Re: [Freeipa-devel] [PATCH] 773-777 ranges: prohibit setting --rid-base with ipa-trust-ad-posix type
On 11/04/2014 01:05 PM, Petr Vobornik wrote: On 10/15/2014 02:20 PM, Petr Vobornik wrote: ticket: https://fedorahosted.org/freeipa/ticket/4221 updated version of patch 773 attached. Fixes issue in interactive_prompt_callback. Not related to this ticket: - should we show interactive prompt for domain name when user specifies --type=ipa-adtrust or ipa-adtrust-posix? Atm it will prompt for values related to local range. ACK for the whole patchset, works in my testing. Pushed to ipa-4-1: c2ac4a88775274e2cb8f199d104a1393a1d4a81e Pushed to master: 8248f696275e2e63dab860a25467e2868aa17036 Regarding the issue, yes, I agree, prompting for values for the local ranges should not happen. I think the most reasonable behaviour is as follows: - first value that intractive callback asks for should be type, if not specified or cannot be derived explicitly from used parameters (and after the range's name) - after that, the interactive prompt should ask for relevant attributes only. -- Tomas Babej Associate Software Engineer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 773-777 ranges: prohibit setting --rid-base with ipa-trust-ad-posix type
On 11.11.2014 12:13, Tomas Babej wrote: On 11/04/2014 01:05 PM, Petr Vobornik wrote: On 10/15/2014 02:20 PM, Petr Vobornik wrote: ticket: https://fedorahosted.org/freeipa/ticket/4221 updated version of patch 773 attached. Fixes issue in interactive_prompt_callback. Not related to this ticket: - should we show interactive prompt for domain name when user specifies --type=ipa-adtrust or ipa-adtrust-posix? Atm it will prompt for values related to local range. ACK for the whole patchset, works in my testing. Pushed to ipa-4-1: c2ac4a88775274e2cb8f199d104a1393a1d4a81e Pushed to master: 8248f696275e2e63dab860a25467e2868aa17036 Regarding the issue, yes, I agree, prompting for values for the local ranges should not happen. I think the most reasonable behaviour is as follows: - first value that intractive callback asks for should be type, if not specified or cannot be derived explicitly from used parameters (and after the range's name) - after that, the interactive prompt should ask for relevant attributes only. +1 https://fedorahosted.org/freeipa/ticket/4714 -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 773-777 ranges: prohibit setting --rid-base with ipa-trust-ad-posix type
On 10/15/2014 02:20 PM, Petr Vobornik wrote:
ticket: https://fedorahosted.org/freeipa/ticket/4221
updated version of patch 773 attached. Fixes issue in
interactive_prompt_callback.
Not related to this ticket:
- should we show interactive prompt for domain name when user specifies
--type=ipa-adtrust or ipa-adtrust-posix? Atm it will prompt for values
related to local range.
--
Petr Vobornik
From d4aab791db8349da45711d8c6dcba724b752a03b Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Mon, 13 Oct 2014 14:57:45 +0200
Subject: [PATCH] ranges: prohibit setting --rid-base with ipa-trust-ad-posix
type
We should not allow setting --rid-base for ranges of ipa-trust-ad-posix since we do not perform any RID - UID/GID mappings for these ranges (objects have UID/GID set in AD). Thus, setting RID base makes no sense.
Since ipaBaseRID is a MUST in ipaTrustedADDomainRange object class, value '0' is allowed and used internally for 'ipa-trust-ad-posix' range type.
No schema change is done.
