Re: [Freeipa-devel] [PATCH 0184] Always return absolute idnsname in dnszone commands
On 15/01/15 16:07, Jan Cholasta wrote: Dne 15.1.2015 v 15:39 Martin Basti napsal(a): On 15/01/15 15:07, Jan Cholasta wrote: Dne 15.1.2015 v 14:58 Martin Basti napsal(a): On 15/01/15 14:25, Jan Cholasta wrote: Hi, Dne 15.1.2015 v 13:27 Martin Basti napsal(a): On 15/01/15 13:17, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/4722 Patch attached. Fast fix. Updated patch attached. 1) Forward zone commands are not fixed. FWzones are new and always normalized to absolute name in ldap Would you bet your money on that? Better be safe than sorry, especially when it's just a matter of moving the code around (right?) 2) It seems that the primary key returned by -mod, -del and -show (.result.value) is made absolute somewhere else in the code. Would it be possible to do it in one place? IMO it is not possible. Value is generated from key, and key is normalized to absolute zone before calling execute. LDAPUpdate: ... if self.obj.primary_key: pkey = keys[-1] else: pkey = None return dict(result=entry_attrs, value=pkey_to_value(pkey, options)) The idnsname attribute is just taken from LDAP without any normalization Right. 3) Attribute values returned from LDAP are never None, so the if should be if 'idnsname' in entry_attrs:. Ok I will revert the change I made. 4) If idnsname always has only single value, use entry_attrs.single_value['idnsname'] = entry_attrs.single_value['idnsname'].make_absolute() Thanks Honza Updated patch attached. Updated patch attached. Thanks. Is there a reason why you put the _make_zone_absolute calls in dnszone_* and dnsforwardzone_* instead of DNSZoneBase_*? I moved callback into Base classes. Patch attached. -- Martin Basti From de0c7ddfaed92ec6bdda56658d8fb80c6dcd10ab Mon Sep 17 00:00:00 2001 
From: Martin Basti mba...@redhat.com Date: Thu, 15 Jan 2015 13:13:55 +0100 Subject: [PATCH] Always return absolute idnsname in dnszone commands Ticket: https://fedorahosted.org/freeipa/ticket/4722 --- ipalib/plugins/dns.py | 33 + 1 file changed, 33 insertions(+) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index 7a80036c94432a01ea8781101712ea1135134948..0fdddbbb826b920d90fff0f3fdeec6e991ca1755 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py @@ -2081,6 +2081,18 @@ class DNSZoneBase(LDAPObject): except errors.NotFound: raise e # re-raise original exception +def _make_zonename_absolute(self, entry_attrs, **options): + +Zone names can be relative in IPA 4.0, make sure we always return +absolute zone name from ldap + +if options.get('raw'): +return + +if idnsname in entry_attrs: +entry_attrs.single_value['idnsname'] = \ +entry_attrs.single_value['idnsname'].make_absolute() + class DNSZoneBase_add(LDAPCreate): @@ -2128,6 +2140,11 @@ class DNSZoneBase_del(LDAPDelete): class DNSZoneBase_mod(LDAPUpdate): has_output_params = LDAPUpdate.has_output_params + dnszone_output_params +def post_callback(self, ldap, dn, entry_attrs, *keys, **options): +assert isinstance(dn, DN) +self.obj._make_zonename_absolute(entry_attrs, **options) +return dn + class DNSZoneBase_find(LDAPSearch): __doc__ = _('Search for DNS zones (SOA records).') @@ -2162,6 +2179,11 @@ class DNSZoneBase_find(LDAPSearch): filter = _create_idn_filter(self, ldap, *args, **options) return (filter, base_dn, scope) +def post_callback(self, ldap, entries, truncated, *args, **options): +for entry_attrs in entries: +self.obj._make_zonename_absolute(entry_attrs, **options) +return truncated + class DNSZoneBase_show(LDAPRetrieve): has_output_params = LDAPRetrieve.has_output_params + dnszone_output_params 
@@ -2172,6 +2194,11 @@ class DNSZoneBase_show(LDAPRetrieve): self.obj.handle_not_found(*keys) return dn +def post_callback(self, ldap, dn, entry_attrs, *keys, **options): +assert isinstance(dn, DN) +self.obj._make_zonename_absolute(entry_attrs, **options) +return dn + class DNSZoneBase_disable(LDAPQuery): has_output = output.standard_value @@ -2797,6 +2824,8 @@ class dnszone_mod(DNSZoneBase_mod): def post_callback(self, ldap, dn, entry_attrs, *keys, **options): assert isinstance(dn, DN) +super(dnszone_mod, self).post_callback(ldap, dn, entry_attrs, + *keys, **options) self.obj._rr_zone_postprocess(entry_attrs, **options) return dn @@ -2833,6 +2862,8 @@ class dnszone_find(DNSZoneBase_find): return (filter, base_dn, scope) def post_callback(self, ldap, entries, truncated, *args, **options): +super(dnszone_find, self).post_callback(ldap, entries, truncated, +
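Review bot: dnszone_mod and dnszone_find now chain to the new base post_callback with super(), but the diff stops mid-hunk after dnszone_find, so it is not visible whether dnszone_show (or any dnsforwardzone_* command) overrides post_callback without calling super; any such override silently skips _make_zonename_absolute for that one command, so please check each subclass and add the super() call where it is missing. The early `return` on `options.get('raw')` means `--raw` output still carries the relative zone name exactly as stored, which matches raw semantics but deserves a sentence in the _make_zonename_absolute docstring so nobody later "fixes" it.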
Re: [Freeipa-devel] [PATCH] 388 Remove RUV from LDIF files before using them in ipa-restore
Dne 13.1.2015 v 17:58 Jan Cholasta napsal(a): Dne 13.1.2015 v 17:44 Petr Vobornik napsal(a): On 01/12/2015 05:46 PM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4822. Honza works for me, ACK Thanks, pushed to: master: 05e6adecb51b93e9b9d2326df4eabee90c3dfe72 ipa-4-1: eb7917026d418a6d6a1e7a24a19097065df10497 Posting additional patch 394 which fixes a SELinux issue. -- Jan Cholasta From 6f88548e2302c1f99d0756afa351ce79b7e4ed67 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Tue, 20 Jan 2015 11:22:29 + Subject: [PATCH] Put LDIF files to their original location in ipa-restore This prevents SELinux failures during online data restore. https://fedorahosted.org/freeipa/ticket/4822 --- ipaserver/install/ipa_restore.py | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py index be48716..562a793 100644 --- a/ipaserver/install/ipa_restore.py +++ b/ipaserver/install/ipa_restore.py @@ -504,10 +504,17 @@ class Restore(admintool.AdminTool): cn = time.strftime('import_%Y_%m_%d_%H_%M_%S') dn = DN(('cn', cn), ('cn', 'import'), ('cn', 'tasks'), ('cn', 'config')) +ldifdir = paths.SLAPD_INSTANCE_LDIF_DIR_TEMPLATE % instance ldifname = '%s-%s.ldif' % (instance, backend) +ldiffile = os.path.join(ldifdir, ldifname) srcldiffile = os.path.join(self.dir, ldifname) -ldiffile = '%s.noruv' % srcldiffile +if not os.path.exists(ldifdir): +pent = pwd.getpwnam(DS_USER) +os.mkdir(ldifdir, 0770) +os.chown(ldifdir, pent.pw_uid, pent.pw_gid) + +ipautil.backup_file(ldiffile) with open(ldiffile, 'wb') as out_file: ldif_writer = ldif.LDIFWriter(out_file) with open(srcldiffile, 'rb') as in_file: -- 2.1.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
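Review bot: only the directory is chowned to DS_USER; the LDIF file itself is created by `open(ldiffile, 'wb')` as the user running ipa-restore (root) with umask-derived permissions, so if the dirsrv import task reads it from its own LDIF directory the file should be chowned (or given a group-readable mode) the same way the directory is, otherwise the SELinux fix may be replaced by a plain permission failure. The hunk also uses `pwd.getpwnam` and `DS_USER` without showing their imports, so confirm both are already in scope in ipa_restore.py.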
Re: [Freeipa-devel] [PATCH] 390 Do not crash on unknown services in installutils.stopped_service
Dne 13.1.2015 v 18:55 Jan Cholasta napsal(a): Dne 13.1.2015 v 18:46 David Kupka napsal(a): On 01/13/2015 05:55 PM, Jan Cholasta wrote: Dne 13.1.2015 v 12:12 Jan Cholasta napsal(a): Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4835. Honza Modified the fix to create only one service object in stopped_service. Updated patch attached. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Hi! Thanks for the patch. Works for me, ACK. Thanks, pushed to: master: 5bf1c9a6f7d734c296c8eb987cfc4f7e2a345130 ipa-4-1: 065e2bbc9f2260d8c60c55f92a386513727576da Posting additional patch 393 which is necessary to properly fix this. David, could you take a look please? -- Jan Cholasta From 92b37953087d5e396b1c3bf0a3b776558d6b894c Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Tue, 20 Jan 2015 09:38:43 + Subject: [PATCH] Do not assume certmonger is running in httpinstance https://fedorahosted.org/freeipa/ticket/4835 --- ipaserver/install/httpinstance.py | 48 +++ 1 file changed, 29 insertions(+), 19 deletions(-) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 2fb315b..cda85ab 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -39,6 +39,7 @@ from ipaserver.install import sysupgrade from ipalib import api from ipaplatform.tasks import tasks from ipaplatform.paths import paths +from ipaplatform import services SELINUX_BOOLEAN_SETTINGS = dict( 
@@ -228,25 +229,34 @@ class HTTPInstance(service.Service): print Adding Include conf.d/ipa-rewrite to %s failed. % paths.HTTPD_NSS_CONF def configure_certmonger_renewal_guard(self): -bus = dbus.SystemBus() -obj = bus.get_object('org.fedorahosted.certmonger', - '/org/fedorahosted/certmonger') -iface = dbus.Interface(obj, 'org.fedorahosted.certmonger') -path = iface.find_ca_by_nickname('IPA') -if path: -ca_obj = bus.get_object('org.fedorahosted.certmonger', path) -ca_iface = dbus.Interface(ca_obj, - 'org.freedesktop.DBus.Properties') -helper = ca_iface.Get('org.fedorahosted.certmonger.ca', - 'external-helper') -if helper: -args = shlex.split(helper) -if args[0] != paths.IPA_SERVER_GUARD: -self.backup_state('certmonger_ipa_helper', helper) -args = [paths.IPA_SERVER_GUARD] + args -helper = ' '.join(pipes.quote(a) for a in args) -ca_iface.Set('org.fedorahosted.certmonger.ca', - 'external-helper', helper) +certmonger = services.knownservices.certmonger +certmonger_stopped = not certmonger.is_running() + +if certmonger_stopped: +certmonger.start() +try: +bus = dbus.SystemBus() +obj = bus.get_object('org.fedorahosted.certmonger', + '/org/fedorahosted/certmonger') +iface = dbus.Interface(obj, 'org.fedorahosted.certmonger') +path = iface.find_ca_by_nickname('IPA') +if path: +ca_obj = bus.get_object('org.fedorahosted.certmonger', path) +ca_iface = dbus.Interface(ca_obj, + 'org.freedesktop.DBus.Properties') +helper = ca_iface.Get('org.fedorahosted.certmonger.ca', + 'external-helper') +if helper: +args = shlex.split(helper) +if args[0] != paths.IPA_SERVER_GUARD: +self.backup_state('certmonger_ipa_helper', helper) +args = [paths.IPA_SERVER_GUARD] + args +helper = ' '.join(pipes.quote(a) for a in args) +ca_iface.Set('org.fedorahosted.certmonger.ca', + 'external-helper', helper) +finally: +if certmonger_stopped: +certmonger.stop() def __setup_ssl(self): fqdn = self.fqdn -- 2.1.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com 
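Review bot: the start/try/finally/stop wrapper is correct as written (certmonger.start() sits outside the try, so a failed start does not trigger a spurious stop, and stop is only called when the service was found stopped), but it is exactly the shape a started_service context manager would capture as the counterpart to the existing installutils.stopped_service, and extracting it would avoid repeating the `certmonger_stopped` bookkeeping in the next caller. Also please check that the uninstall path which restores the helper recorded by `backup_state('certmonger_ipa_helper', helper)` applies the same guard, since it talks to certmonger over D-Bus as well and would hit the same ticket.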
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 390 Do not crash on unknown services in installutils.stopped_service
On 01/20/2015 10:49 AM, Jan Cholasta wrote: On 13.1.2015 at 18:55 Jan Cholasta wrote: On 13.1.2015 at 18:46 David Kupka wrote: On 01/13/2015 05:55 PM, Jan Cholasta wrote: On 13.1.2015 at 12:12 Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4835. Honza Modified the fix to create only one service object in stopped_service. Updated patch attached. Hi! Thanks for the patch. Works for me, ACK. Thanks, pushed to: master: 5bf1c9a6f7d734c296c8eb987cfc4f7e2a345130 ipa-4-1: 065e2bbc9f2260d8c60c55f92a386513727576da Posting additional patch 393 which is necessary to properly fix this. David, could you take a look please? Just looking at this patch, I am thinking it would be great to have @contextmanager also for started_service (we already have stopped_service) and use it (not required for this patch though). Martin
Re: [Freeipa-devel] [PATCH] 390 Do not crash on unknown services in installutils.stopped_service
On 01/20/2015 12:07 PM, Martin Kosek wrote: On 01/20/2015 10:49 AM, Jan Cholasta wrote: On 13.1.2015 at 18:55 Jan Cholasta wrote: On 13.1.2015 at 18:46 David Kupka wrote: On 01/13/2015 05:55 PM, Jan Cholasta wrote: On 13.1.2015 at 12:12 Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4835. Honza Modified the fix to create only one service object in stopped_service. Updated patch attached. Hi! Thanks for the patch. Works for me, ACK. Thanks, pushed to: master: 5bf1c9a6f7d734c296c8eb987cfc4f7e2a345130 ipa-4-1: 065e2bbc9f2260d8c60c55f92a386513727576da Posting additional patch 393 which is necessary to properly fix this. David, could you take a look please? Just looking at this patch, I am thinking it would be great to have @contextmanager also for started_service (we already have stopped_service) and use it (not required for this patch though). It would be handy. And there is another solution for this specific case. Certmonger could be started with an incoming DBus message. This will improve the usability not only with freeipa but also with command-line tools like getcert. I've filed a ticket for certmonger: https://fedorahosted.org/certmonger/ticket/38 Martin -- David Kupka
Re: [Freeipa-devel] [PATCH] 390 Do not crash on unknown services in installutils.stopped_service
On 01/20/2015 12:19 PM, David Kupka wrote: On 01/20/2015 12:07 PM, Martin Kosek wrote: On 01/20/2015 10:49 AM, Jan Cholasta wrote: On 13.1.2015 at 18:55 Jan Cholasta wrote: On 13.1.2015 at 18:46 David Kupka wrote: On 01/13/2015 05:55 PM, Jan Cholasta wrote: On 13.1.2015 at 12:12 Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4835. Honza Modified the fix to create only one service object in stopped_service. Updated patch attached. Hi! Thanks for the patch. Works for me, ACK. Thanks, pushed to: master: 5bf1c9a6f7d734c296c8eb987cfc4f7e2a345130 ipa-4-1: 065e2bbc9f2260d8c60c55f92a386513727576da Posting additional patch 393 which is necessary to properly fix this. David, could you take a look please? Just looking at this patch, I am thinking it would be great to have @contextmanager also for started_service (we already have stopped_service) and use it (not required for this patch though). It would be handy. And there is another solution for this specific case. Certmonger could be started with an incoming DBus message. This will improve the usability not only with freeipa but also with command-line tools like getcert. I've filed a ticket for certmonger: https://fedorahosted.org/certmonger/ticket/38 Right. But this needs more testing and care. Currently, we need to stabilize and fix a bug in FreeIPA that is also requested from downstream platform. Jan's patch/approach will be good for now. Martin
Re: [Freeipa-devel] [PATCH] 0035 client: Update DNS with all available local IP addresses.
On 15.1.2015 20:49, Lukas Slebodnik wrote: On (15/01/15 20:38), Martin Basti wrote: On 15/01/15 20:24, Martin Basti wrote: On 15/01/15 17:13, David Kupka wrote: On 01/15/2015 03:22 PM, David Kupka wrote: On 01/15/2015 12:43 PM, David Kupka wrote: On 01/12/2015 06:34 PM, Martin Basti wrote: On 09/01/15 14:43, David Kupka wrote: On 01/07/2015 04:15 PM, Martin Basti wrote: On 07/01/15 12:27, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4249 Thank you for patch: 1) -root_logger.error(Cannot update DNS records! - Failed to connect to server '%s'., server) +ips = get_local_ipaddresses() +except CalledProcessError as e: +root_logger.error(Cannot update DNS records. %s % e) IMO the error message should be more specific, add there something like Unable to get local IP addresses. at least in log.debug() 2) +lines = ipresult[0].replace('\\', '').split('\n') .replace() is not needed 3) +if len(ips) == 0: if not ips: is more pythonic by PEP8 Thanks for catching these. Updated patch attached. merciful NACK Thank you for the patch, unfortunately I hit one issue which needs to be resolved. If sync PTR is activated in zone settings, and reverse zone doesn't exists, nsupdate/BIND returns SERVFAIL and ipa-client-install print Error message, 'DNS update failed'. In fact, all A/ records was succesfully updated, only PTR records failed. Bind log: named-pkcs11[28652]: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com' named-pkcs11[28652]: PTR record synchronization (addition) for A/ 'vm-101.example.com.' refused: unable to find active reverse zone for IP address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found With IPv6 we have several addresses from different reverse zones and this situation may happen often. I suggest following: 1) Print list of addresses which will be updated. (Now if update fails, user needs to read log, which addresses installer tried to update) 2) Split nsupdates per A/ record. 
3a) If failed, check with DNS query if A/ and PTR record are there and print proper error message 3b) Just print A/ (or PTR) record may not be updated for particular IP address. Any other suggestions are welcome. After long discussion with DNS and UX guru I've implemented it this way: 1. Call nsupdate only once with all updates. 2. Verify that the expected records are resolvable. 3. If no print list of missing A/, list of missing PTR records and list to mismatched PTR record. As this is running inside client we can't much more and it's up to user to check what's rotten in his DNS setup. Updated patch attached. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel One more change to behave well in -crazy- exotic environments that resolves more PTR records for single IP. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Yet another change to make language nerds and our UX guru happy :-) Sorry, but NACK. 1) BIND/dyndb-ldap bug? (if sync_ptr is enabled) +try: +answers = dns.resolver.query(fqdn, record_type) +except dns.resolver.NoAnswer: +if record_type == dns.rdatatype.A: +root_logger.debug('No A record for %s' % fqdn) +elif record_type == dns.rdatatype.: +root_logger.debug('No record for %s' % fqdn) +except dns.exception.DNSException as e: +root_logger.debug('DNS resolver error: ' % e) +else: +for rdata in answers: +try: +missing_ips.remove(rdata.address) +except ValueError: +extra_ips.append(rdata.address) This somehow doesn't work, for missing A/ records (4 A/ records expected) $host `hostname` vm-024.example.com has address 10.16.78.24 vm-024.example.com has IPv6 address fed0:babe:baab:0:21a:4aff:fe10:4e37 But I get *no warning*. == Why == Probably bug in BIND, all /A records *exists for several seconds*, then bind remove all A/ records without PTR record. 
(Needs more investigation, maybe it is dependent on bind version, in previous testing, the A/ records stay untouched ) This it the older journal from the *same machine* with same packages, where record without PTR haven't been deleted after few seconds EXAMPLE.COM: updating zone 'example.com/IN': deleting rrset at 'vm-101.example.com' A EXAMPLE.COM: updating zone 'example.com/IN': deleting rrset at 'vm-101.example.com' EXAMPLE.COM: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com' A EXAMPLE.COM: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com'
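Review bot: `root_logger.debug('DNS resolver error: ' % e)` in the quoted snippet has no `%s` placeholder, so the `%` operator raises TypeError (not all arguments converted) and the generic dns.exception.DNSException branch turns into a crash instead of a debug line; it should read `root_logger.debug('DNS resolver error: %s', e)`. Separately, the verification runs immediately after nsupdate and only checks that the expected address records resolve at that instant, so the behaviour Martin describes (records present for a few seconds and then removed by BIND's PTR synchronization) passes the check and produces no warning; logging the full answer set per record type, or re-querying once after a short delay, would make that outcome visible in the client log instead of silently reporting success.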
Re: [Freeipa-devel] [PATCH] 390 Do not crash on unknown services in installutils.stopped_service
On 01/20/2015 10:49 AM, Jan Cholasta wrote: On 13.1.2015 at 18:55 Jan Cholasta wrote: On 13.1.2015 at 18:46 David Kupka wrote: On 01/13/2015 05:55 PM, Jan Cholasta wrote: On 13.1.2015 at 12:12 Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4835. Honza Modified the fix to create only one service object in stopped_service. Updated patch attached. Hi! Thanks for the patch. Works for me, ACK. Thanks, pushed to: master: 5bf1c9a6f7d734c296c8eb987cfc4f7e2a345130 ipa-4-1: 065e2bbc9f2260d8c60c55f92a386513727576da Posting additional patch 393 which is necessary to properly fix this. David, could you take a look please? Pushed to: master: 82ab0eabf8b963023611ceb42f87244f40651c05 ipa-4-1: f204b28da316f60d85c6a6a0578e78ac74397fac Martin
Re: [Freeipa-devel] [PATCH] 390 Do not crash on unknown services in installutils.stopped_service
On 01/20/2015 10:49 AM, Jan Cholasta wrote: On 13.1.2015 at 18:55 Jan Cholasta wrote: On 13.1.2015 at 18:46 David Kupka wrote: On 01/13/2015 05:55 PM, Jan Cholasta wrote: On 13.1.2015 at 12:12 Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4835. Honza Modified the fix to create only one service object in stopped_service. Updated patch attached. Hi! Thanks for the patch. Works for me, ACK. Thanks, pushed to: master: 5bf1c9a6f7d734c296c8eb987cfc4f7e2a345130 ipa-4-1: 065e2bbc9f2260d8c60c55f92a386513727576da Posting additional patch 393 which is necessary to properly fix this. David, could you take a look please? Hi! Thanks for the patch. We know that there are better ways to do it but this works as expected and we need the fix now, ACK. -- David Kupka
[Freeipa-devel] [PATCH] 492 Add anonymous read ACI for DUA profile
DUA profile(s) are consumed by Solaris clients. https://fedorahosted.org/freeipa/ticket/4850 -- Martin Kosek mko...@redhat.com Supervisor, Software Engineering - Identity Management Team Red Hat Inc. From 19b460c4154becd801f71d14b84c8ad72033c6db Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Tue, 20 Jan 2015 17:57:07 +0100 Subject: [PATCH] Add anonymous read ACI for DUA profile DUA profile(s) are consumed by Solaris clients. https://fedorahosted.org/freeipa/ticket/4850 --- ACI.txt | 2 ++ .../install/plugins/update_managed_permissions.py | 19 +++ 2 files changed, 21 insertions(+) diff --git a/ACI.txt b/ACI.txt index fdef43e63595d6b5b38237991ff4fcdaa8225666..daa4652e157ab8531117fb047e2c80ba046b117f 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -300,6 +300,8 @@ dn: cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example aci: (targetattr = cacertificate || cn || createtimestamp || entryusn || ipacertissuerserial || ipacertsubject || ipaconfigstring || ipakeyextusage || ipakeytrust || ipakeyusage || ipapublickey || modifytimestamp || objectclass)(targetfilter = (objectclass=ipacertificate))(version 3.0;acl permission:System: Read Certificate Store Entries;allow (compare,read,search) userdn = ldap:///anyone;;) dn: cn=dna,cn=ipa,cn=etc,dc=ipa,dc=example aci: (targetattr = cn || createtimestamp || dnahostname || dnaportnum || dnaremainingvalues || dnaremotebindmethod || dnaremoteconnprotocol || dnasecureportnum || entryusn || modifytimestamp || objectclass)(targetfilter = (objectclass=dnasharedconfig))(version 3.0;acl permission:System: Read DNA Configuration;allow (compare,read,search) userdn = ldap:///all;;) +dn: ou=profile,dc=ipa,dc=example +aci: (targetattr = attributemap || authenticationmethod || bindtimelimit || credentiallevel || defaultsearchbase || defaultsearchscope || defaultserverlist || dereferencealiases || followreferrals || objectclassmap || ou || preferredserverlist || profilettl || searchtimelimit || serviceauthenticationmethod || servicecredentiallevel || servicesearchdescriptor)(targetfilter = (|(objectclass=organizationalUnit)(objectclass=DUAConfigProfile)))(version 3.0;acl permission:System: Read DUA Profile;allow (compare,read,search) userdn = ldap:///anyone;;) dn: cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example aci: (targetattr = cn || createtimestamp || entryusn || ipaconfigstring || modifytimestamp || objectclass)(targetfilter = (objectclass=nscontainer))(version 3.0;acl permission:System: Read IPA Masters;allow (compare,read,search) groupdn = ldap:///cn=System: Read IPA Masters,cn=permissions,cn=pbac,dc=ipa,dc=example;) dn: cn=config 
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py index 032485aac5b84b12b91464f16870c9940b18bc2d..a34ba08cb0ab719c91b19830f5b5e3124ef9d742 100644 --- a/ipaserver/install/plugins/update_managed_permissions.py +++ b/ipaserver/install/plugins/update_managed_permissions.py @@ -320,6 +320,25 @@ 'winsyncsubtreepair', }, 'default_privileges': {'Replication Administrators'}, +}, +'System: Read DUA Profile': { +'ipapermlocation': DN('ou=profile', api.env.basedn), +'ipapermtargetfilter': { +'(|' +'(objectclass=organizationalUnit)' +'(objectclass=DUAConfigProfile)' +')' +}, +'ipapermbindruletype': 'anonymous', +'ipapermright': {'read', 'search', 'compare'}, +'ipapermdefaultattr': { +'objectclass', 'ou', 'defaultServerList', 'preferredServerList', +'defaultSearchBase', 'defaultSearchScope', 'searchTimeLimit', +'bindTimeLimit', 'credentialLevel', 'authenticationMethod', +'followReferrals', 'dereferenceAliases', 'serviceSearchDescriptor', +'serviceCredentialLevel', 'serviceAuthenticationMethod', +'objectclassMap', 'attributeMap', 'profileTTL' +}, } } -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
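Review bot: `cn` is missing from ipapermdefaultattr, and therefore from the generated targetattr list in ACI.txt, even though it is the mandatory naming attribute of DUAConfigProfile; because the ACI grants search only on the listed attributes, an anonymous DUA client looking up a profile by `(cn=...)` under ou=profile gets no match, so add 'cn' to the set. The anonymous bind rule itself is appropriate for this data: DUAConfigProfile holds server lists, search bases and method selectors (credentialLevel, authenticationMethod), not credentials, and including organizationalUnit in the targetfilter is needed so the ou=profile container is readable for the client's base search.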
[Freeipa-devel] [PATCH 0186] Add debug messages into client realm autodetection
It was hard to debug issue with client, when for several issues was raised only one error. Patch attached. -- Martin Basti From 11d154d0df7cc208c168a69d05e232ac253a210b Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Tue, 20 Jan 2015 17:30:51 +0100 Subject: [PATCH] Add debug messages into client autodetection Is hard to debug what the problem with REALM is without debug messages. --- ipa-client/ipaclient/ipadiscovery.py | 5 + 1 file changed, 5 insertions(+) diff --git a/ipa-client/ipaclient/ipadiscovery.py b/ipa-client/ipaclient/ipadiscovery.py index 0d574825aa493a8d565afe30077b74aec03924a3..5e316837de7f10c1797198f881f58546e0ed3f43 100644 --- a/ipa-client/ipaclient/ipadiscovery.py +++ b/ipa-client/ipaclient/ipadiscovery.py @@ -390,10 +390,15 @@ class IPADiscovery(object): if trealm == r: return [0, thost, trealm] # must match or something is very wrong +root_logger.debug(Realm %s does not match any realm in LDAP + database, trealm) return [REALM_NOT_FOUND] else: if len(lrealms) != 1: #which one? we can't attach to a multi-realm server without DNS working +root_logger.debug(Multiple realms found, cannot decide + which realm is the right without + working DNS) return [REALM_NOT_FOUND] else: return [0, thost, lrealms[0]] -- 2.1.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
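Review bot: the multi-realm debug message reports that there was ambiguity but not between which realms; logging the candidates in the same style as the first message that logs trealm, e.g. `root_logger.debug("Multiple realms found (%s), cannot decide which realm is the right one without working DNS", lrealms)`, costs nothing and is what an admin reading the client log actually needs. Minor wording in the same hunk: "which realm is the right without working DNS" reads better as "which realm is the right one without working DNS".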
Re: [Freeipa-devel] [PATCH] 492 Add anonymous read ACI for DUA profile
On 01/20/2015 05:58 PM, Martin Kosek wrote: DUA profile(s) are consumed by Solaris clients. https://fedorahosted.org/freeipa/ticket/4850 I forgot to add CN to the list (I only coppied all the MAY attributes). Fix attached. Martin From 7c15c924c8d6035e2459c6dee2d397a79d317203 Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Tue, 20 Jan 2015 17:57:07 +0100 Subject: [PATCH] Add anonymous read ACI for DUA profile DUA profile(s) are consumed by Solaris clients. https://fedorahosted.org/freeipa/ticket/4850 --- ACI.txt | 2 ++ .../install/plugins/update_managed_permissions.py| 20 2 files changed, 22 insertions(+) diff --git a/ACI.txt b/ACI.txt index fdef43e63595d6b5b38237991ff4fcdaa8225666..c5483ad4d3428c0449f3e099600e0384e573f17a 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -300,6 +300,8 @@ dn: cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example aci: (targetattr = cacertificate || cn || createtimestamp || entryusn || ipacertissuerserial || ipacertsubject || ipaconfigstring || ipakeyextusage || ipakeytrust || ipakeyusage || ipapublickey || modifytimestamp || objectclass)(targetfilter = (objectclass=ipacertificate))(version 3.0;acl permission:System: Read Certificate Store Entries;allow (compare,read,search) userdn = ldap:///anyone;;) dn: cn=dna,cn=ipa,cn=etc,dc=ipa,dc=example aci: (targetattr = cn || createtimestamp || dnahostname || dnaportnum || dnaremainingvalues || dnaremotebindmethod || dnaremoteconnprotocol || dnasecureportnum || entryusn || modifytimestamp || objectclass)(targetfilter = (objectclass=dnasharedconfig))(version 3.0;acl permission:System: Read DNA Configuration;allow (compare,read,search) userdn = ldap:///all;;) +dn: ou=profile,dc=ipa,dc=example +aci: (targetattr = attributemap || authenticationmethod || bindtimelimit || cn || createtimestamp || credentiallevel || defaultsearchbase || defaultsearchscope || defaultserverlist || dereferencealiases || entryusn || followreferrals || modifytimestamp || objectclass || objectclassmap || ou || preferredserverlist || profilettl || searchtimelimit || serviceauthenticationmethod || servicecredentiallevel || servicesearchdescriptor)(targetfilter = (|(objectclass=organizationalUnit)(objectclass=DUAConfigProfile)))(version 3.0;acl permission:System: Read DUA Profile;allow (compare,read,search) userdn = ldap:///anyone;;) dn: cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example aci: (targetattr = cn || createtimestamp || entryusn || ipaconfigstring || modifytimestamp || objectclass)(targetfilter = (objectclass=nscontainer))(version 3.0;acl permission:System: Read IPA Masters;allow (compare,read,search) groupdn = ldap:///cn=System: Read IPA Masters,cn=permissions,cn=pbac,dc=ipa,dc=example;) dn: cn=config 
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py index 032485aac5b84b12b91464f16870c9940b18bc2d..430a2919a315bfd8d8e6174a915890d44b782c5c 100644 --- a/ipaserver/install/plugins/update_managed_permissions.py +++ b/ipaserver/install/plugins/update_managed_permissions.py @@ -320,6 +320,26 @@ 'winsyncsubtreepair', }, 'default_privileges': {'Replication Administrators'}, +}, +'System: Read DUA Profile': { +'ipapermlocation': DN('ou=profile', api.env.basedn), +'ipapermtargetfilter': { +'(|' +'(objectclass=organizationalUnit)' +'(objectclass=DUAConfigProfile)' +')' +}, +'ipapermbindruletype': 'anonymous', +'ipapermright': {'read', 'search', 'compare'}, +'ipapermdefaultattr': { +'objectclass', 'ou', 'cn', 'defaultServerList', +'preferredServerList', 'defaultSearchBase', 'defaultSearchScope', +'searchTimeLimit', 'bindTimeLimit', 'credentialLevel', +'authenticationMethod', 'followReferrals', 'dereferenceAliases', +'serviceSearchDescriptor', 'serviceCredentialLevel', +'serviceAuthenticationMethod', 'objectclassMap', 'attributeMap', +'profileTTL' +}, } } -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
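Review bot: the generated ACI.txt line now matches the plugin definition, including cn plus the operational attributes the managed-permission updater appends (createtimestamp, entryusn, modifytimestamp) and objectclass, so the two hunks are consistent. One thing to verify before pushing to ipa-4-1: ipapermlocation is `ou=profile` under the base DN, and the updater needs that container to exist on upgraded servers as well as on fresh installs, otherwise the permission entry points at a missing subtree and the ACI grants nothing.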
Re: [Freeipa-devel] [PATCH 0186] Add debug messages into client realm autodetection
On Tue, 20 Jan 2015, Martin Basti wrote: It was hard to debug issue with client, when for several issues was raised only one error. Patch attached. -- Martin Basti From 11d154d0df7cc208c168a69d05e232ac253a210b Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Tue, 20 Jan 2015 17:30:51 +0100 Subject: [PATCH] Add debug messages into client autodetection Is hard to debug what the problem with REALM is without debug messages. --- ipa-client/ipaclient/ipadiscovery.py | 5 + 1 file changed, 5 insertions(+) diff --git a/ipa-client/ipaclient/ipadiscovery.py b/ipa-client/ipaclient/ipadiscovery.py index 0d574825aa493a8d565afe30077b74aec03924a3..5e316837de7f10c1797198f881f58546e0ed3f43 100644 --- a/ipa-client/ipaclient/ipadiscovery.py +++ b/ipa-client/ipaclient/ipadiscovery.py @@ -390,10 +390,15 @@ class IPADiscovery(object): if trealm == r: return [0, thost, trealm] # must match or something is very wrong +root_logger.debug(Realm %s does not match any realm in LDAP + database, trealm) return [REALM_NOT_FOUND] else: if len(lrealms) != 1: #which one? we can't attach to a multi-realm server without DNS working +root_logger.debug(Multiple realms found, cannot decide + which realm is the right without + working DNS) return [REALM_NOT_FOUND] else: return [0, thost, lrealms[0]] ACK -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0186] Add debug messages into client realm autodetection
On 01/20/2015 06:44 PM, Alexander Bokovoy wrote: On Tue, 20 Jan 2015, Martin Basti wrote: It was hard to debug issue with client, when for several issues was raised only one error. Patch attached. -- Martin Basti From 11d154d0df7cc208c168a69d05e232ac253a210b Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Tue, 20 Jan 2015 17:30:51 +0100 Subject: [PATCH] Add debug messages into client autodetection Is hard to debug what the problem with REALM is without debug messages. --- ipa-client/ipaclient/ipadiscovery.py | 5 + 1 file changed, 5 insertions(+) diff --git a/ipa-client/ipaclient/ipadiscovery.py b/ipa-client/ipaclient/ipadiscovery.py index 0d574825aa493a8d565afe30077b74aec03924a3..5e316837de7f10c1797198f881f58546e0ed3f43 100644 --- a/ipa-client/ipaclient/ipadiscovery.py +++ b/ipa-client/ipaclient/ipadiscovery.py @@ -390,10 +390,15 @@ class IPADiscovery(object): if trealm == r: return [0, thost, trealm] # must match or something is very wrong +root_logger.debug(Realm %s does not match any realm in LDAP + database, trealm) return [REALM_NOT_FOUND] else: if len(lrealms) != 1: #which one? we can't attach to a multi-realm server without DNS working +root_logger.debug(Multiple realms found, cannot decide + which realm is the right without + working DNS) return [REALM_NOT_FOUND] else: return [0, thost, lrealms[0]] ACK This is fine even for ipa-4-1 branch. Pushed to: master: af1f87a0346653532deeb04dc7f236d143c8b9a7 ipa-4-1: 1bde1b03ef24b83646bec7becd1b263c5835c5c5 Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 492 Add anonymous read ACI for DUA profile
Hi, On 20.1.2015 at 18:05 Martin Kosek wrote: On 01/20/2015 05:58 PM, Martin Kosek wrote: DUA profile(s) are consumed by Solaris clients. https://fedorahosted.org/freeipa/ticket/4850 I forgot to add CN to the list (I only copied all the MAY attributes). Fix attached. Martin Works for me, ACK. Pushed to: master: 0a7a8d66040f7a5f0e55da4b01e614dd9b569a00 ipa-4-1: b54b740f7903a0722930cc281ccb5a2bece45aef Honza -- Jan Cholasta
Re: [Freeipa-devel] [PATCH] 388 Remove RUV from LDIF files before using them in ipa-restore
On 01/20/2015 12:59 PM, Jan Cholasta wrote: On 13.1.2015 at 17:58 Jan Cholasta wrote: On 13.1.2015 at 17:44 Petr Vobornik wrote: On 01/12/2015 05:46 PM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4822. Honza works for me, ACK Thanks, pushed to: master: 05e6adecb51b93e9b9d2326df4eabee90c3dfe72 ipa-4-1: eb7917026d418a6d6a1e7a24a19097065df10497 Posting additional patch 394 which fixes a SELinux issue. Works fine, thanks. ACK. Pushed to: master: 4994cd1d8dde69d94130894ca86aa8a11fb590bf ipa-4-1: 85599416ae4a0cc83b8e0669e686740dd2a10ea2 Martin