[389-devel] lib389 lack a type for nsAdminGroup
Hi all, Please correct me if subject line a wrong , as i cat not find one . Regards Anuj Borah ___ 389-devel mailing list -- 389-devel@lists.fedoraproject.org To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
[389-devel] Re: Please review
@Mark Reynolds Thanks and welcome . Regards Anuj Borah On Wed, Jul 17, 2019 at 7:31 PM Mark Reynolds wrote: > > On 7/16/19 8:12 PM, Anuj Borah wrote: > > @Mark Reynolds > > @Mark Reynolds > > >>> The code itself looks fine to me, but I find it odd you are testing > matching rules by creating COS entries in two of those PRs. > > Cos entries are used here as part of ( > > objectclass: extensibleObject > > ) > > As cos template has ( > > objectclass: ['top','cosTemplate' , 'extensibleObject'] > > ) > > Which is the nearest one of row extensibleObject entry. > > Ah okay I see. Please add a comment that you are really just trying to > use an entry with extensibleObject, because it is currently confusing. > > > > >>> I don't think that is actually doing anything in regards to matching > rules. I was under the impression that matching rules are only > applied/enforced during searches (not Adds or Modifies). So you are > checking for TYPE_OR_VALUE_EXISTS errors in some of the tests, and I don't > see what that has to do with matching rules. Or, maybe I am just missing > what this test is trying to do as I am not that familiar with MRs. So if > you can clarify that for me I would appreciate it > > > Please refer bellow ldif file and TET Filter suit which is part of Filter > test suit . To See whats going on Please see the original TET Filter suit > . ( test series mr_*() ) > > Filter TET Script : > http://git.app.eng.bos.redhat.com/git/dirsrv-tests.git/tree/testcases/DS/6.0/filter/filter.sh > LDIF FIle: > http://git.app.eng.bos.redhat.com/git/dirsrv-tests.git/tree/data/DS/6.0/filter/en/mrsearchtests.ldif > LDIF FIle: > http://git.app.eng.bos.redhat.com/git/dirsrv-tests.git/tree/data/DS/6.0/filter/en/booleanMatch.add.ldif > > > Thanks for providing more background on this. The rest looks good to me. > > Thanks, > > Mark > > > Regards > Anuj Borah > > On Wed, Jul 17, 2019 at 5:38 AM Anuj Borah wrote: > >> @Mark Reynolds >> >> >>> The code itself looks fine to me, but I find it odd you are testing >> matching rules by creating COS entries in two of those PRs. >> >> Cos entries are used here as part of ( >> >> objectclass: extensibleObject >> >> ) >> >> As cos template has ( >> >> objectclass: ['top','cosTemplate' , 'extensibleObject'] >> >> ) >> >> Which is the nearest one of row extensibleObject entry. >> >> >> >>> I don't think that is actually doing anything in regards to matching >> rules. I was under the impression that matching rules are only >> applied/enforced during searches (not Adds or Modifies). So you are >> checking for TYPE_OR_VALUE_EXISTS errors in some of the tests, and I don't >> see what that has to do with matching rules. Or, maybe I am just missing >> what this test is trying to do as I am not that familiar with MRs. So if >> you can clarify that for me I would appreciate it >> >> >> Please refer bellow ldif file and TET Filter suit which is part of Filter >> test suit . To See whats going on Please see the original TET Filter >> suit . ( test series mr_*() ) >> >> Filter TET Script : >> http://git.app.eng.bos.redhat.com/git/dirsrv-tests.git/tree/testcases/DS/6.0/filter >> LDIF FIle: >> http://git.app.eng.bos.redhat.com/git/dirsrv-tests.git/tree/data/DS/6.0/filter/en/mrsearchtests.ldif >> LDIF FIle: >> http://git.app.eng.bos.redhat.com/git/dirsrv-tests.git/tree/data/DS/6.0/filter/en/booleanMatch.add.ldif >> >> >> >> Regards >> Anuj Borah >> >> On Wed, Jul 17, 2019 at 2:21 AM Mark Reynolds >> wrote: >> >>> >>> On 7/15/19 8:00 AM, Anuj Borah wrote: >>> >>> @Simon Pichugin >>> >>> Please review: >>> >>> https://pagure.io/389-ds-base/pull-request/50468 >>> https://pagure.io/389-ds-base/pull-request/50471 >>> https://pagure.io/389-ds-base/pull-request/50482 >>> >>> >>> The code itself looks fine to me, but I find it odd you are testing >>> matching rules by creating COS entries in two of those PRs. I don't think >>> that is actually doing anything in regards to matching rules. I was under >>> the impression that matching rules are only applied/enforced during >>> searches (not Adds or Modifies). So you are checking for >>> TYPE_OR_VALUE_EXISTS errors in some of the tests, and I don't see what that >>> has to do with matching rules. Or, maybe I am just missing what this test >>> is t
[389-devel] Re: Please review
@Mark Reynolds @Mark Reynolds >>> The code itself looks fine to me, but I find it odd you are testing matching rules by creating COS entries in two of those PRs. Cos entries are used here as part of ( objectclass: extensibleObject ) As cos template has ( objectclass: ['top','cosTemplate' , 'extensibleObject'] ) Which is the nearest one of row extensibleObject entry. >>> I don't think that is actually doing anything in regards to matching rules. I was under the impression that matching rules are only applied/enforced during searches (not Adds or Modifies). So you are checking for TYPE_OR_VALUE_EXISTS errors in some of the tests, and I don't see what that has to do with matching rules. Or, maybe I am just missing what this test is trying to do as I am not that familiar with MRs. So if you can clarify that for me I would appreciate it Please refer bellow ldif file and TET Filter suit which is part of Filter test suit . To See whats going on Please see the original TET Filter suit . ( test series mr_*() ) Filter TET Script : http://git.app.eng.bos.redhat.com/git/dirsrv-tests.git/tree/testcases/DS/6.0/filter/filter.sh LDIF FIle: http://git.app.eng.bos.redhat.com/git/dirsrv-tests.git/tree/data/DS/6.0/filter/en/mrsearchtests.ldif LDIF FIle: http://git.app.eng.bos.redhat.com/git/dirsrv-tests.git/tree/data/DS/6.0/filter/en/booleanMatch.add.ldif Regards Anuj Borah On Wed, Jul 17, 2019 at 5:38 AM Anuj Borah wrote: > @Mark Reynolds > > >>> The code itself looks fine to me, but I find it odd you are testing > matching rules by creating COS entries in two of those PRs. > > Cos entries are used here as part of ( > > objectclass: extensibleObject > > ) > > As cos template has ( > > objectclass: ['top','cosTemplate' , 'extensibleObject'] > > ) > > Which is the nearest one of row extensibleObject entry. > > > >>> I don't think that is actually doing anything in regards to matching > rules. I was under the impression that matching rules are only > applied/enforced during searches (not Adds or Modifies). So you are > checking for TYPE_OR_VALUE_EXISTS errors in some of the tests, and I don't > see what that has to do with matching rules. Or, maybe I am just missing > what this test is trying to do as I am not that familiar with MRs. So if > you can clarify that for me I would appreciate it > > > Please refer bellow ldif file and TET Filter suit which is part of Filter > test suit . To See whats going on Please see the original TET Filter > suit . ( test series mr_*() ) > > Filter TET Script : > http://git.app.eng.bos.redhat.com/git/dirsrv-tests.git/tree/testcases/DS/6.0/filter > LDIF FIle: > http://git.app.eng.bos.redhat.com/git/dirsrv-tests.git/tree/data/DS/6.0/filter/en/mrsearchtests.ldif > LDIF FIle: > http://git.app.eng.bos.redhat.com/git/dirsrv-tests.git/tree/data/DS/6.0/filter/en/booleanMatch.add.ldif > > > > Regards > Anuj Borah > > On Wed, Jul 17, 2019 at 2:21 AM Mark Reynolds > wrote: > >> >> On 7/15/19 8:00 AM, Anuj Borah wrote: >> >> @Simon Pichugin >> >> Please review: >> >> https://pagure.io/389-ds-base/pull-request/50468 >> https://pagure.io/389-ds-base/pull-request/50471 >> https://pagure.io/389-ds-base/pull-request/50482 >> >> >> The code itself looks fine to me, but I find it odd you are testing >> matching rules by creating COS entries in two of those PRs. I don't think >> that is actually doing anything in regards to matching rules. I was under >> the impression that matching rules are only applied/enforced during >> searches (not Adds or Modifies). So you are checking for >> TYPE_OR_VALUE_EXISTS errors in some of the tests, and I don't see what that >> has to do with matching rules. Or, maybe I am just missing what this test >> is trying to do as I am not that familiar with MRs. So if you can clarify >> that for me I would appreciate it >> >> Thanks, >> >> Mark >> >> >> Regards >> AB >> A >> >> >> On Tue, May 21, 2019 at 4:17 PM Anuj Borah wrote: >> >>> @Simon Pichugin >>> >>> Please review: >>> >>> https://pagure.io/389-ds-base/pull-request/50336 >>> >>> Regards >>> Anuj Borah >>> >>> >>> On Wed, May 15, 2019 at 8:50 PM Anuj Borah wrote: >>> >>>> @Simon Pichugin >>>> >>>> Please review: >>>> >>>> https://pagure.io/389-ds-base/pull-request/50328 >>>> >>>> Regards >>>> Anuj Borah >>>> >>>> >>>> >>>> On Thu, May 9, 201
[389-devel] Re: Please review
@Mark Reynolds >>> The code itself looks fine to me, but I find it odd you are testing matching rules by creating COS entries in two of those PRs. Cos entries are used here as part of ( objectclass: extensibleObject ) As cos template has ( objectclass: ['top','cosTemplate' , 'extensibleObject'] ) Which is the nearest one of row extensibleObject entry. >>> I don't think that is actually doing anything in regards to matching rules. I was under the impression that matching rules are only applied/enforced during searches (not Adds or Modifies). So you are checking for TYPE_OR_VALUE_EXISTS errors in some of the tests, and I don't see what that has to do with matching rules. Or, maybe I am just missing what this test is trying to do as I am not that familiar with MRs. So if you can clarify that for me I would appreciate it Please refer bellow ldif file and TET Filter suit which is part of Filter test suit . To See whats going on Please see the original TET Filter suit . ( test series mr_*() ) Filter TET Script : http://git.app.eng.bos.redhat.com/git/dirsrv-tests.git/tree/testcases/DS/6.0/filter LDIF FIle: http://git.app.eng.bos.redhat.com/git/dirsrv-tests.git/tree/data/DS/6.0/filter/en/mrsearchtests.ldif LDIF FIle: http://git.app.eng.bos.redhat.com/git/dirsrv-tests.git/tree/data/DS/6.0/filter/en/booleanMatch.add.ldif Regards Anuj Borah On Wed, Jul 17, 2019 at 2:21 AM Mark Reynolds wrote: > > On 7/15/19 8:00 AM, Anuj Borah wrote: > > @Simon Pichugin > > Please review: > > https://pagure.io/389-ds-base/pull-request/50468 > https://pagure.io/389-ds-base/pull-request/50471 > https://pagure.io/389-ds-base/pull-request/50482 > > > The code itself looks fine to me, but I find it odd you are testing > matching rules by creating COS entries in two of those PRs. I don't think > that is actually doing anything in regards to matching rules. I was under > the impression that matching rules are only applied/enforced during > searches (not Adds or Modifies). So you are checking for > TYPE_OR_VALUE_EXISTS errors in some of the tests, and I don't see what that > has to do with matching rules. Or, maybe I am just missing what this test > is trying to do as I am not that familiar with MRs. So if you can clarify > that for me I would appreciate it > > Thanks, > > Mark > > > Regards > AB > A > > > On Tue, May 21, 2019 at 4:17 PM Anuj Borah wrote: > >> @Simon Pichugin >> >> Please review: >> >> https://pagure.io/389-ds-base/pull-request/50336 >> >> Regards >> Anuj Borah >> >> >> On Wed, May 15, 2019 at 8:50 PM Anuj Borah wrote: >> >>> @Simon Pichugin >>> >>> Please review: >>> >>> https://pagure.io/389-ds-base/pull-request/50328 >>> >>> Regards >>> Anuj Borah >>> >>> >>> >>> On Thu, May 9, 2019 at 5:27 PM Anuj Borah wrote: >>> >>>> @Simon Pichugin >>>> >>>> This one is still pending . >>>> >>>> https://pagure.io/389-ds-base/pull-request/50192 >>>> >>>> Regards >>>> Anuj Borah >>>> >>>> >>>> On Tue, Apr 30, 2019 at 4:03 PM Anuj Borah wrote: >>>> >>>>> Hi Simon , >>>>> >>>>> Rebsed onto master . >>>>> >>>>> Regards >>>>> Anuj Borah >>>>> >>>>> On Tue, Apr 30, 2019 at 3:54 PM Simon Pichugin >>>>> wrote: >>>>> >>>>>> On Tue, Apr 30, 2019 at 02:15:55PM +0530, Anuj Borah wrote: >>>>>> >Hi all, >>>>>> Hi Anuj, >>>>>> >>>>>> >Please review these PRs. >>>>>> >Pending from Long Time. >>>>>> >[1]https://pagure.io/389-ds-base/pull-request/50180 >>>>>> >[2]https://pagure.io/389-ds-base/pull-request/50192 >>>>>> Could you please rebase them onto master? >>>>>> >>>>>> Thanks, >>>>>> Simon >>>>>> >>>>>> >Regards >>>>>> >Anuj Borah >>>>>> > >>>>>> > References >>>>>> > >>>>>> >1. https://pagure.io/389-ds-base/pull-request/50180 >>>>>> >2. https://pagure.io/389-ds-base/pull-request/50192 >>>>>> >>>>>> > ___ >>>>>> > 389-devel mailing list -- 389-devel@lists.fedoraproject.org >>>
[389-devel] Re: Please review
@Simon Pichugin Please review: https://pagure.io/389-ds-base/pull-request/50468 https://pagure.io/389-ds-base/pull-request/50471 https://pagure.io/389-ds-base/pull-request/50482 Regards AB A On Tue, May 21, 2019 at 4:17 PM Anuj Borah wrote: > @Simon Pichugin > > Please review: > > https://pagure.io/389-ds-base/pull-request/50336 > > Regards > Anuj Borah > > > On Wed, May 15, 2019 at 8:50 PM Anuj Borah wrote: > >> @Simon Pichugin >> >> Please review: >> >> https://pagure.io/389-ds-base/pull-request/50328 >> >> Regards >> Anuj Borah >> >> >> >> On Thu, May 9, 2019 at 5:27 PM Anuj Borah wrote: >> >>> @Simon Pichugin >>> >>> This one is still pending . >>> >>> https://pagure.io/389-ds-base/pull-request/50192 >>> >>> Regards >>> Anuj Borah >>> >>> >>> On Tue, Apr 30, 2019 at 4:03 PM Anuj Borah wrote: >>> >>>> Hi Simon , >>>> >>>> Rebsed onto master . >>>> >>>> Regards >>>> Anuj Borah >>>> >>>> On Tue, Apr 30, 2019 at 3:54 PM Simon Pichugin >>>> wrote: >>>> >>>>> On Tue, Apr 30, 2019 at 02:15:55PM +0530, Anuj Borah wrote: >>>>> >Hi all, >>>>> Hi Anuj, >>>>> >>>>> >Please review these PRs. >>>>> >Pending from Long Time. >>>>> >[1]https://pagure.io/389-ds-base/pull-request/50180 >>>>> >[2]https://pagure.io/389-ds-base/pull-request/50192 >>>>> Could you please rebase them onto master? >>>>> >>>>> Thanks, >>>>> Simon >>>>> >>>>> >Regards >>>>> >Anuj Borah >>>>> > >>>>> > References >>>>> > >>>>> >1. https://pagure.io/389-ds-base/pull-request/50180 >>>>> >2. https://pagure.io/389-ds-base/pull-request/50192 >>>>> >>>>> > ___ >>>>> > 389-devel mailing list -- 389-devel@lists.fedoraproject.org >>>>> > To unsubscribe send an email to >>>>> 389-devel-le...@lists.fedoraproject.org >>>>> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html >>>>> > List Guidelines: >>>>> https://fedoraproject.org/wiki/Mailing_list_guidelines >>>>> > List Archives: >>>>> https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org >>>>> >>>>> ___ >>>>> 389-devel mailing list -- 389-devel@lists.fedoraproject.org >>>>> To unsubscribe send an email to >>>>> 389-devel-le...@lists.fedoraproject.org >>>>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html >>>>> List Guidelines: >>>>> https://fedoraproject.org/wiki/Mailing_list_guidelines >>>>> List Archives: >>>>> https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org >>>>> >>>> ___ 389-devel mailing list -- 389-devel@lists.fedoraproject.org To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
[389-devel] *** NameError: name 'ds_is_older' is not defined
Hi all,
Issue: https://pagure.io/389-ds-base/issue/50446
from lib389.utils import (ds_is_older) is missing in
https://pagure.io/389-ds-base/blob/master/f/src/lib389/lib389/idm/account.py
users = UserAccounts(standalone, DEFAULT_SUFFIX)
for i in users.list(): i.dn
'uid=testuser,ou=People,dc=example,dc=com'
'uid=test_user_1000,ou=People,dc=example,dc=com'
'uid=test_user1,ou=People,dc=example,dc=com'
UserAccount(standalone,'uid=test_user1,ou=People,dc=example,dc=com').enroll_certificate('/etc/dirsrv/slapd-standalone1/user-test_user1.der')
*** NameError: name 'ds_is_older' is not defined
Regards
Anuj Borah
___
389-devel mailing list -- 389-devel@lists.fedoraproject.org
To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
[389-devel] Re: How to create a user with certificate with lib389
Main aim of the test case is filter user with binary search not the base64
.
(Pdb) six.ensure_str(crt)
*** UnicodeDecodeError: 'utf-8' codec can't decode byte 0x82 in position 1:
invalid start byte
On Thu, Jun 13, 2019 at 7:05 PM William Brown wrote:
> I'm really suspicious here that your escape bytes is not needed for ldap
> as much as to prevent python state leaking into the string and the data.
> I'm wondering if there is a better approach
>
> Can ldap filters take base64 instead? Perhaps the issue with your filter
> atm is that you are putting a byte string into an f string so that formats
> with escapes. Have you tried ensure_str() instead?
>
>
>
> > On 13 Jun 2019, at 15:29, Anuj Borah wrote:
> >
> > Yes, it is. but with escape_bytes function only.
> >
> > (Pdb) Accounts(standalone,
> DEFAULT_SUFFIX).filter(f"(userCertificate={crt})")
> > *** ldap.FILTER_ERROR: {'desc': 'Bad search filter', 'errno': 2, 'info':
> 'No such file or directory'}
> >
> > And finally .
> > Accounts(standalone,
> DEFAULT_SUFFIX).filter(f"(userCertificate={escape_bytes(crt)})") >>>
> escape_bytes(this is function i want to put in utils.py)
> > []
> >
> >
> >
> > On Thu, Jun 13, 2019 at 6:56 PM William Brown wrote:
> > Is the test case *just* testing if binary searching of attributes works?
> >
> > > On 13 Jun 2019, at 15:25, Anuj Borah wrote:
> > >
> > > @William Brown
> > >
> > >
> > > This is my test case in bash form . Hope this helps.
