[Freeipa-devel] [PATCH 0242] Set the default attributes for RootDSE
Hi, With 389 DS 1.3.3 upwards we can leverage the nsslapd-return-default-opattr attribute to enumerate the list of attributes that should be returned even if not specified explicitly. Use the behaviour to get the same attributes returned from searches on rootDSE as in 1.3.1. https://fedorahosted.org/freeipa/ticket/4288 -- Tomas Babej Associate Software Engineer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org From c13810e99970ee38f7d22c087781b0c5d5f270a2 Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Wed, 2 Jul 2014 02:55:01 +0200 Subject: [PATCH] Set the default attributes for RootDSE With 389 DS 1.3.3 upwards we can leverage the nsslapd-return-default-opattr attribute to enumerate the list of attributes that should be returned even if not specified explicitly. Use the behaviour to get the same attributes returned from searches on rootDSE as in 1.3.1. https://fedorahosted.org/freeipa/ticket/4288 --- install/updates/10-rootdse.update | 9 + install/updates/Makefile.am | 1 + 2 files changed, 10 insertions(+) create mode 100644 install/updates/10-rootdse.update diff --git a/install/updates/10-rootdse.update b/install/updates/10-rootdse.update new file mode 100644 index ..f44992a5d9cc0ad58eaed485f9793e1b07f06b6a --- /dev/null +++ b/install/updates/10-rootdse.update @@ -0,0 +1,9 @@ +# Set the default attributes to be returned by RootDSE +dn: +add:nsslapd-return-default-opattr:namingContexts +add:nsslapd-return-default-opattr:supportedControl +add:nsslapd-return-default-opattr:supportedExtension +add:nsslapd-return-default-opattr:supportedLDAPVersion +add:nsslapd-return-default-opattr:supportedSASLMechanisms +add:nsslapd-return-default-opattr:vendorName +add:nsslapd-return-default-opattr:vendorVersion diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index a6d24b94f040293ab76866f9651079d08d4ac297..c951e2edd002bc4e525d649b1bad7d294690f597 100644 --- a/install/updates/Makefile.am 
+++ b/install/updates/Makefile.am @@ -5,6 +5,7 @@ app_DATA =\ 10-config.update \ 10-enable-betxn.update \ 10-selinuxusermap.update \ + 10-rootdse.update \ 10-uniqueness.update \ 10-schema_compat.update \ 19-managed-entries.update \ -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
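Review bot: In install/updates/10-rootdse.update the seven add:nsslapd-return-default-opattr lines are applied unconditionally, while the commit message says the attribute is only usable with 389 DS 1.3.3 upwards. Please state the minimum 389 DS version in the file's leading comment and say what the update does against an older server, or raise the packaged 389 DS requirement in the same change. A short comment that the empty "dn:" line addresses the rootDSE would also help the next reader. Note that vendorName and vendorVersion go back to being returned on a default rootDSE read, which in most deployments needs no bind, so the server version is visible to any client that can reach the port; that is the 1.3.1 behaviour being restored, but the commit message should say it is intentional.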
Re: [Freeipa-devel] [PATCH 0240] ipatests: tasks: Fix dns configuration for trusts
On 14.7.2014 11:31, Tomas Babej wrote:
> Hi,
>
> Properly configure forwarders to the AD zone with respect to newly
> created ipa dnsforwardzone commands.
>
> https://fedorahosted.org/freeipa/ticket/4401

Looks reasonable and tests are passing - ACK.

--
Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0240] ipatests: tasks: Fix dns configuration for trusts
On 07/15/2014 09:36 AM, Petr Spacek wrote:
> On 14.7.2014 11:31, Tomas Babej wrote:
>> Hi,
>>
>> Properly configure forwarders to the AD zone with respect to newly
>> created ipa dnsforwardzone commands.
>>
>> https://fedorahosted.org/freeipa/ticket/4401
>
> Looks reasonable and tests are passing - ACK.

Pushed to master, ipa-4-1, ipa-4-0: 4254423f8315ac88b0400b261e3b0e4acf015db6

--
Petr³
Re: [Freeipa-devel] [PATCH 0241] trusts: Make cn=adtrust agents sysaccount nestedgroup
On 07/14/2014 05:00 PM, Jan Cholasta wrote: Hi, On 14.7.2014 11:50, Tomas Babej wrote: Hi, Since recent permissions work references this entry, we need to be able to have memberOf attributes created on this entry. Hence we need to include the nestedgroup objectclass. https://fedorahosted.org/freeipa/ticket/4433 NACK, default will not work for IPA upgrades, you have to use add. Oops, thanks for the catch, fixed. -- Tomas Babej Associate Software Engineer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org From 17e92ccb08edeac2e36748e11a705ec2233ef1c3 Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Thu, 10 Jul 2014 17:26:25 +0200 Subject: [PATCH] trusts: Make cn=adtrust agents sysaccount nestedgroup Since recent permissions work references this entry, we need to be able to have memberOf attributes created on this entry. Hence we need to include the nestedgroup objectclass. https://fedorahosted.org/freeipa/ticket/4433 --- install/updates/60-trusts.update | 1 + 1 file changed, 1 insertion(+) diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update index d55bc94bbe917571999bcc7dfb6e6aaf641c4b49..9dabc806e2f747c47ab809cd2ed2150b2a13c2a6 100644 --- a/install/updates/60-trusts.update +++ b/install/updates/60-trusts.update @@ -11,6 +11,7 @@ default: nsAccountLock: FALSE default: ipaUniqueID: autogenerate dn: cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX +add: objectClass: nestedgroup default: objectClass: GroupOfNames default: objectClass: top default: cn: adtrust agents -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
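Review bot: In the 60-trusts.update hunk the new "add: objectClass: nestedgroup" line sits ahead of the "default:" lines that create cn=adtrust agents, so on a fresh install the add is listed before the entry's defaults. Please confirm that a new installation still ends up with nestedgroup on the entry, or move the add line below the default block so the file reads create-then-modify. The commit message could also record why add is used here instead of default (the upgrade case raised in review), since the hunk alone does not show it.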
Re: [Freeipa-devel] RPM's of different ipa versions
On 07/15/2014 07:29 AM, Curtis L. Knight wrote:
> John Dennis jdennis@... writes:
>> On 07/14/2014 04:19 AM, Petr Spacek wrote:
>>> On 11.7.2014 08:40, James wrote:
>>>> This page seems to suggest that there are continuous builds available:
>>>> http://www.freeipa.org/page/Downloads#Bleeding_Edge
>>>>
>>>> It seems this hasn't been updated since 2013, except the .repo files
>>>> have recently? Does this still exist? Are there archives for each
>>>> point release somewhere?
>>>>
>>>> In particular, I'm interested in knowing if there are repos with rpm's
>>>> for each version/os. (=v.3.0.0 and Fedora/CentOS6+/RHEL6+)
>>>
>>> John, could you comment on this?
>>
>> The bleeding edge repo mentioned on that page is what we call the devel
>> repo.
>>
>> Is the devel repo still being updated? Yes. However being an automated
>> process sometimes snafu's occur that we may not catch right away. For
>> instance I see the last update was on 7/2. It looks like builds are
>> failing for some reason. I don't do the builds, Nalin does, I'll ping
>> Nalin and see what the problem is.
>>
>> Are there archives? No! These builds are *not* official, they are
>> intended for developers *only*, they are *ephemeral*. On any given day
>> the builds might be updated multiple times. The repo only has the
>> *latest* devel builds. Once an automated build completes we purge any
>> previous builds from the repo.
>>
>> Is there a build for every version/os? Probably not. Once again, these
>> builds are for developers only, we only build what serves our developers
>> at the moment. The list of what we build changes. Typically we build a
>> current Fedora releases and current RHEL releases. The packages versions
>> *only* the newest based on the source tree (see above).
>
> I have been using docker to build rpms for different platforms. It failed
> on not having a yubico module for the master branch. This worked on master
> before but 3.3.5 does not build either. I have enclosed my dockerfile such
> that you can change it and pick up whatever base system and modify which
> git branch you would like.
>
> You should be able to get at the generated rpms through the freeipa
> volume, at least that was my thought the last time I messed with this
> during version .10 of docker. Anyway, let me know if this gets you
> somewhere.

Hi,

For building master you generally want to enable Fedora's updates-testing repository. Sometimes there are other repos/packages needed as well but we try to keep them to a minimum. When someone brings in a dependency outside updates/updates-testing, they should announce it on the list; if that doesn't happen, feel free to shout at them.

--
Petr³
Re: [Freeipa-devel] [PATCH 0241] trusts: Make cn=adtrust agents sysaccount nestedgroup
On 15.7.2014 09:57, Tomas Babej wrote:
> On 07/14/2014 05:00 PM, Jan Cholasta wrote:
>> Hi,
>>
>> On 14.7.2014 11:50, Tomas Babej wrote:
>>> Hi,
>>>
>>> Since recent permissions work references this entry, we need to be
>>> able to have memberOf attributes created on this entry. Hence we
>>> need to include the nestedgroup objectclass.
>>>
>>> https://fedorahosted.org/freeipa/ticket/4433
>>
>> NACK, default will not work for IPA upgrades, you have to use add.
>
> Oops, thanks for the catch, fixed.

ACK.

--
Jan Cholasta
Re: [Freeipa-devel] Password Vault Implementation
On 7/15/2014 9:27 AM, Simo Sorce wrote:
> I am curious about this:
>
> Currently there is no NSS backend for Python Cryptography.
>
> Yet we use python-nss in some projects already, so what is missing
> there?
>
> Simo.

Does the IPA client currently require python-nss? There's a concern of using python-nss directly on the client as it would create/reinforce the NSS dependency.

This wouldn't really matter if IPA client is already depending on python-nss for other things, but I think it would be better if we can use the more abstract interface provided by the Cryptography library.

--
Endi S. Dewata
Re: [Freeipa-devel] Password Vault Implementation
Endi Sukma Dewata wrote:
> On 7/15/2014 9:27 AM, Simo Sorce wrote:
>> I am curious about this:
>>
>> Currently there is no NSS backend for Python Cryptography.
>>
>> Yet we use python-nss in some projects already, so what is missing
>> there?
>>
>> Simo.
>
> Does the IPA client currently require python-nss? There's a concern of
> using python-nss directly on the client as it would create/reinforce the
> NSS dependency.

The python subpackage has the requirement and the client subpackage requires python, so yes.

> This wouldn't really matter if IPA client is already depending on
> python-nss for other things, but I think it would be better if we can use
> the more abstract interface provided by the Cryptography library.

I don't believe we do any direct crypto beyond generating CSRs and doing SSL/TLS, so it may be overkill for our current purposes, but I believe this library was created after IPA.

rob
[Freeipa-devel] [Transifex] An issue has been created on ipa: FreeIPA by yurchor
Hi freeipa,

An issue has been created on one of your strings by yurchor.

Typos: sematics -> semantics; bellow -> below

String:
Semantics of forwarding in IPA matches BIND sematics and depends on type of the zone:
* Master zone: local BIND replies authoritatively to queries for data in the given zone (including authoritative NXDOMAIN answers) and forwarding affects only queries for names bellow zone cuts (NS records) of locally served zones.
* Forward zone: forward zone contains no authoritative data. BIND forwards queries, which cannot be answered from its local cache, to configured forwarders.

Language: Ukrainian[1]
Resource: ipa[2]
Project: FreeIPA[3]

View it on Transifex at https://www.transifex.com/projects/p/freeipa/translate/#uk/ipa/c/27511316

[1]: https://www.transifex.com/projects/p/freeipa/language/uk/
[2]: https://www.transifex.com/projects/p/freeipa/resource/ipa/
[3]: https://www.transifex.com/projects/p/freeipa/

--
The Transifex Robot
https://www.transifex.com/settings/notices/
[Freeipa-devel] [PATCH] Enable debug pid in smb.conf
Hello, Adds debug pid = yes to smb.conf when ipa-adtrust-install command is run. https://fedorahosted.org/freeipa/ticket/3485 Thanks, Gabe From 646640eff93334fe08e3aa7531293b4a4eb0d914 Mon Sep 17 00:00:00 2001 From: Gabe redhatri...@gmail.com Date: Mon, 14 Jul 2014 16:18:00 -0600 Subject: [PATCH] Enable debug pid in smb.conf https://fedorahosted.org/freeipa/ticket/3485 --- ipaserver/install/adtrustinstance.py | 1 + 1 file changed, 1 insertion(+) diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index 362965e96914996b64d895e069bc49fb5a09d267..7cfc5e886eaea23ac1527bddc5a15bea5edf9d8c 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -408,6 +408,7 @@ class ADTRUSTInstance(service.Service): conf_fd = open(self.smb_conf, w) conf_fd.write('### Added by IPA Installer ###\n') conf_fd.write('[global]\n') +conf_fd.write('debug pid = yes\n') conf_fd.write('config backend = registry\n') conf_fd.close() -- 2.0.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
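Review bot: The added conf_fd.write('debug pid = yes\n') lands in [global] directly before 'config backend = registry', and smb.conf(5) documents that configuration read before that option is dropped once Samba switches to the registry backend. Please verify on an installed system (for example with testparm) that debug pid is actually in effect after ipa-adtrust-install, and if it is not, set it in the registry configuration instead. The commit message carries only the ticket URL; one sentence on why PIDs are wanted in the Samba logs would help.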
[Freeipa-devel] [PATCH] ipa trust-add command should be interactive
Hello, Adds AD admin and password to interactive commands. https://fedorahosted.org/freeipa/ticket/3034 Thanks, Gabe From ddea4f0a8915a10aa8d9ac5dd2b78e2032ee335f Mon Sep 17 00:00:00 2001 From: Gabe redhatri...@gmail.com Date: Tue, 15 Jul 2014 20:34:12 -0600 Subject: [PATCH] ipa trust-add command should be interactive - Make ipa trust-add command interactive for realm_admin and realm_passwd - Fix 'Active directory' typo to 'Active Directory' https://fedorahosted.org/freeipa/ticket/3034 --- API.txt | 4 ++-- ipalib/plugins/trust.py | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/API.txt b/API.txt index 69ca2277e68261b8af48bea04997b59e059337de..23b186ff5b925c344455ee350d6ee83604989785 100644 --- a/API.txt +++ b/API.txt @@ -3728,8 +3728,8 @@ option: Int('base_id?', cli_name='base_id') option: Int('range_size?', cli_name='range_size') option: StrEnum('range_type?', cli_name='range_type', values=(u'ipa-ad-trust-posix', u'ipa-ad-trust')) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') -option: Str('realm_admin?', cli_name='admin') -option: Password('realm_passwd?', cli_name='password', confirm=False) +option: Str('realm_admin', cli_name='admin') +option: Password('realm_passwd', cli_name='password', confirm=False) option: Str('realm_server?', cli_name='server') option: Str('setattr*', cli_name='setattr', exclude='webui') option: Password('trust_secret?', cli_name='trust_secret', confirm=False) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 99acfb8f8ce1532e4406087af3f9c158fc313159..bc9f31fa1002ab6664d8efba44f9ecb77e8a3825 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py 
@@ -429,13 +429,13 @@ sides. takes_options = LDAPCreate.takes_options + ( _trust_type_option, -Str('realm_admin?', +Str('realm_admin', cli_name='admin', label=_(Active Directory domain administrator), ), -Password('realm_passwd?', +Password('realm_passwd', cli_name='password', -label=_(Active directory domain administrator's password), +label=_(Active Directory domain administrator's password), confirm=False, ), Str('realm_server?', -- 2.0.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
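Review bot: Dropping the '?' from 'realm_admin' and 'realm_passwd' in trust.py (mirrored in API.txt) makes both options required, not merely prompted for, while 'trust_secret?' stays optional in the same option list. A caller that establishes the trust with a shared secret would now also have to supply AD administrator credentials; if the goal is only interactive prompting, keep the options optional and prompt when neither the admin credentials nor trust_secret were given. Since API.txt changes, also check whether the API version needs a bump; the two-file diffstat does not include one.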
[Freeipa-devel] [PATCH] Fix typos in dns.py
Hello, Fixes https://fedorahosted.org/freeipa/ticket/4429 Thanks, Gabe From 032d8e8d406ed9adb4c7e0bc948679f51cfedc09 Mon Sep 17 00:00:00 2001 From: Gabe redhatri...@gmail.com Date: Tue, 15 Jul 2014 20:54:57 -0600 Subject: [PATCH] Fix typos in dns.py https://fedorahosted.org/freeipa/ticket/4429 --- ipalib/plugins/dns.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index 4c3497f6c74defbde3aa810f9d42b9c19ad870fc..fdcccb0b74a2b044a1ad917d22d2fe9696d7584c 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py @@ -209,11 +209,11 @@ EXAMPLES: authoritative (e.g. sub.example.com) will be routed to the global forwarder. Global forwarding configuration can be overridden per-zone. ) + _( - Semantics of forwarding in IPA matches BIND sematics and depends on type - of the zone: + Semantics of forwarding in IPA matches BIND semantics and depends on the type + of zone: * Master zone: local BIND replies authoritatively to queries for data in the given zone (including authoritative NXDOMAIN answers) and forwarding - affects only queries for names bellow zone cuts (NS records) of locally + affects only queries for names below zone cuts (NS records) of locally served zones. * Forward zone: forward zone contains no authoritative data. BIND forwards -- 2.0.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
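Review bot: The rewritten sentence in dns.py still reads "Semantics of forwarding in IPA matches BIND semantics and depends on the type", where the plural subject wants "match" and "depend"; since the translatable string is changing anyway, fix the agreement in the same patch so translators see it only once. The subject line says typos only, but the hunk also rewords "type of the zone" to "the type of zone", so mention the rewording in the commit message.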