Re: [Freeipa-devel] [PATCHES] 149-151 Ask for PKCS#12 password interactively
On 07/15/2013 10:57 AM, Jan Cholasta wrote: On 12.7.2013 10:19, Tomas Babej wrote: Just a nitpick: + # If any of the PKCS#12 options are selected, all are required. + pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12) + pkcs12_opt = (options.pkinit_pkcs12,) + if any(pkcs12_req + pkcs12_opt) and not all(pkcs12_req): parser.error(All PKCS#12 options are required if any are used.) This error message is somewhat misleading, since --pkinit-pkcs12 options is not required. Fixed. Updated patches attached. Honza The updated error message looks OK. ACK, pushed all 3 patches to master, ipa-3-2. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH 0079] Change shebang to absolute path in ipa-client-automount
Hi, this fixes the https://fedorahosted.org/freeipa/ticket/3811 Tomas From ed9014c9db13247dbf062af58f21ea583c476300 Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Tue, 23 Jul 2013 17:11:59 +0200 Subject: [PATCH] Change shebang to absolute path in ipa-client-automount https://fedorahosted.org/freeipa/ticket/3811 --- ipa-client/ipa-install/ipa-client-automount | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipa-client/ipa-install/ipa-client-automount b/ipa-client/ipa-install/ipa-client-automount index 346b474fef12ad814eedae5cc98380709eac38ff..8328976adb4d8949bdd400ff9d764b31dd85e5c3 100755 --- a/ipa-client/ipa-install/ipa-client-automount +++ b/ipa-client/ipa-install/ipa-client-automount @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/python # # Authors: # Rob Crittenden rcrit...@redhat.com -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
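Review bot: the replacement shebang on line 1 (`#!/usr/bin/python`) removes the `$PATH` lookup that `env` performed, but the interpreter still reads `PYTHONPATH`, `PYTHONHOME` and the other `PYTHON*` variables from the caller's environment when the tool is run. Consider `#!/usr/bin/python -E` here so that the invoking environment cannot influence the module search path.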
Re: [Freeipa-devel] [PATCH 0079] Change shebang to absolute path in ipa-client-automount
On Wed, Jul 24, 2013 at 12:39:07PM +0200, Tomas Babej wrote:
> Hi,
>
> this fixes the https://fedorahosted.org/freeipa/ticket/3811
>
> Tomas
>
> From ed9014c9db13247dbf062af58f21ea583c476300 Mon Sep 17 00:00:00 2001
> From: Tomas Babej tba...@redhat.com
> Date: Tue, 23 Jul 2013 17:11:59 +0200
> Subject: [PATCH] Change shebang to absolute path in ipa-client-automount
>
> https://fedorahosted.org/freeipa/ticket/3811
> ---
> ipa-client/ipa-install/ipa-client-automount | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/ipa-client/ipa-install/ipa-client-automount b/ipa-client/ipa-install/ipa-client-automount
> index 346b474fef12ad814eedae5cc98380709eac38ff..8328976adb4d8949bdd400ff9d764b31dd85e5c3 100755
> --- a/ipa-client/ipa-install/ipa-client-automount
> +++ b/ipa-client/ipa-install/ipa-client-automount

Running git grep shows

install/tools/ipa-compliance:#!/usr/bin/env python

-- shouldn't it be changed as well?

--
Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-devel] [PATCH 0079] Change shebang to absolute path in ipa-client-automount
On 07/24/2013 12:43 PM, Jan Pazdziora wrote:
> On Wed, Jul 24, 2013 at 12:39:07PM +0200, Tomas Babej wrote:
>> Hi,
>>
>> this fixes the https://fedorahosted.org/freeipa/ticket/3811
>>
>> Tomas
>>
>> From ed9014c9db13247dbf062af58f21ea583c476300 Mon Sep 17 00:00:00 2001
>> From: Tomas Babej tba...@redhat.com
>> Date: Tue, 23 Jul 2013 17:11:59 +0200
>> Subject: [PATCH] Change shebang to absolute path in ipa-client-automount
>>
>> https://fedorahosted.org/freeipa/ticket/3811
>> ---
>> ipa-client/ipa-install/ipa-client-automount | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/ipa-client/ipa-install/ipa-client-automount b/ipa-client/ipa-install/ipa-client-automount
>> index 346b474fef12ad814eedae5cc98380709eac38ff..8328976adb4d8949bdd400ff9d764b31dd85e5c3 100755
>> --- a/ipa-client/ipa-install/ipa-client-automount
>> +++ b/ipa-client/ipa-install/ipa-client-automount
>
> Running git grep shows
>
> install/tools/ipa-compliance:#!/usr/bin/env python
>
> -- shouldn't it be changed as well?

That tool was removed recently. Update your repo :)

--
Petr³
Re: [Freeipa-devel] [PATCH 0079] Change shebang to absolute path in ipa-client-automount
On Wednesday 24 of July 2013 12:43:49 Jan Pazdziora wrote:
> On Wed, Jul 24, 2013 at 12:39:07PM +0200, Tomas Babej wrote:
>> Hi,
>>
>> this fixes the https://fedorahosted.org/freeipa/ticket/3811
>>
>> Tomas
>>
>> From ed9014c9db13247dbf062af58f21ea583c476300 Mon Sep 17 00:00:00 2001
>> From: Tomas Babej tba...@redhat.com
>> Date: Tue, 23 Jul 2013 17:11:59 +0200
>> Subject: [PATCH] Change shebang to absolute path in ipa-client-automount
>>
>> https://fedorahosted.org/freeipa/ticket/3811
>> ---
>> ipa-client/ipa-install/ipa-client-automount | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/ipa-client/ipa-install/ipa-client-automount b/ipa-client/ipa-install/ipa-client-automount
>> index 346b474fef12ad814eedae5cc98380709eac38ff..8328976adb4d8949bdd400ff9d764b31dd85e5c3 100755
>> --- a/ipa-client/ipa-install/ipa-client-automount
>> +++ b/ipa-client/ipa-install/ipa-client-automount
>
> Running git grep shows
>
> install/tools/ipa-compliance:#!/usr/bin/env python
>
> -- shouldn't it be changed as well?

It seems that you don't have updated repository.

[tbabej@thinkpad7 freeipa]$ git grep /usr/bin/env
ipa-client/ipa-install/ipa-client-automount:#!/usr/bin/env python

The ipa-compliance script has been removed recently. It is no longer in either master or ipa-3-2 branch. See Martin's commit 77ae4da70632e17b6be09e9ad71fc353b3bad96e.

Tomas
Re: [Freeipa-devel] [PATCH 0079] Change shebang to absolute path in ipa-client-automount
On 07/24/2013 12:39 PM, Tomas Babej wrote:
> Hi,
>
> this fixes the https://fedorahosted.org/freeipa/ticket/3811
>
> Tomas

Shouldn't we also add '-E' parameter like we do in other install tools' shebang?

Martin
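The check behind the `git grep /usr/bin/env` run and the `-E` question in this thread, as an added example that is not FreeIPA code: it walks a tree and reports Python shebangs that either resolve the interpreter through `$PATH` or start it without `-E` (which makes Python ignore the `PYTHON*` environment variables). The function names and the sample file names are assumptions made up for the illustration.

```python
"""Added example (not FreeIPA code): audit Python shebangs in a source tree."""
import os
import tempfile

OK, ENV_LOOKUP, NO_E, NOT_PYTHON = "ok", "env-lookup", "no-E", "not-python"


def classify_shebang(first_line):
    """Classify the first line of a script.

    env-lookup: the interpreter is found by searching the caller's $PATH
    no-E:       absolute interpreter, but PYTHON* variables are still honoured
    ok:         absolute interpreter started with -E
    """
    if not first_line.startswith("#!"):
        return NOT_PYTHON
    words = first_line[2:].split()
    if not words:
        return NOT_PYTHON
    interp, args = words[0], words[1:]
    if os.path.basename(interp) == "env":
        # Skip env's own options (such as -S) to find the command it looks up.
        command = next((w for w in args if not w.startswith("-")), "")
        if os.path.basename(command).startswith("python"):
            return ENV_LOOKUP
        return NOT_PYTHON
    if not os.path.basename(interp).startswith("python"):
        return NOT_PYTHON
    # -E may be bundled with other single-letter flags, e.g. "-Es".
    for arg in args:
        if arg.startswith("-") and not arg.startswith("--") and "E" in arg:
            return OK
    return NO_E


def audit_tree(root):
    """Return (finding, relative_path) pairs, sorted by path, for shebangs that are not ok."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as handle:
                    raw = handle.readline(256)
            except OSError:
                continue  # unreadable file: nothing to classify
            first = raw.decode("utf-8", "replace").rstrip("\r\n")
            finding = classify_shebang(first)
            if finding in (ENV_LOOKUP, NO_E):
                findings.append((finding, os.path.relpath(path, root)))
    return sorted(findings, key=lambda item: item[1])


def build_sample_tree(root):
    """Write a constructed sample tree; the file names are made up."""
    samples = {
        "tool-env": "#!/usr/bin/env python\n",
        "tool-abs": "#!/usr/bin/python\n",
        "tool-abs-E": "#!/usr/bin/python -E\n",
        "sub/tool-bundled": "#!/usr/bin/python2.7 -Es\n",
        "tool-sh": "#!/bin/sh\n",
        "README": "no shebang here\n",
    }
    for rel, first_line in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as handle:
            handle.write(first_line + "# body omitted\n")


def run_demo():
    """Build the constructed tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_tree(root)


if __name__ == "__main__":
    for finding, path in run_demo():
        print(f"{finding:11} {path}")
```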
Re: [Freeipa-devel] [PATCH 0080] Move requirement for keyutils to freeipa-python package
Hi,

On 24.7.2013 12:40, Tomas Babej wrote:
> Hi,
>
> There was already a dependency in server package, however, the correct place for such dependency is in freeipa-python, since the relevant code using keyutils resides there. Both freeipa-server and freeipa-client require freeipa-python.
>
> https://fedorahosted.org/freeipa/ticket/3808
>
> Tomas

Please add a changelog entry.

Honza

--
Jan Cholasta
[Freeipa-devel] [PATCHES] Fix C compiler warnings
ehlo, Three patches are attached. PATCH 1: fixes warning: passing argument from incompatible pointer type another posiible solution is to cast (void *(*) (void *)) function pointer at function call pthread_create. PATCH 2: Remove unused variable PATCH 3: warning: variable was set, but it was not used. failcnt_interval = slapi_entry_attr_get_uint(policy_entry, krbPwdFailureCountInterval); ^^ Variable failcnt_interval is not used after this line. If this variable should be realy unused, then I can squash 3rd patch to 2nd. else PATCH 3 only remove warrning and does not fix problem. LS From a186f016a6bbfec60cceacde82cf505ecef1b646 Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik lsleb...@redhat.com Date: Tue, 23 Jul 2013 00:37:32 +0200 Subject: [PATCH 1/3] Use right function prototype for thread function warning: passing argument from incompatible pointer type --- daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.h| 3 ++- daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.h b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.h index ae0b06f..7b0c2aa 100644 --- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.h +++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.h @@ -98,7 +98,8 @@ struct ipa_cldap_req { struct kvp_list kvps; }; -void *ipa_cldap_worker(struct ipa_cldap_ctx *ctx); +/*void *ipa_cldap_worker(struct ipa_cldap_ctx *ctx);*/ +void *ipa_cldap_worker(void *arg); int ipa_cldap_netlogon(struct ipa_cldap_ctx *ctx, struct ipa_cldap_req *req, diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c index 37de786..df7cc11 100644 --- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c +++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c 
@@ -314,11 +314,12 @@ static struct ipa_cldap_req *ipa_cldap_recv_dgram(struct ipa_cldap_ctx *ctx) return req; } -void *ipa_cldap_worker(struct ipa_cldap_ctx *ctx) +void *ipa_cldap_worker(void *arg) { struct ipa_cldap_req *req; struct pollfd fds[2]; bool stop = false; +struct ipa_cldap_ctx *ctx = (struct ipa_cldap_ctx *) arg; int ret; while (!stop) { -- 1.8.3.1 From c85ab04e5346d6c180fc7a0fac802a3bf05b2b39 Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik lsleb...@redhat.com Date: Tue, 23 Jul 2013 00:42:33 +0200 Subject: [PATCH 2/3] Remove unused variable --- daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c | 1 - 1 file changed, 1 deletion(-) diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c index 0b3b841..6b5ae04 100644 --- a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c +++ b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c @@ -393,7 +393,6 @@ static int ipalockout_postop(Slapi_PBlock *pb) Slapi_Entry *target_entry = NULL; Slapi_Entry *policy_entry = NULL; Slapi_DN *sdn = NULL; -Slapi_DN *pdn = NULL; Slapi_PBlock *pbtm = NULL; Slapi_Mods *smods = NULL; Slapi_Value *objectclass = NULL; -- 1.8.3.1 From eff291b99a44e3cb107835bd7d90ef7574cdeb14 Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik lsleb...@redhat.com Date: Tue, 23 Jul 2013 00:43:07 +0200 Subject: [PATCH 3/3] Remove unused variable Variable was set, but it was not used. --- daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c index 6b5ae04..9e903aa 100644 --- a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c +++ b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c 
@@ -668,7 +668,6 @@ static int ipalockout_preop(Slapi_PBlock *pb) int ret = LDAP_SUCCESS; unsigned long failedcount = 0; time_t time_now; -unsigned int failcnt_interval = 0; unsigned int max_fail = 0; unsigned int lockout_duration = 0; time_t last_failed = 0; @@ -737,7 +736,6 @@ static int ipalockout_preop(Slapi_PBlock *pb) failedcount = slapi_entry_attr_get_ulong(target_entry, krbLoginFailedCount); time_now = time(NULL); -failcnt_interval = slapi_entry_attr_get_uint(policy_entry, krbPwdFailureCountInterval); lockout_duration = slapi_entry_attr_get_uint(policy_entry, krbPwdLockoutDuration); lastfail = slapi_entry_attr_get_charptr(target_entry, krbLastFailedAuth); -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
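Review bot: in the ipa_cldap.h hunk of patch 1/3 the old prototype is left behind as a comment (`/*void *ipa_cldap_worker(struct ipa_cldap_ctx *ctx);*/`); drop it, since the history already records the previous signature and a stale prototype in a header invites doubt about which one is current. In the ipa_cldap_worker.c hunk the explicit `(struct ipa_cldap_ctx *)` cast on `arg` is redundant in C, because `void *` converts implicitly.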
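Review bot: in the second ipalockout_preop hunk of patch 3/3, deleting the `slapi_entry_attr_get_uint(policy_entry, krbPwdFailureCountInterval)` read silences the set-but-unused warning, but it also means the policy's failure count interval is never consulted in this pre-operation path while `krbPwdLockoutDuration` still is. Before removing it, confirm whether the lockout decision was meant to take the interval into account; if so, the fix is to use the value, not to drop the read.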
Re: [Freeipa-devel] [PATCH 0080] Move requirement for keyutils to freeipa-python package
On 24.7.2013 13:52, Tomas Babej wrote:
> On Wednesday 24 of July 2013 13:19:29 Jan Cholasta wrote:
>> Hi,
>>
>> On 24.7.2013 12:40, Tomas Babej wrote:
>>> Hi,
>>>
>>> There was already a dependency in server package, however, the correct place for such dependency is in freeipa-python, since the relevant code using keyutils resides there. Both freeipa-server and freeipa-client require freeipa-python.
>>>
>>> https://fedorahosted.org/freeipa/ticket/3808
>>>
>>> Tomas
>>
>> Please add a changelog entry.
>>
>> Honza
>>
>> --
>> Jan Cholasta
>
> Added.
>
> Tomas

ACK.

--
Jan Cholasta
Re: [Freeipa-devel] [PATCH 0079] Change shebang to absolute path in ipa-client-automount
On Wed, Jul 24, 2013 at 12:52:31PM +0200, Petr Viktorin wrote:
> That tool was removed recently. Update your repo :)

Ah, I had some uncommitted change so git pull did not do what I meant it to do (and I ignored the warning it gave me). Sorry about the noise.

--
Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-devel] [PATCHES] 0245-0250 Add the ipa-test-task-tool
On 17.7.2013 14:45, Petr Viktorin wrote:
> On 07/16/2013 05:25 PM, Petr Viktorin wrote:
>> This exposes tasks such as installation, uninstallation, clean-up should be available as CLI commands so they're available for non-Python tests.
>> https://fedorahosted.org/freeipa/ticket/3721
>>
>> It also allows tests to install IPA in a specific topology by setting the `topology` attribute to 'star', 'line', 'tree', etc. (so far only 'star' or none was supported).
>>
>> The first patches contain some refactoring/enhancements needed to make this possible.
>
> I found a bug in patch 0246 and a typo in 0249. This update fixes them.

Patch 245:

Since you use tar -J, I think it might make sense to add tar and xz to freeipa-tests requires.

Otherwise it looks good to me.

Honza

--
Jan Cholasta
Re: [Freeipa-devel] [PATCHES] 0245-0250 Add the ipa-test-task-tool
On 07/24/2013 02:39 PM, Jan Cholasta wrote: On 17.7.2013 14:45, Petr Viktorin wrote: On 07/16/2013 05:25 PM, Petr Viktorin wrote: This exposes tasks such as installation, uninstallation, clean-up should be available as CLI commands so they're available for non-Python tests. https://fedorahosted.org/freeipa/ticket/3721 It also allows tests to install IPA in a specific topology by setting the `topology` attribute to 'star', 'line', 'tree', etc. (so far only 'star' or none was supported). The first patches contain some refactoring/enhancements needed to make this possible. I found a bug in patch 0246 and a typo in 0249. This update fixes them. Patch 245: Since you use tar -J, I think it might make sense to add tar and xz to freeipa-tests requires. Thanks for the catch. That patch just moves the code around, it doesn't introduce the dependencies. Here's a separate patch to change the spec file. Otherwise it looks good to me. Thanks for the review -- Petr³ From 4a932bb882caa96924f7b446a9e3149a353843a1 Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Wed, 24 Jul 2013 14:43:43 +0200 Subject: [PATCH] Add tar and xz dependencies to the freeipa-tests package The beakerLib plugin collects log files via compressed tarballs, so these dependencies are needed --- freeipa.spec.in | 5 + 1 file changed, 5 insertions(+) diff --git a/freeipa.spec.in b/freeipa.spec.in index 52e90bf3db514d899f37a8c0e97684bac8366337..912eeaffbc238c35cd788ca70624c4bf13c11e5d 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -297,6 +297,8 @@ package. Summary: IPA tests and test tools Requires: %{name}-client = %{version}-%{release} Requires: %{name}-python = %{version}-%{release} +Requires: tar +Requires: xz Requires: python-nose Requires: python-paste Requires: python-coverage 
@@ -827,6 +829,9 @@ fi %endif # ! %{ONLY_CLIENT} %changelog +* Wed Jul 14 2013 Petr Viktorin pvikt...@redhat.com - 3.2.99-2 +- Add tar and xz dependencies to freeipa-tests + * Thu Jul 18 2013 Ana Krivokapic akriv...@redhat.com - 3.2.99-8 - Bump minimum version of sssd to 1.10.90 for the 'ipa_server_mode' option. -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
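Review bot: the new %changelog entry in the second hunk is dated `Wed Jul 14 2013`, but 14 July 2013 was a Sunday and the patch itself is dated Wed, 24 Jul 2013, so the day of the month looks mistyped; rpmbuild warns about bogus changelog dates. The entry also carries release `3.2.99-2` while sitting above the `3.2.99-8` entry from Jul 18. Changelog entries are expected newest first with a release that does not go backwards, so this one needs the corrected date and a release later than 3.2.99-8.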
Re: [Freeipa-devel] [PATCH] 0047 Honor 'enabled' option for widgets
On 07/23/2013 06:09 PM, Petr Vobornik wrote: On 07/22/2013 04:46 PM, Ana Krivokapic wrote: On 07/18/2013 09:47 AM, Petr Vobornik wrote: On 07/17/2013 09:18 PM, Ana Krivokapic wrote: Hello, This patch addresses ticket https://fedorahosted.org/freeipa/ticket/3793. Hello, 1) IMO we should not create attribute which is just a negation of another. 2) We should add set_enabled method to base widget. Existing set_enabled methods should use it and maintain widget output consistent with the attribute (ie. one should not directly set the attr and should use set_enabled instead). The method should be also callable when content is not yet created. get_enabled methods might become unnecessary - one can get the state form 'enabled' attribute. The attached updated patch implements the following changes: 1) set_enabled method has been added to the base widget class. 2) get_enabled/is_enabled methods have been removed. 3) Widget classes that inherit from the base widget class override the set_enabled method where necessary. 4) Using 'enabled: true/false' in the widget definition should now work correctly for all types of widgets. Thanks. 1. set_enabled method in input_widget uses `that.input`. Input widget is a base class which doesn't set the property and therefore we can't be certain that the descendant will set it. Also it may break when you call set_enabled(val) before create() . We should test for `that.input` presence. Same content-created test should be perform on other places: widget.js:1017,1147,2006 2. The changes in option_widget_base break disabling if user doesn't have write-rights. (can be reproduced when navigated (by manual change of url) to service in self-service. Note the differences between read_only, writable and enabled: * read_only - reflects metadata * writable - reflects ACL * enabled - context specific read_only and writable don't offer edit interface (label instead of textbox). Enabled controls disabled state of textbox. 
For some widgets the result might be the same (radios, checkboxes). option_widget_base.set_enabled should be changed. The mixin overwrites the original method and therefore doesn't set 'enabled' property. 3. multiple_choice_section.set_enabled should be renamed. It's related to individual choices and not the widget itself. And then new set_enabled should be added which would call the old one for each choice. 4. widget.js:3870 - not sure if it's needed but if so, one should also change `action_clicked` method. All fixed. Updated patch attached. Thanks for the review. -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. From cd2bd3ad6f4596c56042a6e3d8c76596f7b4e6e8 Mon Sep 17 00:00:00 2001 From: Ana Krivokapic akriv...@redhat.com Date: Wed, 17 Jul 2013 21:13:42 +0200 Subject: [PATCH] Honor 'enabled' option for widgets. https://fedorahosted.org/freeipa/ticket/3793 --- install/ui/src/freeipa/association.js | 1 - install/ui/src/freeipa/dns.js | 3 +- install/ui/src/freeipa/facet.js | 2 +- install/ui/src/freeipa/rule.js| 2 - install/ui/src/freeipa/widget.js | 127 ++ 5 files changed, 85 insertions(+), 50 deletions(-) diff --git a/install/ui/src/freeipa/association.js b/install/ui/src/freeipa/association.js index c60c7b8afe9c16ae55e5147574664c60afc43d3e..ad427d66b6b98119b2eb577ae98e4b7c2f1a6932 100644 --- a/install/ui/src/freeipa/association.js +++ b/install/ui/src/freeipa/association.js @@ -530,7 +530,6 @@ IPA.association_table_widget = function (spec) { $('.action-button', that.table).addClass('action-button-disabled'); that.unselect_all(); } -that.enabled = enabled; }; that.select_changed = function() { diff --git a/install/ui/src/freeipa/dns.js b/install/ui/src/freeipa/dns.js index b4085fea8b792e7f642a10373207916886ff50be..0a0fd3f85b33f51c474f3e6a47cca00ae9ffcfe9 100644 --- a/install/ui/src/freeipa/dns.js +++ b/install/ui/src/freeipa/dns.js 
@@ -603,7 +603,7 @@ IPA.dnszone_adder_dialog = function(spec) { var zone = zone_w.save()[0] || ''; var ns = ns_w.save()[0] || ''; -var zone_is_reverse = !zone_w.is_enabled() || +var zone_is_reverse = !zone_w.enabled || ends_with(zone, '.in-addr.arpa.') || ends_with(zone, '.ip6.arpa.'); var relative_ns = true; @@ -1767,7 +1767,6 @@ IPA.dns.record_type_table_widget = function(spec) { $('.action-button', that.table).addClass('action-button-disabled'); that.unselect_all(); } -that.enabled = enabled; }; that.select_changed = function() { diff --git a/install/ui/src/freeipa/facet.js b/install/ui/src/freeipa/facet.js index 37106e22f44b2fb50fc79b8183cc62e9eb35b6e4..b01452dd718b894ecb66d29f70242779ff75cfa4 100644 --- a/install/ui/src/freeipa/facet.js +++
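Review bot: the association.js and dns.js hunks delete `that.enabled = enabled;` from the set_enabled overrides of association_table_widget and record_type_table_widget, while dnszone_adder_dialog now reads `zone_w.enabled` directly instead of calling `is_enabled()`. The property is therefore only correct if every override delegates to the base widget's set_enabled, and that call is not visible in these hunks; please confirm each override calls the base method first, otherwise these table widgets will report a stale `enabled` state.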
[Freeipa-devel] Announcing FreeIPA 3.3.0 Beta 1
The FreeIPA team is proud to announce FreeIPA v3.3.0 Beta 1.

It can be downloaded from http://www.freeipa.org/page/Downloads. As this is a Beta release and Fedora 19 is now stable, there is no public Fedora build at this time.

Please note, that you can help us test the new release in tomorrow's FreeIPA 3.3 Fedora 19 Test Day! See:
https://fedoraproject.org/wiki/Test_Day:2013-07-25_AD_trusts_with_POSIX_attributes_in_AD_and_support_for_old_clients

== Highlights in 3.3 beta 1 ==

=== New features for 3.3 ===
* Active Directory integration:
** Support of externally defined POSIX attributes for Active Directory trusted domains
** Automatic discovery of Active Directory identity mapping configuration
** Support of trusted domain users for legacy clients
** Identity mapping for AD users can now be delegated
* Performance improvements in processing large number of users and groups
* Automated integration testing infrastructure
* ipa-advise utility is added to generate client setup advice based on an IPA master configuration
* FreeIPA-specific SELinux policies have been merged to the main SELinux policy in Fedora 19
* SSSD 1.11 is required

=== Active Directory integration ===
Starting with FreeIPA 3.3, it is possible to define identity ranges for a trusted Active Directory domain that rely on POSIX attributes provided by AD DC instead of generating them out of corresponding security identifiers. This functionality requires Services for Unix (SFU) or Server for NIS enabled on Active Directory side and is provided mostly to aid with migration to SID-based mapping.

In order to support externally defined POSIX attributes, identity ranges have been extended to support new range types:
* AD trust with SID-based mapping: 'ipa-ad-trust' (default)
* SFU support: 'ipa-ad-trust-posix'

'ipa-ad-trust-posix' range type is activated when range discovery finds out SFU is in use by Active Directory domain. To override automatic detection, --range-type=ipa-ad-trust can be specified to 'ipa trust-add' command.

FreeIPA 3.3 requires SSSD 1.11 on the IPA master in order to support externally defined POSIX attributes in AD.

More details: http://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD

FreeIPA 3.3 provides a new way to enable legacy clients to support trusted domain users. A compatibility tree, provided by slapi-nis, can now be configured to look up trusted domain users and handle authentication for them. This functionality relies on SSSD 1.11 and an experimental patch for slapi-nis. One can enable legacy clients support by running ipa-adtrust-install and answering positively to the corresponding question.

More details: http://www.freeipa.org/page/V3/Serving_legacy_clients_for_trusts

Finally, SSSD 1.11 is used to query identity information about trusted domains' users from within IPA framework, including SID to name and name to SID resolution. In addition to speed improvements, FreeIPA 3.3 allows to manage mappings for trusted domains' users without requiring elevated privileges of 'trust admins'.

=== Performance improvements ===
When acting on large datasets, FreeIPA now reduces number of potential read roundtrips required to update user and group information. When scaled to thousands of users and groups, this shortens the time required by certain operations tenfold.

=== Automated testing infrastructure ===
The FreeIPA team has been providing self-testing code for a long time. The FreeIPA 3.3 test suite includes a framework for integration tests that verify functionality such as replication across several machines. Tests can be run manually, or by test automation servers such as Jenkins or Beaker.

Development builds now create a freeipa-tests RPM containing the test suite and related tools. However, as the focus is on testing development code, this package will not be released to Fedora yet.

More details: http://www.freeipa.org/page/V3/Integration_testing

Additionally, it is now possible to run Web UI tests through the test suite.

More details: http://www.freeipa.org/page/Web_UI_Integration_Tests

=== IPA advise tool ===
FreeIPA 3.3 introduces new framework to generate recipes of configuration based on how IPA master is configured. These recipes can be taken to the target client systems and used there to configure them for a specific task. We expect to expand use of 'ipa-advise' tool to cover at least configuration of legacy systems in subsequent releases. Contributions are always welcome to grow capabilities of 'ipa-advise' tool to other areas.

More details: http://www.freeipa.org/page/V3/Serving_legacy_clients_for_trusts#Major_configuration_options_and_enablement

=== SELinux policy ===
SELinux policies specific to FreeIPA have been merged back to the main SELinux policy package in Fedora 19. Starting with FreeIPA 3.2.2 (available in Fedora 19 updates) SELinux policy is no longer provided by freeipa-selinux package and the package is removed in favor of selinux-policy package.

=== SSSD 1.11 is
Re: [Freeipa-devel] [PATCH 0080] Move requirement for keyutils to freeipa-python package
On 07/24/2013 01:56 PM, Jan Cholasta wrote:
> On 24.7.2013 13:52, Tomas Babej wrote:
>> On Wednesday 24 of July 2013 13:19:29 Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 24.7.2013 12:40, Tomas Babej wrote:
>>>> Hi,
>>>>
>>>> There was already a dependency in server package, however, the correct place for such dependency is in freeipa-python, since the relevant code using keyutils resides there. Both freeipa-server and freeipa-client require freeipa-python.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/3808
>>>>
>>>> Tomas
>>>
>>> Please add a changelog entry.
>>>
>>> Honza
>>>
>>> --
>>> Jan Cholasta
>>
>> Added.
>>
>> Tomas
>
> ACK.

Rebased changelog and pushed to master and ipa-3-2.

master: d094481ea6c8e04aff36414c569673a380a7863a
ipa-3-2: 756deb013755d04b4ae0b14019beb23447b3e175

--
Petr³
Re: [Freeipa-devel] [Freeipa-users] FreeIPA AD Trust improvements, Fedora 19 Test Day, July 25th
Please note that the FreeIPA Fedora 19 Test Day is happening tomorrow!

Thanks in advance to all volunteers helping us test the new Active Directory Trust features.

The FreeIPA Team

On 07/19/2013 11:56 PM, Dmitri Pal wrote:
> Hello,
>
> The FreeIPA team is happy to welcome you to a Fedora Test Day that is being held on Thursday, July 25th.
>
> We would like to invite you to take part in testing of the upcoming FreeIPA 3.3 release containing 2 major improvements for easier deployment of FreeIPA Active Directory Trust feature to existing environments:
>
> 1) Use POSIX attributes defined in Active Directory [1]
>
> With previous FreeIPA releases, users coming from Active Directory to FreeIPA managed machines were always assigned POSIX attributes (UID and GID) by algorithmic mapping. However, in some deployments, Active Directory users and groups already have defined custom POSIX attribute values (UID and GID), which may then be leveraged on Linux machines via other 3rd party Active Directory integration solutions. Administrator may choose to keep the values to not disrupt file ownerships.
>
> With FreeIPA 3.3, FreeIPA Active Directory Trust may be configured to use these attributes when Active Directory user authenticates to Linux machines.
>
> 2) Expose POSIX data on legacy systems without recent SSSD
>
> Administrators may have a deployment of machines which cannot use the recent SSSD with Active Directory Trust support but would still like to be able to authenticate with Active Directory user to these machines. This may affect for example older Linux machines, UNIX machines.
>
> With FreeIPA 3.3, Administrator may configure a compatibility LDAP tree which will contain identities of the Active Directory users to the legacy systems. These systems may then leverage standard LDAP authentication in this tree allowing selected Active Directory users to authenticate.
>
> To read more about the Test Day and suggested tests, see the following link:
> https://fedoraproject.org/wiki/Test_Day:2013-07-25_AD_trusts_with_POSIX_attributes_in_AD_and_support_for_old_clients
>
> Thank you for your help and participation!
> The FreeIPA team
>
> [1] http://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD
> [2] http://www.freeipa.org/page/V3/Serving_legacy_clients_for_trusts
>
> [IdM | IPA] FAQs: https://url.corp.redhat.com/idm-faq
> Identity Management SME Team on Docspace https://url.corp.redhat.com/sme-idm
> Search the archives: post-office.corp.redhat.com/mailman/listinfo/idm-tech
>
> ___
> Freeipa-users mailing list
> freeipa-us...@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-devel] [PATCH 0081] Skip referrals when converting LDAP result to LDAPEntry
Hi, When converting the result obtained by python-ldap library, we need to skip unresolved referral entries, since they cannot be converted. https://fedorahosted.org/freeipa/ticket/3814 TomasFrom 701ce525d52a1797cbdc511f0a57fe08a57a6766 Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Wed, 24 Jul 2013 21:59:49 +0200 Subject: [PATCH] Skip referrals when converting LDAP result to LDAPEntry When converting the result obtained by python-ldap library, we need to skip unresolved referral entries, since they cannot be converted. https://fedorahosted.org/freeipa/ticket/3814 --- ipapython/ipaldap.py | 5 + 1 file changed, 5 insertions(+) diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py index 6873511c44427edc4a7e573bb04da00732a63028..aa852f003e42c35f655010f6e16a780aa6c415df 100644 --- a/ipapython/ipaldap.py +++ b/ipapython/ipaldap.py @@ -425,6 +425,11 @@ class IPASimpleLDAPObject(object): original_dn = dn_tuple[0] original_attrs = dn_tuple[1] +# original_dn is None if referral instead of an entry was +# returned from the LDAP server, we need to skip this item +if original_dn is None: +continue + ipa_entry = LDAPEntry(self, DN(original_dn)) for attr, original_values in original_attrs.items(): -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
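Review bot: in the ipaldap.py hunk the `if original_dn is None: continue` branch discards referral results without any trace, so a caller cannot tell a complete result set from one where the server pointed elsewhere. Consider logging the skipped referral at debug level (python-ldap returns a search reference as a tuple whose DN is None and whose second element holds the referral URLs, which is what `original_attrs` contains at that point), and reword the comment to state that directly.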