> > >
> > > dn: uid=user4F, ou=People, dc=example, dc=com
> > > uid: user4F
> > > cn: User 4F
> > > sn:
> > > givenName:
> > > ou: People
> > > objectClass: top
> > > objectClass: person
> > > objectClass: organizationalPerson
> > > objectClass: inetOrgPerson
> > > description: This is user4F's description
> > > mail:
> > > use...@test.com
> > >
> > > userPassword: user4F
> > > userCertificate;binary::
> MIID5zCCA1CgAwIBAgIDAIF5MA0GCSqGSIb3DQEBBQUAMF4xCzAJ
> > >
> BgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsTA0RvRDEMMAoGA1UE
> > >
> CxMDUEtJMRkwFwYDVQQDExBET0QgQ0xBU1MgMyBDQS0zMB4XDTAxMTExNDAwMDAwMFoXDTA0MTEx
> > >
> MzAwMDAwMFowdTELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UE
> > >
> CxMDRG9EMQwwCgYDVQQLEwNQS0kxDDAKBgNVBAsTA1VTTjEiMCAGA1UEAxMZU0xBQ0suU1RBQ0VZ
> > >
> LkouMTAzNTQ3MjE4MTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAnma4IZobULRwrDto4O/U
> > >
> mXXVtW1MDuYhooo7/5H6O+9WVWIHMKNW+TvonliezYE/N3VwHG8IFJrnjzHjtrmD/iYi+kl3jz5U
> > >
> QmaS/F1fDiP2/G9hEhc5QP6ZCpjWUjf/0m0NjwFiAxLGWNQV9oBqhWU+fwBxD4gGMWRwzGrbVK8C
> > >
> AwEAAaOCAZowggGWMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBQH4UHGgQthSDSPSnwyinB7
> > >
> UgD4MzAdBgNVHQ4EFgQUa6cO9LyOgFuZhaw2S+CKYh8W6NIwFgYDVR0gBA8wDTALBglghkgBZQIB
> > >
> CwkwfgYDVR0SBHcwdYZzbGRhcDovL2RzLTMuYzNwa2kuY2hhbWIuZGlzYS5taWwvY24lM2RET0Ql
> > >
> MjBDTEFTUyUyMDMlMjBDQS0zJTJjb3UlM2RQS0klMmNvdSUzZERvRCUyY28lM2RVLlMuJTIwR292
> > >
> ZXJubWVudCUyY2MlM2RVUzCBqwYDVR0fBIGjMIGgMIGdoIGaoIGXhoGUbGRhcDovL2RzLTMuYzNw
> > >
> a2kuY2hhbWIuZGlzYS5taWwvY24lM2RET0QlMjBDTEFTUyUyMDMlMjBDQS0zJTJjb3UlM2RQS0kl
> > >
> MmNvdSUzZERvRCUyY28lM2RVLlMuJTIwR292ZXJubWVudCUyY2MlM2RVUz9jZXJ0aWZpY2F0ZXJl
> > >
> dm9jYXRpb25saXN0O2JpbmFyeTANBgkqhkiG9w0BAQUFAAOBgQB5aLv3JjaAb+eIOrW3niXs96na
> > >
> mbjDq1IbWK55YVcpCBgD2fYasSlEmnt7ykQlYW8woRORaKv9ERpTcfcg4odi9VbtzIyzYHVyY5DU
> > >
> LuaEhqNiKCnjqWXPeMHmtD2H6nBiDAo6tfyitL5E+NUhz+Rigq7xT5g0Jqo1gXq1jJFdCw==
> > >
> > >
> > >
> > > #./ldapsearch -p 9090 -D "cn=directory manager" -w secret12 -b
> "ou=people, dc=example, dc=com" "(usercertificate;binary=*)"
> > >
> > > #./ldapsearch -p 9090 -D "cn=directory manager" -w secret12 -b
> "ou=people, dc=example, dc=com" "(usercertificate=*)"
> > >
> > > #./ldapsearch -p 9090 -D "cn=directory manager" -w secret12 -b
> "ou=people, dc=example, dc=com"
> "(usercertificate;binary=\4d\49\49\44\35\7a\43\43\41\31\43\67\41\77\49\42\41\67\49\44\41\49\46\35\4d\41\30\47\43\53\71\47\53\49\62\33\44\51\45\42\42\51\55\41\4d\46\34\78\43\7a\41\4a\42\67\4e\56\42\41\59\54\41\6c\56\54\4d\52\67\77\46\67\59\44\56\51\51\4b\45\77\39\56\4c\6c\4d\75\49\45\64\76\64\6d\56\79\62\6d\31\6c\62\6e\51\78\44\44\41\4b\42\67\4e\56\42\41\73\54\41\30\52\76\52\44\45\4d\4d\41\6f\47\41\31\55\45\43\78\4d\44\55\45\74\4a\4d\52\6b\77\46\77\59\44\56\51
[389-devel] Re: How to create a user with certificate with lib389
Yes, it is. but with escape_bytes function only.
(Pdb) Accounts(standalone,
DEFAULT_SUFFIX).filter(f"(userCertificate={crt})")
*** ldap.FILTER_ERROR: {'desc': 'Bad search filter', 'errno': 2, 'info':
'No such file or directory'}
And finally .
Accounts(standalone,
DEFAULT_SUFFIX).filter(f"(userCertificate={escape_bytes(crt)})") >>>
escape_bytes(this is function i want to put in utils.py)
[]
On Thu, Jun 13, 2019 at 6:56 PM William Brown wrote:
> Is the test case *just* testing if binary searching of attributes works?
>
> > On 13 Jun 2019, at 15:25, Anuj Borah wrote:
> >
> > @William Brown
> >
> >
> > This is my test case in bash form . Hope this helps.
> >
> > dn: uid=user4F, ou=People, dc=example, dc=com
> > uid: user4F
> > cn: User 4F
> > sn:
> > givenName:
> > ou: People
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: inetOrgPerson
> > description: This is user4F's description
> > mail:
> > use...@test.com
> >
> > userPassword: user4F
> > userCertificate;binary::
> MIID5zCCA1CgAwIBAgIDAIF5MA0GCSqGSIb3DQEBBQUAMF4xCzAJ
> >
> BgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsTA0RvRDEMMAoGA1UE
> >
> CxMDUEtJMRkwFwYDVQQDExBET0QgQ0xBU1MgMyBDQS0zMB4XDTAxMTExNDAwMDAwMFoXDTA0MTEx
> >
> MzAwMDAwMFowdTELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UE
> >
> CxMDRG9EMQwwCgYDVQQLEwNQS0kxDDAKBgNVBAsTA1VTTjEiMCAGA1UEAxMZU0xBQ0suU1RBQ0VZ
> >
> LkouMTAzNTQ3MjE4MTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAnma4IZobULRwrDto4O/U
> >
> mXXVtW1MDuYhooo7/5H6O+9WVWIHMKNW+TvonliezYE/N3VwHG8IFJrnjzHjtrmD/iYi+kl3jz5U
> >
> QmaS/F1fDiP2/G9hEhc5QP6ZCpjWUjf/0m0NjwFiAxLGWNQV9oBqhWU+fwBxD4gGMWRwzGrbVK8C
> >
> AwEAAaOCAZowggGWMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBQH4UHGgQthSDSPSnwyinB7
> >
> UgD4MzAdBgNVHQ4EFgQUa6cO9LyOgFuZhaw2S+CKYh8W6NIwFgYDVR0gBA8wDTALBglghkgBZQIB
> >
> CwkwfgYDVR0SBHcwdYZzbGRhcDovL2RzLTMuYzNwa2kuY2hhbWIuZGlzYS5taWwvY24lM2RET0Ql
> >
> MjBDTEFTUyUyMDMlMjBDQS0zJTJjb3UlM2RQS0klMmNvdSUzZERvRCUyY28lM2RVLlMuJTIwR292
> >
> ZXJubWVudCUyY2MlM2RVUzCBqwYDVR0fBIGjMIGgMIGdoIGaoIGXhoGUbGRhcDovL2RzLTMuYzNw
> >
> a2kuY2hhbWIuZGlzYS5taWwvY24lM2RET0QlMjBDTEFTUyUyMDMlMjBDQS0zJTJjb3UlM2RQS0kl
> >
> MmNvdSUzZERvRCUyY28lM2RVLlMuJTIwR292ZXJubWVudCUyY2MlM2RVUz9jZXJ0aWZpY2F0ZXJl
> >
> dm9jYXRpb25saXN0O2JpbmFyeTANBgkqhkiG9w0BAQUFAAOBgQB5aLv3JjaAb+eIOrW3niXs96na
> >
> mbjDq1IbWK55YVcpCBgD2fYasSlEmnt7ykQlYW8woRORaKv9ERpTcfcg4odi9VbtzIyzYHVyY5DU
> > LuaEhqNiKCnjqWXPeMHmtD2H6nBiDAo6tfyitL5E+NUhz+Rigq7xT5g0Jqo1gXq1jJFdCw==
> >
> >
> >
> > #./ldapsearch -p 9090 -D "cn=directory manager" -w secret12 -b
> "ou=people, dc=example, dc=com" "(usercertificate;binary=*)"
> >
> > #./ldapsearch -p 9090 -D "cn=directory manager" -w secret12 -b
> "ou=people, dc=example, dc=com" "(usercertificate=*)"
> >
> > #./ldapsearch -p 9090 -D "cn=directory manager" -w secret12 -b
> "ou=people, dc=example, dc=com"
> "(usercertificate;binary=\4d\49\49\44\35\7a\43\43\41\31\43\67\41\77\49\42\41\67\49\44\41\49\46\35\4d\41\30\47\43\53\71\47\53\49\62\33\44\51\45\42\42\51\55\41\4d\46\34\78\43\7a\41\4a\42\67\4e\56\42\41\59\54\41\6c\56\54\4d\52\67\77\46\67\59\44\56\51\51\4b\45\77\39\56\4c\6c\4d\75\49\45\64\76\64\6d\56\79\62\6d\31\6c\62\6e\51\78\44\44\41\4b\42\67\4e\56\42\41\73\54\41\30\52\76\52\44\45\4d\4d\41\6f\47\41\31\55\45\43\78\4d\44\55\45\74\4a\4d\52\6b\77\46\77\59\44\56\51\51\44\45\78\42\45\54\30\51\67\51\30\78\42\55\31\4d\67\4d\79\42\44\51\53\30\7a\4d\42\34\58\44\54\41\78\4d\54\45\78\4e\44\41\77\4d\44\41\77\4d\46\6f\58\44\54\41\30\4d\54\45\78\4d\7a\41\77\4d\44\41\77\4d\46\6f\77\64\54\45\4c\4d\41\6b\47\41\31\55\45\42\68\4d\43\56\56\4d\78\47\44\41\57\42\67\4e\56\42\41\6f\54\44\31\55\75\55\79\34\67\52\32\39\32\5a\58\4a\75\62\57\56\75\64\44\45\4d\4d\41\6f\47\41\31\55\45\43\78\4d\44\52\47\39\45\4d\51\77\77\43\67\59\44\56\51\51\4c\45\77\4e\51\53\30\6b\78\44\44\41\4b\42\67\4e\56\42\41\73\54\41\31\56\54\54\6a\45\69\4d\43\41\47\41\31\55\45\41\78\4d\5a\55\30\78\42\51\30\73\75\55\31\52\42\51\30\56\5a\4c\6b\6f\75\4d\54\41\7a\4e\54\51\33\4d\6a\45\34\4d\54\43\42\6e\7a\41\4e\42\67\6b\71\68\6b\69\47\39\77\30\42\41\51\45\46\41\41\4f\42\6a\51\41\77\67\59\6b\43\67\59\45\41\6e\6d\61\34\49\5a\6f\62\55\4c\52\77\72\44\74\6f\34\4f\2f\55\6d\58\58\56\74\57\31\4d\44\75\59\68\6f\6f\6f\37\2f\35\48\36\4f\2b\39\57\56\57\49\48\4d\4b\4e\57\2b\54\76\6f\6e\6c\69\65\7a\59\45\2f\4e\33\56\77\48\47\38\49\46\4a\72\6e\6a\7a\48\6a\74\72\6d\44\2f\69\59\69\2b\6b\6c\33\6a\7a\35\55\51\6d\61\53\2f\46\31\66\44\69\50\32\2f\47\39\68\45\68\63\35\51\50
[389-devel] Re: How to create a user with certificate with lib389
x100\x0e\x06\x03U\x04\n\x13\x07testing1\x110\x0f\x06\x03U\x04\x03\x13\x08testuser0\x82\x02"0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x82\x02\x0f\x000\x82\x02\n\x02\x82\x02\x01\x00\xb5\x14i\xf7\x1f0\xe8hc\xef\x02\xdc\xbf\xc8`\xf9Z\xc5\xecv\x05\xc6*m6\xc3\xf8U\xa8\x9d\x19i\xe2\x915\t\xd6[\x93\xfd\xa3w9\'t\x15L\x97\x88\x93\x17b\xf4\xfb-\xd2\xc8\xd3\xac\x1b\xc2\xe8\x9d\xb7a\xc7>[\xc7\x08s\x84:S\x04=\xf0-\xb1e\x17\x9a\xfd}\xeeUG\xb2\x9fn\x1b\xcbQ#\xe9~\xb6\xbeQ\xf8b\x178\x11>L\x88\xb5H\xba([\xdcs\xd6m\xda\xda\x17\x07\'Qi\xe7\xf4\xca<\x08\xdb+\xff\x8aW\x9e\x96\xb0\x9e\x14\xa0\xedP\xd3\xc0\x8dy\xc7\x9e\xa5\xc7\xfd\xaa\xa9\x9bw\x18c-\nZ\xacRx\xa7\xb8\x11?2\x9aG\xdf&\xcd\x93\xb2\x89\x9d\xee\x87\xe0s\x05\xadq\xee[t\xccmn\x176\xb1\x12\x1bm\xb7PD\x87\xf4\x99z\xe8\x9aE\xdf\xb4\x05\xe3M\x96\xfd\x81@,4D\x9f\xb9\x1c.\x95\x8do\x93&9-\x18T\xbc;\xae\x7f\x13+\x12z(\'\x9b{k\xaa\x0e\xb0a\xab\xb3$\x1dt\xe5\x890\xf1\x1a\x92\xe2[2\x90\xbf"\x89\xcc\x90\x97E\xea\x83g}gk\xb8Z\x81q\xf3\xf5\xa4\x1cc\x88\xdc\xf5dV\xc4\xfd{\x9d\x04A.\x1cta\xf3\n\xd1\xe6\xe9c\x1fv>\x01D\xd4R\xe8U\x9b\xb6"\xba\x8d\xb7\x07N5\x0bY`\x81SW\xa5\xe0\xb1\x91\xc60$1/%\xf4\xf3\\\xa3\xab\x80\xbd\x0f\x93~\xae\xe0Xg\xb1q_\xcd\xc5\x89\xba#\x925\xd7\xa2\x06\xd4\x8es\xaf
> \xdd\x89\x8cg\'\xe3\x08\x05\xcf\x93\xbe\xd3\x12\xaa\xe6\xf0\xa7p\x04\xa2\xe0\xf7I\xe7\xca1#b\xaa\xae0\xc2\x0f\xcc"U\xa3!\xf4rI\xb3\x03\xf5\xbc\nT8TA\xda\xbf\xac\xb8\xc7\xde\xd1:x\x9a\x1f\x97\xd7\x0bMB\xfaa\xfb\xb1\x8a7\xfa\x00Q\xa4p\x07\xe1^\xd6\xe5.
> w\x8d\xe2\xa2\xaa0\xbd\xd6\n\x96\x87\xe6\xdb]\x11H\x13\x1et.\x80\xa8\x94*9\xe6e\x00\x99\xbb\x1e\xe3?\xd15!_\x08n\x89V%\x83\xad\x18\x93\xcb\xc2\xe2\x0e\x01\x9f\x0e=\xad\x02\x03\x01\x00\x01\xa37050\x11\x06\t`\x86H\x01\x86\xf8B\x01\x01\x04\x04\x03\x02\x07\x800\x13\x06\x03U\x1d%\x04\x0c0\n\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x0b\x06\x03U\x1d\x0f\x04\x04\x03\x02\x04\xf00\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x00\x03\x82\x02\x01\x00Jj\xf5\x95\x91v\x95\xd3\x176-c\xef\xafm\x96rC\xe1\x03\x03"#\xdf\x88\xca\xce`\xac^\xf9\xd3\xe8\xb2\x1f\xbb\xa2\xb5u\x86e\xf3v\xe1,\xaa\xe2\xba\xb1fB(\xd9o\xdf\tT$\xfe\x8b\xb2\xe9
> &\xfa\x95W\rS\xd2s\xf4+V\x7f\xd7\x16N\xfaj\\\xf9GF\x04\xbe\xab\x11\x87\xf7\xab\xc8C\x83\xc3?7\x08\xecxa>\\\xfbL{n=\x8dc\x15\xd1\x7f\xbd\x8f\'l\xd7VF\xb5\xb2\x9a\xb0\x98\xc6M\xbbs\xb6\xb5\x83\x97+\x8b\x13\xf0\x82\x0b5*\xfd\xce\xcbN9_+\xf9s\xd2\x9f\x03\x9du
> @\xbf\x0ce\xb0S#\x95\xc7\xa9{\x81\x84\x17U9\xd6\x1a\xac\x05\xf8\x97\xcb\xa1\x9b\xd6\x96\xa3\xdd\x92\x81\xfb7wG=\xd9\x99B\xc1\xbddH!\x8e\xc9D\xd9&\xdaR\x9d\x97\xa6\xfc\xa1S\xa5\xd8k\xca\xbd4S\x02\x9em\x84\xd3\xb2f\xed\x1f\xd2\xa5\xa8\x7f\x82]\x18\x8a\xc7\x06\xe8S-#q\x08I\xa8\x10o\x9b\xf1
> \x94\xfdR9\xd8~?r\xec\xcb\xbfS}p@J
> ,\xf6\x99I\x1f\x13-\x15\x90cn\xe9\xab\x17\x1c\xe2\x08\x88M/4\xe0\xcd~\xfb\npp!\xd0:\xf5\xf59c$I,\xb8\x1e\xda\xe3\xba\xcc\x90[\x00r\xb2\xcf\xe1Fo?\xa5\x03\xea\x0b\x14\xc4\x98<\rLq\x16\xa0F\x97\xb9\x15\xd8E\xa1\xa8\xeb\xc1\'\xba4\x81+\x87#\x1f\x86\x01\x8b\x1e\xbe\xceA<\xe7FY*i\xf6\xa6\xb1\xb9\xf1kg\xf8\x1f5e0\x0c5\x8f\x90\x83\xe2\xe0\x9e$r\xa9\x02\xf4LoPTc\x15\xf2\xc9\x8a\xf0\xf1m.\x15\xaer\xb8\x86\xb4O2\xb5\xda\x0c\xfa\xfc\x081\\\xa3\x80\xb0\x7f\xd6\x1cg}\x89\xa9x\x84o\\\xef\x8e\x83\xfc\xa32\xa8Dl\xcd\xbd\x1bE\x1b8\x9d\xc3\'&\xd5\xc5\xa2\xfe5\xfe7un\xd9\xba\xf9[=\x16\x99\xd0(\xf2v\xef3\x1b\x1bd\xba\xdc\xd45W\xef\x8c\xe8F\xe0\x81\x1e\xdcA\xb1A\x12\xbc\xec:\xddI\xa7{\x08\xb2\xcb\x84\xd3\xa8i\xb2\xd7\x81'
> >
> >
> > (Pdb) Accounts(standalone,
> DEFAULT_SUFFIX).filter(f"(userCertificate={crt})")
> > *** ldap.FILTER_ERROR: {'desc': 'Bad search filter', 'errno': 2, 'info':
> 'No such file or directory'}
> >
> > And finally .
> > Accounts(standalone,
> DEFAULT_SUFFIX).filter(f"(userCertificate={escape_bytes(crt)})") >>>
> escape_bytes(this is function i want to put in utils.py)
> >
> >
> >
> > Regards
> > Anuj Borah
> >
> >
> >
> > * Consider checking:
> https://pagure.io/389-ds-base/pull-request/49579#request_diff we can
> likely pull out the python from this branch and commit to master as it adds
> a lot of TLS support.
> >
> > Thanks
> >
> > —
> > Sincerely,
> >
> > William Brown
> >
> > Senior Software Engineer, 389 Directory Server
> > SUSE Labs
> >
>
> —
> Sincerely,
>
> William Brown
>
> Senior Software Engineer, 389 Directory Server
> SUSE Labs
>
>
___
389-devel mailing list -- 389-devel@lists.fedoraproject.org
To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
[389-devel] Re: How to create a user with certificate with lib389
On Thu, Jun 13, 2019 at 6:05 PM William Brown wrote:
>
>
> > On 13 Jun 2019, at 14:27, Anuj Borah wrote:
> >
> >
>
> Okay, so:
>
> * WHAT is the test you are creating? What does it test? How? What steps
> from start to finish? Please list this exactly.
> * Use SSCA to make the user cert - it creates pem and der copies
> * Have you looked at:
> https://pagure.io/389-ds-base/blob/master/f/src/lib389/lib389/idm/account.py#_103
Till this point all ok . But not ok . Its giving error .
(Pdb) Account(standalone,
'uid=testuser,ou=People,dc=example,dc=com').enroll_certificate(tls_locs['crt_der_path'])
*** NameError: name 'ds_is_older' is not defined
Or
(Pdb) users.list()[0].enroll_certificate(tls_locs['crt_der_path'])
*** NameError: name 'ds_is_older' is not defined
Is there a problem with account.py file .
https://pagure.io/389-ds-base/blob/master/f/src/lib389/lib389/idm/account.py
It did not import >>>> from lib389.utils import (ds_is_older)
Any way after using SSCA we have got the user with userCertificate field .