https://fedorahosted.org/freeipa/ticket/4221
---
ipalib/plugins/idrange.py | 61 ---
1 file changed, 47 insertions(+), 14 deletions(-)
diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index 9e0481e94048c465f9a86112378a47390de0d494..6c3be6e69595127e346969e41703dc98e783282e 100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -248,6 +248,12 @@ class idrange(LDAPObject):
if not options.get('all', False) or options.get('pkey_only', False):
entry_attrs.pop('objectclass', None)
+def handle_ipabaserid(self, entry_attrs, options):
+if any((options.get('pkey_only', False), options.get('raw', False))):
+return
+if entry_attrs['iparangetype'][0] == u'ipa-ad-trust-posix':
+entry_attrs.pop('ipabaserid', None)
+
def check_ids_in_modified_range(self, old_base, old_size, new_base,
new_size):
if new_base is None and new_size is None:
@@ -414,6 +420,7 @@ class idrange_add(LDAPCreate):
rid_base = kw.get('ipabaserid', None)
secondary_rid_base = kw.get('ipasecondarybaserid', None)
+range_type = kw.get('iparangetype', None)
def set_from_prompt(param):
value = self.prompt_param(self.params[param])
@@ -424,7 +431,7 @@ class idrange_add(LDAPCreate):
# This is a trusted range
# Prompt for RID base if domain SID / name was given
-if rid_base is None:
+if rid_base is None and range_type != u'ipa-ad-trust-posix':
set_from_prompt('ipabaserid')
else:
@@ -486,23 +493,33 @@ class idrange_add(LDAPCreate):
if not is_set('iparangetype'):
entry_attrs['iparangetype'] = u'ipa-ad-trust'
-if entry_attrs['iparangetype'] not in (u'ipa-ad-trust',
- u'ipa-ad-trust-posix'):
+if entry_attrs['iparangetype'] == u'ipa-ad-trust':
+if not is_set('ipabaserid'):
+raise errors.ValidationError(
+name='ID Range setup',
+error=_('Options dom-sid/dom-name and rid-base must '
+'be used together')
+)
+elif entry_attrs['iparangetype'] == u'ipa-ad-trust-posix':
+if is_set('ipabaserid') and entry_attrs['ipabaserid'] != 0:
+raise errors.ValidationError(
+name='ID Range setup',
+error=_('Option rid-base must not be used when IPA '
+'range type is ipa-ad-trust-posix')
+)
+else:
+entry_attrs['ipabaserid'] = 0
+else:
raise errors.ValidationError(name='ID Range setup',
error=_('IPA Range type must be one of ipa-ad-trust '
'or ipa-ad-trust-posix when SID of the trusted '
-'domain is specified.'))
+'domain is specified'))
if is_set('ipasecondarybaserid'):
raise errors.ValidationError(name='ID Range setup',
error=_('Options dom-sid/dom-name and secondary-rid-base '
'cannot be used together'))
-if not is_set('ipabaserid'):
-raise errors.ValidationError(name='ID Range setup',
-error=_('Options dom-sid/dom-name and rid-base must '
-'be used together'))
-
# Validate SID as the one of trusted domains
self.obj.validate_trusted_domain_sid(
entry_attrs['ipanttrusteddomainsid'])
@@ -557,6 +574,7 @@ class idrange_add(LDAPCreate):
def post_callback(self, ldap, dn,
Re: [Freeipa-devel] [PATCH] 773-777 ranges: prohibit setting --rid-base with ipa-trust-ad-posix type
On 23.10.2014 10:39, Martin Kosek wrote:
On 10/22/2014 07:39 PM, Tomas Babej wrote:
Hi,
thank you for the patches, comments inline.
On 10/15/2014 02:20 PM, Petr Vobornik wrote:
ticket: https://fedorahosted.org/freeipa/ticket/4221
== [PATCH] 773 ranges: prohibit setting --rid-base with
ipa-trust-ad-posix type ==
We should not allow setting --rid-base for ranges of
ipa-trust-ad-posix since we do not perform any RID - UID/GID mappings
for these ranges (objects have UID/GID set in AD). Thus, setting RID
base makes no sense.
Since ipaBaseRID is a MUST in ipaTrustedADDomainRange object class,
value '0' is allowed and used internally for 'ipa-trust-ad-posix'
range type.
We probably don't want to display the first RID if it is 0 and the type
is ad-posix. This occurs in idrange-find:
[tbabej@vm-043 labtool]$ ipa idrange-find
2 ranges matched
Range name: DOM043.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
First Posix ID of the range: 51480
Number of IDs in the range: 20
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 1
Range type: local domain range
Range name: TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
First Posix ID of the range: 1
Number of IDs in the range: 20
First RID of the corresponding RID range: 0
Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726
Range type: Active Directory trust range with POSIX attributes
Number of entries returned 2
And also idrange-show:
[tbabej@vm-043 labtool]$ ipa idrange-show
TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
Range name: TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
First Posix ID of the range: 1
Number of IDs in the range: 20
First RID of the corresponding RID range: 0
Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726
Range type: Active Directory trust range with POSIX attributes
No schema change is done.
Fixed
snip
== [PATCH] 775 ldapupdater: set baserid to 0 for ipa-ad-trust-posix
ranges ==
Can you use the paged_search=True in find_entries instead of having a
infinite loop? It would make this code quite cleaner.
