Re: [Freeipa-devel] [PATCHES] 138-145 Action panel for user password reset
On 06/01/2012 02:40 AM, Endi Sukma Dewata wrote:
> ACK. Looks good. Pushed to master. Some comments:
>
> 1. I suppose the select_action will always be the first action in any header_actions, and the action doesn't actually do anything. You might want to consider the '-- select action --' as part of the IPA.action_list_widget and add it automatically in init_options(), that way it doesn't have to be defined explicitly in all header_actions.

Can be. If I do it, I will do it configurable with default to use the '-- select action --'.

> 2. Ideally the Enable/Disable/Delete actions should only be enabled if the user has rights to do that, but this depends on ticket #2187.

Yes. Also, I think enable and disable don't need #2187.

> 3. I noticed that the second argument of observer's notify() is always the object that owns the observer. For example:
>
>     that.observer = IPA.observer();
>     that.observer.notify([arg], that);
>
> Since the context doesn't change would it make sense to store the context in the observer itself?
>
>     that.observer = IPA.observer({ context: that });
>
> The arguments can also be passed as varargs:
>
>     that.observer.notify(arg);
>     that.observer.notify(arg1, arg2);

I like this idea. It simplifies things.

> On 5/24/2012 3:54 AM, Petr Vobornik wrote:
>> This bunch of patches implements a new concept: action panel and its implementation in the user page.
>>
>> The first two patches refactor the current action-list/control-buttons code to prepare ground for the following patches. Sorry for the added review work (could have been done this way earlier).
>>
>> Patch descriptions:
>>
>> [PATCH] 138 Refactored action list and control buttons to use shared list of actions
>>
>> This is a first step for implementing action panels which will also use the shared list of actions.
>>
>> This effort changes the way how action list and control buttons are defined. First, all actions are defined on facet level - attribute 'actions' in spec file. Implementation of action list widget is not specified on facet level. It is left in facet header.
>>
>> A list of action names used in action list can now be specified in facet spec in 'header_actions' attribute.
>>
>> Control buttons use a similar concept. Facet by default is using control_buttons_widget. Details and search facets define their own default actions (refresh/add/remove/update/reset). Additional buttons can be defined as an array of action names on facet level in control_buttons attribute.
>>
>> state_evaluators and state_listeners were united. They are called state_evaluators but they use the state_listener concept: they are attached to an event. For former state_evaluator the event is post_load. They are defined in spec in state attribute.
>>
>> State object purpose is to aggregate states from all state evaluators. It offers a changed event to which other objects can subscribe. It also has a summary evaluator which evaluates conditions. Summary evaluator creates summary status with human readable description. It can be used by facet header.
>>
>> https://fedorahosted.org/freeipa/ticket/2248
>>
>> [PATCH] 139 Refactored entities to use changed actions concept
>>
>> It's a continuation of the previous refactoring effort. This part changes specs in entities to use the changed concept.
>>
>> https://fedorahosted.org/freeipa/ticket/2248
>>
>> [PATCH] 140 Action panel
>>
>> This patch implements action panel. Action panel is a box located in facet details section which contains actions related to that object/section.
>>
>> In spec file can be configured actions and title used in action panel. Default title is 'Actions'. Actions are specified by their name. They have to be defined in action collection in facet.
>>
>> https://fedorahosted.org/freeipa/ticket/2248
>>
>> [PATCH] 141 User password widget modified.
>>
>> Currently the user password is shown as follows in the details page:
>>
>>     Password: Reset Password
>>
>> This is inconsistent with the rest of the page because the 'Reset Password' is an action, not the value of the password.
>>
>> Now password is shown as follows:
>>
>>     Password: ***   (if set)
>>     Password:       (if not set)
>>
>> Reset password link was removed, as well as the dialog for reset password was removed from password widget. The dialog was moved to its own object and can now be shown independently. An action for showing this dialog should be created.
>>
>> https://fedorahosted.org/freeipa/ticket/2248
>>
>> [PATCH] 142 Action panel for user
>>
>> This patch adds action panel to user account section. The panel contains an action for resetting user password.
>>
>> https://fedorahosted.org/freeipa/ticket/2248
>>
>> [PATCH] 143 Added missing i18n in action list and action panel
>>
>> This patch adds strings to internal.py which were not translated in action list/panel patches.
>>
>> https://fedorahosted.org/freeipa/ticket/2248
>>
>> [PATCH] 144 Add shadow to dialog
>>
>> This patch adds shadow to dialog used in Web UI. It looks cooler.
>>
>> https://fedorahosted.org/freeipa/ticket/2248
>>
>> note: I didn't want to create new ticket just for this minor visual enhancement.
>>
>> [PATCH] 145 Enable reset password action according to attribute permission
>>
>> This patch
Re: [Freeipa-devel] [PATCH] 150 Text widget's dirty state is changed on various input methods
On 06/01/2012 02:46 AM, Endi Sukma Dewata wrote:
> On 5/28/2012 6:44 AM, Petr Vobornik wrote:
>> on_value_changed event in textboxes and textareas was raised only on keyboard input. If user used a different input method such as paste or browser undo and redo functions, widget's on_value_changed event wasn't raised and so dirty state wasn't changed as well.
>>
>> This patch adds listener to text's and textarea's 'input' event. Input is an HTML 5 event which is raised on user initiated action. Some of the user initiated actions:
>>
>> * Cut
>> * Copy
>> * Paste
>> * Undo
>> * Redo
>> * Clear
>> * Typing (like keyup)
>> * Form AutoFill
>> * User-invoked spellcheck corrections
>> * Input from Input Method Editor
>>
>> It should be supported by all recent versions of major browsers. IE doesn't support it up to version 8. Listener for 'keyup' event was left in implementation for backward compatibility with older browsers. This may cause firing on_value_change twice but so far it shouldn't cause troubles.
>
> Yeah, if it becomes a problem later you might need to check the browser version and only listen to one of the events.
>
> ACK. Pushed to master.

-- 
Petr Vobornik

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 149 Added links to netgroup member tables
On 06/01/2012 02:44 AM, Endi Sukma Dewata wrote:
> On 5/25/2012 11:23 AM, Petr Vobornik wrote:
>> Tables with members in netgroup were missing links for navigation to associated details pages. This patch adds these links.
>>
>> https://fedorahosted.org/freeipa/ticket/2670
>
> ACK. Pushed to master.

-- 
Petr Vobornik
Re: [Freeipa-devel] [PATCH] 148 Removal of illegal options in JSON-RPC calls
On 06/01/2012 02:44 AM, Endi Sukma Dewata wrote:
> On 5/25/2012 9:57 AM, Petr Vobornik wrote:
>> Ticket https://fedorahosted.org/freeipa/ticket/2509 bans using non-existent options. If such an option is supplied the command ends with an error. It uncovered several cases in Web UI. This patch is fixing these cases.
>>
>> Automember, Self-service and Delegation don't support 'pkey-only', 'size-limit' and 'rights' options. Pagination and rights check were disabled for them.
>>
>> Automount map adder dialog was sending options for indirect map even if the chosen type was direct (when those for indirect were filled earlier), also it was sending non-existent 'method' option.
>>
>> https://fedorahosted.org/freeipa/ticket/2760
>>
>> Note for reviewing: #2509 is partially done in Petr Viktorin's patch #35. At this time it has a small issue regarding automountmap_add_indirect command.
>
> ACK. I suppose if those options are added later the UI can be updated easily. Pushed to master.

-- 
Petr Vobornik
Re: [Freeipa-devel] [PATCH] 146 Added cancel button to service unprovision dialog
On 06/01/2012 02:40 AM, Endi Sukma Dewata wrote:
> On 5/24/2012 4:11 AM, Petr Vobornik wrote:
>> Service unprovision dialog was missing a cancel button. The button was added.
>>
>> https://fedorahosted.org/freeipa/ticket/1811
>
> ACK. Pushed to master.

-- 
Petr Vobornik
Re: [Freeipa-devel] [PATCH] 147 Set network.http.sendRefererHeader to 2 on browser config
On 05/29/2012 11:29 PM, Rob Crittenden wrote:
> Petr Vobornik wrote:
>> IPA web UI isn't functional when browser doesn't send http headers. This patch adds a functionality which sets Firefox network.http.sendRefererHeader configuration option to value '2' which enables it.
>>
>> Possible values: http://kb.mozillazine.org/Network.http.sendRefererHeader
>>
>> https://fedorahosted.org/freeipa/ticket/2778
>
> Should we also add a message when referer is missing to check this setting in about:config?

I'm not sure what you have in mind. We set the referer option so why would user check it afterwards?

Yes the ticket was about checking the option but: If user is configuring the browser he wants the browser configured. So we should set all options which are required. This is one of them.

We have not been notifying the user what was set, so I didn't add such notification for this option now as well. We might want to notify the user what options were changed but it's not the topic of this ticket.

>> I was also thinking about upgrading the configure.jar. We had a ticket for it, which ended by documenting the steps.
>> https://fedorahosted.org/freeipa/ticket/2311
>> http://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/upgrading.html#ticket-delegation
>>
>> I think the documentation is wrong. In it we are rebuilding the .jar from /usr/share/ipa/html/preferences.html, this file is created on server install and it is never updated therefore the .jar won't be updated. The updated file is its template (the one changed in this patch). The template output is created in httpinstance.__setup_autoconfig() call.
>>
>> For my development purposes I took this code and created a script which rebuilds the .jar file (attached). Do we want to use it?
>
> Yes, I think it is worth having this somewhere, even if just on the wiki.
>
> rob

-- 
Petr Vobornik
Re: [Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master)
On Thu, 2012-04-12 at 17:16 +0200, Martin Kosek wrote:
> On Thu, 2012-04-12 at 18:08 +0300, Alexander Bokovoy wrote:
>> Hi Martin!
>>
>> On Thu, 12 Apr 2012, Martin Kosek wrote:
>>> ...
>>> 3) I would not try to import ipaserver.dcerpc every time the command is executed:
>>>
>>> +try:
>>> +import ipaserver.dcerpc
>>> +except Exception, e:
>>> +raise errors.NotFound(name=_('AD Trust setup'),
>>> + reason=_('Cannot perform join operation without Samba 4 python bindings installed'))
>>>
>>> I would rather do it once in the beginning and set a flag:
>>>
>>> try:
>>>     import ipaserver.dcerpc
>>>     _bindings_installed = True
>>> except Exception:
>>>     _bindings_installed = False
>>> ...
>>
>> The idea was that this code is only executed on the server. We need to differentiate between:
>> - running on client
>> - running on server, no samba4 python bindings
>> - running on server with samba4 python bindings
>>
>> By making it executed all time you are affecting the client code as well while with current approach it only affects server side.
>
> Across our code base, this situation is currently solved with this condition:
>
> if api.env.in_server and api.env.context in ['lite', 'server']:
>     # try-import block
>
>>> +def execute(self, *keys, **options):
>>> +# Join domain using full credentials and with random trustdom
>>> +# secret (will be generated by the join method)
>>> +trustinstance = None
>>> +if not _bindings_installed:
>>> +raise errors.NotFound(name=_('AD Trust setup'),
>>> + reason=_('Cannot perform join operation without Samba 4 python bindings installed'))
>>>
>>> 4) Another import inside a function:
>>>
>>> +def arcfour_encrypt(key, data):
>>> +from Crypto.Cipher import ARC4
>>> +c = ARC4.new(key)
>>> +return c.encrypt(data)
>>
>> Same here, it is only needed on server side.
>>
>> Let us get consensus over 3) and 4) and I'll fix patches altogether (and push).
>
> Yeah, I would fix in the same way as 3).
>
> Martin

I did another round of testing and this is what I found so far:

1) freeipa.spec.in was missing python-crypto BuildRequires (you fixed that)

2) Unit tests need to be updated, currently there is about a dozen test case errors, e.g. extra ipakrbprincipalalias attribute in services or new ipakrbprincipal objectclass for hosts

3) Replication did not work too well for me this time. ipa-replica-install reported just one issue during installation process:

2012-06-04T09:42:51Z DEBUG [24/30]: enabling S4U2Proxy delegation
2012-06-04T09:42:51Z DEBUG args=/usr/bin/ldapmodify -h vm-057.idm.lab.bos.redhat.com -v -f /tmp/tmpifHccf -x -D cn=Directory Manager -y /tmp/tmppqaAdV
2012-06-04T09:42:51Z DEBUG stdout=
2012-06-04T09:42:51Z DEBUG stderr=ldap_initialize( ldap://vm-057.idm.lab.bos.redhat.com )
ldapmodify: wrong attributeType at line 5, entry cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
2012-06-04T09:42:51Z CRITICAL Failed to load replica-s4u2proxy.ldif: Command '/usr/bin/ldapmodify -h vm-057.idm.lab.bos.redhat.com -v -f /tmp/tmpifHccf -x -D cn=Directory Manager -y /tmp/tmppqaAdV' returned non-zero exit status 247

But this may be just a symptom of some bigger issue. After the installation finished, DS did not start, it kept reporting Kerberos issues:

[04/Jun/2012:05:46:00 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/vm-057.idm.lab.bos.redhat@idm.lab.bos.redhat.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[04/Jun/2012:05:46:00 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[04/Jun/2012:05:46:00 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[04/Jun/2012:05:46:00 -0400] - Listening on /var/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket for LDAPI requests
[04/Jun/2012:05:46:00 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_498' not found)) errno 0 (Success)
[04/Jun/2012:05:46:00 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[04/Jun/2012:05:46:00 -0400] NSMMReplicationPlugin - agmt=cn=meTovm-125.idm.lab.bos.redhat.com (vm-125:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_498' not found))

When I run ipactl restart, dirsrv started and I was able to kinit.

4) Patch "Add separate attribute to store trusted domain SID" still has a wrong service part of the principal to be removed (s/ldap/cifs):

+dn3 =
[Freeipa-devel] [PATCH] 0057 Skip the fix_replica_memberof update plugin for non-root users
An update plugin needed root privileges, and aborted the update if an ordinary user ran it. With this patch the plugin is skipped with a warning in that case.

https://fedorahosted.org/freeipa/ticket/2621

-- 
Petr³

From c525b9e90055ba01fee0a9402512c150cc2ced9d Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Wed, 30 May 2012 08:08:24 -0400
Subject: [PATCH] Skip the fix_replica_memberof updater plugin for non-root users

The plugin does a SASL EXTERNAL bind, for which it needs root privileges. Skip the plugin with a warning if run as a non-root user.

https://fedorahosted.org/freeipa/ticket/2621
---
 ipaserver/install/plugins/fix_replica_memberof.py | 4
 1 file changed, 4 insertions(+)

diff --git a/ipaserver/install/plugins/fix_replica_memberof.py b/ipaserver/install/plugins/fix_replica_memberof.py index 04152d36021f7d962b335a7553861a13ba03a769..8dd3ed8b406e70cce55e7c338cdc0c5cdcfb4866 100644 --- a/ipaserver/install/plugins/fix_replica_memberof.py +++ b/ipaserver/install/plugins/fix_replica_memberof.py @@ -39,6 +39,10 @@ def execute(self, **options): 'krbloginfailedcount') excludes = ('memberof', ) + totalexcludes +if os.geteuid() != 0: +self.log.warning(Updating replica memberof needs root privileges) +return False, False, [] # No restart, no apply now, no updates + # We need an IPAdmin connection to the backend conn = ipaldap.IPAdmin(api.env.host, ldapi=True, realm=api.env.realm) conn.do_external_bind(pwd.getpwuid(os.geteuid()).pw_name)
-- 
1.7.10.2
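Review bot: in the execute() hunk the new 'if os.geteuid() != 0:' branch logs a warning and returns 'False, False, []', so a non-root run makes the updater finish as if it had succeeded while the replica memberof fix was never applied; the only record of the skip is one log line. Since the commit message states the SASL EXTERNAL bind in 'conn.do_external_bind(...)' requires root, either raise an error here instead of returning (so the update is reported as failed), or, if non-root runs are meant to be supported, bind with the caller's Kerberos credentials on that path rather than skipping the work. Whichever is chosen, the plugin docstring should state the privilege requirement.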
Re: [Freeipa-devel] [PATCH] 0057 Skip the fix_replica_memberof update plugin for non-root users
On Mon, 2012-06-04 at 17:22 +0200, Petr Viktorin wrote:
> An update plugin needed root privileges, and aborted the update if an ordinary user ran it. With this patch the plugin is skipped with a warning in that case.
>
> https://fedorahosted.org/freeipa/ticket/2621

Hi Petr,
I am not sure I like the proposed solution.

If there is a legitimate reason to run this plugin as non-root (eg admin user) then you should change the connection part to try to use GSSAPI auth over ldap when non-root, not just throw a warning.

If there is no reason for anyone but root to run this script then we should just abort if not root IMO.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
[Freeipa-devel] [PATCH] 271 Fill new DNS zone update policy by default
For security reasons, dynamic updates are not enabled for new DNS zones. In order to enable the dynamic zone securely, user needs to allow dynamic updates and create a zone update policy. The policy is not easy to construct for regular users, we should rather fill it by default and let users just switch the policy on or off. https://fedorahosted.org/freeipa/ticket/2441 From bb4769b7860919cb43eef11891c9f14729a2f271 Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Mon, 4 Jun 2012 17:53:34 +0200 Subject: [PATCH] Fill new DNS zone update policy by default For security reasons, dynamic updates are not enabled for new DNS zones. In order to enable the dynamic zone securely, user needs to allow dynamic updates and create a zone update policy. The policy is not easy to construct for regular users, we should rather fill it by default and let users just switch the policy on or off. https://fedorahosted.org/freeipa/ticket/2441 --- API.txt |2 +- VERSION |2 +- ipalib/plugins/dns.py | 14 +++--- ipalib/util.py| 29 + ipaserver/install/bindinstance.py |7 --- ipaserver/install/plugins/dns.py |4 ++-- 6 files changed, 44 insertions(+), 14 deletions(-) diff --git a/API.txt b/API.txt index ba5aa1037e5d9b8661326afe4e6f984d52cc3cc8..501e8381450a7d203adf599746ecf372bdcb7043 100644 --- a/API.txt +++ b/API.txt 
@@ -1014,7 +1014,7 @@ option: Int('idnssoaexpire', attribute=True, autofill=True, cli_name='expire', d option: Int('idnssoaminimum', attribute=True, autofill=True, cli_name='minimum', default=3600, maxvalue=10800, minvalue=0, multivalue=False, required=True) option: Int('dnsttl', attribute=True, cli_name='ttl', multivalue=False, required=False) option: StrEnum('dnsclass', attribute=True, cli_name='class', multivalue=False, required=False, values=(u'IN', u'CS', u'CH', u'HS')) -option: Str('idnsupdatepolicy', attribute=True, cli_name='update_policy', multivalue=False, required=False) +option: Str('idnsupdatepolicy', attribute=True, autofill=True, cli_name='update_policy', multivalue=False, required=False) option: Bool('idnsallowdynupdate', attribute=True, autofill=True, cli_name='dynamic_update', default=False, multivalue=False, required=False) option: Str('idnsallowquery', attribute=True, autofill=True, cli_name='allow_query', default=u'any;', multivalue=False, required=False) option: Str('idnsallowtransfer', attribute=True, autofill=True, cli_name='allow_transfer', default=u'none;', multivalue=False, required=False) diff --git a/VERSION b/VERSION index 9e14c8cf46b8d39f955be952ce62173f4d9d453c..77340e02e91c91b45e5431810aac2a5c9d6237b6 100644 --- a/VERSION +++ b/VERSION @@ -79,4 +79,4 @@ IPA_DATA_VERSION=2010061412 # # IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=37 +IPA_API_VERSION_MINOR=38 diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index 1bf75427245e7435364ad5695e35426f5fd67be8..fb2810f10eeaca8cc688b535d9cf29e2929ab7d9 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py 
@@ -32,7 +32,8 @@ from ipalib.parameters import Flag, Bool, Int, Decimal, Str, StrEnum, Any from ipalib.plugins.baseldap import * from ipalib import _, ngettext from ipalib.util import (validate_zonemgr, normalize_zonemgr, -validate_hostname, validate_dns_label, validate_domain_name) +validate_hostname, validate_dns_label, validate_domain_name, +get_dns_forward_zone_update_policy, get_dns_reverse_zone_update_policy) from ipapython.ipautil import valid_ip, CheckedIPAddress, is_host_resolvable from ldap import explode_dn @@ -75,8 +76,7 @@ EXAMPLES: --admin-email=ad...@example.com Modify the zone to allow dynamic updates for hosts own records in realm EXAMPLE.COM: - ipa dnszone-mod example.com --dynamic-update=TRUE \\ ---update-policy=grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * ; + ipa dnszone-mod example.com --dynamic-update=TRUE Modify the zone to allow zone transfers for local network only: ipa dnszone-mod example.com --allow-transfer=10.0.0.0/8 @@ -1510,6 +1510,12 @@ def dns_container_exists(ldap): return False return True +def default_zone_update_policy(zone): +if zone_is_reverse(zone): +return get_dns_reverse_zone_update_policy(api.env.realm, zone) +else: +return get_dns_forward_zone_update_policy(api.env.realm) + class dnszone(LDAPObject): DNS Zone, container for resource records. @@ -1611,6 +1617,8 @@ class dnszone(LDAPObject): cli_name='update_policy', label=_('BIND update policy'), doc=_('BIND update policy'), +default_from=lambda idnsname: default_zone_update_policy(idnsname), +autofill=True ),
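Review bot: the EXAMPLES hunk removes the explicit '--update-policy=grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * ;' line, so the built-in help no longer shows which grant '--dynamic-update=TRUE' now turns on for the zone. Keep the short form as the primary example and add the expanded command after it, introduced as "This is the equivalent of:", so an administrator can see and review the policy that is being applied to the zone.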
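Review bot: in the default_zone_update_policy and idnsupdatepolicy hunks, 'default_from=lambda idnsname: default_zone_update_policy(idnsname)' together with 'autofill=True' writes a generated policy into every newly added zone, and for reverse zones the shape comes from 'get_dns_reverse_zone_update_policy(api.env.realm, zone)', yet the parameter keeps 'doc=_('BIND update policy')' with no hint that a value is generated. Extend the doc string to say the policy is filled in from the realm (and from the zone name for reverse zones) when none is given, and add a unit test that pins both generated strings, since the 'zone_is_reverse(zone)' branch deciding which one is used can regress without any command failing.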
Re: [Freeipa-devel] [PATCH] 271 Fill new DNS zone update policy by default
Martin Kosek wrote:
> For security reasons, dynamic updates are not enabled for new DNS zones. In order to enable the dynamic zone securely, user needs to allow dynamic updates and create a zone update policy. The policy is not easy to construct for regular users, we should rather fill it by default and let users just switch the policy on or off.
>
> https://fedorahosted.org/freeipa/ticket/2441

I think the example should be something like:

Modify the zone to allow dynamic updates for hosts own records in realm EXAMPLE.COM:
  ipa dnszone-mod example.com --dynamic-update=TRUE

This is the equivalent of:
  ipa dnszone-mod example.com --dynamic-update=TRUE \\
  --update-policy=grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * ;

Otherwise ACK.

rob
Re: [Freeipa-devel] [PATCH] 492 Add options to reduce writes from KDC
Simo Sorce wrote:
> The original ldap driver we used up to 2.2 had 2 options admins could set to limit the amount of writes to the database on certain auditing related operations. In particular disable_last_success is really important to reduce the load on database servers.
>
> I have implemented ticket #2734 with a little twist. Instead of adding local options in krb5.conf I create global options in the LDAP tree, so that all KDCs in the domain have the same configuration.
>
> The 2 new options can be set in ipaConfigString attribute of the cn=ipaConfig object under cn=etc,$SUFFIX
>
> These are:
> KDC:Disable Last Success
> KDC:Disable Lockout
>
> The first string if set will disable updating the krbLastSuccessfulAuth field in the service/user entry. The second one will prevent changing any of the Lockout related fields and will effectively disable lockout policies.
>
> I think we may want to set the first one by default in future. The last successful auth field is not very interesting in general and is cause for a lot of writes that pressure a lot the LDAP server and get replicated everywhere with a storm multiplier effect we'd like to avoid.
>
> The lockout one instead happens only when there are failed authentication attempts, this means it never happens when keytabs are used for example. And even with users it should happen rarely enough that tracking lockouts by default makes leaving these writes on by default a good tradeoff.
>
> Note that simply setting the lockout policy to never lockout is *not* equivalent to setting KDC:Disable Lockout, as it does not prevent writes to the database.
>
> I've tested setting KDC:Disable Last Success and it effectively prevents MOD operations from showing up in the server access log.
>
> Any change to these configuration options requires a reconnection from the KDC to the LDAP server, the simplest way to cause that is to restart the KDC service.
>
> Simo.

In ipadb_get_global_configs() should there be a call to LOG_OOM()?

Also, if ipadb_simple_search() or ipadb_get_global_configs() fails should we log the result code when non-zero?

rob
Re: [Freeipa-devel] [PATCH] 147 Set network.http.sendRefererHeader to 2 on browser config
Petr Vobornik wrote:
> On 05/29/2012 11:29 PM, Rob Crittenden wrote:
>> Petr Vobornik wrote:
>>> IPA web UI isn't functional when browser doesn't send http headers. This patch adds a functionality which sets Firefox network.http.sendRefererHeader configuration option to value '2' which enables it.
>>>
>>> Possible values: http://kb.mozillazine.org/Network.http.sendRefererHeader
>>>
>>> https://fedorahosted.org/freeipa/ticket/2778
>>
>> Should we also add a message when referer is missing to check this setting in about:config?
>
> I'm not sure what you have in mind. We set the referer option so why would user check it afterwards?
>
> Yes the ticket was about checking the option but: If user is configuring the browser he wants the browser configured. So we should set all options which are required. This is one of them.
>
> We have not been notifying the user what was set, so I didn't add such notification for this option now as well. We might want to notify the user what options were changed but it's not the topic of this ticket.

I was thinking more for already configured browsers who then later mess with this value. It fails in a very non-obvious way.

rob
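The failure Rob describes, a browser that no longer sends Referer failing "in a very non-obvious way", is easiest to make obvious on the server side: compare the header against the server's own origin and, when it is missing or foreign, answer with a message that names the browser setting. The block below is an added example written for this page, not FreeIPA code. It assumes a WSGI-style environ dict for request headers and a deployer-configured expected origin; the setting name and the value 2 come from the mozillazine page linked in the thread.

```python
# Added example (not FreeIPA's code): a server-side Referer check that fails
# with an actionable message instead of a bare HTTP error.
from urllib.parse import urlsplit

# The text a UI would surface when the check fails (assumed wording).
REFERER_HINT = (
    "Request rejected: missing or foreign Referer header. If this is Firefox, "
    "check that network.http.sendRefererHeader in about:config is set to 2."
)


def _origin(url):
    """Normalise a URL to (scheme, host, port); None if it is not http(s)."""
    if not url:
        return None
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if port is None:               # fill in the scheme's default port
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.lower(), port)


def referer_matches(referer, expected_origin):
    """True only when the Referer comes from the same scheme, host and port
    as the server itself (so an https UI served from another host, or a
    plain-http copy of the same host, does not pass)."""
    got = _origin(referer)
    return got is not None and got == _origin(expected_origin)


def check_request(environ, expected_origin):
    """Return (ok, message). On failure the message is what the UI should
    show the user; an empty message means the request may proceed."""
    if referer_matches(environ.get("HTTP_REFERER"), expected_origin):
        return True, ""
    return False, REFERER_HINT


if __name__ == "__main__":
    # Constructed requests: one from the UI itself, one with the header absent.
    for env in ({"HTTP_REFERER": "https://ipa.example.com/ipa/ui/"}, {}):
        print(check_request(env, "https://ipa.example.com"))
```

The comparison is done on the parsed origin rather than with a string prefix test, so a Referer such as https://ipa.example.com.attacker.example/ does not pass, and an explicit ":443" on an https URL is treated as the same origin as the bare host name.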
Re: [Freeipa-devel] [PATCH] 270 Improve migration NotFound error
Martin Kosek wrote:
> When no user/group was found, migration plugin reported an ambiguous error about invalid container. But the root cause may be for example in a wrong list of user/group objectclasses. Report both in the error message to avoid user confusion.
>
> User/group objectclass attribute is now also marked as required. Without the list of objectclasses, an invalid LDAP search is produced.
>
> https://fedorahosted.org/freeipa/ticket/2206

ACK. The output is a lot more readable, you might reconsider having it in parens. A separate sentence or separated by a colon may be more readable.

rob
Re: [Freeipa-devel] [PATCH] 262-265 Enable psearch by default
Martin Kosek wrote:
> On Fri, 2012-05-25 at 17:14 +0200, Martin Kosek wrote:
>> On Fri, 2012-05-25 at 09:25 -0400, Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> This set of patches handles enabling psearch both for new installations (patch 263) and upgraded IPA servers. For upgraded IPA servers I needed to make sure that psearch is not enabled for every IPA package update, but at most once, when a user updates to IPA with this patch for the first time (patch 264). This is enabled by a new State store located in /var/lib/ipa/sysupgrade (patch 262).
>>>>
>>>> I also improved the way we handled SELinux sebool updates (patch 265), this can make ipa-upgradeconfig finish in 0.4 seconds and not in 150 seconds as previously.
>>>>
>>>> Details are in the patches.
>>>>
>>>> Martin
>>>
>>> 262: The sysupgrade directory isn't created by the RPM install:
>>>
>>> mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysupgrade
>>
>> Fixed.
>>
>>> 263: It looks like zone_refresh is simply disabled in bindinstance.py, why not remove it completely?
>>
>> zone_refresh is used by bindinstance.py. ipa-server-install or ipa-dns-install may be configured to use zone refresh instead of persistent search mechanism to update the zones (e.g. --zone-refresh 30).
>>
>>> 264: Small nit, worth doing case-insensitive compare of psearch enabled status?
>>
>> Petr2 told me that arg value for boolean configuration option is case-insensitive, so we can do that - fixed.
>>
>>> We're updating named.conf in place so I don't know that we need to reset permissions. It at least shouldn't get modified by the write.
>>
>> Right, I was being too defensive. I removed the check.
>>
>> I made the upgrade more robust, now it won't crash for example when named.conf does not exist. I also made sure the upgrade script works correctly when the IPA is configured without DNS.
>>
>> Martin
>
> I rebased the patches for current master. I also slightly reworked patch 265, the error message printed in case of an unsuccessful setsebool was not printed right.
>
> Martin

Trailing whitespace in 264:

# git am /tmp/freeipa-mkosek-264-3-enable-psearch-on-upgrades.patch
Applying: Enable psearch on upgrades
/home/rcrit/redhat/freeipa-nossh/.git/rebase-apply/patch:108: trailing whitespace.
                root_logger.error('Cannot update connections in %s: %s',
warning: 1 line adds whitespace errors.

I don't think the DNS detection is adequate in 264, testing for named.conf is not enough. What if someone is running a non-IPA DNS server on the box?

I know that I've recently done similar config changes but in 265 is using line.startswith() going to be fragile?

In 266 I'd merge in the ipa-upgradeconfig change into 265 or some other patch.

In the 'for setting, state' loop should it be catching a CalledProcessException rather than raw Exception? I think that is all that should be raised there.

I did an upgrade and it seemed to work ok, ended up with these scary messages in /var/log/messages:

Jun 4 23:39:17 localhost named[18753]: LDAP error: Can't contact LDAP server
Jun 4 23:39:17 localhost named[18753]: connection to the LDAP server was lost
Jun 4 23:39:17 localhost named[18753]: bind to LDAP server failed: Can't contact LDAP server
Jun 4 23:39:17 localhost named[18753]: ldap_psearch_watcher failed to handle LDAP connection error. Reconnection in 60s
Jun 4 23:39:17 localhost named[18753]: LDAP error: Can't contact LDAP server
Jun 4 23:39:17 localhost named[18753]: connection to the LDAP server was lost
Jun 4 23:39:17 localhost named[18753]: bind to LDAP server failed: Can't contact LDAP server
Jun 4 23:39:17 localhost ns-slapd[18798]: [04/Jun/2012:23:39:17 -0400] - Information: Non-Secure Port Disabled
Jun 4 23:40:17 localhost named[18753]: handle_connection_error failed to obtain ldap error code
Jun 4 23:40:17 localhost named[18753]: connection to the LDAP server was lost
Jun 4 23:40:17 localhost named[18753]: bind to LDAP server failed: Can't contact LDAP server
Jun 4 23:40:17 localhost named[18753]: ldap_psearch_watcher failed to handle LDAP connection error. Reconnection in 60s
Jun 4 23:41:17 localhost named[18753]: handle_connection_error failed to obtain ldap error code
Jun 4 23:41:17 localhost named[18753]: connection to the LDAP server was lost

DNS does seem to be working fine from the cli. The tests are another matter. named crashed in 0:1.1.0-0.10.b2.fc17 in the test cleanup. I upgraded to bind-dyndb-ldap-1.1.0-0.11.rc1.fc17 and got this stack trace:

Program received signal SIGABRT, Aborted.
[Switching to Thread 0x7f68e50db700 (LWP 19367)]
0x7f68e6188915 in raise () from /lib64/libc.so.6
(gdb) where
#0  0x7f68e6188915 in raise () from /lib64/libc.so.6
#1  0x7f68e618a0c8 in abort () from /lib64/libc.so.6
#2  0x7f68e91171fb in assertion_failed (file=<optimized out>, line=<optimized out>, type=<optimized out>, cond=<optimized out>) at ./main.c:219
#3  0x7f68e73a6c3a in isc_assertion_failed ( file=file@entry=0x7f68e8a82deb "zone.c", line=<optimized out>,
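Two design points from this thread can be shown together in code: a state store so that a one-time upgrade step (here, switching bind-dyndb-ldap to persistent search) runs at most once across package updates, as patches 262 and 264 do, and Rob's objection that the mere presence of named.conf does not prove the box runs an IPA-managed named. The block below is an added example, not FreeIPA's sysupgrade module or ipa-upgradeconfig: the StateStore API, the "dns"/"enable_psearch" key, the 'dynamic-db "ipa"' block marker and the 'arg "psearch yes"' syntax it looks for are assumptions made for illustration, and the named.conf text is constructed.

```python
# Added example (not FreeIPA's code): run-once upgrade state plus an IPA-aware
# named.conf check. Names, keys and the config syntax searched for are assumed.
import configparser
import os
import re


class StateStore:
    """Minimal 'sysupgrade' state file: an ini file keyed by module and state
    name. With path=None the state lives only in memory (handy for tests);
    with a path it persists across ipa-upgradeconfig runs."""

    def __init__(self, path=None):
        self.path = path
        self.parser = configparser.ConfigParser()
        if path and os.path.exists(path):
            self.parser.read(path)

    def get(self, module, key):
        # Missing section or key means "never done" rather than an error.
        return self.parser.getboolean(module, key, fallback=False)

    def set(self, module, key, value):
        if not self.parser.has_section(module):
            self.parser.add_section(module)
        self.parser.set(module, key, "True" if value else "False")
        if self.path:
            with open(self.path, "w") as fh:
                self.parser.write(fh)


# Assumed shape of the IPA-managed block and of the psearch argument.
DYNDB_BLOCK = re.compile(r'(dynamic-db\s+"ipa"\s*\{)(.*?)(\n\};)', re.DOTALL)
PSEARCH_ARG = re.compile(r'arg\s+"psearch\s+(\w+)"\s*;', re.IGNORECASE)


def is_ipa_managed_named(named_conf):
    """A named.conf without the IPA dynamic-db block belongs to someone else's
    DNS server and must not be edited by the IPA upgrade."""
    return DYNDB_BLOCK.search(named_conf) is not None


def psearch_enabled(named_conf):
    """Boolean arg values are compared case-insensitively (yes == YES)."""
    block = DYNDB_BLOCK.search(named_conf)
    if not block:
        return False
    arg = PSEARCH_ARG.search(block.group(2))
    return arg is not None and arg.group(1).lower() == "yes"


def enable_psearch(named_conf):
    """Return named.conf with 'arg "psearch yes";' set in the IPA block,
    replacing an existing psearch arg or appending one. Other args such as
    zone_refresh are left untouched."""
    block = DYNDB_BLOCK.search(named_conf)
    if not block:
        raise ValueError("no IPA dynamic-db block in named.conf")
    head, body, tail = block.groups()
    if PSEARCH_ARG.search(body):
        body = PSEARCH_ARG.sub('arg "psearch yes";', body)
    else:
        body = body + '\n    arg "psearch yes";'
    return named_conf[:block.start()] + head + body + tail + named_conf[block.end():]


def upgrade_psearch(store, named_conf):
    """Run-once upgrade step. Returns (new named.conf text, action taken)."""
    if store.get("dns", "enable_psearch"):
        return named_conf, "already-done"
    if not is_ipa_managed_named(named_conf):
        # Not our DNS server: record the step as done so a later package
        # update does not retry it (a later ipa-dns-install writes a fresh
        # named.conf with psearch already on), and change nothing.
        store.set("dns", "enable_psearch", True)
        return named_conf, "no-ipa-dns"
    new_conf = enable_psearch(named_conf)
    store.set("dns", "enable_psearch", True)
    return new_conf, "enabled"


# Constructed named.conf for the demonstration; not taken from any real host.
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/named";
};

dynamic-db "ipa" {
    library "ldap.so";
    arg "uri ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket";
    arg "base cn=dns, dc=example,dc=com";
    arg "zone_refresh 30";
};
"""

if __name__ == "__main__":
    store = StateStore()   # in-memory; pass a path such as /var/lib/ipa/sysupgrade/... to persist
    print(upgrade_psearch(store, SAMPLE_NAMED_CONF)[1])   # enabled
    print(upgrade_psearch(store, SAMPLE_NAMED_CONF)[1])   # already-done
```

The second call returns "already-done" without reading the config at all, which is the property the state store exists to give: the edit is made once per installation, not once per package update.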
Re: [Freeipa-devel] [PATCH] 271 Fill new DNS zone update policy by default
> I think the example should be something like:
>
> Modify the zone to allow dynamic updates for hosts own records in realm EXAMPLE.COM:
>   ipa dnszone-mod example.com --dynamic-update=TRUE
>
> This is the equivalent of:
>   ipa dnszone-mod example.com --dynamic-update=TRUE \\
>   --update-policy=grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * ;

What about reverse zones?

-- 
Sincerely,

William Brown

pgp.mit.edu
http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x3C0AC6DAB2F928A2
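William's question is answered by the patch's default_zone_update_policy(), which selects a reverse-zone helper whenever zone_is_reverse() holds. The block below is an added example and not FreeIPA's ipalib/util.py: it reuses the helper names that appear in the patch, but the bodies, the record-type lists (A and AAAA for forward zones, PTR for reverse zones) and the krb5-subdomain shape of the reverse rule are assumptions made here for illustration. It also adds a small parser that rejects a policy string BIND would not accept, so a mistyped policy can be caught before it is stored on the zone.

```python
# Added example (not FreeIPA's code): generate the default BIND update-policy
# for forward and reverse zones and validate a policy string before use.
# Helper names follow the patch; record types and rule shapes are assumed.

# Match types BIND accepts in update-policy rules; anything else is a typo.
KNOWN_MATCH_TYPES = {
    "name", "subdomain", "wildcard", "self", "selfsub", "selfwild",
    "krb5-self", "krb5-subdomain", "ms-self", "ms-subdomain", "zonesub",
}


def zone_is_reverse(zone):
    """True for zones under in-addr.arpa or ip6.arpa (trailing dot optional)."""
    labels = zone.lower().rstrip(".").split(".")
    return labels[-2:] in (["in-addr", "arpa"], ["ip6", "arpa"])


def _absolute(zone):
    return zone if zone.endswith(".") else zone + "."


def get_dns_forward_zone_update_policy(realm, rrtypes=("A", "AAAA")):
    """krb5-self: a principal may only change records whose owner name equals
    the host part of its own principal, so one host can never rewrite
    another host's address record."""
    rules = ["grant %s krb5-self * %s" % (realm, rrtype) for rrtype in rrtypes]
    return "; ".join(rules) + ";"


def get_dns_reverse_zone_update_policy(realm, zone, rrtypes=("PTR",)):
    """Reverse zones have no per-host owner name to match, so the rule has
    to be wider: any principal of the realm may update PTR records below the
    zone. That is a broader grant than krb5-self and is worth knowing
    before dynamic updates are switched on for a reverse zone."""
    rules = ["grant %s krb5-subdomain %s %s" % (realm, _absolute(zone), rrtype)
             for rrtype in rrtypes]
    return "; ".join(rules) + ";"


def default_zone_update_policy(realm, zone):
    """What dnszone-add would fill in when no --update-policy is given."""
    if zone_is_reverse(zone):
        return get_dns_reverse_zone_update_policy(realm, zone)
    return get_dns_forward_zone_update_policy(realm)


def parse_update_policy(policy):
    """Split a policy into (action, identity, matchtype, name, rrtypes)
    tuples. Only the four-field rule form used above is accepted; a rule
    BIND would reject raises ValueError so a bad policy never reaches
    the zone."""
    rules = []
    for raw in policy.split(";"):
        rule = raw.strip()
        if not rule:
            continue
        parts = rule.split()
        if len(parts) < 4 or parts[0] not in ("grant", "deny"):
            raise ValueError("malformed update-policy rule: %r" % rule)
        action, identity, matchtype, name = parts[:4]
        if matchtype not in KNOWN_MATCH_TYPES:
            raise ValueError("unknown match type %r in rule %r" % (matchtype, rule))
        rules.append((action, identity, matchtype, name, tuple(parts[4:])))
    return rules


if __name__ == "__main__":
    # Constructed realm and zones for the demonstration.
    for zone in ("example.com", "0.168.192.in-addr.arpa"):
        policy = default_zone_update_policy("EXAMPLE.COM", zone)
        print(zone, "->", policy)
        print("   parsed:", parse_update_policy(policy))
```

The two generated strings differ in exactly the way an auditor should look for: the forward rule binds each principal to its own owner name, while the reverse rule lets every principal in the realm write any PTR under the zone.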