[Freeipa-devel] [PATCH 0001] Adding verb to error message to make it less confusing
I found error message Failed to data from service file: Failed to get list of services to probe status: in my logs while experimenting with something and it confused me a bit, hence this patch. -- Jan Pazdziora Principal Software Engineer, Identity Management Engineering, Red Hat From 2f56c201b958b2f7b4610ca12cab0bfbc5bd17a9 Mon Sep 17 00:00:00 2001 From: Jan Pazdziora jpazdzi...@redhat.com Date: Tue, 6 May 2014 09:52:21 +0200 Subject: [PATCH] Adding verb to error message to make it less confusing. --- install/tools/ipactl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/ipactl b/install/tools/ipactl index 202081d..fd29132 100755 --- a/install/tools/ipactl +++ b/install/tools/ipactl @@ -232,7 +232,7 @@ def ipa_start(options): try: svc_list = get_config(dirsrv) except Exception, e: -emit_err(Failed to data from service file: + str(e)) +emit_err(Failed to read data from service file: + str(e)) emit_err(Shutting down) if not options.force: -- 1.9.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 18 webui otptoken test data added
On 5.5.2014 16:39, Misnyovszki Adam wrote: On Wed, 30 Apr 2014 13:37:10 +0200 Petr Vobornik pvobo...@redhat.com wrote: On 29.4.2014 16:30, Misnyovszki Adam wrote: On Fri, 25 Apr 2014 17:16:48 +0200 Misnyovszki Adam amisn...@redhat.com wrote: Hi, this patch adds some static test data for the webui otptoken part. Adam Attached corrected DNs. Thanks Adam 1) Why otptoken_batch_del.json ends with error? Also there might be a defect in UI that for batch delete operation it asks for batch.json and not $ENTITY_batch_del.json making otptoken_batch_del.json unused - out of scope of this patch. 2) Why otptoken_mod.json ends with error? 3) otptoken_find.json is not needed since the search facet uses paging (combination of otptoken_get_records.json and otptoken_find_pkeys.json is enough). In general, it's OK to fake the data if there is some bug which causes errors and we know that it will be fixed. Hi, see the attached, and corrected 18 patch for otptoken static test data. Also, I've added patch 20, for fixing the batch_del command in static webui tests. Thanks Adam Patch 18-3: 1. otptoken_batch.json, otptoken_batch_del.json, otptoken_mod.json have trailing whitespace after commas 2. otptoken_batch.json was obsoleted by patch 20. Should be removed since both patches are in one patchset. Patch 20: ACK -- Petr Vobornik
[Freeipa-devel] [PATCH 0001] Fixed various typos in ipa-client-install man page
From d9ccbfca05f46515ef3de3065b33e21cf5debe80 Mon Sep 17 00:00:00 2001 From: Thorsten Scherf tsch...@redhat.com Date: Tue, 6 May 2014 10:45:04 +0200 Subject: [PATCH] Fixed various typos in ipa-client-install man page --- ipa-client/man/ipa-client-install.1 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1 index 3d72b0c9f5f5c5dec6314adf9eb02f873918bfda..95d13fac97f4a4ee166e9d0a8c7b762c03710003 100644 --- a/ipa-client/man/ipa-client-install.1 +++ b/ipa-client/man/ipa-client-install.1 
@@ -28,7 +28,7 @@ By default this configures SSSD to connect to an IPA server for authentication a An authorized user is required to join a client machine to IPA. This can take the form of a kerberos principal or a one\-time password associated with the machine. -This same tool is used to unconfigure IPA and attempts to return the machine to its previous state. Part of this process is to unenroll the host from the IPA server. Unenrollment consists of disabling the prinicipal key on the IPA server so that it may be re\-enrolled. The machine principal in /etc/krb5.keytab (host/fqdn@REALM) is used to authenticate to the IPA server to unenroll itself. If this principal does not exist then unenrollment will fail and an administrator will need to disable the host principal (ipa host\-disable fqdn). +This same tool is used to unconfigure IPA and attempts to return the machine to its previous state. Part of this process is to unenroll the host from the IPA server. Unenrollment consists of disabling the principal key on the IPA server so that it may be re\-enrolled. The machine principal in /etc/krb5.keytab (host/fqdn@REALM) is used to authenticate to the IPA server to unenroll itself. If this principal does not exist then unenrollment will fail and an administrator will need to disable the host principal (ipa host\-disable fqdn). .SS Assumptions The ipa\-client\-install script assumes that the machine has already generated SSH keys. It will not generate SSH keys of its own accord. If SSH keys are not present (e.g when running the ipa\-client\-install in a kickstart, before ever running sshd), they will not be uploaded to the client host entry on the server. 
@@ -66,11 +66,11 @@ If this has been the case, host can be re\-enrolled using the usual methods. There are two method of authenticating a re\-enrollment: -1. You can use \-\-force\-join option with ipa\-client\-install command. This authenticates the re\-enrollment using the admin's credetials provided via the \-w/\-\-password option. +1. You can use \-\-force\-join option with ipa\-client\-install command. This authenticates the re\-enrollment using the admin's credentials provided via the \-w/\-\-password option. .br 2. If providing the admin's password via the command line is not an option (e.g you want to create a script to re\-enroll a host and keep the admin's password secure), you can use backed up keytab from the previous enrollment of this host to authenticate. See \-\-keytab option. -Consenquences of the re\-enrollment on the host entry: +Consequences of the re\-enrollment on the host entry: 1. A new host certificate is issued .br -- 1.9.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
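Review bot: The unchanged context line "There are two method of authenticating a re\-enrollment" still carries a typo ("method" should be "methods"), and "e.g you" appears twice in the visible context without the period ("e.g. you"); since this patch is a typo sweep of the same man page, fold those into the same hunk rather than leaving them for a follow-up.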
[Freeipa-devel] [PATCH 0001] Fixed typo in ipa-test-task man page
From df6acd55db562c24ec5e88166d31eeabc026a087 Mon Sep 17 00:00:00 2001 From: Thorsten Scherf tsch...@redhat.com Date: Tue, 6 May 2014 11:03:15 +0200 Subject: [PATCH] Fixed typo in ipa-test-task man page --- ipatests/man/ipa-test-task.1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ipatests/man/ipa-test-task.1 b/ipatests/man/ipa-test-task.1 index 3f523569951c545c9e516f2c1775871d9653d58a..f6717d3f57a30595cc400de29750ce12306abe3f 100644 --- a/ipatests/man/ipa-test-task.1 +++ b/ipatests/man/ipa-test-task.1 @@ -126,8 +126,8 @@ Based on the relationship of the domains configures the IPA DNS for trust. AD DNS needs to be setup manually. .TP -\fBipa\-test\-task estabilish\-trust\-with\-ad HOST AD\fR -Estabilishes trust with Active Directory. Trust type is detected depending on +\fBipa\-test\-task establish\-trust\-with\-ad HOST AD\fR +Establishes trust with Active Directory. Trust type is detected depending on the presence of SfU (Services for Unix) support on the AD. .TP -- 1.9.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
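Review bot: The context line "AD DNS needs to be setup manually" uses the noun "setup" where the verb "set up" is meant; it sits two lines above the changed lines, so it can be fixed in this same typo patch.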
Re: [Freeipa-devel] [PATCH] 16-17 Attribute box in permission UI is too small
On 25.4.2014 13:06, Misnyovszki Adam wrote: Hi, first patch redesigns attribute box in permission forms, making it a bigger scrollable checkboxlist. Second one adds a filter field to it for better user experience, if the checkboxlist would be too large. Also, webui unit tests for rbac are updated to work properly with the new widget. Thanks Adam Patch 16: 1. jslint warnings: - aci.js(559): lint warning: undeclared identifier: attr_container - aci.js(590): lint warning: undeclared identifier: attr_container 2. you can reuse existing create method of checkboxes widget since attribute widget inherits from it. The same with create_options - option_widget_base.create_options will do the trick. But be careful, it expects different param. 2a. in patch 17 you will have to have custom create method, but the code can be very similar to radio_widget.create method. Patch 17: 1. jslint warnings: - aci.js(614): lint warning: missing semicolon 2. too big indentation: +that.filter.keyup(function(e) { +that.filter_options(); 3. (ul.option_widget.attribute_widget li) matches all options in all attribute widgets in the app. Limit the search to this widget by the context parameter ($node). It will also allow you to use simpler selector. -- Petr Vobornik
Re: [Freeipa-devel] [PATCH 0001] Fixed various typos in ipa-client-install man page
ACK. On 05/06/2014 10:48 AM, Thorsten Scherf wrote: -- Tomas Babej Associate Software Engineer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org
Re: [Freeipa-devel] [PATCH 0001] Fixed typo in ipa-test-task man page
ACK. On 05/06/2014 11:05 AM, Thorsten Scherf wrote: -- Tomas Babej Associate Software Engineer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org
Re: [Freeipa-devel] [PATCHES 180-182] ipatests: Improvements!
On 05/05/2014 06:08 PM, Alexander Bokovoy wrote: On Fri, 02 May 2014, Jakub Hrozek wrote: On Wed, Apr 30, 2014 at 03:59:01PM +0200, Tomas Babej wrote: Hi, * patch 180 fixes incorrect hostname usage when connecting to legacy clients * patch 181 sets up SSSD in debug_level 7 by default * patch 182 does the same, but on the legacy clients -- Tomas Babej Associate Software Engineer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org ACK to the general intent of debug_level by default. Have you considered using the python ConfigAPI sssd has to change the sections rather than running a sed script? I agree. The patchset in current form does work fine for me in the tests. However, I'd rather wait for a new revision which incorporates changes requested by Jakub. I'm not sure using python ConfigAPI would be a better option here, for one particular reason - the tests themselves are not run on the machine where we want to change the config. Hence we need to enclose everything we want done on the client in the run_command method. Moving from sed to using python ConfigAPI would mean moving from: +host.run_command(['sed', '-i', + '/debug_level = 7/d', + '/etc/sssd/sssd.conf' + ], raiseonerr=False) + +# Add the debug directive to each section +host.run_command(['sed', '-i', + '/\[*\]/ a\debug_level = 7', + '/etc/sssd/sssd.conf' + ], raiseonerr=False) to creating the python script file of ~10-15 lines on the client and then running it on the client itself via: + host.run_command(['python', 'set_sssd_debug_level.py']) Given that, it does not seem that much simpler than using two sed commands to me. -- Tomas Babej Associate Software Engineer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org
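Review bot: The sed address in the second quoted command, /\[*\]/, matches any line containing a closing bracket (the star applies only to the escaped [ and allows zero of them), so debug_level = 7 would be appended after any line that happens to contain ], not just after section headers; /^\[.*\]$/ anchors it to the [section] lines. The a\ form with the text on the same line is a GNU sed extension, fine on the test hosts but worth a comment, and because both commands run with raiseonerr=False a missing or unreadable /etc/sssd/sssd.conf leaves the level unchanged without the test noticing.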
Re: [Freeipa-devel] [PATCH 0001] Fixed typo in ipa_backup.py
On 2.5.2014 17:20, Nathaniel McCallum wrote: ACK Nathaniel Pushed to master: 3f3c8eee24f98807ff8a95dd0f6a022b2b3a5bf5 -- Petr Vobornik
Re: [Freeipa-devel] [PATCH 0046] Fix a typo in the otptoken doc string
On 5.5.2014 19:22, Nathaniel McCallum wrote: On Mon, 2014-05-05 at 14:03 +0200, Jan Cholasta wrote: Hi, On 2.5.2014 23:45, Nathaniel McCallum wrote: Patch attached ACK, but there is one additional occurrence of otp-add in a comment in install/ui/src/freeipa/otptoken.js. https://www.redhat.com/archives/freeipa-devel/2014-May/msg00039.html Nathaniel Pushed to master: 797974b09fdd078c8ad645c217a464b69ce72f66 -- Petr Vobornik
Re: [Freeipa-devel] [PATCH 0001] Adding verb to error message to make it less confusing
ACK On 05/06/2014 09:58 AM, Jan Pazdziora wrote: I found error message Failed to data from service file: Failed to get list of services to probe status: in my logs while experimenting with something and it confused me a bit, hence this patch. -- Tomas Babej Associate Software Engineer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org
[Freeipa-devel] [PATCH] 629 webui: otptoken-adder dialog - remove obsolete comment
No longer valid. HOTP tokens are also supported. -- Petr Vobornik From 4ca6c7527e27191339b65ea5fd3583a27129303e Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Tue, 6 May 2014 13:28:49 +0200 Subject: [PATCH] webui: otptoken-adder dialog - remove obsolete comment - hotp tokens are also supported --- install/ui/src/freeipa/otptoken.js | 1 - 1 file changed, 1 deletion(-) diff --git a/install/ui/src/freeipa/otptoken.js b/install/ui/src/freeipa/otptoken.js index cf14869ce431d1a89e84687d1c88ffb500ddaf97..022030b9765f9b8f1b7a4d28c64f897650f6c490 100644 --- a/install/ui/src/freeipa/otptoken.js +++ b/install/ui/src/freeipa/otptoken.js @@ -284,7 +284,6 @@ otptoken.adder_dialog_preop = function(spec) { /** * OTP adder dialog * - * - otp-add requires 'type' to be set. At the moment IPA supports only 'totp' * @class * @extends IPA.entity_adder_dialog */ -- 1.9.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0050] Fix typo in token UI javascript comment
On 5.5.2014 19:25, Jan Cholasta wrote: On 5.5.2014 19:10, Nathaniel McCallum wrote: Attached. ACK. NACK, the comment is no longer valid and should be removed. New patch: http://www.redhat.com/archives/freeipa-devel/2014-May/msg00057.html -- Petr Vobornik
Re: [Freeipa-devel] [PATCH 0048] Default the token owner to the person adding the token
Hi, On 5.5.2014 18:40, Nathaniel McCallum wrote: Creating tokens for yourself is the most common operation. Making this the default optimizes for the common case. The user-find call should be inside the if statement. Also please check if there actually is a result, if you run user-find --whoami when authenticated as non-user, the result will be empty. Honza -- Jan Cholasta
Re: [Freeipa-devel] [PATCH 0001] Fixed typo in ipa-test-task man page
On 6.5.2014 12:49, Tomas Babej wrote: ACK. On 05/06/2014 11:05 AM, Thorsten Scherf wrote: Pushed to master: 7646cb8e580f11987c98f1ef81179aecf082eea9 -- Petr Vobornik
Re: [Freeipa-devel] [PATCH 0001] Fixed various typos in ipa-client-install man page
On 6.5.2014 12:49, Tomas Babej wrote: ACK. Pushed to master: 7cf683b3bc3f8afef6e52d2ff570f2bea77b7a5e -- Petr Vobornik
Re: [Freeipa-devel] [PATCH 0001] Adding verb to error message to make it less confusing
On 6.5.2014 12:50, Tomas Babej wrote: ACK On 05/06/2014 09:58 AM, Jan Pazdziora wrote: I found error message Failed to data from service file: Failed to get list of services to probe status: in my logs while experimenting with something and it confused me a bit, hence this patch. Pushed to master: d4e1b05484f41ef7a479861c07685dfe5ca1b73b -- Petr Vobornik
Re: [Freeipa-devel] plugin registration refactoring for pwpolicy
On 2.5.2014 17:19, Nathaniel McCallum wrote: On Fri, 2014-05-02 at 14:01 +0200, Misnyovszki Adam wrote: SSIA Thanks Adam Simple enough. ACK. Nathaniel Pushed to master: 2c08a16f8f52927332bd5fde31bc855b2d657afc -- Petr Vobornik
Re: [Freeipa-devel] [PATCH] 629 webui: otptoken-adder dialog - remove obsolete comment
On Tue, 06 May 2014 13:34:28 +0200 Petr Vobornik pvobo...@redhat.com wrote: No longer valid. HOTP tokens are also supported. ACK
Re: [Freeipa-devel] [PATCH 0050] Fix typo in token UI javascript comment
On Tue, 2014-05-06 at 13:35 +0200, Petr Vobornik wrote: On 5.5.2014 19:25, Jan Cholasta wrote: On 5.5.2014 19:10, Nathaniel McCallum wrote: Attached. ACK. NACK, the comment is no longer valid and should be removed. New patch: http://www.redhat.com/archives/freeipa-devel/2014-May/msg00057.html ACK Nathaniel
[Freeipa-devel] [PATCH 0051] Validate OTP during password change requests
The pwdch extop would just validate the old password before setting the new one. Because this operation returns INVALID_CREDENTIALS when the password is wrong, it provides an opportunity to brute force the first factor distinct from the second factor. This patch causes the pwdch extop to validate the OTP as well. This closes the above attack vector. It is also, conveniently, the behavior most users will probably expect. https://fedorahosted.org/freeipa/ticket/4248 From 1da047f41b3f07a3c659ee2f1a75be483d483359 Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum npmccal...@redhat.com Date: Fri, 2 May 2014 13:10:09 -0400 Subject: [PATCH] Validate OTP during password change requests The pwdch extop would just validate the old password before setting the new one. Because this operation returns INVALID_CREDENTIALS when the password is wrong, it provides an opportunity to brute force the first factor distinct from the second factor. This patch causes the pwdch extop to validate the OTP as well. This closes the above attack vector. It is also, conveniently, the behavior most users will probably expect. https://fedorahosted.org/freeipa/ticket/4248 --- .../ipa-slapi-plugins/ipa-pwd-extop/Makefile.am| 1 + daemons/ipa-slapi-plugins/ipa-pwd-extop/authotp.c | 129 + daemons/ipa-slapi-plugins/ipa-pwd-extop/authotp.h | 64 ++ .../ipa-pwd-extop/ipa_pwd_extop.c | 14 ++- daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h | 3 +- daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 95 +-- 6 files changed, 210 insertions(+), 96 deletions(-) create mode 100644 daemons/ipa-slapi-plugins/ipa-pwd-extop/authotp.c create mode 100644 daemons/ipa-slapi-plugins/ipa-pwd-extop/authotp.h diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am index 4cf80ec802b40bb579a44fc9357c6a8119dab577..2045a6e6989115ba9e769a91ea38b768ed64c3f3 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am @@ -41,6 +41,7 @@ plugin_LTLIBRARIES = libipa_pwd_extop.la libipa_pwd_extop_la_LIBADD = $(builddir)/../libotp/libotp.la libipa_pwd_extop_la_SOURCES = \ authcfg.c \ + authotp.c \ common.c \ encoding.c \ prepost.c \ diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/authotp.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/authotp.c new file mode 100644 index ..f309796cf7b0cbee0ec5151a0d934f2571a4781f --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/authotp.c 
@@ -0,0 +1,129 @@ +/** BEGIN COPYRIGHT BLOCK + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see http://www.gnu.org/licenses/. + * + * Additional permission under GPLv3 section 7: + * + * In the following paragraph, GPL means the GNU General Public + * License, version 3 or any later version, and Non-GPL Code means + * code that is governed neither by the GPL nor a license + * compatible with the GPL. + * + * You may link the code of this Program with Non-GPL Code and convey + * linked combinations including the two, provided that such Non-GPL + * Code only links to the code of this Program through those well + * defined interfaces identified in the file named EXCEPTION found in + * the source code files (the Approved Interfaces). The files of + * Non-GPL Code may instantiate templates or use macros or inline + * functions from the Approved Interfaces without causing the resulting + * work to be covered by the GPL. Only the copyright holders of this + * Program may make changes or additions to the list of Approved + * Interfaces. + * + * Authors: + * Nathaniel McCallum npmccal...@redhat.com + * + * Copyright (C) 2014 Red Hat, Inc. + * All rights reserved. + * END COPYRIGHT BLOCK **/ + +/* + * Authenticates creds against OTP tokens. Returns true when authentication + * completed successfully against a token OR when a user has no active tokens. 
+ * + * WARNING: This function DOES NOT authenticate the first factor. Only the OTP + * code is validated! You still need to validate the first factor. + * + * NOTE: When successful, this function truncates creds to remove the token + * value at the end. This leaves only the password in creds for later + * validation. + */ + +#include authotp.h +#include authcfg.h +#include ipapwd.h + +#include util.h
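Review bot: The contract in the header comment (true both when a token validated and when the user has no active tokens) makes a true return ambiguous for a caller that needs to know whether a second factor was actually checked; consider a tri-state result or an out-parameter so the password-change path can distinguish "OTP verified" from "no tokens configured". The in-place truncation of creds is an easy-to-miss side effect for a function documented like a predicate; state it in authotp.h as well and make sure the caller's recorded credential length is updated with it. The comment block also sits above the #include lines rather than on the function it describes, so it will not be read as that function's documentation.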
Re: [Freeipa-devel] [PATCH 0239-0243] Refactor ldap_parse_master_zoneentry()
- Original Message - Hello, This patch set attempts to move ldap_parse_master_zoneentry() a little bit closer to sane code. It is preparation for https://fedorahosted.org/bind-dyndb-ldap/ticket/56 -- Petr^2 Spacek Patches look good. ACK. ACKing of version 2 of the patch 242 will follow. The patch 243 introduced a new compilation warning that Peter is aware of. Unfortunately we are unable to find the root cause of it, so leaving it as is for now... Regards, -- Tomas Hozza Software Engineer - EMEA ENG Developer Experience PGP: 1D9F3C2D Red Hat Inc. http://cz.redhat.com
Re: [Freeipa-devel] [PATCH 0239-0243] Refactor ldap_parse_master_zoneentry()
- Original Message - On 17.4.2014 20:00, Petr Spacek wrote: Hello, This patch set attempts to move ldap_parse_master_zoneentry() a little bit closer to sane code. It is preparation for https://fedorahosted.org/bind-dyndb-ldap/ticket/56 bind-dyndb-ldap-pspacek-0242-2-Refactor-master-zone-configuration.patch fixes zone loading for zones without idnsAllowTransfer attribute in LDAP. Previously, the plugin refused to load such zones with error ISC_R_NOTFOUND - missing attribute was treated as fatal error. -- Petr^2 Spacek ACK. Regards, -- Tomas Hozza Software Engineer - EMEA ENG Developer Experience PGP: 1D9F3C2D Red Hat Inc. http://cz.redhat.com
Re: [Freeipa-devel] bind DN of executing command
On Mon, 05 May 2014, Rob Crittenden wrote: Sumit Bose wrote: On Fri, May 02, 2014 at 05:06:06PM -0400, Nathaniel McCallum wrote: I need the DN of the user who is running the current command. This may be defined as the user who is bound or will bind to execute the LDAP commands I have prepared. Does anyone know how to do this in the FreeIPA api? I guess you are looking for ipa user-find --whoami If you're doing this in your own plugin, you get the current principal with: getattr(context, 'principal') Using that you can get the DN of that user with a search like this: (&(objectclass=posixaccount)(krbprincipalname=%s)) % getattr(context, 'principal') We don't currently have a helper for this. This is rather inefficient in user-find as it searches from the basedn rather than the user container for some reason. We have whoami plugin enabled by default in 389-ds in FreeIPA. I'd rather use that extended operation as it will give you proper response from the dirsrv side for the connection. I verified that it gives you a user's DN even when S4U2Proxy is in use. -- / Alexander Bokovoy
Re: [Freeipa-devel] [PATCH 0048] Default the token owner to the person adding the token
On Tue, 2014-05-06 at 13:46 +0200, Jan Cholasta wrote: Hi, On 5.5.2014 18:40, Nathaniel McCallum wrote: Creating tokens for yourself is the most common operation. Making this the default optimizes for the common case. The user-find call should be inside the if statement. This is actually for a reason. See my patch 0049 for further context. Also please check if there actually is a result, if you run user-find --whoami when authenticated as non-user, the result will be empty. Fixed. Nathaniel From 37b4bc35c5108cca06b4c83d3de2719aa14a467b Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum npmccal...@redhat.com Date: Mon, 5 May 2014 10:41:20 -0400 Subject: [PATCH] Default the token owner to the person adding the token Creating tokens for yourself is the most common operation. Making this the default optimizes for the common case. --- ipalib/plugins/otptoken.py | 12 +++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py index f68ea7df596c8d7e837d98874f4fd630a6d7524a..42cc16d1686cb411b3170d8ee59ad37986c13772 100644 --- a/ipalib/plugins/otptoken.py +++ b/ipalib/plugins/otptoken.py @@ -241,7 +241,17 @@ class otptoken_add(LDAPCreate): if tattr in entry_attrs: del entry_attrs[tattr] -# Resolve the user's dn +# Get the UID of the person adding this token. +try: +cur_uid = self.api.Command.user_find(whoami=True)['result'][0]['uid'][0] +except (KeyError, IndexError): +cur_uid = None + +# If no owner was specified, default to the person adding this token. +if ipatokenowner not in entry_attrs and cur_id is not None: +entry_attrs[ipatokenowner] = cur_uid + +# Resolve the owner's dn _normalize_owner(self.api.Object.user, entry_attrs) # Get the issuer for the URI -- 1.9.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
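Review bot: The new condition `if ipatokenowner not in entry_attrs and cur_id is not None:` references cur_id, which is never assigned (the variable set in the try block above is cur_uid), so every otptoken-add without an explicit owner will fail with a NameError instead of defaulting the owner; change it to cur_uid. The user_find(whoami=True) lookup also runs when an owner was passed explicitly, which Jan questioned; if that is intentional for patch 0049, a one-line comment saying so would save the next reader the same question.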
Re: [Freeipa-devel] [PATCH 0051] Validate OTP during password change requests
On Tue, 2014-05-06 at 08:28 -0400, Nathaniel McCallum wrote: The pwdch extop would just validate the old password before setting the new one. Because this operation returns INVALID_CREDENTIALS when the password is wrong, it provides an opportunity to brute force the first factor distinct from the second factor. This patch causes the pwdch extop to validate the OTP as well. This closes the above attack vector. It is also, conveniently, the behavior most users will probably expect. https://fedorahosted.org/freeipa/ticket/4248 This patch was posted for posterity/record. However, on the call this morning we decided NOT to do this validation. Please do not review this patch. :) Nathaniel
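The checking discipline that the patch 0051 description argues for (validate both factors in the same operation and return one undifferentiated failure, so a caller cannot learn which factor was wrong), as an added Python model. It is not the C code of ipa-pwd-extop and not what the thread decided to ship; the user record, token secret and password hashing (PBKDF2 here) are constructed for illustration, the credential layout follows the authotp.c comment (OTP value appended to the password), and the HOTP computation follows RFC 4226 and is checked against its published test vectors.

```python
# Added example, not FreeIPA code: combined password + HOTP check that
# returns a single verdict. Records and secrets below are constructed.
import hashlib
import hmac
import os
import struct

LOOKAHEAD = 3          # HOTP resync window: counter .. counter+LOOKAHEAD-1 accepted
PBKDF2_ROUNDS = 100000 # illustration only; the real plugin stores Kerberos/LDAP password data


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP value for a byte key and integer counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def make_user(password, token_keys=()):
    """Constructed user record: salted PBKDF2 hash plus zero or more HOTP tokens."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "tokens": [{"key": k, "counter": 0, "digits": 6} for k in token_keys],
    }


def verify_password(user, password):
    """First factor: constant-time comparison of the derived hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, user["pw_hash"])


def match_token(user, code):
    """Second factor: (token, next_counter) for the first token whose window
    contains `code`, else None. Nothing is mutated here."""
    for token in user["tokens"]:
        for step in range(LOOKAHEAD):
            counter = token["counter"] + step
            if hmac.compare_digest(hotp(token["key"], counter, token["digits"]), code):
                return token, counter + 1
    return None


def check_credentials(user, creds):
    """Validate password and OTP together and return one bool.

    Both checks always run, the result does not say which one failed, and
    the HOTP counter only advances when both pass, so a wrong first factor
    cannot be used to confirm or burn through token values.
    """
    if not user["tokens"]:
        return verify_password(user, creds)          # no active tokens: first factor only
    digits = user["tokens"][0]["digits"]             # assumption: all tokens use one length
    password, code = creds[:-digits], creds[-digits:]
    pw_ok = verify_password(user, password)
    well_formed = len(code) == digits and all(ch in "0123456789" for ch in code)
    hit = match_token(user, code) if well_formed else None
    if pw_ok and hit is not None:
        token, next_counter = hit
        token["counter"] = next_counter              # advance only on full success
        return True
    return False


if __name__ == "__main__":
    user = make_user("hunter2", [b"12345678901234567890"])   # RFC 4226 test key
    print(check_credentials(user, "hunter2" + hotp(b"12345678901234567890", 0)))
```

The deliberate asymmetry with the original pwdch behaviour is in `check_credentials`: a password-only failure and an OTP-only failure produce the same return value and leave the same server state, which is what removes the separate brute-force oracle on the first factor that the patch description describes.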
Re: [Freeipa-devel] bind DN of executing command
On Tue, 2014-05-06 at 15:56 +0300, Alexander Bokovoy wrote: On Mon, 05 May 2014, Rob Crittenden wrote: Sumit Bose wrote: On Fri, May 02, 2014 at 05:06:06PM -0400, Nathaniel McCallum wrote: I need the DN of the user who is running the current command. This may be defined as the user who is bound or will bind to execute the LDAP commands I have prepared. Does anyone know how to do this in the FreeIPA api? I guess you are looking for ipa user-find --whoami If you're doing this in your own plugin, you get the current principal with: getattr(context, 'principal') Using that you can get the DN of that user with a search like this: (&(objectclass=posixaccount)(krbprincipalname=%s)) % getattr(context, 'principal') We don't currently have a helper for this. This is rather inefficient in user-find as it searches from the basedn rather than the user container for some reason. We have whoami plugin enabled by default in 389-ds in FreeIPA. I'd rather use that extended operation as it will give you proper response from the dirsrv side for the connection. I verified that it gives you a user's DN even when S4U2Proxy is in use. The context of this question is now my patch 0048. I'm currently calling self.api.Command.user_find(whoami=True) (per the first suggestion). Feel free to make suggestions in that review. Nathaniel
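Both routes from this thread, the search filter built from the current principal and the whoami extended operation, as an added example that is not FreeIPA code. The principal is escaped per RFC 4515 before it is interpolated into the filter, which the plain `%s` formatting quoted above does not do, and the authzId returned by whoami is parsed into a DN. The escaping is implemented inline so the block runs without python-ldap; the principal and authzId strings are constructed.

```python
# Added example, not FreeIPA code: safe construction of the principal lookup
# filter quoted in this thread, plus parsing of the whoami extop response.

# RFC 4515 section 3: these characters must be escaped inside an assertion value.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value):
    """Escape a string for use as an LDAP filter assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def principal_filter(principal):
    """The filter from the thread, with the principal escaped first.

    Without escaping, a principal containing '*' or parentheses changes the
    structure of the filter instead of being matched literally; the
    principal normally comes from the Kerberos ticket, but a plugin should
    not depend on that for correctness.
    """
    return "(&(objectclass=posixaccount)(krbprincipalname=%s))" % escape_filter_value(principal)


def parse_whoami_dn(authzid):
    """Turn an RFC 4532 whoami authzId into a DN, or None.

    The server answers 'dn:<dn>' for a bound entry, 'u:<name>' for a user
    id without an entry DN, or an empty string for an anonymous connection;
    only the first form yields a DN the caller can use directly.
    """
    if not authzid:
        return None
    if authzid[:3].lower() == "dn:":
        dn = authzid[3:].strip()
        return dn or None
    return None


if __name__ == "__main__":
    principal = "alice@EXAMPLE.COM"                                        # constructed
    print(principal_filter(principal))
    print(parse_whoami_dn("dn:uid=alice,cn=users,cn=accounts,dc=example,dc=com"))  # constructed
```

With python-ldap the authzId would come from `conn.whoami_s()`; the parsing above is the part that is independent of the client library, and it is where the "authenticated as non-user" case from the patch 0048 review shows up as a `u:` or empty response rather than a DN.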
Re: [Freeipa-devel] [PATCH 0049] Add support for protected tokens
On Mon, 2014-05-05 at 12:42 -0400, Nathaniel McCallum wrote: This also constitutes a rethinking of the token ACIs after the introduction of SELFDN support. Admins, as before, have full access to all token permissions. Normal users have read/search/compare access to all of the non-secret data for tokens assigned to them, whether protected or non-protected. Users can add or delete non-protected tokens and modify most of their metadata. However they cannot create, delete or modify protected tokens. Regardless of whether the token is protected or not, users cannot change a token's ownership or unique identity. In contrast, admins can create protected tokens. This protects the token from deletion or modification when assigned to users. Additionally, when a user account is deleted, the assigned non-protected tokens are deleted but the protected tokens are merely orphaned. This permits the token to be reassigned without having to recreate it. This last point is particularly useful in the case of hardware tokens. https://fedorahosted.org/freeipa/ticket/4228 NOTE: This patch depends on my patch 0048. This new version makes ipatokenDisabled visible for token owners. It is also writable if the token is non-protected. This additionally fixes: https://fedorahosted.org/freeipa/ticket/4259 Nathaniel From 4340378d134e294d8c9e74673f9302d59f76a779 Mon Sep 17 00:00:00 2001 
From: Nathaniel McCallum npmccal...@redhat.com Date: Fri, 2 May 2014 16:44:30 -0400 Subject: [PATCH] Add support for protected tokens This also constitutes a rethinking of the token ACIs after the introduction of SELFDN support. Admins, as before, have full access to all token permissions. Normal users have read/search/compare access to all of the non-secret data for tokens assigned to them, whether protected or non-protected. Users can add or delete non-protected tokens and modify most of their metadata. However they cannot create, delete or modify protected tokens. Regardless of whether the token is protected or not, users cannot change a token's ownership or unique identity. In contrast, admins can create protected tokens. This protects the token from deletion or modification when assigned to users. Additionally, when a user account is deleted, the assigned non-protected tokens are deleted but the protected tokens are merely orphaned. This permits the token to be reassigned without having to recreate it. This last point is particularly useful in the case of hardware tokens. https://fedorahosted.org/freeipa/ticket/4228 https://fedorahosted.org/freeipa/ticket/4259 --- install/share/70ipaotp.ldif| 3 ++- install/share/default-aci.ldif | 10 +- install/updates/40-otp.update | 16 +++- ipalib/plugins/otptoken.py | 9 + ipalib/plugins/user.py | 9 - 5 files changed, 35 insertions(+), 12 deletions(-) diff --git a/install/share/70ipaotp.ldif b/install/share/70ipaotp.ldif index a40ad9ee0cfcf72ed6b79306396a29683f9e1a9d..08f639b6cd14b6dd1270a604fdd061cecb4a6482 100644 --- a/install/share/70ipaotp.ldif +++ b/install/share/70ipaotp.ldif 
@@ -23,7 +23,8 @@ attributeTypes: (2.16.840.1.113730.3.8.16.1.18 NAME 'ipatokenRadiusTimeout' DESC attributeTypes: (2.16.840.1.113730.3.8.16.1.19 NAME 'ipatokenRadiusRetries' DESC 'Number of allowed Retries' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP') attributeTypes: (2.16.840.1.113730.3.8.16.1.20 NAME 'ipatokenUserMapAttribute' DESC 'Attribute to map from the user entry for RADIUS server authentication' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP') attributeTypes: (2.16.840.1.113730.3.8.16.1.21 NAME 'ipatokenHOTPcounter' DESC 'HOTP counter' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP') -objectClasses: (2.16.840.1.113730.3.8.16.2.1 NAME 'ipaToken' SUP top ABSTRACT DESC 'Abstract token class for tokens' MUST (ipatokenUniqueID) MAY (description $ ipatokenOwner $ ipatokenDisabled $ ipatokenNotBefore $ ipatokenNotAfter $ ipatokenVendor $ ipatokenModel $ ipatokenSerial) X-ORIGIN 'IPA OTP') +attributeTypes: (2.16.840.1.113730.3.8.16.1.22 NAME 'ipatokenProtected' DESC 'Optionally marks token as Protected' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA OTP') +objectClasses: (2.16.840.1.113730.3.8.16.2.1 NAME 'ipaToken' SUP top ABSTRACT DESC 'Abstract token class for tokens' MUST (ipatokenUniqueID) MAY (description $ ipatokenOwner $ ipatokenDisabled $ ipatokenNotBefore $ ipatokenNotAfter $ ipatokenVendor $ ipatokenModel $ ipatokenSerial $ ipatokenProtected) X-ORIGIN 'IPA OTP') objectClasses: (2.16.840.1.113730.3.8.16.2.2 NAME 'ipatokenTOTP' SUP ipaToken STRUCTURAL DESC 'TOTP Token Type' MUST (ipatokenOTPkey $ ipatokenOTPalgorithm $ ipatokenOTPdigits $ ipatokenTOTPclockOffset $ ipatokenTOTPtimeStep) X-ORIGIN 'IPA OTP') objectClasses:
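Review bot: the schema hunk adds ipatokenProtected to the MAY list of the abstract ipaToken class, but the guarantee described in the commit message (owners cannot modify or delete a protected token) only holds if owners are also denied write access to ipatokenProtected itself; the default-aci.ldif hunk that enforces this is not shown here, so please confirm that ipatokenProtected sits in the same owner-read-only set as ipatokenOwner and ipatokenUniqueID, otherwise clearing the flag becomes a way around the protection. Minor: the DESC 'Optionally marks token as Protected' could state the semantics directly, e.g. 'TRUE if only admins may modify or delete this token'.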
Re: [Freeipa-devel] [PATCH 0048] Default the token owner to the person adding the token
On 6.5.2014 15:16, Nathaniel McCallum wrote:
> On Tue, 2014-05-06 at 13:46 +0200, Jan Cholasta wrote:
>> Hi,
>> On 5.5.2014 18:40, Nathaniel McCallum wrote:
>>> Creating tokens for yourself is the most common operation. Making this the default optimizes for the common case.
>> The user-find call should be inside the if statement.
> This is actually for a reason. See my patch 0049 for further context.

IMO something like this would be better:

    if 'ipatokenowner' not in entry_attrs or 'ipatokenprotected' not in entry_attrs:
        result = self.api.Command.user_find(whoami=True)['result']
        if result:
            cur_uid = result[0]['uid'][0]
            prev_uid = entry_attrs.setdefault('ipatokenowner', cur_uid)
            if cur_uid != prev_uid:
                entry_attrs.setdefault('ipatokenprotected', True)

>> Also please check if there actually is a result, if you run user-find --whoami when authenticated as non-user, the result will be empty.
> Fixed.
>
> Nathaniel

-- 
Jan Cholasta
[Freeipa-devel] [PATCH 0052] Only specify the ipatokenuniqueid default in the add operation
Specifying the default in the LDAP Object causes the parameter to be specified for non-add operations. This is especially problematic when performing the modify operation as it causes the primary key to change for every modification. https://fedorahosted.org/freeipa/ticket/4227 From 9c85cafab11b56bb3b63b4afbe490e9aa9b8a900 Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum npmccal...@redhat.com Date: Thu, 1 May 2014 16:31:45 -0400 Subject: [PATCH] Only specify the ipatokenuniqueid default in the add operation Specifying the default in the LDAP Object causes the parameter to be specified for non-add operations. This is especially problematic when performing the modify operation as it causes the primary key to change for every modification. https://fedorahosted.org/freeipa/ticket/4227 --- ipalib/plugins/otptoken.py | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py index f68ea7df596c8d7e837d98874f4fd630a6d7524a..027c28f85b9697d99bbe378f83cc0dc44b9be5d4 100644 --- a/ipalib/plugins/otptoken.py +++ b/ipalib/plugins/otptoken.py @@ -120,8 +120,6 @@ class otptoken(LDAPObject): Str('ipatokenuniqueid', cli_name='id', label=_('Unique ID'), -default_from=lambda: unicode(uuid.uuid4()), -autofill=True, primary_key=True, flags=('optional_create'), ), @@ -233,6 +231,11 @@ class otptoken_add(LDAPCreate): ) def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): +# Fill in a default UUID when not specified. +if entry_attrs.get('ipatokenuniqueid', None) is None: +entry_attrs['ipatokenuniqueid'] = str(uuid.uuid4()) +dn = DN(ipatokenuniqueid=%s % entry_attrs['ipatokenuniqueid'], dn) + # Set the object class and defaults for specific token types entry_attrs['objectclass'] = otptoken.object_class + ['ipatoken' + options['type']] for ttype, tattrs in TOKEN_TYPES.items(): -- 1.9.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
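Review bot: in the first hunk the surviving context line `flags=('optional_create'),` is a bare string rather than a one-element tuple (no trailing comma); if the flags value is consumed as a sequence, as a tuple would be, the string yields its individual characters instead of the flag name. Since this patch already edits the neighbouring lines, change it to `flags=('optional_create',)` here.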
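Review bot: in the pre_callback hunk the new default is built with `str(uuid.uuid4())` while the removed LDAPObject default used `unicode(uuid.uuid4())`; under Python 2 the other entry_attrs values are unicode, so keep the primary key unicode as well to avoid str/unicode mismatches when the value is compared against the DN or echoed back to the client. Also, `dn = DN(ipatokenuniqueid=..., dn)` only rebinds the local name; LDAPCreate uses whatever pre_callback returns, so make sure the function's `return dn` is the rebound value and not the original one.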
Re: [Freeipa-devel] [PATCH 0052] Only specify the ipatokenuniqueid default in the add operation
On 6.5.2014 16:51, Nathaniel McCallum wrote:
> Specifying the default in the LDAP Object causes the parameter to be specified for non-add operations. This is especially problematic when performing the modify operation as it causes the primary key to change for every modification.
> https://fedorahosted.org/freeipa/ticket/4227

shouldn't removal of `autofill=True,` be enough?

-- 
Petr Vobornik
Re: [Freeipa-devel] [PATCH 0048] Default the token owner to the person adding the token
On Tue, 2014-05-06 at 16:11 +0200, Jan Cholasta wrote: On 6.5.2014 15:16, Nathaniel McCallum wrote: On Tue, 2014-05-06 at 13:46 +0200, Jan Cholasta wrote: Hi, On 5.5.2014 18:40, Nathaniel McCallum wrote: Creating tokens for yourself is the most common operation. Making this the default optimizes for the common case. The user-find call should be inside the if statement. This is actually for a reason. See my patch 0049 for further context. IMO something like this would be better: if 'ipatokenowner' not in entry_attrs or 'ipatokenprotected' not in entry_attrs: result = self.api.Command.user_find(whoami=True)['result'] if result: cur_uid = result[0]['uid'][0] prev_uid = entry_attrs.setdefault('ipatokenowner', cur_uid) if cur_uid != prev_uid: entry_attrs.setdefault('ipatokenprotected', True) Fixed (see also my new revision of patch 0049). Nathaniel From 773901e0c31e5eb520a882ce44027117d80a7b79 Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum npmccal...@redhat.com Date: Mon, 5 May 2014 10:41:20 -0400 Subject: [PATCH] Default the token owner to the person adding the token Creating tokens for yourself is the most common operation. Making this the default optimizes for the common case. --- ipalib/plugins/otptoken.py | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py index f68ea7df596c8d7e837d98874f4fd630a6d7524a..280e552811630bf01f86528fdd06c2cc9b724790 100644 --- a/ipalib/plugins/otptoken.py +++ b/ipalib/plugins/otptoken.py 
@@ -241,7 +241,14 @@ class otptoken_add(LDAPCreate): if tattr in entry_attrs: del entry_attrs[tattr] -# Resolve the user's dn +# If owner was not specified, default to the person adding this token. +if 'ipatokenowner' not in entry_attrs: +result = self.api.Command.user_find(whoami=True)['result'] +if result: +cur_uid = result[0]['uid'][0] +entry_attrs.setdefault('ipatokenowner', cur_uid) + +# Resolve the owner's dn _normalize_owner(self.api.Object.user, entry_attrs) # Get the issuer for the URI -- 1.9.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
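Review bot: when `user_find(whoami=True)` returns an empty result (the caller is authenticated as a host or service principal rather than a user), this hunk leaves ipatokenowner unset and falls straight through to `_normalize_owner(self.api.Object.user, entry_attrs)`; the hunk does not show how that helper handles a missing owner, so either raise an explicit error on the empty-result path or confirm that an owner-less token is intended (it would sit outside the owner-based ACIs the companion patch relies on). Minor: inside `if 'ipatokenowner' not in entry_attrs:` the `setdefault` is redundant; a plain assignment reads clearer.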
Re: [Freeipa-devel] [PATCH 0049] Add support for protected tokens
On Tue, 2014-05-06 at 09:49 -0400, Nathaniel McCallum wrote: On Mon, 2014-05-05 at 12:42 -0400, Nathaniel McCallum wrote: This also constitutes a rethinking of the token ACIs after the introduction of SELFDN support. Admins, as before, have full access to all token permissions. Normal users have read/search/compare access to all of the non-secret data for tokens assigned to them, whether protected or non-protected. Users can add or delete non-protected tokens and modify most of their metadata. However they cannot create, delete or modify protected tokens. Regardless of whether the token is protected or not, users cannot change a token's ownership or unique identity. In contrast, admins can create protected tokens. This protects the token from deletion or modification when assigned to users. Additionally, when a user account is deleted, the assigned non-protected tokens are deleted but the protected tokens are merely orphaned. This permits the token to be reassigned without having to recreate it. This last point is particularly useful in the case of hardware tokens. https://fedorahosted.org/freeipa/ticket/4228 NOTE: This patch depends on my patch 0048. This new version makes ipatokenDisabled visible for token owners. It is also writable if the token is non-protected. This additionally fixes: https://fedorahosted.org/freeipa/ticket/4259 This new version changes the way the default value of protected is setup in accordance with the changes made for the review of my patch 0048.2. Nathaniel From fea0835c9b55223944a8455451b14ab3bc13eace Mon Sep 17 00:00:00 2001 
From: Nathaniel McCallum npmccal...@redhat.com Date: Fri, 2 May 2014 16:44:30 -0400 Subject: [PATCH] Add support for protected tokens This also constitutes a rethinking of the token ACIs after the introduction of SELFDN support. Admins, as before, have full access to all token permissions. Normal users have read/search/compare access to all of the non-secret data for tokens assigned to them, whether protected or non-protected. Users can add or delete non-protected tokens and modify most of their metadata. However they cannot create, delete or modify protected tokens. Regardless of whether the token is protected or not, users cannot change a token's ownership or unique identity. In contrast, admins can create protected tokens. This protects the token from deletion or modification when assigned to users. Additionally, when a user account is deleted, the assigned non-protected tokens are deleted but the protected tokens are merely orphaned. This permits the token to be reassigned without having to recreate it. This last point is particularly useful in the case of hardware tokens. https://fedorahosted.org/freeipa/ticket/4228 https://fedorahosted.org/freeipa/ticket/4259 --- install/share/70ipaotp.ldif| 3 ++- install/share/default-aci.ldif | 10 +- install/updates/40-otp.update | 16 +++- ipalib/plugins/otptoken.py | 11 +-- ipalib/plugins/user.py | 9 - 5 files changed, 35 insertions(+), 14 deletions(-) diff --git a/install/share/70ipaotp.ldif b/install/share/70ipaotp.ldif index a40ad9ee0cfcf72ed6b79306396a29683f9e1a9d..08f639b6cd14b6dd1270a604fdd061cecb4a6482 100644 --- a/install/share/70ipaotp.ldif +++ b/install/share/70ipaotp.ldif 
@@ -23,7 +23,8 @@ attributeTypes: (2.16.840.1.113730.3.8.16.1.18 NAME 'ipatokenRadiusTimeout' DESC attributeTypes: (2.16.840.1.113730.3.8.16.1.19 NAME 'ipatokenRadiusRetries' DESC 'Number of allowed Retries' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP') attributeTypes: (2.16.840.1.113730.3.8.16.1.20 NAME 'ipatokenUserMapAttribute' DESC 'Attribute to map from the user entry for RADIUS server authentication' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP') attributeTypes: (2.16.840.1.113730.3.8.16.1.21 NAME 'ipatokenHOTPcounter' DESC 'HOTP counter' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP') -objectClasses: (2.16.840.1.113730.3.8.16.2.1 NAME 'ipaToken' SUP top ABSTRACT DESC 'Abstract token class for tokens' MUST (ipatokenUniqueID) MAY (description $ ipatokenOwner $ ipatokenDisabled $ ipatokenNotBefore $ ipatokenNotAfter $ ipatokenVendor $ ipatokenModel $ ipatokenSerial) X-ORIGIN 'IPA OTP') +attributeTypes: (2.16.840.1.113730.3.8.16.1.22 NAME 'ipatokenProtected' DESC 'Optionally marks token as Protected' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA OTP') +objectClasses: (2.16.840.1.113730.3.8.16.2.1 NAME 'ipaToken' SUP top ABSTRACT DESC 'Abstract token class for tokens' MUST (ipatokenUniqueID) MAY (description $ ipatokenOwner $ ipatokenDisabled $ ipatokenNotBefore $ ipatokenNotAfter $ ipatokenVendor $ ipatokenModel $ ipatokenSerial $ ipatokenProtected) X-ORIGIN 'IPA OTP') objectClasses: (2.16.840.1.113730.3.8.16.2.2 NAME
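Review bot: this schema hunk is unchanged from the previous revision (same blob ids a40ad9ee..08f639b6), so the open question about the new OID 2.16.840.1.113730.3.8.16.1.22 for ipatokenProtected still stands: record it wherever the project tracks allocated OIDs, because a later duplicate allocation in the 2.16.840.1.113730.3.8.16.1.x range is painful to undo once deployed servers carry the schema. It would also help to state, in the DESC or the commit message, whether an absent ipatokenProtected is treated exactly like FALSE, since absent booleanMatch attributes are a common source of ACI filter mismatches.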
Re: [Freeipa-devel] [PATCH 0052] Only specify the ipatokenuniqueid default in the add operation
On Tue, 2014-05-06 at 17:04 +0200, Petr Vobornik wrote:
> On 6.5.2014 16:51, Nathaniel McCallum wrote:
>> Specifying the default in the LDAP Object causes the parameter to be specified for non-add operations. This is especially problematic when performing the modify operation as it causes the primary key to change for every modification.
>> https://fedorahosted.org/freeipa/ticket/4227
> shouldn't removal of `autofill=True,` be enough?

Removing autofill=True results in the default not being used for the otptoken-add operation. That may be a different bug (I'm not sure what the expectation of autofill is).

Nathaniel
Re: [Freeipa-devel] [PATCH 0239-0243] Refactor ldap_parse_master_zoneentry()
On 6.5.2014 14:41, Tomas Hozza wrote: - Original Message - Hello, This patch set attempts to move ldap_parse_master_zoneentry() a little bit closer to sane code. It is preparation for https://fedorahosted.org/bind-dyndb-ldap/ticket/56 -- Petr^2 Spacek Patches look good. ACK. ACKing of version 2 of the patch 242 will follow. The patch 243 introduced new compilation warning that Peter is aware of. Unfortunately we are unable to find the root cause of it, so leaving it as is for now... I managed to find fix one problem (see new version of the patch 243) but GCC still complains. ../../src/ldap_helper.c: In function 'update_zone': ../../src/ldap_helper.c:2334:34: error: 'data_changed' may be used uninitialized in this function [-Werror=maybe-uninitialized] if (sync_state == sync_finished data_changed == ISC_TRUE) ^ ../../src/ldap_helper.c:2218:16: note: 'data_changed' was declared here isc_boolean_t data_changed; On my machine with gcc-4.8.2-7.fc20.x86_64 this happens only with -O2. I'm not able to reproduce this with clang-3.4-6.fc20.x86_64 but it is no so surprising - Clang didn't catch even the first case (fixed by patch version 2). Any hint what is wrong or how to refactor code will be appreciated! ;-) -- Petr^2 Spacek From 237d116de60d7ada5d6be84c9d58a52d5e306f90 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Thu, 17 Apr 2014 19:57:48 +0200 Subject: [PATCH] Refactor zone apex synchronization and serial maintenance. ldap_parse_master_zoneentry() is way too long and unmanageable. https://fedorahosted.org/bind-dyndb-ldap/ticket/56 Signed-off-by: Petr Spacek pspa...@redhat.com --- src/ldap_helper.c | 230 ++ 1 file changed, 129 insertions(+), 101 deletions(-) diff --git a/src/ldap_helper.c b/src/ldap_helper.c index d94bb57fdd6e5e0e43a978d7aaba471c62014eb9..7374948a3b283155035aea33fa0da62e8beae95d 100644 --- a/src/ldap_helper.c +++ b/src/ldap_helper.c 
@@ -1896,49 +1896,153 @@ cleanup: return result; } +/** + * Synchronize internal RBTDB with master zone object in LDAP and update serial + * as necessary. + * + * @param[in] new_zone Is the RBTDB empty? (I.e. even without SOA record.) + * @param[in] version LDAP DB opened for reading and writing. + * @param[out] diff Initialized diff. It will be filled with differences + * between RBTDB and LDAP object + SOA serial update. + * @param[out] new_serial SOA serial after update; + *valid if ldap_writeback = ISC_TRUE. + * @param[out] ldap_writeback SOA serial was updated. + * @param[out] data_changed Other data were updated. + * + */ +static isc_result_t ATTR_NONNULLS ATTR_CHECKRESULT +zone_sync_apex(const ldap_instance_t * const inst, + ldap_entry_t * const entry, dns_name_t name, + const sync_state_t sync_state, const isc_boolean_t new_zone, + dns_db_t * const ldapdb, dns_db_t * const rbtdb, + dns_dbversion_t * const version, dns_diff_t * const diff, + isc_uint32_t * const new_serial, + isc_boolean_t * const ldap_writeback, + isc_boolean_t * const data_changed) { + isc_result_t result; + const char *fake_mname = NULL; + ldapdb_rdatalist_t rdatalist; + dns_rdatasetiter_t *rbt_rds_iterator = NULL; + /* RBTDB's origin node cannot be detached until the node is non-empty. + * This is workaround for ISC-Bug #35080. 
*/ + dns_dbnode_t *node = NULL; + dns_difftuple_t *soa_tuple = NULL; + isc_boolean_t soa_tuple_alloc = ISC_FALSE; + isc_uint32_t curr_serial; + + INIT_LIST(rdatalist); + CHECK(setting_get_str(fake_mname, inst-local_settings, + fake_mname)); + CHECK(ldap_parse_rrentry(inst-mctx, entry, name, fake_mname, + rdatalist)); + + CHECK(dns_db_getoriginnode(rbtdb, node)); + result = dns_db_allrdatasets(rbtdb, node, version, 0, + rbt_rds_iterator); + if (result == ISC_R_SUCCESS) { + CHECK(diff_ldap_rbtdb(inst-mctx, name, rdatalist, + rbt_rds_iterator, diff)); + dns_rdatasetiter_destroy(rbt_rds_iterator); + } else if (result != ISC_R_NOTFOUND) + goto cleanup; + + /* New zone doesn't have serial defined yet. */ + if (new_zone != ISC_TRUE) + CHECK(dns_db_getsoaserial(rbtdb, version, curr_serial)); + + /* Detect if SOA serial is affected by the update or not. + * Always bump serial in case of re-synchronization. */ + CHECK(diff_analyze_serial(diff, soa_tuple, data_changed)); + if (new_zone == ISC_TRUE || *data_changed == ISC_TRUE || + sync_state != sync_finished) { + if (soa_tuple == NULL) { + /* The diff doesn't contain new SOA serial + * = generate new serial and write it back to LDAP. */ + *ldap_writeback = ISC_TRUE; + soa_tuple_alloc = ISC_TRUE; + CHECK(dns_db_createsoatuple(ldapdb, version, inst-mctx, + DNS_DIFFOP_DEL, soa_tuple)); + dns_diff_appendminimal(diff, soa_tuple); + CHECK(dns_db_createsoatuple(ldapdb, version, inst-mctx, +
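Review bot: `data_changed` is documented as an `[out]` parameter of zone_sync_apex(), but the only store to it happens inside `diff_analyze_serial(diff, soa_tuple, data_changed)`, which is reached only if every preceding CHECK() (setting_get_str, ldap_parse_rrentry, dns_db_getoriginnode, dns_db_getsoaserial) succeeds; on any early `goto cleanup` the caller's `isc_boolean_t data_changed;` is never written, which is exactly what GCC reports at the `if (sync_state == sync_finished && data_changed == ISC_TRUE)` site in update_zone(). Even if the caller only reads it after a successful return, GCC cannot prove that across the CHECK macro. Initialize both out parameters at function entry (`*data_changed = ISC_FALSE; *ldap_writeback = ISC_FALSE;`) so the contract holds on every return path and the -Wmaybe-uninitialized error disappears for the right reason rather than through an initializer in the caller.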
Re: [Freeipa-devel] [PATCH 0049] Add support for protected tokens
On 05/06/2014 11:08 AM, Nathaniel McCallum wrote: On Tue, 2014-05-06 at 09:49 -0400, Nathaniel McCallum wrote: On Mon, 2014-05-05 at 12:42 -0400, Nathaniel McCallum wrote: This also constitutes a rethinking of the token ACIs after the introduction of SELFDN support. Admins, as before, have full access to all token permissions. Normal users have read/search/compare access to all of the non-secret data for tokens assigned to them, whether protected or non-protected. Users can add or delete non-protected tokens and modify most of their metadata. However they cannot create, delete or modify protected tokens. Regardless of whether the token is protected or not, users cannot change a token's ownership or unique identity. In contrast, admins can create protected tokens. This protects the token from deletion or modification when assigned to users. Additionally, when a user account is deleted, the assigned non-protected tokens are deleted but the protected tokens are merely orphaned. This permits the token to be reassigned without having to recreate it. This last point is particularly useful in the case of hardware tokens. https://fedorahosted.org/freeipa/ticket/4228 NOTE: This patch depends on my patch 0048. This new version makes ipatokenDisabled visible for token owners. It is also writable if the token is non-protected. This additionally fixes: https://fedorahosted.org/freeipa/ticket/4259 This new version changes the way the default value of protected is setup in accordance with the changes made for the review of my patch 0048.2. Nathaniel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Have we recorded any new OIDs added as a part of this OTP cleanup in our OID registry? If not we should collect all added attributes and make sure they are recorded. -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. 
Re: [Freeipa-devel] [PATCH 0052] Only specify the ipatokenuniqueid default in the add operation
On 6.5.2014 17:13, Nathaniel McCallum wrote:
> On Tue, 2014-05-06 at 17:04 +0200, Petr Vobornik wrote:
>> On 6.5.2014 16:51, Nathaniel McCallum wrote:
>>> Specifying the default in the LDAP Object causes the parameter to be specified for non-add operations. This is especially problematic when performing the modify operation as it causes the primary key to change for every modification.
>>> https://fedorahosted.org/freeipa/ticket/4227
>> shouldn't removal of `autofill=True,` be enough?
> Removing autofill=True results in the default not being used for the otptoken-add operation. That may be a different bug (I'm not sure what the expectation of autofill is).
>
> Nathaniel

Seems to work for me with:

diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py index f68ea7d..623f1f1 100644 --- a/ipalib/plugins/otptoken.py +++ b/ipalib/plugins/otptoken.py @@ -121,9 +121,7 @@ class otptoken(LDAPObject): cli_name='id', label=_('Unique ID'), default_from=lambda: unicode(uuid.uuid4()), -autofill=True, primary_key=True, -flags=('optional_create'), ), StrEnum('type?', label=_('Type'),

-- 
Petr Vobornik
Re: [Freeipa-devel] [PATCH 0052] Only specify the ipatokenuniqueid default in the add operation
On Tue, 2014-05-06 at 17:34 +0200, Petr Vobornik wrote:
> On 6.5.2014 17:13, Nathaniel McCallum wrote:
>> On Tue, 2014-05-06 at 17:04 +0200, Petr Vobornik wrote:
>>> On 6.5.2014 16:51, Nathaniel McCallum wrote:
>>>> Specifying the default in the LDAP Object causes the parameter to be specified for non-add operations. This is especially problematic when performing the modify operation as it causes the primary key to change for every modification.
>>>> https://fedorahosted.org/freeipa/ticket/4227
>>> shouldn't removal of `autofill=True,` be enough?
>> Removing autofill=True results in the default not being used for the otptoken-add operation. That may be a different bug (I'm not sure what the expectation of autofill is).
>>
>> Nathaniel
> Seems to work for me with:
>
> diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py index f68ea7d..623f1f1 100644 --- a/ipalib/plugins/otptoken.py +++ b/ipalib/plugins/otptoken.py @@ -121,9 +121,7 @@ class otptoken(LDAPObject): cli_name='id', label=_('Unique ID'), default_from=lambda: unicode(uuid.uuid4()), -autofill=True, primary_key=True, -flags=('optional_create'), ), StrEnum('type?', label=_('Type'),

Doing this causes the ipa otptoken-add command to prompt for the Unique ID. This may be the desired behavior, but it is not how it worked previously (no prompt).

Nathaniel
Re: [Freeipa-devel] [PATCH 0052] Only specify the ipatokenuniqueid default in the add operation
On Tue, 2014-05-06 at 11:38 -0400, Nathaniel McCallum wrote:
> On Tue, 2014-05-06 at 17:34 +0200, Petr Vobornik wrote:
>> On 6.5.2014 17:13, Nathaniel McCallum wrote:
>>> On Tue, 2014-05-06 at 17:04 +0200, Petr Vobornik wrote:
>>>> On 6.5.2014 16:51, Nathaniel McCallum wrote:
>>>>> Specifying the default in the LDAP Object causes the parameter to be specified for non-add operations. This is especially problematic when performing the modify operation as it causes the primary key to change for every modification.
>>>>> https://fedorahosted.org/freeipa/ticket/4227
>>>> shouldn't removal of `autofill=True,` be enough?
>>> Removing autofill=True results in the default not being used for the otptoken-add operation. That may be a different bug (I'm not sure what the expectation of autofill is).
>>>
>>> Nathaniel
>> Seems to work for me with:
>>
>> diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py index f68ea7d..623f1f1 100644 --- a/ipalib/plugins/otptoken.py +++ b/ipalib/plugins/otptoken.py @@ -121,9 +121,7 @@ class otptoken(LDAPObject): cli_name='id', label=_('Unique ID'), default_from=lambda: unicode(uuid.uuid4()), -autofill=True, primary_key=True, -flags=('optional_create'), ), StrEnum('type?', label=_('Type'),
> Doing this causes the ipa otptoken-add command to prompt for the Unique ID. This may be the desired behavior, but it is not how it worked previously (no prompt).

Here is an alternate patch for this second approach. I have no strong opinion on the correct behavior here.

Nathaniel

From 00a5e223c3809f409f93020e29654321b318ba0f Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum npmccal...@redhat.com Date: Thu, 1 May 2014 16:31:45 -0400 Subject: [PATCH] Only use the ipatokenuniqueid default in the add operation Without this patch, the ipatokenuniqueid attribute gets filled in during non-add operations. This is especially problematic when performing the modify operation as it causes the primary key to change for every modification. https://fedorahosted.org/freeipa/ticket/4227 --- ipalib/plugins/otptoken.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py index f68ea7df596c8d7e837d98874f4fd630a6d7524a..623f1f1dcd798aa7b8f3b9210b2de90fb82cd4bf 100644 --- a/ipalib/plugins/otptoken.py +++ b/ipalib/plugins/otptoken.py @@ -121,9 +121,7 @@ class otptoken(LDAPObject): cli_name='id', label=_('Unique ID'), default_from=lambda: unicode(uuid.uuid4()), -autofill=True, primary_key=True, -flags=('optional_create'), ), StrEnum('type?', label=_('Type'), -- 1.9.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
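Review bot: the hunk removes both `autofill=True,` and `flags=('optional_create'),`, but the commit message only describes the modify-time symptom; dropping `optional_create` is also a user-visible CLI change (otptoken-add now prompts for the Unique ID, as noted earlier in the thread), so state that in the message so the behaviour change is deliberate and reviewable. If the prompt is not wanted, keep `flags=('optional_create',)` (with the trailing comma that makes it a tuple) and move the UUID default into the add command instead. The retained `default_from=lambda: unicode(uuid.uuid4())` appears to serve only as the interactive default after this change; a short comment saying so would stop someone from re-adding autofill later.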
[Freeipa-devel] [PATCH] 20 Trust add datetime fix
Hi, this patch fixes trust add, since now datetime object is returned for 'modifytimestamp', which cannot be split like a string, thus causing an error. Thanks AdamFrom afe6d32cb0912c18fa046992a1e27f352b454dcb Mon Sep 17 00:00:00 2001 From: Adam Misnyovszki amisn...@redhat.com Date: Mon, 5 May 2014 19:21:01 +0200 Subject: [PATCH] Trust add datetime fix Fixes trust add, since now datetime object is returned for 'modifytimestamp', which cannot be split like a string. --- ipaserver/dcerpc.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 3b89adc084caf5a21021d29ab55d3f088c4422bc..312761662c6fbde0c3c2136e14ac3d4f48c125c7 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -1107,7 +1107,7 @@ class TrustDomainJoins(object): # Use realmdomains' modification timestamp to judge records last update time entry = self.api.Backend.ldap2.get_entry(realm_domains['dn'], ['modifyTimestamp']) # Convert the timestamp to Windows 64-bit timestamp format -trust_timestamp = long(time.mktime(time.strptime(entry['modifytimestamp'][0][:14], %Y%m%d%H%M%S))*1e7+1164447360) +trust_timestamp = long(time.mktime(entry['modifytimestamp'][0].timetuple())*1e7+1164447360) for dom in realm_domains['associateddomain']: ftinfo = dict() -- 1.9.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
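Review bot: `time.mktime(entry['modifytimestamp'][0].timetuple())` interprets the tuple in the server's local time zone, but an LDAP modifyTimestamp is UTC (generalized time with a trailing Z), so the computed trust timestamp is off by the local UTC offset on any server not running in UTC; the removed strptime-based line had the same flaw, so this is not a regression, but `calendar.timegm(...)` is the correct conversion and fixing it in the same line is cheap. Separately, please double-check the epoch offset constant as it appears in the hunk (`1164447360`): the gap between 1601-01-01 and 1970-01-01 is 11644473600 seconds, which is 116444736000000000 in the 100-ns FILETIME units the `*1e7` scaling produces, so the value shown here looks truncated.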
Re: [Freeipa-devel] [PATCH] 20 Trust add datetime fix
On Tue, 2014-05-06 at 17:54 +0200, Misnyovszki Adam wrote:
> Hi, this patch fixes trust add, since now datetime object is returned for 'modifytimestamp', which cannot be split like a string, thus causing an error.

ACK.

Nathaniel
[Freeipa-devel] [PATCH] 22-23 webui tests extended by checking field disable property
Hi, first patch extends webui tests with a callback function, and an assert_disabled function, to check if a field is disabled under certain conditions. Second patch extends range tests with this checking functionality depending on range types. Thanks AdamFrom ba58847116ea90e129ba009d00f50337b5eee32e Mon Sep 17 00:00:00 2001 From: Adam Misnyovszki amisn...@redhat.com Date: Tue, 6 May 2014 16:47:35 +0200 Subject: [PATCH] webui tests: callback, assert_disabled feature added Added a callback feature to webui tests, to extend functionality. Also added assert_disabled function to ui_driver, to check if a field is disabled in the browser. --- ipatests/test_webui/ui_driver.py | 22 -- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/ipatests/test_webui/ui_driver.py b/ipatests/test_webui/ui_driver.py index 7cfe21ad8985b04fcb296adccf0277a5f02833b9..1f695fb279ace2f47a31bf7e7feebf180bf4e65a 100644 --- a/ipatests/test_webui/ui_driver.py +++ b/ipatests/test_webui/ui_driver.py @@ -1000,7 +1000,7 @@ class UI_driver(object): key = field[1] val = field[2] -if undo: +if undo and not hasattr(key, '__call__'): self.assert_undo_button(key, False, parent) if widget_type == 'textbox': @@ -1025,8 +1025,13 @@ class UI_driver(object): self.fill_multivalued(key, val, parent) elif widget_type == 'table': self.select_record(val, parent, key) +# this meta field specifies a function, to extend functionality of +# field checking +elif widget_type == 'callback': +if hasattr(key, '__call__'): +key(val) self.wait() -if undo: +if undo and not hasattr(key, '__call__'): self.assert_undo_button(key, True, parent) def validate_fields(self, fields, parent=None): 
@@ -1551,6 +1556,19 @@ class UI_driver(object): else: assert visible, Element not visible: %s % selector +def assert_disabled(self, selector, parent=None, negative=False): + +Assert that element defined by selector is disabled + +selector += [disabled] +if not parent: +parent = self.get_form() +el = self.find(selector, By.CSS_SELECTOR, parent) +if negative: +assert el is None, Element not disabled: %s % selector +else: +assert el, Element disabled: %s % selector + def assert_record(self, pkey, parent=None, table_name=None, negative=False): Assert that record is in current search table -- 1.9.0 From 01b00f7a735c8224619460d05ac239d0a42dc94b Mon Sep 17 00:00:00 2001 From: Adam Misnyovszki amisn...@redhat.com Date: Tue, 6 May 2014 16:49:03 +0200 Subject: [PATCH] webui tests: range test extended Range test extended with checking of disabled field according to trust types. --- ipatests/test_webui/task_range.py | 9 + 1 file changed, 9 insertions(+) diff --git a/ipatests/test_webui/task_range.py b/ipatests/test_webui/task_range.py index 3b9c84a96be00cbe556c04b7c29028c2b2f21d0c..d46d345f03a2b50730e3107ef6f7cda4465c 100644 --- a/ipatests/test_webui/task_range.py +++ b/ipatests/test_webui/task_range.py @@ -95,6 +95,7 @@ class range_tasks(UI_driver): ('textbox', 'ipaidrangesize', str(size)), ('textbox', 'ipabaserid', str(base_rid)), ('radio', 'iparangetype', range_type), +('callback', self.check_range_type_mod, range_type) ] if not sid: 
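Review bot: in the `assert_disabled` hunk the two failure messages are inverted: with `negative=True` the assertion `el is None` fails precisely when a disabled element was found, yet the message reads 'Element not disabled'; the `else` branch fails when no disabled element exists, yet reads 'Element disabled'. Swap the two strings, otherwise a failing test points the reader in the wrong direction. In the earlier hunks of this patch, `hasattr(key, '__call__')` is repeated three times; `callable(key)` is clearer, and skipping `assert_undo_button` should key on `widget_type == 'callback'` rather than on the callability of `key`, which is the actual reason there is no undo button to check.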
@@ -105,3 +106,11 @@ class range_tasks(UI_driver): add.append(('textbox', 'ipanttrusteddomainsid', sid)) return add + +def check_range_type_mod(self, range_type): +if range_type == 'ipa-local': +self.assert_disabled([name=ipanttrusteddomainsid]) +self.assert_disabled([name=ipasecondarybaserid], negative=True) +elif range_type == 'ipa-ad-trust': +self.assert_disabled([name=ipanttrusteddomainsid], negative=True) +self.assert_disabled([name=ipasecondarybaserid]) -- 1.9.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
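Review bot: `check_range_type_mod` passes silently for any `range_type` other than 'ipa-local' and 'ipa-ad-trust', so a new or misspelled range type makes the check vacuous; add an `else` branch that fails the test (for example `raise AssertionError('unexpected range type: %s' % range_type)`). The callback tuple `('callback', self.check_range_type_mod, range_type)` is correctly placed after the 'iparangetype' radio entry, but since the assertion depends on that ordering a one-line comment saying so would keep a future reordering from breaking it.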
Re: [Freeipa-devel] [PATCH] 20 Trust add datetime fix
On Tue, 06 May 2014, Nathaniel McCallum wrote:
> On Tue, 2014-05-06 at 17:54 +0200, Misnyovszki Adam wrote:
>> Hi, this patch fixes trust add, since now datetime object is returned for 'modifytimestamp', which cannot be split like a string, thus causing an error.
> ACK.

Thanks. Pushed to master: fa7057b72723a7999dffc1de9bdf97d13f12079c

-- 
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH 0137] ipalib: Add DateTime parameter
I know it is a bit late on this, but for the OTP token import script, I have to have support for the full ISO 8601. My plan right now is to use python-dateutil for this. Using dateutil would simplify some of this code. Is there a reason we aren't using dateutil?

On Mon, 2014-05-05 at 18:58 +0300, Alexander Bokovoy wrote:
On Wed, 30 Apr 2014, Tomas Babej wrote:
On 04/25/2014 11:08 AM, Jan Cholasta wrote:
On 22.4.2014 13:32, Tomas Babej wrote:
Thank you for the suggestions. Updated, rebased patch is attached.

This API.txt change from the next patch belongs in this patch:
+capability: datetime_values 2.84

I think you should use the LDAP_GENERALIZED_TIME_FORMAT constant here:
+accepted_formats = ['%Y%m%d%H%M%SZ', # generalized time

This is not right:
+elif isinstance(val, datetime.datetime):
+return val

To actually decode LDAP generalized time attributes to datetime, you need to do this:
'2.16.840.1.113719.1.301.4.41.1' : DN, # krbSubTrees
'2.16.840.1.113719.1.301.4.52.1' : DN, # krbObjectReferences
'2.16.840.1.113719.1.301.4.53.1' : DN, # krbPrincContainerRef
+
+'1.3.6.1.4.1.1466.115.121.1.24' : datetime.datetime,
}
# In most cases we lookup the syntax from the schema returned by

and this:
return val
elif target_type is unicode:
return val.decode('utf-8')
+elif target_type is datetime.datetime:
+return datetime.datetime.strptime(val, LDAP_GENERALIZED_TIME_FORMAT)
else:
return target_type(val)
except Exception, e:

and add code for formatting datetime values to the textui backend.

Thanks for the review. I fixed all the issues, updated patch is attached. I also added unit tests for the new DateTime parameter.

Thanks, tested them as part of kerberos principal expiration time patches. Pushed two patches to git master.
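The two threads above turn on the same conversion: the trust-add fix exists because 'modifytimestamp' now arrives as a datetime object instead of a string, and the DateTime parameter review describes mapping the GeneralizedTime syntax OID 1.3.6.1.4.1.1466.115.121.1.24 to datetime.datetime and parsing values with LDAP_GENERALIZED_TIME_FORMAT. The block below is an added, self-contained example written for this digest; it is not FreeIPA's code. The constant names, the helper functions and the ISO 8601 fallbacks in ACCEPTED_FORMATS are this example's own assumptions standing in for the plugin's accepted_formats list. It also shows the point that matters for expiry checks such as the Kerberos principal expiration mentioned in the thread: strptime treats the trailing "Z" as a literal and returns a naive datetime, so UTC has to be attached explicitly before comparing against an aware "now".

```python
"""Decode and encode LDAP generalized time values (added example, not FreeIPA code)."""
import datetime

UTC = datetime.timezone.utc

# Format quoted in the thread for LDAP generalized time, e.g. 20140506145203Z.
LDAP_GENERALIZED_TIME_FORMAT = '%Y%m%d%H%M%SZ'

# Syntax OID for GeneralizedTime, from the syntax table quoted in the review.
GENERALIZED_TIME_SYNTAX_OID = '1.3.6.1.4.1.1466.115.121.1.24'

# Input formats tried in order. Only the first is from the thread; the ISO 8601
# variants are an assumption for this example (the real accepted_formats list
# is not shown on the page). All of them denote UTC.
ACCEPTED_FORMATS = [
    LDAP_GENERALIZED_TIME_FORMAT,
    '%Y-%m-%dT%H:%M:%SZ',
    '%Y-%m-%dT%H:%MZ',
    '%Y-%m-%dZ',
    '%Y-%m-%d',
]


def decode_datetime(val):
    """Return an aware UTC datetime for a str, bytes or datetime input.

    A datetime is passed through (a naive one is treated as UTC), which is
    the case the trust-add fix had to handle once 'modifytimestamp' stopped
    being a plain string. Anything unparsable raises ValueError.
    """
    if isinstance(val, datetime.datetime):
        return val if val.tzinfo is not None else val.replace(tzinfo=UTC)
    if isinstance(val, bytes):          # python-ldap hands back bytes
        val = val.decode('utf-8')
    if not isinstance(val, str):
        raise ValueError('unsupported datetime value type: %r' % type(val))
    for fmt in ACCEPTED_FORMATS:
        try:
            parsed = datetime.datetime.strptime(val, fmt)
        except ValueError:
            continue
        # strptime matched the literal 'Z' but did not set tzinfo: attach UTC.
        return parsed.replace(tzinfo=UTC)
    raise ValueError('unrecognised datetime value: %r' % val)


def encode_generalized_time(dt):
    """Format an aware datetime as LDAP generalized time in UTC (the textui direction)."""
    if dt.tzinfo is None:
        raise ValueError('naive datetime: UTC offset unknown, refusing to guess')
    return dt.astimezone(UTC).strftime(LDAP_GENERALIZED_TIME_FORMAT)


def attribute_to_python(syntax_oid, raw_value):
    """Convert one raw LDAP attribute value according to its syntax OID.

    Hypothetical stand-in for the syntax-to-type lookup quoted in the review:
    GeneralizedTime becomes an aware datetime, everything else a str.
    """
    if syntax_oid == GENERALIZED_TIME_SYNTAX_OID:
        return decode_datetime(raw_value)
    return raw_value.decode('utf-8') if isinstance(raw_value, bytes) else raw_value


def is_expired(expiry, now=None):
    """True if the expiry value (any form decode_datetime accepts) is not in the future."""
    if now is None:
        now = datetime.datetime.now(UTC)
    return decode_datetime(expiry) <= now


if __name__ == '__main__':
    # Constructed sample values, not taken from a real directory.
    raw = b'20140506145203Z'
    when = attribute_to_python(GENERALIZED_TIME_SYNTAX_OID, raw)
    print(when.isoformat())                       # 2014-05-06T14:52:03+00:00
    print(encode_generalized_time(when))          # 20140506145203Z
    print(is_expired(raw, now=decode_datetime('20140507000000Z')))  # True
```

Because every accepted format is tried with strptime and each failure is a plain ValueError, adding a new input form is a one-line change to ACCEPTED_FORMATS; the encoder deliberately refuses naive datetimes rather than assuming local time, so a value that lost its zone somewhere upstream fails loudly instead of shifting an expiry by the server's UTC offset.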
Re: [Freeipa-devel] [PATCH 0239-0243] Refactor ldap_parse_master_zoneentry()
On (06/05/14 17:15), Petr Spacek wrote:
On 6.5.2014 14:41, Tomas Hozza wrote:
- Original Message -
Hello, This patch set attempts to move ldap_parse_master_zoneentry() a little bit closer to sane code. It is preparation for https://fedorahosted.org/bind-dyndb-ldap/ticket/56 -- Petr^2 Spacek

Patches look good. ACK. ACKing of version 2 of the patch 242 will follow. The patch 243 introduced a new compilation warning that Peter is aware of. Unfortunately we are unable to find the root cause of it, so leaving it as is for now...

I managed to find & fix one problem (see new version of the patch 243) but GCC still complains.

../../src/ldap_helper.c: In function 'update_zone':
../../src/ldap_helper.c:2334:34: error: 'data_changed' may be used uninitialized in this function [-Werror=maybe-uninitialized]
if (sync_state == sync_finished && data_changed == ISC_TRUE)
^
../../src/ldap_helper.c:2218:16: note: 'data_changed' was declared here
isc_boolean_t data_changed;

On my machine with gcc-4.8.2-7.fc20.x86_64 this happens only with -O2.

The same problem with -O1, -Os, -O2 or -O3.

I doubt it is a false positive, because I could reproduce it even with gcc-4.9.0-1.fc21.x86_64. I'm not able to reproduce this with clang-3.4-6.fc20.x86_64 but it is not so surprising - Clang didn't catch even the first case (fixed by patch version 2). Any hint what is wrong or how to refactor the code will be appreciated! ;-)

I think it can be some kind of optimization in function zone_sync_apex. You can try to debug this function with plugin -O2-build :-) The warning can be suppressed with initialising the variable before the 1st CHECK. It will not work if you try to initialize later.

--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -2116,6 +2116,7 @@ zone_sync_apex(const ldap_instance_t * const inst, isc_uint32_t curr_serial; INIT_LIST(rdatalist); + *data_changed = ISC_FALSE; CHECK(setting_get_str(fake_mname, inst-local_settings, fake_mname)); CHECK(ldap_parse_rrentry(inst-mctx, entry, name, fake_mname, -- Petr^2 Spacek LS ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
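Review bot: initialising `*data_changed = ISC_FALSE;` at the top of zone_sync_apex, before the first CHECK, is the right fix rather than a mere warning suppression, and the placement should be kept exactly there: the CHECK macros bail out to cleanup on failure, so with a later assignment any early exit would hand an undefined out-parameter back to update_zone, which is precisely the read GCC flags at `if (sync_state == sync_finished && data_changed == ISC_TRUE)`. Worth adding a short comment on the new line (for example "out-parameter must be defined on every return path, including CHECK failures") so a future refactoring does not move it below a CHECK and reintroduce the warning only under -O2.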
[Freeipa-devel] [PATCH] 1107 smartproxy cleanup
Remove some unused files, fix an import which means we don't need to import from ipaserver, fix up Requires so it should work better running on a different box than the IPA server. rob From 9b04f60d3d0b0f2a28d1f88311e1aba815e188b9 Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Tue, 6 May 2014 15:52:11 -0400 Subject: [PATCH] Clean up Smartproxy support, drop unused code Drop the logrotate file because Apache manages the logs Drop the systemd configuration because we run in Apache Import json_encode_binary from ipalib Fix Requires --- freeipa.spec.in | 16 ++-- smartproxy/Makefile.am | 8 smartproxy/ipa-smartproxy.logrotate | 11 --- smartproxy/ipa-smartproxy.py| 2 +- smartproxy/ipa-smartproxy.service | 12 5 files changed, 3 insertions(+), 46 deletions(-) delete mode 100644 smartproxy/ipa-smartproxy.logrotate delete mode 100644 smartproxy/ipa-smartproxy.service diff --git a/freeipa.spec.in b/freeipa.spec.in index 4e3fd7351757be773fae0b02c55549910c5b37ad..68812ee350d645164b02664e4ea51d98c2454a2a 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -81,7 +81,6 @@ BuildRequires: libunistring-devel BuildRequires: python-lesscpy BuildRequires: python-kerberos BuildRequires: python-cherrypy -BuildRequires: python-requests # Find out Kerberos middle version to infer ABI changes in DAL driver # We cannot load DAL driver into KDC with wrong ABI. @@ -229,8 +228,8 @@ Group: System Environment/Base Requires: %{name}-client = %version-%release Requires: python-cherrypy Requires: gssproxy = 0.3.1 -Requires: python-requests Requires: python-kerberos = 1.1-14 +Requires: mod_wsgi %description server-foreman-smartproxy A Foreman-compatible REST API for managing hosts and hostgroups. 
@@ -475,7 +474,6 @@ touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so mkdir -p %{buildroot}%{_unitdir} install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service -install -m 644 smartproxy/ipa-smartproxy.service %{buildroot}%{_unitdir}/ipa-smartproxy.service # END mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup %endif # ONLY_CLIENT @@ -532,8 +530,6 @@ if [ $1 = 0 ]; then # NOTE: systemd specific section /bin/systemctl --quiet stop ipa.service || : /bin/systemctl --quiet disable ipa.service || : -/bin/systemctl --quiet stop ipa-smartproxy.service || : -/bin/systemctl --quiet disable ipa-smartproxy.service || : # END fi @@ -570,15 +566,9 @@ if [ $1 -eq 0 ]; then %{_sbindir}/update-alternatives --remove winbind_krb5_locator.so /dev/null fi -%preun server-foreman-smartproxy -if [ $1 = 0 ]; then -/bin/systemctl --quiet disable ipa-smartproxy.service || : -fi - %post server-foreman-smartproxy if [ $1 -gt 1 ] ; then -/bin/systemctl --system daemon-reload 21 || : -/bin/systemctl condrestart ipa-smartproxy.service 21 || : +/bin/systemctl try-restart httpd.service /dev/null 21 || : fi %endif # ONLY_CLIENT @@ -821,9 +811,7 @@ fi %{_usr}/share/ipa/smartproxy/ipa-smartproxy.py* %{_mandir}/man1/ipa-smartproxy.1.gz %{_mandir}/man5/ipa-smartproxy.conf.5.gz -%attr(644,root,root) %{_unitdir}/ipa-smartproxy.service %config(noreplace) %{_sysconfdir}/ipa/ipa-smartproxy.conf -%config(noreplace)%{_sysconfdir}/logrotate.d/ipa-smartproxy %endif # ONLY_CLIENT diff --git a/smartproxy/Makefile.am b/smartproxy/Makefile.am index f79aecfc303aac12d771170badea1eaf952b7ecf..c0994cc37c9b71552a12981a5e8b42082cca7db4 100644 --- a/smartproxy/Makefile.am +++ b/smartproxy/Makefile.am @@ -14,11 +14,6 @@ app_DATA = \ ipa-smartproxy.py \ $(NULL) -rotatedir = $(LOGROTATE_DIR) -rotate_DATA = \ - ipa-smartproxy.logrotate \ - $(NULL) - SUBDIRS = \ man \ $(NULL) 
@@ -40,6 +35,3 @@ MAINTAINERCLEANFILES = \ missing \ Makefile.in \ $(NULL) - -install-data-hook: - mv $(DESTDIR)/$(LOGROTATE_DIR)/ipa-smartproxy.logrotate $(DESTDIR)/$(LOGROTATE_DIR)/ipa-smartproxy diff --git a/smartproxy/ipa-smartproxy.logrotate b/smartproxy/ipa-smartproxy.logrotate deleted file mode 100644 index 12e25164cd5dea23a219422e20ea07c03a6c9a8e.. --- a/smartproxy/ipa-smartproxy.logrotate +++ /dev/null @@ -1,11 +0,0 @@ -/var/log/ipa-smartproxy.access /var/log/ipa-smartproxy.errors { -weekly -missingok -notifempty -sharedscripts -rotate 52 -compress -postrotate -/bin/systemctl reload ipa-smartproxy.service /dev/null 2/dev/null || true -endscript -} diff --git a/smartproxy/ipa-smartproxy.py b/smartproxy/ipa-smartproxy.py index 23788ecf514b9335955c3b86399e9bb6558ef024..453796a5d3c21324ad21bb3d03521c82fee1c6e4 100644 --- a/smartproxy/ipa-smartproxy.py +++ b/smartproxy/ipa-smartproxy.py @@ -31,7 +31,7 @@ from cherrypy import response from ipalib import api from ipalib
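Review bot: the hunk at `@@ -532,8 +530,6 @@` leaves the upgrade path from a build that shipped ipa-smartproxy.service unhandled. The stop/disable lines being removed sit under `if [ $1 = 0 ]`, so the old package's scriptlet runs them only on erase, not on upgrade, and the new package no longer installs or stops the unit; after an upgrade the unit file is gone while an already running ipa-smartproxy.service and its enablement symlink are left behind. Consider a one-time step in %post server-foreman-smartproxy (or a %triggerun against the older version) that runs `/bin/systemctl --quiet stop ipa-smartproxy.service || :` and the matching `disable`.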
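Review bot: with the `%preun server-foreman-smartproxy` section dropped in the `@@ -570,15 +566,9 @@` hunk, nothing reloads httpd when the package is erased, so the WSGI application stays loaded until the next httpd restart. Consider adding a `%postun server-foreman-smartproxy` that runs the same `/bin/systemctl try-restart httpd.service` as the new %post. Note also that the new %post is guarded by `$1 -gt 1`, so on first install no restart happens and the admin has to restart httpd by hand; that behaviour should be documented alongside the mod_wsgi configuration.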
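Review bot: the deleted smartproxy/ipa-smartproxy.logrotate covered /var/log/ipa-smartproxy.access and /var/log/ipa-smartproxy.errors. The commit message says Apache manages the logs now, but the smartproxy/ipa-smartproxy.py hunk is cut off in this message, so it is not visible whether the CherryPy application still writes to those two files; please confirm that its log configuration is updated in the same patch, otherwise those files would keep growing unrotated.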
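Review bot: the `@@ -81,7 +81,6 @@` and `@@ -229,8 +228,8 @@` hunks remove python-requests from both BuildRequires and Requires, but none of the visible hunks shows an `import requests` being dropped. Please state in the commit message why the dependency is no longer needed (the description only lists the logrotate, systemd and json_encode_binary changes), so a later reader does not have to re-derive it; the added `Requires: mod_wsgi` is fine and matches the move into Apache.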