Re: [Freeipa-devel] [PATCH] 440 Server does not detect different server and IPA domain

2013-11-08 Thread Ana Krivokapic

On 11/06/2013 10:19 AM, Martin Kosek wrote:

Server installer does not properly recognize a situation when server
fqdn is not in a subdomain of the IPA domain, but shares the same
suffix.

For example, if server FQDN is ipa-idm.example.com and domain
is idm.example.com, server's FQDN is not in the main domain, but
installer does not recognize that. Proper Kerberos realm-domain
mapping is not created in this case and server does not work
(httpd reports gssapi errors).

https://fedorahosted.org/freeipa/ticket/4012



___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


ACK

--
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.
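
Added example (not part of the original messages and not FreeIPA's installer code): the case from patch 440, assuming the missed detection comes from comparing names as plain strings rather than label by label. The function names and the host-specific [domain_realm] line are illustrative assumptions.

```python
def naive_in_domain(fqdn, domain):
    # Plain suffix test: "ipa-idm.example.com" ends with "idm.example.com",
    # so this wrongly reports the host as being inside the domain.
    return fqdn.lower().rstrip(".").endswith(domain.lower().rstrip("."))


def _labels(name):
    # Split a DNS name into lower-cased labels, ignoring a trailing dot.
    return name.lower().rstrip(".").split(".")


def in_domain(fqdn, domain):
    """True only if fqdn equals domain or sits below it on a label boundary."""
    host, dom = _labels(fqdn), _labels(domain)
    return len(host) >= len(dom) and host[-len(dom):] == dom


def domain_realm_lines(fqdn, domain, realm):
    """krb5.conf [domain_realm] lines for this host (illustrative only)."""
    lines = [".%s = %s" % (domain, realm), "%s = %s" % (domain, realm)]
    if not in_domain(fqdn, domain):
        # The domain-wide mappings above do not cover a host that lives
        # outside the IPA domain, so it needs an explicit entry.
        lines.append("%s = %s" % (fqdn.lower().rstrip("."), realm))
    return lines


if __name__ == "__main__":
    # Names taken from the bug description in the message above.
    for line in domain_realm_lines("ipa-idm.example.com",
                                   "idm.example.com", "IDM.EXAMPLE.COM"):
        print(line)
```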


Re: [Freeipa-devel] [PATCHES] 198-202 Refactor indirect membership processing

2013-11-08 Thread Petr Viktorin

I hit Send by mistake; continuing review:


On 11/08/2013 03:14 PM, Petr Viktorin wrote:

On 10/31/2013 02:45 PM, Jan Cholasta wrote:

Hi,

the attached patches fix .

Tested with 25000 users.

Honza


Patch 198:

Also update ipaldap's find_entries docstring, it no longer uses IPA
defaults.


While you're touching this part of code, I had some other improvements
in mind -- you can consider them:

In find_entries,
 attrs_list = [a.lower() for a in attrs_list]
to make sure 'memberindirect' is case insensitive



In get_memberof, construct `indirect` as a set, for O(1) remove().

^ ignore that, it's nuked in 201 \o/


Changing MEMBERS_ALL et al. from numbers to descriptive strings, for
easier debugging.

^ these can be removed entirely in 201




Patch 199: Looks great


Patch 200:

objtype, res_list, red_id, res_ctrls = result
Minor typo --^


This construction won't work as you'd expect in Python 2:

    try:
        (possibly raise interesting exception) (*)
    except:
        try:
            (possibly raise exception to ignore) (**)
        except:
            pass
        raise  # (***)

The problem is that the exception in (**) overwrites the "current active
exception" raised in (*). In (***) the exception from the cleanup will be
re-raised.
The solution is to store the wanted exception info, including the
traceback:
 exc_type, exc_value, exc_traceback = sys.exc_info()
and then re-raise explicitly:
 raise exc_type, exc_value, exc_traceback

Also, please log the ignored exception from cancelling the paged search.





Patch 201:
Great patch!
A nitpick, I'd rename _process_member{,of} to _process_member{,of}indirect


Patch 202: Looks good
While we're on the subject: Each Plugin has an "api" attribute. It would 
be nice if we started preferring `self.api` instead of the global 
singleton wherever possible, even though they're currently always the same.



--
Petr³


Re: [Freeipa-devel] [PATCHES] 0019-0020 Broken Firefox configuration files in freeipa-client package

2013-11-08 Thread Petr Vobornik

On 11/05/2013 10:34 AM, Martin Basti wrote:

ipa-client-install now allows configuring Firefox using the
--configure-firefox option, optionally with the --firefox-dir=INSTALL_DIR
option.

Old configuration files were removed.

Patches attached.

Ticket: https://fedorahosted.org/freeipa/ticket/3821



Thanks for the patch.

1) Remove "pref("network.negotiate-auth.delegation-uris", ".$DOMAIN");" 
from the FIREFOX_CONFIG_TEMPLATE. Delegation is not a thing you want to 
have enabled unless there is no other way (Web UI doesn't need it since 
version 2.2 or 2.3).


Otherwise it works fine on F19.

--
Petr Vobornik



Re: [Freeipa-devel] [PATCHES] 198-202 Refactor indirect membership processing

2013-11-08 Thread Petr Viktorin

On 10/31/2013 02:45 PM, Jan Cholasta wrote:

Hi,

the attached patches fix .

Tested with 25000 users.

Honza


Patch 198:

Also update ipaldap's find_entries docstring, it no longer uses IPA 
defaults.



While you're touching this part of code, I had some other improvements 
in mind -- you can consider them:


In find_entries,
    attrs_list = [a.lower() for a in attrs_list]
to make sure 'memberindirect' is case insensitive

In get_memberof, construct `indirect` as a set, for O(1) remove().

Changing MEMBERS_ALL et al. from numbers to descriptive strings, for 
easier debugging.




Patch 199: Looks great


Patch 200:

objtype, res_list, red_id, res_ctrls = result
Minor typo --^


This construction won't work as you'd expect in Python 2:

    try:
        (possibly raise interesting exception) (*)
    except:
        try:
            (possibly raise exception to ignore) (**)
        except:
            pass
        raise  # (***)

The problem is that the exception in (**) overwrites the "current active 
exception" caught in (*). In (***) the exception from cleanup will be 
raised.

The solution is to store the wanted exception info, including the traceback:
    exc_type, exc_value, exc_traceback = sys.exc_info()
and then re-raise explicitly:
    raise exc_type, exc_value, exc_traceback

Also, please log the ignored exception from cancelling the paged search.


--
Petr³
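
Added example (not part of the original messages and not FreeIPA code): the save, log and re-raise pattern requested for patch 200 in both review messages above, written in Python 3 syntax so it runs today. The callables, exception classes and logger name are constructed stand-ins for the paged-search calls.

```python
import logging
import sys

log = logging.getLogger("paged_search_example")  # hypothetical logger name

class SearchError(Exception):
    """Constructed stand-in for the 'interesting' error (*)."""

class CancelError(Exception):
    """Constructed stand-in for the cleanup error to ignore (**)."""

def paged_search(fetch_pages, cancel):
    try:
        return fetch_pages()                           # (*)
    except Exception:
        # Save the wanted exception before cleanup can replace it.
        exc_type, exc_value, exc_traceback = sys.exc_info()
        try:
            cancel()                                   # (**)
        except Exception:
            # Log the ignored cleanup failure instead of a silent `pass`.
            log.warning("ignoring error while cancelling paged search",
                        exc_info=True)
        # Python 2 spelling: raise exc_type, exc_value, exc_traceback
        raise exc_value.with_traceback(exc_traceback)  # (***)

def demo():
    """Run with constructed failing callables; return (raised, logged)."""
    logged = []

    class Collect(logging.Handler):
        def emit(self, record):
            logged.append((record.getMessage(), record.exc_info[0].__name__))

    def fetch_pages():
        raise SearchError("size limit exceeded")

    def cancel():
        raise CancelError("connection closed")

    handler = Collect()
    log.addHandler(handler)
    try:
        paged_search(fetch_pages, cancel)
    except Exception as exc:
        raised = type(exc).__name__
    finally:
        log.removeHandler(handler)
    return raised, logged
```

On Python 3 a bare `raise` at (***) already re-raises the outer exception, because the interpreter restores it when the inner `except` block ends; the explicit form keeps the intent visible and matches the Python 2 fix described above.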


Re: [Freeipa-devel] [PATCH 0016] Add RADIUS proxy support to ipalib CLI

2013-11-08 Thread Petr Viktorin

On 09/25/2013 10:56 PM, Nathaniel McCallum wrote:

On Fri, 2013-09-20 at 12:38 -0400, Nathaniel McCallum wrote:

On Thu, 2013-09-12 at 16:48 -0400, Nathaniel McCallum wrote:

On Thu, 2013-09-05 at 00:06 -0400, Nathaniel McCallum wrote:

patch attached


Update for ./makeapi attached.


Version 3. This should fix all the current review issues, including the
use of the referential integrity plugin. I had to make one schema change
in order to make the referential integrity modification work. Note also
that the command name prefix is changed from radius to radiusproxy.


Version 4. This patch fixes my failure to increment the minor version
number in the VERSION file.

Nathaniel


We've since decided that we'll carry LDAP "content" updates only in 
update files, so you can leave indices.ldif & referint-conf.ldif unchanged.
Schema, on the other hand, will still be in ldif files (and soon *only* 
in ldif files).


The patch needs a rebase.

--
Petr³



Re: [Freeipa-devel] [PATCH] 0316 Remove unused utf8_encode_value functions

2013-11-08 Thread Petr Viktorin

On 11/06/2013 02:20 PM, Ana Krivokapic wrote:

On 11/05/2013 02:02 PM, Petr Viktorin wrote:

Honza's recent LDAP refactoring left some unused helper functions
around. This patch removes them.





ACK


Thanks! Pushed to master: 196379d126f4c86cb0979d3bae16919858bd7c19


--
Petr³



Re: [Freeipa-devel] [PATCH 0015] Add support for managing user auth types

2013-11-08 Thread Petr Viktorin

On 11/07/2013 07:48 PM, Nathaniel McCallum wrote:

On Mon, 2013-10-07 at 16:22 +0200, Petr Viktorin wrote:

Sorry for the delay.


On 09/25/2013 10:51 PM, Nathaniel McCallum wrote:

On Mon, 2013-09-23 at 15:19 +0200, Petr Viktorin wrote:

Great, we're getting close!


[...]

There's another test failure when trying to rename a manager user. I
didn't investigate in detail why that happens.


Does the failure happen without the patch?


No. It seems the added objectclasses attribute conflicts with renaming a
user who's a manager.


Is this just a standard make check?


It's the standard make test; specifically:
./make-test ipatests/test_xmlrpc/test_user_plugin.py
It should pass on a newly installed server, with `make` being run in
advance. Make sure to have ~/.ipa/default.conf set up.


Fixed.

Nathaniel



Thanks! ACK, pushed to master: 3f85f09a83f1cd25078c7c11a68d457bb198d66f

I've also pushed my tests from earlier in the thread: 
6c7a59a906ca46d1fbdf38739ac8b33f3136de9e


--
Petr³


Re: [Freeipa-devel] [PATCH][DOC] 432 Add direct bug reporting links to Feedback section

2013-11-08 Thread Martin Kosek
On 10/17/2013 12:04 PM, Martin Kosek wrote:
> On 10/17/2013 07:25 AM, Petr Spacek wrote:
>> On 17.10.2013 03:06, Simo Sorce wrote:
>>> On Wed, 2013-10-16 at 21:59 +0200, Petr Spacek wrote:
>>>> On 16.10.2013 15:31, Martin Kosek wrote:
>>>>> This change should enable faster and easier filing of new bugs. Patch
>>>>> also simplifies the section for both redhat and fedora variants.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/3754
>>>>
>>>> Hmm, is there a way to add the "Report a bug" link to each page footer (in
>>>> HTML output)? I think that people should see this option all the time.
>>>>
>>>>
>>>> This reminds me of another thing:
>>>> Could we add TICKET_CREATE privilege to anonymous 'subject' in the Trac? This
>>>> should allow anyone to create ticket even without registration/logging in,
>>>> which lowers the barrier.
>>>
>>> Bad idea, you'll soon be submerged by the worst looking spam, seriously,
>>> don't do it.
>>>
>>> Besides you wouldn't be able to notify the reporter that you need more
>>> info and so on, it's not worth to have fire-and-forget reports.
>>
>> There is an input box for reporter's e-mail...
> 
> Yeah, I wonder who would fill it. I would personally leave it as is, when
> someone really does not want to register to Fedora, he can send a mail to
> freeipa-users (and thus also give us a way to ask back).
> 
> Martin

I hope that this question was resolved. As for "Report a bug" link on each page
footer, I am not sure if Publican can do that and I am also not sure if it
would not be disturbing.

I would rather like to let us review the requested change and provided patch.
IMO the provided Trac/Bugzilla links make the bug filing easier, which was the
point of the ticket - please review.

Let us review the change and continue with other doc improvements, there is a
lot of those on our plate in this area.

Martin



Re: [Freeipa-devel] Internationalized domain names in freeIPA

2013-11-08 Thread Petr Viktorin

On 11/07/2013 02:14 PM, Martin Kosek wrote:

On 11/07/2013 01:59 PM, Petr Viktorin wrote:

On 11/05/2013 06:08 PM, John Dennis wrote:

On 11/05/2013 12:04 PM, Petr Viktorin wrote:

On 11/05/2013 05:53 PM, John Dennis wrote:

On 11/05/2013 11:13 AM, Martin Basti wrote:

Hi list,

I'm working on ticket: https://fedorahosted.org/freeipa/ticket/3169
UTF-8 DNS names will be converted to punycode ASCII string and stored

But there is a question, how to show DNS names to user (in UI or
dnsrecord-show/find):
* show them in punycode
* convert them to UTF-8 and show
* both ways
* add options to show them in UTF-8

I'll be thankful for your opinion.



We have a rule that all strings use UCS and that UCS be interchanged by
encoding UCS text in UTF-8. Therefore it seems to me the only time
punycode should ever exist is when it's necessary to encode/decode
punycode for dns operations. Since punycode is a standard Python codec
this should be trivial, you just need to determine where you do the
encode/decode (perhaps also validating user input can be successfully
encoded).


In LDAP the values need to be in punycode, so bind-dyndb-ldap can
process them.


This suggests the LDAP type conversion is the right location for
encode/decode.


IMO all layers above that -- API, CLI, WebUI -- should use Unicode,
except with the `--raw` flag.


The reason for this is that UTF-8 isn't as canonical a representation of
Punycode as, say, a DN object for DNs or a bool for boolean values. Admins
might reasonably want to see the raw value.

Also, these values end up in DNs; I fear converting them at the LDAP wrapper
level could open a can of worms. Do we have resources to give this the testing
it needs?

I think converting them in the DNS plugin is the way to go.



Just to clarify the terms here: DNS plugin === dns.py plugin in FreeIPA, not
bind-dyndb-ldap.


dns.py; sorry for the confusion.


--
Petr³
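
Added example (not part of the original thread and not FreeIPA code): the conversion boundary discussed above, using Python's built-in "idna" codec, with punycode kept for storage, Unicode shown to the user, and a raw switch that returns the stored form. The function names and the sample record are constructed; the built-in codec implements IDNA 2003.

```python
def to_ldap(name):
    """Unicode DNS name -> punycode (A-label) string, validating the input."""
    try:
        return name.encode("idna").decode("ascii")
    except UnicodeError as exc:
        # Raised for empty labels or labels longer than 63 octets.
        raise ValueError("not a valid DNS name: %r (%s)" % (name, exc))


def to_display(stored, raw=False):
    """Stored punycode -> Unicode for output; raw=True returns it unchanged."""
    if raw:
        return stored
    return stored.encode("ascii").decode("idna")


def show_record(entry, raw=False):
    """Return a copy of a record with its name converted for display."""
    shown = dict(entry)
    shown["idnsname"] = to_display(entry["idnsname"], raw=raw)
    return shown


if __name__ == "__main__":
    # Constructed record: the name is converted once, before it is stored.
    record = {"idnsname": to_ldap("b\u00fccher.example.com"),
              "arecord": "192.0.2.10"}
    print(record["idnsname"])                         # stored form
    print(show_record(record)["idnsname"])            # default, Unicode
    print(show_record(record, raw=True)["idnsname"])  # raw output
```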