(Pdb) Account(standalone,
'uid=testuser,ou=People,dc=example,dc=com')._unsafe_raw_entry()
dn: uid=testuser,ou=People,dc=example,dc=com
cn: testuser
gidNumber: 2000
homeDirectory: /home/testuser
objectClass: top
objectClass: account
objectClass: posixaccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: nsMemberOf
objectClass: nsAccount
objectClass: person
sn: user
uid: testuser
uidNumber: 1000
userCertificate;binary::
MIIFcjCCA1qgAwIBAgIFALFmh3wwDQYJKoZIhvcNAQELBQAwZTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxDjAMBgNVBAcTBTM4OWRzMRAwDgYDVQQKEwd0ZXN0aW5nMR8wHQYDVQQDExZzc2NhLjM4OWRzLmV4YW1wbGUuY29tMB4XDTE5MDYxMzEzMDkwM1oXDTIxMDYxMzEzMDkwM1owVzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxDjAMBgNVBAcTBTM4OWRzMRAwDgYDVQQKEwd0ZXN0aW5nMREwDwYDVQQDEwh0ZXN0dXNlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALUUafcfMOhoY+8C3L/IYPlaxex2BcYqbTbD+FWonRlp4pE1CdZbk/2jdzkndBVMl4iTF2L0+y3SyNOsG8Lonbdhxz5bxwhzhDpTBD3wLbFlF5r9fe5VR7KfbhvLUSPpfra+UfhiFzgRPkyItUi6KFvcc9Zt2toXBydRaef0yjwI2yv/ileelrCeFKDtUNPAjXnHnqXH/aqpm3cYYy0KWqxSeKe4ET8ymkffJs2Tsomd7ofgcwWtce5bdMxtbhc2sRIbbbdQRIf0mXromkXftAXjTZb9gUAsNESfuRwulY1vkyY5LRhUvDuufxMrEnooJ5t7a6oOsGGrsyQddOWJMPEakuJbMpC/IonMkJdF6oNnfWdruFqBcfP1pBxjiNz1ZFbE/XudBEEuHHRh8wrR5uljH3Y+AUTUUuhVm7Yiuo23B041C1lggVNXpeCxkcYwJDEvJfTzXKOrgL0Pk36u4FhnsXFfzcWJuiOSNdeiBtSOc68g3YmMZyfjCAXPk77TEqrm8KdwBKLg90nnyjEjYqquMMIPzCJVoyH0ckmzA/W8ClQ4VEHav6wmcLjH3tE6eJofl9cLTUL
6Yfuxijf6AFGkcAfhXtblLiB3jeKiqjC91gqWh+bbXRFIEx50LoColCo55mUAmbse4z/RNSFfCG6JViWDrRiTy8LiDgGfDj2tAgMBAAGjNzA1MBEGCWCGSAGG+EIBAQQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCBPAwDQYJKoZIhvcNAQELBQADggIBAEpq9ZWRdpXTFzYtY++vbZZyQ+EDAyIj34jKzmCsXvnT6LIfu6K1dYZl83bhLKriurFmQijZb98JVCT+i7LpICb6lVcNU9Jz9CtWf9cWTvpqXPlHRgS+qxGH96vIQ4PDPzcI7HhhPlz7THtuPY1jFdF/vY8nbNdWRrWymrCYxk27c7a1g5crixPwggs1Kv3Oy045Xyv5c9KfA511IEC/DGWwUyOVx6l7gYQXVTnWGqwF+JfLoZvWlqPdkoH7N3dHPdmZQsG9ZEghjslE2SbaUp2XpvyhU6XYa8q9NFMCnm2E07Jm7R/Spah/gl0YiscG6FMtI3EISagQb5vxIJT9UjnYfj9y7Mu/U31wQEos9plJHxMtFZBjbumrFxziCIhNLzTgzX77CnBwIdA69fU5YyRJLLge2uO6zJBbAHKyz+FGbz+lA+oLFMSYPA1McRagRpe5FdhFoajrwSe6NIErhyMfhgGLHr7OQTznRlkqafamsbnxa2f4HzVlMAw1j5CD4uCeJHKpAvRMb1BUYxXyyYrw8W0uFa5yuIa0TzK12gz6/AgxXKOAsH/WHGd9ial4hG9c746D/KMyqERszb0bRRs4ncMnJtXFov41/jd1btm6+Vs9FpnQKPJ27zMbG2S63NQ1V++M6EbggR7cQbFBErzsOt1Jp3sIssuE06hpsteB
Now i want to filter that user with filter.
(Pdb) crt = open('/etc/dirsrv/slapd-standalone1/user-testuser.der',
'rb').read()
(Pdb) crt
b'0\x82\x05r0\x82\x03Z\xa0\x03\x02\x01\x02\x02\x05\x00\xb1f\x87|0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x000e1\x0b0\t\x06\x03U\x04\x06\x13\x02AU1\x130\x11\x06\x03U\x04\x08\x13\nQueensland1\x0e0\x0c\x06\x03U\x04\x07\x13\x05389ds1\x100\x0e\x06\x03U\x04\n\x13\x07testing1\x1f0\x1d\x06\x03U\x04\x03\x13\x16ssca.389ds.example.com0\x1e\x17\r190613130903Z\x17\r210613130903Z0W1\x0b0\t\x06\x03U\x04\x06\x13\x02AU1\x130\x11\x06\x03U\x04\x08\x13\nQueensland1\x0e0\x0c\x06\x03U\x04\x07\x13\x05389ds1\x100\x0e\x06\x03U\x04\n\x13\x07testing1\x110\x0f\x06\x03U\x04\x03\x13\x08testuser0\x82\x02"0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x82\x02\x0f\x000\x82\x02\n\x02\x82\x02\x01\x00\xb5\x14i\xf7\x1f0\xe8hc\xef\x02\xdc\xbf\xc8`\xf9Z\xc5\xecv\x05\xc6*m6\xc3\xf8U\xa8\x9d\x19i\xe2\x915\t\xd6[\x93\xfd\xa3w9\'t\x15L\x97\x88\x93\x17b\xf4\xfb-\xd2\xc8\xd3\xac\x1b\xc2\xe8\x9d\xb7a\xc7>[\xc7\x08s\x84:S\x04=\xf0-\xb1e\x17\x9a\xfd}\xeeUG\xb2\x9fn\x1b\xcbQ#\xe9~\xb6\xbeQ\xf8b\x178\x11>L\x88\xb5H\xba([\xdcs\xd6m\xda\xda\x17\x07\'Qi\xe7\xf4\xca<\x08\xdb+\xff\x8aW\x9e\x96\xb0\x9e\x14\xa0\xedP\xd3\xc0\x8dy\xc7\x9e\xa5\xc7\xfd\xaa\xa9\x9bw\x18c-\nZ\xacRx\xa7\xb8\x11?2\x9aG\xdf&\xcd\x93\xb2\x89\x9d\xee\x87\xe0s\x05\xadq\xee[t\xccmn\x176\xb1\x12\x1bm\xb7PD\x87\xf4\x99z\xe8\x9aE\xdf\xb4\x05\xe3M\x96\xfd\x81@,4D\x9f\xb9\x1c.\x95\x8do\x93&9-\x18T\xbc;\xae\x7f\x13+\x12z(\'\x9b{k\xaa\x0e\xb0a\xab\xb3$\x1dt\xe5\x890\xf1\x1a\x92\xe2[2\
[389-devel] Re: How to create a user with certificate with lib389
@William Brown
Please check the attached test case .
I want to put escape_bytes function to lib389 utils.py file .
Regards
Anuj Borah
On Mon, Jun 10, 2019 at 2:18 PM William Brown wrote:
>
>
> > On 9 Jun 2019, at 03:40, Anuj Borah wrote:
> >
> > @William Brown
> >
> > Yes, it does.
> >
> > Currently i am porting this bug
> https://bugzilla.redhat.com/show_bug.cgi?id=170520
> >
> > I think with help of this script it will be impossible to port it .
>
> I'm not authorised to view that bug. :)
>
> I think youll need to describe, exactly, in sequence the order of events
> you want to test so I can advise properly.
>
> >
> > Do you have any advice .
> >
> > Regards
> > Anuj Borah
> >
> >
> > On Fri, Jun 7, 2019 at 2:47 PM William Brown wrote:
> > I haven't read the link but maybe there is some confusion about TLS
> binding here. You do the create_rsa_user and that only set's up the
> certificates.
> >
> > > On 4 Jun 2019, at 17:51, Anuj Borah wrote:
> > >
> > > @William Brown
> > >
> > > Thanks , I am doing the same . Trying to follow it . (i have make this
> script 99% pass)
> > >
> > > But its way too old . It uses some like :
> > >
> > > standalone.nss_ssl.create_rsa_user('testuser') not valid
> (NssSsl(standalone).create_rsa_user('testuser'))
> > >
> > > standalone.nss_ssl.get_rsa_user('testuser') -- not valid
> (NssSsl(standalone).get_rsa_user('testuser'))
> >
> > IIRC this syntax is valid, but maybe the linking type was removed.
> >
> > >
> > > standalone.openConnection --- I dont know what is it . May be bind.
> >
> > Yes, i think this is bind now. If you grep for create_rsa_user in the
> tests you may find another example.
> >
> > >
> > > And Most importantly, after i have make this script 99% pass . I am
> not able to see the usercertificate field in the test user that was created
> during the test . while i do _unsafe_raw_entry()
> >
> > Because you don't need it. The certificate's cn is mapped to the cn in
> the directory, and then because the certificate was issued be the ca, it
> "confirms" the users identity. No userCertificate attribute required.
> >
> > There is a configuration that DOES require the certificate to not only
> be signed, but also in userCertificate for binary matching, but this is a
> configuration option, not the default. I seem to recall helping document
> all this with Marc, so it should be in the latest RHDS documentation.
> Generally though, the userCertificate attribute today would be used to
> allow a client like SSSD to read the userCertificate to allow smartCard
> authentication to a workstation.
> >
> > Does that help a bit?
> >
> > >
> > > Also mind changing the lib389 doc
> https://spichugi.fedorapeople.org/html/guidelines.html#setting-up-ssl-tls
> . Its the same test case given there , which is not relevant now .
> > >
> > > Regards
> > > Anuj Borah
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > On Tue, Jun 4, 2019 at 9:08 PM William Brown wrote:
> > > I'm currently traveling at the moment, but I can have a look later to
> update this to work on latest lib389 etc.
> > >
> > > You can read it and use it as an example though, even if it doesn't
> pass ...
> > >
> > >
> > >
> > >
> > > > On 4 Jun 2019, at 16:32, Anuj Borah wrote:
> > > >
> > > > @William Brown
> > > >
> > > > This test script does not pass . Its too old .
> > > >
> > > > Regards
> > > > Anuj Borah
> > > >
> > > > On Tue, Jun 4, 2019 at 8:00 PM William Brown wrote:
> > > > Have a look at this test case if you want to do usercertificate
> generation and authentication :)
> > > >
> > > >
> https://pagure.io/389-ds-base/blob/master/f/src/lib389/lib389/tests/tls_external_test.py
> > > >
> > > > > On 4 Jun 2019, at 14:31, Anuj Borah wrote:
> > > > >
> > > > > Hi all,
> > > > >
> > > > > Let say i want to create a user with userCertificate fileld. My
> user will look like bellow.
> > > > >
> > > > > users_people = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
> > > > > users_people.create(properties={
> > > > > 'uid': 'certUser2
[389-devel] Re: How to create a user with certificate with lib389
@William Brown
Yes, it does.
Currently i am porting this bug
https://bugzilla.redhat.com/show_bug.cgi?id=170520
I think with help of this script it will be impossible to port it .
Do you have any advice .
Regards
Anuj Borah
On Fri, Jun 7, 2019 at 2:47 PM William Brown wrote:
> I haven't read the link but maybe there is some confusion about TLS
> binding here. You do the create_rsa_user and that only set's up the
> certificates.
>
> > On 4 Jun 2019, at 17:51, Anuj Borah wrote:
> >
> > @William Brown
> >
> > Thanks , I am doing the same . Trying to follow it . (i have make this
> script 99% pass)
> >
> > But its way too old . It uses some like :
> >
> > standalone.nss_ssl.create_rsa_user('testuser') not valid
> (NssSsl(standalone).create_rsa_user('testuser'))
> >
> > standalone.nss_ssl.get_rsa_user('testuser') -- not valid
> (NssSsl(standalone).get_rsa_user('testuser'))
>
> IIRC this syntax is valid, but maybe the linking type was removed.
>
> >
> > standalone.openConnection --- I dont know what is it . May be bind.
>
> Yes, i think this is bind now. If you grep for create_rsa_user in the
> tests you may find another example.
>
> >
> > And Most importantly, after i have make this script 99% pass . I am not
> able to see the usercertificate field in the test user that was created
> during the test . while i do _unsafe_raw_entry()
>
> Because you don't need it. The certificate's cn is mapped to the cn in the
> directory, and then because the certificate was issued be the ca, it
> "confirms" the users identity. No userCertificate attribute required.
>
> There is a configuration that DOES require the certificate to not only be
> signed, but also in userCertificate for binary matching, but this is a
> configuration option, not the default. I seem to recall helping document
> all this with Marc, so it should be in the latest RHDS documentation.
> Generally though, the userCertificate attribute today would be used to
> allow a client like SSSD to read the userCertificate to allow smartCard
> authentication to a workstation.
>
> Does that help a bit?
>
> >
> > Also mind changing the lib389 doc
> https://spichugi.fedorapeople.org/html/guidelines.html#setting-up-ssl-tls
> . Its the same test case given there , which is not relevant now .
> >
> > Regards
> > Anuj Borah
> >
> >
> >
> >
> >
> >
> >
> > On Tue, Jun 4, 2019 at 9:08 PM William Brown wrote:
> > I'm currently traveling at the moment, but I can have a look later to
> update this to work on latest lib389 etc.
> >
> > You can read it and use it as an example though, even if it doesn't pass
> ...
> >
> >
> >
> >
> > > On 4 Jun 2019, at 16:32, Anuj Borah wrote:
> > >
> > > @William Brown
> > >
> > > This test script does not pass . Its too old .
> > >
> > > Regards
> > > Anuj Borah
> > >
> > > On Tue, Jun 4, 2019 at 8:00 PM William Brown wrote:
> > > Have a look at this test case if you want to do usercertificate
> generation and authentication :)
> > >
> > >
> https://pagure.io/389-ds-base/blob/master/f/src/lib389/lib389/tests/tls_external_test.py
> > >
> > > > On 4 Jun 2019, at 14:31, Anuj Borah wrote:
> > > >
> > > > Hi all,
> > > >
> > > > Let say i want to create a user with userCertificate fileld. My user
> will look like bellow.
> > > >
> > > > users_people = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
> > > > users_people.create(properties={
> > > > 'uid': 'certUser2',
> > > > 'cn': 'CUser2',
> > > > 'sn': 'CertificateUser2',
> > > > 'givenName': 'CU2',
> > > > 'description': "This is certUser2's description",
> > > > 'mail': 'certus...@example.com',
> > > > 'userPassword': PW_DM,
> > > > 'userCertificate':
> 'some_cert_+++NUhz+Rigq7xT5g0Jqo1gXq1jJFdCw==',
> > > > 'manager': f'uid=certUser2,ou=People,{DEFAULT_SUFFIX}',
> > > > 'homeDirectory': '/home/' + 'certUser2',
> > > > 'uidNumber': '1000',
> > > > 'gidNumber': '2000'
> > > > })
> > > >
> > > > Here i have put userCertificate field manually (which i dont want to
> do). But how can i achieve this without putting userCertificate field
> manually . Like create a user and userCertificate field will be auto field
> with auto gener
[389-devel] Re: How to create a user with certificate with lib389
@William Brown
Thanks , I am doing the same . Trying to follow it . (i have make this
script 99% pass)
But its way too old . It uses some like :
standalone.nss_ssl.create_rsa_user('testuser') not valid
(NssSsl(standalone).create_rsa_user('testuser'))
standalone.nss_ssl.get_rsa_user('testuser') -- not valid
(NssSsl(standalone).get_rsa_user('testuser'))
standalone.openConnection --- I dont know what is it . May be bind.
And Most importantly, after i have make this script 99% pass . I am not
able to see the usercertificate field in the test user that was created
during the test . while i do _unsafe_raw_entry()
Also mind changing the lib389 doc
https://spichugi.fedorapeople.org/html/guidelines.html#setting-up-ssl-tls .
Its the same test case given there , which is not relevant now .
Regards
Anuj Borah
On Tue, Jun 4, 2019 at 9:08 PM William Brown wrote:
> I'm currently traveling at the moment, but I can have a look later to
> update this to work on latest lib389 etc.
>
> You can read it and use it as an example though, even if it doesn't pass
> ...
>
>
>
>
> > On 4 Jun 2019, at 16:32, Anuj Borah wrote:
> >
> > @William Brown
> >
> > This test script does not pass . Its too old .
> >
> > Regards
> > Anuj Borah
> >
> > On Tue, Jun 4, 2019 at 8:00 PM William Brown wrote:
> > Have a look at this test case if you want to do usercertificate
> generation and authentication :)
> >
> >
> https://pagure.io/389-ds-base/blob/master/f/src/lib389/lib389/tests/tls_external_test.py
> >
> > > On 4 Jun 2019, at 14:31, Anuj Borah wrote:
> > >
> > > Hi all,
> > >
> > > Let say i want to create a user with userCertificate fileld. My user
> will look like bellow.
> > >
> > > users_people = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
> > > users_people.create(properties={
> > > 'uid': 'certUser2',
> > > 'cn': 'CUser2',
> > > 'sn': 'CertificateUser2',
> > > 'givenName': 'CU2',
> > > 'description': "This is certUser2's description",
> > > 'mail': 'certus...@example.com',
> > > 'userPassword': PW_DM,
> > > 'userCertificate':
> 'some_cert_+++NUhz+Rigq7xT5g0Jqo1gXq1jJFdCw==',
> > > 'manager': f'uid=certUser2,ou=People,{DEFAULT_SUFFIX}',
> > > 'homeDirectory': '/home/' + 'certUser2',
> > > 'uidNumber': '1000',
> > > 'gidNumber': '2000'
> > > })
> > >
> > > Here i have put userCertificate field manually (which i dont want to
> do). But how can i achieve this without putting userCertificate field
> manually . Like create a user and userCertificate field will be auto field
> with auto generated certificates .
> > >
> > > Regards
> > > Anuj Borah
> > > ___
> > > 389-devel mailing list -- 389-devel@lists.fedoraproject.org
> > > To unsubscribe send an email to
> 389-devel-le...@lists.fedoraproject.org
> > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > > List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives:
> https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
> >
> > —
> > Sincerely,
> >
> > William Brown
> >
> > Senior Software Engineer, 389 Directory Server
> > SUSE Labs
> > ___
> > 389-devel mailing list -- 389-devel@lists.fedoraproject.org
> > To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
>
> —
> Sincerely,
>
> William Brown
>
> Senior Software Engineer, 389 Directory Server
> SUSE Labs
>
>
___
389-devel mailing list -- 389-devel@lists.fedoraproject.org
To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
[389-devel] Re: How to create a user with certificate with lib389
@William Brown
This test script does not pass . Its too old .
Regards
Anuj Borah
On Tue, Jun 4, 2019 at 8:00 PM William Brown wrote:
> Have a look at this test case if you want to do usercertificate generation
> and authentication :)
>
>
> https://pagure.io/389-ds-base/blob/master/f/src/lib389/lib389/tests/tls_external_test.py
>
> > On 4 Jun 2019, at 14:31, Anuj Borah wrote:
> >
> > Hi all,
> >
> > Let say i want to create a user with userCertificate fileld. My user
> will look like bellow.
> >
> > users_people = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
> > users_people.create(properties={
> > 'uid': 'certUser2',
> > 'cn': 'CUser2',
> > 'sn': 'CertificateUser2',
> > 'givenName': 'CU2',
> > 'description': "This is certUser2's description",
> > 'mail': 'certus...@example.com',
> > 'userPassword': PW_DM,
> > 'userCertificate':
> 'some_cert_+++NUhz+Rigq7xT5g0Jqo1gXq1jJFdCw==',
> > 'manager': f'uid=certUser2,ou=People,{DEFAULT_SUFFIX}',
> > 'homeDirectory': '/home/' + 'certUser2',
> > 'uidNumber': '1000',
> > 'gidNumber': '2000'
> > })
> >
> > Here i have put userCertificate field manually (which i dont want to
> do). But how can i achieve this without putting userCertificate field
> manually . Like create a user and userCertificate field will be auto field
> with auto generated certificates .
