Re: [Freeipa-devel] [PATCH 0065] Don't allow users to create tokens with a specified ID
Hi,

On 16.9.2014 at 19:32, Nathaniel McCallum wrote:
> We perform this enforcement at the API level since:
> * DS level enforcement would be difficult
> * ipatokenUniqueID generation already happens at the API level
>
> It may be nice in the future to perform enforcement in the DS itself.
> However, the question of the location of enforcement is largely an
> aesthetic issue.
>
> https://fedorahosted.org/freeipa/ticket/4456

That's a rather beefy check. I would prefer something like this (untested):

    group_dn = self.api.Object.group.get_dn(u'admins')
    filter = ldap.make_filter(
        {'krbprincipalname': context.principal, 'memberof': group_dn},
        ldap.MATCH_ALL)
    try:
        ldap.find_entries(
            base_dn=self.api.env.basedn, filter=filter, attrs_list=[''])
    except errors.NotFound:
        raise ValidationError(name='ipatokenuniqueid',
                              error='can only be specified by admins')

Honza

-- 
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0269] ipalib: host_del: Extend LDAPDelete's takes_options instead
On 09/16/2014 02:46 PM, Jan Cholasta wrote:
> On 16.9.2014 at 13:21, Tomas Babej wrote:
>> Hi,
>>
>> The host-del command did not accept --continue option, since the
>> takes_options was overridden and did not take the options from
>> LDAPDelete. Fix the behaviour.
>>
>> https://fedorahosted.org/freeipa/ticket/4473
>
> ACK.

Pushed to:
ipa-4-1: adc4abcbe3bd497b8602fce0ef9b4340ed15f0a7
master: 1f8f762b84e7448cb279b6db5158f93b5f517827

-- 
Petr³
[Freeipa-devel] [PATCHES] 319-321 Build and packaging fixes
Hi, the attached patches fix https://fedorahosted.org/freeipa/ticket/4532, https://fedorahosted.org/freeipa/ticket/4533 and https://fedorahosted.org/freeipa/ticket/4536. Honza -- Jan Cholasta From 3efd3e88cbe2865c2c8114a89f4ae392cb30c20a Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Wed, 17 Sep 2014 10:02:01 +0200 Subject: [PATCH] Allow RPM upgrade from ipa-* packages https://fedorahosted.org/freeipa/ticket/4532 --- freeipa.spec.in | 21 - 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 1138299..14b954d 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -1,6 +1,7 @@ # Define ONLY_CLIENT to only make the ipa-client and ipa-python subpackages %{!?ONLY_CLIENT:%global ONLY_CLIENT 0} +%global alt_name ipa %global plugin_dir %{_libdir}/dirsrv/plugins %global POLICYCOREUTILSVER 2.1.12-5 %global gettext_domain ipa @@ -128,6 +129,9 @@ Requires(pre): 389-ds-base = 1.3.3.2 Requires: fontawesome-fonts Requires: open-sans-fonts +Conflicts: %{alt_name}-server +Obsoletes: %{alt_name}-server %{version}-%{release} + # With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the # entire SELinux policy is stored in the system policy Obsoletes: freeipa-server-selinux 3.3.0 @@ -142,8 +146,6 @@ Conflicts: bind 9.8.2-0.4.rc2 # member. Conflicts: nss-pam-ldapd 0.8.4 -Obsoletes: ipa-server = 1.0 - %description server IPA is an integrated solution to provide centrally managed Identity (machine, user, virtual machines, groups, authentication credentials), Policy @@ -172,6 +174,9 @@ Requires(post): python Requires(postun): %{_sbindir}/update-alternatives Requires(preun): %{_sbindir}/update-alternatives +Conflicts: %{alt_name}-server-trust-ad +Obsoletes: %{alt_name}-server-trust-ad %{version}-%{release} + %description server-trust-ad Cross-realm trusts with Active Directory in IPA require working Samba 4 installation. This package is provided for convenience to install all required 
@@ -207,7 +212,8 @@ Requires: nfs-utils Requires: python-backports-ssl_match_hostname Requires(post): policycoreutils -Obsoletes: ipa-client = 1.0 +Conflicts: %{alt_name}-client +Obsoletes: %{alt_name}-client %{version}-%{release} %description client IPA is an integrated solution to provide centrally managed Identity (machine, @@ -226,7 +232,8 @@ Requires: %{name}-client = %{version}-%{release} Requires: python-krbV Requires: python-ldap -Obsoletes: ipa-admintools = 1.0 +Conflicts: %{alt_name}-admintools +Obsoletes: %{alt_name}-admintools %{version}-%{release} %description admintools IPA is an integrated solution to provide centrally managed Identity (machine, @@ -253,7 +260,8 @@ Requires: python-pyasn1 Requires: python-dateutil Requires: python-yubico -Obsoletes: ipa-python = 1.0 +Conflicts: %{alt_name}-python +Obsoletes: %{alt_name}-python %{version}-%{release} %description python IPA is an integrated solution to provide centrally managed Identity (machine, @@ -275,6 +283,9 @@ Requires: python-coverage Requires: python-polib Requires: python-paramiko = 1.7.7 +Conflicts: %{alt_name}-tests +Obsoletes: %{alt_name}-tests %{version}-%{release} + %description tests IPA is an integrated solution to provide centrally managed Identity (machine, user, virtual machines, groups, authentication credentials), Policy -- 1.9.3 From 3139fa03be08b1b3693fd65282785873f1637aa5 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Wed, 17 Sep 2014 11:49:51 +0200 Subject: [PATCH] Include ipaplatform in client-only build https://fedorahosted.org/freeipa/ticket/4533 --- Makefile| 6 ++ freeipa.spec.in | 3 +++ setup.py| 3 --- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index ddb47bf..3bdec71 100644 --- a/Makefile +++ b/Makefile 
@@ -71,6 +71,7 @@ client: client-autogen @for subdir in $(CLIENTDIRS); do \ (cd $$subdir $(MAKE) all) || exit 1; \ done + cd ipaplatform $(PYTHON) setup.py build bootstrap-autogen: version-update client-autogen @echo Building IPA $(IPA_VERSION) @@ -96,8 +97,10 @@ client-install: client client-dirs cd install/po $(MAKE) install || exit 1; if [ $(DESTDIR) = ]; then \ $(PYTHON) setup-client.py install; \ + (cd ipaplatform $(PYTHON) setup.py install); \ else \ $(PYTHON) setup-client.py install --root $(DESTDIR); \ + (cd ipaplatform $(PYTHON) setup.py install --root $(DESTDIR)); \ fi client-dirs: @@ -164,12 +167,15 @@ version-update: release-update server: version-update $(PYTHON) setup.py build + cd ipaplatform $(PYTHON) setup.py build server-install: server if [ $(DESTDIR) = ]; then \ $(PYTHON) setup.py install; \ + (cd ipaplatform $(PYTHON) setup.py install); \ else \ $(PYTHON) setup.py install --root $(DESTDIR); \ + (cd ipaplatform $(PYTHON) setup.py install --root $(DESTDIR)); \ fi tests: version-update tests-man-autogen diff
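Review bot: in the `%description server` hunk of freeipa.spec.in, `Obsoletes: %{alt_name}-server %{version}-%{release}` ties the obsoletion bound to the release number, so a rebuild such as freeipa-server 4.0.0-10 would obsolete ipa-server 4.0.0-1 although both carry the same upstream version; bounding on %{version} alone is sufficient, because the unversioned `Conflicts: %{alt_name}-server` on the line above already prevents the two packages from being installed side by side. The same applies to the server-trust-ad, client, admintools, python and tests hunks, which repeat the pattern.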
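Review bot: the `client-install` and `server-install` hunks of the Makefile each add the same if/else pair of `(cd ipaplatform $(PYTHON) setup.py install)` and `--root $(DESTDIR)` lines, and the `client` and `server` hunks each add the same build line; factoring them into `ipaplatform` and `ipaplatform-install` targets that both paths depend on would keep the two copies from drifting apart. The diffstat also lists freeipa.spec.in (3 +++) and setup.py (3 ---), but the copy here ends at `diff`, so those hunks cannot be reviewed from this message.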
Re: [Freeipa-devel] [PATCH] 0003-2 User life cycle: new stageuser plugin with add verb
On 09/01/2014 01:08 PM, Petr Viktorin wrote:
> On 08/08/2014 03:54 PM, thierry bordaz wrote:
>> Hi,
>>
>> The attached patch is related to 'User Life Cycle'
>> (https://fedorahosted.org/freeipa/ticket/3813)
>>
>> It creates a stageuser plugin with a first function stageuser-add.
>> Stage user entries are provisioned under
>> 'cn=staged users,cn=accounts,cn=provisioning,SUFFIX'.
>>
>> Thanks
>> thierry
>
> Avoid `from ipalib.plugins.baseldap import *` in new code; instead import
> the module itself and use e.g. `baseldap.LDAPObject`.
>
> The stageuser help (docstring) is copied from the user plugin, and
> discusses things like account lockout and disabling users. It should
> rather explain what stageuser itself does. (And I don't very much like
> the Note about the interface being badly designed...)
> Also decide if the docs should call it "staged user" or "stage user" or
> "stageuser".
>
> A lot of the code is copied and pasted over from the users plugin. Don't
> do that. Either import things (e.g. validate_nsaccountlock) from the
> users plugin, or move the reused code into a shared module.
> For the `user` object, since so much is the same, it might be best to
> create a common base class for user and stageuser; and similarly for the
> Command plugins.
>
> The default permissions need different names, and you don't need another
> copy of the 'non_object' ones.
> Also, run the makeaci script.

Hello,

This modified patch is mainly moving the common base class into a new
plugin: accounts.py. The user/stageuser plugins inherit from accounts.
It also creates a better description of what stage users are and how to add
a new stage user, updates ACI.txt and separates active/stage user managed
permissions.

thanks
thierry

From 2f17126270838a4ee33bfccd32a66fd48b6202a0 Mon Sep 17 00:00:00 2001
From: Thierry bordaz (tbordaz) tbor...@redhat.com Date: Fri, 8 Aug 2014 14:14:36 +0200 Subject: [PATCH] User life cycle: stageuser-add verb Add a accounts plugin (accounts class) that defines variables and methods common to 'users' and 'stageuser'. accounts is a superclass of users/stageuser Add the stageuser plugin, with support of stageuser-add verb. Reviewed by: Petr Viktorin https://fedorahosted.org/freeipa/ticket/3813 --- ACI.txt| 90 + API.txt| 49 +++ install/updates/30-provisioning.update | 29 +- ipalib/constants.py| 2 + ipalib/plugins/accounts.py | 627 ipalib/plugins/stageuser.py| 303 ipalib/plugins/user.py | 631 +++-- 7 files changed, 1134 insertions(+), 597 deletions(-) create mode 100644 ipalib/plugins/accounts.py create mode 100644 ipalib/plugins/stageuser.py diff --git a/ACI.txt b/ACI.txt index 1e6bec0ece554fb2457fae0462c0c673a9b24e41..9a552b5fdcf3f2cb965537597de23c7d315312c1 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -254,6 +254,96 @@ dn: cn=users,cn=accounts,dc=ipa,dc=example aci: (targetfilter = (objectclass=posixaccount))(version 3.0;acl permission:System: Remove Users;allow (delete) groupdn = ldap:///cn=System: Remove Users,cn=permissions,cn=pbac,dc=ipa,dc=example;) dn: cn=users,cn=accounts,dc=ipa,dc=example aci: (targetattr = krblastadminunlock || krbloginfailedcount || nsaccountlock)(targetfilter = (objectclass=posixaccount))(version 3.0;acl permission:System: Unlock User;allow (write) groupdn = ldap:///cn=System: Unlock User,cn=permissions,cn=pbac,dc=ipa,dc=example;) +dn: cn=groups,cn=accounts,dc=ipa,dc=example +aci: (targetattr = member)(target = ldap:///cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=example;)(version 3.0;acl permission:System: Add User to default group;allow (write) groupdn = ldap:///cn=System: Add User to default group,cn=permissions,cn=pbac,dc=ipa,dc=example;) +dn: cn=users,cn=accounts,dc=ipa,dc=example +aci: (targetfilter = (objectclass=posixaccount))(version 3.0;acl permission:System: Add Users;allow (add) groupdn = ldap:///cn=System: Add Users,cn=permissions,cn=pbac,dc=ipa,dc=example;) +dn: cn=users,cn=accounts,dc=ipa,dc=example +aci: (targetattr = krbprincipalkey || passwordhistory || sambalmpassword || sambantpassword || userpassword)(targetfilter = ((!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount)))(version 3.0;acl permission:System: Change User password;allow (write) groupdn = ldap:///cn=System: Change User password,cn=permissions,cn=pbac,dc=ipa,dc=example;) +dn: cn=users,cn=accounts,dc=ipa,dc=example +aci: (targetattr = ipasshpubkey)(targetfilter = (objectclass=posixaccount))(version 3.0;acl permission:System: Manage User SSH Public Keys;allow (write) groupdn = ldap:///cn=System: Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example;) +dn: cn=users,cn=accounts,dc=ipa,dc=example +aci: (targetattr = businesscategory || carlicense || cn || description || displayname || employeetype || 
facsimiletelephonenumber || gecos || givenname || homephone ||
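Review bot: the ACI.txt hunk copied here only contains entries under cn=users,cn=accounts (System: Add Users, System: Change User password, System: Manage User SSH Public Keys and the attribute-write permission cut off at `homephone ||`) plus the `member` write on cn=ipausers for "System: Add User to default group"; no ACI targeting the staging container 'cn=staged users,cn=accounts,cn=provisioning,SUFFIX' is visible in this part of the patch. Please confirm that the stage-user permissions carry distinct names, as the earlier review requested, and that a principal granted only the stage-user permissions cannot write `member` on cn=ipausers, since a staged account should not become a member of the default group before it is activated.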
Re: [Freeipa-devel] [PATCH 0065] Don't allow users to create tokens with a specified ID
On 09/17/2014 08:51 AM, Jan Cholasta wrote:
> Hi,
>
> On 16.9.2014 at 19:32, Nathaniel McCallum wrote:
>> We perform this enforcement at the API level since:
>> * DS level enforcement would be difficult
>> * ipatokenUniqueID generation already happens at the API level
>>
>> It may be nice in the future to perform enforcement in the DS itself.
>> However, the question of the location of enforcement is largely an
>> aesthetic issue.
>>
>> https://fedorahosted.org/freeipa/ticket/4456
>
> That's a rather beefy check. I would prefer something like this (untested):
>
>     group_dn = self.api.Object.group.get_dn(u'admins')
>     filter = ldap.make_filter(
>         {'krbprincipalname': context.principal, 'memberof': group_dn},
>         ldap.MATCH_ALL)
>     try:
>         ldap.find_entries(
>             base_dn=self.api.env.basedn, filter=filter, attrs_list=[''])
>     except errors.NotFound:
>         raise ValidationError(name='ipatokenuniqueid',
>                               error='can only be specified by admins')
>
> Honza

Also, do we want to hard code it to admins group only? Wouldn't it be more
flexible to create a new Virtual Operation and let realm admin configure who
can change the UID. See Jan's patch d6fb110b77e2c585f0bfc5eb11b0187a43263fa1
for an example how that's done.

Martin
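The check Jan sketches above, as an added example written for this page rather than code from the FreeIPA tree: the caller's principal is placed into an LDAP equality filter, so the security-relevant detail is RFC 4515 escaping of that value, and the check must fail closed (no match means no privilege). The directory is a constructed in-memory stand-in with a toy equality-only filter evaluator; the DNs, the realm EXAMPLE.TEST and the function names are assumptions. The group DN is a parameter, so swapping the hard-coded admins group for whatever a configurable permission resolves to, as Martin suggests, changes only the argument, not the check.

```python
import re

# RFC 4515 special characters that must be escaped inside a filter value
_SPECIAL = '\\*()\x00'


def escape_filter_value(value):
    """Escape a value taken from the request (here the caller's Kerberos
    principal) so it cannot alter the structure of the LDAP filter."""
    return ''.join('\\%02x' % ord(ch) if ch in _SPECIAL else ch
                   for ch in value)


def make_filter(attrs):
    """AND together attribute=value pairs, mirroring the shape of the
    ldap.make_filter(..., MATCH_ALL) call in the thread (a toy, not the
    ipaldap implementation)."""
    parts = ['(%s=%s)' % (attr.lower(), escape_filter_value(val))
             for attr, val in sorted(attrs.items())]
    return '(&%s)' % ''.join(parts) if len(parts) > 1 else parts[0]


# --- toy server side: equality-only AND filters over in-memory entries ---

_EQ = re.compile(r'\(([A-Za-z][\w;-]*)=((?:\\[0-9a-fA-F]{2}|[^()\\*])*)\)')


def _unescape(value):
    return re.sub(r'\\([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1), 16)), value)


def entry_matches(entry, filt):
    """entry is {attr: [values]}; comparison is case-insensitive, which is
    what matters for memberOf DNs. Anything outside the toy grammar is
    rejected rather than silently matched."""
    inner = filt[2:-1] if filt.startswith('(&') and filt.endswith(')') else filt
    conds = _EQ.findall(inner)
    if ''.join('(%s=%s)' % c for c in conds) != inner:
        raise ValueError('unsupported filter: %r' % filt)
    lowered = {k.lower(): [v.lower() for v in vs] for k, vs in entry.items()}
    return all(_unescape(val).lower() in lowered.get(attr.lower(), [])
               for attr, val in conds)


def find_entries(directory, filt):
    return [dn for dn, entry in directory.items() if entry_matches(entry, filt)]


class ValidationError(Exception):
    pass


def check_may_set_token_id(principal, directory, group_dn):
    """The check proposed in the thread: the caller may pass
    ipatokenuniqueid only if its own entry is a member of group_dn.
    Fails closed: no matching entry means no privilege. Returns the
    evaluated filter so callers and tests can inspect it."""
    filt = make_filter({'krbprincipalname': principal, 'memberof': group_dn})
    if not find_entries(directory, filt):
        raise ValidationError(
            'ipatokenuniqueid: can only be specified by admins')
    return filt


# Constructed sample data; the DNs and the realm are made up for this example.
ADMINS_DN = 'cn=admins,cn=groups,cn=accounts,dc=example,dc=test'
DIRECTORY = {
    'uid=admin,cn=users,cn=accounts,dc=example,dc=test': {
        'krbPrincipalName': ['admin@EXAMPLE.TEST'],
        'memberOf': [ADMINS_DN],
    },
    'uid=alice,cn=users,cn=accounts,dc=example,dc=test': {
        'krbPrincipalName': ['alice@EXAMPLE.TEST'],
        'memberOf': ['cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test'],
    },
}

if __name__ == '__main__':
    print(check_may_set_token_id('admin@EXAMPLE.TEST', DIRECTORY, ADMINS_DN))
    for who in ('alice@EXAMPLE.TEST', '*@EXAMPLE.TEST', 'x)(memberof=*'):
        try:
            check_may_set_token_id(who, DIRECTORY, ADMINS_DN)
        except ValidationError as e:
            print(who, '->', e)
```

The two rejected principals at the end are the cases escaping exists for: a bare `*` must not turn the equality into a wildcard, and `)(memberof=*` must not close the principal term and open a new one that matches every member of every group.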
Re: [Freeipa-devel] [PATCH] 0009 Detect and configure all usable IP addresses.
On 09/16/2014 06:09 PM, Martin Basti wrote: On 16/09/14 15:59, David Kupka wrote: ... 2) +# check that there is IP address in every reverse zone +if options.reverse_zones: +for rz in options.reverse_zones: +for ip in config.ip_addresses: +if bindinstance.verify_reverse_zone(rz, ip): + reverse_zones.append(bindinstance.normalize_zone(rz)) +break +else: +sys.exit(There is no IP address matching reverze_zone %s. % rz) +if not options.no_reverse: +# check that there is reverse zone for every IP +if options.unattended: +for ip in config.ip_addresses: +if bindinstance.find_reverse_zone(str(ip)): +# reverse zone is already in LDAP +continue +for rz in reverse_zones: +if bindinstance.verify_reverse_zone(rz, ip): +# reverse zone is entered by user +break +else: +rz = util.get_reverse_zone_default(str(ip)) +reverse_zones.append(rz) +elif options.reverse_zones or (not(options.no_reverse) and bindinstance.create_reverse()): +for ip in config.ip_addresses: +if bindinstance.find_reverse_zone(str(ip)): +# reverse zone is already in LDAP +continue +for rz in reverse_zones: +if bindinstance.verify_reverse_zone(rz, ip): +# reverse zone is entered by user +break +else: +rz = util.get_reverse_zone_default(str(ip)) +rz = bindinstance.read_reverse_zone(rz, str(ip)) +reverse_zones.append(rz) +else: +options.no_reverse = True +reverse_zones = [] Code above is duplicated in replica-install and server-install, with small difference, could you put it inside function, for example into bindinstance module? Also there are duplicated parts inside in if and elif code block, could you add it to one function as well? +1, I wanted to comment the exactly same idea. Keep in mind that we plan to refactor the installers in FreeIPA 4.2 so we will want the installer to be rather calling shared logic and shared functions instead of duplicating code across bare installers. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
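Review bot: in the quoted hunk, `sys.exit(There is no IP address matching reverze_zone %s. % rz)` misspells reverse_zone in a user-facing message; the installer's usual error path would also be preferable to passing the message as the exit status argument. The unattended branch and the `elif options.reverse_zones or (...)` branch differ only in the `bindinstance.read_reverse_zone(rz, str(ip))` call, so one helper taking a prompt flag, as Martin proposes, would remove the second copy of the `find_reverse_zone` / `verify_reverse_zone` / `for ... else` loop as well. Separately, when both `--reverse-zone` and `--no-reverse` are passed, the first block validates and appends the user's zones before `options.no_reverse` is consulted, and the outer `if not options.no_reverse:` then leaves `reverse_zones` populated; decide which option wins in that combination and state it.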
Re: [Freeipa-devel] [PATCHES] 319-321 Build and packaging fixes
On 09/17/2014 12:31 PM, Jan Cholasta wrote:
> +Conflicts: %{alt_name}-server-trust-ad
> +Obsoletes: %{alt_name}-server-trust-ad %{version}-%{release}

Just one question - should we check also for %{release}? Generally, release
number does not have much value, we could rebuild our version of the package
10 times, but it does not mean it is newer. I.e. freeipa-server-4.0.0-10
should probably not obsolete ipa-server-4.0.0-1 but only ipa-server-3.3.3-10,
right?

Martin
Re: [Freeipa-devel] [PATCH] 0009 Detect and configure all usable IP addresses.
On 17/09/14 07:25, David Kupka wrote:
>> 3)
>> +elif options.reverse_zones or (not(options.no_reverse) and bindinstance.create_reverse()):
>> OR operator, this will create additional zones (non-specified by user)
>> even if the user writes NO
>
> When the user specifies some reverse zone (using --reverse-zone) we can
> assume that he wants to configure reverse zones (otherwise he is kind of
> indecisive, at least). So there is no reason to ask him again. The
> question is asked only when the user didn't provide any reverse zone nor
> specified --no-reverse.
>
>> 4)
>> If the user specifies zone 10.in-addr.arpa, and IP addresses 10.0.0.1,
>> 192.168.1.1, and answers not to create additional zones, how is this
>> case handled?
>
> The question is not asked. See the answer to 3).

Sorry my bad.

-- 
Martin Basti
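The reverse-zone planning the two messages above argue over, written out as an added example for this page rather than FreeIPA's bindinstance code: every user-supplied zone must cover at least one of the server's addresses, addresses already covered by a user-supplied or pre-existing zone are left alone, and every remaining address gets a default zone. The /24 default for IPv4 and /64 for IPv6 are assumptions for this example, as are the function names; RFC 2317 classless delegations are deliberately not recognised. Martin's case 4 (zone 10.in-addr.arpa with addresses 10.0.0.1 and 192.168.1.1) is the worked input.

```python
import ipaddress


def reverse_zone_default(ip_str):
    """Default reverse zone for an address: /24 for IPv4, /64 for IPv6
    (assumed defaults for this example)."""
    ip = ipaddress.ip_address(ip_str)
    prefix = 24 if ip.version == 4 else 64
    net = ipaddress.ip_network((str(ip), prefix), strict=False)
    # reverse_pointer lists the least significant label first and ends
    # with the two-label suffix (in-addr.arpa or ip6.arpa); drop the
    # labels that fall inside the host part of the prefix.
    labels = net.network_address.reverse_pointer.split('.')
    bits_per_label = 8 if ip.version == 4 else 4
    host_labels = len(labels) - 2 - prefix // bits_per_label
    return '.'.join(labels[host_labels:])


def reverse_zone_network(zone):
    """Network a reverse zone name stands for, e.g. '10.in-addr.arpa' ->
    10.0.0.0/8, or None for names this example does not understand."""
    name = zone.rstrip('.').lower()
    if name.endswith('.in-addr.arpa'):
        octets = name[:-len('.in-addr.arpa')].split('.')
        if len(octets) > 4 or not all(o.isdigit() and int(o) < 256
                                      for o in octets):
            return None
        octets.reverse()  # zone labels are in reverse wire order
        addr = '.'.join(octets + ['0'] * (4 - len(octets)))
        return ipaddress.ip_network('%s/%d' % (addr, 8 * len(octets)))
    if name.endswith('.ip6.arpa'):
        nibbles = name[:-len('.ip6.arpa')].split('.')
        if len(nibbles) > 32 or not all(len(n) == 1 and n in '0123456789abcdef'
                                        for n in nibbles):
            return None
        nibbles.reverse()
        hexstr = ''.join(nibbles) + '0' * (32 - len(nibbles))
        addr = ':'.join(hexstr[i:i + 4] for i in range(0, 32, 4))
        return ipaddress.ip_network('%s/%d' % (addr, 4 * len(nibbles)))
    return None


def ip_in_reverse_zone(zone, ip_str):
    """True when zone is a valid reverse zone that covers ip_str;
    a v4 address is never inside a v6 zone and vice versa."""
    net = reverse_zone_network(zone)
    return net is not None and ipaddress.ip_address(ip_str) in net


def plan_reverse_zones(ip_addresses, user_zones, existing=()):
    """Decide which reverse zones to create for the server's addresses.

    A user-supplied zone that matches none of the addresses is treated as
    a typo and refused rather than created empty. Addresses covered by a
    zone that already exists (e.g. found in LDAP) or by a user zone need
    nothing; the rest get the default zone for their network, deduplicated.
    """
    zones = []
    for rz in user_zones:
        if not any(ip_in_reverse_zone(rz, ip) for ip in ip_addresses):
            raise ValueError('no IP address matches reverse zone %s' % rz)
        zones.append(rz.rstrip('.').lower())
    for ip in ip_addresses:
        if any(ip_in_reverse_zone(rz, ip) for rz in existing):
            continue  # already served by an existing zone
        if any(ip_in_reverse_zone(rz, ip) for rz in zones):
            continue  # covered by a zone the user asked for
        default = reverse_zone_default(ip)
        if default not in zones:
            zones.append(default)
    return zones


if __name__ == '__main__':
    # Martin's case 4: only 192.168.1.1 needs a zone the user did not name
    print(plan_reverse_zones(['10.0.0.1', '192.168.1.1'], ['10.in-addr.arpa']))
```

With the input from case 4 the result is the user's 10.in-addr.arpa plus a default 1.168.192.in-addr.arpa, which is exactly the situation where an installer must decide whether to ask before creating the second zone.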
Re: [Freeipa-devel] [PATCHES] 319-321 Build and packaging fixes
On Wed, 17 Sep 2014, Martin Kosek wrote:
> On 09/17/2014 12:31 PM, Jan Cholasta wrote:
>> +Conflicts: %{alt_name}-server-trust-ad
>> +Obsoletes: %{alt_name}-server-trust-ad %{version}-%{release}
>
> Just one question - should we check also for %{release}? Generally,
> release number does not have much value, we could rebuild our version of
> the package 10 times, but it does not mean it is newer. I.e.
> freeipa-server-4.0.0-10 should probably not obsolete ipa-server-4.0.0-1
> but only ipa-server-3.3.3-10, right?

I agree with the %{release} idea. We definitely don't need to be so picky
with it.

-- 
/ Alexander Bokovoy
[Freeipa-devel] [PATCH 0297] Add log message about initial LDAP synchronization
Hello, Add log message about initial LDAP synchronization. -- Petr^2 Spacek From ce1b8f400d236d0da5b76c90ddc93adbf6980691 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Wed, 17 Sep 2014 13:32:49 +0200 Subject: [PATCH] Add log message about initial LDAP synchronization. Signed-off-by: Petr Spacek pspa...@redhat.com --- src/ldap_helper.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/ldap_helper.c b/src/ldap_helper.c index 1eb8a23501d150cc930e01d1447150b6da3a60f7..05f106f981b72b7a2738da1018772631b7354030 100644 --- a/src/ldap_helper.c +++ b/src/ldap_helper.c @@ -5102,7 +5102,9 @@ ldap_syncrepl_watcher(isc_threadarg_t arg) continue; } - log_debug(1, Sending initial syncrepl lookup); + log_info(LDAP instance '%s' is being synchronized, + please ignore message 'all zones loaded', + inst-db_name); ret = ldap_sync_init(ldap_sync, LDAP_SYNC_REFRESH_AND_PERSIST); /* TODO: error handling, set tainted flag do full reload? */ if (ret != LDAP_SUCCESS) { -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
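Review bot: the new log_info in the ldap_syncrepl_watcher hunk tells the operator to ignore BIND's 'all zones loaded' message, but nothing in the hunk logs when the initial synchronization has actually completed, so there is no positive signal to wait for; pairing it with an info-level message once the ldap_sync_init refresh phase finishes would make the advice actionable. The line sits inside the watcher loop directly after a `continue`, so it will be emitted again on every reconnect, which is reasonable but worth a sentence in the commit message. The `/* TODO: error handling, set tainted flag do full reload? */` on the following context line is untouched by this change.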
Re: [Freeipa-devel] [PATCHES] 319-321 Build and packaging fixes
Dne 17.9.2014 v 13:07 Alexander Bokovoy napsal(a): On Wed, 17 Sep 2014, Martin Kosek wrote: On 09/17/2014 12:31 PM, Jan Cholasta wrote: +Conflicts: %{alt_name}-server-trust-ad +Obsoletes: %{alt_name}-server-trust-ad %{version}-%{release} Just one question - should we check also for %{release}? Generally, release number does not have much value, we could rebuild our version of the package 10 times, but it does not mean it is newer. I.e. freeipa-server-4.0.0-10 should probably not obsolete ipa-server-4.0.0-1 but only ipa-server-3.3.3-10, right? I agree with the %{release} idea. We definitely don't need to be so picky with it. OK, fixed. I used wrong numbers for the patches, they should be 320-322. Fixed as well. Updated patches attached. -- Jan Cholasta From ee64df5bb38f5885f3996fac185e4f8ebf24d659 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Wed, 17 Sep 2014 10:02:01 +0200 Subject: [PATCH] Allow RPM upgrade from ipa-* packages https://fedorahosted.org/freeipa/ticket/4532 --- freeipa.spec.in | 21 - 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 1138299..0e2b279 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -1,6 +1,7 @@ # Define ONLY_CLIENT to only make the ipa-client and ipa-python subpackages %{!?ONLY_CLIENT:%global ONLY_CLIENT 0} +%global alt_name ipa %global plugin_dir %{_libdir}/dirsrv/plugins %global POLICYCOREUTILSVER 2.1.12-5 %global gettext_domain ipa @@ -128,6 +129,9 @@ Requires(pre): 389-ds-base = 1.3.3.2 Requires: fontawesome-fonts Requires: open-sans-fonts +Conflicts: %{alt_name}-server +Obsoletes: %{alt_name}-server %{version} + # With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the # entire SELinux policy is stored in the system policy Obsoletes: freeipa-server-selinux 3.3.0 
@@ -142,8 +146,6 @@ Conflicts: bind 9.8.2-0.4.rc2 # member. Conflicts: nss-pam-ldapd 0.8.4 -Obsoletes: ipa-server = 1.0 - %description server IPA is an integrated solution to provide centrally managed Identity (machine, user, virtual machines, groups, authentication credentials), Policy @@ -172,6 +174,9 @@ Requires(post): python Requires(postun): %{_sbindir}/update-alternatives Requires(preun): %{_sbindir}/update-alternatives +Conflicts: %{alt_name}-server-trust-ad +Obsoletes: %{alt_name}-server-trust-ad %{version} + %description server-trust-ad Cross-realm trusts with Active Directory in IPA require working Samba 4 installation. This package is provided for convenience to install all required @@ -207,7 +212,8 @@ Requires: nfs-utils Requires: python-backports-ssl_match_hostname Requires(post): policycoreutils -Obsoletes: ipa-client = 1.0 +Conflicts: %{alt_name}-client +Obsoletes: %{alt_name}-client %{version} %description client IPA is an integrated solution to provide centrally managed Identity (machine, @@ -226,7 +232,8 @@ Requires: %{name}-client = %{version}-%{release} Requires: python-krbV Requires: python-ldap -Obsoletes: ipa-admintools = 1.0 +Conflicts: %{alt_name}-admintools +Obsoletes: %{alt_name}-admintools %{version} %description admintools IPA is an integrated solution to provide centrally managed Identity (machine, @@ -253,7 +260,8 @@ Requires: python-pyasn1 Requires: python-dateutil Requires: python-yubico -Obsoletes: ipa-python = 1.0 +Conflicts: %{alt_name}-python +Obsoletes: %{alt_name}-python %{version} %description python IPA is an integrated solution to provide centrally managed Identity (machine, @@ -275,6 +283,9 @@ Requires: python-coverage Requires: python-polib Requires: python-paramiko = 1.7.7 +Conflicts: %{alt_name}-tests +Obsoletes: %{alt_name}-tests %{version} + %description tests IPA is an integrated solution to provide centrally managed Identity (machine, user, virtual machines, groups, authentication credentials), Policy -- 1.9.3 
From 3139fa03be08b1b3693fd65282785873f1637aa5 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Wed, 17 Sep 2014 11:49:51 +0200 Subject: [PATCH] Include ipaplatform in client-only build https://fedorahosted.org/freeipa/ticket/4533 --- Makefile| 6 ++ freeipa.spec.in | 3 +++ setup.py| 3 --- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index ddb47bf..3bdec71 100644 --- a/Makefile +++ b/Makefile @@ -71,6 +71,7 @@ client: client-autogen @for subdir in $(CLIENTDIRS); do \ (cd $$subdir $(MAKE) all) || exit 1; \ done + cd ipaplatform $(PYTHON) setup.py build bootstrap-autogen: version-update client-autogen @echo Building IPA $(IPA_VERSION) @@ -96,8 +97,10 @@ client-install: client client-dirs cd install/po $(MAKE) install || exit 1; if [ $(DESTDIR) = ]; then \ $(PYTHON) setup-client.py install; \ + (cd ipaplatform $(PYTHON) setup.py install); \ else \ $(PYTHON) setup-client.py install --root $(DESTDIR); \ + (cd ipaplatform $(PYTHON) setup.py install
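Review bot: the updated freeipa.spec.in hunks drop %{release} from the Obsoletes bound as agreed, but as pasted they read `Obsoletes: %{alt_name}-server %{version}` with no comparison operator between the package name and the version; if a `<` was lost in transit this is fine, otherwise rpmbuild will reject the tag. With the operator in place the pair is sound: the unversioned `Conflicts: %{alt_name}-server` blocks co-installation at any version, and the bounded Obsoletes pulls the renamed package in on upgrade from any older ipa-* version.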
Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin
On 09/15/2014 09:05 PM, Nathaniel McCallum wrote:
> This plugin ensures that all counter/watermark operations are atomic and
> never decrement. Also, deletion is not permitted.
>
> https://fedorahosted.org/freeipa/ticket/4494

Hello Nathaniel,

More thoughts.. I think being betxnpreoperation you are safe with parallel
client ops and the check is atomic. I have a few comments:

* Shouldn't the SLAPI_PLUGIN_CLOSE_FN/SLAPI_PLUGIN_START_FN callbacks be
  implemented, even if they are empty?

* In load_counters, in case we have a target entry that has not
  'objectclass' 'ipatokenHOTP|ipatokenTOTP' and the mod operation:

    dn: entry
    changetype: modify
    replace: ipatokenHOTPcounter
    ipatokenHOTPcounter: 200
    -
    add: objectclass
    objectclass: ipatokenHOTP

  I wonder if the operation will not fail although IMHO it should succeed.
  Shouldn't we let the schema checking reject the operation if the
  attribute is not granted by the entry objectclass?

* In load_counters, I am under the impression it may return
  ipatokenHOTPcounter or ipatokenTOTPwatermark (ipatokenHOTPcounter is
  missing). But then how does the caller know whether the returned value is
  a counter or a watermark?

* In ldapmod_is_attrs you may prefer PL_strcasecmp to strcasecmp.

About replicated updates, if updates of counters/watermark are done on
several servers, then a replicated operation may want to set the
counter/watermark to a smaller value than the existing one. In that case it
will return unwilling to perform. That could break replication. If the
update comes from replication and the value is going backward, we could make
the operation a nop operation (setting the attribute to its current value).

thanks
thierry
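An added example for this page, not Nathaniel's plugin or anything from the 389 DS tree: a Python model of the decision a betxnpreoperation plugin has to make for each modify, covering the points raised in the review above (case-insensitive attribute matching, refusing deletion, and turning a backward replicated update into a no-op instead of returning unwilling to perform). The two attribute names are the ones the thread mentions; the (op, attr, values) representation of a modify and the `replicated` flag are assumptions standing in for the slapi mod list and operation flags.

```python
# Attributes the plugin guards; LDAP attribute names are case-insensitive,
# so they are compared lower-cased (thierry's PL_strcasecmp point).
COUNTER_ATTRS = ('ipatokenhotpcounter', 'ipatokentotpwatermark')


class UnwillingToPerform(Exception):
    """Stand-in for the LDAP_UNWILLING_TO_PERFORM result the plugin returns."""


def _is_counter(attr):
    return attr.lower() in COUNTER_ATTRS


def vet_counter_mods(entry, mods, replicated=False):
    """Return the modification list the server should actually apply.

    entry: {attr_lowercase: int} holding the stored counter/watermark values
    mods:  list of (op, attr, values) with op in 'add', 'replace', 'delete'

    Rules modelled on the thread: a counter/watermark may only move forward
    (equal is allowed at this layer; rejecting a reused HOTP value is the
    authentication path's job); a decrement from a client is refused; a
    decrement arriving through replication is rewritten to the current value
    so replication keeps flowing; deleting a counter is never allowed.
    Attributes the plugin does not guard pass through untouched.
    """
    out = []
    for op, attr, values in mods:
        if not _is_counter(attr):
            out.append((op, attr, values))
            continue
        if op == 'delete':
            raise UnwillingToPerform('%s may not be deleted' % attr)
        if len(values) != 1:
            raise UnwillingToPerform('%s must have exactly one value' % attr)
        new = int(values[0])
        current = entry.get(attr.lower())
        if current is None or new >= current:
            out.append((op, attr, values))
        elif replicated:
            # Going backwards via replication: pin our (higher) value instead
            # of failing the replicated operation.
            out.append(('replace', attr, [str(current)]))
        else:
            raise UnwillingToPerform(
                '%s may not decrease (%d -> %d)' % (attr, current, new))
    return out


if __name__ == '__main__':
    # Constructed token entry: the stored HOTP counter is 100.
    token = {'ipatokenhotpcounter': 100}
    print(vet_counter_mods(token, [('replace', 'ipatokenHOTPcounter', ['101'])]))
    print(vet_counter_mods(token, [('replace', 'ipatokenHOTPcounter', ['99'])],
                           replicated=True))
    try:
        vet_counter_mods(token, [('replace', 'ipatokenHOTPcounter', ['99'])])
    except UnwillingToPerform as e:
        print('client decrement refused:', e)
```

The replicated branch is the one to think hardest about: it makes a supplier's lower value lose, which is the safe direction for a counter (a replayed one-time code stays unusable everywhere), at the cost of the two replicas converging on the higher value rather than on whatever was written last.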
[Freeipa-devel] [PATCH] 323 Fix certmonger code causing the ca_renewal_master update plugin to fail
Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4547. Honza -- Jan Cholasta From 8606fad0b8fb26ccdb3cc843509d04316a87efbd Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Wed, 17 Sep 2014 15:22:19 +0200 Subject: [PATCH] Fix certmonger code causing the ca_renewal_master update plugin to fail https://fedorahosted.org/freeipa/ticket/4547 --- ipapython/certmonger.py| 8 +++- ipaserver/install/plugins/ca_renewal_master.py | 2 +- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py index 62b2ba8..b46d65b 100644 --- a/ipapython/certmonger.py +++ b/ipapython/certmonger.py @@ -166,7 +166,13 @@ def get_request_value(request_id, directive): root_logger.error('Failed to get request: %s' % e) raise if request: -return request.prop_if.Get(DBUS_CM_REQUEST_IF, directive) +if directive == 'ca-name': +ca_path = request.obj_if.get_ca() +ca = _cm_dbus_object(request.bus, ca_path, DBUS_CM_CA_IF, + DBUS_CM_IF) +return ca.obj_if.get_nickname() +else: +return request.prop_if.Get(DBUS_CM_REQUEST_IF, directive) else: return None diff --git a/ipaserver/install/plugins/ca_renewal_master.py b/ipaserver/install/plugins/ca_renewal_master.py index 52508b5..e246639 100644 --- a/ipaserver/install/plugins/ca_renewal_master.py +++ b/ipaserver/install/plugins/ca_renewal_master.py @@ -60,7 +60,7 @@ class update_ca_renewal_master(PostUpdate): if request_id is not None: self.debug(found certmonger request for ipaCert) -ca_name = certmonger.get_request_value(request_id, 'ca_name') +ca_name = certmonger.get_request_value(request_id, 'ca-name') if ca_name is None: self.warning( certmonger request for ipaCert is missing ca_name, -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
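Review bot: the ca_renewal_master.py hunk switches the lookup to 'ca-name', but the warning on the following context line still reads `certmonger request for ipaCert is missing ca_name`; update the message to match. In the certmonger.py hunk, `request.obj_if.get_ca()` and the following `ca.obj_if.get_nickname()` have no error handling, whereas the request lookup just above logs 'Failed to get request' and re-raises; a request whose CA object is gone would surface from get_request_value as a raw D-Bus exception. A one-line comment on why 'ca-name' cannot be read through prop_if like the other directives would also help the next reader.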
[Freeipa-devel] [PATCH 0271] baseldap: Properly handle the case of renaming object to the
Hi, When renaming a object to the same name, errors.EmptyModList is raised. This is not properly handled, and can cause other modifications in the LDAPUpdate command to be ignored. https://fedorahosted.org/freeipa/ticket/4548 -- Tomas Babej Associate Software Engineer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org From 877c273784a2c8d6ff2b2a312e7256fff928e684 Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Wed, 17 Sep 2014 17:17:54 +0200 Subject: [PATCH] baseldap: Properly handle the case of renaming object to the same name When renaming a object to the same name, errors.EmptyModList is raised. This is not properly handled, and can cause other modifications in the LDAPUpdate command to be ignored. https://fedorahosted.org/freeipa/ticket/4548 --- ipalib/plugins/baseldap.py | 27 +-- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index a3cfe3ce33ffd999ea725cdf72bcf82cb11d5c84..13487aa9bc9d2e780fe8afbac86c25c822d23216 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py 
@@ -1398,16 +1398,23 @@ class LDAPUpdate(LDAPQuery, crud.Update): entry_attrs[self.obj.primary_key.name] = options['rename'] if self.obj.rdn_is_primary_key and self.obj.primary_key.name in entry_attrs: -# RDN change -self._exc_wrapper(keys, options, ldap.update_entry_rdn)( -entry_attrs.dn, -RDN((self.obj.primary_key.name, - entry_attrs[self.obj.primary_key.name]))) -rdnkeys = keys[:-1] + (entry_attrs[self.obj.primary_key.name], ) -entry_attrs.dn = self.obj.get_dn(*rdnkeys) -del entry_attrs[self.obj.primary_key.name] -options['rdnupdate'] = True -rdnupdate = True +try: +# RDN change +self._exc_wrapper(keys, options, ldap.update_entry_rdn)( +entry_attrs.dn, +RDN((self.obj.primary_key.name, + entry_attrs[self.obj.primary_key.name]))) + +rdnkeys = keys[:-1] + (entry_attrs[self.obj.primary_key.name], ) +entry_attrs.dn = self.obj.get_dn(*rdnkeys) +options['rdnupdate'] = True +rdnupdate = True +except errors.EmptyModlist: +# Attempt to rename to the current name, ignore +pass +finally: +# Delete the primary_key from entry_attrs either way +del entry_attrs[self.obj.primary_key.name] # Exception callbacks will need to test for options['rdnupdate'] # to decide what to do. An EmptyModlist in this context doesn't -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
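Review bot: the commit message names the exception errors.EmptyModList while the hunk catches `errors.EmptyModlist`; align the message with the code. Swallowing EmptyModlist leaves `rdnupdate` False and `entry_attrs.dn` unchanged, which is right for a rename to the current name, but the new `finally` also runs when update_entry_rdn raises anything else, so the primary key is removed from entry_attrs before the exception reaches the exception callbacks mentioned in the following comment; confirm they do not expect it to still be present. As Rob asks below, a test that renames an object to its current name while changing another attribute in the same command, asserting the other change is applied, would cover the ticket.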
Re: [Freeipa-devel] [PATCH] [dyndb] Fix error handling in configure_view() to prevent deadlocks
On Tue 16 Sep 2014 07:32:39 PM CEST, Petr Spacek wrote: Hello, attached patches fix https://bugzilla.redhat.com/show_bug.cgi?id=1142150 https://bugzilla.redhat.com/show_bug.cgi?id=1142152 ... and improve related error messages. I will push it to https://github.com/spacekpe/bind-dynamic_db if you are okay with it. I think there is a mistake in the first patch: 0001-Fix-error-handling-in-configure_view-to-prevent-dead.patch diff --git a/lib/dns/dynamic_db.c b/lib/dns/dynamic_db.c index bf831617b391778ec540b2a5ca0df341937f2427..30c56a65c7227497c3e772c3e1b58ff49eacbd35 100644 --- a/lib/dns/dynamic_db.c +++ b/lib/dns/dynamic_db.c @@ -280,16 +280,24 @@ dns_dyndb_arguments_create(isc_mem_t *mctx) } void -dns_dyndb_arguments_destroy(isc_mem_t *mctx, dns_dyndb_arguments_t *args) +dns_dyndb_arguments_destroy(isc_mem_t *mctx, dns_dyndb_arguments_t **argsp) { + dns_dyndb_arguments_t *args; + REQUIRE(args != NULL); args is not initialized here. I think it should be argsp + args = *argsp; + if (args == NULL) + return; + dns_dyndb_set_view(args, NULL); dns_dyndb_set_zonemgr(args, NULL); dns_dyndb_set_task(args, NULL); dns_dyndb_set_timermgr(args, NULL); isc_mem_put(mctx, args, sizeof(*args)); + + *argsp = NULL; } Regards, -- Tomas Hozza Software Engineer - EMEA ENG Developer Experience PGP: 1D9F3C2D Red Hat Inc. http://cz.redhat.com ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
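Review bot: agreed with the point above: in the dns_dyndb_arguments_destroy hunk `REQUIRE(args != NULL);` runs before `args = *argsp;` assigns it, so it tests an uninitialized pointer; it should be `REQUIRE(argsp != NULL);`, after which the existing `if (args == NULL) return;` together with `*argsp = NULL;` makes a second destroy of the same arguments a harmless no-op. Since the signature changes from `dns_dyndb_arguments_t *` to `dns_dyndb_arguments_t **`, every caller must be updated in the same patch, so check the call sites.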
Re: [Freeipa-devel] [PATCH 0271] baseldap: Properly handle the case of renaming object to the
Tomas Babej wrote:
> Hi,
>
> When renaming an object to the same name, errors.EmptyModList is raised.
> This is not properly handled, and can cause other modifications in the
> LDAPUpdate command to be ignored.
>
> https://fedorahosted.org/freeipa/ticket/4548

Needs some tests...

rob