[Freeipa-devel] [PATCH] 0025 Respect UID and GID soft static allocation.

2014-10-24 Thread David Kupka

https://fedorahosted.org/freeipa/ticket/4585
--
David Kupka
From 1cb3a44bcf5cba3dd741ac7222720d87f983e38d Mon Sep 17 00:00:00 2001
From: David Kupka dku...@redhat.com
Date: Wed, 22 Oct 2014 09:07:44 -0400
Subject: [PATCH] Respect UID and GID soft static allocation.

https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAndGroups#Soft_static_allocation

https://fedorahosted.org/freeipa/ticket/4585
---
 ipaplatform/base/tasks.py | 43 +
 ipaplatform/redhat/tasks.py   | 50 +++
 ipaserver/install/cainstance.py   |  2 +-
 ipaserver/install/dsinstance.py   |  2 +-
 ipaserver/install/installutils.py | 42 
 5 files changed, 95 insertions(+), 44 deletions(-)

diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index 408447e43cd36d0cdf11a1877b3bc9880c4785de..1ea8db6a2a820f4efdb1522cfd87578e547aae99 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -22,7 +22,13 @@
 This module contains default platform-specific implementations of system tasks.
 '''
 
+import pwd
+import grp
 from ipaplatform.paths import paths
+from ipapython.ipa_log_manager import log_mgr
+from ipapython import ipautil
+
+log = log_mgr.get_logger(__name__)
 
 
 class BaseTaskNamespace(object):
@@ -150,5 +156,42 @@ class BaseTaskNamespace(object):
 
 return
 
+def create_system_user(self, name, group, homedir, shell):
+Create a system user with a corresponding group
+try:
+grp.getgrnam(group)
+except KeyError:
+log.debug('Adding group %s', group)
+args = [paths.GROUPADD, '-r', group]
+try:
+ipautil.run(args)
+log.debug('Done adding group')
+except ipautil.CalledProcessError as e:
+log.critical('Failed to add group: %s', e)
+raise
+else:
+log.debug('group %s exists', group)
+
+try:
+pwd.getpwnam(name)
+except KeyError:
+log.debug('Adding user %s', name)
+args = [
+paths.USERADD,
+'-g', group,
+'-c', 'DS System User',
+'-d', homedir,
+'-s', shell,
+'-M', '-r', name,
+]
+try:
+ipautil.run(args)
+log.debug('Done adding user')
+except ipautil.CalledProcessError as e:
+log.critical('Failed to add user: %s', e)
+raise
+else:
+log.debug('user %s exists', name)
+
 
 task_namespace = BaseTaskNamespace()
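Review bot: the account description is hardcoded in the useradd argument list (`'-c', 'DS System User'`) although this method is generic and takes name, group, homedir and shell; when the same method is used to create pkiuser the CA account ends up labelled as a directory server user. Pass the description in as a parameter (or leave `-c` out and let the platform layer supply it) so each service gets its own comment.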
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 16d90a6d1a7d3d9aced5de82a5c1efe6b8c2..eaea806a533fd5f40856161de9bfc89fc3b7eb23 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -30,6 +30,8 @@ import socket
 import sys
 import urllib
 import base64
+import pwd
+import grp
 
 from subprocess import CalledProcessError
 from nss.error import NSPRError
@@ -393,5 +395,53 @@ class RedHatTaskNamespace(BaseTaskNamespace):
 
 return True
 
+def create_system_user(self, name, group, homedir, shell):
+
+Create a system user with a corresponding group
+
+According to https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAndGroups#Soft_static_allocation
+some system users should have fixed UID, GID and other parameters set.
+This values should be constant and may be hardcoded.
+Add other values for other users when needed.
+
+try:
+grp.getgrnam(group)
+except KeyError:
+log.debug('Adding group %s', group)
+args = [paths.GROUPADD, '-r', group]
+if name == 'pkiuser':
+args += ['-g', '17']
+try:
+ipautil.run(args)
+log.debug('Done adding group')
+except ipautil.CalledProcessError as e:
+log.critical('Failed to add group: %s', e)
+raise
+else:
+log.debug('group %s exists', group)
+
+try:
+pwd.getpwnam(name)
+except KeyError:
+log.debug('Adding user %s', name)
+args = [
+paths.USERADD,
+'-g', group,
+'-c', 'DS System User',
+'-M', '-r', name,
+]
+if name == 'pkiuser':
+args += ['-u', '17', '-d', '/var/lib/pki', '-s', paths.NOLOGIN]
+else:
+args += ['-d', homedir, '-s', shell]
+try:
+ipautil.run(args)
+log.debug('Done adding user')
+except ipautil.CalledProcessError as e:
+log.critical('Failed to add user: %s', e)
+raise
+else:
+log.debug('user %s exists', 
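Review bot: this override repeats the entire base implementation and hardcodes the pkiuser values inline (`'-g', '17'`, `'-u', '17'` and the literal `'/var/lib/pki'` path, while `paths.NOLOGIN` on the same line already comes from the paths module). The UID/GID and home directory belong in a small per-user mapping in the platform class, and the path should come from `paths` like the other locations in this file; a cleaner shape is one base method that accepts optional `uid`, `gid` and `comment` keyword arguments, with this Red Hat class only supplying the soft-static values before delegating to it.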

Re: [Freeipa-devel] issues with Debian port

2014-10-24 Thread Petr Vobornik

On 23.10.2014 23:38, Timo Aaltonen wrote:



Oh and the web UI is blank when I try it. Does the client install fail have
something to do with it?



A client install failure should not affect displaying the Web UI.

What do you mean by blank?
Are Web UI files downloaded?
Is there a JavaScript error?

This can be checked in the browser developer tools, in the console and network tabs.

Web UI debugging help: 
https://pvoborni.fedorapeople.org/doc/#!/guide/Debugging

--
Petr Vobornik

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 0025 Respect UID and GID soft static allocation.

2014-10-24 Thread Martin Basti

On 24/10/14 09:51, David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/4585

NACK

1)
Why is there a line with 'DS System User'? The comment should depend on 
the service.


+args = [
+paths.USERADD,
+'-g', group,
+'-c', 'DS System User',
+'-d', homedir,
+'-s', shell,
+'-M', '-r', name,
+]

2)
The code of create_system_user is duplicated between base and redhat tasks with 
platform-dependent changes.
IMO it would be better to have one method to create a user, with keyword 
arguments, and then a platform-dependent method which will call the method to 
create a user with appropriate arguments (or with default arguments).


--
Martin Basti



Re: [Freeipa-devel] [PATCH] 0025 Respect UID and GID soft static allocation.

2014-10-24 Thread David Kupka

On 10/24/2014 10:43 AM, Martin Basti wrote:

On 24/10/14 09:51, David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/4585

NACK

1)
Why is there a line with 'DS System User'? The comment should depend on
the service.

+args = [
+paths.USERADD,
+'-g', group,
+'-c', 'DS System User',
+'-d', homedir,
+'-s', shell,
+'-M', '-r', name,
+]


This was part of the original code and I didn't notice it. Nice catch, 
thanks.




2)
The code of create_system_user is duplicated between base and redhat tasks with
platform-dependent changes.
IMO it would be better to have one method to create a user, with keyword
arguments, and then a platform-dependent method which will call the method to
create a user with appropriate arguments (or with default arguments).



You're right, it was ugly.

--
David Kupka
From 104a196f619d549e3c53fa50df4199535d86fe32 Mon Sep 17 00:00:00 2001
From: David Kupka dku...@redhat.com
Date: Wed, 22 Oct 2014 09:07:44 -0400
Subject: [PATCH] Respect UID and GID soft static allocation.

https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAndGroups#Soft_static_allocation

https://fedorahosted.org/freeipa/ticket/4585
---
 ipaplatform/base/tasks.py | 48 +++
 ipaplatform/redhat/tasks.py   | 22 ++
 ipaserver/install/cainstance.py   |  2 +-
 ipaserver/install/dsinstance.py   |  2 +-
 ipaserver/install/installutils.py | 42 --
 5 files changed, 72 insertions(+), 44 deletions(-)

diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index 408447e43cd36d0cdf11a1877b3bc9880c4785de..f2ba81f44bb991b218232aad84d7810cdae839ef 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -22,7 +22,13 @@
 This module contains default platform-specific implementations of system tasks.
 '''
 
+import pwd
+import grp
 from ipaplatform.paths import paths
+from ipapython.ipa_log_manager import log_mgr
+from ipapython import ipautil
+
+log = log_mgr.get_logger(__name__)
 
 
 class BaseTaskNamespace(object):
@@ -150,5 +156,47 @@ class BaseTaskNamespace(object):
 
 return
 
+def create_system_user(self, name, group, homedir, shell, uid = None, gid = None, comment = None):
+Create a system user with a corresponding group
+try:
+grp.getgrnam(group)
+except KeyError:
+log.debug('Adding group %s', group)
+args = [paths.GROUPADD, '-r', group]
+if gid:
+args += ['-g', str(gid)]
+try:
+ipautil.run(args)
+log.debug('Done adding group')
+except ipautil.CalledProcessError as e:
+log.critical('Failed to add group: %s', e)
+raise
+else:
+log.debug('group %s exists', group)
+
+try:
+pwd.getpwnam(name)
+except KeyError:
+log.debug('Adding user %s', name)
+args = [
+paths.USERADD,
+'-g', group,
+'-d', homedir,
+'-s', shell,
+'-M', '-r', name,
+]
+if uid:
+args += ['-u', str(uid)]
+if comment:
+args += ['-c', comment]
+try:
+ipautil.run(args)
+log.debug('Done adding user')
+except ipautil.CalledProcessError as e:
+log.critical('Failed to add user: %s', e)
+raise
+else:
+log.debug('user %s exists', name)
+
 
 task_namespace = BaseTaskNamespace()
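Review bot: `if gid:` and `if uid:` treat 0 as "not given", so a caller that explicitly passes 0 silently gets a dynamically allocated ID instead of the requested one; test `gid is not None` / `uid is not None` so the check matches the `None` defaults in the signature. Minor style on the `def` line: PEP 8 writes keyword defaults as `uid=None, gid=None, comment=None` without spaces around `=`, and the line exceeds 79 columns.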
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 16d90a6d1a7d3d9aced5de82a5c1efe6b8c2..c37f6e56853382186092d645538e635d49306f87 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -393,5 +393,27 @@ class RedHatTaskNamespace(BaseTaskNamespace):
 
 return True
 
+def create_system_user(self, name, group, homedir, shell):
+
+Create a system user with a corresponding group
+
+According to https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAndGroups#Soft_static_allocation
+some system users should have fixed UID, GID and other parameters set.
+This values should be constant and may be hardcoded.
+Add other values for other users when needed.
+
+uid = gid = comment = None
+if name == 'pkiuser':
+uid = 17
+gid = 17
+homedir = paths.VAR_LIB_PKI_DIR
+shell = paths.NOLOGIN
+comment = 'CA System User'
+if name == 'dirsrv':
+comment = 'DS System User'
+
+BaseTaskNamespace.create_system_user(self, name, group, homedir,
+shell, uid, gid, comment)
+
 
 tasks = RedHatTaskNamespace()
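Review bot: the override's signature `create_system_user(self, name, group, homedir, shell)` drops the `uid`, `gid` and `comment` keyword arguments that the base class now accepts, so any caller passing them on a Red Hat platform gets a TypeError and the two classes are no longer substitutable; keep the base signature and only fill in the pkiuser values when the caller left them as `None`. Also `BaseTaskNamespace.create_system_user(self, ...)` can be `super(RedHatTaskNamespace, self).create_system_user(...)`, and the `if name == 'dirsrv'` test is mutually exclusive with the pkiuser branch, so it can be an `elif`.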
diff --git 

[Freeipa-devel] [PATCH 0153] fix regression: DNS zonemgr validation raises assertion error

2014-10-24 Thread Martin Basti

https://fedorahosted.org/freeipa/ticket/4663

Patch attached.

--
Martin Basti

From aac897f2c269de06675a6a5cca74b0d30ad3d39e Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Fri, 24 Oct 2014 12:15:17 +0200
Subject: [PATCH] Fix dns zonemgr validation regression

https://fedorahosted.org/freeipa/ticket/4663
---
 ipalib/util.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipalib/util.py b/ipalib/util.py
index fcb2bab96bcf5669de444846d8dea572eefce793..7a283106d70ba6a3e25cc7129d57b44b80876882 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -277,6 +277,7 @@ def validate_zonemgr(zonemgr):
 
 def validate_zonemgr_str(zonemgr):
 zonemgr = normalize_zonemgr(zonemgr)
+zonemgr = DNSName(zonemgr)
 return validate_zonemgr(zonemgr)
 
 def validate_hostname(hostname, check_fqdn=True, allow_underscore=False, allow_slash=False):
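Review bot: `DNSName` does not appear in this hunk's context, so confirm it is already imported in ipalib/util.py. More importantly, when the normalized string is not a valid DNS name the `DNSName(zonemgr)` constructor raises its own dnspython-derived exception before `validate_zonemgr` ever runs, so the caller sees a library error instead of the validation error this function exists to produce; consider wrapping the conversion in `try`/`except` and re-raising as `ValueError` with a message that names the rejected zonemgr value.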
-- 
1.8.3.1


[Freeipa-devel] [PATCH] 0168 add permission for reading ipaSshPubkey for ID overrides

2014-10-24 Thread Alexander Bokovoy

Hi!

A small patch to fix https://fedorahosted.org/freeipa/ticket/4664

--
/ Alexander Bokovoy
From 6f793a9e4450d6a41576c98ca61f6273277ccd60 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Fri, 24 Oct 2014 15:01:27 +0300
Subject: [PATCH] Add ipaSshPubkey to the ACI to read ID user overrides

https://fedorahosted.org/freeipa/ticket/4664
---
 ACI.txt   | 2 +-
 ipalib/plugins/idviews.py | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/ACI.txt b/ACI.txt
index 27a5d2f..f987807 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -131,7 +131,7 @@ aci: (targetfilter = (objectclass=ipahostgroup))(version 
3.0;acl permission:S
 dn: cn=views,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = cn || createtimestamp || description || entryusn || 
gidnumber || ipaanchoruuid || modifytimestamp || objectclass)(targetfilter = 
(objectclass=ipaGroupOverride))(version 3.0;acl permission:System: Read 
Group ID Overrides;allow (compare,read,search) userdn = ldap:///all;;)
 dn: cn=views,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = createtimestamp || description || entryusn || gecos || 
homedirectory || ipaanchoruuid || ipaoriginaluid || loginshell || 
modifytimestamp || objectclass || uid || uidnumber)(targetfilter = 
(objectclass=ipaUserOverride))(version 3.0;acl permission:System: Read User 
ID Overrides;allow (compare,read,search) userdn = ldap:///all;;)
+aci: (targetattr = createtimestamp || description || entryusn || gecos || 
homedirectory || ipaanchoruuid || ipaoriginaluid || ipasshpubkey || loginshell 
|| modifytimestamp || objectclass || uid || uidnumber)(targetfilter = 
(objectclass=ipaUserOverride))(version 3.0;acl permission:System: Read User 
ID Overrides;allow (compare,read,search) userdn = ldap:///all;;)
 dn: cn=ranges,cn=etc,dc=ipa,dc=example
 aci: (targetattr = cn || createtimestamp || entryusn || ipabaseid || 
ipabaserid || ipaidrangesize || ipanttrusteddomainsid || iparangetype || 
ipasecondarybaserid || modifytimestamp || objectclass)(targetfilter = 
(objectclass=ipaidrange))(version 3.0;acl permission:System: Read ID 
Ranges;allow (compare,read,search) userdn = ldap:///all;;)
 dn: cn=views,cn=accounts,dc=ipa,dc=example
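Review bot: the neighbouring "System: Read Group ID Overrides" ACI in this same hunk exposes `gidnumber`, but the "System: Read User ID Overrides" ACI being changed here still does not list it, so a principal granted this permission can read a user's overridden UID, shell and SSH key but not an overridden primary GID; check whether `gidnumber` should be added alongside `ipasshpubkey`. Since ACI.txt is regenerated from the plugin permission definitions, the attribute list here must stay in sync with the idviews.py change (it does for this revision).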
diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index bfa8675..cd297a4 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -659,6 +659,7 @@ class idoverrideuser(baseidoverride):
 'ipapermdefaultattr': {
 'objectClass', 'ipaAnchorUUID', 'uidNumber', 'description',
 'homeDirectory', 'uid', 'ipaOriginalUid', 'loginShell', 
'gecos',
+'ipaSshPubkey',
 },
 },
 }
-- 
2.1.0


Re: [Freeipa-devel] [PATCH 0153] fix regression: DNS zonemgr validation raises assertion error

2014-10-24 Thread David Kupka

Works for me, ACK.

On 10/24/2014 01:27 PM, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/4663

Patch attached.



--
David Kupka



Re: [Freeipa-devel] [PATCH] 0168 add permission for reading ipaSshPubkey for ID overrides

2014-10-24 Thread Alexander Bokovoy

On Fri, 24 Oct 2014, Alexander Bokovoy wrote:

Hi!

A small patch to fix https://fedorahosted.org/freeipa/ticket/4664


Sumit noted that we also miss gidNumber from the user's override
permissions. Added to the new version of the patch.

--
/ Alexander Bokovoy
From f980405957aeb912b28f8559416faba9c6bbd1bb Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Fri, 24 Oct 2014 15:01:27 +0300
Subject: [PATCH] Add ipaSshPubkey to the ACI to read ID user overrides

https://fedorahosted.org/freeipa/ticket/4664
---
 ACI.txt   | 2 +-
 ipalib/plugins/idviews.py | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/ACI.txt b/ACI.txt
index 27a5d2f..6680f65 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -131,7 +131,7 @@ aci: (targetfilter = (objectclass=ipahostgroup))(version 
3.0;acl permission:S
 dn: cn=views,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = cn || createtimestamp || description || entryusn || 
gidnumber || ipaanchoruuid || modifytimestamp || objectclass)(targetfilter = 
(objectclass=ipaGroupOverride))(version 3.0;acl permission:System: Read 
Group ID Overrides;allow (compare,read,search) userdn = ldap:///all;;)
 dn: cn=views,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = createtimestamp || description || entryusn || gecos || 
homedirectory || ipaanchoruuid || ipaoriginaluid || loginshell || 
modifytimestamp || objectclass || uid || uidnumber)(targetfilter = 
(objectclass=ipaUserOverride))(version 3.0;acl permission:System: Read User 
ID Overrides;allow (compare,read,search) userdn = ldap:///all;;)
+aci: (targetattr = createtimestamp || description || entryusn || gecos || 
gidnumber || homedirectory || ipaanchoruuid || ipaoriginaluid || ipasshpubkey 
|| loginshell || modifytimestamp || objectclass || uid || 
uidnumber)(targetfilter = (objectclass=ipaUserOverride))(version 3.0;acl 
permission:System: Read User ID Overrides;allow (compare,read,search) userdn 
= ldap:///all;;)
 dn: cn=ranges,cn=etc,dc=ipa,dc=example
 aci: (targetattr = cn || createtimestamp || entryusn || ipabaseid || 
ipabaserid || ipaidrangesize || ipanttrusteddomainsid || iparangetype || 
ipasecondarybaserid || modifytimestamp || objectclass)(targetfilter = 
(objectclass=ipaidrange))(version 3.0;acl permission:System: Read ID 
Ranges;allow (compare,read,search) userdn = ldap:///all;;)
 dn: cn=views,cn=accounts,dc=ipa,dc=example
diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index bfa8675..9c87210 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -659,6 +659,7 @@ class idoverrideuser(baseidoverride):
 'ipapermdefaultattr': {
 'objectClass', 'ipaAnchorUUID', 'uidNumber', 'description',
 'homeDirectory', 'uid', 'ipaOriginalUid', 'loginShell', 
'gecos',
+'gidNumber', 'ipaSshPubkey',
 },
 },
 }
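Review bot: this hunk now adds `'gidNumber'` as well as `'ipaSshPubkey'` to `ipapermdefaultattr`, but the commit subject at the top of the patch ("Add ipaSshPubkey to the ACI to read ID user overrides") still mentions only ipaSshPubkey; update the subject and the ticket reference text so the log records both attributes.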
-- 
2.1.0


Re: [Freeipa-devel] [PATCH] 0025 Respect UID and GID soft static allocation.

2014-10-24 Thread David Kupka

On 10/24/2014 01:06 PM, David Kupka wrote:

On 10/24/2014 10:43 AM, Martin Basti wrote:

On 24/10/14 09:51, David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/4585

NACK

1)
Why is there a line with 'DS System User'? The comment should depend on
the service.

+args = [
+paths.USERADD,
+'-g', group,
+'-c', 'DS System User',
+'-d', homedir,
+'-s', shell,
+'-M', '-r', name,
+]


This was part of the original code and I didn't notice it. Nice catch,
thanks.



2)
The code of create_system_user is duplicated between base and redhat tasks with
platform-dependent changes.
IMO it would be better to have one method to create a user, with keyword
arguments, and then a platform-dependent method which will call the method to
create a user with appropriate arguments (or with default arguments).



You're right it was ugly.





I shouldn't break SOLID principles.

--
David Kupka
From d91e9fedd61780793981f347f529280b86fcca97 Mon Sep 17 00:00:00 2001
From: David Kupka dku...@redhat.com
Date: Wed, 22 Oct 2014 09:07:44 -0400
Subject: [PATCH] Respect UID and GID soft static allocation.

https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAndGroups#Soft_static_allocation

https://fedorahosted.org/freeipa/ticket/4585
---
 ipaplatform/base/tasks.py | 48 +++
 ipaplatform/redhat/tasks.py   | 21 +
 ipaserver/install/cainstance.py   |  2 +-
 ipaserver/install/dsinstance.py   |  2 +-
 ipaserver/install/installutils.py | 42 --
 5 files changed, 71 insertions(+), 44 deletions(-)

diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index 408447e43cd36d0cdf11a1877b3bc9880c4785de..f2ba81f44bb991b218232aad84d7810cdae839ef 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -22,7 +22,13 @@
 This module contains default platform-specific implementations of system tasks.
 '''
 
+import pwd
+import grp
 from ipaplatform.paths import paths
+from ipapython.ipa_log_manager import log_mgr
+from ipapython import ipautil
+
+log = log_mgr.get_logger(__name__)
 
 
 class BaseTaskNamespace(object):
@@ -150,5 +156,47 @@ class BaseTaskNamespace(object):
 
 return
 
+def create_system_user(self, name, group, homedir, shell, uid = None, gid = None, comment = None):
+Create a system user with a corresponding group
+try:
+grp.getgrnam(group)
+except KeyError:
+log.debug('Adding group %s', group)
+args = [paths.GROUPADD, '-r', group]
+if gid:
+args += ['-g', str(gid)]
+try:
+ipautil.run(args)
+log.debug('Done adding group')
+except ipautil.CalledProcessError as e:
+log.critical('Failed to add group: %s', e)
+raise
+else:
+log.debug('group %s exists', group)
+
+try:
+pwd.getpwnam(name)
+except KeyError:
+log.debug('Adding user %s', name)
+args = [
+paths.USERADD,
+'-g', group,
+'-d', homedir,
+'-s', shell,
+'-M', '-r', name,
+]
+if uid:
+args += ['-u', str(uid)]
+if comment:
+args += ['-c', comment]
+try:
+ipautil.run(args)
+log.debug('Done adding user')
+except ipautil.CalledProcessError as e:
+log.critical('Failed to add user: %s', e)
+raise
+else:
+log.debug('user %s exists', name)
+
 
 task_namespace = BaseTaskNamespace()
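Review bot: this hunk is unchanged from the previous revision (same resulting blob f2ba81f4 in the index line), so the earlier point still applies: `if gid:` and `if uid:` drop an explicit 0 and fall back to dynamic allocation; use `is not None` to match the `None` defaults.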
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 16d90a6d1a7d3d9aced5de82a5c1efe6b8c2..2c7cafae358f74dc45424f90fc702eef844ac0df 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -393,5 +393,26 @@ class RedHatTaskNamespace(BaseTaskNamespace):
 
 return True
 
+def create_system_user(self, name, group, homedir, shell, uid = None, gid = None, comment = None):
+
+Create a system user with a corresponding group
+
+According to https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAndGroups#Soft_static_allocation
+some system users should have fixed UID, GID and other parameters set.
+This values should be constant and may be hardcoded.
+Add other values for other users when needed.
+
+if name == 'pkiuser':
+uid = 17
+gid = 17
+homedir = paths.VAR_LIB_PKI_DIR
+shell = paths.NOLOGIN
+comment = 'CA System User'
+  
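Review bot: the signature now matches the base class, which resolves the substitutability problem from the previous revision. The pkiuser branch still unconditionally overwrites the `homedir` and `shell` the caller passed; if the soft-static values are meant to be authoritative, state that in the docstring, which also needs "This values" changed to "These values". The rest of the method is cut off in this mail, so the delegation to the base implementation could not be checked here.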

Re: [Freeipa-devel] [PATCH] 0168 add permission for reading ipaSshPubkey for ID overrides

2014-10-24 Thread Martin Kosek

On 10/24/2014 02:14 PM, Alexander Bokovoy wrote:

On Fri, 24 Oct 2014, Alexander Bokovoy wrote:

Hi!

A small patch to fix https://fedorahosted.org/freeipa/ticket/4664


Sumit noted that we also miss gidNumber from the user's override
permissions. Added to the new version of the patch.


The patch itself works fine, I tested an upgrade + ldapsearch with host/ 
principal. However, the patch description needs an update to also reflect gidNumber 
being added.




Re: [Freeipa-devel] [PATCH 0074] Make token window sizes configurable

2014-10-24 Thread Nathaniel McCallum
On Thu, 2014-10-23 at 18:07 -0400, Nathaniel McCallum wrote:
 This patch gives the administrator variables to control the size of
 the authentication and synchronization windows for OTP tokens.
 
 https://fedorahosted.org/freeipa/ticket/4511
 
 NOTE: There is one known issue with this patch which I don't know how to
 solve. This patch changes the schema in install/share/60ipaconfig.ldif.
 On an upgrade, all of the new attributeTypes appear correctly. However,
 the modifications to the pre-existing objectClass do not show up on the
 server. What am I doing wrong?
 
 After modifying ipaGuiConfig manually, everything in this patch works
 just fine.

Also, I need an allocation of OIDs for the new attributes.



Re: [Freeipa-devel] [PATCH] 0168 add permission for reading ipaSshPubkey for ID overrides

2014-10-24 Thread Alexander Bokovoy

On Fri, 24 Oct 2014, Martin Kosek wrote:

On 10/24/2014 02:14 PM, Alexander Bokovoy wrote:

On Fri, 24 Oct 2014, Alexander Bokovoy wrote:

Hi!

A small patch to fix https://fedorahosted.org/freeipa/ticket/4664


Sumit noted that we also miss gidNumber from the user's override
permissions. Added to the new version of the patch.


The patch itself works fine, I tested an upgrade + ldapsearch with 
host/ principal. However, the patch description needs an update to also 
reflect gidNumber being added.

Updated.

--
/ Alexander Bokovoy
From 208e9d750948bf2144aeae1ae6133f035b5716cd Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Fri, 24 Oct 2014 15:01:27 +0300
Subject: [PATCH] Add ipaSshPubkey and gidNumber to the ACI to read ID user
 overrides

https://fedorahosted.org/freeipa/ticket/4664
---
 ACI.txt   | 2 +-
 ipalib/plugins/idviews.py | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/ACI.txt b/ACI.txt
index 27a5d2f..6680f65 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -131,7 +131,7 @@ aci: (targetfilter = (objectclass=ipahostgroup))(version 
3.0;acl permission:S
 dn: cn=views,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = cn || createtimestamp || description || entryusn || 
gidnumber || ipaanchoruuid || modifytimestamp || objectclass)(targetfilter = 
(objectclass=ipaGroupOverride))(version 3.0;acl permission:System: Read 
Group ID Overrides;allow (compare,read,search) userdn = ldap:///all;;)
 dn: cn=views,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = createtimestamp || description || entryusn || gecos || 
homedirectory || ipaanchoruuid || ipaoriginaluid || loginshell || 
modifytimestamp || objectclass || uid || uidnumber)(targetfilter = 
(objectclass=ipaUserOverride))(version 3.0;acl permission:System: Read User 
ID Overrides;allow (compare,read,search) userdn = ldap:///all;;)
+aci: (targetattr = createtimestamp || description || entryusn || gecos || 
gidnumber || homedirectory || ipaanchoruuid || ipaoriginaluid || ipasshpubkey 
|| loginshell || modifytimestamp || objectclass || uid || 
uidnumber)(targetfilter = (objectclass=ipaUserOverride))(version 3.0;acl 
permission:System: Read User ID Overrides;allow (compare,read,search) userdn 
= ldap:///all;;)
 dn: cn=ranges,cn=etc,dc=ipa,dc=example
 aci: (targetattr = cn || createtimestamp || entryusn || ipabaseid || 
ipabaserid || ipaidrangesize || ipanttrusteddomainsid || iparangetype || 
ipasecondarybaserid || modifytimestamp || objectclass)(targetfilter = 
(objectclass=ipaidrange))(version 3.0;acl permission:System: Read ID 
Ranges;allow (compare,read,search) userdn = ldap:///all;;)
 dn: cn=views,cn=accounts,dc=ipa,dc=example
diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index bfa8675..9c87210 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -659,6 +659,7 @@ class idoverrideuser(baseidoverride):
 'ipapermdefaultattr': {
 'objectClass', 'ipaAnchorUUID', 'uidNumber', 'description',
 'homeDirectory', 'uid', 'ipaOriginalUid', 'loginShell', 
'gecos',
+'gidNumber', 'ipaSshPubkey',
 },
 },
 }
-- 
2.1.0


Re: [Freeipa-devel] [PATCH] 773-777 ranges: prohibit setting --rid-base with ipa-trust-ad-posix type

2014-10-24 Thread Petr Vobornik

On 23.10.2014 10:39, Martin Kosek wrote:

On 10/22/2014 07:39 PM, Tomas Babej wrote:

Hi,

thank you for the patches, comments inline.


On 10/15/2014 02:20 PM, Petr Vobornik wrote:

ticket: https://fedorahosted.org/freeipa/ticket/4221

== [PATCH] 773 ranges: prohibit setting --rid-base with
ipa-trust-ad-posix type ==

We should not allow setting --rid-base for ranges of
ipa-trust-ad-posix since we do not perform any RID - UID/GID mappings
for these ranges (objects have UID/GID set in AD). Thus, setting RID
base makes no sense.

Since ipaBaseRID is a MUST in ipaTrustedADDomainRange object class,
value '0' is allowed and used internally for 'ipa-trust-ad-posix'
range type.


We probably don't want to display the first RID if it is 0 and the type
is ad-posix. This occurs in idrange-find:

[tbabej@vm-043 labtool]$ ipa idrange-find


2 ranges matched

   Range name: DOM043.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
   First Posix ID of the range: 51480
   Number of IDs in the range: 20
   First RID of the corresponding RID range: 1000
   First RID of the secondary RID range: 1
   Range type: local domain range

   Range name: TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
   First Posix ID of the range: 1
   Number of IDs in the range: 20
   First RID of the corresponding RID range: 0
   Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726
   Range type: Active Directory trust range with POSIX attributes


Number of entries returned 2


And also idrange-show:

[tbabej@vm-043 labtool]$ ipa idrange-show 
TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
   Range name: TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
   First Posix ID of the range: 1
   Number of IDs in the range: 20
   First RID of the corresponding RID range: 0
   Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726
   Range type: Active Directory trust range with POSIX attributes




No schema change is done.


Fixed


snip



== [PATCH] 775 ldapupdater: set baserid to 0 for ipa-ad-trust-posix
ranges ==


Can you use the paged_search=True in find_entries instead of having an
infinite loop? It would make this code quite cleaner.


I also saw you did not update Makefile.am.


Because I did not add a new file.


updated patches attached (only 773-775 are changed)
--
Petr Vobornik
From 7be769b432984dbd54d14309dde465ce6ea24ab0 Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Wed, 3 Sep 2014 17:23:33 +0200
Subject: [PATCH 5/5] webui: prohibit setting rid base with ipa-trust-ad-posix
 type

Base RID is no longer editable for ipa-trust-ad-posix range type

Adder dialog:
- Range type selector was moved up because it affects a field above it

Details page:
- Only fields relevant to range's type are visible

https://fedorahosted.org/freeipa/ticket/4221
---
 install/ui/src/freeipa/idrange.js | 77 ++-
 1 file changed, 60 insertions(+), 17 deletions(-)

diff --git a/install/ui/src/freeipa/idrange.js b/install/ui/src/freeipa/idrange.js
index 12c0b288b766c059db6b844f445fb88b5821a1db..4e5dbfa00dcf80495d8a96f7fc961b9c6676691f 100644
--- a/install/ui/src/freeipa/idrange.js
+++ b/install/ui/src/freeipa/idrange.js
@@ -54,6 +54,11 @@ return {
 'cn',
 'iparangetype',
 {
+name: 'iparangetyperaw',
+read_only: true,
+visible: false
+},
+{
 name: 'ipabaseid',
 label: '@i18n:objects.idrange.ipabaseid',
 title: '@mo-param:idrange:ipabaseid:label'
@@ -80,6 +85,9 @@ return {
 }
 ]
 }
+],
+policies: [
+exp.idrange_policy
 ]
 }
 ],
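Review bot: `exp.idrange_policy` is referenced from the adder dialog spec here, but its definition is not among the visible hunks of this patch; make sure it is assigned on `exp` before the point where this spec object is built, otherwise the `policies` entry resolves to `undefined` and the range-type-dependent field handling silently does nothing. Adding a one-line comment next to the reference saying what the policy controls (hiding `ipabaserid` for the ipa-trust-ad-posix type, per the commit message) would also help the next reader.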
@@ -89,21 +97,6 @@ return {
 name: 'cn'
 },
 {
-name: 'ipabaseid',
-label: '@i18n:objects.idrange.ipabaseid',
-title: '@mo-param:idrange:ipabaseid:label'
-},
-{
-name: 'ipaidrangesize',
-label: '@i18n:objects.idrange.ipaidrangesize',
-title: '@mo-param:idrange:ipaidrangesize:label'
-},
-{
-name: 'ipabaserid',
-label: '@i18n:objects.idrange.ipabaserid',
-title: '@mo-param:idrange:ipabaserid:label'
-},
-{
 name: 'iparangetype',
 $type: 'radio',
 label: '@i18n:objects.idrange.type',
@@ -125,6 +118,21 @@ return {
 ]
 },
 {
+name: 'ipabaseid',
+label: 

Re: [Freeipa-devel] [PATCH] 0168 add permission for reading ipaSshPubkey for ID overrides

2014-10-24 Thread Martin Kosek

On 10/24/2014 03:32 PM, Alexander Bokovoy wrote:

On Fri, 24 Oct 2014, Martin Kosek wrote:

On 10/24/2014 02:14 PM, Alexander Bokovoy wrote:

On Fri, 24 Oct 2014, Alexander Bokovoy wrote:

Hi!

A small patch to fix https://fedorahosted.org/freeipa/ticket/4664


Sumit noted that we also miss gidNumber from the user's override
permissions. Added to the new version of the patch.


The patch itself works fine, I tested an upgrade + ldapsearch with host/
principal. However, the patch description needs an update to also reflect gidNumber
being added.

Updated.



ACK. Pushed to:
master: d6b28f29ecffae604801a5380efdff135734785d
ipa-4-1: 47ab6351f1dc75cee0f2b868401f38174b67f87a

Martin



Re: [Freeipa-devel] issues with Debian port

2014-10-24 Thread Timo Aaltonen
On 24.10.2014 11:19, Petr Vobornik wrote:
 On 23.10.2014 23:38, Timo Aaltonen wrote:


 Oh and the web UI is blank when I try it. Does the client install fail
 have
 something to do with it?

 
 A client install failure should not affect displaying the Web UI.
 
 What do you mean by blank?
 Are Web UI files downloaded?
 Is there a JavaScript error?
 
 This can be checked in the browser developer tools, in the console and network tabs.
 
 Web UI debugging help:
 https://pvoborni.fedorapeople.org/doc/#!/guide/Debugging

The debugging hint was key, I've now gone back to using embedded
dojo/jsquery instead of linking to system versions which didn't work
because the apache config didn't allow accessing them.

and the UI is looking rather nice ;)

-- 
t



[Freeipa-devel] [PATCH 0075] Ensure users exist when assigning tokens to them

2014-10-24 Thread Nathaniel McCallum
https://fedorahosted.org/freeipa/ticket/4642
From a5126724da30536210ce0399001d68e8e52778b3 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum npmccal...@redhat.com
Date: Fri, 24 Oct 2014 16:16:50 -0400
Subject: [PATCH] Ensure users exist when assigning tokens to them

https://fedorahosted.org/freeipa/ticket/4642
---
 ipalib/plugins/otptoken.py | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py
index 2b5f1c5fb83341d392e165a3507f5076820f1d3a..460204022939b6e945d04000c6ee4cef1bf327b1 100644
--- a/ipalib/plugins/otptoken.py
+++ b/ipalib/plugins/otptoken.py
@@ -100,8 +100,11 @@ def _convert_owner(userobj, entry_attrs, options):
 
 def _normalize_owner(userobj, entry_attrs):
 owner = entry_attrs.get('ipatokenowner', None)
-if owner is not None:
-entry_attrs['ipatokenowner'] = userobj.get_dn(owner)
+if owner:
+try:
+entry_attrs['ipatokenowner'] = userobj._normalize_manager(owner)[0]
+except NotFound:
+raise NotFound(reason=_('User %s not found') % owner)
 
 def _check_interval(not_before, not_after):
 if not_before and not_after:
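Review bot: three points on this hunk. `userobj._normalize_manager(owner)` reaches into a private helper of the user plugin from the otptoken plugin; if that lookup is the intended way to resolve a user, expose it under a public name on the user object rather than depending on an underscore method. `NotFound` must be imported in this module for both the `except` and the re-raise to work, and the import is outside the shown context, so confirm it is there. Finally, `if owner is not None:` became `if owner:`, so an empty-string owner is now left in `entry_attrs` untouched instead of being converted or rejected; confirm that is intended (an empty value most likely should clear the attribute rather than be stored as-is).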
-- 
2.1.0