> >
> > Regards
> > Anuj Borah
> > ___
> > 389-devel mailing list -- 389-devel@lists.fedoraproject.org
> > To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
>
> —
> Sincerely,
>
> William Brown
>
> Senior Software Engineer, 389 Directory Server
> SUSE Labs
> ___
> 389-devel mailing list -- 389-devel@lists.fedoraproject.org
> To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
>
___
389-devel mailing list -- 389-devel@lists.fedoraproject.org
To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
[389-devel] How to create a user with certificate with lib389
Hi all,
Let say i want to create a user with userCertificate fileld. My user will
look like bellow.
users_people = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
users_people.create(properties={
'uid': 'certUser2',
'cn': 'CUser2',
'sn': 'CertificateUser2',
'givenName': 'CU2',
'description': "This is certUser2's description",
'mail': 'certus...@example.com',
'userPassword': PW_DM,
'userCertificate': 'some_cert_+++NUhz+Rigq7xT5g0Jqo1gXq1jJFdCw==',
'manager': f'uid=certUser2,ou=People,{DEFAULT_SUFFIX}',
'homeDirectory': '/home/' + 'certUser2',
'uidNumber': '1000',
'gidNumber': '2000'
})
Here i have put userCertificate field manually (which i dont want to do).
But how can i achieve this without putting userCertificate field manually .
Like create a user and userCertificate field will be auto field with auto
generated certificates .
Regards
Anuj Borah
___
389-devel mailing list -- 389-devel@lists.fedoraproject.org
To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
[389-devel] Re: Please review
@Simon Pichugin Please review: https://pagure.io/389-ds-base/pull-request/50336 Regards Anuj Borah On Wed, May 15, 2019 at 8:50 PM Anuj Borah wrote: > @Simon Pichugin > > Please review: > > https://pagure.io/389-ds-base/pull-request/50328 > > Regards > Anuj Borah > > > > On Thu, May 9, 2019 at 5:27 PM Anuj Borah wrote: > >> @Simon Pichugin >> >> This one is still pending . >> >> https://pagure.io/389-ds-base/pull-request/50192 >> >> Regards >> Anuj Borah >> >> >> On Tue, Apr 30, 2019 at 4:03 PM Anuj Borah wrote: >> >>> Hi Simon , >>> >>> Rebsed onto master . >>> >>> Regards >>> Anuj Borah >>> >>> On Tue, Apr 30, 2019 at 3:54 PM Simon Pichugin >>> wrote: >>> >>>> On Tue, Apr 30, 2019 at 02:15:55PM +0530, Anuj Borah wrote: >>>> >Hi all, >>>> Hi Anuj, >>>> >>>> >Please review these PRs. >>>> >Pending from Long Time. >>>> >[1]https://pagure.io/389-ds-base/pull-request/50180 >>>> >[2]https://pagure.io/389-ds-base/pull-request/50192 >>>> Could you please rebase them onto master? >>>> >>>> Thanks, >>>> Simon >>>> >>>> >Regards >>>> >Anuj Borah >>>> > >>>> > References >>>> > >>>> >1. https://pagure.io/389-ds-base/pull-request/50180 >>>> >2. https://pagure.io/389-ds-base/pull-request/50192 >>>> >>>> > ___ >>>> > 389-devel mailing list -- 389-devel@lists.fedoraproject.org >>>> > To unsubscribe send an email to >>>> 389-devel-le...@lists.fedoraproject.org >>>> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html >>>> > List Guidelines: >>>> https://fedoraproject.org/wiki/Mailing_list_guidelines >>>> > List Archives: >>>> https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org >>>> >>>> ___ >>>> 389-devel mailing list -- 389-devel@lists.fedoraproject.org >>>> To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org >>>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html >>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >>>> List Archives: >>>> https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org >>>> >>> ___ 389-devel mailing list -- 389-devel@lists.fedoraproject.org To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
[389-devel] Re: Use of rust for new logging backend
Hi I will also help from QA team(Test and automation ) , i started learning "rust" 6 month ago (not regular ). I know 2% (may be). Regards Anuj Borah On Wed, May 15, 2019 at 8:20 PM Simon Pichugin wrote: > On Tue, May 14, 2019 at 01:21:28PM +1000, William Brown wrote: > > Hi all, > > > > So it's been a while since I pushed this, but again, I think I want to > bring this up. I'd like to write the new logging backend in Rust. > > > > I'll start with a summary: > > > > Pros: > > * Faster development time due to stricter code correctness guarantees > > * Modern and safe language to lower number of bugs in implementation > > * Much better libraries for interacting with things like json and thread > safety > > > > Cons: > > * Another language in the codebase ... > > * We need to learn it to work on it > > * Vendors need to be ready to build with the toolchain > > > > I've talked through some of these thoughts with Mark a bit, and I really > think it's time we did this - or gave up on pursuing it. I have been > running the rust enabled version of ds for a few years now with no issues. > SUSE is also in a position where they are able to and ready to build DS > with Rust (I'm assuming RH could easily also be brought to parity here). > > > > So the main barrier becomes us: the most common argument is we don't > know enough or have enough experience. However I think this argument is > flawed, in the fact that there are many parts of the code where we already > only have 1 or 2 experts in that area - often when we look into a bug or a > feature, we always have to learn new things, we have to read the code, > understand even the unique styles of how that was written for the time, and > then do work. This would be no different. I think we are all capable of > learning and working with these tools. > > > > By this point, Gnome is looking into Rust as a mainline part of the > desktop, Samba has started to look into it, Firefox is already shipping > Rust components. I think that Rust is here to stay, and is not some passing > trend. > > > > > > So what do we think? I think if there are no major objections I would > like to do this in Rust. I'll also commit to providing C-Rust FFI > documentation for the team, resources to help understand what's going on, > and like always, I will be sure to comment all my code thoroughly as part > of this improvement. > Hi William, > I am more than interested! > > I'd like to learn it one day anyway. > So if there will be no objections and we'll go forward now, > I think, it is important to agree on some points of decreasing a bus > factor: > > - As you said, it should have very detailed comments on all of the > language features and technics you'll use. > - I think it will be nice to have an additional documentation which will > describe the basic setup for the development you use. All the toold you > need to develop, compile, test and debug. > - Also, some nice links for the basic tutorials on Rust types, concepts, > etc. > - I think, we should have detailed unit tests. It will help to > understand the code better and we will have less bugs (hopefully). > > And the final and big point I wanted to mention: > > - We should be prepared for a slow review process because we have quite > limited > recources in the team and a lot of work should be done (WebUI still has > to be refactored to React, > and it is only a small piece of the workload). > Also, I think, it makes sense to have the smallest Rust PRs that can be > put together as an independent unit. > > But everything is just my opinion and I don't know what others think and > if everyone is prepared to join it. I am feeling excited though :) > > Thanks, > Simon > > P.S. check the contribution guide please. Espesially a part about > 'rebase-force-push'. I think it is nice not to force push during > the review process (and rebase-squash only after you got an ACK). > > > > > > > > — > > Sincerely, > > > > William Brown > > > > Senior Software Engineer, 389 Directory Server > > SUSE Labs > > ___ > > 389-devel mailing list -- 389-devel@lists.fedoraproject.org > > To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: > https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org > ___ > 389-devel mailing list
[389-devel] Re: Groups are not accessible by filter
@William Brown
Its not relevant to this subject line , but its related to lib389 .
Question : Does get_attrs_vals_utf8 and all get_attrs_vals types should
case sensitive ??
Look at bellow result:
with search_s:
(Pdb) topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, F4,
['cn', 'Cn', 'CN'])
[dn: uid=bhall,ou=People,dc=example,dc=com
cn: Benjamin Hall
]
with filter:
(Pdb) Accounts(topo.standalone,
DEFAULT_SUFFIX).filter(F4)[0].get_attrs_vals_utf8(['cn', 'Cn', 'CN'])
{'cn': ['Benjamin Hall'], 'Cn': ['Benjamin Hall'], 'CN': ['Benjamin Hall']}
(Pdb) Accounts(topo.standalone,
DEFAULT_SUFFIX).filter(F4)[0]._unsafe_raw_entry()
dn: uid=bhall,ou=People,dc=example,dc=com
cn: Benjamin Hall
gidNumber: 2000
givenName: Benjamin
homeDirectory: /home/bhall
l: sunnyvale
mail: bh...@anuj.com
manager: uid=trigden,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixaccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: nsMemberOf
objectClass: nsAccount
objectClass: person
ou: Product Development
ou: People
roomNumber: 2511
sn: Hall
telephoneNumber: +1 408 555 6067
uid: bhall
uidNumber: 1000
userPassword:
{PBKDF2_SHA256}AAAIAC03kM8if/x5GVc9teHEpMTOvB67mfH6NZYEmazAev2n6eoN2X+3JKu13ZpIG+WCPGWZH0niBxc7xvvqFsMkNPoRlBvmx23fWM+5VYcTCJs+iWQRxTb0FV/hheEU9a+Tqdj6fa0lL1aJTiOkKKk/mJdAHUiRvh8M6BtZmmc3pD0KNDwHQK/k/tuP1X7+nA+6ioT5WCb2NjjR4jFuNO681Ko6nG/wAWz/T+lYsVHdFV84MfBX81dgRDGmGyAew2YwNDeuEEmFH9EFYS9iczs241/3oA9igvCPuiSc7hoI/EOsRm4c6IhikouebRVCvX9eiZfjPSIBwXJTFHLi93r7xxNC4q3WWZZh2I01A09SOoQZPhXDXMkL6nuAJawG0wkU3JFeJecTSsk3EPgg+xX15X52Ayt7yKMRfTlYRtp45uku
(Pdb) Accounts(topo.standalone,
DEFAULT_SUFFIX).filter(F4)[0].get_attr_val_utf8('CN')
'Benjamin Hall'
(Pdb) Accounts(topo.standalone,
DEFAULT_SUFFIX).filter(F4)[0].get_attr_val_utf8('cn')
'Benjamin Hall'
(Pdb) Accounts(topo.standalone,
DEFAULT_SUFFIX).filter(F4)[0].get_attr_val_utf8('Cn')
'Benjamin Hall'
Regards
Anuj Borah
On Thu, May 9, 2019 at 9:00 AM Anuj Borah wrote:
> @William Brown
>
> Thank you for the clarification.
>
> Regards
> Anuj Borah
>
> On Thu, May 9, 2019 at 8:57 AM William Brown wrote:
>
>>
>>
>> > On 9 May 2019, at 12:47, Anuj Borah wrote:
>> >
>> > @William Brown
>> >
>> > I am attaching the main script where i am facing the problem .
>> >
>> > F4 gives me the following :
>> >
>> > With search_s:
>> >
>> > (Pdb) topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, F4)
>> > [dn: uid=bhall,ou=People,dc=example,dc=com
>> > cn: Benjamin Hall
>> > gidNumber: 2000
>> > givenName: Benjamin
>> > homeDirectory: /home/bhall
>> > l: sunnyvale
>> > mail: bh...@anuj.com
>> > manager: uid=trigden,ou=People,dc=example,dc=com
>> > objectClass: top
>> > objectClass: account
>> > objectClass: posixaccount
>> > objectClass: inetOrgPerson
>> > objectClass: organizationalPerson
>> > objectClass: nsMemberOf
>> > objectClass: nsAccount
>> > objectClass: person
>> > ou: Product Development
>> > ou: People
>> > roomNumber: 2511
>> > sn: Hall
>> > telephoneNumber: +1 408 555 6067
>> > uid: bhall
>> > uidNumber: 1000
>> > userPassword:
>> {PBKDF2_SHA256}AAAIAAlpB8Yaw03XDVfXkH++eiCaugb3D660gbb6xBE3dkSCXOiCVqvM80dTPhPuSBISkY8IWJZgZXXoDt54brqRweEpqZ4YPrMTtqBAd/2kCsX+ZRM9phJLZFd9k7bIAM3joCnxVPFwyR1ETDSHkes0RSql7Isi+oKb8dloC+m5vzj1NG1M/o0TxdICTMxIBvuln+BdANOS9waGyqJgZfZBnQfw2t3lHOKXFxiduaWSZJvwVV8JtYkHt/ofdmqKItayc00eG6EM44qPS19XZa+3drTADPkL7HNAVhMHg1Y8iIWIXKvlZ7WJ1V/ySrHL6SU6XzcXtMNjBT/qi+GCHpu2Bc+Ka2C0iUZwY5ZiJ7YUANa3UYxh6oIVUgKNVmX+4CkJczJLcEgoI43zFCFnFsjtNHYwflPuIPFtwaXvgeBojItZ
>> >
>> > ]
>> >
>> > With filter:
>> >
>> > (Pdb) Accounts(topo.standalone, DEFAULT_SUFFIX).filter(F4)[0].dn
>> > 'uid=bhall,ou=People,dc=example,dc=com'
>> > (Pdb) Accounts(topo.standalone,
>> DEFAULT_SUFFIX).filter(F4)[0]._unsafe_raw_entry()
>> > dn: uid=bhall,ou=People,dc=example,dc=com
>> > cn: Benjamin Hall
>> > gidNumber: 2000
>> > givenName: Benjamin
>> > homeDirectory: /home/bhall
>> > l: sunnyvale
>> > mail: bh...@anuj.com
>> > manager: uid=trigden,ou=People,dc=example,dc=com
>> > objectClass: top
>> > objectClass: account
>> > objectClass: posixaccount
>> > objectClass: inetOrgPerson
>> > objectClass: organizationalPerson
>> > objectClass: nsMemberOf
>> > objectClass: nsAccount
>> > objectClass: person
>> > ou: Product Development
>> > ou: People
>> > roomNumber: 2511
>> > sn: Hall
>> > te
[389-devel] Re: Groups are not accessible by filter
@William Brown
Thank you for the clarification.
Regards
Anuj Borah
On Thu, May 9, 2019 at 8:57 AM William Brown wrote:
>
>
> > On 9 May 2019, at 12:47, Anuj Borah wrote:
> >
> > @William Brown
> >
> > I am attaching the main script where i am facing the problem .
> >
> > F4 gives me the following :
> >
> > With search_s:
> >
> > (Pdb) topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, F4)
> > [dn: uid=bhall,ou=People,dc=example,dc=com
> > cn: Benjamin Hall
> > gidNumber: 2000
> > givenName: Benjamin
> > homeDirectory: /home/bhall
> > l: sunnyvale
> > mail: bh...@anuj.com
> > manager: uid=trigden,ou=People,dc=example,dc=com
> > objectClass: top
> > objectClass: account
> > objectClass: posixaccount
> > objectClass: inetOrgPerson
> > objectClass: organizationalPerson
> > objectClass: nsMemberOf
> > objectClass: nsAccount
> > objectClass: person
> > ou: Product Development
> > ou: People
> > roomNumber: 2511
> > sn: Hall
> > telephoneNumber: +1 408 555 6067
> > uid: bhall
> > uidNumber: 1000
> > userPassword:
> {PBKDF2_SHA256}AAAIAAlpB8Yaw03XDVfXkH++eiCaugb3D660gbb6xBE3dkSCXOiCVqvM80dTPhPuSBISkY8IWJZgZXXoDt54brqRweEpqZ4YPrMTtqBAd/2kCsX+ZRM9phJLZFd9k7bIAM3joCnxVPFwyR1ETDSHkes0RSql7Isi+oKb8dloC+m5vzj1NG1M/o0TxdICTMxIBvuln+BdANOS9waGyqJgZfZBnQfw2t3lHOKXFxiduaWSZJvwVV8JtYkHt/ofdmqKItayc00eG6EM44qPS19XZa+3drTADPkL7HNAVhMHg1Y8iIWIXKvlZ7WJ1V/ySrHL6SU6XzcXtMNjBT/qi+GCHpu2Bc+Ka2C0iUZwY5ZiJ7YUANa3UYxh6oIVUgKNVmX+4CkJczJLcEgoI43zFCFnFsjtNHYwflPuIPFtwaXvgeBojItZ
> >
> > ]
> >
> > With filter:
> >
> > (Pdb) Accounts(topo.standalone, DEFAULT_SUFFIX).filter(F4)[0].dn
> > 'uid=bhall,ou=People,dc=example,dc=com'
> > (Pdb) Accounts(topo.standalone,
> DEFAULT_SUFFIX).filter(F4)[0]._unsafe_raw_entry()
> > dn: uid=bhall,ou=People,dc=example,dc=com
> > cn: Benjamin Hall
> > gidNumber: 2000
> > givenName: Benjamin
> > homeDirectory: /home/bhall
> > l: sunnyvale
> > mail: bh...@anuj.com
> > manager: uid=trigden,ou=People,dc=example,dc=com
> > objectClass: top
> > objectClass: account
> > objectClass: posixaccount
> > objectClass: inetOrgPerson
> > objectClass: organizationalPerson
> > objectClass: nsMemberOf
> > objectClass: nsAccount
> > objectClass: person
> > ou: Product Development
> > ou: People
> > roomNumber: 2511
> > sn: Hall
> > telephoneNumber: +1 408 555 6067
> > uid: bhall
> > uidNumber: 1000
> > userPassword:
> {PBKDF2_SHA256}AAAIAAlpB8Yaw03XDVfXkH++eiCaugb3D660gbb6xBE3dkSCXOiCVqvM80dTPhPuSBISkY8IWJZgZXXoDt54brqRweEpqZ4YPrMTtqBAd/2kCsX+ZRM9phJLZFd9k7bIAM3joCnxVPFwyR1ETDSHkes0RSql7Isi+oKb8dloC+m5vzj1NG1M/o0TxdICTMxIBvuln+BdANOS9waGyqJgZfZBnQfw2t3lHOKXFxiduaWSZJvwVV8JtYkHt/ofdmqKItayc00eG6EM44qPS19XZa+3drTADPkL7HNAVhMHg1Y8iIWIXKvlZ7WJ1V/ySrHL6SU6XzcXtMNjBT/qi+GCHpu2Bc+Ka2C0iUZwY5ZiJ7YUANa3UYxh6oIVUgKNVmX+4CkJczJLcEgoI43zFCFnFsjtNHYwflPuIPFtwaXvgeBojItZ
> >
> > Now consider the following condition ,
> >
> > (Pdb) topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE,
> F4,['modifiersName','modifyTimestamp'])
> > [dn: uid=bhall,ou=People,dc=example,dc=com
> > modifiersName: cn=directory manager
> > modifyTimestamp: 20190509030743Z
> >
> > ]
> >
> > Problem is :
> > modifiersName and modifyTimestamp can never get with filter .
>
>
> This is not the fault of the filter, but the fault of how you are treating
> these objects. Filter tells you *what entries to find* not what attributes
> to get from them. To get specific attributes you have to interact with the
> results of the filter search.
>
> I have formerly mentioned you can assign the results of searches such as:
>
> bhall_account = Accounts(...).filter(F4)[0]
>
> bhall_account is now an Instance of the Account object, which itself is
> DSLdapObject. Now you have the entry, you can access attributes of it.
>
> values =
> bhall_account.get_attrs_vals_utf8(['modifiersName','modifyTimestamp'])
> print(values)
>
> Should be:
>
> {
>"modifiersName": '...',
>"modifyTimestamp": '...',
> }
>
> I don't know why you still are afraid to assign results from the searches.
> Fundamentally: DSLdapObjects (and it's subclasses) is the SET of all
> possible entries, and the gateway to searching. It returns instances of
> DSLdapObject, that allow direct inspection and manipulation of that
> data from the entry. I am worried that there is a still a deep
> misunderstanding of the API and how to use it, which is causing these
> problems (and odd accusations ...)
[389-devel] Re: Groups are not accessible by filter
Ok, I will check.
Thanks
On Tue, May 7, 2019 at 8:21 AM William Brown wrote:
>
> > On 7 May 2019, at 11:31, Anuj Borah wrote:
> >
> > @William Brown
> >
> > Actually my concern was as bellow:
> >
> > topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, F4, ['cn',
> 'cn', 'cn'])
> > >>[dn: uid=bhall,ou=People,dc=example,dc=com
> > cn: Benjamin Hall
> >
> > ]
> >
> > Question: Can we use these filter directly in filter module. --->>
> like Accounts().filter(F4, ['cn', 'cn', 'cn'])
> >
> > As this works :
> > (Pdb) Accounts(topo.standalone, DEFAULT_SUFFIX).filter(F4)
> > []
> >
> > But this does not work:
> > (Pdb) Accounts(topo.standalone, DEFAULT_SUFFIX).filter((&(F4)(['cn',
> 'cn', 'cn'])))
> > *** SyntaxError: invalid syntax
>
> ^ it says invalid syntax because your F4, (...) is not vaild. You should
> rethink this part of the statement ...
>
> >
> >
> > And these filter as bellow.
> >
> > topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, F10,
> ['mailquota', 'nsRoleDN'])
> > >> [dn: uid=mtyler,ou=People,dc=example,dc=com
> > mailquota: 600
> > nsRoleDN: cn=new managed role,ou=People,dc=example,dc=com
> >
> > ]
> >
> > Question these filter also: >>>> Accounts(...).filter(F10,
> ['mailquota', 'nsRoleDN'])
>
> As above.
