Re: [Freeipa-devel] [PATCH] test speedup patch

2011-01-19 Thread Pavel Zuna 

On 01/19/2011 04:17 AM, Rob Crittenden wrote:

Rob Crittenden wrote:

Rob Crittenden wrote:

Attached is a rough cut of a patch to try to speed up the cli a little
bit. Basically in production mode it will skip some things during
initialization.

My concept is that we develop in mode != production and release in mode
== production.

I managed to knock a second or so off time to do a user-show on average.

There may be some other things we can do to speed things up, I'm still
looking. Some feedback on the approach would be appreciated.

Note that I've completely ruled out SSL/Negotiate. I did my testing on
lite-server which doesn't use SSL or Negotiate and it was STILL taking
on average 3-4+ seconds per command. The server side was consistently
taking  1 second to complete.

rob


oh, and the patch.


I ran a couple of moderate tests this evening that executed 42 separate
operations like add, delete, and managing group membership. I ran this
10 times each on 2 identical VMs, one with a bit older code and one with
this patch then averaged the times.

With the patch the average was 1.3 seconds per operation, without 2.6. A
50% improvement is more than I expected, I saw a 33% improvement on
individual runs. I'll keep at it but this seems promising. I was also a
bit surprised that the average time without the patch was so low, I was
expecting something over 3 seconds.

Specifically what this patch does is it avoids doing some
self-validation. There is some amount of risk that the framework could
blow up but in a deployed situation I think the risk is rather low.

A side-effect of the API tester makeapi is that it loads the framework.
We can force it to be run in production mode so the product shouldn't be
buildable if it has inconsistencies.

rob



I find it hard to believe this patch causes such a big improvement in 
performance. Especially the parts skipping asserts, that shouldn't be 
significantly slower than your average ifs. Instance locking shouldn't be a time 
consuming operation either.


Bypassing check routines for parameter namespaces might provide a performance 
boost as it is called for every single plugin we have (~250). On the other hand, 
it is only used for positional arguments and most plugins only have 1 or 2 of those.


Personally, I would do some more tests on a single machine, because there's no 
guarantee, that two VMs with an identical image have the same performance.


If it really provides a significant improvement, than it's awesome, because I 
like the philosophy of this patch. It removes self-checking and instance 
locking, that is completely useless in a production environment and kind of 
limiting in non-production. I think there's more places likes this in the framework.


Long story short:
It's improbable, but not impossible, for the changes introduced by this patch to 
cause such a big performance improvement. Even if it doesn't, the patch is still 
good.


Pavel

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 680 ldap lockout

2011-01-19 Thread Jan Zelený 
Rob Crittenden rcrit...@redhat.com wrote:
 Rob Crittenden wrote:
  Jan Zeleny wrote:
  Rob Crittendenrcrit...@redhat.com wrote:
  Update kerberos password policy values on LDAP binds. This is so
  locked-out accounts in kerberos don't try things using LDAP instead.
  
  On a failed bind this will update krbLoginFailedCount and
  krbLastFailedAuth and will potentially fail the bind altogether.
  
  On a successful bind it will zero krbLoginFailedCount and set
  krbLastSuccessfulAuth.
  
  This will also enforce locked-out accounts.
  
  See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on
  kerberos lockout.
  
  ticket 343
  
  Ack, good job
  
  Jan
  
  Simo and Nathan pointed out that the update model I'm using is
  vulnerable to multi-threaded attack and suggested that rather than using
  REPLACE I do a DELETE/ADD to be sure that I'm updating the counter
  appropriately. I've got the basics done, need to re-run through
  valgrind. Will submit another patch shortly.
  
  rob
 
 Updated patch attached. Be more careful when updating the failed count.
 
 rob

The patch looks good and it works fine, if Simo doesn't have any more security 
comments: ACK.

Jan

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 680 ldap lockout

2011-01-19 Thread Simo Sorce 
On Wed, 19 Jan 2011 14:15:05 +0100
Jan Zelený jzel...@redhat.com wrote:

 Rob Crittenden rcrit...@redhat.com wrote:
  Rob Crittenden wrote:
   Jan Zeleny wrote:
   Rob Crittendenrcrit...@redhat.com wrote:
   Update kerberos password policy values on LDAP binds. This is so
   locked-out accounts in kerberos don't try things using LDAP
   instead.
   
   On a failed bind this will update krbLoginFailedCount and
   krbLastFailedAuth and will potentially fail the bind altogether.
   
