Re: [Freeipa-devel] [PATCH] 473 fix aci update summary

2010-06-30 Thread Martin Nagy
On Thu, 2010-06-24 at 14:17 -0400, Rob Crittenden wrote:
 Seems I changed the summary message for updating hosts which breaks a 
 few of the aci tests. This should bring it back in line.
 
 rob

Ack.
Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 463 drop --with-openldap option in client

2010-06-21 Thread Martin Nagy
On Wed, 2010-06-02 at 14:57 -0400, Rob Crittenden wrote:
 Drop the --with-openldap option in the client and require the openldap 
 client libraries. This has been required for quite some time but we 
 always just passed in --with-openldap. This will remove the illusion 
 that this isn't explicitly required.
 
 rob

Ack.

Martin



Re: [Freeipa-devel] [PATCH] 465 fix client bulk enrollment

2010-06-21 Thread Martin Nagy
On Fri, 2010-06-11 at 11:04 -0400, Rob Crittenden wrote:
 We need to fetch the CA cert so our ldaps connection will succeed.
 
 rob

Ack.

Martin



Re: [Freeipa-devel] [PATCH] 470 maintainer-clean change

2010-06-21 Thread Martin Nagy

On 06/17/2010 10:37 PM, Rob Crittenden wrote:

I almost pushed this under the one-liner rule but what the heck. Add a
maintainer-clean target to install/po. All the heavy lifting is already
done in distclean so just depend on that.

rob


Ack.

Martin



[Freeipa-devel] [PATCHES] Delete old SRV and NS records during uninstallation

2010-04-19 Thread Martin Nagy
Hi,
0001 is pretty straightforward, I need it for 0002.
0002 introduces a new class DnsBackup that makes sure that any records
that we might want to potentially remove (SRV and NS right now) are
properly saved using sysrestore. It also takes care of removing them
during the uninstallation.
0003 makes 0002 useful by allowing the user to input the admin password
to ipa-server-install --uninstall and connecting to ldap.

I've tested these quite a lot so hopefully there won't be any major
problems with them.

Thanks
Martin
From 656dbf1e7531c2c2a42914c7018e8dd5399478a4 Mon Sep 17 00:00:00 2001
From: Martin Nagy mn...@redhat.com
Date: Thu, 15 Apr 2010 11:59:16 +0200
Subject: [PATCH 1/3] Accept unicode for sysrestore

---
 ipapython/sysrestore.py |4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipapython/sysrestore.py b/ipapython/sysrestore.py
index 78c9b62..ddc3ee0 100644
--- a/ipapython/sysrestore.py
+++ b/ipapython/sysrestore.py
@@ -282,8 +282,8 @@ class StateFile:
 by the string @key and with the value @value. @value may be
 a string or boolean.
 
-if not (isinstance(value, str) or isinstance(value, bool)):
-raise ValueError(Only strings or booleans supported)
+if not isinstance(value, (str, bool, unicode)):
+raise ValueError(Only strings, booleans or unicode strings are supported)
 
 if not self.modules.has_key(module):
 self.modules[module] = {}
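Review bot: the type check now admits unicode values, but nothing in this hunk encodes them before they reach the state file. If StateFile writes values to disk as bytes, a non-ASCII unicode value (an IDN zone name, for instance) would raise UnicodeEncodeError at save time, after the record has already been added. Either encode to UTF-8 at the point of writing or state that only ASCII-safe unicode is expected; the new error message itself reads fine.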
-- 
1.6.2.5

From 0b9db95440940429a802b1fcb00666e6490841c0 Mon Sep 17 00:00:00 2001
From: Martin Nagy mn...@redhat.com
Date: Wed, 25 Nov 2009 00:49:40 +0100
Subject: [PATCH 2/3] Delete old SRV records during uninstallation

---
 ipaserver/install/bindinstance.py |   79 +++-
 1 files changed, 68 insertions(+), 11 deletions(-)

diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index e728911..016d46f 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -87,7 +87,7 @@ def get_reverse_zone(ip_address):
 
 return zone, name
 
-def add_zone(name, update_policy=None):
+def add_zone(name, update_policy=None, dns_backup=None):
 if not update_policy:
 update_policy = grant %s krb5-self * A; % api.env.realm
 
@@ -99,11 +99,11 @@ def add_zone(name, update_policy=None):
 except (errors.DuplicateEntry, errors.EmptyModlist):
 pass
 
-add_rr(name, @, NS, api.env.host+.)
+add_rr(name, @, NS, api.env.host+., dns_backup)
 
 return name
 
-def add_reverze_zone(ip_address, update_policy=None):
+def add_reverze_zone(ip_address, update_policy=None, dns_backup=None):
 zone, name = get_reverse_zone(ip_address)
 if not update_policy:
 update_policy = grant %s krb5-subdomain %s. PTR; % (api.env.realm, zone)
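Review bot: style point on the add_reverze_zone signature: the function name is misspelled (reverse), and since this hunk already changes its signature, renaming it and its callers now avoids a second round of churn later. Also note that the forward-zone NS above is written as api.env.host+. (absolute) while the reverse-zone NS in the next hunk passes api.env.host without the trailing dot; if the dns plug-in does not qualify relative names, that NS target is interpreted under the reverse zone. Worth making both absolute.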
@@ -115,24 +115,75 @@ def add_reverze_zone(ip_address, update_policy=None):
 except (errors.DuplicateEntry, errors.EmptyModlist):
 pass
 
-add_rr(zone, @, NS, api.env.host)
+add_rr(zone, @, NS, api.env.host, dns_backup)
 
 return zone
 
-def add_rr(zone, name, type, rdata):
+def add_rr(zone, name, type, rdata, dns_backup=None):
 try:
 api.Command.dns_add_rr(unicode(zone), unicode(name),
unicode(type), unicode(rdata))
 except (errors.DuplicateEntry, errors.EmptyModlist):
 pass
+if dns_backup:
+dns_backup.add(zone, type, name, rdata)
 
-def add_ptr_rr(ip_address, fqdn):
+def add_ptr_rr(ip_address, fqdn, dns_backup=None):
 zone, name = get_reverse_zone(ip_address)
-add_rr(zone, name, PTR, fqdn+.)
+add_rr(zone, name, PTR, fqdn+., dns_backup)
+
+
+class DnsBackup(object):
+def __init__(self, service):
+self.service = service
+self.zones = {}
+
+def add(self, zone, record_type, host, rdata):
+
+Backup a DNS record in the file store so it can later be removed.
+
+if zone not in self.zones:
+zone_id = len(self.zones)
+self.zones[zone] = (zone_id, 0)
+self.service.backup_state(dns_zone_%s % zone_id, zone)
+
+(zone_id, record_id) = self.zones[zone]
+self.service.backup_state(dns_record_%s_%s % (zone_id, record_id),
+  %s %s %s % (record_type, host, rdata))
+self.zones[zone] = (zone_id, record_id + 1)
+
+def clear_records(self, have_ldap):
+
+Remove all records from the file store. If we are connected to
+ldap, we will also remove them there.
+
+i = 0
+while True:
+zone = self.service.restore_state(dns_zone_%s % i)
+if not zone:
+return
+
+j = 0
+while True:
+dns_record = self.service.restore_state(dns_record_%s_%s % (i, j))
+if not dns_record:
+break
+if have_ldap:
+type, host, rdata
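Review bot: logic problem in add_rr: dns_backup.add() is called after the except clause, so a record that already existed (DuplicateEntry) is journaled as if the installer had created it, and clear_records(have_ldap=True) will then delete a pre-existing record on uninstall. Move the backup call inside the try, after dns_add_rr succeeds, so only records this install created are removed. Related: the stored string is '%s %s %s' % (record_type, host, rdata), and SRV rdata itself contains spaces ('0 100 389 host.'), so the unpack at the end of clear_records must split at most twice (split(None, 2)); a plain split() raises 'too many values to unpack' for every SRV record. Minor: `type` shadows the builtin.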

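As an added example (not the patch's code nor FreeIPA's), the same journal idea with in-memory stand-ins for sysrestore and for the dns plug-in, extended to record only the entries the installer actually created: a record that already existed before installation is left untouched on uninstall, and SRV rdata containing spaces survives the round trip. The class and function names (RecordStore, StateStore, DnsJournal, DuplicateEntry, demo_uninstall) and the sample records are this example's own; the dns_zone_N / dns_record_N_M key layout is the one used in the patch.

```python
"""Journal of DNS records created at install time, replayed on uninstall."""


class DuplicateEntry(Exception):
    """Raised by the record store when a record already exists (stands in
    for errors.DuplicateEntry)."""


class RecordStore:
    """Constructed stand-in for the LDAP-backed dns plug-in."""

    def __init__(self, existing=()):
        self.records = set(existing)

    def add(self, zone, name, rtype, rdata):
        key = (zone, name, rtype, rdata)
        if key in self.records:
            raise DuplicateEntry(key)
        self.records.add(key)

    def delete(self, zone, name, rtype, rdata):
        self.records.discard((zone, name, rtype, rdata))


class StateStore:
    """Minimal key/value store modelled on sysrestore: restore_state pops the key."""

    def __init__(self):
        self.state = {}

    def backup_state(self, key, value):
        self.state[key] = value

    def restore_state(self, key):
        return self.state.pop(key, None)


class DnsJournal:
    """Remembers only the records this installer created."""

    def __init__(self, state):
        self.state = state
        self.zones = {}

    def add_rr(self, store, zone, name, rtype, rdata):
        try:
            store.add(zone, name, rtype, rdata)
        except DuplicateEntry:
            # Existed before installation: must survive uninstallation.
            return False
        self._journal(zone, name, rtype, rdata)
        return True

    def _journal(self, zone, name, rtype, rdata):
        if zone not in self.zones:
            zone_id = len(self.zones)
            self.zones[zone] = (zone_id, 0)
            self.state.backup_state("dns_zone_%d" % zone_id, zone)
        zone_id, record_id = self.zones[zone]
        # rdata (e.g. SRV "0 100 389 host.") may contain spaces, so it goes last
        self.state.backup_state("dns_record_%d_%d" % (zone_id, record_id),
                                "%s %s %s" % (rtype, name, rdata))
        self.zones[zone] = (zone_id, record_id + 1)

    def clear_records(self, store=None):
        """Drop journaled records from the state store and, if a store is
        given, from the directory as well. Returns what was removed."""
        removed = []
        zone_id = 0
        while True:
            zone = self.state.restore_state("dns_zone_%d" % zone_id)
            if zone is None:
                break
            record_id = 0
            while True:
                entry = self.state.restore_state("dns_record_%d_%d" % (zone_id, record_id))
                if entry is None:
                    break
                rtype, name, rdata = entry.split(" ", 2)   # at most two splits
                if store is not None:
                    store.delete(zone, name, rtype, rdata)
                removed.append((zone, name, rtype, rdata))
                record_id += 1
            zone_id += 1
        self.zones = {}
        return removed


def demo_uninstall():
    """Constructed scenario: one NS record pre-exists, installer adds SRV and PTR."""
    pre = ("example.test", "@", "NS", "ns0.example.test.")
    store = RecordStore([pre])
    journal = DnsJournal(StateStore())
    created = [
        journal.add_rr(store, *pre),
        journal.add_rr(store, "example.test", "_ldap._tcp", "SRV", "0 100 389 ipa.example.test."),
        journal.add_rr(store, "1.168.192.in-addr.arpa", "10", "PTR", "ipa.example.test."),
    ]
    removed = journal.clear_records(store)
    return created, removed, sorted(store.records), journal.clear_records(store)


if __name__ == "__main__":
    print(demo_uninstall())
```

Running demo_uninstall() shows the pre-existing NS reported as not created, the two installer-created records removed on uninstall, the NS still present afterwards, and a second clear_records() finding nothing left in the state store.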
Re: [Freeipa-devel] [PATCH] 418 don't abort when trusting CA cert

2010-04-06 Thread Martin Nagy
On Thu, 2010-04-01 at 14:20 -0400, Rob Crittenden wrote:
 If there was a problem trusting the CA cert on installation the whole 
 install would abort. This is overkill so let things continue.
 
 rob

Ack.
Martin



Re: [Freeipa-devel] [PATCH] 394 Catch empty updates

2010-03-07 Thread Martin Nagy

On 03/04/2010 10:25 PM, Rob Crittenden wrote:

Currently if you pass in an empty update on the cli it won't throw an
error and can be a bit confusing.

rob


I think the change in pwpolicy.py won't preserve the original behaviour:
+if 'group' in options:
+group_cn = options['group']
+del options['group']
+else:
 group_cn = _global
+
+if not 'group' in options:
 ...
 else:
 ...

Notice that at the second if, 'group' will never be in options no matter 
what.


Martin



Re: [Freeipa-devel] [PATCH] 396 with verbose print XML-RPC output

2010-03-07 Thread Martin Nagy

On 03/05/2010 07:45 PM, Rob Crittenden wrote:

Connect the -v flag in the ipa command to including the XML-RPC
conversation in the output:

% ipa -v user-show admin

[snip]

Rob, do you think we could use something like -vv for this? The XML-RPC 
conversation seems to be a little bit too verbose.


Martin



Re: [Freeipa-devel] [PATCH] 397 raise exception on empty mod

2010-03-07 Thread Martin Nagy

On 03/05/2010 07:47 PM, Rob Crittenden wrote:

Raise an error if no modifications were performed in an update.

This will alert the user that nothing was done and is handy when used
with --attr=''. This can be used to delete a non-required attribute but
can be set to any valid attribute, present or not. We should alert the
user if they attempt to delete a non-existent value.

rob


A few questions:
How will the user see this error? I'm not sure this should be presented 
as an error, but more like a notification maybe. Also, I'm not 100% sure 
how we handle exceptions like this on the server side, but I'm guessing 
that this will not show up in the server logs as an exception?


Martin



Re: [Freeipa-devel] [PATCH] 395 don't crash on blank min/maxlife in pwpolicy

2010-03-07 Thread Martin Nagy

On 03/05/2010 07:41 PM, Rob Crittenden wrote:

Don't calculate min/max lifetime if None is passed in.

None is passed if the option is set with --minlife=''. This is a valid
use case to delete a non-required attribute. In this case we simply
don't do the math on None and things work as expected.

rob


ACK and pushed to master.

Martin



Re: [Freeipa-devel] [PATCH] 398 use cli_name, not name, on Required errors

2010-03-07 Thread Martin Nagy

On 03/05/2010 08:17 PM, Rob Crittenden wrote:

When raising an error about a required attribute, use cli_name not name.

name is an LDAP attribute and may not be easily identifiable (e.g. sn).

rob


ACK and pushed to master.

Martin



Re: [Freeipa-devel] [PATCH] 393 don't create ipa_error.log

2010-03-06 Thread Martin Nagy

On 03/04/2010 05:00 PM, Rob Crittenden wrote:

The log file /var/log/ipa_error.log was used by TurboGears which we have
long deprecated. Don't create this file in the rpm spec file.

rob


Ack.
Martin



Re: [Freeipa-devel] [PATCH] 389 enable popt macro

2010-03-02 Thread Martin Nagy
On Wed, 2010-02-24 at 10:43 -0500, Rob Crittenden wrote:
 Add the POPT_AUTOHELP macro to the options table to provide more verbose 
 help output.
 
 rob

ACK
Martin



Re: [Freeipa-devel] [PATCH] 388 update client command man pages

2010-03-02 Thread Martin Nagy
On Tue, 2010-03-02 at 09:10 -0500, Rob Crittenden wrote:
 Martin Nagy wrote:
  On Wed, 2010-02-24 at 10:41 -0500, Rob Crittenden wrote:
  Update the client command man pages with recent option additions and 
  some additional verbiage.
 
  rob
  
  Could you please make the lines shorter than 80 characters?
  
  Martin
  
 
 It is the editor I use that does this (manedit). Is this really a problem?
 
 rob

Nah, that's ok.

ACK

Martin



Re: [Freeipa-devel] [PATCH] 374 don't make assumptions about cwd

2010-02-16 Thread Martin Nagy
On Wed, 2010-02-03 at 17:44 -0500, Rob Crittenden wrote:
 Don't assume that cwd exists or is writable. I had worked on this 
 previously so that we change to a known writable directory when issuing 
 server certs. Enhance that so we change to the NSS db dir when issuing 
 the self-signed CA. certutil wants to write a file to the cwd when 
 generating a key so we need to be some place writable.
 
 Also handle the case where cwd is an invalid directory. I tested this with:
 
 term 1: mkdir foo
  cd foo
 
 term 2: rmdir foo
 
 term 1: ipa-server-install ...
 
 Probably not a major issue but not hard to more carefully handle it 
 either. The installation will still fail but at least we have a good 
 message when it does.
 
 rob

Cool, I actually hit this problem once, thanks.
ACK

Martin
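
As an added illustration of the failure mode Rob describes above (this is not code from the patch or from FreeIPA): a Python 3 helper that notices when the working directory has been removed underneath the process and runs a step such as certutil from a known writable directory instead. The names cwd_is_usable, working_dir and demo_deleted_cwd, and the temporary directories used to reproduce the mkdir/cd/rmdir sequence, are this example's own.

```python
import os
import tempfile
from contextlib import contextmanager


def cwd_is_usable():
    """True when the current directory still exists and we can write to it."""
    try:
        cwd = os.getcwd()
    except OSError:
        # getcwd() fails once the directory has been removed underneath us
        return False
    return os.access(cwd, os.W_OK)


@contextmanager
def working_dir(target):
    """Run a block inside `target` (e.g. the NSS database directory), then go
    back, tolerating a starting directory that no longer exists."""
    try:
        original = os.getcwd()
    except OSError:
        original = None
    os.chdir(target)
    try:
        yield target
    finally:
        if original is not None and os.path.isdir(original):
            os.chdir(original)


def demo_deleted_cwd():
    """Reproduce the mkdir/cd/rmdir scenario and report what the helpers saw."""
    home = os.getcwd()
    doomed = tempfile.mkdtemp(prefix="foo-")     # term 1: mkdir foo; cd foo
    safe = tempfile.mkdtemp(prefix="nssdb-")     # stands in for the NSS db dir
    result = {}
    try:
        os.chdir(doomed)
        os.rmdir(doomed)                         # term 2: rmdir foo
        result["usable_after_rmdir"] = cwd_is_usable()
        with working_dir(safe):                  # what to do before running certutil
            result["inside"] = os.path.realpath(os.getcwd()) == os.path.realpath(safe)
        # the original cwd is gone, so we stay put instead of failing on the way out
        result["after"] = os.path.realpath(os.getcwd()) == os.path.realpath(safe)
    finally:
        os.chdir(home)
        os.rmdir(safe)
    return result


if __name__ == "__main__":
    print(demo_deleted_cwd())
```

demo_deleted_cwd() reports that the deleted directory is unusable, that the block ran inside the safe directory, and that leaving the block did not try to return to a directory that no longer exists.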



Re: [Freeipa-devel] [PATCH] 358 remove files on uninstall

2010-02-16 Thread Martin Nagy
On Thu, 2010-01-28 at 14:24 -0500, Rob Crittenden wrote:
 Remove some IPA configuration files when doing an uninstallation.
 
 rob

ACK

Martin



[Freeipa-devel] [PATCH] Fix a crash and memory leak in get_config_entry()

2010-02-16 Thread Martin Nagy
Hi,
noticed this while reading some older emails from freeipa-devel. I
didn't test the patch, since it is really trivial.

Martin
From 2e31847c8b4082e0ac95254867332cb3cbdda706 Mon Sep 17 00:00:00 2001
From: Martin Nagy mn...@redhat.com
Date: Tue, 16 Feb 2010 15:13:25 +0100
Subject: [PATCH] Fix a crash and memory leak in get_config_entry()

---
 ipa-client/config.c |3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/ipa-client/config.c b/ipa-client/config.c
index f590d10..c32946e 100644
--- a/ipa-client/config.c
+++ b/ipa-client/config.c
@@ -91,7 +91,7 @@ get_config_entry(char * in_data, const char *section, const char *key)
 if (NULL == in_data)
 return NULL;
 else
-strdup(in_data);
+data = strdup(in_data);
 
 for (line = strtok_r(data, \n, ptr); line != NULL;
  line = strtok_r(NULL, \n, ptr)) {
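Review bot: missing check on the strdup() result: `data = strdup(in_data);` can return NULL on allocation failure, and strtok_r(data, ...) on the next line would then dereference it. Add `if (data == NULL) return NULL;` before the loop.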
@@ -156,5 +156,6 @@ get_config_entry(char * in_data, const char *section, const char *key)
 }
 }
 }
+free(data);
 return NULL;
 }
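Review bot: free(data) is added only on the fall-through path; the loop body elided by this hunk is where a matching key is found and returned. Confirm that those return paths hand back a copy of the value rather than a pointer into `data` (which strtok_r has modified in place) and that they free `data` too; otherwise the success path still leaks, or the caller receives a dangling pointer once this free is reached by a later call.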
-- 
1.6.2.5


[Freeipa-devel] [PATCH] Make the DNS forwarders interactive input less confusing

2010-02-08 Thread Martin Nagy
Here's the simple patch for #558984.

Specifically, with this patch, ipa-server-install/ipa-dns-install will
ask you this:

Do you wish to configure DNS forwarders?

If you say yes, you will also see:

Please enter the IP addresses of DNS forwarders that you want to use.
After you are done, enter a blank line to stop.

And the rest is the same, except it doesn't say (empty to stop) at the
end of the prompt as it used to.

David, Jenny, do you think this is good enough? I can change it easily
if there are any objections/ideas.

Patch attached.
Martin
From 6227f43bab6b2118c3c787496524cc8e97c744d5 Mon Sep 17 00:00:00 2001
From: Martin Nagy mn...@redhat.com
Date: Mon, 8 Feb 2010 19:31:57 +0100
Subject: [PATCH] Make the DNS forwarders interactive input less confusing

Fixes #558984
---
 ipaserver/install/installutils.py |   30 +-
 1 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 6365fe8..df3c891 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -151,19 +151,23 @@ def read_ip_address(host_name, fstore):
 
 def read_dns_forwarders():
 addrs = []
-while True:
-ip = ipautil.user_input(Enter IP address for a DNS forwarder (empty to stop), allow_empty=True)
-
-if not ip:
-break
-if ip == 127.0.0.1 or ip == ::1:
-print You cannot use localhost as a DNS forwarder
-continue
-if not verify_ip_address(ip):
-continue
-
-print DNS forwarder %s added % ip
-addrs.append(ip)
+if ipautil.user_input(Do you wish to configure DNS forwarders?, False):
+print Please enter the IP addresses of DNS forwarders that you want to use.
+print After you are done, enter a blank line to stop.
+
+while True:
+ip = ipautil.user_input(Enter IP address for a DNS forwarder,
+allow_empty=True)
+if not ip:
+break
+if ip == 127.0.0.1 or ip == ::1:
+print You cannot use localhost as a DNS forwarder
+continue
+if not verify_ip_address(ip):
+continue
+
+print DNS forwarder %s added % ip
+addrs.append(ip)
 
 if not addrs:
 print No DNS forwarders configured
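Review bot: the localhost check only matches the two literals 127.0.0.1 and ::1; the rest of 127.0.0.0/8 (127.0.0.2, say), the IPv4-mapped form ::ffff:127.0.0.1, and 0.0.0.0 all get past it and would point named at itself or at nothing. Since verify_ip_address already parses the string, test the parsed address for loopback/unspecified instead of string equality. Minor: the yes/no default is passed to user_input as a bare positional False; a keyword argument would make the prompt's default obvious to the next reader.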
-- 
1.6.2.5
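
As an added example, not from the patch or from FreeIPA, the same prompt loop in Python 3 with the address check done on the parsed address rather than on two string literals, so that the whole 127.0.0.0/8 range, the IPv4-mapped ::ffff:127.0.0.1, 0.0.0.0 and multicast addresses are rejected, and duplicates are skipped. validate_forwarder, is_acceptable_forwarder and read_dns_forwarders are this example's own names; ipautil.user_input is replaced by an `ask` callable so the loop can be driven from a list of constructed answers.

```python
import ipaddress


def validate_forwarder(text):
    """Parse one forwarder address and return it normalised, or raise
    ValueError explaining why it is unusable."""
    addr = ipaddress.ip_address(text.strip())      # ValueError if not an IP at all
    mapped = getattr(addr, "ipv4_mapped", None)    # ::ffff:a.b.c.d -> a.b.c.d
    if mapped is not None:
        addr = mapped
    if addr.is_loopback:                           # all of 127/8 and ::1
        raise ValueError("localhost cannot be a DNS forwarder")
    if addr.is_unspecified or addr.is_multicast:
        raise ValueError("unspecified or multicast address cannot be a forwarder")
    return str(addr)


def is_acceptable_forwarder(text):
    try:
        validate_forwarder(text)
    except ValueError:
        return False
    return True


def read_dns_forwarders(ask=input):
    """Interactive loop as in the patch, driven through `ask(prompt)` so it
    can be tested: a yes/no question first, then addresses until a blank line."""
    answer = ask("Do you wish to configure DNS forwarders? [no]: ").strip().lower()
    if answer not in ("y", "yes"):
        print("No DNS forwarders configured")
        return []
    print("Please enter the IP addresses of DNS forwarders that you want to use.")
    print("After you are done, enter a blank line to stop.")
    addrs = []
    while True:
        text = ask("Enter IP address for a DNS forwarder: ").strip()
        if not text:
            break
        try:
            ip = validate_forwarder(text)
        except ValueError as err:
            print("Rejected %r: %s" % (text, err))
            continue
        if ip in addrs:
            print("DNS forwarder %s already added" % ip)
            continue
        print("DNS forwarder %s added" % ip)
        addrs.append(ip)
    if not addrs:
        print("No DNS forwarders configured")
    return addrs


if __name__ == "__main__":
    print(read_dns_forwarders())
```

Feeding the loop the constructed answers yes, 127.0.0.1, 8.8.8.8, 8.8.8.8, nope, 2001:db8::53 and a blank line yields just 8.8.8.8 and 2001:db8::53; answering no returns an empty list without prompting for addresses.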


Re: [Freeipa-devel] [PATCH] jderose 033 Fix fuzzy digigits under Fedora12

2010-01-22 Thread Martin Nagy
On Mon, 2010-01-11 at 11:40 -0700, Jason Gerard DeRose wrote:
 I'm not sure why the difference, but the uidnumber, gidnumber, etc. are
 being returned as `unicode` instead of `str` under Fedora12.  Returning
 as `unicode` is correct, but this patch allows the test to still work
 under Fedora11 for the time being.

ACK

Martin



Re: [Freeipa-devel] [PATCHES] Use the dns plugin during installation

2010-01-20 Thread Martin Nagy
On Thu, 2009-12-03 at 17:25 +0100, Martin Nagy wrote:
 Hi,
 these three patches should make sure that we add dns records the right
 way. It will also serve for the ipa-dns-install command that's almost
 ready, patch will be coming soon.
 
 Thanks
 Martin

I've rebased the patches and fixed some other things I found later.
Attached.

Martin
From 7397f0b2cd051f61c5810fe16e1f770c4805ccb7 Mon Sep 17 00:00:00 2001
From: Martin Nagy mn...@redhat.com
Date: Thu, 3 Dec 2009 16:32:56 +0100
Subject: [PATCH 01/12] Move api finalization in ipa-server-install after writing default.conf

We will need to have ipalib correctly configured before we start
installing DNS entries with api.Command.dns.
---
 install/tools/ipa-server-install |   45 ++---
 1 files changed, 22 insertions(+), 23 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index c92989a..ba27ac3 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -481,18 +481,12 @@ def main():
 fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
 
 
+# Configuration for ipalib, we will bootstrap and finalize later, after
+# we are sure we have the configuration file ready.
 cfg = dict(
 in_server=True,
-webui_assets_dir=ASSETS_DIR,
 debug=options.debug
 )
-if not options.uninstall:
-if options.ca:
-cfg['ra_plugin'] = 'dogtag'
-else:
-cfg['ra_plugin'] = 'selfsign'
-api.bootstrap(**cfg)
-api.finalize()
 
 if options.uninstall:
 if not options.unattended:
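Review bot: behaviour change to watch in this hunk: the removed code set ra_plugin='selfsign' whenever --ca was not given, but the default.conf written later in this patch only records ra_plugin=dogtag for the CA case. A self-signed install therefore relies on ipalib's built-in default for ra_plugin; confirm that default is selfsign, or write it explicitly, otherwise certificate issuance during a non-dogtag install changes plugin without anyone noticing.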
@@ -502,6 +496,8 @@ def main():
 print Aborting uninstall operation.
 sys.exit(1)
 
+api.bootstrap(**cfg)
+api.finalize()
 return uninstall(not certs.ipa_self_signed())
 
 # This will override any settings passed in on the cmdline
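Review bot: api.bootstrap()/finalize() in the uninstall path now depends entirely on /etc/ipa/default.conf from the earlier install, since cfg no longer carries ra_plugin or webui_assets_dir. An aborted or partial install may never have written that file, in which case finalize() fails here before uninstall() gets a chance to clean up. Consider catching that and proceeding with the uninstall anyway, since uninstall is the recovery path for exactly those broken installs.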
@@ -662,6 +658,24 @@ def main():
 else:
 dns_forwarders = ()
 
+# Create the management framework config file and finalize api
+fstore.backup_file(/etc/ipa/default.conf)
+fd = open(/etc/ipa/default.conf, w)
+fd.write([global]\n)
+fd.write(basedn= + util.realm_to_suffix(realm_name) + \n)
+fd.write(realm= + realm_name + \n)
+fd.write(domain= + domain_name + \n)
+fd.write(xmlrpc_uri=https://%s/ipa/xml\n; % host_name)
+fd.write(ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n % dsinstance.realm_to_serverid(realm_name))
+fd.write(enable_ra=True\n)
+if options.ca:
+fd.write(ra_plugin=dogtag\n)
+fd.write('webui_assets_dir=' + ASSETS_DIR + '\n')
+fd.close()
+
+api.bootstrap(**cfg)
+api.finalize()
+
 if not options.unattended:
 print 
 print The following operations may take some minutes to complete.
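Review bot: default.conf is now written (and backed up in fstore) before the DS, KDC and HTTP instances exist. If the install fails anywhere between this point and completion, a config pointing at services that were never created is left behind; make sure the failure and uninstall paths restore the fstore backup rather than leaving it in place. The contents are non-secret (URIs, basedn, realm), so the default file mode is acceptable.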
@@ -753,21 +767,6 @@ def main():
 http.create_instance(realm_name, host_name, domain_name, dm_password, autoconfig=True, self_signed_ca=not options.ca)
 ipautil.run([/sbin/restorecon, /var/cache/ipa/sessions])
 
-# Create the management framework config file
-fstore.backup_file(/etc/ipa/default.conf)
-fd = open(/etc/ipa/default.conf, w)
-fd.write([global]\n)
-fd.write(basedn= + util.realm_to_suffix(realm_name) + \n)
-fd.write(realm= + realm_name + \n)
-fd.write(domain= + domain_name + \n)
-fd.write(xmlrpc_uri=https://%s/ipa/xml\n; % host_name)
-fd.write(ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n % dsinstance.realm_to_serverid(realm_name))
-fd.write(enable_ra=True\n)
-if options.ca:
-fd.write(ra_plugin=dogtag\n)
-fd.write('webui_assets_dir=' + ASSETS_DIR + '\n')
-fd.close()
-
 # Apply any LDAP updates. Needs to be done after the configuration file
 # is created
 service.print_msg(Applying LDAP updates)
-- 
1.6.2.5

From 2d5d396856f1cf393f58deb53d7a6e30095845fc Mon Sep 17 00:00:00 2001
From: Martin Nagy mn...@redhat.com
Date: Tue, 10 Nov 2009 13:21:09 +0100
Subject: [PATCH 02/12] Use the dns plug-in for addition of records during installation

Fixes #528943
---
 install/share/Makefile.am |1 -
 install/share/dns.ldif|   88 
 install/share/dns_reverse.ldif|   24 
 ipaserver/install/bindinstance.py |  115 ++---
 4 files changed, 82 insertions(+), 146 deletions(-)
 delete mode 100644 install/share/dns_reverse.ldif

diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index b74f990..e3e7cf6 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -16,7 +16,6 @@ app_DATA =\
 	default-keytypes.ldif		\
 	delegation.ldif			\
 	dns.ldif			\
-	dns_reverse.ldif		\
 	kerberos.ldif			\
 	indices.ldif			\
 	bind.named.conf.template	\
diff --git a/install/share/dns.ldif b/install/share/dns.ldif
index 8ce9d69..cb783b8 100644
--- a/install/share/dns.ldif
+++ b/install/share/dns.ldif
@@ -4,91 +4,3 @@ objectClass: nsContainer

Re: [Freeipa-devel] [PATCHES] Use the dns plugin during installation

2010-01-20 Thread Martin Nagy
On Thu, 2009-12-03 at 17:25 +0100, Martin Nagy wrote:
 Hi,
 these three patches should make sure that we add dns records the right
 way. It will also serve for the ipa-dns-install command that's almost
 ready, patch will be coming soon.
 
 Thanks
 Martin

New patches, rebased + some minor issues in the previous patches fixed,
please review.

Martin

[Freeipa-devel] [PATCHES] Add A and PTR records during ipa-replica-prepare

2010-01-20 Thread Martin Nagy
Hi,
these patches will allow one to specify an ip address of the replica to
ipa-replica-prepare. The dns records will then be added. This should
make life better for QA :)

Martin
From 05c6e118b748839012a7e8bc0613367d8d27d7a8 Mon Sep 17 00:00:00 2001
From: Martin Nagy mn...@redhat.com
Date: Mon, 23 Nov 2009 11:08:03 +0100
Subject: [PATCH 1/2] Get rid of ipapython.config in ipa-replica-prepare

Also get rid of functions get_host_name(), get_realm_name() and
get_domain_name(). They used the old ipapython.config. Instead, use the
variables from api.env. We also change them to bootstrap() and
finalize() correctly.
---
 install/tools/ipa-replica-install |   30 ++
 install/tools/ipa-replica-prepare |   78 -
 2 files changed, 30 insertions(+), 78 deletions(-)

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 349d518..cbdd08d 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -310,12 +310,21 @@ def main():
 except ldap.INVALID_CREDENTIALS, e :
 sys.exit(\nThe password provided is incorrect for LDAP server %s % config.master_host_name)
 
+# Create the management framework config file
+# Note: We must do this before bootstraping and finalizing ipalib.api
+fd = open(/etc/ipa/default.conf, w)
+fd.write([global]\n)
+fd.write(basedn= + util.realm_to_suffix(config.realm_name) + \n)
+fd.write(realm= + config.realm_name + \n)
+fd.write(domain= + config.domain_name + \n)
+fd.write(xmlrpc_uri=https://%s/ipa/xml\n; % config.host_name)
+fd.write(ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n % dsinstance.realm_to_serverid(config.realm_name))
 if ipautil.file_exists(config.dir + /ca.p12):
-ca_type = 'dogtag'
-else:
-ca_type = 'selfsign'
+fd.write(enable_ra=True\n)
+fd.write(ra_plugin=dogtag\n)
+fd.close()
 
-api.bootstrap(in_server=True, ra_plugin=ca_type)
+api.bootstrap(in_server=True)
 api.finalize()
 
 # Install CA cert so that we can do SSL connections with ldap
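Review bot: the removed else-branch set ra_plugin='selfsign' for a replica without ca.p12; the new default.conf writes enable_ra/ra_plugin only when ca.p12 exists, so the self-signed replica is left to ipalib's defaults. Confirm that is intended. Also, unlike the same block in ipa-server-install, this open(..., w) is not preceded by fstore.backup_file(), so re-running the replica install overwrites an existing default.conf with nothing to restore on uninstall.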
@@ -352,19 +361,6 @@ def main():
 # generated
 ds.add_cert_to_service()
 
-# Create the management framework config file
-fd = open(/etc/ipa/default.conf, w)
-fd.write([global]\n)
-fd.write(basedn= + util.realm_to_suffix(config.realm_name) + \n)
-fd.write(realm= + config.realm_name + \n)
-fd.write(domain= + config.domain_name + \n)
-fd.write(xmlrpc_uri=https://%s/ipa/xml\n; % config.host_name)
-fd.write(ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n % dsinstance.realm_to_serverid(config.realm_name))
-if ipautil.file_exists(config.dir + /ca.p12):
-fd.write(enable_ra=True\n)
-fd.write(ra_plugin=dogtag\n)
-fd.close()
-
 # Apply any LDAP updates. Needs to be done after the replica is synced-up
 service.print_msg(Applying LDAP updates)
 ds.apply_updates()
diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index bc86a41..175ac62 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -26,12 +26,10 @@ from ConfigParser import SafeConfigParser
 import krbV
 from optparse import OptionParser
 
-import ipapython.config
 from ipapython import ipautil
 from ipaserver.install import dsinstance, installutils, certs, httpinstance
 from ipaserver import ipaldap
 from ipapython import version
-from ipalib.constants import DEFAULT_CONFIG
 from ipalib import api
 import ldap
 
@@ -50,7 +48,6 @@ def parse_options():
 parser.add_option(-p, --password, dest=password, 
   help=Directory Manager (existing master) password)
 
-ipapython.config.add_standard_options(parser)
 options, args = parser.parse_args()
 
 # If any of the PKCS#12 options are selected, all are required. Create a
@@ -64,36 +61,8 @@ def parse_options():
 if len(args) != 1:
 parser.error(must provide the fully-qualified name of the replica)
 
-ipapython.config.init_config(options)
-
 return options, args
 
-def get_host_name():
-hostname = installutils.get_fqdn()
-try:
-installutils.verify_fqdn(hostname)
-except RuntimeError, e:
-logging.error(str(e))
-sys.exit(1)
-
-return hostname
-
-def get_realm_name():
-try:
-c = krbV.default_context()
-return c.default_realm
-except Exception, e:
-return None
-
-def get_domain_name():
-try:
-ipapython.config.init_config()
-domain_name = ipapython.config.config.get_domain()
-except Exception, e:
-return None
-
-return domain_name
-
 def check_ipa_configuration(realm_name):
 config_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))
 if not ipautil.dir_exists(config_dir):
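Review bot: removing get_host_name() also removes the installutils.verify_fqdn() check, and the logging.error/sys.exit on failure, that used to run before a replica file was prepared. Taking the name from api.env.host is fine, but unless verify_fqdn is called elsewhere in the new code, a master with a misconfigured hostname will now produce a replica file carrying bad hostname/realm values. Keep the verification call.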
@@ -119,8 +88,8 @@ def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname):
 #ca_db = certs.CertDB

[Freeipa-devel] [PATCH] Set BIND to use ldapi and use fake mname

2010-01-20 Thread Martin Nagy
Hi,
some additional comments are in the patch.

Martin
From 003b8ee61673216243fe872297d069cb476e5600 Mon Sep 17 00:00:00 2001
From: Martin Nagy mn...@redhat.com
Date: Wed, 25 Nov 2009 01:00:26 +0100
Subject: [PATCH] Set BIND to use ldapi and use fake mname

The fake_mname for now doesn't exist but is a feature that will be
added in the near future. Since any unknown arguments to bind-dyndb-ldap
are ignored, we are safe to use it now.
---
 install/share/bind.named.conf.template |3 ++-
 ipaserver/install/bindinstance.py  |2 ++
 2 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template
index 8b5fac2..d733d61 100644
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -32,8 +32,9 @@ include /etc/named.rfc1912.zones;
 
 dynamic-db ipa {
 	library ldap.so;
-	arg uri ldap://$FQDN;;
+	arg uri ldapi://%2fvar%2frun%2fslapd-$SERVER_ID.socket;
 	arg base cn=dns, $SUFFIX;
+	arg fake_mname $FQDN;
 	arg auth_method sasl;
 	arg sasl_mech GSSAPI;
 	arg sasl_user DNS/$FQDN;
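Review bot: moving from ldap://$FQDN to the ldapi socket is a good hardening step (the BIND-to-DS connection no longer crosses TCP), but two things to verify: the socket must be reachable by the user named runs as (GSSAPI still authenticates as DNS/$FQDN, but a socket mode that excludes that user breaks zone loading at startup), and the commit message's claim that bind-dyndb-ldap ignores unknown arguments such as fake_mname should be checked against the plug-in version actually shipped, since a stricter parser would refuse the whole dynamic-db block rather than just that line.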
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 8ee46d4..13e9e16 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -26,6 +26,7 @@ import installutils
 import ldap
 import service
 from ipaserver import ipaldap
+from ipaserver.install.dsinstance import realm_to_serverid
 from ipapython import sysrestore
 from ipapython import ipautil
 
@@ -222,6 +223,7 @@ class BindInstance(service.Service):
  DOMAIN=self.domain,
  HOST=self.host,
  REALM=self.realm,
+ SERVER_ID=realm_to_serverid(self.realm),
  FORWARDERS=fwds,
  SUFFIX=self.suffix,
  OPTIONAL_NTP=optional_ntp)
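Review bot: `SERVER_ID=realm_to_serverid(self.realm)` is spliced into the percent-encoded ldapi path `slapd-$SERVER_ID.socket`, so the value must not contain characters that would themselves need URL escaping; a short comment stating what realm_to_serverid returns (the realm with dots replaced, presumably) would make that safe to reason about. The same socket URI is hand-assembled in ipa-server-install when default.conf is written, so a single helper that builds the ldapi URI from a realm would keep the two from drifting apart.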
-- 
1.6.2.5


Re: [Freeipa-devel] [PATCH] 353 enable sssd and certmonger

2010-01-20 Thread Martin Nagy
On Wed, 2010-01-20 at 17:01 -0500, Rob Crittenden wrote:
 Configure sssd and certmonger in ipa-client-install
 
 This does a number of things under the hood:
 
 - Use authconfig to enable sssd in nss and pam
 - Configure /etc/sssd/sssd.conf to use our IPA provider
 - Enable the certmonger process and request a server cert
 - join the IPA domain and retrieve a principal. The client machine 
 *must* exist in IPA to be able to do a join.
 - And then undo all this on uninstall
 rob

Heh, joining FreeIPA and SSSD at last, cool :-)

ACK

Martin



Re: [Freeipa-devel] [PATCH] 344 require fully-qualified hostname in ipa-join

2010-01-20 Thread Martin Nagy
On Fri, 2010-01-08 at 16:04 -0500, Rob Crittenden wrote:
 Require a fully-qualified hostname in ipa-join. The server side will 
 enforce this as well but better to catch it early.
 
 rob

ACK

Martin



Re: [Freeipa-devel] Problem with ipa installation: certutil

2009-12-03 Thread Martin Nagy
On Wed, 2009-12-02 at 09:38 -0500, Rob Crittenden wrote:
 Martin Nagy wrote:
  Hi,
  I'm trying to install ipa and am getting a python traceback (attached).
  It seems that running certutil didn't succeed so I added a debugging
  print before its execution and tried to run it manually. This is what I
  get:
  
  # /usr/bin/certutil -d /etc/httpd/alias -S -n 'CA certificate' -s
  'cn=IPA Test Certificate Authority' -x -t 'CT,,C' -1 -2 -5 -m 1056 -v
  120 -z /etc/httpd/alias/noise.txt -f /etc/httpd/alias/pwdfile.txt
  certutil -o: unable to open tempcertreq for writing (-5950, 2)
  Exit 255
  
  (The Exit 255 is from my shell saying that certutil exited returning
  255). I did a git grep tempcertreq in freeipa git tree but didn't find
  anything, so I'm assuming we weren't creating it or anything. Does
  anyone know what might be causing this error?
  
  Martin
 
 This message comes directly from certutil itself. It tries to open the 
 file tempcertreq in the cwd.
 
 Odd since you are installing this as root, right? Perhaps you are in a 
 directory that no longer exists?

Correct. I was in my freeipa git directory when I executed
ipa-server-install but had to delete it and clone again in other
terminal.

 I seem to recall running into this in v1 as well and though we did a 
 chdir(). Maybe we do that in some places and not others.

Should we make a patch to prevent any future problems like this (even if
they are rare)? Maybe at the beginning we could chdir() to our current
directory to make sure, and abort if that fails.

Martin

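The failure discussed in this thread (certutil cannot create a relative temp file because the installer was started from a directory that no longer exists) is easy to reproduce and to guard against. The following is an added example, not code from FreeIPA or from the thread: it constructs the deleted-cwd situation in a temporary directory, shows the check failing, and then applies the kind of start-up guard Martin suggests. Falling back to `/` is this example's own choice; the names `cwd_is_valid`, `ensure_valid_cwd` and `demo_deleted_cwd` are hypothetical.

```python
import os
import tempfile


def cwd_is_valid():
    """Return True if the process's current directory still exists.

    On Linux os.getcwd() raises FileNotFoundError once the directory the
    process sits in has been removed, which is exactly the state in which
    child processes such as certutil fail to open relative paths.
    """
    try:
        os.getcwd()
        return True
    except FileNotFoundError:
        return False


def ensure_valid_cwd(fallback="/"):
    """Pin the process to an existing directory before spawning helpers.

    Returns the directory the process ends up in. If the fallback cannot be
    entered either, os.chdir raises and the installer should abort, which is
    the behaviour the thread asks for.
    """
    if cwd_is_valid():
        return os.getcwd()
    os.chdir(fallback)
    return os.getcwd()


def demo_deleted_cwd():
    """Constructed scenario: cd into a fresh temp dir, delete it from under
    ourselves, observe the check failing, then recover via the guard.

    Returns (validity before the guard, directory after the guard).
    """
    original = os.getcwd()
    doomed = tempfile.mkdtemp()          # constructed sample directory
    os.chdir(doomed)
    os.rmdir(doomed)                     # cwd is now a dangling inode
    before = cwd_is_valid()
    recovered = ensure_valid_cwd("/")
    os.chdir(original)                   # leave the interpreter where it was
    return before, recovered


if __name__ == "__main__":
    print(demo_deleted_cwd())            # (False, '/')
```

Running the guard once at the top of an installer, before any subprocess is spawned, is enough: every child inherits the corrected working directory.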


[Freeipa-devel] [PATCHES] Use the dns plugin during installation

2009-12-03 Thread Martin Nagy
Hi,
these three patches should make sure that we add dns records the right
way. It will also serve for the ipa-dns-install command that's almost
ready, patch will be coming soon.

Thanks
Martin
From edbd834dab63b86c04d9b1bb736c64cda3e38b2a Mon Sep 17 00:00:00 2001
From: Martin Nagy mn...@redhat.com
Date: Thu, 3 Dec 2009 16:32:56 +0100
Subject: [PATCH 1/3] Move api finalization in ipa-server-install after writing default.conf

We will need to have ipalib correctly configured before we start
installing DNS entries with api.Command.dns.
---
 install/tools/ipa-server-install |   45 ++---
 1 files changed, 22 insertions(+), 23 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 0694d6e..21bead1 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -481,18 +481,12 @@ def main():
 fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
 
 
+# Configuration for ipalib, we will bootstrap and finalize later, after
+# we are sure we have the configuration file ready.
 cfg = dict(
 in_server=True,
-webui_assets_dir=ASSETS_DIR,
 debug=options.debug
 )
-if not options.uninstall:
-if options.ca:
-cfg['ra_plugin'] = 'dogtag'
-else:
-cfg['ra_plugin'] = 'selfsign'
-api.bootstrap(**cfg)
-api.finalize()
 
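Review bot: the `ra_plugin` selection is dropped from `cfg` here, but the replacement only writes `ra_plugin=dogtag` into default.conf when `options.ca` is set; the removed `else: cfg['ra_plugin'] = 'selfsign'` branch has no counterpart, so the self-signed path now depends on ipalib's built-in default being `selfsign`. Confirm that default, or write `ra_plugin=selfsign` explicitly so the generated file documents the choice.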
 if options.uninstall:
 if not options.unattended:
@@ -502,6 +496,8 @@ def main():
 print Aborting uninstall operation.
 sys.exit(1)
 
+api.bootstrap(**cfg)
+api.finalize()
 return uninstall(not certs.ipa_self_signed())
 
 # This will override any settings passed in on the cmdline
@@ -662,6 +658,24 @@ def main():
 else:
 dns_forwarders = ()
 
+# Create the management framework config file and finalize api
+fstore.backup_file(/etc/ipa/default.conf)
+fd = open(/etc/ipa/default.conf, w)
+fd.write([global]\n)
+fd.write(basedn= + util.realm_to_suffix(realm_name) + \n)
+fd.write(realm= + realm_name + \n)
+fd.write(domain= + domain_name + \n)
+fd.write(xmlrpc_uri=https://%s/ipa/xml\n; % host_name)
+fd.write(ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n % dsinstance.realm_to_serverid(realm_name))
+fd.write(enable_ra=True\n)
+if options.ca:
+fd.write(ra_plugin=dogtag\n)
+fd.write('webui_assets_dir=' + ASSETS_DIR + '\n')
+fd.close()
+
+api.bootstrap(**cfg)
+api.finalize()
+
 if not options.unattended:
 print 
 print The following operations may take some minutes to complete.
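Review bot: default.conf is now written (and backed up via fstore) before the directory server, CA and HTTP instances exist, so an install that fails or is interrupted after this point leaves behind a config file whose `ldap_uri` socket and `xmlrpc_uri` were never brought up, and the uninstall path will bootstrap from it. Make sure the uninstall/cleanup code tolerates that, and consider creating the file with explicit permissions rather than inheriting the umask from `open(/etc/ipa/default.conf, w)`, since the installer may be run from a shell with a permissive umask.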
@@ -749,21 +763,6 @@ def main():
 http.create_instance(realm_name, host_name, domain_name, autoconfig=True, self_signed_ca=not options.ca)
 ipautil.run([/sbin/restorecon, /var/cache/ipa/sessions])
 
-# Create the management framework config file
-fstore.backup_file(/etc/ipa/default.conf)
-fd = open(/etc/ipa/default.conf, w)
-fd.write([global]\n)
-fd.write(basedn= + util.realm_to_suffix(realm_name) + \n)
-fd.write(realm= + realm_name + \n)
-fd.write(domain= + domain_name + \n)
-fd.write(xmlrpc_uri=https://%s/ipa/xml\n; % host_name)
-fd.write(ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n % dsinstance.realm_to_serverid(realm_name))
-fd.write(enable_ra=True\n)
-if options.ca:
-fd.write(ra_plugin=dogtag\n)
-fd.write('webui_assets_dir=' + ASSETS_DIR + '\n')
-fd.close()
-
 # Apply any LDAP updates. Needs to be done after the configuration file
 # is created
 service.print_msg(Applying LDAP updates)
-- 
1.6.2.5

From c601970aff98645e5c9d82b490d5b90acb26313f Mon Sep 17 00:00:00 2001
From: Martin Nagy mn...@redhat.com
Date: Tue, 10 Nov 2009 13:21:09 +0100
Subject: [PATCH 2/3] Use the dns plug-in for addition of records during installation

Fixes #528943
---
 install/share/Makefile.am |1 -
 install/share/dns.ldif|   88 
 install/share/dns_reverse.ldif|   24 
 ipaserver/install/bindinstance.py |  113 ++--
 4 files changed, 81 insertions(+), 145 deletions(-)
 delete mode 100644 install/share/dns_reverse.ldif

diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index b74f990..e3e7cf6 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -16,7 +16,6 @@ app_DATA =\
 	default-keytypes.ldif		\
 	delegation.ldif			\
 	dns.ldif			\
-	dns_reverse.ldif		\
 	kerberos.ldif			\
 	indices.ldif			\
 	bind.named.conf.template	\
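Review bot: removing `dns_reverse.ldif` from `app_DATA` matches the `delete mode 100644` entry in the diffstat, but `dns.ldif` stays in the list while the diffstat removes 88 lines from it; double-check that what remains of dns.ldif (the `cn=dns` container and its aci) is still a complete LDIF that the installer loads, and that no other installer code still references the reverse-zone file.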
diff --git a/install/share/dns.ldif b/install/share/dns.ldif
index 8ce9d69..cb783b8 100644
--- a/install/share/dns.ldif
+++ b/install/share/dns.ldif
@@ -4,91 +4,3 @@ objectClass: nsContainer
 objectClass: top
 cn: dns
 aci: (targetfilter = (objectClass=idnsRecord))(targetattr != aci)(version 3.0; acl DNS Servers Updates; allow (add,write,delete) groupdn = ldap

Re: [Freeipa-devel] [PATCH] Make ldap2.convert_attr_synonyms more robust against schema lookup fails.

2009-12-02 Thread Martin Nagy
On Fri, 2009-11-20 at 09:32 -0500, Rob Crittenden wrote:
 Pavel Zuna wrote:
  Rob Crittenden wrote:
  Pavel Zuna wrote:
  Rob Crittenden wrote:
  Pavel Zuna wrote:
  Rob Crittenden wrote:
  The user plugin is crapping out on line 317 of ldap2.py because 
  attr is coming back None. The attribute it is looking for is member.
 
  I think the fix involves setting member_attributes = ['member'] to 
  the user plugin.
 
  I wonder if we need to make the ldap2 plugin a bit more robust too 
  so it  can handle it better if the schema lookup returns None.
 
  rob
  This should fix the issue.
 
 
  Yes, this will fix it (I did a similar fix to work around it) but 
  what does it mean if there is no attribute found? Is that possible?
 
  Should we catch it and return a more specific error message instead?
 
  rob
 
  If it doesn't find the attribute, PROBABLY nothing will happen...
 
  Fortunately, we don't have to worry about it anymore. I played with 
  python-ldap a bit today and it seems to have the 
  convert_attr_synonyms functionality built-in. :)
 
  Here's a replacement patch.
 
  Pavel
 
  nack. I don't see where python-ldap is replacing it. We weren't seeing 
  it done before were we?
  That's because we were doing it wrong.
  
  We were requesting all attributes ('*') + ACIs ('aci'). After this patch 
  we explicitly request all attributes in the new entry (i.e. all 
  attributes that are going to be updated) and python-ldap will always 
  return them named as they were requested. In other words: If we request 
  localityName as l, python-ldap will return it as l, if we request it as 
  localityName, python-ldap will return it as localityName.
  
  Also, we need to request the 'aci' attribute for the aci plugin to work.
  And we do so, because after this patch, we're requesting all attributes 
  explicitly.
 
 
 Well, no, you're requesting all attributes in the current entry. The 
 code looked like this once before and caused the aci plugin to break. I 
 guess some other change fixed that, things are working as expected.
 
 ack
 
 rob

Pushed to master.
Martin



Re: [Freeipa-devel] [PATCH] Remove unnecessary error: prefixes

2009-12-02 Thread Martin Nagy
On Tue, 2009-12-01 at 10:12 -0500, Rob Crittenden wrote:
 Martin Nagy wrote:
  Martin
 
 ack

Pushed to master.
Martin



[Freeipa-devel] Problem with ipa installation: certutil

2009-12-02 Thread Martin Nagy
Hi,
I'm trying to install ipa and am getting a python traceback (attached).
It seems that running certutil didn't succeed so I added a debugging
print before its execution and tried to run it manually. This is what I
get:

# /usr/bin/certutil -d /etc/httpd/alias -S -n 'CA certificate' -s
'cn=IPA Test Certificate Authority' -x -t 'CT,,C' -1 -2 -5 -m 1056 -v
120 -z /etc/httpd/alias/noise.txt -f /etc/httpd/alias/pwdfile.txt
certutil -o: unable to open tempcertreq for writing (-5950, 2)
Exit 255

(The Exit 255 is from my shell saying that certutil exited returning
255). I did a git grep tempcertreq in freeipa git tree but didn't find
anything, so I'm assuming we weren't creating it or anything. Does
anyone know what might be causing this error?

Martin
ipa: DEBUG: [Errno 32] Broken pipe
  File /usr/sbin/ipa-server-install, line 791, in module
sys.exit(main())

  File /usr/sbin/ipa-server-install, line 673, in main
ds.create_instance(ds_user, realm_name, host_name, domain_name, 
dm_password, self_signed_ca=not options.ca, uidstart=options.uidstart, 
gidstart=options.gidstart)

  File /usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py, line 
193, in create_instance
self.start_creation(Configuring directory server:)

  File /usr/lib/python2.6/site-packages/ipaserver/install/service.py, line 
171, in start_creation
method()

  File /usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py, line 
342, in __enable_ssl
cadb.create_self_signed()

  File /usr/lib/python2.6/site-packages/ipaserver/install/certs.py, line 826, 
in create_self_signed
self.create_ca_cert()

  File /usr/lib/python2.6/site-packages/ipaserver/install/certs.py, line 357, 
in create_ca_cert
p.stdin.write(0\n1\n5\n9\ny\n)

[Freeipa-devel] [PATCH] Remove unnecessary error: prefixes

2009-12-01 Thread Martin Nagy
Martin
From 96c64ff2a1051c1e8bdcad9e8aef9488f0e26e87 Mon Sep 17 00:00:00 2001
From: Martin Nagy mn...@redhat.com
Date: Mon, 23 Nov 2009 08:42:30 +0100
Subject: [PATCH] Remove unnecessary error:  prefixes

The parser.error() method prepends the error:  prefix itself. Adding
it to the error string is not necessary and doesn't look good.
---
 install/tools/ipa-replica-prepare |2 +-
 install/tools/ipa-server-install  |   10 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index 3dc0ccc..bc86a41 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -59,7 +59,7 @@ def parse_options():
 pkcs12 = [options.dirsrv_pkcs12, options.http_pkcs12, options.dirsrv_pin, options.http_pin]
 cnt = pkcs12.count(None)
 if cnt  0 and cnt  4:
-parser.error(error: All PKCS#12 options are required if any are used.)
+parser.error(All PKCS#12 options are required if any are used.)
 
 if len(args) != 1:
 parser.error(must provide the fully-qualified name of the replica)
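Review bot: the two messages in this function now differ in style: `All PKCS#12 options are required if any are used.` is capitalised and ends with a full stop, while `must provide the fully-qualified name of the replica` is lowercase with no terminator. Since the point of the patch is how these read after optparse prepends `error: `, pick one form for both.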
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index be525f7..9b5946a 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -131,11 +131,11 @@ def parse_options():
 if (options.ds_user or options.realm_name or
 options.dm_password or options.admin_password or
 options.master_password):
-parser.error(error: In uninstall mode, -u, r, -p and -P options are not allowed)
+parser.error(In uninstall mode, -u, r, -p and -P options are not allowed)
 elif options.unattended:
 if (not options.ds_user or not options.realm_name or
 not options.dm_password or not options.admin_password):
-parser.error(error: In unattended mode you need to provide at least -u, -r, -p and -a options)
+parser.error(In unattended mode you need to provide at least -u, -r, -p and -a options)
 if options.setup_dns:
 if not options.forwarders and not options.no_forwarders:
 parser.error(You must specify at least one --forwarder option or --no-forwarders option)
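Review bot: the replaced line keeps a pre-existing typo, `-u, r, -p and -P` is missing the dash on `-r`; since the message is being touched anyway, change it to `-u, -r, -p and -P`.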
@@ -146,14 +146,14 @@ def parse_options():
 pkcs12 = [options.dirsrv_pkcs12, options.http_pkcs12, options.dirsrv_pin, options.http_pin]
 cnt = pkcs12.count(None)
 if cnt  0 and cnt  4:
-parser.error(error: All PKCS#12 options are required if any are used.)
+parser.error(All PKCS#12 options are required if any are used.)
 
 if (options.external_cert_file or options.external_ca_file) and not options.ca:
-parser.error(error: --ca required to use the external CA options.)
+parser.error(--ca required to use the external CA options.)
 
 if ((options.external_cert_file and not options.external_ca_file) or
(not options.external_cert_file and options.external_ca_file)):
-parser.error(error: if either external option is used, both are required.)
+parser.error(if either external option is used, both are required.)
 
 if options.external_ca and not options.ca:
 # Go ahead and be nice and fix things up
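Review bot: message capitalisation is mixed within this hunk: `All PKCS#12 options are required if any are used.` and `--ca required to use the external CA options.` against `if either external option is used, both are required.`; optparse prints these verbatim after `error: `, so settle on one casing while the lines are being edited.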
-- 
1.6.2.5


Re: [Freeipa-devel] [PATCH] Add idnsUpdatePolicy into the dns plug-in

2009-12-01 Thread Martin Nagy
On Tue, 2009-12-01 at 10:17 -0500, Rob Crittenden wrote:
 Martin Nagy wrote:
  Martin
  
 
 Should there be a validator on idnsUpdatePolicy to ensure that each 
 policy is terminated by a ;? If one wants to have multiple policies is 
 it set with idnspolicy=policy1;policy2;policy3;?
 
 Should the formatting be included in the doc message, or an example of 
 usage be added?

That might not be that easy to do, we would probably need to do more
than that, e.g. make sure bind can accept the policy string. For now,
I'm only adding the idnsupdatepolicy into the dns plugin so that I can
use it to create zones with it during installation (patch will follow
soon). Might I add the other bits later after I'm done with this?

Martin



Re: [Freeipa-devel] [PATCH] Ask the user before overwriting /etc/named.conf

2009-12-01 Thread Martin Nagy
On Tue, 2009-12-01 at 10:15 -0500, Rob Crittenden wrote:
 Martin Nagy wrote:
  Martin
  
 
 ack.
 
 As an aside, it might be nice if the actual package name(s) were used to 
 make it easier for the user to know exactly what they are missing for 
 BIND and the BIND LDAP plug-in.

Yeah, I guess you're right. New patch attached.

Martin
From 258092b18fcba45631202833975e71817b647450 Mon Sep 17 00:00:00 2001
From: Martin Nagy mn...@redhat.com
Date: Fri, 13 Nov 2009 16:57:51 +0100
Subject: [PATCH] Ask the user before overwriting /etc/named.conf

---
 install/tools/ipa-replica-install |6 ++
 install/tools/ipa-server-install  |6 ++
 ipaserver/install/bindinstance.py |   10 +-
 3 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index e8fabd7..9827bef 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -251,10 +251,8 @@ def check_dirsrv():
 sys.exit(1)
 
 def check_bind():
-if not bindinstance.check_inst():
-print --setup-dns was specified but bind or the BIND LDAP plug-in
-print is not installed on the system
-print Please install bind and the LDAP plug-in and restart the setup program
+if not bindinstance.check_inst(unattended=True):
+print Aborting installation
 sys.exit(1)
 
 def main():
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 748101d..34ddb0f 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -541,10 +541,8 @@ def main():
 
 # check bind packages are installed
 if options.setup_dns:
-if not bindinstance.check_inst():
-print --setup-dns was specified but bind or the BIND LDAP plug-in
-print is not installed on the system
-print Please install bind and the LDAP plug-in and restart the setup program
+if not bindinstance.check_inst(options.unattended):
+print Aborting installation
 return 1
 
 if options.ca:
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 2a922a3..e2edcd3 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -30,17 +30,25 @@ from ipapython import sysrestore
 from ipapython import ipautil
 from ipalib import api, util
 
-def check_inst():
+def check_inst(unattended):
 # So far this file is always present in both RHEL5 and Fedora if all the necessary
 # bind packages are installed (RHEL5 requires also the pkg: caching-nameserver)
 if not os.path.exists('/etc/named.rfc1912.zones'):
+print BIND was not found on this system
+print Please install the bind package and start the installation again
 return False
 
 # Also check for the LDAP BIND plug-in
 if not os.path.exists('/usr/lib/bind/ldap.so') and \
not os.path.exists('/usr/lib64/bind/ldap.so'):
+print The BIND LDAP plug-in was not found on this system
+print Please install the bind-dyndb-ldap package and start the installation again
 return False
 
+if not unattended and os.path.exists('/etc/named.conf'):
+msg = Existing BIND configuration detected, overwrite?
+return ipautil.user_input(msg, False)
+
 return True
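Review bot: `os.path.exists('/etc/named.conf')` triggers the prompt for any existing file, including a stock one that a distribution's bind package may install, so interactive installs could be asked to overwrite a configuration the user never touched; consider distinguishing an unmodified package default (or an IPA-generated file) from a customised one before prompting. `ipautil.user_input(msg, False)` defaulting to no is the safe choice, but the callers only print `Aborting installation`, so a hint here about moving the file aside or rerunning unattended would save the user a second failed run.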
 
 class BindInstance(service.Service):
-- 
1.6.2.5


Re: [Freeipa-devel] [PATCH] Fix boolean attributes in DNS plugin.

2009-11-30 Thread Martin Nagy
On Mon, 2009-11-30 at 10:49 +0100, Pavel Zuna wrote:
 Sometimes they worked fine and sometimes DS rejected them as invalid. Now they
 should always work.
 
 Pavel

Tested and ack.
Martin



Re: [Freeipa-devel] DNS schema

2009-11-09 Thread Martin Nagy
On Thu, 2009-11-05 at 18:16 -0500, Dmitri Pal wrote:
 Simo Sorce wrote:
  On Thu, 2009-11-05 at 14:37 -0500, Dmitri Pal wrote:

  Hi,
 
  Now when we decided to use latest DS that is available from 389 project
  for IPA v2 we can take advantage of the syntaxes that DS team has added.
  For example they added numeric syntax that was a part of the original
  DNS schema we planned for IPA.
  I remember we replaced the originally planned syntax with some other
  syntax that is available.
 
  Does it make sense to revert to the numeric syntax now or it is not a
  big deal?
  I am just concerned that once we will decide to do it the original way
  because we would think it is the right  thing to do and will face all
  sorts of migration issues.
  Ideas?
  
 
  Unless it is a major amount of work we should use the proper syntax.
  Especially for standard schema.
 
  Simo.
 

 It should not be a big deal IMO so Martin if you are ok with this I
 would like to ask Pavel
 to take it as an action item.

Dmitri,
I'm doing something in the neighborhood right now, so let me take care
of it, it'll only take little time.

Martin



Re: [Freeipa-devel] [PATCH] 288 man page for ipa-join

2009-10-12 Thread Martin Nagy
On Thu, 2009-10-08 at 11:11 -0400, Rob Crittenden wrote:
 Add a man page for the new ipa-join command.
 
 rob

+ipa\-join [ \fB\-h\fR hostname ] [ \fB\-k\fR keytab\-file ] [ \fB\-w\fR
bulk bind password ] [ \fB\-d\fR ] [ \fB\-q\fR ]

Can you use something like bulk-bind-password instead? (with dashes)

There is also some trailing white-space in the copyright notice and
after all .TP commands.

Martin



Re: [Freeipa-devel] [PATCH] 291 use DS memberof plugin

2009-10-12 Thread Martin Nagy
On Fri, 2009-10-09 at 17:29 -0400, Rob Crittenden wrote:
 Use the DS memberof plugin instead of the one contained in the IPA 
 source. I'm not removing that source yet, simply not building or 
 configuring it.
 
 rob

Looks good to me. Ack.
Martin



Re: [Freeipa-devel] [PATCH] 288 man page for ipa-join

2009-10-12 Thread Martin Nagy
Rob Crittenden wrote:
 Martin Nagy wrote:
  On Thu, 2009-10-08 at 11:11 -0400, Rob Crittenden wrote:
  Add a man page for the new ipa-join command.
 
  rob
  
  +ipa\-join [ \fB\-h\fR hostname ] [ \fB\-k\fR keytab\-file ] [ \fB\-w\fR
  bulk bind password ] [ \fB\-d\fR ] [ \fB\-q\fR ]
  
  Can you use something like bulk-bind-password instead? (with dashes)

Ah, I didn't mean that you should change -w. But rather, I would change
[ \fB\-w\fR bulk bind password ]
to something like this:
[ \fB\-w\fR bulk\-bind\-password ]

Similarly as we use keytab\-file and not keytab file.

 I picked -w since that is common to the openldap clients. I can add a 
 long version too.
 
  There is also some trailing white-space in the copyright notice and
  after all .TP commands.
 
 I think that the manpage editor I use, manedit, adds those. I can get 
 those cleaned up as well.
 
 Do you want another patch or just a promise that I'll fix these up?
 
 rob

Yes, if you do the changes you have an Ack.
Martin



Re: [Freeipa-devel] [PATCH] 286 cache installer questions

2009-10-12 Thread Martin Nagy
Rob Crittenden wrote:
 Martin Nagy wrote:
  Hi Rob,
  
  On Wed, 2009-10-07 at 10:57 -0400, Rob Crittenden wrote:
  Installing a CA that is signed by another CA is a 2-step process. The 
  first step is to generate a CSR for the CA and the second step is to 
  install the certificate issued by the external CA. To avoid asking 
  questions over and over (and potentially getting different answers) the 
  answers are cached.
 
  rob
  
  -try:
  -from ipaserver.install import cainstance
  -except ImportError:
  -print  sys.stderr, Import failed: %s % sys.exc_value
  -sys.exit(1)
  
  What's this? From just a quick look, it seems to me that this will cause
  troubles.
  
  Martin
  
 
 It was duplicated code, we check for that elsewhere.
 
 rob

Ah, right. Not thrilled that it's not in a separate patch but what the
heck. Ack.

Martin



Re: [Freeipa-devel] [PATCH] 277 properly own Apache config files

2009-09-17 Thread Martin Nagy
On Wed, 2009-09-16 at 13:05 -0400, Rob Crittenden wrote:
 I goofed on the paths in the original patch I sent on this a while back. 
 This corrects it.
 
 I know it looks like we're creating 0-length files here but with the 
 %ghost directive it won't create the files, just own them.
 
 rob

Why do you create all the directories and 'touch' the files in the
%install section when we own them using %ghost? I'm not 100% sure, but I
believe this isn't required.
What is the difference between /etc/ipa/ and /etc/httpd/conf.d/ ?

Martin



Re: [Freeipa-devel] [PATCH] 275 Fix deprecation warning

2009-09-17 Thread Martin Nagy
On Wed, 2009-09-16 at 13:03 -0400, Rob Crittenden wrote:
 This warning was logged in the Apache error log:
 
 /usr/lib/python2.6/site-packages/mod_python/importer.py:32: 
 DeprecationWarning: the md5 module is deprecated; use hashlib instead
 
 Try to import hashlib for md5 and if it fails, fall back to the 
 deprecated version. Tested on Python 2.4 and 2.6.
 
 rob

Ack.
Martin



Re: [Freeipa-devel] [PATCH] 277 properly own Apache config files

2009-09-17 Thread Martin Nagy
On Thu, 2009-09-17 at 09:06 -0400, Rob Crittenden wrote:
 Martin Nagy wrote:
  On Wed, 2009-09-16 at 13:05 -0400, Rob Crittenden wrote:
  I goofed on the paths in the original patch I sent on this a while back. 
  This corrects it.
 
  I know it looks like we're creating 0-length files here but with the 
  %ghost directive it won't create the files, just own them.
 
  rob
  
  Why do you create all the directories and 'touch' the files in the
  %install section when we own them using %ghost? I'm not 100% sure, but I
  believe this isn't required.
 
 These files are created by ipa-server-install, we don't provide empty 
 templates, but I don't want IPA to leave orphaned files.
 
 In order to reference a file in %files, even with %ghost, the file needs 
 to exist: 
 http://www.rpm.org/max-rpm-snapshot/s1-rpm-inside-files-list-directives.html
 
  What is the difference between /etc/ipa/ and /etc/httpd/conf.d/ ?
 
 /etc/ipa holds configuration files for IPA (the server, admin tools, etc).
 
 /etc/httpd/conf.d holds the IPA configuration file for Apache. So yes, 
 we have 2 files named ipa.conf that do completely different things.
 
 rob

Ack.

I was looking at the same page but didn't notice the example that
actually uses touch, sorry.

Martin



Re: [Freeipa-devel] [PATCH] 265 fix dnaMaxValue

2009-09-09 Thread Martin Nagy
Rob Crittenden wrote:
 Ensure that dnaMaxValue is higher than dnaNextValue at install time. If 
 you don't specify a specific uid/gid start value then a random one gets 
 set. We need to be sure that the max value is more than this.
 
 I picked a 10 range to ensure that there is some headroom for replicas.
 
 rob

Ack.
Martin



Re: [Freeipa-devel] [PATCH] jderose 016 Fixed undefined `dns_forwarders` in ipa-server-install

2009-09-09 Thread Martin Nagy
David O'Brien wrote:
 Jason Gerard DeRose wrote:
  In ipa-server-install, if options.setup_dns is False, the
  `dns_forwarders` variable doesn't get defined, and so things crap out
  when bind.setup() is called in line 649.

 
 I'm assuming this is what causes the local variable 'dns_forwarders' 
 referenced before assignment error in the install process? Can I work 
 around this just by using --no-forwarders? (I'm about to find out...)

Yes, but then you have to also use --setup-dns. You can try to apply
the patch, or simply just apply the changes by hand. But this is
already pushed in git, so..

Martin



Re: [Freeipa-devel] [PATCH] jderose 016 Fixed undefined `dns_forwarders` in ipa-server-install

2009-09-08 Thread Martin Nagy
On Tue, 2009-09-08 at 01:12 -0600, Jason Gerard DeRose wrote:
 In ipa-server-install, if options.setup_dns is False, the
 `dns_forwarders` variable doesn't get defined, and so things crap out
 when bind.setup() is called in line 649.

Ack and pushed.
Martin



[Freeipa-devel] [PATCH] Add forgotten chunks from commit 4e5a68397a102f0be

2009-09-08 Thread Martin Nagy
I accidentally pushed the older patch that didn't contain bits for
ipa-replica-install.

Martin
From 63b61e9c0a8b1b4de7426a96085de0a9b029ee2a Mon Sep 17 00:00:00 2001
From: Martin Nagy mn...@redhat.com
Date: Tue, 1 Sep 2009 23:28:52 +0200
Subject: [PATCH] Add forgotten chunks from commit 4e5a68397a102f0be

I accidentally pushed the older patch that didn't contain bits for
ipa-replica-install.
---
 install/tools/ipa-replica-install   |   22 --
 install/tools/man/ipa-replica-install.1 |   12 +++-
 2 files changed, 31 insertions(+), 3 deletions(-)

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 7f0ec32..0571f94 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -60,12 +60,26 @@ def parse_options():
   help=Directory Manager (existing master) password)
 parser.add_option(--setup-dns, dest=setup_dns, action=store_true,
   default=False, help=configure bind with our zone)
+parser.add_option(--forwarder, dest=forwarders, action=append,
+  help=Add a DNS forwarder)
+parser.add_option(--no-forwarders, dest=no_forwarders, action=store_true,
+  default=False, help=Do not add any DNS forwarders, use root servers instead)
 
 options, args = parser.parse_args()
 
 if len(args) != 1:
 parser.error(you must provide a file generated by ipa-replica-prepare)
 
+if not options.setup_dns:
+if options.forwarders:
+parser.error(You cannot specify a --forwarder option without the --setup-dns option)
+if options.no_forwarders:
+parser.error(You cannot specify a --no-forwarders option without the --setup-dns option)
+elif options.forwarders and options.no_forwarders:
+parser.error(You cannot specify a --forwarder option together with --no-forwarders)
+elif not options.forwarders and not options.no_forwarders:
+parser.error(You must specify at least one --forwarder option or --no-forwarders option)
+
 return options, args[0]
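Review bot: the `--forwarder` values are accepted as free strings (the man page hunk in this patch types them as `IP_ADDRESS`) and are later handed to the BIND configuration template, so a value that is not an IP address produces a named.conf that fails at service start rather than a `parser.error` at this point. Validate each forwarder as an IPv4 or IPv6 literal here, where the other option consistency checks already live.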
 
 def get_dirman_password():
@@ -189,10 +203,14 @@ def install_http(config):
 print error copying files:  + str(e)
 sys.exit(1)
 
-def install_bind(config):
+def install_bind(config, options):
+if options.forwarders:
+forwarders = options.forwarders
+else:
+forwarders = ()
 bind = bindinstance.BindInstance(dm_password=config.dirman_password)
 ip_address = resolve_host(config.host_name)
-bind.setup(config.host_name, ip_address, config.realm_name, config.domain_name)
+bind.setup(config.host_name, ip_address, config.realm_name, config.domain_name, forwarders)
 bind.create_instance()
 
 def check_dirsrv():
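Review bot: install_bind's signature changes to (config, options) here, but the call site in main() is not part of this patch; if main() still calls install_bind(config), a replica installed with --setup-dns fails with a TypeError after dirsrv, the KDC and httpd are already configured. Confirm the caller passes options (the later "Setup bind only after restarting kdc and dirsrv" patch shows it as install_bind(config, options)).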
diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1
index 168f665..dd9a9ae 100644
--- a/install/tools/man/ipa-replica-install.1
+++ b/install/tools/man/ipa-replica-install.1
@@ -37,7 +37,17 @@ Do not configure NTP
 Directory Manager (existing master) password
 .TP
 \fB\-\-setup\-dns\fR
-Generate a DNS zone if it does not exist already and configure the DNS server
+Generate a DNS zone if it does not exist already and configure the DNS server.
+This option requires that you either specify at least one DNS forwarder through
+the \fB\-\-forwarder\fR option or use the \fB\-\-no\-forwarders\fR option.
+.TP 
+\fB\-\-forwarder\fR=\fIIP_ADDRESS\fR
+Add a DNS forwarder to the DNS configuration. You can use this option multiple
+times to specify more forwarders, but at least one must be provided, unless
+the \fB\-\-no\-forwarders\fR option is specified.
+.TP
+\fB\-\-no\-forwarders\fR
+Do not add any DNS forwarders. Root DNS servers will be used instead.
 .SH EXIT STATUS
 0 if the command was successful
 
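Review bot: the `.TP ` line added before `\fB\-\-forwarder\fR` carries a trailing space; drop it so it matches the other `.TP` macros in this hunk. The --forwarder entry already shows `=IP_ADDRESS`, which makes it clear that each occurrence takes a single address; that is consistent with the parser, which does not accept a comma-separated list in this patch.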
-- 
1.6.2.5


Re: [Freeipa-devel] [PATCH] Use DNS forwarders in /etc/named.conf

2009-09-07 Thread Martin Nagy
On Mon, 2009-09-07 at 07:54 +1000, David O'Brien wrote:
 Martin Nagy wrote:
  On Fri, 2009-09-04 at 09:50 +1000, David O'Brien wrote:

  Martin Nagy wrote:
  
  Hi,
  This patch adds options --forwarder and --no-forwarders. At least one of
  them must be used if you are doing a setup with DNS server. They are
  also mutually exclusive. The --forwarder option can be used more than
  once to specify more servers. If the installer runs in interactive mode,
  it will prompt the user if none of these options was given at the command
 
  Martin

  Something like ipa-server-install --setup-dns --forwarder IP 
  --forwarder IP ?
  You can't use a separated list of IP addresses to save space and typing?
 
  That may go against coding style or practice, I don't know...
 
  /me has user hat on  :-)
  
 
  Hm, well, we use a python module to handle option parsing [1] and this
  is the way it handles lists. We could allow the IP addresses to be
  separated by, say, ',' but this also has the risk that the user will do
  --forwarder 1.2.3.4, 2.3.4.5 which of course wouldn't work (the last
  IP is treated as a positional argument).
 
  Martin
 
  [1] http://docs.python.org/library/optparse.html
 

 ok, well if it's SOP to handle options this way I'm not about to suggest 
 otherwise[1], but if there were a user-friendly way of doing it that 
 didn't bend or break any rules I'd make more noise.
 
 cheers
 David
 
 [1] One of the goals in ECS' style guide is to adhere as much as 
 possible to industry standards and standard practice, not invent new 
 ones that Red Hat likes better.

I'll patch it to also accept comma-separated IP addresses, it's not that
big a deal :)

Martin



Re: [Freeipa-devel] [PATCH] Use DNS forwarders in /etc/named.conf

2009-09-04 Thread Martin Nagy
On Fri, 2009-09-04 at 09:50 +1000, David O'Brien wrote:
 Martin Nagy wrote:
  Hi,
  This patch adds options --forwarder and --no-forwarders. At least one of
  them must be used if you are doing a setup with DNS server. They are
  also mutually exclusive. The --forwarder option can be used more than
  once to specify more servers. If the installer runs in interactive mode,
  it will prompt the user if none of these options was given at the command
 
  Martin
  
 
 Something like ipa-server-install --setup-dns --forwarder IP 
 --forwarder IP ?
 You can't use a separated list of IP addresses to save space and typing?
 
 That may go against coding style or practice, I don't know...
 
 /me has user hat on  :-)

Hm, well, we use a python module to handle option parsing [1] and this
is the way it handles lists. We could allow the IP addresses to be
separated by, say, ',' but this also has the risk that the user will do
--forwarder 1.2.3.4, 2.3.4.5 which of course wouldn't work (the last
IP is treated as a positional argument).

Martin

[1] http://docs.python.org/library/optparse.html
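The optparse behaviour Martin describes (an `append` option that takes one value per occurrence, so that `--forwarder 1.2.3.4, 2.3.4.5` leaves `2.3.4.5` as a stray positional argument) and the comma-separated form he agrees to accept in his later reply can both be handled with an optparse callback. The following is an added example, not code from the patch or from FreeIPA; it keeps the option names and consistency checks from the patch, but the function and class names (parse_dns_options, parse_forwarder_list, usage_error_for, UsageError, NonExitingParser), the use of Python's ipaddress module for validation, and the assumption that the installer takes no positional arguments (as ipa-server-install does) are mine.

```python
"""Option parsing for --setup-dns / --forwarder / --no-forwarders.

Added example modelled on the patch's parse_options(); it additionally
accepts comma-separated forwarder lists and validates each address.
Not FreeIPA code: the function and class names here are illustrative.
"""
import ipaddress
import optparse


class UsageError(Exception):
    """Raised in place of optparse's sys.exit(2) so the caller can decide."""


class NonExitingParser(optparse.OptionParser):
    """optparse's error() prints usage and exits; raise instead."""

    def error(self, msg):
        raise UsageError(msg)


def parse_forwarder_list(value):
    """Split '1.2.3.4,2.3.4.5' into validated, canonical address strings.

    Rejects anything that is not an IP literal and every loopback address,
    since a forwarder of 127.0.0.1 would make named forward queries to itself.
    """
    addrs = []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue  # tolerate a trailing comma, e.g. "--forwarder 1.2.3.4,"
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            raise UsageError("%r is not a valid IP address" % raw)
        if ip.is_loopback:
            raise UsageError("You cannot use localhost (%s) as a DNS forwarder" % ip)
        addrs.append(str(ip))  # canonical form: '::1' rather than '0:0:0:0:0:0:0:1'
    return addrs


def _append_forwarders(option, opt_str, value, parser):
    """optparse callback: extend the list so repeated --forwarder options
    and a single comma-separated value both end up in one flat list."""
    current = getattr(parser.values, option.dest) or []
    current.extend(parse_forwarder_list(value))
    setattr(parser.values, option.dest, current)


def build_parser():
    parser = NonExitingParser(usage="%prog [options]")
    parser.add_option("--setup-dns", dest="setup_dns", action="store_true",
                      default=False, help="configure bind with our zone")
    parser.add_option("--forwarder", dest="forwarders", action="callback",
                      callback=_append_forwarders, type="string",
                      help="Add a DNS forwarder (repeat, or comma-separate)")
    parser.add_option("--no-forwarders", dest="no_forwarders",
                      action="store_true", default=False,
                      help="Do not add any DNS forwarders, use root servers instead")
    return parser


def parse_dns_options(argv):
    """Return (setup_dns, forwarders) after the patch's consistency checks.

    Assumes an installer without positional arguments (like ipa-server-install),
    so anything left over is a mistake such as '--forwarder 1.2.3.4, 2.3.4.5',
    where the space turns '2.3.4.5' into a positional argument.
    """
    parser = build_parser()
    options, args = parser.parse_args(list(argv))
    if args:
        parser.error("unexpected argument(s): %s (separate forwarders with "
                     "commas and no spaces)" % " ".join(args))
    forwarders = options.forwarders or []
    if not options.setup_dns:
        if forwarders:
            parser.error("You cannot specify a --forwarder option without the --setup-dns option")
        if options.no_forwarders:
            parser.error("You cannot specify a --no-forwarders option without the --setup-dns option")
    elif forwarders and options.no_forwarders:
        parser.error("You cannot specify a --forwarder option together with --no-forwarders")
    elif not forwarders and not options.no_forwarders:
        parser.error("You must specify at least one --forwarder option or --no-forwarders option")
    return options.setup_dns, forwarders


def usage_error_for(argv):
    """Return the UsageError message for argv, or None if it parses cleanly."""
    try:
        parse_dns_options(argv)
    except UsageError as err:
        return str(err)
    return None


if __name__ == "__main__":
    import sys
    print(parse_dns_options(sys.argv[1:]))
```

Validating at parse time keeps a bad forwarder from reaching named.conf, where it would only be noticed when the service fails to start, and rejecting loopback addresses avoids a resolver that forwards to itself.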



Re: [Freeipa-devel] [PATCH] Start bind only after restarting kdc and dirsrv

2009-09-02 Thread Martin Nagy
On Wed, 2009-09-02 at 08:41 -0400, Simo Sorce wrote:
 On Wed, 2009-09-02 at 02:37 +0200, Martin Nagy wrote:
  BIND starting before we apply LDAP updates and restart kdc and
  directory
  server causes trouble. We resolve this for now by postponing BIND
  start
  to the end of installation.
 
 Ack,
 Simo.

Self-nack. I will need to use the xmlrpc plug-ins and decided that it
will be better to move the whole installation of bind after kdc and
directory server are restarted. I'll post the new patch after some
testing.

Martin



[Freeipa-devel] [PATCH 1/3] Setup bind only after restarting kdc and dirsrv

2009-09-02 Thread Martin Nagy
BIND starting before we apply LDAP updates and restart kdc and directory
server causes trouble. We resolve this for now by postponing BIND setup
to the end of installation. Another reason is that we will be using
xml-rpc during the setup in the future.

Martin
From ec71011ff70fc0bc811c505e1be2325cd36a8752 Mon Sep 17 00:00:00 2001
From: Martin Nagy mn...@redhat.com
Date: Wed, 2 Sep 2009 12:24:17 +0200
Subject: [PATCH 1/3] Setup bind only after restarting kdc and dirsrv

BIND starting before we apply LDAP updates and restart kdc and directory
server causes trouble. We resolve this for now by postponing BIND setup
to the end of installation. Another reason is that we will be using
xml-rpc during the setup in the future.
---
 install/tools/ipa-replica-install |5 +++--
 install/tools/ipa-server-install  |   16 
 2 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index a4d8848..6dd9488 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -328,8 +328,6 @@ def main():
 
 install_krb(config)
 install_http(config)
-if options.setup_dns:
-install_bind(config, options)
 if CA:
 CA.import_ra_cert(dir + /ra.p12)
 CA.fix_ra_perms()
@@ -362,6 +360,9 @@ def main():
 service.restart(dirsrv)
 service.restart(krb5kdc)
 
+if options.setup_dns:
+install_bind(config, options)
+
 # Call client install script
 try:
 ipautil.run([/usr/sbin/ipa-client-install, --on-master, --unattended, --domain, config.domain_name, --server, config.host_name, --realm, config.realm_name])
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 2c890b4..03ee6f4 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -633,14 +633,6 @@ def main():
 fd.write(enable_ra=True\n)
 fd.close()
 
-# Create a BIND instance
-bind = bindinstance.BindInstance(fstore, dm_password)
-bind.setup(host_name, ip_address, realm_name, domain_name, dns_forwarders)
-if options.setup_dns:
-bind.create_instance()
-else:
-bind.create_sample_bind_zone()
-
 # Apply any LDAP updates. Needs to be done after the configuration file
 # is created
 service.print_msg(Applying LDAP updates)
@@ -653,6 +645,14 @@ def main():
 service.print_msg(restarting the KDC)
 krb.restart()
 
+# Create a BIND instance
+bind = bindinstance.BindInstance(fstore, dm_password)
+bind.setup(host_name, ip_address, realm_name, domain_name, dns_forwarders)
+if options.setup_dns:
+bind.create_instance()
+else:
+bind.create_sample_bind_zone()
+
 # Set the admin user kerberos password
 ds.change_admin_password(admin_password)
 
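Review bot: in the relocated block, bind.setup(host_name, ip_address, realm_name, domain_name, dns_forwarders) runs before the `if options.setup_dns:` test, so dns_forwarders has to be bound on the non-DNS path as well; make sure main() initialises it (an empty list will do) when --setup-dns is not given, otherwise the create_sample_bind_zone() branch dies with a NameError. The move also means a BIND setup failure now occurs after dirsrv and the KDC have been restarted, so the error printed at that point should name the BIND step so the administrator knows the rest of the install completed.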
-- 
1.6.2.5


[Freeipa-devel] [PATCH 2/3] Remove old --setup-bind option

2009-09-02 Thread Martin Nagy
Since we are changing the behaviour of the --setup-dns option
substantially, we might as well remove the old --setup-bind option.

Martin
From 245db49b6fb70ec02bb97f3fa338d7a8a2052803 Mon Sep 17 00:00:00 2001
From: Martin Nagy mn...@redhat.com
Date: Wed, 2 Sep 2009 12:27:42 +0200
Subject: [PATCH 2/3] Remove old --setup-bind option

Since we are changing the behaviour of the --setup-dns option
substantially, we might as well remove the old --setup-bind option.
---
 install/tools/ipa-server-install |3 ---
 1 files changed, 0 insertions(+), 3 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 03ee6f4..306bed5 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -79,9 +79,6 @@ def parse_options():
   default=False, help=Configure a CA instance)
 parser.add_option(--hostname, dest=host_name, help=fully qualified name of server)
 parser.add_option(--ip-address, dest=ip_address, help=Master Server IP Address)
-# FIXME: Remove this option
-parser.add_option(--setup-bind, dest=setup_dns, action=store_true,
-  default=False, help=configure bind with our zone file)
 parser.add_option(--setup-dns, dest=setup_dns, action=store_true,
   default=False, help=configure bind with our zone)
 parser.add_option(--forwarder, dest=forwarders, action=append,
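Review bot: dropping --setup-bind without keeping it as a hidden alias means any existing script that passes it now gets optparse's "no such option" error instead of a deprecation warning; given the FIXME marking it for removal that is acceptable, but this diff only touches the parser, so check that the ipa-server-install man page does not still document --setup-bind.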
-- 
1.6.2.5


Re: [Freeipa-devel] [PATCH 2/3] Remove old --setup-bind option

2009-09-02 Thread Martin Nagy
Rob Crittenden wrote:
 Martin Nagy wrote:
  Since we are changing the behaviour of the --setup-dns option
  substantially, we might as well remove the old --setup-bind option.
  
  Martin
 
 
 ack

Pushed



Re: [Freeipa-devel] [PATCH 3/3] Add A and PTR records of ourselves during installation

2009-09-02 Thread Martin Nagy
Rob Crittenden wrote:
 Martin Nagy wrote:
  If the DNS zones already exist but don't contain our own records, add
  them. This patch introduces the ipalib.api into the installers. For now,
  the code is still a little messy. Later patches will abandon the way we
  create zones now and use ipalib.api exclusively.
  
  Martin
 
 ack

Pushed



[Freeipa-devel] [PATCH] Use DNS forwarders in /etc/named.conf

2009-09-01 Thread Martin Nagy
Hi,
This patch adds options --forwarder and --no-forwarders. At least one of
them must be used if you are doing a setup with DNS server. They are
also mutually exclusive. The --forwarder option can be used more than
once to specify more servers. If the installer runs in interactive mode,
it will prompt the user if none of these options was given at the command

Martin
From 2dbd272bdbd366c4e1fc9a1b7456c5c6d12377ab Mon Sep 17 00:00:00 2001
From: Martin Nagy mn...@redhat.com
Date: Tue, 1 Sep 2009 23:28:52 +0200
Subject: [PATCH] Use DNS forwarders in /etc/named.conf

This patch adds options --forwarder and --no-forwarders. At least one of
them must be used if you are doing a setup with DNS server. They are
also mutually exclusive. The --forwarder option can be used more than
once to specify more servers. If the installer runs in interactive mode,
it will prompt the user if none of these options was given at the command
line.
---
 install/share/bind.named.conf.template |3 ++
 install/tools/ipa-server-install   |   46 +++-
 install/tools/man/ipa-server-install.1 |   12 +++-
 ipaserver/install/bindinstance.py  |   13 -
 4 files changed, 71 insertions(+), 3 deletions(-)

diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template
index 69bd86b..8b5fac2 100644
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -5,6 +5,9 @@ options {
 	statistics-file		data/named_stats.txt;
 	memstatistics-file	data/named_mem_stats.txt;
 
+	forward first;
+	forwarders {$FORWARDERS};
+
 	tkey-gssapi-credential DNS/$FQDN;
 	tkey-domain $REALM;
 };
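Review bot: `forward first;` makes named fall back to iterative resolution from the root hints whenever the listed forwarders fail to answer, so a site that relies on the forwarder as the only resolver allowed out through its firewall gets silent fallback instead of a resolution error; if that is not intended, `forward only;` is the stricter setting, and either way the choice deserves a comment in the template. The template also assumes `$FORWARDERS` expands to a semicolon-terminated list (for the thread's addresses, `1.2.3.4; 2.3.4.5;`); the bindinstance.py change that builds that string is not in the visible part of the patch, so confirm each address gets its trailing `;`, or named will refuse to load the file. With --no-forwarders the expansion is `forwarders {};`, which BIND accepts as "no forwarding".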
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index d0e9397..2c890b4 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -84,6 +84,10 @@ def parse_options():
   default=False, help=configure bind with our zone file)
 parser.add_option(--setup-dns, dest=setup_dns, action=store_true,
   default=False, help=configure bind with our zone)
+parser.add_option(--forwarder, dest=forwarders, action=append,
+  help=Add a DNS forwarder)
+parser.add_option(--no-forwarders, dest=no_forwarders, action=store_true,
+  default=False, help=Do not add any DNS forwarders, use root servers instead)
 parser.add_option(-U, --unattended, dest=unattended, action=store_true,
   default=False, help=unattended installation never prompts the user)
 parser.add_option(, --uninstall, dest=uninstall, action=store_true,
@@ -108,6 +112,14 @@ def parse_options():
   help=The starting gid value (default random))
 options, args = parser.parse_args()
 
+if not options.setup_dns:
+if options.forwarders:
+parser.error(You cannot specify a --forwarder option without the --setup-dns option)
+if options.no_forwarders:
+parser.error(You cannot specify a --no-forwarders option without the --setup-dns option)
+elif options.forwarders and options.no_forwarders:
+parser.error(You cannot specify a --forwarder option together with --no-forwarders)
+
 if options.uninstall:
 if (options.ds_user or options.realm_name or
 options.dm_password or options.admin_password or
@@ -117,6 +129,9 @@ def parse_options():
 if (not options.ds_user or not options.realm_name or
 not options.dm_password or not options.admin_password):
 parser.error(error: In unattended mode you need to provide at least -u, -r, -p and -a options)
+if options.setup_dns:
+if not options.forwarders and not options.no_forwarders:
+parser.error(You must specify at least one --forwarder option or --no-forwarders option)
 
 # If any of the PKCS#12 options are selected, all are required. Create a
 # list of the options and count it to enforce that all are required without
@@ -210,6 +225,27 @@ def read_ip_address(host_name):
 
 return ip
 
+def read_dns_forwarders():
+addrs = []
+while True:
+ip = user_input(Enter IP address for a DNS forwarder (empty to stop), allow_empty=True)
+
+if not ip:
+break
+if ip == 127.0.0.1 or ip == ::1:
+print You cannot use localhost as a DNS forwarder
+continue
+if not verify_ip_address(ip):
+continue
+
+print DNS forwarder %s added % ip
+addrs.append(ip)
+
+if not addrs:
+print No DNS forwarders configured
+
+return addrs
+
 def read_ds_user():
 print The server must run as a specific user in a specific group.
 print It is strongly recommended that this user should have no privileges
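Review bot: the localhost check in read_dns_forwarders compares against the literal strings `127.0.0.1` and `::1` only, so `127.0.0.2`, `0:0:0:0:0:0:0:1`, or the address of the host being installed (which would make named forward to itself) all pass. Suggest testing for membership in the loopback networks rather than two spellings, and also rejecting the ip_address resolved for the server earlier in the installer. The bare `continue` after a failed verify_ip_address() also assumes that helper prints its own diagnostic; if it does not, the user is re-prompted with no explanation.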
@@ -504,6 +540,14 @@ def main():
 else:
 admin_password = options.admin_password
 
+if options.setup_dns:
+if options.no_forwarders

Re: [Freeipa-devel] [PATCH] 243 clean up v1.2 LDAP module

2009-07-29 Thread Martin Nagy
On Wed, 29 Jul 2009 10:12:51 -0400, Rob Crittenden
rcrit...@redhat.com wrote:

 The 1.2 LDAP module was throwing a deprecation warning for using
 popen2 and pychecker found a slew of other issues as well.
 
 This patch removes a bunch of unused imports, renames some variables 
 that shadowed builtins and renames some functions.
 
 exportLDIF() calls a function that isn't provided. This must have
 gotten left over from when I ported this from Rich's original LDAP
 module which did all sorts of stuff. I think we can drop this as it
 doesn't even work but wanted to throw it out there on the off-chance
 that someone found a way to use it.
 
 rob

Ack

Martin