>
> Try doing:
>
> next_filter = F4, (...)
> Account(...).filter(next_filter).
>
> Is that valid? Why? Why not? What do you need to do to make it valid?
>
> >
> > Regards
> > Anuj Borah
> >
> > On Tue, May 7, 2019 at 5:22 AM William Brown wrote:
> > You are missing a key part of the question again: "Is there any chance
> we can use these filters TO GET lib389 objects of the type X".
> >
> > So for example:
> >
> > > On 3 May 2019, at 17:12, Anuj Borah wrote:
> > >
> > > @William Brown
> > >
> > > Are there any chance we can use these filter with filter module
> directly .
> > >
> > > F1 = "(sn=Hall)"
> >
> > If you do:
> >
> > Groups(...).filter("sn=hall")
> >
> > No because it doesn't make sense for a group to match this.
> >
> > If you did:
> >
> > Person(...).filter("sn=hall")
> >
> > Yes! it would work.
> >
> > > F2 = "(nsRoleDN=cn=new managed role)"
> >
> > Groups(...).filter(nsRoleDn=...)
> >
> > Again, doesn't make sense. But:
> >
> > Accounts(...).filter(nsRoleDn=...)
> >
> > Would make sense, to show all Accounts that are part of the role.
> >
> > > F3 = "(l=sunnyvale)"
> >
> > Here, l= would make sense on things like:
> >
> > OrganisationUnits().filter("l=...")
> > Person("l=...")
> >
> > > F4 = "(& (| {} {}) {})".format(F2, F1, F3)
> > > F10 = "(& {} {})".format(F6, F9)
> >
> > Provdide the type you WANT would satisfy these conditions, yes.
> >
> > But you would be better to do:
> >
> > F4 = (&(cond)(cond)(cond))
> >
> > Rather than str sub. Alternately, use gen_filter.
> >
> >
> >
> > So again - you are missing a key element of the question, which is "is
> this filter suitable to get objects of the type I need to work with".
> Lib389 doesn't think like "just search and get generic things" it thinks as
> "search and get strongly typed objects".
> >
> > >
> > > topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, F4,
> ['cn', 'cn', 'cn'])
> > > >>[dn: uid=bhall,ou=People,dc=example,dc=com
> > > cn: Benjamin Hall
> > >
> > > ]
> > >
> > > topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, F10,
> ['mailquota', 'nsRoleDN'])
> > > >> [dn: uid=mtyler,ou=People,dc=example,dc=com
> > > mailquota: 600
> > > nsRoleDN: cn=new managed role,ou=People,dc=example,dc=com
> > >
> > > ]
> > >
> > > Regards
> > > Anuj Borah
> > >
> > > On Mon, Apr 29, 2019 at 12:29 PM Anuj Borah wrote:
> > > Yes, it is.
> > >
> > > On Mon, Apr 29, 2019 at 11:17 AM William Brown wrote:
> > >
> > >
> > > > On 29 Apr 2019, at 15:00, Anuj Borah wrote:
> > > >
> > > > @William Brown
> > > >
> > > > Sorry my bad , syntax was wrong .
> > > &g
[389-devel] Re: Groups are not accessible by filter
@William Brown
Are there any chance we can use these filter with filter module directly .
F1 = "(sn=Hall)"
F2 = "(nsRoleDN=cn=new managed role)"
F3 = "(l=sunnyvale)"
F4 = "(& (| {} {}) {})".format(F2, F1, F3)
F10 = "(& {} {})".format(F6, F9)
topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, F4, ['cn',
'cn', 'cn'])
>>[dn: uid=bhall,ou=People,dc=example,dc=com
cn: Benjamin Hall
]
topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, F10,
['mailquota', 'nsRoleDN'])
>> [dn: uid=mtyler,ou=People,dc=example,dc=com
mailquota: 600
nsRoleDN: cn=new managed role,ou=People,dc=example,dc=com
]
Regards
Anuj Borah
On Mon, Apr 29, 2019 at 12:29 PM Anuj Borah wrote:
> Yes, it is.
>
> On Mon, Apr 29, 2019 at 11:17 AM William Brown wrote:
>
>>
>>
>> > On 29 Apr 2019, at 15:00, Anuj Borah wrote:
>> >
>> > @William Brown
>> >
>> > Sorry my bad , syntax was wrong .
>> >
>> > (Pdb) len(Accounts(topo.standalone,
>> DEFAULT_SUFFIX).filter("(testUserAccountControl:1.2.840.113556.1.4.803:=8388608,
>> ['attrlist=cn:sn:uid:testUserAccountControl'])"))
>> > 6
>> >
>> > Thanks .
>> >
>> >
>> > On Mon, Apr 29, 2019 at 10:26 AM Anuj Borah wrote:
>> > @William Brown
>> >
>> > This is the filter :
>> "testUserAccountControl:1.2.840.113556.1.4.803:=8388608",
>> ['attrlist=cn:sn:uid:testUserAccountControl']
>> >
>> > len(topo.standalone.search_s(DEFAULT_SUFFIX,
>> ldap.SCOPE_SUBTREE,"testUserAccountControl:1.2.840.113556.1.4.803:=8388608",
>> ['attrlist=cn:sn:uid:testUserAccountControl'])) --- Thid one works .
>> > > 6
>> >
>> > But the full filter does not fit with filter module .
>> >
>> > > (Pdb) len(Accounts(topo.standalone,
>> DEFAULT_SUFFIX).filter("(testUserAccountControl:1.2.840.113556.1.4.803:=8388608)",
>> ['attrlist=cn:sn:uid:testUserAccountControl']))
>> > > *** TypeError: filter() takes 2 positional arguments but 3 were given
>> > > (Pdb) len(Accounts(topo.standalone,
>> DEFAULT_SUFFIX).filter("(testUserAccountControl:1.2.840.113556.1.4.803:=8388608),
>> ['attrlist=cn:sn:uid:testUserAccountControl']"))
>> > > *** ldap.FILTER_ERROR: {'desc': 'Bad search filter', 'errno': 2,
>> 'info': 'No such file or directory'}
>> >
>> >
>> > Regards
>> > Anuj Borah
>> >
>>
>> That filter string seems really … uhh, interesting. You are testing:
>>
>> (testUserAccountControl:1.2.840.113556.1.4.803:=8388608,
>> ['attrlist=cn:sn:uid:testUserAccountControl’])
>>
>> Is that really a valid filter?
>>
>>
>> —
>> Sincerely,
>>
>> William Brown
>>
>> Senior Software Engineer, 389 Directory Server
>> SUSE Labs
>>
>>
___
389-devel mailing list -- 389-devel@lists.fedoraproject.org
To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
[389-devel] Re: Please review
Hi Simon , Rebsed onto master . Regards Anuj Borah On Tue, Apr 30, 2019 at 3:54 PM Simon Pichugin wrote: > On Tue, Apr 30, 2019 at 02:15:55PM +0530, Anuj Borah wrote: > >Hi all, > Hi Anuj, > > >Please review these PRs. > >Pending from Long Time. > >[1]https://pagure.io/389-ds-base/pull-request/50180 > >[2]https://pagure.io/389-ds-base/pull-request/50192 > Could you please rebase them onto master? > > Thanks, > Simon > > >Regards > >Anuj Borah > > > > References > > > >1. https://pagure.io/389-ds-base/pull-request/50180 > >2. https://pagure.io/389-ds-base/pull-request/50192 > > > ___ > > 389-devel mailing list -- 389-devel@lists.fedoraproject.org > > To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: > https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org > > ___ > 389-devel mailing list -- 389-devel@lists.fedoraproject.org > To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org > ___ 389-devel mailing list -- 389-devel@lists.fedoraproject.org To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
[389-devel] Please review
Hi all, Please review these PRs. Pending from Long Time. https://pagure.io/389-ds-base/pull-request/50180 https://pagure.io/389-ds-base/pull-request/50192 Regards Anuj Borah ___ 389-devel mailing list -- 389-devel@lists.fedoraproject.org To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
[389-devel] Re: Groups are not accessible by filter
Yes, it is.
On Mon, Apr 29, 2019 at 11:17 AM William Brown wrote:
>
>
> > On 29 Apr 2019, at 15:00, Anuj Borah wrote:
> >
> > @William Brown
> >
> > Sorry my bad , syntax was wrong .
> >
> > (Pdb) len(Accounts(topo.standalone,
> DEFAULT_SUFFIX).filter("(testUserAccountControl:1.2.840.113556.1.4.803:=8388608,
> ['attrlist=cn:sn:uid:testUserAccountControl'])"))
> > 6
> >
> > Thanks .
> >
> >
> > On Mon, Apr 29, 2019 at 10:26 AM Anuj Borah wrote:
> > @William Brown
> >
> > This is the filter :
> "testUserAccountControl:1.2.840.113556.1.4.803:=8388608",
> ['attrlist=cn:sn:uid:testUserAccountControl']
> >
> > len(topo.standalone.search_s(DEFAULT_SUFFIX,
> ldap.SCOPE_SUBTREE,"testUserAccountControl:1.2.840.113556.1.4.803:=8388608",
> ['attrlist=cn:sn:uid:testUserAccountControl'])) --- Thid one works .
> > > 6
> >
> > But the full filter does not fit with filter module .
> >
> > > (Pdb) len(Accounts(topo.standalone,
> DEFAULT_SUFFIX).filter("(testUserAccountControl:1.2.840.113556.1.4.803:=8388608)",
> ['attrlist=cn:sn:uid:testUserAccountControl']))
> > > *** TypeError: filter() takes 2 positional arguments but 3 were given
> > > (Pdb) len(Accounts(topo.standalone,
> DEFAULT_SUFFIX).filter("(testUserAccountControl:1.2.840.113556.1.4.803:=8388608),
> ['attrlist=cn:sn:uid:testUserAccountControl']"))
> > > *** ldap.FILTER_ERROR: {'desc': 'Bad search filter', 'errno': 2,
> 'info': 'No such file or directory'}
> >
> >
> > Regards
> > Anuj Borah
> >
>
> That filter string seems really … uhh, interesting. You are testing:
>
> (testUserAccountControl:1.2.840.113556.1.4.803:=8388608,
> ['attrlist=cn:sn:uid:testUserAccountControl’])
>
> Is that really a valid filter?
>
>
> —
> Sincerely,
>
> William Brown
>
> Senior Software Engineer, 389 Directory Server
> SUSE Labs
>
>
___
389-devel mailing list -- 389-devel@lists.fedoraproject.org
To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
[389-devel] Re: Groups are not accessible by filter
@William Brown
Sorry my bad , syntax was wrong .
(Pdb) len(Accounts(topo.standalone,
DEFAULT_SUFFIX).filter("(testUserAccountControl:1.2.840.113556.1.4.803:=8388608,
['attrlist=cn:sn:uid:testUserAccountControl'])"))
6
Thanks .
On Mon, Apr 29, 2019 at 10:26 AM Anuj Borah wrote:
> @William Brown
>
> This is the filter :
> "testUserAccountControl:1.2.840.113556.1.4.803:=8388608",
> ['attrlist=cn:sn:uid:testUserAccountControl']
>
> len(topo.standalone.search_s(DEFAULT_SUFFIX,
> ldap.SCOPE_SUBTREE,"testUserAccountControl:1.2.840.113556.1.4.803:=8388608",
> ['attrlist=cn:sn:uid:testUserAccountControl'])) --- Thid one works .
> > 6
>
> But the full filter does not fit with filter module .
>
> > (Pdb) len(Accounts(topo.standalone,
> DEFAULT_SUFFIX).filter("(testUserAccountControl:1.2.840.113556.1.4.803:=8388608)",
> ['attrlist=cn:sn:uid:testUserAccountControl']))
> > *** TypeError: filter() takes 2 positional arguments but 3 were given
> > (Pdb) len(Accounts(topo.standalone,
> DEFAULT_SUFFIX).filter("(testUserAccountControl:1.2.840.113556.1.4.803:=8388608),
> ['attrlist=cn:sn:uid:testUserAccountControl']"))
> > *** ldap.FILTER_ERROR: {'desc': 'Bad search filter', 'errno': 2, 'info':
> 'No such file or directory'}
>
>
> Regards
> Anuj Borah
>
>
>
>
>
>
> On Mon, Apr 29, 2019 at 10:17 AM William Brown wrote:
>
>>
>>
>> > On 29 Apr 2019, at 12:33, Anuj Borah wrote:
>> >
>> > @William Brown
>> >
>> > Thanks for the tip!
>> >
>> > (Pdb) len(topo.standalone.search_s(DEFAULT_SUFFIX,
>> ldap.SCOPE_SUBTREE,"testUserAccountControl:1.2.840.113556.1.4.803:=8388608",
>> ['attrlist=cn:sn:uid:testUserAccountControl']))
>> > 6
>> > (Pdb) len(Accounts(topo.standalone,
>> DEFAULT_SUFFIX).filter("(testUserAccountControl:1.2.840.113556.1.4.803:=8388608)"))
>> > 6
>> >
>> > We cant not mix up ['attrlist=cn:sn:uid:testUserAccountControl'] with
>> filter , like we do with search_s .
>> >
>> > (Pdb) len(Accounts(topo.standalone,
>> DEFAULT_SUFFIX).filter("(testUserAccountControl:1.2.840.113556.1.4.803:=8388608)",
>> ['attrlist=cn:sn:uid:testUserAccountControl']))
>> > *** TypeError: filter() takes 2 positional arguments but 3 were given
>> > (Pdb) len(Accounts(topo.standalone,
>> DEFAULT_SUFFIX).filter("(testUserAccountControl:1.2.840.113556.1.4.803:=8388608),
>> ['attrlist=cn:sn:uid:testUserAccountControl']"))
>> > *** ldap.FILTER_ERROR: {'desc': 'Bad search filter', 'errno': 2,
>> 'info': 'No such file or directory'}
>> >
>> > Again i have to use "re" module for the same .
>> >
>> >
>>
>> What are you trying to achieve?
>>
>>
>> Sincerely,
>>
>> William Brown
>>
>> Senior Software Engineer, 389 Directory Server
>> SUSE Labs
>>
>>
___
389-devel mailing list -- 389-devel@lists.fedoraproject.org
To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
[389-devel] Re: Groups are not accessible by filter
@William Brown
This is the filter :
"testUserAccountControl:1.2.840.113556.1.4.803:=8388608",
['attrlist=cn:sn:uid:testUserAccountControl']
len(topo.standalone.search_s(DEFAULT_SUFFIX,
ldap.SCOPE_SUBTREE,"testUserAccountControl:1.2.840.113556.1.4.803:=8388608",
['attrlist=cn:sn:uid:testUserAccountControl'])) --- Thid one works .
> 6
But the full filter does not fit with filter module .
> (Pdb) len(Accounts(topo.standalone,
DEFAULT_SUFFIX).filter("(testUserAccountControl:1.2.840.113556.1.4.803:=8388608)",
['attrlist=cn:sn:uid:testUserAccountControl']))
> *** TypeError: filter() takes 2 positional arguments but 3 were given
> (Pdb) len(Accounts(topo.standalone,
DEFAULT_SUFFIX).filter("(testUserAccountControl:1.2.840.113556.1.4.803:=8388608),
['attrlist=cn:sn:uid:testUserAccountControl']"))
> *** ldap.FILTER_ERROR: {'desc': 'Bad search filter', 'errno': 2, 'info':
'No such file or directory'}
Regards
Anuj Borah
On Mon, Apr 29, 2019 at 10:17 AM William Brown wrote:
>
>
> > On 29 Apr 2019, at 12:33, Anuj Borah wrote:
> >
> > @William Brown
> >
> > Thanks for the tip!
> >
> > (Pdb) len(topo.standalone.search_s(DEFAULT_SUFFIX,
> ldap.SCOPE_SUBTREE,"testUserAccountControl:1.2.840.113556.1.4.803:=8388608",
> ['attrlist=cn:sn:uid:testUserAccountControl']))
> > 6
> > (Pdb) len(Accounts(topo.standalone,
> DEFAULT_SUFFIX).filter("(testUserAccountControl:1.2.840.113556.1.4.803:=8388608)"))
> > 6
> >
> > We cant not mix up ['attrlist=cn:sn:uid:testUserAccountControl'] with
> filter , like we do with search_s .
> >
> > (Pdb) len(Accounts(topo.standalone,
> DEFAULT_SUFFIX).filter("(testUserAccountControl:1.2.840.113556.1.4.803:=8388608)",
> ['attrlist=cn:sn:uid:testUserAccountControl']))
> > *** TypeError: filter() takes 2 positional arguments but 3 were given
> > (Pdb) len(Accounts(topo.standalone,
> DEFAULT_SUFFIX).filter("(testUserAccountControl:1.2.840.113556.1.4.803:=8388608),
> ['attrlist=cn:sn:uid:testUserAccountControl']"))
> > *** ldap.FILTER_ERROR: {'desc': 'Bad search filter', 'errno': 2, 'info':
> 'No such file or directory'}
> >
> > Again i have to use "re" module for the same .
> >
> >
>
> What are you trying to achieve?
>
>
> Sincerely,
>
> William Brown
>
> Senior Software Engineer, 389 Directory Server
> SUSE Labs
>
>
___
389-devel mailing list -- 389-devel@lists.fedoraproject.org
To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
[389-devel] Re: Groups are not accessible by filter
@William Brown Thank you for the clarification. Same thing was writing in the second mail of this mail chain . I was missing the use case UniqueGroup(…).filter(). What about bellow filters . Can we use filter here also . topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, '(& (| (nsRoleDN=cn=new managed role) (sn=Hall)) (l=sunnyvale))', ['cn', 'cn', 'cn']) topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, '(& (| (nsRoleDN=cn=new managed role) (sn=Hall)) (l=sunnyvale))', ['*', 'cn']) And This one . topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE,"testUserAccountControl:1.2.840.113556.1.4.804:=16777216",['attrlist=cn:sn:uid:testUserAccountControl']) Regards Anuj Borah On Mon, Apr 29, 2019 at 7:38 AM William Brown wrote: > > > > On 29 Apr 2019, at 11:53, Anuj Borah wrote: > > > > @William Brown > > > > The space did not make any difference . Look at bellow result . > > > > (Pdb) i > > '(uniquemember=uid=kvaughan,ou=People,dc=example,dc=com)' > > (Pdb) Accounts(topo.standalone, DEFAULT_SUFFIX).filter(i) > > ^ Because you are using the wrong class. > > Filter will wrap your call because you are filtering over the set of > Accounts, not “generic searching”. If you want to search a group > OfUniqueNames, you need: > > UniqueGroup(…).filter(). > > Have a look at _mapped_object.py in def filter and youll see it does: > > def filter(self, search): > # This will yield and & filter for objectClass with as many terms > as needed. > search_filter = _gen_and([self._get_objectclass_filter(),search]) > > IE, your search of “uniqueMember=…” is then inserted such that: > > (&(objectClass=groupOfUniqueNames)(uniqueMember=…)) > > Because you are using Accounts, this is doing: > > (&(|(objectClass=nsAccount)(objectClass=person)…) (uniqueMember=…)) > > Which of course won’t find anything in a group, because Accounts are not > Groups. > > > So in fact, lib389 is doing exactly the right thing here, by saying “no, > your search is not safe or sane, so you don’t get any results”. Lib389 is > designed to prevent you making mistakes, and so will error or do nothing in > the cases where something is wrong, rather than allow a corruption or odd > behaviour to occur. > > > > > — > Sincerely, > > William Brown > > Senior Software Engineer, 389 Directory Server > SUSE Labs > > ___ 389-devel mailing list -- 389-devel@lists.fedoraproject.org To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
[389-devel] Re: Groups are not accessible by filter
@William Brown
The space did not make any difference . Look at bellow result .