I also saw you did not update Makefile.am.
Because I did not add a new file.
updated patches attached (only 773-775 are changed)
--
Petr Vobornik
From 7be769b432984dbd54d14309dde465ce6ea24ab0 Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Wed, 3 Sep 2014 17:23:33 +0200
Subject: [PATCH 5/5] webui: prohibit setting rid base with ipa-trust-ad-posix
type
Base RID is no longer editable for ipa-trust-ad-posix range type
Adder dialog:
- Range type selector was moved up because it affects a field above it
Details page:
- Only fields relevant to range's type are visible
https://fedorahosted.org/freeipa/ticket/4221
---
install/ui/src/freeipa/idrange.js | 77 ++-
1 file changed, 60 insertions(+), 17 deletions(-)
diff --git a/install/ui/src/freeipa/idrange.js b/install/ui/src/freeipa/idrange.js
index 12c0b288b766c059db6b844f445fb88b5821a1db..4e5dbfa00dcf80495d8a96f7fc961b9c6676691f 100644
--- a/install/ui/src/freeipa/idrange.js
+++ b/install/ui/src/freeipa/idrange.js
@@ -54,6 +54,11 @@ return {
'cn',
'iparangetype',
{
+name: 'iparangetyperaw',
+read_only: true,
+visible: false
+},
+{
name: 'ipabaseid',
label: '@i18n:objects.idrange.ipabaseid',
title: '@mo-param:idrange:ipabaseid:label'
@@ -80,6 +85,9 @@ return {
}
]
}
+],
+policies: [
+exp.idrange_policy
]
}
],
@@ -89,21 +97,6 @@ return {
name: 'cn'
},
{
-name: 'ipabaseid',
-label: '@i18n:objects.idrange.ipabaseid',
-title: '@mo-param:idrange:ipabaseid:label'
-},
-{
-name: 'ipaidrangesize',
-label: '@i18n:objects.idrange.ipaidrangesize',
-title: '@mo-param:idrange:ipaidrangesize:label'
-},
-{
-name: 'ipabaserid',
-label: '@i18n:objects.idrange.ipabaserid',
-title: '@mo-param:idrange:ipabaserid:label'
-},
-{
name: 'iparangetype',
$type: 'radio',
label: '@i18n:objects.idrange.type',
@@ -125,6 +118,21 @@ return {
]
},
{
+name: 'ipabaseid',
+label:
Re: [Freeipa-devel] [PATCH] 773-777 ranges: prohibit setting --rid-base with ipa-trust-ad-posix type
On 10/22/2014 07:39 PM, Tomas Babej wrote: Hi, thank you for the patches, comments inline. On 10/15/2014 02:20 PM, Petr Vobornik wrote: ticket: https://fedorahosted.org/freeipa/ticket/4221 == [PATCH] 773 ranges: prohibit setting --rid-base with ipa-trust-ad-posix type == We should not allow setting --rid-base for ranges of ipa-trust-ad-posix since we do not perform any RID - UID/GID mappings for these ranges (objects have UID/GID set in AD). Thus, setting RID base makes no sense. Since ipaBaseRID is a MUST in ipaTrustedADDomainRange object class, value '0' is allowed and used internally for 'ipa-trust-ad-posix' range type. We probably don't want to display the first RID if it is 0 and the type is ad-posix. This occurs in idrange-find: [tbabej@vm-043 labtool]$ ipa idrange-find 2 ranges matched Range name: DOM043.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range First Posix ID of the range: 51480 Number of IDs in the range: 20 First RID of the corresponding RID range: 1000 First RID of the secondary RID range: 1 Range type: local domain range Range name: TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range First Posix ID of the range: 1 Number of IDs in the range: 20 First RID of the corresponding RID range: 0 Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726 Range type: Active Directory trust range with POSIX attributes Number of entries returned 2 And also idrange-show: [tbabej@vm-043 labtool]$ ipa idrange-show TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range Range name: TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range First Posix ID of the range: 1 Number of IDs in the range: 20 First RID of the corresponding RID range: 0 Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726 Range type: Active Directory trust range with POSIX attributes No schema change is done. == [PATCH] 774 unittests: baserid for ipa-ad-trust-posix idranges == Looks good. == [PATCH] 775 ldapupdater: set baserid to 0 for ipa-ad-trust-posix ranges == Can you use the paged_search=True in find_entries instead of having a infinite loop? It would make this code quite cleaner. I also saw you did not update Makefile.am. New updater plugin which sets baserid to 0 for ranges with type ipa-ad-trust-posix https://fedorahosted.org/freeipa/ticket/4221 == [PATCH] 776 idrange: include raw range type in output == iparangetype output is a localized human-readable value which is not suitable for machine-based API consumers Solved by new iparangetyperaw output attribute which contains iparangetype's raw value Note: I don't like this approach. It would be