-11 Thread Alexander Bokovoy

On Wed, 10 Jul 2013, Simo Sorce wrote:

On Wed, 2013-07-10 at 19:55 +0300, Alexander Bokovoy wrote:

 The patch looks good to me so I'm giving my +1. I would appreciate
other
 review too before a full ack, though.

 I've nacked the approach, although the results are as expected.
 Alexander will send a simplified patch that avoids the extra search
and
 use of managedby which is not ok.
 New patch attached.
After discussion with Simo on IRC, I decided to use krb5_parse_name() to
properly parse the krbPrincipalName attribute for the service and vet it
against a pre-defined set of services we support generating MS-PAC for on
the IPA master.

The list currently includes only cifs/ipa.master@REALM and
HTTP/ipa.master@REALM as host/ipa.master@REALM is handled by the is_host
case.


LGTM.

Committed to master.

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCHES] 0230-0244 Integration testing framework

2013-07-11 Thread Jan Cholasta

On 10.7.2013 17:50, Petr Viktorin wrote:

On 07/10/2013 02:03 PM, Jan Cholasta wrote:

make test seems to run fine with patches 230-242 applied, however
ipa-run-tests produces the following output:


[...Skipping nose output...]



I guess the location of the test certificate should be made configurable
in order to fix the host and service plugin test failures.


Making the existing test suite pass out of tree is not a goal for this
patchset. There is a pending patch for the service cert.


Better report it now than forget it later.




Also, there is a lot of debugging messages in ipa-run-tests output which
wasn't there before IIRC, is that intentional?


Yes, I believe that for the integration tests it's better to see what is
going on. Both for manual runs, and also this way the information is
more easily picked up by CI tools.


It's harder to see what's going on with so much noise IMHO, I would 
prefer less verbose output for manual runs by default.





If $MASTER (and possible other host names) is not resolvable,
ipa-test-config --global crashes:

$ ipa-test-config --global
Traceback (most recent call last):
   File /usr/bin/ipa-test-config, line 104, in module
 print main(sys.argv[1:]),
   File /usr/bin/ipa-test-config, line 58, in main
 return config.env_to_script(get_object(conf, args).to_env(**kwargs))
   File
/usr/lib/python2.7/site-packages/ipatests/test_integration/config.py,
line 168, in to_env
 env['MASTER'] = default_domain.master.hostname
   File
/usr/lib/python2.7/site-packages/ipatests/test_integration/config.py,
line 282, in master
 return self.masters[0]
IndexError: list index out of range


Fixed.
Now, if the name is not resolvable, reading the config will fail.
Alternatively, the IP address can be given in variables such as
$BEAKERREPLICA1_IP_env1 (no, I didn't invent the name).


This fixed ipa-test-config as advertised, but ipa-run-tests 
test_integration/test_simple_replication.py still fails.





Both the tests in test_simple_replication.py fail for me. I suspect it
is because the data isn't replicated fast enough, a little delay between
user-show and user-add might fix this.


Hm, they worked for me.
  I've added a delay. It seems fragile, I wonder what the proper way to
do this would be.


Hmm, the replica - master test still fails for me, even with delay 
increased to 20 s.


Something less fragile than delay would certainly be nice.




I've made some other changes, mainly BeakerLib plugin output.

Patch 240: Avoid infinite recursion that happened with some cases of bad
SSH credentials
Patch 241-243: Rework the BeakerLib plugin output to better match
traditional Beaker tests
Patch 244: Make it possible to explicitly specify IP addresses of hosts


To sum things up, there are still some little bugs, but these can be 
fixed after the beta release, in general everything seems to work, so ACK.


Honza

--
Jan Cholasta



[Freeipa-devel] [PATCH 0077] Add libsss_nss_idmap-devel to BuildRequires

2013-07-11 Thread Tomas Babej
Hi,

attached patch fixes build problems introduced by Sumit's recently pushed
patches.

Tomas

From 41c6c7ca44e7c6ef7c40cbef32b1b5dc3cf36130 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Thu, 11 Jul 2013 13:33:31 +0200
Subject: [PATCH] Add libsss_nss_idmap-devel to BuildRequires

---
 freeipa.spec.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index debc6e5870af81d684f5da9f0cdd582cf6e81e98..f2847e14a0be4c57263266dae15a89521d8b57af 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -67,6 +67,7 @@ BuildRequires:  python-dns
 BuildRequires:  m2crypto
 BuildRequires:  check
 BuildRequires:  libsss_idmap-devel
+BuildRequires:  libsss_nss_idmap-devel
 BuildRequires:  java-1.7.0-openjdk
 BuildRequires:  libverto-devel
 BuildRequires:  systemd
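Review bot: the commit message gives no reason for the new line `BuildRequires:  libsss_nss_idmap-devel`; say that it is needed because the extdom plugin now builds against libsss_nss_idmap (the recently pushed patches the cover letter refers to), and confirm whether the server package also needs an explicit runtime dependency on a minimum version of the corresponding library, or whether rpm's automatic shared-library dependency generation is sufficient here.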
-- 
1.8.3.1


Re: [Freeipa-devel] [PATCHES] 0039-0040 systemd ipactl fixes

2013-07-11 Thread Ana Krivokapic
On 07/11/2013 11:38 AM, Alexander Bokovoy wrote:
 On Thu, 11 Jul 2013, Alexander Bokovoy wrote:
 On Wed, 10 Jul 2013, Ana Krivokapic wrote:
 On 07/08/2013 08:32 AM, Alexander Bokovoy wrote:
 On Thu, 20 Jun 2013, Ana Krivokapic wrote:
 Hello,

 Attached patches fix systemd and ipactl related bugs:

 https://fedorahosted.org/freeipa/ticket/3730
 https://fedorahosted.org/freeipa/ticket/3729
 NACK. For me the upgrade case fails (rpm -Uhv): dirsrv didn't restart
 properly on upgrade and everything else failed afterwards.


 This was caused by 'systemctl is-active' returning exit status 3
 ('activating'), and our code treating the non-zero exit status as a failure. I
 handled this case in the updated patch.

 As for the ipa.service and dependency ordering, I have done some further testing
 and found out that adding the '--ignore-dependencies' switch alone solves the
 shutdown issue. So I think that no modification of the ipa.service file is
 necessary.

 Updated patches are attached.
 This is much better. However, 'ipactl stop' doesn't stop ns-slapd and
 dogtag:
 What's important is the fact that now I can issue a reboot and the VM
 restarts rather than hanging, and then IPA starts properly on boot -- this is
 because when ns-slapd gets a signal from systemd, it automatically shuts
 itself down properly, and the same happens to dogtag. This is good
 enough that I am pushing the current patches to master, but please proceed with
 fixing the 'ipactl stop' issue.



Thanks for catching that. I am attaching a patch which should solve this issue.


-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

From b79e839154d09fd1fadd35eb689fb9daba8ec88b Mon Sep 17 00:00:00 2001
From: Ana Krivokapic akriv...@redhat.com
Date: Thu, 11 Jul 2013 14:23:05 +0200
Subject: [PATCH] Use --ignore-dependencies only when necessary

Using the --ignore-dependencies switch was causing the ipactl stop command
not to stop all instances of dirsrv and dogtag. Make sure the switch is used
only when necessary, i.e. to prevent ipa-otpd.socket from getting stuck during
the shutdown transaction.

https://fedorahosted.org/freeipa/ticket/3730
https://fedorahosted.org/freeipa/ticket/3729
---
 ipapython/platform/base/systemd.py | 9 +
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/ipapython/platform/base/systemd.py b/ipapython/platform/base/systemd.py
index 84287e388f5ddeaf503f1a20579183716a75e677..f1220186840ffe62d9b0ded985532e7d0f8931ee 100644
--- a/ipapython/platform/base/systemd.py
+++ b/ipapython/platform/base/systemd.py
@@ -98,15 +98,16 @@ def __wait_for_open_ports(self, instance_name=):
 
 def stop(self, instance_name=, capture_output=True):
 instance = self.service_instance(instance_name)
+args = [/bin/systemctl, stop, instance]
 
 # The --ignore-dependencies switch is used to avoid possible
 # deadlock during the shutdown transaction. For more details, see
 # https://fedorahosted.org/freeipa/ticket/3729#comment:1 and
 # https://bugzilla.redhat.com/show_bug.cgi?id=973331#c11
-ipautil.run(
-[/bin/systemctl, stop, instance, --ignore-dependencies],
-capture_output=capture_output
-)
+if instance == ipa-otpd.socket:
+args.append(--ignore-dependencies)
+
+ipautil.run(args, capture_output=capture_output)
 
 if 'context' in api.env and api.env.context in ['ipactl', 'installer']:
 update_service_list = True
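Review bot: the special case `if instance == ipa-otpd.socket:` relies on `service_instance()` returning exactly that unit name, and the comment above it still reads as if --ignore-dependencies applied to every stop; suggest rewording it to say the switch is added only for ipa-otpd.socket and why the other units must not get it (the commit message explains it left dirsrv and dogtag instances running), so a later edit does not broaden the condition again.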
-- 
1.8.1.4

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0073] Remove support for IPA deployments with no persistent search

2013-07-11 Thread Ana Krivokapic
On 07/11/2013 11:20 AM, Tomas Babej wrote:
  boolean_var = {}
 -for var in ('persistent_search', 'serial_autoincrement'):
 +for var in ('serial_autoincrement'):
This won't work - a one element tuple needs a comma at the end:
('serial_autoincrement', )
  boolean_var[var] = yes if getattr(self, var, False) else no
  
  self.sub_dict = dict(FQDN=self.fqdn,
 @@ -607,9 +604,8 @@ class BindInstance(service.Service):
   SUFFIX=self.suffix,
   OPTIONAL_NTP=optional_ntp,
   ZONEMGR=self.zonemgr,
 - ZONE_REFRESH=self.zone_refresh,
   IPA_CA_RECORD=ipa_ca,
 - 
 PERSISTENT_SEARCH=boolean_var['persistent_search'],
 + PERSISTENT_SEARCH=yes,
   
 SERIAL_AUTOINCREMENT=boolean_var['serial_autoincrement'],)

But anyway, I think this piece of code is unnecessarily complicated, I don't see
a need for the 'boolean_var' dict here. I would suggest replacing it with
something like:

serial_autoincrement = yes if self.serial_autoincrement else no

and then pass serial_autoincrement to self.sub_dict = dict(...)


-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 412 Remove entitlement support

2013-07-11 Thread Alexander Bokovoy

On Thu, 27 Jun 2013, Martin Kosek wrote:

On 06/27/2013 12:32 PM, Jan Cholasta wrote:

On 26.6.2013 14:03, Tomas Babej wrote:

On 06/19/2013 10:31 AM, Petr Vobornik wrote:

On 06/19/2013 10:13 AM, Martin Kosek wrote:

Entitlements code was not tested nor supported upstream since
version 3.0. Remove the associated code.

https://fedorahosted.org/freeipa/ticket/3739



As agreed on Triage meeting, I plan to push this patch to ipa-3-2 and master
branches.

Martin




ACK on Web UI part.


ACK on the IPA part

Tomas



ipa-upgradeconfig fails for me when upgrading from version with entitlement
plugin to version without entitlement plugin:

2013-06-26T22:22:43Z DEBUG /usr/sbin/ipa-upgradeconfig was invoked with
options: {'debug': False, 'quiet': True}
2013-06-26T22:22:43Z DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
2013-06-26T22:22:43Z DEBUG importing all plugin modules in
'/usr/lib/python2.7/site-packages/ipalib/plugins'...
snip
2013-06-26T22:22:43Z DEBUG importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/entitle.py'
2013-06-26T22:22:43Z DEBUG   File
/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 614,
in run_script
return_value = main_function()

  File /usr/sbin/ipa-upgradeconfig, line 872, in main
api.finalize()

  File /usr/lib/python2.7/site-packages/ipalib/plugable.py, line 674, in
finalize
self.__do_if_not_done('load_plugins')

  File /usr/lib/python2.7/site-packages/ipalib/plugable.py, line 454, in
__do_if_not_done
getattr(self, name)()

  File /usr/lib/python2.7/site-packages/ipalib/plugable.py, line 613, in
load_plugins
self.import_plugins('ipalib')

  File /usr/lib/python2.7/site-packages/ipalib/plugable.py, line 655, in
import_plugins
__import__(fullname)

  File /usr/lib/python2.7/site-packages/ipalib/plugins/entitle.py, line 180,
in module
class entitle(LDAPObject):

  File /usr/lib/python2.7/site-packages/ipalib/plugins/entitle.py, line 184,
in entitle
container_dn = api.env.container_entitlements

2013-06-26T22:22:43Z DEBUG The ipa-upgradeconfig command failed, exception:
AttributeError: 'Env' object has no attribute 'container_entitlements'

Honza



This happens because we run ipa-upgradeconfig in %post while the entitlements
plugin was still present. I think that a clean solution for this plugin (and also
for other future occurrences of this issue) is to run the upgrade/server restart
process only in %posttrans.

In the end, I iterated to the attached patch. With this spec change, I was able
to upgrade from FreeIPA 3.2 to current master version without any entitlements
related upgrade error.

Adding Alexander and Rob to CC to double-check this upgrade-related change, I
want to be sure I didn't do something stupid.

The patch needed rebase and it also had formatting errors.
I've fixed the patch (attached) and tested it, all works.

--
/ Alexander Bokovoy
From b5e4b46a2a7c22de69cbd3841b7ce2625771018e Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Thu, 11 Jul 2013 17:35:26 +0300
Subject: [PATCH 2/2] Run server upgrade and restart in posttrans

Running server upgrade or restart in %post or %postun may cause issues when
there are still parts of old FreeIPA software (like entitlements plugin).

https://fedorahosted.org/freeipa/ticket/3739
---
 freeipa.spec.in | 25 -
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index f2847e1..05b43bc 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -468,13 +468,22 @@ rm -rf %{buildroot}
 # END
 if [ $1 -gt 1 ] ; then
 /bin/systemctl condrestart certmonger.service 21 || :
-/usr/sbin/ipa-upgradeconfig --quiet /dev/null || :
 fi
 
 %posttrans server
 # This must be run in posttrans so that updates from previous
 # execution that may no longer be shipped are not applied.
 /usr/sbin/ipa-ldap-updater --upgrade --quiet /dev/null || :
+/usr/sbin/ipa-upgradeconfig --quiet /dev/null || :
+
+# Restart IPA processes. This must be also run in postrans so that plugins
+# and software is in consistent state
+python -c import sys; from ipaserver.install import installutils; sys.exit(0 
if installutils.is_ipa_configured() else 1);  /dev/null 21
+# NOTE: systemd specific section
+if [  $? -eq 0 ]; then
+/bin/systemctl try-restart ipa.service /dev/null 21 || :
+fi
+# END
 
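Review bot: the comment at `# Restart IPA processes. This must be also run in postrans so that plugins` misspells the scriptlet name and reads awkwardly; suggest `# Restart IPA processes. This must also run in %posttrans so that plugins` / `# and software are in a consistent state.` Also, `if [  $? -eq 0 ]` treats any non-zero exit of the `python -c` probe, including an import failure of ipaserver, as "not configured" and silently skips the restart; that is the safe direction, but it deserves a comment since the probe's own output is discarded with `/dev/null 21`.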
 %preun server
 if [ $1 = 0 ]; then
@@ -484,14 +493,6 @@ if [ $1 = 0 ]; then
 # END
 fi
 
-%postun server
-if [ $1 -ge 1 ]; then
-# NOTE: systemd specific section
-/bin/systemctl --quiet is-active ipa.service /dev/null  \
-/bin/systemctl try-restart ipa.service /dev/null 21 || :
-# END
-fi
-
 %pre server
 # Stop ipa_kpasswd if it exists before upgrading so we don't have a
 # zombie process when we're done.
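Review bot: removing the `%postun server` block drops both the `$1 -ge 1` upgrade guard and the `is-active ipa.service` pre-check; the `try-restart` now in %posttrans only acts on running units, so the pre-check is redundant, but the only thing keeping fresh installs from restarting is the `is_ipa_configured()` probe. State that explicitly in the %posttrans comment so the dependency between the two hunks is visible to whoever edits the spec next.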
@@ -511,6 +512,8 @@ fi
 %post server-trust-ad
 %{_sbindir}/update-alternatives --install 
%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \

Re: [Freeipa-devel] [PATCHES] 0039-0040 systemd ipactl fixes

2013-07-11 Thread Alexander Bokovoy

On Thu, 11 Jul 2013, Ana Krivokapic wrote:

On 07/11/2013 11:38 AM, Alexander Bokovoy wrote:

On Thu, 11 Jul 2013, Alexander Bokovoy wrote:

On Wed, 10 Jul 2013, Ana Krivokapic wrote:

On 07/08/2013 08:32 AM, Alexander Bokovoy wrote:

On Thu, 20 Jun 2013, Ana Krivokapic wrote:

Hello,

Attached patches fix systemd and ipactl related bugs:

https://fedorahosted.org/freeipa/ticket/3730
https://fedorahosted.org/freeipa/ticket/3729

NACK. For me upgrade case fails (rpm -Uhv), dirsrv didn't restart on
upgrade properly and everything else has failed afterwards.



This was caused by 'systemctl is-active' returning exit status 3
('activating'), and our code treating the non-zero exit status as a failure. I
handled this case in the updated patch.

As for the ipa.service and dependency ordering, I have done some further
testing and found out that adding the '--ignore-dependencies' switch alone
solves the shutdown issue. So I think that no modification of the ipa.service
file is necessary.

Updated patches are attached.

This is much better. However, 'ipactl stop' doesn't stop ns-slapd and
dogtag:

What's important is the fact that now I can issue reboot and VM
restarts, not hangs, and then IPA starts properly on boot -- this is
because when ns-slapd gets a signal from systemd, it automatically shuts
itself down properly and the same happens to dogtag. This is good
enough so that I push current patches to master but please proceed on
fixing 'ipactl stop' issue.




Thanks for catching that. I am attaching a patch which should solve this issue.

Works now, I tried stop/start/restart, all processes were properly addressed.

Thanks!

--
/ Alexander Bokovoy

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH 0073] Remove support for IPA deployments with no persistent search

2013-07-11 Thread Tomas Babej
On Thursday 11 of July 2013 16:10:33 Ana Krivokapic wrote:
 On 07/11/2013 11:20 AM, Tomas Babej wrote:
   boolean_var = {}
  -for var in ('persistent_search', 'serial_autoincrement'):
  +for var in ('serial_autoincrement'):
 This won't work - a one element tuple needs a comma at the end:
 ('serial_autoincrement', )
   boolean_var[var] = yes if getattr(self, var, False) else no
   
   self.sub_dict = dict(FQDN=self.fqdn,
  @@ -607,9 +604,8 @@ class BindInstance(service.Service):
SUFFIX=self.suffix,
OPTIONAL_NTP=optional_ntp,
ZONEMGR=self.zonemgr,
  - ZONE_REFRESH=self.zone_refresh,
IPA_CA_RECORD=ipa_ca,
  - 
  PERSISTENT_SEARCH=boolean_var['persistent_search'],
  + PERSISTENT_SEARCH=yes,

  SERIAL_AUTOINCREMENT=boolean_var['serial_autoincrement'],)
 
 But anyway, I think this piece of code is unnecessarily complicated, I don't 
 see
 a need for the 'boolean_var' dict here. I would suggest replacing it with
 something like:
 
 serial_autoincrement = yes if self.serial_autoincrement else no
 
 and then pass serial_autoincrement to self.sub_dict = dict(...)
 
 

Attached patch refactored the relevant part of the code.

Tomas

From d56b32cb1961315bc1a23573ea7da843eaff36c2 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Mon, 3 Jun 2013 14:37:20 +0200
Subject: [PATCH] Remove support for IPA deployments with no persistent search

Drops the code from ipa-server-install, ipa-dns-install and the
BindInstance itself. Also changed ipa-upgradeconfig script so
that it does not set zone_refresh to 0 on upgrades, as the option
is deprecated.

https://fedorahosted.org/freeipa/ticket/3632
---
 install/share/bind.named.conf.template |  1 -
 install/tools/ipa-dns-install  | 24 -
 install/tools/ipa-server-install   | 24 -
 install/tools/ipa-upgradeconfig|  3 ++-
 install/tools/man/ipa-dns-install.1|  6 --
 install/tools/man/ipa-server-install.1 |  6 --
 ipaserver/install/bindinstance.py  | 39 --
 7 files changed, 20 insertions(+), 83 deletions(-)

diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template
index e4ce6058399e8d9a1f112f55907e060075dff00b..f78e18b5fd1d44e4d75d8b412994f2810ede8d97 100644
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -44,7 +44,6 @@ dynamic-db ipa {
 	arg auth_method sasl;
 	arg sasl_mech GSSAPI;
 	arg sasl_user DNS/$FQDN;
-	arg zone_refresh $ZONE_REFRESH;
 	arg psearch $PERSISTENT_SEARCH;
 	arg serial_autoincrement $SERIAL_AUTOINCREMENT;
 };
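Review bot: `arg psearch $PERSISTENT_SEARCH;` keeps a template variable that the bindinstance side, per the quoted hunk earlier in this thread, now always fills with `yes`; since persistent search is mandatory after this change, consider hardcoding `arg psearch yes;` here and dropping the substitution, otherwise the template suggests the value is still configurable.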
diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index 47bc31b4786c32caf97f20de3cbf20bc767dfe1d..1119093042e987dfdf8fd734ebbf4b19bfd8600f 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -52,16 +52,6 @@ def parse_options():
 parser.add_option(--zonemgr, action=callback, callback=bindinstance.zonemgr_callback,
   type=string,
   help=DNS zone manager e-mail address. Defaults to hostmaster@DOMAIN)
-# this option name has been deprecated, persistent search has been enabled by default
-parser.add_option(--zone-notif, dest=zone_notif,
-  action=store_true, default=False, help=SUPPRESS_HELP)
-parser.add_option(--no-persistent-search, dest=persistent_search,
-  default=True, action=store_false,
-  help=Do not enable persistent search feature in the name server)
-parser.add_option(--zone-refresh, dest=zone_refresh,
-  default=0, type=int,
-  help=When set to non-zero the name server will use DNS zone 
-   detection based on polling instead of a persistent search)
 parser.add_option(--no-serial-autoincrement, dest=serial_autoincrement,
   default=True, action=store_false,
   help=Do not enable SOA serial autoincrement)
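Review bot: this hunk deletes `--zone-notif`, `--no-persistent-search` and `--zone-refresh` outright instead of keeping them as hidden no-ops, so existing install scripts that pass any of them will now fail with an unknown-option error rather than the previous deprecation warning; the commit message only mentions zone_refresh, so either list the removed options there or keep them accepted with `SUPPRESS_HELP` and a warning for one release.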
@@ -80,18 +70,6 @@ def parse_options():
 if not options.forwarders and not options.no_forwarders:
 parser.error(You must specify at least one --forwarder option or --no-forwarders option)
 
-if options.zone_refresh  0:
-parser.error(negative numbers not allowed for --zone-refresh)
-elif options.zone_refresh  0:
-options.persistent_search = False   # mutually exclusive features
-
-if options.zone_notif:
-print sys.stderr, WARNING: --zone-notif option is deprecated and has no effect
-
-if options.serial_autoincrement and not options.persistent_search:
-parser.error('persistent search feature is required for '
-

Re: [Freeipa-devel] [PATCH 0073] Remove support for IPA deployments with no persistent search

2013-07-11 Thread Ana Krivokapic
On 07/11/2013 05:10 PM, Tomas Babej wrote:
 On Thursday 11 of July 2013 16:10:33 Ana Krivokapic wrote:
  On 07/11/2013 11:20 AM, Tomas Babej wrote:
   boolean_var = {}
   - for var in ('persistent_search', 'serial_autoincrement'):
   + for var in ('serial_autoincrement'):
  This won't work - a one element tuple needs a comma at the end:
  ('serial_autoincrement', )
   boolean_var[var] = yes if getattr(self, var, False) else no
  
   self.sub_dict = dict(FQDN=self.fqdn,
   @@ -607,9 +604,8 @@ class BindInstance(service.Service):
   SUFFIX=self.suffix,
   OPTIONAL_NTP=optional_ntp,
   ZONEMGR=self.zonemgr,
   - ZONE_REFRESH=self.zone_refresh,
   IPA_CA_RECORD=ipa_ca,
   - PERSISTENT_SEARCH=boolean_var['persistent_search'],
   + PERSISTENT_SEARCH=yes,
   SERIAL_AUTOINCREMENT=boolean_var['serial_autoincrement'],)
 
  But anyway, I think this piece of code is unnecessarily complicated, I
  don't see a need for the 'boolean_var' dict here. I would suggest replacing
  it with something like:
 
  serial_autoincrement = yes if self.serial_autoincrement else no
 
  and then pass serial_autoincrement to self.sub_dict = dict(...)
 
 Attached patch refactored the relevant part of the code.
 
 Tomas


ACK

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 3031 Allow TTL to be configured during ipa-client-install

2013-07-11 Thread James Hogarth
Hi,

SSSD 1.10 added the ability to configure the TTL used in dynamic DNS
updates.

This patch is the mirror of that rebased from the original patch submitted
a year ago onto current head.

This patch allows the user during ipa-client-install to pick the TTL to be
used on the creation of the client DNS records and configures the value in
sssd.conf so that ongoing changes to IP use the TTL as desired.

Cheers,

James


Allow-TTL-to-be-configured-during-ipa-client-install.patch
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCHES] 149-151 Ask for PKCS#12 password interactively

2013-07-11 Thread Rob Crittenden

Jan Cholasta wrote:

Hi,

the attached patches fix https://fedorahosted.org/freeipa/ticket/3717.

Also added a small patch to fix a formatting issue with
installutils.read_password.

Honza


Functionally ok but I found it very jarring the way the passwords were 
prompted for. I think they should be moved after the realm question and 
the text should be more than just the path to the filename.


rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


[Freeipa-devel] [PATCH] 1102 set correct content-type

2013-07-11 Thread Rob Crittenden
Set the correct content-type on negotiated XML-RPC requests. It was 
being set as text/plain when it should be text/xml.


rob
From edf8e41cfe1f5142ced53376f509f2e0d4439cfe Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Thu, 11 Jul 2013 16:46:34 -0400
Subject: [PATCH] Return the correct Content-type on negotiated XML-RPC
 requests.

https://fedorahosted.org/freeipa/ticket/3745
---
 ipaserver/rpcserver.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 203825ea0c6c023184c6dbd079a5f451808f91e4..eb9b0734ac4956cb0e65664ae1cb4004d72020de 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -699,6 +699,7 @@ class xmlserver(WSGIExecutioner, HTTP_Status, KerberosSession):
 
 self.debug('WSGI xmlserver.__call__:')
 user_ccache=environ.get('KRB5CCNAME')
+headers = [('Content-Type', 'text/xml; charset=utf-8')]
 if user_ccache is None:
 self.internal_error(environ, start_response,
 'xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment')
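Review bot: `headers = [('Content-Type', 'text/xml; charset=utf-8')]` is assigned before the `if user_ccache is None:` error branch, where it is never used; moving it just above the `try:` where both the finalize call and the except path consume it would make the data flow easier to follow.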
@@ -708,11 +709,10 @@ class xmlserver(WSGIExecutioner, HTTP_Status, KerberosSession):
 response = super(xmlserver, self).__call__(environ, start_response)
 if getattr(context, 'session_data', None) is None and \
   self.env.context != 'lite':
-self.finalize_kerberos_acquisition('xmlserver', user_ccache, environ, start_response)
+self.finalize_kerberos_acquisition('xmlserver', user_ccache, environ, start_response, headers)
 except PublicError, e:
 status = HTTP_STATUS_SUCCESS
 response = status
-headers = [('Content-Type', 'text/plain; charset=utf-8')]
 start_response(status, headers)
 return self.marshal(None, e)
 finally:
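Review bot: removing `headers = [('Content-Type', 'text/plain; charset=utf-8')]` from the except block fixes the error path, but the extra argument in `self.finalize_kerberos_acquisition('xmlserver', user_ccache, environ, start_response, headers)` is not shown as accepted anywhere in this diff; confirm that KerberosSession's method already takes an optional headers parameter, otherwise the session-acquisition path raises TypeError instead of returning the response.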
-- 
1.8.3.1

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel