Re: [Freeipa-devel] NTP in FreeIPA
On Thu, Nov 24, 2016 at 9:14 AM, Martin Basti <mba...@redhat.com> wrote:

> On 24.11.2016 16:11, Gabe Alford wrote:
>
> On Thu, Nov 24, 2016 at 1:29 AM, Martin Basti <mba...@redhat.com> wrote:
>
>> On 24.11.2016 07:06, David Kupka wrote:
>>
>>> On 22/11/16 23:15, Gabe Alford wrote:
>>>
>>>> I would say that it is worth keeping in FreeIPA. I know myself and some
>>>> customers use its functionality by having the clients sync to the IPA
>>>> servers and have the servers sync to the NTP source. This way if the NTP
>>>> source ever gets disrupted for long periods of time (which has happened in
>>>> my environment) the client time drifts with the authentication source. This
>>>> is the way that AD often works and is configured.
>>>
>>> Hello Gabe,
>>> I agree that it's common practice to synchronize all nodes in network
>>> with single source in order to have the same time and save bandwidth. Also
>>> I understand that it's comfortable to let FreeIPA installer take care of it.
>>> But I don't think FreeIPA should do it IMO this is job for Ansible or
>>> similar tool. Also the problem is that in some situations FreeIPA installer
>>> makes it worse.
>>>
>>> Example:
>>>
>>> 1. Install FreeIPA server (ipa1.example.org)
>>> 2. Install FreeIPA client on all nodes in network
>>> 3. Install replica (ipa2.example.org) of FreeIPA server to increase
>>> redundancy
>>
> Why not have NTP look at a _srv_ records?
>
> Do ntpclients support this natively? I just found some ugly hacks for
> chrony, i.e extra service that is dynamically changing config file.
> But yes this may be way too, but dirty.

You are right. It is ugly. I wonder if we can push to make it not so ugly so that _srv_ is used for both Chrony and NTP which IMO makes those two products better. If not and the desire is truly to get rid of chrony/ntp configuration on the client side, what about adding Chrony and NTP configuration to ipa-advise?

>> Now all the clients have ipa1.example.org as the only server in
>>> /etc/ntp.conf. If the first FreeIPA server becomes unreachable all clients
>>> will be able to contact KDC on the other server thanks to DNS autodiscovery
>>> in libkrb5 but will be unable to synchronize time.
>>>
>> This can be resolved by DHCP configured NTP. When NTP server changed, you
>> just change DHCPd config and hosts conf will be synced.
>> We may keep NTP on IPA server side configured, but I'm voting for
>> removing it from clients and document+endorse people to use DHCP (anyway
>> distros have always enabled some time synchronization so it should
>> naturally work without even in small deployments)
>>
>
> If NTP is still configured on the IPA server, this may be less of an
> issue. Not everyone has/is/will be using ansible. Also in secure
> environments, DHCP is not allowed/used at all.
>
>> Also NTP is somehow incompatible with containers, usually containers have
>> time synchronized from host, and by default IPA client container don't do
>> NTP configuration.
>>
>
> Isn't that what the --no-ntp option in the client is for anyway?
>
>>
>> Let deprecate it in 4.5
>>
>> Martin^2
>>
>>>> On Tue, Nov 22, 2016 at 7:05 AM, Jan Cholasta <jchol...@redhat.com>
>>>> wrote:
>>>>
>>>> On 22.11.2016 13:06, Petr Spacek wrote:
>>>>>
>>>>> On 22.11.2016 12:15, David Kupka wrote:
>>>>>>
>>>>>> Hello everyone!
>>>>>>>
>>>>>>> Is it worth to keep configuring NTP in FreeIPA?
>>>>>>>
>>>>>>> In usual environment there're no special requirements for time
>>>>>>> synchronization and the distribution default (be it ntpd, chrony or
>>>>>>> anything else) will just work. Any tampering with the configuration
>>>>>>> can't make it any better.
>>>>>>>
>>>>>>> In environment with special requirements (network disconnected from
>>>>>>> public internet, nodes disconnected from topology for longer time, ...)
>>>>>>> time synchronization must be taken care of accordingly by system
>>>>>>> administrator and &
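The single-server situation described in this message (every client left with only ipa1.example.org in /etc/ntp.conf after a replica is added) can be checked for on a host. The following is an added example, not FreeIPA code; the function names, the finding labels and the sample configuration are assumptions constructed for illustration.

```python
import re

# server/pool/peer directives as used by ntp.conf (chrony.conf uses the same keywords)
_SOURCE = re.compile(r"^\s*(server|pool|peer)\s+(\S+)", re.IGNORECASE)


def time_sources(conf_text):
    """Return [(directive, host)] for every real time source in the config text."""
    found = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0]           # drop comments
        m = _SOURCE.match(line)
        if not m:
            continue
        directive, host = m.group(1).lower(), m.group(2).lower()
        if host.startswith("127.127."):       # ntpd reference-clock pseudo address
            continue
        found.append((directive, host))
    return found


def audit(conf_text, ipa_servers=()):
    """Flag configurations that lose time sync when one server goes away.

    ipa_servers is the list of IPA servers known to the caller (assumption:
    supplied by the operator, e.g. from inventory).
    """
    sources = time_sources(conf_text)
    hosts = sorted({h for _, h in sources})
    uses_pool = any(d == "pool" for d, _ in sources)
    findings = []
    if not hosts:
        findings.append("no-source")
    elif len(hosts) == 1 and not uses_pool:
        findings.append("single-source")
    ipa = {s.lower() for s in ipa_servers}
    missing = sorted(ipa - set(hosts))
    # Only meaningful when the host syncs from IPA servers at all.
    if ipa & set(hosts) and missing:
        findings.append("replicas-not-listed")
    return {"hosts": hosts, "findings": findings, "missing": missing}


# Constructed sample: client config after the three steps in the thread.
AFTER_CLIENT_INSTALL = """\
restrict default nomodify notrap nopeer noquery
server ipa1.example.org iburst
server 127.127.1.0   # local clock
fudge 127.127.1.0 stratum 10
"""

# Constructed sample: a distribution-default style config with four servers.
DISTRO_DEFAULT = """\
server 0.fedora.pool.ntp.org iburst
server 1.fedora.pool.ntp.org iburst
server 2.fedora.pool.ntp.org iburst
server 3.fedora.pool.ntp.org iburst
"""

if __name__ == "__main__":
    ipa = ["ipa1.example.org", "ipa2.example.org"]
    print(audit(AFTER_CLIENT_INSTALL, ipa))
    print(audit(DISTRO_DEFAULT, ipa))
```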
Re: [Freeipa-devel] NTP in FreeIPA
I would say that it is worth keeping in FreeIPA. I know myself and some customers use its functionality by having the clients sync to the IPA servers and have the servers sync to the NTP source. This way if the NTP source ever gets disrupted for long periods of time (which has happened in my environment) the client time drifts with the authentication source. This is the way that AD often works and is configured.

On Tue, Nov 22, 2016 at 7:05 AM, Jan Cholasta wrote:

> On 22.11.2016 13:06, Petr Spacek wrote:
>
>> On 22.11.2016 12:15, David Kupka wrote:
>>
>>> Hello everyone!
>>>
>>> Is it worth to keep configuring NTP in FreeIPA?
>>>
>>> In usual environment there're no special requirements for time
>>> synchronization and the distribution default (be it ntpd, chrony or
>>> anything else) will just work. Any tampering with the configuration
>>> can't make it any better.
>>>
>>> In environment with special requirements (network disconnected from
>>> public internet, nodes disconnected from topology for longer time, ...)
>>> time synchronization must be taken care of accordingly by system
>>> administrator and FreeIPA simply can't help here.
>>>
>>> Also there are problems and weird behavior with the current FreeIPA
>>> installers:
>>>
>>> * ipa-client-install replaces all servers in /etc/ntp.conf with the ones
>>> specified by user or resolved from DNS. If none were provided nor
>>> resolved the FreeIPA server specified/resolved during installation is
>>> used. This leads in just single server in the configuration and no time
>>> synchronization when this server is down/decommissioned.
>>>
>>> * ipa-client-install replaces the NTP configuration. If there was any
>>> parts previously edited by system administrator it's lost.
>>>
>>> * ipa-server-install adds {0-4}.$PLATFORM.pool.ntp.org to /etc/ntp.conf.
>>> What's the point in doing that? These servers're already in the
>>> configuration file installed with ntp package.
>>>
>>> I have NTP-related WIP patches that solve some of the issues but in
>>> general I would prefer to remove the whole thing together with
>>> documenting "Please make sure that time on all FreeIPA servers and
>>> clients is synchronized. On most distributions this was already done
>>> during system installation."
>>>
>>> Can we mark NTP options deprecated in 4.5 and remove them and stop
>>> touching any time syncing service in 4.6?
>>
>> Considering that default config is just fine for normal cases, and given
>> how poorly integrated it is into FreeIPA, I agree with David. FreeIPA
>> should get out of configuration management business.
>
> +1
>
> --
> Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode
On Mon, Jun 27, 2016 at 12:38 AM, Florence Blanc-Renaud wrote:

> Hi,
>
> this fix is a port of Bug 1131570 - Do not allow IdM server/replica/client
> installation in a FIPS-140 mode
> It prevents installation of FreeIPA if the host is fips-enabled.
>
> https://fedorahosted.org/freeipa/ticket/5761

Shouldn't this be about fixing FreeIPA to allow installation/operation in FIPS mode rather than disabling it? There are many environments where FIPS is required, and FreeIPA should support it.

Gabe
Re: [Freeipa-devel] [PATCH] 0001 (update 2) provide more information for "ipa cert-revoke -h"
Patrice,

Can you please send rebased version of this patch?

Thanks,

Gabe

On Fri, May 6, 2016 at 6:45 AM, Martin Basti <mba...@redhat.com> wrote:

> On 04.05.2016 14:30, Gabe Alford wrote:
>
> On Wed, May 4, 2016 at 1:35 AM, Patrice Duc-Jacquet <patdu...@gmail.com> wrote:
>
>> Hi everyone
>>
>> this is a second update that take into account review feedback.
>>
>> In case the proposal fix is K what are the next step to commit this
>> change. I'm not sure to really understand the process. Thanks and regards
>>
>
> If the fix is good, you receive an ack and a core member of the FreeIPA
> team will take your ack'ed patch and push it to the official git repository.
>
> ACK from me
>
> Gabe
>
> Pat
>
> Hello, I agree with ACK, but I cannot apply the patch using git am -3, can
> you please send rebased version?
>
> Martin^2
Re: [Freeipa-devel] [PATCH 0069] ipa-nis-manage enable: change service name from 'portmap' to 'rpcbind'
On Tue, May 10, 2016 at 6:47 AM, Martin Basti <mba...@redhat.com> wrote:

> On 10.05.2016 14:42, Gabe Alford wrote:
>
> On Tue, May 10, 2016 at 6:26 AM, Martin Basti <mba...@redhat.com> wrote:
>
>> On 10.05.2016 14:13, Gabe Alford wrote:
>>
>> On Tue, May 10, 2016 at 2:00 AM, Martin Basti <mba...@redhat.com> wrote:
>>
>>> On 04.05.2016 15:14, Gabe Alford wrote:
>>>
>>> On Tue, May 3, 2016 at 11:17 PM, Abhijeet Kasurde <akasu...@redhat.com> wrote:
>>>
>>>> Hi Gabe,
>>>>
>>>> I am wondering, how are we handling "CalledProcessError" exception ?
>>>>
>>>
>>> I am not sure 100% what you are asking, but from what I understand, the
>>> "CalledProcessError" exception is when a process returns a non-zero exit
>>> status.
>>> However when running 'ipa-nis-manage enable', an exception is never hit
>>> even if portmap is not installed, hence portmap always being enabled.
>>>
>>> So it seems that if the process is not installed, "CalledProcessError"
>>> doesn't catch an error.
>>>
>>> Gabe
>>>
>>> Hello,
>>>
>>> portmap.enable() may raise the "CalledProcessError" in case that
>>> systemctl enable failed and we should catch this exception and handle it in
>>> the same way as it is done now. i.e catch that exception and set proper
>>> return state.
>>>
>>> Martin^2
>>>
>>
>> Shouldn't "CalledProcessError" raise an exception in this case? In my
>> testing, it doesn't seem to raise an exception when the service does not
>> even exist on the system.
>>
>> Gabe
>>
>> You are right, there is try-except-pass, so no exception can be raised
>>
>> def __enable(self, instance_name=""):
>>     try:
>>         ipautil.run([paths.SYSTEMCTL, "enable",
>>                      self.service_instance(instance_name)])
>>     except ipautil.CalledProcessError:
>>         pass
>>
>> Martin
>>
>
> It is also the case for disable(), mask(), unmask(), etc. Should we update
> the exception in __enable() or is there a reason that it just passes at
> exception?
>
> Gabe
>
> I don't think that we should change behavior there, what I'm missing there
> is proper logging :) If you want you can create ticket for it. Leave
> try-except-pass there, changing this may affect a lot of places, and there
> is no time to fix it in 4.4 release.
>
> Martin^2

Sounds good. Do you also want to keep the try-except-pass in ipa-nis-manage as well or does my patch suffice?

Gabe

>>>> On 05/04/2016 09:17 AM, Gabe Alford wrote:
>>>>
>>>> Hello,
>>>>
>>>> Fix for https://fedorahosted.org/freeipa/ticket/5857
>>>>
>>>> Thanks,
>>>>
>>>> Gabe
>>>>
>>>> Thanks,
>>>> Abhijeet Kasurde
Re: [Freeipa-devel] [PATCH 0069] ipa-nis-manage enable: change service name from 'portmap' to 'rpcbind'
On Tue, May 10, 2016 at 6:26 AM, Martin Basti <mba...@redhat.com> wrote:

> On 10.05.2016 14:13, Gabe Alford wrote:
>
> On Tue, May 10, 2016 at 2:00 AM, Martin Basti <mba...@redhat.com> wrote:
>
>> On 04.05.2016 15:14, Gabe Alford wrote:
>>
>> On Tue, May 3, 2016 at 11:17 PM, Abhijeet Kasurde <akasu...@redhat.com> wrote:
>>
>>> Hi Gabe,
>>>
>>> I am wondering, how are we handling "CalledProcessError" exception ?
>>>
>>
>> I am not sure 100% what you are asking, but from what I understand, the
>> "CalledProcessError" exception is when a process returns a non-zero exit
>> status.
>> However when running 'ipa-nis-manage enable', an exception is never hit
>> even if portmap is not installed, hence portmap always being enabled.
>>
>> So it seems that if the process is not installed, "CalledProcessError"
>> doesn't catch an error.
>>
>> Gabe
>>
>> Hello,
>>
>> portmap.enable() may raise the "CalledProcessError" in case that systemctl
>> enable failed and we should catch this exception and handle it in the same
>> way as it is done now. i.e catch that exception and set proper return state.
>>
>> Martin^2
>>
>
> Shouldn't "CalledProcessError" raise an exception in this case? In my
> testing, it doesn't seem to raise an exception when the service does not
> even exist on the system.
>
> Gabe
>
> You are right, there is try-except-pass, so no exception can be raised
>
> def __enable(self, instance_name=""):
>     try:
>         ipautil.run([paths.SYSTEMCTL, "enable",
>                      self.service_instance(instance_name)])
>     except ipautil.CalledProcessError:
>         pass
>
> Martin

It is also the case for disable(), mask(), unmask(), etc. Should we update the exception in __enable() or is there a reason that it just passes at exception?

Gabe

>>> On 05/04/2016 09:17 AM, Gabe Alford wrote:
>>>
>>> Hello,
>>>
>>> Fix for https://fedorahosted.org/freeipa/ticket/5857
>>>
>>> Thanks,
>>>
>>> Gabe
>>>
>>> Thanks,
>>> Abhijeet Kasurde
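The try-except-pass pattern quoted in this thread hides a failed `systemctl enable` from the caller, so the caller can only decide on "installed or not". The following added example (not FreeIPA code) puts the silent wrapper beside one that logs and reports the failure; `Service`, `enable_silent`, `enable_checked`, `enable_rpc_mapper` and the injected runners are hypothetical names, and `subprocess.CalledProcessError` stands in for `ipautil.CalledProcessError`.

```python
import logging
import subprocess

log = logging.getLogger("rpc_mapper_example")


def ok_runner(argv):
    """Constructed stand-in for a `systemctl enable` that succeeds."""
    return 0


def failing_runner(argv):
    """Constructed stand-in for a `systemctl enable` that exits non-zero."""
    raise subprocess.CalledProcessError(1, argv)


class Service:
    """Minimal service object (hypothetical, not the ipaplatform class)."""

    def __init__(self, service_name, installed, runner):
        self.service_name = service_name
        self._installed = installed
        self._run = runner  # callable(argv) that may raise CalledProcessError

    def is_installed(self):
        return self._installed

    def enable_silent(self):
        # Shape of the wrapper quoted in the thread: the error is swallowed,
        # nothing is logged and nothing is returned.
        try:
            self._run(["systemctl", "enable", self.service_name])
        except subprocess.CalledProcessError:
            pass

    def enable_checked(self):
        # Same call, but the failure is logged and reported to the caller.
        try:
            self._run(["systemctl", "enable", self.service_name])
        except subprocess.CalledProcessError as exc:
            log.error("enabling %s failed with exit status %s",
                      self.service_name, exc.returncode)
            return False
        return True


def enable_rpc_mapper(candidates, checked=True):
    """Enable the first installed candidate.

    Returns (retval, service_name); retval 3 is the error value used by
    ipa-nis-manage in the patch on this page.
    """
    for svc in candidates:
        if not svc.is_installed():
            continue
        if checked:
            ok = svc.enable_checked()
        else:
            svc.enable_silent()
            ok = True  # the caller has no way to know better
        return (0 if ok else 3, svc.service_name)
    log.error("none of %s is installed",
              ", ".join(s.service_name for s in candidates))
    return (3, None)


if __name__ == "__main__":
    portmap = Service("portmap", False, ok_runner)
    rpcbind = Service("rpcbind", True, failing_runner)
    print(enable_rpc_mapper([portmap, rpcbind], checked=False))
    print(enable_rpc_mapper([portmap, rpcbind], checked=True))
```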
Re: [Freeipa-devel] [PATCH 0069] ipa-nis-manage enable: change service name from 'portmap' to 'rpcbind'
On Tue, May 10, 2016 at 2:00 AM, Martin Basti <mba...@redhat.com> wrote:

> On 04.05.2016 15:14, Gabe Alford wrote:
>
> On Tue, May 3, 2016 at 11:17 PM, Abhijeet Kasurde <akasu...@redhat.com> wrote:
>
>> Hi Gabe,
>>
>> I am wondering, how are we handling "CalledProcessError" exception ?
>>
>
> I am not sure 100% what you are asking, but from what I understand, the
> "CalledProcessError" exception is when a process returns a non-zero exit
> status.
> However when running 'ipa-nis-manage enable', an exception is never hit
> even if portmap is not installed, hence portmap always being enabled.
>
> So it seems that if the process is not installed, "CalledProcessError"
> doesn't catch an error.
>
> Gabe
>
> Hello,
>
> portmap.enable() may raise the "CalledProcessError" in case that systemctl
> enable failed and we should catch this exception and handle it in the same
> way as it is done now. i.e catch that exception and set proper return state.
>
> Martin^2

Shouldn't "CalledProcessError" raise an exception in this case? In my testing, it doesn't seem to raise an exception when the service does not even exist on the system.

Gabe

>> On 05/04/2016 09:17 AM, Gabe Alford wrote:
>>
>> Hello,
>>
>> Fix for https://fedorahosted.org/freeipa/ticket/5857
>>
>> Thanks,
>>
>> Gabe
>>
>> Thanks,
>> Abhijeet Kasurde
Re: [Freeipa-devel] [PATCH 0068] Use ipareplica-ca-install.log instead of ipaserver-ca-install.log
Yeah. That makes sense. Let's fix it with the other logger tickets.

Gabe

On Tue, May 10, 2016 at 5:47 AM, Martin Basti <mba...@redhat.com> wrote:

> On 03.05.2016 15:41, Gabe Alford wrote:
>
> Hello,
>
> Fix for https://fedorahosted.org/freeipa/ticket/5727. Per comment #7,
> this removes ipaserver-ca-install.log and uses ipareplica-ca-install.log.
>
> Thanks,
>
> Gabe
>
> Well, with this patch, ipa-ca-install on ca-less master server will log
> into ipareplica-ca-install.log what is not right. This difference between
> master an replica is somehow unfortunate because those servers are equal
> and it should be logged into ipa-ca-install.log. This is part of other
> logging tickets that has been postponed I think that all tickets should be
> resolved together.
>
> I suggest to postpone this ticket and fix it together with other logger
> tickets.
>
> Do you agree?
>
> Martin^2
Re: [Freeipa-devel] [PATCH 0069] ipa-nis-manage enable: change service name from 'portmap' to 'rpcbind'
On Tue, May 3, 2016 at 11:17 PM, Abhijeet Kasurde <akasu...@redhat.com> wrote:

> Hi Gabe,
>
> I am wondering, how are we handling "CalledProcessError" exception ?

I am not sure 100% what you are asking, but from what I understand, the "CalledProcessError" exception is when a process returns a non-zero exit status.
However when running 'ipa-nis-manage enable', an exception is never hit even if portmap is not installed, hence portmap always being enabled.

So it seems that if the process is not installed, "CalledProcessError" doesn't catch an error.

Gabe

> On 05/04/2016 09:17 AM, Gabe Alford wrote:
>
> Hello,
>
> Fix for https://fedorahosted.org/freeipa/ticket/5857
>
> Thanks,
>
> Gabe
>
> Thanks,
> Abhijeet Kasurde
Re: [Freeipa-devel] [PATCH] 0001 (update 2) provide more information for "ipa cert-revoke -h"
On Wed, May 4, 2016 at 1:35 AM, Patrice Duc-Jacquet wrote:

> Hi everyone
>
> this is a second update that take into account review feedback.
>
> In case the proposal fix is K what are the next step to commit this
> change. I'm not sure to really understand the process. Thanks and regards

If the fix is good, you receive an ack and a core member of the FreeIPA team will take your ack'ed patch and push it to the official git repository.

ACK from me

Gabe

> Pat
[Freeipa-devel] [PATCH 0069] ipa-nis-manage enable: change service name from 'portmap' to 'rpcbind'
Hello, Fix for https://fedorahosted.org/freeipa/ticket/5857 Thanks, Gabe From 950da9c812a162569379bd9e530977960e9ab7ca Mon Sep 17 00:00:00 2001 From: GabeDate: Tue, 3 May 2016 21:33:33 -0600 Subject: [PATCH] ipa-nis-manage enable: change service name from 'portmap' to 'rpcbind' https://fedorahosted.org/freeipa/ticket/5857 --- install/tools/ipa-nis-manage | 21 ++--- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/install/tools/ipa-nis-manage b/install/tools/ipa-nis-manage index 3aa1507b205eaa679edebda2a3705b494369abc3..948aa0046b6eeb0f68dd90390eaca6d5b6c8dba3 100755 --- a/install/tools/ipa-nis-manage +++ b/install/tools/ipa-nis-manage @@ -144,19 +144,18 @@ def main(): retval = 1 # Enable either the portmap or rpcbind service -try: -portmap = services.knownservices.portmap +portmap = services.knownservices.portmap +rpcbind = services.knownservices.rpcbind + +if portmap.is_installed(): portmap.enable() servicemsg = portmap.service_name -except ipautil.CalledProcessError as cpe: -if cpe.returncode == 1: -try: -rpcbind = services.knownservices.rpcbind -rpcbind.enable() -servicemsg = rpcbind.service_name -except ipautil.CalledProcessError as cpe: -print("Unable to enable either %s or %s" % (portmap.service_name, rpcbind.service_name)) -retval = 3 +elif rpcbind.is_installed(): +rpcbind.enable() +servicemsg = rpcbind.service_name +else: +print("Unable to enable either %s or %s" % (portmap.service_name, rpcbind.service_name)) +retval = 3 # The cn=config entry for the plugin may already exist but it # could be turned off, handle both cases. -- 2.5.5 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
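Review bot: The new if/elif chain in main() drops the only error handling around portmap.enable() and rpcbind.enable(), and the one failure path left is the else branch, which is reached only when neither is_installed() check is true. A service that is installed but cannot be enabled will therefore either raise out of main() uncaught or, if enable() swallows the error with the try-except-pass quoted elsewhere in this thread, leave retval untouched and report success. Please verify the outcome after enable() and set retval = 3 on failure as well, and reword the else message, since "Unable to enable either %s or %s" now actually means that neither service is installed.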
Re: [Freeipa-devel] [PATCH] 0001 provide more information for "ipa cert-revoke -h"
On Tue, May 3, 2016 at 9:35 AM, Patrice Duc-Jacquet <patrice.duc.jacq...@gmail.com> wrote:

> On 05/03/2016 04:41 PM, Rob Crittenden wrote:
>
> Gabe Alford wrote:
>>
>>> Hello,
>>>
>>> Thank you for your patch as well.
>>>
>>> >-doc=_('Reason for revoking the certificate (0-10)'),
>>> >+doc=_('Reason for revoking the certificate (0-10). See
>>> RFC 5280 (paragraph 5.3.1) for reason details'),
>>>
>>> Rather than just specifying the RFC with the paragraph to go look up,
>>> can you either add the revocation options or say something like:
>>>
>>> +doc=_('Reason for revoking the certificate (0-10). See
>>> \'ipa help cert\' for revocation reason details.'),
>>>
>>> IMO, it is a little annoying to go look up revocation reasons when those
>>> reasons can either be added to the help output or exist already in `ipa
>>> help cert`.
>>>
>>
>> FTR I added it to the top level help because the reasons are used in
>> multiple places and didn't want to duplicate them, and adding them to a
>> specific option help would overload it big time IMHO.
>>
>> rob
>>
>> Hi everyone
> thanks for your valuable comments. I fully agree that it is not
> recommended to duplicate this information. So as Rob suggested, I should
> avoid to add this information to cert_revoke option and thus I plan to
> modify the help message as follow:
>
> doc=_('Reason for revoking the certificate (0-10). Type "ipa help cert"
> for reason details'),
>
> Do you agree with that modification? Thanks in advance and regards

I think the modification is fine. One nitpick that I would have is to say "for revocation reason details." rather than "for reason details." Also, don't forget a period after the word "details". :)

Gabe

> Pat
Re: [Freeipa-devel] [PATCH] 0001 provide more information for "ipa cert-revoke -h"
Hello,

Thank you for your patch as well.

>-doc=_('Reason for revoking the certificate (0-10)'),
>+doc=_('Reason for revoking the certificate (0-10). See RFC 5280 (paragraph 5.3.1) for reason details'),

Rather than just specifying the RFC with the paragraph to go look up, can you either add the revocation options or say something like:

+doc=_('Reason for revoking the certificate (0-10). See \'ipa help cert\' for revocation reason details.'),

IMO, it is a little annoying to go look up revocation reasons when those reasons can either be added to the help output or exist already in `ipa help cert`.

Thanks,

Gabe

On Tue, May 3, 2016 at 8:13 AM, Martin Basti wrote:

> On 03.05.2016 16:01, Patrice Duc-Jacquet wrote:
>
> Hi everyone
> this is my first patch. So I may have done things not in a proper way.
> Please let me know if something is wrong in the process I followed. With
> regards
>
> Pat
>
> Hello,
>
> thank you for your patch. Please remove changes in .po and .pot files from
> the patch, these files are generated automatically from zanata.
>
> thank you
>
> Martin
[Freeipa-devel] [PATCH 0068] Use ipareplica-ca-install.log instead of ipaserver-ca-install.log
Hello, Fix for https://fedorahosted.org/freeipa/ticket/5727. Per comment #7, this removes ipaserver-ca-install.log and uses ipareplica-ca-install.log. Thanks, Gabe From 9f8cb593c1b207d96693879fbd8717a78421e157 Mon Sep 17 00:00:00 2001 From: GabeDate: Tue, 3 May 2016 07:30:13 -0600 Subject: [PATCH] Use ipareplica-ca-install.log instead of ipaserver-ca-install.log https://fedorahosted.org/freeipa/ticket/5727 --- install/tools/ipa-ca-install | 2 +- ipaplatform/base/paths.py| 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 1bc5def03bf687a1e4f9fb38a54363b5429c8fc4..2947009f58ba7ef96ec303e7731dc9b3fdfc8ff2 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -280,7 +280,7 @@ def main(): cainstance.is_ca_installed_locally()): sys.exit("CA is already installed on this host.") -standard_logging_setup(paths.IPASERVER_CA_INSTALL_LOG, debug=options.debug) +standard_logging_setup(paths.IPAREPLICA_CA_INSTALL_LOG, debug=options.debug) root_logger.debug("%s was invoked with options: %s,%s", sys.argv[0], safe_options, filename) root_logger.debug("IPA version %s", version.VENDOR_VERSION) diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index ca7eb6cf47b4442fa538a47c74846e13c25e02e8..6d07621b8c001a6a1bc6baa8e5bcb775136d7a62 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py 
@@ -304,7 +304,6 @@ class BasePathNamespace(object): IPAREPLICA_CONNCHECK_LOG = "/var/log/ipareplica-conncheck.log" IPAREPLICA_INSTALL_LOG = "/var/log/ipareplica-install.log" IPARESTORE_LOG = "/var/log/iparestore.log" -IPASERVER_CA_INSTALL_LOG = "/var/log/ipaserver-ca-install.log" IPASERVER_INSTALL_LOG = "/var/log/ipaserver-install.log" IPASERVER_KRA_INSTALL_LOG = "/var/log/ipaserver-kra-install.log" IPASERVER_KRA_UNINSTALL_LOG = "/var/log/ipaserver-kra-uninstall.log" -- 1.8.3.1 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
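Review bot: In main() of install/tools/ipa-ca-install the call to standard_logging_setup() now always passes paths.IPAREPLICA_CA_INSTALL_LOG, and nothing in the hunk takes account of whether the tool is running against a replica file or on an existing master. A CA added to a CA-less master would then be logged under a replica-named file, which sends anyone collecting logs after a failed install to the wrong place. Either select the constant according to the mode, or introduce one neutral name (the thread suggests ipa-ca-install.log) and use it in both cases.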
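Review bot: Deleting IPASERVER_CA_INSTALL_LOG from BasePathNamespace in ipaplatform/base/paths.py turns any remaining reference to paths.IPASERVER_CA_INSTALL_LOG into an AttributeError at run time, and the diffstat lists only ipa-ca-install as updated. Please confirm with a tree-wide search, including platform-specific path overrides and any backup or uninstall file lists, that nothing else names the constant, and say in the commit message what happens to an existing /var/log/ipaserver-ca-install.log on hosts that are upgraded.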
[Freeipa-devel] Possible FreeIPA Trac Malicious Link
Hey all,

This is something we may need to watch for. I noticed that a possible malicious link was added to the FreeIPA Trac start page. You can view it here: https://fedorahosted.org/freeipa/wiki/WikiStart?action=diff=22. I changed it back to the original text before the change. I know that the 389 Trac webpage had issues earlier this year with spam.

Just an FYI.

Gabe
[Freeipa-devel] [PATCH 0067-0069] Various IPA log fixes
Hello, Attached patches fix the following tickets related to IPA log files: https://fedorahosted.org/freeipa/ticket/5724 https://fedorahosted.org/freeipa/ticket/5726 https://fedorahosted.org/freeipa/ticket/5727 Patch 0067 should be applied first, and patch 0069 applied last. Thanks, Gabe From 5646ee0311e5d9195d5510eb5c20fc9dfa1cb1d7 Mon Sep 17 00:00:00 2001 From: GabeDate: Thu, 10 Mar 2016 07:08:55 -0700 Subject: [PATCH 1/3] Store IPA logs in one directory - /var/log/ipa https://fedorahosted.org/freeipa/ticket/5724 --- freeipa.spec.in | 2 ++ ipaplatform/base/paths.py | 26 +- 2 files changed, 15 insertions(+), 13 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 9e277020d70215e052ab6c905b1c6a29ae6cdd4d..a3499ea4947c6c89d3ac232ed22fb0eb7ee6bb4d 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -828,6 +828,7 @@ mkdir -p %{buildroot}%{_sysconfdir}/ipa/ /bin/touch %{buildroot}%{_sysconfdir}/ipa/default.conf /bin/touch %{buildroot}%{_sysconfdir}/ipa/ca.crt mkdir -p %{buildroot}%{_sysconfdir}/ipa/nssdb +mkdir -p %{buildroot}/%{_localstatedir}/log/ipa mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa-client/sysrestore mkdir -p %{buildroot}%{_sysconfdir}/bash_completion.d install -pm 644 contrib/completion/ipa.bash_completion %{buildroot}%{_sysconfdir}/bash_completion.d/ipa @@ -1298,6 +1299,7 @@ fi %ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt %ghost %config(noreplace) %{_sysconfdir}/pki/ca-trust/source/ipa.p11-kit %dir %{_usr}/share/ipa +%dir %{_localstatedir}/log/ipa %dir %{_localstatedir}/lib/ipa-client %dir %{_localstatedir}/lib/ipa-client/sysrestore %{_mandir}/man5/default.conf.5.gz diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index bdff4f3934f3250bdfef3f913631b98d55d759b6..76a362b1945e6c1fa6554c9859605012b89d0e88 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py 
@@ -294,19 +294,19 @@ class BasePathNamespace(object): SLAPD_INSTANCE_ACCESS_LOG_TEMPLATE = "/var/log/dirsrv/slapd-%s/access" SLAPD_INSTANCE_ERROR_LOG_TEMPLATE = "/var/log/dirsrv/slapd-%s/errors" VAR_LOG_HTTPD_DIR = "/var/log/httpd" -IPABACKUP_LOG = "/var/log/ipabackup.log" -IPACLIENT_INSTALL_LOG = "/var/log/ipaclient-install.log" -IPACLIENT_UNINSTALL_LOG = "/var/log/ipaclient-uninstall.log" -IPAREPLICA_CA_INSTALL_LOG = "/var/log/ipareplica-ca-install.log" -IPAREPLICA_CONNCHECK_LOG = "/var/log/ipareplica-conncheck.log" -IPAREPLICA_INSTALL_LOG = "/var/log/ipareplica-install.log" -IPARESTORE_LOG = "/var/log/iparestore.log" -IPASERVER_CA_INSTALL_LOG = "/var/log/ipaserver-ca-install.log" -IPASERVER_INSTALL_LOG = "/var/log/ipaserver-install.log" -IPASERVER_KRA_INSTALL_LOG = "/var/log/ipaserver-kra-install.log" -IPASERVER_KRA_UNINSTALL_LOG = "/var/log/ipaserver-kra-uninstall.log" -IPASERVER_UNINSTALL_LOG = "/var/log/ipaserver-uninstall.log" -IPAUPGRADE_LOG = "/var/log/ipaupgrade.log" +IPABACKUP_LOG = "/var/log/ipa/ipabackup.log" +IPACLIENT_INSTALL_LOG = "/var/log/ipa/ipaclient-install.log" +IPACLIENT_UNINSTALL_LOG = "/var/log/ipa/ipaclient-uninstall.log" +IPAREPLICA_CA_INSTALL_LOG = "/var/log/ipa/ipareplica-ca-install.log" +IPAREPLICA_CONNCHECK_LOG = "/var/log/ipa/ipareplica-conncheck.log" +IPAREPLICA_INSTALL_LOG = "/var/log/ipa/ipareplica-install.log" +IPARESTORE_LOG = "/var/log/ipa/iparestore.log" +IPASERVER_CA_INSTALL_LOG = "/var/log/ipa/ipaserver-ca-install.log" +IPASERVER_INSTALL_LOG = "/var/log/ipa/ipaserver-install.log" +IPASERVER_KRA_INSTALL_LOG = "/var/log/ipa/ipaserver-kra-install.log" +IPASERVER_KRA_UNINSTALL_LOG = "/var/log/ipa/ipaserver-kra-uninstall.log" +IPASERVER_UNINSTALL_LOG = "/var/log/ipa/ipaserver-uninstall.log" +IPAUPGRADE_LOG = "/var/log/ipa/ipaupgrade.log" KADMIND_LOG = "/var/log/kadmind.log" MESSAGES = "/var/log/messages" VAR_LOG_PKI_DIR = "/var/log/pki/" -- 1.8.3.1 From 6d87d26228424b3a4a25dafefdd60359b71043b2 Mon Sep 17 00:00:00 2001 
From: Gabe Date: Thu, 10 Mar 2016 07:10:56 -0700 Subject: [PATCH 2/3] Remove unused ipareplica-ca-install.log https://fedorahosted.org/freeipa/ticket/5727 --- install/tools/ipa-ca-install | 2 +- ipaplatform/base/paths.py| 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 1bc5def03bf687a1e4f9fb38a54363b5429c8fc4..cea2f0ddf392f807bd08198c1b8aa3c3e4cca4bc 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -38,7 +38,7 @@ from ipapython.config import IPAOptionParser from ipapython.ipa_log_manager import root_logger, standard_logging_setup from ipaplatform.paths import paths -log_file_name = paths.IPAREPLICA_CA_INSTALL_LOG +log_file_name = paths.IPASERVER_CA_INSTALL_LOG REPLICA_INFO_TOP_DIR = None def parse_options(): diff --git a/ipaplatform/base/paths.py
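Review bot: The new %dir %{_localstatedir}/log/ipa entry in freeipa.spec.in carries no %attr, so the directory is created with whatever mode and ownership the packaging defaults give it. The files that will live there are installer, upgrade, backup and restore logs, which record how the tools were invoked, so state the intended permissions explicitly, for example %dir %attr(0700,root,root) %{_localstatedir}/log/ipa if only root-run tools write there, and make sure the mode chosen still lets every tool listed in paths.py create its log.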
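Review bot: Every IPA*_LOG constant in the paths.py hunk of patch 1/3 moves from /var/log to /var/log/ipa, but the diffstat covers only freeipa.spec.in and paths.py, so nothing handles hosts that already have the old files or anything that finds logs by path (logrotate snippets, SELinux file contexts, log collection tooling, man pages and documentation). Please add the upgrade handling and matching updates, or list them in the commit message as follow-ups, so that log collection on an upgraded server does not silently miss the older history.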
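Review bot: In install/tools/ipa-ca-install, patch 2/3 repoints the module-level log_file_name at paths.IPASERVER_CA_INSTALL_LOG, while main() in the same file names a log constant directly in its standard_logging_setup() call; pass log_file_name there instead so the file has a single source of truth and the two cannot diverge. The subject line also says the patch removes ipareplica-ca-install.log, which the visible hunk does not do by itself, and the message is cut off on this page after the paths.py file header, so the one-line deletion announced in the diffstat cannot be checked here.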
Re: [Freeipa-devel] [PATCH] 950 webui: remove moot error from webui build
Ack. Works as expected.

Gabe

On Wed, Jan 27, 2016 at 7:39 AM, Petr Vobornik wrote:

> add module 'libs/d3' to a list of modules provided by third party libraries
>
> it is provided by d3 library in libs directory
>
> https://fedorahosted.org/freeipa/ticket/5641
> --
> Petr Vobornik

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0409] Warn user when ipa *-find reach search limit
On Tue, Jan 26, 2016 at 6:56 AM, Martin Basti wrote:

> On 26.01.2016 14:55, Petr Spacek wrote:
>
>> On 26.1.2016 14:02, Martin Basti wrote:
>>
>>> https://fedorahosted.org/freeipa/ticket/5634
>>>
>>> Patch attached.
>>
>> It works for me in API, CLI, and Web UI. The warning is shown as expected.
>>
>> Interestingly, Web UI behaves strangely when search limit is hit. This needs
>> more investigation because it happens even without this patch :-)
>
> I found different bug there, webUI passes sizelimit: 0 (unlimited), but
> this value is not passed to some searches inside BaseldapSearch which
> raise error, I will file a ticket and provide details there

Works for me as well. However, it would be nice to have what ipasearchlimit is limited to in the error message as well. So something like:

"Search result has been truncated, the current search limit is set to 10. Please increase the search limit."

Does this also address https://fedorahosted.org/freeipa/ticket/4022?

Gabe
Re: [Freeipa-devel] [PATCH 0409] Warn user when ipa *-find reach search limit
On Tue, Jan 26, 2016 at 7:33 AM, Martin Basti <mba...@redhat.com> wrote:

> On 26.01.2016 15:17, Petr Spacek wrote:
>
>> On 26.1.2016 15:06, Martin Basti wrote:
>>
>>> On 26.01.2016 15:00, Gabe Alford wrote:
>>>
>>>> On Tue, Jan 26, 2016 at 6:56 AM, Martin Basti <mba...@redhat.com> wrote:
>>>>
>>>> On 26.01.2016 14:55, Petr Spacek wrote:
>>>>
>>>> On 26.1.2016 14:02, Martin Basti wrote:
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/5634
>>>>
>>>> Patch attached.
>>>>
>>>> It works for me in API, CLI, and Web UI. The warning is shown
>>>> as expected.
>>>>
>>>> Interestingly, Web UI behaves strangely when search limit is
>>>> hit. This needs more investigation because it happens even
>>>> without this patch :-)
>>>>
>>>> I found different bug there, webUI passes sizelimit: 0
>>>> (unlimited), but this value is not passed to some searches inside
>>>> BaseldapSearch which raise error, I will file a ticket and provide
>>>> details there
>>>>
>>>> Works for me as well. However, it would be nice to have what
>>>> ipasearchlimit is limited to in the error message as well.
>>>> So something like:
>>>
>>> thanks for testing.
>>>
>>>> "Search result has been truncated, the current search limit is set to 10.
>>>> Please increase the search limit."
>>>
>>> Well this is not so easy to achieve in framework, I prefer not to add number
>>> there, it requires bigger change in framework or an extra ldap search.
>>>
>>>> Does this also address https://fedorahosted.org/freeipa/ticket/4022?
>>>
>>> It should.
>>
>> Maybe we can use some generic phrase like:
>> "Search result has been truncated to configured search limit."
>> and avoid advice like 'increase search limit' which may not be possible to do,
>> e.g. because user does not have permission to do that etc.
>
> Sounds good.
> Updated patch attached.

Ack from me.
Re: [Freeipa-devel] [PATCH] 942 webui: add examples to network address validator error message
LGTM.

Gabe

On Tue, Dec 22, 2015 at 6:06 AM, Petr Vobornik wrote:

> https://fedorahosted.org/freeipa/ticket/5532
> --
> Petr Vobornik
Re: [Freeipa-devel] [PATCH 0065] ipa-replica-install prints incorrect error message when replica is already installed
Fixed. Updated patch attached. On Wed, Dec 9, 2015 at 2:37 AM, Martin Basti <mba...@redhat.com> wrote: > NACK > > Patch contains syntax error, missing brace > > ipaserver/install/server/replicainstall.py:850: [E0001(syntax-error), ] > invalid syntax) > > Martin > > > On 09.12.2015 07:08, Jan Cholasta wrote: > >> LGTM >> >> On 8.12.2015 17:04, Gabe Alford wrote: >> >>> Updated patch attached. >>> >>> On Tue, Dec 8, 2015 at 8:27 AM, Martin Basti <mba...@redhat.com >>> <mailto:mba...@redhat.com>> wrote: >>> >>> >>> >>> On 08.12.2015 16:26, Gabe Alford wrote: >>> >>>> Just to confirm: >>>> >>>> if server is installed: >>>> Let's stop here and not do anything else >>>> >>>> if domain level 0: >>>> check if client installed and stop here >>>> >>>> Right? >>>> >>> yes >>> >>> >>> >>>> >>>> On Tue, Dec 8, 2015 at 8:20 AM, Jan Cholasta <jchol...@redhat.com >>>> <mailto:jchol...@redhat.com>> wrote: >>>> >>>> On 8.12.2015 16:17, Martin Basti wrote: >>>> >>>> >>>> >>>> On 08.12.2015 16:14, Jan Cholasta wrote: >>>> >>>> On 8.12.2015 16:09, Martin Basti wrote: >>>> >>>> >>>> >>>> On 01.12.2015 14:57, Gabe Alford wrote: >>>> >>>> Sorry guys, I forgot to add a meaningful >>>> subject to this message. >>>> Ignore the previous thread start. >>>> >>>> -- Forwarded message -- 
>>>> From: *Gabe Alford* <redhatri...@gmail.com >>>> <mailto:redhatri...@gmail.com> >>>> <mailto:redhatri...@gmail.com >>>> <mailto:redhatri...@gmail.com>>> >>>> Date: Mon, Nov 30, 2015 at 7:31 PM >>>> Subject: [PATCH 0065] >>>> To: freeipa-devel <freeipa-devel@redhat.com >>>> <mailto:freeipa-devel@redhat.com> >>>> <mailto:freeipa-devel@redhat.com >>>> <mailto:freeipa-devel@redhat.com>>> >>>> >>>> >>>> Hello, >>>> >>>> Patch fix for the following tickets: >>>> >>>> https://fedorahosted.org/freeipa/ticket/5022 >>>> https://fedorahosted.org/freeipa/ticket/5320 >>>> >>>> Thanks, >>>> >>>> Gabe >>>> >>>> >>>> >>>> ACK >>>> >>>> >>>> NACK, you can't install a server over an already >>>> installed client, >>>> thus the original check is correct. >>>> >>>> Ahh domain level 0, right, but this check can be added >>>> before the client >>>> check. >>>> >>>> >>>> Yes. >>>> >>>> With domain level 1, this check should stay there IMO. >>>> >>>> >>>> Yes. It should say "IPA server is already configured" rather >>>> than "IPA replica is already configured", though. >>>> >>>> -- >>>> Jan Cholasta >>>> >>>> >>>> >>> >>> >> >> > From 41af20d4ef76186f4099858e12e6e954d282f70f Mon Sep 17 00:00:00 2001 From: Gabe <redhatri...@gmail.com> Date: Wed, 9 Dec 2015 06:41:30 -0700 Subject: [PATCH] ipa-replica-install prints incorrect error message when replica is already installed https://fedorahosted.org/freeipa/ticket/5022 https://fedorahosted.org/freeipa/ticket/5320 --- ipaserver/install/server/replicainstall.py | 15 --- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 4554166752ce4e5db2a98a8f495aa061aec963e9..1f4b133e1a11c915b229514456c8624148a741f1 100644 --- a/ipaserv
Re: [Freeipa-devel] [PATCH 0065] ipa-replica-install prints incorrect error message when replica is already installed
Just to confirm:

if server is installed:
    Let's stop here and not do anything else

if domain level 0:
    check if client installed and stop here

Right?

On Tue, Dec 8, 2015 at 8:20 AM, Jan Cholasta <jchol...@redhat.com> wrote:

> On 8.12.2015 16:17, Martin Basti wrote:
>
>> On 08.12.2015 16:14, Jan Cholasta wrote:
>>
>>> On 8.12.2015 16:09, Martin Basti wrote:
>>>
>>>> On 01.12.2015 14:57, Gabe Alford wrote:
>>>>
>>>>> Sorry guys, I forgot to add a meaningful subject to this message.
>>>>> Ignore the previous thread start.
>>>>>
>>>>> -- Forwarded message --
>>>>> From: *Gabe Alford* <redhatri...@gmail.com>
>>>>> Date: Mon, Nov 30, 2015 at 7:31 PM
>>>>> Subject: [PATCH 0065]
>>>>> To: freeipa-devel <freeipa-devel@redhat.com>
>>>>>
>>>>> Hello,
>>>>>
>>>>> Patch fix for the following tickets:
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/5022
>>>>> https://fedorahosted.org/freeipa/ticket/5320
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Gabe
>>>>
>>>> ACK
>>>
>>> NACK, you can't install a server over an already installed client,
>>> thus the original check is correct.
>>
>> Ahh domain level 0, right, but this check can be added before the client
>> check.
>
> Yes.
>
>> With domain level 1, this check should stay there IMO.
>
> Yes. It should say "IPA server is already configured" rather than "IPA
> replica is already configured", though.
>
> --
> Jan Cholasta
Re: [Freeipa-devel] [PATCH 0065] ipa-replica-install prints incorrect error message when replica is already installed
Updated patch attached. On Tue, Dec 8, 2015 at 8:27 AM, Martin Basti <mba...@redhat.com> wrote: > > > On 08.12.2015 16:26, Gabe Alford wrote: > > Just to confirm: > > if server is installed: > Let's stop here and not do anything else > > if domain level 0: > check if client installed and stop here > > Right? > > yes > > > > > On Tue, Dec 8, 2015 at 8:20 AM, Jan Cholasta <jchol...@redhat.com> wrote: > >> On 8.12.2015 16:17, Martin Basti wrote: >> >>> >>> >>> On 08.12.2015 16:14, Jan Cholasta wrote: >>> >>>> On 8.12.2015 16:09, Martin Basti wrote: >>>> >>>>> >>>>> >>>>> On 01.12.2015 14:57, Gabe Alford wrote: >>>>> >>>>>> Sorry guys, I forgot to add a meaningful subject to this message. >>>>>> Ignore the previous thread start. >>>>>> >>>>>> -- Forwarded message -- >>>>>> From: *Gabe Alford* <redhatri...@gmail.com >>>>>> <mailto:redhatri...@gmail.com>> >>>>>> Date: Mon, Nov 30, 2015 at 7:31 PM >>>>>> Subject: [PATCH 0065] >>>>>> To: freeipa-devel <freeipa-devel@redhat.com >>>>>> <mailto:freeipa-devel@redhat.com>> >>>>>> >>>>>> >>>>>> Hello, >>>>>> >>>>>> Patch fix for the following tickets: >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/5022 >>>>>> https://fedorahosted.org/freeipa/ticket/5320 >>>>>> >>>>>> Thanks, >>>>>> >>>>>> Gabe >>>>>> >>>>>> >>>>>> >>>>>> ACK >>>>> >>>> >>>> NACK, you can't install a server over an already installed client, >>>> thus the original check is correct. >>>> >>>> Ahh domain level 0, right, but this check can be added before the client >>> check. >>> >> >> Yes. >> >> With domain level 1, this check should stay there IMO. >>> >> >> Yes. It should say "IPA server is already configured" rather than "IPA >> replica is already configured", though. >> >> -- >> Jan Cholasta >> > > > From 340a1316d8a71a4a3d7246fa87d2307f34484776 Mon Sep 17 00:00:00 2001 
From: Gabe <redhatri...@gmail.com> Date: Tue, 8 Dec 2015 08:58:56 -0700 Subject: [PATCH] ipa-replica-install prints incorrect error message when replica is already installed https://fedorahosted.org/freeipa/ticket/5022 https://fedorahosted.org/freeipa/ticket/5320 --- ipaserver/install/server/replicainstall.py | 15 --- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 4554166752ce4e5db2a98a8f495aa061aec963e9..e3f061a171e48f060464ef8e32630c8ca394c0b8 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -31,9 +31,8 @@ from ipaserver.install import ( bindinstance, ca, cainstance, certs, dns, dsinstance, httpinstance, installutils, kra, krainstance, krbinstance, memcacheinstance, ntpinstance, otpdinstance, custodiainstance, service) -from ipaserver.install.installutils import create_replica_config -from ipaserver.install.installutils import ReplicaConfig -from ipaserver.install.installutils import load_pkcs12 +from ipaserver.install.installutils import ( +create_replica_config, ReplicaConfig, load_pkcs12, is_ipa_configured) from ipaserver.install.replication import ( ReplicationManager, replica_conn_check) import SSSDConfig @@ -423,6 +422,11 @@ def install_check(installer): tasks.check_selinux_status() +if is_ipa_configured(): +sys.exit("IPA server is already configured on this system.\n" + "If you want to reinstall the IPA server, please uninstall " + "it first using 'ipa-server-install --uninstall'.") + client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE) if client_fstore.has_files(): sys.exit("IPA client is already configured on this system.\n" 
@@ -828,6 +832,11 @@ def promote_check(installer): tasks.check_selinux_status() +if is_ipa_configured(): +sys.exit("IPA server is already configured on this system.\n" + "If you want to reinstall the IPA server, please uninstall " + "it first using 'ipa-server-install --uninstall'." + client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE) if not client_fstore.has_files(): ensure_enrolled(installer) -- 1.8.3.1 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
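Review bot: In the `promote_check` hunk the added `sys.exit(` call is never closed: the last added string line ends at `'ipa-server-install --uninstall'."` with no `)`, so the module fails to import with a syntax error. Add the closing parenthesis, as the identical block in the `install_check` hunk has it.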
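Review bot: The `install_check` hunk adds the same `is_ipa_configured()` / `sys.exit(...)` block, message included, that `promote_check` receives in the next hunk. A small shared helper called from both functions would keep the two copies of the message from drifting apart.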
Re: [Freeipa-devel] [PATCH 0065]
Bump for review.

On Mon, Nov 30, 2015 at 7:31 PM, Gabe Alford <redhatri...@gmail.com> wrote:

> Hello,
>
> Patch fix for the following tickets:
>
> https://fedorahosted.org/freeipa/ticket/5022
> https://fedorahosted.org/freeipa/ticket/5320
>
> Thanks,
>
> Gabe
Re: [Freeipa-devel] [PATCH 0065]
Yup you are right. I meant to bump the other one.

> It is on my TODO list.

Awesome.

On Mon, Dec 7, 2015 at 7:20 AM, Martin Basti <mba...@redhat.com> wrote:

> On 07.12.2015 14:55, Gabe Alford wrote:
>
> Bump for review.
>
> On Mon, Nov 30, 2015 at 7:31 PM, Gabe Alford <redhatri...@gmail.com> wrote:
>
>> Hello,
>>
>> Patch fix for the following tickets:
>>
>> https://fedorahosted.org/freeipa/ticket/5022
>> https://fedorahosted.org/freeipa/ticket/5320
>>
>> Thanks,
>>
>> Gabe
>
> Hello, IIRC you said that we should ignore this in thread
> [PATCH 0065] ipa-replica-install prints incorrect error message when
> replica is already installed
>
> It is on my TODO list.
>
> Martin^2
Re: [Freeipa-devel] [PATCH 0066] Migrate wget references to curl
My bad. Copy and paste error. Updated patch attached. Thanks, Gabe On Fri, Dec 4, 2015 at 12:17 PM, Martin Basti <mba...@redhat.com> wrote: > > > On 01.12.2015 15:00, Gabe Alford wrote: > > Hello, > > Fix for https://fedorahosted.org/freeipa/ticket/5458 > > Thanks, > > Gabe > > > Hello, > > I haven't looked closer, but your patch is causing this: > > Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 > seconds > [1/27]: creating certificate server user > [2/27]: configuring certificate server instance > [3/27]: stopping certificate server instance to update CS.cfg > [4/27]: backing up CS.cfg > [5/27]: disabling nonces > [6/27]: set up CRL publishing > [7/27]: enable PKIX certificate path discovery and validation > [8/27]: starting certificate server instance > ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart > the Dogtag instance.See the installation log for details. > [9/27]: creating RA agent certificate database > [10/27]: importing CA chain to RA certificate database > [11/27]: fixing RA database permissions > [12/27]: setting up signing cert profile > [13/27]: setting audit signing renewal to 2 years > [14/27]: restarting certificate server > ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart > the Dogtag instance.See the installation log for details. > [15/27]: requesting RA certificate from CA > [16/27]: issuing RA agent certificate > [17/27]: adding RA agent as a trusted user > [18/27]: authorizing RA to modify profiles > [19/27]: configure certmonger for renewals > [20/27]: configure certificate renewals > [21/27]: configure RA certificate renewal > [22/27]: configure Server-Cert certificate renewal > [23/27]: Configure HTTP to proxy connections > [24/27]: restarting certificate server > > ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart > the Dogtag instance.See the installation log for details. 
> [25/27]: migrating certificate profiles to LDAP > [26/27]: importing IPA certificate profiles > [27/27]: adding default CA ACL > > > CA is operational and ready, but IPA installer is not able to detect it > correctly > > 2015-12-04T19:08:54Z DEBUG stderr=curl: option --connect-timeout 30: is > unknown > curl: try 'curl --help' or 'curl --manual' for more information > > Martin^2 > From bbeac791988e3bc9a2dc98b9d782b397baab4ba1 Mon Sep 17 00:00:00 2001 From: Gabe <redhatri...@gmail.com> Date: Fri, 4 Dec 2015 14:52:03 -0700 Subject: [PATCH] Migrate wget references and usage to curl https://fedorahosted.org/freeipa/ticket/5458 --- freeipa.spec.in| 4 ++-- ipa-client/ipa-install/ipa-client-install | 2 +- ipaplatform/base/paths.py | 2 +- ipaplatform/redhat/services.py | 8 ipaserver/advise/plugins/legacy_clients.py | 14 +++--- ipatests/test_integration/test_advise.py | 10 +- 6 files changed, 20 insertions(+), 20 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index a60d9b63f363773b6ca1b0969fa56b369a94092f..0d022a915bb89245c96ab9c02e10a41b38646a9c 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -262,7 +262,7 @@ Requires: ntp Requires: krb5-workstation Requires: authconfig Requires: pam_krb5 -Requires: wget +Requires: curl Requires: libcurl >= 7.21.7-2 Requires: xmlrpc-c >= 1.27.4 Requires: sssd >= 1.13.1 @@ -330,7 +330,7 @@ Requires: python-pyasn1 Requires: python-dateutil Requires: python-yubico >= 1.2.3 Requires: python-sss-murmur -Requires: wget +Requires: curl Requires: dbus-python Requires: python-setuptools Requires: python-six diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 974dd1da8bf3f5836170ca67d2f4c298e7ec6844..20c9b05532c10b1c5789f26f87c2aebfc9a859b3 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install 
@@ -1922,7 +1922,7 @@ def get_ca_certs_from_http(url, warn=True): root_logger.debug("trying to retrieve CA cert via HTTP from %s", url) try: -stdout, stderr, rc = run([paths.BIN_WGET, "-O", "-", url]) +stdout, stderr, rc = run([paths.BIN_CURL, "-o", "-", url]) except CalledProcessError as e: raise errors.NoCertificateError(entry=url) diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index 9ee488f9fdef19cb409752d66775bcbee6665ba8..762a38136e6c612767705389ee667b6f2ddab397 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -179,7 +179,7 @@ class BasePathNamespace(object): SSS_SSH_KNOWNHOSTSPROXY = "/usr/bin/sss_ssh_knownhostsproxy" BIN_TIMEOUT = "/usr/bi
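Review bot: In the `get_ca_certs_from_http` hunk, `curl -o - url` is not a drop-in for `wget -O - url`: curl exits 0 on an HTTP error response unless `-f`/`--fail` is given, so `run()` will not raise `CalledProcessError` and the body of the error page comes back as `stdout` to be handled as certificate data. Pass `-f` here, and add `-L` if the code relied on wget following redirects by default.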
[Freeipa-devel] [PATCH 0066] Migrate wget references to curl
Hello, Fix for https://fedorahosted.org/freeipa/ticket/5458 Thanks, Gabe From 490bb5aceb2c1ea3385c15bb85aea5c29c77f70b Mon Sep 17 00:00:00 2001 From: GabeDate: Tue, 1 Dec 2015 06:45:59 -0700 Subject: [PATCH] Migrate wget references and usage to curl https://fedorahosted.org/freeipa/ticket/5458 --- freeipa.spec.in| 4 ++-- ipa-client/ipa-install/ipa-client-install | 2 +- ipaplatform/base/paths.py | 2 +- ipaplatform/redhat/services.py | 8 ipaserver/advise/plugins/legacy_clients.py | 14 +++--- ipatests/test_integration/test_advise.py | 10 +- 6 files changed, 20 insertions(+), 20 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index a60d9b63f363773b6ca1b0969fa56b369a94092f..0d022a915bb89245c96ab9c02e10a41b38646a9c 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -262,7 +262,7 @@ Requires: ntp Requires: krb5-workstation Requires: authconfig Requires: pam_krb5 -Requires: wget +Requires: curl Requires: libcurl >= 7.21.7-2 Requires: xmlrpc-c >= 1.27.4 Requires: sssd >= 1.13.1 @@ -330,7 +330,7 @@ Requires: python-pyasn1 Requires: python-dateutil Requires: python-yubico >= 1.2.3 Requires: python-sss-murmur -Requires: wget +Requires: curl Requires: dbus-python Requires: python-setuptools Requires: python-six diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 05a550b11e74db84e46a126798c4db728226865c..2437bb0bc8247a447da99e663bdf39b9fd8cfa61 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -1919,7 +1919,7 @@ def get_ca_certs_from_http(url, warn=True): root_logger.debug("trying to retrieve CA cert via HTTP from %s", url) try: -stdout, stderr, rc = run([paths.BIN_WGET, "-O", "-", url]) +stdout, stderr, rc = run([paths.BIN_CURL, "-o", "-", url]) except CalledProcessError as e: raise errors.NoCertificateError(entry=url) 
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index 9ee488f9fdef19cb409752d66775bcbee6665ba8..762a38136e6c612767705389ee667b6f2ddab397 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -179,7 +179,7 @@ class BasePathNamespace(object): SSS_SSH_KNOWNHOSTSPROXY = "/usr/bin/sss_ssh_knownhostsproxy" BIN_TIMEOUT = "/usr/bin/timeout" UPDATE_CA_TRUST = "/usr/bin/update-ca-trust" -BIN_WGET = "/usr/bin/wget" +BIN_CURL = "/usr/bin/curl" ZIP = "/usr/bin/zip" BIND_LDAP_SO = "/usr/lib/bind/ldap.so" BIND_LDAP_DNS_IPA_WORKDIR = "/var/named/dyndb-ldap/ipa/" diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py index 0902215a56191032a1a65d0c2d05ddd5b7dab67f..7f9e85e37f8f6aac3d20874e04fe5576ed426e3c 100644 --- a/ipaplatform/redhat/services.py +++ b/ipaplatform/redhat/services.py @@ -213,10 +213,10 @@ class RedHatCAService(RedHatService): } args = [ -paths.BIN_WGET, -'-S', '-O', '-', -'--timeout=30', -'--no-check-certificate', +paths.BIN_CURL, +'-i', '-o', '-', +'--connect-timeout 30', +'-k', url ] diff --git a/ipaserver/advise/plugins/legacy_clients.py b/ipaserver/advise/plugins/legacy_clients.py index e673cb45f58901ddee70a0ec6cea62531bba965b..b6e1fc5a1549787fbe2805b0297d79211ae21d77 100644 --- a/ipaserver/advise/plugins/legacy_clients.py +++ b/ipaserver/advise/plugins/legacy_clients.py 
@@ -51,13 +51,13 @@ class config_base_legacy_client(Advice): 'cacertdir_rehash?format=txt') self.log.comment('Download the CA certificate of the IPA server') self.log.command('mkdir -p -m 755 /etc/openldap/cacerts') -self.log.command('wget http://%s/ipa/config/ca.crt -O ' +self.log.command('curl http://%s/ipa/config/ca.crt -o ' '/etc/openldap/cacerts/ipa.crt\n' % api.env.host) self.log.comment('Generate hashes for the openldap library') self.log.command('command -v cacertdir_rehash') self.log.command('if [ $? -ne 0 ] ; then') -self.log.command(' wget "%s" -O cacertdir_rehash ;' % cacertdir_rehash) +self.log.command(' curl "%s" -o cacertdir_rehash ;' % cacertdir_rehash) self.log.command(' chmod 755 ./cacertdir_rehash ;') self.log.command(' ./cacertdir_rehash /etc/openldap/cacerts/ ;') self.log.command('else') @@ -98,7 +98,7 @@ class config_redhat_sssd_before_1_9(config_base_legacy_client): self.check_compat_plugin() self.log.comment('Install required packages via yum') -self.log.command('yum install -y sssd authconfig wget openssl\n') +self.log.command('yum install -y sssd authconfig curl openssl\n')
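Review bot: In the `RedHatCAService` hunk, `'--connect-timeout 30'` is a single argv element, so curl receives the option name and its value fused together and rejects it; split it into `'--connect-timeout', '30'`. Two behaviour changes are also worth checking: wget's `--timeout=30` bounded the read phase as well, while `--connect-timeout` only bounds connection setup (add `--max-time` if the overall bound matters), and `-S` printed response headers on stderr whereas `-i` puts them into the stdout stream the caller reads.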
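Review bot: In the `config_base_legacy_client` hunk, the advised `curl http://%s/ipa/config/ca.crt -o ...` and `curl "%s" -o cacertdir_rehash` commands lack `-f`, so on an HTTP error curl still exits 0 and writes the error page to `/etc/openldap/cacerts/ipa.crt` or to the `cacertdir_rehash` file that the following lines `chmod 755` and execute. Use `curl -f` in both commands, plus `-L` for the `cacertdir_rehash` URL if it can redirect.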
[Freeipa-devel] [PATCH 0065] ipa-replica-install prints incorrect error message when replica is already installed
Sorry guys, I forgot to add a meaningful subject to this message. Ignore the previous thread start. -- Forwarded message -- From: Gabe Alford <redhatri...@gmail.com> Date: Mon, Nov 30, 2015 at 7:31 PM Subject: [PATCH 0065] To: freeipa-devel <freeipa-devel@redhat.com> Hello, Patch fix for the following tickets: https://fedorahosted.org/freeipa/ticket/5022 https://fedorahosted.org/freeipa/ticket/5320 Thanks, Gabe From 3e0a6c556a3402bbd0e15a6f113498aae27e2cf4 Mon Sep 17 00:00:00 2001 From: Gabe <redhatri...@gmail.com> Date: Mon, 30 Nov 2015 18:42:14 -0700 Subject: [PATCH] ipa-replica-install prints incorrect error message when replica is already installed https://fedorahosted.org/freeipa/ticket/5022 https://fedorahosted.org/freeipa/ticket/5320 --- ipaserver/install/server/replicainstall.py | 18 +++--- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index e6d96bbe62c6960ebe94c529a8dac9dd0468d734..51d4e95dd0e4174ced2f18ec278871138a9c3bc3 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -30,8 +30,8 @@ from ipaserver.install import ( bindinstance, ca, cainstance, certs, dns, dsinstance, httpinstance, installutils, kra, krainstance, krbinstance, memcacheinstance, ntpinstance, otpdinstance, custodiainstance, service) -from ipaserver.install.installutils import create_replica_config -from ipaserver.install.installutils import ReplicaConfig +from ipaserver.install.installutils import ( +create_replica_config, is_ipa_configured, ReplicaConfig) from ipaserver.install.replication import ( ReplicationManager, replica_conn_check) import SSSDConfig 
@@ -405,11 +405,10 @@ def install_check(installer): tasks.check_selinux_status() -client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE) -if client_fstore.has_files(): -sys.exit("IPA client is already configured on this system.\n" - "Please uninstall it first before configuring the replica, " - "using 'ipa-client-install --uninstall'.") +if is_ipa_configured(): +sys.exit("IPA replica is already configured on this system.\n" + "If you want to reinstall the IPA replica, please uninstall " + "it first using 'ipa-server-install --uninstall'.") sstore = sysrestore.StateFile(paths.SYSRESTORE) @@ -759,6 +758,11 @@ def promote_check(installer): tasks.check_selinux_status() +if is_ipa_configured(): +sys.exit("IPA replica is already configured on this system.\n" + "If you want to reinstall the IPA replica, please uninstall " + "it first using 'ipa-server-install --uninstall'.") + client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE) if not client_fstore.has_files(): sys.exit("IPA client is not configured on this system.\n" -- 2.5.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
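Review bot: In the `install_check` hunk the `client_fstore.has_files()` test is removed rather than kept alongside the new one, so a replica install on a host that is only enrolled as a client is no longer refused with the "IPA client is already configured" message. Keep the client check and put the `is_ipa_configured()` test in front of it.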
[Freeipa-devel] [PATCH 0065]
Hello, Patch fix for the following tickets: https://fedorahosted.org/freeipa/ticket/5022 https://fedorahosted.org/freeipa/ticket/5320 Thanks, Gabe From 3e0a6c556a3402bbd0e15a6f113498aae27e2cf4 Mon Sep 17 00:00:00 2001 From: GabeDate: Mon, 30 Nov 2015 18:42:14 -0700 Subject: [PATCH] ipa-replica-install prints incorrect error message when replica is already installed https://fedorahosted.org/freeipa/ticket/5022 https://fedorahosted.org/freeipa/ticket/5320 --- ipaserver/install/server/replicainstall.py | 18 +++--- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index e6d96bbe62c6960ebe94c529a8dac9dd0468d734..51d4e95dd0e4174ced2f18ec278871138a9c3bc3 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -30,8 +30,8 @@ from ipaserver.install import ( bindinstance, ca, cainstance, certs, dns, dsinstance, httpinstance, installutils, kra, krainstance, krbinstance, memcacheinstance, ntpinstance, otpdinstance, custodiainstance, service) -from ipaserver.install.installutils import create_replica_config -from ipaserver.install.installutils import ReplicaConfig +from ipaserver.install.installutils import ( +create_replica_config, is_ipa_configured, ReplicaConfig) from ipaserver.install.replication import ( ReplicationManager, replica_conn_check) import SSSDConfig 
@@ -405,11 +405,10 @@ def install_check(installer): tasks.check_selinux_status() -client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE) -if client_fstore.has_files(): -sys.exit("IPA client is already configured on this system.\n" - "Please uninstall it first before configuring the replica, " - "using 'ipa-client-install --uninstall'.") +if is_ipa_configured(): +sys.exit("IPA replica is already configured on this system.\n" + "If you want to reinstall the IPA replica, please uninstall " + "it first using 'ipa-server-install --uninstall'.") sstore = sysrestore.StateFile(paths.SYSRESTORE) @@ -759,6 +758,11 @@ def promote_check(installer): tasks.check_selinux_status() +if is_ipa_configured(): +sys.exit("IPA replica is already configured on this system.\n" + "If you want to reinstall the IPA replica, please uninstall " + "it first using 'ipa-server-install --uninstall'.") + client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE) if not client_fstore.has_files(): sys.exit("IPA client is not configured on this system.\n" -- 2.5.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
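Review bot: Both added messages, in `install_check` and `promote_check`, say "IPA replica is already configured", while the test is `is_ipa_configured()` and the advice given is `ipa-server-install --uninstall`, neither of which is replica-specific. Wording both as "IPA server is already configured" would match the check and the command.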
Re: [Freeipa-devel] [PATCH 0015] mod_auth_gssapi: Remove ntlmssp support and restrict, mechanism to krb5
Bump for push. May need a rebase.

On Wed, Jul 22, 2015 at 7:49 AM, Simo Sorce wrote:

> - Original Message -
> > From: "Christian Heimes"
> > To: "freeipa-devel"
> > Sent: Wednesday, July 22, 2015 9:32:59 AM
> > Subject: [Freeipa-devel] [PATCH 0015] mod_auth_gssapi: Remove ntlmssp support and restrict, mechanism to krb5
> >
> > By default mod_auth_gssapi allows all locally available mechanisms. If
> > the gssntlmssp package is installed, it also offers ntlmssp. This has
> > the annoying side effect that some browser will pop up a
> > username/password request dialog if no Krb5 credentials are available.
> >
> > The patch restricts the mechanism to krb5 and removes ntlmssp and
> > iakerb support from Apache's ipa.conf.
> >
> > The new feature was added to mod_auth_gssapi 1.3.0.
> >
> > https://fedorahosted.org/freeipa/ticket/5114
>
> LGTM
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc. * New York
Re: [Freeipa-devel] [PATCH 0384] ipa-client-automount: Leverage IPAChangeConf to configure the idmapd
Ack.

Gabe

On Wed, Nov 11, 2015 at 7:22 AM, Tomas Babej wrote:

> Hi,
>
> Simple regexp substitution caused that the domain directive fell under
> an inappropriate section, if the domain directive was not present. Hence
> the idmapd.conf file was not properly parsed.
>
> Use IPAChangeConf to put the directive in its correct place even if
> the domain directive is missing.
>
> https://fedorahosted.org/freeipa/ticket/5069
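The failure described in the quoted message, as an added example that is not part of the original thread and is neither FreeIPA's earlier code nor IPAChangeConf: a regex-only edit, modelled here as "replace the line, else append at end of file" (an assumption), next to a section-aware edit. The sample idmapd.conf and all function names are constructed for illustration.

```python
import configparser
import re

# Constructed sample: an idmapd.conf whose [General] section has no active
# Domain line (only a commented-out one), followed by another section.
SAMPLE = """\
[General]
#Domain = local.domain.edu

[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
"""

HEADER = re.compile(r"^\s*\[([^\]]+)\]\s*$")


def naive_set_domain(text, domain):
    """Regex-only edit (assumed model of the bug): replace an active
    'Domain =' line if one exists, otherwise append the line at end of file."""
    pattern = re.compile(r"^Domain\s*=.*$", re.MULTILINE)
    line = "Domain = %s" % domain
    if pattern.search(text):
        return pattern.sub(lambda m: line, text)
    # No active directive: the new line lands under whatever section is last.
    return text.rstrip("\n") + "\n" + line + "\n"


def set_in_section(text, section, key, value):
    """Section-aware edit: replace key inside [section], insert it right
    after the section header if absent, or create the section if missing."""
    lines = text.splitlines()
    new_line = "%s = %s" % (key, value)
    key_re = re.compile(r"^\s*%s\s*=" % re.escape(key), re.IGNORECASE)
    header_idx = None
    current = None
    for i, line in enumerate(lines):
        m = HEADER.match(line)
        if m:
            current = m.group(1).strip().lower()
            if current == section.lower() and header_idx is None:
                header_idx = i
            continue
        # Only an active (uncommented) key inside the target section counts.
        if current == section.lower() and key_re.match(line):
            lines[i] = new_line
            return "\n".join(lines) + "\n"
    if header_idx is None:
        if lines and lines[-1].strip():
            lines.append("")
        lines += ["[%s]" % section, new_line]
    else:
        lines.insert(header_idx + 1, new_line)
    return "\n".join(lines) + "\n"


def sections_with(text, key):
    """Return the names of the sections in which key is set."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return [s for s in cp.sections() if cp.has_option(s, key)]


if __name__ == "__main__":
    broken = naive_set_domain(SAMPLE, "example.org")
    fixed = set_in_section(SAMPLE, "General", "Domain", "example.org")
    print("regex-only edit puts Domain in:", sections_with(broken, "Domain"))
    print("section-aware edit puts Domain in:", sections_with(fixed, "Domain"))
```
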
[Freeipa-devel] [PATCH 0064] Check if IPA is configured before attempting a winsync migration
Hello, Fix for https://fedorahosted.org/freeipa/ticket/5470 Thanks, Gabe From 9e9b8813d069b3a65e16ef90a602bf35feade9c9 Mon Sep 17 00:00:00 2001 From: GabeDate: Fri, 20 Nov 2015 07:54:30 -0700 Subject: [PATCH] Check if IPA is configured before attempting a winsync migration https://fedorahosted.org/freeipa/ticket/5470 --- ipaserver/install/ipa_winsync_migrate.py | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/ipa_winsync_migrate.py b/ipaserver/install/ipa_winsync_migrate.py index 87e23fb3698bac0a0371a198d95994ed921ee011..6996c7fbd7954245bb5aabb5fad0d31103e3517f 100644 --- a/ipaserver/install/ipa_winsync_migrate.py +++ b/ipaserver/install/ipa_winsync_migrate.py @@ -29,7 +29,7 @@ from ipapython.dn import DN from ipapython.ipautil import realm_to_suffix, posixify from ipapython.ipa_log_manager import log_mgr from ipaserver.plugins.ldap2 import ldap2 -from ipaserver.install import replication +from ipaserver.install import replication, installutils if six.PY3: unicode = str @@ -344,6 +344,13 @@ class WinsyncMigrate(admintool.AdminTool): api.bootstrap(in_server=True, context='server') api.finalize() +# Check if the IPA server is configured before attempting to migrate +try: +installutils.check_server_configuration() +except RuntimeError as e: +sys.exit(e) + + # Setup LDAP connection try: api.Backend.ldap2.connect() -- 1.8.3.1 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
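Review bot: In the second hunk the configuration check is added after api.bootstrap(in_server=True, context='server') and api.finalize(), so the API is still initialized on a host that has no IPA server before the tool exits. Move the try/except around installutils.check_server_configuration() above the bootstrap call. The hunk also adds two blank lines after sys.exit(e) where one is enough.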
Re: [Freeipa-devel] [PATCH 0064] Check if IPA is configured before attempting a winsync migration
Thanks. Updated patch attached. Gabe On Fri, Nov 20, 2015 at 10:36 AM, Martin Babinsky <mbabi...@redhat.com> wrote: > On 11/20/2015 04:02 PM, Gabe Alford wrote: > >> Hello, >> >> Fix for https://fedorahosted.org/freeipa/ticket/5470 >> >> Thanks, >> >> Gabe >> >> >> Hi Gabe, > > patch looks good. IMHO it would be better if you moved the check before > API initialization like so: > > """ > @@ -340,6 +340,12 @@ class WinsyncMigrate(admintool.AdminTool): > the plumbing. > """ > > +# Check if the IPA server is configured before attempting to > migrate > +try: > +installutils.check_server_configuration() > +except RuntimeError as e: > +sys.exit(e) > + > # Finalize API > api.bootstrap(in_server=True, context='server') > api.finalize() > """ > > There's no point in initializing API if there is no server installed. > > -- > Martin^3 Babinsky > From 62c89fb0bf760bf721d15a309497635a45a98077 Mon Sep 17 00:00:00 2001 From: Gabe <redhatri...@gmail.com> Date: Fri, 20 Nov 2015 11:06:55 -0700 Subject: [PATCH] Check if IPA is configured before attempting a winsync migration https://fedorahosted.org/freeipa/ticket/5470 --- ipaserver/install/ipa_winsync_migrate.py | 8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/ipa_winsync_migrate.py b/ipaserver/install/ipa_winsync_migrate.py index 87e23fb3698bac0a0371a198d95994ed921ee011..bbd029c81e7a093b3559e374189b79d12395b79c 100644 --- a/ipaserver/install/ipa_winsync_migrate.py +++ b/ipaserver/install/ipa_winsync_migrate.py @@ -29,7 +29,7 @@ from ipapython.dn import DN from ipapython.ipautil import realm_to_suffix, posixify from ipapython.ipa_log_manager import log_mgr from ipaserver.plugins.ldap2 import ldap2 -from ipaserver.install import replication +from ipaserver.install import replication, installutils if six.PY3: unicode = str 
@@ -340,6 +340,12 @@ class WinsyncMigrate(admintool.AdminTool): the plumbing. """ +# Check if the IPA server is configured before attempting to migrate +try: +installutils.check_server_configuration() +except RuntimeError as e: +sys.exit(e) + # Finalize API api.bootstrap(in_server=True, context='server') api.finalize() -- 1.8.3.1 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
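Review bot: sys.exit(e) in the second hunk depends on sys being imported, but the import context of the first hunk shows only ipapython and ipaserver imports and the patch adds just installutils; confirm that import sys is present higher up in ipa_winsync_migrate.py. The added comment would also read more accurately as "Check that the IPA server is configured", since the code exits when it is not.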
Re: [Freeipa-devel] [PATCH 0063] ipa-replica-manage del continues when host does not exist in domain level 1
Yeah. That's better. Thanks, Martin.

Ack.

On Thu, Nov 12, 2015 at 6:02 AM, Martin Basti <mba...@redhat.com> wrote:

> On 09.11.2015 14:37, Gabe Alford wrote:
>
> Hello,
>
> Fix for https://fedorahosted.org/freeipa/ticket/5424
>
> thanks,
>
> Gabe
>
>
> Thank you for your patch, almost ACK, but I propose following changes
> (patch attached) in error message.
>
> Let me know if you agree with the change.
>
> Martin
Re: [Freeipa-devel] [PATCH 0064-0065] ipa-dns-install offers IP addresses from resolv.conf as default forwarder
Does this also fix https://fedorahosted.org/freeipa/ticket/3926?

On Tue, Nov 10, 2015 at 8:58 AM, Petr Spacek wrote:

> Hello,
>
> Patch 64:
> ipa-dns-install offer IP addresses from resolv.conf as default forwarders
>
> In non-interactive mode option --auto-forwarders can be used to do the
> same. --forward option can be used to supply additional IP addresses.
>
> https://fedorahosted.org/freeipa/ticket/5438
>
>
> Patch 65:
> Remove global variable dns_forwarders from ipaserver.install.dns
> It seems to me that the global thingy is not necessary, so I've ripped it
> out.
>
> --
> Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0343] Upgrade: enable custodia service during upgrade
Ack.

Thanks,

Gabe

On Tue, Nov 3, 2015 at 11:18 AM, Martin Basti wrote:

> https://fedorahosted.org/freeipa/ticket/5429
>
> Patch attached.
[Freeipa-devel] [PATCH 0063] ipa-replica-manage del continues when host does not exist in domain level 1
Hello, Fix for https://fedorahosted.org/freeipa/ticket/5424 thanks, Gabe From f2f0deee5ca743518d97efe4f01cc22c0672e87a Mon Sep 17 00:00:00 2001 From: GabeDate: Sun, 8 Nov 2015 17:18:17 -0700 Subject: [PATCH] ipa-replica-manage del continues when host does not exist in domain level 1 - Raises error and stops operation unless --cleanup is specified. https://fedorahosted.org/freeipa/ticket/5424 --- install/tools/ipa-replica-manage | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage index b9998da44dcc1f01c5eb342ee713634de0ee84ee..ccd48eb635a27b5752484ce68b094c2daf7291fa 100755 --- a/install/tools/ipa-replica-manage +++ b/install/tools/ipa-replica-manage @@ -740,7 +740,12 @@ def del_master_managed(realm, hostname, options): try: api.Command.server_del(hostname_u) except errors.NotFound: -print("Server entry already deleted: %s" % (hostname)) +if not options.cleanup: +print("%s does not exist. Please specify an actual server or add" \ + " the\n--cleanup option to force clean up." % (hostname)) +sys.exit(1) +else: +print("Server entry already deleted: %s" % (hostname)) # 6. Cleanup try: -- 2.5.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
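Review bot: In the errors.NotFound branch the new error text is written with print() and then followed by sys.exit(1), so the message lands on stdout; passing the string to sys.exit() sends it to stderr and sets the exit status in one call. The backslash after "or add" is redundant inside the parentheses, and the else: is unnecessary once the first branch exits. The message should also say what --cleanup does for a hostname that has no server entry, because with that option a mistyped hostname still continues to step "# 6. Cleanup".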
[Freeipa-devel] [PATCH 0062] custodia: ipa-upgrade failed on replica
Hello, Fix for https://fedorahosted.org/freeipa/ticket/5374. I could reproduce it as the Custodia update file was missing from the updates Makefile which in turn was not being packaged into the rpms. Thanks, Gabe From 871822779696ece33f36e6940ecc96fc090b7ea2 Mon Sep 17 00:00:00 2001 From: GabeDate: Wed, 4 Nov 2015 19:09:58 -0700 Subject: [PATCH] custodia: ipa-upgrade failed on replica - Add 73-custodia.update to install/updates/Makefile.am https://fedorahosted.org/freeipa/ticket/5374 --- install/updates/Makefile.am | 1 + 1 file changed, 1 insertion(+) diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 04ddeb96de4e88d5909f13b13885d3207184e798..6c8fa11e57a7d2119f837932e72ac13b6224aca7 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -51,6 +51,7 @@ app_DATA =\ 62-ranges.update \ 71-idviews.update \ 72-domainlevels.update \ + 73-custodia.update \ 73-winsync.update \ 90-post_upgrade_plugins.update \ $(NULL) -- 2.5.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0061] Remove 50-lockout-policy.update file
Can do Alexander. Here is the updated patch. Gabe On Fri, Oct 30, 2015 at 12:56 AM, Alexander Bokovoy <aboko...@redhat.com> wrote: > On Thu, 29 Oct 2015, Gabe Alford wrote: > >> Hello, >> >> Fix for https://fedorahosted.org/freeipa/ticket/5418 >> > ACK but can you please add something like this in the commit message: > > > Remove lockout policy update file because all currently supported > FreeIPA versions already have krbPwdMaxFailure defaulting to 6 and > krbPwdLockoutDuration defaulting to 600. > > Keeping lockout policy update file prevents from creating a more strict > policy in environments where it is subject to regulatory compliance. > > > >> Thanks, >> >> Gabe >> > > From 7a9086162717bc414a1d65ea71a2d65729f6fa7e Mon Sep 17 00:00:00 2001 >> From: Gabe <redhatri...@gmail.com> >> Date: Thu, 29 Oct 2015 20:30:35 -0600 >> Subject: [PATCH] Remove 50-lockout-policy.update file >> >> https://fedorahosted.org/freeipa/ticket/5418 >> --- >> install/updates/50-lockout-policy.update | 4 >> install/updates/Makefile.am | 1 - >> 2 files changed, 5 deletions(-) >> delete mode 100644 install/updates/50-lockout-policy.update >> >> diff --git a/install/updates/50-lockout-policy.update >> b/install/updates/50-lockout-policy.update >> deleted file mode 100644 >> index >> a5730709e2b649466118502ece1cc530c10e0b40.. >> --- a/install/updates/50-lockout-policy.update >> +++ /dev/null >> @@ -1,4 +0,0 @@ >> -dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX >> -replace:krbPwdLockoutDuration:10::600 >> -replace: krbPwdMaxFailure:3::6 >> - >> diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am >> index >> 26e4c04ed66a4a2061a3bb3ca2f4a6cd84502598..04ddeb96de4e88d5909f13b13885d3207184e798 >> 100644 >> --- a/install/updates/Makefile.am >> +++ b/install/updates/Makefile.am 
>> @@ -39,7 +39,6 @@ app_DATA =\ >> 45-roles.update \ >> 50-7_bit_check.update \ >> 50-dogtag10-migration.update\ >> - 50-lockout-policy.update\ >> 50-groupuuid.update \ >> 50-hbacservice.update \ >> 50-krbenctypes.update \ >> -- >> 2.4.3 >> >> > -- >> Manage your subscription for the Freeipa-devel mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-devel >> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code >> > > > -- > / Alexander Bokovoy > From 24bcde6042d90322883350b5fd97aa41f2e4d77d Mon Sep 17 00:00:00 2001 From: Gabe <redhatri...@gmail.com> Date: Fri, 30 Oct 2015 06:27:11 -0600 Subject: [PATCH] Remove 50-lockout-policy.update file Remove lockout policy update file because all currently supported versions have krbPwdMaxFailure defaulting to 6 and krbPwdLockoutDuration defaulting to 600. Keeping lockout policy update file prevents from creating a more scrict policy in environments subject to regulatory compliance https://fedorahosted.org/freeipa/ticket/5418 --- install/updates/50-lockout-policy.update | 4 install/updates/Makefile.am | 1 - 2 files changed, 5 deletions(-) delete mode 100644 install/updates/50-lockout-policy.update diff --git a/install/updates/50-lockout-policy.update b/install/updates/50-lockout-policy.update deleted file mode 100644 index a5730709e2b649466118502ece1cc530c10e0b40.. --- a/install/updates/50-lockout-policy.update +++ /dev/null @@ -1,4 +0,0 @@ -dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX -replace:krbPwdLockoutDuration:10::600 -replace: krbPwdMaxFailure:3::6 - diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 26e4c04ed66a4a2061a3bb3ca2f4a6cd84502598..04ddeb96de4e88d5909f13b13885d3207184e798 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am 
@@ -39,7 +39,6 @@ app_DATA =\ 45-roles.update \ 50-7_bit_check.update \ 50-dogtag10-migration.update \ - 50-lockout-policy.update \ 50-groupuuid.update \ 50-hbacservice.update \ 50-krbenctypes.update \ -- 1.8.3.1 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
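Review bot: The commit message should state what the deleted directives did, because that is the whole justification: they are rewrites from an old value to a new one (krbPwdLockoutDuration 10 to 600, krbPwdMaxFailure 3 to 6), so an administrator who sets krbPwdMaxFailure to 3 on purpose gets it raised back to 6 by the update file. After the removal a deployment still carrying the old values 10 and 3 is no longer migrated, so the statement that all supported versions already default to 6 and 600 is what makes the deletion safe and deserves a version reference. Typo in the message: "scrict" should be "strict", and the last sentence lacks its full stop.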
Re: [Freeipa-devel] [PATCH 0060] Incomplete ports for IPA AD Trust
Okay. Added the port range to ipa-adtrust-install and updated the man page to reflect firewall requirements. The firewall section seems a little rough, so let me know what you think it would need to be smoothed over (if anything). thanks, Gabe On Fri, Oct 30, 2015 at 4:12 AM, Petr Spacek <pspa...@redhat.com> wrote: > On 30.10.2015 11:10, Alexander Bokovoy wrote: > > On Fri, 30 Oct 2015, Petr Spacek wrote: > >> On 30.10.2015 07:54, Alexander Bokovoy wrote: > >>> On Thu, 29 Oct 2015, Gabe Alford wrote: > >>>> Hello, > >>>> > >>>> Fix for https://fedorahosted.org/freeipa/ticket/5414 > >>>> > >>>> Thanks, > >>>> > >>>> Gabe > >>> > >>>> From 515582d66252521a3cbf6a6a48f33745bd788c86 Mon Sep 17 00:00:00 2001 > >>>> From: Gabe <redhatri...@gmail.com> > >>>> Date: Thu, 29 Oct 2015 20:28:27 -0600 > >>>> Subject: [PATCH] Incomplete ports for IPA AD Trust > >>>> > >>>> https://fedorahosted.org/freeipa/ticket/5414 > >>>> --- > >>>> install/tools/ipa-adtrust-install | 1 + > >>>> 1 file changed, 1 insertion(+) > >>>> > >>>> diff --git a/install/tools/ipa-adtrust-install > >>>> b/install/tools/ipa-adtrust-install > >>>> index > >>>> > 1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..84e28b57524b2c3308e52cc56b4b370276add0b7 > >>>> > >>>> 100755 > >>>> --- a/install/tools/ipa-adtrust-install > >>>> +++ b/install/tools/ipa-adtrust-install 
> >>>> @@ -472,6 +472,7 @@ Setup complete > >>>> > >>>> You must make sure these network ports are open: > >>>> \tTCP Ports: > >>>> +\t * 135: epmap > >>>> \t * 138: netbios-dgm > >>>> \t * 139: netbios-ssn > >>>> \t * 445: microsoft-ds > >>> This is good but not complete. What end-point mapper does is creating a > >>> listener based on the incoming request and access to the listener needs > >>> to be provided as well. A listener is created currently in the range of > >>> 1024..1300/TCP but we already have request to make this range > >>> configurable (it is hard coded right now in Samba code) because with > >>> Windows 2008 Microsoft moved it from 1025..5000 to 49152..65535: > >>> https://support.microsoft.com/en-us/kb/929851 > >>> > >>> We were thinking to add a call out hook on Samba side to call > >>> firewall-related script that could do hole punching on demand but it is > >>> not there yet. > >>> > >>> What we could do in ipa-adtrust-install, is to add section about > TCP/UDP > >>> ports to the manual page and explicitly reference that one in case of > >>> epmap line: > >>> \t *135: epmap (see ipa-adtrust-install(1) man page for details) > >>> > >>> We don't have the firewall section in the manpage at all, btw. > >>> > >>> What do you think? > >> > >> Maybe I'm missing something, but ... Could we simply put current range > >> 1024..1300/TCP to the installer now and do other changes as Samba > evolves? I > >> think that it is good enough as a hotfix and that we do not need to > >> over-complicate it in the beginning. > > That's essentially what I said too -- but I want to have firewall > > requirements documented in the manpage so that they are available > > beforehand _and_ people actually read them when they are referenced in > > the output. > > > > I'm not asking for anything else here. Documentation is needed. 
> > Thanks for clarification, I was under the impression that you wanted to > put it > only into the man page :-) > > -- > Petr^2 Spacek > > -- > Manage your subscription for the Freeipa-devel mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-devel > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code > From 227cf5ae9f7e1c0d5ce96c996baa75448430ce99 Mon Sep 17 00:00:00 2001 From: Gabe <redhatri...@gmail.com> Date: Fri, 30 Oct 2015 09:11:00 -0600 Subject: [PATCH] Incomplete ports for IPA AD Trust - Add subsection to ipa-adtrust-install man page - Update port information in ipa-adtrust-install https://fedorahosted.org/freeipa/ticket/5414 --- install/tools/ipa-adtrust-install | 4 install/tools/man/ipa-adtrust-install.1 | 25 + 2 files changed, 29 insertions(+) diff --git a/install/tools/ipa-adtrus
Re: [Freeipa-devel] [PATCH 0058] interactive installer does not ignore leading/trailing whitespace
My bad Martin^2. Here is an updated patch. Gabe On Thu, Oct 29, 2015 at 7:14 AM, Martin Basti <mba...@redhat.com> wrote: > > > On 28.10.2015 02:35, Gabe Alford wrote: > > Hello, > > Fix for https://fedorahosted.org/freeipa/ticket/5355 > > Thanks, > > Gabe > > > Thank you Gabe, but patch needs more work to be complete: > > Bool and integer choices also need to strip whitespaces, see bellow: > > Do you want to configure DNS forwarders? [yes]: no > Do you want to configure DNS forwarders? [yes]: no > Do you want to configure DNS forwarders? [yes]: no > Do you want to configure DNS forwarders? [yes]: no > No DNS forwarders configured > > Martin^2 > > From f72f14b973d91689e5d139e6cc9e7ed5e5d5a2d6 Mon Sep 17 00:00:00 2001 From: Gabe <redhatri...@gmail.com> Date: Thu, 29 Oct 2015 07:37:36 -0600 Subject: [PATCH] interactive installer does not ignore leading/trailing whitespace https://fedorahosted.org/freeipa/ticket/5355 --- ipapython/ipautil.py | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index b6fd11338f5f55402d5e4502297866f3b0cc0534..4acdd1a98818bf311a8fef103e7219cc62a28ec1 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -763,7 +763,7 @@ def user_input(prompt, default = None, allow_empty = True): try: ret = input("%s: " % prompt) if allow_empty or ret.strip(): -return ret +return ret.strip() except EOFError: if allow_empty: return '' @@ -776,7 +776,7 @@ def user_input(prompt, default = None, allow_empty = True): if not ret and (allow_empty or default): return default elif ret.strip(): -return ret +return ret.strip() except EOFError: return default @@ -785,6 +785,7 @@ def user_input(prompt, default = None, allow_empty = True): while True: try: ret = input("%s [%s]: " % (prompt, choice)) +ret = ret.strip() if not ret: return default elif ret.lower()[0] == "y": 
@@ -798,6 +799,7 @@ def user_input(prompt, default = None, allow_empty = True): while True: try: ret = input("%s [%s]: " % (prompt, default)) +ret = ret.strip() if not ret: return default ret = int(ret) -- 1.8.3.1 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
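Review bot: In the second hunk (the branch that has a default) whitespace-only input is still not treated as empty: "if not ret" is tested on the raw string, "elif ret.strip()" is false, and neither branch returns, so the default is not applied. Strip once right after input(), as the third and fourth hunks do with ret = ret.strip(), and test the stripped value; that also removes the double ret.strip() call in the first two hunks.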
[Freeipa-devel] [PATCH 0059] Add Firefox options to ipa-client-install man page
Hello, Fix for https://fedorahosted.org/freeipa/ticket/5375 Thanks, Gabe From 4e0dba6b17f78aa7dd631780cbfe7c4bfa9edea4 Mon Sep 17 00:00:00 2001 From: GabeDate: Wed, 28 Oct 2015 17:39:40 -0600 Subject: [PATCH] Add Firefox options to ipa-client-install man page - Update --configure-firefox description in ipa-client-install https://fedorahosted.org/freeipa/ticket/5375 --- ipa-client/ipa-install/ipa-client-install | 2 +- ipa-client/man/ipa-client-install.1 | 6 ++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index e38a0f2f970087791b18fff3137bdb1bc9ac2470..14261e57f1fbc01ea57eb7e8160f9c8bf9d282f8 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -182,7 +182,7 @@ def parse_options(): help="Automount location") basic_group.add_option("--configure-firefox", dest="configure_firefox", action="store_true", default=False, -help="configure Firefox") +help="configure Firefox to use IPA domain credentials") basic_group.add_option("--firefox-dir", dest="firefox_dir", default=None, help="specify directory where Firefox is installed (for example: '/usr/lib/firefox')") basic_group.add_option("--ip-address", dest="ip_addresses", default=[], diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1 index cdcc56fee6ce82e0fe00048d52b13d27e8fe3450..494fd4952e130bbe31a717522ec3279c49904a87 100644 --- a/ipa-client/man/ipa-client-install.1 +++ b/ipa-client/man/ipa-client-install.1 
@@ -181,6 +181,12 @@ Request certificate for the machine. The certificate will be stored in /etc/ipa/ Configure automount by running ipa\-client\-automount(1) with \fILOCATION\fR as automount location. .TP +\fB\-\-configure\-firefox\fR +Configure Firefox to use IPA domain credentials. +.TP +\fB\-\-firefox\-dir\fR=\fIDIR\fR +Specify Firefox installation directory. For example: '/usr/lib/firefox' +.TP \fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR Use \fIIP_ADDRESS\fR in DNS A/ record for this host. May be specified multiple times to add multiple DNS records. .TP -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
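Review bot: The man page entry added for --configure-firefox in ipa-client-install.1 only repeats the one-line help string and does not tell the administrator which browser settings the installer changes or for which hosts credentials will be offered; one more sentence naming them would let the option be assessed from the documentation alone. The --firefox-dir entry is worded differently from its help text ("specify directory where Firefox is installed") and should say whether it has any effect without --configure-firefox.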
[Freeipa-devel] [PATCH 0060] Incomplete ports for IPA AD Trust
Hello, Fix for https://fedorahosted.org/freeipa/ticket/5414 Thanks, Gabe From 515582d66252521a3cbf6a6a48f33745bd788c86 Mon Sep 17 00:00:00 2001 From: GabeDate: Thu, 29 Oct 2015 20:28:27 -0600 Subject: [PATCH] Incomplete ports for IPA AD Trust https://fedorahosted.org/freeipa/ticket/5414 --- install/tools/ipa-adtrust-install | 1 + 1 file changed, 1 insertion(+) diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index 1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..84e28b57524b2c3308e52cc56b4b370276add0b7 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install @@ -472,6 +472,7 @@ Setup complete You must make sure these network ports are open: \tTCP Ports: +\t * 135: epmap \t * 138: netbios-dgm \t * 139: netbios-ssn \t * 445: microsoft-ds -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
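Review bot: Adding "135: epmap" to the TCP list is incomplete on its own, because the endpoint mapper only directs clients to a listener on another port and the printed list has no entry for that range. The reply in this thread gives 1024..1300/TCP as the range currently hard coded in Samba; add it to this output and document it in the ipa-adtrust-install man page so that the firewall instructions printed after "Setup complete" are sufficient.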
[Freeipa-devel] [PATCH 0061] Remove 50-lockout-policy.update file
Hello, Fix for https://fedorahosted.org/freeipa/ticket/5418 Thanks, Gabe From 7a9086162717bc414a1d65ea71a2d65729f6fa7e Mon Sep 17 00:00:00 2001 From: GabeDate: Thu, 29 Oct 2015 20:30:35 -0600 Subject: [PATCH] Remove 50-lockout-policy.update file https://fedorahosted.org/freeipa/ticket/5418 --- install/updates/50-lockout-policy.update | 4 install/updates/Makefile.am | 1 - 2 files changed, 5 deletions(-) delete mode 100644 install/updates/50-lockout-policy.update diff --git a/install/updates/50-lockout-policy.update b/install/updates/50-lockout-policy.update deleted file mode 100644 index a5730709e2b649466118502ece1cc530c10e0b40.. --- a/install/updates/50-lockout-policy.update +++ /dev/null @@ -1,4 +0,0 @@ -dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX -replace:krbPwdLockoutDuration:10::600 -replace: krbPwdMaxFailure:3::6 - diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 26e4c04ed66a4a2061a3bb3ca2f4a6cd84502598..04ddeb96de4e88d5909f13b13885d3207184e798 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -39,7 +39,6 @@ app_DATA =\ 45-roles.update \ 50-7_bit_check.update \ 50-dogtag10-migration.update \ - 50-lockout-policy.update \ 50-groupuuid.update \ 50-hbacservice.update \ 50-krbenctypes.update \ -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
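Review bot: The commit message contains only the ticket URL, while deleting 50-lockout-policy.update changes what an upgrade does to cn=global_policy. State in the message why the krbPwdLockoutDuration and krbPwdMaxFailure rewrites are no longer needed and what effect keeping them has on a site that sets its own values.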
[Freeipa-devel] [PATCH 0058] interactive installer does not ignore leading/trailing whitespace
Hello, Fix for https://fedorahosted.org/freeipa/ticket/5355 Thanks, Gabe From 02434fc8467bbc81313d4bda0cf0e9644c151f00 Mon Sep 17 00:00:00 2001 From: GabeDate: Tue, 27 Oct 2015 19:17:43 -0600 Subject: [PATCH] interactive installer does not ignore leading/trailing whitespace https://fedorahosted.org/freeipa/ticket/5355 --- ipapython/ipautil.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index b6fd11338f5f55402d5e4502297866f3b0cc0534..34ff339800d56673f3438a3495cdf4f54d5563d3 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -763,7 +763,7 @@ def user_input(prompt, default = None, allow_empty = True): try: ret = input("%s: " % prompt) if allow_empty or ret.strip(): -return ret +return ret.strip() except EOFError: if allow_empty: return '' @@ -776,7 +776,7 @@ def user_input(prompt, default = None, allow_empty = True): if not ret and (allow_empty or default): return default elif ret.strip(): -return ret +return ret.strip() except EOFError: return default -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
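Review bot: Only the two free-text branches of user_input() are changed in these hunks, and each now calls ret.strip() twice, once in the condition and once in the return. Assign the stripped value once directly after input() and apply the same change to the remaining prompt branches of the function, such as the yes/no prompt quoted in the review reply, so that padded answers are accepted everywhere.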
Re: [Freeipa-devel] [PATCH 0057] Warn in no installation found when running ipa-server-install --uninstall
Thanks Martin^2. Updated patch attached. On Wed, Oct 21, 2015 at 2:46 AM, Martin Basti <mba...@redhat.com> wrote: > > > On 20.10.2015 05:17, Gabe Alford wrote: > > Bump for re-review. > > > Hello, > > thank you for your patch, the patch LGTM, but please use print() as > function to be python2/3 compatible > > Martin^2 > > > On Tue, Oct 13, 2015 at 7:15 AM, Gabe Alford <redhatri...@gmail.com> > wrote: > >> No worries Petr. All a part of the review process. >> >> I have attached an updated patch that prints only a warning message. >> >> thanks, >> >> Gabe >> >> On Tue, Oct 13, 2015 at 12:39 AM, Petr Spacek <pspa...@redhat.com> wrote: >> >>> Hello Gabe, >>> >>> I would like to apologize for the confusion regarding this patch and the >>> repeated reworking. >>> >>> Unfortunately Honza's position is not mentioned in the ticket so you >>> could not >>> know what to do, but Honza is our "installer architect" so he has final >>> say. >>> >>> Petr^2 Spacek >>> >>> On 13.10.2015 08:31, Jan Cholasta wrote: >>> > Hi, >>> > >>> > I don't think this is the correct approach. We are aiming to have >>> idempotent >>> > installers, which means that running uninstall on a system without IPA >>> > installed should be a no-op. This is the current behavior, so your >>> patch is >>> > actually moving us back. >>> > >>> > The proper fix would be to *remove* the check from install (as opposed >>> to >>> > adding it to uninstall), but this requires the install code to be >>> idempotent, >>> > and we're not there yet. >>> > >>> > I'm OK with making this a warning, but don't make it a fatal error >>> and/or >>> > require --force. >>> > >>> > Honza >>> > >>> > On 12.10.2015 17:12, Gabe Alford wrote: >>> >> Thanks, Petr. Updated patch attached. >>> >> >>> >> Gabe >>> >> >>> >> On Mon, Oct 12, 2015 at 12:47 AM, Petr Spacek <pspa...@redhat.com >>> >> pspa...@redhat.com>> wrote: >>> >> >>> >> Hello Gabe, >>> >> >>> >> thank you for your patch!
>>> >> >>> >> Please note that there might be a case where detection >>> >> is_ipa_configured() is >>> >> broken but the user still needs to run the uninstall process to >>> >> clean it up. >>> >> >>> >> Could you amend the patch to respect --force option? In that case >>> the >>> >> detection should be skipped. >>> >> >>> >> Thank you for your time! >>> >> >>> >> Petr^2 Spacek >>> >> >>> >> On 9.10.2015 19:17, Gabe Alford wrote: >>> >> > diff --git a/ipaserver/install/server/install.py >>> >> b/ipaserver/install/server/install.py >>> >> > index >>> >> >>> >> >>> 13a59a0e6149dc22ded4a895db02516e9360e02b..ca93e7a6fd7276d9c0d82eb6f94575730759d858 >>> >> >>> >> 100644 >>> >> > --- a/ipaserver/install/server/install.py >>> >> > +++ b/ipaserver/install/server/install.py >>> >> > @@ -954,6 +954,12 @@ def uninstall_check(installer): >>> >> > >>> >> > installer._installation_cleanup = False >>> >> > >>> >> > +if not is_ipa_configured(): >>> >> > +print("IPA server is not configured on this >>> system.\n" + >>> >> > + "If you want to install the IPA server, please >>> >> install " + >>> >> > + "it using 'ipa-server-install'.") >>> >> > +sys.exit(1) >>> >> > + >>> >> > fstore = sysrestore.FileStore(SYSRESTORE_DIR_PATH) >>> >> > sstore = sysrestore.StateFile(SYSRESTORE_DIR_PATH) >>> >> >> > > > > From 47f82aa203e8302117d0c4c2b1bdcbf50153c021 Mon Sep 17 00:00:00 2001 From: Gabe <redhatri...@gmail.com> Date: Wed, 21 Oct 2015 17:24:25 -0600 Subject: [PATCH] Warn if no installation found when running ipa-server-install --uninstall https://fedorahosted.org/freeipa/ticket/5341 --- ipaserver/install/server/install.py | 5 + 1 file changed, 5 insertions(+) diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 3f8ba2027ac210cc5cc9cc706c5d39e01e6de7e4..16539892dcffb3ad0e95aab0c5a3d85f3bb44c48 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py 
@@ -968,6 +968,11 @@ def uninstall_check(installer): installer._installation_cleanup = False +if not is_ipa_configured(): +print("WARNING:\nIPA server is not configured on this system. " + "If you want to install the\nIPA server, please install " + "it using 'ipa-server-install'.") + fstore = sysrestore.FileStore(SYSRESTORE_DIR_PATH) sstore = sysrestore.StateFile(SYSRESTORE_DIR_PATH) -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
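Review bot: The warning added to uninstall_check() is emitted with print(), so it goes to stdout only and is lost when output is redirected or only the log is kept; write it to stderr or the log as well. The text also tells someone who ran --uninstall how to install the server and hard-codes its line breaks with \n; a single sentence saying that no IPA server configuration was found and that the uninstall continues would describe what actually happens next.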
Re: [Freeipa-devel] [PATCH 0057] Warn in no installation found when running ipa-server-install --uninstall
Bump for re-review. On Tue, Oct 13, 2015 at 7:15 AM, Gabe Alford <redhatri...@gmail.com> wrote: > No worries Petr. All a part of the review process. > > I have attached an updated patch that prints only a warning message. > > thanks, > > Gabe > > On Tue, Oct 13, 2015 at 12:39 AM, Petr Spacek <pspa...@redhat.com> wrote: > >> Hello Gabe, >> >> I would like to apologize for the confusion regarding this patch and the >> repeated reworking. >> >> Unfortunately Honza's position is not mentioned in the ticket so you >> could not >> know what to do, but Honza is our "installer architect" so he has final >> say. >> >> Petr^2 Spacek >> >> On 13.10.2015 08:31, Jan Cholasta wrote: >> > Hi, >> > >> > I don't think this is the correct approach. We are aiming to have >> idempotent >> > installers, which means that running uninstall on a system without IPA >> > installed should be a no-op. This is the current behavior, so your >> patch is >> > actually moving us back. >> > >> > The proper fix would be to *remove* the check from install (as opposed >> to >> > adding it to uninstall), but this requires the install code to be >> idempotent, >> > and we're not there yet. >> > >> > I'm OK with making this a warning, but don't make it a fatal error >> and/or >> > require --force. >> > >> > Honza >> > >> > On 12.10.2015 17:12, Gabe Alford wrote: >> >> Thanks, Petr. Updated patch attached. >> >> >> >> Gabe >> >> >> >> On Mon, Oct 12, 2015 at 12:47 AM, Petr Spacek <pspa...@redhat.com >> >> <mailto:pspa...@redhat.com>> wrote: >> >> >> >> Hello Gabe, >> >> >> >> thank you for your patch! >> >> >> >> Please note that there might be a case where detection >> >> is_ipa_configured() is >> >> broken but the user still needs to run the uninstall process to >> >> clean it up. >> >> >> >> Could you amend the patch to respect --force option? In that case >> the >> >> detection should be skipped. >> >> >> >> Thank you for your time! 
>> >> >> >> Petr^2 Spacek >> >> >> >> On 9.10.2015 19:17, Gabe Alford wrote: >> >> > diff --git a/ipaserver/install/server/install.py >> >> b/ipaserver/install/server/install.py >> >> > index >> >> >> >> >> 13a59a0e6149dc22ded4a895db02516e9360e02b..ca93e7a6fd7276d9c0d82eb6f94575730759d858 >> >> >> >> 100644 >> >> > --- a/ipaserver/install/server/install.py >> >> > +++ b/ipaserver/install/server/install.py >> >> > @@ -954,6 +954,12 @@ def uninstall_check(installer): >> >> > >> >> > installer._installation_cleanup = False >> >> > >> >> > +if not is_ipa_configured(): >> >> > +print("IPA server is not configured on this system.\n" >> + >> >> > + "If you want to install the IPA server, please >> >> install " + >> >> > + "it using 'ipa-server-install'.") >> >> > +sys.exit(1) >> >> > + >> >> > fstore = sysrestore.FileStore(SYSRESTORE_DIR_PATH) >> >> > sstore = sysrestore.StateFile(SYSRESTORE_DIR_PATH) >> > > -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0057] Warn in no installation found when running ipa-server-install --uninstall
No worries Petr. All a part of the review process.

I have attached an updated patch that prints only a warning message.

thanks,

Gabe

On Tue, Oct 13, 2015 at 12:39 AM, Petr Spacek <pspa...@redhat.com> wrote:
> Hello Gabe,
>
> I would like to apologize for the confusion regarding this patch and the
> repeated reworking.
>
> Unfortunately Honza's position is not mentioned in the ticket so you could not
> know what to do, but Honza is our "installer architect" so he has final say.
>
> Petr^2 Spacek
>
> On 13.10.2015 08:31, Jan Cholasta wrote:
> > Hi,
> >
> > I don't think this is the correct approach. We are aiming to have idempotent
> > installers, which means that running uninstall on a system without IPA
> > installed should be a no-op. This is the current behavior, so your patch is
> > actually moving us back.
> >
> > The proper fix would be to *remove* the check from install (as opposed to
> > adding it to uninstall), but this requires the install code to be idempotent,
> > and we're not there yet.
> >
> > I'm OK with making this a warning, but don't make it a fatal error and/or
> > require --force.
> >
> > Honza
> >
> > On 12.10.2015 17:12, Gabe Alford wrote:
> >> Thanks, Petr. Updated patch attached.
> >>
> >> Gabe
> >>
> >> On Mon, Oct 12, 2015 at 12:47 AM, Petr Spacek <pspa...@redhat.com
> >> <mailto:pspa...@redhat.com>> wrote:
> >>
> >> Hello Gabe,
> >>
> >> thank you for your patch!
> >>
> >> Please note that there might be a case where detection is_ipa_configured() is
> >> broken but the user still needs to run the uninstall process to clean it up.
> >>
> >> Could you amend the patch to respect --force option? In that case the
> >> detection should be skipped.
> >>
> >> Thank you for your time!
> >>
> >> Petr^2 Spacek
> >>
> >> On 9.10.2015 19:17, Gabe Alford wrote:
> >> > diff --git a/ipaserver/install/server/install.py > >> b/ipaserver/install/server/install.py > >> > index > >> > >> > 13a59a0e6149dc22ded4a895db02516e9360e02b..ca93e7a6fd7276d9c0d82eb6f94575730759d858 > >> > >> 100644 > >> > --- a/ipaserver/install/server/install.py > >> > +++ b/ipaserver/install/server/install.py > >> > @@ -954,6 +954,12 @@ def uninstall_check(installer): > >> > > >> > installer._installation_cleanup = False > >> > > >> > +if not is_ipa_configured(): > >> > +print("IPA server is not configured on this system.\n" + > >> > + "If you want to install the IPA server, please > >> install " + > >> > + "it using 'ipa-server-install'.") > >> > +sys.exit(1) > >> > + > >> > fstore = sysrestore.FileStore(SYSRESTORE_DIR_PATH) > >> > sstore = sysrestore.StateFile(SYSRESTORE_DIR_PATH) > From 4d8b4b8c09c018f4a870b9f8d89d4e293e81b2cb Mon Sep 17 00:00:00 2001 From: Gabe <redhatri...@gmail.com> Date: Tue, 13 Oct 2015 06:59:01 -0600 Subject: [PATCH] Warn if no installation found when running ipa-server-install --uninstall https://fedorahosted.org/freeipa/ticket/5341 --- ipaserver/install/server/install.py | 6 ++ 1 file changed, 6 insertions(+) diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 13a59a0e6149dc22ded4a895db02516e9360e02b..7186e82e70f86bf3f3be6e0f841daa6bcc8bf386 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py 
@@ -954,6 +954,12 @@ def uninstall_check(installer): installer._installation_cleanup = False +if not is_ipa_configured(): +msg = ("WARNING:\nIPA server is not configured on this system." + "If you want to install the IPA server, please install " + "it using 'ipa-server-install'.") +print textwrap.fill(msg, width=79, replace_whitespace=False) + fstore = sysrestore.FileStore(SYSRESTORE_DIR_PATH) sstore = sysrestore.StateFile(SYSRESTORE_DIR_PATH) -- 1.8.3.1 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
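Review bot: In the added `msg` in uninstall_check(), the first two string literals are joined with no separator, so the output reads "...is not configured on this system.If you want to install..."; add a trailing space after "system.". The last added line uses the Python 2 statement form `print textwrap.fill(...)`, whereas the previous revision of this patch used the call form `print(...)`, which is the one that still parses under Python 3. The hunk adds no import, so confirm that `textwrap` is already imported in ipaserver/install/server/install.py. The wording also tells someone who has just run --uninstall how to install; a short "nothing to uninstall" message would fit the situation better.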
Re: [Freeipa-devel] [PATCH 0056] Enable nsaccountlock in user.py cli
Thanks Martin, What about adding no_create and no_update flags? Gabe On Tue, Oct 13, 2015 at 9:54 AM, Martin Basti <mba...@redhat.com> wrote: > > > On 09.10.2015 19:17, Gabe Alford wrote: > > Hello, > > This patch enables nsaccountlock in user.py cli. It is very handy to be > able to search and find users with disabled/enabled accounts, etc. That > said, I couldn't find why it was no_option in the first place, so I am not > 100% sure if it breaks something or the reasoning behind no_option. > > Thanks, > > Gabe > > > Hello, > > https://fedorahosted.org/freeipa/ticket/5366 > > This patch allows to enable/disable user via user-mod, and we do not want > to do this, so NACK for this patch. > I'm not sure yet how to write it in elegant way. > > Martin. > From 706d2f533f1bfb60422e26fd02a03967d76bd3b2 Mon Sep 17 00:00:00 2001 From: Gabe <redhatri...@gmail.com> Date: Tue, 13 Oct 2015 10:51:20 -0600 Subject: [PATCH] Enable nsaccountlock in user.py for user-find cli usage --- API.txt| 8 +++- VERSION| 2 +- ipalib/plugins/user.py | 3 ++- 3 files changed, 6 insertions(+), 7 deletions(-) diff --git a/API.txt b/API.txt index 4d36a9885157de13529573b3a386b4ef39eba176..9d9cf12e0f924e9a119e85bf7d51dd4646e4a5e2 100644 --- a/API.txt +++ b/API.txt @@ -5147,7 +5147,7 @@ output: Entry('result', , Gettext('A dictionary representing an LDA output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: user_add -args: 1,45,3 +args: 1,44,3 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') 
@@ -5176,7 +5176,6 @@ option: Str('manager', attribute=True, cli_name='manager', multivalue=False, req option: Str('mobile', attribute=True, cli_name='mobile', multivalue=True, required=False) option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('noprivate', autofill=True, cli_name='noprivate', default=False) -option: Bool('nsaccountlock', attribute=True, cli_name='nsaccountlock', multivalue=False, required=False) option: Str('ou', attribute=True, cli_name='orgunit', multivalue=False, required=False) option: Str('pager', attribute=True, cli_name='pager', multivalue=True, required=False) option: Str('postalcode', attribute=True, cli_name='postalcode', multivalue=False, required=False) @@ -5269,7 +5268,7 @@ option: Str('not_in_hbacrule*', cli_name='not_in_hbacrules', csv=True) option: Str('not_in_netgroup*', cli_name='not_in_netgroups', csv=True) option: Str('not_in_role*', cli_name='not_in_roles', csv=True) option: Str('not_in_sudorule*', cli_name='not_in_sudorules', csv=True) -option: Bool('nsaccountlock', attribute=True, autofill=False, cli_name='nsaccountlock', multivalue=False, query=True, required=False) +option: Bool('nsaccountlock', attribute=True, autofill=False, cli_name='disabled', multivalue=False, query=True, required=False) option: Str('ou', attribute=True, autofill=False, cli_name='orgunit', multivalue=False, query=True, required=False) option: Str('pager', attribute=True, autofill=False, cli_name='pager', multivalue=True, query=True, required=False) option: Flag('pkey_only?', autofill=True, default=False) 
@@ -5296,7 +5295,7 @@ output: ListOfEntries('result', (, ), Gettext('A list output: Output('summary', (, ), None) output: Output('truncated', , None) command: user_mod -args: 1,46,3 +args: 1,45,3 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') @@ -5324,7 +5323,6 @@ option: Str('mail', attribute=True, autofill=False, cli_name='email', multivalue option: Str('manager', attribute=True, autofill=False, cli_name='manager', multivalue=False, required=False) option: Str('mobile', attribute=True, autofill=False, cli_name='mobile', multivalue=True, required=False) option: Flag('no_members', autofill=True, default=False, exclude='webui') -option: Bool('nsaccountlock', attribute=True, autofill=False, cli_name='nsaccountlock', multivalue=False, required=False) option: Str('ou', attribute=True, autofill=False, cli_name='orgunit', multivalue=False, required=False) option: Str('pager', attribute=True, autofill=False, cli_name='pager', multivalue=True, required=False) option: Str('postalcode', attribute=True, autofill=False, cli_name='postalcode', multivalue=False, required=False) diff --git a/VERSION b/VERSION index e1df4694f678b1fb27da7785b94dc827f0f8f207..895c9533cffd4ee1f5c9
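Review bot: The user_add and user_mod hunks in API.txt lower the argument counts (45 to 44, 46 to 45) and delete the `nsaccountlock` Bool from both commands outright, so this is an API removal and not only a CLI change. Check that nothing still passes nsaccountlock to user_add or user_mod (other plugins, the web UI, older clients) before dropping it. The commit message also carries no ticket reference.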
Re: [Freeipa-devel] [PATCH 0056] Enable nsaccountlock in user.py cli
Updated patch attached. On Tue, Oct 13, 2015 at 10:59 AM, Martin Basti <mba...@redhat.com> wrote: > > > On 13.10.2015 18:53, Gabe Alford wrote: > > Thanks Martin, > > What about adding no_create and no_update flags? > > Gabe > > Yes, that may work, also please increment minor version of API and add > ticket into commit message (https://fedorahosted.org/freeipa/ticket/5366) > <https://fedorahosted.org/freeipa/ticket/5366> > > Thanks. > Martin > > > On Tue, Oct 13, 2015 at 9:54 AM, Martin Basti <mba...@redhat.com> wrote: > >> >> >> On 09.10.2015 19:17, Gabe Alford wrote: >> >> Hello, >> >> This patch enables nsaccountlock in user.py cli. It is very handy to be >> able to search and find users with disabled/enabled accounts, etc. That >> said, I couldn't find why it was no_option in the first place, so I am not >> 100% sure if it breaks something or the reasoning behind no_option. >> >> Thanks, >> >> Gabe >> >> >> Hello, >> >> https://fedorahosted.org/freeipa/ticket/5366 >> >> This patch allows to enable/disable user via user-mod, and we do not want >> to do this, so NACK for this patch. >> I'm not sure yet how to write it in elegant way. >> >> Martin. >> > > > From 9ff0901198bcf900789d0c3a431a2a905093548e Mon Sep 17 00:00:00 2001 From: Gabe <redhatri...@gmail.com> Date: Tue, 13 Oct 2015 11:09:29 -0600 Subject: [PATCH] Enable nsaccountlock in user.py for user-find cli usage https://fedorahosted.org/freeipa/ticket/5366 --- API.txt| 8 +++- VERSION| 4 ++-- ipalib/plugins/user.py | 3 ++- 3 files changed, 7 insertions(+), 8 deletions(-) diff --git a/API.txt b/API.txt index 4d36a9885157de13529573b3a386b4ef39eba176..9d9cf12e0f924e9a119e85bf7d51dd4646e4a5e2 100644 --- a/API.txt +++ b/API.txt 
@@ -5147,7 +5147,7 @@ output: Entry('result', , Gettext('A dictionary representing an LDA output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: user_add -args: 1,45,3 +args: 1,44,3 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') @@ -5176,7 +5176,6 @@ option: Str('manager', attribute=True, cli_name='manager', multivalue=False, req option: Str('mobile', attribute=True, cli_name='mobile', multivalue=True, required=False) option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('noprivate', autofill=True, cli_name='noprivate', default=False) -option: Bool('nsaccountlock', attribute=True, cli_name='nsaccountlock', multivalue=False, required=False) option: Str('ou', attribute=True, cli_name='orgunit', multivalue=False, required=False) option: Str('pager', attribute=True, cli_name='pager', multivalue=True, required=False) option: Str('postalcode', attribute=True, cli_name='postalcode', multivalue=False, required=False) 
@@ -5269,7 +5268,7 @@ option: Str('not_in_hbacrule*', cli_name='not_in_hbacrules', csv=True) option: Str('not_in_netgroup*', cli_name='not_in_netgroups', csv=True) option: Str('not_in_role*', cli_name='not_in_roles', csv=True) option: Str('not_in_sudorule*', cli_name='not_in_sudorules', csv=True) -option: Bool('nsaccountlock', attribute=True, autofill=False, cli_name='nsaccountlock', multivalue=False, query=True, required=False) +option: Bool('nsaccountlock', attribute=True, autofill=False, cli_name='disabled', multivalue=False, query=True, required=False) option: Str('ou', attribute=True, autofill=False, cli_name='orgunit', multivalue=False, query=True, required=False) option: Str('pager', attribute=True, autofill=False, cli_name='pager', multivalue=True, query=True, required=False) option: Flag('pkey_only?', autofill=True, default=False) @@ -5296,7 +5295,7 @@ output: ListOfEntries('result', (, ), Gettext('A list output: Output('summary', (, ), None) output: Output('truncated', , None) command: user_mod -args: 1,46,3 +args: 1,45,3 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') @@ -5324,7 +5323,6 @@ option: Str('mail', attribute=True, autofill=False, cli_name='email', multivalue option: Str('manager', attribute=True, autofill=False, cli_name='manager', multivalue=False, required=False) option: Str('mobile', attribute=True, autofill=False, cli_name='mobile', multivalue=True, required=False
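Review bot: After the user_find hunk, user_find is the only command that keeps the option, now as `--disabled` on a Bool with `query=True, required=False`, so leaving it unset, passing true and passing false are three different searches. Add a test for each of the three, and say in the option's help text that finding enabled accounts means passing a false value rather than omitting the flag.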
[Freeipa-devel] [PATCH 0058] Remove bind configuration detected question
Hello, Fix for https://fedorahosted.org/freeipa/ticket/5351 Thanks, Gabe From 509ea0b496fd3d2361df58b23ce6ec8fb0ac9b64 Mon Sep 17 00:00:00 2001 From: GabeDate: Fri, 9 Oct 2015 11:02:06 -0600 Subject: [PATCH] Remove bind configuration detected question https://fedorahosted.org/freeipa/ticket/5351 --- ipaserver/install/bindinstance.py | 7 --- ipaserver/install/dns.py | 4 2 files changed, 11 deletions(-) diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index 4c4677590b7120b7f12cb014519f61673dd1d68a..1cbda7c6931c55247bb0207ae91fbbf5363ad867 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -63,13 +63,6 @@ named_conf_include_re = re.compile(r'\s*include\s+"(?P)"\s*;') named_conf_include_template = "include \"%(path)s\";\n" -def check_inst(unattended): -if not unattended and os.path.exists(NAMED_CONF): -msg = "Existing BIND configuration detected, overwrite?" -return ipautil.user_input(msg, False) - -return True - def create_reverse(): return ipautil.user_input("Do you want to configure the reverse zone?", True) diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py index 099e35dc331722607c8ca02cdbc7a0e66f8c4754..eb09af30b0f78f38ab1948d4dd01264f45dadf7c 100644 --- a/ipaserver/install/dns.py +++ b/ipaserver/install/dns.py @@ -144,10 +144,6 @@ def install_check(standalone, replica, options, hostname): False)): sys.exit("Aborted") -# Check bind packages are installed -if not bindinstance.check_inst(options.unattended): -sys.exit("Aborting installation.") - if options.disable_dnssec_master: _is_master() -- 1.8.3.1 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
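Review bot: With check_inst() removed from bindinstance.py and its call dropped from install_check() in dns.py, an interactive install no longer tells the admin that an existing NAMED_CONF was found, even though the removed prompt described the next step as an overwrite. If the file is still replaced later in the install, log that it was present (and where the original is saved, if it is) so a hand-maintained BIND configuration is not lost silently. The removed comment "Check bind packages are installed" did not describe what the code checked, so nothing is lost there; also confirm that no other caller of bindinstance.check_inst() remains outside these two hunks.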
[Freeipa-devel] [PATCH 0057] Warn in no installation found when running ipa-server-install --uninstall
Hello, Fix for https://fedorahosted.org/freeipa/ticket/5341 Thanks, Gabe From 0400bf88987b56d1d3b7a0e665bec525fa81ed02 Mon Sep 17 00:00:00 2001 From: GabeDate: Fri, 9 Oct 2015 10:48:17 -0600 Subject: [PATCH] Warn if no installation found when running ipa-server-install --uninstall https://fedorahosted.org/freeipa/ticket/5341 --- ipaserver/install/server/install.py | 6 ++ 1 file changed, 6 insertions(+) diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 13a59a0e6149dc22ded4a895db02516e9360e02b..ca93e7a6fd7276d9c0d82eb6f94575730759d858 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -954,6 +954,12 @@ def uninstall_check(installer): installer._installation_cleanup = False +if not is_ipa_configured(): +print("IPA server is not configured on this system.\n" + + "If you want to install the IPA server, please install " + + "it using 'ipa-server-install'.") +sys.exit(1) + fstore = sysrestore.FileStore(SYSRESTORE_DIR_PATH) sstore = sysrestore.StateFile(SYSRESTORE_DIR_PATH) -- 1.8.3.1 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
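Review bot: The added block in uninstall_check() ends with `sys.exit(1)`, while the commit subject says "Warn if no installation found": as written, --uninstall on a host without IPA stops with a failure status instead of warning and continuing. That turns a repeated uninstall (from automation, or after a partial cleanup) into an error and leaves no way to clean up when is_ipa_configured() itself misreports. Either print the message and fall through to the fstore/sstore lines below, or change the subject to match the behaviour. The `+` operators between the adjacent string literals are also unnecessary.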
[Freeipa-devel] [PATCH 0056] Enable nsaccountlock in user.py cli
Hello, This patch enables nsaccountlock in user.py cli. It is very handy to be able to search and find users with disabled/enabled accounts, etc. That said, I couldn't find why it was no_option in the first place, so I am not 100% sure if it breaks something or the reasoning behind no_option. Thanks, Gabe From 985f765d2e25d2ce454884cd4a9f66f9005824a7 Mon Sep 17 00:00:00 2001 From: GabeDate: Fri, 9 Oct 2015 07:22:07 -0600 Subject: [PATCH] Enable nsaccountlock in user.py for cli usage --- API.txt| 6 +++--- VERSION| 2 +- ipalib/plugins/user.py | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/API.txt b/API.txt index 4d36a9885157de13529573b3a386b4ef39eba176..b4df75bb66dab43bc9b7c249851f61efcc284e0f 100644 --- a/API.txt +++ b/API.txt @@ -5176,7 +5176,7 @@ option: Str('manager', attribute=True, cli_name='manager', multivalue=False, req option: Str('mobile', attribute=True, cli_name='mobile', multivalue=True, required=False) option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('noprivate', autofill=True, cli_name='noprivate', default=False) -option: Bool('nsaccountlock', attribute=True, cli_name='nsaccountlock', multivalue=False, required=False) +option: Bool('nsaccountlock', attribute=True, cli_name='disabled', multivalue=False, required=False) option: Str('ou', attribute=True, cli_name='orgunit', multivalue=False, required=False) option: Str('pager', attribute=True, cli_name='pager', multivalue=True, required=False) option: Str('postalcode', attribute=True, cli_name='postalcode', multivalue=False, required=False) 
@@ -5269,7 +5269,7 @@ option: Str('not_in_hbacrule*', cli_name='not_in_hbacrules', csv=True) option: Str('not_in_netgroup*', cli_name='not_in_netgroups', csv=True) option: Str('not_in_role*', cli_name='not_in_roles', csv=True) option: Str('not_in_sudorule*', cli_name='not_in_sudorules', csv=True) -option: Bool('nsaccountlock', attribute=True, autofill=False, cli_name='nsaccountlock', multivalue=False, query=True, required=False) +option: Bool('nsaccountlock', attribute=True, autofill=False, cli_name='disabled', multivalue=False, query=True, required=False) option: Str('ou', attribute=True, autofill=False, cli_name='orgunit', multivalue=False, query=True, required=False) option: Str('pager', attribute=True, autofill=False, cli_name='pager', multivalue=True, query=True, required=False) option: Flag('pkey_only?', autofill=True, default=False) @@ -5324,7 +5324,7 @@ option: Str('mail', attribute=True, autofill=False, cli_name='email', multivalue option: Str('manager', attribute=True, autofill=False, cli_name='manager', multivalue=False, required=False) option: Str('mobile', attribute=True, autofill=False, cli_name='mobile', multivalue=True, required=False) option: Flag('no_members', autofill=True, default=False, exclude='webui') -option: Bool('nsaccountlock', attribute=True, autofill=False, cli_name='nsaccountlock', multivalue=False, required=False) +option: Bool('nsaccountlock', attribute=True, autofill=False, cli_name='disabled', multivalue=False, required=False) option: Str('ou', attribute=True, autofill=False, cli_name='orgunit', multivalue=False, required=False) option: Str('pager', attribute=True, autofill=False, cli_name='pager', multivalue=True, required=False) option: Str('postalcode', attribute=True, autofill=False, cli_name='postalcode', multivalue=False, required=False) diff --git a/VERSION b/VERSION index e1df4694f678b1fb27da7785b94dc827f0f8f207..98b64017f320d1cb5e3015476f894d1ece1d2012 100644 --- a/VERSION +++ b/VERSION 
@@ -91,4 +91,4 @@ IPA_DATA_VERSION=2010061412 IPA_API_VERSION_MAJOR=2 IPA_API_VERSION_MINOR=156 -# Last change: pvoborni - add vault container commands +# Last change: galford - enable nssacountlock option in cli diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index cb47cbb4869cb978f87603817033580647cc2d17..802dc35f4321c69460fd13bc1103346ab1e30a50 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -340,8 +340,8 @@ class user(baseuser): takes_params = baseuser.takes_params + ( Bool('nsaccountlock?', +cli_name='disabled', label=_('Account disabled'), -flags=['no_option'], ), Bool('preserved?', label=_('Preserved user'), -- 1.8.3.1 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
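Review bot: Dropping `flags=['no_option']` in the ipalib/plugins/user.py hunk exposes the option on every command that takes this parameter, not only on search: the API.txt hunks at -5176 and -5324 change the variants without `query=True` to cli_name='disabled' as well. That makes the account lock settable through the generic add and modify commands. If the goal stated in the cover mail (searching by lock state) is all that is wanted, restrict the new option to the find command and keep it hidden on the other two.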
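Review bot: In the VERSION hunk only the "# Last change" comment is edited; `IPA_API_VERSION_MINOR=156` is an unchanged context line although API.txt changes in the same commit. Bump the minor version together with the comment, and fix the spelling "nssacountlock" in that comment.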
Re: [Freeipa-devel] [PATCH 0055] dnssec options missing in ipa-dns-install man page
Odd and done. Updated patch attached. Gabe On Wed, Sep 23, 2015 at 5:20 AM, Martin Basti <mba...@redhat.com> wrote: > > > On 09/22/2015 03:32 PM, Gabe Alford wrote: > >> create mode 100644 >> install/tools/man/freeipa-rga-0055-dnssec-options-missing-in-ipa-dns-install-man-page.patch >> > Hello, > > your patch created new patch :-) > > Also there were 3 white space errors, please remove them. > > Martin > From 8b2e7a7ab20a5fd5c8b6d0be05c0b30539d36cfa Mon Sep 17 00:00:00 2001 From: Gabe <redhatri...@gmail.com> Date: Wed, 23 Sep 2015 06:50:04 -0600 Subject: [PATCH] dnssec option missing in ipa-dns-install man page - Add DNSSEC option ipa-replica-install man page as well https://fedorahosted.org/freeipa/ticket/5300 --- install/tools/man/ipa-dns-install.1 | 12 install/tools/man/ipa-replica-install.1 | 3 +++ 2 files changed, 15 insertions(+) diff --git a/install/tools/man/ipa-dns-install.1 b/install/tools/man/ipa-dns-install.1 index 23427b1b15ddf21ff1aba5617adab395d2f25112..66afe7fae5e82f48c7dc4d7c763f0483a41ecda1 100644 --- a/install/tools/man/ipa-dns-install.1 +++ b/install/tools/man/ipa-dns-install.1 @@ -44,6 +44,18 @@ The reverse DNS zone to use. This option can be used multiple times to specify m \fB\-\-no\-reverse\fR Do not create new reverse DNS zone. If used on a replica and a reverse DNS zone already exists for the subnet, it will be used. .TP +\fB\-\-no\-dnssec\-validation\fR +Disable DNSSEC validation on this server. +.TP +\fB\-\-dnssec\-master\fR +Setup server to be DNSSEC key master. +.TP +\fB\-\-disable\-dnssec\-master\fR +Disable the DNSSEC master on this server. +.TP +\fB\-\-kasp\-db\fR=\fIKASP_DB\fR +Copy OpenDNSSEC metadata from the specified kasp.db file. This will not create a new kasp.db file. +.TP \fB\-\-zonemgr\fR The e\-mail address of the DNS zone manager. Defaults to hostmaster@DOMAIN .TP 
diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1 index 780febf9d597d7d36b6104c0fc1be8f3d1f8fdee..ff4d7d1c09a875bff6a49070fbba3d13fb63 100644 --- a/install/tools/man/ipa-replica-install.1 +++ b/install/tools/man/ipa-replica-install.1 @@ -109,6 +109,9 @@ Do not use DNS for hostname lookup during installation .TP \fB\-\-no\-dns\-sshfp\fR Do not automatically create DNS SSHFP records. +.TP +\fB\-\-no\-dnssec\-validation\fR +Disable DNSSEC validation on this server. .SH "EXIT STATUS" 0 if the command was successful -- 1.8.3.1 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
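Review bot: In the ipa-dns-install.1 hunk, "Setup server to be DNSSEC key master." uses the noun where the verb "Set up" is meant. The commit subject still reads "dnssec option missing in ipa-dns-install man page" although the patch adds four options and also touches ipa-replica-install.1; make the subject cover both pages rather than leaving that to the second line of the message.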
Re: [Freeipa-devel] [PATCH 0055] dnssec options missing in ipa-dns-install man page
Thanks. Updated patch attached. On Wed, Sep 23, 2015 at 7:14 AM, Martin Basti <mba...@redhat.com> wrote: > > > On 09/23/2015 03:12 PM, Gabe Alford wrote: > > Odd and done. Updated patch attached. > > Gabe > > On Wed, Sep 23, 2015 at 5:20 AM, Martin Basti <mba...@redhat.com> wrote: > >> >> >> On 09/22/2015 03:32 PM, Gabe Alford wrote: >> >>> create mode 100644 >>> install/tools/man/freeipa-rga-0055-dnssec-options-missing-in-ipa-dns-install-man-page.patch >>> >> Hello, >> >> your patch created new patch :-) >> >> Also there were 3 white space errors, please remove them. >> >> Martin >> > > Thank you, but there is still missing update in ipa-server-install manpage > > Martin > From a47fa4db2b8b757dbaa1e189fe9b37a0983b Mon Sep 17 00:00:00 2001 From: Gabe <redhatri...@gmail.com> Date: Wed, 23 Sep 2015 07:32:13 -0600 Subject: [PATCH] dnssec option missing in ipa-dns-install man page - Add DNSSEC option ipa-replica-install and ipa-server-install man page as well https://fedorahosted.org/freeipa/ticket/5300 --- install/tools/man/ipa-dns-install.1 | 12 install/tools/man/ipa-replica-install.1 | 3 +++ install/tools/man/ipa-server-install.1 | 3 +++ 3 files changed, 18 insertions(+) diff --git a/install/tools/man/ipa-dns-install.1 b/install/tools/man/ipa-dns-install.1 index 23427b1b15ddf21ff1aba5617adab395d2f25112..66afe7fae5e82f48c7dc4d7c763f0483a41ecda1 100644 --- a/install/tools/man/ipa-dns-install.1 +++ b/install/tools/man/ipa-dns-install.1 
@@ -44,6 +44,18 @@ The reverse DNS zone to use. This option can be used multiple times to specify m \fB\-\-no\-reverse\fR Do not create new reverse DNS zone. If used on a replica and a reverse DNS zone already exists for the subnet, it will be used. .TP +\fB\-\-no\-dnssec\-validation\fR +Disable DNSSEC validation on this server. +.TP +\fB\-\-dnssec\-master\fR +Setup server to be DNSSEC key master. +.TP +\fB\-\-disable\-dnssec\-master\fR +Disable the DNSSEC master on this server. +.TP +\fB\-\-kasp\-db\fR=\fIKASP_DB\fR +Copy OpenDNSSEC metadata from the specified kasp.db file. This will not create a new kasp.db file. +.TP \fB\-\-zonemgr\fR The e\-mail address of the DNS zone manager. Defaults to hostmaster@DOMAIN .TP diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1 index 780febf9d597d7d36b6104c0fc1be8f3d1f8fdee..ff4d7d1c09a875bff6a49070fbba3d13fb63 100644 --- a/install/tools/man/ipa-replica-install.1 +++ b/install/tools/man/ipa-replica-install.1 @@ -109,6 +109,9 @@ Do not use DNS for hostname lookup during installation .TP \fB\-\-no\-dns\-sshfp\fR Do not automatically create DNS SSHFP records. +.TP +\fB\-\-no\-dnssec\-validation\fR +Disable DNSSEC validation on this server. .SH "EXIT STATUS" 0 if the command was successful diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1 index 1eaed72119a9cd2f9876d3dc3c4a662782c18a36..2e0ff803c1b185d699f6f15dfb487e455404932e 100644 --- a/install/tools/man/ipa-server-install.1 +++ b/install/tools/man/ipa-server-install.1 
@@ -164,6 +164,9 @@ Do not use DNS for hostname lookup during installation .TP \fB\-\-no\-dns\-sshfp\fR Do not automatically create DNS SSHFP records. +.TP +\fB\-\-no\-dnssec\-validation\fR +Disable DNSSEC validation on this server. .SS "UNINSTALL OPTIONS" .TP -- 1.8.3.1 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
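Review bot: "Disable DNSSEC validation on this server." is added verbatim in the ipa-dns-install.1, ipa-replica-install.1 and ipa-server-install.1 hunks without stating the default or what turning validation off means. Because this switch weakens a security check, add a sentence saying that validation is otherwise enabled (as the "--no-" form implies) and that with the option the server accepts DNS answers without verifying DNSSEC signatures.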
Re: [Freeipa-devel] [PATCH 0055] dnssec options missing in ipa-dns-install man page
Thanks! Added and attached updated patch. Gabe On Tue, Sep 22, 2015 at 1:17 AM, Martin Basti <mba...@redhat.com> wrote: > > > On 09/21/2015 05:37 PM, Gabe Alford wrote: > > Hello, > > Fix for https://fedorahosted.org/freeipa/ticket/5300 > > Thanks, > > Gabe > > > Thank you! > > The option --no-dnssec-validation is used also in ipa-server-install and > ipa-replica-install, so this option should be documented in multiple > manpages. > > Martin > From 6db931c2d12060a5938d5e160f83df8c08cf6889 Mon Sep 17 00:00:00 2001 From: Gabe <redhatri...@gmail.com> Date: Tue, 22 Sep 2015 07:28:22 -0600 Subject: [PATCH] dnssec options missing in man pages - Add DNSSEC options to ipa-dns-install and ipa-replica-install man pages https://fedorahosted.org/freeipa/ticket/5300 --- ...tions-missing-in-ipa-dns-install-man-page.patch | 36 ++ install/tools/man/ipa-dns-install.1| 12 install/tools/man/ipa-replica-install.1| 3 ++ 3 files changed, 51 insertions(+) create mode 100644 install/tools/man/freeipa-rga-0055-dnssec-options-missing-in-ipa-dns-install-man-page.patch diff --git a/install/tools/man/freeipa-rga-0055-dnssec-options-missing-in-ipa-dns-install-man-page.patch b/install/tools/man/freeipa-rga-0055-dnssec-options-missing-in-ipa-dns-install-man-page.patch new file mode 100644 index ..d0f3d610dd1f8ef6bb1d1b6385f648cb79cd931b --- /dev/null +++ b/install/tools/man/freeipa-rga-0055-dnssec-options-missing-in-ipa-dns-install-man-page.patch 
@@ -0,0 +1,36 @@ +From e13330dfdff13101aa625e1651289304bd4d73bf Mon Sep 17 00:00:00 2001 +From: Gabe <redhatri...@gmail.com> +Date: Mon, 21 Sep 2015 09:30:31 -0600 +Subject: [PATCH] dnssec options missing in ipa-dns-install man page + +https://fedorahosted.org/freeipa/ticket/5300 +--- + install/tools/man/ipa-dns-install.1 | 12 + 1 file changed, 12 insertions(+) + +diff --git a/install/tools/man/ipa-dns-install.1 b/install/tools/man/ipa-dns-install.1 +index 23427b1b15ddf21ff1aba5617adab395d2f25112..229aaedfa09cbe3c4590eca5b66e325769a7f642 100644 +--- a/install/tools/man/ipa-dns-install.1 b/install/tools/man/ipa-dns-install.1 +@@ -44,6 +44,18 @@ The reverse DNS zone to use. This option can be used multiple times to specify m + \fB\-\-no\-reverse\fR + Do not create new reverse DNS zone. If used on a replica and a reverse DNS zone already exists for the subnet, it will be used. + .TP ++\fB\-\-no\-dnssec\-validation\fR ++Disable DNSSEC validation on this server. ++.TP ++\fB\-\-dnssec\-master\fR ++Setup server to be DNSSEC key master. ++.TP ++\fB\-\-disable\-dnssec\-master\fR ++Disable the DNSSEC master on this server. ++.TP ++\fB\-\-kasp\-db\fR=\fIKASP_DB\fR ++Copy OpenDNSSEC metadata from the specified kasp.db file. This will not create a new kasp.db file. ++.TP + \fB\-\-zonemgr\fR + The e\-mail address of the DNS zone manager. Defaults to hostmaster@DOMAIN + .TP +-- +1.8.3.1 + diff --git a/install/tools/man/ipa-dns-install.1 b/install/tools/man/ipa-dns-install.1 index 23427b1b15ddf21ff1aba5617adab395d2f25112..66afe7fae5e82f48c7dc4d7c763f0483a41ecda1 100644 --- a/install/tools/man/ipa-dns-install.1 +++ b/install/tools/man/ipa-dns-install.1 
@@ -44,6 +44,18 @@ The reverse DNS zone to use. This option can be used multiple times to specify m \fB\-\-no\-reverse\fR Do not create new reverse DNS zone. If used on a replica and a reverse DNS zone already exists for the subnet, it will be used. .TP +\fB\-\-no\-dnssec\-validation\fR +Disable DNSSEC validation on this server. +.TP +\fB\-\-dnssec\-master\fR +Setup server to be DNSSEC key master. +.TP +\fB\-\-disable\-dnssec\-master\fR +Disable the DNSSEC master on this server. +.TP +\fB\-\-kasp\-db\fR=\fIKASP_DB\fR +Copy OpenDNSSEC metadata from the specified kasp.db file. This will not create a new kasp.db file. +.TP \fB\-\-zonemgr\fR The e\-mail address of the DNS zone manager. Defaults to hostmaster@DOMAIN .TP diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1 index 780febf9d597d7d36b6104c0fc1be8f3d1f8fdee..ff4d7d1c09a875bff6a49070fbba3d13fb63 100644 --- a/install/tools/man/ipa-replica-install.1 +++ b/install/tools/man/ipa-replica-install.1 @@ -109,6 +109,9 @@ Do not use DNS for hostname lookup during installation .TP \fB\-\-no\-dns\-sshfp\fR Do not automatically create DNS SSHFP records. +.TP +\fB\-\-no\-dnssec\-validation\fR +Disable DNSSEC validation on this server. .SH "EXIT STATUS" 0 if the command was successful -- 1.8.3.1 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
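Review bot: The first file in this diff is `new file mode 100644` for install/tools/man/freeipa-rga-0055-dnssec-options-missing-in-ipa-dns-install-man-page.patch, that is, the previous revision of the patch has been committed into the tree next to the man pages and accounts for 36 of the 51 insertions in the diffstat. Drop that file from the commit and check the working tree for stray format-patch output before regenerating the patch.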
Re: [Freeipa-devel] [PATH 0053] Inconsistency between ipasearchrecordslimit and --sizelimit
Sorry. I had fixed another mistake and had not read your comment carefully. Updated patch attached.

Gabe

On Wed, Sep 16, 2015 at 12:23 AM, Jan Cholasta <jchol...@redhat.com> wrote:

> On 15.9.2015 14:42, Gabe Alford wrote:
>
>> Yup. You are right. It was a mistake. Updated patch attached.
>>
>> On Tue, Sep 15, 2015 at 12:46 AM, Jan Cholasta <jchol...@redhat.com> wrote:
>>
>> On 14.9.2015 14:58, Gabe Alford wrote:
>>
>> Sounds good to me. Updated patch attached.
>>
>> On Mon, Sep 14, 2015 at 1:34 AM, Petr Spacek <pspa...@redhat.com> wrote:
>>
>> On 14.9.2015 07:23, Jan Cholasta wrote:
>> > IMO it does, because saying just "-1 is default" is not entirely correct and
>> > "0 is default" would be confusing, as you pointed out. You might say "0 or -1
>> > is unlimited" if you think it's clearer.
>>
>> my +1 to "0 or -1 is unlimited" variant
>>
>> Petr^2 Spacek
>>
>> > On 10.9.2015 18:39, Gabe Alford wrote:
>> >> Oops.. replied without the list.
>> >>
>> >> Reason I said -1 is because users might be confused if they enter `ipa
>> >> config-mod --searchtimelimit=0`, and both `ipa user-show` and the webui
>> >> show -1 instead of 0. I wonder if -1 makes more sense in that regard?
>> >> Thoughts? Does "<= 0 is unlimited" make more sense?
>> >>
>> >> Thanks,
>> >>
>> >> Gabe
>>
>> The doc for ipasearchtimelimit and ipasearchrecordslimit says "-1 is
>> unlimited", but both 0 and -1 is unlimited for them, and the doc for
>> timelimit and sizelimit says "-1 or 0 is unlimited", but only 0 is
>> unlimited for them. Looks like a mistake.
>> >> -- >> Jan Cholasta >> >> >> > This hasn't changed since the previous patch and is still wrong, as -1 is > not supported here: > > Int('timelimit?', > label=_('Time Limit'), > -doc=_('Time limit of search in seconds'), > +doc=_('Time limit of search in seconds (-1 or 0 is > unlimited)'), > flags=['no_display'], > minvalue=0, > autofill=False, > ), > Int('sizelimit?', > label=_('Size Limit'), > -doc=_('Maximum number of entries returned'), > +doc=_('Maximum number of entries returned (-1 or 0 is > unlimited)'), > flags=['no_display'], > minvalue=0, > autofill=False, > > -- > Jan Cholasta > From 1caa56120c9f3cc09b236bef2e0aad218b94365e Mon Sep 17 00:00:00 2001 From: Gabe <redhatri...@gmail.com> Date: Mon, 21 Sep 2015 06:55:17 -0600 Subject: [PATCH] Standardize minvalue for ipasearchrecordlimit and ipasesarchsizelimit for unlimited minvalue https://fedorahosted.org/freeipa/ticket/4023 --- install/ui/test/data/ipa_init_commands.json | 6 +++--- install/ui/test/data/ipa_init_objects.json | 6 +++--- install/ui/test/data/json_metadata.json | 4 ++-- ipalib/plugins/baseldap.py | 4 ++-- ipalib/plugins/config.py| 21 + ipaserver/plugins/ldap2.py | 4 ++-- 6 files changed, 25 insertions(+), 20 deletions(-) diff --git a/install/ui/test/data/ipa_init_commands.json b/install/ui/test/data/ipa_init_commands.json index 743f508e2a733b766008bdd21838454ef7df8c21..c7f717c357624489d0b7f43fdd01b5bb8b1bcd86 100644 --- a/install/ui/test/data/ipa_init_commands.json +++ b/install/ui/test/data/ipa_init_commands.json @@ -2446,7 +2446,7 @@ "attribute": true, "class": "Int", "deprecated_cli_aliases": [], -"doc": "Maximum amount of time (seconds) for a search (> 0, or -1 for unlimited)", +"doc": "Maximum amount of time (seconds) for a search (-1 or 0 is unlimited)", "flags": [ "nonempty&quo
[Freeipa-devel] [PATCH 0054] Update FreeIPA package description
Hello, Fix for https://fedorahosted.org/freeipa/ticket/5284 Thanks, Gabe From 4f46a069b799f2613dd3b7ae42bb64b998bc2c40 Mon Sep 17 00:00:00 2001 From: GabeDate: Mon, 21 Sep 2015 07:56:36 -0600 Subject: [PATCH] Update FreeIPA package description https://fedorahosted.org/freeipa/ticket/5284 --- freeipa.spec.in | 64 +++-- 1 file changed, 35 insertions(+), 29 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 614798cc2328a45a205f5ba319e8b683596aa2aa..75cf7f33402b47f952c58efb3f8c3825fa4ecc3c 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -104,10 +104,11 @@ BuildRequires: python-pytest-sourceorder BuildRequires: python-kdcproxy >= 0.3 %description -IPA is an integrated solution to provide centrally managed Identity (machine, -user, virtual machines, groups, authentication credentials), Policy -(configuration settings, access control information) and Audit (events, -logs, analysis thereof). +IPA is an integrated solution to provide centrally managed Identity (users, +hosts, services), Authentication (SSO, 2FA), and Authorization +(host access control, SELinux user roles, services). The solution provides +features for further integration with Linux based clients (SUDO, automount) +and integration with Active Directory based infrastructures (Trusts). %if ! %{ONLY_CLIENT} %package server 
@@ -177,12 +178,12 @@ Obsoletes: %{name}-server <= 4.2.0.0 Conflicts: nss-pam-ldapd < 0.8.4 %description server -IPA is an integrated solution to provide centrally managed Identity (machine, -user, virtual machines, groups, authentication credentials), Policy -(configuration settings, access control information) and Audit (events, -logs, analysis thereof). If you are installing an IPA server you need -to install this package (in other words, most people should NOT install -this package). +IPA is an integrated solution to provide centrally managed Identity (users, +hosts, services), Authentication (SSO, 2FA), and Authorization +(host access control, SELinux user roles, services). The solution provides +features for further integration with Linux based clients (SUDO, automount) +and integration with Active Directory based infrastructures (Trusts). +If you are installing an IPA server, you need to install this package. %package server-dns @@ -277,11 +278,13 @@ Conflicts: %{alt_name}-client Obsoletes: %{alt_name}-client < %{version} %description client -IPA is an integrated solution to provide centrally managed Identity (machine, -user, virtual machines, groups, authentication credentials), Policy -(configuration settings, access control information) and Audit (events, -logs, analysis thereof). If your network uses IPA for authentication, -this package should be installed on every client machine. +IPA is an integrated solution to provide centrally managed Identity (users, +hosts, services), Authentication (SSO, 2FA), and Authorization +(host access control, SELinux user roles, services). The solution provides +features for further integration with Linux based clients (SUDO, automount) +and integration with Active Directory based infrastructures (Trusts). +If your network uses IPA for authentication, this package should be +installed on every client machine. %package admintools 
@@ -296,11 +299,12 @@ Conflicts: %{alt_name}-admintools Obsoletes: %{alt_name}-admintools < %{version} %description admintools -IPA is an integrated solution to provide centrally managed Identity (machine, -user, virtual machines, groups, authentication credentials), Policy -(configuration settings, access control information) and Audit (events, -logs, analysis thereof). This package provides command-line tools for -IPA administrators. +IPA is an integrated solution to provide centrally managed Identity (users, +hosts, services), Authentication (SSO, 2FA), and Authorization +(host access control, SELinux user roles, services). The solution provides +features for further integration with Linux based clients (SUDO, automount) +and integration with Active Directory based infrastructures (Trusts). +This package provides command-line tools for IPA administrators. %package python Summary: Python libraries used by IPA @@ -328,11 +332,12 @@ Conflicts: %{alt_name}-python Obsoletes: %{alt_name}-python < %{version} %description python -IPA is an integrated solution to provide centrally managed Identity (machine, -user, virtual machines, groups, authentication credentials), Policy -(configuration settings, access control information) and Audit (events, -logs, analysis thereof). If you are using IPA you need to install this -package. +IPA is an integrated solution to provide centrally managed Identity (users, +hosts, services), Authentication (SSO, 2FA), and Authorization +(host access control, SELinux user roles, services). The solution provides +features for further integration with Linux based clients (SUDO, automount) +and
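Review bot: the new %description text, repeated in every hunk of freeipa.spec.in, writes "Linux based clients" and "Active Directory based infrastructures"; both are compound modifiers and should be hyphenated ("Linux-based clients", "Active Directory-based infrastructures"). The same five lines are pasted into the main, server, client, admintools and python descriptions, so the correction has to be made in each copy to keep them identical.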
[Freeipa-devel] [PATCH 0055] dnssec options missing in ipa-dns-install man page
Hello, Fix for https://fedorahosted.org/freeipa/ticket/5300 Thanks, Gabe From e13330dfdff13101aa625e1651289304bd4d73bf Mon Sep 17 00:00:00 2001 From: GabeDate: Mon, 21 Sep 2015 09:30:31 -0600 Subject: [PATCH] dnssec options missing in ipa-dns-install man page https://fedorahosted.org/freeipa/ticket/5300 --- install/tools/man/ipa-dns-install.1 | 12 1 file changed, 12 insertions(+) diff --git a/install/tools/man/ipa-dns-install.1 b/install/tools/man/ipa-dns-install.1 index 23427b1b15ddf21ff1aba5617adab395d2f25112..229aaedfa09cbe3c4590eca5b66e325769a7f642 100644 --- a/install/tools/man/ipa-dns-install.1 +++ b/install/tools/man/ipa-dns-install.1 @@ -44,6 +44,18 @@ The reverse DNS zone to use. This option can be used multiple times to specify m \fB\-\-no\-reverse\fR Do not create new reverse DNS zone. If used on a replica and a reverse DNS zone already exists for the subnet, it will be used. .TP +\fB\-\-no\-dnssec\-validation\fR +Disable DNSSEC validation on this server. +.TP +\fB\-\-dnssec\-master\fR +Setup server to be DNSSEC key master. +.TP +\fB\-\-disable\-dnssec\-master\fR +Disable the DNSSEC master on this server. +.TP +\fB\-\-kasp\-db\fR=\fIKASP_DB\fR +Copy OpenDNSSEC metadata from the specified kasp.db file. This will not create a new kasp.db file. +.TP \fB\-\-zonemgr\fR The e\-mail address of the DNS zone manager. Defaults to hostmaster@DOMAIN .TP -- 1.8.3.1 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
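Review bot: in the @@ -44,6 +44,18 @@ hunk the \-\-dnssec\-master text reads "Setup server to be DNSSEC key master."; "Setup" is the noun, the verb is "Set up", and the sentence lacks articles (for example "Set up this server as the DNSSEC key master."). The neighbouring \-\-disable\-dnssec\-master entry says "DNSSEC master" while this one says "DNSSEC key master"; use one term in both so the two options read as a pair.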
Re: [Freeipa-devel] [PATH 0053] Inconsistency between ipasearchrecordslimit and --sizelimit
Yup. You are right. It was a mistake. Updated patch attached.

On Tue, Sep 15, 2015 at 12:46 AM, Jan Cholasta <jchol...@redhat.com> wrote:

> On 14.9.2015 14:58, Gabe Alford wrote:
>
>> Sounds good to me. Updated patch attached.
>>
>> On Mon, Sep 14, 2015 at 1:34 AM, Petr Spacek <pspa...@redhat.com> wrote:
>>
>> On 14.9.2015 07:23, Jan Cholasta wrote:
>> > IMO it does, because saying just "-1 is default" is not entirely correct and
>> > "0 is default" would be confusing, as you pointed out. You might say "0 or -1
>> > is unlimited" if you think it's clearer.
>>
>> my +1 to "0 or -1 is unlimited" variant
>>
>> Petr^2 Spacek
>>
>> > On 10.9.2015 18:39, Gabe Alford wrote:
>> >> Oops.. replied without the list.
>> >>
>> >> Reason I said -1 is because users might be confused if they enter `ipa
>> >> config-mod --searchtimelimit=0`, and both `ipa user-show` and the webui
>> >> show -1 instead of 0. I wonder if -1 makes more sense in that regard?
>> >> Thoughts? Does "<= 0 is unlimited" make more sense?
>> >>
>> >> Thanks,
>> >>
>> >> Gabe
>
> The doc for ipasearchtimelimit and ipasearchrecordslimit says "-1 is
> unlimited", but both 0 and -1 is unlimited for them, and the doc for
> timelimit and sizelimit says "-1 or 0 is unlimited", but only 0 is
> unlimited for them. Looks like a mistake.
>
> --
> Jan Cholasta

From 0cdf762bbb6cd3a6dcbc3885104e8b4efbd1bcd7 Mon Sep 17 00:00:00 2001 From: Gabe <redhatri...@gmail.com> Date: Tue, 15 Sep 2015 06:38:13 -0600 Subject: [PATCH] Standardize minvalue for ipasearchrecordlimit and ipasesarchsizelimit for unlimited minvalue https://fedorahosted.org/freeipa/ticket/4023 --- install/ui/test/data/ipa_init_commands.json | 6 +++--- install/ui/test/data/ipa_init_objects.json | 6 +++--- install/ui/test/data/json_metadata.json | 4 ++-- ipalib/plugins/baseldap.py | 4 ++-- ipalib/plugins/config.py| 21 + ipaserver/plugins/ldap2.py | 4 ++-- 6 files changed, 25 insertions(+), 20 deletions(-)
diff --git a/install/ui/test/data/ipa_init_commands.json b/install/ui/test/data/ipa_init_commands.json index 743f508e2a733b766008bdd21838454ef7df8c21..c7f717c357624489d0b7f43fdd01b5bb8b1bcd86 100644 --- a/install/ui/test/data/ipa_init_commands.json +++ b/install/ui/test/data/ipa_init_commands.json @@ -2446,7 +2446,7 @@ "attribute": true, "class": "Int", "deprecated_cli_aliases": [], -"doc": "Maximum amount of time (seconds) for a search (> 0, or -1 for unlimited)", +"doc": "Maximum amount of time (seconds) for a search (-1 or 0 is unlimited)", "flags": [ "nonempty" ], @@ -2460,7 +2460,7 @@ "attribute": true, "class": "Int", "deprecated_cli_aliases": [], -"doc": "Maximum number of records to search (-1 is unlimited)", +"doc": "Maximum number of records to search (-1 or 0 is unlimited)", "flags": [ "nonempty" ], @@ -24018,4 +24018,4 @@ "methods": {}, "objects": {} } -} \ No newline at end of file +} diff --git a/install/ui/test/data/ipa_init_objects.json b/install/ui/test/data/ipa_init_objects.json index c8c836926d94dd4c1903aa9a62fa91c11a238e75..ca98a1a22855bfcc306e1a3ed98e398f1b4505b1 100644 --- a/install/ui/test/data/ipa_init_objects.json +++ b/install/ui/test/data/ipa_init_objects.json @@ -498,7 +498,7 @@ { "class": "Int", "deprecated_cli_aliases": [], -"doc": "Maximum amount of time (seconds) for a search (> 0, or -1 for unlimited)", +"doc": "Maximum amount of time (seconds) for a search (-1 or 0 is unlimited)", "flags": [], "label": "Sear
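Review bot: the last ipa_init_commands.json hunk (@@ -24018,4 +24018,4 @@) changes nothing except the missing newline at end of file, which is unrelated to the doc-string change in the two hunks before it. Drop it from this patch or send it separately, so that the diff of this fixture contains only the two "doc" updates and the change stays easy to review and to backport.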
Re: [Freeipa-devel] [PATH 0053] Inconsistency between ipasearchrecordslimit and --sizelimit
Sounds good to me. Updated patch attached.

On Mon, Sep 14, 2015 at 1:34 AM, Petr Spacek <pspa...@redhat.com> wrote:

> On 14.9.2015 07:23, Jan Cholasta wrote:
> > IMO it does, because saying just "-1 is default" is not entirely correct and
> > "0 is default" would be confusing, as you pointed out. You might say "0 or -1
> > is unlimited" if you think it's clearer.
>
> my +1 to "0 or -1 is unlimited" variant
>
> Petr^2 Spacek
>
> > On 10.9.2015 18:39, Gabe Alford wrote:
> >> Oops.. replied without the list.
> >>
> >> Reason I said -1 is because users might be confused if they enter `ipa
> >> config-mod --searchtimelimit=0`, and both `ipa user-show` and the webui
> >> show -1 instead of 0. I wonder if -1 makes more sense in that regard?
> >> Thoughts? Does "<= 0 is unlimited" make more sense?
> >>
> >> Thanks,
> >>
> >> Gabe

From 99070f93a51c7e03fa9c98b3548420fc589eddc1 Mon Sep 17 00:00:00 2001 From: Gabe <redhatri...@gmail.com> Date: Mon, 14 Sep 2015 06:56:00 -0600 Subject: [PATCH] Standardize minvalue for ipasearchrecordlimit and ipasesarchsizelimit for unlimited minvalue https://fedorahosted.org/freeipa/ticket/4023 --- install/ui/test/data/ipa_init_commands.json | 6 +++--- install/ui/test/data/ipa_init_objects.json | 6 +++--- install/ui/test/data/json_metadata.json | 4 ++-- ipalib/plugins/baseldap.py | 4 ++-- ipalib/plugins/config.py| 19 --- ipaserver/plugins/ldap2.py | 4 ++-- 6 files changed, 24 insertions(+), 19 deletions(-) diff --git a/install/ui/test/data/ipa_init_commands.json b/install/ui/test/data/ipa_init_commands.json index 743f508e2a733b766008bdd21838454ef7df8c21..c7f717c357624489d0b7f43fdd01b5bb8b1bcd86 100644 --- a/install/ui/test/data/ipa_init_commands.json +++ b/install/ui/test/data/ipa_init_commands.json
@@ -2446,7 +2446,7 @@ "attribute": true, "class": "Int", "deprecated_cli_aliases": [], -"doc": "Maximum amount of time (seconds) for a search (> 0, or -1 for unlimited)", +"doc": "Maximum amount of time (seconds) for a search (-1 or 0 is unlimited)", "flags": [ "nonempty" ], @@ -2460,7 +2460,7 @@ "attribute": true, "class": "Int", "deprecated_cli_aliases": [], -"doc": "Maximum number of records to search (-1 is unlimited)", +"doc": "Maximum number of records to search (-1 or 0 is unlimited)", "flags": [ "nonempty" ], @@ -24018,4 +24018,4 @@ "methods": {}, "objects": {} } -} \ No newline at end of file +} diff --git a/install/ui/test/data/ipa_init_objects.json b/install/ui/test/data/ipa_init_objects.json index c8c836926d94dd4c1903aa9a62fa91c11a238e75..ca98a1a22855bfcc306e1a3ed98e398f1b4505b1 100644 --- a/install/ui/test/data/ipa_init_objects.json +++ b/install/ui/test/data/ipa_init_objects.json @@ -498,7 +498,7 @@ { "class": "Int", "deprecated_cli_aliases": [], -"doc": "Maximum amount of time (seconds) for a search (> 0, or -1 for unlimited)", +"doc": "Maximum amount of time (seconds) for a search (-1 or 0 is unlimited)", "flags": [], "label": "Search time limit", "maxvalue": 2147483647, @@ -510,7 +510,7 @@ { "class": "Int", "deprecated_cli_aliases": [], -"doc": "Maximum number of records to search (-1 is unlimited)", +"doc": "Maximum number of records to search (-1 or 0 is unlimited)", "flags": [], "label": "Search size limit", &qu
Re: [Freeipa-devel] [PATH 0053] Inconsistency between ipasearchrecordslimit and --sizelimit
Makes sense. I also changed the doc string to reflect -1 as well. Updated patch attached.

Thanks,

Gabe

On Thu, Sep 10, 2015 at 1:41 AM, Jan Cholasta <jchol...@redhat.com> wrote:

> On 4.9.2015 14:43, Gabe Alford wrote:
>
>> Bump for review.
>>
>> On Wed, Aug 12, 2015 at 9:32 AM, Gabe Alford <redhatri...@gmail.com> wrote:
>>
>> On Tue, Aug 11, 2015 at 1:34 AM, Jan Cholasta <jchol...@redhat.com> wrote:
>>
>> On 6.8.2015 21:43, Gabe Alford wrote:
>>
>> Hello,
>>
>> Updated patch attached.
>>
>> - Time limit is -1 for unlimited. I found this
>> https://www.redhat.com/archives/freeipa-devel/2011-January/msg00330.html
>> in reference to keeping the time limit as -1 for unlimited.
>>
>> This patch does two conflicting things: it coerces time limit of
>> 0 to -1 and at the same time prohibits the user to use 0 for
>> time limit. We should do just one of these and IMHO it should be
>> the coercion of 0 to -1.
>>
>> Sure enough, testing time limit at 0 did not work for unlimited as well
>> as appeared to have negative effects on IPA.
>>
>> This is because the time limit read from ipa config is not
>> converted to int in ldap2.find_entries(), so the coercion does
>> not work. Fix this and 0 will work just fine.
>>
>> Also, I believe that
>> http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.search_ext_s
>> specifies unlimited for time limit as -1. (Please correct me
>> if I am wrong.)
>>
>> python-ldap is layers below our API and should not determine
>> what we use for unlimited time limit. I would prefer if we were
>> self-consistent and use 0 for both time limit and size limit.
>>
>> A misunderstanding on my part as I thought it was higher up in the
>> API for some reason. Updated patch attached.
>> > > Thanks, this is better, but it turns out I was wrong about coercing -1 to > 0 in config-mod: in a topology with different versions of IPA servers, > setting the limits in LDAP to 0 on a newer server with your patch will > break older servers without your patch: > > [user@old]$ ipa user-find > -- > 1 user matched > -- > User login: admin > Last name: Administrator > Home directory: /home/admin > Login shell: /bin/bash > UID: 136480 > GID: 136480 > Account disabled: False > Password: True > Kerberos keys available: True > > Number of entries returned 1 > > > [user@new]$ ipa config-mod --searchtimelimit=0 --searchrecordslimit=0 > ... > > [user@old]$ ipa user-find > --- > 0 users matched > --- > > Number of entries returned 0 > > > To fix this, we actually need to do the opposite and store -1 in LDAP when > 0 is specified in config-mod options. > > Honza > > -- > Jan Cholasta > From 715dfae42bbe9e1ca93dee902b100672d6dafc39 Mon Sep 17 00:00:00 2001 From: Gabe <redhatri...@gmail.com> Date: Thu, 10 Sep 2015 07:51:58 -0600 Subject: [PATCH] Standardize minvalue for ipasearchrecordlimit and ipasesarchsizelimit for unlimited minvalue https://fedorahosted.org/freeipa/ticket/4023 --- install/ui/test/data/ipa_init_commands.json | 4 ++-- install/ui/test/data/ipa_init_objects.json | 4 ++-- install/ui/test/data/json_metadata.json | 2 +- ipalib/plugins/baseldap.py | 4 ++-- ipalib/plugins/config.py| 19 --- ipaserver/plugins/ldap2.py | 4 ++-- 6 files changed, 21 insertions(+), 16 deletions(-) diff --git a/install/ui/test/data/ipa_init_commands.json b/install/ui/test/data/ipa_init_commands.json index 743f508e2a733b766008bdd21838454ef7df8c21..13e3cfe87549b0b58cb86db1e34a8f6e2cfbb7e8 100644 --- a/install/ui/test/data/ipa_init_commands.json +++ b/install/ui/test/data/ipa_init_commands.json @@ -2446,7 +2446,7 @@ "attribute": true, "class": "Int", "deprecated_cli_aliases": [], -"doc": "Maximum amount of ti
Re: [Freeipa-devel] [PATH 0053] Inconsistency between ipasearchrecordslimit and --sizelimit
Oops.. replied without the list.

Reason I said -1 is because users might be confused if they enter `ipa config-mod --searchtimelimit=0`, and both `ipa user-show` and the webui show -1 instead of 0. I wonder if -1 makes more sense in that regard? Thoughts? Does "<= 0 is unlimited" make more sense?

Thanks,

Gabe

On Thu, Sep 10, 2015 at 8:15 AM, Jan Cholasta <jchol...@redhat.com> wrote:

> I'm not sure about that, I think it should still say 0, because that's
> what we want to use as the unlimited value. If you insist on including -1
> in the docs, maybe we can say "<= 0 is unlimited"?
>
> On 10.9.2015 16:08, Gabe Alford wrote:
>
>> Makes sense. I also changed the doc string to reflect -1 as well.
>> Updated patch attached.
>>
>> Thanks,
>>
>> Gabe
>>
>> On Thu, Sep 10, 2015 at 1:41 AM, Jan Cholasta <jchol...@redhat.com> wrote:
>>
>> On 4.9.2015 14:43, Gabe Alford wrote:
>>
>> Bump for review.
>>
>> On Wed, Aug 12, 2015 at 9:32 AM, Gabe Alford <redhatri...@gmail.com> wrote:
>>
>> On Tue, Aug 11, 2015 at 1:34 AM, Jan Cholasta <jchol...@redhat.com> wrote:
>>
>> On 6.8.2015 21:43, Gabe Alford wrote:
>>
>> Hello,
>>
>> Updated patch attached.
>>
>> - Time limit is -1 for unlimited. I found this
>> https://www.redhat.com/archives/freeipa-devel/2011-January/msg00330.html
>> in reference to keeping the time limit as -1 for unlimited.
>>
>> This patch does two conflicting things: it coerces time limit of
>> 0 to -1 and at the same time prohibits the user to use 0 for
>> time limit. We should do just one of these and IMHO it should be
>> the coercion of 0 to -1.
>>
>> Sure enough, testing time limit at 0 did not work for unlimited as well
>> as appeared to have negative effects on IPA.
>>
>> This is because the time limit read from ipa config is not
>> converted to int in ldap2.find_entries(), so the coercion does
>> not work. Fix this and 0 will work just fine.
>>
>> Also, I believe that
>> http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.search_ext_s
>> specifies unlimited for time limit as -1. (Please correct me
>> if I am wrong.)
>>
>> python-ldap is layers below our API and should not determine
>> what we use for unlimited time limit. I would prefer if we were
>> self-consistent and use 0 for both time limit and size limit.
>>
>> A misunderstanding on my part as I thought it was higher up in the
>> API for some reason. Updated patch attached.
>>
>> Thanks, this is better, but it turns out I was wrong about coercing
>> -1 to 0 in config-mod: in a topology with different versions of IPA
>> servers, setting the limits in LDAP to 0 on a newer server with your
>> patch will break older servers without your patch:
>>
>> [user@old]$ ipa user-find
>> --
>> 1 user matched
>> --
>>   User login: admin
>>   Last name: Administrator
>>   Home directory: /home/admin
>>   Login shell: /bin/bash
>>   UID: 136480
>>   GID: 136480
>>   Account disabled: False
>>   Password: True
>>   Kerberos keys available: True
>>
>> Number of entries returned 1
>>
>> [user@new]$ ipa config-mod --searchtimelimit=0 --searchrecordslimit=0
>> ...
>>
>> [user@old]$ ipa user-find
>> ---
>> 0 users matched
>> ---
>>
>> Number of entries returned 0
>>
>> To fix this, we actually need to do the opposite and store -1 in
>> LDAP when 0 is specified in config-mod options.
>>
>> Honza
>>
>> --
>> Jan Cholasta
>
> --
> Jan Cholasta
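The limit handling described in the message above, as an added example that is not part of the thread or of FreeIPA's code: a simplified Python model of why an unconverted text value defeats the 0/-1 coercion and why storing -1 keeps servers without the patch working. All function names are hypothetical, and old_server_find is an assumed model chosen to match the quoted `ipa user-find` output.

```python
# Added example (not FreeIPA code): a simplified model of the search-limit
# handling discussed in this thread. All function names are hypothetical.

UNLIMITED_STORED = -1  # value kept in LDAP so servers without the patch still work


def to_stored(value):
    """config-mod side: accept 0 or -1 as "unlimited", always store -1."""
    value = int(value)
    if value < -1:
        raise ValueError("limit must be -1, 0 or a positive integer")
    return UNLIMITED_STORED if value <= 0 else value


def effective_limit_unconverted(raw):
    """The defect described in the thread: the value read from the config
    entry is text, so comparing it with the integers 0 and -1 never matches."""
    return None if raw in (0, -1) else raw


def effective_limit(raw):
    """Convert to int first, then coerce: None means unlimited."""
    value = int(raw)
    return None if value <= 0 else value


def old_server_find(entries, stored_size_limit):
    """Assumed model of a server without the patch: only -1 is unlimited,
    a stored 0 is applied literally and therefore returns nothing."""
    limit = int(stored_size_limit)
    return list(entries) if limit == -1 else list(entries)[:limit]


def new_server_find(entries, stored_size_limit):
    """Server with the patch: both 0 and -1 read back as unlimited."""
    limit = effective_limit(stored_size_limit)
    return list(entries) if limit is None else list(entries)[:limit]


def ldap_search_limits(time_limit, size_limit):
    """Map None (unlimited) to the values the thread cites for python-ldap's
    search_ext_s: timeout=-1 and sizelimit=0."""
    return {
        "timeout": -1 if time_limit is None else time_limit,
        "sizelimit": 0 if size_limit is None else size_limit,
    }


if __name__ == "__main__":
    users = ["admin"]  # constructed sample directory content
    for requested in (0, -1, 100):
        stored = str(to_stored(requested))  # LDAP attribute values are text
        print(requested, stored,
              old_server_find(users, stored), new_server_find(users, stored))
    # Storing a literal 0 instead reproduces the "0 users matched" case:
    print(old_server_find(users, "0"))
    # The unconverted comparison leaves "0" as a text limit, not "unlimited":
    print(repr(effective_limit_unconverted("0")))
```
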
Re: [Freeipa-devel] [PATH 0053] Inconsistency between ipasearchrecordslimit and --sizelimit
Bump for review.

On Wed, Aug 12, 2015 at 9:32 AM, Gabe Alford <redhatri...@gmail.com> wrote:

> On Tue, Aug 11, 2015 at 1:34 AM, Jan Cholasta <jchol...@redhat.com> wrote:
>
>> On 6.8.2015 21:43, Gabe Alford wrote:
>>
>>> Hello,
>>>
>>> Updated patch attached.
>>>
>>> - Time limit is -1 for unlimited. I found this
>>> https://www.redhat.com/archives/freeipa-devel/2011-January/msg00330.html
>>> in reference to keeping the time limit as -1 for unlimited.
>>
>> This patch does two conflicting things: it coerces time limit of 0 to -1
>> and at the same time prohibits the user to use 0 for time limit. We should
>> do just one of these and IMHO it should be the coercion of 0 to -1.
>>
>>> Sure enough, testing time limit at 0 did not work for unlimited as well
>>> as appeared to have negative effects on IPA.
>>
>> This is because the time limit read from ipa config is not converted to
>> int in ldap2.find_entries(), so the coercion does not work. Fix this and 0
>> will work just fine.
>>
>>> Also, I believe that
>>> http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.search_ext_s
>>> specifies unlimited for time limit as -1. (Please correct me if I am
>>> wrong.)
>>
>> python-ldap is layers below our API and should not determine what we use
>> for unlimited time limit. I would prefer if we were self-consistent and use
>> 0 for both time limit and size limit.
>
> A misunderstanding on my part as I thought it was higher up in the API for
> some reason. Updated patch attached.
>
> Thanks,
>
> Gabe
Re: [Freeipa-devel] [PATCH 0052] Add Chromium configuration note under Chrome section in ssbrowser
Bump for review

On Wed, Jul 29, 2015 at 7:49 AM, Gabe Alford <redhatri...@gmail.com> wrote:

> Hello,
>
> As Chromium and Chrome are configured similarly but are configured in
> different /etc directories, this patch adds a note to the Chrome section in
> ssbrowser.html stating that.
>
> Thanks,
>
> Gabe
Re: [Freeipa-devel] [PATH 0053] Inconsistency between ipasearchrecordslimit and --sizelimit
Hello,

Updated patch attached.

- Time limit is -1 for unlimited. I found this https://www.redhat.com/archives/freeipa-devel/2011-January/msg00330.html in reference to keeping the time limit as -1 for unlimited.

Sure enough, testing time limit at 0 did not work for unlimited as well as appeared to have negative effects on IPA.

Also, I believe that http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.search_ext_s specifies unlimited for time limit as -1. (Please correct me if I am wrong.)

- Size limit is 0 for unlimited per Jan's comment including a conversion from -1 to 0 if -1 is entered for unlimited size limit.

Actually, 0 means unlimited for size limit, see http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.search_ext_s

Thanks,

Gabe

On Tue, Aug 4, 2015 at 3:28 AM, Jan Cholasta jchol...@redhat.com wrote:

On 31.7.2015 at 17:08, Gabe Alford wrote:

Updated patch attached.

Thanks,

Gabe

On Thu, Jul 30, 2015 at 7:15 AM, Gabe Alford redhatri...@gmail.com wrote:

On Thu, Jul 30, 2015 at 1:32 AM, Jan Cholasta jchol...@redhat.com wrote:

On 30.7.2015 at 09:23, Jan Cholasta wrote:

Hi,

On 29.7.2015 at 17:23, Gabe Alford wrote:

Hello,

Fix for https://fedorahosted.org/freeipa/ticket/4023

Actually, 0 means unlimited for size limit, see http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.search_ext_s .

After reading the ticket I think this should be fixed the other way around: make 0 mean unlimited for both time and size limit and fix the config plugin and LDAPClient to respect that.

Thanks for the review. Updated patch attached.

We still need to accept -1 in config-mod for backward compatibility - when received, it should be converted to 0.

--
Jan Cholasta

From 73a7fd9f2f3fbfa703da68f1a55bb16e4627ffba Mon Sep 17 00:00:00 2001
From: Gabe redhatri...@gmail.com Date: Thu, 6 Aug 2015 13:18:06 -0600 Subject: [PATCH] Standardize minvalue for ipasearchrecordlimit and ipasesarchsizelimit for unlimited minvalue https://fedorahosted.org/freeipa/ticket/4023 --- API.txt | 82 ++--- VERSION | 2 +- install/ui/test/data/ipa_init_commands.json | 4 +- install/ui/test/data/ipa_init_objects.json | 4 +- install/ui/test/data/json_metadata.json | 2 +- ipalib/plugins/baseldap.py | 6 +-- ipalib/plugins/config.py| 7 ++- 7 files changed, 56 insertions(+), 51 deletions(-) diff --git a/API.txt b/API.txt index 2e19d6b2f1e16cc1c89d71ed7d443145426a28e3..19c7857bee7cd7fb63c96a130b53946612f0c74e 100644 --- a/API.txt +++ b/API.txt @@ -273,7 +273,7 @@ option: IA5Str('automountinformation', attribute=True, autofill=False, cli_name= option: IA5Str('automountkey', attribute=True, autofill=False, cli_name='key', multivalue=False, query=True, required=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Int('sizelimit?', autofill=False, minvalue=0) -option: Int('timelimit?', autofill=False, minvalue=0) +option: Int('timelimit?', autofill=False, minvalue=-1) option: Str('version?', exclude='webui') output: Output('count', type 'int', None) output: ListOfEntries('result', (type 'list', type 'tuple'), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) @@ -337,7 +337,7 @@ option: Str('cn', attribute=True, autofill=False, cli_name='location', multivalu option: Flag('pkey_only?', autofill=True, default=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Int('sizelimit?', autofill=False, minvalue=0) -option: Int('timelimit?', autofill=False, minvalue=0) +option: Int('timelimit?', autofill=False, minvalue=-1) option: Str('version?', exclude='webui') output: Output('count', type 'int', None) output: ListOfEntries('result', (type 'list', type 'tuple'), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) 
@@ -412,7 +412,7 @@ option: Str('description', attribute=True, autofill=False, cli_name='desc', mult option: Flag('pkey_only?', autofill=True, default=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Int('sizelimit?', autofill=False, minvalue=0) -option: Int('timelimit?', autofill=False, minvalue=0) +option: Int('timelimit?', autofill=False, minvalue=-1) option: Str('version?', exclude='webui') output: Output('count', type 'int', None) output: ListOfEntries('result', (type 'list', type 'tuple'), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) @@ -556,7 +556,7 @@ option: Flag('pkey_only?', autofill=True, default=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: StrEnum
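Review bot: in each API.txt hunk `timelimit?` goes from minvalue=0 to minvalue=-1 while the `sizelimit?` line directly above it stays at minvalue=0, so on the same command -1 is accepted for one limit and rejected for the other. That keeps two different "unlimited" sentinels in the per-command options, which is the inconsistency the ticket is about. Use the same minimum for both options, and if -1 has to stay valid for one of them, say why in the commit message.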
Re: [Freeipa-devel] [PATH 0053] Inconsistency between ipasearchrecordslimit and --sizelimit
Updated patch attached. Thanks, Gabe On Thu, Jul 30, 2015 at 7:15 AM, Gabe Alford redhatri...@gmail.com wrote: On Thu, Jul 30, 2015 at 1:32 AM, Jan Cholasta jchol...@redhat.com wrote: On 30.7.2015 at 09:23, Jan Cholasta wrote: Hi, On 29.7.2015 at 17:23, Gabe Alford wrote: Hello, Fix for https://fedorahosted.org/freeipa/ticket/4023 Actually, 0 means unlimited for size limit, see http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.search_ext_s . After reading the ticket I think this should be fixed the other way around: make 0 mean unlimited for both time and size limit and fix the config plugin and LDAPClient to respect that. Thanks for the review. Updated patch attached. -- Jan Cholasta From 953f5bd85ee7d1ac6fee3034fda63b9a5783b418 Mon Sep 17 00:00:00 2001 From: Gabe redhatri...@gmail.com Date: Fri, 31 Jul 2015 09:06:05 -0600 Subject: [PATCH] Standardize minvalue for ipasearchrecordlimit and ipasesarchsizelimit for unlimited minvalue https://fedorahosted.org/freeipa/ticket/4023 --- API.txt | 4 ++-- VERSION | 4 ++-- install/ui/test/data/ipa_init_commands.json | 10 +- install/ui/test/data/ipa_init_objects.json | 10 +- install/ui/test/data/json_metadata.json | 8 ipalib/plugins/baseldap.py | 4 ++-- ipalib/plugins/config.py| 10 +- 7 files changed, 25 insertions(+), 25 deletions(-) diff --git a/API.txt b/API.txt index 2e19d6b2f1e16cc1c89d71ed7d443145426a28e3..ef1aa080c9b4c0139dc4fe77c27f47c7b6d91226 100644 --- a/API.txt +++ b/API.txt 
@@ -778,8 +778,8 @@ option: StrEnum('ipakrbauthzdata', attribute=True, autofill=False, cli_name='pac option: Int('ipamaxusernamelength', attribute=True, autofill=False, cli_name='maxusername', minvalue=1, multivalue=False, required=False) option: Bool('ipamigrationenabled', attribute=True, autofill=False, cli_name='enable_migration', multivalue=False, required=False) option: Int('ipapwdexpadvnotify', attribute=True, autofill=False, cli_name='pwdexpnotify', minvalue=0, multivalue=False, required=False) -option: Int('ipasearchrecordslimit', attribute=True, autofill=False, cli_name='searchrecordslimit', minvalue=-1, multivalue=False, required=False) -option: Int('ipasearchtimelimit', attribute=True, autofill=False, cli_name='searchtimelimit', minvalue=-1, multivalue=False, required=False) +option: Int('ipasearchrecordslimit', attribute=True, autofill=False, cli_name='searchrecordslimit', minvalue=0, multivalue=False, required=False) +option: Int('ipasearchtimelimit', attribute=True, autofill=False, cli_name='searchtimelimit', minvalue=0, multivalue=False, required=False) option: Str('ipaselinuxusermapdefault', attribute=True, autofill=False, cli_name='ipaselinuxusermapdefault', multivalue=False, required=False) option: Str('ipaselinuxusermaporder', attribute=True, autofill=False, cli_name='ipaselinuxusermaporder', multivalue=False, required=False) option: StrEnum('ipauserauthtype', attribute=True, autofill=False, cli_name='user_auth_type', csv=True, multivalue=True, required=False, values=(u'password', u'radius', u'otp', u'disabled')) diff --git a/VERSION b/VERSION index ca43f3e0c06880d355c068514134187c5edda175..f31498b39c53bd41fff20fc7a3d9de9a6bdf4397 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412 # # IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=148 -# Last change: ftweedal - add --out option to user-show +IPA_API_VERSION_MINOR=149 +# Last change: galford - Change ipasearchtimelime and ipasearchrecordslimit to 0 for unlimited 
diff --git a/install/ui/test/data/ipa_init_commands.json b/install/ui/test/data/ipa_init_commands.json index 743f508e2a733b766008bdd21838454ef7df8c21..477d7cf75aabd5c23dbf91a6305bfcbb9fbf5b1b 100644 --- a/install/ui/test/data/ipa_init_commands.json +++ b/install/ui/test/data/ipa_init_commands.json @@ -2446,13 +2446,13 @@ attribute: true, class: Int, deprecated_cli_aliases: [], -doc: Maximum amount of time (seconds) for a search ( 0, or -1 for unlimited), +doc: Maximum amount of time (seconds) for a search ( 0, or 0 for unlimited), flags: [ nonempty ], label: Search time limit, maxvalue: 2147483647, -minvalue: -1, +minvalue: 0, name: ipasearchtimelimit, type: int }, @@ -2460,13 +2460,13 @@ attribute: true, class: Int, deprecated_cli_aliases
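Review bot: Raising minvalue from -1 to 0 for ipasearchrecordslimit and ipasearchtimelimit in the API.txt hunk (@@ -778) has no matching upgrade step: none of the seven files in the diffstat is an update file, so a deployment that already stores -1 for either attribute is left with a value below the new minimum. Either convert stored -1 values to 0 on upgrade or keep accepting -1 when the value is read, and say which in the commit message.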
Re: [Freeipa-devel] [PATH 0053] Inconsistency between ipasearchrecordslimit and --sizelimit
On Thu, Jul 30, 2015 at 1:32 AM, Jan Cholasta jchol...@redhat.com wrote: On 30.7.2015 at 09:23, Jan Cholasta wrote: Hi, On 29.7.2015 at 17:23, Gabe Alford wrote: Hello, Fix for https://fedorahosted.org/freeipa/ticket/4023 Actually, 0 means unlimited for size limit, see http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.search_ext_s . After reading the ticket I think this should be fixed the other way around: make 0 mean unlimited for both time and size limit and fix the config plugin and LDAPClient to respect that. Thanks for the review. Updated patch attached. -- Jan Cholasta From 58e95a7eebe6e333786d9bd6b798490bdae25941 Mon Sep 17 00:00:00 2001 From: Gabe redhatri...@gmail.com Date: Thu, 30 Jul 2015 07:04:06 -0600 Subject: [PATCH] Standardize minvalue for ipasearchrecordlimit and ipasesarchsizelimit for unlimited minvalue https://fedorahosted.org/freeipa/ticket/4023 --- API.txt | 4 ++-- VERSION | 4 ++-- install/ui/test/data/ipa_init_commands.json | 10 +- install/ui/test/data/ipa_init_objects.json | 10 +- install/ui/test/data/json_metadata.json | 8 ipalib/plugins/baseldap.py | 4 ++-- ipalib/plugins/config.py| 10 +- 7 files changed, 25 insertions(+), 25 deletions(-) diff --git a/API.txt b/API.txt index 6ab30ddab41715fdbccb4f37aa1852621bca62b4..90e52a686eb73af8af87b6065868d641e7e868ec 100644 --- a/API.txt +++ b/API.txt 
@@ -778,8 +778,8 @@ option: StrEnum('ipakrbauthzdata', attribute=True, autofill=False, cli_name='pac option: Int('ipamaxusernamelength', attribute=True, autofill=False, cli_name='maxusername', minvalue=1, multivalue=False, required=False) option: Bool('ipamigrationenabled', attribute=True, autofill=False, cli_name='enable_migration', multivalue=False, required=False) option: Int('ipapwdexpadvnotify', attribute=True, autofill=False, cli_name='pwdexpnotify', minvalue=0, multivalue=False, required=False) -option: Int('ipasearchrecordslimit', attribute=True, autofill=False, cli_name='searchrecordslimit', minvalue=-1, multivalue=False, required=False) -option: Int('ipasearchtimelimit', attribute=True, autofill=False, cli_name='searchtimelimit', minvalue=-1, multivalue=False, required=False) +option: Int('ipasearchrecordslimit', attribute=True, autofill=False, cli_name='searchrecordslimit', minvalue=0, multivalue=False, required=False) +option: Int('ipasearchtimelimit', attribute=True, autofill=False, cli_name='searchtimelimit', minvalue=0, multivalue=False, required=False) option: Str('ipaselinuxusermapdefault', attribute=True, autofill=False, cli_name='ipaselinuxusermapdefault', multivalue=False, required=False) option: Str('ipaselinuxusermaporder', attribute=True, autofill=False, cli_name='ipaselinuxusermaporder', multivalue=False, required=False) option: StrEnum('ipauserauthtype', attribute=True, autofill=False, cli_name='user_auth_type', csv=True, multivalue=True, required=False, values=(u'password', u'radius', u'otp', u'disabled')) diff --git a/VERSION b/VERSION index 678d1f8a7e588d480b16441e12e4d527d9c1cd98..837ee846f330779bbaa5fa43311a74c13b013690 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412 # # IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=147 -# Last change: mbasti - Consolidate DNS RR in API and schema +IPA_API_VERSION_MINOR=148 +# Last change: galford - Change ipasearchtimelime and ipasearchrecordslimit to 0 for unlimited 
diff --git a/install/ui/test/data/ipa_init_commands.json b/install/ui/test/data/ipa_init_commands.json index 743f508e2a733b766008bdd21838454ef7df8c21..477d7cf75aabd5c23dbf91a6305bfcbb9fbf5b1b 100644 --- a/install/ui/test/data/ipa_init_commands.json +++ b/install/ui/test/data/ipa_init_commands.json @@ -2446,13 +2446,13 @@ attribute: true, class: Int, deprecated_cli_aliases: [], -doc: Maximum amount of time (seconds) for a search ( 0, or -1 for unlimited), +doc: Maximum amount of time (seconds) for a search ( 0, or 0 for unlimited), flags: [ nonempty ], label: Search time limit, maxvalue: 2147483647, -minvalue: -1, +minvalue: 0, name: ipasearchtimelimit, type: int }, @@ -2460,13 +2460,13 @@ attribute: true, class: Int, deprecated_cli_aliases: [], -doc: Maximum number of records to search (-1 is unlimited), +doc: Maximum
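Review bot: The attribute names in this patch's own text do not match the options it changes: the VERSION hunk's "Last change" comment says 'ipasearchtimelime', and the subject line says 'ipasearchrecordlimit' and 'ipasesarchsizelimit', while the API.txt hunk (@@ -778) edits ipasearchrecordslimit and ipasearchtimelimit. Correct the names in the VERSION comment and the commit subject so the change can be found by searching for the real option names.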
[Freeipa-devel] [PATH 0053] Inconsistency between ipasearchrecordslimit and --sizelimit
Hello, Fix for https://fedorahosted.org/freeipa/ticket/4023 Thanks, Gabe From cba4b0d90f65be7734a977cb84f96f378e1c91d0 Mon Sep 17 00:00:00 2001 From: Gabe redhatri...@gmail.com Date: Wed, 29 Jul 2015 09:04:32 -0600 Subject: [PATCH] Standardize minvalue for ipasearchrecordlimit and sizelimit for unlimited option https://fedorahosted.org/freeipa/ticket/4023 --- API.txt| 164 ++--- VERSION| 4 +- ipalib/plugins/baseldap.py | 8 +-- 3 files changed, 88 insertions(+), 88 deletions(-) diff --git a/API.txt b/API.txt index 6ab30ddab41715fdbccb4f37aa1852621bca62b4..e588fe538251e84e26358abfb507dd7fce8c597f 100644 --- a/API.txt +++ b/API.txt @@ -272,8 +272,8 @@ option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui option: IA5Str('automountinformation', attribute=True, autofill=False, cli_name='info', multivalue=False, query=True, required=False) option: IA5Str('automountkey', attribute=True, autofill=False, cli_name='key', multivalue=False, query=True, required=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') -option: Int('sizelimit?', autofill=False, minvalue=0) -option: Int('timelimit?', autofill=False, minvalue=0) +option: Int('sizelimit?', autofill=False, minvalue=-1) +option: Int('timelimit?', autofill=False, minvalue=-1) option: Str('version?', exclude='webui') output: Output('count', type 'int', None) output: ListOfEntries('result', (type 'list', type 'tuple'), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) 
@@ -336,8 +336,8 @@ option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui option: Str('cn', attribute=True, autofill=False, cli_name='location', multivalue=False, primary_key=True, query=True, required=False) option: Flag('pkey_only?', autofill=True, default=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') -option: Int('sizelimit?', autofill=False, minvalue=0) -option: Int('timelimit?', autofill=False, minvalue=0) +option: Int('sizelimit?', autofill=False, minvalue=-1) +option: Int('timelimit?', autofill=False, minvalue=-1) option: Str('version?', exclude='webui') output: Output('count', type 'int', None) output: ListOfEntries('result', (type 'list', type 'tuple'), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) @@ -411,8 +411,8 @@ option: IA5Str('automountmapname', attribute=True, autofill=False, cli_name='map option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False) option: Flag('pkey_only?', autofill=True, default=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') -option: Int('sizelimit?', autofill=False, minvalue=0) -option: Int('timelimit?', autofill=False, minvalue=0) +option: Int('sizelimit?', autofill=False, minvalue=-1) +option: Int('timelimit?', autofill=False, minvalue=-1) option: Str('version?', exclude='webui') output: Output('count', type 'int', None) output: ListOfEntries('result', (type 'list', type 'tuple'), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) 
@@ -555,8 +555,8 @@ option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('pkey_only?', autofill=True, default=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: StrEnum('servicecategory', attribute=True, autofill=False, cli_name='servicecat', multivalue=False, query=True, required=False, values=(u'all',)) -option: Int('sizelimit?', autofill=False, minvalue=0) -option: Int('timelimit?', autofill=False, minvalue=0) +option: Int('sizelimit?', autofill=False, minvalue=-1) +option: Int('timelimit?', autofill=False, minvalue=-1) option: StrEnum('usercategory', attribute=True, autofill=False, cli_name='usercat', multivalue=False, query=True, required=False, values=(u'all',)) option: Str('version?', exclude='webui') output: Output('count', type 'int', None) @@ -711,8 +711,8 @@ option: Str('description', attribute=True, autofill=False, cli_name='desc', mult option: Bool('ipacertprofilestoreissued', attribute=True, autofill=False, cli_name='store', default=True, multivalue=False, query=True, required=False) option: Flag('pkey_only?', autofill=True, default=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') -option: Int('sizelimit?', autofill=False, minvalue=0) -option: Int('timelimit?', autofill=False, minvalue=0) +option: Int('sizelimit?', autofill=False, minvalue=-1) +option: Int('timelimit?', autofill=False, minvalue=-1) option: Str('version?', exclude='webui') output: Output('count', type 'int', None) output: ListOfEntries('result', (type 'list', type 'tuple'), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) @@ -831,8 +831,8 @@ option: Int('cospriority', attribute=True, autofill=False,
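Review bot: The API.txt hunks lower minvalue to -1 for both 'sizelimit?' and 'timelimit?' on every find command shown, but 0 is still in range, so each option now has two values a caller could read as "unlimited" and nothing in the option definitions says what 0 and -1 each mean. Add doc text for both values, and confirm in the baseldap.py part of the patch (listed in the diffstat, not visible in these hunks) that -1 is translated to whatever the LDAP search call treats as no limit rather than passed through unchanged.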
[Freeipa-devel] [PATCH 0052] Add Chromium configuration note under Chrome section in ssbrowser
Hello, As Chromium and Chrome are configured similarly but are configured in different /etc directories, this patch adds a note to the Chrome section in ssbrowser.html stating that. Thanks, Gabe From a7fb316d3cc273531947768e6b93c656a6bad1bb Mon Sep 17 00:00:00 2001 From: Gabe redhatri...@gmail.com Date: Wed, 29 Jul 2015 07:38:15 -0600 Subject: [PATCH] Add Chromium configuration note to ssbrowser - As Chromium and Chrome share most of the same code base but are configured in different locations, add a note showing the different configuration locations. A part of https://fedorahosted.org/freeipa/ticket/823 --- install/html/ssbrowser.html | 5 + 1 file changed, 5 insertions(+) diff --git a/install/html/ssbrowser.html b/install/html/ssbrowser.html index 685800e16e6e77c70adf905acfca2996513d1e1d..b88deac900fb1d5a1a5960741512593f9b7f3b15 100644 --- a/install/html/ssbrowser.html +++ b/install/html/ssbrowser.html @@ -134,6 +134,11 @@ /code/div /li /ol +ol +p +strongNote:/strong If using Chromium, use code/etc/chromium/policies/managed//code instead of code/etc/opt/chrome/policies/managed//code for the two SPNEGO Chrome configuration steps above. +/p +/ol h2Internet Explorer/h2 p -- 1.8.3.1 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
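Review bot: In the ssbrowser.html hunk (@@ -134), the added note is a 'p' element wrapped directly in a new 'ol' with no 'li', which is not valid list markup and will be indented like a list item without being one. Drop the 'ol' wrapper and place the paragraph on its own after the closing tag of the Chrome steps list, or make it the last 'li' of that list.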
Re: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi
Hello, Would you mind formatting your patch following the format described at http://www.freeipa.org/page/Contribute/Patch_Format and attaching the patch to this thread? Please attach your patch to the corresponding trac ticket as well. Thanks, Gabe On Tue, Jul 21, 2015 at 7:26 AM, Michael Simacek msima...@redhat.com wrote: - Original Message - From: Christian Heimes chei...@redhat.com To: freeipa-devel@redhat.com, msima...@redhat.com Sent: Tuesday, July 21, 2015 2:23:06 PM Subject: Re: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi On 2015-07-21 14:02, Michael Simacek wrote: Hi, This is a first part of my effort to port FreeIPA from Python3-incompatible Kerberos libraries to python-gssapi. This patch should replace python-kerberos with python-gssapi (both use C GSSAPI behind the scenes). def _handle_exception(self, e, service=None): -(major, minor) = ipautil.get_gsserror(e) -if minor[1] == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: +# kerberos library coerced error codes to signed, gssapi uses unsigned +minor = e.min_code - (1 32) +if minor == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: The unsigned to signed conversion is not correct. Although it doesn't make a difference here, please use the technically correct way: minor = e.min_code if minor >= (1 << 31): minor -= 1 << 32 or if you prefer hex: if minor >= 0x80000000: minor -= 0x100000000 Fixed, thank you. Hopefully, when FreeIPA will use python-gssapi everywhere, such coercions won't be needed. -- Michael Simacek From c59cadae8d461aa0c771cb56a34d53c9533a4248 Mon Sep 17 00:00:00 2001 From: Michael Simacek msima...@redhat.com Date: Thu, 16 Jul 2015 18:22:00 +0200 Subject: [PATCH] Port from python-kerberos library to python-gssapi kerberos library doesn't support Python 3 and probably never will. python-gssapi library is Python 3 compatible. --- BUILD.txt| 2 +- freeipa.spec.in | 2 +- ipalib/rpc.py| 44 +++- ipalib/util.py | 14 +++--- ipapython/ipautil.py | 17 - 5 files changed, 32 insertions(+), 47 deletions(-) 
diff --git a/BUILD.txt b/BUILD.txt index 6a28beb..53012b1 100644 --- a/BUILD.txt +++ b/BUILD.txt @@ -20,7 +20,7 @@ systemd-units samba-devel samba-python libwbclient-devel libtalloc-devel \ libtevent-devel nspr-devel nss-devel openssl-devel openldap-devel krb5-devel \ krb5-workstation libuuid-devel libcurl-devel xmlrpc-c-devel popt-devel \ autoconf automake m4 libtool gettext python-devel python-ldap \ -python-setuptools python-krbV python-nss python-netaddr python-kerberos \ +python-setuptools python-krbV python-nss python-netaddr python-gssapi \ python-rhsm pyOpenSSL pylint python-polib libipa_hbac-python python-memcached \ sssd python-lxml python-pyasn1 python-qrcode-core python-dns m2crypto \ check libsss_idmap-devel libsss_nss_idmap-devel java-headless rhino \ diff --git a/freeipa.spec.in b/freeipa.spec.in index fef20e1..5e10022 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -72,7 +72,7 @@ BuildRequires: python-krbV BuildRequires: python-nss BuildRequires: python-cryptography BuildRequires: python-netaddr -BuildRequires: python-kerberos = 1.1-14 +BuildRequires: python-gssapi = 1.1.1 BuildRequires: python-rhsm BuildRequires: pyOpenSSL BuildRequires: pylint = 1.0 diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 466b49a..9e8c97d 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -44,7 +44,7 @@ from urllib2 import urlparse from xmlrpclib import (Binary, Fault, DateTime, dumps, loads, ServerProxy, Transport, ProtocolError, MININT, MAXINT) -import kerberos +import gssapi from dns import resolver, rdatatype from dns.exception import DNSException from nss.error import NSPRError 
@@ -510,24 +510,29 @@ class KerbTransport(SSLTransport): Handles Kerberos Negotiation authentication to an XML-RPC server. -flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG +flags = gssapi.IntEnumFlagSet(gssapi.RequirementFlag, + [gssapi.RequirementFlag.mutual_authentication, + gssapi.RequirementFlag.out_of_sequence_detection]) def _handle_exception(self, e, service=None): -(major, minor) = ipautil.get_gsserror(e) -if minor[1] == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: +# kerberos library coerced error codes to signed, gssapi uses unsigned +minor = e.min_code +if minor (1 31): +minor -= 1 32 +if minor == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: raise errors.ServiceError(service=service) -elif minor[1] == KRB5_FCC_NOFILE: +elif minor == KRB5_FCC_NOFILE: raise errors.NoCCacheError() -elif minor[1] == KRB5KRB_AP_ERR_TKT_EXPIRED: +elif minor ==
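Review bot: In the freeipa.spec.in hunk (@@ -72), only the BuildRequires line switches to python-gssapi, and the diffstat shows that as the file's single changed line. ipalib/rpc.py now does 'import gssapi' at runtime, so any runtime Requires on python-kerberos in the spec needs the same swap; otherwise a package installed without the build dependencies can fail at import.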
Re: [Freeipa-devel] Finishing the Community Portal
On Wed, Jul 15, 2015 at 2:32 PM, Nathaniel McCallum npmccal...@redhat.com wrote: I definitely see both models finding use. +1 - Original Message - Yeah, user creation requires manual intervention; an admin has to move the user from staging to the main user tree. It could be pretty easily modified to allow totally automated self sign-up though
Re: [Freeipa-devel] [PATCH 0050] Fix client ca.crt to match the server's cert
Thanks, Martin. Updated patch attached. I was getting a 'No newline at the end of file' in my environment hence an extra '\n' at the end. Please let me know if you see the same thing. Thanks, Gabe On Wed, Jul 1, 2015 at 2:54 AM, Martin Basti mba...@redhat.com wrote: On 01/07/15 09:05, Martin Basti wrote: On 30/06/15 17:31, Gabe Alford wrote: On Tue, Jun 30, 2015 at 8:51 AM, Martin Basti mba...@redhat.com wrote: On 16/06/15 16:58, Gabe Alford wrote: I know you guys are busy. Bump for review. Thanks, Gabe On Tue, May 26, 2015 at 8:16 AM, Gabe Alford redhatri...@gmail.com wrote: Hello, Fix for https://fedorahosted.org/freeipa/ticket/3809 Thanks, Gabe I'm getting certificate on server without extra '\n' at the end. So certificate files are not the same. I assume you did a diff of the server /etc/ipa/ca.crt and the client /etc/ipa/ca.crt, right? Did you set up a server and then connect a client (just wondering what your steps were so that I can also reproduce)? Yes. I did that. I will retest it today. Retested and ca.cert on client has extra '\n' at the end. -- Martin Basti -- Martin Basti -- Martin Basti From b63860a9dd8db042f07796ea9fefc13b619b1b8b Mon Sep 17 00:00:00 2001 From: Gabe redhatri...@gmail.com Date: Wed, 8 Jul 2015 08:02:10 -0600 Subject: [PATCH] Fix client ca.crt to match the server's cert https://fedorahosted.org/freeipa/ticket/3809 --- ipalib/x509.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/x509.py b/ipalib/x509.py index edd73ebdc3b3732d326cd8f414bc957f1e4deb87..092d451c66801ff9311e5af4146678dd949d15cc 100644 --- a/ipalib/x509.py +++ b/ipalib/x509.py 
@@ -264,7 +264,7 @@ def make_pem(data): Convert a raw base64-encoded blob into something that looks like a PE file with lines split to 64 characters and proper headers. -pemcert = '\n'.join([data[x:x+64] for x in range(0, len(data), 64)]) +pemcert = '\r\n'.join([data[x:x+64] for x in range(0, len(data), 64)]) return '-BEGIN CERTIFICATE-\n' + \ pemcert + \ '\n-END CERTIFICATE-' -- 1.8.3.1 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
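Review bot: In make_pem (@@ -264), the body lines are now joined with '\r\n' while the BEGIN and END lines are still attached with '\n', so the output mixes CRLF and LF line endings in one file. The commit message does not say why CRLF is needed to match the server's ca.crt; if the server file is LF-only, keep '\n' in the join, and if it is CRLF, use it for the header and footer lines as well.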
Re: [Freeipa-devel] [PATCH 0050] Fix client ca.crt to match the server's cert
On Tue, Jun 30, 2015 at 8:51 AM, Martin Basti mba...@redhat.com wrote: On 16/06/15 16:58, Gabe Alford wrote: I know you guys are busy. Bump for review. Thanks, Gabe On Tue, May 26, 2015 at 8:16 AM, Gabe Alford redhatri...@gmail.com wrote: Hello, Fix for https://fedorahosted.org/freeipa/ticket/3809 Thanks, Gabe I'm getting certificate on server without extra '\n' at the end. So certificate files are not the same. I assume you did a diff of the server /etc/ipa/ca.crt and the client /etc/ipa/ca.crt, right? Did you set up a server and then connect a client (just wondering what your steps were so that I can also reproduce)? -- Martin Basti
Re: [Freeipa-devel] [PATCH 0050] Fix client ca.crt to match the server's cert
I know you guys are busy. Bump for review. Thanks, Gabe On Tue, May 26, 2015 at 8:16 AM, Gabe Alford redhatri...@gmail.com wrote: Hello, Fix for https://fedorahosted.org/freeipa/ticket/3809 Thanks, Gabe
Re: [Freeipa-devel] [PATCH 0051] Clear SSSD caches when uninstalling the client
How should https://www.redhat.com/archives/freeipa-users/2015-June/msg00116.html be handled where the user cleared out the db cache? On Fri, Jun 5, 2015 at 9:08 AM, Jakub Hrozek jhro...@redhat.com wrote: On Fri, Jun 05, 2015 at 05:03:08PM +0200, Martin Basti wrote: On 05/06/15 16:13, Gabe Alford wrote: Hello, Fix for https://fedorahosted.org/freeipa/ticket/5049 Thanks, Gabe Thank you. I don't think we should remove all SSSD caches. SSSD can have configured several providers not just IPA. IMO we should remove only IPA related caches, but wait for SSSD guys for their opinion. You could use the python configAPI SSSD has to query which SSSD domains are active. But if the uninstall script removes sss from nsswitch.conf maybe it's enough to remove the memcache (/var/lib/sss/mc/), the persistent cache will not be reachable at all.
Re: [Freeipa-devel] [PATCH 0051] Clear SSSD caches when uninstalling the client
Thanks. Updated patch attached. On Fri, Jun 5, 2015 at 9:53 AM, Jakub Hrozek jhro...@redhat.com wrote: On Fri, Jun 05, 2015 at 09:46:05AM -0600, Gabe Alford wrote: How should https://www.redhat.com/archives/freeipa-users/2015-June/msg00116.html be handled where the user cleared out the db cache? Ah, I confused that one with another issue Jan Pazdziora had, which was incidentally about client uninstall as well. In that case, you can just remove the single ldb file that corresponds to the domain that the client is leaving. Maybe it would be safer to mv the files instead of remove them, but I guess if you run --uninstall, you really want just to purge everything.. btw do the ipa installer tools support multiple domains at all? -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code From 40f7c3780baaf0b42d10c94c8527c9359a42247f Mon Sep 17 00:00:00 2001 From: Gabe redhatri...@gmail.com Date: Fri, 5 Jun 2015 11:27:46 -0600 Subject: [PATCH] Clear SSSD caches when uninstalling the client https://fedorahosted.org/freeipa/ticket/5049 --- ipa-client/ipa-install/ipa-client-install | 13 + ipaplatform/base/paths.py | 1 + 2 files changed, 14 insertions(+) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 63e3c9800791f3d29c977d63815c4291f5a235b9..a7a4e9780081559398bbbaa5b0e062dabb9e6f98 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install 
@@ -628,6 +628,19 @@ def uninstall(options, env): Failed to remove krb5/LDAP configuration: %s, str(e)) return CLIENT_INSTALL_ERROR +# Clean up the SSSD cache before SSSD service is stopped or restarted +remove_file(paths.SSSD_MC_GROUP) +remove_file(paths.SSSD_MC_PASSWD) + +ipa_domain = domain.get_option('ipa_domain') +sssd_domain_ldb = cache_ + ipa_domain + .ldb +sssd_ldb_file = os.path.join(paths.SSSD_DB, sssd_domain_ldb) +remove_file(sssd_ldb_file) + +sssd_domain_ccache = ccache_ + ipa_domain.upper() +sssd_ccache_file = os.path.join(paths.SSSD_DB, sssd_domain_ccache) +remove_file(sssd_domain_ccache) + # Next if-elif-elif construction deals with sssd.conf file. # Old pre-IPA domains are preserved due merging the old sssd.conf # during the installation of ipa-client but any new domains are diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index 9ba87523b5619188f02bdad6c23d2446a2c4b0f2..8bee3e7c5862a3815987fa1bd55fa90e25b95ebc 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -289,6 +289,7 @@ class BasePathNamespace(object): KRA_BACKUP_KEYS_P12 = /var/lib/pki/pki-tomcat/alias/kra_backup_keys.p12 KRACERT_P12 = /root/kracert.p12 SAMBA_DIR = /var/lib/samba/ +SSSD_DB = /var/lib/sss/db SSSD_MC_GROUP = /var/lib/sss/mc/group SSSD_MC_PASSWD = /var/lib/sss/mc/passwd SSSD_PUBCONF_KNOWN_HOSTS = /var/lib/sss/pubconf/known_hosts -- 1.8.3.1 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
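Review bot: In the uninstall() hunk (@@ -628), the last added call is remove_file(sssd_domain_ccache), which passes the bare file name; the full path built on the line above it, sssd_ccache_file, is never used, so the ccache file under paths.SSSD_DB is not removed. Pass sssd_ccache_file to remove_file instead. Also check that 'domain' is already bound at this point in uninstall(): the hunk calls domain.get_option('ipa_domain') without showing where it is set.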
[Freeipa-devel] [PATCH 0050] Fix client ca.crt to match the server's cert
Hello, Fix for https://fedorahosted.org/freeipa/ticket/3809 Thanks, Gabe From b6a852f82e9335ac04fb5d9b96f31013fb2a3bdb Mon Sep 17 00:00:00 2001 From: Gabe redhatri...@gmail.com Date: Tue, 26 May 2015 08:06:12 -0600 Subject: [PATCH] Fix client ca.crt to match the server's cert https://fedorahosted.org/freeipa/ticket/3809 --- ipalib/x509.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ipalib/x509.py b/ipalib/x509.py index a87dbf4130c60b1b1daf8bbb2ffb81c208f2529c..5f94478194939ee2c5ac01dbeaae1edb9f4d14a0 100644 --- a/ipalib/x509.py +++ b/ipalib/x509.py @@ -264,10 +264,10 @@ def make_pem(data): Convert a raw base64-encoded blob into something that looks like a PE file with lines split to 64 characters and proper headers. -pemcert = '\n'.join([data[x:x+64] for x in range(0, len(data), 64)]) +pemcert = '\r\n'.join([data[x:x+64] for x in range(0, len(data), 64)]) return '-BEGIN CERTIFICATE-\n' + \ pemcert + \ -'\n-END CERTIFICATE-' +'\n-END CERTIFICATE-\n' def normalize_certificate(rawcert): -- 1.8.3.1 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
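Review bot: The trailing '\n' appended to the END CERTIFICATE line in make_pem (@@ -264) changes the return value for every caller of the function, not only the code path that writes the client's ca.crt. Callers that append their own newline or compare the returned string would now see a different result; consider adding the newline where the file is written instead, and update the docstring to say whether the returned text ends with a newline.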
[Freeipa-devel] [PATCH 0048] fix ipa help command output errors
Hello, This should fix https://fedorahosted.org/freeipa/ticket/3584, and as requested in the ticket, this should also fix https://fedorahosted.org/freeipa/ticket/2284 Thanks, Gabe From 3d4e7b60287f30e70455facb0035fa30df913c34 Mon Sep 17 00:00:00 2001 From: Gabe redhatri...@gmail.com Date: Fri, 22 May 2015 07:52:58 -0600 Subject: [PATCH] Fix ipa help command output errors - Allow ipa help command to run when ipa-client-install is not configured - Do not print traceback when pipe is broken https://fedorahosted.org/freeipa/ticket/3584 https://fedorahosted.org/freeipa/ticket/2284 --- ipalib/cli.py | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/ipalib/cli.py b/ipalib/cli.py index fc6e2303919d4db724d97f839d9a1b71752dfc10..52529ea02c35a8119a5fb2397d7302d170e81526 100644 --- a/ipalib/cli.py +++ b/ipalib/cli.py @@ -799,7 +799,10 @@ class help(frontend.Local): def _writer(self, outfile): def writer(string=''): -print outfile, unicode(string) +try: +print outfile, unicode(string) +except IOError: +pass return writer def print_topics(self, outfile): @@ -1333,7 +1336,7 @@ def run(api): api.register(klass) api.load_plugins() api.finalize() -if not 'config_loaded' in api.env: +if not 'config_loaded' in api.env and not 'help' in argv: raise NotConfiguredError() sys.exit(api.Backend.cli.run(argv)) except KeyboardInterrupt: -- 1.8.3.1 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
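Review bot: In run() (@@ -1333), the test "not 'help' in argv" is true for any command line that contains the word help in any position, including as an argument value to some other command, and that command then skips NotConfiguredError. Check the command name itself (the first non-option argument) rather than membership anywhere in argv.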
Re: [Freeipa-devel] [PATCH 0048] fix ipa help command output errors
On Fri, May 22, 2015 at 9:01 AM, Martin Basti mba...@redhat.com wrote: On 22/05/15 16:08, Gabe Alford wrote: Hello, This should fix https://fedorahosted.org/freeipa/ticket/3584, and as requested in the ticket, this should also fix https://fedorahosted.org/freeipa/ticket/2284 Thanks, Gabe Thank you! IMO your first part of fix only masks the issue, not solving it. This could be a way, but I did not test it. out_encoding = getattr(outfile, 'encoding', None) if out_encoding is None: out_encoding = 'utf-8' print >>outfile, unicode(string).encode(out_encoding) I'm confused and maybe missing something here. If I run `ipa help dns | bad_command`, shouldn't the command fail with only the following? -bash: bad: command not found Can you split this patch into 2 separate patches for each ticket please? Done Martin^2 -- Martin Basti From bea5786dbf6363c6bae541c347b3dd98d7dc23bd Mon Sep 17 00:00:00 2001 From: Gabe redhatri...@gmail.com Date: Fri, 22 May 2015 09:19:03 -0600 Subject: [PATCH] Allow ipa help command to run when ipa-client-install is not configured https://fedorahosted.org/freeipa/ticket/3584 --- ipalib/cli.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/cli.py b/ipalib/cli.py index fc6e2303919d4db724d97f839d9a1b71752dfc10..398b5486339ad6930b7b11a53a2b7e6d90903371 100644 --- a/ipalib/cli.py +++ b/ipalib/cli.py @@ -1333,7 +1333,7 @@ def run(api): api.register(klass) api.load_plugins() api.finalize() -if not 'config_loaded' in api.env: +if not 'config_loaded' in api.env and not 'help' in argv: raise NotConfiguredError() sys.exit(api.Backend.cli.run(argv)) except KeyboardInterrupt: -- 1.8.3.1 From 7b12c4a2818e776f48045eca51027fd5f6df6286 Mon Sep 17 00:00:00 2001 From: Gabe redhatri...@gmail.com Date: Fri, 22 May 2015 09:25:08 -0600 Subject: [PATCH] Do not print traceback when pipe is broken https://fedorahosted.org/freeipa/ticket/2284 --- ipalib/cli.py | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/ipalib/cli.py b/ipalib/cli.py index 398b5486339ad6930b7b11a53a2b7e6d90903371..52529ea02c35a8119a5fb2397d7302d170e81526 100644 --- a/ipalib/cli.py +++ b/ipalib/cli.py @@ -799,7 +799,10 @@ class help(frontend.Local): def _writer(self, outfile): def writer(string=''): -print outfile, unicode(string) +try: +print outfile, unicode(string) +except IOError: +pass return writer def print_topics(self, outfile): -- 1.8.3.1 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
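Review bot: In the run() hunk of ipalib/cli.py (ticket 3584), `not 'help' in argv` is true whenever the string help appears anywhere in the argument list, so the NotConfiguredError check is also skipped when help is only an argument value passed to some other command, and execution continues into api.Backend.cli.run(argv) without a loaded configuration. Test the command position (the first non-option argument) instead of membership in the whole list, and write the checks as `'config_loaded' not in api.env`.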
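Review bot: In the help._writer hunk (ticket 2284), `except IOError: pass` discards every I/O error raised by the print, not only the broken pipe from the ticket, so a failed write to a regular file would be silently ignored too, and the caller keeps invoking writer() for every remaining line after the pipe is gone. Bind the exception, ignore it only when its errno is errno.EPIPE, and re-raise in every other case.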
Re: [Freeipa-devel] [PATCH 0047] Unsaved changes dialog inconsistent
Thanks Petr. I thought I had grepped all that out. Guess I didn't do it from the top of the tree. Updated patch attached. On Tue, May 5, 2015 at 5:15 AM, Petr Vobornik pvobo...@redhat.com wrote: On 04/30/2015 07:43 PM, Gabe Alford wrote: Thanks Kyle and Petr. Update patch attached. Renaming the buttons also requires to update webui integration tests in ipatests/test_webui, quick search: ipatests/test_webui/test_realmdomains.py:42,48 ipatests/test_webui/ui_driver.py:1221,1246,1464,1483 On Wed, Apr 29, 2015 at 7:59 AM, Kyle Baker kyba...@redhat.com wrote: - Original Message - On 04/27/2015 03:03 PM, Gabe Alford wrote: Hello, Fix for https://fedorahosted.org/freeipa/ticket/4926 Thanks, Gabe PatternFly has new recommendations for terminology and wording [1]. I'm not entirely sure if the usage of 'save' here is good. PF defines 'edit' as the recommended term. The page doesn't say if 'save' is not recommended, though. Save seems to me as a confirmation of editing. Yes I think save would be best here based on the message given. Thanks for checking out the Terminology screen! Kyle, could you advise what is the best term for reflecting user changes and for confirmation of this action? Technical notes: 1. it would be better to add a new string and then use it in the button instead of having 'Save' text for '@i18n:buttons.update' definition. 2. String changes in internal.py should be also reflected in install/ui/test/data/ipa_init.json (for static web ui demo). 3. optional: in addition to text change, buttons and related actions could also be renamed (same reasons as in 1). It's more proper but much more complicated. [1] https://www.patternfly.org/styles/terminology-and-wording/#action-labels -- Petr Vobornik -- Petr Vobornik From 03863c17968a182b5e1857c0cb57ebb956576021 Mon Sep 17 00:00:00 2001 
From: Gabe redhatri...@gmail.com Date: Tue, 5 May 2015 06:33:27 -0600 Subject: [PATCH] Unsaved changes dialog internally inconsistent https://fedorahosted.org/freeipa/ticket/4926 --- install/ui/src/freeipa/details.js| 30 +++--- install/ui/src/freeipa/dns.js| 2 +- install/ui/src/freeipa/ipa.js| 8 install/ui/test/data/ipa_init.json | 2 ++ install/ui/util/make-ui.sh | 2 +- ipalib/plugins/internal.py | 2 ++ ipatests/test_webui/test_realmdomains.py | 4 ++-- ipatests/test_webui/ui_driver.py | 8 8 files changed, 31 insertions(+), 27 deletions(-) diff --git a/install/ui/src/freeipa/details.js b/install/ui/src/freeipa/details.js index 7aa4c0ef6541900d6fa5b14b16ec964b50349015..e428dc90875a1ad567a13f379aa5ca079e47b672 100644 --- a/install/ui/src/freeipa/details.js +++ b/install/ui/src/freeipa/details.js @@ -453,8 +453,8 @@ exp.facet_policies = IPA.facet_policies = function(spec) { * - sets name, title, label if not present * - adds default actions and related buttons * - refresh - * - reset - * - update + * - revert + * - save * - adds dirty state evaluator * * @member details @@ -472,21 +472,21 @@ exp.details_facet_pre_op = function(spec, context) { spec.actions = spec.actions || []; spec.actions.unshift( 'refresh', -'reset', -'update'); +'revert', +'save'); spec.control_buttons = spec.control_buttons || []; if (!spec.no_update) { spec.control_buttons.unshift( { -name: 'reset', -label: '@i18n:buttons.reset', +name: 'revert', +label: '@i18n:buttons.revert', icon: 'fa-undo' }, { -name: 'update', -label: '@i18n:buttons.update', +name: 'save', +label: '@i18n:buttons.save', icon: 'fa-upload' }); } 
@@ -1404,8 +1404,8 @@ exp.refresh_action = IPA.refresh_action = function(spec) { exp.reset_action = IPA.reset_action = function(spec) { spec = spec || {}; -spec.name = spec.name || 'reset'; -spec.label = spec.label || '@i18n:buttons.reset'; +spec.name = spec.name || 'revert'; +spec.label = spec.label || '@i18n:buttons.revert'; spec.enable_cond = spec.enable_cond || ['dirty']; var that = IPA.action(spec); @@ -1426,8 +1426,8 @@ exp.reset_action = IPA.reset_action = function(spec) { exp.update_action = IPA.update_action = function(spec) { spec = spec || {}; -spec.name = spec.name || 'update'; -spec.label = spec.label || '@i18n:buttons.update'; +spec.name = spec.name || 'save'; +spec.label = spec.label || '@i18n:buttons.save'; spec.needs_confirm = spec.needs_confirm !== undefined ? spec.needs_confirm : false; spec.enable_cond = spec.enable_cond || ['dirty']; @@ -2007,8 +2007,8 @@ exp.register = function() { var f = reg.facet; a.register
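Review bot: In the reset_action and update_action hunks of details.js, the default spec.name becomes 'revert' and 'save' while the constructors are still exported as exp.reset_action / IPA.reset_action and exp.update_action / IPA.update_action, so the same action now goes by two names depending on where it is referenced. Either rename the constructors as well and keep the old identifiers as aliases for existing callers, or add a comment at each definition saying that the action name and the function name differ on purpose. The diffstat also lists install/ui/util/make-ui.sh, which the commit message does not explain.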
Re: [Freeipa-devel] [PATCH 0047] Unsaved changes dialog inconsistent
Thanks Kyle and Petr. Update patch attached. On Wed, Apr 29, 2015 at 7:59 AM, Kyle Baker kyba...@redhat.com wrote: - Original Message - On 04/27/2015 03:03 PM, Gabe Alford wrote: Hello, Fix for https://fedorahosted.org/freeipa/ticket/4926 Thanks, Gabe PatternFly has new recommendations for terminology and wording [1]. I'm not entirely sure if the usage of 'save' here is good. PF defines 'edit' as the recommended term. The page doesn't say if 'save' is not recommended, though. Save seems to me as a confirmation of editing. Yes I think save would be best here based on the message given. Thanks for checking out the Terminology screen! Kyle, could you advise what is the best term for reflecting user changes and for confirmation of this action? Technical notes: 1. it would be better to add a new string and then use it in the button instead of having 'Save' text for '@i18n:buttons.update' definition. 2. String changes in internal.py should be also reflected in install/ui/test/data/ipa_init.json (for static web ui demo). 3. optional: in addition to text change, buttons and related actions could also be renamed (same reasons as in 1). It's more proper but much more complicated. [1] https://www.patternfly.org/styles/terminology-and-wording/#action-labels -- Petr Vobornik From 45ea1a7804b76f73a3a83b1452f83b5895614986 Mon Sep 17 00:00:00 2001 From: Gabe redhatri...@gmail.com Date: Thu, 30 Apr 2015 11:39:34 -0600 Subject: [PATCH] Unsaved changes dialog internally inconsistent https://fedorahosted.org/freeipa/ticket/4926 --- install/ui/src/freeipa/details.js | 30 +++--- install/ui/src/freeipa/dns.js | 2 +- install/ui/src/freeipa/ipa.js | 8 install/ui/test/data/ipa_init.json | 2 ++ ipalib/plugins/internal.py | 2 ++ 5 files changed, 24 insertions(+), 20 deletions(-) diff --git a/install/ui/src/freeipa/details.js b/install/ui/src/freeipa/details.js index 7aa4c0ef6541900d6fa5b14b16ec964b50349015..e428dc90875a1ad567a13f379aa5ca079e47b672 100644 
--- a/install/ui/src/freeipa/details.js +++ b/install/ui/src/freeipa/details.js @@ -453,8 +453,8 @@ exp.facet_policies = IPA.facet_policies = function(spec) { * - sets name, title, label if not present * - adds default actions and related buttons * - refresh - * - reset - * - update + * - revert + * - save * - adds dirty state evaluator * * @member details @@ -472,21 +472,21 @@ exp.details_facet_pre_op = function(spec, context) { spec.actions = spec.actions || []; spec.actions.unshift( 'refresh', -'reset', -'update'); +'revert', +'save'); spec.control_buttons = spec.control_buttons || []; if (!spec.no_update) { spec.control_buttons.unshift( { -name: 'reset', -label: '@i18n:buttons.reset', +name: 'revert', +label: '@i18n:buttons.revert', icon: 'fa-undo' }, { -name: 'update', -label: '@i18n:buttons.update', +name: 'save', +label: '@i18n:buttons.save', icon: 'fa-upload' }); } @@ -1404,8 +1404,8 @@ exp.refresh_action = IPA.refresh_action = function(spec) { exp.reset_action = IPA.reset_action = function(spec) { spec = spec || {}; -spec.name = spec.name || 'reset'; -spec.label = spec.label || '@i18n:buttons.reset'; +spec.name = spec.name || 'revert'; +spec.label = spec.label || '@i18n:buttons.revert'; spec.enable_cond = spec.enable_cond || ['dirty']; var that = IPA.action(spec); @@ -1426,8 +1426,8 @@ exp.reset_action = IPA.reset_action = function(spec) { exp.update_action = IPA.update_action = function(spec) { spec = spec || {}; -spec.name = spec.name || 'update'; -spec.label = spec.label || '@i18n:buttons.update'; +spec.name = spec.name || 'save'; +spec.label = spec.label || '@i18n:buttons.save'; spec.needs_confirm = spec.needs_confirm !== undefined ? spec.needs_confirm : false; spec.enable_cond = spec.enable_cond || ['dirty']; 
@@ -2007,8 +2007,8 @@ exp.register = function() { var f = reg.facet; a.register('refresh', exp.refresh_action); -a.register('reset', exp.reset_action); -a.register('update', exp.update_action); +a.register('revert', exp.reset_action); +a.register('save', exp.update_action); a.register('object', exp.object_action); a.register('enable', exp.enable_action); a.register('disable', exp.disable_action); @@ -2026,4 +2026,4 @@ exp.register = function() { phases.on('registration', exp.register); return exp; -}); \ No newline at end of file +}); diff --git a/install/ui/src/freeipa/dns.js b/install/ui/src/freeipa/dns.js index 7b66c8674a761a67025d1c4cfe3f7126b2cf9f68
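Review bot: In the exp.register hunk, 'reset' and 'update' are replaced by 'revert' and 'save' with no alias left behind, so any facet spec, plugin or test that still refers to the old action names stops resolving them. Search the whole tree for the old names before merging (the diffstat of this version touches nothing under ipatests/), or register the old names next to the new ones for a transition period.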
[Freeipa-devel] [PATCH 0046] Remove unneeded --ip-address option in ipa-adtrust-install
Hello, Fix for https://fedorahosted.org/freeipa/ticket/4575 Thanks, Gabe From 6c9ac52a18df8bbce33db09c16494159258ff104 Mon Sep 17 00:00:00 2001 From: Gabe redhatri...@gmail.com Date: Wed, 15 Apr 2015 09:18:58 -0600 Subject: [PATCH] Remove unneeded ip-address option in ipa-adtrust-install https://fedorahosted.org/freeipa/ticket/4575 --- install/tools/ipa-adtrust-install | 25 + install/tools/man/ipa-adtrust-install.1 | 3 --- ipaserver/install/adtrustinstance.py| 4 +--- 3 files changed, 2 insertions(+), 30 deletions(-) diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index 6e55bbe3e57f1c609398dc571e90cb8677d91a33..3f8f2105bcaf15bc577aeb87ca4bb0d068909b6e 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install @@ -39,8 +39,6 @@ def parse_options(): parser = IPAOptionParser(version=version.VERSION) parser.add_option(-d, --debug, dest=debug, action=store_true, default=False, help=print debugging information) -parser.add_option(--ip-address, dest=ip_address, - type=ip, ip_local=True, help=Master Server IP Address) parser.add_option(--netbios-name, dest=netbios_name, help=NetBIOS name of the IPA domain) parser.add_option(--no-msdcs, dest=no_msdcs, action=store_true, 
@@ -291,37 +289,16 @@ def main(): options.enable_compat = enable_compat_tree() # Check we have a public IP that is associated with the hostname -ip = None try: hostaddr = resolve_host(api.env.host) if len(hostaddr) 1: print sys.stderr, The server hostname resolves to more than one address: for addr in hostaddr: print sys.stderr, %s % addr - -if options.ip_address: -if str(options.ip_address) not in hostaddr: -print sys.stderr, Address passed in --ip-address did not match any resolved -print sys.stderr, address! -sys.exit(1) -print Selected IP address:, str(options.ip_address) -ip = options.ip_address -else: -if options.unattended: -print sys.stderr, Please use --ip-address option to specify the address -sys.exit(1) -else: -ip = read_ip_address(api.env.host, fstore) -else: -ip = hostaddr and ipautil.CheckedIPAddress(hostaddr[0], match_local=True) except Exception, e: -print Error: Invalid IP Address %s: %s % (ip, e) print Aborting installation sys.exit(1) -ip_address = str(ip) -root_logger.debug(will use ip_address: %s\n, ip_address) - admin_password = options.admin_password if not (options.unattended or admin_password): admin_password = read_admin_password(options.admin_name) @@ -406,7 +383,7 @@ def main(): smb = adtrustinstance.ADTRUSTInstance(fstore) smb.realm = api.env.realm smb.autobind = ipaldap.AUTOBIND_ENABLED -smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain, +smb.setup(api.env.host, api.env.realm, api.env.domain, netbios_name, reset_netbios_name, options.rid_base, options.secondary_rid_base, options.no_msdcs, options.add_sids, diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1 index b0aa8ceefc34698329b2a13d3adbcb204f08b3a9..a32eefb0e2dd4334b6dc3597b3643743ead56847 100644 --- a/install/tools/man/ipa-adtrust-install.1 +++ b/install/tools/man/ipa-adtrust-install.1 
@@ -41,9 +41,6 @@ might be affected as well. \fB\-d\fR, \fB\-\-debug\fR Enable debug logging when more verbose output is needed .TP -\fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR -The IP address of the IPA server. If not provided then this is determined based on the hostname of the server. -.TP \fB\-\-netbios\-name\fR=\fINETBIOS_NAME\fR The NetBIOS name for the IPA domain. If not provided then this is determined based on the leading component of the DNS domain name. Running diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index b4d644fdbf784dd7936adc8eb085f4825cab797e..92c05f26a10c8f90bbe62ae9f6723d5e22ff3833 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -108,7 +108,6 @@ class ADTRUSTInstance(service.Service): FALLBACK_GROUP_NAME = u'Default SMB Group' def __init__(self, fstore=None): -self.ip_address = None self.netbios_name = None self.reset_netbios_name = None self.no_msdcs = None @@ -774,11 +773,10 @@ class ADTRUSTInstance(service.Service): LDAPI_SOCKET = self.ldapi_socket, FQDN = self.fqdn) -def setup(self, fqdn, ip_address, realm_name, domain_name, netbios_name, +
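Review bot: In the parse_options hunk of ipa-adtrust-install, --ip-address is removed outright, so existing unattended invocations that still pass it will now be rejected at option parsing. If that is not the intent, keep the option for one release as a hidden, deprecated no-op that prints a warning when used, and say so in the man page instead of deleting the entry.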
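Review bot: In the main() hunk, the except branch loses its only diagnostic (the `Error: Invalid IP Address` line) and now prints just "Aborting installation", so a failure inside resolve_host(api.env.host) ends the run without telling the administrator what went wrong. Print the exception text in that handler; the bound name e is already there and is otherwise unused after this change.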
[Freeipa-devel] [PATCH 0047] Unsaved changes dialog inconsistent
Hello, Fix for https://fedorahosted.org/freeipa/ticket/4926 Thanks, Gabe From 053f7dd53e9d1acd6dec4688ab515f138d832ef4 Mon Sep 17 00:00:00 2001 From: Gabe redhatri...@gmail.com Date: Mon, 27 Apr 2015 06:49:25 -0600 Subject: [PATCH] Unsaved changes dialog internally inconsistent - Change Update button text to Save - Change Reset button text to Revert https://fedorahosted.org/freeipa/ticket/4926 --- ipalib/plugins/internal.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ipalib/plugins/internal.py b/ipalib/plugins/internal.py index b85f2d077110128963e26ccf0f43e21141c46f4a..a88d0b8bf3f4632faf98e269363c6e9b523eefa1 100644 --- a/ipalib/plugins/internal.py +++ b/ipalib/plugins/internal.py @@ -218,14 +218,14 @@ class i18n_messages(Command): ok: _(OK), refresh: _(Refresh), remove: _(Delete), -reset: _(Reset), +reset: _(Revert), reset_password_and_login: _(Reset Password and Login), restore: _(Restore), retry: _(Retry), revoke: _(Revoke), set: _(Set), unapply: (Un-apply), -update: _(Update), +update: _(Save), view: _(View), }, details: { -- 1.8.3.1 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
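Review bot: In the i18n_messages hunk of ipalib/plugins/internal.py, only the text behind the existing reset and update keys changes, so every place that uses these shared button labels switches to "Revert" and "Save", not just the unsaved-changes dialog named in the ticket, and the keys no longer describe their labels. Add separate revert and save entries, point the dialog buttons at them, and mirror the new strings in install/ui/test/data/ipa_init.json.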
Re: [Freeipa-devel] [PATCH 0082] Update python-yubico dependency version
Ack. Thanks, Gabe On Wed, Apr 22, 2015 at 1:45 PM, Nathaniel McCallum npmccal...@redhat.com wrote: On Tue, 2015-03-31 at 10:25 -0400, Nathaniel McCallum wrote: This change enables support for all current YubiKey hardware. Can someone please review this patch? Nathaniel
Re: [Freeipa-devel] [PATCH 001] Remove recommendation from ipa-adtrust-install
Ack from me. Thanks, Gabe On Fri, Apr 10, 2015 at 7:35 AM, Thorsten Scherf tsch...@redhat.com wrote:
Re: [Freeipa-devel] [PATCH 0045] Add message for skipping NTP configuration during client install
Stupid me. I realized that chronyd was running which messed up my testing and such (sorry about that). New patch attached that implements 'else'

On Tue, Apr 7, 2015 at 2:32 AM, Martin Basti mba...@redhat.com wrote: On 02/04/15 17:47, Gabe Alford wrote: On Thu, Apr 2, 2015 at 8:59 AM, Martin Basti mba...@redhat.com wrote: On 30/03/15 15:25, Gabe Alford wrote:

Hello, With the merging of ticket 4842 https://fedorahosted.org/freeipa/ticket/4842, I believe that half of ticket 3092 https://fedorahosted.org/freeipa/ticket/3092 has been done. This patch just adds a message that says that NTP configuration was skipped which I believe should finish 3092 https://fedorahosted.org/freeipa/ticket/3092. Thanks, Gabe

Hello, thank you for the patch. 1) IMO there should be: if *not* options.conf_ntp

So, if --no-ntp is not specified, print message that the client is skipping NTP sync?

Yes, or did I miss something? I thought the message should be shown only if --no-ntp option is used. With your current patch:

# ipa-client-install --no-ntp
no ntp related output
no INFO msg: skipping...

# ipa-client-install
output omitted /
Attempting to sync time using ntpd. Will timeout after 15 seconds
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Skipping synchronizing time with IPA NTP server.
output omitted /

But in this case the client did synchronization with NTP (which failed), IMO the message Skipping ... should not be there. This message is shown even if the synchronization with NTP is successful.

2) wouldn't it be better to use just else?

I actually ran ipa-client-install with no options on a system where I used 'else', and it printed the skipping NTP sync when it should not have. That is why the patch does not use 'else'.

Interesting, I expected the messages only on client installed on IPA server, or with using --no-ntp option

Martin -- Martin Basti -- Martin Basti
From 4422cab165a648d8657be70d1deea1b0a834f183 Mon Sep 17 00:00:00 2001 From: Gabe redhatri...@gmail.com Date: Tue, 7 Apr 2015 08:54:30 -0600 Subject: [PATCH] Add message for skipping NTP configuration during client install https://fedorahosted.org/freeipa/ticket/3092 --- ipa-client/ipa-install/ipa-client-install | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index e31d83dc98d411d281c9913af6cd45b41e2b51a1..1590a08600bbb1b2fd7f4c3338b5060156d7dc38 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -2343,6 +2343,8 @@ def install(options, env, fstore, statestore): root_logger.warning(Unable to sync time with IPA NTP + server, assuming the time is in sync. Please check + that 123 UDP port is opened.) +else: +root_logger.info('Skipping synchronizing time with IPA NTP server.') if not options.unattended: if (options.principal is None and options.password is None and -- 1.8.3.1 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
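Review bot: In the install() hunk, the new else branch logs "Skipping synchronizing time with IPA NTP server." without saying why, and with the previous version of this patch the thread shows the same message appearing in a run where synchronization had in fact been attempted. Confirm that the else pairs with the check that decides whether NTP is configured at all, not with the check of the sync result, and name the reason in the message (for example that --no-ntp was given).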
Re: [Freeipa-devel] [PATCH 0045] Add message for skipping NTP configuration during client install
On Thu, Apr 2, 2015 at 8:59 AM, Martin Basti mba...@redhat.com wrote: On 30/03/15 15:25, Gabe Alford wrote:

Hello, With the merging of ticket 4842 https://fedorahosted.org/freeipa/ticket/4842, I believe that half of ticket 3092 https://fedorahosted.org/freeipa/ticket/3092 has been done. This patch just adds a message that says that NTP configuration was skipped which I believe should finish 3092 https://fedorahosted.org/freeipa/ticket/3092. Thanks, Gabe

Hello, thank you for the patch. 1) IMO there should be: if *not* options.conf_ntp

So, if --no-ntp is not specified, print message that the client is skipping NTP sync?

2) wouldn't it be better to use just else?

I actually ran ipa-client-install with no options on a system where I used 'else', and it printed the skipping NTP sync when it should not have. That is why the patch does not use 'else'.

Martin -- Martin Basti
[Freeipa-devel] [PATCH 0045] Add message for skipping NTP configuration during client install
Hello, With the merging of ticket 4842 https://fedorahosted.org/freeipa/ticket/4842, I believe that half of ticket 3092 https://fedorahosted.org/freeipa/ticket/3092 has been done. This patch just adds a message that says that NTP configuration was skipped which I believe should finish 3092 https://fedorahosted.org/freeipa/ticket/3092. Thanks, Gabe From 77a8b703acb81b36b11a250660b834a72c7a2f4c Mon Sep 17 00:00:00 2001 From: Gabe redhatri...@gmail.com Date: Mon, 30 Mar 2015 07:09:05 -0600 Subject: [PATCH] Add message for skipping NTP configuration during client install https://fedorahosted.org/freeipa/ticket/3092 --- ipa-client/ipa-install/ipa-client-install | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index e31d83dc98d411d281c9913af6cd45b41e2b51a1..c021eb0ec94284aaa5fb4ed66011e6a9b5b879c4 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -2344,6 +2344,9 @@ def install(options, env, fstore, statestore): server, assuming the time is in sync. Please check + that 123 UDP port is opened.) +if options.conf_ntp: +root_logger.info('Skipping synchronizing time with IPA NTP server.') + if not options.unattended: if (options.principal is None and options.password is None and options.prompt_password is False and options.keytab is None): -- 1.8.3.1 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
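Review bot: In the install() hunk, `if options.conf_ntp:` has the condition the wrong way round: the message about skipping time synchronization is logged when NTP configuration is enabled, directly after the sync attempt and its warning, and nothing is logged when --no-ntp is used. Use `if not options.conf_ntp:`, or attach an else to the existing NTP branch so the two cases cannot drift apart.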
Re: [Freeipa-devel] [PATCH 0044] Man pages: ipa-replica-prepare can only be created on first master
On Thu, Mar 12, 2015 at 8:26 AM, Martin Kosek mko...@redhat.com wrote: On 03/12/2015 02:37 PM, Gabe Alford wrote:

Hello, Fix for https://fedorahosted.org/freeipa/ticket/4944. Since there seems to be plenty of time, I added it to the freeipa-4-1 branch.

Thanks Gabe! I would still suggest against moving the tickets to milestones yourself, all new tickets should still undergo the weekly triage so that all core developers see it and we can decide the target milestone.

Sorry about that.

With this one, it would likely indeed end in 4.1.x, especially given you contributed a patch, but still... For the patch itself, I still think the wording is not as it should be:

- following line is not entirely true, you can create replica also on servers installed with ipa-replica-install :-)
+A replica can be created on any IPA master server installed with ipa\-server\-install.

- Following line may also use some rewording:
However if you want to create a replica as a redundant CA with an existing replica or master, ipa\-replica\-prepare should be run on a replica or master that contains the CA.

Maybe we should add subsection to DESCRIPTION section, with following lines:

What should the .SS be called? Replica Info? PKI INFO? Preparation Requirements?

- A replica should only be installed on the same or higher version of IPA on the remote system.
- A replica with PKI can only be installed from replica file prepared on a master with PKI

Makes sense?

We will see if the coffee is working today. :)

Martin
Re: [Freeipa-devel] [PATCH 0044] Man pages: ipa-replica-prepare can only be created on first master
Limitations is fine with me. Updated patch attached.

On Fri, Mar 13, 2015 at 7:17 AM, Martin Kosek mko...@redhat.com wrote: On 03/13/2015 02:13 PM, Gabe Alford wrote: On Thu, Mar 12, 2015 at 8:26 AM, Martin Kosek mko...@redhat.com wrote: On 03/12/2015 02:37 PM, Gabe Alford wrote:

Hello, Fix for https://fedorahosted.org/freeipa/ticket/4944. Since there seems to be plenty of time, I added it to the freeipa-4-1 branch.

Thanks Gabe! I would still suggest against moving the tickets to milestones yourself, all new tickets should still undergo the weekly triage so that all core developers see it and we can decide the target milestone.

Sorry about that.

With this one, it would likely indeed end in 4.1.x, especially given you contributed a patch, but still... For the patch itself, I still think the wording is not as it should be:

- following line is not entirely true, you can create replica also on servers installed with ipa-replica-install :-)
+A replica can be created on any IPA master server installed with ipa\-server\-install.

- Following line may also use some rewording:
However if you want to create a replica as a redundant CA with an existing replica or master, ipa\-replica\-prepare should be run on a replica or master that contains the CA.

Maybe we should add subsection to DESCRIPTION section, with following lines:

What should the .SS be called? Replica Info? PKI INFO? Preparation Requirements?

Limitations?

- A replica should only be installed on the same or higher version of IPA on the remote system.
- A replica with PKI can only be installed from replica file prepared on a master with PKI

Makes sense?

We will see if the coffee is working today. :)

Martin

From 1a679b80db8b577b531a3bc825340f06e56b9886 Mon Sep 17 00:00:00 2001
From: Gabe redhatri...@gmail.com Date: Fri, 13 Mar 2015 07:34:49 -0600 Subject: [PATCH] ipa-replica-prepare can only be created on the first master - https://fedorahosted.org/freeipa/ticket/4944 --- install/tools/man/ipa-replica-prepare.1 | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/install/tools/man/ipa-replica-prepare.1 b/install/tools/man/ipa-replica-prepare.1 index 1879d2ee88fc78fb755a702a2b2fe9a93e153b45..4c5ad3e8e49798eb33667903f2de1f35d83596c0 100644 --- a/install/tools/man/ipa-replica-prepare.1 +++ b/install/tools/man/ipa-replica-prepare.1 
@@ -24,15 +24,17 @@ ipa\-replica\-prepare [\fIOPTION\fR]... hostname .SH DESCRIPTION Generates a replica file that may be used with ipa\-replica\-install to create a replica of an IPA server. -A replica can only be created on an IPA server installed with ipa\-server\-install (the first server). +A replica can be created on any IPA master or replica server. You must provide the fully\-qualified hostname of the machine you want to install the replica on and a host\-specific replica_file will be created. It is host\-specific because SSL server certificates are generated as part of the process and they are specific to a particular hostname. If IPA manages the DNS for your domain, you should either use the \fB\-\-ip\-address\fR option or add the forward and reverse records manually using IPA plugins. Once the file has been created it will be named replica\-hostname. This file can then be moved across the network to the target machine and a new IPA replica setup by running ipa\-replica\-install replica\-hostname. - +.SS LIMITATIONS A replica should only be installed on the same or higher version of IPA on the remote system. + +A replica with PKI can only be installed from a replica file prepared on a master with PKI. .SH OPTIONS .TP \fB\-\-dirsrv\-cert\-file\fR=\fIFILE\fR -- 1.8.3.1 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
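Review bot: In the DESCRIPTION hunk, the new sentence says "A replica can be created on any IPA master or replica server", but what this tool produces on that server is the replica file; the replica itself is set up on the target host, as the paragraph right below explains. Write "A replica file can be created on ..." to keep the two steps apart. The subject line still reads "can only be created on the first master", which is the opposite of what the patch now documents.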
[Freeipa-devel] [PATCH 0044] Man pages: ipa-replica-prepare can only be created on first master
Hello, Fix for https://fedorahosted.org/freeipa/ticket/4944. Since there seems to be plenty of time, I added it to the freeipa-4-1 branch. Thanks, Gabe From 0887f4f4595e62ce4d24f1b031418e47da7586fb Mon Sep 17 00:00:00 2001 From: Gabe redhatri...@gmail.com Date: Thu, 12 Mar 2015 07:26:34 -0600 Subject: [PATCH] ipa-replica-prepare can only be created on the first master - https://fedorahosted.org/freeipa/ticket/4944 --- install/tools/man/ipa-replica-prepare.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-replica-prepare.1 b/install/tools/man/ipa-replica-prepare.1 index 1879d2ee88fc78fb755a702a2b2fe9a93e153b45..8d97c27b36b54d5ce95bd85f0d9adb4022a6ecfb 100644 --- a/install/tools/man/ipa-replica-prepare.1 +++ b/install/tools/man/ipa-replica-prepare.1 @@ -24,7 +24,7 @@ ipa\-replica\-prepare [\fIOPTION\fR]... hostname .SH DESCRIPTION Generates a replica file that may be used with ipa\-replica\-install to create a replica of an IPA server. -A replica can only be created on an IPA server installed with ipa\-server\-install (the first server). +A replica can be created on any IPA master server installed with ipa\-server\-install. However if you want to create a replica as a redundant CA with an existing replica or master, ipa\-replica\-prepare should be run on a replica or master that contains the CA. You must provide the fully\-qualified hostname of the machine you want to install the replica on and a host\-specific replica_file will be created. It is host\-specific because SSL server certificates are generated as part of the process and they are specific to a particular hostname. -- 1.8.3.1 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
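Review bot: In the DESCRIPTION hunk, the replacement sentence still ends with "installed with ipa-server-install", which keeps the first-server restriction the ticket is about, because servers set up with ipa-replica-install fall outside that wording. The added line also carries the CA caveat as a second sentence on the same source line; give it its own paragraph so it is not read as part of the general rule.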
Re: [Freeipa-devel] Time-based account policies
On Tue, Mar 10, 2015 at 9:51 AM, Stanislav Láznička s...@seznam.cz wrote: On 03/10/2015 04:06 PM, Jakub Hrozek wrote: On Tue, Mar 10, 2015 at 03:47:10PM +0100, Martin Kosek wrote: This is where importing iCal is helpful because it allows you to outsource the task of creating such event to something else. Parsing event information would produce a rule definition we would store and SSSD would apply as HBAC rule. However, we don't need ourselves to provide a complex UI to define such rules. Instead, we can do a simple UI to create rules plus a UI to import rules defined in iCal by some other software. The rest is visualizing HBAC time/date rules which is separate from dealing with complexity of creating or importing rules. Additionally, for iCal-based imports we can utilize participants information from the iCal to automatically set up members of the rule (based on mail attribute). Ah, makes sense to me. With all the possibilities that iCal format offers, we would more or less end up storing iCal in HBAC rules (or our own format of iCal). I am just concerned it would make a bit complex processing on SSSD side, especially in the security sensitive piece for authorization rules. We may need to use libraries for processing iCal rules, like libical (http://koji.fedoraproject.org/koji/buildinfo?buildID=606329)... Is that what Alexander said, though? In his reply, I see: Parsing event information would produce a rule definition we would store and SSSD would apply as HBAC rule. This is what kind of worried me, too. If I understand it well, this means you would have iCal events such as holidays (these were mentioned before), and you would like to generate HBAC rules based on these events. Those rules would, however, be different for each country (if this is still about holidays) and might collide among user and host groups. Therefore, you would have lots and lots of rules in the end, wouldn't you? I wonder if anyone does that. 
From what I've seen in AD and 389 Directory Server, time-based rules are being stored in a rather simple manner. I don't mind a more complex solution but I think such exceptions might be little too much. But I might have not understood the idea very well. This is my understanding as well. If using AD as the example, there are two ways that timebased rules are configured: 1. Permit logon hours during specified timeframe on specified day(s) of the week. 2. Deny logon hours during specified timeframe on specified day(s) of the week. There is nothing about holidays. I think that implementing holidays and special exemptions should be avoided. Just my 2 cents. Gabe I don't think iCal dependency is something we want in SSSD, the rules should be converted from iCal to SSSD format in a layer atop libipa_hbac..
Re: [Freeipa-devel] [PATCH 0039] Add test case for unsupported arg for ipa-advise
Yeah. That makes more sense. Updated patch attached. Thanks, Gabe On Wed, Feb 25, 2015 at 3:55 PM, Tomas Babej tba...@redhat.com wrote: Hi Gabe, sorry for not being clear. This approach will not work: +class TestAdvice(BaseTestInvalidAdvice, + BaseTestFedoraAuthconfig, + BaseTestFreeBSDNSSPAM, + BaseTestGenericNSSPAM, + BaseTestGenericSSSDBefore19, + BaseTestRedHatNSS, + BaseTestRedHatNSSPAM, + BaseTestRedHatSSSDBefore19, + BaseTestAdvice): +pass By combining all the base classes into one, you will not get the desired effect (which is to run the test_advice method for each advice_id). Let me explain why: The test runner works in the following way: it inspects any discovered class whose name begins with Test, and executes each of its methods whose name begins with test as a test case. If the test runner inspects the TestAdvice class, the only method beginning with test which it will see is test_advice, which was inherited back from the BaseTestAdvice class. So we can safely conclude the test runner will only run 1 test case. Which one, you may ask? Well, since the test_advice behaviour is fully determined by the values of advice_id, advice_regex and raiseerr attributes, let's look at their values in TestAdvice class. This class does not define attributes with such names, so we move along the inheritance chain (also called MRO) - the first class from which we inherit is BaseTestInvalidAdvice, and this class defines all three mentioned attributes. Hence the only test that will be run is the test for invalid advice :) Now, how to fix this? 
The easiest approach would be to abandon the approach with the separate classes, and map each class to a test method in the TestAdvice class, like this (from the top of my head): +class TestAdvice(IntegrationTest): +topology = 'line' + +def test_invalid_advice(self): +advice_id = 'invalid-advise-param' +advice_regex = invalid[\s]+\'advice\'.* +raiseerr = False +# Obtain the advice from the server +tasks.kinit_admin(self.master) +result = self.master.run_command(['ipa-advise', self.advice_id], + raiseonerr=self.raiseerr) + +if not result.stdout_text: +advice = result.stderr_text +else: +advice = result.stdout_text + +assert re.search(self.advice_regex, advice, re.S) + +def test_advice_fedora_authconfig(self): +advice_id = 'config-fedora-authconfig' +advice_regex = \#\!\/bin\/sh.* \ + authconfig[\s]+\-\-enableldap[\s]+ \ + \-\-ldapserver\=.*[\s]+\-\-enablerfc2307bis[\s]+ \ + \-\-enablekrb5 +raiseonerr = True +# Obtain the advice from the server +tasks.kinit_admin(self.master) +result = self.master.run_command(['ipa-advise', self.advice_id], + raiseonerr=self.raiseerr) + +if not result.stdout_text: +advice = result.stderr_text +else: +advice = result.stdout_text + +assert re.search(self.advice_regex, advice, re.S) ... the same for the remaining 6 cases Now, this pattern has lots of duplicated code which can be extracted to a helper method, I just thought it would help to be more explicit to get the idea across. In the end you can achieve the same level of conciseness than with the separate test classes. Good luck! HTH, Tomas On 02/25/2015 03:52 PM, Gabe Alford wrote: No worries about the delay. Thanks for taking the time! Updated patch attached. Thanks, Gabe On Tue, Feb 24, 2015 at 11:03 AM, Tomas Babej tba...@redhat.com wrote: Hi Gabe, sorry for the delay. Here comes the review! 1.) 
All the tests fail, since the IPA master is not installed at all: def test_advice(self): # Obtain the advice from the server tasks.kinit_admin(self.master) test_integration/test_advise.py:37: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ test_integration/tasks.py:484: in kinit_admin stdin_text=host.config.admin_password) ../pytest_multihost/host.py:222: in run_command command.wait(raiseonerr=raiseonerr) _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ self = pytest_multihost.transport.SSHCommand object at 0x7f09c0530c90 raiseonerr = True def wait(self, raiseonerr=True): Wait for the remote process to exit Raises an excption if the exit code is not 0, unless raiseonerr is true. if self._done: return self.returncode self._end_process() self._done = True if raiseonerr and self.returncode
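The discovery and MRO behaviour described in the 25 February message above, as an added example that is not part of the original thread or of the FreeIPA test suite. `SAMPLE_OUTPUT`, `collect_tests`, `attribute_owner`, `run_tests` and `TestAdviceFixed` are hypothetical names, the ipa-advise output is constructed, and the regexes are adapted from the ones quoted in the thread.

```python
import re

# Constructed stand-ins for `ipa-advise <id>` output (not real FreeIPA output).
SAMPLE_OUTPUT = {
    "invalid-advise-param": "ipa: ERROR: invalid 'advice': constructed sample\n",
    "config-fedora-authconfig": (
        "#!/bin/sh\n"
        "authconfig --enableldap --ldapserver=ipa.example.test "
        "--enablerfc2307bis --enablekrb5\n"
    ),
}


class BaseTestAdvice:
    """One generic test whose behaviour is set purely by class attributes."""
    advice_id = None
    advice_regex = ""

    def test_advice(self):
        assert re.search(self.advice_regex, SAMPLE_OUTPUT[self.advice_id], re.S)


class BaseTestInvalidAdvice(BaseTestAdvice):
    advice_id = "invalid-advise-param"
    advice_regex = r"invalid[\s]+\'advice\'.*"


class BaseTestFedoraAuthconfig(BaseTestAdvice):
    advice_id = "config-fedora-authconfig"
    advice_regex = (r"\#\!\/bin\/sh.*authconfig[\s]+\-\-enableldap[\s]+"
                    r"\-\-ldapserver\=.*[\s]+\-\-enablerfc2307bis[\s]+"
                    r"\-\-enablekrb5")


class TestAdvice(BaseTestInvalidAdvice, BaseTestFedoraAuthconfig, BaseTestAdvice):
    """Combined class from the thread: it inherits exactly one test method."""


class TestAdviceFixed:
    """One test method per advice id; the shared logic takes arguments."""

    def _check(self, advice_id, advice_regex):
        assert re.search(advice_regex, SAMPLE_OUTPUT[advice_id], re.S), advice_id

    def test_invalid_advice(self):
        self._check(BaseTestInvalidAdvice.advice_id,
                    BaseTestInvalidAdvice.advice_regex)

    def test_advice_fedora_authconfig(self):
        self._check(BaseTestFedoraAuthconfig.advice_id,
                    BaseTestFedoraAuthconfig.advice_regex)


def collect_tests(cls):
    """Mimic runner discovery: callables on the class named test*."""
    return sorted(n for n in dir(cls)
                  if n.startswith("test") and callable(getattr(cls, n)))


def attribute_owner(cls, name):
    """Name of the first class in the MRO that defines the attribute."""
    return next(k.__name__ for k in cls.__mro__ if name in vars(k))


def run_tests(cls):
    """Run every discovered test on a fresh instance; return how many ran."""
    names = collect_tests(cls)
    for name in names:
        getattr(cls(), name)()
    return len(names)
```
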
Re: [Freeipa-devel] [PATCH 0039] Add test case for unsupported arg for ipa-advise
No worries about the delay. Thanks for taking the time! Updated patch attached. Thanks, Gabe On Tue, Feb 24, 2015 at 11:03 AM, Tomas Babej tba...@redhat.com wrote: Hi Gabe, sorry for the delay. Here comes the review! 1.) All the tests fail, since the IPA master is not installed at all: def test_advice(self): # Obtain the advice from the server tasks.kinit_admin(self.master) test_integration/test_advise.py:37: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ test_integration/tasks.py:484: in kinit_admin stdin_text=host.config.admin_password) ../pytest_multihost/host.py:222: in run_command command.wait(raiseonerr=raiseonerr) _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ self = pytest_multihost.transport.SSHCommand object at 0x7f09c0530c90 raiseonerr = True def wait(self, raiseonerr=True): Wait for the remote process to exit Raises an excption if the exit code is not 0, unless raiseonerr is true. if self._done: return self.returncode self._end_process() self._done = True if raiseonerr and self.returncode: self.log.error('Exit code: %s', self.returncode) raise subprocess.CalledProcessError(self.returncode, self.argv) E CalledProcessError: Command '['kinit', 'admin']' returned non-zero exit status 1 Similarly for other tests. This is caused by the fact that you did not set topology in the BaseTestAdvise class, like this: --- a/ipatests/test_integration/test_advise.py +++ b/ipatests/test_integration/test_advise.py 
@@ -31,6 +31,7 @@ class BaseTestAdvise(IntegrationTest, object): advice_id = None raiseerr = None advice_regex = '' +topology = 'line'
2.) BaseTestAdvise inherits from IntegrationTest and from object. Explicitly specifying object as superclass is not needed, IntegrationTest already inherits from it.
3.) I think there is no good incentive to separate the test cases into multiple classes. Each test class adds overhead of installing and uninstalling IPA server, to guarantee a clean and sane environment. However, it seems to be an overkill for testing ipa-advise command, which should be read-only anyway. By squashing the tests into one test class, we will decrease the run time of this test more than 8-fold.
4.) The patch adds a whitespace error.
The test cases themselves are looking fine, and when I fixed the missing topology, they all passed. So this is a question of fixing the above issues, and we should be ready to push. Tomas
freeipa-rga-0039-2-ipatests-Add-tests-for-valid-and-invalid-ipa-advise.patch Description: Binary data ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH 0042] ipa-replica-prepare should document ipv6 options
Hello, Fix for https://fedorahosted.org/freeipa/ticket/4877. I just took what was in the ticket. Thanks, Gabe freeipa-rga-0042-ipa-replica-prepare-should-document-ipv6-options.patch Description: Binary data
Re: [Freeipa-devel] [PATCH 0039] Add test case for unsupported arg for ipa-advise
Hello, I was wondering if I could get a review of this patch. Thanks, Gabe On Thursday, January 29, 2015, Gabe Alford redhatri...@gmail.com wrote: Hello, Here is a patch for https://fedorahosted.org/freeipa/ticket/4029 I added test cases for valid and invalid advice. Thanks, Gabe On Wed, Jan 14, 2015 at 10:23 AM, Tomas Babej tba...@redhat.com wrote: On 01/14/2015 06:13 PM, Gabe Alford wrote: On Wed, Jan 14, 2015 at 10:05 AM, Tomas Babej tba...@redhat.com wrote: On 01/14/2015 06:00 PM, Tomas Babej wrote: On 01/14/2015 05:37 PM, Tomas Babej wrote: On 01/14/2015 02:55 PM, Gabe Alford wrote: Hello, In looking into https://fedorahosted.org/freeipa/ticket/4029 I am wondering if there should be separate ipa-advise test, Yes/No? Could be handy in the future to test more ipa-advise output? Or should this test be added to the test_legacy_clients.py? Thanks, Gabe On Tue, Dec 2, 2014 at 9:21 PM, Gabe Alford redhatri...@gmail.com wrote: Hello, I was going to try my hand at attempting a patch for ipa-tests. However in wanting to test my patch, I am not sure how to run ipa-tests to check if it works or not. Documentation is not really clear on what needs to be done to start a test and run a test. This is for https://fedorahosted.org/freeipa/ticket/4029 I have attached the patch that I have yet to really test with ipa-test. Any help on how to test the patch running ipa-tests would be great. Of course, if one of the reviewers looks at the patch and looks good, then I would be happy with that as well. Thanks, Gabe Hello, TL;DR: feel free to create a separate ipa-advise test file. Test requested in this ticket really does not belong to the legacy clients feature test. 
As for any new tests that might come: I think tests for ipa-advise that are specific to that particular feature should be tested with that feature, more so, if they contain parts that are supposed to work copy-pasted. If a test, however, tests a general behaviour of ipa-advise, it should live in the ipa-advise namespace, hence separate test file. HTH, -- Tomas Babej Associate Software Engineer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org The attached patch looks fine, although, please also test for a non-zero return code number. Upon hitting send I noticed you did not include raiseonerr=False into the run_command call. You need to do that, otherwise an exception will be raised, since ipa-advise exited with non-zero return code. Thanks Tomas. Which do you prefer: a test_advise.py or an update to the existing patch? A new test file, as I pointed out in the second email :) sorry for splitting. However, it would be the best if you could spin up a positive test as well (maybe listing out available advices), not just this negative one, to justify the overhead reinstalling IPA for testing this feature. -- Tomas Babej Associate Software Engineer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org
Re: [Freeipa-devel] [PATCH 0041] permission-add does not prompt for ipapermright option in interactive mode
Oops. My mistake. Corrected patch attached. On Wed, Feb 11, 2015 at 8:59 AM, Martin Basti mba...@redhat.com wrote: Sorry, alwaysask didn't work. It was asking for rights during permission-mod. I replaced alwaysask with flag ask_create. Sorry for late catch. Updated patch attached. PS: your name+email is missing in commit message, is it on purpose? And time wasn't correct in previous patch. On 11/02/15 15:06, Gabe Alford wrote: Good point. I personally was not aware of all that the API can do. Thanks Martin^2! Updated patch attached. On Tue, Feb 10, 2015 at 11:42 AM, Martin Basti mba...@redhat.com wrote: On 29/01/15 17:10, Gabe Alford wrote: Hello, Fix for https://fedorahosted.org/freeipa/ticket/4872 Thanks, Gabe Thank you for your patch. IMO, would be better to use flag, alwaysask for ipapermright, instead of creating new callback: StrEnum( 'ipapermright*', cli_name='right', deprecated_cli_aliases={'permissions'}, label=_('Granted rights'), doc=_('Rights to grant ' '(read, search, compare, write, add, delete, all)'), values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all'), +alwaysask=True, ), This change requires to generate new API.txt please run ./makeapi and increment API version in VERSION file. Thank you in advance :-) Martin^2 -- Martin Basti freeipa-rga-0041-3-permission-add-does-not-prompt-for-ipapermright-in-i.patch Description: Binary data
Re: [Freeipa-devel] [PATCH 0041] permission-add does not prompt for ipapermright option in interactive mode
Good point. I personally was not aware of all that the API can do. Thanks Martin^2! Updated patch attached. On Tue, Feb 10, 2015 at 11:42 AM, Martin Basti mba...@redhat.com wrote: On 29/01/15 17:10, Gabe Alford wrote: Hello, Fix for https://fedorahosted.org/freeipa/ticket/4872 Thanks, Gabe Thank you for your patch. IMO, would be better to use flag, alwaysask for ipapermright, instead of creating new callback: StrEnum( 'ipapermright*', cli_name='right', deprecated_cli_aliases={'permissions'}, label=_('Granted rights'), doc=_('Rights to grant ' '(read, search, compare, write, add, delete, all)'), values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all'), +alwaysask=True, ), This change requires to generate new API.txt please run ./makeapi and increment API version in VERSION file. Thank you in advance :-) Martin^2 -- Martin Basti freeipa-rga-0041-2-permission-add-does-not-prompt-for-ipapermright-in-i.patch Description: Binary data
[Freeipa-devel] [PATCH 0042] Typos in ipa-rmkeytab
Hello, Fix for https://fedorahosted.org/freeipa/ticket/4890 Thanks, Gabe From 6c760974951325419414ef4d474293c1af089004 Mon Sep 17 00:00:00 2001 From: Gabe redhatri...@gmail.com Date: Mon, 9 Feb 2015 20:44:31 -0700 Subject: [PATCH] Typos in ipa-rmkeytab options help and man page https://fedorahosted.org/freeipa/ticket/4890 --- ipa-client/ipa-rmkeytab.c | 4 ++-- ipa-client/man/ipa-rmkeytab.1 | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ipa-client/ipa-rmkeytab.c b/ipa-client/ipa-rmkeytab.c index a2a292e3d6882f4c15f2134cdb8ff73a7159492f..3687b1dc7ea0ab4484af3385bb87c5b9155e53da 100644 --- a/ipa-client/ipa-rmkeytab.c +++ b/ipa-client/ipa-rmkeytab.c @@ -168,10 +168,10 @@ main(int argc, const char **argv) { debug, 'd', POPT_ARG_NONE, debug, 0, _(Print debugging information), _(Debugging output) }, { principal, 'p', POPT_ARG_STRING, principal, 0, - _(The principal to get a keytab for (ex: ftp/ftp.example@example.com)), + _(The principal to remove from the keytab (ex: ftp/ftp.example@example.com)), _(Kerberos Service Principal Name) }, { keytab, 'k', POPT_ARG_STRING, keytab, 0, - _(File were to store the keytab information), _(Keytab File Name) }, + _(The keytab file to remove the principcal(s) from), _(Keytab File Name) }, { realm, 'r', POPT_ARG_STRING, realm, 0, _(Remove all principals in this realm), _(Realm name) }, POPT_AUTOHELP diff --git a/ipa-client/man/ipa-rmkeytab.1 b/ipa-client/man/ipa-rmkeytab.1 index 4f4fcee2665c105c5cdab5f964e3295bea4b7997..53f775439dbdb5a4b9dfee7fe6c7277fce10893c 100644 --- a/ipa-client/man/ipa-rmkeytab.1 +++ b/ipa-client/man/ipa-rmkeytab.1 
@@ -54,7 +54,7 @@ the entry from the local keytab. The non\-realm part of the full principal name. .TP \fB\-k keytab\-file\fR -The keytab file to append the principal(s) from. +The keytab file to remove the principal(s) from. .TP \fB\-r realm\fR A realm to remove all principals for. -- 2.1.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
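Review bot: The replacement help string for the keytab option in the ipa-rmkeytab.c hunk introduces a new typo, "principcal(s)", in a patch whose purpose is fixing typos. It should read "The keytab file to remove the principal(s) from", which is the wording the ipa-rmkeytab.1 hunk already uses for \-k, so the \-\-help text and the man page stay identical.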