better to return just the raw value a do the transformation in clients. But we do have a precedent: http://www.redhat.com/archives/freeipa-devel/2012-January/msg00190.html I am not happy about it either.. I guess we could create a capability for this, but it would probably be a overkill. == [PATCH] 777 webui: prohibit setting rid base with ipa-trust-ad-posix type == Base RID is no longer editable for ipa-trust-ad-posix range type Adder dialog: - Range type selector was moved up because it affects a field above it Details page: - Only fields relevant to range's type are visible Looks fine. On a related note, I added a new ticket https://fedorahosted.org/freeipa/ticket/4661 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 773-777 ranges: prohibit setting --rid-base with ipa-trust-ad-posix type
Hi, thank you for the patches, comments inline. On 10/15/2014 02:20 PM, Petr Vobornik wrote: ticket: https://fedorahosted.org/freeipa/ticket/4221 == [PATCH] 773 ranges: prohibit setting --rid-base with ipa-trust-ad-posix type == We should not allow setting --rid-base for ranges of ipa-trust-ad-posix since we do not perform any RID - UID/GID mappings for these ranges (objects have UID/GID set in AD). Thus, setting RID base makes no sense. Since ipaBaseRID is a MUST in ipaTrustedADDomainRange object class, value '0' is allowed and used internally for 'ipa-trust-ad-posix' range type. We probably don't want to display the first RID if it is 0 and the type is ad-posix. This occurs in idrange-find: [tbabej@vm-043 labtool]$ ipa idrange-find 2 ranges matched Range name: DOM043.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range First Posix ID of the range: 51480 Number of IDs in the range: 20 First RID of the corresponding RID range: 1000 First RID of the secondary RID range: 1 Range type: local domain range Range name: TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range First Posix ID of the range: 1 Number of IDs in the range: 20 First RID of the corresponding RID range: 0 Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726 Range type: Active Directory trust range with POSIX attributes Number of entries returned 2 And also idrange-show: [tbabej@vm-043 labtool]$ ipa idrange-show TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range Range name: TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range First Posix ID of the range: 1 Number of IDs in the range: 20 First RID of the corresponding RID range: 0 Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726 Range type: Active Directory trust range with POSIX attributes No schema change is done. == [PATCH] 774 unittests: baserid for ipa-ad-trust-posix idranges == Looks good. == [PATCH] 775 ldapupdater: set baserid to 0 for ipa-ad-trust-posix ranges == Can you use the paged_search=True in find_entries instead of having a infinite loop? It would make this code quite cleaner. New updater plugin which sets baserid to 0 for ranges with type ipa-ad-trust-posix https://fedorahosted.org/freeipa/ticket/4221 == [PATCH] 776 idrange: include raw range type in output == iparangetype output is a localized human-readable value which is not suitable for machine-based API consumers Solved by new iparangetyperaw output attribute which contains iparangetype's raw value Note: I don't like this approach. It would be better to return just the raw value a do the transformation in clients. But we do have a precedent: http://www.redhat.com/archives/freeipa-devel/2012-January/msg00190.html I am not happy about it either.. I guess we could create a capability for this, but it would probably be a overkill. == [PATCH] 777 webui: prohibit setting rid base with ipa-trust-ad-posix type == Base RID is no longer editable for ipa-trust-ad-posix range type Adder dialog: - Range type selector was moved up because it affects a field above it Details page: - Only fields relevant to range's type are visible Looks fine. On a related note, I added a new ticket https://fedorahosted.org/freeipa/ticket/4661 -- Tomas Babej Associate Software Engineer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 773-777 ranges: prohibit setting --rid-base with ipa-trust-ad-posix type
ticket: https://fedorahosted.org/freeipa/ticket/4221
== [PATCH] 773 ranges: prohibit setting --rid-base with
ipa-trust-ad-posix type ==
We should not allow setting --rid-base for ranges of ipa-trust-ad-posix
since we do not perform any RID - UID/GID mappings for these ranges
(objects have UID/GID set in AD). Thus, setting RID base makes no sense.
