Re: [Freeipa-devel] [PATCH 0118] Allow to disable service (in LDAP)
On 09/25/2014 05:14 PM, Jan Cholasta wrote: Dne 25.9.2014 v 16:15 Martin Basti napsal(a): On 22/09/14 19:30, Martin Basti wrote: On 19/09/14 14:47, Jan Cholasta wrote: Dne 19.9.2014 v 13:33 Martin Basti napsal(a): On 02/09/14 11:59, Martin Basti wrote: On 02/09/14 09:10, Jan Cholasta wrote: Hi, Dne 1.9.2014 v 16:57 Martin Basti napsal(a): This patch allows to disable service in LDAP to prevents service to be started by ipactl restart Required by DNSSEC Patch attached I don't think the extra argument in ldap_enable is necessary. It should enable the service no matter if the entry existed before or not. Similarly, in ldap_disable you should not raise an error when the entry is not found, because that already makes the service disabled. Honza Updated patch attached ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Please review, this should be in 4.1 -- Martin Basti 1) ipaConfigString is case-insensitive, so you need to look for the string enabledService in a case-insensitive way. 2) Don't say failed to enable ... when the service is already enabled. It is not a failure. Same for disabled. 3) Missing ipaConfigString is nothing to warn about. 4) You should log success in both ldap_enable/ldap_disable. 5) The except below update_entry should say except errors.EmptyModlist. Thank you, updated patch attached Updated patch attached. I modified ldap_disable to use search function. ACK. Pushed to: master: 66ce71f17a689bcad03022e3df6bbdf0fada2ab8 ipa-4-1: df9086c938963fdf59309cd8af69f4f5d8a7a34e Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0118] Allow to disable service (in LDAP)
On 22/09/14 19:30, Martin Basti wrote:
On 19/09/14 14:47, Jan Cholasta wrote:
Dne 19.9.2014 v 13:33 Martin Basti napsal(a):
On 02/09/14 11:59, Martin Basti wrote:
On 02/09/14 09:10, Jan Cholasta wrote:
Hi,
Dne 1.9.2014 v 16:57 Martin Basti napsal(a):
This patch allows to disable service in LDAP to prevents service
to be
started by ipactl restart
Required by DNSSEC
Patch attached
I don't think the extra argument in ldap_enable is necessary. It
should enable the service no matter if the entry existed before or
not.
Similarly, in ldap_disable you should not raise an error when the
entry is not found, because that already makes the service disabled.
Honza
Updated patch attached
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Please review, this should be in 4.1
--
Martin Basti
1) ipaConfigString is case-insensitive, so you need to look for the
string enabledService in a case-insensitive way.
2) Don't say failed to enable ... when the service is already
enabled. It is not a failure. Same for disabled.
3) Missing ipaConfigString is nothing to warn about.
4) You should log success in both ldap_enable/ldap_disable.
5) The except below update_entry should say except
errors.EmptyModlist.
Thank you,
updated patch attached
Updated patch attached. I modified ldap_disable to use search function.
