Re: [Freeipa-devel] [PATCH] 473 fix aci update summary
On Thu, 2010-06-24 at 14:17 -0400, Rob Crittenden wrote:
> Seems I changed the summary message for updating hosts which breaks a few of the aci tests. This should bring it back in line.
>
> rob

Ack.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 463 drop --with-openldap option in client
On Wed, 2010-06-02 at 14:57 -0400, Rob Crittenden wrote:
> Drop the --with-openldap option in the client and require the openldap client libraries. This has been required for quite some time but we always just passed in --with-openldap. This will remove the illusion that this isn't explicitly required.
>
> rob

Ack.

Martin
Re: [Freeipa-devel] [PATCH] 465 fix client bulk enrollment
On Fri, 2010-06-11 at 11:04 -0400, Rob Crittenden wrote:
> We need to fetch the CA cert so our ldaps connection will succeed.
>
> rob

Ack.

Martin
Re: [Freeipa-devel] [PATCH] 470 maintainer-clean change
On 06/17/2010 10:37 PM, Rob Crittenden wrote:
> I almost pushed this under the one-liner rule but what the heck.
>
> Add a maintainer-clean target to install/po. All the heavy lifting is already done in distclean so just depend on that.
>
> rob

Ack.

Martin
[Freeipa-devel] [PATCHES] Delete old SRV and NS records during uninstallation
Hi,

0001 is pretty straightforward, I need it for 0002.

0002 introduces a new class DnsBackup that makes sure that any records that we might want to potentially remove (SRV and NS right now) are properly saved using sysrestore. It also takes care of removing them during the uninstallation.

0003 makes 0002 useful by allowing the user to input the admin password to ipa-server-install --uninstall and connecting to ldap.

I've tested these quite a lot so hopefully there won't be any major problems with them.

Thanks
Martin

From 656dbf1e7531c2c2a42914c7018e8dd5399478a4 Mon Sep 17 00:00:00 2001 From: Martin Nagy mn...@redhat.com Date: Thu, 15 Apr 2010 11:59:16 +0200 Subject: [PATCH 1/3] Accept unicode for sysrestore --- ipapython/sysrestore.py |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ipapython/sysrestore.py b/ipapython/sysrestore.py index 78c9b62..ddc3ee0 100644 --- a/ipapython/sysrestore.py +++ b/ipapython/sysrestore.py @@ -282,8 +282,8 @@ class StateFile: by the string @key and with the value @value. @value may be a string or boolean. -if not (isinstance(value, str) or isinstance(value, bool)): -raise ValueError(Only strings or booleans supported) +if not isinstance(value, (str, bool, unicode)): +raise ValueError(Only strings, booleans or unicode strings are supported) if not self.modules.has_key(module): self.modules[module] = {} -- 1.6.2.5 From 0b9db95440940429a802b1fcb00666e6490841c0 Mon Sep 17 00:00:00 2001 From: Martin Nagy mn...@redhat.com Date: Wed, 25 Nov 2009 00:49:40 +0100 Subject: [PATCH 2/3] Delete old SRV records during uninstallation --- ipaserver/install/bindinstance.py | 79 +++- 1 files changed, 68 insertions(+), 11 deletions(-) diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index e728911..016d46f 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py 
@@ -87,7 +87,7 @@ def get_reverse_zone(ip_address): return zone, name -def add_zone(name, update_policy=None): +def add_zone(name, update_policy=None, dns_backup=None): if not update_policy: update_policy = grant %s krb5-self * A; % api.env.realm @@ -99,11 +99,11 @@ def add_zone(name, update_policy=None): except (errors.DuplicateEntry, errors.EmptyModlist): pass -add_rr(name, @, NS, api.env.host+.) +add_rr(name, @, NS, api.env.host+., dns_backup) return name -def add_reverze_zone(ip_address, update_policy=None): +def add_reverze_zone(ip_address, update_policy=None, dns_backup=None): zone, name = get_reverse_zone(ip_address) if not update_policy: update_policy = grant %s krb5-subdomain %s. PTR; % (api.env.realm, zone) 
@@ -115,24 +115,75 @@ def add_reverze_zone(ip_address, update_policy=None): except (errors.DuplicateEntry, errors.EmptyModlist): pass -add_rr(zone, @, NS, api.env.host) +add_rr(zone, @, NS, api.env.host, dns_backup) return zone -def add_rr(zone, name, type, rdata): +def add_rr(zone, name, type, rdata, dns_backup=None): try: api.Command.dns_add_rr(unicode(zone), unicode(name), unicode(type), unicode(rdata)) except (errors.DuplicateEntry, errors.EmptyModlist): pass +if dns_backup: +dns_backup.add(zone, type, name, rdata) -def add_ptr_rr(ip_address, fqdn): +def add_ptr_rr(ip_address, fqdn, dns_backup=None): zone, name = get_reverse_zone(ip_address) -add_rr(zone, name, PTR, fqdn+.) +add_rr(zone, name, PTR, fqdn+., dns_backup) + + +class DnsBackup(object): +def __init__(self, service): +self.service = service +self.zones = {} + +def add(self, zone, record_type, host, rdata): + +Backup a DNS record in the file store so it can later be removed. + +if zone not in self.zones: +zone_id = len(self.zones) +self.zones[zone] = (zone_id, 0) +self.service.backup_state(dns_zone_%s % zone_id, zone) + +(zone_id, record_id) = self.zones[zone] +self.service.backup_state(dns_record_%s_%s % (zone_id, record_id), + %s %s %s % (record_type, host, rdata)) +self.zones[zone] = (zone_id, record_id + 1) + +def clear_records(self, have_ldap): + +Remove all records from the file store. If we are connected to +ldap, we will also remove them there. + +i = 0 +while True: +zone = self.service.restore_state(dns_zone_%s % i) +if not zone: +return + +j = 0 +while True: +dns_record = self.service.restore_state(dns_record_%s_%s % (i, j)) +if not dns_record: +break +if have_ldap: +type, host, rdata
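Review bot: in DnsBackup.add the record is saved as "%s %s %s" % (record_type, host, rdata), a single space-separated string, but SRV rdata (the record type this series exists to clean up) itself contains spaces (priority, weight, port, target), so the unpacking into type, host, rdata in clear_records must use a bounded split (dns_record.split(None, 2)) or a separator that cannot occur in the fields; otherwise the restored rdata is truncated and the wrong value is handed to the LDAP removal. Also, add_zone creates the NS record with a trailing dot (api.env.host+".") while add_reverze_zone uses api.env.host without one; make the reverse-zone NS target fully qualified the same way, since the value stored by dns_backup has to match what was actually created for the later removal to find it. In patch 1/3 the docstring directly above the changed check still reads "@value may be a string or boolean"; update it together with the new error message to mention unicode.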
Re: [Freeipa-devel] [PATCH] 418 don't abort when trusting CA cert
On Thu, 2010-04-01 at 14:20 -0400, Rob Crittenden wrote:
> If there was a problem trusting the CA cert on installation the whole install would abort. This is overkill so let things continue.
>
> rob

Ack.

Martin
Re: [Freeipa-devel] [PATCH] 394 Catch empty updates
On 03/04/2010 10:25 PM, Rob Crittenden wrote:
> Currently if you pass in an empty update on the cli it won't throw an error and can be a bit confusing.
>
> rob

I think the change in pwpolicy.py won't preserve the original behaviour:

+if 'group' in options: +group_cn = options['group'] +del options['group'] +else: group_cn = _global + +if not 'group' in options: ... else: ...

Notice that at the second if, 'group' will never be in options no matter what.

Martin
Re: [Freeipa-devel] [PATCH] 396 with verbose print XML-RPC output
On 03/05/2010 07:45 PM, Rob Crittenden wrote:
> Connect the -v flag in the ipa command to including the XML-RPC conversation in the output:
>
> % ipa -v user-show admin
> [snip]

Rob, do you think we could use something like -vv for this? The XML-RPC conversation seems to be a little bit too verbose.

Martin
Re: [Freeipa-devel] [PATCH] 397 raise exception on empty mod
On 03/05/2010 07:47 PM, Rob Crittenden wrote:
> Raise an error if no modifications were performed in an update. This will alert the user that nothing was done and is handy when used with --attr=''. This can be used to delete a non-required attribute but can be set to any valid attribute, present or not. We should alert the user if they attempt to delete a non-existent value.
>
> rob

A few questions: How will the user see this error? I'm not sure this should be presented as an error, but more like a notification maybe. Also, I'm not 100% sure how we handle exceptions like this on the server side, but I'm guessing that this will not show up in the server logs as an exception?

Martin
Re: [Freeipa-devel] [PATCH] 395 don't crash on blank min/maxlife in pwpolicy
On 03/05/2010 07:41 PM, Rob Crittenden wrote:
> Don't calculate min/max lifetime if None is passed in. None is passed if the option is set with --minlife=''. This is a valid use case to delete a non-required attribute. In this case we simply don't do the math on None and things work as expected.
>
> rob

ACK and pushed to master.

Martin
Re: [Freeipa-devel] [PATCH] 398 use cli_name, not name, on Required errors
On 03/05/2010 08:17 PM, Rob Crittenden wrote:
> When raising an error about a required attribute, use cli_name not name. name is an LDAP attribute and may not be easily identifiable (e.g. sn).
>
> rob

ACK and pushed to master.

Martin
Re: [Freeipa-devel] [PATCH] 393 don't create ipa_error.log
On 03/04/2010 05:00 PM, Rob Crittenden wrote:
> The log file /var/log/ipa_error.log was used by TurboGears which we have long deprecated. Don't create this file in the rpm spec file.
>
> rob

Ack.

Martin
Re: [Freeipa-devel] [PATCH] 389 enable popt macro
On Wed, 2010-02-24 at 10:43 -0500, Rob Crittenden wrote:
> Add the POPT_AUTOHELP macro to the options table to provide more verbose help output.
>
> rob

ACK

Martin
Re: [Freeipa-devel] [PATCH] 388 update client command man pages
On Tue, 2010-03-02 at 09:10 -0500, Rob Crittenden wrote:
> Martin Nagy wrote:
> > On Wed, 2010-02-24 at 10:41 -0500, Rob Crittenden wrote:
> > > Update the client command man pages with recent option additions and some additional verbiage.
> > >
> > > rob
> >
> > Could you please make the lines shorter than 80 characters?
> >
> > Martin
>
> It is the editor I use that does this (manedit). Is this really a problem?
>
> rob

Nah, that's ok. ACK

Martin
Re: [Freeipa-devel] [PATCH] 374 don't make assumptions about cwd
On Wed, 2010-02-03 at 17:44 -0500, Rob Crittenden wrote:
> Don't assume that cwd exists or is writable. I had worked on this previously so that we change to a known writable directory when issuing server certs. Enhance that so we change to the NSS db dir when issuing the self-signed CA. certutil wants to write a file to the cwd when generating a key so we need to be some place writable.
>
> Also handle the case where cwd is an invalid directory. I tested this with:
>
> term 1: mkdir foo
>         cd foo
> term 2: rmdir foo
> term 1: ipa-server-install ...
>
> Probably not a major issue but not hard to more carefully handle it either. The installation will still fail but at least we have a good message when it does.
>
> rob

Cool, I actually hit this problem once, thanks. ACK

Martin
Re: [Freeipa-devel] [PATCH] 358 remove files on uninstall
On Thu, 2010-01-28 at 14:24 -0500, Rob Crittenden wrote:
> Remove some IPA configuration files when doing an uninstallation.
>
> rob

ACK

Martin
[Freeipa-devel] [PATCH] Fix a crash and memory leak in get_config_entry()
Hi,

noticed this while reading some older emails from freeipa-devel. I didn't test the patch, since it is really trivial.

Martin

From 2e31847c8b4082e0ac95254867332cb3cbdda706 Mon Sep 17 00:00:00 2001 From: Martin Nagy mn...@redhat.com Date: Tue, 16 Feb 2010 15:13:25 +0100 Subject: [PATCH] Fix a crash and memory leak in get_config_entry() --- ipa-client/config.c |3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/ipa-client/config.c b/ipa-client/config.c index f590d10..c32946e 100644 --- a/ipa-client/config.c +++ b/ipa-client/config.c @@ -91,7 +91,7 @@ get_config_entry(char * in_data, const char *section, const char *key) if (NULL == in_data) return NULL; else -strdup(in_data); +data = strdup(in_data); for (line = strtok_r(data, \n, ptr); line != NULL; line = strtok_r(NULL, \n, ptr)) { @@ -156,5 +156,6 @@ get_config_entry(char * in_data, const char *section, const char *key) } } } +free(data); return NULL; } -- 1.6.2.5
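Review bot: the added free(data) only covers the fall-through return NULL at the end of get_config_entry; the hunk context shows the strtok_r loop but not the return taken when the key is found, so check that the success path also releases data, otherwise the leak is only half fixed. If that path returns a pointer into the strtok_r'd copy, it cannot simply free data either and should strdup the matched value before releasing the buffer. Also, the new data = strdup(in_data) is passed straight to strtok_r without a NULL check; the old code dereferenced an unassigned data here (the crash in the subject), and an allocation failure would fail the same way, so add if (data == NULL) return NULL; after the strdup.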
[Freeipa-devel] [PATCH] Make the DNS forwarders interactive input less confusing
Here's the simple patch for #558984. Specifically, with this patch, ipa-server-install/ipa-dns-install will ask you this:

Do you wish to configure DNS forwarders?

If you say yes, you will also see:

Please enter the IP addresses of DNS forwarders that you want to use.
After you are done, enter a blank line to stop.

And the rest is the same, except it doesn't say (empty to stop) at the end of the prompt as it used to.

David, Jenny, do you think this is good enough? I can change it easily if there are any objections/ideas. Patch attached.

Martin

From 6227f43bab6b2118c3c787496524cc8e97c744d5 Mon Sep 17 00:00:00 2001 From: Martin Nagy mn...@redhat.com Date: Mon, 8 Feb 2010 19:31:57 +0100 Subject: [PATCH] Make the DNS forwarders interactive input less confusing Fixes #558984 --- ipaserver/install/installutils.py | 30 +- 1 files changed, 17 insertions(+), 13 deletions(-) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 6365fe8..df3c891 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py 
@@ -151,19 +151,23 @@ def read_ip_address(host_name, fstore): def read_dns_forwarders(): addrs = [] -while True: -ip = ipautil.user_input(Enter IP address for a DNS forwarder (empty to stop), allow_empty=True) - -if not ip: -break -if ip == 127.0.0.1 or ip == ::1: -print You cannot use localhost as a DNS forwarder -continue -if not verify_ip_address(ip): -continue - -print DNS forwarder %s added % ip -addrs.append(ip) +if ipautil.user_input(Do you wish to configure DNS forwarders?, False): +print Please enter the IP addresses of DNS forwarders that you want to use. +print After you are done, enter a blank line to stop. + +while True: +ip = ipautil.user_input(Enter IP address for a DNS forwarder, +allow_empty=True) +if not ip: +break +if ip == 127.0.0.1 or ip == ::1: +print You cannot use localhost as a DNS forwarder +continue +if not verify_ip_address(ip): +continue + +print DNS forwarder %s added % ip +addrs.append(ip) if not addrs: print No DNS forwarders configured -- 1.6.2.5
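Review bot: the localhost rejection in read_dns_forwarders is a string comparison (ip == "127.0.0.1" or ip == "::1"), so other spellings of the loopback address such as 127.0.0.2, 127.1 or ::ffff:127.0.0.1 pass through and named ends up forwarding to itself; since the input is already validated by verify_ip_address, parse it there once and reject anything in the loopback range instead of comparing literals. Also note that the new yes/no prompt defaults to False, so just pressing Enter configures no forwarders; the trailing "No DNS forwarders configured" message covers that, but the prompt text should say what the default implies for resolving names outside the IPA domain.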
Re: [Freeipa-devel] [PATCH] jderose 033 Fix fuzzy digigits under Fedora12
On Mon, 2010-01-11 at 11:40 -0700, Jason Gerard DeRose wrote:
> I'm not sure why the difference, but the uidnumber, gidnumber, etc. are being returned as `unicode` instead of `str` under Fedora12. Returning as `unicode` is correct, but this patch allows the test to still work under Fedora11 for the time being.

ACK

Martin
Re: [Freeipa-devel] [PATCHES] Use the dns plugin during installation
On Thu, 2009-12-03 at 17:25 +0100, Martin Nagy wrote:
> Hi, these three patches should make sure that we add dns records the right way. It will also serve for the ipa-dns-install command that's almost ready, patch will be coming soon.
>
> Thanks
> Martin

I've rebased the patches and fixed some other things I found later. Attached.

Martin

From 7397f0b2cd051f61c5810fe16e1f770c4805ccb7 Mon Sep 17 00:00:00 2001 From: Martin Nagy mn...@redhat.com Date: Thu, 3 Dec 2009 16:32:56 +0100 Subject: [PATCH 01/12] Move api finalization in ipa-server-install after writing default.conf We will need to have ipalib correctly configured before we start installing DNS entries with api.Command.dns. --- install/tools/ipa-server-install | 45 ++--- 1 files changed, 22 insertions(+), 23 deletions(-) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index c92989a..ba27ac3 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -481,18 +481,12 @@ def main(): fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') +# Configuration for ipalib, we will bootstrap and finalize later, after +# we are sure we have the configuration file ready. cfg = dict( in_server=True, -webui_assets_dir=ASSETS_DIR, debug=options.debug ) -if not options.uninstall: -if options.ca: -cfg['ra_plugin'] = 'dogtag' -else: -cfg['ra_plugin'] = 'selfsign' -api.bootstrap(**cfg) -api.finalize() if options.uninstall: if not options.unattended: @@ -502,6 +496,8 @@ def main(): print Aborting uninstall operation. sys.exit(1) +api.bootstrap(**cfg) +api.finalize() return uninstall(not certs.ipa_self_signed()) # This will override any settings passed in on the cmdline 
@@ -662,6 +658,24 @@ def main(): else: dns_forwarders = () +# Create the management framework config file and finalize api +fstore.backup_file(/etc/ipa/default.conf) +fd = open(/etc/ipa/default.conf, w) +fd.write([global]\n) +fd.write(basedn= + util.realm_to_suffix(realm_name) + \n) +fd.write(realm= + realm_name + \n) +fd.write(domain= + domain_name + \n) +fd.write(xmlrpc_uri=https://%s/ipa/xml\n; % host_name) +fd.write(ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n % dsinstance.realm_to_serverid(realm_name)) +fd.write(enable_ra=True\n) +if options.ca: +fd.write(ra_plugin=dogtag\n) +fd.write('webui_assets_dir=' + ASSETS_DIR + '\n') +fd.close() + +api.bootstrap(**cfg) +api.finalize() + if not options.unattended: print print The following operations may take some minutes to complete. @@ -753,21 +767,6 @@ def main(): http.create_instance(realm_name, host_name, domain_name, dm_password, autoconfig=True, self_signed_ca=not options.ca) ipautil.run([/sbin/restorecon, /var/cache/ipa/sessions]) -# Create the management framework config file -fstore.backup_file(/etc/ipa/default.conf) -fd = open(/etc/ipa/default.conf, w) -fd.write([global]\n) -fd.write(basedn= + util.realm_to_suffix(realm_name) + \n) -fd.write(realm= + realm_name + \n) -fd.write(domain= + domain_name + \n) -fd.write(xmlrpc_uri=https://%s/ipa/xml\n; % host_name) -fd.write(ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n % dsinstance.realm_to_serverid(realm_name)) -fd.write(enable_ra=True\n) -if options.ca: -fd.write(ra_plugin=dogtag\n) -fd.write('webui_assets_dir=' + ASSETS_DIR + '\n') -fd.close() - # Apply any LDAP updates. Needs to be done after the configuration file # is created service.print_msg(Applying LDAP updates) -- 1.6.2.5 From 2d5d396856f1cf393f58deb53d7a6e30095845fc Mon Sep 17 00:00:00 2001 
From: Martin Nagy mn...@redhat.com Date: Tue, 10 Nov 2009 13:21:09 +0100 Subject: [PATCH 02/12] Use the dns plug-in for addition of records during installation Fixes #528943 --- install/share/Makefile.am |1 - install/share/dns.ldif| 88 install/share/dns_reverse.ldif| 24 ipaserver/install/bindinstance.py | 115 ++--- 4 files changed, 82 insertions(+), 146 deletions(-) delete mode 100644 install/share/dns_reverse.ldif diff --git a/install/share/Makefile.am b/install/share/Makefile.am index b74f990..e3e7cf6 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -16,7 +16,6 @@ app_DATA =\ default-keytypes.ldif \ delegation.ldif \ dns.ldif \ - dns_reverse.ldif \ kerberos.ldif \ indices.ldif \ bind.named.conf.template \ diff --git a/install/share/dns.ldif b/install/share/dns.ldif index 8ce9d69..cb783b8 100644 --- a/install/share/dns.ldif +++ b/install/share/dns.ldif @@ -4,91 +4,3 @@ objectClass: nsContainer
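Review bot: the removed block in the first ipa-server-install hunk set cfg['ra_plugin'] = 'selfsign' whenever --ca was not given, but the default.conf written in the second hunk only emits ra_plugin=dogtag when options.ca is set, so non-CA installs now depend on ipalib's built-in default being selfsign; either confirm that default or add an else branch writing ra_plugin=selfsign so the behaviour is explicit. The file is produced with fd = open("/etc/ipa/default.conf", "w") followed by a series of fd.write() calls and no try/finally, so an error part-way leaves a truncated config that api.bootstrap() reads a few lines later; write to a temporary file and rename it into place, or at minimum close the descriptor in a finally. The same block is deleted verbatim from its old position in the last hunk, so the two copies match; when it moves again, keep them from drifting apart.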
Re: [Freeipa-devel] [PATCHES] Use the dns plugin during installation
On Thu, 2009-12-03 at 17:25 +0100, Martin Nagy wrote:
> Hi, these three patches should make sure that we add dns records the right way. It will also serve for the ipa-dns-install command that's almost ready, patch will be coming soon.
>
> Thanks
> Martin

New patches, rebased + some minor issues in the previous patches fixed, please review.

Martin

From 7397f0b2cd051f61c5810fe16e1f770c4805ccb7 Mon Sep 17 00:00:00 2001 From: Martin Nagy mn...@redhat.com Date: Thu, 3 Dec 2009 16:32:56 +0100 Subject: [PATCH 01/12] Move api finalization in ipa-server-install after writing default.conf We will need to have ipalib correctly configured before we start installing DNS entries with api.Command.dns. --- install/tools/ipa-server-install | 45 ++--- 1 files changed, 22 insertions(+), 23 deletions(-) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index c92989a..ba27ac3 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -481,18 +481,12 @@ def main(): fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') +# Configuration for ipalib, we will bootstrap and finalize later, after +# we are sure we have the configuration file ready. cfg = dict( in_server=True, -webui_assets_dir=ASSETS_DIR, debug=options.debug ) -if not options.uninstall: -if options.ca: -cfg['ra_plugin'] = 'dogtag' -else: -cfg['ra_plugin'] = 'selfsign' -api.bootstrap(**cfg) -api.finalize() if options.uninstall: if not options.unattended: @@ -502,6 +496,8 @@ def main(): print Aborting uninstall operation. sys.exit(1) +api.bootstrap(**cfg) +api.finalize() return uninstall(not certs.ipa_self_signed()) # This will override any settings passed in on the cmdline 
@@ -662,6 +658,24 @@ def main(): else: dns_forwarders = () +# Create the management framework config file and finalize api +fstore.backup_file(/etc/ipa/default.conf) +fd = open(/etc/ipa/default.conf, w) +fd.write([global]\n) +fd.write(basedn= + util.realm_to_suffix(realm_name) + \n) +fd.write(realm= + realm_name + \n) +fd.write(domain= + domain_name + \n) +fd.write(xmlrpc_uri=https://%s/ipa/xml\n; % host_name) +fd.write(ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n % dsinstance.realm_to_serverid(realm_name)) +fd.write(enable_ra=True\n) +if options.ca: +fd.write(ra_plugin=dogtag\n) +fd.write('webui_assets_dir=' + ASSETS_DIR + '\n') +fd.close() + +api.bootstrap(**cfg) +api.finalize() + if not options.unattended: print print The following operations may take some minutes to complete. @@ -753,21 +767,6 @@ def main(): http.create_instance(realm_name, host_name, domain_name, dm_password, autoconfig=True, self_signed_ca=not options.ca) ipautil.run([/sbin/restorecon, /var/cache/ipa/sessions]) -# Create the management framework config file -fstore.backup_file(/etc/ipa/default.conf) -fd = open(/etc/ipa/default.conf, w) -fd.write([global]\n) -fd.write(basedn= + util.realm_to_suffix(realm_name) + \n) -fd.write(realm= + realm_name + \n) -fd.write(domain= + domain_name + \n) -fd.write(xmlrpc_uri=https://%s/ipa/xml\n; % host_name) -fd.write(ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n % dsinstance.realm_to_serverid(realm_name)) -fd.write(enable_ra=True\n) -if options.ca: -fd.write(ra_plugin=dogtag\n) -fd.write('webui_assets_dir=' + ASSETS_DIR + '\n') -fd.close() - # Apply any LDAP updates. Needs to be done after the configuration file # is created service.print_msg(Applying LDAP updates) -- 1.6.2.5 From 2d5d396856f1cf393f58deb53d7a6e30095845fc Mon Sep 17 00:00:00 2001 
From: Martin Nagy mn...@redhat.com Date: Tue, 10 Nov 2009 13:21:09 +0100 Subject: [PATCH 02/12] Use the dns plug-in for addition of records during installation Fixes #528943 --- install/share/Makefile.am |1 - install/share/dns.ldif| 88 install/share/dns_reverse.ldif| 24 ipaserver/install/bindinstance.py | 115 ++--- 4 files changed, 82 insertions(+), 146 deletions(-) delete mode 100644 install/share/dns_reverse.ldif diff --git a/install/share/Makefile.am b/install/share/Makefile.am index b74f990..e3e7cf6 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -16,7 +16,6 @@ app_DATA =\ default-keytypes.ldif \ delegation.ldif \ dns.ldif \ - dns_reverse.ldif \ kerberos.ldif \ indices.ldif \ bind.named.conf.template \ diff --git a/install/share/dns.ldif b/install/share/dns.ldif index 8ce9d69..cb783b8 100644 --- a/install/share/dns.ldif +++ b/install/share/dns.ldif @@ -4,91 +4,3 @@ objectClass
[Freeipa-devel] [PATCHES] Add A and PTR records during ipa-replica-prepare
Hi,

these patches will allow one to specify an ip address of the replica to ipa-replica-prepare. The dns records will then be added. This should make life better for QA :)

Martin

From 05c6e118b748839012a7e8bc0613367d8d27d7a8 Mon Sep 17 00:00:00 2001 From: Martin Nagy mn...@redhat.com Date: Mon, 23 Nov 2009 11:08:03 +0100 Subject: [PATCH 1/2] Get rid of ipapython.config in ipa-replica-prepare Also get rid of functions get_host_name(), get_realm_name() and get_domain_name(). They used the old ipapython.config. Instead, use the variables from api.env. We also change them to bootstrap() and finalize() correctly. --- install/tools/ipa-replica-install | 30 ++ install/tools/ipa-replica-prepare | 78 - 2 files changed, 30 insertions(+), 78 deletions(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 349d518..cbdd08d 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -310,12 +310,21 @@ def main(): except ldap.INVALID_CREDENTIALS, e : sys.exit(\nThe password provided is incorrect for LDAP server %s % config.master_host_name) +# Create the management framework config file +# Note: We must do this before bootstraping and finalizing ipalib.api +fd = open(/etc/ipa/default.conf, w) +fd.write([global]\n) +fd.write(basedn= + util.realm_to_suffix(config.realm_name) + \n) +fd.write(realm= + config.realm_name + \n) +fd.write(domain= + config.domain_name + \n) +fd.write(xmlrpc_uri=https://%s/ipa/xml\n; % config.host_name) +fd.write(ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n % dsinstance.realm_to_serverid(config.realm_name)) if ipautil.file_exists(config.dir + /ca.p12): -ca_type = 'dogtag' -else: -ca_type = 'selfsign' +fd.write(enable_ra=True\n) +fd.write(ra_plugin=dogtag\n) +fd.close() -api.bootstrap(in_server=True, ra_plugin=ca_type) +api.bootstrap(in_server=True) api.finalize() # Install CA cert so that we can do SSL connections with ldap 
@@ -352,19 +361,6 @@ def main(): # generated ds.add_cert_to_service() -# Create the management framework config file -fd = open(/etc/ipa/default.conf, w) -fd.write([global]\n) -fd.write(basedn= + util.realm_to_suffix(config.realm_name) + \n) -fd.write(realm= + config.realm_name + \n) -fd.write(domain= + config.domain_name + \n) -fd.write(xmlrpc_uri=https://%s/ipa/xml\n; % config.host_name) -fd.write(ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n % dsinstance.realm_to_serverid(config.realm_name)) -if ipautil.file_exists(config.dir + /ca.p12): -fd.write(enable_ra=True\n) -fd.write(ra_plugin=dogtag\n) -fd.close() - # Apply any LDAP updates. Needs to be done after the replica is synced-up service.print_msg(Applying LDAP updates) ds.apply_updates() diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare index bc86a41..175ac62 100755 --- a/install/tools/ipa-replica-prepare +++ b/install/tools/ipa-replica-prepare @@ -26,12 +26,10 @@ from ConfigParser import SafeConfigParser import krbV from optparse import OptionParser -import ipapython.config from ipapython import ipautil from ipaserver.install import dsinstance, installutils, certs, httpinstance from ipaserver import ipaldap from ipapython import version -from ipalib.constants import DEFAULT_CONFIG from ipalib import api import ldap @@ -50,7 +48,6 @@ def parse_options(): parser.add_option(-p, --password, dest=password, help=Directory Manager (existing master) password) -ipapython.config.add_standard_options(parser) options, args = parser.parse_args() # If any of the PKCS#12 options are selected, all are required. Create a 
@@ -64,36 +61,8 @@ def parse_options(): if len(args) != 1: parser.error(must provide the fully-qualified name of the replica) -ipapython.config.init_config(options) - return options, args -def get_host_name(): -hostname = installutils.get_fqdn() -try: -installutils.verify_fqdn(hostname) -except RuntimeError, e: -logging.error(str(e)) -sys.exit(1) - -return hostname - -def get_realm_name(): -try: -c = krbV.default_context() -return c.default_realm -except Exception, e: -return None - -def get_domain_name(): -try: -ipapython.config.init_config() -domain_name = ipapython.config.config.get_domain() -except Exception, e: -return None - -return domain_name - def check_ipa_configuration(realm_name): config_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name)) if not ipautil.dir_exists(config_dir): @@ -119,8 +88,8 @@ def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname): #ca_db = certs.CertDB
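Review bot: the import hunk in ipa-replica-prepare removes ipapython.config and DEFAULT_CONFIG but keeps import krbV, whose only visible user, get_realm_name() calling krbV.default_context(), is deleted further down in the same patch; drop the import unless something else in the file still needs it. In the ipa-replica-install hunk the selfsign branch disappears as well: enable_ra=True and ra_plugin=dogtag are written only when ca.p12 exists, so a replica of a self-signed master now relies on ipalib's default ra_plugin, the same dependency the ipa-server-install change introduces, and it should be either confirmed or made explicit. The new default.conf is written before api.bootstrap(), as the comment explains, but open("/etc/ipa/default.conf", "w") is not preceded by an fstore.backup_file() call the way ipa-server-install does it, so a replica install that fails after this point leaves the freshly written file behind with nothing to restore.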
[Freeipa-devel] [PATCH] Set BIND to use ldapi and use fake mname
Hi,

some additional comments are in the patch.

Martin

From 003b8ee61673216243fe872297d069cb476e5600 Mon Sep 17 00:00:00 2001 From: Martin Nagy mn...@redhat.com Date: Wed, 25 Nov 2009 01:00:26 +0100 Subject: [PATCH] Set BIND to use ldapi and use fake mname The fake_mname for now doesn't exist but is a feature that will be added in the near future. Since any unknown arguments to bind-dyndb-ldap are ignored, we are safe to use it now. --- install/share/bind.named.conf.template |3 ++- ipaserver/install/bindinstance.py |2 ++ 2 files changed, 4 insertions(+), 1 deletions(-) diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template index 8b5fac2..d733d61 100644 --- a/install/share/bind.named.conf.template +++ b/install/share/bind.named.conf.template @@ -32,8 +32,9 @@ include /etc/named.rfc1912.zones; dynamic-db ipa { library ldap.so; - arg uri ldap://$FQDN;; + arg uri ldapi://%2fvar%2frun%2fslapd-$SERVER_ID.socket; arg base cn=dns, $SUFFIX; + arg fake_mname $FQDN; arg auth_method sasl; arg sasl_mech GSSAPI; arg sasl_user DNS/$FQDN; diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index 8ee46d4..13e9e16 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -26,6 +26,7 @@ import installutils import ldap import service from ipaserver import ipaldap +from ipaserver.install.dsinstance import realm_to_serverid from ipapython import sysrestore from ipapython import ipautil @@ -222,6 +223,7 @@ class BindInstance(service.Service): DOMAIN=self.domain, HOST=self.host, REALM=self.realm, + SERVER_ID=realm_to_serverid(self.realm), FORWARDERS=fwds, SUFFIX=self.suffix, OPTIONAL_NTP=optional_ntp) -- 1.6.2.5
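Review bot: the template change adds arg fake_mname $FQDN on the strength of the commit message's observation that bind-dyndb-ldap ignores unknown arguments today; that assumption belongs next to the line in bind.named.conf.template as a comment naming the plugin version that implements it once it exists, because a later plugin release that rejects unknown arguments would stop named from loading the dynamic zone on every server installed from this template, with nothing in the file explaining why the argument is there. The switch from ldap://$FQDN to ldapi://%2fvar%2frun%2fslapd-$SERVER_ID.socket hard-codes the socket path; it is consistent with the ldap_uri the installers write (the same dsinstance.realm_to_serverid naming), so if that path ever becomes configurable, derive both from the same place rather than fixing only one.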
Re: [Freeipa-devel] [PATCH] 353 enable sssd and certmonger
On Wed, 2010-01-20 at 17:01 -0500, Rob Crittenden wrote:
> Configure sssd and certmonger in ipa-client-install
>
> This does a number of things under the hood:
> - Use authconfig to enable sssd in nss and pam
> - Configure /etc/sssd/sssd.conf to use our IPA provider
> - Enable the certmonger process and request a server cert
> - join the IPA domain and retrieve a principal. The client machine *must* exist in IPA to be able to do a join.
> - And then undo all this on uninstall
>
> rob

Heh, joining FreeIPA and SSSD at last, cool :-)

ACK

Martin
Re: [Freeipa-devel] [PATCH] 344 require fully-qualified hostname in ipa-join
On Fri, 2010-01-08 at 16:04 -0500, Rob Crittenden wrote:
> Require a fully-qualified hostname in ipa-join. The server side will enforce this as well but better to catch it early.
>
> rob

ACK

Martin
Re: [Freeipa-devel] Problem with ipa installation: certutil
On Wed, 2009-12-02 at 09:38 -0500, Rob Crittenden wrote: Martin Nagy wrote: Hi, I'm trying to install ipa and am getting a python traceback (attached). It seems that running certutil didn't succeed so I added a debugging print before its execution and tried to run it manually. This is what I get: # /usr/bin/certutil -d /etc/httpd/alias -S -n 'CA certificate' -s 'cn=IPA Test Certificate Authority' -x -t 'CT,,C' -1 -2 -5 -m 1056 -v 120 -z /etc/httpd/alias/noise.txt -f /etc/httpd/alias/pwdfile.txt certutil -o: unable to open tempcertreq for writing (-5950, 2) Exit 255 (The Exit 255 is from my shell saying that certutil exited returning 255). I did a git grep tempcertreq in freeipa git tree but didn't find anything, so I'm assuming we weren't creating it or anything. Does anyone know what might be causing this error? Martin This message comes directly from certutil itself. It tries to open the file tempcertreq in the cwd. Odd since you are installing this as root, right? Perhaps you are in a directory that no longer exists? Correct. I was in my freeipa git directory when I executed ipa-server-install but had to delete it and clone again in another terminal. I seem to recall running into this in v1 as well and thought we did a chdir(). Maybe we do that in some places and not others. Should we make a patch to prevent any future problems like this (even if they are rare)? Maybe at the beginning we could chdir() to our current directory to make sure, and abort if that fails. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCHES] Use the dns plugin during installation
Hi, these three patches should make sure that we add dns records the right way. It will also serve for the ipa-dns-install command that's almost ready, patch will be coming soon. Thanks Martin From edbd834dab63b86c04d9b1bb736c64cda3e38b2a Mon Sep 17 00:00:00 2001 From: Martin Nagy mn...@redhat.com Date: Thu, 3 Dec 2009 16:32:56 +0100 Subject: [PATCH 1/3] Move api finalization in ipa-server-install after writing default.conf We will need to have ipalib correctly configured before we start installing DNS entries with api.Command.dns. --- install/tools/ipa-server-install | 45 ++--- 1 files changed, 22 insertions(+), 23 deletions(-) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 0694d6e..21bead1 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -481,18 +481,12 @@ def main(): fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') +# Configuration for ipalib, we will bootstrap and finalize later, after +# we are sure we have the configuration file ready. cfg = dict( in_server=True, -webui_assets_dir=ASSETS_DIR, debug=options.debug ) -if not options.uninstall: -if options.ca: -cfg['ra_plugin'] = 'dogtag' -else: -cfg['ra_plugin'] = 'selfsign' -api.bootstrap(**cfg) -api.finalize() if options.uninstall: if not options.unattended: @@ -502,6 +496,8 @@ def main(): print Aborting uninstall operation. sys.exit(1) +api.bootstrap(**cfg) +api.finalize() return uninstall(not certs.ipa_self_signed()) # This will override any settings passed in on the cmdline 
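Review bot: in the uninstall branch (second hunk) api.bootstrap(**cfg) now runs with a cfg that no longer carries ra_plugin or webui_assets_dir, so the uninstall depends on the /etc/ipa/default.conf left behind by the earlier install to supply ra_plugin and ldap_uri; if a previous run aborted before main() got as far as writing that file, finalize() proceeds with the framework defaults. Check for the file before bootstrapping in the uninstall path and fall back to the explicit ra_plugin selection this hunk removes, or say in the commit message why the defaults are safe there.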
@@ -662,6 +658,24 @@ def main(): else: dns_forwarders = () +# Create the management framework config file and finalize api +fstore.backup_file(/etc/ipa/default.conf) +fd = open(/etc/ipa/default.conf, w) +fd.write([global]\n) +fd.write(basedn= + util.realm_to_suffix(realm_name) + \n) +fd.write(realm= + realm_name + \n) +fd.write(domain= + domain_name + \n) +fd.write(xmlrpc_uri=https://%s/ipa/xml\n; % host_name) +fd.write(ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n % dsinstance.realm_to_serverid(realm_name)) +fd.write(enable_ra=True\n) +if options.ca: +fd.write(ra_plugin=dogtag\n) +fd.write('webui_assets_dir=' + ASSETS_DIR + '\n') +fd.close() + +api.bootstrap(**cfg) +api.finalize() + if not options.unattended: print print The following operations may take some minutes to complete. @@ -749,21 +763,6 @@ def main(): http.create_instance(realm_name, host_name, domain_name, autoconfig=True, self_signed_ca=not options.ca) ipautil.run([/sbin/restorecon, /var/cache/ipa/sessions]) -# Create the management framework config file -fstore.backup_file(/etc/ipa/default.conf) -fd = open(/etc/ipa/default.conf, w) -fd.write([global]\n) -fd.write(basedn= + util.realm_to_suffix(realm_name) + \n) -fd.write(realm= + realm_name + \n) -fd.write(domain= + domain_name + \n) -fd.write(xmlrpc_uri=https://%s/ipa/xml\n; % host_name) -fd.write(ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n % dsinstance.realm_to_serverid(realm_name)) -fd.write(enable_ra=True\n) -if options.ca: -fd.write(ra_plugin=dogtag\n) -fd.write('webui_assets_dir=' + ASSETS_DIR + '\n') -fd.close() - # Apply any LDAP updates. Needs to be done after the configuration file # is created service.print_msg(Applying LDAP updates) -- 1.6.2.5 From c601970aff98645e5c9d82b490d5b90acb26313f Mon Sep 17 00:00:00 2001 
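Review bot: the block that creates /etc/ipa/default.conf in the third hunk does a bare open()/write()/close() with no try/finally, so an exception in any of the write() calls leaves a partially written config on disk that the api.bootstrap() a few lines below will read; use a with block (or write to a temporary file and rename it into place) and only bootstrap after the file is closed. Note also that `ra_plugin=dogtag` is written only when options.ca is set while `enable_ra=True` is written unconditionally, so the framework's default ra_plugin must be the self-signed one for a non-CA install to keep working now that the cfg dict no longer sets it.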
From: Martin Nagy mn...@redhat.com Date: Tue, 10 Nov 2009 13:21:09 +0100 Subject: [PATCH 2/3] Use the dns plug-in for addition of records during installation Fixes #528943 --- install/share/Makefile.am |1 - install/share/dns.ldif| 88 install/share/dns_reverse.ldif| 24 ipaserver/install/bindinstance.py | 113 ++-- 4 files changed, 81 insertions(+), 145 deletions(-) delete mode 100644 install/share/dns_reverse.ldif diff --git a/install/share/Makefile.am b/install/share/Makefile.am index b74f990..e3e7cf6 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -16,7 +16,6 @@ app_DATA =\ default-keytypes.ldif \ delegation.ldif \ dns.ldif \ - dns_reverse.ldif \ kerberos.ldif \ indices.ldif \ bind.named.conf.template \ diff --git a/install/share/dns.ldif b/install/share/dns.ldif index 8ce9d69..cb783b8 100644 --- a/install/share/dns.ldif +++ b/install/share/dns.ldif @@ -4,91 +4,3 @@ objectClass: nsContainer objectClass: top cn: dns aci: (targetfilter = (objectClass=idnsRecord))(targetattr != aci)(version 3.0; acl DNS Servers Updates; allow (add,write,delete) groupdn = ldap
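Review bot: the dns.ldif hunk drops the container's `aci: (targetfilter = (objectClass=idnsRecord))(targetattr != aci)(version 3.0; acl DNS Servers Updates; allow (add,write,delete) ...` along with the 88 lines the diffstat counts, and the patch as posted is cut off before it shows where that aci is recreated; if it now comes from bindinstance.py or an LDAP update, say so in the commit message, otherwise the DNS servers group loses its permission to write idnsRecord entries under cn=dns and dynamic updates from BIND stop working.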
Re: [Freeipa-devel] [PATCH] Make ldap2.convert_attr_synonyms more robust against schema lookup fails.
On Fri, 2009-11-20 at 09:32 -0500, Rob Crittenden wrote: Pavel Zuna wrote: Rob Crittenden wrote: Pavel Zuna wrote: Rob Crittenden wrote: Pavel Zuna wrote: Rob Crittenden wrote: The user plugin is crapping out on line 317 of ldap2.py because attr is coming back None. The attribute it is looking for is member. I think the fix involves setting member_attributes = ['member'] to the user plugin. I wonder if we need to make the ldap2 plugin a bit more robust too so it can handle it better if the schema lookup returns None. rob This should fix the issue. Yes, this will fix it (I did a similar fix to work around it) but what does it mean if there is no attribute found? Is that possible? Should we catch it and return a more specific error message instead? rob If it doesn't find the attribute, PROBABLY nothing will happen... Fortunately, we don't have to worry about it anymore. I played with python-ldap a bit today and it seems to have the convert_attr_synonyms functionality built-in. :) Here's a replacement patch. Pavel nack. I don't see where python-ldap is replacing it. We weren't seeing it done before were we? That's because we were doing it wrong. We were requesting all attributes ('*') + ACIs ('aci'). After this patch we explicitly request all attributes in the new entry (i.e. all attributes that are going to be updated) and python-ldap will always return them named as they were requested. In other words: If we request localityName as l, python-ldap will return it as l, if we request it as localityName, python-ldap will return it as localityName. Also, we need to request the 'aci' attribute for the aci plugin to work. And we do so, because after this patch, we're requesting all attributes explicitly. Well, no, you're requesting all attributes in the current entry. The code looked like this once before and caused the aci plugin to break. I guess some other change fixed that, things are working as expected. ack rob Pushed to master. 
Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Remove unnecessary error: prefixes
On Tue, 2009-12-01 at 10:12 -0500, Rob Crittenden wrote: Martin Nagy wrote: Martin ack Pushed to master. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] Problem with ipa installation: certutil
Hi, I'm trying to install ipa and am getting a python traceback (attached). It seems that running certutil didn't succeed so I added a debugging print before its execution and tried to run it manually. This is what I get:
# /usr/bin/certutil -d /etc/httpd/alias -S -n 'CA certificate' -s 'cn=IPA Test Certificate Authority' -x -t 'CT,,C' -1 -2 -5 -m 1056 -v 120 -z /etc/httpd/alias/noise.txt -f /etc/httpd/alias/pwdfile.txt
certutil -o: unable to open tempcertreq for writing (-5950, 2)
Exit 255
(The Exit 255 is from my shell saying that certutil exited returning 255). I did a git grep tempcertreq in freeipa git tree but didn't find anything, so I'm assuming we weren't creating it or anything. Does anyone know what might be causing this error? Martin
ipa: DEBUG: [Errno 32] Broken pipe
  File /usr/sbin/ipa-server-install, line 791, in module
    sys.exit(main())
  File /usr/sbin/ipa-server-install, line 673, in main
    ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, self_signed_ca=not options.ca, uidstart=options.uidstart, gidstart=options.gidstart)
  File /usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py, line 193, in create_instance
    self.start_creation(Configuring directory server:)
  File /usr/lib/python2.6/site-packages/ipaserver/install/service.py, line 171, in start_creation
    method()
  File /usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py, line 342, in __enable_ssl
    cadb.create_self_signed()
  File /usr/lib/python2.6/site-packages/ipaserver/install/certs.py, line 826, in create_self_signed
    self.create_ca_cert()
  File /usr/lib/python2.6/site-packages/ipaserver/install/certs.py, line 357, in create_ca_cert
    p.stdin.write(0\n1\n5\n9\ny\n)
___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] Remove unnecessary error: prefixes
Martin From 96c64ff2a1051c1e8bdcad9e8aef9488f0e26e87 Mon Sep 17 00:00:00 2001 From: Martin Nagy mn...@redhat.com Date: Mon, 23 Nov 2009 08:42:30 +0100 Subject: [PATCH] Remove unnecessary error: prefixes The parser.error() method prepends the error: prefix itself. Adding it to the error string is not necessary and doesn't look good. --- install/tools/ipa-replica-prepare |2 +- install/tools/ipa-server-install | 10 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare index 3dc0ccc..bc86a41 100755 --- a/install/tools/ipa-replica-prepare +++ b/install/tools/ipa-replica-prepare @@ -59,7 +59,7 @@ def parse_options(): pkcs12 = [options.dirsrv_pkcs12, options.http_pkcs12, options.dirsrv_pin, options.http_pin] cnt = pkcs12.count(None) if cnt 0 and cnt 4: -parser.error(error: All PKCS#12 options are required if any are used.) +parser.error(All PKCS#12 options are required if any are used.) if len(args) != 1: parser.error(must provide the fully-qualified name of the replica) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index be525f7..9b5946a 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install 
@@ -131,11 +131,11 @@ def parse_options(): if (options.ds_user or options.realm_name or options.dm_password or options.admin_password or options.master_password): -parser.error(error: In uninstall mode, -u, r, -p and -P options are not allowed) +parser.error(In uninstall mode, -u, r, -p and -P options are not allowed) elif options.unattended: if (not options.ds_user or not options.realm_name or not options.dm_password or not options.admin_password): -parser.error(error: In unattended mode you need to provide at least -u, -r, -p and -a options) +parser.error(In unattended mode you need to provide at least -u, -r, -p and -a options) if options.setup_dns: if not options.forwarders and not options.no_forwarders: parser.error(You must specify at least one --forwarder option or --no-forwarders option) @@ -146,14 +146,14 @@ def parse_options(): pkcs12 = [options.dirsrv_pkcs12, options.http_pkcs12, options.dirsrv_pin, options.http_pin] cnt = pkcs12.count(None) if cnt 0 and cnt 4: -parser.error(error: All PKCS#12 options are required if any are used.) +parser.error(All PKCS#12 options are required if any are used.) if (options.external_cert_file or options.external_ca_file) and not options.ca: -parser.error(error: --ca required to use the external CA options.) +parser.error(--ca required to use the external CA options.) if ((options.external_cert_file and not options.external_ca_file) or (not options.external_cert_file and options.external_ca_file)): -parser.error(error: if either external option is used, both are required.) +parser.error(if either external option is used, both are required.) if options.external_ca and not options.ca: # Go ahead and be nice and fix things up -- 1.6.2.5 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
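Review bot: the uninstall-mode message in the first ipa-server-install hunk, `parser.error(In uninstall mode, -u, r, -p and -P options are not allowed)`, has a stray `r` where `-r` is meant and does not mention -a even though the condition right above it also tests options.admin_password; since the line is being rewritten anyway, make the message list exactly the options the check covers (-u, -r, -p, -a and -P). The prefix removals themselves are right: optparse's parser.error() already prints `error:` in front of the text, so the old strings came out as "error: error: ...".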
Re: [Freeipa-devel] [PATCH] Add idnsUpdatePolicy into the dns plug-in
On Tue, 2009-12-01 at 10:17 -0500, Rob Crittenden wrote: Martin Nagy wrote: Martin Should there be a validator on idnsUpdatePolicy to ensure that each policy is terminated by a ;? If one wants to have multiple policies is it set with idnspolicy=policy1;policy2;policy3;? Should the formatting be included in the doc message, or an example of usage be added? That might not be that easy to do, we would probably need to do more than that, e.g. make sure bind can accept the policy string. For now, I'm only adding the idnsupdatepolicy into the dns plugin so that I can use it to create zones with it during installation (patch will follow soon). Might I add the other bits later after I'm done with this? Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
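The validator Rob asks about, as an added example that is not part of this thread or of FreeIPA's dns plug-in: it parses an idnsUpdatePolicy string into individual BIND update-policy rules, requires every rule to be terminated by `;` (the formatting question above), and rejects unknown actions and rule types so that a bad string is caught at `ipa dnszone-add` time rather than when BIND reloads. The rule-type list follows the BIND 9 `grant|deny identity ruletype [name] [types]` grammar; that bind-dyndb-ldap hands the attribute value to named unchanged is an assumption, and the class and function names are hypothetical.

```python
# Added example: validate a BIND 9 update-policy string of the kind stored in
# an idnsUpdatePolicy attribute. Not FreeIPA's own validator.
from dataclasses import dataclass
from typing import List, Optional

# Rule types accepted inside update-policy { ... }; taken from the BIND 9
# grammar (assumption: the plug-in passes the string to named unchanged).
RULE_TYPES = {
    "name", "subdomain", "wildcard", "self", "selfsub", "selfwild",
    "krb5-self", "ms-self", "krb5-subdomain", "ms-subdomain",
    "tcp-self", "6to4-self", "zonesub", "external",
}


@dataclass
class UpdateRule:
    action: str            # "grant" or "deny"
    identity: str          # e.g. a Kerberos realm or principal
    ruletype: str          # one of RULE_TYPES
    name: Optional[str]    # optional name field, e.g. "*"
    types: List[str]       # optional RR types, e.g. ["A", "AAAA"]


def parse_update_policy(policy: str) -> List[UpdateRule]:
    """Split an idnsUpdatePolicy value into rules, raising ValueError with the
    offending rule number for anything BIND would not accept."""
    text = policy.strip()
    if not text:
        raise ValueError("update policy is empty")
    if not text.endswith(";"):
        raise ValueError("every rule must be terminated by ';': %r" % text)
    rules: List[UpdateRule] = []
    # The final ';' leaves an empty last element after split(); drop it.
    for index, raw in enumerate(text.split(";")[:-1], start=1):
        tokens = raw.split()
        if not tokens:
            raise ValueError("rule %d is empty (doubled ';'?)" % index)
        if len(tokens) < 3:
            raise ValueError("rule %d needs at least 'grant|deny identity ruletype': %r"
                             % (index, raw.strip()))
        action, identity, ruletype = tokens[:3]
        if action not in ("grant", "deny"):
            raise ValueError("rule %d must start with grant or deny, not %r" % (index, action))
        if ruletype not in RULE_TYPES:
            raise ValueError("rule %d has unknown rule type %r" % (index, ruletype))
        rest = tokens[3:]
        name = rest[0] if rest else None
        rules.append(UpdateRule(action, identity, ruletype, name, rest[1:]))
    return rules


def format_update_policy(rules: List[UpdateRule]) -> str:
    """Serialise rules back into the one-line form stored in LDAP, so a value
    that round-trips through parse/format is known to be well formed."""
    parts = []
    for rule in rules:
        fields = [rule.action, rule.identity, rule.ruletype]
        if rule.name is not None:
            fields.append(rule.name)
        fields.extend(rule.types)
        parts.append(" ".join(fields) + ";")
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample: the kind of policy an IPA-managed zone carries.
    sample = "grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA;"
    for rule in parse_update_policy(sample):
        print(rule)
    for bad in ("grant EXAMPLE.COM krb5-self * A", "grant EXAMPLE.COM bogus * A;"):
        try:
            parse_update_policy(bad)
        except ValueError as err:
            print("rejected:", err)
```

A plug-in would call parse_update_policy() from the attribute's validator and keep the original string on success; the round-trip through format_update_policy() is what a unit test can assert on.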
Re: [Freeipa-devel] [PATCH] Ask the user before overwriting /etc/named.conf
On Tue, 2009-12-01 at 10:15 -0500, Rob Crittenden wrote: Martin Nagy wrote: Martin ack. As an aside, it might be nice if the actual package name(s) were used to make it easier for the user to know exactly what they are missing for BIND and the BIND LDAP plug-in. Yeah, I guess you're right. New patch attached. Martin From 258092b18fcba45631202833975e71817b647450 Mon Sep 17 00:00:00 2001 From: Martin Nagy mn...@redhat.com Date: Fri, 13 Nov 2009 16:57:51 +0100 Subject: [PATCH] Ask the user before overwriting /etc/named.conf --- install/tools/ipa-replica-install |6 ++ install/tools/ipa-server-install |6 ++ ipaserver/install/bindinstance.py | 10 +- 3 files changed, 13 insertions(+), 9 deletions(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index e8fabd7..9827bef 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -251,10 +251,8 @@ def check_dirsrv(): sys.exit(1) def check_bind(): -if not bindinstance.check_inst(): -print --setup-dns was specified but bind or the BIND LDAP plug-in -print is not installed on the system -print Please install bind and the LDAP plug-in and restart the setup program +if not bindinstance.check_inst(unattended=True): +print Aborting installation sys.exit(1) def main(): diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 748101d..34ddb0f 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -541,10 +541,8 @@ def main(): # check bind packages are installed if options.setup_dns: -if not bindinstance.check_inst(): -print --setup-dns was specified but bind or the BIND LDAP plug-in -print is not installed on the system -print Please install bind and the LDAP plug-in and restart the setup program +if not bindinstance.check_inst(options.unattended): +print Aborting installation return 1 if options.ca: 
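Review bot: check_bind() in the ipa-replica-install hunk now calls `bindinstance.check_inst(unattended=True)` unconditionally, so a replica install never asks before overwriting an existing /etc/named.conf even when it is run interactively, while the ipa-server-install hunk passes options.unattended and does ask; give the replica installer the same flag (ipa-replica-install has an unattended option of its own, or add one) so the two tools behave alike, and note in the commit message that the replica path is intentionally silent if that is the design.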
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index 2a922a3..e2edcd3 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -30,17 +30,25 @@ from ipapython import sysrestore from ipapython import ipautil from ipalib import api, util -def check_inst(): +def check_inst(unattended): # So far this file is always present in both RHEL5 and Fedora if all the necessary # bind packages are installed (RHEL5 requires also the pkg: caching-nameserver) if not os.path.exists('/etc/named.rfc1912.zones'): +print BIND was not found on this system +print Please install the bind package and start the installation again return False # Also check for the LDAP BIND plug-in if not os.path.exists('/usr/lib/bind/ldap.so') and \ not os.path.exists('/usr/lib64/bind/ldap.so'): +print The BIND LDAP plug-in was not found on this system +print Please install the bind-dyndb-ldap package and start the installation again return False +if not unattended and os.path.exists('/etc/named.conf'): +msg = Existing BIND configuration detected, overwrite? +return ipautil.user_input(msg, False) + return True class BindInstance(service.Service): -- 1.6.2.5 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
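Review bot: in the bindinstance.py hunk, when unattended is True and /etc/named.conf already exists, check_inst() falls through to `return True` and the file is replaced without a word; print a one-line notice in that branch so the overwrite at least shows up in the install output. Returning the result of `ipautil.user_input(msg, False)` directly is good, since an empty answer then keeps the existing configuration. The ldap.so probe still hard-codes /usr/lib/bind and /usr/lib64/bind, so the new "bind-dyndb-ldap package ... not found" message will also fire on a layout that installs the plug-in elsewhere; a comment next to the two paths would save the next person a puzzled hour.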
Re: [Freeipa-devel] [PATCH] Fix boolean attributes in DNS plugin.
On Mon, 2009-11-30 at 10:49 +0100, Pavel Zuna wrote: Sometimes they worked fine and sometimes DS rejected them as invalid. Now they should always work. Pavel Tested and ack. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] DNS schema
On Thu, 2009-11-05 at 18:16 -0500, Dmitri Pal wrote: Simo Sorce wrote: On Thu, 2009-11-05 at 14:37 -0500, Dmitri Pal wrote: Hi, Now when we decided to use latest DS that is available from 389 project for IPA v2 we can take advantage of the syntaxes that DS team has added. For example they added numeric syntax that was a part of the original DNS schema we planned for IPA. I remember we replaced the originally planned syntax with some other syntax that is available. Does it make sense to revert to the numeric syntax now or it is not a big deal? I am just concerned that once we will decide to do it the original way because we would think it is the right thing to do and will face all sorts of migration issues. Ideas? Unless it is a major amount of work we should use the proper syntax. Especially for standard schema. Simo. It should not be a big deal IMO so Martin if you are ok with this I would like to ask Pavel to take it as an action item. Dmitri, I'm doing something in the neighborhood right now, so let me take care of it, it'll only take little time. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 288 man page for ipa-join
On Thu, 2009-10-08 at 11:11 -0400, Rob Crittenden wrote: Add a man page for the new ipa-join command. rob +ipa\-join [ \fB\-h\fR hostname ] [ \fB\-k\fR keytab\-file ] [ \fB\-w\fR bulk bind password ] [ \fB\-d\fR ] [ \fB\-q\fR ] Can you use something like bulk-bind-password instead? (with dashes) There is also some trailing white-space in the copyright notice and after all .TP commands. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 291 use DS memberof plugin
On Fri, 2009-10-09 at 17:29 -0400, Rob Crittenden wrote: Use the DS memberof plugin instead of the one contained in the IPA source. I'm not removing that source yet, simply not building or configuring it. rob Looks good to me. Ack. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 288 man page for ipa-join
Rob Crittenden wrote: Martin Nagy wrote: On Thu, 2009-10-08 at 11:11 -0400, Rob Crittenden wrote: Add a man page for the new ipa-join command. rob +ipa\-join [ \fB\-h\fR hostname ] [ \fB\-k\fR keytab\-file ] [ \fB\-w\fR bulk bind password ] [ \fB\-d\fR ] [ \fB\-q\fR ] Can you use something like bulk-bind-password instead? (with dashes) Ah, I didn't mean that you should change -w. But rather, I would change [ \fB\-w\fR bulk bind password ] to something like this: [ \fB\-w\fR bulk\-bind\-password ] Similarly as we use keytab\-file and not keytab file. I picked -w since that is common to the openldap clients. I can add a long version too. There is also some trailing white-space in the copyright notice and after all .TP commands. I think that the manpage editor I use, manedit, adds those. I can get those cleaned up as well. Do you want another patch or just a promise that I'll fix these up? rob Yes, if you do the changes you have an Ack. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 286 cache installer questions
Rob Crittenden wrote: Martin Nagy wrote: Hi Rob, On Wed, 2009-10-07 at 10:57 -0400, Rob Crittenden wrote: Installing a CA that is signed by another CA is a 2-step process. The first step is to generate a CSR for the CA and the second step is to install the certificate issued by the external CA. To avoid asking questions over and over (and potentially getting different answers) the answers are cached. rob -try: -from ipaserver.install import cainstance -except ImportError: -print sys.stderr, Import failed: %s % sys.exc_value -sys.exit(1) What's this? From just a quick look, it seems to me that this will cause troubles. Martin It was duplicated code, we check for that elsewhere. rob Ah, right. Not thrilled that it's not in a separate patch but what the heck. Ack. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 277 properly own Apache config files
On Wed, 2009-09-16 at 13:05 -0400, Rob Crittenden wrote: I goofed on the paths in the original patch I sent on this a while back. This corrects it. I know it looks like we're creating 0-length files here but with the %ghost directive it won't create the files, just own them. rob Why do you create all the directories and 'touch' the files in the %install section when we own them using %ghost? I'm not 100% sure, but I believe this isn't required. What is the difference between /etc/ipa/ and /etc/httpd/conf.d/ ? Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 275 Fix deprecation warning
On Wed, 2009-09-16 at 13:03 -0400, Rob Crittenden wrote: This warning was logged in the Apache error log: /usr/lib/python2.6/site-packages/mod_python/importer.py:32: DeprecationWarning: the md5 module is deprecated; use hashlib instead Try to import hashlib for md5 and if it fails, fall back to the deprecated version. Tested on Python 2.4 and 2.6. rob Ack. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 277 properly own Apache config files
On Thu, 2009-09-17 at 09:06 -0400, Rob Crittenden wrote: Martin Nagy wrote: On Wed, 2009-09-16 at 13:05 -0400, Rob Crittenden wrote: I goofed on the paths in the original patch I sent on this a while back. This corrects it. I know it looks like we're creating 0-length files here but with the %ghost directive it won't create the files, just own them. rob Why do you create all the directories and 'touch' the files in the %install section when we own them using %ghost? I'm not 100% sure, but I believe this isn't required. These files are created by ipa-server-install, we don't provide empty templates, but I don't want IPA to leave orphaned files. In order to reference a file in %files, even with %ghost, the file needs to exist: http://www.rpm.org/max-rpm-snapshot/s1-rpm-inside-files-list-directives.html What is the difference between /etc/ipa/ and /etc/httpd/conf.d/ ? /etc/ipa holds configuration files for IPA (the server, admin tools, etc). /etc/httpd/conf.d holds the IPA configuration file for Apache. So yes, we have 2 files named ipa.conf that do completely different things. rob Ack. I was looking at the same page but didn't notice the example that actually uses touch, sorry. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 265 fix dnaMaxValue
Rob Crittenden wrote: Ensure that dnaMaxValue is higher than dnaNextValue at install time. If you don't specify a specific uid/gid start value then a random one gets set. We need to be sure that the max value is more than this. I picked a 10 range to ensure that there is some headroom for replicas. rob Ack. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] jderose 016 Fixed undefined `dns_forwarders` in ipa-server-install
David O'Brien wrote: Jason Gerard DeRose wrote: In ipa-server-install, if options.setup_dns is False, the `dns_forwarders` variable doesn't get defined, and so things crap out when bind.setup() is called in line 649. I'm assuming this is what causes the local variable 'dns_forwarders' referenced before assignment error in the install process? Can I work around this just by using --no-forwarders? (I'm about to find out...) Yes, but then you have to also use --setup-dns. You can try to apply the patch, or simply just apply the changes by hand. But this is already pushed in git, so.. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] jderose 016 Fixed undefined `dns_forwarders` in ipa-server-install
On Tue, 2009-09-08 at 01:12 -0600, Jason Gerard DeRose wrote: In ipa-server-install, if options.setup_dns is False, the `dns_forwarders` variable doesn't get defined, and so things crap out when bind.setup() is called in line 649. Ack and pushed. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] Add forgotten chunks from commit 4e5a68397a102f0be
I accidentally pushed the older patch that didn't contain bits for ipa-replica-install. Martin From 63b61e9c0a8b1b4de7426a96085de0a9b029ee2a Mon Sep 17 00:00:00 2001 From: Martin Nagy mn...@redhat.com Date: Tue, 1 Sep 2009 23:28:52 +0200 Subject: [PATCH] Add forgotten chunks from commit 4e5a68397a102f0be I accidentally pushed the older patch that didn't contain bits for ipa-replica-install. --- install/tools/ipa-replica-install | 22 -- install/tools/man/ipa-replica-install.1 | 12 +++- 2 files changed, 31 insertions(+), 3 deletions(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 7f0ec32..0571f94 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -60,12 +60,26 @@ def parse_options(): help=Directory Manager (existing master) password) parser.add_option(--setup-dns, dest=setup_dns, action=store_true, default=False, help=configure bind with our zone) +parser.add_option(--forwarder, dest=forwarders, action=append, + help=Add a DNS forwarder) +parser.add_option(--no-forwarders, dest=no_forwarders, action=store_true, + default=False, help=Do not add any DNS forwarders, use root servers instead) options, args = parser.parse_args() if len(args) != 1: parser.error(you must provide a file generated by ipa-replica-prepare) +if not options.setup_dns: +if options.forwarders: +parser.error(You cannot specify a --forwarder option without the --setup-dns option) +if options.no_forwarders: +parser.error(You cannot specify a --no-forwarders option without the --setup-dns option) +elif options.forwarders and options.no_forwarders: +parser.error(You cannot specify a --forwarder option together with --no-forwarders) +elif not options.forwarders and not options.no_forwarders: +parser.error(You must specify at least one --forwarder option or --no-forwarders option) + return options, args[0] def get_dirman_password(): 
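Review bot: the new `--forwarder` option in the parse_options() hunk is a plain action=append with no validation, so whatever string the operator types lands in options.forwarders and, through bind.setup(), in the generated BIND configuration; a typo, a hostname, or a value with a trailing comma yields a named.conf that BIND refuses to load, and the failure only surfaces when the service is started at the end of the install. Validate each value as an IPv4/IPv6 address in parse_options() and reject the rest with parser.error(), with the same check in ipa-server-install since both tools now take the option.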
@@ -189,10 +203,14 @@ def install_http(config): print error copying files: + str(e) sys.exit(1) -def install_bind(config): +def install_bind(config, options): +if options.forwarders: +forwarders = options.forwarders +else: +forwarders = () bind = bindinstance.BindInstance(dm_password=config.dirman_password) ip_address = resolve_host(config.host_name) -bind.setup(config.host_name, ip_address, config.realm_name, config.domain_name) +bind.setup(config.host_name, ip_address, config.realm_name, config.domain_name, forwarders) bind.create_instance() def check_dirsrv(): diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1 index 168f665..dd9a9ae 100644 --- a/install/tools/man/ipa-replica-install.1 +++ b/install/tools/man/ipa-replica-install.1 @@ -37,7 +37,17 @@ Do not configure NTP Directory Manager (existing master) password .TP \fB\-\-setup\-dns\fR -Generate a DNS zone if it does not exist already and configure the DNS server +Generate a DNS zone if it does not exist already and configure the DNS server. +This option requires that you either specify at least one DNS forwarder through +the \fB\-\-forwarder\fR option or use the \fB\-\-no\-forwarders\fR option. +.TP +\fB\-\-forwarder\fR=\fIIP_ADDRESS\fR +Add a DNS forwarder to the DNS configuration. You can use this option multiple +times to specify more forwarders, but at least one must be provided, unless +the \fB\-\-no\-forwarders\fR option is specified. +.TP +\fB\-\-no\-forwarders\fR +Do not add any DNS forwarders. Root DNS servers will be used instead. .SH EXIT STATUS 0 if the command was successful -- 1.6.2.5 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
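Review bot: install_bind() gains an options parameter in this hunk, but no hunk in the patch touches the call in main(); unless that call site already changed in commit 4e5a68397a102f0be, `install_bind(config)` now raises TypeError on a replica install with --setup-dns. Please show the call-site change or confirm it is already in tree. The man page hunk reads well; consider saying in the \-\-forwarder entry that the value is an IP address rather than a hostname, since that is what named.conf requires.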
Re: [Freeipa-devel] [PATCH] Use DNS forwarders in /etc/named.conf
On Mon, 2009-09-07 at 07:54 +1000, David O'Brien wrote: Martin Nagy wrote: On Fri, 2009-09-04 at 09:50 +1000, David O'Brien wrote: Martin Nagy wrote: Hi, This patch adds options --forwarder and --no-forwarders. At least one of them must be used if you are doing a setup with DNS server. They are also mutually exclusive. The --forwarder option can be used more than once to specify more servers. If the installer runs in interactive mode, it will prompt the user if none of these options was given at the command Martin Something like ipa-server-install --setup-dns --forwarder IP --forwarder IP ? You can't use a separated list of IP addresses to save space and typing? That may go against coding style or practice, I don't know... /me has user hat on :-) Hm, well, we use a python module to handle option parsing [1] and this is the way it handles lists. We could allow the IP addresses to be separated by, say, ',' but this also has the risk that the user will do --forwarder 1.2.3.4, 2.3.4.5 which of course wouldn't work (the last IP is treated as a positional argument). Martin [1] http://docs.python.org/library/optparse.html ok, well if it's SOP to handle options this way I'm not about to suggest otherwise[1], but if there were a user-friendly way of doing it that didn't bend or break any rules I'd make more noise. cheers David [1] One of the goals in ECS' style guide is to adhere as much as possible to industry standards and standard practice, not invent new ones that Red Hat likes better. I'll patch it to also accept comma-separated IP addresses, it's not that big a deal :) Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
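What the comma-separated form Martin offers here can look like with optparse, as an added example and not the project's code: `--forwarder` may be repeated and each value may itself be a comma-separated list; every address is checked as IPv4 or IPv6 before it can reach named.conf; and the `--forwarder 1.2.3.4, 2.3.4.5` mistake discussed above, where the second address becomes a positional argument, is reported instead of being silently dropped. The ipaddress module is Python 3's (the installer of the day was Python 2) and the function names are hypothetical.

```python
# Added example: --forwarder handling for an optparse-based installer.
# Not FreeIPA's own code; Python 3 (ipaddress module) is assumed.
import ipaddress
from optparse import OptionParser
from typing import List, Optional


def split_forwarders(values: Optional[List[str]]) -> List[str]:
    """Expand repeated and comma-separated --forwarder values into one list of
    validated, normalised IP address strings. Raises ValueError on bad input so
    nothing unparseable is ever interpolated into named.conf."""
    result: List[str] = []
    for raw in values or []:
        for item in raw.split(","):
            item = item.strip()
            if not item:
                raise ValueError("empty forwarder address in %r" % raw)
            try:
                addr = ipaddress.ip_address(item)   # IPv4 or IPv6 literal only
            except ValueError:
                raise ValueError("%r is not a valid IP address" % item) from None
            text = str(addr)
            if text not in result:                  # drop duplicates, keep order
                result.append(text)
    return result


def build_parser() -> OptionParser:
    parser = OptionParser(
        usage="%prog [--setup-dns (--forwarder IP[,IP...] ... | --no-forwarders)]")
    parser.add_option("--setup-dns", dest="setup_dns", action="store_true",
                      default=False, help="configure bind with our zone")
    parser.add_option("--forwarder", dest="forwarders", action="append",
                      metavar="IP[,IP...]",
                      help="Add a DNS forwarder; may be repeated or comma-separated")
    parser.add_option("--no-forwarders", dest="no_forwarders", action="store_true",
                      default=False,
                      help="Do not add any DNS forwarders, use root servers instead")
    return parser


def parse_forwarders(argv: List[str]) -> Optional[List[str]]:
    """Return the validated forwarder list: [] for --no-forwarders, None when
    DNS is not being set up. Raises ValueError instead of calling
    parser.error() so the logic can be exercised without exiting."""
    options, args = build_parser().parse_args(argv)
    if args:
        # "--forwarder 1.2.3.4, 2.3.4.5" ends up here: after the comma and the
        # space, optparse treats 2.3.4.5 as a positional argument.
        raise ValueError("unexpected positional argument(s): %r" % args)
    if not options.setup_dns:
        if options.forwarders or options.no_forwarders:
            raise ValueError("--forwarder and --no-forwarders require --setup-dns")
        return None
    if options.forwarders and options.no_forwarders:
        raise ValueError("--forwarder and --no-forwarders are mutually exclusive")
    if not options.forwarders and not options.no_forwarders:
        raise ValueError("specify at least one --forwarder or use --no-forwarders")
    return split_forwarders(options.forwarders)


if __name__ == "__main__":
    # Constructed sample command lines.
    print(parse_forwarders(["--setup-dns", "--forwarder", "1.2.3.4,2.3.4.5",
                            "--forwarder", "2001:db8::1"]))
    try:
        parse_forwarders(["--setup-dns", "--forwarder", "1.2.3.4,", "2.3.4.5"])
    except ValueError as err:
        print("rejected:", err)
```

In the real installer the ValueError would be turned into parser.error(); the point of validating here rather than in bindinstance is that a bad forwarder is refused before anything has been written to the system.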
Re: [Freeipa-devel] [PATCH] Use DNS forwarders in /etc/named.conf
On Fri, 2009-09-04 at 09:50 +1000, David O'Brien wrote:
> Martin Nagy wrote:
> > Hi,
> > This patch adds options --forwarder and --no-forwarders. At least one of them must be used if you are doing a setup with a DNS server. They are also mutually exclusive. The --forwarder option can be used more than once to specify more servers. If the installer runs in interactive mode, it will prompt the user if none of these options was given at the command
> > Martin
> Something like ipa-server-install --setup-dns --forwarder IP --forwarder IP ? You can't use a separated list of IP addresses to save space and typing? That may go against coding style or practice, I don't know... /me has user hat on :-)

Hm, well, we use a python module to handle option parsing [1] and this is the way it handles lists. We could allow the IP addresses to be separated by, say, ',' but this also has the risk that the user will do --forwarder 1.2.3.4, 2.3.4.5 which of course wouldn't work (the last IP is treated as a positional argument).

Martin

[1] http://docs.python.org/library/optparse.html
Re: [Freeipa-devel] [PATCH] Start bind only after restarting kdc and dirsrv
On Wed, 2009-09-02 at 08:41 -0400, Simo Sorce wrote:
> On Wed, 2009-09-02 at 02:37 +0200, Martin Nagy wrote:
> > BIND starting before we apply LDAP updates and restart kdc and directory server causes trouble. We resolve this for now by postponing BIND start to the end of installation.
> Ack,
> Simo.

Self-nack. I will need to use the xmlrpc plug-ins and decided that it will be better to move the whole installation of bind after kdc and directory server are restarted. I'll post the new patch after some testing.

Martin
[Freeipa-devel] [PATCH 1/3] Setup bind only after restarting kdc and dirsrv
BIND starting before we apply LDAP updates and restart kdc and directory server causes trouble. We resolve this for now by postponing BIND setup to the end of installation. Another reason is that we will be using xml-rpc during the setup in the future. Martin From ec71011ff70fc0bc811c505e1be2325cd36a8752 Mon Sep 17 00:00:00 2001 From: Martin Nagy mn...@redhat.com Date: Wed, 2 Sep 2009 12:24:17 +0200 Subject: [PATCH 1/3] Setup bind only after restarting kdc and dirsrv BIND starting before we apply LDAP updates and restart kdc and directory server causes trouble. We resolve this for now by postponing BIND setup to the end of installation. Another reason is that we will be using xml-rpc during the setup in the future. --- install/tools/ipa-replica-install |5 +++-- install/tools/ipa-server-install | 16 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index a4d8848..6dd9488 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -328,8 +328,6 @@ def main(): install_krb(config) install_http(config) -if options.setup_dns: -install_bind(config, options) if CA: CA.import_ra_cert(dir + /ra.p12) CA.fix_ra_perms() @@ -362,6 +360,9 @@ def main(): service.restart(dirsrv) service.restart(krb5kdc) +if options.setup_dns: +install_bind(config, options) + # Call client install script try: ipautil.run([/usr/sbin/ipa-client-install, --on-master, --unattended, --domain, config.domain_name, --server, config.host_name, --realm, config.realm_name]) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 2c890b4..03ee6f4 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install 
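Review bot: in the ipa-replica-install hunk, `install_bind(config, options)` now runs after `service.restart(dirsrv)` and `service.restart(krb5kdc)`, so a BIND setup failure happens on a replica whose directory server and KDC are already configured and restarted, and the visible lines have no error handling around the call; consider catching the failure and printing an explicit message so a half-configured replica is not mistaken for a successful install. The reason for the new ordering lives only in the commit message; a one-line comment above `if options.setup_dns:` would stop a later refactor from moving it back.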
@@ -633,14 +633,6 @@ def main(): fd.write(enable_ra=True\n) fd.close() -# Create a BIND instance -bind = bindinstance.BindInstance(fstore, dm_password) -bind.setup(host_name, ip_address, realm_name, domain_name, dns_forwarders) -if options.setup_dns: -bind.create_instance() -else: -bind.create_sample_bind_zone() - # Apply any LDAP updates. Needs to be done after the configuration file # is created service.print_msg(Applying LDAP updates) @@ -653,6 +645,14 @@ def main(): service.print_msg(restarting the KDC) krb.restart() +# Create a BIND instance +bind = bindinstance.BindInstance(fstore, dm_password) +bind.setup(host_name, ip_address, realm_name, domain_name, dns_forwarders) +if options.setup_dns: +bind.create_instance() +else: +bind.create_sample_bind_zone() + # Set the admin user kerberos password ds.change_admin_password(admin_password) -- 1.6.2.5 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
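Review bot: same ordering change for ipa-server-install: the moved block now sits between `krb.restart()` and `ds.change_admin_password(admin_password)`, but the `# Create a BIND instance` comment does not say why it must follow the LDAP updates and KDC restart, and the code alone no longer makes that dependency obvious; please state it in the comment. Note also that `bind.setup(host_name, ip_address, realm_name, domain_name, dns_forwarders)` runs unconditionally (only `create_instance()` versus `create_sample_bind_zone()` depends on `options.setup_dns`), so `dns_forwarders` has to be defined on the no-DNS path as well.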
[Freeipa-devel] [PATCH 2/3] Remove old --setup-bind option
Since we are changing the behaviour of the --setup-dns option substantially, we might as well remove the old --setup-bind option. Martin From 245db49b6fb70ec02bb97f3fa338d7a8a2052803 Mon Sep 17 00:00:00 2001 From: Martin Nagy mn...@redhat.com Date: Wed, 2 Sep 2009 12:27:42 +0200 Subject: [PATCH 2/3] Remove old --setup-bind option Since we are changing the behaviour of the --setup-dns option substantially, we might as well remove the old --setup-bind option. --- install/tools/ipa-server-install |3 --- 1 files changed, 0 insertions(+), 3 deletions(-) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 03ee6f4..306bed5 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -79,9 +79,6 @@ def parse_options(): default=False, help=Configure a CA instance) parser.add_option(--hostname, dest=host_name, help=fully qualified name of server) parser.add_option(--ip-address, dest=ip_address, help=Master Server IP Address) -# FIXME: Remove this option -parser.add_option(--setup-bind, dest=setup_dns, action=store_true, - default=False, help=configure bind with our zone file) parser.add_option(--setup-dns, dest=setup_dns, action=store_true, default=False, help=configure bind with our zone) parser.add_option(--forwarder, dest=forwarders, action=append, -- 1.6.2.5 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
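Review bot: `--setup-bind` shared `dest=setup_dns` with `--setup-dns`, so after this hunk any existing script or kickstart that still passes `--setup-bind` fails in `parse_options()` with an optparse "no such option" error instead of being silently accepted; that is acceptable for a deliberate removal, but the commit message should say so, and the man page should drop the option in the same change (the diffstat touches only `install/tools/ipa-server-install`).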
Re: [Freeipa-devel] [PATCH 2/3] Remove old --setup-bind option
Rob Crittenden wrote:
> Martin Nagy wrote:
> > Since we are changing the behaviour of the --setup-dns option substantially, we might as well remove the old --setup-bind option.
> > Martin
> ack

Pushed
Re: [Freeipa-devel] [PATCH 3/3] Add A and PTR records of ourselves during installation
Rob Crittenden wrote:
> Martin Nagy wrote:
> > If the DNS zones already exist but don't contain our own records, add them. This patch introduces the ipalib.api into the installers. For now, the code is still a little messy. Later patches will abandon the way we create zones now and use ipalib.api exclusively.
> > Martin
> ack

Pushed
[Freeipa-devel] [PATCH] Use DNS forwarders in /etc/named.conf
Hi, This patch adds options --forwarder and --no-forwarders. At least one of them must be used if you are doing a setup with DNS server. They are also mutually exclusive. The --forwarder option can be used more than once to specify more servers. If the installer runs in interactive mode, it will prompt the user if none of these option was given at the command MartinFrom 2dbd272bdbd366c4e1fc9a1b7456c5c6d12377ab Mon Sep 17 00:00:00 2001 From: Martin Nagy mn...@redhat.com Date: Tue, 1 Sep 2009 23:28:52 +0200 Subject: [PATCH] Use DNS forwarders in /etc/named.conf This patch adds options --forwarder and --no-forwarders. At least one of them must be used if you are doing a setup with DNS server. They are also mutually exclusive. The --forwarder option can be used more than once to specify more servers. If the installer runs in interactive mode, it will prompt the user if none of these option was given at the command line. --- install/share/bind.named.conf.template |3 ++ install/tools/ipa-server-install | 46 +++- install/tools/man/ipa-server-install.1 | 12 +++- ipaserver/install/bindinstance.py | 13 - 4 files changed, 71 insertions(+), 3 deletions(-) diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template index 69bd86b..8b5fac2 100644 --- a/install/share/bind.named.conf.template +++ b/install/share/bind.named.conf.template @@ -5,6 +5,9 @@ options { statistics-file data/named_stats.txt; memstatistics-file data/named_mem_stats.txt; + forward first; + forwarders {$FORWARDERS}; + tkey-gssapi-credential DNS/$FQDN; tkey-domain $REALM; }; diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index d0e9397..2c890b4 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install 
@@ -84,6 +84,10 @@ def parse_options(): default=False, help=configure bind with our zone file) parser.add_option(--setup-dns, dest=setup_dns, action=store_true, default=False, help=configure bind with our zone) +parser.add_option(--forwarder, dest=forwarders, action=append, + help=Add a DNS forwarder) +parser.add_option(--no-forwarders, dest=no_forwarders, action=store_true, + default=False, help=Do not add any DNS forwarders, use root servers instead) parser.add_option(-U, --unattended, dest=unattended, action=store_true, default=False, help=unattended installation never prompts the user) parser.add_option(, --uninstall, dest=uninstall, action=store_true, @@ -108,6 +112,14 @@ def parse_options(): help=The starting gid value (default random)) options, args = parser.parse_args() +if not options.setup_dns: +if options.forwarders: +parser.error(You cannot specify a --forwarder option without the --setup-dns option) +if options.no_forwarders: +parser.error(You cannot specify a --no-forwarders option without the --setup-dns option) +elif options.forwarders and options.no_forwarders: +parser.error(You cannot specify a --forwarder option together with --no-forwarders) + if options.uninstall: if (options.ds_user or options.realm_name or options.dm_password or options.admin_password or @@ -117,6 +129,9 @@ def parse_options(): if (not options.ds_user or not options.realm_name or not options.dm_password or not options.admin_password): parser.error(error: In unattended mode you need to provide at least -u, -r, -p and -a options) +if options.setup_dns: +if not options.forwarders and not options.no_forwarders: +parser.error(You must specify at least one --forwarder option or --no-forwarders option) # If any of the PKCS#12 options are selected, all are required. Create a # list of the options and count it to enforce that all are required without 
@@ -210,6 +225,27 @@ def read_ip_address(host_name): return ip +def read_dns_forwarders(): +addrs = [] +while True: +ip = user_input(Enter IP address for a DNS forwarder (empty to stop), allow_empty=True) + +if not ip: +break +if ip == 127.0.0.1 or ip == ::1: +print You cannot use localhost as a DNS forwarder +continue +if not verify_ip_address(ip): +continue + +print DNS forwarder %s added % ip +addrs.append(ip) + +if not addrs: +print No DNS forwarders configured + +return addrs + def read_ds_user(): print The server must run as a specific user in a specific group. print It is strongly recommended that this user should have no privileges @@ -504,6 +540,14 @@ def main(): else: admin_password = options.admin_password +if options.setup_dns: +if options.no_forwarders
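Review bot: in the `bind.named.conf.template` hunk, `forward first;` makes named fall back to its own recursion from the root hints whenever the listed forwarders do not answer, so a site that relies on its forwarders to enforce a DNS policy silently loses that policy during a forwarder outage; if that fallback is not intended, `forward only;` fails closed instead. Also, when `--no-forwarders` is chosen and `$FORWARDERS` expands to an empty string the template renders `forwarders {};`, which BIND accepts as an empty list, but a comment in the template saying so would keep someone from "fixing" it.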
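Review bot: the `--forwarder` values taken from the command line in the `parse_options()` hunks are never validated there, whereas the interactive `read_dns_forwarders()` path rejects localhost and calls `verify_ip_address()`; since these strings end up substituted into `/etc/named.conf` through `$FORWARDERS`, run the same checks on `options.forwarders` (and on the comma-separated form discussed in the thread) before `main()` uses them. The `--setup-dns` requirement check added at `@@ -117,6 +129,9` appears to sit next to the unattended-mode checks, which is only correct if the interactive branch always prompts; worth double-checking that ordering.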
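Review bot: in `read_dns_forwarders()`, the localhost test compares against the two literals `127.0.0.1` and `::1`, so addresses such as `127.0.0.2`, `0::1` or `::ffff:127.0.0.1` pass through to `verify_ip_address()` and can be written to named.conf; testing for the loopback range is more robust. Also, when `verify_ip_address(ip)` fails the loop just `continue`s without a message in this hunk (unless the helper prints one itself), so the user is not told why the address was dropped.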
Re: [Freeipa-devel] [PATCH] 243 clean up v1.2 LDAP module
On Wed, 29 Jul 2009 10:12:51 -0400, Rob Crittenden rcrit...@redhat.com wrote:
> The 1.2 LDAP module was throwing a deprecation warning for using popen2 and pychecker found a slew of other issues as well. This patch removes a bunch of unused imports, renames some variables that shadowed builtins and renames some functions.
> exportLDIF() calls a function that isn't provided. This must have gotten left over from when I ported this from Rich's original LDAP module which did all sorts of stuff. I think we can drop this as it doesn't even work but wanted to throw it out there on the off-chance that someone found a way to use it.
> rob

Ack

Martin