[Freeipa-devel] [PATCH] Add a new user-add flag param to disable the creation of UPG.
This patch handles the issue in a kind of stupid way, but I couldn't think of anything better. It adds a new flag parameter to user-add (--noprivate). With this flag, the command marks the private group about to be created for deletion and is deleted after the user is created. The only exception is when there is a group, that is named the same way as the user, but isn't a private group - then the group is left there. Private groups are created automatically by the managed entry DS plugin and I didn't find a way to disable its creation for a specific user. Ticket #1131 Pavel From 28d6663b67894f1697e900f7d9518c2f7c168371 Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Mon, 28 Mar 2011 15:10:57 -0400 Subject: [PATCH] Add a new user-add flag param to disable the creation of UPG. Ticket #1131 --- ipalib/plugins/user.py | 21 ++--- 1 files changed, 18 insertions(+), 3 deletions(-) diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index c3bcddd..66ca8d8 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -250,10 +250,17 @@ class user_add(LDAPCreate): Add a new user. - msg_summary = _('Added user %(value)s') +takes_options = LDAPCreate.takes_args + ( +Flag('noprivate', +cli_name='noprivate', +doc=_('don\'t create user private group'), +), +) + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): +setattr(context, 'delupg', options.get('noprivate', False)) try: # The Managed Entries plugin will allow a user to be created # even if a group has a duplicate name. This would leave a user @@ -263,7 +270,9 @@ class user_add(LDAPCreate): self.api.Command['user_show'](keys[-1]) raise errors.DuplicateEntry() except errors.NotFound: -raise errors.ManagedGroupExistsError(group=keys[-1]) +if not options.get('noprivate', False): +raise errors.ManagedGroupExistsError(group=keys[-1]) +setattr(context, 'delupg', False) except errors.NotFound: pass validate_nsaccountlock(entry_attrs) 
@@ -291,7 +300,7 @@ class user_add(LDAPCreate): if 'gidnumber' not in entry_attrs: # gidNumber wasn't specified explicity, find out what it should be -if ldap.has_upg(): +if not options.get('noprivate', False) and ldap.has_upg(): # User Private Groups - uidNumber == gidNumber entry_attrs['gidnumber'] = entry_attrs['uidnumber'] else: @@ -317,6 +326,12 @@ class user_add(LDAPCreate): def_primary_group = config.get('ipadefaultprimarygroup') group_dn = self.api.Object['group'].get_dn(def_primary_group) ldap.add_entry_to_group(dn, group_dn) +if getattr(context, 'delupg', False): +try: +self.api.Command['group_detach'](keys[-1]) +self.api.Command['group_del'](keys[-1]) +except errors.NotFound: +pass return dn api.register(user_add) -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
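Review bot: in the first hunk, `takes_options = LDAPCreate.takes_args + (` builds the option list from the base class's arguments tuple rather than its options, so any options LDAPCreate declares are silently dropped from user-add and the new Flag ends up as the only option; this should read `LDAPCreate.takes_options + (...)`. Please also confirm that Flag and context are already imported in user.py, since the hunk adds neither import.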
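Review bot: the `-raise errors.ManagedGroupExistsError` / `+if not options.get('noprivate', False):` hunk is the only place the delupg flag on the thread-local context is cleared, while it is set unconditionally at the top of pre_callback; if anything between pre_callback and the deletion step raises, the flag stays on the context for whatever that thread handles next unless the framework resets context per request. Carrying the decision in options (the gidnumber hunk already re-reads options.get('noprivate', False)) would avoid the shared state entirely.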
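Review bot: in the last hunk only errors.NotFound is caught around group_detach and group_del; any other error from those commands propagates after the user entry has been created and added to the default primary group, so the client sees a failure for a user that now exists, still with its private group attached. Either widen the handling (log and still return the user) or document that partial state, and add a comment explaining why the group is deleted after the fact, i.e. that the Managed Entries plugin could not be bypassed per user, since that reasoning currently lives only in this mail.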
Re: [Freeipa-devel] [PATCH] Add a new user-add flag param to disable the creation of UPG.
On 2011-03-28 23:05, Rob Crittenden wrote:

Pavel Zůna wrote:

This patch handles the issue in a kind of stupid way, but I couldn't think of anything better. It adds a new flag parameter to user-add (--noprivate). With this flag, the command marks the private group about to be created for deletion and is deleted after the user is created. The only exception is when there is a group, that is named the same way as the user, but isn't a private group - then the group is left there. Private groups are created automatically by the managed entry DS plugin and I didn't find a way to disable its creation for a specific user.

Ticket #1131

Pavel

I wonder if you can modify the originFilter entry in the Managed Entry plugin and set something special so the user gets created w/o a group. The trick would be getting the filter right. Currently it is originFilter: objectclass=posixAccount

I wonder if we could stuff something else in there that would cause it to evaluate false when we don't want a managed group.

rob

I thought about it, but changing the filter temporarily isn't an option since more user-add operations can be running at the same time and this entry is global. Maybe adding a special object class or temporary attribute to mark users to be created without UPG. Or creating the user without the posixAccount object class and attributes and adding them later using user-mod. This might be a bit faster than deleting the UPG.

Pavel
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
On 2011-02-15 16:36, JR Aquino wrote:

On 2/15/11 6:52 AM, Simo Sorce sso...@redhat.com wrote:

On Tue, 15 Feb 2011 15:19:50 +0100 Pavel Zuna pz...@redhat.com wrote:

I can't reproduce this. :-/ For me it goes fine:

[root@ipadev tools]# ./ipa-nis-manage enable
Directory Manager password:
Enabling plugin
This setting will not take effect until you restart Directory Server.
The rpcbind service may need to be started.

Pavel, Jr has set the minimum ssf to a non default value to test a configuration in which all communications are required to be encrypted. That's why you can't reproduce with the vanilla configuration. We want to support that mode although it won't be the default, so we need to fix any issue that causes that configuration to break (ie all non-encrypted/non-ldapi connections).

Simo.

-- Simo Sorce * Red Hat, Inc * New York

The best way to do this is:

-=-
service ipa stop
Edit /etc/dirsrv/slapd-DOMAIN/dse.ldif
Change: nsslapd-minssf: 0
To: nsslapd-minssf: 56
- 56 is chosen because SASL communicates a 56bit handshake even though we utilize a much stronger cipher... (It is a known bug/feature)
service ipa start

I tried to use the LDAPUpdate class (ipaserver/install/ldapupdate.py) with ldapi=True, but it raises a NotFound exception when trying to call IPAdmin.do_external_bind() (ipaserver/ipaldap.py). This exception originates in IPAdmin.__lateinit() when trying to retrieve this cn=config,cn=ldbm database,cn=plugins,cn=config

For some reason it looks like this entry is inaccessible when doing a SASL EXTERNAL bind as root.

I can retrieve the entry as cn=directory manager:

[root@vm-090 freeipa]# ldapsearch -D cn=directory manager -W -H ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b cn=config,cn=ldbm database,cn=plugins,cn=config -s one
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base cn=config,cn=ldbm database,cn=plugins,cn=config with scope oneLevel
# filter: (objectclass=*)
# requesting: ALL
#

# default indexes, config, ldbm database, plugins, config
dn: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: default indexes

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

but not as root:

[root@vm-090 freeipa]# ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b cn=config
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base cn=config with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# SNMP, config
dn: cn=SNMP,cn=config
objectClass: top
objectClass: nsSNMP
cn: SNMP
nsSNMPEnabled: on

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 2.16.840.1.113730.3.4.9
cn: VLV Request Control

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

I'm not sure what the problem is, I tried setting different SASL security properties, but nothing helped. :(

Next step is to analyze DS logs, but before I do that, I wanted to ask if anyone has any tips on what the solution might be.

Pavel
Re: [Freeipa-devel] Localization patches.
On 2011-02-23 20:26, Rob Crittenden wrote:

Pavel Zůna wrote:

Rebased patch 81 and 83 (pygettext). Created a new patch to fix these latest test failures - it was easier than doing a complex rebase. All latest versions of localization patches are attached to this email for review. I tried to apply them on a clean master clone, build RPMs, installed and run all unit tests. So hopefully, we're finally going to get this in. :)

Pavel

I don't understand some of these (and past changes):

- Updated patch 83-2 just changes the commit message slightly

I rebased everything, generated new patches and did a diff to see if anything has changed. This patch had differences in line numbers, so I decided to make a new one, just to make sure it applies cleanly on master.

- Patch 84 comments out several lines in the tests. There isn't any explanation what these changes do and why they are needed. It seems to be disabling a confirmation that changing locale works.

It comments out parts that test the deprecated code removed by patch 69. I probably should have removed the lines completely, but wanted to keep them for reference - guess there's no point really. We no longer setup languages in the code, but rather get them from what is passed from the terminal OR from what is requested over XML-RPC. All localization code that uses the context thread local variable doesn't work anyway - that's why the tests were failing.

- Patch 82 drops a bunch of the old ugettext code which is fine, but I think one of the purposes was to make sure that translation was occurring.

- Patch 82 in test_text.py changing the languages is removed. Are we really exercising this code?

Same deal as 84.

rob

Pavel
[Freeipa-devel] [PATCH] Use pygettext to generate translatable strings from plugin files.
This goes on top of my other localization patches!

This patch replaces xgettext with a custom pygettext to generate translatable strings from plugin files in ipalib/plugins. pygettext was modified to handle plural forms (credit goes to Jan Hendrik Goellner) and had some bugs fixed by myself. We only use it for plugins, because it's the only place where we need to extract docstrings for the built-in help system. I also had to make some changes to the way the built-in documentation system gets docstrings from modules for this to work.

How to test?

1) First, apply all of the localization patches found in thread Localization patches on freeipa-devel. Then apply this patch.

2) Regenerate your install/po/Makefile:
- delete install/po/Makefile
- run `./configure` in install

3) Regenerate the pot and po files:
- run `make update-pot` in install/po
- run `make update-po` in install/po

4) Make a change to one of the translations:
- example: add translation to the ACI docstring
  * find docstring for ACI in install/po/es.po
  * change the corresponding msgstr to msgstr \nBuenos dias, amigos!\n
Note: if the translatable string begins with \n, the translation also needs to begin with \n. Same goes for ending.

5) Install the modified translations:
- run `make install` in install/po
Note: I had some problems with this and had to make rpms and install IPA from beginning for it to work. Looks like doing `make install` manually updates /usr/local/share/locale instead of /usr/share/locale, but maybe I just did something wrong.

6) Set language to Spanish or whatever translation you modified:
- example:
  * # LANG=es_ES.utf8
    # export LANG

7) Display the translated documentation:
- example:
  * # ipa help aci
    Buenos dias, amigos!

Pavel

Attachment: freeipa-pzuna-83-pygettext.patch (application/mbox)
Re: [Freeipa-devel] [PATCH] Fix translatable strings in ipalib plugins.
On 2011-02-16 16:25, Pavel Zůna wrote:

Some translatable strings were in a wrong format and there were some more related issues. This patch tries to fix all of them. Needed for xgettext/pygettext processing.

Pavel

Rebased version attached.

Pavel

Attachment: freeipa-pzuna-81-2-fixlocstrings.patch (application/mbox)
Re: [Freeipa-devel] Localization patches.
On 2011-02-17 05:09, Rob Crittenden wrote:

Pavel Zůna wrote:

My efforts in fixing localization all around the framework and preparing it for localizing docstrings have resulted in a lot of patches. Because I understand they have become a bit hard to track, I decided to post them all together in this thread to make review easier. After this is committed, there will be one more patch that switches xgettext for pygettext. Then hopefully, we'll be pretty much set when it comes to i18n.

Pavel

Patch 81 isn't applying for me.

Help is not working for me either, this is due to patch 80.

$ ipa help user
ipa: ERROR: NameError: global name '_' is not defined
Traceback (most recent call last):
  File /home/rcrit/redhat/freeipa-version/ipalib/cli.py, line 1087, in run
    api.finalize()
  File /home/rcrit/redhat/freeipa-version/ipalib/plugable.py, line 619, in finalize
    plugin_iter(base, (magic[k] for k in magic))
  File /home/rcrit/redhat/freeipa-version/ipalib/base.py, line 397, in __init__
    sorted(members, key=lambda m: getattr(m, name_attr))
  File /home/rcrit/redhat/freeipa-version/ipalib/plugable.py, line 608, in plugin_iter
    plugins[klass] = PluginInstance(klass)
  File /home/rcrit/redhat/freeipa-version/ipalib/plugable.py, line 585, in __init__
    self.instance = klass()
  File /home/rcrit/redhat/freeipa-version/ipalib/plugable.py, line 184, in __init__
    self.doc = _(inspect.getdoc(cls))
NameError: global name '_' is not defined
ipa: ERROR: an internal error has occurred

Patches 69, 71 and 73 are still working fine.

What is switching from xgettext to pygettext going to do? This was answered by John Dennis: xgettext doesn't parse python docstrings.

rob

Rebased version of 81 attached. It should also fix the traceback you're getting.

Pavel

Attachment: freeipa-pzuna-81-2-fixlocstrings.patch (application/mbox)
Re: [Freeipa-devel] [PATCH] Send Accept-Language header over XML-RPC and translate on server.
On 2011-02-04 18:35, Pavel Zůna wrote:

On 2011-02-04 16:23, Rob Crittenden wrote:

Pavel Zuna wrote:

This patch makes the ipa client send the Accept-Language header, so that the server can translate things like exceptions, that cannot be translated on the client. It also fixes the language recognition for the webUI. The values in Accept-Language header are a bit different than what is accepted by the LANG variable as a valid locale - some additional parsing was needed. For example: Accept-Language: es-es;q=1 needs to translate to es_ES otherwise it won't be recognized by gettext

Fix #904
Fix #917

Pavel

nack.

ast is imported but not used

Leftover. Removed in the attached updated version.

Why are you calling locale.setlocale() instead of locale.getlocale()?

Because that's how it should be done. setlocale() with an empty string as second argument gets the current environment settings. getlocale() without a previous call to setlocale returns (None, None).

If extra_headers is passed in as a string this will drop it:

That's never going to happen. I checked the underlying implementation in xmlrpclib and it can either be a list or dict. In this case, LanguageAwareTransport is calling Transport.get_host_info() which always returns extra_headers as a list or None if empty. The original implementation (before this patch) always dropped the whole thing and used a new list instead.

+ if not isinstance(extra_headers, list):
+ extra_headers = []

Multiple Authorization is actually legal though it may be a good idea to remove any others found, so I'll let this part go. I don't know that it is really needed though.

Because the underlying Transport class can fill Authorization with 'Basic auth' and the original implementation was dropping it as well.

Some formatting is changed to make it less readable IMHO:

- else:
- scheme = http
+ else: scheme = http

That's unintentional, sorry.

The code to break HTTP_ACCEPT_LANGUAGE into language and region is broken. Passing in en-gb returns en_EN. (I think you want [1] not [0]).

Nice catch. I was probably thinking that since I'm using rsplit(), the indexes will be the other way around. :) Fixed in attached version.

Ideally we would loop through all acceptable languages until we find one that we actually provide. So if we are passed in da, en-gb;q=0.8, en;q=0.7 we would first look for Danish but fall back to British English or any other English (preferring British English).

That's a good idea! However I would keep it simple for now and do this in a separate patch.

rob

Pavel

Rebased version attached.

Pavel

Attachment: freeipa-pzuna-71-3-acceptlang.patch (application/mbox)
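The header parsing Rob and Pavel discuss above, as an added example that is not part of patch 71 or of ipalib: it converts Accept-Language tags to gettext locale names (`es-es;q=1` to `es_ES`, and `en-gb` to `en_GB` by taking the region from the second subtag, the index mix-up Rob caught), and goes one step beyond the thread by implementing the q-ordered fallback Rob proposed. The `AVAILABLE` catalogue, the function names and the decision to skip rather than reject malformed items are my assumptions, not FreeIPA's.

```python
# Added example, not part of the FreeIPA patch or the ipalib code base.
# Parses an Accept-Language header into gettext-style locale names and picks
# the first locale the server actually ships, generalising the single-tag
# conversion ('es-es;q=1' -> 'es_ES') from the thread to the q-ordered
# fallback Rob proposed.  AVAILABLE is a constructed catalogue, not IPA's.
import re

AVAILABLE = ('es_ES', 'en_GB', 'en_US', 'de_DE')   # constructed sample list

# language tag: 1-8 letters, optional '-' separated alphanumeric subtags
_TAG_RE = re.compile(r'^[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*$')


def parse_accept_language(header):
    """Return [(locale_name, q), ...] ordered by descending q, header order on ties.

    Malformed items are skipped rather than raising: the header is client
    controlled, and a bad value must never turn into an internal error.
    """
    parsed = []
    for position, item in enumerate(header.split(',')):
        parts = [p.strip() for p in item.split(';')]
        tag = parts[0]
        if not _TAG_RE.match(tag):
            continue
        q = 1.0
        for param in parts[1:]:
            if param.lower().startswith('q='):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0
        if q <= 0:
            continue            # q=0 means "not acceptable"
        subtags = tag.split('-')
        locale_name = subtags[0].lower()
        if len(subtags) > 1:
            # the region is the *second* subtag; reusing index 0 is what
            # turned 'en-gb' into 'en_EN' in the reviewed patch
            locale_name += '_' + subtags[1].upper()
        parsed.append((locale_name, q, position))
    parsed.sort(key=lambda entry: (-entry[1], entry[2]))
    return [(name, q) for name, q, _pos in parsed]


def choose_locale(header, available=AVAILABLE, default='en_US'):
    """Best available locale: exact match first, then any locale with the
    same language, both in the client's preference order; default otherwise."""
    prefs = parse_accept_language(header)
    for name, _q in prefs:
        if name in available:
            return name
    for name, _q in prefs:
        lang = name.split('_')[0]
        for candidate in available:
            if candidate.split('_')[0] == lang:
                return candidate
    return default


if __name__ == '__main__':
    for hdr in ('es-es;q=1', 'en-gb', 'da, en-gb;q=0.8, en;q=0.7', '*', 'xx'):
        print('%-32r -> %s' % (hdr, choose_locale(hdr)))
```

Only the language and region subtags are mapped, which matches the scope of the thread; script subtags (zh-Hant-TW style) would need an extra rule. With the sample catalogue, `da, en-gb;q=0.8, en;q=0.7` yields `en_GB`, exactly the fallback Rob describes.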
[Freeipa-devel] [PATCH] Translate docstrings.
This patch prepares the built-in help system for localized docstrings.

Pavel

Attachment: freeipa-pzuna-80-docstringloc.patch (application/mbox)
[Freeipa-devel] [PATCH] Fix translatable strings in ipalib plugins.
Some translatable strings were in a wrong format and there were some more related issues. This patch tries to fix all of them. Needed for xgettext/pygettext processing.

Pavel

Attachment: freeipa-pzuna-81-fixlocstrings.patch (application/mbox)
[Freeipa-devel] [PATCH] Fix i18n related failures in unit tests.
Fixes unit test failures caused by the changes introduced in my other localization related patches.

Pavel

Attachment: freeipa-pzuna-82-fixlocutests.patch (application/mbox)
Re: [Freeipa-devel] [PATCH] Remove deprecated i18n code from ipalib.request and all references to it.
On 2011-02-04 16:24, Rob Crittenden wrote:

Pavel Zuna wrote:

On 02/04/2011 04:03 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

On 02/02/2011 09:36 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

This ticket effectively fixes the translation of exception messages.

Ticket #903

Pavel

On hold for now, see also patch 'Translate exception messages on the client side.'

rob

This should get pushed for the translation in exceptions to work. It only removes the defunct code and replaces it with something functional.

Pavel

If the server locale is not en_US.UTF-8 then messages are translated.

rob

I know, but it's not the purpose of this patch to do the right translation for the client. Its purpose is to fix the code to actually perform the translation. There's another patch (71) to do the right thing and it depends on this one.

Pavel

Right but 71 fails if there are keywords to translate. I'd prefer to hold off on both of these until we come to a more complete solution.

rob

No, that's 70 failing. :) 71 is the Accept-Language patch I posted today.

Pavel
[Freeipa-devel] [PATCH] Fix crash when displaying values composed of white chars only in CLI.
Fix #825 Pavel From 8a7e6119399aa974457eda41b998cb765186d4eb Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Fri, 21 Jan 2011 09:30:23 -0500 Subject: [PATCH] Fix crash when displaying values composed of white-space chars only in CLI. Ticket #825 --- ipalib/cli.py |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/ipalib/cli.py b/ipalib/cli.py index 54ab1c4..a30375f 100644 --- a/ipalib/cli.py +++ b/ipalib/cli.py @@ -302,6 +302,8 @@ class textui(backend.Backend): text = textwrap.wrap( text, line_len, break_long_words=False ) +if len(text) == 0: +text = [u''] else: text = [text] self.print_indented(format % (attr, text[0]), indent) -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
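Review bot: the guard is correct, textwrap.wrap() drops whitespace and therefore returns an empty list for an all-whitespace value, which is what made text[0] raise; a one-line comment saying so would keep a later reader from "simplifying" it away. `text = [u'']` also still prints the attribute label with an empty value, which looks like the intended output, so that choice deserves to be stated in the commit message rather than left implicit.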
Re: [Freeipa-devel] [PATCH] admiyo-0127-add-missing-files-in-rpm
On 2011-01-05 20:57, Adam Young wrote:

Had to move some files around, and added to both Makefile.am and ipa.spec

ACK.

Pavel
[Freeipa-devel] [PATCH] Enable custom list of attributes to retrieve effective rights.
LDAPObject sub-classes can define a custom list of attributes for effective rights retrieval. Fix #677 Pavel From 98b7456f1c4d872e265ea4e8c26ab42e206375e8 Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Thu, 30 Dec 2010 08:48:12 -0500 Subject: [PATCH 2/4] Enable custom list of attributes to retrieve effective rights. Fix #677 --- ipalib/plugins/baseldap.py | 38 -- ipalib/plugins/config.py |4 2 files changed, 24 insertions(+), 18 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 259d02b..1cd181c 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -162,20 +162,6 @@ def get_attributes(attrs): return attrlist -def get_effective_rights(ldap, dn, attrs=None): -if attrs is None: -attrs = ['*', 'nsaccountlock', 'cospriority'] -rights = ldap.get_effective_rights(dn, attrs) -rdict = {} -if 'attributelevelrights' in rights[1]: -rights = rights[1]['attributelevelrights'] -rights = rights[0].split(', ') -for r in rights: -(k,v) = r.split(':') -rdict[k.strip().lower()] = v - -return rdict - def wait_for_memberof(keys, entry_start, completed, show_command, adding=True): When adding or removing reverse members we are faking an update to @@ -240,6 +226,7 @@ class LDAPObject(Object): search_attributes_config = None default_attributes = [] hidden_attributes = ['objectclass', 'aci'] +rights_attributes = ['*', 'nsaccountlock', 'cospriority'] # set rdn_attribute only if RDN attribute differs from primary key! rdn_attribute = '' uuid_attribute = '' 
@@ -288,6 +275,19 @@ class LDAPObject(Object): pass return dn[len(self.primary_key.name) + 1:dn.find(',')] +def get_effective_rights(self, dn, attrs=None): +rdict = {} +if attrs is None: +attrs = self.rights_attributes +rights = self.backend.get_effective_rights(dn, attrs) +if 'attributelevelrights' in rights[1]: +rights = rights[1]['attributelevelrights'] +rights = rights[0].split(', ') +for r in rights: +(k, v) = r.split(':') +rdict[k.strip().lower()] = v +return rdict + def get_ancestor_primary_keys(self): if self.parent_object: parent_obj = self.api.Object[self.parent_object] @@ -674,8 +674,9 @@ class LDAPRetrieve(LDAPQuery): except errors.NotFound: self.obj.handle_not_found(*keys) -if options.get('rights', False) and options.get('all', False): -entry_attrs['attributelevelrights'] = get_effective_rights(ldap, dn) +if options.get('rights', False): +rights = self.obj.get_effective_rights(dn) +entry_attrs['attributelevelrights'] = rights for callback in self.POST_CALLBACKS: if hasattr(callback, 'im_self'): @@ -830,8 +831,9 @@ class LDAPUpdate(LDAPQuery, crud.Update): format=_('the entry was deleted while being modified') ) -if options.get('rights', False) and options.get('all', False): -entry_attrs['attributelevelrights'] = get_effective_rights(ldap, dn) +if options.get('rights', False): +rights = self.obj.get_effective_rights(dn) +entry_attrs['attributelevelrights'] = rights for callback in self.POST_CALLBACKS: if hasattr(callback, 'im_self'): diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py index cabfd76..7c9f458 100644 --- a/ipalib/plugins/config.py +++ b/ipalib/plugins/config.py @@ -81,6 +81,9 @@ class config(LDAPObject): 'ipasearchrecordslimit', 'ipausersearchfields', 'ipagroupsearchfields', 'ipamigrationenabled', 'ipacertificatesubjectbase', ] +rights_attributes = LDAPObject.rights_attributes + [ +'ipahomesrootdir', 'ipagroupsearchfields', +] label = _('Configuration') 
@@ -200,3 +203,4 @@ class config_show(LDAPRetrieve): api.register(config_show) + -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
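Review bot: the new LDAPObject.get_effective_rights keeps `(k, v) = r.split(':')` in its parse loop, which raises ValueError for any element that does not contain exactly one colon, and it returns an empty dict when attributelevelrights is absent from the reply instead of signalling that; since the function is being moved anyway, `r.split(':', 1)` plus skipping malformed items would make the --rights path robust against an unexpected server reply. The `rights` name is also rebound to three different shapes (the backend tuple, the attribute list, the split string list) within six lines, which hurts readability.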
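Review bot: the LDAPRetrieve and LDAPUpdate hunks drop the `and options.get('all', False)` condition, so --rights on its own now issues the effective-rights request; that is a behaviour change the commit message does not mention. The removed module-level get_effective_rights may also have callers outside the two files in the diffstat, so please confirm nothing else imports it by name.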
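Review bot: the final config.py hunk (`@@ -200,3 +203,4 @@`) adds nothing but a trailing blank line after api.register(config_show); drop it to keep the patch free of whitespace-only changes.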
[Freeipa-devel] [PATCH] Translate IA5Str parameters to the editable text fields in the webUI.
Fix #684 Pavel From ea2cd3c1c97c11c216c0c2baff07615d2f14298e Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Thu, 30 Dec 2010 09:11:58 -0500 Subject: [PATCH 3/4] Translate IA5Str paramaters the editable text fields in the webUI. Fix #684 --- install/static/details.js |3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/install/static/details.js b/install/static/details.js index 1aeffb1..6afe743 100644 --- a/install/static/details.js +++ b/install/static/details.js @@ -75,7 +75,9 @@ function ipa_details_field(spec) { var rights = 'rsc'; if (that.record.attributelevelrights){ +alert(this.name); rights = that.record.attributelevelrights[this.name] || rights ; +alert(rights); } if (that.values) { @@ -724,6 +726,7 @@ function ipa_insert_dd(jobj, content, dd_class){ /* mapping of parameter types to handlers used to create inputs */ var _ipa_param_type_2_handler_map = { 'Str': _ipa_create_text_input, +'IA5Str': _ipa_create_text_input, 'Int': _ipa_create_text_input, 'Bool': _ipa_create_text_input, 'List': _ipa_create_text_input -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
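Review bot: the first details.js hunk leaves two debugging calls in, `alert(this.name);` and `alert(rights);`, which will pop a dialog for every field when the details page renders; they need to go before this is committed. The second hunk, adding 'IA5Str' to _ipa_param_type_2_handler_map, is fine as is.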
[Freeipa-devel] [PATCH] Fix 'ipa help permissions'; add 'dns' in allowed types.
Pavel From 08534b8e0fe9ab9713599de166a5bfb4232c1776 Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Thu, 30 Dec 2010 09:12:35 -0500 Subject: [PATCH 4/4] Fix 'ipa help permissions'; add 'dns' in allowed types. --- ipalib/plugins/permission.py |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py index 1a707c4..43bb263 100644 --- a/ipalib/plugins/permission.py +++ b/ipalib/plugins/permission.py @@ -120,7 +120,7 @@ class permission(LDAPObject): StrEnum('type?', cli_name='type', label=_('Type'), -doc=_('Type of IPA object (user, group, host, hostgroup, service, netgroup)'), +doc=_('Type of IPA object (user, group, host, hostgroup, service, netgroup, dns)'), values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dns',), ), Str('memberof?', -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Translate IA5Str parameters to the editable text fields in the webUI.
On 2010-12-30 10:29, Pavel Zůna wrote: Fix #684 Pavel Left some debugging output in the original patch. Fixed version attached. Pavel From 508a68cc41f812683cbf62640c3dc2de02dd2981 Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Thu, 30 Dec 2010 09:11:58 -0500 Subject: [PATCH] Translate IA5Str paramaters the editable text fields in the webUI. Fix #684 --- install/static/details.js |1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/install/static/details.js b/install/static/details.js index 1aeffb1..77dc88f 100644 --- a/install/static/details.js +++ b/install/static/details.js @@ -724,6 +724,7 @@ function ipa_insert_dd(jobj, content, dd_class){ /* mapping of parameter types to handlers used to create inputs */ var _ipa_param_type_2_handler_map = { 'Str': _ipa_create_text_input, +'IA5Str': _ipa_create_text_input, 'Int': _ipa_create_text_input, 'Bool': _ipa_create_text_input, 'List': _ipa_create_text_input -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] Disable action panel links when the selected entry is deleted.
Fix #685 Pavel From 2dd2304d8f10272d3e376090cbe2565e21ff627d Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Thu, 30 Dec 2010 16:41:50 -0500 Subject: [PATCH] Disable action panel links when the selected entry is deleted. Fix #685 --- install/static/search.js |6 +- 1 files changed, 5 insertions(+), 1 deletions(-) diff --git a/install/static/search.js b/install/static/search.js index 061824c..a111e0c 100644 --- a/install/static/search.js +++ b/install/static/search.js @@ -206,6 +206,11 @@ function ipa_search_widget(spec) { function on_success(data, text_status, xhr) { +var action_panel = that.facet.get_action_panel(); +$('li.entity-facet', action_panel). +addClass('entity-facet-disabled'); +$('input', action_panel).val(null); + that.tbody.empty(); var result = data.result.result; @@ -215,7 +220,6 @@ function ipa_search_widget(spec) { } var summary = $('span[name=summary]', that.tfoot); - if (data.result.truncated) { summary.text( 'Query returned results than configured size limit will show.' + -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
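Review bot: the new block at the top of on_success disables every li.entity-facet link and clears the action-panel inputs on every successful search reply, not only when the selected entry was deleted as the subject states; if any fresh search is meant to reset the selection, say so in the commit message, otherwise the code should first check that the previously selected entry is missing from data.result.result. The second hunk only removes a blank line and is unrelated whitespace churn.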
Re: [Freeipa-devel] [PATCH] Enable filtering search results by member attributes.
On 2010-11-30 04:06, Rob Crittenden wrote:

Pavel Zůna wrote:

LDAPSearch base class has now the ability to generate additional options for objects with member attributes. These options are used to filter search results - search only for objects without the specified members. Any class that extends LDAPSearch can benefit from this functionality. This patch enables it for the following objects: group, netgroup, rolegroup, hostgroup, taskgroup

Example: ipa group-find --no-users=admin

Only direct members are taken into account, but if we need indirect members as well - it's not a problem.

Ticket #288

Pavel

This works as advertised but I wonder what would happen if a huge list of members was passed in to ignore. Is there a limit on the search filter size (remember that the member will be translated into a full dn so will quickly grow in size). Should we impose a configurable limit on the # of members to be excluded? Is there a max search filter size and should we check that we haven't exceeded that before doing a search?

rob

I tried it out with more than 1000 users and was getting an unwilling to perform error (search filter nested too deep). After a little bit of investigation, I figured the filter was being generated like this:

(((!(a=v))(!(a2=v2

We were going deeper with each additional DN! I updated the patch to generate the filter like this instead:

(!(|(a=v)(a2=v2)))

Tried it again with more than 1000 users (~55Kb) - it worked and wasn't even slow. Updated patch attached. I also had to fix a bug in ldap2 filter generator, as a result this patch depends on my patch number 43.

Pavel

From b8c6fa683715d0221b1be33dde6b8065283125d3 Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com Date: Mon, 29 Nov 2010 06:44:09 -0500 Subject: [PATCH 2/2] Enable filtering search results by member attributes. LDAPSearch base class has now the ability to generate additional options for objects with member attributes. These options are used to filter search results - search only for objects without the specified members. Example: ipa group-find --no-users=admin Only direct members are taken into account. Ticket #288 --- ipalib/plugins/baseldap.py | 34 +- ipalib/plugins/group.py |2 ++ ipalib/plugins/hostgroup.py |2 +- ipalib/plugins/netgroup.py |1 + ipalib/plugins/rolegroup.py |2 +- ipalib/plugins/taskgroup.py |2 +- 6 files changed, 39 insertions(+), 4 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index a67b84d..ea5454b 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -1091,6 +1091,9 @@ class LDAPSearch(CallbackInterface, crud.Search): Retrieve all LDAP entries matching the given criteria. +member_attributes = [] +member_param_doc = 'exclude %s with member %s (comma-separated list)' + takes_options = ( Int('timelimit?', label=_('Time Limit'), 
@@ -1118,6 +1121,33 @@ class LDAPSearch(CallbackInterface, crud.Search): def get_options(self): for option in super(LDAPSearch, self).get_options(): yield option +for attr in self.member_attributes: +for ldap_obj_name in self.obj.attribute_members[attr]: +ldap_obj = self.api.Object[ldap_obj_name] +name = to_cli(ldap_obj_name) +doc = self.member_param_doc % ( +self.obj.object_name_plural, ldap_obj.object_name_plural +) +yield List('no_%s?' % name, cli_name='no_%ss' % name, doc=doc, + label=ldap_obj.object_name) + +def get_member_filter(self, ldap, **options): +filter = '' +for attr in self.member_attributes: +for ldap_obj_name in self.obj.attribute_members[attr]: +param_name = 'no_%s' % to_cli(ldap_obj_name) +if param_name in options: +dns = [] +ldap_obj = self.api.Object[ldap_obj_name] +for pkey in options[param_name]: +dns.append(ldap_obj.get_dn(pkey)) +flt = ldap.make_filter_from_attr( +attr, dns, ldap.MATCH_NONE +) +filter = ldap.combine_filters( +(filter, flt), ldap.MATCH_ALL +) +return filter has_output_params = global_output_params @@ -1159,8 +1189,10 @@ class LDAPSearch(CallbackInterface, crud.Search): search_kw[a] = term term_filter = ldap.make_filter(search_kw, exact=False) +member_filter = self.get_member_filter(ldap, **options) + filter = ldap.combine_filters( -(term_filter, attr_filter), rules=ldap.MATCH_ALL +(term_filter, attr_filter, member_filter), rules=ldap.MATCH_ALL ) scope = ldap.SCOPE_ONELEVEL diff --git
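Review bot: in get_member_filter the values spliced into the filter come straight from user-supplied primary keys (`options[param_name]` run through `ldap_obj.get_dn(pkey)`), so make sure `ldap.make_filter_from_attr(attr, dns, ldap.MATCH_NONE)` escapes `*`, `(`, `)` and `\` per RFC 4515 before this ships; otherwise a value such as `admin)(objectclass=*` changes the shape of the filter instead of being compared literally. Two smaller points: the first iteration combines `filter = ''` with `ldap.combine_filters((filter, flt), ldap.MATCH_ALL)`, which relies on the ldap2 fix from patch 43 treating an empty filter as a no-op, and a one-line comment saying so would save the next reader a trip into ldap2; and Rob's question about a cap on the number of excluded members is not answered by the hunk, since the nesting problem is gone but the filter still grows by one full DN per `no_*` value, so a documented limit (or a check against the server's maximum filter size) is still worth considering.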
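The two filter shapes from the thread, as an added example that is not part of the patch or of FreeIPA's ldap2 helpers: the pairwise AND-of-NOT that grows one level deeper per excluded DN, the flat NOT-of-OR that stays at constant depth, and the RFC 4515 escaping the values need before they are spliced in. The `BASE_DN` layout, the function names and the `admin)(uid=*` input are assumptions made for this example.

```python
# Added example (not FreeIPA code): build the two exclusion-filter shapes by
# hand so that nesting depth and value escaping can be inspected directly.

BASE_DN = 'cn=users,cn=accounts,dc=example,dc=com'   # hypothetical layout


def escape_filter_value(value):
    """Escape a value for use inside an LDAP filter assertion (RFC 4515).

    Without this, a primary key such as 'admin)(uid=*' typed on the command
    line would alter the structure of the filter instead of being compared
    literally.
    """
    out = []
    for ch in value:
        if ch in '\\*()\x00':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def user_dn(uid):
    # What a --no-users value is turned into before it enters the filter
    return 'uid=%s,%s' % (uid, BASE_DN)


def nested_exclusion_filter(attr, dns):
    """Original shape: AND-of-NOT combined pairwise.

    Every extra DN wraps the previous filter in another (&...), so the
    parenthesis depth grows with the number of excluded members.
    """
    filt = ''
    for dn in dns:
        term = '(!(%s=%s))' % (attr, escape_filter_value(dn))
        filt = term if not filt else '(&%s%s)' % (filt, term)
    return filt


def flat_exclusion_filter(attr, dns):
    """Updated shape: NOT-of-OR, (!(|(a=v1)(a=v2)...)), constant depth."""
    if not dns:
        return ''
    terms = ''.join('(%s=%s)' % (attr, escape_filter_value(dn)) for dn in dns)
    return '(!(|%s))' % terms


def max_nesting(filt):
    """Deepest parenthesis level; this is what the server's
    'search filter nested too deep' limit is measured against."""
    depth = deepest = 0
    for ch in filt:
        if ch == '(':
            depth += 1
            deepest = max(deepest, depth)
        elif ch == ')':
            depth -= 1
    return deepest


def compare_shapes(n):
    """Return (nested_depth, flat_depth, flat_length) for n excluded users."""
    dns = [user_dn('user%d' % i) for i in range(n)]
    nested = nested_exclusion_filter('member', dns)
    flat = flat_exclusion_filter('member', dns)
    return max_nesting(nested), max_nesting(flat), len(flat)


if __name__ == '__main__':
    print(compare_shapes(1000))    # depth 1001 for the nested form, 3 for the flat one
    print(flat_exclusion_filter('member', [user_dn('admin)(uid=*')]))
```

The depth of the nested form is the number of excluded DNs plus one, which is why a thousand users tripped the server's limit; the flat form is always three deep, so only the total filter length grows. The escaped injection attempt is also worth looking at: the hostile value stays inside its own assertion and no `)(` sequence reaches the server.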
[Freeipa-devel] [PATCH] Rename parent LDAPObject pkeys in child LDAPObject methods.
If the parent and child entries have the same attribute as primary key (such as in the DNS schema), we need to rename the parent key to prevent a param name conflict. It has no side effects, because the primary key name is always taken from the LDAPObject params, never from the method params. Pavel From 88e1399e5a1271d95bafef3f83206181b6b7b88b Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Mon, 8 Nov 2010 22:36:04 -0500 Subject: [PATCH] Rename parent LDAPObject pkeys in child LDAPObject methods. If the parent and child entries have the same attribute as primary key (such as in the DNS schema), we need to rename the parent key to prevent a param name conflict. It has no side effects, because the primary key name is always taken from the LDAPObject params, never from the method params. --- ipalib/plugins/baseldap.py |6 +- 1 files changed, 5 insertions(+), 1 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 6bf9b3b..ff5dba9 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -232,7 +232,11 @@ class LDAPObject(Object): for key in parent_obj.get_ancestor_primary_keys(): yield key if parent_obj.primary_key: -yield parent_obj.primary_key.clone(query=True) +pkey = parent_obj.primary_key +yield pkey.__class__( +parent_obj.name + pkey.name, required=True, query=True, +cli_name=parent_obj.name, label=pkey.label +) def convert_attribute_members(self, entry_attrs, *keys, **options): if options.get('raw', False): -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
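Review bot: the rename in get_ancestor_primary_keys builds a brand-new `pkey.__class__(parent_obj.name + pkey.name, required=True, query=True, cli_name=parent_obj.name, label=pkey.label)`, so everything else attached to the parent's primary key (a normalizer such as the lower-casing one on the DNS zone name, patterns, validation rules) is dropped for the child methods, where the old `parent_obj.primary_key.clone(query=True)` kept it; cloning the parent key and overriding only the name and `cli_name` would preserve those. A comment giving one concrete resulting name (what `parent_obj.name + pkey.name` looks like for the DNS case the cover note mentions) would also help, since that name is what shows up in error messages.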
[Freeipa-devel] [PATCH] Add new version of DNS plugin: complete rework with baseldap + unit tests.
Finally, there it is. :)

I redesigned the whole thing to fit the baseldap model. Here's an example of how it's used:

# create zone 'example.com'
# ipa dnszone-add example.com --name=ns.example.com --admin=ad...@example.com

# create a resource in zone 'example.com' named 'machine1'
# (machine1.example.com) with A record 10.10.0.1
# ipa dnsres-add example.com machine1 --a-rec=10.10.0.1

# Add another A record to 'machine1' in 'example.com'
# ipa dnsres-add-record example.com machine1 --a-rec=10.10.0.2

# Remove one of the A records from 'machine1' in 'example.com'
# ipa dnsres-remove-record example.com machine1 --a-rec=10.10.0.1

The plugin is pretty complex and requires my patch number 35 to work. There is a bunch of unit tests, so hopefully it won't be too much pain to review.

You can use both dns and dns2 at the same time. When dns2 is tested enough, it should replace the original dns plugin.

docstring (ipa help dns2) documentation will follow soon in a separate patch.

Pavel

From defad70e665a5c126e56032bfc5ed698363eef9f Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Mon, 8 Nov 2010 22:34:14 -0500 Subject: [PATCH] Add new version of DNS plugin: complete rework with baseldap + unit tests. --- ipalib/plugins/dns2.py | 504 ++ tests/test_xmlrpc/test_dns_plugin.py | 360 2 files changed, 864 insertions(+), 0 deletions(-) create mode 100644 ipalib/plugins/dns2.py create mode 100644 tests/test_xmlrpc/test_dns_plugin.py diff --git a/ipalib/plugins/dns2.py b/ipalib/plugins/dns2.py new file mode 100644 index 000..5b36d37 --- /dev/null +++ b/ipalib/plugins/dns2.py
@@ -0,0 +1,504 @@ +# Authors: +# Pavel Zuna pz...@redhat.com +# +# Copyright (C) 2010 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +import time + +from ipalib import api, errors, output +from ipalib import Command +from ipalib import Flag, Int, List, Str, StrEnum +from ipalib.plugins.baseldap import * +from ipalib import _, ngettext + +# supported resource record types +_record_types = ( +u'A', u'', u'A6', u'AFSDB', u'CERT', u'CNAME', u'DNAME', +u'DS', u'HINFO', u'KEY', u'KX', u'LOC', u'MD', u'MINFO', u'MX', +u'NAPTR', u'NS', u'NSEC', u'NXT', u'PTR', u'RRSIG', u'SSHFP', +u'SRV', u'TXT', +) + +# attributes derived from record types +_record_attributes = [str('%srecord' % t.lower()) for t in _record_types] + +# supported DNS classes, IN = internet, rest is almost never used +_record_classes = (u'IN', u'CS', u'CH', u'HS') + +# normalizer for admin email +def _rname_normalizer(value): +value = value.replace('@', '.') +if not value.endswith('.'): +value += '.' +return value + +def _create_zone_serial(**kwargs): +Generate serial number for zones. +return int('%s01' % time.strftime('%Y%d%m')) + + +class dnszone(LDAPObject): + +DNS Zone, container for resource records. 
+ +container_dn = api.env.container_dns +object_name = 'DNS zone' +object_name_plural = 'DNS zones' +object_class = ['top', 'idnsrecord', 'idnszone'] +default_attributes = [ +'idnsname', 'idnszoneactive', 'idnssoamname', 'idnssoarname', +'idnssoaserial', 'idnssoarefresh', 'idnssoaretry', 'idnssoaexpire', +'idnssoaminimum' +] + _record_attributes +label = _('DNS zone') + +takes_params = ( +Str('idnsname', +cli_name='name', +label=_('Zone name'), +doc=_('Zone name (FQDN)'), +normalizer=lambda value: value.lower(), +primary_key=True, +), +Str('idnssoamname', +cli_name='name_server', +label=_('Authoritative name server'), +doc=_('Authoritative name server'), +), +Str('idnssoarname', +cli_name='admin_email', +label=_('Administrator e-mail address'), +doc=_('Administrator e-mail address'), +default_from=lambda idnsname: 'root.%s' % idnsname, +normalizer=_rname_normalizer, +), +Int('idnssoaserial?', +cli_name='serial', +label=_('SOA serial'), +doc=_('SOA record serial number'), +create_default=_create_zone_serial, +autofill=True, +), +
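Review bot: `_create_zone_serial` formats the date with `time.strftime('%Y%d%m')`, which is year, day, month: a serial generated on 2 November (`20100211` + `01`) is larger than one generated on 1 December (`20100112` + `01`), so SOA serials do not increase monotonically across the month boundary and secondaries that compare serials will stop transferring the zone until the numbers catch up. Use `%Y%m%d` for the conventional YYYYMMDDnn layout. Two more points in the same file: the `_record_types` tuple contains an empty `u''` entry right after `u'A'`, which turns into a bare `record` attribute name in `_record_attributes` and therefore in `default_attributes` of dnszone, so either a type was lost there or the entry should go; and `_rname_normalizer` only swaps `@` for `.`, so an administrator address with a dot in the local part (`john.doe@example.com`) becomes `john.doe.example.com.`, whereas the RNAME encoding needs that dot escaped (`john\.doe.example.com.`).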
[Freeipa-devel] [PATCH] Replace 'Locking' in `ipa help user` with 'Disabling'.
Ticket #452 Pavel From e03d082523a677b1d57e829ba10c31fd7f8d87b5 Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Mon, 8 Nov 2010 22:45:27 -0500 Subject: [PATCH] Replace 'Locking' in `ipa help user` with 'Disabling'. Ticket #452 --- ipalib/plugins/user.py |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 536848b..726177c 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -22,7 +22,7 @@ Users Manage user entries. All users are POSIX users. -Locking a user account prevents that user from obtaining new Kerberos +Disabling a user account prevents that user from obtaining new Kerberos credentials. It does not invalidate any credentials that have already been issued. -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Add new version of DNS plugin: complete rework with baseldap + unit tests.
On 2010-11-09 05:07, Pavel Zůna wrote:

Finally, there it is. :)

I redesigned the whole thing to fit the baseldap model. Here's some example on how it's used:

# create zone 'example.com'
# ipa dnszone-add example.com --name=ns.example.com --admin=ad...@example.com

# create a resource in zone 'example.com' named 'machine1'
# (machine1.example.com) with A record 10.10.0.1
# ipa dnsres-add example.com machine1 --a-rec=10.10.0.1

# Add another A record to 'machine1' in 'example.com'
# ipa dnsres-add-record example.com machine1 --a-rec=10.10.0.2

# Remove one of the A records from 'machine1' in 'example.com'
# ipa dnsres-remove-record example.com machine1 --a-rec=10.10.0.1

The plugin is pretty complex and requires my patch number 35 to work. There is a bunch of unit tests, so hopefully it won't be too much pain to review.

You can use both dns and dns2 at the same time. When dns2 is tested enough, it should replace the original dns plugin.

docstring (ipa help dns2) documentation will follow soon in a separate patch.

Pavel

Forgot to mention that this solves:

Ticket #36
Ticket #450

Pavel
___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Proposed Javascript coding standards
On 2010-09-13 23:46, Simo Sorce wrote:

On Mon, 13 Sep 2010 17:02:19 -0400 Adam Young ayo...@redhat.com wrote:

There is a really nasty bug that the same line policy avoids. Javascript often attempts to guess where you meant to put semicolons, and puts them in for you, without telling you.

return
{
    status: true
};

actually returns undefined. I fully acknowledge that this is brain dead. There are some really brain-dead features in JavaScript. It is easier to be consistent here, hence the rule always put it on the opening statement line.

Ok, in that case please note the rationale in the coding style. Also though in that case I think function() { (with the space) is better than function(){, unless the space is what causes javascript to put in the automatic ';'. If that's the case I hate it :)

For functions I also prefer:

func()
{
}

but only use it for file scope (thus global) functions in Javascript. For nested functions and every other compound statement:

func() {
}

I wouldn't mind switching to the second variant for everything for consistency.

We also banned C++ style comments in C code, /* */ is preferred and should never be added on the same line of code but only on the previous line.

I'm OK with that rule. C++ style comments are only to be used for commenting out code, which probably shouldn't get checked in anyway.

Given space matters in javascript I say that the git history is where you put unused code, not in comments :)

Simo.

I don't like the 'spec' object to be used instead of naming each variable separately for parameter lists of functions. I think it's very artificial. I do agree that being able to do this:

function some_func(spec) {
    return (spec.param1 + spec.param2);
}

var some_var = some_func({'param1': 'value1', 'param2': 'value2'})

is nice, but it makes the code less readable. You can't tell directly what parameters the function takes.

The rest is almost 100% compatible with my coding style, so naturally I agree.
:D Pavel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 517 updated command documentation
On 2010-08-25 05:52, Rob Crittenden wrote: David O'Brien reviewed all the per-command documentation last month and provided a ton of great feedback. I've applied all his changes. rob ACK. Pavel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Make changes to details.js. See commit message.
On 2010-08-25 13:54, Pavel Zůna wrote:

First off: I know I promised this patch yesterday, but I just didn't make it - I fell asleep on the keyboard and there were still some things to fix. :)

This patch has some of the most important things that we discussed on Tuesday last week, namely:

- Add/Remove links are now only available for multivalue attributes (Param.multivalue = true) and attributes with param types that are multivalue by definition (as of now only List). Single-value attributes with no value are displayed as empty input elements.
- When updating an attribute, leading and trailing spaces are stripped
- Context help available in the form of hints that are extracted from Param.hint.

I know there was more, but the rest of it is related to specific attributes (it doesn't affect details pages for all objects) and will be in another patch.

Most of this won't show at the moment, because meta-data is still missing for a lot of attributes that we display in the webUI. For testing on the user page, you can add the title attribute to takes_params in the user class, e.g.:

takes_params = (
    Str('title',
        cli_name='title',
        label=_('Title'),
        hint=_('Enter job or academic title.'),
        multivalue=True,  # just to test the multivalue functionality
    ),
    # ...
)

For testing using the lite-server, I suggest you modify install/static/sampledata/metadata.js.

By the way, the patch modifies details.js and ipa.css, so it should go smoothly with Adam's patch n.0015.

Pavel

One more thing I forgot to mention:

The patch is a bit inflated, because it fixes quite a lot of places where tabs and spaces got mixed together.

Pavel
___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Add 'hint' kwarg to Param. Used for context help in webUI.
On 2010-08-25 15:52, Rob Crittenden wrote:

Pavel Zůna wrote:

Used like this:

Str('someparam',
    cli_name='sp',
    label='Some Param',
    hint='Use at own risk!',
),

After the following patch (pzuna-freeipa-0021-details), it will show up in the webUI as (details page):

Some Param: [ ]
Hint: Use at own risk!

How will hint vary from the doc attribute we already have in a Param?

rob

Hint is what is displayed in the webUI as context help, it should give the user a basic idea about HOW to enter values. Doc on the other hand is more general and should say WHAT the attribute represents.

Pavel
___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] BA-BBQ
On 2010-08-23 16:41, Adam Young wrote:

On 08/23/2010 07:51 AM, Pavel Zuna wrote:

On 08/23/2010 04:12 AM, Adam Young wrote:

Pavel,

Thoughts of jquery.ba-bbq have been marinating in the back of my brain. I know that the Back button doesn't work so well with hash params, and that BBQ purports to fix this, but I had some sort of mental shift I had to make. I think I have it now.

BBQ, and in fact the whole AJAX approach, works off of client side code, which means the whole hash params approach. What I didn't get was that the best approach to dealing with this was to drive the site off of the event that happens when the url hash changes. We need to do this. Basically, navigation.js registers:

$(window).bind( 'hashchange', function(e) { ... }

This function gets called each time the URL hash changes, which happens on either a tab click or on a back button (lets start with those two, there will be more). So basically, this function is our dispatch. Instead of having to register the onclick functions for each of the tabs, we know that they will all end up in this function, and then we let it parse the params for us.

BBQ has the concept of a stack, where we can push and pop state. This might be useful for pushing a query, going to the details page, and then popping the query afterwards. I'm still mulling this over.

Note, we will want to replace the custom hash param working we are doing with JQuery.deparam and JQuery.param calls, as they are much more mature, and it is less code we have to debug.

Sure, from what I've read in jQuery docs, it looks more powerful than what we currently have.

The thing I have to figure out now is what this will do to navigation on the details, add and groups pages.

I don't think it will be a problem. Functional links (such as Reset, Update, Add, Remove) are only used to run javascript functions - the URL, query string or hash doesn't change. Most of these actions are also one way only. We don't want the user to be able to go Back after he updated an entry. (Going back in this case should probably bring him back to the search page).

Pavel

I notice he uses JQuery.ui Tabs for his demo. I wonder if we want to move to that as well? http://benalman.com/code/projects/jquery-bbq/examples/fragment-jquery-ui-tabs/

You mean this example, right? It looks good and if it can simplify our code, why not. I'll take a look at the API and maybe play around with it a little.

Pavel
___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Fix script tags in index.xhtml. End tag is required.
On 2010-08-20 02:26, Adam Young wrote:

On 08/19/2010 06:51 PM, Pavel Zůna wrote:

On 2010-08-20 00:48, Pavel Zůna wrote:

The paste server had some issues with it and end tags are required by the standard anyway.

Pavel

I forgot to mention that this applies after Adam's 0009 patch (updated Hash Params).

Pavel
___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel

Is this only a problem on the javascript tags, or are we going to see a problem on all of the xhtml that doesn't use closing tags? Either way, it should be filed as an upstream bug.

I think it's just the script tags. From wiki (http://en.wikipedia.org/wiki/XHTML):

The format <script></script>, rather than the more concise <script />, is required for HTML compatibility when served as MIME type text/html.

I know we were using application/xhtml+json at some point in the old UI. text/html seems to have better support though.

Pavel
___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Hash Params Redux
On 2010-08-18 22:59, Adam Young wrote: The patch replaces the earlier Hash Params patch. It fixs the build issues, and fixes the group details page as well. Git still reports white space errors, but that's hardly a show stopper. ACK. Pavel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Fix script tags in index.xhtml. End tag is required.
On 2010-08-20 00:48, Pavel Zůna wrote: The paste server had some issues with it and end tags are required by the standard anyway. Pavel I forgot to mention that this applies after Adam's 0009 patch (updated Hash Params). Pavel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Improve serialization to JSON.
On 2010-08-11 22:55, Rob Crittenden wrote: Pavel Zůna wrote: On 2010-08-10 21:45, Rob Crittenden wrote: Pavel Zuna wrote: - Make it recursive. - Make Param classes serializable. - Take python native data types into account. Pavel Oops, sorry, commented on wrong patch. This looks ok but you have a serious whitespace issue in the def __json__ method. ack if you fix that before pushing. rob Version with fixed whitespace attached. Pavel This isn't applying. I'm assuming there is some other patch I haven't pushed but I wasn't able to find it. rob It depends on: [PATCH] Make LDAPObject classes JSON serializable (posted 2010-08-09) (pzuna-freeipa-0006-json.patch) Pavel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Change the behaviour of addattr/setattr parameters
On 2010-08-12 04:46, Rob Crittenden wrote:

Pavel Zůna wrote:

setattr and addattr can now be used both to set all values of ANY attribute. The last setattr always resets the attribute to the specified value and all addattr append to it.

Examples:

user-mod testuser --setattr=title=msc
title: msc
user-mod testuser --setattr=title=msb
title: msb
user-mod testuser --addattr=title=msc
title: msb, msc
user-mod testuser --setattr=title=
title:
user-mod testuser --setattr=title=msc --addattr=msb
title: msc, msb
user-mod testuser --setattr=title=ing --addattr=bc
title: ing, bc
user-mod testuser --setattr=title=doc
title: doc

It's not very user friendly, but it's going to be used very very rarely in special conditions in the CLI and we can use it to save lots of JSON-RPC roundtrips in the webUI.

Pavel

It was my intention when I added addattr and setattr that one couldn't set already-defined params this way. They were silently ignored. So you couldn't do:

user-mod testuser --setattr=givenname=Jeff

This would be possible with this patch. Was that intentional?

BTW I have the start of a test suite for this functionality.

rob

Yes, it is intentional. I forgot to mention it in the description. I'm using setattr/addattr for everything in the webUI - it makes the code a lot simpler.

Pavel
___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Change the behaviour of addattr/setattr parameters
On 2010-08-12 14:38, Rob Crittenden wrote:

Pavel Zůna wrote:

On 2010-08-12 04:46, Rob Crittenden wrote:

Pavel Zůna wrote:

setattr and addattr can now be used both to set all values of ANY attribute. The last setattr always resets the attribute to the specified value and all addattr append to it.

Examples:

user-mod testuser --setattr=title=msc
title: msc
user-mod testuser --setattr=title=msb
title: msb
user-mod testuser --addattr=title=msc
title: msb, msc
user-mod testuser --setattr=title=
title:
user-mod testuser --setattr=title=msc --addattr=msb
title: msc, msb
user-mod testuser --setattr=title=ing --addattr=bc
title: ing, bc
user-mod testuser --setattr=title=doc
title: doc

It's not very user friendly, but it's going to be used very very rarely in special conditions in the CLI and we can use it to save lots of JSON-RPC roundtrips in the webUI.

Pavel

It was my intention when I added addattr and setattr that one couldn't set already-defined params this way. They were silently ignored. So you couldn't do:

user-mod testuser --setattr=givenname=Jeff

This would be possible with this patch. Was that intentional?

BTW I have the start of a test suite for this functionality.

rob

Yes, it is intentional. I forgot to mention it in the description. I'm using setattr/addattr for everything in the webUI - it makes the code a lot simpler.

Doesn't that invalidate all the validators we have in the plugins? This is why I disallowed it.

rob

It does, but I see these options as something only experienced users, who need to set something we don't support directly, will use. Sometimes they might want to disable the validators, if they know what they're doing. We could also make the setattr/addattr handler in frontend.py detect if there's a validator available and use it.

Validators in the webUI is still something we need to figure out. Adam was proposing having validators in the form of regex strings, which is not a bad idea as it's easy to implement on any platform/language. On the other hand, I don't know if it's good enough for all parameters we have.

Hmm. There's a lot to think about here actually. I'll make it my homework for the weekend. :)

Pavel
___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
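The --setattr/--addattr semantics from this thread, replayed on an in-memory entry as an added example; this is not the patch's code and not FreeIPA's frontend.py. It implements the rule stated in the message (the last --setattr for an attribute resets its value list, every --addattr appends, and an empty --setattr value clears the attribute), reads the existing values when only --addattr is given, and exposes the validator hook Rob is asking about: with no validator map, whatever is typed lands in the entry. The function names, the `validate_givenname` check and the `{attr: [values]}` entry shape are assumptions for the example; the message's `--addattr=msb` shorthand is written out as `title=msb`.

```python
# Added example (not FreeIPA code): --setattr/--addattr merge rules from the
# thread, applied to an in-memory entry, with an optional validator hook.


def parse_attr_option(option):
    """Split 'attr=value' the way the CLI does; an empty value means 'clear'."""
    attr, sep, value = option.partition('=')
    if not sep or not attr.strip():
        raise ValueError('expected attr=value, got %r' % (option,))
    return attr.strip().lower(), (None if value == '' else value)


def merge_attr_options(setattr_opts=(), addattr_opts=()):
    """Turn the option lists into {attr: (reset, values)}.

    The last --setattr for an attribute wins and resets the value list;
    every --addattr for that attribute appends to whatever --setattr left
    (or, with no --setattr, to the values already stored on the entry).
    """
    changes = {}
    for opt in setattr_opts:
        attr, value = parse_attr_option(opt)
        changes[attr] = (True, [] if value is None else [value])
    for opt in addattr_opts:
        attr, value = parse_attr_option(opt)
        if value is None:
            raise ValueError('--addattr needs a value: %r' % (opt,))
        reset, values = changes.get(attr, (False, []))
        changes[attr] = (reset, values + [value])
    return changes


def apply_to_entry(entry, changes, validators=None):
    """Apply merged changes to a copy of `entry` ({attr: [values]}).

    `validators` maps attr -> callable raising ValueError.  This is the hook
    that is skipped when setattr/addattr write straight to the entry: with
    an empty map, any value goes through unchecked.
    """
    validators = validators or {}
    new = dict((k, list(v)) for k, v in entry.items())
    for attr, (reset, values) in changes.items():
        for value in values:
            if attr in validators:
                validators[attr](value)
        merged = values if reset else new.get(attr, []) + values
        if merged:
            new[attr] = merged
        else:
            new.pop(attr, None)    # --setattr=attr= deletes the attribute
    return new


def replay_list_examples():
    """Replay the user-mod sequence from the message; title after each step."""
    entry = {'uid': ['testuser']}
    steps = [
        (['title=msc'], []),               # title: msc
        (['title=msb'], []),               # title: msb
        ([], ['title=msc']),               # title: msb, msc
        (['title='], []),                  # title cleared
        (['title=msc'], ['title=msb']),    # title: msc, msb
        (['title=ing'], ['title=bc']),     # title: ing, bc
        (['title=doc'], []),               # title: doc
    ]
    seen = []
    for setattr_opts, addattr_opts in steps:
        entry = apply_to_entry(entry, merge_attr_options(setattr_opts, addattr_opts))
        seen.append(entry.get('title', []))
    return seen


def validate_givenname(value):
    # Stand-in for the kind of check a dedicated 'givenname' param would carry
    if not value.strip():
        raise ValueError('givenname must not be blank')


def setattr_bypass_demo():
    """Return (value stored with no validators, rejected with validators)."""
    entry = {'uid': ['testuser'], 'givenname': ['Jeff']}
    changes = merge_attr_options(['givenname=   '])
    unchecked = apply_to_entry(entry, changes)['givenname']
    try:
        apply_to_entry(entry, changes, {'givenname': validate_givenname})
        rejected = False
    except ValueError:
        rejected = True
    return unchecked, rejected


if __name__ == '__main__':
    print(replay_list_examples())
    print(setattr_bypass_demo())
```

The third step is the one that needs the read-before-write: an --addattr with no --setattr has to be appended to the values already on the entry, which is why a generic handler cannot just send the new values to the server. The bypass demo is the compromise Pavel sketches: the same merge code can run the attribute's validator when one is registered and fall through when none is.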
Re: [Freeipa-devel] [PATCH] Improve serialization to JSON.
On 2010-08-10 21:45, Rob Crittenden wrote: Pavel Zuna wrote: - Make it recursive. - Make Param classes serializable. - Take python native data types into account. Pavel Oops, sorry, commented on wrong patch. This looks ok but you have a serious whitespace issue in the def __json__ method. ack if you fix that before pushing. rob Version with fixed whitespace attached. Pavel From 654dea5b85815951a6ff90933f827b26c23a94fd Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Tue, 10 Aug 2010 16:40:00 -0400 Subject: [PATCH 1/6] Improve serialization to JSON. - Make it recursive. - Make Param classes serializable. - Take python native data types into account. --- ipalib/parameters.py | 14 ++ ipalib/plugins/baseldap.py |3 ++- ipalib/util.py | 12 +++- 3 files changed, 27 insertions(+), 2 deletions(-) diff --git a/ipalib/parameters.py b/ipalib/parameters.py index c86db75..7d89f4e 100644 --- a/ipalib/parameters.py +++ b/ipalib/parameters.py @@ -852,6 +852,20 @@ class Param(ReadOnly): pass return self.default +def __json__(self): +json_dict = {} +for (a, k, d) in self.kwargs: +if k in (callable, DefaultFrom): +continue +elif isinstance(getattr(self, a), frozenset): +json_dict[a] = [k for k in getattr(self, a, [])] +else: +json_dict[a] = getattr(self, a, '') +json_dict['class'] = self.__class__.__name__ +json_dict['name'] = self.name +json_dict['type'] = self.type.__name__ +return json_dict + class Bool(Param): diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 7e2fd4f..f3e5b0f 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -137,7 +137,8 @@ class LDAPObject(Object): json_dict = dict( (a, getattr(self, a)) for a in self.json_friendly_attributes ) -json_dict['primary_key'] = self.primary_key.name +if self.primary_key: +json_dict['primary_key'] = self.primary_key.name json_dict['methods'] = [m for m in self.methods] return json_dict diff --git a/ipalib/util.py b/ipalib/util.py index ba111d4..4aff88f 100644 
--- a/ipalib/util.py +++ b/ipalib/util.py @@ -27,15 +27,25 @@ import logging import time import krbV import socket +from types import NoneType + from ipalib import errors from ipapython import dnsclient def json_serialize(obj): +if isinstance(obj, (list, tuple)): +return [json_serialize(o) for o in obj] +if isinstance(obj, dict): +return dict((k, json_serialize(v)) for (k, v) in obj.iteritems()) +if isinstance(obj, (bool, float, int, unicode, NoneType)): +return obj +if isinstance(obj, str): +return obj.decode('utf-8') if not callable(getattr(obj, '__json__', None)): # raise TypeError('%r is not JSON serializable') return '' -return obj.__json__() +return json_serialize(obj.__json__()) def get_current_principal(): try: -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
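Review bot: `json_serialize` in util.py recurses through lists, dicts and the result of `obj.__json__()` with no record of what is already being serialized, so any cycle in the object graph (a Param whose attributes refer back to the object that owns it, say) ends in a RuntimeError from recursion depth; keep a set of `id()`s for containers on the current path and raise or emit a placeholder when one is seen twice. Two smaller points in the same hunk: `obj.decode('utf-8')` for `str` raises UnicodeDecodeError on bytes that are not UTF-8 (a binary LDAP attribute), so either decode with `'replace'` or let the type error surface; and with `raise TypeError(...)` left commented out, every unsupported object silently becomes `''`, which hides broken `__json__` implementations. In the parameters.py hunk, `elif isinstance(getattr(self, a), frozenset):` calls `getattr` without a default right before `getattr(self, a, '')` supplies one, so an attribute listed in `self.kwargs` but absent on the instance raises AttributeError on the first line rather than falling back to `''`.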
Re: [Freeipa-devel] [PATCH] 509 add BuildRequries for authconfig
On 2010-08-10 22:41, Rob Crittenden wrote: In ipapython/dnsclient.py we import acutil which is provided by authconfig. This can get invoked by setup.py so we need to have it at build time. rob ack. Pavel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 502 hosts can fetch keytabs
On 2010-08-06 04:50, Rob Crittenden wrote:

Enable a host to retrieve a keytab for all its services.

Using the host service principal one should be able to retrieve a keytab for other services for the host using ipa-getkeytab.

This required a number of changes:
- allow hosts in the service's managedby to write krbPrincipalKey
- automatically add the host to managedby when a service is created
- fix ipa-getkeytab to return the entire principal and not just the first data element. It was returning host from the service tgt and not host/ipa.example.com
- fix the display of the managedby attribute in the service plugin

This led to a number of changes in the service unit tests. I took the opportunity to switch to the Declarative scheme and tripled the number of tests we were doing. This shed some light on a few bugs in the plugin:
- if a service had a bad usercertificate it was impossible to delete the service. I made it a bit more flexible.
- I added a summary for the mod and find commands
- has_keytab wasn't being set in the find output

This is for ticket 68

rob

ack.

Pavel
___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] Make LDAPObject classes JSON serializable
Allow LDAPObject classes (and sub-classes) to be serialized into a JSON string using: json.dumps(obj, default=ipalib.util.json_serialize) Pavel From 209162028b58ba8cc59e8c90409082eb8478a0dd Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Mon, 9 Aug 2010 16:45:26 -0400 Subject: [PATCH 1/4] Make LDAPObject classes JSON serializable. --- ipalib/plugins/baseldap.py | 17 + ipalib/util.py |6 ++ 2 files changed, 23 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 11fd18e..52f32e3 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -21,6 +21,7 @@ Base classes for LDAP plugins. import re +import json from ipalib import crud, errors, uuid from ipalib import Method, Object @@ -29,6 +30,7 @@ from ipalib.base import NameSpace from ipalib.cli import to_cli, from_cli from ipalib import output from ipalib.text import _ +from ipalib.util import json_serialize def validate_add_attribute(ugettext, attr): @@ -121,6 +123,21 @@ class LDAPObject(Object): } ) +# list of attributes we want exported to JSON +json_friendly_attributes = ( +'parent_object', 'container_dn', 'object_name', 'object_name_plural', +'object_class', 'object_class_config', 'default_attributes', 'label', +'hidden_attributes', 'uuid_attribute', 'attribute_members', 'name', +'takes_params', +) +def __json__(self): +json_dict = dict( +(a, getattr(self, a)) for a in self.json_friendly_attributes +) +json_dict['primary_key'] = self.primary_key.name +json_dict['methods'] = [m for m in self.methods] +return json_dict + # Options used by create and update. _attr_options = ( diff --git a/ipalib/util.py b/ipalib/util.py index 570d66e..ba111d4 100644 --- a/ipalib/util.py +++ b/ipalib/util.py 
@@ -31,6 +31,12 @@ from ipalib import errors from ipapython import dnsclient +def json_serialize(obj): +if not callable(getattr(obj, '__json__', None)): +# raise TypeError('%r is not JSON serializable') +return '' +return obj.__json__() + def get_current_principal(): try: return unicode(krbV.default_context().default_ccache().principal().name) -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
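Review bot: `__json__` reads `self.primary_key.name` unconditionally, but an LDAPObject's `primary_key` can be None (the baseldap code elsewhere on this list guards with `if parent_obj.primary_key:`), so serializing an object without a primary key raises AttributeError; wrap it in `if self.primary_key:`. Also the hunk adds `import json` to baseldap.py but nothing in it uses that module (`json_serialize` is what is imported and used), so the import should go; and `json_friendly_attributes` exports `takes_params`, which only works once Param objects themselves are serializable, so this patch needs to land together with the Param `__json__` change rather than on its own.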
[Freeipa-devel] [PATCH] Change the behaviour of addattr/setattr parameters
setattr and addattr can now be used both to set all values of ANY attribute. The last setattr always resets the attribute to the specified value and all addattr append to it.

Examples:

user-mod testuser --setattr=title=msc
title: msc
user-mod testuser --setattr=title=msb
title: msb
user-mod testuser --addattr=title=msc
title: msb, msc
user-mod testuser --setattr=title=
title:
user-mod testuser --setattr=title=msc --addattr=msb
title: msc, msb
user-mod testuser --setattr=title=ing --addattr=bc
title: ing, bc
user-mod testuser --setattr=title=doc
title: doc

It's not very user friendly, but it's going to be used very very rarely in special conditions in the CLI and we can use it to save lots of JSON-RPC roundtrips in the webUI.

Pavel

From 5467a93dc7e4e24e82ba3559b333ac5e55814127 Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Mon, 9 Aug 2010 19:43:00 -0400 Subject: [PATCH 2/4] Change the behaviour of addattr/setattr parameters. setattr and addattr can now be used both to set all values of ANY attribute. the last setattr always resets the attribute to the specified value and all addattr append to it. Examples: user-mod testuser --setattr=title=msc title: msc user-mod testuser --setattr=title=msb title: msb user-mod testuser --addattr=title=msc title: msb, msc user-mod testuser --setattr=title= title: user-mod testuser --setattr=title=msc --addattr=msb title: msc, msb user-mod testuser --setattr=title=ing --addattr=bc title: ing, bc user-mod testuser --setattr=title=doc title: doc It's not very user friendly, but it's going to be used very very rarely in special conditions in the CLI and we can use it to save lots of JSON-RPC roundtrips in the webUI. --- ipalib/frontend.py | 15 +++ ipalib/plugins/baseldap.py | 58 ++-- 2 files changed, 38 insertions(+), 35 deletions(-) diff --git a/ipalib/frontend.py b/ipalib/frontend.py index d320f02..950fa7b 100644 --- a/ipalib/frontend.py +++ b/ipalib/frontend.py
@@ -519,11 +519,10 @@ class Command(HasParam): if len(value) == 0: # None means delete this attribute value = None -if attr not in self.params: -if append and attr in newdict: -newdict[attr].append(value) -else: -newdict[attr] = [value] +if append and attr in newdict: +newdict[attr].append(value) +else: +newdict[attr] = [value] return newdict def __attributes_2_entry(self, kw): @@ -540,7 +539,11 @@ class Command(HasParam): adddict = self.__convert_2_dict(kw['setattr'], append=False) if kw.get('addattr'): -adddict.update(self.__convert_2_dict(kw['addattr'])) +for (k, v) in self.__convert_2_dict(kw['addattr']).iteritems(): +if k in adddict: +adddict[k] += v +else: +adddict[k] = v for name in adddict: value = adddict[name] diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 52f32e3..c995a61 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -415,6 +415,35 @@ class LDAPUpdate(LDAPQuery, crud.Update): entry_attrs = self.args_options_2_entry(**options) + +Some special handling is needed because we need to update the +values here rather than letting ldap.update_entry() do the work. We +have to do the work of adding new values to an existing attribute +because if we pass just what is addded only the new values get +set. + +if 'addattr' in options: +setset = set(get_attributes(options.get('setattr', []))) +addset = set(get_attributes(options.get('addattr', []))) +difflist = list(addset.difference(setset)) +if difflist: +try: +(dn, old_entry) = ldap.get_entry( +dn, difflist, normalize=self.obj.normalize_dn +) +except errors.ExecutionError, e: +try: +(dn, old_entry) = self._call_exc_callbacks( +keys, options, e, ldap.get_entry, dn, attrs_list, +normalize=self.obj.normalize_dn +) +except errors.NotFound: +self.obj.handle_not_found(*keys) +for a in old_entry: +if not isinstance(entry_attrs[a], (list, tuple)): +entry_attrs[a] = [entry_attrs[a]] +entry_attrs[a] += old_entry[a] + if options.get('all', False): attrs_list = ['*'] else: 
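Review bot: in the first frontend.py hunk (@@ -519), dropping the `if attr not in self.params:` guard means --setattr/--addattr now also accept attributes that have a dedicated option on the command, so a caller can set such an attribute without passing through that Param's validation and normalization; consider still rejecting names that are in self.params, or running the value through the Param before it reaches newdict. In the same hunk the empty-value case assigns `value = None` before the append branch, so `--addattr=attr=` appends None to an existing list instead of deleting anything; an empty value on addattr should be an error.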
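Review bot: in the second frontend.py hunk (@@ -540), `adddict[k] += v` merges a setattr that set the attribute to [None] (the delete marker) with the appended values, giving e.g. [None, u'x'] which is then passed on as the new value list; treat --setattr=attr= together with --addattr=attr=x either as an error or drop the None before merging.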
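Review bot: in the baseldap.py hunk (@@ -415), the retry inside `except errors.ExecutionError, e:` calls `self._call_exc_callbacks(keys, options, e, ldap.get_entry, dn, attrs_list, ...)` but attrs_list is only assigned further down (`if options.get('all', False): attrs_list = ['*']`), so that path raises NameError instead of retrying; pass difflist here, as the first get_entry call does. Also `entry_attrs[a] += old_entry[a]` appends the stored values without checking for duplicates, so adding a value that already exists sends a repeated value in the replace; skip values already present. Minor: "addded" in the added explanatory text.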
@@ -432,35 +461,6 @@ class LDAPUpdate(LDAPQuery, crud.Update): self, ldap, dn,
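As an added example, not code from the patch or from FreeIPA: a small Python model of the merge rules the post describes (the last --setattr resets an attribute, every --addattr appends, an empty value means delete), replaying the post's sequence of user-mod calls on a dict that stands in for the LDAP entry. The two --addattr forms in the post that omit the attribute name are read as title=msb and title=bc (an assumption), and the None/duplicate edge cases are resolved explicitly.

```python
"""Added example, not code from the patch: a model of the --setattr/--addattr
merge rules the post describes, applied to a plain dict standing in for the
LDAP entry. The post's --addattr=msb / --addattr=bc are read as title=... (an
assumption)."""


def parse_attr_spec(spec):
    """Split 'attr=value' into (attr, value). An empty value becomes None,
    the marker the patch uses for "delete this attribute"."""
    attr, sep, value = spec.partition("=")
    if not sep or not attr.strip():
        raise ValueError("expected attr=value, got %r" % (spec,))
    value = value.strip()
    return attr.strip().lower(), (value if value else None)


def specs_to_dict(specs, append):
    """Mirror of the patch's __convert_2_dict: with append=False the last
    spec for an attribute wins, with append=True the values accumulate."""
    result = {}
    for spec in specs:
        attr, value = parse_attr_spec(spec)
        if append and attr in result:
            result[attr].append(value)
        else:
            result[attr] = [value]
    return result


def apply_mod(entry, setattr=(), addattr=()):
    """Return the entry (attribute -> list of values) as it would look after
    user-mod with the given options. `entry` itself is left untouched."""
    setdict = specs_to_dict(setattr, append=False)
    adddict = specs_to_dict(addattr, append=True)
    result = dict((k, list(v)) for k, v in entry.items())
    for attr in set(setdict) | set(adddict):
        # An attribute reset by setattr starts from the new value; one only
        # touched by addattr starts from its stored values, which is why the
        # baseldap.py hunk has to read them back with an extra get_entry.
        base = setdict[attr] if attr in setdict else result.get(attr, [])
        values = []
        for v in base + adddict.get(attr, []):
            # None (an empty value) means delete, so it never survives, and an
            # LDAP attribute cannot hold the same value twice, so duplicates
            # are dropped instead of being sent back in the replace.
            if v is not None and v not in values:
                values.append(v)
        if values:
            result[attr] = values
        else:
            result.pop(attr, None)
    return result


def replay_post_examples():
    """Run the sequence of user-mod calls from the post and return the title
    values after each step."""
    steps = [
        (["title=msc"], []),
        (["title=msb"], []),
        ([], ["title=msc"]),
        (["title="], []),
        (["title=msc"], ["title=msb"]),
        (["title=ing"], ["title=bc"]),
        (["title=doc"], []),
    ]
    entry = {"uid": ["testuser"]}   # constructed starting entry
    history = []
    for setattr, addattr in steps:
        entry = apply_mod(entry, setattr, addattr)
        history.append(entry.get("title", []))
    return history


if __name__ == "__main__":
    for titles in replay_post_examples():
        print("title: %s" % ", ".join(titles))
```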
[Freeipa-devel] [PATCH] Add new parameters to LDAPSearch: timelimit and sizelimit.
Doesn't include Robs loading of default values from cn=ipaConfig. Pavel From a81e2b42d16473b0102969246dcf81820b1930f0 Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Mon, 9 Aug 2010 19:56:14 -0400 Subject: [PATCH 4/4] Add new parameters to LDAPSearch: timelimit and sizelimit. --- ipalib/plugins/baseldap.py | 25 +++-- 1 files changed, 23 insertions(+), 2 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index abc1180..7e2fd4f 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -25,7 +25,7 @@ import json from ipalib import crud, errors, uuid from ipalib import Method, Object -from ipalib import Flag, List, Str +from ipalib import Flag, Int, List, Str from ipalib.base import NameSpace from ipalib.cli import to_cli, from_cli from ipalib import output @@ -827,6 +827,25 @@ class LDAPSearch(CallbackInterface, crud.Search): Retrieve all LDAP entries matching the given criteria. +takes_options = ( +Int('timelimit', +label=_('Time Limit'), +doc=_('Time limit of search in seconds (default 1)'), +flags=['no_dispaly'], +minvalue=0, +default=1, +autofill=True, +), +Int('sizelimit', +label=_('Size Limit'), +doc=_('Maximum number of entries returned (default 3000)'), +flags=['no_dispaly'], +minvalue=0, +default=3000, +autofill=True, +), +) + def get_args(self): for key in self.obj.get_ancestor_primary_keys(): yield key @@ -890,7 +909,9 @@ class LDAPSearch(CallbackInterface, crud.Search): try: (entries, truncated) = ldap.find_entries( -filter, attrs_list, base_dn, scope=ldap.SCOPE_ONELEVEL +filter, attrs_list, base_dn, scope=ldap.SCOPE_ONELEVEL, +time_limit=options.get('timelimit', 1), +size_limit=options.get('sizelimit', 3000) ) except errors.ExecutionError, e: try: -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
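Review bot: in the takes_options hunk (@@ -827) both Int parameters carry `flags=['no_dispaly']`; the flag name is misspelled, so it will not match 'no_display' (the name used for the env plugin fix elsewhere in this thread) and the options will be shown after all. A default of 1 second for timelimit is also very low for a larger directory and, as the follow-up review notes, fixes a value that bypasses the limits kept in cn=ipaconfig; consider shipping the options without a default so the global configuration can apply.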
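Review bot: in the find_entries hunk (@@ -890) the fallbacks `options.get('timelimit', 1)` and `options.get('sizelimit', 3000)` duplicate the defaults declared on the Int params; with autofill=True the keys are always present, so the literals are dead and will silently drift if the declared defaults change. Read the values without a fallback, or keep both in one module-level constant.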
Re: [Freeipa-devel] [Patch] Changes to the python infrastructure-supporting-the-web ui
On 2010-08-06 17:57, Adam Young wrote:
On 08/06/2010 11:51 AM, Rob Crittenden wrote:
Adam Young wrote:
This code contains the changes to the python code necessary to support the new web ui. It handles the changes to the baseldap code necessary to expose the meta data to the front end, as well as the installation support.

nack. About 75 tests are failing with this patch. I didn't investigate them in detail but it looks like memberof isn't being removed after a member attribute is converted.

wsgi.py has a ton of imports added that aren't being used.

There is an indentation change in ipalib/frontend.py that doesn't seem necessary.

The timelimit patch is going to conflict with a timelimit patch I had submitted previously (patch titled 'use time and search limit values from cn=ipaconfig'). Not even in terms of code but in forcing a default that does not tie into the global config. I think I'd rather have this as an optional argument do no default and autofill is needed.

rob

I'm going to fob this work off on pzuna, as these are his changes that I just merged in.

I split the baseldap.py changes into 4 patches and posted them on the list a few minutes ago.

Pavel
Re: [Freeipa-devel] [PATCH] Fix bug: not found exc. handler was failing for singleton objects
On 2010-08-09 23:00, Rob Crittenden wrote:
Pavel Zůna wrote:
Very minor bug, that would probably never happen in production anyway, but why not fix it.

Can you describe the situation this could occur in? How useful would the error be if the key isn't available?

rob

Well, I caught the bug thanks to a bad config file. The basedn was set to dc=example,dc=com and all searches were failing. The key isn't available for singleton objects such as config, example:

# ipa config-show
ipa: ERROR: : configuration options not found

Pavel
Re: [Freeipa-devel] [Patch] Simple-plugin-for-reflecting-user-principal
On 2010-08-04 01:49, Adam Young wrote:
This is a required patch for the UI code. Basically, the Kerberos authentication method does not provide any way for the web ui to know who logged in. With this patch, we can do the equivalent of 'ipa whoami' that returns the user principal in the summary field.

There are some unnecessary imports, but that's a very minor remark, so ACK.

Pavel
Re: [Freeipa-devel] [PATCH] 439 spec file cleanups
On 2010-05-10 20:11, Rob Crittenden wrote:
Remove references to Fedora 10 and add some tests for RHEL 6.

rob

ack.

Pavel
Re: [Freeipa-devel] [PATCH] 451 fix i18n test
On 2010-06-02 21:01, Rob Crittenden wrote:
Pavel Zuna wrote:
On 05/21/2010 11:35 PM, Rob Crittenden wrote:
Fix this test to work from source tree root

It would work if you ran the test from its location in tests/test_ipalib but this isn't the most common method. If you want to run it individually you can do:

$ ./make-test tests/test_ipalib/test_text.py

rob

Maybe I'm doing something wrong, but I'm still getting this one error:

==
ERROR: Test gettext translation
--
Traceback (most recent call last):
  File /usr/lib/python2.6/site-packages/nose/case.py, line 183, in runTest
    self.test(*self.arg)
  File /root/freeipa/tests/test_ipalib/test_text.py, line 89, in test_gettext
    msgid = get_msgid(test_file)
  File /root/freeipa/tests/test_ipalib/test_text.py, line 43, in get_msgid
    f = open(po_file)
IOError: [Errno 2] No such file or directory: 'install/po/test.po'

Pavel

I finally got around to figuring this out. The problem is that your test language hasn't been built yet. Try this:

$ make -C install/po test_lang
$ ./make-test tests/test_ipalib/test_text.py

Normally one executes this via 'make test' which will ensure that this dependency exists, I was using the 'run one test' option to demonstrate that it works.

rob

ack.

Pavel
Re: [Freeipa-devel] [PATCH] Correctly handle EmptyModlist exception in pwpolicy2-mod.
On 2010-05-10 15:44, Pavel Zuna wrote:
EmptyModlist exception was generated by pwpolicy2-mod when modifying policy priority only. It was because the priority attribute is stored outside of the policy entry (in a CoS entry) and there was nothing left to be changed in the policy entry. This patch uses the new exception callbacks in baseldap.py classes (introduced in my recent patch no. 0004) to catch the EmptyModlist exception and checks if there was really nothing to be modified before reraising the exception.

Pavel

Improved version attached:
- there was a bug that Rob pointed out in another thread - exceptions other than EmptyModlist were suppressed unintentionally
- the GLOBAL password policy was always displayed in searches using pwpolicy2-find, now it's only displayed if searching without criteria

Pavel

From 57b217e508846a633a66dcfab60c7d322c2722fc Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Mon, 10 May 2010 14:48:48 +0200
Subject: [PATCH 2/2] Correctly handle EmptyModlist exception in pwpolicy2-mod.

EmptyModlist exception was generated by pwpolicy2-mod when modifying policy priority only. It was because the priority attribute is stored outside of the policy entry (in a CoS entry) and there was nothing left to be changed in the policy entry. This patch uses the new exception callbacks in baseldap.py classes to catch the EmptyModlist exception and checks if there was really nothing to be modified before reraising the exception.

---
 ipalib/plugins/pwpolicy2.py | 22 +++---
 1 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/ipalib/plugins/pwpolicy2.py b/ipalib/plugins/pwpolicy2.py
index 797c081..d672292 100644
--- a/ipalib/plugins/pwpolicy2.py
+++ b/ipalib/plugins/pwpolicy2.py
@@ -276,12 +276,19 @@ class pwpolicy2_mod(LDAPUpdate): def post_callback(self, ldap, dn, entry_attrs, *keys, **options): if not options.get('raw', False): if options.get('cospriority') is not None: -entry_attrs['cospriority'] = [unicode(options['copriority'])] +entry_attrs['cospriority'] = [unicode(options['cospriority'])] if keys[-1] is None: entry_attrs['cn'] = GLOBAL_POLICY_NAME self.obj.convert_time_for_output(entry_attrs, **options) return dn +def exc_callback(self, keys, options, exc, call_func, *call_args, **call_kwargs): +if isinstance(exc, errors.EmptyModlist): +entry_attrs = call_args[1] +if not entry_attrs and 'cospriority' in options: +return +raise exc + api.register(pwpolicy2_mod) @@ -340,12 +347,13 @@ class pwpolicy2_find(LDAPSearch): except errors.NotFound: pass self.obj.convert_time_for_output(e[1], **options) -global_entry = self.api.Command.pwpolicy2_show( -all=options.get('all', False), raw=options.get('raw', False) -)['result'] -dn = global_entry['dn'] -del global_entry['dn'] -entries.insert(0, (dn, global_entry)) +if not args[-1]: +global_entry = self.api.Command.pwpolicy2_show( +all=options.get('all', False), raw=options.get('raw', False) +)['result'] +dn = global_entry['dn'] +del global_entry['dn'] +entries.insert(0, (dn, global_entry)) api.register(pwpolicy2_find) -- 1.6.6.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
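Review bot: in the pwpolicy2_mod hunk (@@ -276), exc_callback tests `'cospriority' in options` while post_callback in the same hunk tests `options.get('cospriority') is not None`; if the option is present with a None value the callback swallows EmptyModlist even though nothing was meant to change, so use the same `is not None` test in both places. `entry_attrs = call_args[1]` also relies on update_entry being invoked with entry_attrs as the second positional argument; a keyword call would turn this into an IndexError. The copriority -> cospriority fix is correct.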
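Review bot: in the pwpolicy2_find hunk (@@ -340) the `if not args[-1]:` guard limits the global policy row to criteria-less searches as intended, but the nested pwpolicy2_show call is not protected the way the per-entry lookups just above it are (`except errors.NotFound: pass`), so a missing global policy entry would make pwpolicy2-find fail outright rather than simply omit the row.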
Re: [Freeipa-devel] [PATCH] 432 add default open HBAC on install
On 2010-05-04 21:30, Rob Crittenden wrote:
Create an HBAC that allows all users to access all hosts from any host. This should make initial installation and testing easier. It is expected that this rule (allow_all) will be removed before deployment. In case you know you don't want this you can pass --no_hbac_allow to ipa-server-install and the rule won't be added.

rob

ack.

Pavel
Re: [Freeipa-devel] [PATCH] 433 improve hbac output
On 2010-05-04 21:31, Rob Crittenden wrote:
This patch adds more attributes to the default output and fixes up some labels.

rob

ack.

Pavel
Re: [Freeipa-devel] Use ldap2 instead of legacy LDAP code from v1 in installer scripts.
On 4/15/2010 8:18 PM, Rob Crittenden wrote:
Pavel Zůna wrote:
On 4/14/2010 4:35 PM, Rob Crittenden wrote:
Pavel Zuna wrote:
On 03/30/2010 10:27 PM, Rob Crittenden wrote:
Pavel Zuna wrote:
On 03/23/2010 09:40 PM, Rob Crittenden wrote:
Pavel Zuna wrote:
This is the first in a series of patches, that replace all the legacy code from v1 related to LDAP. I did some limited testing of the installer after this patch and nothing seems to break, but I didn't do replicas etc...

Pavel

nack. This breaks at least ipa-replica-manage, ipa-replica-prepare, ipa-server-certinstall and ipa-replica-install.

rob

Fixed patch attached.

Pavel

I'm not sure if you attached the wrong patch or not (it's dated 3/24) but things are still not working:

# ipa-replica-install replica-info-tiger.example.com.gpg
Directory Manager (existing master) password:
creation of replica failed: 'Env' object has no attribute 'basedn'
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

rob

Sorry for a late reply. Here's a patch that should finally work. I did a lot more testing and setting up a replica went smoothly every time.

Pavel

Lots better. I was able to create and manage replicas but ipa-dns-install isn't working:

# ipa-dns-install
The log file for this installation can be found in /var/log/ipaserver-install.log
==
This program will setup DNS for the FreeIPA Server.
This includes:
* Configure DNS (bind)
To accept the default shown in brackets, press the Enter key.
Existing BIND configuration detected, overwrite? [no]: y
Do you wish to configure DNS forwarders? [no]:
No DNS forwarders configured
Directory Manager password:
Unexpected error - see ipaserver-install.log for details:
'API' object has no attribute 'env_host'

Ouch, sorry about that. New patch attached.

Pavel

Still not working:

root : CRITICAL Could not modify principal's krbprincipalname=DNS/lion.greyoak@greyoak.com,cn=services,cn=accounts,dc=greyoak,dc=com entry
Unexpected error - see ipaserver-install.log for details:
The backtrace is:
  File /usr/sbin/ipa-dns-install, line 172, in module
    sys.exit(main())
  File /usr/sbin/ipa-dns-install, line 158, in main
    bind.create_instance()
  File /usr/lib/python2.6/site-packages/ipaserver/install/bindinstance.py, line 195, in create_instance
    self.start_creation(Configuring named:)
  File /usr/lib/python2.6/site-packages/ipaserver/install/service.py, line 237, in start_creation
    method()
  File /usr/lib/python2.6/site-packages/ipaserver/install/bindinstance.py, line 293, in __setup_principal
    raise e
('expected a string in the list', u'k')

rob

This is fixed in the ipa-dns-install patch I posted yesterday. I thought this wasn't caused by the changes made by the Use ldap2... patch. The problem here is that we call python-ldap with a unicode string. The string is generated from api.env constants that have become unicode a month or two ago. Anyway, I can always move the fix to this problem from the ipa-dns-install patch into this one. However I need to talk to Martin about the bindinstance.py file - I'll make sure to resolve this by the end of today.

Pavel
Re: [Freeipa-devel] [PATCH] Use escapes in DNs instead of quoting.
On 4/16/2010 5:09 PM, Rob Crittenden wrote:
Pavel Zuna wrote:
This patch effectively removes all LDAPv2 style quoted DNs and makes sure we don't use them anymore. KDC doesn't seem to have any problems with LDAPv3 style DNs, but I kept the option to disable DN normalization for now. I also had to add a new dollar variable for LDIF files: $ESCAPED_SUFFIX. We need it to create entries that contain the DN of another entry in their own, like the account activated/inactivated CoS entries.

What I tested:
- playing around with password policies and CoS entries using both pwpolicy and pwpolicy2
- changing user passwords to see if the policies apply
- re-installing IPA to see if the activated/inactivated CoS entries were OK
- user-lock/user-unlock

The patch depends on the pwpolicy2 plugin. Well, it doesn't depend on it, but won't apply without. I didn't realize before committing and couldn't get it back by re-basing, so...

Pavel

This fails to apply because the pwpolicy2 plugin hasn't been committed yet. You had suggested that this patch shouldn't be applied yet. Should I remove the pwpolicy2 part of this patch and push, rebase it, or what?

rob

I rebased the patch - attached. It no longer depends on pwpolicy2. I'm going to release an updated pwpolicy2 patch with quoting gone along with this one.

Pavel

0001-Use-escapes-in-DNs-instead-of-quoting.patch (application/mbox)
[Freeipa-devel] [PATCH] Add new pwpolicy plugin based on baseldap classes
Don't mind the numbering. This is a completely independent patch. It adds a new pwpolicy plugin based on baseldap.py classes. It has the same functionality as the current pwpolicy plugin, but a more clean and consistent interface, fine grained search capabilities, etc. This is actually an updated version of a patch I released some time ago, but it never got fully reviewed.

Pavel

0002-Add-new-pwpolicy-plugin-based-on-baseldap-classes.patch (application/mbox)
Re: [Freeipa-devel] [PATCH] Fix DNS plugin: proper output definitions, --all, dns-add-rr overwriting
On 4/14/2010 5:36 PM, Rob Crittenden wrote:
Pavel Zůna wrote:
On 4/13/2010 10:51 PM, Rob Crittenden wrote:
Pavel Zuna wrote:
The DNS plugin is getting old, tired and already looking forward to his pension in the Caribbean. It will be replaced soon by a younger, faster, safer, shorter (in terms of code) and more maintainable version. Until that happens, here's some medicine for the old guy:
- proper output definitions: the DNS plugin was created before we had the has_output attribute in place
- --all: this is related to the output definitions as Command.get_options() adds the --all and --raw options automatically if has_output contains entries
- dns-add-rr overwriting: missing .lower() caused records to be overwritten every time a new one was added from the CLI

Pavel

This looks ok but I wonder why you are defining your own Output definition instead of using the standard? The only difference seems to be that your custom one doesn't have a summary.

rob

Because the standard output definitions with entries make Command plugins automatically add the --all and --raw options. dns-*-rr commands aren't comfortable with it.

Can you be more specific? What doesn't work?

rob

There were conflicts with --all being defined explicitly by some of the commands. Also, dns-del-rr didn't expect any options and raised an exception when it received the automatically added --all/--raw. Anyway, I fixed those issues, so that we can use the standard definitions from ipalib/output.py. I guess I got lazy before or just wasn't thinking about it too much. :)

Modified patch attached.

Pavel

From 6073a12c78c4702916c7de4c5115a7ea1c62cdca Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com Date: Tue, 30 Mar 2010 18:56:02 +0200 Subject: [PATCH] Fix DNS plugin: proper output definitions, --all, dns-add-rr overwritting The DNS plugin is getting old, tired and already looking forward to his pension in the Carribean. It will be replaced soon by a younger, faster, safer, shorter (in terms of code) and more maintainable version. Until that happens, here's some medicine for the old guy: - proper output definitions: the DNS plugin was created before we had the has_output attribute in place - --all: this is related to the output definitions as Command.get_options() adds the --all and --raw options automatically if has_output contains entries - dns-add-rr overwritting: missing .lower() caused records to be overwritten everytime a new one was added from the CLI --- ipalib/plugins/dns.py | 29 +++-- 1 files changed, 15 insertions(+), 14 deletions(-) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index 5f6949a..4c81a8e 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py @@ -67,6 +67,7 @@ from ipalib import api, crud, errors, output from ipalib import Object, Command from ipalib import Flag, Int, Str, StrEnum from ipalib import _, ngettext +from ipalib.output import Output, standard_entry, standard_list_of_entries # parent DN _zone_container_dn = api.env.container_dns @@ -310,7 +311,7 @@ class dns_find(crud.Search): filter = ldap.make_filter_from_attr('idnsname', term, exact=False) # select attributes we want to retrieve -if options['all']: +if options.get('all', False): attrs_list = ['*'] else: attrs_list = _zone_default_attributes @@ -362,7 +363,7 @@ class dns_show(crud.Retrieve): dn = _get_zone_dn(ldap, idnsname) # select attributes we want to retrieve -if options['all']: +if options.get('all', False): attrs_list = ['*'] else: attrs_list = _zone_default_attributes 
@@ -492,11 +493,11 @@ class dns_add_rr(Command): ), ) -has_output = output.standard_entry +has_output = standard_entry def execute(self, zone, idnsname, type, data, **options): ldap = self.api.Backend.ldap2 -attr = '%srecord' % type +attr = ('%srecord' % type).lower() # build entry DN dn = _get_record_dn(ldap, zone, idnsname) @@ -593,11 +594,11 @@ class dns_del_rr(Command): ), ) -has_output = output.standard_entry +has_output = standard_entry -def execute(self, zone, idnsname, type, data): +def execute(self, zone, idnsname, type, data, **options): ldap = self.api.Backend.ldap2 -attr = '%srecord' % type +attr = ('%srecord' % type).lower() # build entry DN dn = _get_record_dn(ldap, zone, idnsname) @@ -635,9 +636,9 @@ class dns_del_rr(Command): (dn, entry_attrs) = ldap.get_entry(dn, ['idnsname', attr]) entry_attrs['dn'] = dn -return dict(result=result, value=idnsname) +return dict(result=entry_attrs, value=idnsname) -def output_for_cli(self, textui, result, zone, idnsname, type, data): +def output_for_cli(self, textui, result, zone, idnsname, type, data
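Review bot: in the dns_add_rr hunk (@@ -492), `attr = ('%srecord' % type).lower()` is the right fix for the overwrite bug, but the lowercased string then serves directly as an LDAP attribute name in the following get/update calls, so make sure `type` is validated against the fixed set of record types (the module already imports StrEnum for that purpose) before it is interpolated.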
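Review bot: in the dns_del_rr hunks (@@ -593 and @@ -635), accepting **options in execute() and returning entry_attrs instead of the undefined name `result` are both correct; of the names added by the import hunk (@@ -67), only standard_entry is referenced in the visible changes, so drop `Output` and `standard_list_of_entries` unless the rest of the module uses them.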
Re: [Freeipa-devel] Use ldap2 instead of legacy LDAP code from v1 in installer scripts.
On 4/14/2010 4:35 PM, Rob Crittenden wrote:
Pavel Zuna wrote:
On 03/30/2010 10:27 PM, Rob Crittenden wrote:
Pavel Zuna wrote:
On 03/23/2010 09:40 PM, Rob Crittenden wrote:
Pavel Zuna wrote:
This is the first in a series of patches, that replace all the legacy code from v1 related to LDAP. I did some limited testing of the installer after this patch and nothing seems to break, but I didn't do replicas etc...

Pavel

nack. This breaks at least ipa-replica-manage, ipa-replica-prepare, ipa-server-certinstall and ipa-replica-install.

rob

Fixed patch attached.

Pavel

I'm not sure if you attached the wrong patch or not (it's dated 3/24) but things are still not working:

# ipa-replica-install replica-info-tiger.example.com.gpg
Directory Manager (existing master) password:
creation of replica failed: 'Env' object has no attribute 'basedn'
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

rob

Sorry for a late reply. Here's a patch that should finally work. I did a lot more testing and setting up a replica went smoothly every time.

Pavel

Lots better. I was able to create and manage replicas but ipa-dns-install isn't working:

# ipa-dns-install
The log file for this installation can be found in /var/log/ipaserver-install.log
==
This program will setup DNS for the FreeIPA Server.
This includes:
* Configure DNS (bind)
To accept the default shown in brackets, press the Enter key.
Existing BIND configuration detected, overwrite? [no]: y
Do you wish to configure DNS forwarders? [no]:
No DNS forwarders configured
Directory Manager password:
Unexpected error - see ipaserver-install.log for details:
'API' object has no attribute 'env_host'

Ouch, sorry about that. New patch attached.

Pavel

From 6f1e71d1ad926b827d43c4dbcab768ecaa675389 Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com Date: Wed, 24 Mar 2010 15:51:31 +0100 Subject: [PATCH] Use ldap2 instead of legacy LDAP code from v1 in installer scripts. --- install/tools/ipa-compat-manage | 38 ++-- install/tools/ipa-dns-install| 18 +- install/tools/ipa-fix-CVE-2008-3274 | 63 +++-- install/tools/ipa-ldap-updater |2 - install/tools/ipa-nis-manage | 44 +++ install/tools/ipa-replica-install| 22 ++-- install/tools/ipa-replica-manage |8 ++-- install/tools/ipa-replica-prepare| 33 - install/tools/ipa-server-certinstall | 18 - install/tools/ipa-server-install | 24 ++--- ipaserver/plugins/ldap2.py | 22 +--- 11 files changed, 144 insertions(+), 148 deletions(-) diff --git a/install/tools/ipa-compat-manage b/install/tools/ipa-compat-manage index 09a06ca..b22ce77 100755 --- a/install/tools/ipa-compat-manage +++ b/install/tools/ipa-compat-manage @@ -22,12 +22,11 @@ import sys try: from optparse import OptionParser -from ipaserver import ipaldap from ipapython import entity, ipautil, config from ipaserver.install import installutils from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax, UPDATES_DIR +from ipaserver.plugins.ldap2 import ldap2 from ipalib import errors -import ldap import logging import re import krbV 
@@ -95,26 +94,29 @@ def main(): else: dirman_password = get_dirman_password() +conn = None try: +ldapuri = 'ldap://%s' % installutils.get_fqdn() try: -conn = ipaldap.IPAdmin(installutils.get_fqdn()) -conn.do_simple_bind(bindpw=dirman_password) -except ldap.LDAPError, e: +conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='') +conn.connect( +bind_dn='cn=directory manager', bind_pw=dirman_password +) +except errors.LDAPError, e: print An error occurred while connecting to the server. -print %s % e[0]['desc'] +print e return 1 if args[0] == enable: try: -conn.getEntry(cn=Schema Compatibility,cn=plugins,cn=config, - ldap.SCOPE_BASE, (objectclass=*)) +conn.get_entry('cn=Schema Compatibility,cn=plugins,cn=config') print Plugin already Enabled retval = 2 except errors.NotFound: print Enabling plugin -except ldap.LDAPError, e: +except errors.LDAPError, e: print An error occurred while talking to the server. -print %s % e[0]['desc'] +print e retval = 1 if retval == 0: @@ -127,17 +129,15 @@ def main(): # Make a quick hack foir now, directly delete the entries by name, # In future we should add
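Review bot: in the ipa-compat-manage main() hunk (@@ -95), the new connection is `ldapuri = 'ldap://%s' % installutils.get_fqdn()` followed by a simple bind as cn=directory manager, so the Directory Manager password crosses the network in the clear unless ldap2.connect negotiates TLS on its own; for a tool that always runs on the server itself prefer an ldapi:// URI, or make sure the connection is upgraded to TLS before the bind. Also `print e` on errors.LDAPError prints the exception object where the old code printed only `e[0]['desc']`; check that str() of the ldap2 wrapper's exceptions yields a readable message.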
[Freeipa-devel] [PATCH] Fix ipa-dns-install. It was failing when DNS was reinstalling.
I noticed a few bugs when DNS was reinstalling: - Service.move_service returned None, because the service entry was already in the right place - BindInstance didn't expect that. - We were passing a unicode string to python-ldap although we know it hates that. - We were catching all exception alike when modifying the dnsserver role group. It's no longer an error if the DNS principal is already present. I think Martin has some work in progess on the bindinstance.py file, so please don't push until he acks it. He might want to included these changes in his own patch. I had to fix these to test my own code in the installer and posted the patch to point out the bugs. Pavel From 2deba7ac45bb8dc2c52afb9fa7ecedb1d867fcbf Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Wed, 14 Apr 2010 18:52:12 +0200 Subject: [PATCH] Fix ipa-dns-install. It was failing when DNS was reinstalling. --- ipaserver/install/bindinstance.py | 11 +-- 1 files changed, 9 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index 105cf4e..ff1e4e4 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -263,7 +263,12 @@ class BindInstance(service.Service): # Store the keytab on disk self.fstore.backup_file(/etc/named.keytab) installutils.create_keytab(/etc/named.keytab, dns_principal) -dns_principal = self.move_service(dns_principal) +p = self.move_service(dns_principal) +if p is None: +# the service has already been moved, perhaps we're doing a DNS reinstall +dns_principal = krbprincipalname=%s,cn=services,cn=accounts,%s % (dns_principal, self.suffix) +else: +dns_principal = p # Make sure access is strictly reserved to the named user pent = pwd.getpwnam(self.named_user) 
@@ -284,10 +289,12 @@ class BindInstance(service.Service): raise e dns_group = cn=dnsserver,cn=rolegroups,cn=accounts,%s % self.suffix -mod = [(ldap.MOD_ADD, 'member', dns_principal)] +mod = [(ldap.MOD_ADD, 'member', str(dns_principal))] try: conn.modify_s(dns_group, mod) +except ldap.TYPE_OR_VALUE_EXISTS: +pass except Exception, e: logging.critical(Could not modify principal's %s entry % dns_principal) raise e -- 1.6.6 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
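Review bot: in the move_service hunk (@@ -263), the fallback `krbprincipalname=%s,cn=services,cn=accounts,%s % (dns_principal, self.suffix)` assembles a DN by string formatting with the principal inserted unescaped, so any DN-special character in the value produces a malformed DN; escape the RDN value (python-ldap's ldap.dn.escape_dn_chars) instead of formatting it raw. The fallback also duplicates the DN layout move_service already knows; returning the existing DN from move_service when the entry is already in place would remove the special case here.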
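Review bot: in the modify_s hunk (@@ -284), `except Exception, e: ... raise e` re-raises the caught object and under Python 2 that replaces the original traceback with this frame, so the backtrace quoted earlier in the thread points at `raise e` rather than the real failure; use a bare `raise`. The added `except ldap.TYPE_OR_VALUE_EXISTS: pass` is right for a reinstall, and `str(dns_principal)` avoids the unicode problem the cover letter describes but will raise UnicodeEncodeError for a non-ASCII DN; encoding to UTF-8 is the safer conversion.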
[Freeipa-devel] [PATCH] Fix output of commands, that do not return entries.
This patch fixes Command.output_for_cli for the env plugin. Before we assumed, that a list/tuple is always a list of entries and a dict is always an entry. Still, this solution isn't perfect. I think, that in the future, we should allow Output subclasses to control the way we output values instead of doing type-based output in Command.output_for_cli.

Pavel

0001-Fix-output-for-commands-that-do-not-return-entries.patch (application/mbox)
[Freeipa-devel] [PATCH] Fix output of env plugin. It displayed more than it should.
Some outputs were missing the 'no_display' flag.

Pavel

0001-Fix-output-of-env-plugin.-It-displayed-more-than-it-.patch (application/mbox)
Re: [Freeipa-devel] [PATCH] Fix output of commands, that do not return entries.
Rob Crittenden wrote:
Pavel Zůna wrote:
Pavel Zůna wrote:
This patch fixes Command.output_for_cli for the env plugin. Before we assumed, that a list/tuple is always a list of entries and a dict is always an entry. Still, this solution isn't perfect. I think, that in the future, we should allow Output subclasses to control the way we output values instead of doing type-based output in Command.output_for_cli.

Pavel

Before anyone asks... :)

I also changed the default value of the print_all argument in textui.print_entry from False to True. I think it makes more sense this way, because:
1) if order is None, it will still print something
2) if order is not None, it will print what's in order first and then the rest
3) commands that care about the print_all argument have to set it in any case, those that don't care usually want to print everything

Why not set the default for print_all in print_entries() to True as well?

That's just a mistake I made. Fixed.

Seems like this reasoning should be documented in the function as well. Particularly how print_all gets handled when one returns Entries or a ListOfEntries vs just returning a dict/tuple (where --all controls whether everything is printed in the former and defaults to everything in the latter assuming print_entries also ends up defaulting to True).

Added docstring for Command.output_for_cli and also updated the docstring for Command.get_options with info about --all/--raw.

rob

New patch attached.

Pavel

0001-Fix-output-for-commands-that-do-not-return-entries.patch (application/mbox)
[Freeipa-devel] [PATCH] Add interface for baseldap plugins to register additional callbacks.
This is somewhat of a tech-preview patch. It works, but the whole concept
might need some more work/thinking done.

It adds another way to extend plugins without resorting to the versioning
system. Until now, every baseldap command had two callbacks. The
pre-callback called before data was passed to python-ldap and the
post-callback called after. This patch introduces class methods that enable
the registration of new pre/post callbacks. It supports top level functions
as well, so you don't have to touch the original class at all.

It works like this:

    from ipalib.plugins.user import user_show

    def test_callback(inst, ldap, dn, attrs_list, *keys, **options):
        inst.log.info('hello callback world!')
        attrs_list[:] = ['uid']  # only retrieve the user name (change the list in place)
        return dn

    user_show.register_pre_callback(test_callback)

The original callbacks defined in the class are always called first.

Pavel

Attachment: 0001-Add-interface-for-baseldap-plugins-to-register-addit.patch
Re: [Freeipa-devel] [PATCH] Add interface for baseldap plugins to register additional callbacks.
Rob Crittenden wrote:
> Pavel Zůna wrote:
>> This is somewhat of a tech-preview patch. It works, but the whole concept
>> might need some more work/thinking done.
>>
>> It adds another way to extend plugins without resorting to the versioning
>> system. Until now, every baseldap command had two callbacks. The
>> pre-callback called before data was passed to python-ldap and the
>> post-callback called after. This patch introduces class methods that
>> enable the registration of new pre/post callbacks. It supports top level
>> functions as well, so you don't have to touch the original class at all.
>>
>> It works like this:
>>
>>     from ipalib.plugins.user import user_show
>>
>>     def test_callback(inst, ldap, dn, attrs_list, *keys, **options):
>>         inst.log.info('hello callback world!')
>>         attrs_list[:] = ['uid']  # only retrieve the user name (change the list in place)
>>         return dn
>>
>>     user_show.register_pre_callback(test_callback)
>>
>> The original callbacks defined in the class are always called first.
>>
>> Pavel
>
> I think I'd like another registration argument, sort of a hint on where
> you'd like this plugin registered: first or last (defaulting to last). We
> wouldn't necessarily guarantee where the plugin would get registered but
> we could easily handle prepending or appending the new registration.

The argument is already there, but as you said, it doesn't guarantee a
specific order. The in-class callback is added when the plugin instance is
created and is inserted at the beginning of the list. More callbacks could
theoretically be added later before this one, but that probably won't happen.

> Not sure how complicated we want this to be but we could also add a
> dependency system, so that if some other callback is registered, then this
> one comes first (or registration fails), etc.

A priority system might be better and easier to implement in this case.

I'm also thinking of making the callback signature common for all commands
(even though they have different needs) and adding a context variable
callbacks could use to pass data to each other.

> rob

By the way, the approach with class methods and class attributes I'm using
is 100% compatible with the versioning system I proposed before. You can do
this for example:

    class user_show(...):
        VERSION = (1, 0)
        ...

    user_show.register_pre_callback(some_callback)
    user_show.register_pre_callback(some_other_callback)

    class user_show(user_show):
        VERSION = (1, 1)
        ...

And the new user_show class will have all the callbacks for the previous
version. Isn't that cool? Man, I love python. It's the hacker's holy grail. :D

Pavel
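The registration mechanism Pavel describes above, together with the "first or last" hint Rob asks for, as an added example that is not FreeIPA's code: the LDAPRetrieve base class, the StubLDAP class and its directory contents, the user_show/user_show_v11 classes and the audit/only_uid/add_dn callbacks are all constructed for this illustration. It keeps the in-class callback ahead of everything registered later, stores registrations in each class's own __dict__ so that a subclass (a later VERSION of the same command) inherits its parent's callbacks without sharing one list, and shows why a callback that narrows attrs_list has to change the list in place.

```python
# Added example (not FreeIPA code): a minimal per-class pre/post callback
# registry of the kind discussed in this thread.  The directory is a
# constructed in-memory stub; nothing here talks to a real LDAP server.
from typing import Callable, Dict, List

# Constructed sample entry standing in for a 389-ds user object.
FAKE_DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    'uid=admin,cn=users,cn=accounts,dc=example': {
        'uid': ['admin'],
        'cn': ['Administrator'],
        'userpassword': ['{SSHA}not-a-real-hash'],
        'memberof': ['cn=admins,cn=groups,cn=accounts,dc=example'],
    },
}


class StubLDAP:
    """Returns only the attributes that were asked for, like a real search."""

    def get_entry(self, dn: str, attrs_list: List[str]) -> Dict[str, List[str]]:
        entry = FAKE_DIRECTORY[dn]
        return {a: list(v) for a, v in entry.items() if a in attrs_list}


class LDAPRetrieve:
    """Base command: execute() runs the in-class callback first, then the registered ones."""

    default_attributes = ['uid', 'cn', 'userpassword', 'memberof']

    def __init__(self) -> None:
        self.log: List[str] = []

    @classmethod
    def _own(cls, name: str) -> List[Callable]:
        # The list lives in this class's own __dict__: parent and child never
        # share one list, so registering on a child cannot affect the parent.
        if name not in cls.__dict__:
            setattr(cls, name, [])
        return cls.__dict__[name]

    @classmethod
    def register_pre_callback(cls, func: Callable, first: bool = False) -> Callable:
        lst = cls._own('_pre_callbacks')
        if first:
            lst.insert(0, func)
        else:
            lst.append(func)
        return func

    @classmethod
    def register_post_callback(cls, func: Callable, first: bool = False) -> Callable:
        lst = cls._own('_post_callbacks')
        if first:
            lst.insert(0, func)
        else:
            lst.append(func)
        return func

    @classmethod
    def registered(cls, name: str) -> List[Callable]:
        # Walk the MRO base-first: callbacks registered on a parent class (an
        # earlier VERSION) run before those registered on the subclass.
        out: List[Callable] = []
        for klass in reversed(cls.__mro__):
            out.extend(klass.__dict__.get(name, []))
        return out

    # Default in-class callbacks; subclasses override these.
    def pre_callback(self, ldap, dn, attrs_list, *keys, **options):
        return dn

    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
        return dn

    def execute(self, *keys, **options):
        ldap = StubLDAP()
        dn = 'uid=%s,cn=users,cn=accounts,dc=example' % keys[-1]
        attrs_list = list(self.default_attributes)
        for cb in [type(self).pre_callback] + self.registered('_pre_callbacks'):
            dn = cb(self, ldap, dn, attrs_list, *keys, **options)
        entry = ldap.get_entry(dn, attrs_list)
        for cb in [type(self).post_callback] + self.registered('_post_callbacks'):
            dn = cb(self, ldap, dn, entry, *keys, **options)
        return dict(result=entry, value=keys[-1])


class user_show(LDAPRetrieve):
    VERSION = (1, 0)

    def pre_callback(self, ldap, dn, attrs_list, *keys, **options):
        # In-class callback: never read the password hash back.
        if 'userpassword' in attrs_list:
            attrs_list.remove('userpassword')
        return dn


def audit(inst, ldap, dn, attrs_list, *keys, **options):
    inst.log.append('reading %s' % dn)
    return dn


def only_uid(inst, ldap, dn, attrs_list, *keys, **options):
    # Narrow the search to the user name.  The list must be changed in place;
    # rebinding the name (attrs_list = ['uid']) would never reach execute().
    attrs_list[:] = ['uid']
    return dn


def add_dn(inst, ldap, dn, entry_attrs, *keys, **options):
    if options.get('all'):
        entry_attrs['dn'] = [dn]
    return dn


user_show.register_pre_callback(audit, first=True)
user_show.register_post_callback(add_dn)


class user_show_v11(user_show):
    VERSION = (1, 1)


# Registered on the new version only; audit and add_dn are inherited from (1, 0).
user_show_v11.register_pre_callback(only_uid)


def demo():
    """Run both versions; (1, 1) gets every callback of (1, 0) plus its own."""
    return user_show().execute('admin', all=True), user_show_v11().execute('admin', all=True)
```

demo() returns the (1, 0) result with uid, cn, memberof and dn but no userpassword, and the (1, 1) result reduced to uid and dn, because only_uid ran after the inherited audit callback and before the read. Looking callbacks up through the MRO at call time, rather than copying the parent's list when the subclass is created, is what makes a registration on user_show after user_show_v11 was defined still apply to both.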
Re: [Freeipa-devel] [PATCH] 387 fix test failures
Rob Crittenden wrote:
> This fixes the failures in the Env due to switching to unicode internally.
> Now that --all works this also adds the dn to the output in the XML-RPC
> tests.
>
> rob

ack.

Pavel
[Freeipa-devel] [PATCH] Fix bug where parameter cloning didn't clone validating rules.
I thought we had validation fixed, but this little bit was still missing.

Pavel

Attachment: 0001-Fix-bug-where-parameter-cloning-didn-t-clone-validat.patch
[Freeipa-devel] [DOC] about netgroups
I was asked to complete the documentation of IPA commands on the internal
wiki. Unfortunately, I currently don't have access to it and have decided to
put some of the information I've been gathering here on freeipa-devel. It's
not a secret after all and is easier to review by other team members. I'm
going to put this on the wiki as soon as I can.

So, in the first (and possibly last) issue of CommandDocs(tm), we're going
to look at netgroups and commands related to them.

What are netgroups?
===================

Netgroups are a concept introduced in the directory service NIS. They are
supposed to contain users, hosts (machines) and other netgroups. Here are a
few examples of why such groups can be useful:

http://directory.fedoraproject.org/wiki/Howto:Netgroups#What_are_NIS_netgroups_good_for.3F

Don't continue reading after the "What are NIS netgroups good for?" part.
Netgroup entries are different in IPA.

Some more info about netgroups (optional reading; I'll explain most of the
important stuff):

http://www.softpanorama.org/Net/Application_layer/NIS/nis_netgroups.shtml

How do we store netgroups in the IPA backend (LDAP)?
====================================================

NIS groups traditionally contain a so called netgroup triple of the format:

    (machine, user, domain)

    machine - machine name, a host name
    user    - user name
    domain  - NIS domain of the machine and user

Note that there is no necessary relationship between the machine and the
user. Only one of those fields is usually used at a time to avoid confusion.

In IPA, we don't use the triple anymore. It's ugly and unclear. Instead we
use the membership relationship between LDAP entries. You simply add users,
hosts and even their groups as members of a netgroup. The domain field is
constant for each netgroup and defaults to the current IPA domain.

Example of a netgroup displayed using the IPA CLI:

    # ipa netgroup-show net1
      Netgroup name: net1
      Description: test netgroup
      NIS domain name: pzuna
      Member User: admin
      Member Host: testbox.pzuna

What commands are available in IPA for handling netgroups?
==========================================================

The management plugin for netgroups in IPA conforms to the CRUD command
naming conventions used in all other plugins that come with the default IPA
installation.

Creating new netgroups
----------------------

    ipa netgroup-add NAME [--desc=DESCRIPTION] [--nisdomain=NISDOMAIN]

NAME is the name of the netgroup (can be anything, but must be unique)
DESCRIPTION is the netgroup description (required)
NISDOMAIN is the NIS domain name, defaults to the current IPA domain

Deleting netgroups
------------------

    ipa netgroup-del NAME

Displaying netgroups
--------------------

    ipa netgroup-show NAME

Modifying netgroups
-------------------

    ipa netgroup-mod NAME [--desc=DESCRIPTION] [--nisdomain=NISDOMAIN]

Same as `ipa netgroup-add`, except modifying description is required and
NISDOMAIN doesn't default to anything.

Searching for netgroups
-----------------------

    ipa netgroup-find [CRITERIA] [--name=NAME] [--desc=DESCRIPTION] [--nisdomain=NISDOMAIN] [--uuid=UUID]

CRITERIA is an optional substring that has to appear in either the name, the
description or the NIS domain of the groups you're looking for.
Other options are the same as `ipa netgroup-add`, except nothing is required
and nothing defaults to anything. There's a new UUID option that allows
searching netgroups by ipaUniqueID. If one of these options is set, the
command returns only exact matches of this option.

Adding users and hosts to netgroups
-----------------------------------

    ipa netgroup-add-member NAME [--users=USERS] [--groups=GROUPS] [--hosts=HOSTS] [--hostgroups=HOSTGROUPS] [--netgroups=NETGROUPS]

USERS, GROUPS, HOSTS, HOSTGROUPS, NETGROUPS are comma-separated lists of
names of the appropriate objects.

Removing users and hosts from netgroups
---------------------------------------

    ipa netgroup-remove-member NAME [--users=USERS] [--groups=GROUPS] [--hosts=HOSTS] [--hostgroups=HOSTGROUPS] [--netgroups=NETGROUPS]

Same as `netgroup-add-member`.

Examples
========

    # ipa netgroup-add net0 --desc="test netgroup"
      Netgroup name: net0
      Description: test netgroup
      NIS domain name: pzuna
      IPA unique ID: 9e6e089c-2089-11df-b677-5452004c033a

    # ipa netgroup-mod net0 --desc="description change"
      Netgroup name: net0
      Description: description change
      NIS domain name: pzuna

    # ipa netgroup-add-member net0 --users=admin --hosts=testbox.pzuna
      Netgroup name: net0
      Description: description change
      NIS domain name: pzuna
      Member User: admin
      Member Host: testbox.pzuna
    -------------------------
    Number of members added 2
    -------------------------

    # ipa netgroup-remove-member net0 --users=admin
      Netgroup name: net0
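An added example, not part of the message above and not IPA's code: a parser for the classic NIS netgroup triples the message contrasts with IPA's membership model, an innetgr()-style membership check that follows nested netgroups (and survives a netgroup that lists itself), and a translation of one netgroup into the Member User / Member Host / member netgroup lists that netgroup-show displays. The wildcard rules (an empty field matches anything, '-' matches nothing, a query that does not care about a field passes None) are the usual NIS ones and are assumed here; the netgroup map is constructed. It goes one step beyond the text by reporting a netgroup whose triples disagree on the domain, which IPA's single per-netgroup NIS domain cannot represent.

```python
# Added example, not IPA code: NIS netgroup triples parsed, checked and
# translated into the per-object member lists IPA uses instead.
import re
from typing import Dict, List, Optional, Set, Tuple

Triple = Tuple[str, str, str]
NetgroupMap = Dict[str, Tuple[List[Triple], List[str]]]

# Constructed sample map; names echo the ones used in the message.
SAMPLE_MAP = """
# name   triples (host,user,domain)...   nested netgroups...
net0     (testbox.pzuna,,pzuna) (,admin,pzuna) net1
net1     (,alice,pzuna) (-,-,pzuna)
mixed    (,carol,pzuna) (,dave,other)
loop     net0 loop
"""

_TRIPLE = re.compile(r'\(([^,()]*),([^,()]*),([^,()]*)\)')


def parse_netgroup_map(text: str) -> NetgroupMap:
    """Parse 'name (h,u,d) ... nested ...' lines; '#' starts a comment."""
    groups: NetgroupMap = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        name, rest = parts[0], (parts[1] if len(parts) > 1 else '')
        triples = [tuple(f.strip() for f in m.groups()) for m in _TRIPLE.finditer(rest)]
        nested = _TRIPLE.sub(' ', rest).split()      # whatever is not a triple is a netgroup name
        groups[name] = (triples, nested)
    return groups


def _matches(pattern: str, value: Optional[str]) -> bool:
    if value is None:          # caller does not constrain this field (assumed innetgr semantics)
        return True
    if pattern == '-':         # explicit "no value": never matches
        return False
    return pattern == '' or pattern == value


def is_member(groups: NetgroupMap, netgroup: str, host: Optional[str] = None,
              user: Optional[str] = None, domain: Optional[str] = None,
              _seen: Optional[Set[str]] = None) -> bool:
    """innetgr()-style check that follows nested netgroups and survives cycles."""
    seen = _seen if _seen is not None else set()
    if netgroup in seen or netgroup not in groups:
        return False
    seen.add(netgroup)
    triples, nested = groups[netgroup]
    for h, u, d in triples:
        if _matches(h, host) and _matches(u, user) and _matches(d, domain):
            return True
    return any(is_member(groups, n, host, user, domain, seen) for n in nested)


def to_ipa_members(groups: NetgroupMap, netgroup: str) -> Dict[str, object]:
    """Direct members the IPA way: explicit hosts, users and nested netgroups.

    IPA keeps one NIS domain per netgroup, so a triple list that mixes domains
    cannot be represented 1:1; that is reported rather than silently dropped.
    """
    triples, nested = groups[netgroup]
    hosts = sorted({h for h, _, _ in triples if h not in ('', '-')})
    users = sorted({u for _, u, _ in triples if u not in ('', '-')})
    domains = {d for _, _, d in triples if d not in ('', '-')}
    return {
        'hosts': hosts,
        'users': users,
        'netgroups': list(nested),
        'nisdomain': next(iter(domains)) if len(domains) == 1 else None,
        'mixed_domains': len(domains) > 1,
    }
```

With the sample map, is_member(groups, 'net0', host='testbox.pzuna', domain='pzuna') is true through the first triple, is_member(groups, 'net0', host='other', user='alice', domain='pzuna') is true only through the nested net1, and the self-referencing 'loop' entry terminates instead of recursing forever. Note that a host-only triple such as (testbox.pzuna,,pzuna) matches every user on that host, which is exactly the ambiguity the message's "only one of those fields is usually used at a time" remark is about.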
Re: [Freeipa-devel] [PATCHES] Bring back old outputting functionality
Jason Gerard DeRose wrote:
> On Wed, 2010-02-10 at 10:30 -0500, Rob Crittenden wrote:
>> Pavel Zuna wrote:
>>> What I'm saying is that the Env object stores all strings as str and
>>> the env command uses the same output_for_cli as LDAP commands, that
>>> only use str for binary. So, we either need to override output_for_cli
>>> or switch to unicode in Env.
>>
>> Not exactly sure what to do here though using unicode seems like the
>> best route.
>
> Yes, we should store the env as `unicode`... this is something I've been
> meaning to do. I originally left them as `str` because I was having
> problems using `unicode` somewhere (maybe it was python-ldap), but we
> should just fix this special case in the appropriate place.

That's possible, python-ldap seems to hate everything except str and list.

> As I wrote the latest Env version (using Martin's work as a starting
> point), I can make this change.

Actually, if you didn't start on it yet, I would take this task onto myself
as I already did some experiments to see if it would work and I should be
able to have a patch by tomorrow.

Should this be post-alpha?

Pavel
Re: [Freeipa-devel] [PATCH] 354 removing bogus code
Rob Crittenden wrote:
> Somehow the same block of code got added twice to ipa-rmkeytab causing,
> not surprisingly, a double-free. This resolves it.
>
> rob

ack

Pavel
Re: [Freeipa-devel] [PATCH] Add {user, host, sourcehost}Category to HBAC and make accessTime multivalue.
Rob Crittenden wrote:
> Pavel Zuna wrote:
>> Rob Crittenden wrote:
>>> Pavel Zuna wrote:
>>>> Due to the format of accessTime (it has commas and spaces in it), we
>>>> can't use the List parameter type. I made it so that accessTime values
>>>> have to be entered one by one using new commands.
>>>>
>>>> We also agreed that we're going to rename the GeneralizedTime parameter
>>>> to AccessTime to prevent confusion with the RFC 4517 standard. I
>>>> attached a separate patch for clarity.
>>>>
>>>> Pavel
>>>
>>> A couple of questions:
>>>
>>> - Would it make sense to leave time in as an option that takes a
>>>   singular value? If someone wants multiple times they can use the new
>>>   add interface, right?
>>
>> It would and I think it's a good idea, updated patch attached.
>>
>>> - What are these new enums for? If there is only one choice do you
>>>   really have a choice?
>>
>> Well for now, we only have the 'all' in categories, but the list is
>> expected to grow. At first I didn't include categories in the plugin
>> because of this, but Sumit wanted it to be complete.
>>
>>> - We still need some tests for GeneralizedTime/AccessTime.
>>
>> Ok, added to my TODO list.
>
> The patch isn't applying for me:
>
> $ patch -p1 --dry-run < 0003-Fix-takes_options-in-automount-plugin.patch
> patching file ipalib/plugins/hbac.py
> patching file tests/test_xmlrpc/test_hbac_plugin.py
> Hunk #1 FAILED at 52.
> Hunk #2 FAILED at 84.
> 2 out of 3 hunks FAILED -- saving rejects to file tests/test_xmlrpc/test_hbac_plugin.py.rej
>
> Since you have to mess with this anyway, can you:
>
> - add another test to also test adding the access time on the add. You
>   added back the capability but the tests are still removed AFAICT.
> - add a FUTURE or FIXME comment indicating that the enumerators are
>   future-proofing things by making them a 1-option enumerator for now?
>
> rob

Fixed patch attached.

Pavel

Attachment: 0001-Add-user-host-sourcehost-Category-to-HBAC-and-make.patch
Attachment: 0002-Rename-GeneralizedTime-to-AccessTime.patch
Re: [Freeipa-devel] [PATCH] 285 CRL publishing
Rob Crittenden wrote:
> This enables CRL publishing by dogtag to a place where Apache can get the
> files. I have to do a couple of tricks here because dogtag is an optional
> component. This is why in the installer I first see if the dogtag SELinux
> policy is installed and if not add it. Similarly the installer will remove
> it upon uninstall.
>
> The policy itself just lets dogtag write to some Apache-labeled
> directories. dogtag uses symlinks to mark the latest CRL hence the
> permissions for links.
>
> rob

The patch looks fine, except that it doesn't apply on the current tree.

Pavel
Re: [Freeipa-devel] Re: [PATCHES] Make plugins use baseldap classes.
Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Pavel Zuna wrote:
>>> Rob Crittenden wrote:
>>>> Pavel Zůna wrote:
>>>>> This is a series of patches that depends on patches:
>>>>> - Improve attribute printing in the CLI.
>>>>> - Improve ipalib.plugins.baseldap classes.
>>>>>
>>>>> All plugins are converted to extend baseldap classes. This makes things
>>>>> more consistent, fixes some general bugs (with return values for
>>>>> example) and it also makes plugins easier to maintain (as it removes a
>>>>> lot of duplicate code). Because baseldap classes have features that
>>>>> enable us to define relationships between plugins, I thought it might
>>>>> be best to submit all of the conversions at once and have all the
>>>>> relationships fully defined.
>>>>>
>>>>> Affected plugins: config user host service group hostgroup netgroup
>>>>> rolegroup taskgroup pwpolicy
>>>>>
>>>>> There's also a patch that fixes all unit tests.
>>>>>
>>>>> Jenny, I included you in Cc, because the patch introduces a lot of
>>>>> changes to the UI (and you're probably not going to like me for this).
>>>>> Each command extending the LDAP* base classes now has a --raw option.
>>>>> Without it, data from LDAP is formatted and translated to human
>>>>> readable. For example:
>>>>>
>>>>> # ipa user-show admin --all
>>>>> --
>>>>> user-show:
>>>>> --
>>>>>   User: admin
>>>>>   user id: admin
>>>>>   full name: Administrator
>>>>>   last name: Administrator
>>>>>   home directory: /home/admin
>>>>>   login shell: /bin/bash
>>>>>   uid number: 999
>>>>>   gid number: 1001
>>>>>   gecos: Administrator
>>>>>   kerberos principal: ad...@pzuna
>>>>>   last password change: 20090904122852Z
>>>>>   password expiration: 20091203122852Z
>>>>>   member of groups: admins
>>>>>
>>>>> # ipa user-show admin --all --raw
>>>>> --
>>>>> user-show:
>>>>> --
>>>>>   dn: uid=admin,cn=users,cn=accounts,dc=pzuna
>>>>>   uid: admin
>>>>>   cn: Administrator
>>>>>   sn: Administrator
>>>>>   homedirectory: /home/admin
>>>>>   loginshell: /bin/bash
>>>>>   uidnumber: 999
>>>>>   gidnumber: 1001
>>>>>   gecos: Administrator
>>>>>   krbprincipalname: ad...@pzuna
>>>>>   krblastpwdchange: 20090904122852Z
>>>>>   krbpasswordexpiration: 20091203122852Z
>>>>>   memberof: cn=admins,cn=groups,cn=accounts,dc=pzuna
>>>>>   objectclass: top
>>>>>   objectclass: person
>>>>>   objectclass: posixaccount
>>>>>   objectclass: krbprincipalaux
>>>>>   objectclass: inetuser
>>>>>
>>>>> Advantages: more user friendly, allows for easy localization,
>>>>> translation of DNs to primary keys (immediately usable as input to
>>>>> other plugin commands)
>>>>>
>>>>> I recommend that you use the --raw flag for testing.
>>>>>
>>>>> I know it's a lot of changes, so I set up a git repo at:
>>>>> git://fedorapeople.org/~pzuna/freeipa.git
>>>>>
>>>>> It should be up-to-date with master and all my patches are applied
>>>>> there. I hope it makes reviewing them at least a bit easier.
>>>>>
>>>>> Pavel
>>>>
>>>> Why are you using a pre_callback() to define default values instead of
>>>> using default_from? It seems clearer to use that.
>>>
>>> You're probably referring to the user plugin, where gecos and
>>> krbprincipalname defaults are set inside pre_callback. It's a residue
>>> from some time ago when we didn't use autofill=True with default_from
>>> and it didn't have any effect on optional parameters. It's a small
>>> change, but I included an updated version of the patch with this email.
>>
>> Ok. I gather you've moved a lot of logic into the pre_callback plugin to
>> avoid overriding execute? One other goal we wanted was to allow plugins
>> to extend other plugins and this may be a good step on the way there. So
>> for example, a user wants to be able to set some extra objectclass, they
>> could do it with a similar pre_callback extension to the user plugin
>> (once we do the plumbing for it, that is).

Right. The goal is to have a common execute in the baseclass that does most
of the dirty work and let the user/plugin author add the specifics of his
plugin in the pre/post callbacks. All the data generated by the base (before
calling python-ldap) is available for modification in the pre-callbacks and
all data coming out of python-ldap is made available in the post-callback.
And yes, the plugins could be almost endlessly extended this way. For
example, someone could do this:

    from ipalib import api
    from ipalib.plugins.user import user_add

    class user_add_extended(user_add):
        def pre_callback(self, ldap, dn, entry_attrs, *keys, **options):
            # let the original user_add plugin do its job
            dn = super(user_add_extended, self).pre_callback(
                ldap, dn, entry_attrs, *keys, **options)
            # add an extra object class
            entry_attrs['objectclass'].append('new_object_class')
            return dn

    api.register(user_add_extended)

> This also duplicates some values in the attribute_names() dictionary. I
> wonder if this can be either created from the parameters or define a
> global set somewhere that covers all plugins.

I know, but I couldn't find a better solution. I thought we could add
something like a 'real_name' kwarg to params, but this has 2 main
disadvantages:
1) it only makes sense with parameters that refer to an LDAP attribute
2) it doesn't work for attributes with no param counterparts

The global set is a good idea as long as we consider only our own plugins.
3rd
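The "translation of DNs to primary keys" the thread mentions (memberof: cn=admins,cn=groups,cn=accounts,dc=pzuna shown as "member of groups: admins"), as an added example that is not FreeIPA's code. It uses a DN parser that honours RFC 4514 escaping, so an escaped comma inside a group name does not split the DN in the wrong place, and it only translates DNs that sit directly under the groups container, so a DN from cn=users (or any other container) is never presented as a group name. The container DN is an assumption taken from the --raw output above; the function names are my own.

```python
# Added example, not FreeIPA code: memberof DNs turned into group names with
# an RFC 4514-aware DN parser and a container check.
import re
from typing import List, Optional, Tuple

Rdn = List[Tuple[str, str]]   # one RDN may hold several attr=value pairs joined by '+'
_HEX = set('0123456789abcdefABCDEF')


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split on sep, ignoring separators preceded by a backslash."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):
            cur.append(s[i:i + 2])
            i += 2
        elif s[i] == sep:
            parts.append(''.join(cur))
            cur = []
            i += 1
        else:
            cur.append(s[i])
            i += 1
    parts.append(''.join(cur))
    return parts


def _unescape(value: str) -> str:
    """Undo RFC 4514 escaping: '\\XX' hex pairs are UTF-8 bytes, '\\c' is c."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == '\\' and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and set(pair) <= _HEX:
                out.append(int(pair, 16))
                i += 3
            else:
                out += value[i + 1].encode('utf-8')
                i += 2
        else:
            out += value[i].encode('utf-8')
            i += 1
    return out.decode('utf-8')


def parse_dn(dn: str) -> List[Rdn]:
    """'cn=a,cn=b' -> [[('cn', 'a')], [('cn', 'b')]], attribute types lower-cased."""
    rdns: List[Rdn] = []
    for rdn in _split_unescaped(dn, ','):
        avas: Rdn = []
        for ava in _split_unescaped(rdn, '+'):
            attr, eq, value = ava.partition('=')
            if not eq or not attr.strip():
                raise ValueError('malformed RDN: %r' % ava)
            # Unescaped surrounding spaces are insignificant; an escaped trailing space is kept.
            value = re.sub(r'(?<!\\) +$', '', value.lstrip(' '))
            avas.append((attr.strip().lower(), _unescape(value)))
        rdns.append(avas)
    return rdns


def _normalised(rdns: List[Rdn]) -> List[Rdn]:
    # cn/dc values are case-insensitive in the directory; compare containers that way.
    return [[(a, v.lower()) for a, v in rdn] for rdn in rdns]


def dn_to_primary_key(dn: str, container: str) -> Optional[str]:
    """Leading RDN value if dn is a direct child of container, else None."""
    rdns = parse_dn(dn)
    parent = parse_dn(container)
    if len(rdns) != len(parent) + 1 or _normalised(rdns[1:]) != _normalised(parent):
        return None
    if len(rdns[0]) != 1:      # multi-valued RDN: do not guess which value is the key
        return None
    return rdns[0][0][1]


GROUPS_CONTAINER = 'cn=groups,cn=accounts,dc=pzuna'   # assumed from the --raw output above


def memberof_to_groups(memberof: List[str], container: str = GROUPS_CONTAINER) -> List[str]:
    """Map memberof DNs to group names; anything outside the group container is skipped."""
    names = []
    for dn in memberof:
        key = dn_to_primary_key(dn, container)
        if key is not None:
            names.append(key)
    return names
```

memberof_to_groups(['cn=admins,cn=groups,cn=accounts,dc=pzuna']) gives ['admins'], the value the formatted output shows; a DN such as uid=admin,cn=users,cn=accounts,dc=pzuna is dropped rather than rendered as a group, and cn=Smith\, John,... comes back as 'Smith, John' instead of 'Smith\'. Skipping instead of raising keeps the display path tolerant of memberof values from containers the command does not know about, which is what a plugin-level translation has to cope with.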
Re: [Freeipa-devel] [PATCH] 266 remove deprecated comment
Rob Crittenden wrote:
> Remove comment about plugin naming conventions. We've dumped this
> convention.
>
> rob

ack

Pavel
Re: [Freeipa-devel] [PATCH] 267 fix virtual plugin
Rob Crittenden wrote:
> Fix the virtual access plugin to work with the new backend. Also do a more
> explicit objectviolation catch. We will switch this to use GER when that
> is completed.
>
> rob

ack

Pavel
Re: [Freeipa-devel] [PATCH] 268 explicitly set verbose to false in RPC client
Rob Crittenden wrote:
> I've needed to set verbose to True in the rpc client and every time I have
> to do this I hunt around trying to figure out where to put it. This will
> make it easier to find next time :-)
>
> rob

ack

Pavel
[Freeipa-devel] [PATCH] Fix bug in dns_find - execute() returned different value than expected.
dns_find.execute() wasn't returning the truncated (truncated search results)
flag. It threw an exception when invoked.

Pavel

Attachment: 0002-Fix-bug-in-dns_find-execute-returned-different-v.patch
[Freeipa-devel] [PATCH] Improve attribute printing in the CLI.
This patch makes printing of LDAP attributes more versatile. The caller can
now choose if attributes with more than one value should be printed on one
line (each value separated by ', ') or on several lines (each value on its
own line). In the latter case, the patch also introduces smart word wrapping.

Pavel

Attachment: 0003-Improve-attribute-printing-in-the-CLI.patch
[Freeipa-devel] [PATCHES] Improve ipalib.plugins.baseldap classes.
- remove obsolete code related to PluginProxy
- remove parent_key attribute, for the purpose of nested objects the
  parent's primary key is retrieved automatically
- added support for auto-generating UUIDs
- make use of the improved attribute printing in CLI
  !!! depends on previous patch !!!
- make LDAPDelete delete all sub-entries, not just one-level
- minor bug fixes

This patch is pretty important, it makes little functional difference to IPA
by itself, but it is going to be required by subsequent patches that make
plugins use the baseldap classes.

Pavel

Attachment: 0005-Improve-ipalib.plugins.baseldap-classes.patch