--
Martin Basti
From 045137a10a7b003f92132c96fa8b341eeaf2d95c Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Thu, 28 Aug 2014 19:27:44 +0200
Subject: [PATCH] LDAP disable service
This patch allows to disable service in LDAP (ipactl will not start it)
---
ipaserver/install/service.py | 67 +++-
1 file changed, 66 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 8fb802099d7e58a10fd8fb17ff5dc7511eb98c7f..d095fe041bec8098937bf5b99b301a41842ce53e 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -392,6 +392,32 @@ class Service(object):
self.ldap_connect()
entry_name = DN(('cn', name), ('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), ldap_suffix)
+
+# enable disabled service
+try:
+entry = self.admin_conn.get_entry(entry_name, ['ipaConfigString'])
+except errors.NotFound:
+pass
+else:
+if any(u'enabledservice' == val.lower()
+ for val in entry.get('ipaConfigString', [])):
+root_logger.debug(service %s startup entry already enabled, name)
+return
+
+entry.setdefault('ipaConfigString', []).append(u'enabledService')
+
+try:
+self.admin_conn.update_entry(entry)
+except errors.EmptyModlist:
+root_logger.debug(service %s startup entry already enabled, name)
+return
+except:
+root_logger.debug(failed to enable service %s startup entry, name)
+raise
+
+root_logger.debug(service %s startup entry enabled, name)
+return
+
order = SERVICE_LIST[name][1]
entry = self.admin_conn.make_entry(
entry_name,
@@ -404,9 +430,48 @@ class Service(object):
try:
self.admin_conn.add_entry(entry)
except (errors.DuplicateEntry), e:
-root_logger.debug(failed to add %s Service startup entry % name)
+root_logger.debug(failed to add service %s startup entry, name)
raise e
+def ldap_disable(self, name, fqdn, ldap_suffix):
+assert isinstance(ldap_suffix, DN)
+if not self.admin_conn:
+self.ldap_connect()
+
+entry_dn = DN(('cn', name), ('cn', fqdn), ('cn', 'masters'),
+('cn', 'ipa'), ('cn', 'etc'), ldap_suffix)
+search_kw = {'ipaConfigString': u'enabledService'}
+filter = self.admin_conn.make_filter(search_kw)
+try:
+entries, truncated = self.admin_conn.find_entries(
+filter=filter,
+attrs_list=['ipaConfigString'],
+base_dn=entry_dn,
+scope=self.admin_conn.SCOPE_BASE)
+except errors.NotFound:
+root_logger.debug(service %s startup entry already disabled, name)
+return
+
+assert len(entries) == 1 # only one entry is expected
+entry = entries[0]
+
+# case insensitive
+for value in entry.get('ipaConfigString', []):
+if value.lower() == u'enabledservice':
+entry['ipaConfigString'].remove(value)
+break
+
+try:
+self.admin_conn.update_entry(entry)
+except errors.EmptyModlist:
+pass
+except:
+root_logger.debug(failed to disable service %s startup
Re: [Freeipa-devel] [PATCH 0118] Allow to disable service (in LDAP)
Dne 25.9.2014 v 16:15 Martin Basti napsal(a): On 22/09/14 19:30, Martin Basti wrote: On 19/09/14 14:47, Jan Cholasta wrote: Dne 19.9.2014 v 13:33 Martin Basti napsal(a): On 02/09/14 11:59, Martin Basti wrote: On 02/09/14 09:10, Jan Cholasta wrote: Hi, Dne 1.9.2014 v 16:57 Martin Basti napsal(a): This patch allows to disable service in LDAP to prevents service to be started by ipactl restart Required by DNSSEC Patch attached I don't think the extra argument in ldap_enable is necessary. It should enable the service no matter if the entry existed before or not. Similarly, in ldap_disable you should not raise an error when the entry is not found, because that already makes the service disabled. Honza Updated patch attached ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Please review, this should be in 4.1 -- Martin Basti 1) ipaConfigString is case-insensitive, so you need to look for the string enabledService in a case-insensitive way. 2) Don't say failed to enable ... when the service is already enabled. It is not a failure. Same for disabled. 3) Missing ipaConfigString is nothing to warn about. 4) You should log success in both ldap_enable/ldap_disable. 5) The except below update_entry should say except errors.EmptyModlist. Thank you, updated patch attached Updated patch attached. I modified ldap_disable to use search function. ACK. -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0118] Allow to disable service (in LDAP)
On 19/09/14 14:47, Jan Cholasta wrote:
Dne 19.9.2014 v 13:33 Martin Basti napsal(a):
On 02/09/14 11:59, Martin Basti wrote:
On 02/09/14 09:10, Jan Cholasta wrote:
Hi,
Dne 1.9.2014 v 16:57 Martin Basti napsal(a):
This patch allows to disable service in LDAP to prevents service
to be
started by ipactl restart
Required by DNSSEC
Patch attached
I don't think the extra argument in ldap_enable is necessary. It
should enable the service no matter if the entry existed before or
not.
Similarly, in ldap_disable you should not raise an error when the
entry is not found, because that already makes the service disabled.
