Re: [Freeipa-devel] [PATCH 0064] Do not check userPassword with 7-bit plugin

2013-06-06 Thread Martin Kosek
On 06/03/2013 03:07 PM, Tomas Babej wrote:
> On 06/03/2013 01:10 PM, Tomas Babej wrote:
>> Hi,
>>
>> Default list of attributes that are checked with 7-bit plugin
>> for being 7-bit clean includes userPassword. Consecutively, one
>> is unable to set passwords that contain non-ascii characters.
>>
>> https://fedorahosted.org/freeipa/ticket/3640
>>
>> Tomas
> 
> Proper explanation and missing newline added.
> 
> Updated patch attached.
> 
> Tomas
> 

Works for me. ACK, pushed to master, ipa-3-2.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH 0064] Do not check userPassword with 7-bit plugin

2013-06-03 Thread Tomas Babej

On 06/03/2013 01:10 PM, Tomas Babej wrote:

Hi,

Default list of attributes that are checked with 7-bit plugin
for being 7-bit clean includes userPassword. Consecutively, one
is unable to set passwords that contain non-ascii characters.

https://fedorahosted.org/freeipa/ticket/3640

Tomas


Proper explanation and missing newline added.

Updated patch attached.

Tomas
From 11ae96664836427010d62c89e83a89480f02cca3 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Mon, 3 Jun 2013 09:56:08 +0200
Subject: [PATCH] Do not check userPassword with 7-bit plugin

Default list of attributes that are checked with 7-bit plugin
for being 7-bit clean includes userPassword. Consecutively, one
is unable to set passwords that contain non-ascii characters.

https://fedorahosted.org/freeipa/ticket/3640
---
 install/updates/50-7_bit_check.update | 6 ++
 install/updates/Makefile.am   | 1 +
 2 files changed, 7 insertions(+)
 create mode 100644 install/updates/50-7_bit_check.update

diff --git a/install/updates/50-7_bit_check.update b/install/updates/50-7_bit_check.update
new file mode 100644
index ..b9ea8a97d570e37b6337284358d40c05e32196b6
--- /dev/null
+++ b/install/updates/50-7_bit_check.update
@@ -0,0 +1,6 @@
+# Remove userPassword from the list of attributes checked by 7-bit plugin
+# Replace argument value 'userPassword' with 'mail' to avoid the need to
+# shift the whole argument array. Attribute 'mail' is already listed
+# in pluginarg1, so it is conveniently used as valid value placeholder.
+dn: cn=7-bit check,cn=plugins,cn=config
+replace:nsslapd-pluginarg2:userpassword::mail
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 787a51cfcc574b8d4e0a11b749c1c8aee76e7977..5336f62ed97aba125ca8f1ae7c3e3505bb7ff3ea 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -35,6 +35,7 @@ app_DATA =\
 	40-automember.update		\
 	40-otp.update			\
 	45-roles.update			\
+	50-7_bit_check.update	\
 	50-lockout-policy.update	\
 	50-groupuuid.update		\
 	50-hbacservice.update		\
-- 
1.8.1.4

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0064] Do not check userPassword with 7-bit plugin

2013-06-03 Thread Jan Cholasta

On 3.6.2013 14:55, Martin Kosek wrote:

On 06/03/2013 01:32 PM, Jan Cholasta wrote:

Hi,

On 3.6.2013 13:10, Tomas Babej wrote:

Hi,

Default list of attributes that are checked with 7-bit plugin
for being 7-bit clean includes userPassword. Consecutively, one
is unable to set passwords that contain non-ascii characters.

https://fedorahosted.org/freeipa/ticket/3640

Tomas



what is the idea behind this:

+replace:nsslapd-pluginarg2:userpassword::mail

why not use remove instead of replace?


Because of https://fedorahosted.org/389/ticket/47370, I found - DS would crash.

In this update, I would like to operate only with this one attribute to avoid
shifting the whole nsslapd-pluginargX array if we chose to remove
nsslapd-pluginarg2.