   On a successful bind it will zero krbLoginFailedCount and set
   krbLastSuccessfulAuth.
   
   This will also enforce locked-out accounts.
   
   See http://k5wiki.kerberos.org/wiki/Projects/Lockout for
   details on kerberos lockout.
   
   ticket 343
   
   Ack, good job
   
   Jan
   
   Simo and Nathan pointed out that the update model I'm using is
   vulnerable to multi-threaded attack and suggested that rather
   than using REPLACE I do a DELETE/ADD to be sure that I'm updating
   the counter appropriately. I've got the basics done, need to
   re-run through valgrind. Will submit another patch shortly.
   
   rob
  
  Updated patch attached. Be more careful when updating the failed
  count.
  
  rob
 
 The patch looks good and it works fine, if Simo doesn't have any more
 security comments: ACK.

Patch looks good to me.
I only wonder if it would make sense to try to cache the entry between
the pre-op and the post-op, but given it is just fetched I guess DS
caches it in memory anyways, so probably not a big deal in any case.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] test speedup patch

2011-01-19 Thread Rob Crittenden 

Pavel Zuna wrote:

On 01/19/2011 04:17 AM, Rob Crittenden wrote:

Rob Crittenden wrote:

Rob Crittenden wrote:

Attached is a rough cut of a patch to try to speed up the cli a little
bit. Basically in production mode it will skip some things during
initialization.

My concept is that we develop in mode != production and release in mode
== production.

I managed to knock a second or so off time to do a user-show on
average.

There may be some other things we can do to speed things up, I'm still
looking. Some feedback on the approach would be appreciated.

Note that I've completely ruled out SSL/Negotiate. I did my testing on
lite-server which doesn't use SSL or Negotiate and it was STILL taking
on average 3-4+ seconds per command. The server side was consistently
taking  1 second to complete.

rob


oh, and the patch.


I ran a couple of moderate tests this evening that executed 42 separate
operations like add, delete, and managing group membership. I ran this
10 times each on 2 identical VMs, one with a bit older code and one with
this patch then averaged the times.

With the patch the average was 1.3 seconds per operation, without 2.6. A
50% improvement is more than I expected, I saw a 33% improvement on
individual runs. I'll keep at it but this seems promising. I was also a
bit surprised that the average time without the patch was so low, I was
expecting something over 3 seconds.

Specifically what this patch does is it avoids doing some
self-validation. There is some amount of risk that the framework could
blow up but in a deployed situation I think the risk is rather low.

A side-effect of the API tester makeapi is that it loads the framework.
We can force it to be run in production mode so the product shouldn't be
buildable if it has inconsistencies.

rob



I find it hard to believe this patch causes such a big improvement in
performance. Especially the parts skipping asserts, that shouldn't be
significantly slower than your average ifs. Instance locking shouldn't
be a time consuming operation either.


I'm equally unbelieving! In my dev tree I was seeing 3.9 second+ times 
without the patch. With the patch I was still often seeing 3+ seconds 
but sometimes it would be significantly lower. This is a VM so who knows 
what other stuff is going on.


I agree that locking shouldn't be that slow but cumulatively it is a bit 
of a drag.


Similarly the assert p.instance.api is self is quite slow.


Bypassing check routines for parameter namespaces might provide a
performance boost as it is called for every single plugin we have
(~250). On the other hand, it is only used for positional arguments and
most plugins only have 1 or 2 of those.


I believe that bypassing the check routines is where the biggest boost 
comes from. check_name() is also skipped and that does a regex match.



Personally, I would do some more tests on a single machine, because
there's no guarantee, that two VMs with an identical image have the same
performance.


Using 2 machines lets me test code without having to constantly 
re-install the bits or apply patches. It is easier to track the state so 
I don't end up with meaningless data :-)


I'll stick the meager tests I have into a while loop and let it run for 
longer than 10 iterations to get a better idea of what is going on.




If it really provides a significant improvement, than it's awesome,
because I like the philosophy of this patch. It removes self-checking
and instance locking, that is completely useless in a production
environment and kind of limiting in non-production. I think there's more
places likes this in the framework.

Long story short:
It's improbable, but not impossible, for the changes introduced by this
patch to cause such a big performance improvement. Even if it doesn't,
the patch is still good.