Honza
Updated patch attached
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Please review, this should be in 4.1
--
Martin Basti
1) ipaConfigString is case-insensitive, so you need to look for the
string enabledService in a case-insensitive way.
2) Don't say failed to enable ... when the service is already
enabled. It is not a failure. Same for disabled.
3) Missing ipaConfigString is nothing to warn about.
4) You should log success in both ldap_enable/ldap_disable.
5) The except below update_entry should say except errors.EmptyModlist.
Thank you,
updated patch attached
--
Martin Basti
From 89d54ab02a3a8db846cce8bbea96925dacbe3156 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Thu, 28 Aug 2014 19:27:44 +0200
Subject: [PATCH] LDAP disable service
This patch allows to disable service in LDAP (ipactl will not start it)
---
ipaserver/install/service.py | 55 +++-
1 file changed, 54 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 7f812a99c557ae567cd1d8a0db30eba434c507f9..b2b343c6b0a1f23ec7b369384ab4c15d29b73053 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -374,6 +374,30 @@ class Service(object):
self.ldap_connect()
entry_name = DN(('cn', name), ('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), ldap_suffix)
+
+# enable disabled service
+try:
+entry = self.admin_conn.get_entry(entry_name, ['ipaConfigString'])
+except errors.NotFound:
+pass
+else:
+if any(u'enabledservice' == x.lower() for x in entry.get('ipaConfigString', [])):
+root_logger.debug(service %s startup entry already enabled, name)
+return
+
+if 'ipaConfigString' in entry and entry['ipaConfigString'] is not None:
+entry['ipaConfigString'].append(u'enabledService')
+else:
+entry['ipaConfigString'] = [u'enabledService']
+
+try:
+self.admin_conn.update_entry(entry)
+except errors.EmptyModlist:
+root_logger.debug(service %s startup entry already enabled, name)
+
+root_logger.debug(service %s startup entry enabled, name)
+return
+
order = SERVICE_LIST[name][1]
entry = self.admin_conn.make_entry(
entry_name,
@@ -386,9 +410,38 @@ class Service(object):
try:
self.admin_conn.add_entry(entry)
except (errors.DuplicateEntry), e:
-root_logger.debug(failed to add %s Service startup entry % name)
+root_logger.debug(failed to add service %s startup entry, name)
raise e
+def ldap_disable(self, name, fqdn, ldap_suffix):
+assert isinstance(ldap_suffix, DN)
+if not self.admin_conn:
+self.ldap_connect()
+
+entry_name = DN(('cn', name), ('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), ldap_suffix)
+try:
+entry = self.admin_conn.get_entry(entry_name, ['ipaConfigString'])
+except errors.NotFound:
+root_logger.debug(service %s startup entry already disabled (entry not found), name)
+return
+
+if not any(u'enabledservice' == x.lower() for x in entry.get('ipaConfigString', [])):
+root_logger.debug(service %s startup entry already disabled, name)
+return
+
+entry['ipaConfigString'].remove(u'enabledService')
+
+try:
+self.admin_conn.update_entry(entry)
+except errors.EmptyModlist:
+pass
+except:
+root_logger.debug(failed to disable service %s startup entry, name)
+raise
+
+root_logger.debug(service %s startup entry disabled, name)
+
+
class SimpleServiceInstance(Service):
def create_instance(self, gensvc_name=None, fqdn=None, dm_password=None, ldap_suffix=None, realm=None):
self.gensvc_name = gensvc_name
--
1.8.3.1
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0118] Allow to disable service (in LDAP)
On 02/09/14 11:59, Martin Basti wrote: On 02/09/14 09:10, Jan Cholasta wrote: Hi, Dne 1.9.2014 v 16:57 Martin Basti napsal(a): This patch allows to disable service in LDAP to prevents service to be started by ipactl restart Required by DNSSEC Patch attached I don't think the extra argument in ldap_enable is necessary. It should enable the service no matter if the entry existed before or not. Similarly, in ldap_disable you should not raise an error when the entry is not found, because that already makes the service disabled. Honza Updated patch attached ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Please review, this should be in 4.1 -- Martin Basti ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0118] Allow to disable service (in LDAP)