(Pdb) i
'(uniquemember=uid=kvaughan,ou=People,dc=example,dc=com)'
(Pdb) Accounts(topo.standalone, DEFAULT_SUFFIX).filter(i)
[]
(Pdb) topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, i)
[dn: cn=Accounting Managers,ou=Groups,dc=example,dc=com
cn: Accounting Managers
description: People who can manage accounting entries
objectClass: top
objectClass: groupOfUniqueNames
ou: groups
uniqueMember: cn=Directory Manager
uniqueMember: uid=scarter,ou=People,dc=example,dc=com
uniqueMember: uid=tmorris,ou=People,dc=example,dc=com
uniqueMember: uid=kvaughan,ou=People,dc=example,dc=com
uniqueMember: uid=rdaugherty,ou=People,dc=example,dc=com
uniqueMember: uid=hmiller,ou=People,dc=example,dc=com
, dn: cn=HR Managers,ou=Groups,dc=example,dc=com
cn: HR Managers
description: People who can manage HR entries
objectClass: top
objectClass: groupOfUniqueNames
ou: groups
uniqueMember: cn=Directory Manager
uniqueMember: uid=kvaughan,ou=People,dc=example,dc=com
uniqueMember: uid=cschmith,ou=People,dc=example,dc=com
]
My point of this mail is that we need to make some modification to the
filter module so that it can completely replace search_s , till now we cant
use filter as replacement of search_s. Check out bellow condition also .
topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, '(& (|
(nsRoleDN=cn=new managed role) (sn=Hall)) (l=sunnyvale))', ['cn', 'cn',
'cn'])
topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, '(& (|
(nsRoleDN=cn=new managed role) (sn=Hall)) (l=sunnyvale))', ['*', 'cn'])
And This one .
topo.standalone.search_s(DEFAULT_SUFFIX,
ldap.SCOPE_SUBTREE,"testUserAccountControl:1.2.840.113556.1.4.804:=16777216",['attrlist=cn:sn:uid:testUserAccountControl'])
There is no way we can use filter for the above cases .
Regards
Anuj Borah
On Mon, Apr 29, 2019 at 4:41 AM William Brown wrote:
>
>
> > On 26 Apr 2019, at 01:56, Anuj Borah wrote:
> >
> > @Ludwig
> >
> > Under the same condition .
> >
> > Accounts(topo.standalone,
> DEFAULT_SUFFIX).filter('(uniquemember=uid=kvaughan, ou=People,
> dc=example,dc=com)') >>> gives 0 result . (From filter script)
> >
> >
> > (Pdb) topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE,
> '(uniquemember=uid=kvaughan,ou=People,dc=example,dc=com)') >>> gives
> 2 result (From search_s script)
>
>
>
> These filters are not the same. There is a “ “ between , and ou=People.
>
>
> >
>
> —
> Sincerely,
>
> William Brown
>
> Senior Software Engineer, 389 Directory Server
> SUSE Labs
> ___
> 389-devel mailing list -- 389-devel@lists.fedoraproject.org
> To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
>
___
389-devel mailing list -- 389-devel@lists.fedoraproject.org
To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
[389-devel] Re: Groups are not accessible by filter
@Ludwig
Under the same condition .
Accounts(topo.standalone,
DEFAULT_SUFFIX).filter('(uniquemember=uid=kvaughan, ou=People,
dc=example,dc=com)') >>> gives 0 result . (From filter script)
(Pdb) topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE,
'(uniquemember=uid=kvaughan,ou=People,dc=example,dc=com)') >>> gives
2 result (From search_s script)
[dn: cn=Accounting Managers,ou=Groups,dc=example,dc=com
cn: Accounting Managers
description: People who can manage accounting entries
objectClass: top
objectClass: groupOfUniqueNames
ou: groups
uniqueMember: cn=Directory Manager
uniqueMember: uid=scarter,ou=People,dc=example,dc=com
uniqueMember: uid=tmorris,ou=People,dc=example,dc=com
uniqueMember: uid=kvaughan,ou=People,dc=example,dc=com
uniqueMember: uid=rdaugherty,ou=People,dc=example,dc=com
uniqueMember: uid=hmiller,ou=People,dc=example,dc=com
, dn: cn=HR Managers,ou=Groups,dc=example,dc=com
cn: HR Managers
description: People who can manage HR entries
objectClass: top
objectClass: groupOfUniqueNames
ou: groups
uniqueMember: cn=Directory Manager
uniqueMember: uid=kvaughan,ou=People,dc=example,dc=com
uniqueMember: uid=cschmith,ou=People,dc=example,dc=com
This is the problem .
Regards
On Thu, Apr 25, 2019 at 9:14 PM Ludwig wrote:
>
>
> On 04/25/2019 05:38 PM, Anuj Borah wrote:
>
> @Ludwig
>
> Try running these Two scrips one is with filter and other is with
> search_s.
>
> I will then also get different results, but you need to clarify what is
> "correct" and what not, if it is in what is sent to the server or what is
> done with handling the results
>
>
> Problem is with search_s i am getting correct result , where with filter
> wrong result.
>
> Regards
> Anuj Borah
>
>
>
>
> On Thu, Apr 25, 2019 at 8:30 PM Ludwig wrote:
>
>> what is your problem ? the searches in both access logs produce the same
>> results:
>>
>>
>> grep nentries /tmp/access_with* | grep tag=101
>> /tmp/access_with_filter:[25/Apr/2019:08:36:36.560467098 +] conn=1
>> op=148 RESULT err=0 tag=101 nentries=3 etime=0.399837
>> /tmp/access_with_filter:[25/Apr/2019:08:36:36.562926674 +] conn=1
>> op=149 RESULT err=0 tag=101 nentries=9 etime=0.452772
>> /tmp/access_with_filter:[25/Apr/2019:08:36:36.565416724 +] conn=1
>> op=150 RESULT err=0 tag=101 nentries=8 etime=0.416033
>> /tmp/access_with_filter:[25/Apr/2019:08:36:36.567629593 +] conn=1
>> op=151 RESULT err=0 tag=101 nentries=2 etime=0.350486
>> /tmp/access_with_filter:[25/Apr/2019:08:36:36.569782885 +] conn=1
>> op=152 RESULT err=0 tag=101 nentries=4 etime=0.350236
>> /tmp/access_with_filter:[25/Apr/2019:08:36:36.571945045 +] conn=1
>> op=153 RESULT err=0 tag=101 nentries=7 etime=0.367961
>> /tmp/access_with_filter:[25/Apr/2019:08:36:36.53550 +] conn=1
>> op=154 RESULT err=0 tag=101 nentries=7 etime=0.0004031631
>> /tmp/access_with_filter:[25/Apr/2019:08:36:36.579866766 +] conn=1
>> op=155 RESULT err=0 tag=101 nentries=3 etime=0.274951
>> /tmp/access_with_filter:[25/Apr/2019:08:36:36.581771337 +] conn=1
>> op=156 RESULT err=0 tag=101 nentries=3 etime=0.312338
>> /tmp/access_with_filter:[25/Apr/2019:08:36:36.583848484 +] conn=1
>> op=157 RESULT err=0 tag=101 nentries=3 etime=0.1999656509
>> /tmp/access_with_filter:[25/Apr/2019:08:36:36.587570224 +] conn=1
>> op=158 RESULT err=0 tag=101 nentries=121 etime=0.0001897405
>> /tmp/access_with_filter:[25/Apr/2019:08:36:36.591514384 +] conn=1
>> op=159 RESULT err=0 tag=101 nentries=2 etime=0.319819
>> /tmp/access_with_filter:[25/Apr/2019:08:36:36.593657986 +] conn=1
>> op=160 RESULT err=0 tag=101 nentries=3 etime=0.285626
>> /tmp/access_with_filter:[25/Apr/2019:08:36:36.595880861 +] conn=1
>> op=161 RESULT err=0 tag=101 nentries=4 etime=0.356436
>> /tmp/access_with_filter:[25/Apr/2019:08:36:36.602518935 +] conn=1
>> op=162 RESULT err=0 tag=101 nentries=120 etime=0.0004828401
>> /tmp/access_with_filter:[25/Apr/2019:08:36:36.611163994 +] conn=1
>> op=163 RESULT err=0 tag=101 nentries=120 etime=0.0004651831
>> /tmp/access_with_filter:[25/Apr/2019:08:36:36.640014117 +] conn=1
>> op=166 RESULT err=0 tag=101 nentries=2 etime=0.711662
>> /tmp/access_with_search_s:[25/Apr/2019:08:56:30.910324404 +] conn=1
>> op=148 RESULT err=0 tag=101 nentries=3 etime=0.351385
>> /tmp/access_with_search_s:[25/Apr/2019:08:56:30.912317892 +] conn=1
>> op=149 RESULT err=0 tag=101 nentries=9 etime=0.358365
>> /tmp/access_with_search_s:[25/Apr/2019:08:56:30.914679657 +] conn=1
>> op=150 RESULT err=0 tag=101 nentries=8 etime=0.430844
[389-devel] Re: Groups are not accessible by filter
@Ludwig Try running these Two scrips one is with filter and other is with search_s. Problem is with search_s i am getting correct result , where with filter wrong result. Regards Anuj Borah On Thu, Apr 25, 2019 at 8:30 PM Ludwig wrote: > what is your problem ? the searches in both access logs produce the same > results: > > > grep nentries /tmp/access_with* | grep tag=101 > /tmp/access_with_filter:[25/Apr/2019:08:36:36.560467098 +] conn=1 > op=148 RESULT err=0 tag=101 nentries=3 etime=0.399837 > /tmp/access_with_filter:[25/Apr/2019:08:36:36.562926674 +] conn=1 > op=149 RESULT err=0 tag=101 nentries=9 etime=0.452772 > /tmp/access_with_filter:[25/Apr/2019:08:36:36.565416724 +] conn=1 > op=150 RESULT err=0 tag=101 nentries=8 etime=0.416033 > /tmp/access_with_filter:[25/Apr/2019:08:36:36.567629593 +] conn=1 > op=151 RESULT err=0 tag=101 nentries=2 etime=0.350486 > /tmp/access_with_filter:[25/Apr/2019:08:36:36.569782885 +] conn=1 > op=152 RESULT err=0 tag=101 nentries=4 etime=0.350236 > /tmp/access_with_filter:[25/Apr/2019:08:36:36.571945045 +] conn=1 > op=153 RESULT err=0 tag=101 nentries=7 etime=0.367961 > /tmp/access_with_filter:[25/Apr/2019:08:36:36.53550 +] conn=1 > op=154 RESULT err=0 tag=101 nentries=7 etime=0.0004031631 > /tmp/access_with_filter:[25/Apr/2019:08:36:36.579866766 +] conn=1 > op=155 RESULT err=0 tag=101 nentries=3 etime=0.274951 > /tmp/access_with_filter:[25/Apr/2019:08:36:36.581771337 +] conn=1 > op=156 RESULT err=0 tag=101 nentries=3 etime=0.312338 > /tmp/access_with_filter:[25/Apr/2019:08:36:36.583848484 +] conn=1 > op=157 RESULT err=0 tag=101 nentries=3 etime=0.1999656509 > /tmp/access_with_filter:[25/Apr/2019:08:36:36.587570224 +] conn=1 > op=158 RESULT err=0 tag=101 nentries=121 etime=0.0001897405 > /tmp/access_with_filter:[25/Apr/2019:08:36:36.591514384 +] conn=1 > op=159 RESULT err=0 tag=101 nentries=2 etime=0.319819 > /tmp/access_with_filter:[25/Apr/2019:08:36:36.593657986 +] conn=1 > op=160 RESULT err=0 tag=101 nentries=3 etime=0.285626 > /tmp/access_with_filter:[25/Apr/2019:08:36:36.595880861 +] conn=1 > op=161 RESULT err=0 tag=101 nentries=4 etime=0.356436 > /tmp/access_with_filter:[25/Apr/2019:08:36:36.602518935 +] conn=1 > op=162 RESULT err=0 tag=101 nentries=120 etime=0.0004828401 > /tmp/access_with_filter:[25/Apr/2019:08:36:36.611163994 +] conn=1 > op=163 RESULT err=0 tag=101 nentries=120 etime=0.0004651831 > /tmp/access_with_filter:[25/Apr/2019:08:36:36.640014117 +] conn=1 > op=166 RESULT err=0 tag=101 nentries=2 etime=0.711662 > /tmp/access_with_search_s:[25/Apr/2019:08:56:30.910324404 +] conn=1 > op=148 RESULT err=0 tag=101 nentries=3 etime=0.351385 > /tmp/access_with_search_s:[25/Apr/2019:08:56:30.912317892 +] conn=1 > op=149 RESULT err=0 tag=101 nentries=9 etime=0.358365 > /tmp/access_with_search_s:[25/Apr/2019:08:56:30.914679657 +] conn=1 > op=150 RESULT err=0 tag=101 nentries=8 etime=0.430844 > /tmp/access_with_search_s:[25/Apr/2019:08:56:30.916847641 +] conn=1 > op=151 RESULT err=0 tag=101 nentries=2 etime=0.332474 > /tmp/access_with_search_s:[25/Apr/2019:08:56:30.918878872 +] conn=1 > op=152 RESULT err=0 tag=101 nentries=4 etime=0.341456 > /tmp/access_with_search_s:[25/Apr/2019:08:56:30.920965290 +] conn=1 > op=153 RESULT err=0 tag=101 nentries=7 etime=0.374608 > /tmp/access_with_search_s:[25/Apr/2019:08:56:30.926723170 +] conn=1 > op=154 RESULT err=0 tag=101 nentries=7 etime=0.0004056591 > /tmp/access_with_search_s:[25/Apr/2019:08:56:30.928637310 +] conn=1 > op=155 RESULT err=0 tag=101 nentries=3 etime=0.299780 > /tmp/access_with_search_s:[25/Apr/2019:08:56:30.930719687 +] conn=1 > op=156 RESULT err=0 tag=101 nentries=3 etime=0.296688 > /tmp/access_with_search_s:[25/Apr/2019:08:56:30.932751416 +] conn=1 > op=157 RESULT err=0 tag=101 nentries=3 etime=0.318958 > /tmp/access_with_search_s:[25/Apr/2019:08:56:30.936312042 +] conn=1 > op=158 RESULT err=0 tag=101 nentries=121 etime=0.0001861409 > /tmp/access_with_search_s:[25/Apr/2019:08:56:30.939996595 +] conn=1 > op=159 RESULT err=0 tag=101 nentries=2 etime=0.340760 > /tmp/access_with_search_s:[25/Apr/2019:08:56:30.942122456 +] conn=1 > op=160 RESULT err=0 tag=101 nentries=3 etime=0.309626 > /tmp/access_with_search_s:[25/Apr/2019:08:56:30.944215749 +] conn=1 > op=161 RESULT err=0 tag=101 nentries=4 etime=0.340311 > /tmp/access_with_search_s:[25/Apr/2019:08:56:30.950446188 +] conn=1 > op=162 RESULT err=0 tag=101 nentries=120 etime=0.0004499138 > /tmp/access_with_search_s:[25/Apr/2019:08:56:30.957921166 +] conn=1 > op=163 RESULT err=0 tag=101 nentries=120 etime=0.0004453
[389-devel] Re: Groups are not accessible by filter
@Ludwig
Attached the logs .
I have noticed , it happening due to _get_objectclass_filter() method in
filter of DSLdapObjects .
Accounts(topo.standalone, DEFAULT_SUFFIX)._objectclasses
['nsAccount', 'nsPerson', 'simpleSecurityObject', 'organization', 'person',
'account', 'organizationalUnit', 'netscapeServer', 'domain',
'posixAccount', 'shadowAccount', 'posixGroup', 'mailRecipient']
but the cn=Accounting Managers,ou=Groups,dc=example,dc=com has objectClass:
groupOfUniqueNames .
This may be the problem . You can not find any error in access logs as
naturally it does not have any error , its just empty results .
Regards
Anuj Borah
On Thu, Apr 25, 2019 at 12:39 PM Ludwig wrote:
> can you provide the access logs to show what searches were really done
>
> On 04/24/2019 12:23 PM, Anuj Borah wrote:
>
> Hi all,
>
> Please consider bellow condition .
>
> UserAccount(topo.standalone, 'cn=Accounting
> Managers,ou=groups,dc=example,dc=com').add('uniquemember', [
> 'uid=scarter, ou=People, dc=example,dc=com', 'uid=tmorris, ou=People,
> dc=example,dc=com', 'uid=kvaughan, ou=People, dc=example,dc=com',
> 'uid=rdaugherty, ou=People, dc=example,dc=com', 'uid=hmiller, ou=People,
> dc=example,dc=com'])
>
> UserAccount(topo.standalone, 'cn=HR
> Managers,ou=groups,dc=example,dc=com').add('uniquemember', [
> 'uid=kvaughan, ou=People, dc=example,dc=com', 'uid=cschmith, ou=People,
> dc=example,dc=com'])
>
>
> And try to add filter:
>
> With Filter: It fails gives 0 result for those involves Group
> 'cn=Accounting Managers,ou=groups,dc=example,dc=com' .
>
> for i in ['(uniquemember=uid=kvaughan,ou=People,dc=example,dc=com)',
> '(uniquemember=uid=rdaugherty, ou=People, dc=example,dc=com)',
> '(uniquemember=uid=hmiller, ou=People, dc=example,dc=com)',
> '(&(objectclass=inetorgperson)(uid=scarter))',
> '(&(objectclass=organizationalperson)(uid=scarter))',
> '(objectclass=inetorgperson)',
> '(&(objectclass=organizationalPerson)(sn=Jensen))',
> '(&(mail=*)(objectclass=organizationalPerson))', '(mail=*)',
>'(&(sn=Rentz)(objectclass=organizationalPerson))',
> '(&(sn=Ward)(sn=Ward))', '(sn=Jensen)', '(sn=*)',
> '(sn=*utz)']:
> assert Accounts(topo.standalone, DEFAULT_SUFFIX).filter(i)
>
>
> with search_s(Old Way): I gives correct results .
>
> for i in ['(uniquemember=uid=kvaughan,ou=People,dc=example,dc=com)',
> '(uniquemember=uid=rdaugherty, ou=People, dc=example,dc=com)',
> '(uniquemember=uid=hmiller, ou=People, dc=example,dc=com)',
> '(&(objectclass=inetorgperson)(uid=scarter))',
> '(&(objectclass=organizationalperson)(uid=scarter))',
> '(objectclass=inetorgperson)',
> '(&(objectclass=organizationalPerson)(sn=Jensen))',
> '(&(mail=*)(objectclass=organizationalPerson))', '(mail=*)',
> '(&(sn=Rentz)(objectclass=organizationalPerson))',
> '(&(sn=Ward)(sn=Ward))', '(sn=Jensen)', '(sn=*)',
> '(sn=*utz)']:
> assert topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, i)
>
>
>
> I have attached the test script too . Test
> test_various_combinations_of_filters_and_idlistscanlimit
>
> Regards
> Anuj Borah
>
>
>
>
>
> ___
> 389-devel mailing list -- 389-devel@lists.fedoraproject.org
> To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
>
>
> ___
> 389-devel mailing list -- 389-devel@lists.fedoraproject.org
> To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
>
access_with_filter
Description: Binary data
access_with_search_s
Description: Binary data
___
389-devel mailing list -- 389-devel@lists.fedoraproject.org
To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
[389-devel] Groups are not accessible by filter
Hi all,
Please consider bellow condition .
UserAccount(topo.standalone, 'cn=Accounting
Managers,ou=groups,dc=example,dc=com').add('uniquemember', [
'uid=scarter, ou=People, dc=example,dc=com', 'uid=tmorris,
ou=People, dc=example,dc=com', 'uid=kvaughan, ou=People,
dc=example,dc=com',
'uid=rdaugherty, ou=People, dc=example,dc=com', 'uid=hmiller,
ou=People, dc=example,dc=com'])
UserAccount(topo.standalone, 'cn=HR
Managers,ou=groups,dc=example,dc=com').add('uniquemember', [
'uid=kvaughan, ou=People, dc=example,dc=com', 'uid=cschmith,
ou=People, dc=example,dc=com'])
And try to add filter:
With Filter: It fails gives 0 result for those involves Group
'cn=Accounting Managers,ou=groups,dc=example,dc=com' .
for i in ['(uniquemember=uid=kvaughan,ou=People,dc=example,dc=com)',
'(uniquemember=uid=rdaugherty, ou=People, dc=example,dc=com)',
'(uniquemember=uid=hmiller, ou=People, dc=example,dc=com)',
'(&(objectclass=inetorgperson)(uid=scarter))',
'(&(objectclass=organizationalperson)(uid=scarter))',
'(objectclass=inetorgperson)',
'(&(objectclass=organizationalPerson)(sn=Jensen))',
'(&(mail=*)(objectclass=organizationalPerson))',
'(mail=*)',
'(&(sn=Rentz)(objectclass=organizationalPerson))',
'(&(sn=Ward)(sn=Ward))',
'(sn=Jensen)',
'(sn=*)',
'(sn=*utz)']:
assert Accounts(topo.standalone, DEFAULT_SUFFIX).filter(i)
with search_s(Old Way): I gives correct results .
for i in ['(uniquemember=uid=kvaughan,ou=People,dc=example,dc=com)',
'(uniquemember=uid=rdaugherty, ou=People, dc=example,dc=com)',
'(uniquemember=uid=hmiller, ou=People, dc=example,dc=com)',
'(&(objectclass=inetorgperson)(uid=scarter))',
'(&(objectclass=organizationalperson)(uid=scarter))',
'(objectclass=inetorgperson)',
'(&(objectclass=organizationalPerson)(sn=Jensen))',
'(&(mail=*)(objectclass=organizationalPerson))',
'(mail=*)',
'(&(sn=Rentz)(objectclass=organizationalPerson))',
'(&(sn=Ward)(sn=Ward))',
'(sn=Jensen)',
'(sn=*)',
'(sn=*utz)']:
assert topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, i)
I have attached the test script too . Test
test_various_combinations_of_filters_and_idlistscanlimit
Regards
Anuj Borah
# --- BEGIN COPYRIGHT BLOCK ---
# Copyright (C) 2019 Red Hat, Inc.
# All rights reserved.
#
# License: GPL (version 3 or any later version).
# See LICENSE for details.
# --- END COPYRIGHT BLOCK ---
import os
import re
import pytest
from lib389._constants import DEFAULT_SUFFIX, PW_DM
from lib389.topologies import topology_st as topo
from lib389.idm.user import UserAccount, UserAccounts
from lib389.idm.organizationalunit import OrganizationalUnit, OrganizationalUnits
from lib389.index import Index
from lib389.idm.account import Accounts
import ldap
GIVEN_NAME = 'cn=givenname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config'
CN_NAME = 'cn=sn,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config'
uniquemember = 'cn=uniquemember,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config'
objectclass = 'cn=objectclass,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config'
mail = 'cn=mail,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config'
ACLG_OU = f'ou=ACLGroup,{DEFAULT_SUFFIX}'
NESG_OU = f'ou=nestedgroup, {DEFAULT_SUFFIX}'
LIST_OF_USER_ACCOUNTING = [
f"uid=Ted Morris, ou=Accounting,{DEFAULT_SUFFIX}",
f"uid=David Miller, ou=Accounting,{DEFAULT_SUFFIX}",
f"uid=Gern Farmer, ou=Accounting,{DEFAULT_SUFFIX}",
f"uid=Judy Wallace, ou=Accounting,{DEFAULT_SUFFIX}",
f"uid=Marcus Ward, ou=Accounting,{DEFAULT_SUFFIX}",
f"uid=Judy McFarland, ou=Accounting,{DEFAULT_SUFFIX}",
f"uid=Anuj Hall, ou=Accounting,{DEFAULT_SUFFIX}",
f"uid=Gern Triplett, ou=Accounting,{DEFAULT_SUFFIX}",
f"uid=Emanuel Johnson, ou=Accounting,{DEFAULT_SUFFIX}",
f"uid=Brad Walker, ou=Accounting,{DEFAULT_SUFFIX}",
f"uid=Tobias Pierce, ou=Accounting,{DEFAULT_SUFFIX}",
f"uid=Randy Mills, ou=Accounting,{DEFAULT_SUFFIX}",
f"uid=David Thorud, ou=Accounting,{DEFAULT_SUFFIX}",
f"uid=Elba Kohler, ou=Accounting,{DEFAULT_SUFFIX}",
f"uid=Laurel Campbell, ou=Accounting,{DEFAULT_SUFFIX}",
f"uid=Torrey Schneider, ou=Accounting,{DEFAULT_SUFFIX}",
f"uid=Paula Rose, ou=Accounting,{DEFAULT_SUFFIX}",
f"uid=Frank Albers, ou=Accounting,{DEFAULT_SUFFIX}",
f"uid=Martin Schneider, ou=Accounting,{DEFAULT_SUFFIX}",
f"uid=Andrew Hel, ou=Accounting,{DEFAULT_SUFFIX}",
f"uid=Pete Tyler, ou=Accounting,{DEFAULT_SUFFIX}",
f"uid=Randy Ulrich, ou=Accou
[389-devel] Re: UserAccounts creates users with junk sign
@William Brown
Thanks for the reply .
I was wondering if UserAccount can do it , why UserAccounts cant .
Anyway now i will go for 3. (best) to solve the problem.
Thanks
Anuj Borah
On Wed, Mar 27, 2019 at 5:45 AM William Brown wrote:
> Hi,
>
> I have previously commented a number of times on this pattern that you
> have been using and that it is incorrect in reviews.
>
> > On 26 Mar 2019, at 13:27, Anuj Borah wrote:
> >
> > Hay everyone,
> >
> > Consider bellow condition:
> >
> > users = UserAccounts(topo.standalone, f"ou=Keywords,{DEFAULT_SUFFIX}",
> rdn=None)
> > for i in [f'NONE_2_KEY,ou=Authmethod',
> > f'EVERYDAY_KEY,ou=Dayofweek',
> > f'TODAY_KEY,ou=Dayofweek',
> > f'NODAY_KEY,ou=Dayofweek',
> > f'NETSCAPEDNS_KEY,ou=DNS',
> > f'FULLIP_KEY,ou=IP',
> > f'NETSCAPEIP_KEY,ou=IP',
> > f'NOIP_KEY,ou=IP',
> > f'FULLWORKER_KEY,ou=Timeofday',
> > f'DAYWORKER_KEY,ou=Timeofday',
> > f'NIGHTWORKER_KEY,ou=Timeofday',
> > f'NOWORKER_KEY,ou=Timeofday']:
> > properties = {
> > 'uid': i,
> > 'cn': i.split(',')[0],
> > 'sn': 'user',
> > 'uidNumber': '1000',
> > 'gidNumber': '2000',
> > 'homeDirectory': '/home/' + i,
> > 'userPassword': PW_DM
> > }
> > users.create(properties=properties)
>
> ^ This is where the mistake happens. UserAccounts *already* knows that you
> have an rdn etc. So then you say “users.create(uid = “everyday_key,ou=….”).
>
> So it LITERALLY takes that, escapes the content (which is the cause of the
> \\2C and \\3D you see below) and put’s that into the field)
>
>
> >
> >
> > If you see the created users:
> >
> > for i in users.list(): i.dn
> > 'uid=NONE_2_KEY\\2Cou\\3DAuthmethod,ou=Keywords,dc=example,dc=com'
> > 'uid=EVERYDAY_KEY\\2Cou\\3DDayofweek,ou=Keywords,dc=example,dc=com'
> > 'uid=TODAY_KEY\\2Cou\\3DDayofweek,ou=Keywords,dc=example,dc=com'
> > 'uid=NODAY_KEY\\2Cou\\3DDayofweek,ou=Keywords,dc=example,dc=com'
> > 'uid=NETSCAPEDNS_KEY\\2Cou\\3DDNS,ou=Keywords,dc=example,dc=com'
> > 'uid=FULLIP_KEY\\2Cou\\3DIP,ou=Keywords,dc=example,dc=com'
> > 'uid=NETSCAPEIP_KEY\\2Cou\\3DIP,ou=Keywords,dc=example,dc=com'
> > 'uid=NOIP_KEY\\2Cou\\3DIP,ou=Keywords,dc=example,dc=com'
> > 'uid=FULLWORKER_KEY\\2Cou\\3DTimeofday,ou=Keywords,dc=example,dc=com'
> > 'uid=DAYWORKER_KEY\\2Cou\\3DTimeofday,ou=Keywords,dc=example,dc=com'
> > 'uid=NIGHTWORKER_KEY\\2Cou\\3DTimeofday,ou=Keywords,dc=example,dc=com'
> > 'uid=NOWORKER_KEY\\2Cou\\3DTimeofday,ou=Keywords,dc=example,dc=com'
> >
> > We can see users become useless to use for further operations.
> >
> > And consider bellow condition:
> >
> >
> > for i in [f'NONE_2_KEY,ou=Authmethod',
> > f'EVERYDAY_KEY,ou=Dayofweek',
> > f'TODAY_KEY,ou=Dayofweek',
> > f'NODAY_KEY,ou=Dayofweek',
> > f'NETSCAPEDNS_KEY,ou=DNS',
> > f'FULLIP_KEY,ou=IP',
> > f'NETSCAPEIP_KEY,ou=IP',
> > f'NOIP_KEY,ou=IP',
> > f'FULLWORKER_KEY,ou=Timeofday',
> > f'DAYWORKER_KEY,ou=Timeofday',
> > f'NIGHTWORKER_KEY,ou=Timeofday',
> > f'NOWORKER_KEY,ou=Timeofday']:
> > properties = {
> > 'uid': i,
> > 'cn': i.split(',')[0],
> > 'sn': 'user',
> > 'uidNumber': '1000',
> > 'gidNumber': '2000',
> > 'homeDirectory': '/home/' + i,
> > 'userPassword': PW_DM
> > }
> > users = UserAccount(topo.standalone,
> f"cn={i},ou=Keywords,{DEFAULT_SUFFIX}")
> > users.create(properties=properties)
> >
> >
> > users = UserAccounts(topo.standalone, f"ou=Keywords,{DEFAULT_SUFFIX}",
> rdn=None)
> >
> > for i in users.list(): i.dn
> > 'cn=NONE_2_KEY,ou=Authmethod,ou=Keywords,dc=example,dc=com'
> > 'cn=EVERYDAY_KEY,ou=Dayofweek,ou=Keywords,dc=example,dc=com'
> > 'cn=TODAY_KEY,ou=Dayofweek,ou=Keywords,dc=example,dc=com'
> > 'cn=NODAY_KEY,ou=Dayofweek,ou=Keywords,dc=example,dc=com'
> > 'cn=NETSCAPEDNS_KEY,ou=DNS,ou=Keywords,dc=example,dc=com'
> > 'cn=FULLIP_KEY,ou=IP,ou=Keywords,dc=example,dc=com'
> > 'cn=NETSCAPEIP_KEY,ou=IP,ou=Keywords,dc=example,dc=com'
> > 'cn=NOIP_KEY,ou=IP,ou=Keywords,dc=example,dc=com'
> > 'cn=FULLWORKER_KEY,ou=Timeofday,ou=Keywords,dc=example,dc=com'
> > 'cn=DAYWORKER_KEY,ou=Timeofday,ou=Keywords,dc=example,dc=com'
> > 'cn=NIGHTWORKER
[389-devel] Please review
Hi all, Please review bellow PR: https://pagure.io/389-ds-base/pull-request/50178 Its pending from long time . Regards Anuj Borah ___ 389-devel mailing list -- 389-devel@lists.fedoraproject.org To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
[389-devel] Re: Filter does not work with Anonymous connection
@Matus Honek
Yes, I agree.
Perhaps we should open one ticket in pagur to track this issue ?
Regards
Anuj Borah
On Tue, Feb 26, 2019 at 9:12 PM Matus Honek wrote:
> This kinda leads me to thinking we should implement ACIs management
> within the DSLdapObjects like this (probably specific to a particular
> subclass, to a degree). One that would take care of this added
> requirement for objectclass ACIs because of hidden .filter's behavour.
> Because that is currently really hard to be understood at a first
> glance, or second.
> On Tue, Feb 26, 2019 at 4:02 AM William Brown wrote:
> >
> >
> >
> > > On 26 Feb 2019, at 12:58, Anuj Borah wrote:
> > >
> > > @William Brown
> > >
> > > ACI syntax in test is correct, it meant to give access to (mail = * )
> only not any thing else . In the same case as mansion bellow:
> >
> > Ummm, that’s not what I’m saying? I’m saying that you may *only* be
> giving access to the mail attribute, so as a result when the .filter
> generates and expands to (&(objectClass=account)(mail=*)), the objectClass
> is denied on the searcch, causing the test to fail (to prevent disclosure).
> >
> > That’s why I suggest changing the aci to allowing mail AND objectClass,
> and testing again. I think this is atn aci issue not a python, and I’d like
> to rule out that first.
> >
> > >
> > > Domain(topo.standalone, DEFAULT_SUFFIX).replace("aci",
> '(target="ldap:///{};)(targetattr="mail")(version 3.0; acl "Test";allow
> (read,search,compare) (userdn = "ldap:///anyone;);
> )'.format(DEFAULT_SUFFIX))
> > >
> > > conn = Anonymous(topo.standalone).bind()
> > > # filter does not works with Anonymous
> > > assert 0 == Accounts(conn, DEFAULT_SUFFIX).filter('(mail=*)')
> - It does not work
> > > assert 3 == len(conn.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE,
> "mail=*")) - it works
> > >
> > >
> > > We can clearly see sarch_s works under conn while ACI access to
> (mail=*) , in the same condition filter does not work at all . It gives 0
> result , while search_s gives 3 .
> > >
> > >
> > >
> > > On Tue, Feb 26, 2019 at 5:06 AM William Brown wrote:
> > >
> > >
> > > > On 26 Feb 2019, at 05:09, Anuj Borah wrote:
> > > >
> > > >
> > > >
> > > > Hi all,
> > > >
> > > > We have recently implemented Filter and Anonymous to lib389 . But
> it seems like Filter does not work with Anonymous connection .
> > > > It actually does not work with any kind of connection whether ACI
> allow or not rather than root .
> > > >
> > > > My suspense is it is related to this issue which is not yet fixed:
> https://pagure.io/389-ds-base/issue/50137
> > > >
> > > > Please check attached test case .
> > >
> > > I suspect they are not related, more likely the access control in your
> test doesn’t allow anonymous to search objectClass under DEFAULT_SUFFIX. If
> you change it to:
> > >
> > > Domain(topo.standalone, DEFAULT_SUFFIX).replace("aci",
> '(target="ldap:///{};)(targetattr=“mail || objectClass")(version 3.0; acl
> "Test";allow (read,search,compare) (userdn = "ldap:///anyone;);
> )'.format(DEFAULT_SUFFIX))
> > >
> > > (I hope I have the aci syntax correct)
> > >
> > >
> > > >
> > > > Regards
> > > > Anuj Borah
> > > > ___
> > > > 389-devel mailing list -- 389-devel@lists.fedoraproject.org
> > > > To unsubscribe send an email to
> 389-devel-le...@lists.fedoraproject.org
> > > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > > > List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > List Archives:
> https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
> > >
> > > —
> > > Sincerely,
> > >
> > > William Brown
> > > Software Engineer, 389 Directory Server
> > > SUSE Labs
> > > ___
> > > 389-devel mailing list -- 389-devel@lists.fedoraproject.org
> > > To unsubscribe send an email to
> 389-devel-le...@lists.fedoraproject.org
> > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > > List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
>
[389-devel] Re: Fwd: Filter does not work with Anonymous connection
@William Brown
ACI syntax in test is correct, it meant to give access to (mail = * ) only
not any thing else . In the same case as mansion bellow:
Domain(topo.standalone, DEFAULT_SUFFIX).replace("aci",
'(target="ldap:///{};)(targetattr="mail")(version 3.0; acl "Test";allow
(read,search,compare) (userdn = "ldap:///anyone;);
)'.format(DEFAULT_SUFFIX))
conn = Anonymous(topo.standalone).bind()
# filter does not works with Anonymous
assert 0 == Accounts(conn, DEFAULT_SUFFIX).filter('(mail=*)') -
It does not work
assert 3 == len(conn.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE,
"mail=*")) - it works
We can clearly see sarch_s works under conn while ACI access to (mail=*) ,
in the same condition filter does not work at all . It gives 0 result ,
while search_s gives 3 .
On Tue, Feb 26, 2019 at 5:06 AM William Brown wrote:
>
>
> > On 26 Feb 2019, at 05:09, Anuj Borah wrote:
> >
> >
> >
> > Hi all,
> >
> > We have recently implemented Filter and Anonymous to lib389 . But it
> seems like Filter does not work with Anonymous connection .
> > It actually does not work with any kind of connection whether ACI allow
> or not rather than root .
> >
> > My suspense is it is related to this issue which is not yet fixed:
> https://pagure.io/389-ds-base/issue/50137
> >
> > Please check attached test case .
>
> I suspect they are not related, more likely the access control in your
> test doesn’t allow anonymous to search objectClass under DEFAULT_SUFFIX. If
> you change it to:
>
> Domain(topo.standalone, DEFAULT_SUFFIX).replace("aci",
> '(target="ldap:///{};)(targetattr=“mail || objectClass")(version 3.0; acl
> "Test";allow (read,search,compare) (userdn = "ldap:///anyone;);
> )'.format(DEFAULT_SUFFIX))
>
> (I hope I have the aci syntax correct)
>
>
> >
> > Regards
> > Anuj Borah
> > ___
> > 389-devel mailing list -- 389-devel@lists.fedoraproject.org
> > To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
>
> —
> Sincerely,
>
> William Brown
> Software Engineer, 389 Directory Server
> SUSE Labs
> ___
> 389-devel mailing list -- 389-devel@lists.fedoraproject.org
> To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
>
___
389-devel mailing list -- 389-devel@lists.fedoraproject.org
To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
[389-devel] Pleas review
Hi all, Please review bellow PRs: https://pagure.io/389-ds-base/pull-request/50180 https://pagure.io/389-ds-base/pull-request/50168 Its pending from long time. Regards Anuj Borah ___ 389-devel mailing list -- 389-devel@lists.fedoraproject.org To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
[389-devel] Re: creating a universal class to replace "Entry"
@William Brown Thanks for the reply , please
look into the PR: https://pagure.io/389-ds-base/pull-request/50171
Its to create nsfilterrole .
On Mon, Feb 11, 2019 at 1:06 PM William Brown wrote:
>
>
> > On 11 Feb 2019, at 17:01, Anuj Borah wrote:
> >
> > Hi,
> >
> > As 'Entry' is not allowed to use now , In replace of Entry we are
> suggested to use UserAccounts and UserAccount which is very limited to some
> object classes .
> (['account','posixaccount','inetOrgPerson','organizationalPerson’]
>
> > )
> >
>
> There are many other types than this though?
>
> src/lib389/lib389/plugins.py:23:class Plugin(DSLdapObject):
> src/lib389/lib389/plugins.py:199:class MEPConfig(DSLdapObject):
> src/lib389/lib389/plugins.py:233:class MEPTemplate(DSLdapObject):
> src/lib389/lib389/plugins.py:444:class
> ReferentialIntegrityConfig(DSLdapObject):
> src/lib389/lib389/plugins.py:758:class MemberOfSharedConfig(DSLdapObject):
> src/lib389/lib389/plugins.py:887:class
> AutoMembershipRegexRule(DSLdapObject):
> src/lib389/lib389/plugins.py:905:class
> AutoMembershipDefinition(DSLdapObject):
> src/lib389/lib389/plugins.py:1015:class
> AutoMembershipRegexRule(DSLdapObject):
> src/lib389/lib389/plugins.py:1120:class
> LinkedAttributesConfig(DSLdapObject):
> src/lib389/lib389/plugins.py:1551:class AccountPolicyConfig(DSLdapObject):
> src/lib389/lib389/plugins.py:1598:class DNAPluginConfig(DSLdapObject):
> src/lib389/lib389/idm/organizationalrole.py:17:class
> OrganizationalRole(DSLdapObject):
> src/lib389/lib389/idm/nscontainer.py:11:class nsContainer(DSLdapObject):
> src/lib389/lib389/idm/nscontainer.py:49:class
> nsHiddenContainer(DSLdapObject):
> src/lib389/lib389/idm/domain.py:11:class Domain(DSLdapObject):
> src/lib389/lib389/idm/posixgroup.py:18:class PosixGroup(DSLdapObject):
> src/lib389/lib389/idm/organization.py:17:class Organization(DSLdapObject):
> src/lib389/lib389/idm/ipadomain.py:11:class IpaDomain(DSLdapObject):
> src/lib389/lib389/idm/group.py:17:class Group(DSLdapObject):
> src/lib389/lib389/idm/group.py:104:class UniqueGroup(DSLdapObject):
> src/lib389/lib389/idm/organizationalunit.py:16:class
> OrganizationalUnit(DSLdapObject):
> src/lib389/lib389/idm/account.py:15:class Account(DSLdapObject):
> src/lib389/lib389/tombstone.py:18:class Tombstone(DSLdapObject):
> src/lib389/lib389/backend.py:393:class Backend(DSLdapObject):
> src/lib389/lib389/backend.py:831:class DatabaseConfig(DSLdapObject):
> src/lib389/lib389/tasks.py:24:class Task(DSLdapObject):
> src/lib389/lib389/pwpolicy.py:287:class PwPolicyEntry(DSLdapObject):
> src/lib389/lib389/config.py:28:class Config(DSLdapObject):
> src/lib389/lib389/config.py:205:class Encryption(DSLdapObject):
> src/lib389/lib389/config.py:233:class RSA(DSLdapObject):
> src/lib389/lib389/config.py:358:class LDBMConfig(DSLdapObject):
> src/lib389/lib389/monitor.py:16:class Monitor(DSLdapObject):
> src/lib389/lib389/monitor.py:109:class MonitorLDBM(DSLdapObject):
> src/lib389/lib389/monitor.py:143:class MonitorBackend(DSLdapObject):
> src/lib389/lib389/monitor.py:190:class MonitorChaining(DSLdapObject):
> src/lib389/lib389/saslmap.py:12:class SaslMapping(DSLdapObject):
> src/lib389/lib389/index.py:27:class Index(DSLdapObject):
> src/lib389/lib389/index.py:64:class VLVSearch(DSLdapObject):
> src/lib389/lib389/index.py:147:class VLVIndex(DSLdapObject):
> src/lib389/lib389/encrypted_attributes.py:15:class
> EncryptedAttr(DSLdapObject):
> src/lib389/lib389/_mapped_object.py:84:class DSLdapObject(DSLogging):
> src/lib389/lib389/_mapped_object.py:441:if not
> issubclass(type(obj1), DSLdapObject) or not issubclass(type(obj2),
> DSLdapObject):
> src/lib389/lib389/_mapped_object.py:442:raise
> ValueError("Invalid arguments: Expecting object types that inherits
> 'DSLdapObject' class")
> src/lib389/lib389/agreement.py:23:class Agreement(DSLdapObject):
> src/lib389/lib389/cos.py:18:class CosTemplate(DSLdapObject):
> src/lib389/lib389/cos.py:65:class CosIndirectDefinition(DSLdapObject):
> src/lib389/lib389/cos.py:111:class CosPointerDefinition(DSLdapObject):
> src/lib389/lib389/replica.py:881:class Replica(DSLdapObject):
> src/lib389/lib389/replica.py:1288:class
> BootstrapReplicationManager(DSLdapObject):
> src/lib389/lib389/mappingTree.py:381:class MappingTree(DSLdapObject):
> src/lib389/lib389/chaining.py:18:class ChainingConfig(DSLdapObject):
> src/lib389/lib389/chaining.py:59:class ChainingDefault(DSLdapObject):
> src/lib389/lib389/chaining.py:81:class ChainingLink(DSLdapObject):
> src/lib389/lib389/changelog.py:20:class Changelog5(DSLdapObject):
> src/lib389/lib389/rootdse.py:15:class RootDSE(DSLdapObject):
> src/lib389/lib389/referral.py:14:class Referral(DSLdapObject):
>
[389-devel] Re: [discuss] composable object types in lib389
@Ludwig Krispenz The script i have attached in my
previous mail was ported from the TET script .
