[Freeipa-devel] [PATCH] import NSPRError in host.py
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 The host plugin references NSPRError in a couple of places but never imports it. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0PGGkACgkQHsardTLnvCW6rACg6LetC6RilUSTpvRWBs1CDFJd H40AoJC7KWGNIYMyHvh9Kmd8EGZ0ZUyH =2U5v -END PGP SIGNATURE- From d578f9cd964fb147c4394ca3f2e122f9baebbaf1 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Sun, 19 Dec 2010 23:18:29 +0100 Subject: [PATCH] import NSPRError in host.py --- ipalib/plugins/host.py |1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index 91aa651..161eddb 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -73,6 +73,7 @@ EXAMPLES: import platform import os import sys +from nss.error import NSPRError from ipalib import api, errors, util from ipalib import Str, Flag, Bytes -- 1.7.3.3 freeipa-jhrozek-026-import-NSPRError-in-host.py.patch.sig Description: PGP signature ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Modified ipa help behavior
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12/09/2010 09:54 AM, Jan Zelený wrote: > Jan Zelený wrote: >> Jan Zelený wrote: >>> Now each plugin can define its topic as a 2-tuple, where the first >>> item is the name of topic it belongs to and the second item is >>> a description of such topic. Topic descriptions must be the same >>> for all modules belonging to the topic. >>> >>> By using this topics, it is possible to group plugins as we see fit. >>> When asking for help for a particular topic, help for all modules >>> in given topic is written. >>> >>> ipa help - show all topics (until now it showed all plugins) >>> ipa help - show details to given topic >>> >>> https://fedorahosted.org/freeipa/ticket/410 >> >> So here it is: I'm sending couple patches which resolve the ticket and >> implement grouping the way we previously discussed. Please feel free to >> send me any recommendations if anything should be modified. > > Here's updated version of 0014 (changed type detection from type(var) is > type({}) to type(var) is dict) > > Jan The first patch in the series does not apply cleanly anymore, can you rebase? 
Also, ipa help gives me a traceback now: ipa: ERROR: UnboundLocalError: local variable 'mod_name' referenced before assignment Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1049, in run api.finalize() File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 615, in finalize p.instance.finalize() File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 662, in finalize self._count_topic_mcl(topic_name, mod_name) UnboundLocalError: local variable 'mod_name' referenced before assignment ipa: ERROR: an internal error has occurred -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0PLA8ACgkQHsardTLnvCWgIwCeIlMoGGZhbmr0t9aD19L4pBHP rf4AoNrX+TkHlSDfT0BmR3J1MEz7bU5+ =XzUE -END PGP SIGNATURE- ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Added option --no-reverse to add-host
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12/14/2010 07:05 PM, Jan Zelený wrote: > When adding a host with specific IP address, the operation would fail in > case we don't own the reverse DNS. This new option overrides the > check for reverse DNS zone and falls back to different IP address > existence check. > > https://fedorahosted.org/freeipa/ticket/417 > > I was considering deleting the reverse zone detection entirely and check the > IP address directly by querying for A records containing it, but I think this > way it is more efficient. > Ack -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0PMikACgkQHsardTLnvCW8kACeIiYZGg1s32dXU0lvErxcpbro KRQAoNGHYok29j+xj6MeOiLqYJ2DnisA =YW3x -END PGP SIGNATURE- ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] Allow renaming of object that have a parent
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 When performing an RDN change, we would construct the new DN from the RDN attribute only. This doesn't work when the object needs has a parent. There's currently no testcase, I hit that when working on automount - so this patch will be testable with the automount patch and also a dependency for it. But I think the code is pretty clear.. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0PSNwACgkQHsardTLnvCWVNwCg2R+eiK2KoM6GlIuSrsYJZKzw zOcAnihrRg63h72zzhCzjg4WjPeuguP/ =SNXO -END PGP SIGNATURE- From d6520b9d391a1541d18b73bd00a5a05a304f667e Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Wed, 15 Dec 2010 10:07:46 +0100 Subject: [PATCH] Allow renaming of object that have a parent Allow renaming of object that have a parent --- ipalib/plugins/baseldap.py |3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 9ef5f37..69682dc 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -772,7 +772,8 @@ class LDAPUpdate(LDAPQuery, crud.Update): # RDN change ldap.update_entry_rdn(dn, unicode('%s=%s' % (self.obj.rdnattr, entry_attrs[self.obj.rdnattr]))) -dn = self.obj.get_dn(entry_attrs[self.obj.rdnattr]) +rdnkeys = keys[:-1] + (entry_attrs[self.obj.rdnattr], ) +dn = self.obj.get_dn(*rdnkeys) del entry_attrs[self.obj.rdnattr] options['rdnupdate'] = True rdnupdate = True -- 1.7.3.3 freeipa-jhrozek-027-rename-with-parent.patch.sig Description: PGP signature ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
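Review bot: The new DN is computed only after `ldap.update_entry_rdn` has already renamed the entry, so if `self.obj.get_dn(*rdnkeys)` raises for any reason the directory has been changed while the command fails without a usable `dn`; computing `rdnkeys` and the new `dn` before the `update_entry_rdn` call keeps the two steps consistent. The `keys[:-1] + (...)` concatenation also assumes `keys` is a tuple, which matches how it is used in the other baseldap patch on this page but is worth stating, e.g. `# keep the parent keys, replace only the RDN component`. The enclosing method starts before this hunk and continues after it.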
[Freeipa-devel] [PATCH] Make pkey always iterable when deleting
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 When deleting multiple objects, the code tries to enforce that the primary key is always iterable by doing: keys = keys[:-1] + (keys[-1], ) But this doesn't work, the line only concatenates two tuples effectively returning the original one. See the attached patch for a fix. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0PSOgACgkQHsardTLnvCWaYwCgxLGN09ZAjApMevLaQqlSM0hZ NnIAoLFkL2o2eBbQhDyEEJ7URz9NkFvo =Z2cP -END PGP SIGNATURE- From 0438ac08fbfbc6e06cded529b6021f3c5b5255fe Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Tue, 14 Dec 2010 18:02:41 +0100 Subject: [PATCH] Make pkey always iterable when deleting --- ipalib/plugins/baseldap.py |8 +--- 1 files changed, 5 insertions(+), 3 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 69682dc..3adf351 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -889,12 +889,14 @@ class LDAPDelete(LDAPMultiQuery): return result if not self.obj.primary_key or not isinstance(keys[-1], (list, tuple)): -keys = keys[:-1] + (keys[-1], ) +pkeyiter = (keys[-1], ) +else: +pkeyiter = keys[-1] deleted = [] failed = [] result = True -for pkey in keys[-1]: +for pkey in pkeyiter: try: if not delete_entry(pkey): result = False @@ -905,7 +907,7 @@ class LDAPDelete(LDAPMultiQuery): else: deleted.append(pkey) -if self.obj.primary_key and keys[-1] is not None: +if self.obj.primary_key and pkeyiter is not None: return dict(result=result, value=u','.join(deleted)) return dict(result=result, value=u'') -- 1.7.3.3 freeipa-jhrozek-028-pkey-iterable.patch.sig Description: PGP signature ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
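Review bot: The new `pkeyiter` normalisation deserves a comment, because the branch condition folds together two different cases — an object with no primary key at all, and a single key that is not already a list or tuple — and the reason for wrapping is not obvious from the loop alone: `# wrap a single key so the loop below always iterates a sequence of pkeys`. Both branches still evaluate `keys[-1]`, so the no-primary-key case with an empty `keys` tuple would raise IndexError here; the removed line had the same exposure, and whether `keys` can be empty there is not visible from the hunk. The identical first hunk is carried unchanged into the resubmitted version of this patch further down the page. The enclosing method starts before this hunk and continues after it.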
[Freeipa-devel] [PATCH] 029 Enforce uniqueness on (key, info) pairs in automount keys
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Attached is a patch that changes the uniqueness constraint of automount keys from (key) to (key,info) pairs. The patch is not really standard baseldap style. The reason is that during development, I found that baseldap is really dependent on having a single primary key and also during many operations accessing it as keys[-1]. Please note that the ipa automountkey-* commands used to have three args, now its two args and two required options (that compose the tuple that is primary key). I know next to nothing about UI, but I assume this has consequences as the JSON marshalled call needs to be different now. Can someone point me to the place in code that I need to fix now? Fixes: https://fedorahosted.org/freeipa/ticket/293 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0PXtgACgkQHsardTLnvCUSkACfS010sMTUgl2Oi7x2eKvL9cVV DtUAoNuqMZFwV9MypFvJ4Oe8VTBVVqx0 =ChvW -END PGP SIGNATURE- From 4cfcbbd2e28a6e4a4b4d272136c6b3d92f34b3ac Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Sun, 19 Dec 2010 21:23:16 +0100 Subject: [PATCH] Enforce uniqueness on (key,info) pairs in automount keys https://fedorahosted.org/freeipa/ticket/293 --- install/share/bootstrap-template.ldif |3 +- ipalib/plugins/automount.py| 179 ++-- tests/test_xmlrpc/test_automount_plugin.py | 82 ++--- 3 files changed, 236 insertions(+), 28 deletions(-) diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index 69dbe3d..cfa8ec2 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif 
@@ -64,11 +64,12 @@ changetype: add objectClass: automountMap automountMapName: auto.direct -dn: automountkey=/-,automountmapname=auto.master,cn=default,cn=automount,$SUFFIX +dn: description=/- auto.direct,automountmapname=auto.master,cn=default,cn=automount,$SUFFIX changetype: add objectClass: automount automountKey: /- automountInformation: auto.direct +description: /- auto.direct dn: cn=hbacservices,cn=accounts,$SUFFIX changetype: add diff --git a/ipalib/plugins/automount.py b/ipalib/plugins/automount.py index 39605d4..d2df07b 100644 --- a/ipalib/plugins/automount.py +++ b/ipalib/plugins/automount.py @@ -88,16 +88,19 @@ Keys: Create a new key for the auto.share map in location baltimore. This ties the map we previously created to auto.master: - ipa automountkey-add baltimore auto.master /share --info=auto.share +ipa automountkey-add baltimore auto.master --key=/share --info=auto.share Create a new key for our auto.share map, an NFS mount for man pages: -ipa automountkey-add baltimore auto.share man --info="-ro,soft,rsize=8192,wsize=8192 ipa.example.com:/shared/man" +ipa automountkey-add baltimore auto.share --key=man --info="-ro,soft,rsize=8192,wsize=8192 ipa.example.com:/shared/man" Find all keys for the auto.share map: -ipa automountkey-find baltimore auto.share +ipa automountkey-find baltimore --info=auto.share + + Find all direct automount keys: +ipa automountkey-find baltimore --key=/- Remove the man key from the auto.share map: -ipa automountkey-del baltimore auto.share man +ipa automountkey-del baltimore auto.share --key=man """ """ 
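Review bot: The new naming attribute value `description=/- auto.direct` is the key and the mount information joined by a space, so the entry's RDN now carries whatever the information string contains; the `--info="-ro,soft,rsize=8192,wsize=8192 ..."` example later on this page shows values with commas and equals signs, which need RFC 4514 escaping when the DN is built or the resulting DN is ambiguous or invalid. The Python that composes this RDN is cut off at the end of this chunk, so I cannot see whether it escapes; the bootstrap entry here is fine either way, user-supplied keys are not if it does not. Using `description`, a free-form attribute, as the uniqueness key should also be stated in the template, e.g. `# description holds "<key> <info>" and is the naming attribute enforcing (key, info) uniqueness`. The resubmitted patch later on this page carries the same hunk.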
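Review bot: The example under `Find all keys for the auto.share map:` now runs `ipa automountkey-find baltimore --info=auto.share`, and by the other examples in the same docstring `--info` is the mount information, not the map, so the caption no longer describes what the command does. Either keep the map under that caption (`ipa automountkey-find baltimore auto.share`, if the map positional argument survives the change) or reword the caption to `Find all keys whose information is auto.share:`. The same docstring hunk appears unchanged in the resubmitted patch further down this page.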
@@ -362,7 +365,11 @@ class automountlocation_import(LDAPQuery): # Add a new key to the auto.master map for the new map file try: -api.Command['automountkey_add'](args[0], u'auto.master', unicode(am[0]), automountinformation=unicode(' '.join(am[1:]))) +api.Command['automountkey_add']( +args[0], +u'auto.master', +automountkey=unicode(am[0]), +automountinformation=unicode(' '.join(am[1:]))) result['keys'].append([am[0], u'auto.master']) except errors.DuplicateEntry, e: if options.get('continue', False): @@ -410,7 +417,11 @@ class automountlocation_import(LDAPQuery): am = x.split(None) key = unicode(am[0].replace('"','')) try: -api.Command['automountkey_add'](args[0], unicode(m), key, automountinformation=unicode(' '.join(am[1:]))) +api.Command['automountkey_add']( +args[0], +unicode(m), +automountkey=key, +automountinformation=unicode(' '.join(am[1:]))) result['keys'].append([key,m]) except errors.DuplicateEntry, e: if options.get('continue', False): @@ -566,25 +577,88 @@ class automountkey(LDAPObject): default_attributes = [ 'automountkey', 'automountinformation', 'description' ] +rdn
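Review bot: With uniqueness now on the (key, info) pair, the `except errors.DuplicateEntry` handler just below each changed `automountkey_add` call (both hunks on this line) only fires when an imported line matches an existing key and its information exactly; an import that redefines an existing key with different mount information would presumably be added as a second entry for that key rather than reported as a duplicate. If the importer is meant to keep reporting such redefinitions, a lookup by key before the add is needed; I cannot see the `automountkey_add` implementation in this chunk, and the third hunk on this line is cut off. A one-line comment above the first call, `# duplicates are now detected on (key, info), not on key alone`, would at least make the changed semantics visible to the next reader. `automountlocation_import`'s body begins before these hunks.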
Re: [Freeipa-devel] [PATCH] Make pkey always iterable when deleting
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12/20/2010 03:07 PM, Jan Zelený wrote: > Jakub Hrozek wrote: >> When deleting multiple objects, the code tries to enforce that the >> primary key is always iterable by doing: >> >> keys = keys[:-1] + (keys[-1], ) >> >> But this doesn't work, the line only concatenates two tuples effectively >> returning the original one. See the attached patch for a fix. > > nack: you have the condition in chunk #2 wrong - pkeyiter will be never None > > Jan > Thanks, attached is a new patch. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0PaBYACgkQHsardTLnvCVszQCeJLpRnhTlTE4sfXEsOGYHxTuM XNMAoOPT5ha6jlNRFlcg86GLAcElsRI8 =P15o -END PGP SIGNATURE- From f187c602390f369c290bddb99ba74df491335701 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Tue, 14 Dec 2010 18:02:41 +0100 Subject: [PATCH] Make pkey always iterable when deleting --- ipalib/plugins/baseldap.py |8 +--- 1 files changed, 5 insertions(+), 3 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 69682dc..ea974f9 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -889,12 +889,14 @@ class LDAPDelete(LDAPMultiQuery): return result if not self.obj.primary_key or not isinstance(keys[-1], (list, tuple)): -keys = keys[:-1] + (keys[-1], ) +pkeyiter = (keys[-1], ) +else: +pkeyiter = keys[-1] deleted = [] failed = [] result = True -for pkey in keys[-1]: +for pkey in pkeyiter: try: if not delete_entry(pkey): result = False 
@@ -905,7 +907,7 @@ class LDAPDelete(LDAPMultiQuery): else: deleted.append(pkey) -if self.obj.primary_key and keys[-1] is not None: +if self.obj.primary_key and pkeyiter[0] is not None: return dict(result=result, value=u','.join(deleted)) return dict(result=result, value=u'') -- 1.7.3.3 freeipa-jhrozek-028-02-pkey-iterable.patch.sig Description: PGP signature ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
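Review bot: `pkeyiter[0]` on the changed line raises IndexError when `keys[-1]` is an empty list or tuple, because the `else` branch in the first hunk assigns that sequence unchanged and the delete loop over it simply does nothing; the previous `keys[-1] is not None` never indexed. `if self.obj.primary_key and pkeyiter and pkeyiter[0] is not None:` keeps the intended None test and survives an empty sequence. Note too that when `keys[-1]` is None the wrap in the first hunk yields `(None,)` and the loop calls `delete_entry(None)` before this line is reached, so if None can legitimately arrive here the guard belongs before the loop; whether it can is not visible from the hunk. The enclosing method starts before this hunk.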
Re: [Freeipa-devel] [PATCH] 029 Enforce uniqueness on (key, info) pairs in automount keys
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12/20/2010 02:49 PM, Jakub Hrozek wrote: > Attached is a patch that changes the uniqueness constraint of automount > keys from (key) to (key,info) pairs. The patch is not really standard > baseldap style. The reason is that during development, I found that > baseldap is really dependent on having a single primary key and also > during many operations accessing it as keys[-1]. > > Please note that the ipa automountkey-* commands used to have three > args, now its two args and two required options (that compose the tuple > that is primary key). I know next to nothing about UI, but I assume this > has consequences as the JSON marshalled call needs to be different now. > Can someone point me to the place in code that I need to fix now? > > Fixes: > https://fedorahosted.org/freeipa/ticket/293 Sorry, I left some debugging statements in. Attached is a new patch. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0PaUkACgkQHsardTLnvCXYsgCePRyuu2yz6yQ+Pw1dhf3P61eW VFUAoL9RDDDOSolHA0dg35lSwitp/mNE =tsL7 -END PGP SIGNATURE- From 03b1b94e4cec479a139e1d20640f8900337c0419 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Sun, 19 Dec 2010 21:23:16 +0100 Subject: [PATCH] Enforce uniqueness on (key,info) pairs in automount keys https://fedorahosted.org/freeipa/ticket/293 --- install/share/bootstrap-template.ldif |3 +- ipalib/plugins/automount.py| 177 ++-- tests/test_xmlrpc/test_automount_plugin.py | 82 ++--- 3 files changed, 234 insertions(+), 28 deletions(-) diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index 69dbe3d..cfa8ec2 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif 
@@ -64,11 +64,12 @@ changetype: add objectClass: automountMap automountMapName: auto.direct -dn: automountkey=/-,automountmapname=auto.master,cn=default,cn=automount,$SUFFIX +dn: description=/- auto.direct,automountmapname=auto.master,cn=default,cn=automount,$SUFFIX changetype: add objectClass: automount automountKey: /- automountInformation: auto.direct +description: /- auto.direct dn: cn=hbacservices,cn=accounts,$SUFFIX changetype: add diff --git a/ipalib/plugins/automount.py b/ipalib/plugins/automount.py index 39605d4..a568908 100644 --- a/ipalib/plugins/automount.py +++ b/ipalib/plugins/automount.py @@ -88,16 +88,19 @@ Keys: Create a new key for the auto.share map in location baltimore. This ties the map we previously created to auto.master: - ipa automountkey-add baltimore auto.master /share --info=auto.share +ipa automountkey-add baltimore auto.master --key=/share --info=auto.share Create a new key for our auto.share map, an NFS mount for man pages: -ipa automountkey-add baltimore auto.share man --info="-ro,soft,rsize=8192,wsize=8192 ipa.example.com:/shared/man" +ipa automountkey-add baltimore auto.share --key=man --info="-ro,soft,rsize=8192,wsize=8192 ipa.example.com:/shared/man" Find all keys for the auto.share map: -ipa automountkey-find baltimore auto.share +ipa automountkey-find baltimore --info=auto.share + + Find all direct automount keys: +ipa automountkey-find baltimore --key=/- Remove the man key from the auto.share map: -ipa automountkey-del baltimore auto.share man +ipa automountkey-del baltimore auto.share --key=man """ """ 
@@ -362,7 +365,11 @@ class automountlocation_import(LDAPQuery): # Add a new key to the auto.master map for the new map file try: -api.Command['automountkey_add'](args[0], u'auto.master', unicode(am[0]), automountinformation=unicode(' '.join(am[1:]))) +api.Command['automountkey_add']( +args[0], +u'auto.master', +automountkey=unicode(am[0]), +automountinformation=unicode(' '.join(am[1:]))) result['keys'].append([am[0], u'auto.master']) except errors.DuplicateEntry, e: if options.get('continue', False): @@ -410,7 +417,11 @@ class automountlocation_import(LDAPQuery): am = x.split(None) key = unicode(am[0].replace('"','')) try: -api.Command['automountkey_add'](args[0], unicode(m), key, automountinformation=unicode(' '.join(am[1:]))) +api.Command['automountkey_add']( +args[0], +unicode(m), +automountkey=key, +automountinformation=unicode(' '.join(am[1:]))) result['keys'].append([key,m]) except errors.DuplicateEntry, e: if options.get('continue', False): @@ -566,25 +577,86
[Freeipa-devel] [PATCH] 030 Fix delegation.ldif
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 There was a typo in the delagation LDIF file that caused the LDIF to fail to load during installation. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0PbbQACgkQHsardTLnvCXGpgCg5dHyih4G+btRmMdc9OU84Q8p qjQAoNwwGuatbAP7vNkIzOYFch+CSbMQ =iQII -END PGP SIGNATURE- From dff2a30dc88cce7fe287ceba175a49650e68674b Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Mon, 20 Dec 2010 15:44:21 +0100 Subject: [PATCH] Fix delegation.ldif typo --- install/share/delegation.ldif |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif index 235f59b..abd2aae 100644 --- a/install/share/delegation.ldif +++ b/install/share/delegation.ldif @@ -581,7 +581,7 @@ aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = "krblrincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX";)(version 3.0;acl "Manage service keytab";allow (write) groupdn = "ldap:///cn=manage_service_keytab,cn=permissions,cn=accounts,$SUFFIX";;) +aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX";)(version 3.0;acl "Manage service keytab";allow (write) groupdn = "ldap:///cn=manage_service_keytab,cn=permissions,cn=accounts,$SUFFIX";;) # Add the ACI needed to do host enrollment. When this occurs we # set the krbPrincipalName, add krbPrincipalAux to objectClass and -- 1.7.3.3 freeipa-jhrozek-030-delegation-typo.patch.sig Description: PGP signature ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 030 Fix delegation.ldif
Jakub Hrozek wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 There was a typo in the delegation LDIF file that caused the LDIF to fail to load during installation. ack, pushed to master rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 030 Fix delegation.ldif
On Mon, 20 Dec 2010 15:52:36 +0100 Jakub Hrozek wrote: > There was a typo in the delegation LDIF file that caused the LDIF to > fail to load during installation. Obviously correct, ACK and pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Make pkey always iterable when deleting
Jakub Hrozek wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12/20/2010 03:07 PM, Jan Zelený wrote: Jakub Hrozek wrote: When deleting multiple objects, the code tries to enforce that the primary key is always iterable by doing: keys = keys[:-1] + (keys[-1], ) But this doesn't work, the line only concatenates two tuples effectively returning the original one. See the attached patch for a fix. nack: you have the condition in chunk #2 wrong - pkeyiter will be never None Jan Thanks, attached is a new patch. pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Allow renaming of object that have a parent
Jan Zelený wrote: Jakub Hrozek wrote: When performing an RDN change, we would construct the new DN from the RDN attribute only. This doesn't work when the object has a parent. There's currently no testcase, I hit that when working on automount - so this patch will be testable with the automount patch and also a dependency for it. But I think the code is pretty clear.. ack pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Added option --no-reverse to add-host
Jakub Hrozek wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12/14/2010 07:05 PM, Jan Zelený wrote: When adding a host with specific IP address, the operation would fail in case we don't own the reverse DNS. This new option overrides the check for reverse DNS zone and falls back to different IP address existence check. https://fedorahosted.org/freeipa/ticket/417 I was considering deleting the reverse zone detection entirely and check the IP address directly by querying for A records containing it, but I think this way it is more efficient. Ack pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] import NSPRError in host.py
Jan Zelený wrote: Jakub Hrozek wrote: The host plugin references NSPRError in a couple of places but never imports it. Obviously ack pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Fixed typos in man page of ipa-getkeytab.
David O'Brien wrote: Gowrishankar Rajaiyan wrote: Hi All, Fixed typos in the man page of ipa-getkeytab and corrected my name in Contributors.txt. Regards /Shanks ACK pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 023 Clarify ipa-replica-install error message
Jan Zelený wrote: Jakub Hrozek wrote: Just a cosmetic fix to the replica installation error message, there's no ticket for this. ack Jan pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 025 Allow RDN changes from CLI
Jan Zelený wrote: Jakub Hrozek wrote: Adds a new parameter 'rename' to all objects with 'rdnattr' attribute. This parameter is a clone of the rdnattr attribute, except for name and docs, so normalizer, default_from and also the type are the same as the original attribute. https://fedorahosted.org/freeipa/ticket/397 ack Jan pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 022 Check the number of fields when importing automount maps
Jan Zelený wrote: Jakub Hrozek wrote: https://fedorahosted.org/freeipa/ticket/359 Sending this separately from the other automount changes since those are more intrusive and may be under review for a while. ack Jan pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 021 Make the IPA installer IPv6 friendly
Jan Zelený wrote: Jakub Hrozek wrote: On 12/15/2010 10:55 AM, Jan Zelený wrote: Jakub Hrozek wrote: This is a first patch towards IPv6 support. Currently it only touches the installer only as other changes will be fully testable only when python-nss is IPv6 ready. Changes include: * parse records in dnsclient * also ask for records when verifying FQDN * do not use functions that are not IPv6 aware - notably socket.gethostbyname(). The complete list of functions was taken from http://www.akkadia.org/drepper/userapi-ipv6.html section "Interface Checklist" Nack, the patch doesn't handle situations when host cannot be resolved. Jan Thanks, it didn't handle the case in ipa-replica-install, now it should catch the exception and return None (and the caller would react upon getting None for the IP address). In krbinstance.py it would still raise an exception, but I think that is OK during instance creation (we surely don't want to print anything). The user would see the error string, anyway.. ack Jan pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0032 Cleanup when deleting a replica
On Wed, Dec 15, 2010 at 08:01:10PM -0500, Simo Sorce wrote: > > Clean up records related to the master being deleted in the shared tree. > > This also avoid issues later on if you want to rejoin the server as a > master. It is also needed in order to give back valid information for > patch 0035 > > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York > def del_master(replman, hostname, force=False): > +has_repl_agreement = True > try: > t = replman.get_agreement_type(hostname) > except ldap.NO_SUCH_OBJECT: > print "No replication agreement found for '%s'" % hostname > -return > +if force: > +has_repl_agreement = False > +else: > +return > except errors.NotFound: > print "No replication agreement found for '%s'" % hostname > -return > +if force: > +has_repl_agreement = False > +else: > +return This is just a nitpick but the above except: blocks are exactly the same. One could remove the redundancy by just using: except (errors.NotFound, ldap.NO_SUCH_OBJECT): > + > +def replica_cleanup(self, replica, realm, force=False): > + > +err = None > + > +if replica == self.hostname: > +raise RuntimeError("Can't cleanup self") > + > +if not self.suffix or self.suffix == "": > +self.suffix = util.realm_to_suffix(realm) > +self.suffix = ipaldap.IPAdmin.normalizeDN(self.suffix) This looks suspicious. Should one of these be in else: perhaps? The rest of the code looks OK, but I'm currently not able to test as the deletion fails with "Insufficient access". In my setup, vm-061 is the master and vm-038 is the replica: [r...@vm-061 ~]# ipa-replica-manage list vm-061.idm.lab.bos.redhat.com vm-038.idm.lab.bos.redhat.com [r...@vm-061 ~]# ipa-replica-manage del vm-038.idm.lab.bos.redhat.com Unable to remove agreement on vm-038.idm.lab.bos.redhat.com: Insufficient access: ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
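Review bot: In the quoted `replica_cleanup` excerpt, `if not self.suffix or self.suffix == "":` tests the same condition twice, since an empty string is already falsy; `if not self.suffix:` says it. In the `del_master` excerpt, `has_repl_agreement = False` under `force` lets the call continue with no agreement found, and what the rest of the function skips in that state is not visible here, so a short comment at the assignment saying what the forced path is expected to do would help the next reader. Both functions are shown only partially in this quote.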
Re: [Freeipa-devel] [PATCH] 0033 Add disconnect command to change topology
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12/16/2010 02:02 AM, Simo Sorce wrote: > > This command will delete a replication agreement unless it is the last > one on either server. It is used to change replication topology without > actually removing any single master for the domain (the del command > must be used if that the intent). > > Simo. > Please document the new action in the manpage. As the actions are not printed when one specifies --help, there's no way to discover it short of reading the code. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0PkOgACgkQHsardTLnvCXuDQCeMHTn6ezhtHQmxq7FVx0NATBn iNIAoKsWq/2DgHljH2VVc/gK1S+C8bVD =/Lcz -END PGP SIGNATURE- ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Enable filtering search results by member attributes.
On 12/20/2010 11:20 AM, Jan Zelený wrote: Pavel Zuna wrote: On 12/08/2010 08:30 PM, Rob Crittenden wrote: Pavel Zůna wrote: On 2010-11-30 04:06, Rob Crittenden wrote: Pavel Zůna wrote: LDAPSearch base class has now the ability to generate additional options for objects with member attributes. These options are used to filter search results - search only for objects without the specified members. Any class that extends LDAPSearch can benefit from this functionality. This patch enables it for the following objects: group, netgroup, rolegroup, hostgroup, taskgroup Example: ipa group-find --no-users=admin Only direct members are taken into account, but if we need indirect members as well - it's not a problem. Ticket #288 Pavel This works as advertised but I wonder what would happen if a huge list of members was passed in to ignore. Is there a limit on the search filter size (remember that the member will be translated into a full dn so will quickly grow in size). Should we impose a cofigurable limit on the # of members to be excluded? Is there a max search filter size and should we check that we haven't exceeded that before doing a search? rob I tried it out with more than a 1000 users and was getting an unwilling to perform error (search filter nested too deep). After a little bit of investigation, I figured the filter was being generated like this: (&(&(!(a=v))(!(a2=v2 We were going deeper with each additional DN! I updated the patch to generate the filter like this instead: (!(|(a=v)(a2=v2))) Tried it again with more than 1000 users (~55Kb) - it worked and wasn't even slow. Updated patch attached. I also had to fix a bug in ldap2 filter generator, as a result this patch depends on my patch number 43. Pavel You'll need to rebase this against master but otherwise ACK. It might be a small optimization to de-dupe the no-users list but it isn't a priority. rob Re-based patch attached. Pavel This hasn't been already pushed and the patch still applies against master. 
Can someone push it so the ticket can be closed? Jan ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ACK, pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Added option --no-reverse to add-host
On 12/20/2010 10:45 AM, Rob Crittenden wrote: Jakub Hrozek wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12/14/2010 07:05 PM, Jan Zelený wrote: When adding a host with specific IP address, the operation would fail in case we don't own the reverse DNS. This new option overrides the check for reverse DNS zone and falls back to different IP address existence check. https://fedorahosted.org/freeipa/ticket/417 I was considering deleting the reverse zone detection entirely and check the IP address directly by querying for A records containing it, but I think this way it is more efficient. Ack pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel I think that this is going to make the CLI capable of doing something that the CLI can't. Do we need a UI field to add in this flag? ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 655 translation delegation group dns to names
Translate the membergroup dn into a group name. Drop filter from the output, it is superfluous. ticket 634 >From b8077ae7945f5395afc47f5d6d317e07d283fe3e Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Mon, 20 Dec 2010 13:53:35 -0500 Subject: [PATCH] Translate the membergroup dn into a group name. Drop filter from the output, it is superfluous. ticket 634 --- ipalib/plugins/delegation.py| 33 ++ tests/test_xmlrpc/test_delegation_plugin.py | 17 +- 2 files changed, 29 insertions(+), 21 deletions(-) diff --git a/ipalib/plugins/delegation.py b/ipalib/plugins/delegation.py index c233784..468e017 100644 --- a/ipalib/plugins/delegation.py +++ b/ipalib/plugins/delegation.py @@ -50,7 +50,7 @@ from ipalib import api, crud, errors from ipalib import output from ipalib import Object, Command -def convert_delegation(aci): +def convert_delegation(ldap, aci): """ memberOf is in filter but we want to pull out the group for easier displaying. @@ -61,11 +61,19 @@ def convert_delegation(aci): raise errors.NotFound(reason=_('Delegation \'%(permission)s\' not found') % dict(permission=aci['aciname'])) en = filter.find(')', st) membergroup = filter[st+9:en] -aci['membergroup'] = membergroup +try: +(dn, entry_attrs) = ldap.get_entry(membergroup, ['cn']) +except Exception, e: +# Uh oh, the group we're granting access to has an error +msg = _('Error retrieving member group %(group)s: %(error)s') % (membergroup, str(e)) +raise errors.NonFatalError(reason=msg) +aci['membergroup'] = entry_attrs['cn'] + +del aci['filter'] return aci -def is_delegation(aciname): +def is_delegation(ldap, aciname): """ Determine if the ACI is a Delegation ACI and raise an exception if it isn't. 
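Review bot: `_('Error retrieving member group %(group)s: %(error)s') % (membergroup, str(e))` raises TypeError at runtime, because a `%(name)s` format needs a mapping and a tuple is supplied; the same function already uses the right form a few lines up with `dict(permission=...)`, so this should be `% dict(group=membergroup, error=str(e))`. As written the `except` path replaces the intended NonFatalError with a formatting error. Two smaller points on the same hunk: `except Exception, e:` catches everything, including NotFound, which may be deliberate but deserves a word in the comment; and `aci['membergroup'] = entry_attrs['cn']` stores whatever `get_entry` returns for `cn` — if that is a list, the test change at the end of this page (`member1 = u'admins'`) suggests callers expect a bare name and `entry_attrs['cn'][0]` is what is wanted, but I cannot confirm the return shape from this chunk.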
@@ -75,7 +83,7 @@ def is_delegation(aciname): """ result = api.Command['aci_show'](aciname)['result'] if 'filter' in result: -result = convert_delegation(result) +result = convert_delegation(ldap, result) else: raise errors.NotFound(reason=_('Delegation \'%(permission)s\' not found') % dict(permission=aciname)) return result @@ -144,11 +152,12 @@ class delegation_add(crud.Create): msg_summary = _('Added delegation "%(value)s"') def execute(self, aciname, **kw): +ldap = self.api.Backend.ldap2 if not 'permissions' in kw: kw['permissions'] = (u'write',) result = api.Command['aci_add'](aciname, **kw)['result'] if 'filter' in result: -result = convert_delegation(result) +result = convert_delegation(ldap, result) return dict( result=result, @@ -167,7 +176,8 @@ class delegation_del(crud.Delete): msg_summary = _('Deleted delegation "%(value)s"') def execute(self, aciname, **kw): -is_delegation(aciname) +ldap = self.api.Backend.ldap2 +is_delegation(ldap, aciname) result = api.Command['aci_del'](aciname, **kw) return dict( result=True, @@ -185,10 +195,11 @@ class delegation_mod(crud.Update): msg_summary = _('Modified delegation "%(value)s"') def execute(self, aciname, **kw): -is_delegation(aciname) +ldap = self.api.Backend.ldap2 +is_delegation(ldap, aciname) result = api.Command['aci_mod'](aciname, **kw)['result'] if 'filter' in result: -result = convert_delegation(result) +result = convert_delegation(ldap, result) return dict( result=result, value=aciname, @@ -207,12 +218,13 @@ class delegation_find(crud.Search): ) def execute(self, term, **kw): +ldap = self.api.Backend.ldap2 acis = api.Command['aci_find'](term, **kw)['result'] results = [] for aci in acis: try: if 'filter' in aci: -aci = convert_delegation(aci) +aci = convert_delegation(ldap, aci) results.append(aci) except errors.NotFound: pass 
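Review bot: delegation_find's `except errors.NotFound: pass` (the -207 hunk) no longer covers everything convert_delegation can raise: with this patch a failed member-group lookup raises errors.NonFatalError, so one ACI whose group cannot be resolved aborts the whole search instead of being skipped like an ACI with an unparsable filter; `except (errors.NotFound, errors.NonFatalError): pass` restores per-entry skipping, if that is the intended behaviour. The same `ldap = self.api.Backend.ldap2` local is introduced in each of the five execute methods (the fifth in the -237 hunk on the next line); passing `self.api.Backend.ldap2` straight to convert_delegation/is_delegation would avoid the repetition. delegation_find.execute appears to continue past the hunk.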
@@ -237,7 +249,8 @@ class delegation_show(crud.Retrieve): ) def execute(self, aciname, **kw): -result = is_delegation(aciname) +ldap = self.api.Backend.ldap2 +result = is_delegation(ldap, aciname) return dict( result=result, value=aciname, diff --git a/tests/test_xmlrpc/test_delegation_plugin.py b/tests/test_xmlrpc/test_delegation_plugin.py index a4520f4..b2b24d9 100644 --- a/tests/test_xmlrpc/test_delegation_plugin.py +++ b/tests/test_xmlrpc/test_delegation_plugin.py @@ -26,7 +26,7 @@ from tests.test_xmlrpc import objectclasses from xmlrpc_test import Declarative, fuzzy_digits, fuzzy_uuid delegation1 = u'testdelegation' -memberdn1 = u'cn=admins,cn=groups,cn=accounts,%s' % api.env.basedn +member1 = u'admins' class test_delegatio
Re: [Freeipa-devel] [PATCH] Bugfixes for bind-dyndb-ldap
On Wed, 15 Dec 2010 12:29:01 -0500 Simo Sorce wrote: > On Wed, 15 Dec 2010 18:21:20 +0100 > Adam Tkac wrote: > > > Hello, > > > > those four patches for bind-dyndb-ldap fix following issues: > > > > 0001-Bugfix-Improve-LDAP-schema-to-be-loadable-by-OpenLDA.patch: > > - Current schema is not loadable by OpenLDAP > > - https://bugzilla.redhat.com/show_bug.cgi?id=622604 > > > > 0002-Change-bug-reporting-address-to-freeipa-devel-redhat.patch > > - fix bug reporting address > > > > 0003-Fail-and-emit-error-when-BIND9-or-OpenLDAP-devel-fil.patch > > - ./configure should fail if bind-devel or openldap-devel is not > > installed > > > > 0004-Bugfix-Fix-loading-of-child-zones-from-LDAP.patch > > - child zones aren't currently loaded well > > - https://bugzilla.redhat.com/show_bug.cgi?id=622617 > > > > If noone has objections I will push patches till end of the week. > > ACK to all four. These have been pushed. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0032 Cleanup when deleting a replica
On Mon, 20 Dec 2010 18:02:02 +0100 Jakub Hrozek wrote: > On Wed, Dec 15, 2010 at 08:01:10PM -0500, Simo Sorce wrote: > > > > Clean up records related to the master being deleted in the shared > > tree. > > > > This also avoid issues later on if you want to rejoin the server as > > a master. It is also needed in order to give back valid information > > for patch 0035 > > > > Simo. > > > > -- > > Simo Sorce * Red Hat, Inc * New York > > > def del_master(replman, hostname, force=False): > > +has_repl_agreement = True > > try: > > t = replman.get_agreement_type(hostname) > > except ldap.NO_SUCH_OBJECT: > > print "No replication agreement found for '%s'" % hostname > > -return > > +if force: > > +has_repl_agreement = False > > +else: > > +return > > except errors.NotFound: > > print "No replication agreement found for '%s'" % hostname > > -return > > +if force: > > +has_repl_agreement = False > > +else: > > +return > > This is just a nitpick but the above except: blocks are exactly the > same. One could remove the redundancy by just using: > > except (errors.NotFound, ldap.NO_SUCH_OBJECT): > > > + > > +def replica_cleanup(self, replica, realm, force=False): > > + > > +err = None > > + > > +if replica == self.hostname: > > +raise RuntimeError("Can't cleanup self") > > + > > +if not self.suffix or self.suffix == "": > > +self.suffix = util.realm_to_suffix(realm) > > +self.suffix = ipaldap.IPAdmin.normalizeDN(self.suffix) > > This looks suspicious. Should one of these be in else: perhaps? No, I just reused the same var to keep a temporary value, instead of having a long line. not pretty but it is correct. I can use a temp var if you think it makes for more readable code though. > The rest of the code looks OK, but I'm currently not able to test as > the deletion fails with "Insufficient access". 
In my setup, vm-061 is > the master and vm-038 is the replica: > > [r...@vm-061 ~]# ipa-replica-manage list vm-061.idm.lab.bos.redhat.com > vm-038.idm.lab.bos.redhat.com > [r...@vm-061 ~]# ipa-replica-manage del vm-038.idm.lab.bos.redhat.com > Unable to remove agreement on vm-038.idm.lab.bos.redhat.com: > Insufficient access: Do you have a ticket as admin when you try this ? Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0033 Add disconnect command to change topology
On Mon, 20 Dec 2010 18:22:48 +0100 Jakub Hrozek wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On 12/16/2010 02:02 AM, Simo Sorce wrote: > > > > This command will delete a replication agreement unless it is the > > last one on either server. It is used to change replication > > topology without actually removing any single master for the domain > > (the del command must be used if that is the intent). > > > > Simo. > > > > Please document the new action in the manpage. As the actions are not > printed when one specifies --help, there's no way to discover it short > of reading the code. I have a separate ticket to add all the changes to the man page. It requires some deep review and I preferred to split it from the rest of the changes. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] Remove referrals to removed replicas/links
When a replication agreement is removed also make sure to remove referrals to the replicas to avoid dangling referrals. This patch also fixes acis related to replica as the fix is also required to be able to change the referrals attributes. Simo. -- Simo Sorce * Red Hat, Inc * New York >From 7a7436a36b618f4364f7220f3d532fa901ce660a Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 20 Dec 2010 10:05:17 -0500 Subject: [PATCH] Remove referrals when removing agreements Part of this fix requires also giving proper permission to change the replication agreements root. While there also fix replica-related permissions to have the classic add/modify/remove triplet of permissions. Fixes: https://fedorahosted.org/freeipa/ticket/630 --- install/share/delegation.ldif| 20 ++-- install/share/replica-acis.ldif |9 +++-- install/tools/ipa-replica-manage |2 ++ ipaserver/install/replication.py | 13 + 4 files changed, 36 insertions(+), 8 deletions(-) diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif index 7a634821cd43558f3846649862a5a5c1b81d9f5b..79533fda7c245cbbcec0eb2fb08fb6b4b853ea34 100644 --- a/install/share/delegation.ldif +++ b/install/share/delegation.ldif 
@@ -441,20 +441,28 @@ member: cn=enrollhost,cn=privileges,cn=accounts,$SUFFIX # Replica administration -dn: cn=managereplica,cn=permissions,cn=accounts,$SUFFIX +dn: cn=addreplica,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: managereplica -description: Manage Replication Agreements +cn: addreplica +description: Add Replication Agreements member: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=deletereplica,cn=permissions,cn=accounts,$SUFFIX +dn: cn=modifyreplica,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: deletereplica -description: Delete Replication Agreements +cn: modifyreplica +description: Modify Replication Agreements +member: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX + +dn: cn=removereplica,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: removereplica +description: Remove Replication Agreements member: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX # Entitlement management diff --git a/install/share/replica-acis.ldif b/install/share/replica-acis.ldif index 931163cfe8b5cf9ba5250bdfaa33097b1fc79590..feda1d9b74962447f2d909923097d6d69dcae88f 100644 --- a/install/share/replica-acis.ldif +++ b/install/share/replica-acis.ldif 
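Review bot: The permission entries are renamed and re-split (managereplica/deletereplica become addreplica, modifyreplica and removereplica), but if delegation.ldif is, as its install/share path suggests, loaded only at install time, an existing server keeps the old cn=managereplica and cn=deletereplica entries and gets none of the new ones unless an update step adds them; if that is handled elsewhere, a sentence in the commit message saying so would help. The new ACIs in replica-acis.ldif on the next line reference the new names, so on such a server the add/modify/remove grants would name groups that do not exist and never match.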
@@ -3,10 +3,15 @@ dn: cn="$SUFFIX",cn=mapping tree,cn=config changetype: modify add: aci -aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; acl "Manage Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=managereplica,cn=permissions,cn=accounts,$SUFFIX";;) +aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "Add Replication Agreements";allow (add) groupdn = "ldap:///cn=addreplica,cn=permissions,cn=accounts,$SUFFIX";;) dn: cn="$SUFFIX",cn=mapping tree,cn=config changetype: modify add: aci -aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "Delete Replication Agreements";allow (delete) groupdn = "ldap:///cn=deletereplica,cn=permissions,cn=accounts,$SUFFIX";;) +aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=modifyreplica,cn=permissions,cn=accounts,$SUFFIX";;) + +dn: cn="$SUFFIX",cn=mapping tree,cn=config +changetype: modify +add: aci +aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=removereplica,cn=permissions,cn=accounts,$SUFFIX";;) diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage index cbb2cad1db4692e3f861bc0762798a8d3e372d5e..17089e614454f712a17a6275209ce37df53ee1a0 100755 --- a/install/tools/ipa-replica-manage +++ b/install/tools/ipa-replica-manage 
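Review bot: The new "Modify Replication Agreements" ACI keeps `(targetattr=*)` while widening its target filter to `(objectClass=nsMappingTree)`, so members of cn=modifyreplica gain read/write/search on every attribute of the `cn="$SUFFIX",cn=mapping tree,cn=config` entry, not only the referral attribute the commit message says the fix needs; a second, narrower ACI for the mapping-tree entry (targetattr limited to whichever attribute delete_referral modifies, presumably nsslapd-referral) keeps the grant to what the fix requires. The "Add" and "Remove" ACIs are otherwise a straight rename of the previous managereplica/deletereplica grants. The groupdn values still point at cn=permissions,cn=accounts; patch 656 on this page moves that container to cn=pbac, so one of the two patches will need a rebase.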
@@ -219,6 +219,7 @@ def del_link(replica1, replica2, dirman_passwd, force=False):
failed = False
try:
repl2.delete_agreement(replica1)
+repl2.delete_referral(replica1)
except ldap.LDAPError, e:
desc = e.args[0]['desc'].strip()
info = e.args[0].get('info', '').strip()
@@ -238,6 +239,7 @@ def del_link(replica1, replica2, dirman_passwd, force=False):
print "Forcing removal on '%s'" % replica1
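Review bot: `repl2.delete_referral(replica1)` sits inside the try block that already wraps delete_agreement, so an LDAPError raised while removing the referral is reported by the existing handler as an agreement-removal failure (presumably the "Unable to remove agreement on ..." message quoted in the 0032 thread on this page), and a referral left behind after the agreement is gone is exactly the dangling case this commit targets. A separate try/except around the referral call with its own message, e.g. `print "Unable to remove referral to '%s': %s" % (replica1, desc)`, keeps the two failures distinguishable in the output. delete_referral itself lives in the replication.py part of the diff not shown here, and del_link's except body and the -238 hunk continue past this excerpt.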
Re: [Freeipa-devel] [PATCH] 655 translation delegation group dns to names
On 12/20/2010 02:06 PM, Rob Crittenden wrote: Translate the membergroup dn into a group name. Drop filter from the output, it is superfluous. ticket 634 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 656 move permissions and privileges
Move permissions and privileges to their own container. They don't really belong in cn=accounts any more. This leaves just roles there. ticket 638 rob >From fd0716e92fa90f726f226e1c705d4f22b3742923 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Mon, 20 Dec 2010 15:54:00 -0500 Subject: [PATCH] Move permissions and privileges to their own container, cn=pbac,$SUFFIX ticket 638 --- install/share/delegation.ldif | 317 install/share/dns.ldif | 28 ++-- install/static/test/data/ipa_init.json | 10 +- ipalib/constants.py|4 +- ipaserver/install/bindinstance.py |2 +- 5 files changed, 184 insertions(+), 177 deletions(-) diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif index abd2aae..94b0fd3 100644 --- a/install/share/delegation.ldif +++ b/install/share/delegation.ldif @@ -7,13 +7,20 @@ objectClass: top objectClass: nsContainer cn: roles -dn: cn=privileges,cn=accounts,$SUFFIX +# Permissions-based Access Control +dn: cn=pbac,$SUFFIX +changetype: add +objectClass: top +objectClass: nsContainer +cn: pbac + +dn: cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: nsContainer cn: privileges -dn: cn=permissions,cn=accounts,$SUFFIX +dn: cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: nsContainer @@ -33,7 +40,7 @@ description: Helpdesk # Add the default privileges -dn: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX +dn: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames @@ -41,7 +48,7 @@ objectClass: nestedgroup cn: useradmin description: User Administrators -dn: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX +dn: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames 
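Review bot: Every hunk on this and the next two lines rewrites container DNs from cn=accounts to cn=pbac, which only holds if every `groupdn = "ldap:///cn=...,cn=permissions,..."` in the tree moves with it; the diffstat lists delegation.ldif, dns.ldif, ipa_init.json, constants.py and bindinstance.py, so a grep of the tree for `cn=permissions,cn=accounts` and `cn=privileges,cn=accounts` before pushing would confirm nothing is left pointing at the old containers, since an ACI whose groupdn names a DN that no longer exists simply never matches. Patch 657 and the replica-acis change elsewhere on this page still write the cn=accounts form, so whichever lands second needs a rebase. Existing installations keep the old containers unless an update moves the entries; if that is out of scope here, the commit message should say so. The -136,352 hunk on the third line is cut off in this excerpt.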
@@ -49,7 +56,7 @@ objectClass: nestedgroup cn: groupadmin description: Group Administrators -dn: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX +dn: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames @@ -57,7 +64,7 @@ objectClass: nestedgroup cn: hostadmin description: Host Administrators -dn: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX +dn: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames @@ -65,7 +72,7 @@ objectClass: nestedgroup cn: hostgroupadmin description: Host Group Administrators -dn: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX +dn: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames @@ -73,7 +80,7 @@ objectClass: nestedgroup cn: delegationadmin description: Role administration -dn: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX +dn: cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames @@ -81,7 +88,7 @@ objectClass: nestedgroup cn: serviceadmin description: Service Administrators -dn: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX +dn: cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames @@ -89,7 +96,7 @@ objectClass: nestedgroup cn: automountadmin description: Automount Administrators -dn: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX +dn: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames @@ -97,7 +104,7 @@ objectClass: nestedgroup cn: netgroupadmin description: Netgroups Administrators -dn: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX +dn: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames 
@@ -105,7 +112,7 @@ objectClass: nestedgroup cn: certadmin description: Certificate Administrators -dn: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX +dn: cn=replicaadmin,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames @@ -114,7 +121,7 @@ cn: replicaadmin description: Replication Administrators member: cn=admins,cn=groups,cn=accounts,$SUFFIX -dn: cn=enrollhost,cn=privileges,cn=accounts,$SUFFIX +dn: cn=enrollhost,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames @@ -122,7 +129,7 @@ objectClass: nestedgroup cn: enrollhost description: Host Enrollment -dn: cn=entitlementadmin,cn=privileges,cn=accounts,$SUFFIX +dn: cn=entitlementadmin,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames @@ -136,352 +143,352 @@ description: Entitlement Administrators # User administration -dn: cn=addusers,cn=permissions,cn=accounts,$SUFFIX +dn: cn=addusers,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: addusers description: Add Users -member: c
Re: [Freeipa-devel] [PATCH] Added option --no-reverse to add-host
Adam Young wrote: On 12/20/2010 10:45 AM, Rob Crittenden wrote: Jakub Hrozek wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12/14/2010 07:05 PM, Jan Zelený wrote: When adding a host with specific IP address, the operation would fail in case we don't own the reverse DNS. This new option overrides the check for reverse DNS zone and falls back to different IP address existence check. https://fedorahosted.org/freeipa/ticket/417 I was considering deleting the reverse zone detection entirely and check the IP address directly by querying for A records containing it, but I think this way it is more efficient. Ack pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel I think that this is going to make the CLI capable of doing something that the UI can't. Do we need a UI field to add in this flag? Yes, I think we'd need a check-box or equivalent for it. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0032 Cleanup when deleting a replica
On 12/20/2010 09:02 PM, Simo Sorce wrote: On Mon, 20 Dec 2010 18:02:02 +0100 Jakub Hrozek wrote: On Wed, Dec 15, 2010 at 08:01:10PM -0500, Simo Sorce wrote: Clean up records related to the master being deleted in the shared tree. This also avoid issues later on if you want to rejoin the server as a master. It is also needed in order to give back valid information for patch 0035 Simo. -- Simo Sorce * Red Hat, Inc * New York def del_master(replman, hostname, force=False): +has_repl_agreement = True try: t = replman.get_agreement_type(hostname) except ldap.NO_SUCH_OBJECT: print "No replication agreement found for '%s'" % hostname -return +if force: +has_repl_agreement = False +else: +return except errors.NotFound: print "No replication agreement found for '%s'" % hostname -return +if force: +has_repl_agreement = False +else: +return This is just a nitpick but the above except: blocks are exactly the same. One could remove the redundancy by just using: except (errors.NotFound, ldap.NO_SUCH_OBJECT): + +def replica_cleanup(self, replica, realm, force=False): + +err = None + +if replica == self.hostname: +raise RuntimeError("Can't cleanup self") + +if not self.suffix or self.suffix == "": +self.suffix = util.realm_to_suffix(realm) +self.suffix = ipaldap.IPAdmin.normalizeDN(self.suffix) This looks suspicious. Should one of these be in else: perhaps? No, I just reused the same var to keep a temporary value, instead of having a long line. not pretty but it is correct. I can use a temp var if you think it makes for more readable code though. Oh, that's OK, I was just too lazy to read the methods before. It makes sense now, thanks. The rest of the code looks OK, but I'm currently not able to test as the deletion fails with "Insufficient access". 
In my setup, vm-061 is the master and vm-038 is the replica: [r...@vm-061 ~]# ipa-replica-manage list vm-061.idm.lab.bos.redhat.com vm-038.idm.lab.bos.redhat.com [r...@vm-061 ~]# ipa-replica-manage del vm-038.idm.lab.bos.redhat.com Unable to remove agreement on vm-038.idm.lab.bos.redhat.com: Insufficient access: Do you have a ticket as admin when you try this ? Simo. I do. The traceback looks like this (I inserted and extra traceback.print_exc() call to get it): Traceback (most recent call last): File "/usr/sbin/ipa-replica-manage", line 269, in del_master other_replman.delete_agreement(replman.conn.host) File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 408, in delete_agreement return self.conn.deleteEntry(dn) File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 563, in deleteEntry self.__handle_errors(e, **kw) File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 316, in __handle_errors raise errors.ACIError(info=info) ACIError: Insufficient access: So this seems to be an ACI problem. I have your 4 patches applied on top of the current origin/master and was calling "ipa-replica-manage del ". ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH]admiyo-0119-cusor-pointer-for-undo-link
From 14cefe3790baa167dba2b4fa6342bcb680abdea0 Mon Sep 17 00:00:00 2001 From: Adam Young Date: Mon, 20 Dec 2010 16:56:14 -0500 Subject: [PATCH] cusor pointer for undo link --- install/static/details.js |2 +- install/static/ipa.css|4 2 files changed, 5 insertions(+), 1 deletions(-) diff --git a/install/static/details.js b/install/static/details.js index 013f4c9eeb0732c724d7ba0481db048fd9d14002..3f5f95e31ee9c435d0fc4d39d7f8d2ee3dbac114 100644 --- a/install/static/details.js +++ b/install/static/details.js @@ -835,7 +835,7 @@ function _ipa_create_text_input(value, param_info, rights, index) span.append($("",{ html:"undo", -"class":"ui-state-highlight ui-corner-all", +"class":"ui-state-highlight ui-corner-all undo", style:"display:none", click: function(){ var previous_value = that.values || ''; diff --git a/install/static/ipa.css b/install/static/ipa.css index 82019ff5421f83bd3dd35aded6d1128fa629b599..f5c4ee742e18bdb3672f30e66c005b757f33f5f1 100644 --- a/install/static/ipa.css +++ b/install/static/ipa.css @@ -170,6 +170,10 @@ hr { padding-right: 18px; } +.undo { +cursor:pointer; +} + dl.entryattrs { clear: both; margin-left: 15px; -- 1.7.2.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH]admiyo-0119-cusor-pointer-for-undo-link
On 12/20/2010 04:57 PM, Adam Young wrote: ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Graphical diff is here: https://fedorahosted.org/freeipa/attachment/ticket/489/freeipa-admiyo-0119-cusor-pointer-for-undo-link.patch ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0032 Cleanup when deleting a replica
On Mon, 20 Dec 2010 22:40:50 +0100 Jakub Hrozek wrote: > >> The rest of the code looks OK, but I'm currently not able to test > >> as the deletion fails with "Insufficient access". In my setup, > >> vm-061 is the master and vm-038 is the replica: > >> > >> [r...@vm-061 ~]# ipa-replica-manage list > >> vm-061.idm.lab.bos.redhat.com vm-038.idm.lab.bos.redhat.com > >> [r...@vm-061 ~]# ipa-replica-manage del > >> vm-038.idm.lab.bos.redhat.com Unable to remove agreement on > >> vm-038.idm.lab.bos.redhat.com: Insufficient access: > > > > Do you have a ticket as admin when you try this ? > > > > Simo. > > > > I do. The traceback looks like this (I inserted and extra > traceback.print_exc() call to get it): > > > Traceback (most recent call last): >File "/usr/sbin/ipa-replica-manage", line 269, in del_master > other_replman.delete_agreement(replman.conn.host) >File > "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", > line 408, in delete_agreement > return self.conn.deleteEntry(dn) >File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line > 563, in deleteEntry > self.__handle_errors(e, **kw) >File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line > 316, in __handle_errors > raise errors.ACIError(info=info) > ACIError: Insufficient access: > > > So this seems to be an ACI problem. I have your 4 patches applied on > top of the current origin/master and was calling "ipa-replica-manage > del ". > I guess it works properly if you kdestroy and use the DM password ? Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 024 Change FreeIPA license to GPLv3+
Jakub Hrozek wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, attached is a patch that replaces all GPLv2 license blobs with GPLv3+ blobs. The new blobs also tell users to see a website for the complete license text (the old ones advised to write to a snail mail address..). The SLAPI plugins use a different wording as they need the GPL exception. When this patch is pushed, I think we should send a note at least to freeipa-devel but probably even -users and -interest. Also, I'll keep an eye on all patches that people are sending..those that add some new files will need to include the new blobs. The patch is compressed, as the original had 480 kB.. double-ack from me and Simo. pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH]admiyo-0119-cusor-pointer-for-undo-link
On Mon, 20 Dec 2010 16:58:49 -0500 Adam Young wrote: > On 12/20/2010 04:57 PM, Adam Young wrote: > > > > > > ___ > > Freeipa-devel mailing list > > Freeipa-devel@redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-devel > > Graphical diff is here: > > https://fedorahosted.org/freeipa/attachment/ticket/489/freeipa-admiyo-0119-cusor-pointer-for-undo-link.patch ACK Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 0037 Fix race condition in install
This seem to fix a long-standing bug that was mitigated by a workaround, but was still present after all. Simo. -- Simo Sorce * Red Hat, Inc * New York >From 04777b8938d929e0464d3953cbfce76f243e04c8 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 20 Dec 2010 21:19:36 -0500 Subject: [PATCH] Fix race condition in installation due to use of asynchronous search. Fixes: https://fedorahosted.org/freeipa/ticket/640 --- ipaserver/install/krbinstance.py | 31 --- 1 files changed, 12 insertions(+), 19 deletions(-) diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index c1e5a3f0a10596d8a28774dd791a3bf4f44aaa8c..63903ef48e273b880670c2bbb9fa510705a0e7a1 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py 
@@ -268,28 +268,21 @@ class KrbInstance(service.Service):
def __configure_sasl_mappings(self):
# we need to remove any existing SASL mappings in the directory as otherwise they
-# they may conflict. There is no way to define the order they are used in atm.
+# they may conflict.
-# FIXME: for some reason IPAdmin dies here, so we switch
-# it out for a regular ldapobject.
-conn = self.conn
-self.conn = ldapobject.SimpleLDAPObject("ldap://127.0.0.1/";)
-self.conn.bind("cn=directory manager", self.admin_password)
try:
-msgid = self.conn.search("cn=mapping,cn=sasl,cn=config", ldap.SCOPE_ONELEVEL, "(objectclass=nsSaslMapping)")
-res = self.conn.result(msgid)
-for r in res[1]:
-self.conn.delete_s(r[0])
-#except LDAPError, e:
-#logging.critical("Error during SASL mapping removal: %s" % str(e))
-except Exception, e:
-logging.critical("Could not connect to the Directory Server on %s" % self.fqdn)
+res = self.conn.search_s("cn=mapping,cn=sasl,cn=config",
+ ldap.SCOPE_ONELEVEL,
+ "(objectclass=nsSaslMapping)")
+for r in res:
+try:
+self.conn.delete_s(r.dn)
+except LDAPError, e:
+logging.critical("Error during SASL mapping removal: %s" % str(e))
+raise e
+except LDAPError, e:
+logging.critical("Error while enumerating SASL mappings %s" % str(e))
raise e
-print type(e)
-print dir(e)
-raise e
-
-self.conn = conn
entry = ipaldap.Entry("cn=Full Principal,cn=mapping,cn=sasl,cn=config")
entry.setValues("objectclass", "top", "nsSaslMapping")
-- 1.7.3.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
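Review bot: A failed delete_s is logged twice — first as "Error during SASL mapping removal" by the inner handler, then, because the outer try still wraps the for loop, again by the outer handler as "Error while enumerating SASL mappings"; moving the loop out of the outer try (an `else:` clause on the search, or placing the loop after the try/except) keeps each message tied to the call that actually failed. Both handlers also end with `raise e`, which in Python 2 replaces the original traceback; a bare `raise` preserves it. `LDAPError` is referenced unqualified while the search uses `ldap.SCOPE_ONELEVEL`; unless the module imports it by name (not visible here), `except ldap.LDAPError, e:` avoids a NameError at the moment an error is being handled. The rest of __configure_sasl_mappings runs past the hunk.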
Re: [Freeipa-devel] [PATCH]admiyo-0119-cusor-pointer-for-undo-link
On 12/20/2010 08:47 PM, Simo Sorce wrote: On Mon, 20 Dec 2010 16:58:49 -0500 Adam Young wrote: On 12/20/2010 04:57 PM, Adam Young wrote: ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Graphical diff is here: https://fedorahosted.org/freeipa/attachment/ticket/489/freeipa-admiyo-0119-cusor-pointer-for-undo-link.patch ACK Simo. pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] admiyo-0118-aci-ui
Adam Young wrote: ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ack. Adam, I'm going to let you push this. There were a couple of trivial merge errors but I figure you're best to work them out. I will have a follow-on patch shortly to fix a few problems on my end I discovered while poking around with this. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0037 Fix race condition in install
On 12/20/2010 09:23 PM, Simo Sorce wrote: This seem to fix a long-standing bug that was mitigated by a workaround, but was still present after all. Simo. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Applied and ran the install successfully. ACK ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 657 fix a few ACI problems found
This depends on Adam's patch 0118. In meta data make ACI attributes lower-case, sorted. Add possible attributes. The metadata contains a list of possible attributes that an ACI for that object might need. Add a new variable to hold possible objectclasses for optional elements (like posixGroup for groups). To make the list easier to handle sort it and make it all lower-case. Fix a couple of missed camel-case attributes in the default ACI list. ticket 641 rob >From 5e38eed733b1e45c9d1819a9c746c1008df98686 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Mon, 20 Dec 2010 23:28:33 -0500 Subject: [PATCH] In meta data make ACI attributes lower-case, sorted. Add possible attributes. The metadata contains a list of possible attributes that an ACI for that object might need. Add a new variable to hold possible objectclasses for optional elements (like posixGroup for groups). To make the list easier to handle sort it and make it all lower-case. Fix a couple of missed camel-case attributes in the default ACI list. ticket 641 --- install/share/delegation.ldif |4 ++-- ipalib/plugins/baseldap.py|9 +++-- ipalib/plugins/group.py |1 + ipalib/plugins/user.py|1 + 4 files changed, 11 insertions(+), 4 deletions(-) diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif index abd2aae..69050df 100644 --- a/install/share/delegation.ldif +++ b/install/share/delegation.ldif 
@@ -496,7 +496,7 @@ aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "Ad aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "Change a user password";allow (write) groupdn = "ldap:///cn=change_password,cn=permissions,cn=accounts,$SUFFIX";;) aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX";)(version 3.0;acl "Add user to default group";allow (write) groupdn = "ldap:///cn=add_user_to_default_group,cn=permissions,cn=accounts,$SUFFIX";;) aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=permissions,cn=accounts,$SUFFIX";;) -aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedEntry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "Modify Users";allow (write) groupdn = "ldap:///cn=modifyusers,cn=permissions,cn=accounts,$SUFFIX";;) +aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "Modify Users";allow (write) groupdn = "ldap:///cn=modifyusers,cn=permissions,cn=accounts,$SUFFIX";;) # Group administration 
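Review bot: The groupdn in the rewritten "Modify Users" ACI still reads `cn=modifyusers,cn=permissions,cn=accounts,$SUFFIX`, and this patch starts from the same delegation.ldif blob (abd2aae) as patch 656 on this page, which moves cn=permissions under cn=pbac; whichever lands second will conflict textually and needs a rebase, otherwise the ACI could end up naming a permission group that no longer exists and never match. The attribute-name case change itself (mepmanagedEntry to mepmanagedentry) is harmless to the server, since LDAP attribute types match case-insensitively, and only matters for the string comparison in the UI metadata the commit message describes.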
@@ -508,7 +508,7 @@ aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFI
 aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX";)(version 3.0;acl "Remove Groups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=permissions,cn=accounts,$SUFFIX";;)
 # We need objectclass and gidnumber in modify so a non-posix group can be
 # promoted. We need mqpManagedBy and ipaUniqueId so a group can be detached.
-aci: (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipaUniqueId")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX";)(version 3.0;acl "Modify Groups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=permissions,cn=accounts,$SUFFIX";;)
+aci: (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX";)(version 3.0;acl "Modify Groups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=permissions,cn=accounts,$SUFFIX";;)
 # Host administration
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index f8e5445..1a8f10a 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -233,6 +233,9 @@ class LDAPObject(Object):
 object_name_plural = 'entries'
 object_class = []
 object_class_config = None
+# If an objectclass is possible but not default in an entry. Needed for
+# collecting attributes for ACI UI.
+possible_objectclasses = []
 search_attributes = []
 search_attributes_config = None
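Review bot: The comment on the context line directly above the changed `Modify Groups` ACI still reads `We need mqpManagedBy and ipaUniqueId so a group can be detached`, so after this change it names `ipaUniqueId` in a case the line no longer uses, and `mqpManagedBy` is a typo for the `mepmanagedby` attribute that is actually listed. Since the commit is already normalising case on this line, the comment should follow it: `# promoted. We need mepmanagedby and ipauniqueid so a group can be detached.`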
Re: [Freeipa-devel] [PATCH] admiyo-0118-aci-ui
On 12/20/2010 11:23 PM, Rob Crittenden wrote: Adam Young wrote: ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ack. Adam, I'm going to let you push this. There were a couple of trivial merge errors but I figure you're best to work them out. I will have a follow-on patch shortly to fix a few problems on my end I discovered while poking around with this. rob rebased and pushed to master. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] Issues with ACI UI
1. Can't add an ACI. Before, I was able to get away with a blank filter, but that doesn't seem to work anymore. 2. Delegation-add : the group-find for the combo boxes isn't getting executed. 3. Some edits are broken for Permissions: For certain, update dns entries 4. adding self service permission, attrs is required, even if the user just wants to do an 'add' permission. 5. Modifying the self service permission just added gives an internal error. I removed the 'delete' and 'write' permission ( which I did not set in the add dialog) as well as the 'audio' permission. Log is below: [Tue Dec 21 00:18:03 2010] [error] File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 211, in wsgi_execute [Tue Dec 21 00:18:03 2010] [error] result = self.Command[name](*args, **options) [Tue Dec 21 00:18:03 2010] [error] File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 417, in __call__ [Tue Dec 21 00:18:03 2010] [error] ret = self.run(*args, **options) [Tue Dec 21 00:18:03 2010] [error] File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 696, in run [Tue Dec 21 00:18:03 2010] [error] return self.execute(*args, **options) [Tue Dec 21 00:18:03 2010] [error] File "/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py", line 160, in execute [Tue Dec 21 00:18:03 2010] [error] result = api.Command['aci_mod'](aciname, **kw)['result'] [Tue Dec 21 00:18:03 2010] [error] File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 417, in __call__ [Tue Dec 21 00:18:03 2010] [error] ret = self.run(*args, **options) [Tue Dec 21 00:18:03 2010] [error] File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 696, in run [Tue Dec 21 00:18:03 2010] [error] return self.execute(*args, **options) [Tue Dec 21 00:18:03 2010] [error] File "/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py", line 550, in execute [Tue Dec 21 00:18:03 2010] [error] result = self.api.Command['aci_add'](aciname, **newkw)['result'] [Tue Dec 21 00:18:03 2010] 
[error] File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 417, in __call__ [Tue Dec 21 00:18:03 2010] [error] ret = self.run(*args, **options) [Tue Dec 21 00:18:03 2010] [error] File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 696, in run [Tue Dec 21 00:18:03 2010] [error] return self.execute(*args, **options) [Tue Dec 21 00:18:03 2010] [error] File "/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py", line 450, in execute [Tue Dec 21 00:18:03 2010] [error] newaci_str = unicode(newaci) [Tue Dec 21 00:18:03 2010] [error] File "/usr/lib/python2.6/site-packages/ipalib/aci.py", line 68, in __repr__ [Tue Dec 21 00:18:03 2010] [error] return self.export_to_string() [Tue Dec 21 00:18:03 2010] [error] File "/usr/lib/python2.6/site-packages/ipalib/aci.py", line 79, in export_to_string [Tue Dec 21 00:18:03 2010] [error] target = target + l + " || " [Tue Dec 21 00:18:03 2010] [error] TypeError: cannot concatenate 'str' and 'NoneType' objects Some of these are on the UI side, and some are on the server side. We'll need to sort out which is which. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0037 Fix race condition in install
On 12/20/2010 11:31 PM, Adam Young wrote: On 12/20/2010 09:23 PM, Simo Sorce wrote: This seems to fix a long-standing bug that was mitigated by a workaround, but was still present after all. Simo. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Applied and ran the install successfully. ACK ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 0038 Rework init and sync commands of ipa-replica-prepare
These commands had a very confusing syntax as well as issues (init was running the memberof task on the wrong server). The commands have been renamed to make it clearer what they do. init -> re-initialize synch -> force-sync both commands now require a --from as the server they get their data from and can only be run on the replica that needs to be re-initialized or re-synced. Previously it was confusing to understand which server was used, so now the server you are operating on is the one you are sitting on. As a bonus the whole thing now works with just admin credentials (or any kerb credentials of a user with the managereplica permission). The init command also does not return until the re-initialization is done (giving out the status once a second) and properly runs the memberof task only once all the entries have been received. The only thing that I am a bit uncomfortable with is the new aci on the cn=tasks,cn=config object. I tried to add the aci on the cn=memberof task,cn=tasks,cn=config object to restrict power only on that task, but DS refused to allow me to set an aci on that entry for some reason. Fixes: #626 Simo. -- Simo Sorce * Red Hat, Inc * New York >From b40bb7f36b2f119300f1abf5bc91da9413fec71d Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 20 Dec 2010 23:34:00 -0500 Subject: [PATCH] Rework old init and synch commands and use better names. These commands can now be run exclusively on the replica that needs to be resynced or reinitialized and the --from command must be used to tell from which other replica it will pull data. Fixes: https://fedorahosted.org/freeipa/ticket/626 --- install/share/replica-acis.ldif |5 +++ install/tools/ipa-replica-manage | 70 + ipaserver/install/service.py | 21 +++ 3 files changed, 66 insertions(+), 30 deletions(-) diff --git a/install/share/replica-acis.ldif b/install/share/replica-acis.ldif index feda1d9b74962447f2d909923097d6d69dcae88f..df91b5a5a86ae6880c9924dd39708d7b413aac9e 100644
--- a/install/share/replica-acis.ldif
+++ b/install/share/replica-acis.ldif
@@ -15,3 +15,8 @@ changetype: modify
 add: aci
 aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=removereplica,cn=permissions,cn=accounts,$SUFFIX";;)
+dn: cn=tasks,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initialization"; allow (add) groupdn = "ldap:///cn=modifyreplica,cn=permissions,cn=accounts,$SUFFIX";;)
+
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 2ff1f11f2a8cf4d610bb9a15bef01ef219f3588e..0e1f37a00553fc82879c7769a0f2777d3ac81557 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -39,10 +39,8 @@ commands = {
 "must provide the name of the server to disconnect"),
 "del":(1, 1, "",
 "must provide hostname of master to delete"),
-"init":(1, 1, "",
-"hostname of master to initialize is required"),
-"synch":(1, 1, "master fqdn>",
-"must provide hostname of supplier to synchronize with")
+"re-initialize":(0, 0, "", ""),
+"force-sync":(0, 0, "", "")
 }
 def parse_options():
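Review bot: The new ACI on `cn=tasks,cn=config` carries no `target` or `targetfilter` clause, so `allow (add)` with `(targetattr=*)` lets every member of the `modifyreplica` permission group create arbitrary entries anywhere under `cn=tasks,cn=config`, not only the memberof task that re-initialization needs. The cover letter says the server rejected an ACI placed on the `cn=memberof task` entry itself, but the ACI can stay on `cn=tasks,cn=config` and still be scoped with a target clause, e.g. `(target = "ldap:///cn=*,cn=memberof task,cn=tasks,cn=config")`; if that is refused as well, a `targetfilter` on the task entry's objectclass would still narrow it. A comment line above the entry stating that the right is intentionally limited to creating the memberof task after replica re-initialization would help the next reviewer of this file judge the scope.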
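Review bot: The two new entries `"re-initialize":(0, 0, "", "")` and `"force-sync":(0, 0, "", "")` leave both trailing strings empty, whereas the neighbouring `del` entry uses them for a usage hint and an argument-count error message. If that is the tuple layout, the tool's help output will list the new commands with no usage text, and the `--from` server that the cover letter says is now mandatory is not mentioned anywhere. Suggest `"re-initialize":(0, 0, "--from FQDN", ""),` and `"force-sync":(0, 0, "--from FQDN", "")`, plus a comment on the dict such as `# (min args, max args, usage, error shown on a wrong argument count)` so the meaning of the empty strings is explicit. The `commands` dict starts before the hunk.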
@@ -69,6 +67,7 @@ def parse_options():
 help="DN of Windows subtree containing the users you want to sync (default cn=Users,"
+sys.exit(1)
+
+repl = replication.ReplicationManager(options.fromhost, options.dirman_passwd)
+repl.suffix = get_suffix()
+
+thishost = installutils.get_fqdn()
+
+filter = "(&(nsDS5ReplicaHost=%s)(|(objectclass=nsDSWindowsReplicationAgreement)(objectclass=nsds5ReplicationAgreement)))" % thishost
+entry = repl.conn.search_s("cn=config", ldap.SCOPE_SUBTREE, filter)
 if len(entry) == 0:
-logging.error("Unable to find replication agreement for %s" % hostname)
+logging.error("Unable to find %s -> %s replication agreement" % (options.fromhost, thishost))
 sys.exit(1)
 if len(entry) > 1:
-logging.error("Found multiple agreements for %s. Only initializing the first one returned: %s" % (hostname, entry[0].dn))
-replman.initialize_replication(entry[0].dn, replman.conn)
-ds = dsinstance.DsInstance(realm_name = get_realm_name(), dm_password = dirman_passwd)
+logging.error("Found multiple agreements for %s. Only initializing the first one returned: %s" % (thishost, entry[0].dn))
+
+repl.initialize_replication(entry[0].dn, repl.conn)
+repl.wait_for_repl_init(repl.conn, entry[0].dn)
+
+ds = dsinstance.DsInstance(realm_name = get_realm_name(), dm_password = options.dirman_passwd)
 ds.init_memberof()
-def synch_master(replman, hostname):
-filter = "(&(nsDS5ReplicaHost=%s)(|(objectclass=nsDSWindowsReplicationAgreement)(