I thought that the safest approach would be to simply replace
nsslapd-pluginarg2 with an already checked value, thus creating a safe NOOP.
But I am open to other values leading to not checking userPassword attribute +
changing nsslapd-pluginarg2 only.

Martin



I see. Anyway, I think there should be a comment in the update file 
explaining why replace is necessary.


--
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH 0064] Do not check userPassword with 7-bit plugin

2013-06-03 Thread Martin Kosek
On 06/03/2013 01:32 PM, Jan Cholasta wrote:
> Hi,
> 
> On 3.6.2013 13:10, Tomas Babej wrote:
>> Hi,
>>
>> Default list of attributes that are checked with 7-bit plugin
>> for being 7-bit clean includes userPassword. Consecutively, one
>> is unable to set passwords that contain non-ascii characters.
>>
>> https://fedorahosted.org/freeipa/ticket/3640
>>
>> Tomas
>>
> 
> what is the idea behind this:
> 
> +replace:nsslapd-pluginarg2:userpassword::mail
> 
> why not use remove instead of replace?

Because of https://fedorahosted.org/389/ticket/47370, I found - DS would crash.

In this update, I would like to operate only with this one attribute to avoid
shifting the whole nsslapd-pluginargX array if we chose to remove
nsslapd-pluginarg2.

I thought that the safest approach would be to simply replace
nsslapd-pluginarg2 with an already checked value, thus creating a safe NOOP.
But I am open to other values leading to not checking userPassword attribute +
changing nsslapd-pluginarg2 only.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH 0064] Do not check userPassword with 7-bit plugin

2013-06-03 Thread Jan Cholasta

Hi,

On 3.6.2013 13:10, Tomas Babej wrote:

Hi,

Default list of attributes that are checked with 7-bit plugin
for being 7-bit clean includes userPassword. Consecutively, one
is unable to set passwords that contain non-ascii characters.

https://fedorahosted.org/freeipa/ticket/3640

Tomas



what is the idea behind this:

+replace:nsslapd-pluginarg2:userpassword::mail

why not use remove instead of replace?

Also please add the missing newline at the end of the update file.

Honza

--
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


[Freeipa-devel] [PATCH 0064] Do not check userPassword with 7-bit plugin

2013-06-03 Thread Tomas Babej

Hi,

Default list of attributes that are checked with 7-bit plugin
for being 7-bit clean includes userPassword. Consecutively, one
is unable to set passwords that contain non-ascii characters.

https://fedorahosted.org/freeipa/ticket/3640

Tomas
From 0ad7f3ee2c20f668bc64a2856ce444d31df65c3f Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Mon, 3 Jun 2013 09:56:08 +0200
Subject: [PATCH] Do not check userPassword with 7-bit plugin

Default list of attributes that are checked with 7-bit plugin
for being 7-bit clean includes userPassword. Consecutively, one
is unable to set passwords that contain non-ascii characters.

https://fedorahosted.org/freeipa/ticket/3640
---
 install/updates/50-7_bit_check.update | 3 +++
 install/updates/Makefile.am   | 1 +
 2 files changed, 4 insertions(+)
 create mode 100644 install/updates/50-7_bit_check.update

diff --git a/install/updates/50-7_bit_check.update b/install/updates/50-7_bit_check.update
new file mode 100644
index ..cef3159b6ac2586bbac42112d3e86b073b8faa3d
--- /dev/null
+++ b/install/updates/50-7_bit_check.update
@@ -0,0 +1,3 @@
+# Remove userPassword from the list of attributes checked by 7-bit plugin
+dn: cn=7-bit check,cn=plugins,cn=config
+replace:nsslapd-pluginarg2:userpassword::mail
\ No newline at end of file
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 787a51cfcc574b8d4e0a11b749c1c8aee76e7977..5336f62ed97aba125ca8f1ae7c3e3505bb7ff3ea 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -35,6 +35,7 @@ app_DATA =\
 	40-automember.update		\
 	40-otp.update			\
 	45-roles.update			\
+	50-7_bit_check.update	\
 	50-lockout-policy.update	\
 	50-groupuuid.update		\
 	50-hbacservice.update		\
-- 
1.8.1.4

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel