Re: [Freeipa-devel] [PATCH] 478 Prepare spec for 4.0 release

2014-07-04 Thread Petr Viktorin

On 07/04/2014 06:57 PM, Martin Kosek wrote:

On 07/04/2014 06:39 PM, Petr Viktorin wrote:

On 07/04/2014 04:43 PM, Martin Kosek wrote:

- Bump 389-ds-base requires to fix the deref call with new ACIs:
https://fedorahosted.org/freeipa/ticket/4389
- Bump bind-dyndb-ldap Conflicts to fetch the DNSSEC capability
- Bump selinux-policy to fix the CRL retrieval:
https://fedorahosted.org/freeipa/ticket/4369
- Remove conditionals for Fedora < 20 as FreeIPA 4.0 is not planned
   to be released on these platforms.



[...]

-%if 0%{?fedora} == 18
  Requires: nss >= 3.14.3-2
  Requires: nss-tools >= 3.14.3-2
-%else
-Requires: nss >= 3.14.3-12.0
-Requires: nss-tools >= 3.14.3-12.0
-%endif


NACK, you left the "== 18" block in.

Attaching fix, I can push if you agree.


Sure, agreed.

Martin


Pushed to master: 5434851efd394c27ab6445a4b7544767452e20a5

--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 478 Prepare spec for 4.0 release

2014-07-04 Thread Martin Kosek

On 07/04/2014 06:39 PM, Petr Viktorin wrote:

On 07/04/2014 04:43 PM, Martin Kosek wrote:

- Bump 389-ds-base requires to fix the deref call with new ACIs:
https://fedorahosted.org/freeipa/ticket/4389
- Bump bind-dyndb-ldap Conflicts to fetch the DNSSEC capability
- Bump selinux-policy to fix the CRL retrieval:
https://fedorahosted.org/freeipa/ticket/4369
- Remove conditionals for Fedora < 20 as FreeIPA 4.0 is not planned
   to be released on these platforms.



[...]

-%if 0%{?fedora} == 18
  Requires: nss >= 3.14.3-2
  Requires: nss-tools >= 3.14.3-2
-%else
-Requires: nss >= 3.14.3-12.0
-Requires: nss-tools >= 3.14.3-12.0
-%endif


NACK, you left the "== 18" block in.

Attaching fix, I can push if you agree.


Sure, agreed.

Martin



Re: [Freeipa-devel] [PATCH 0098-0100] DNS tests

2014-07-04 Thread Petr Viktorin

On 07/04/2014 04:34 PM, Martin Basti wrote:

Just tests to avoid regressions in future.

Patches attached


ACK, pushed to master: 80cb95da36215a4d0132d943536a3c6f399c18a7



--
Petr³



Re: [Freeipa-devel] [PATCH] 478 Prepare spec for 4.0 release

2014-07-04 Thread Petr Viktorin

On 07/04/2014 04:43 PM, Martin Kosek wrote:

- Bump 389-ds-base requires to fix the deref call with new ACIs:
https://fedorahosted.org/freeipa/ticket/4389
- Bump bind-dyndb-ldap Conflicts to fetch the DNSSEC capability
- Bump selinux-policy to fix the CRL retrieval:
https://fedorahosted.org/freeipa/ticket/4369
- Remove conditionals for Fedora < 20 as FreeIPA 4.0 is not planned
   to be released on these platforms.



[...]

-%if 0%{?fedora} == 18
  Requires: nss >= 3.14.3-2
  Requires: nss-tools >= 3.14.3-2
-%else
-Requires: nss >= 3.14.3-12.0
-Requires: nss-tools >= 3.14.3-12.0
-%endif


NACK, you left the "== 18" block in.

Attaching fix, I can push if you agree.


--
Petr³

From 7bdaebe2bb7a7460fa965a3cc6d07a57b72d7827 Mon Sep 17 00:00:00 2001
From: Martin Kosek 
Date: Fri, 4 Jul 2014 16:35:17 +0200
Subject: [PATCH] Prepare spec for 4.0 release

- Bump 389-ds-base requires to fix the deref call with new ACIs:
  https://fedorahosted.org/freeipa/ticket/4389
- Bump bind-dyndb-ldap Conflicts to fetch the DNSSEC capability
- Bump selinux-policy to fix the CRL retrieval:
  https://fedorahosted.org/freeipa/ticket/4369
- Remove conditionals for Fedora < 20 as FreeIPA 4.0 is not planned
  to be released on these platforms.
---
 freeipa.spec.in | 52 
 1 file changed, 4 insertions(+), 48 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 774cd8fd18d3e6574164718a101124ec38990e8b..9af0178b93fa477d51a2d3e8c60f52cd5a39d798 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -4,10 +4,7 @@
 %global plugin_dir %{_libdir}/dirsrv/plugins
 %global POLICYCOREUTILSVER 2.1.12-5
 %global gettext_domain ipa
-
-%if (0%{?fedora} > 15 || 0%{?rhel} >= 7)
 %define _hardened_build 1
-%endif
 
 Name:   freeipa
 Version:__VERSION__
@@ -25,14 +22,9 @@ BuildRequires:  389-ds-base-devel >= 1.3.2.16
 BuildRequires:  svrcore-devel
 BuildRequires:  policycoreutils >= %{POLICYCOREUTILSVER}
 BuildRequires:  systemd-units
-%if 0%{?fedora} >= 18
 BuildRequires:  samba-devel >= 2:4.0.5-1
 BuildRequires:  samba-python
 BuildRequires:  libwbclient-devel
-%else
-BuildRequires:  samba4-devel >= 4.0.0-139
-BuildRequires:  samba4-python
-%endif
 BuildRequires:  libtalloc-devel
 BuildRequires:  libtevent-devel
 %endif # ONLY_CLIENT
@@ -81,11 +73,6 @@ BuildRequires:  libunistring-devel
 BuildRequires:  python-lesscpy
 BuildRequires:  python-yubico
 
-# Find out Kerberos middle version to infer ABI changes in DAL driver
-# We cannot load DAL driver into KDC with wrong ABI.
-# This is also needed to support ipa-devel repository where krb5 1.11 is available for F18
-%global krb5_dal_version %{expand:%(echo "#include "|cpp -dM|grep KRB5_KDB_DAL_MAJOR_VERSION|cut -d' ' -f3)}
-
 %description
 IPA is an integrated solution to provide centrally managed Identity (machine,
 user, virtual machines, groups, authentication credentials), Policy
@@ -99,36 +86,17 @@ Group: System Environment/Base
 Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.2.16
+Requires: 389-ds-base >= 1.3.2.19
 Requires: openldap-clients > 2.4.35-4
-%if 0%{?fedora} == 18
-Requires: nss >= 3.14.3-2
-Requires: nss-tools >= 3.14.3-2
-%else
 Requires: nss >= 3.14.3-12.0
 Requires: nss-tools >= 3.14.3-12.0
-%endif
-%if 0%{?krb5_dal_version} >= 4
 Requires: krb5-server >= 1.11.5-3
-%else
-%if 0%{krb5_dal_version} == 3
-# krb5 1.11 bumped DAL interface major version, a rebuild is needed
-Requires: krb5-server < 1.11
-Requires: krb5-server >= 1.10
-%else
-Requires: krb5-server >= 1.10
-%endif
-%endif
 Requires: krb5-pkinit-openssl
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
 Requires: httpd >= 2.4.6-6
 Requires: mod_wsgi
-%if 0%{?fedora} >= 18
 Requires: mod_auth_kerb >= 5.4-16
-%else
-Requires: mod_auth_kerb >= 5.4-8
-%endif
 Requires: mod_nss >= 1.0.8-26
 Requires: python-ldap
 Requires: python-krbV
@@ -140,7 +108,7 @@ Requires: dbus-python
 Requires: systemd-units >= 38
 Requires(pre): systemd-units
 Requires(post): systemd-units
-Requires: selinux-policy >= 3.12.1-135
+Requires: selinux-policy >= 3.12.1-176
 Requires(post): selinux-policy-base
 Requires: slapi-nis >= 0.47.7
 Requires: pki-ca >= 10.1.1
@@ -155,7 +123,7 @@ Requires: zip
 Requires: policycoreutils >= %{POLICYCOREUTILSVER}
 Requires: tar
 Requires(pre): certmonger >= 0.65
-Requires(pre): 389-ds-base >= 1.3.2.11
+Requires(pre): 389-ds-base >= 1.3.2.19
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
 
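Review bot: `Requires(pre): 389-ds-base >= 1.3.2.19` now matches the runtime `Requires: 389-ds-base >= 1.3.2.19` from the -99 hunk, but `BuildRequires: 389-ds-base-devel >= 1.3.2.16` (visible in the -25 hunk header) stays at the older version; that is fine if the deref fix for ticket 4389 is runtime-only, otherwise bump all three in the same patch so the build-time and install-time floors stay in step.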
@@ -166,11 +134,7 @@ Obsoletes: freeipa-server-selinux < 3.3.0
 # We have a soft-requires on bind. It is an optional part of
 # IPA but if it is configured we need a way to require versions
 # that work for us.
-%if 0%{?fedora} >= 18
-Conflicts: bind-dyndb-ldap < 3.5
-%else
-Conflicts: bind-dyndb-ldap < 1.1.0-0.12.rc1
-%endif
+Conflicts: bind-dyndb-ldap < 5.0
 Conflicts: bind < 9.8.2-0.4.rc2
 
 # Versions of n

Re: [Freeipa-devel] git branching after 4.0

2014-07-04 Thread Petr Viktorin
I'm afraid this mail is not very clear for people who didn't participate 
in discussions behind these plans.


The planning of future work is of course Red Hat specific -- we can't 
dictate how others spend their time. Read our plans as "here's roughly 
what we want to do, does it fit in with your plans?"


Let me provide a few links and clarifications so everyone can follow 
along or join in!



On 07/04/2014 05:26 PM, Martin Kosek wrote:

When 4.0 releases, there will be several development trains that we will
need to manage in our git:

1) FreeIPA 4.0 bugfixing - tickets in 4.0.1 milestone, will go to
ipa-4-0 branch


Milestones are here: https://fedorahosted.org/freeipa/report/3


2) FreeIPA 4.1 "small" development - 4.1 will be just a short release
for the summer focused on Views, full support of DNSSEC, OTP local high
watermark, Backup and Restore and other small features (and possibly
also CA management tool).

3) FreeIPA 4.2 big development - this is a longer, more in the future
(read Fedora 22 time frame) development with major features going in -
Vault, User provisioning, publishing CA certs to clients and many other
things still being scoped. It will include for example big updates to
installers which should not go to more stable 4.1/4.0.x releases.

How to handle that in git repo? Given that we do not do merge commits, I
think the easiest way would be to:

- When 4.0 releases, create ipa-4-0 and ipa-4-1 branches. This will
leave us with master, ipa-4-1, ipa-4-0 active branches
- 4.2 team will commit their work to master only
- 4.1 team will commit their work to master, ipa-4-1
- 4.0.x bugfixing team will commit their work to master, ipa-4-1 and
ipa-4-0


+1
We just need to make sure the work won't overlap too much.


This may sound complicated, but with Petr's ipatool pushing to multiple
branches should be easy. Our CI should guard at least ipa-4-0 and
ipa-4-1 branches for the summer (instead of ipa-3-3 and master) to
report failures early.


My ipatool is available here: https://github.com/encukou/ipa-tools/ -- 
it's automation for some of the processes described at and around 
http://www.freeipa.org/page/Contribute


"Our CI" here means a Jenkins instance in Red Hat's internal lab. We're 
sorry it's not visible yet -- too much other work to do :(
The configuration is available, though 
(https://github.com/encukou/freeipa-ci), and I'd be happy to help if 
you'd like to set up a CI machine.



If there is a better idea, please propose it. But this plan seemed to me
as the most straightforward.


--
Petr³



Re: [Freeipa-devel] Ready to release?

2014-07-04 Thread Petr Spacek

On 4.7.2014 17:20, Petr Viktorin wrote:

On 07/04/2014 04:57 PM, Martin Kosek wrote:

Hello developers!

I would like to thank everyone for the hard work during the last weeks,
when finishing the FreeIPA 4.0 release, I saw many last stabilization
fixes in DNS, OTP, ACIs, upgrade and Web UI areas.

The last major work that is still not pushed is the CA management tool.
Unfortunately, the final development and review did not go so well and
we still do not have final patches.

Given that this is a major piece of work (>50 patches) and given that
the reviewer is on a leave, I am considering moving the feature to next
release - FreeIPA 4.1 which is short and would still make it to Fedora
21. I would not like to stall 4.0 any more, I would like to offer all
the work we have done for wider testing as soon as possible.

Thoughts? Any other last patches you would like to add to 4.0 GA?
There is still little time, but remember, git tag hammer is ready to fire.


I'm testing these two:
- mbasti-0098-100, DNS tests
- mkosek-478, Spec bump

Then there's pvoborni-695 with only a functional ACK

The CA management is still up for discussion, but it's more and more likely


We have deferred 'full' DNSSEC support already so it is not unprecedented.

I have one proposal (valid only if we decide to defer CA management):

Maybe we could release 4.1 in a few weeks when DNSSEC and CA management are done 
& properly reviewed.


That would allow us to follow 'release early, release often' lore. In my 
opinion, smaller release = safer.


Of course, it would mean shifting current version numbers from 4.x to 4.(x+1), 
sorry Martin! :-)


--
Petr^2 Spacek



[Freeipa-devel] git branching after 4.0

2014-07-04 Thread Martin Kosek
When 4.0 releases, there will be several development trains that we will need 
to manage in our git:


1) FreeIPA 4.0 bugfixing - tickets in 4.0.1 milestone, will go to ipa-4-0 branch

2) FreeIPA 4.1 "small" development - 4.1 will be just a short release for the 
summer focused on Views, full support of DNSSEC, OTP local high watermark, 
Backup and Restore and other small features (and possibly also CA management tool).


3) FreeIPA 4.2 big development - this is a longer, more in the future (read 
Fedora 22 time frame) development with major features going in - Vault, User 
provisioning, publishing CA certs to clients and many other things still being 
scoped. It will include for example big updates to installers which should not 
go to more stable 4.1/4.0.x releases.



How to handle that in git repo? Given that we do not do merge commits, I think 
the easiest way would be to:


- When 4.0 releases, create ipa-4-0 and ipa-4-1 branches. This will leave us 
with master, ipa-4-1, ipa-4-0 active branches

- 4.2 team will commit their work to master only
- 4.1 team will commit their work to master, ipa-4-1
- 4.0.x bugfixing team will commit their work to master, ipa-4-1 and ipa-4-0

This may sound complicated, but with Petr's ipatool pushing to multiple 
branches should be easy. Our CI should guard at least ipa-4-0 and ipa-4-1 
branches for the summer (instead of ipa-3-3 and master) to report failures early.


If there is a better idea, please propose it. But this plan seemed to me as the 
most straightforward.


--
Martin Kosek 
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.
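The three-train commit rule above (4.2 work on master only, 4.1 work on master and ipa-4-1, 4.0.x fixes on all three), as an added example that is not part of the thread and is not ipatool's own code: a throwaway repository with master, ipa-4-1 and ipa-4-0 is built, one commit per train is made on master and replayed with `git cherry-pick -x` onto the branches that train owns, and the last function counts where each change landed. The repository contents, file names and commit subjects are constructed for the demo; `git` must be on PATH.

```shell
#!/bin/sh
# Added example (constructed demo repo; not from the freeipa-devel thread or ipatool):
# one fix lands on master, ipa-4-1 and ipa-4-0 as separate commits, no merge commits.
set -e

# Create a throwaway repository whose three active branches (master, ipa-4-1,
# ipa-4-0) all start at a "Release 4.0" commit. Prints the repository path.
make_demo_repo() {
    repo="$(mktemp -d)"
    git -C "$repo" init -q
    git -C "$repo" symbolic-ref HEAD refs/heads/master
    git -C "$repo" config user.email "demo@example.invalid"
    git -C "$repo" config user.name "demo"
    echo "4.0" > "$repo/VERSION"
    git -C "$repo" add VERSION
    git -C "$repo" commit -q -m "Release 4.0"
    git -C "$repo" branch ipa-4-0
    git -C "$repo" branch ipa-4-1
    echo "$repo"
}

# Commit a one-file change on master and print the new commit id.
commit_on_master() {
    repo="$1"; file="$2"; subject="$3"
    git -C "$repo" checkout -q master
    echo "$subject" > "$repo/$file"
    git -C "$repo" add "$file"
    git -C "$repo" commit -q -m "$subject"
    git -C "$repo" rev-parse HEAD
}

# Replay commit $2 onto every branch listed after it. Each branch gets its own
# copy of the change (no merge commit); -x records the source commit id in the
# replayed commit's message so the backport stays traceable.
replay_commit() {
    repo="$1"; commit="$2"; shift 2
    for br in "$@"; do
        git -C "$repo" checkout -q "$br"
        git -C "$repo" cherry-pick -x "$commit" >/dev/null
    done
    git -C "$repo" checkout -q master
}

# Count the active branches whose history contains a commit with this subject.
branches_with_subject() {
    repo="$1"; subject="$2"; n=0
    for br in master ipa-4-1 ipa-4-0; do
        if git -C "$repo" log --format=%s "$br" | grep -qxF -- "$subject"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Walk the three trains from the plan and print how many branches each landed on.
demo_branch_plan() {
    repo="$(make_demo_repo)"
    fix="$(commit_on_master "$repo" fix.txt "Fix: 4.0.x bugfix")"
    replay_commit "$repo" "$fix" ipa-4-1 ipa-4-0        # 4.0.x team: all three branches
    feat="$(commit_on_master "$repo" views.txt "Views: 4.1 feature")"
    replay_commit "$repo" "$feat" ipa-4-1               # 4.1 team: master and ipa-4-1
    commit_on_master "$repo" vault.txt "Vault: 4.2 feature" >/dev/null   # 4.2 team: master only
    a="$(branches_with_subject "$repo" "Fix: 4.0.x bugfix")"
    b="$(branches_with_subject "$repo" "Views: 4.1 feature")"
    c="$(branches_with_subject "$repo" "Vault: 4.2 feature")"
    rm -rf "$repo"
    echo "$a $b $c"   # prints "3 2 1"
}

demo_branch_plan
```

Running the script prints `3 2 1`: the 4.0.x fix is on all three branches, the 4.1 feature on two, the 4.2 feature on master only. Cherry-picking with `-x` is what keeps the history auditable under this scheme: a reader of ipa-4-0 can follow the recorded id back to the master commit and confirm both branches carry the same fix, which a merge-free workflow otherwise makes hard to check.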



Re: [Freeipa-devel] Release platforms for 4.0

2014-07-04 Thread Jakub Hrozek
On Fri, Jul 04, 2014 at 05:13:35PM +0200, Martin Kosek wrote:
> Given that Fedora 20 is now in stable phase and FreeIPA 4.0 adds a lot of
> functionality, we agreed that we will not publish FreeIPA 4.0 in stable
> Fedora 20 updates now.
> 
> When releasing 4.0, we need to:
> 1) Prepare a COPR build for Fedora 20 with all dependencies that are not in
> Fedora 20 yet. AFAIK, it should be just FreeIPA as new bind-dyndb-ldap and
> 389-ds-base are in updates-testing.

Note: I assume we'll want to include SSSD 1.12 in this repo as well. We
need to remember to add the latest ding-libs release, too, as stock F-20
ding-libs don't provide all the functionality the latest SSSD requires.



Re: [Freeipa-devel] Ready to release?

2014-07-04 Thread Petr Viktorin

On 07/04/2014 04:57 PM, Martin Kosek wrote:

Hello developers!

I would like to thank everyone for the hard work during the last weeks,
when finishing the FreeIPA 4.0 release, I saw many last stabilization
fixes in DNS, OTP, ACIs, upgrade and Web UI areas.

The last major work that is still not pushed is the CA management tool.
Unfortunately, the final development and review did not go so well and
we still do not have final patches.

Given that this is a major piece of work (>50 patches) and given that
the reviewer is on a leave, I am considering moving the feature to next
release - FreeIPA 4.1 which is short and would still make it to Fedora
21. I would not like to stall 4.0 any more, I would like to offer all
the work we have done for wider testing as soon as possible.

Thoughts? Any other last patches you would like to add to 4.0 GA?
There is still little time, but remember, git tag hammer is ready to fire.


I'm testing these two:
- mbasti-0098-100, DNS tests
- mkosek-478, Spec bump

Then there's pvoborni-695 with only a functional ACK

The CA management is still up for discussion, but it's more and more 
likely that it'll slip. If you have an opinion, let it be heard.


Finally, I'd like to update translations one more time, since we made 
quite a large change very late.



That should be it. If you'd like to include a patch that you don't see 
here, shout now.


--
Petr³



[Freeipa-devel] Release platforms for 4.0

2014-07-04 Thread Martin Kosek
Given that Fedora 20 is now in stable phase and FreeIPA 4.0 adds a lot of 
functionality, we agreed that we will not publish FreeIPA 4.0 in stable Fedora 
20 updates now.


When releasing 4.0, we need to:
1) Prepare a COPR build for Fedora 20 with all dependencies that are not in 
Fedora 20 yet. AFAIK, it should be just FreeIPA as new bind-dyndb-ldap and 
389-ds-base are in updates-testing.


2) Prepare Fedora 21 build. It may not be so simple, there may be issues with 
other software or dependencies - we may need to patch FreeIPA or file bugs 
right away.


Petr3, as you plan to do the release, please drive these 2 efforts.

--
Martin Kosek 
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.



[Freeipa-devel] Ready to release?

2014-07-04 Thread Martin Kosek

Hello developers!

I would like to thank everyone for the hard work during the last weeks, when 
finishing the FreeIPA 4.0 release, I saw many last stabilization fixes in DNS, 
OTP, ACIs, upgrade and Web UI areas.


The last major work that is still not pushed is the CA management tool. 
Unfortunately, the final development and review did not go so well and we still 
do not have final patches.


Given that this is a major piece of work (>50 patches) and given that the 
reviewer is on a leave, I am considering moving the feature to next release - 
FreeIPA 4.1 which is short and would still make it to Fedora 21. I would not 
like to stall 4.0 any more, I would like to offer all the work we have done for 
wider testing as soon as possible.


Thoughts? Any other last patches you would like to add to 4.0 GA? There 
is still little time, but remember, git tag hammer is ready to fire.


Thanks.

--
Martin Kosek 
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.



[Freeipa-devel] [PATCH] 478 Prepare spec for 4.0 release

2014-07-04 Thread Martin Kosek

- Bump 389-ds-base requires to fix the deref call with new ACIs:
  https://fedorahosted.org/freeipa/ticket/4389
- Bump bind-dyndb-ldap Conflicts to fetch the DNSSEC capability
- Bump selinux-policy to fix the CRL retrieval:
  https://fedorahosted.org/freeipa/ticket/4369
- Remove conditionals for Fedora < 20 as FreeIPA 4.0 is not planned
  to be released on these platforms.

--
Martin Kosek 
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.
From 7bdaebe2bb7a7460fa965a3cc6d07a57b72d7827 Mon Sep 17 00:00:00 2001
From: Martin Kosek 
Date: Fri, 4 Jul 2014 16:35:17 +0200
Subject: [PATCH] Prepare spec for 4.0 release

- Bump 389-ds-base requires to fix the deref call with new ACIs:
  https://fedorahosted.org/freeipa/ticket/4389
- Bump bind-dyndb-ldap Conflicts to fetch the DNSSEC capability
- Bump selinux-policy to fix the CRL retrieval:
  https://fedorahosted.org/freeipa/ticket/4369
- Remove conditionals for Fedora < 20 as FreeIPA 4.0 is not planned
  to be released on these platforms.
---
 freeipa.spec.in | 52 
 1 file changed, 4 insertions(+), 48 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 774cd8fd18d3e6574164718a101124ec38990e8b..9af0178b93fa477d51a2d3e8c60f52cd5a39d798 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -4,10 +4,7 @@
 %global plugin_dir %{_libdir}/dirsrv/plugins
 %global POLICYCOREUTILSVER 2.1.12-5
 %global gettext_domain ipa
-
-%if (0%{?fedora} > 15 || 0%{?rhel} >= 7)
 %define _hardened_build 1
-%endif
 
 Name:   freeipa
 Version:__VERSION__
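Review bot: the guard removed here, `%if (0%{?fedora} > 15 || 0%{?rhel} >= 7)`, also excluded RHEL < 7 from `%define _hardened_build 1`, so this hunk does more than the commit message's "Remove conditionals for Fedora < 20" says; making the hardened build unconditional is the safe direction (every build gets the PIE and RELRO flags), but the message should state that the RHEL branch is dropped as well.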
@@ -25,14 +22,9 @@ BuildRequires:  389-ds-base-devel >= 1.3.2.16
 BuildRequires:  svrcore-devel
 BuildRequires:  policycoreutils >= %{POLICYCOREUTILSVER}
 BuildRequires:  systemd-units
-%if 0%{?fedora} >= 18
 BuildRequires:  samba-devel >= 2:4.0.5-1
 BuildRequires:  samba-python
 BuildRequires:  libwbclient-devel
-%else
-BuildRequires:  samba4-devel >= 4.0.0-139
-BuildRequires:  samba4-python
-%endif
 BuildRequires:  libtalloc-devel
 BuildRequires:  libtevent-devel
 %endif # ONLY_CLIENT
@@ -81,11 +73,6 @@ BuildRequires:  libunistring-devel
 BuildRequires:  python-lesscpy
 BuildRequires:  python-yubico
 
-# Find out Kerberos middle version to infer ABI changes in DAL driver
-# We cannot load DAL driver into KDC with wrong ABI.
-# This is also needed to support ipa-devel repository where krb5 1.11 is available for F18
-%global krb5_dal_version %{expand:%(echo "#include "|cpp -dM|grep KRB5_KDB_DAL_MAJOR_VERSION|cut -d' ' -f3)}
-
 %description
 IPA is an integrated solution to provide centrally managed Identity (machine,
 user, virtual machines, groups, authentication credentials), Policy
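Review bot: deleting the `%global krb5_dal_version` probe is only complete if every `%if` that reads it goes too; the -99 hunk below removes the `0%{?krb5_dal_version} >= 4` ladder, but any other reference left in the spec would now test an undefined macro, so grep the whole file for `krb5_dal_version` before pushing.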
@@ -99,36 +86,17 @@ Group: System Environment/Base
 Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.2.16
+Requires: 389-ds-base >= 1.3.2.19
 Requires: openldap-clients > 2.4.35-4
-%if 0%{?fedora} == 18
 Requires: nss >= 3.14.3-2
 Requires: nss-tools >= 3.14.3-2
-%else
-Requires: nss >= 3.14.3-12.0
-Requires: nss-tools >= 3.14.3-12.0
-%endif
-%if 0%{?krb5_dal_version} >= 4
 Requires: krb5-server >= 1.11.5-3
-%else
-%if 0%{krb5_dal_version} == 3
-# krb5 1.11 bumped DAL interface major version, a rebuild is needed
-Requires: krb5-server < 1.11
-Requires: krb5-server >= 1.10
-%else
-Requires: krb5-server >= 1.10
-%endif
-%endif
 Requires: krb5-pkinit-openssl
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
 Requires: httpd >= 2.4.6-6
 Requires: mod_wsgi
-%if 0%{?fedora} >= 18
 Requires: mod_auth_kerb >= 5.4-16
-%else
-Requires: mod_auth_kerb >= 5.4-8
-%endif
 Requires: mod_nss >= 1.0.8-26
 Requires: python-ldap
 Requires: python-krbV
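Review bot: the wrong branch of the `%if 0%{?fedora} == 18` block survives: the lines kept are `Requires: nss >= 3.14.3-2` and `Requires: nss-tools >= 3.14.3-2`, which were the Fedora 18-only floors, while the `%else` lines `Requires: nss >= 3.14.3-12.0` and `Requires: nss-tools >= 3.14.3-12.0` that applied to every newer Fedora are deleted. With Fedora < 20 dropped, the 3.14.3-12.0 lines are the ones to keep; as written the package would accept an nss older than what the spec already demanded on Fedora 19 and later. The `krb5-server` and `mod_auth_kerb` blocks in the same hunk keep the newer branch correctly.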
@@ -140,7 +108,7 @@ Requires: dbus-python
 Requires: systemd-units >= 38
 Requires(pre): systemd-units
 Requires(post): systemd-units
-Requires: selinux-policy >= 3.12.1-135
+Requires: selinux-policy >= 3.12.1-176
 Requires(post): selinux-policy-base
 Requires: slapi-nis >= 0.47.7
 Requires: pki-ca >= 10.1.1
@@ -155,7 +123,7 @@ Requires: zip
 Requires: policycoreutils >= %{POLICYCOREUTILSVER}
 Requires: tar
 Requires(pre): certmonger >= 0.65
-Requires(pre): 389-ds-base >= 1.3.2.11
+Requires(pre): 389-ds-base >= 1.3.2.19
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
 
@@ -166,11 +134,7 @@ Obsoletes: freeipa-server-selinux < 3.3.0
 # We have a soft-requires on bind. It is an optional part of
 # IPA but if it is configured we need a way to require versions
 # that work for us.
-%if 0%{?fedora} >= 18
-Conflicts: bind-dyndb-ldap < 3.5
-%else
-Conflicts: bind-dyndb-ldap < 1.1.0-0.12.rc1
-%endif
+Conflicts: bind-dyndb-ldap < 5.0
 Conflicts: bind < 9.8.2-0.4.rc2
 
 # Versions of nss-pam-ldapd < 0.8.4 require a mapping from uniqueMember to
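Review bot: `Conflicts: bind-dyndb-ldap < 5.0` is a jump from `< 3.5`, and the only context is the generic comment above about bind being a soft requirement; since the commit message gives the reason (the DNSSEC capability), put that reason in a comment next to the version so the next bump can be checked against a feature rather than a bare number.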
@@ -193,19 +157,11 @@ Summary: Virtual package to install packages required for Active Directory trust
 Group: System Environment/Base
 Requires: %{name}-serve

[Freeipa-devel] [PATCH 0098-0100] DNS tests

2014-07-04 Thread Martin Basti
Just tests to avoid regressions in future.

Patches attached
-- 
Martin^2 Basti
From 37a054a8afad4be000dddc090e200d3793cb7947 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Fri, 4 Jul 2014 14:11:58 +0200
Subject: [PATCH 1/3] Test DNS: test zone normalization

---
 ipatests/test_xmlrpc/test_dns_plugin.py | 48 -
 1 file changed, 47 insertions(+), 1 deletion(-)

diff --git a/ipatests/test_xmlrpc/test_dns_plugin.py b/ipatests/test_xmlrpc/test_dns_plugin.py
index 1f22e24..7b3a014 100644
--- a/ipatests/test_xmlrpc/test_dns_plugin.py
+++ b/ipatests/test_xmlrpc/test_dns_plugin.py
@@ -73,6 +73,15 @@ zone3_ns2_arec = u'ns2'
 zone3_ns2_arec_dnsname = DNSName(zone3_ns2_arec)
 zone3_ns2_arec_dn = DN(('idnsname',zone3_ns2_arec), zone3_dn)
 
+zone4_upper = u'ZONE4.test'
+zone4 = u'zone4.test.'
+zone4_dnsname = DNSName(zone4)
+zone4_dn = DN(('idnsname', zone4), api.env.container_dns, api.env.basedn)
+zone4_ns = u'ns1.%s' % zone4
+zone4_ns_dnsname = DNSName(zone4_ns)
+zone4_rname = u'root.%s' % zone4
+zone4_rname_dnsname = DNSName(zone4_rname)
+
 revzone1 = u'31.16.172.in-addr.arpa.'
 revzone1_dnsname = DNSName(revzone1)
 revzone1_ip = u'172.16.31.0'
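Review bot: `zone4_upper = u'ZONE4.test'` has no trailing dot while `zone4 = u'zone4.test.'` does, so this fixture exercises lower-casing and absolute-name normalization in a single input; say so in the test's `desc` (the -406 hunk calls it only an "upper case name"), or add a second input that is mixed-case with the trailing dot, so a regression in either normalization step is attributable to one case.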
@@ -259,7 +268,7 @@ class test_dns(Declarative):
 pass
 
 cleanup_commands = [
-('dnszone_del', [zone1, zone2, zone3, revzone1, revzone2,
+('dnszone_del', [zone1, zone2, zone3, zone4, revzone1, revzone2,
  revzone3_classless1, revzone3_classless2,
  idnzone1, revidnzone1, zone_findtest_master],
 {'continue': True}),
@@ -406,6 +415,43 @@ class test_dns(Declarative):
 
 
 dict(
+desc='Create a zone with upper case name with --force',
+command=(
+'dnszone_add', [zone4_upper], {
+'idnssoamname': zone4_ns,
+'idnssoarname': zone4_rname,
+'force'   : True,
+}
+),
+expected={
+'value': zone4_dnsname,
+'summary': None,
+'result': {
+'dn': zone4_dn,
+'idnsname': [zone4_dnsname],
+'idnszoneactive': [u'TRUE'],
+'idnssoamname': [zone4_ns_dnsname],
+'nsrecord': [zone4_ns],
+'idnssoarname': [zone4_rname_dnsname],
+'idnssoaserial': [fuzzy_digits],
+'idnssoarefresh': [fuzzy_digits],
+'idnssoaretry': [fuzzy_digits],
+'idnssoaexpire': [fuzzy_digits],
+'idnssoaminimum': [fuzzy_digits],
+'idnsallowdynupdate': [u'FALSE'],
+'idnsupdatepolicy': [u'grant %(realm)s krb5-self * A; '
+ u'grant %(realm)s krb5-self * ; '
+ u'grant %(realm)s krb5-self * SSHFP;'
+ % dict(realm=api.env.realm)],
+'idnsallowtransfer': [u'none;'],
+'idnsallowquery': [u'any;'],
+'objectclass': objectclasses.dnszone,
+},
+},
+),
+
+
+dict(
 desc='Retrieve zone %r' % zone1,
 command=('dnszone_show', [zone1], {}),
 expected={
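Review bot: in the expected `idnsupdatepolicy` string the second rule reads `grant %(realm)s krb5-self * ;` with no record type between `*` and `;`, unlike the `A` and `SSHFP` rules beside it; if `dnszone_add` really emits that, the test is pinning a malformed update-policy grant, and if it does not, the expectation is wrong. Either way it needs a look before push.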
-- 
1.8.3.1

From 462c0ea18f220ee4b27bc1b1d578aedeadb7d02e Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Fri, 4 Jul 2014 16:28:17 +0200
Subject: [PATCH 2/3] Test DNS: TLSA record

---
 ipatests/test_xmlrpc/test_dns_plugin.py | 66 +
 1 file changed, 66 insertions(+)

diff --git a/ipatests/test_xmlrpc/test_dns_plugin.py b/ipatests/test_xmlrpc/test_dns_plugin.py
index 7b3a014..abc8449 100644
--- a/ipatests/test_xmlrpc/test_dns_plugin.py
+++ b/ipatests/test_xmlrpc/test_dns_plugin.py
@@ -139,6 +139,15 @@ dlv_dn = DN(('idnsname', dlv), zone1_dn)
 
 dlvrec = u'60485 5 1 2BB183AF5F22588179A53B0A98631FAD1A292118'
 
+tlsa = u'tlsa'
+tlsa_dnsname = DNSName(tlsa)
+tlsa_dn = DN(('idnsname', tlsa), zone1_dn)
+
+tlsarec_err1 = u'300 0 1 d2abde240d7cd3ee6b4b28c54df034b97983a1d16e8a410e4561cb106618e971'
+tlsarec_err2 = u'0 300 1 d2abde240d7cd3ee6b4b28c54df034b97983a1d16e8a410e4561cb106618e971'
+tlsarec_err3 = u'0 0 300 d2abde240d7cd3ee6b4b28c54df034b97983a1d16e8a410e4561cb106618e971'
+tlsarec_ok = u'0 0 1 d2abde240d7cd3ee6b4b28c54df034b97983a1d16e8a410e4561cb106618e971'
+
 wildcard_rec1 = u'*.test'
 wildcard_rec1_dnsname = DNSName(wildcard_rec1)
 wildcard_rec1_dn = DN(('idnsname',wildcard_rec1), zone1_dn)
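Review bot: the three negative vectors each push one 8-bit field (certificate usage, selector, matching type) to 300, which covers the out-of-range case, but none covers a certificate association data value of the wrong length for the chosen matching type (`tlsarec_ok` pairs matching type 1 with a 64-hex-digit value), so a validator that only range-checks the integers would still pass. Consider one vector with a truncated digest.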
@@ -1278,6 +1287,63 @@ class test_dns(Declarative):
 
 
 dict(
+desc='Try to add invalid TLSA record to %r using dnsrecord_add (1)' % (tlsa),
+command=('dnsrecord_add', [zone1, tlsa], {'tlsarecord': tlsarec_err1}),
+expected=errors.ValidationError(
+name="cert_usage",
+error=u'c

Re: [Freeipa-devel] [PATCH] 694 webui: new navigation structure

2014-07-04 Thread Petr Vobornik

On 4.7.2014 16:10, Petr Spacek wrote:

On 4.7.2014 16:07, Martin Kosek wrote:

On 07/03/2014 03:06 PM, Petr Vobornik wrote:

On 3.7.2014 08:13, Fraser Tweedale wrote:

On Wed, Jul 02, 2014 at 04:14:13PM +0200, Petr Vobornik wrote:

https://fedorahosted.org/freeipa/ticket/4418

according to latest
proposal: http://www.redhat.com/archives/freeipa-devel/2014-June/msg00839.html

--
Petr Vobornik


Haven't run the webui tests but lines up with the proposal and looks
very nice!

ACK if webui tests pass.


I've run the complete test suite and discovered that I forgot to
modify 2 other
tests. Also there was an existing fail in test_navigation in DNS-less
installation.

All fixed, updated patch attached.


I checked the menu, it looks OK. Now even the DNS page is fixed. So
similarly
to Fraser - ACK if Web UI tests pass (I cannot run them ATM).


It works for me too, triple-ACK! :-)



Tests pass for me.

Pushed to master: 0b0e77cf99b38cfd958a82caad715511c91f9ee3
--
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 695 webui: display messages contained in API responses

2014-07-04 Thread Petr Spacek

On 4.7.2014 16:14, Martin Basti wrote:

On Fri, 2014-07-04 at 16:12 +0200, Petr Spacek wrote:

On 3.7.2014 15:30, Petr Vobornik wrote:

API responses can contain warnings in "messages" array. This patch
also adds support for displaying multiple notifications at the same
time in order to show the message and a status of finished operation.

Notes:
- was implemented because of
https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=33cf958b98dc2d80d17b3de1c145d403df4a3ba3
--> test by modifying Master DNS Zone which has a Zone forwarder set.
- I'd like to move the notification code to separate module in a future and
then extend it according to PatternFly pattern which is currently under
development (should contain history, ...).


ACK from functional perspective. It properly displays warnings about DNS zones
and DNSSEC.

It can be pushed if there is no problem in the code, I can't really check that.



Was there any problem with hardcoded '/n' in warning message text?


It works for me - the text is wrapped, I don't see any glitch.

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH] 695 webui: display messages contained in API responses

2014-07-04 Thread Martin Basti
On Fri, 2014-07-04 at 16:12 +0200, Petr Spacek wrote:
> On 3.7.2014 15:30, Petr Vobornik wrote:
> > API responses can contain warnings in "messages" array. This patch
> > also adds support for displaying multiple notifications at the same
> > time in order to show the message and a status of finished operation.
> >
> > Notes:
> > - was implemented because of
> > https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=33cf958b98dc2d80d17b3de1c145d403df4a3ba3
> > --> test by modifying Master DNS Zone which has a Zone forwarder set.
> > - I'd like to move the notification code to separate module in a future and
> > then extend it according to PatternFly pattern which is currently under
> > development (should contain history, ...).
> 
> ACK from functional perspective. It properly displays warnings about DNS 
> zones 
> and DNSSEC.
> 
> It can be pushed if there is no problem in the code, I can't really check 
> that.
> 

Was there any problem with hardcoded '/n' in warning message text?
-- 
Martin^2 Basti



Re: [Freeipa-devel] [PATCH] 695 webui: display messages contained in API responses

2014-07-04 Thread Petr Spacek

On 3.7.2014 15:30, Petr Vobornik wrote:

API responses can contain warnings in "messages" array. This patch
also adds support for displaying multiple notifications at the same
time in order to show the message and a status of finished operation.

Notes:
- was implemented because of
https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=33cf958b98dc2d80d17b3de1c145d403df4a3ba3
--> test by modifying Master DNS Zone which has a Zone forwarder set.
- I'd like to move the notification code to separate module in a future and
then extend it according to PatternFly pattern which is currently under
development (should contain history, ...).


ACK from functional perspective. It properly displays warnings about DNS zones 
and DNSSEC.


It can be pushed if there is no problem in the code, I can't really check that.

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0096-0097] Allow '/' in permission name

2014-07-04 Thread Petr Viktorin

On 07/04/2014 04:03 PM, Petr Spacek wrote:

On 4.7.2014 14:17, Martin Basti wrote:

On Fri, 2014-07-04 at 13:10 +0200, Martin Basti wrote:

Ticket: https://fedorahosted.org/freeipa/ticket/4422
Classless reverse zones contain '/', which disallows adding a managed
permission.

This should be in IPA 4.0 (if ACKed before release)

IPA 3.3.5 supports classless reverse zones too. Should this patch be
applied to 3.3.x too?

Both patches attached (3.3 and 4.0)


Updated patches attached (Fix: cleanup permission)


ACK from functional perspective.

It can be pushed if there is no problem on Python side of things.



I've just finished testing this as well. Full ACK to the 4.0 version.
For the 3.3 one there's a discussion about branching API_VERSION in 
another thread.


Pushed to master: 2637116eab51be16c33745d51f284aaee0c57ae1

--
Petr³



Re: [Freeipa-devel] [PATCH] 694 webui: new navigation structure

2014-07-04 Thread Petr Spacek

On 4.7.2014 16:07, Martin Kosek wrote:

On 07/03/2014 03:06 PM, Petr Vobornik wrote:

On 3.7.2014 08:13, Fraser Tweedale wrote:

On Wed, Jul 02, 2014 at 04:14:13PM +0200, Petr Vobornik wrote:

https://fedorahosted.org/freeipa/ticket/4418

according to latest
proposal:http://www.redhat.com/archives/freeipa-devel/2014-June/msg00839.html
--
Petr Vobornik


Haven't run the webui tests but lines up with the proposal and looks
very nice!

ACK if webui tests pass.


I've run the complete test suite and discovered that I forgot to modify 2 other
tests. Also there was an existing fail in test_navigation in DNS-less
installation.

All fixed, updated patch attached.


I checked the menu, it looks OK. Now even the DNS page is fixed. So similarly
to Fraser - ACK if Web UI tests pass (I cannot run them ATM).


It works for me too, triple-ACK! :-)

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH] 0616 Allow read access to services in cn=masters to auth'd users

2014-07-04 Thread Petr Spacek

On 4.7.2014 14:49, Petr Viktorin wrote:

Hello,

The dns-is-enabled command, used by the Web UI to determine if DNS pages
should be displayed, queries '(&(objectClass=ipaConfigObject)(cn=DNS))' in
cn=masters. However, currently the service entries are not accessible to all
users, so the check will fail for non-admins.

We talked about this with Martin and agreed that there's no sensitive
information in the service entries.
This patch grants read access to all authenticated users.

Simo, is this OK?


This patch fixes https://fedorahosted.org/freeipa/ticket/4425 for me.

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH] 694 webui: new navigation structure

2014-07-04 Thread Martin Kosek

On 07/03/2014 03:06 PM, Petr Vobornik wrote:

On 3.7.2014 08:13, Fraser Tweedale wrote:

On Wed, Jul 02, 2014 at 04:14:13PM +0200, Petr Vobornik wrote:

https://fedorahosted.org/freeipa/ticket/4418

according to latest
proposal:http://www.redhat.com/archives/freeipa-devel/2014-June/msg00839.html
--
Petr Vobornik


Haven't run the webui tests but lines up with the proposal and looks
very nice!

ACK if webui tests pass.


I've run the complete test suite and discovered that I forgot to modify 2 other
tests. Also there was an existing fail in test_navigation in DNS-less
installation.

All fixed, updated patch attached.


I checked the menu, it looks OK. Now even the DNS page is fixed. So similarly 
to Fraser - ACK if Web UI tests pass (I cannot run them ATM).


Martin



Re: [Freeipa-devel] [PATCH 0096-0097] Allow '/' in permission name

2014-07-04 Thread Petr Spacek

On 4.7.2014 14:17, Martin Basti wrote:

On Fri, 2014-07-04 at 13:10 +0200, Martin Basti wrote:

Ticket: https://fedorahosted.org/freeipa/ticket/4422
Classless reverse zones contain '/', which disallows adding a managed
permission.

This should be in IPA 4.0 (if ACKed before release)

IPA 3.3.5 supports classless reverse zones too. Should this patch be
applied to 3.3.x too?

Both patches attached (3.3 and 4.0)


Updated patches attached (Fix: cleanup permission)


ACK from functional perspective.

It can be pushed if there is no problem on Python side of things.

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH] 0616 Allow read access to services in cn=masters to auth'd users

2014-07-04 Thread Martin Kosek

On 07/04/2014 03:55 PM, Petr Viktorin wrote:

On 07/04/2014 03:40 PM, Martin Kosek wrote:

On 07/04/2014 02:49 PM, Petr Viktorin wrote:

Hello,

The dns-is-enabled command, used by the Web UI to determine if DNS pages should
be displayed, queries '(&(objectClass=ipaConfigObject)(cn=DNS))' in cn=masters.
However, currently the service entries are not accessible to all users, so the
check will fail for non-admins.

We talked about this with Martin and agreed that there's no sensitive
information in the service entries.
This patch grants read access to all authenticated users.

Simo, is this OK?



I think this change is OK. We also only expose the service name, we do
not expose any additional setting.

Would it make sense, though, instead of creating an ACI for
cn=masters, to just update the 'Anonymous read access to
containers' ACI and remove the
'target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX"' part?


That would grant *anonymous* access to the masters & services. Do we want that?


Hmm, no, I do not think we want to do that.

Your change looks good to me then. Besides others, it fixes
https://fedorahosted.org/freeipa/ticket/4425
so I added it to patch description.

ACK. Pushed to master: 23feb4e0271d6876e2137f301f209a9f3af19084

Martin



Re: [Freeipa-devel] [PATCH] 0616 Allow read access to services in cn=masters to auth'd users

2014-07-04 Thread Petr Viktorin

On 07/04/2014 03:40 PM, Martin Kosek wrote:

On 07/04/2014 02:49 PM, Petr Viktorin wrote:

Hello,

The dns-is-enabled command, used by the Web UI to determine if DNS pages should
be displayed, queries '(&(objectClass=ipaConfigObject)(cn=DNS))' in cn=masters.
However, currently the service entries are not accessible to all users, so the
check will fail for non-admins.

We talked about this with Martin and agreed that there's no sensitive
information in the service entries.
This patch grants read access to all authenticated users.

Simo, is this OK?



I think this change is OK. We also only expose the service name, we do
not expose any additional setting.

Would it make sense, though, instead of creating an ACI for
cn=masters, to just update the 'Anonymous read access to
containers' ACI and remove the
'target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX"' part?


That would grant *anonymous* access to the masters & services. Do we want that?


Given that this ACI is in the DIT root, I would like to keep it as
simple as possible for performance reasons.



--
Petr³



Re: [Freeipa-devel] [PATCH] 0615 ldapupdate: Restore 'replace' functionality

2014-07-04 Thread Martin Kosek

On 07/04/2014 12:14 PM, Petr Viktorin wrote:

Some months ago, when working on the schema updater, I broke the 'replace'
directive in ldapupdater. Luckily the regression didn't make it to a released
version.

Here is a fix.


Good catch! Oh, the memories when I look at my old enhanced schema updater 
being removed again :-)


The replace OP is back now, works fine.

ACK. Pushed to master: 2f99140c92f05c9ff11ff57002cb87784c632091

Martin



Re: [Freeipa-devel] API version conflict

2014-07-04 Thread Martin Basti
On Fri, 2014-07-04 at 15:30 +0200, Petr Viktorin wrote:
> On 07/04/2014 03:20 PM, Martin Basti wrote:
> > On Fri, 2014-07-04 at 15:13 +0200, Jan Cholasta wrote:
> >> On 4.7.2014 13:34, Martin Basti wrote:
> >>> Hi list,
> >>>
> > > I need to increase the version number in ipa-3-3 branch to 2.66, but 2.66 is
> > > already used in ipa-master branch (2.66 Add support for managing user
> > > auth types). Fortunately it is a very minor change, so if I don't increase
> > > the version nothing happens.
> > >
> > > How to solve this problem? Don't increase the version number in ipa-3-3
> > > anymore (?)
> > >
> > > If we increase the IPA-3 API version to a number which hits an IPA-4
> > > capability, it could break communication between ipa3-client and
> > > ipa4-server.
> > >
> > > Should we try to increase the major version sometimes?
> >>>
> >>
> >> Would 2.66.1 work?
> >>
> >
> > IMO 2.65.1, 2.65.2, .. 2.65.x and never reach 2.66, but I don't know if
> > this is possible in the framework?
> >
> 
> The versions are (supposed to be) compared with version.LooseVersion, so 
> this should work.
> There may be a case where it would break, but if we need this in ipa-3-3 
> it would be worth it to test.
> 
> 
> Of course, backporting new capabilities to older versions would still be 
> impossible in this scheme.
> 
To do this, we need the capability to send supported capabilities to the server,
and it will be a pain.

-- 
Martin^2 Basti



Re: [Freeipa-devel] [PATCH] 0616 Allow read access to services in cn=masters to auth'd users

2014-07-04 Thread Martin Kosek

On 07/04/2014 02:49 PM, Petr Viktorin wrote:

Hello,

The dns-is-enabled command, used by the Web UI to determine if DNS pages should
be displayed, queries '(&(objectClass=ipaConfigObject)(cn=DNS))' in cn=masters.
However, currently the service entries are not accessible to all users, so the
check will fail for non-admins.

We talked about this with Martin and agreed that there's no sensitive
information in the service entries.
This patch grants read access to all authenticated users.

Simo, is this OK?



I think this change is OK. We also only expose the service name, we do not 
expose any additional setting.


Would it make sense, though, instead of creating an ACI for cn=masters,
to just update the 'Anonymous read access to containers' ACI and remove
the 'target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX"' part?


Given that this ACI is in the DIT root, I would like to keep it as simple as 
possible for performance reasons.


Martin



Re: [Freeipa-devel] API version conflict

2014-07-04 Thread Petr Viktorin

On 07/04/2014 03:30 PM, Petr Viktorin wrote:

On 07/04/2014 03:20 PM, Martin Basti wrote:

On Fri, 2014-07-04 at 15:13 +0200, Jan Cholasta wrote:

On 4.7.2014 13:34, Martin Basti wrote:

Hi list,

I need to increase the version number in ipa-3-3 branch to 2.66, but 2.66 is
already used in ipa-master branch (2.66 Add support for managing user
auth types). Fortunately it is a very minor change, so if I don't increase
the version nothing happens.

How to solve this problem? Don't increase the version number in ipa-3-3
anymore (?)

If we increase the IPA-3 API version to a number which hits an IPA-4
capability, it could break communication between ipa3-client and
ipa4-server.

Should we try to increase the major version sometimes?



Would 2.66.1 work?



IMO 2.65.1, 2.65.2, .. 2.65.x and never reach 2.66, but I don't know if
this is possible in the framework?



The versions are (supposed to be) compared with version.LooseVersion, so
this should work.
There may be a case where it would break, but if we need this in ipa-3-3
it would be worth it to test.


Of course, backporting new capabilities to older versions would still be
impossible in this scheme.



BTW, the comparison code in Command.verify_client_version looks like it 
was written with 3+-part versions in mind:



ver = version.LooseVersion(client_version)
if len(ver.version) < 2:
    raise VersionError(cver=ver.version, sver=server_ver.version,
                       server=self.env.xmlrpc_uri)
client_major = ver.version[0]
client_minor = ver.version[1]


--
Petr³

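The ordering argument of this thread (2.65.x staying below 2.66 for every x, and the two-component check quoted above) as an added example; this is not FreeIPA code. It re-implements the numeric part of version.LooseVersion itself, and the capability table and its name are constructed for the example.

```python
# Added example, not FreeIPA code: a model of the API version scheme this
# thread argues about. parse_version() stands in for distutils'
# version.LooseVersion (which FreeIPA uses) because distutils is no longer
# shipped with recent Python releases; only numeric components are handled.
from typing import Dict, List, Tuple

# Constructed table: capability name -> first API version that has it. The
# name is hypothetical; 2.66 is the ipa-master number from the thread.
CAPABILITIES: Dict[str, str] = {
    "user_auth_types": "2.66",
}


class VersionError(Exception):
    """Raised when a client's API version cannot be accepted by this server."""


def parse_version(text: str) -> List[int]:
    """Split '2.65.1' into [2, 65, 1].

    Python compares lists element by element and ranks a shorter prefix
    below a longer one, which is how LooseVersion orders purely numeric
    versions: [2, 65, 9] < [2, 66] < [2, 66, 1].
    """
    try:
        return [int(part) for part in text.strip().split(".")]
    except ValueError:
        raise VersionError("non-numeric component in version %r" % text)


def client_has_capability(client_version: str, capability: str) -> bool:
    """True when a client announcing client_version is credited with the
    capability, i.e. its version is at or above the capability's version."""
    return parse_version(client_version) >= parse_version(CAPABILITIES[capability])


def branch_collisions(branch_version: str) -> List[str]:
    """Capabilities a stable-branch client reporting branch_version would be
    credited with although the branch never shipped them (assumes the branch
    has none of them).

    This is the breakage Martin describes: bumping ipa-3-3 to 2.66 collides
    with master's 2.66, whereas 2.65.x stays below it for every x.
    """
    return sorted(cap for cap in CAPABILITIES
                  if client_has_capability(branch_version, cap))


def verify_client_version(client_version: str,
                          server_version: str) -> Tuple[int, int]:
    """Same shape as the Command.verify_client_version fragment quoted in
    the thread: at least two components are required and only the first
    two are looked at. The major/minor rules after the length check are an
    assumption of this example, not quoted from FreeIPA."""
    ver = parse_version(client_version)
    sver = parse_version(server_version)
    if len(ver) < 2:
        raise VersionError("client version %r needs at least two components"
                           % client_version)
    client_major, client_minor = ver[0], ver[1]
    server_major, server_minor = sver[0], sver[1]
    if client_major != server_major:
        raise VersionError("major version mismatch: client %d, server %d"
                           % (client_major, server_major))
    if client_minor > server_minor:
        raise VersionError("client API %s is newer than server API %s"
                           % (client_version, server_version))
    # A third component (2.65.1) passes through untouched: the check never
    # reads ver[2], so 2.65.1 is treated exactly like 2.65 here.
    return client_major, client_minor


def is_client_compatible(client_version: str, server_version: str) -> bool:
    """Boolean wrapper around verify_client_version()."""
    try:
        verify_client_version(client_version, server_version)
    except VersionError:
        return False
    return True


if __name__ == "__main__":
    server = "2.66"  # ipa-master, where the constructed capability was added
    # Candidate numbers an ipa-3-3 bump could use; only 2.66 and above collide.
    for client in ("2.65", "2.65.1", "2.65.9", "2.66", "2.66.1"):
        print("ipa-3-3 client %-7s compatible=%-5s credited with=%s" % (
            client, is_client_compatible(client, server),
            branch_collisions(client)))
```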


Re: [Freeipa-devel] API version conflict

2014-07-04 Thread Petr Viktorin

On 07/04/2014 03:20 PM, Martin Basti wrote:

On Fri, 2014-07-04 at 15:13 +0200, Jan Cholasta wrote:

On 4.7.2014 13:34, Martin Basti wrote:

Hi list,

I need to increase the version number in ipa-3-3 branch to 2.66, but 2.66 is
already used in ipa-master branch (2.66 Add support for managing user
auth types). Fortunately it is a very minor change, so if I don't increase
the version nothing happens.

How to solve this problem? Don't increase the version number in ipa-3-3
anymore (?)

If we increase the IPA-3 API version to a number which hits an IPA-4
capability, it could break communication between ipa3-client and
ipa4-server.

Should we try to increase the major version sometimes?



Would 2.66.1 work?



IMO 2.65.1, 2.65.2, .. 2.65.x and never reach 2.66, but I don't know if
this is possible in the framework?



The versions are (supposed to be) compared with version.LooseVersion, so 
this should work.
There may be a case where it would break, but if we need this in ipa-3-3 
it would be worth it to test.



Of course, backporting new capabilities to older versions would still be 
impossible in this scheme.


--
Petr³



Re: [Freeipa-devel] API version conflict

2014-07-04 Thread Martin Kosek

On 07/04/2014 03:20 PM, Martin Basti wrote:

On Fri, 2014-07-04 at 15:13 +0200, Jan Cholasta wrote:

On 4.7.2014 13:34, Martin Basti wrote:

Hi list,

I need to increase the version number in ipa-3-3 branch to 2.66, but 2.66 is
already used in ipa-master branch (2.66 Add support for managing user
auth types). Fortunately it is a very minor change, so if I don't increase
the version nothing happens.

How to solve this problem? Don't increase the version number in ipa-3-3
anymore (?)

If we increase the IPA-3 API version to a number which hits an IPA-4
capability, it could break communication between ipa3-client and
ipa4-server.

Should we try to increase the major version sometimes?



Would 2.66.1 work?



IMO 2.65.1, 2.65.2, .. 2.65.x and never reach 2.66, but I don't know if
this is possible in the framework?



I do not think it is. But given that we do not offer backwards compatibility
with ipa commands, we can add support in 4.0.x and support both the 2.x and 2.x.y
forms.


Please file a ticket.

Thanks,
Martin



Re: [Freeipa-devel] API version conflict

2014-07-04 Thread Martin Basti
On Fri, 2014-07-04 at 15:13 +0200, Jan Cholasta wrote:
> On 4.7.2014 13:34, Martin Basti wrote:
> > Hi list,
> >
> > I need to increase the version number in ipa-3-3 branch to 2.66, but 2.66 is
> > already used in ipa-master branch (2.66 Add support for managing user
> > auth types). Fortunately it is a very minor change, so if I don't increase
> > the version nothing happens.
> >
> > How to solve this problem? Don't increase the version number in ipa-3-3
> > anymore (?)
> >
> > If we increase the IPA-3 API version to a number which hits an IPA-4
> > capability, it could break communication between ipa3-client and
> > ipa4-server.
> >
> > Should we try to increase the major version sometimes?
> >
> 
> Would 2.66.1 work?
> 

IMO 2.65.1, 2.65.2, .. 2.65.x and never reach 2.66, but I don't know if
this is possible in the framework?
-- 
Martin^2 Basti



Re: [Freeipa-devel] API version conflict

2014-07-04 Thread Martin Kosek

On 07/04/2014 01:34 PM, Martin Basti wrote:

Hi list,

I need to increase the version number in ipa-3-3 branch to 2.66, but 2.66 is
already used in ipa-master branch (2.66 Add support for managing user
auth types). Fortunately it is a very minor change, so if I don't increase
the version nothing happens.

How to solve this problem? Don't increase the version number in ipa-3-3
anymore (?)

If we increase the IPA-3 API version to a number which hits an IPA-4
capability, it could break communication between ipa3-client and
ipa4-server.

Should we try to increase the major version sometimes?



Hmm, that's a very good question. I think that the current model does not count
with API changes in bug fix releases (in the branches). It also did not expect
that the Capabilities will depend on it.


It seems to me that the least pain is to avoid increasing the API number in
ipa-3-3 for now and think about some better scheme for avoiding this problem (I
do not have an idea ATM which would not break compatibility).


Martin



Re: [Freeipa-devel] API version conflict

2014-07-04 Thread Jan Cholasta

On 4.7.2014 13:34, Martin Basti wrote:

Hi list,

I need to increase the version number in ipa-3-3 branch to 2.66, but 2.66 is
already used in ipa-master branch (2.66 Add support for managing user
auth types). Fortunately it is a very minor change, so if I don't increase
the version nothing happens.

How to solve this problem? Don't increase the version number in ipa-3-3
anymore (?)

If we increase the IPA-3 API version to a number which hits an IPA-4
capability, it could break communication between ipa3-client and
ipa4-server.

Should we try to increase the major version sometimes?



Would 2.66.1 work?

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 0616 Allow read access to services in cn=masters to auth'd users

2014-07-04 Thread Petr Spacek

On 4.7.2014 14:49, Petr Viktorin wrote:

Hello,

The dns-is-enabled command, used by the Web UI to determine if DNS pages
should be displayed, queries '(&(objectClass=ipaConfigObject)(cn=DNS))' in
cn=masters. However, currently the service entries are not accessible to all
users, so the check will fail for non-admins.

We talked about this with Martin and agreed that there's no sensitive
information in the service entries.
This patch grants read access to all authenticated users.

Simo, is this OK?


BTW this information has to be available anyway. It will be necessary for 
automatic NS record management.


(After all, it doesn't make sense to require user input for NS records because 
valid values can be simply enumerated from LDAP.)


--
Petr^2 Spacek



[Freeipa-devel] [PATCH] 0616 Allow read access to services in cn=masters to auth'd users

2014-07-04 Thread Petr Viktorin

Hello,

The dns-is-enabled command, used by the Web UI to determine if DNS pages 
should be displayed, queries '(&(objectClass=ipaConfigObject)(cn=DNS))' 
in cn=masters. However, currently the service entries are not accessible 
to all users, so the check will fail for non-admins.


We talked about this with Martin and agreed that there's no sensitive 
information in the service entries.

This patch grants read access to all authenticated users.

Simo, is this OK?

--
Petr³
From 1be7481fd8521a133fc751c46df4faebcfdce58c Mon Sep 17 00:00:00 2001
From: Petr Viktorin 
Date: Fri, 4 Jul 2014 13:19:37 +0200
Subject: [PATCH] Allow read access to services in cn=masters to auth'd users

---
 install/updates/20-aci.update | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 5c4d1a1e3a90fc92effc8cd08c5220a2c382a8c7..9bbb7e4bb8d51b3d957d1f63d2c889e793276598 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -28,9 +28,9 @@ dn: $SUFFIX
 dn: cn=replicas,cn=ipa,cn=etc,$SUFFIX
 add:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny read access to replica configuration"; deny(read, search, compare) userdn = "ldap:///anyone";;)'
 
-# Read access to masters (but not their services)
+# Read access to masters and their services
 dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
-add:aci:'(targetfilter="(&(objectclass=nsContainer)(!(objectclass=ipaConfigObject)))")(targetattr="objectclass || cn")(version 3.0; acl "Read access to masters"; allow(read, search, compare) userdn = "ldap:///all";;)'
+add:aci:'(targetfilter="(objectclass=nsContainer)")(targetattr="objectclass || cn")(version 3.0; acl "Read access to masters"; allow(read, search, compare) userdn = "ldap:///all";;)'
 
 # Read access to Kerberos container (cn=kerberos) and realm containers (cn=$REALM,cn=kerberos)
 dn: cn=kerberos,$SUFFIX
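Review bot: the targetattr list "objectclass || cn" is unchanged, so dropping (!(objectclass=ipaConfigObject)) from the targetfilter exposes only the names of the service entries under cn=masters to authenticated binds (userdn = "ldap:///all"), not any other attribute of those entries; since the discussion asked exactly what becomes visible, say so in the commit message rather than only in the comment line. Also check what the updater does with the old 'Read access to masters' value: the hunk is an add:aci: of a changed value under the same acl name, and if the previous ACI is left in place the access decision is still right (the new filter is a superset of the old one) but two ACIs sharing one name make later audits harder, so an explicit remove: of the old value or a replace: would keep the entry clean.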
-- 
1.9.3


Re: [Freeipa-devel] [PATCH 0096-0097] Allow '/' in permission name

2014-07-04 Thread Martin Basti
On Fri, 2014-07-04 at 13:10 +0200, Martin Basti wrote:
> Ticket: https://fedorahosted.org/freeipa/ticket/4422
> Classless reverse zones contain '/', which disallows adding a managed
> permission.
> 
> This should be in IPA 4.0 (if ACKed before release)
> 
> IPA 3.3.5 supports classless reverse zones too. Should this patch be
> applied to 3.3.x too?
> 
> Both patches attached (3.3 and 4.0)

Updated patches attached (Fix: cleanup permission)
-- 
Martin^2 Basti
From 9f37614c30185883aff023a779b0ac7fd053f4ba Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Fri, 4 Jul 2014 12:03:19 +0200
Subject: [PATCH] Allow to add managed permission for reverse zones

Ticket: https://fedorahosted.org/freeipa/ticket/4422
---
 API.txt| 16 ++--
 ipalib/plugins/permission.py   |  4 +--
 ipatests/test_xmlrpc/test_dns_plugin.py| 34 +-
 ipatests/test_xmlrpc/test_permission_plugin.py |  2 +-
 4 files changed, 44 insertions(+), 12 deletions(-)

diff --git a/API.txt b/API.txt
index 605f9ee30b7a945e529dc208c8e719cd04ec3a87..b6c0a4c961e15131490c4fcd6ed1539cfeab49ff 100644
--- a/API.txt
+++ b/API.txt
@@ -2218,7 +2218,7 @@ output: Output('summary', (, ), None)
 output: Output('value', , None)
 command: permission_add
 args: 1,13,3
-arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9]+$', primary_key=True, required=True)
+arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9/]+$', primary_key=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('attrs', alwaysask=True, attribute=True, autofill=False, cli_name='attrs', csv=True, multivalue=True, query=False, required=False)
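Review bot: widening the cn pattern to '^[-_ a-zA-Z0-9/]+$' in API.txt is an API change, but the diffstat above lists no VERSION file, and the parallel "API version conflict" thread is precisely about which number an ipa-3-3 API bump may use; please state in the commit message whether API_VERSION is bumped and to what in each of the two variants (3.3 and 4.0) mentioned in the cover mail. On the change itself: cn is the primary key, so a name containing '/' becomes the RDN value of the permission entry, and '/' is not a special character in DN string syntax, so no extra escaping is needed there.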
@@ -2237,7 +2237,7 @@ output: Output('summary', (, ), None)
 output: Output('value', , None)
 command: permission_add_member
 args: 1,5,3
-arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9]+$', primary_key=True, query=True, required=True)
+arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9/]+$', primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Str('privilege*', alwaysask=True, cli_name='privileges', csv=True)
@@ -2259,7 +2259,7 @@ output: Output('summary', (, ), None)
 output: Output('value', , None)
 command: permission_del
 args: 1,3,3
-arg: Str('cn', attribute=True, cli_name='name', multivalue=True, pattern='^[-_ a-zA-Z0-9]+$', primary_key=True, query=True, required=True)
+arg: Str('cn', attribute=True, cli_name='name', multivalue=True, pattern='^[-_ a-zA-Z0-9/]+$', primary_key=True, query=True, required=True)
 option: Flag('continue', autofill=True, cli_name='continue', default=False)
 option: Flag('force', autofill=True, default=False)
 option: Str('version?', exclude='webui')
@@ -2271,7 +2271,7 @@ args: 1,15,4
 arg: Str('criteria?', noextrawhitespace=False)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('attrs', attribute=True, autofill=False, cli_name='attrs', csv=True, multivalue=True, query=True, required=False)
-option: Str('cn', attribute=True, autofill=False, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9]+$', primary_key=True, query=True, required=False)
+option: Str('cn', attribute=True, autofill=False, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9/]+$', primary_key=True, query=True, required=False)
 option: Str('filter', attribute=True, autofill=False, cli_name='filter', multivalue=False, query=True, required=False)
 option: Str('memberof', attribute=True, autofill=False, cli_name='memberof', multivalue=False, query=True, required=False)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
@@ -2290,7 +2290,7 @@ output: Output('summary', (, ), None)
 output: Output('truncated', , None)
 command: permission_mod
 args: 1,16,3
-arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9]+$', primary_key=True, query=True, required=True)
+arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9/]+$', primary_key=True, query=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('attrs', attribute=True, autofill=False, cli_name='attrs', csv=True, multivalue=True, required=False)
@@ -2300,7 +2300,7 @@ option: Str('memberof', attribute=True, autofill=False, cli_name='memberof', mul
 option: Flag('no

Re: [Freeipa-devel] API version conflict

2014-07-04 Thread Petr Spacek

On 4.7.2014 13:34, Martin Basti wrote:

Hi list,

I need to increase the version number in ipa-3-3 branch to 2.66, but 2.66 is
already used in ipa-master branch (2.66 Add support for managing user
auth types). Fortunately it is a very minor change, so if I don't increase
the version nothing happens.

How to solve this problem? Don't increase the version number in ipa-3-3
anymore (?)

If we increase the IPA-3 API version to a number which hits an IPA-4
capability, it could break communication between ipa3-client and
ipa4-server.

Should we try to increase the major version sometimes?


Or migrate to something better? :-)

Linear version numbering in Ovirt/VDSM causes me a lot of pain.

--
Petr^2 Spacek



[Freeipa-devel] API version conflict

2014-07-04 Thread Martin Basti
Hi list,

I need to increase the version number in ipa-3-3 branch to 2.66, but 2.66 is
already used in ipa-master branch (2.66 Add support for managing user
auth types). Fortunately it is a very minor change, so if I don't increase
the version nothing happens.

How to solve this problem? Don't increase the version number in ipa-3-3
anymore (?)

If we increase the IPA-3 API version to a number which hits an IPA-4
capability, it could break communication between ipa3-client and
ipa4-server.

Should we try to increase the major version sometimes?

-- 
Martin^2 Basti



[Freeipa-devel] [PATCH 0096-0097] Allow '/' in permission name

2014-07-04 Thread Martin Basti
Ticket: https://fedorahosted.org/freeipa/ticket/4422
Classless reverse zones contain '/', which disallows adding a managed
permission.

This should be in IPA 4.0 (if ACKed before release)

IPA 3.3.5 supports classless reverse zones too. Should this patch be
applied to 3.3.x too?

Both patches attached (3.3 and 4.0)
-- 
Martin^2 Basti
From 1a4049209ab302b05611aa4c02372ccc2be184dc Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Fri, 4 Jul 2014 12:03:19 +0200
Subject: [PATCH] Allow to add managed permission for reverse zones

Ticket: https://fedorahosted.org/freeipa/ticket/4422
---
 API.txt| 16 ++---
 ipalib/plugins/permission.py   |  4 ++--
 ipatests/test_xmlrpc/test_dns_plugin.py| 31 ++
 ipatests/test_xmlrpc/test_permission_plugin.py |  2 +-
 4 files changed, 42 insertions(+), 11 deletions(-)

diff --git a/API.txt b/API.txt
index 605f9ee30b7a945e529dc208c8e719cd04ec3a87..b6c0a4c961e15131490c4fcd6ed1539cfeab49ff 100644
--- a/API.txt
+++ b/API.txt
@@ -2218,7 +2218,7 @@ output: Output('summary', (, ), None)
 output: Output('value', , None)
 command: permission_add
 args: 1,13,3
-arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9]+$', primary_key=True, required=True)
+arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9/]+$', primary_key=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('attrs', alwaysask=True, attribute=True, autofill=False, cli_name='attrs', csv=True, multivalue=True, query=False, required=False)
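Review bot: the pattern change in this hunk is exercised, per the diffstat, almost entirely through ipatests/test_xmlrpc/test_dns_plugin.py (31 lines added) while test_permission_plugin.py changes only 2 lines; add a direct permission-plugin case that creates, finds and deletes a permission whose name contains '/' so the widened '^[-_ a-zA-Z0-9/]+$' pattern is tested independently of the DNS zone code path that motivated it.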
@@ -2237,7 +2237,7 @@ output: Output('summary', (, ), None)
 output: Output('value', , None)
 command: permission_add_member
 args: 1,5,3
-arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9]+$', primary_key=True, query=True, required=True)
+arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9/]+$', primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Str('privilege*', alwaysask=True, cli_name='privileges', csv=True)
@@ -2259,7 +2259,7 @@ output: Output('summary', (, ), None)
 output: Output('value', , None)
 command: permission_del
 args: 1,3,3
-arg: Str('cn', attribute=True, cli_name='name', multivalue=True, pattern='^[-_ a-zA-Z0-9]+$', primary_key=True, query=True, required=True)
+arg: Str('cn', attribute=True, cli_name='name', multivalue=True, pattern='^[-_ a-zA-Z0-9/]+$', primary_key=True, query=True, required=True)
 option: Flag('continue', autofill=True, cli_name='continue', default=False)
 option: Flag('force', autofill=True, default=False)
 option: Str('version?', exclude='webui')
@@ -2271,7 +2271,7 @@ args: 1,15,4
 arg: Str('criteria?', noextrawhitespace=False)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('attrs', attribute=True, autofill=False, cli_name='attrs', csv=True, multivalue=True, query=True, required=False)
-option: Str('cn', attribute=True, autofill=False, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9]+$', primary_key=True, query=True, required=False)
+option: Str('cn', attribute=True, autofill=False, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9/]+$', primary_key=True, query=True, required=False)
 option: Str('filter', attribute=True, autofill=False, cli_name='filter', multivalue=False, query=True, required=False)
 option: Str('memberof', attribute=True, autofill=False, cli_name='memberof', multivalue=False, query=True, required=False)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
@@ -2290,7 +2290,7 @@ output: Output('summary', (, ), None)
 output: Output('truncated', , None)
 command: permission_mod
 args: 1,16,3
-arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9]+$', primary_key=True, query=True, required=True)
+arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9/]+$', primary_key=True, query=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('attrs', attribute=True, autofill=False, cli_name='attrs', csv=True, multivalue=True, required=False)
@@ -2300,7 +2300,7 @@ option: Str('memberof', attribute=True, autofill=False, cli_name='memberof', mul
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Str('permissions', attribute=True, autofill=False, cli_name='permissions', csv=True, multivalue=True, required=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
-option: Str('rena

Re: [Freeipa-devel] [PATCH 0093] Restore privileges after forward zone upgrade

2014-07-04 Thread Martin Basti
On Fri, 2014-07-04 at 12:51 +0200, Petr Viktorin wrote:
> On 07/03/2014 09:24 PM, Petr Spacek wrote:
> > On 3.7.2014 19:00, Martin Basti wrote:
> >> Patch attached
> >
> > Congratulations! I wasn't able to find any bug in this ;-)
> >
> > ACK from functional perspective.
> >
> > It can be pushed if there is no problem with Python side of things.
> >
> 
> 
> 
> Martin, I see a lot of code like this:
> zone['idnsname'][0]
> To get a single-valued attribute, you should use:
> zone.single_value['idnsname']
> which does a proper check that there is really only a single value.
> 
> I see the old style used elsewhere in the plugin though; it should be 
> changed everywhere, and I don't think there's immediate benefit to doing 
> that. Just keep this in mind for the future.
> 
> 
> Pushed 0093 to master: f8b6595f4999740a704bcdae6d4f9b5021f7f61f
> 

Thank you for the hint.
If I have time I will fix it in the dns plugin(s).
-- 
Martin^2 Basti



Re: [Freeipa-devel] [PATCH 0093] Restore privileges after forward zone upgrade

2014-07-04 Thread Petr Viktorin

On 07/03/2014 09:24 PM, Petr Spacek wrote:

On 3.7.2014 19:00, Martin Basti wrote:

Patch attached


Congratulations! I wasn't able to find any bug in this ;-)

ACK from functional perspective.

It can be pushed if there is no problem with Python side of things.





Martin, I see a lot of code like this:
   zone['idnsname'][0]
To get a single-valued attribute, you should use:
   zone.single_value['idnsname']
which does a proper check that there is really only a single value.

I see the old style used elsewhere in the plugin though; it should be 
changed everywhere, and I don't think there's immediate benefit to doing 
that. Just keep this in mind for the future.



Pushed 0093 to master: f8b6595f4999740a704bcdae6d4f9b5021f7f61f

--
Petr³

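The review comment above (take `zone.single_value['idnsname']` rather than `zone['idnsname'][0]`) matters for an upgrade that restores privileges keyed on a zone name: the indexed form quietly acts on whichever value happens to come first. The following is an added example, not FreeIPA's own `ipapython.ipaldap.LDAPEntry`; the `Entry`/`SingleValueView` classes are a stand-in that mimics the interface named in the review, and the two zone entries are constructed sample data.

```python
"""Added example: a model of the two access styles discussed above.

This is NOT FreeIPA's ipapython.ipaldap.LDAPEntry; it is a stand-in that
mimics the interface named in the review (entry[attr] is a list,
entry.single_value[attr] is exactly one value) so the behaviour on a
multi-valued attribute can be compared offline.
"""


class SingleValueView(object):
    """Read-only view that insists on exactly one value per attribute."""

    def __init__(self, entry):
        self._entry = entry

    def __getitem__(self, attr):
        values = self._entry[attr]
        if len(values) != 1:
            raise ValueError('%s has %d values, one expected' % (attr, len(values)))
        return values[0]


class Entry(dict):
    """Minimal stand-in for an LDAP entry: attribute name -> list of values."""

    @property
    def single_value(self):
        return SingleValueView(self)


def zone_name_unchecked(zone):
    """Old style from the thread: silently returns the first value, even if
    the attribute unexpectedly holds several."""
    return zone['idnsname'][0]


def zone_name_checked(zone):
    """Recommended style: fails loudly when the attribute is not single-valued."""
    return zone.single_value['idnsname']


def classify(zone):
    """('ok', name) when the zone has exactly one name, else ('error', why)."""
    try:
        return 'ok', zone_name_checked(zone)
    except ValueError as exc:
        return 'error', str(exc)


# Constructed sample data (hypothetical): a normal zone entry and one that,
# through whatever fault, holds two idnsname values.
GOOD_ZONE = Entry(idnsname=['example.test.'], managedby=['cn=zone-admins'])
TWO_NAMES = Entry(idnsname=['example.test.', 'examp1e.test.'],
                  managedby=['cn=zone-admins'])

if __name__ == '__main__':
    # The unchecked form picks the first value and carries on; the checked
    # form turns the inconsistent entry into an error that shows up in logs.
    print(zone_name_unchecked(TWO_NAMES))
    print(classify(TWO_NAMES))
```

The point of the stricter accessor is not the happy path, where both return the same string, but the inconsistent entry: an upgrade step that silently picked `example.test.` would grant the restored privilege against a zone the operator never checked.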


Re: [Freeipa-devel] [PATCH 0087] Fix: missing records in 40-dns.update

2014-07-04 Thread Petr Viktorin

On 07/04/2014 12:21 PM, Martin Basti wrote:

On Fri, 2014-07-04 at 12:15 +0200, Petr Viktorin wrote:

On 07/04/2014 09:52 AM, Martin Basti wrote:

Updated patch attached



Almost there.
There's a missing space in the "addifexist" ACI, quite important as the
values are checked byte-for-byte on updates.

Also, it turns out dns.ldif (which creates cn=dns) is loaded after
updates, so a line there is needed as well. Sorry for the misinformation
I've spread offline.

I tested the attached version with a working ldapupdater (my patch 0615):
upgrades and new installs, both with DNS missing and DNS installed. I
can push if you agree with the changes.




I agree with the changes



Thanks!

Pushed to master: 3461be5c78dcc77a758235dce6f0cc8e370a0310

--
Petr³


Re: [Freeipa-devel] [PATCH 0087] Fix: missing records in 40-dns.update

2014-07-04 Thread Martin Basti
On Fri, 2014-07-04 at 12:15 +0200, Petr Viktorin wrote:
> On 07/04/2014 09:52 AM, Martin Basti wrote:
> > Updated patch attached
> >
> 
> Almost there.
> There's a missing space in the "addifexist" ACI, quite important as the 
> values are checked byte-for-byte on updates.
> 
> Also, it turns out dns.ldif (which creates cn=dns) is loaded after 
> updates, so a line there is needed as well. Sorry for the misinformation 
> I've spread offline.
> 
> I tested the attached version with a working ldapupdater (my patch 0615): 
> upgrades and new installs, both with DNS missing and DNS installed. I 
> can push if you agree with the changes.
> 
> 

I agree with the changes
-- 
Martin^2 Basti



Re: [Freeipa-devel] [PATCH] 477 Add Modify Realm Domains permission

2014-07-04 Thread Petr Viktorin

On 07/04/2014 12:09 PM, Petr Spacek wrote:

On 4.7.2014 10:08, Martin Kosek wrote:

On 07/04/2014 10:00 AM, Petr Spacek wrote:

On 4.7.2014 09:34, Martin Kosek wrote:

The permission is required for DNS Administrators as the realm domains
object is updated when a master zone is added.

https://fedorahosted.org/freeipa/ticket/4423


I can't resist ;-)

NACK: Build failed.


[...]

Oh, well - here is an updated patch.


ACK from functional perspective. I'm not able to reproduce the problem
with the patch applied. I have tested clean installation and also
upgrade from 3.3.5.

It can be pushed if there is no problem on Python side of things.



Pushed to master: ef83a0c67884274be000f3b4fcc8150e8910bcb7

--
Petr³



Re: [Freeipa-devel] [PATCH 0087] Fix: missing records in 40-dns.update

2014-07-04 Thread Petr Viktorin

On 07/04/2014 09:52 AM, Martin Basti wrote:

Updated patch attached



Almost there.
There's a missing space in the "addifexist" ACI, quite important as the 
values are checked byte-for-byte on updates.


Also, it turns out dns.ldif (which creates cn=dns) is loaded after 
updates, so a line there is needed as well. Sorry for the misinformation 
I've spread offline.


I tested the attached version with a working ldapupdater (my patch 0615): 
upgrades and new installs, both with DNS missing and DNS installed. I 
can push if you agree with the changes.



--
Petr³

From c1751c8b2f0a7e4918cedeedd49dc9eb5869a619 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 1 Jul 2014 17:25:43 +0200
Subject: [PATCH] Fix: Missing ACI for records in 40-dns.update

---
 install/share/dns.ldif| 1 +
 install/updates/40-dns.update | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/install/share/dns.ldif b/install/share/dns.ldif
index 56cc15f612b92d7c17659d858a3a617dd0db4779..2c6050f8598b82e3f0e476d5bff5522f4b54e521 100644
--- a/install/share/dns.ldif
+++ b/install/share/dns.ldif
@@ -7,6 +7,7 @@ dn: cn=dns,$SUFFIX
 aci: (targetattr = "*")(version 3.0; acl "Allow read access"; allow (read,search,compare) groupdn = "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX" or userattr = "parent[0,1].managedby#GROUPDN";)
 aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Add DNS entries in a zone";allow (add) userattr = "parent[1].managedby#GROUPDN";)
 aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";)
+aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || record || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders || dlvrecord || idnssecinlinesigning || nsec3paramrecord || tlsarecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
 
 dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
 changetype: add
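Review bot: this targetattr string ends in `tlsarecord "` (a space before the closing quote) and lists `idnsname` twice; 389-ds tolerates both, but because 40-dns.update must carry the identical string for its addifexist/replace directives to match the installed value byte-for-byte, the same bytes have to be used in every place that installs this ACI, and a comment saying the space is deliberate would stop the next cleanup from breaking the match. Also worth stating in the commit message that the attributes a zone's managedBy group may write include zone policy (idnsallowquery, idnsallowtransfer, idnsupdatepolicy, idnsforwardpolicy, idnsforwarders, idnssecinlinesigning), not only records, so that scope is an explicit decision rather than a side effect of the list.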
diff --git a/install/updates/40-dns.update b/install/updates/40-dns.update
index 796a293692f790666bafaca865d010b7f6899e6f..00fc97fcafc98ee6ef6e0c36b2005635867287b2 100644
--- a/install/updates/40-dns.update
+++ b/install/updates/40-dns.update
@@ -4,13 +4,13 @@ dn: cn=dns, $SUFFIX
 addifexist: objectClass: idnsConfigObject
 addifexist: aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Add DNS entries in a zone";allow (add) userattr = "parent[1].managedby#GROUPDN";)'
 addifexist: aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";)'
-addifexist: aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || record || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)'
+addifexist: aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || record || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders || dlvrecord || idnssecinlinesigning || nsec3paramrecord || tlsarecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Update
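Review bot: the only differences between the `-` and `+` lines are the four new attributes and the trailing space before the closing quote (`tlsarecord "`), which is there so the value matches dns.ldif byte-for-byte; without a comment in the update file that space will be removed as a typo and the directive will stop matching. A small test asserting that dns.ldif and 40-dns.update contain the same "Update DNS entries in a zone" ACI string would pin this.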

[Freeipa-devel] [PATCH] 0615 ldapupdate: Restore 'replace' functionality

2014-07-04 Thread Petr Viktorin
Some months ago, when working on the schema updater, I broke the 
'replace' directive in ldapupdater. Luckily the regression didn't make 
it to a released version.


Here is a fix.


--
Petr³
From 2c5c96abb0989a84e9c2bb4bd3bf642a1da1 Mon Sep 17 00:00:00 2001
From: Petr Viktorin 
Date: Fri, 4 Jul 2014 09:50:58 +0200
Subject: [PATCH] ldapupdate: Restore 'replace' functionality

The replace directive was made a no-op by mistake in commit 6381d76.
Restore it.
---
 ipaserver/install/ldapupdate.py | 8 
 1 file changed, 8 insertions(+)

diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index b6c6d2b90b1f86f5d45985d4e1476fd03f7d112d..6bed046d2661f48218b66c11e6f6a43c6dc0f6bf 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -625,6 +625,14 @@ def _apply_update_disposition(self, updates, entry):
 (old, new) = update_value.split('::', 1)
 except ValueError:
 raise BadSyntax, "bad syntax in replace, needs to be in the format old::new in %s" % update_value
+try:
+entry_values.remove(old)
+except ValueError:
+self.debug('replace: %s not found, skipping', safe_output(attr, old))
+else:
+entry_values.append(new)
+self.debug('replace: updated value %s', safe_output(attr, entry_values))
+entry[attr] = entry_values
 
 return entry
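Review bot: the `else:` branch appends `new` without checking whether it is already in `entry_values`, so an entry that already carries both `old` and `new` (for example because `new` was added by hand or by an earlier update) ends up with a duplicate value after the remove; guard it with `if new not in entry_values:` before the append. Since the commit message says the directive was silently turned into a no-op in an earlier commit, a unit test exercising `replace` with a matching and a non-matching `old` would stop that recurring.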
 
-- 
1.9.3

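Two things in this thread hinge on how the update files compare values: the PATCH 0087 review ("the values are checked byte-for-byte on updates", the reason a single missing space in an `addifexist` ACI matters) and the `replace old::new` directive restored by patch 0615 above. The following is an added example, not FreeIPA's `ipaserver/install/ldapupdate.py`; it is a small model of the directive semantics as I read them from the visible patch and update files (add/addifexist de-duplicate only on an exact string match, addifexist touches only an entry that already exists, replace removes `old` and appends `new`), and the entries and ACI strings it operates on are constructed.

```python
"""Added example, not FreeIPA's ipaserver/install/ldapupdate.py: a small
model of how update-file directives act on one attribute of one entry, to
show why the review insists on byte-for-byte identical ACI strings.

Assumptions (mine, from the visible patch and update files): add/addifexist
treat the value as an opaque string and de-duplicate only on an exact
match; addifexist touches only an entry that already exists; replace uses
the old::new split and remove-then-append logic shown in patch 0615.
"""


class BadSyntax(Exception):
    pass


def apply_directive(entry, action, attr, value):
    """Apply one directive to entry (dict: attr -> list of str) in place and
    return a one-line log of what happened."""
    values = list(entry.get(attr, []))
    if action == 'addifexist' and not entry:
        return 'addifexist: entry does not exist, skipping'
    if action in ('add', 'addifexist'):
        # Exact-string membership: 'tlsarecord")' and 'tlsarecord ")' are two
        # different values and will both be kept.
        if value in values:
            values.remove(value)
        values.append(value)
        log = '%s: %s now has %d value(s)' % (action, attr, len(values))
    elif action == 'remove':
        if value in values:
            values.remove(value)
            log = 'remove: removed'
        else:
            log = 'remove: not found, skipping'
    elif action == 'replace':
        try:
            old, new = value.split('::', 1)
        except ValueError:
            raise BadSyntax('bad syntax in replace, needs old::new')
        if old in values:
            values.remove(old)
            values.append(new)
            log = 'replace: updated value'
        else:
            log = 'replace: old value not found, skipping'
    else:
        raise BadSyntax('unknown action %r' % action)
    entry[attr] = values
    return log


def zone_write_aci(attrs):
    """ACI in the form the DNS update file uses, with a caller-chosen targetattr list."""
    return ('(targetattr = "%s")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")'
            '(version 3.0;acl "Update DNS entries in a zone";'
            'allow (write) userattr = "parent[0,1].managedby#GROUPDN";)' % attrs)


def count_acis(entry, acl_name):
    """Number of aci values on the entry that carry the given acl name."""
    return sum(1 for v in entry.get('aci', []) if 'acl "%s"' % acl_name in v)


def demo():
    """Run the three situations and return (ACI count after a one-byte
    mismatch, log of a non-matching replace, ACI count after an exact match)."""
    name = 'Update DNS entries in a zone'
    # Constructed: the server already holds the ACI with a space before the closing quote.
    installed = zone_write_aci('arecord || tlsarecord ')
    entry = {'objectclass': ['top', 'nsContainer'], 'aci': [installed]}

    # 1) addifexist with a value that differs by one byte: a second ACI appears.
    apply_directive(entry, 'addifexist', 'aci', zone_write_aci('arecord || tlsarecord'))
    after_mismatch = count_acis(entry, name)

    # 2) replace whose 'old' part does not match byte-for-byte is a silent no-op.
    log = apply_directive(entry, 'replace', 'aci',
                          zone_write_aci('arecord') + '::' + zone_write_aci('arecord || newrecord'))

    # 3) the exact installed string: addifexist de-duplicates instead of adding.
    fresh = {'objectclass': ['top', 'nsContainer'], 'aci': [installed]}
    apply_directive(fresh, 'addifexist', 'aci', installed)
    after_match = count_acis(fresh, name)
    return after_mismatch, log, after_match


if __name__ == '__main__':
    print(demo())
```

The practical consequence for a reviewer is that an ACI string in an update file is not "close enough" if it differs from the installed value by whitespace: `addifexist` then leaves two near-identical rules on the entry and `replace` leaves the old one in place, and neither failure is reported as an error.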

Re: [Freeipa-devel] [PATCH] 477 Add Modify Realm Domains permission

2014-07-04 Thread Petr Spacek

On 4.7.2014 10:08, Martin Kosek wrote:

On 07/04/2014 10:00 AM, Petr Spacek wrote:

On 4.7.2014 09:34, Martin Kosek wrote:

The permission is required for DNS Administrators as the realm domains
object is updated when a master zone is added.

https://fedorahosted.org/freeipa/ticket/4423


I can't resist ;-)

NACK: Build failed.

--- existing ACI.txt
+++ new result
@@ -154,6 +154,8 @@
  aci: (targetattr = "krbmaxpwdlife || krbminpwdlife ||
krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration ||
krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength")(targetfilter =
"(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Modify Group
Password Policy";allow (write) groupdn = "ldap:///cn=System: Modify Group
Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
  dn: cn=System: Read Group Password
Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
  aci: (targetattr = "cn || cospriority || krbmaxpwdlife || krbminpwdlife ||
krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration ||
krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength ||
objectclass")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl
"permission:System: Read Group Password Policy";allow (compare,read,search)
groupdn = "ldap:///cn=System: Read Group Password
Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Modify Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "associateddomain")(targetfilter =
"(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: Modify
Realm Domains";allow (write) groupdn = "ldap:///cn=System: Modify Realm
Domains,cn=permissions,cn=pbac,dc=ipa,dc=example";)
  dn: cn=System: Read Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example
  aci: (targetattr = "associateddomain || cn || objectclass")(targetfilter =
"(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: Read
Realm Domains";allow (compare,read,search) userdn = "ldap:///all";;)
  dn: cn=System: Add Roles,cn=permissions,cn=pbac,dc=ipa,dc=example

Managed permission ACI validation failed.
Re-check permission changes and run `makeaci`.
ACI.txt validation failed


Oh, well - here is an updated patch.


ACK from functional perspective. I'm not able to reproduce the problem with 
the patch applied. I have tested clean installation and also upgrade from 3.3.5.


It can be pushed if there is no problem on Python side of things.

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0095] Fix dns_realmdomains_integration test

2014-07-04 Thread Martin Kosek
On 07/04/2014 10:18 AM, Martin Basti wrote:
> Patch attached

Yup, this fixed the test.

ACK. Pushed to master: 52bcf5345c9a920db513ed3fc8c2dc029661ecf2

Martin



[Freeipa-devel] [PATCH 0095] Fix dns_realmdomains_integration test

2014-07-04 Thread Martin Basti
Patch attached
-- 
Martin^2 Basti
From d9f921c2d2e47cc10af419a1e1041d15640faeac Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Fri, 4 Jul 2014 10:14:36 +0200
Subject: [PATCH] Fix tests dns_realmdomains_integration

Added warning message about forwarders
---
 ipatests/test_xmlrpc/test_dns_realmdomains_integration.py | 9 +
 1 file changed, 9 insertions(+)

diff --git a/ipatests/test_xmlrpc/test_dns_realmdomains_integration.py b/ipatests/test_xmlrpc/test_dns_realmdomains_integration.py
index f5300bc35e2d9180a4e1f4f8ee9a88476f3c2ccb..80a4e841e43ca80f840d551f94f76e56a61ab192 100644
--- a/ipatests/test_xmlrpc/test_dns_realmdomains_integration.py
+++ b/ipatests/test_xmlrpc/test_dns_realmdomains_integration.py
@@ -141,6 +141,15 @@ class test_dns_realmdomains_integration(Declarative):
 expected={
 'value': DNSName(dnszone_2_absolute),
 'summary': None,
+'messages': ({
+u'message': u'DNS forwarder semantics changed since '
+u'IPA 4.0.\nYou may want to use forward zones '
+u'(dnsforwardzone-*) instead.\nFor more details read '
+u'the docs.',
+u'code': 13002,
+u'type': u'warning',
+u'name': u'ForwardersWarning'
+},),
 'result': {
 'dn': dnszone_2_dn,
 'idnsname': [DNSName(dnszone_2_absolute)],
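Review bot: the expected `messages` entry hard-codes the ForwardersWarning text and code 13002, so any later edit to the wording fails this test for a non-functional reason; consider building the expected dict from the warning class's own serialised form so the test only pins that the warning is emitted for this zone. The embedded newlines in the multi-line string literal are also easy to get wrong by one character, which argues for keeping the text in one place.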
-- 
1.8.3.1


Re: [Freeipa-devel] [PATCH] 477 Add Modify Realm Domains permission

2014-07-04 Thread Martin Kosek
On 07/04/2014 10:00 AM, Petr Spacek wrote:
> On 4.7.2014 09:34, Martin Kosek wrote:
>> The permission is required for DNS Administrators as the realm domains
>> object is updated when a master zone is added.
>>
>> https://fedorahosted.org/freeipa/ticket/4423
> 
> I can't resist ;-)
> 
> NACK: Build failed.
> 
> --- existing ACI.txt
> +++ new result
> @@ -154,6 +154,8 @@
>  aci: (targetattr = "krbmaxpwdlife || krbminpwdlife ||
> krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration ||
> krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength")(targetfilter =
> "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Modify Group
> Password Policy";allow (write) groupdn = "ldap:///cn=System: Modify Group
> Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
>  dn: cn=System: Read Group Password
> Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
>  aci: (targetattr = "cn || cospriority || krbmaxpwdlife || krbminpwdlife ||
> krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration ||
> krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength ||
> objectclass")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl
> "permission:System: Read Group Password Policy";allow (compare,read,search)
> groupdn = "ldap:///cn=System: Read Group Password
> Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
> +dn: cn=System: Modify Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example
> +aci: (targetattr = "associateddomain")(targetfilter =
> "(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: 
> Modify
> Realm Domains";allow (write) groupdn = "ldap:///cn=System: Modify Realm
> Domains,cn=permissions,cn=pbac,dc=ipa,dc=example";)
>  dn: cn=System: Read Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example
>  aci: (targetattr = "associateddomain || cn || objectclass")(targetfilter =
> "(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: Read
> Realm Domains";allow (compare,read,search) userdn = "ldap:///all";;)
>  dn: cn=System: Add Roles,cn=permissions,cn=pbac,dc=ipa,dc=example
> 
> Managed permission ACI validation failed.
> Re-check permission changes and run `makeaci`.
> ACI.txt validation failed

Oh, well - here is an updated patch.

Martin
From 93ac182eeadd4b933f85d44bc2a75855aeb0e8de Mon Sep 17 00:00:00 2001
From: Martin Kosek 
Date: Fri, 4 Jul 2014 09:32:08 +0200
Subject: [PATCH] Add Modify Realm Domains permission

The permission is required for DNS Administrators as the realm domains
object is updated when a master zone is added.

https://fedorahosted.org/freeipa/ticket/4423
---
 ACI.txt| 2 ++
 ipalib/plugins/realmdomains.py | 8 
 2 files changed, 10 insertions(+)

diff --git a/ACI.txt b/ACI.txt
index 8e73c5c8541154e73c201994de828aa43c3777b1..bc82d644e6a3ca2fd24437b4b1bfa4534e955de5 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -154,6 +154,8 @@ dn: cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=exa
 aci: (targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "cn || cospriority || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || objectclass")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Read Group Password Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Modify Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "associateddomain")(targetfilter = "(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: Modify Realm Domains";allow (write) groupdn = "ldap:///cn=System: Modify Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Read Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "associateddomain || cn || objectclass")(targetfilter = "(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: Read Realm Domains";allow (compare,read,search) userdn = "ldap:///all";;)
 dn: cn=System: Add Roles,cn=permissions,cn=pbac,dc=ipa,dc=example
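Review bot: this ACI grants the new permission write on associateddomain, that is on which DNS domains are treated as belonging to the realm; together with the plugin hunk that routes the permission to the DNS Administrators privilege, this widens what a DNS admin can change and deserves an explicit sentence in the commit message beyond "required for DNS Administrators". The generated line itself looks right: it follows the same targetattr/targetfilter/groupdn form as the neighbouring managed permissions.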
diff --git a/ipalib/plugins/realmdomains.py b/ipalib/plugins/realmdomains.py
index 08d3a6a7857766e1c1d6fc4225b5d3a605c9f869..c53340591bd0f0f02fcc9db3142b74197aff551b 100644
--- a/ipalib/plugins/realmdomains.py
+++ b/ipalib/plugins/realmdomains.py
@@ -79,6 +79,14 @@ class realmdomains(LDAPObject):
 'objectclass', 'cn',

Re: [Freeipa-devel] [PATCH] 477 Add Modify Realm Domains permission

2014-07-04 Thread Petr Spacek

On 4.7.2014 09:34, Martin Kosek wrote:

The permission is required for DNS Administrators as the realm domains
object is updated when a master zone is added.

https://fedorahosted.org/freeipa/ticket/4423


I can't resist ;-)

NACK: Build failed.

--- existing ACI.txt
+++ new result
@@ -154,6 +154,8 @@
 aci: (targetattr = "krbmaxpwdlife || krbminpwdlife || 
krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || 
krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength")(targetfilter = 
"(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Modify Group 
Password Policy";allow (write) groupdn = "ldap:///cn=System: Modify Group 
Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Read Group Password 
Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "cn || cospriority || krbmaxpwdlife || krbminpwdlife || 
krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || 
krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || 
objectclass")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl 
"permission:System: Read Group Password Policy";allow (compare,read,search) 
groupdn = "ldap:///cn=System: Read Group Password 
Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)

+dn: cn=System: Modify Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "associateddomain")(targetfilter = 
"(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: 
Modify Realm Domains";allow (write) groupdn = "ldap:///cn=System: Modify Realm 
Domains,cn=permissions,cn=pbac,dc=ipa,dc=example";)

 dn: cn=System: Read Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "associateddomain || cn || objectclass")(targetfilter = 
"(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: Read 
Realm Domains";allow (compare,read,search) userdn = "ldap:///all";;)

 dn: cn=System: Add Roles,cn=permissions,cn=pbac,dc=ipa,dc=example

Managed permission ACI validation failed.
Re-check permission changes and run `makeaci`.
ACI.txt validation failed

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0087] Fix: missing records in 40-dns.update

2014-07-04 Thread Martin Basti
Updated patch attached
From b17b048598b09d08c4a5a65adfeeb3ae74a0c50b Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 1 Jul 2014 17:25:43 +0200
Subject: [PATCH] Fix: Missing ACI for records in 40-dns.update

---
 install/updates/40-dns.update | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/install/updates/40-dns.update b/install/updates/40-dns.update
index 796a293692f790666bafaca865d010b7f6899e6f..d73f055810a3cdbf715ef63b027f978a720962c3 100644
--- a/install/updates/40-dns.update
+++ b/install/updates/40-dns.update
@@ -4,13 +4,13 @@ dn: cn=dns, $SUFFIX
 addifexist: objectClass: idnsConfigObject
 addifexist: aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Add DNS entries in a zone";allow (add) userattr = "parent[1].managedby#GROUPDN";)'
 addifexist: aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";)'
-addifexist: aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || record || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)'
+addifexist: aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || record || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders || dlvrecord || idnssecinlinesigning || nsec3paramrecord || tlsarecord")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)'
 
 # replace DNS tree deny rule with managedBy enhanced allow rule
 dn: cn=dns, $SUFFIX
 replace:aci:'(targetattr = "*")(version 3.0; acl "No access to DNS tree without a permission"; deny (read,search,compare) (groupdn != "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) and (groupdn != "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX");)::(targetattr = "*")(version 3.0; acl "Read DNS entries from a zone"; allow (read,search,compare) userattr = "parent[0,1].managedby#GROUPDN";)'
 replace:aci:'(targetattr = "*")(version 3.0; acl "Allow read access"; allow (read,search,compare) groupdn = "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX" or userattr = "parent[0,1].managedby#GROUPDN";)::(targetattr = "*")(version 3.0; acl "Read DNS entries from a zone"; allow (read,search,compare) userattr = "parent[0,1].managedby#GROUPDN";)'
-replace:aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || record || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)::(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || record || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnsso
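Review bot: the `+` value ends `tlsarecord")` with no space before the closing quote, and addifexist/replace only recognise the installed value when it matches byte-for-byte, so if the ACI installed by the other code paths ends `tlsarecord ")` this adds a second, near-duplicate ACI instead of updating the existing one. The same ACI also needs to go into dns.ldif, since that file creates cn=dns on new installs and is loaded after the update files.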

[Freeipa-devel] [PATCH] 477 Add Modify Realm Domains permission

2014-07-04 Thread Martin Kosek
The permission is required for DNS Administrators as the realm domains
object is updated when a master zone is added.

https://fedorahosted.org/freeipa/ticket/4423

-- 
Martin Kosek 
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.
From 87278e622bb5d80fcb5a406f30873726b13ab73c Mon Sep 17 00:00:00 2001
From: Martin Kosek 
Date: Fri, 4 Jul 2014 09:32:08 +0200
Subject: [PATCH] Add Modify Realm Domains permission

The permission is required for DNS Administrators as the realm domains
object is updated when a master zone is added.

https://fedorahosted.org/freeipa/ticket/4423
---
 ipalib/plugins/realmdomains.py | 8 
 1 file changed, 8 insertions(+)

diff --git a/ipalib/plugins/realmdomains.py b/ipalib/plugins/realmdomains.py
index 08d3a6a7857766e1c1d6fc4225b5d3a605c9f869..c53340591bd0f0f02fcc9db3142b74197aff551b 100644
--- a/ipalib/plugins/realmdomains.py
+++ b/ipalib/plugins/realmdomains.py
@@ -79,6 +79,14 @@ class realmdomains(LDAPObject):
 'objectclass', 'cn', 'associateddomain',
 },
 },
+'System: Modify Realm Domains': {
+'ipapermbindruletype': 'permission',
+'ipapermright': {'write'},
+'ipapermdefaultattr': {
+'associatedDomain',
+},
+'default_privileges': {'DNS Administrators'},
+},
 }
 
 label = _('Realm Domains')
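Review bot: a managed permission added here is not complete without the regenerated ACI.txt entry in the same commit; as posted, `makeaci` validation fails the build (the NACK in this thread shows the exact diff). Also `'associatedDomain'` is written in mixed case while the generated ACI uses `associateddomain` and the read permission just above uses the lowercase form; use the lowercase spelling for consistency rather than relying on makeaci to normalise it.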
-- 
1.9.3

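The build failure in this thread comes from FreeIPA keeping the effective ACIs of all managed permissions in a checked-in ACI.txt and refusing a build where the plugin definitions and that file disagree. The following is an added example, not FreeIPA's own `makeaci`: it renders a managed-permission dict of the shape used in the realmdomains hunk into the ACI string ACI.txt carries, checks an ACI.txt text against the definitions, and regenerates it. The rendering rules (attribute names lower-cased and sorted, rights sorted, the targetfilter objectclass passed in from the owning plugin, bind rule type 'permission' mapped to a groupdn under cn=permissions,cn=pbac) are my assumptions from the generated output visible in the thread; the pre-patch ACI.txt is a constructed stand-in that carries only the read permission copied from the thread.

```python
"""Added example, not FreeIPA's own makeaci: render a managed-permission
definition of the shape used in the realmdomains plugin hunk into the ACI
string that ACI.txt carries, and check an existing ACI.txt against the
plugin definitions so the mismatch behind the NACK can be reproduced.

Assumptions (mine): attribute names are emitted lower-cased and sorted,
rights are sorted, the objectclass in targetfilter comes from the owning
plugin (passed in here as a parameter), and only bind rule type
'permission' (groupdn under cn=permissions,cn=pbac) is modelled.
"""

SUFFIX = 'dc=ipa,dc=example'   # the suffix the thread's ACI.txt uses


def render_aci(name, perm, objectclass, suffix=SUFFIX):
    """Return (dn, aci) for one managed permission definition."""
    if perm['ipapermbindruletype'] != 'permission':
        raise ValueError('only bind rule type "permission" is modelled here')
    attrs = ' || '.join(sorted(a.lower() for a in perm['ipapermdefaultattr']))
    rights = ','.join(sorted(perm['ipapermright']))
    dn = 'cn=%s,cn=permissions,cn=pbac,%s' % (name, suffix)
    aci = ('(targetattr = "%s")(targetfilter = "(objectclass=%s)")'
           '(version 3.0;acl "permission:%s";allow (%s) groupdn = "ldap:///%s";)'
           % (attrs, objectclass.lower(), name, rights, dn))
    return dn, aci


def parse_aci_txt(text):
    """Map dn -> aci from ACI.txt-style text ('dn: ' line followed by 'aci: ' line)."""
    entries, dn = {}, None
    for line in text.splitlines():
        if line.startswith('dn: '):
            dn = line[4:]
        elif line.startswith('aci: ') and dn is not None:
            entries[dn] = line[5:]
    return entries


def validate(aci_txt, permissions):
    """List (dn, reason) for every plugin permission whose rendered ACI is
    absent from or different to the checked-in ACI.txt; an empty list is
    what lets the build pass."""
    existing = parse_aci_txt(aci_txt)
    problems = []
    for name, perm, objectclass in permissions:
        dn, aci = render_aci(name, perm, objectclass)
        if dn not in existing:
            problems.append((dn, 'missing from ACI.txt'))
        elif existing[dn] != aci:
            problems.append((dn, 'ACI differs from plugin definition'))
    return problems


def regenerate(aci_txt, permissions):
    """What running makeaci would do: rewrite ACI.txt with the rendered ACIs."""
    entries = parse_aci_txt(aci_txt)
    for name, perm, objectclass in permissions:
        dn, aci = render_aci(name, perm, objectclass)
        entries[dn] = aci
    return ''.join('dn: %s\naci: %s\n' % item for item in entries.items())


# The definition from the patch; 'domainRelatedObject' is the object class
# the generated targetfilter in the thread names.
MODIFY_REALM_DOMAINS = {
    'ipapermbindruletype': 'permission',
    'ipapermright': {'write'},
    'ipapermdefaultattr': {'associatedDomain'},
}
PERMISSIONS = [('System: Modify Realm Domains', MODIFY_REALM_DOMAINS, 'domainRelatedObject')]

# Constructed stand-in for the checked-in ACI.txt before the patch: it only
# carries the read permission (copied from the thread), so validation must
# flag the new one.
OLD_ACI_TXT = (
    'dn: cn=System: Read Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example\n'
    'aci: (targetattr = "associateddomain || cn || objectclass")'
    '(targetfilter = "(objectclass=domainrelatedobject)")'
    '(version 3.0;acl "permission:System: Read Realm Domains";'
    'allow (compare,read,search) userdn = "ldap:///all";;)\n'
)

if __name__ == '__main__':
    for dn, reason in validate(OLD_ACI_TXT, PERMISSIONS):
        print('%s: %s' % (dn, reason))
    print(regenerate(OLD_ACI_TXT, PERMISSIONS))
```

The reason this check is worth a failed build is reviewability: a one-line change to a plugin dict can widen a privilege, and the regenerated ACI.txt line is the concrete access rule a reviewer can read in the diff, as the NACK in this thread shows.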

Re: [Freeipa-devel] [PATCH 0094] Non IDNA zone name should be normalized to lowercase

2014-07-04 Thread Martin Kosek
On 07/03/2014 09:41 PM, Petr Spacek wrote:
> On 3.7.2014 19:04, Martin Basti wrote:
>> On Thu, 2014-07-03 at 19:03 +0200, Martin Basti wrote:
>>> Regression caused by removing validation in DNSName for regular domain
>>> names
>>> In original code before IDNA, zones were normalized
>>> Patch attached
>>
>> Subject changed to patch 0094
>> sorry, I attach patch again.
> 
> ACK from functional perspective. Command "ipa dnszone TEST" adds DNS zone 
> "test.".
> 
> It can be pushed if there is no problem on Python side of things.

Looks good to me.

Pushed to master: 29951ada9fd7dd8e0887f0832c6b58f266960b72

Martin



Re: [Freeipa-devel] [PATCH] test_ipaserver: Add OTP token test data to ipatests package

2014-07-04 Thread Martin Kosek
On 07/02/2014 06:20 PM, Petr Viktorin wrote:
> Hello,
> 
> Some data is not put in the ipatests package. This prevents OTP token import
> tests from passing when run out of tree.
> 
> Fix included.

Thanks, the package now contains the test data.

ACK. Pushed to master: 6f2451ce9e68e2425c665f5dc11d0800ae83a0b2

Martin