Dne 19.9.2014 v 13:33 Martin Basti napsal(a): On 02/09/14 11:59, Martin Basti wrote: On 02/09/14 09:10, Jan Cholasta wrote: Hi, Dne 1.9.2014 v 16:57 Martin Basti napsal(a): This patch allows to disable service in LDAP to prevents service to be started by ipactl restart Required by DNSSEC Patch attached I don't think the extra argument in ldap_enable is necessary. It should enable the service no matter if the entry existed before or not. Similarly, in ldap_disable you should not raise an error when the entry is not found, because that already makes the service disabled. Honza Updated patch attached ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Please review, this should be in 4.1 -- Martin Basti 1) ipaConfigString is case-insensitive, so you need to look for the string enabledService in a case-insensitive way. 2) Don't say failed to enable ... when the service is already enabled. It is not a failure. Same for disabled. 3) Missing ipaConfigString is nothing to warn about. 4) You should log success in both ldap_enable/ldap_disable. 5) The except below update_entry should say except errors.EmptyModlist. -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0118] Allow to disable service (in LDAP)
Hi, Dne 1.9.2014 v 16:57 Martin Basti napsal(a): This patch allows to disable service in LDAP to prevents service to be started by ipactl restart Required by DNSSEC Patch attached I don't think the extra argument in ldap_enable is necessary. It should enable the service no matter if the entry existed before or not. Similarly, in ldap_disable you should not raise an error when the entry is not found, because that already makes the service disabled. Honza -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0118] Allow to disable service (in LDAP)
On 02/09/14 09:10, Jan Cholasta wrote:
Hi,
Dne 1.9.2014 v 16:57 Martin Basti napsal(a):
This patch allows to disable service in LDAP to prevents service to be
started by ipactl restart
Required by DNSSEC
Patch attached
I don't think the extra argument in ldap_enable is necessary. It
should enable the service no matter if the entry existed before or not.
Similarly, in ldap_disable you should not raise an error when the
entry is not found, because that already makes the service disabled.
Honza
Updated patch attached
--
Martin Basti
From 43fb8d981cc02b60c76b0a7040d0232bdf2165bc Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Thu, 28 Aug 2014 19:27:44 +0200
Subject: [PATCH] LDAP disable service
This patch allows to disable service in LDAP (ipactl will not start it)
---
ipaserver/install/service.py | 49
1 file changed, 49 insertions(+)
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 1f01b275135173b7d0bfdb4d56729438a0853142..370f86fe308607162e9bd8b41144e3557ab0a7ab 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -375,6 +375,30 @@ class Service(object):
self.ldap_connect()
entry_name = DN(('cn', name), ('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), ldap_suffix)
+
+# enable disabled service
+try:
+entry = self.admin_conn.get_entry(entry_name, ['ipaConfigString'])
+except errors.NotFound:
+pass
+else:
+if 'enabledService' in entry.get('ipaConfigString', []):
+root_logger.debug(failed to enable %s Service startup entry (already enabled) % name)
+return
+
+if 'ipaConfigString' in entry and entry['ipaConfigString'] is not None:
+entry['ipaConfigString'].append('enabledService')
+else:
+entry['ipaConfigString'] = ['enabledService']
+root_logger.warning(%s Service startup entry has no 'ipaConfigString' attributes % name)
+
+try:
+self.admin_conn.update_entry(entry)
+except:
+root_logger.debug(failed to re-enable %s Service startup entry (already enabled) % name)
+
+return
+
order = SERVICE_LIST[name][1]
entry = self.admin_conn.make_entry(
entry_name,
@@ -390,6 +414,31 @@ class Service(object):
root_logger.debug(failed to add %s Service startup entry % name)
raise e
+def ldap_disable(self, name, fqdn, ldap_suffix):