Since ipaBaseRID is a MUST in ipaTrustedADDomainRange object class,
value '0' is allowed and used internally for 'ipa-trust-ad-posix' range
type.
No schema change is done.
== [PATCH] 774 unittests: baserid for ipa-ad-trust-posix idranges ==
== [PATCH] 775 ldapupdater: set baserid to 0 for ipa-ad-trust-posix
ranges ==
New updater plugin which sets baserid to 0 for ranges with type
ipa-ad-trust-posix
https://fedorahosted.org/freeipa/ticket/4221
== [PATCH] 776 idrange: include raw range type in output ==
iparangetype output is a localized human-readable value which is not
suitable for machine-based API consumers
Solved by new iparangetyperaw output attribute which contains
iparangetype's raw value
Note: I don't like this approach. It would be better to return just the
raw value a do the transformation in clients. But we do have a
precedent:
http://www.redhat.com/archives/freeipa-devel/2012-January/msg00190.html
== [PATCH] 777 webui: prohibit setting rid base with ipa-trust-ad-posix
type ==
Base RID is no longer editable for ipa-trust-ad-posix range type
Adder dialog:
- Range type selector was moved up because it affects a field above it
Details page:
- Only fields relevant to range's type are visible
https://fedorahosted.org/freeipa/ticket/4221
--
Petr Vobornik
From 1bda87528855aaf4ad9b18a31479c8b2a353bd92 Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Wed, 3 Sep 2014 17:23:33 +0200
Subject: [PATCH] webui: prohibit setting rid base with ipa-trust-ad-posix type
Base RID is no longer editable for ipa-trust-ad-posix range type
Adder dialog:
- Range type selector was moved up because it affects a field above it
Details page:
- Only fields relevant to range's type are visible
https://fedorahosted.org/freeipa/ticket/4221
---
install/ui/src/freeipa/idrange.js | 77 ++-
1 file changed, 60 insertions(+), 17 deletions(-)
diff --git a/install/ui/src/freeipa/idrange.js b/install/ui/src/freeipa/idrange.js
index 12c0b288b766c059db6b844f445fb88b5821a1db..4e5dbfa00dcf80495d8a96f7fc961b9c6676691f 100644
--- a/install/ui/src/freeipa/idrange.js
+++ b/install/ui/src/freeipa/idrange.js
@@ -54,6 +54,11 @@ return {
'cn',
'iparangetype',
{
+name: 'iparangetyperaw',
+read_only: true,
+visible: false
+},
+{
name: 'ipabaseid',
label: '@i18n:objects.idrange.ipabaseid',
title: '@mo-param:idrange:ipabaseid:label'
@@ -80,6 +85,9 @@ return {
}
]
}
+],
+policies: [
+exp.idrange_policy
]
}
],
@@ -89,21 +97,6 @@ return {
name: 'cn'
},
{
-name: 'ipabaseid',
-label: '@i18n:objects.idrange.ipabaseid',
-title: '@mo-param:idrange:ipabaseid:label'
-},
-{
-name: 'ipaidrangesize',
-label: '@i18n:objects.idrange.ipaidrangesize',
-title: '@mo-param:idrange:ipaidrangesize:label'
-},
-{
-name: 'ipabaserid',
-label: '@i18n:objects.idrange.ipabaserid',
-title: '@mo-param:idrange:ipabaserid:label'
-},
-{
name: 'iparangetype',
$type: 'radio',
label: '@i18n:objects.idrange.type',
@@ -125,6 +118,21 @@ return {
]
},
{
+name: 'ipabaseid',
+label: '@i18n:objects.idrange.ipabaseid',
+title: '@mo-param:idrange:ipabaseid:label'
+},
+{
+name: 'ipaidrangesize',
+label: '@i18n:objects.idrange.ipaidrangesize',
+title: '@mo-param:idrange:ipaidrangesize:label'
+},
+{
+name: 'ipabaserid',
+label: '@i18n:objects.idrange.ipabaserid',
+title: '@mo-param:idrange:ipabaserid:label'
+},
+{
name: 'ipasecondarybaserid',
label: '@i18n:objects.idrange.ipasecondarybaserid',
title: '@mo-param:idrange:ipasecondarybaserid:label'
@@ -147,7 +155,9 @@ IPA.idrange_adder_policy = function(spec) {
The logic for