Now i am attaching the main bash script , please check it out.
On Tue, Jan 22, 2019 at 1:48 PM Ludwig wrote:
>
>
> On 01/22/2019 08:57 AM, Anuj Borah wrote:
>
> @Ludwig Krispenz , exactly, Please check attached
> script , how it is implemented .
>
> Filter role and aci combination .
>
>
> But this is not testing role based acis,
>
> your bind rule always is userdn=, and you are using the roles attr in
> targeting entries. See the admin guide for acis:
> https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/defining_bind_rules#using_the_roledn_bind_type
>
> so what you need is an aci with
>
> allow (search, read) roledn="ldap:///cn= definition>,dc=example,dc=com"
>
>
> then you need an filterdrole entry :
>
> cn=,dc=example,dc=com
> nsrolefilter:
>
> then you need users matching this filter and users not matching that
> filter, and check the results of an ldap operation.
>
> Please follow the request and do a writeup of what you want to achieve,
> before providing new code.
>
> Ludwig
>
>
>
>
>
>
>
> On Tue, Jan 22, 2019 at 1:13 PM Ludwig wrote:
>
>>
>>
>> On 01/21/2019 11:01 PM, William Brown wrote:
>> >
>> >> On 21 Jan 2019, at 17:08, Anuj Borah wrote:
>> >>
>> >> One small correction here :
>> >>
>> >> using newly created nsUserAccountRole and nsUserAccountRoles ( Will be
>> used only to create filter role ) , i am creating filter roles only . This
>> is the confusion here , we should remember filter roles are nothing but
>> entries with o='something'. I am not touching any user here , but i am
>> creating roles and these roles are covering the users automatically a
>> Ludwig Krispenzs said earlier. example-
>> >>
>> >>
>> >>
>> >>
>> >>
>> role=nsUserAccountRole(topo.standalone,'cn=tuser1,ou=People,dc=example,dc=com')
>> >> user_props={'cn':'Anuj', 'nsRoleFilter':'cn=*'}
>> >> role.create(properties=user_props, basedn=SUFFIX)
>> >>
>> >>
>> >>
>> >> In above example just created one filer role which will cover all
>> users having 'cn=*' in 'ou=People'. Here
>> 'cn=tuser1,ou=People,dc=example,dc=com' is nothing but a filter role which
>> will cover all users having 'cn=*' in 'ou=People'.
>> >>
>> >> Another example as given bellow:
>> >>
>> >> dn: cn=FILTERROLEENGROLE,o=acivattr1,dc=example,dc=com
>> >> cn: FILTERROLEENGROLE
>> >> nsRoleFilter: cn=*
>> >> objectClass: top
>> >> objectClass: LDAPsubentry
>> >> objectClass: nsRoleDefinition
>> >> objectClass: nsComplexRoleDefinition
>> >> objectClass: nsFilteredRoleDefinition
>> >>
>> >> This above entry is nothing but filter role entry , which will cover
>> all users in 'o=acivattr1' which has sub entries that begins with 'cn'. And
>> this is the property of filter role .
>> >>
>> >> Yes , i must say that newly created nsUserAccountRole and
>> nsUserAccountRoles which i renamed to nsFilterAccountRole and
>> nsFilterAccountRoles will only cover filter role as you cant create Filter
>> role and other roles like Manage role all together . For my porting stuff
>> newly created nsFilterAccountRole and nsFilterAccountRoles is more than
>> enough because i need filter roles only .
>> >>
>> >> Hope it clears all of your doubts.
>> >>
>> > So I think the idea of composing this with nsUsers/nsAccount is so that
>> the nsRoleFilter becomes:
>> >
>> > &(objectClass=account)(cn=*)
>> but this filter would probably match all accounts, to properly test role
>> based acis you need to have a set of user matching the filter and get
>> access granted and a set of user not matching the filter and access
>> rejected.
>> >
>> > This way it’s limited to just those types. Else we would have just
>> “nsFilteredRole” lib389 type (which could be simpler, given that this idea
>> seems to have caused so much confusion already … :( )
>> >
>> > I still think it would be good to see a write of “how it works” by
>> hand, where you make the role, add the filter, show the roles on the users,
>> then how that translates to the lib389.
>> +1
>> >
>> > Thanks,
>> >
>> >
>> > —
>> >
[389-devel] Re: [discuss] composable object types in lib389
@Ludwig Krispenz , exactly, Please check attached
script , how it is implemented .
Filter role and aci combination .
On Tue, Jan 22, 2019 at 1:13 PM Ludwig wrote:
>
>
> On 01/21/2019 11:01 PM, William Brown wrote:
> >
> >> On 21 Jan 2019, at 17:08, Anuj Borah wrote:
> >>
> >> One small correction here :
> >>
> >> using newly created nsUserAccountRole and nsUserAccountRoles ( Will be
> used only to create filter role ) , i am creating filter roles only . This
> is the confusion here , we should remember filter roles are nothing but
> entries with o='something'. I am not touching any user here , but i am
> creating roles and these roles are covering the users automatically a
> Ludwig Krispenzs said earlier. example-
> >>
> >>
> >>
> >>
> >>
> role=nsUserAccountRole(topo.standalone,'cn=tuser1,ou=People,dc=example,dc=com')
> >> user_props={'cn':'Anuj', 'nsRoleFilter':'cn=*'}
> >> role.create(properties=user_props, basedn=SUFFIX)
> >>
> >>
> >>
> >> In above example just created one filer role which will cover all users
> having 'cn=*' in 'ou=People'. Here 'cn=tuser1,ou=People,dc=example,dc=com'
> is nothing but a filter role which will cover all users having 'cn=*' in
> 'ou=People'.
> >>
> >> Another example as given bellow:
> >>
> >> dn: cn=FILTERROLEENGROLE,o=acivattr1,dc=example,dc=com
> >> cn: FILTERROLEENGROLE
> >> nsRoleFilter: cn=*
> >> objectClass: top
> >> objectClass: LDAPsubentry
> >> objectClass: nsRoleDefinition
> >> objectClass: nsComplexRoleDefinition
> >> objectClass: nsFilteredRoleDefinition
> >>
> >> This above entry is nothing but filter role entry , which will cover
> all users in 'o=acivattr1' which has sub entries that begins with 'cn'. And
> this is the property of filter role .
> >>
> >> Yes , i must say that newly created nsUserAccountRole and
> nsUserAccountRoles which i renamed to nsFilterAccountRole and
> nsFilterAccountRoles will only cover filter role as you cant create Filter
> role and other roles like Manage role all together . For my porting stuff
> newly created nsFilterAccountRole and nsFilterAccountRoles is more than
> enough because i need filter roles only .
> >>
> >> Hope it clears all of your doubts.
> >>
> > So I think the idea of composing this with nsUsers/nsAccount is so that
> the nsRoleFilter becomes:
> >
> > &(objectClass=account)(cn=*)
> but this filter would probably match all accounts, to properly test role
> based acis you need to have a set of user matching the filter and get
> access granted and a set of user not matching the filter and access
> rejected.
> >
> > This way it’s limited to just those types. Else we would have just
> “nsFilteredRole” lib389 type (which could be simpler, given that this idea
> seems to have caused so much confusion already … :( )
> >
> > I still think it would be good to see a write of “how it works” by hand,
> where you make the role, add the filter, show the roles on the users, then
> how that translates to the lib389.
> +1
> >
> > Thanks,
> >
> >
> > —
> > Sincerely,
> >
> > William Brown
> > Software Engineer, 389 Directory Server
> > SUSE Labs
> > ___
> > 389-devel mailing list -- 389-devel@lists.fedoraproject.org
> > To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
> ___
> 389-devel mailing list -- 389-devel@lists.fedoraproject.org
> To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
>
# --- BEGIN COPYRIGHT BLOCK ---
# Copyright (C) 2019 Red Hat, Inc.
# All rights reserved.
#
# License: GPL (version 3 or any later version).
# See LICENSE for details.
# --- END COPYRIGHT BLOCK ---
from working_contstants import *
DNBASE = "o=acivattr,{}".format(DEFAULT_SUFFIX)
ENG_USER = "cn=enguser1,ou=eng,{}".format(DNBASE)
SALES_UESER = "cn=salesuser1,ou=sales,{}".format(DNBASE)
ENG_MANAGER = "cn=engmanager1,ou=eng,
[389-devel] Re: [discuss] composable object types in lib389
One small correction here :
using newly created nsUserAccountRole and nsUserAccountRoles ( Will be used
only to create filter role ) , i am creating filter roles only . This is
the confusion here , we should remember filter roles are nothing but
entries with o='something'. I am not touching any user here , but i am
creating roles and these roles are covering the users automatically a
Ludwig Krispenzs said earlier. example-
role=nsUserAccountRole(topo.standalone,'cn=tuser1,ou=People,dc=example,dc=com')
user_props={'cn':'Anuj', 'nsRoleFilter':'cn=*'}
role.create(properties=user_props, basedn=SUFFIX)
In above example just created one filer role which will cover all users
having 'cn=*' in 'ou=People'. Here 'cn=tuser1,ou=People,dc=example,dc=com'
is nothing but a filter role which will cover all users having 'cn=*' in
'ou=People'.
Another example as given bellow:
dn: cn=FILTERROLEENGROLE,o=acivattr1,dc=example,dc=com
cn: FILTERROLEENGROLE
nsRoleFilter: cn=*
objectClass: top
objectClass: LDAPsubentry
objectClass: nsRoleDefinition
objectClass: nsComplexRoleDefinition
objectClass: nsFilteredRoleDefinition
This above entry is nothing but filter role entry , which will cover all
users in 'o=acivattr1' which has sub entries that begins with 'cn'. And
this is the property of filter role .
Yes , i must say that newly created nsUserAccountRole and
nsUserAccountRoles which i renamed to nsFilterAccountRole and
nsFilterAccountRoles will only cover filter role as you cant create Filter
role and other roles like Manage role all together . For my porting stuff
newly created nsFilterAccountRole and nsFilterAccountRoles is more than
enough because i need filter roles only .
Hope it clears all of your doubts.
Regards
Anuj Borah
On Fri, Jan 18, 2019 at 4:24 AM William Brown wrote:
>
>
> > On 17 Jan 2019, at 19:40, Ludwig Krispenz wrote:
> >
> >
> > Maybe I do not understand how it works because of some lib389 magic, but
> I think this is not how roles work.
> >
> > You are creating cn=tuser1 and cn=Anju and they will have the role
> objectclasses, but the benefit of roles is that you do NOT have to touch
> the useres to assign roles to them. There is a class of users and a class
> of role definitions and ONLY the change in the role definition will
> determine if a user has a role or not.
>
> I think lib389 probably isn’t helping, but Ludwig’s description here is
> correct.
>
> Maybe a good approach is to “setup” roles by hand, then once you have a
> process in mind, then you can make the lib389 parts? I generally approach
> things this way to understand them well.
>
> Would that help?
>
>
> —
> Sincerely,
>
> William Brown
> Software Engineer, 389 Directory Server
> SUSE Labs
> ___
> 389-devel mailing list -- 389-devel@lists.fedoraproject.org
> To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
>
___
389-devel mailing list -- 389-devel@lists.fedoraproject.org
To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
[389-devel] Re: [discuss] composable object types in lib389
Hay William.
RDN = 'cn'
class nsUserAccountRole(Account):
def __init__(self, instance, dn=None):
super(nsUserAccountRole, self).__init__(instance, dn)
self._rdn_attribute = RDN
self._create_objectclasses = [
'top',
'LDAPsubentry',
'nsRoleDefinition',
'nsComplexRoleDefinition',
'nsFilteredRoleDefinition'
]
self._childobject = Account
user_compare_exclude = [
'nsUniqueId',
'modifyTimestamp',
'createTimestamp',
'entrydn'
]
self._compare_exclude = self._compare_exclude + user_compare_exclude
self._protected = False
class nsUserAccountRoles(DSLdapObjects):
def __init__(self, instance, basedn, rdn='ou=People'):
super(nsUserAccountRoles, self).__init__(instance)
self._objectclasses = [
'top',
'LDAPsubentry',
'nsRoleDefinition',
'nsComplexRoleDefinition',
'nsFilteredRoleDefinition'
]
self._filterattrs = [RDN, 'cn']
self._childobject = nsUserAccountRole
if rdn is None:
self._basedn = basedn
else:
self._basedn = '{},{}'.format(rdn, basedn)
Here i am not using nsUserAccount in nsUserAccountRole as it requires
'uid' which is not allowed in nsFilteredRoleDefinition and
nsRoleDefinition . Below are usages:
user=nsUserAccountRole(topo.standalone,'cn=tuser1,ou=People,dc=example,dc=com')
user_props={'cn':'Anuj', 'nsRoleFilter':'cn=*'}
user.create(properties=user_props, basedn=SUFFIX)
nsUserAccountRoles(topo.standalone, DEFAULT_SUFFIX).list()[0].dn
>> 'cn=tuser1,ou=People,dc=example,dc=com'
nsUserAccountRoles(topo.standalone,
DEFAULT_SUFFIX).create(properties=user_props)
>>>
nsUserAccountRoles(topo.standalone, DEFAULT_SUFFIX).list()[1].dn
>>> 'cn=Anuj,ou=People,dc=example,dc=com'
Let me know , what you think .
Regards
Anuj Borah
On Tue, Jan 15, 2019 at 6:30 AM William Brown wrote:
>
> > On 14 Jan 2019, at 19:28, Anuj Borah wrote:
> >
> > Hi William ,
> >
> > Just find out a way to do it .
>
>
> This isn’t quite what I had in mind.
>
> Remember, we should be able to compose nsRole types to various other
> objects if required (despite my dislike of nsRoles …).
>
> We have "nsUserAccount(Account)”, and we need to be able to extend it with
> nsRole types.
>
> One way to achieve this is:
>
> class nsRoleDefinition(object):
> def __init__(self, instance, dn=None):
> if ‘_create_objectclasses’ not in self:
> raise Exception ….
> # So we must have been combined with a type to add roles
> self._create_objectclasses.append(’nsFilteredRoleDefinition’)
>
>
> class nsUserAccountRole(nsUserAccount, nsRoleDefinition):
> def __init__(self, instance, dn=None):
> super(nsUserAccount, self).__init__(instance, dn)
> super(nsRoleDefinition, self).__init__(instance, dn)
>
>
>
> Then you would use the nsUserAccountRole like normal. (I think we may need
> a similar “nsUserAccountRoles" for the muliple search parts)
>
> A benefit to this, is you could have role-specific functions like
> setting/changing the filter, but you never loose the “account” features
> like bind. Provided a method is uniquely sourced, I think python takes the
> implementation that is unique, or it takes the “first”. So this should all
> just work.
>
> The main benefit here is it’s really clean, we can compose this to other
> types. It also avoids any duplication of class definitions and logic etc.
>
> I think this is how I would like to see it created. It may be worth making
> a “ticket” just for the nsRole parts and splitting your test for nsRoles
> out of the mega-patch you have.
>
> >
> > class UserAccountnsRole(Account):
> >
> > def __init__(self, instance, dn=None):
> > super(UserAccountnsRole, self).__init__(instance, dn)
> > self._rdn_attribute = RDN
> > self._create_objectclasses = [
> > 'top',
> > 'LDAPsubentry',
> > 'nsRoleDefinition',
> > 'nsComplexRoleDefinition',
> > 'nsFilteredRoleDefinition'
> > ]
> > user_compare_exclude = [
> > 'nsUniqueId',
> > 'modifyTimestamp',
> > 'createTimestamp',
> > 'entrydn'
> > ]
> > self._compare_exclude = self._compare_exclude +
> user_compare_exclude
> > self._protected = False
> >
> > def _validate(self, rdn, properties, basedn):
> > if 'ntUserDomainId' in properties and 'ntUser' not in
> self._cr
[389-devel] Re: [discuss] composable object types in lib389
Hi William ,
Just find out a way to do it .
class UserAccountnsRole(Account):
def __init__(self, instance, dn=None):
super(UserAccountnsRole, self).__init__(instance, dn)
self._rdn_attribute = RDN
self._create_objectclasses = [
'top',
'LDAPsubentry',
'nsRoleDefinition',
'nsComplexRoleDefinition',
'nsFilteredRoleDefinition'
]
user_compare_exclude = [
'nsUniqueId',
'modifyTimestamp',
'createTimestamp',
'entrydn'
]
self._compare_exclude = self._compare_exclude + user_compare_exclude
self._protected = False
def _validate(self, rdn, properties, basedn):
if 'ntUserDomainId' in properties and 'ntUser' not in
self._create_objectclasses:
self._create_objectclasses.append('ntUser')
return super(UserAccountnsRole, self)._validate(rdn, properties, basedn)
def create_test_user_nsrole(instance, cn, nsRoleFilter, description,
suffix=None):
global test_user_id
if cn is None:
cn = "testuser_" + str(test_user_id)
test_user_id += 1
if suffix is None:
suffix = DEFAULT_SUFFIX
dn = "cn=" + cn + "," + suffix
properties = {
'cn': cn,
"nsRoleFilter": nsRoleFilter,
"description": description,
}
user = UserAccountnsRole(instance, dn)
user.create(properties=properties)
return user
Now just using create_test_user_nsrole we will be able to create entries
with nsRoles.
Regards
Anuj Borah
On Mon, Jan 7, 2019 at 2:30 PM William Brown
wrote:
> Hi,
>
> I’ve been speaking to Anuj Borah about a PR they made, and how we can
> properly represent nsRole.
>
> because nsRoles are an extra objectClass, rather than a standalone one, we
> need a way to represent this properly.
>
> It’s probably a good idea to use some of pythons composability here, where
> we could do something like:
>
> class nsFilteredRole(DSLdapObject):
>
>
> class User(DSldapObject):
>
> class User_nsFilteredRole(User, nsFilteredRole):
>
> Then to have a way to define and have each subclass called, and asserted
> for correctness. A question is how we would handle:
>
> user = User.create(…)
> # How to convert user to User_nsFilteredRole
>
> We could do something like:
>
> User_nsFilteredRole.from(user)
>
> And have a from that does a valid conversion based on types and adds in
> the required role parts?
>
> This isn’t a common scenario, so I think having a limited set of well
> understood types that require this type of conversion would be okay.
>
> Thought? *looking at you Simon* :)
>
> PS: It’s good to be back
>
> --
> Sincerely,
>
> William
> ___
> 389-devel mailing list -- 389-devel@lists.fedoraproject.org
> To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
>
___
389-devel mailing list -- 389-devel@lists.fedoraproject.org
To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