+assert isinstance(ldap_suffix, DN)
+if not self.admin_conn:
+self.ldap_connect()
+
+entry_name = DN(('cn', name), ('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), ldap_suffix)
+try:
+entry = self.admin_conn.get_entry(entry_name, ['ipaConfigString'])
+except errors.NotFound:
+root_logger.debug(failed to disable %s Service startup entry (service not found) % name)
+return
+
+if 'enabledService' not in entry.get('ipaConfigString', []):
+root_logger.debug(failed to disable %s Service startup entry (Service already disabled) % name)
+return
+
+entry['ipaConfigString'].remove('enabledService')
+
+try:
+self.admin_conn.update_entry(entry)
+except:
+root_logger.debug(failed to disable %s Service startup entry % name)
+raise
+
+
class SimpleServiceInstance(Service):
def create_instance(self, gensvc_name=None, fqdn=None, dm_password=None, ldap_suffix=None, realm=None):
self.gensvc_name = gensvc_name
--
1.8.3.1
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH 0118] Allow to disable service (in LDAP)
This patch allows to disable service in LDAP to prevents service to be
started by ipactl restart
Required by DNSSEC
Patch attached
--
Martin Basti
From df330b6b2d630982a25ceaf7c7f6af79327f9089 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Thu, 28 Aug 2014 19:27:44 +0200
Subject: [PATCH] LDAP disable service
This patch allows to disable service in LDAP (ipactl will not start it)
---
ipaserver/install/service.py | 54 +++-
1 file changed, 53 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 1f01b275135173b7d0bfdb4d56729438a0853142..f008c7b8f94f3c8489b2c69f8d7cac52c2172a82 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -368,13 +368,40 @@ class Service(object):
self.steps = []
-def ldap_enable(self, name, fqdn, dm_password, ldap_suffix, config=[]):
+def ldap_enable(self, name, fqdn, dm_password, ldap_suffix, config=[], enable_if_exists=False):
assert isinstance(ldap_suffix, DN)
self.disable()
if not self.admin_conn:
self.ldap_connect()
entry_name = DN(('cn', name), ('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), ldap_suffix)
+
+# enable disabled service
+if enable_if_exists:
+try:
+entry = self.admin_conn.get_entry(entry_name, ['ipaConfigString'])
+except errors.NotFound:
+pass
+else:
+if 'enabledService' in entry.get('ipaConfigString', []):
+root_logger.debug(failed to re-enable %s Service startup entry (already enabled) % name)
+return
+
+if 'ipaConfigString' in entry and entry['ipaConfigString'] is not None:
+entry['ipaConfigString'].append('enabledService')
+else:
+entry['ipaConfigString'] = ['serviceEnabled']
+root_logger.warning(%s Service startup entry has no 'ipaConfigString' attributes % name)
+
+try:
+self.admin_conn.update_entry(entry)
+except:
+root_logger.debug(failed to re-enable %s Service startup entry (already enabled) % name)
+raise
+else:
+return
+
+
order = SERVICE_LIST[name][1]
entry = self.admin_conn.make_entry(
entry_name,
@@ -390,6 +417,31 @@ class Service(object):
root_logger.debug(failed to add %s Service startup entry % name)
raise e
+def ldap_disable(self, name, fqdn, ldap_suffix):
+assert isinstance(ldap_suffix, DN)
+if not self.admin_conn:
+self.ldap_connect()
+
+entry_name = DN(('cn', name), ('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), ldap_suffix)
+try:
+entry = self.admin_conn.get_entry(entry_name, ['ipaConfigString'])
+except errors.NotFound:
+root_logger.debug(failed to disable %s Service startup entry (service not found) % name)
+raise
+
+if 'enabledService' not in entry.get('ipaConfigString', []):
+root_logger.debug(failed to disable %s Service startup entry (Service already disabled) % name)
+return
+
+entry['ipaConfigString'].remove('enabledService')
+
+try:
+self.admin_conn.update_entry(entry)
+except:
+root_logger.debug(failed to disable %s Service startup entry % name)
+raise
+
+
class SimpleServiceInstance(Service):
def create_instance(self, gensvc_name=None, fqdn=None, dm_password=None, ldap_suffix=None, realm=None):
self.gensvc_name = gensvc_name
--
1.8.3.1
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
