[Freeipa-devel] [PATCH] 087 Allow recursion by default
I suggest adding the following doc to the end of chapter 5.6. DNS (after the paragraphs about forwarders):

Any host is permitted to issue recursive queries against configured forwarders by default. When required, this behavior can be changed in /etc/named.conf in allow-recursion statement. Please consult name server documentation for details how to edit the configuration statement.

How to test:
1) install IPA with --setup-dns and defined --forwarder
2) query record not-managed by installed IPA (e.g. www.freeipa.org) from localhost - should pass both with and without the patch
3) query record not-managed by installed IPA from other computer from different subnet - fails without the patch and should pass with the patch

Update name server configuration file to allow any host to issue recursive queries (allow-recursion statement).
https://fedorahosted.org/freeipa/ticket/1335

From 3dd16fab887d70675bf6359b0afdf2d32932b911 Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Wed, 22 Jun 2011 08:35:50 +0200 Subject: [PATCH] Allow recursion by default Update name server configuration file to allow any host to issue recursive queries (allow-recursion statement). https://fedorahosted.org/freeipa/ticket/1335 --- install/share/bind.named.conf.template |3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template index 71facbaf7f3e14f009b2aa9d6ba7a5d8bd0372af..e843b4c005cbbbee55a2f9ef5374a6a3f12dbfca 100644 --- a/install/share/bind.named.conf.template +++ b/install/share/bind.named.conf.template @@ -11,6 +11,9 @@ options { forward first; forwarders {$FORWARDERS}; + // Any host is permitted to issue recursive queries + allow-recursion { any; }; + tkey-gssapi-credential DNS/$FQDN; tkey-domain $REALM; }; -- 1.7.5.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
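Review bot: `allow-recursion { any; };` in the global options block turns the IPA name server into an open recursive resolver: every source address that can reach port 53 may use it, and via `forward first` the forwarders behind it, for arbitrary lookups, which is the well-known amplification and cache-poisoning exposure for a server reachable from untrusted networks. Test step 3 (a host on a different subnet must succeed) shows this is the intent, so suggest restricting the ACL to the networks the deployment actually serves, e.g. `allow-recursion { localnets; localhost; };` or a templated address list, and keeping `any` as an explicit opt-in; the proposed paragraph for section 5.6 should then state plainly that the default is open to every host and that operators of Internet-facing servers are expected to tighten it.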
Re: [Freeipa-devel] Kerberos implementation issues
On Tue, Jun 21, 2011 at 04:48:08PM -0600, Pete Zaitcev wrote:
> On Tue, 21 Jun 2011 18:28:36 -0400 Dmitri Pal d...@redhat.com wrote:
>
> Dear Dmitri, thanks for the reply. I am reading curl source code now and I notice the distinction between Negotiate that comes from SPNEGO, and GSS-Negotiate. I'm looking for the definition of the latter.
>
>>> I am working on adding authentication/authorization to Image Warehouse (a.k.a. iwhd). It uses HTTP protocol, implemented with GNU Microhttpd. [...] So far, I gather that so-called SPNEGO protocol is what everyone uses (RFC 4178). It relies on GSS-API (2743/2744) and Kerberos (4121). There's also a Kerberos on Windows thing (4559), which actually defines the key pieces such as WWW-Authenticate: Negotiate.
>>
>> What web server you are using? It is mostly something that is used outside the application by the web server itself.
>
> As I mentioned, iwhd relies on GNU Microhttpd library to implement a webserver.

According to http://www.gnu.org/software/libmicrohttpd/ there is only "Support for basic and digest authentication (optional)". As Dmitri already mentioned there is mod_auth_kerb for Apache which offers the Negotiate. It does GSSAPI but can handle SPNEGO as well and can authenticate an SPNEGO client if it can handle GSSAPI (SPNEGO is basically used to choose between GSSAPI or NTLMSSP). As long as GNU Microhttpd library does not support at least GSSAPI, but SPNEGO would be important for Windows clients, or can use Apache's mod_auth_kerb somehow, I would recommend like Dmitri to use an Apache in front of iwhd and let Apache forward the principal of the authenticated user in e.g. X_FORWARDED_USER header variable.

>> Like with Apache you can use/configure mod_auth_kerb and if the client is configured to negotiate kerberos and the apache server has a keytab and a service principal (name) in KDC (freeIPA) you are all set. This is how the Katello prototype has been set up.
>
> I see, the vital part here is the need to register the service principal with the KDC. I was wondering about that too.

Yes, both the client/user principal and the service principal must be known to the KDC so that both can trust each other. With freeIPA every user automatically will have its own principal and every server added to the IPA domain (ipa-client-install or ipa host-add) gets a host principal host/fully.qualified.domain.name@YOUR.KERBEROS.REALM. For a web service you typically do not want to use the host principal but create one for the specific service HTTP/fully.qualified.domain.name@YOUR.KERBEROS.REALM with ipa service-add. If you don't have freeIPA but a plain KDC you have to use the kadmin utility to create the principals (and their keys).

HTH

bye,
Sumit

>> The transactions would require a state. You can try to do something that we are planning to do in IPA to reduce the cost of the re-negotiation on every request. We plan to use a cookie. But it all depends what are your transactions are for. Do they define the commit boundaries or they are just to reduce renegotiation?
>
> I am somewhat disaffected with cookies, as they have a lot of weaknesses (usually).. Certainly, turning around the 401 replies costs a lot, but until I know for myself that it cannot be avoided (by posting Authenticate header preventively), I am going to examine the facts a little more. However, if FreeIPA team comes up with standard way to keep tickets in cookies, I would like to hear the details.
>
> Thanks again,
> -- Pete
Re: [Freeipa-devel] [PATCH] 785 data type of certificates
On 8.6.2011 16:56, Rob Crittenden wrote:
> Jan Cholasta wrote:
>> On 18.5.2011 17:21, Rob Crittenden wrote:
>>> Make data type of certificates more obvious/predictable internally. For the most part certificates will be treated as being in DER format. When we load a certificate we will generally accept it in any format but will convert it to DER before proceeding in normalize_certificate().
>>>
>>> This also re-arranges a bit of code to pull some certificate-specific functions out of ipalib/plugins/service.py into ipalib/x509.py.
>>>
>>> This also tries to use variable names to indicate what format the certificate is in at any given point:
>>> dercert: DER
>>> cert: PEM
>>> nsscert: a python-nss Certificate object
>>> rawcert: unknown format
>>>
>>> ticket 32
>>>
>>> rob
>>
>> NACK
>>
>> lint fails with:
>> ipalib/plugins/host.py:380: [E0602, host_add.pre_callback] Undefined variable 'normalize_certificate'
>> ipalib/plugins/host.py:381: [E0602, host_add.pre_callback] Undefined variable 'verify_cert_subject'
>>
>> Honza
>
> Needed to be re-based with changes to 779.
>
> rob

ACK

Honza

-- 
Jan Cholasta
Re: [Freeipa-devel] Kerberos implementation issues
Sumit Bose wrote:
> On Tue, Jun 21, 2011 at 04:48:08PM -0600, Pete Zaitcev wrote:
>> On Tue, 21 Jun 2011 18:28:36 -0400 Dmitri Pal d...@redhat.com wrote:
>>
>> Dear Dmitri, thanks for the reply. I am reading curl source code now and I notice the distinction between Negotiate that comes from SPNEGO, and GSS-Negotiate. I'm looking for the definition of the latter.
>>
>>>> I am working on adding authentication/authorization to Image Warehouse (a.k.a. iwhd). It uses HTTP protocol, implemented with GNU Microhttpd. [...] So far, I gather that so-called SPNEGO protocol is what everyone uses (RFC 4178). It relies on GSS-API (2743/2744) and Kerberos (4121). There's also a Kerberos on Windows thing (4559), which actually defines the key pieces such as WWW-Authenticate: Negotiate.
>>>
>>> What web server you are using? It is mostly something that is used outside the application by the web server itself.
>>
>> As I mentioned, iwhd relies on GNU Microhttpd library to implement a webserver.
>
> According to http://www.gnu.org/software/libmicrohttpd/ there is only "Support for basic and digest authentication (optional)". As Dmitri already mentioned there is mod_auth_kerb for Apache which offers the Negotiate. It does GSSAPI but can handle SPNEGO as well and can authenticate an SPNEGO client if it can handle GSSAPI (SPNEGO is basically used to choose between GSSAPI or NTLMSSP). As long as GNU Microhttpd library does not support at least GSSAPI, but SPNEGO would be important for Windows clients, or can use Apache's mod_auth_kerb somehow, I would recommend like Dmitri to use an Apache in front of iwhd and let Apache forward the principal of the authenticated user in e.g. X_FORWARDED_USER header variable.

Unfortunately, replacing (in iwhd) an embedded component like libmicrohttpd may be, er, ... challenging. iwhd can be configured as both server and client, and can use arbitrary port numbers, so deferring to Apache seems infeasible.

For example, one use case is to run two interconnected iwhd servers, one upstream and another downstream, as demonstrated in iwhd's t/replication test case. Even if we were to give up this functionality (currently not required by any iwhd client), requiring an additional, private-to-iwhd, kerb-enabled Apache server sounds like disproportionate overhead for an otherwise small daemon.

Our best bet may be to find an embeddable httpd server that supports GSSAPI. Do any of you know of one?
Re: [Freeipa-devel] [PATCH] 807 get schema in json handler
Adam Young wrote:
> On 06/21/2011 04:10 PM, Rob Crittenden wrote:
>> If the first request the web server handles is for a bad ticket (e.g. expired) then it is possible to get past the point where the lazy LDAP schema retrieval would happen causing a backtrace in the json handler.
>>
>> Add a call to get the schema which will be skipped if a valid schema has already been retrieved.
>>
>> ticket https://fedorahosted.org/freeipa/ticket/1354
>>
>> rob
>
> ACK. Pushed to master. Seems to fix 1354

pushed to ipa-2-0
Re: [Freeipa-devel] Kerberos implementation issues
On 06/21/2011 06:48 PM, Pete Zaitcev wrote:
> I am somewhat disaffected with cookies, as they have a lot of weaknesses (usually).. Certainly, turning around the 401 replies costs a lot, but until I know for myself that it cannot be avoided (by posting Authenticate header preventively), I am going to examine the facts a little more. However, if FreeIPA team comes up with standard way to keep tickets in cookies, I would like to hear the details.

We will see what we would be able to come up.

Tickets to watch:
https://fedorahosted.org/freeipa/ticket/215
https://fedorahosted.org/freeipa/ticket/225

Both are in Deferred bucket as there are no firm plans. We will see when we would be able look into these tickets.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
[Freeipa-devel] [PATCH] 0251-absolute-to-relative
From 6ddf2efe36bec9befaacc778525309a38ce2de6d Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Wed, 22 Jun 2011 10:13:04 -0400 Subject: [PATCH] absolute to relative --- install/ui/ipa.css | 21 + 1 files changed, 5 insertions(+), 16 deletions(-) diff --git a/install/ui/ipa.css b/install/ui/ipa.css index 45a17865fd007949137217b94c3a23c90390..d324131da1a99094786b7286974a493e1d1404ca 100644 --- a/install/ui/ipa.css +++ b/install/ui/ipa.css @@ -37,7 +37,7 @@ html { } body { -overflow: auto; +overflow: hidden; background: url(outer-bg.png); background-repeat: repeat-x; background-position: left top; @@ -391,18 +391,13 @@ div.tabs { } .entity-header { -position: absolute; -top: 0; -left: 0; -right: 0; +position: relative; height: 70px; margin: 20px 22px 0; } .entity-title { -position: absolute; -top: 0; -left: 0; +position: relative; color: gray; display: block; } @@ -420,9 +415,7 @@ div.tabs { } .entity-search { -position: absolute; -top: 0; -right: 0; +position: relative; } .back-link { @@ -430,17 +423,13 @@ div.tabs { } .entity-tabs { -position: absolute; +position: relative; height: 40px; -left: 0; -right: 0; -bottom: 0; z-index: 1; /* need to be above facet header */ } .facet-group { float: left; -/*height: 3em; */ margin-right: 1em; position: relative; height: 100%; -- 1.7.5.2 From d95791b07d27778340bf8de96408df14ce6d669d Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Fri, 1 Apr 2011 11:56:09 -0400 Subject: [PATCH] update ipa init a simple script to update the metatdate et alles that comes from the ipa_init batch call --- install/ui/test/bin/update_ipa_init.sh | 21 + 1 files changed, 21 insertions(+), 0 deletions(-) create mode 100755 install/ui/test/bin/update_ipa_init.sh diff --git a/install/ui/test/bin/update_ipa_init.sh b/install/ui/test/bin/update_ipa_init.sh new file mode 100755 index ..064f16b9e81b6888b97ab1a9a192971a230b8f84 --- /dev/null +++ b/install/ui/test/bin/update_ipa_init.sh 
@@ -0,0 +1,21 @@ +#!/bin/bash -x + +FIXTURE_DIR=$1 + +INIT_FILE=$FIXTURE_DIR/ipa_init.json + +usage(){ + echo $0 {FIXTURE_DIR} + exit 1 +} + +if [ ! -f $INIT_FILE ] +then + usage + exit 1 +fi + + + +curl -v -H Content-Type:application/json -H Accept:applicaton/json --negotiate -u : --cacert /etc/ipa/ca.crt -d '{method:batch,params:[[ {method:json_metadata,params:[[],{}]}, {method:i18n_messages,params:[[],{}]}, {method:user_find,params:[[],{whoami:true,all:true}]}, {method:env,params:[[],{}]}, {method:dns_is_enabled,params:[[],{}]} ],{}],id:1}' -X POST https://`hostname`/ipa/json | sed 's/[ \t]*$//'$INIT_FILE + -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
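Review bot: in the first hunk of install/ui/ipa.css, `body { overflow: auto; }` becomes `overflow: hidden`, which disables page-level scrolling; once the header elements are `position: relative` and stack in normal flow, a facet taller than the viewport has no scrollbar unless each facet container scrolls on its own, so either keep `overflow: auto` on `body` or state in the commit message which inner element now owns scrolling. The later `.facet-group` hunk also deletes the commented-out `/*height: 3em; */` line, which is unrelated to the absolute-to-relative change and would be cleaner as a separate commit.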
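Review bot: in the update_ipa_init.sh hunk the pipeline ends with `sed 's/[ \t]*$//'$INIT_FILE`, with no redirection operator between the sed expression and the path, so as written sed treats the fixture file as an input to filter and the curl output goes to stdout instead of replacing the fixture; a `> $INIT_FILE` appears to be missing. Smaller points: `Accept:applicaton/json` is misspelled; the `exit 1` after the `usage` call is unreachable because `usage` already exits; `$FIXTURE_DIR` and `$INIT_FILE` are unquoted; and `#!/bin/bash -x` traces every command, so the full JSON request body lands in the terminal and any captured logs. Note also that the batch call includes `user_find` with `whoami` and `all`, so the regenerated fixture contains the invoking admin's complete user entry and should be reviewed before it is committed.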
Re: [Freeipa-devel] Kerberos implementation issues
On Tue, 21 Jun 2011 18:28:36 -0400 Dmitri Pal d...@redhat.com wrote:

Dear Dmitri, thanks for the reply. I am reading curl source code now and I notice the distinction between Negotiate that comes from SPNEGO, and GSS-Negotiate. I'm looking for the definition of the latter.

>> I am working on adding authentication/authorization to Image Warehouse (a.k.a. iwhd). It uses HTTP protocol, implemented with GNU Microhttpd. [...] So far, I gather that so-called SPNEGO protocol is what everyone uses (RFC 4178). It relies on GSS-API (2743/2744) and Kerberos (4121). There's also a Kerberos on Windows thing (4559), which actually defines the key pieces such as WWW-Authenticate: Negotiate.
>
> What web server you are using? It is mostly something that is used outside the application by the web server itself.

As I mentioned, iwhd relies on GNU Microhttpd library to implement a webserver.

> Like with Apache you can use/configure mod_auth_kerb and if the client is configured to negotiate kerberos and the apache server has a keytab and a service principal (name) in KDC (freeIPA) you are all set. This is how the Katello prototype has been set up.

I see, the vital part here is the need to register the service principal with the KDC. I was wondering about that too.

> The transactions would require a state. You can try to do something that we are planning to do in IPA to reduce the cost of the re-negotiation on every request. We plan to use a cookie. But it all depends what are your transactions are for. Do they define the commit boundaries or they are just to reduce renegotiation?

I am somewhat disaffected with cookies, as they have a lot of weaknesses (usually).. Certainly, turning around the 401 replies costs a lot, but until I know for myself that it cannot be avoided (by posting Authenticate header preventively), I am going to examine the facts a little more. However, if FreeIPA team comes up with standard way to keep tickets in cookies, I would like to hear the details.

Thanks again,
-- Pete
Re: [Freeipa-devel] [PATCH] 785 data type of certificates
Jan Cholasta wrote:
> On 8.6.2011 16:56, Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> On 18.5.2011 17:21, Rob Crittenden wrote:
>>>> Make data type of certificates more obvious/predictable internally. For the most part certificates will be treated as being in DER format. When we load a certificate we will generally accept it in any format but will convert it to DER before proceeding in normalize_certificate().
>>>>
>>>> This also re-arranges a bit of code to pull some certificate-specific functions out of ipalib/plugins/service.py into ipalib/x509.py.
>>>>
>>>> This also tries to use variable names to indicate what format the certificate is in at any given point:
>>>> dercert: DER
>>>> cert: PEM
>>>> nsscert: a python-nss Certificate object
>>>> rawcert: unknown format
>>>>
>>>> ticket 32
>>>>
>>>> rob
>>>
>>> NACK
>>>
>>> lint fails with:
>>> ipalib/plugins/host.py:380: [E0602, host_add.pre_callback] Undefined variable 'normalize_certificate'
>>> ipalib/plugins/host.py:381: [E0602, host_add.pre_callback] Undefined variable 'verify_cert_subject'
>>>
>>> Honza
>>
>> Needed to be re-based with changes to 779.
>>
>> rob
>
> ACK
>
> Honza

pushed to master and ipa-2-0

rob
Re: [Freeipa-devel] [PATCH] 792 Update translations
Martin Kosek wrote:
> On Tue, 2011-06-14 at 17:41 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Mon, 2011-06-06 at 13:47 -0400, Rob Crittenden wrote:
>>>> Our translation files haven't been updated for a few months, this brings things up to date. It is intended for master only.
>>>>
>>>> All I did to generate this patch was to run make update-po in install/po. It is otherwise untouched by human hands.
>>>>
>>>> 4Mb of changes, 810 new messages, so this patch is huge, sorry.
>>>>
>>>> rob
>>>
>>> Eh, nice patch :-) Did you also pull new translations from Transifex? John wrote a howto in a mail "Transifex i18n translation changes". Btw if we also want to update ipa-2-0 translations, it would need a separate patch as those 2 branches have diverged.
>>>
>>> Martin
>>
>> There are no new translations upstream. Once this is pushed we can push it to Transifex as well
>>
>> rob
>
> Ok, ACK from me then. Feel free to regenerate translations if some strings were changed before the review was completed.
>
> Martin

Pushed to master
Re: [Freeipa-devel] [PATCH] 185 Converted entity header into facet header.
On 06/21/2011 11:09 PM, Endi Sukma Dewata wrote:
> The content and the size of entity header changes depending on the facet being displayed, so the entity header has been converted into a facet header to allow better control via CSS. The DNS record facet has been updated to use the same styles and support scrolling. To help styling and testing, all buttons have been assigned a name.
>
> This patch requires Kyle's patch #9 and #10.
>
> Demo is available here: http://edewata.fedorapeople.org/freeipa/install/ui/index.html

Close. The commonality of config and krbticket policy is that they have no search. Instead of putting a specific name= class for them, use a single class, something like .no-search. That way if we have others, we just reuse that class, instead of having css for each entity. The CSS should be oblivious to the domain model.
Re: [Freeipa-devel] Kerberos implementation issues
> Dmitri Pal wrote:
>> On 06/22/2011 07:44 AM, Jim Meyering wrote:
>>> Our best bet may be to find an embeddable httpd server that supports GSSAPI. Do any of you know of one?
>>
>> Quick search on the internet did not reveal any. I found a Ruby GSSAPI library if this is of any help.
>> https://github.com/zenchild/gssapi/wiki
>
> If only iwhd were written in Ruby rather than C.

Hm I thought everything is written in Ruby nowadays :-) at least most of the cloud infrastructure services we integrate. Good to hear that something is still written in plain old C.

Is there any architectural diagram and high level overview of the project that we can take a look at?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-devel] Kerberos implementation issues
Dmitri Pal wrote:
>> Dmitri Pal wrote:
>>> On 06/22/2011 07:44 AM, Jim Meyering wrote:
>>>> Our best bet may be to find an embeddable httpd server that supports GSSAPI. Do any of you know of one?
>>>
>>> Quick search on the internet did not reveal any. I found a Ruby GSSAPI library if this is of any help.
>>> https://github.com/zenchild/gssapi/wiki
>>
>> If only iwhd were written in Ruby rather than C.
>
> Hm I thought everything is written in Ruby nowadays :-) at least most of the cloud infrastructure services we integrate. Good to hear that something is still written in plain old C.
>
> Is there any architectural diagram and high level overview of the project that we can take a look at?

Sure, http://git.fedorahosted.org/git?p=iwhd.git;a=blob;f=doc/image_repo.odt
Re: [Freeipa-devel] Kerberos implementation issues
On 06/22/2011 12:14 PM, Jim Meyering wrote:
> Sure, http://git.fedorahosted.org/git?p=iwhd.git;a=blob;f=doc/image_repo.odt

Does not open for me. I tried saving but it saves as 0-byte doc

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-devel] Kerberos implementation issues
On Wed, 2011-06-22 at 16:18 +0200, Jim Meyering wrote:
> Dmitri Pal wrote:
>> On 06/22/2011 07:44 AM, Jim Meyering wrote:
>>> Our best bet may be to find an embeddable httpd server that supports GSSAPI. Do any of you know of one?
>>
>> Quick search on the internet did not reveal any. I found a Ruby GSSAPI library if this is of any help.
>> https://github.com/zenchild/gssapi/wiki
>
> If only iwhd were written in Ruby rather than C.

Maybe you can take mod_auth_kerb sources and adapt it for libmicrohttp, shouldn't be too much work, the crypto details are handled by libgssapi anyways.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 0251-absolute-to-relative
On 6/22/2011 9:14 AM, Adam Young wrote:

As discussed over IRC, in this particular case the absolute positioning still has advantages over relative because it allows the elements in the header (e.g. title, back link, facet tabs, controls) to attach 'relative' to the header's borders. This way when we change the elements in the header (e.g. hiding the facet tabs) the only thing that might need to change is the header height, which is the same as facet content's top position. I think this is easier to maintain rather than having to rely on the heights of each element in the header.

-- 
Endi S. Dewata
Re: [Freeipa-devel] Kerberos implementation issues
On Wed, 22 Jun 2011 09:15:48 -0400 Jeff Darcy jda...@redhat.com wrote:

> (1) Have we definitively concluded that it's not possible to implement the pieces we need on top of the core libmicrohttpd code?

I hooked into rest.c:access_handler_0(), using MHD_lookup_connection_value and friends for now. Seems working, without SSL at least.

> (2) Has anyone tried looking at the libmicrohttpd code, or talking to the libmicrohttpd authors, to evaluate the feasibility of adding the features we need there?

No, I haven't. Actually once I'm done maybe we can send them a patch to implement Negotiate authentication.

-- Pete
Re: [Freeipa-devel] [PATCH] 086 Fix IPA install for secure umask
Martin Kosek wrote:
> On Fri, 2011-06-17 at 15:37 +0200, Martin Kosek wrote:
>> On Fri, 2011-06-17 at 14:44 +0200, Martin Kosek wrote:
>>> Make sure that IPA can be installed with root umask set to secure value 077. ipa-server-install was failing in DS configuration phase when dirsrv tried to read boot.ldif created during installation.
>>>
>>> https://fedorahosted.org/freeipa/ticket/1282
>>
>> Self-Nack. Even though install didn't fail, I didn't notice there are still issues with other files. For example dirsrv schema ldifs. This needs to be fixed.
>>
>> Martin
>
> Sending a fixed version of the patch. See ticket for instructions how to test.
>
> Martin

Ack, pushed to master and ipa-2-0

rob
[Freeipa-devel] FreeIPA LDAP DN handling issues (part 2)
-- 
John Dennis jden...@redhat.com
Looking to carve out IT costs? www.redhat.com/carveoutcosts/

Part 2 of 2 Parts

Part 1 introduced some problems discovered with DN handling in FreeIPA. Part 2 discusses proposed utility classes which eliminate the problems described in Part 1 and how to use them.

Introduction:
-------------

The new module ipalib/dn.py introduces 3 new classes: DN, RDN and AVA. The module and each class have extensive documentation, you should refer to that for details and clarifications, this is only an overview. In addition there is a unit test (tests/test_ipalib/test_dn.py) with extensive examples of how the classes can be utilized.

Of the 3 new classes (DN, RDN, AVA) you will most likely only need to use DN, you may need to use RDN, and it's unlikely you'll need to use AVA. This is because the classes are aware of each other and try to behave intelligently on behalf of the programmer. For example if you supply an attr,value pair to a DN object it will interpret this as a single valued RDN and construct a new RDN object, in turn the RDN object will construct a new AVA object passing it the attr,value pair and the RDN object will add the new AVA to itself. Then the DN object will add the new RDN to itself.

    dn = DN('cn', 'Bob')
    # This is exactly equivalent to
    dn = DN(RDN(AVA('cn', 'Bob')))

The DN, RDN and AVA objects have all the intuitive Pythonic behavior you would expect. Recall a DN is an ordered sequence of RDN's and a RDN is a set of AVA's, thus they are containers and all of Python's container and iteration operators are available to you.

Basic attr, value access:
-------------------------

AVA's have an attr and value property, thus if you have an AVA

    # Get the attr and value
    ava.attr -> u'cn'
    ava.value -> u'Bob'

    # Set the attr and value
    ava.attr = 'cn'
    ava.value = 'Bob'

But since RDN's are assumed to be single valued, exactly the same behavior applies to an RDN (it will throw an exception if the RDN is not single valued)

    # Get the attr and value
    rdn.attr -> u'cn'
    rdn.value -> u'Bob'

    # Set the attr and value
    rdn.attr = 'cn'
    rdn.value = 'Bob'

Also RDN's can be indexed by name or position (see the RDN class doc for details).

    rdn['cn'] -> u'Bob'
    rdn[0] -> AVA('cn', 'Bob')

Basic container iteration operations:
-------------------------------------

A DN is a sequence of RDN's, as such any of Python's container operators can be applied to a DN in an intuitive way.

    # How many RDN's in a DN?
    len(dn)
    # WARNING, this is a count of RDN's, not how many characters there are in the
    # string representation of the dn, instead that would be:
    len(str(dn))

    # Iterate over each RDN in a DN
    for rdn in dn:

    # Get the first RDN in a DN
    dn[0] -> RDN('cn', 'Bob')

    # Get the value of the first RDN in a DN
    dn[0].value -> u'Bob'

    # Get the value of the first RDN by indexing by attr name
    dn['cn'] -> u'Bob'
    # WARNING, when a string is used as an index key the FIRST RDN's value
    # in the sequence whose attr matches the key is returned. Thus if you
    # have a DN like this cn=foo,cn=bar then dn['cn'] will always return
    # 'foo' even though there is another attr with the name 'cn'. This is
    # almost always what the programmer wants. See the class doc for how
    # you can override this default behavior and get a list of every value
    # whose attr matches the key.

    # Set the first RDN in the DN (all are equivalent)
    dn[0] = 'cn', 'Bob'
    dn[0] = ('cn', 'Bob')
    dn[0] = RDN('cn', 'Bob')
    dn[0].attr = 'cn'
    dn[0].value = 'Bob'

    # Get the first two RDN's using slices
    dn[0:2]

    # Get the last two RDN's using slices
    dn[-2:]

    # Get a list of all RDN's using slices
    dn[:]

    # Set the 2nd and 3rd RDN using slices (all are equivalent)
    dn[1:4] = 'cn', 'Bob', 'dc', 'redhat.com'
    dn[1:4] = ('cn', 'Bob'), ('dc', 'redhat.com')
    dn[1:4] = RDN('cn', 'Bob'), RDN('dc', 'redhat.com')

String representations and escapes:
-----------------------------------

    # To get an RFC compliant string representation of a DN, RDN or AVA
    # simply call str() on it or evaluate it in a string context.
    str(dn) -> 'cn=Bob,dc=redhat.com'

    # When working with attr's and values you do not have to worry about
    # escapes, simply use the raw unescaped string in a natural fashion.
    rdn = RDN('cn', 'R,W')
    # Thus:
    rdn.value == 'R,W' -> True
    # But:
    str(rdn) == 'cn=R,W' -> False
    # Because:
    str(rdn) -> 'cn=R\2cW' or 'cn=R\,W'
    # depending on the underlying LDAP library

Equality and Comparing:
-----------------------

    # All DN's, RDN's and AVA's support equality testing in an intuitive
    # manner.
    dn1 = DN('cn', 'Bob')
    dn2 = DN(RDN('cn', 'Bob'))
    dn1 == dn2 -> True
    dn1[0] == dn2[0] -> True
    dn1[0].value = 'Bobby'
    dn1 == dn2 -> False

    # See the class doc for how DN's, RDN's and AVA's compare
    # (e.g. cmp()). The general rule is for objects supporting multiple
    # values first their lengths are compared, then if the lengths match
    # the respective components of each are pair-wise compared until one
    # is discovered to be non-equal

Concatenation and In-Place Addition:
------------------------------------
Re: [Freeipa-devel] [PATCH 24/24] Add utility classes for handling DN's along with their, unittest.
John Dennis wrote:
> Revised patch attached.
>
> Added copyright notice.
> Added support for concatenation and in-place addition for a few more types.
> Updated the unit test for the new functionality.
> Correct import statement in unit test.

I can work with the updated patch you sent but it isn't in a format that git-am can handle. See this wiki page for patch naming conventions and patch generation commands: https://fedorahosted.org/freeipa/wiki/PatchFormat

rob
Re: [Freeipa-devel] [PATCH 24/24] Add utility classes for handling DN's along with their, unittest.
John Dennis wrote:
> Revised patch attached.
>
> Added copyright notice.
> Added support for concatenation and in-place addition for a few more types.
> Updated the unit test for the new functionality.
> Correct import statement in unit test.

Ack, pushed to master and ipa-2-0
Re: [Freeipa-devel] [PATCH 27/27] get_primary_key_from_dn returns decoded value
John Dennis wrote:
> DN's may be encoded. If we're going to return the value from one of the RDN's in the DN then we must decode the DN first, otherwise the returned value won't be what we're expecting. Specifically the value getting passed back through the RPC interface was not the value set because it included escaping specific only to DN's. We want to treat the value as the value set by the user, the fact it happens to live as part of a DN is an irrelevant implementation detail which shouldn't be visible in the values we exchange through the RPC mechanism.
>
> This patch takes the DN as returned by an ldap search and creates a DN object from it. The DN object allows us to robustly extract the value by name. The DN object also assures the components in the DN have been decoded back into normal unicode strings.
>
> There are many other places where we need to properly handle DN's by using a DN object, this is just one place, the minimum needed to get comma's working in privileges. I'd rather make very small incremental changes in the DN handling rather than introducing too many changes in this critical area of the code, let's be conservative at this juncture.

ack, pushed to master and ipa-2-0
Re: [Freeipa-devel] [PATCH 26/26] Add backslash escape support for csv reader
John Dennis wrote:
> The csv reader is used to break comma separated lists into individual items. However what if you want one of those items to have an embedded comma? The answer is to escape it by preceding the comma with a backslash. This patch adds support for escaping in the csv reader.

ack, pushed to master and ipa-2-0
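As an added illustration (my own code, not the patch under review), Python's csv module gives exactly this behaviour through its escapechar option: a backslash in front of a comma makes the comma part of the item instead of a separator. The escape_comma() helper is modelled on the utility named in the test_role_plugin thread but is an assumption about its behaviour; this version also escapes backslashes so that the round trip is lossless.

```python
import csv


def split_csv(text: str) -> list:
    """Split a comma separated list into items; a backslash-escaped comma
    (\\,) stays inside its item instead of acting as a separator."""
    # escapechar tells the reader to take the character after a backslash literally
    rows = list(csv.reader([text], delimiter=",", escapechar="\\"))
    return rows[0] if rows else []


def escape_comma(value: str) -> str:
    """Escape one value so that split_csv() hands it back unchanged.
    Backslashes are escaped as well (my addition; the thread only says the
    utility escapes commas), otherwise a literal backslash would be eaten."""
    return value.replace("\\", "\\\\").replace(",", "\\,")


if __name__ == "__main__":
    # constructed sample: privilege names, one containing a comma, one a backslash
    privileges = ["Add, Users", "Modify Groups", "path\\with\\backslash"]
    joined = ",".join(escape_comma(p) for p in privileges)
    print(joined)
    assert split_csv(joined) == privileges
```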
Re: [Freeipa-devel] [PATCH 28/28] Update test_role_plugin test to include a comma in a privilege
John Dennis wrote:
> Update test_role_plugin test to include a comma in a privilege
>
> Introduce a comma into a privilege name to assure we can handle commas. Commas must be escaped for some parameters, add escape_comma() utility and invoke it for the necessary parameters.
>
> Utilize a DN object to properly construct a DN and most importantly to allow equality testing between the DN we expect and the one returned. This is necessary because a DN can be encoded according to different encoding syntaxes all of which are valid. DN objects always decode from their input. DN objects can test for equality between DN's without being affected by DN encoding.
>
> Add an equality callback for the dn in the expected dict. When the test framework tests for equality between the expected value and the returned value it will call back into a function we provide which will convert the returned dn into a DN object. An equality test is then performed between two DN objects. This is the only way to properly compare two dn's.

ack, pushed to master and ipa-2-0
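The get_primary_key_from_dn change (patch 27) and the DN equality check in this test come down to the same two operations: decode each RDN value back to what the user set, and compare DNs component by component rather than as raw strings. The following is an added illustration built on a minimal RFC 4514 parser of my own, not the DN class from these patches; it assumes single-valued RDNs (no '+'), UTF-8 values and no escaped trailing whitespace, and it compares attribute types case-insensitively but values exactly.

```python
import re

_ESC = re.compile(r"\\([0-9A-Fa-f]{2}|.)|(.)", re.DOTALL)   # one escape or one plain char


def dn_unescape(raw: str) -> str:
    """Decode a DN-escaped value: \\2c and \\, both yield ','. Hex escapes are
    collected as bytes first so multi-byte ones such as \\c3\\a9 decode correctly."""
    out = bytearray()
    for esc, plain in _ESC.findall(raw):
        if plain:
            out.extend(plain.encode())
        elif len(esc) == 2:
            out.append(int(esc, 16))
        else:
            out.extend(esc.encode())
    return out.decode("utf-8")


def split_rdns(dn: str) -> list:
    """Split a DN on commas that are not escaped; a backslash pair is kept whole."""
    return re.findall(r"(?:\\.|[^,])+", dn)


def parse_dn(dn: str) -> list:
    """DN string -> [(attribute type lower-cased, decoded value), ...].
    Assumes single-valued RDNs (no '+') and no escaped trailing whitespace."""
    rdns = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), dn_unescape(value.lstrip())))
    return rdns


def dn_equal(a: str, b: str) -> bool:
    """Same entry regardless of how each string was escaped."""
    return parse_dn(a) == parse_dn(b)


def get_primary_key_from_dn(dn: str, attr: str) -> str:
    """Decoded value of the first RDN whose type is attr (the value to hand to RPC)."""
    for rdn_attr, value in parse_dn(dn):
        if rdn_attr == attr.lower():
            return value
    raise KeyError(attr)


if __name__ == "__main__":
    # constructed sample: the same privilege DN as produced by two different encoders
    a = "cn=Add\\, Users,cn=privileges,dc=example,dc=com"
    b = "CN=Add\\2c Users, cn=privileges,dc=example,dc=com"
    assert a != b and dn_equal(a, b)
    print(get_primary_key_from_dn(a, "cn"))   # Add, Users
```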
Re: [Freeipa-devel] [PATCH] 0251-absolute-to-relative
On 06/22/2011 01:53 PM, Endi Sukma Dewata wrote:
> On 6/22/2011 9:14 AM, Adam Young wrote:
>
> As discussed over IRC, in this particular case the absolute positioning still has advantages over relative because it allows the elements in the header (e.g. title, back link, facet tabs, controls) to attach 'relative' to the header's borders. This way when we change the elements in the header (e.g. hiding the facet tabs) the only thing that might need to change is the header height, which is the same as facet content's top position. I think this is easier to maintain rather than having to rely on the heights of each element in the header.
>
> In short, NACK
[Freeipa-devel] [PATCH] 186 Added navigation breadcrumb.
Navigation breadcrumb has been added to the facet header. The breadcrumb will appear on details, association, and automount facets. Ticket #1323 -- Endi S. Dewata From 5bf32d412bbdd1b4d6bd78a5a1944c75af954b3b Mon Sep 17 00:00:00 2001 From: Endi S. Dewata edew...@redhat.com Date: Wed, 22 Jun 2011 21:54:28 -0500 Subject: [PATCH] Added navigation breadcrumb. Navigation breadcrumb has been added to the facet header. The breadcrumb will appear on details, association, and automount facets. Ticket #1323 --- install/ui/automount.js | 25 ++- install/ui/details.js |2 +- install/ui/dns.js |2 +- install/ui/entitle.js |2 +- install/ui/entity.js| 108 +- install/ui/ipa.css | 11 +++-- install/ui/search.js|4 +- 7 files changed, 85 insertions(+), 69 deletions(-) diff --git a/install/ui/automount.js b/install/ui/automount.js index 73419f70baaa982fad901423ee53e0e33358b4e0..3e031769c6407a39c83d659d7bf5fd0b81766628 100644 --- a/install/ui/automount.js +++ b/install/ui/automount.js @@ -28,8 +28,7 @@ IPA.entity_factories.automountlocation = function() { return IPA.entity_builder(). -entity({name:'automountlocation', -title:IPA.messages.tabs.automount}). +entity({ name: 'automountlocation' }). search_facet({ title: IPA.metadata.objects.automountlocation.label, columns:['cn'] @@ -39,7 +38,8 @@ IPA.entity_factories.automountlocation = function() { nested_entity : 'automountmap', label : IPA.metadata.objects.automountmap.label, name: 'maps', -columns:['automountmapname'] +columns:['automountmapname'], +back_link_text: 'Back to Locations' }). details_facet({ sections:[ @@ -48,7 +48,9 @@ IPA.entity_factories.automountlocation = function() { label: IPA.messages.details.identity, fields:['cn'] } -]}). +], +back_link_text: 'Back to Locations' +}). adder_dialog({ fields:['cn'] }). 
@@ -56,8 +58,7 @@ IPA.entity_factories.automountlocation = function() { }; IPA.entity_factories.automountmap = function() { return IPA.entity_builder(). -entity({name:'automountmap', -title:IPA.messages.tabs.automount}). +entity({ name: 'automountmap' }). containing_entity('automountlocation'). nested_search_facet({ facet_group: 'member', @@ -65,7 +66,8 @@ IPA.entity_factories.automountmap = function() { label : IPA.metadata.objects.automountkey.label, name: 'keys', get_values: IPA.get_option_values, -columns:['automountkey','automountinformation'] +columns:['automountkey','automountinformation'], +back_link_text: 'Back to Locations' }). details_facet({ sections:[ @@ -74,7 +76,8 @@ IPA.entity_factories.automountmap = function() { label: IPA.messages.details.identity, fields:['automountmapname','description'] } -] +], +back_link_text: 'Back to Locations' }). adder_dialog({ factory: IPA.automountmap_adder_dialog, @@ -104,8 +107,7 @@ IPA.entity_factories.automountmap = function() { IPA.entity_factories.automountkey = function() { return IPA.entity_builder(). -entity({name:'automountkey', -title:IPA.messages.tabs.automount}). +entity({ name: 'automountkey' }). containing_entity('automountmap'). details_facet({ sections:[ @@ -114,7 +116,8 @@ IPA.entity_factories.automountkey = function() { label: IPA.messages.details.identity, fields:['automountkey','automountinformation','description'] } -] +], +back_link_text: 'Back to Locations' }). adder_dialog({ fields:['automountkey','automountinformation'] diff --git a/install/ui/details.js b/install/ui/details.js index 46a28e508da73947c7223ade58b0472d687ee5be..477857b20006393c90e8fd53a3e7964de07d964b 100644 --- a/install/ui/details.js +++ b/install/ui/details.js @@ -336,7 +336,7 @@ IPA.details_facet = function(spec) { that.create = function(container) { if (that.entity.facets.length == 1) { -that.disable_back_link = true; +that.disable_breadcrumb = true; that.disable_facet_tabs = true; } 
diff --git a/install/ui/dns.js b/install/ui/dns.js index 6ec807a09fc531de018c1722722ecea14cff2f10..56779a365d280320e134bb214c5b83b91eba5e3d 100644 --- a/install/ui/dns.js +++ b/install/ui/dns.js @@ -99,7 +99,7 @@ IPA.dnsrecord_facet = function(spec) { spec = spec ||
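Review bot: the five new `back_link_text: 'Back to Locations'` entries in the automount.js hunks are hard-coded English, while the surrounding specs take every other label from `IPA.messages.*` or `IPA.metadata.objects.*.label`; a message key would keep the breadcrumb link translatable. The same text is also used for the automountkey facets, whose `containing_entity('automountmap')` is a map rather than a location, so check that the label matches where that link actually leads.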
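Review bot: the details.js hunk renames `disable_back_link` to `disable_breadcrumb`, but the diffstat also lists dns.js, entitle.js, entity.js and search.js and only the dns.js hunk header is visible here; confirm every setter and reader of `disable_back_link` was renamed, since a facet still setting the old property would silently keep its breadcrumb enabled.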
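Review bot: the `title: IPA.messages.tabs.automount` property is removed from the automountlocation, automountmap and automountkey entity specs with no replacement in these hunks; unless the entity.js changes in this patch stop reading `entity.title`, the automount tab label is lost.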
Re: [Freeipa-devel] Kerberos implementation issues
Hi,

On 22.06.2011 20:30, Simo Sorce wrote:
> Quick search on the internet did not reveal any.
> I found a Ruby GSSAPI library if this is of any help.
> https://github.com/zenchild/gssapi/wiki
> If only iwhd were written in Ruby rather than C.
> Maybe you can take mod_auth_kerb sources and adapt it for libmicrohttp, shouldn't be too much work, the crypto details are handled by libgssapi anyways.

That seems to be a common case -- at least for nginx people did go the same way https://github.com/fintler/nginx-mod-auth-kerb

--
/ Alexander Bokovoy