Well, this is why I sent the patch out for a pre-review :-)

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] test speedup patch

2011-01-19 Thread JR Aquino 
Just tested.  I do see a performance increase of ~30%

Without the Patch
time ipa user-find
--
1 user matched
--
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Account activation status: False
  Member of groups: admins

Number of entries returned 1


real 0m1.558s
user 0m0.810s
sys 0m0.165s


With the Patch
time ipa user-find
--
1 user matched
--
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Account disabled: False
  Member of groups: admins

Number of entries returned 1


real 0m1.067s
user 0m0.841s
sys 0m0.157s



On 1/18/11 7:17 PM, Rob Crittenden rcrit...@redhat.com wrote:

Rob Crittenden wrote:
 Rob Crittenden wrote:
 Attached is a rough cut of a patch to try to speed up the cli a little
 bit. Basically in production mode it will skip some things during
 initialization.

 My concept is that we develop in mode != production and release in mode
 == production.

 I managed to knock a second or so off time to do a user-show on
average.

 There may be some other things we can do to speed things up, I'm still
 looking. Some feedback on the approach would be appreciated.

 Note that I've completely ruled out SSL/Negotiate. I did my testing on
 lite-server which doesn't use SSL or Negotiate and it was STILL taking
 on average 3-4+ seconds per command. The server side was consistently
 taking  1 second to complete.

 rob

 oh, and the patch.

I ran a couple of moderate tests this evening that executed 42 separate
operations like add, delete, and managing group membership. I ran this
10 times each on 2 identical VMs, one with a bit older code and one with
this patch then averaged the times.

With the patch the average was 1.3 seconds per operation, without 2.6. A
50% improvement is more than I expected, I saw a 33% improvement on
individual runs. I'll keep at it but this seems promising. I was also a
bit surprised that the average time without the patch was so low, I was
expecting something over 3 seconds.

Specifically what this patch does is it avoids doing some
self-validation. There is some amount of risk that the framework could
blow up but in a deployed situation I think the risk is rather low.

A side-effect of the API tester makeapi is that it loads the framework.
We can force it to be run in production mode so the product shouldn't be
buildable if it has inconsistencies.

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] test speedup patch

2011-01-19 Thread Adam Young 

On 01/19/2011 10:26 AM, JR Aquino wrote:

Just tested.  I do see a performance increase of ~30%

Without the Patch
time ipa user-find
--
1 user matched
--
   User login: admin
   Last name: Administrator
   Home directory: /home/admin
   Login shell: /bin/bash
   Account activation status: False
   Member of groups: admins

Number of entries returned 1


real 0m1.558s
user 0m0.810s
sys 0m0.165s


With the Patch
time ipa user-find
--
1 user matched
--
   User login: admin
   Last name: Administrator
   Home directory: /home/admin
   Login shell: /bin/bash
   Account disabled: False
   Member of groups: admins

Number of entries returned 1


real 0m1.067s
user 0m0.841s
sys 0m0.157s



On 1/18/11 7:17 PM, Rob Crittendenrcrit...@redhat.com  wrote:


Rob Crittenden wrote:

Rob Crittenden wrote:

Attached is a rough cut of a patch to try to speed up the cli a little
bit. Basically in production mode it will skip some things during
initialization.

My concept is that we develop in mode != production and release in mode
== production.

I managed to knock a second or so off time to do a user-show on
average.

There may be some other things we can do to speed things up, I'm still
looking. Some feedback on the approach would be appreciated.

Note that I've completely ruled out SSL/Negotiate. I did my testing on
lite-server which doesn't use SSL or Negotiate and it was STILL taking
on average 3-4+ seconds per command. The server side was consistently
taking  1 second to complete.

rob

oh, and the patch.

I ran a couple of moderate tests this evening that executed 42 separate
operations like add, delete, and managing group membership. I ran this
10 times each on 2 identical VMs, one with a bit older code and one with
this patch then averaged the times.

With the patch the average was 1.3 seconds per operation, without 2.6. A
50% improvement is more than I expected, I saw a 33% improvement on
individual runs. I'll keep at it but this seems promising. I was also a
bit surprised that the average time without the patch was so low, I was
expecting something over 3 seconds.

Specifically what this patch does is it avoids doing some
self-validation. There is some amount of risk that the framework could
blow up but in a deployed situation I think the risk is rather low.

A side-effect of the API tester makeapi is that it loads the framework.
We can force it to be run in production mode so the product shouldn't be
buildable if it has inconsistencies.

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] Mapping of CLI attributes to LDAP attributes

2011-01-19 Thread Jan Zelený 
Hi,
I've been thinking about the concept of mapping CLI attributes to LDAP 
attributes (ticket #447) and I'd like to get a second opinion.

The most simple solution would be to add this functionality to existing help. 
For the sake of lucidity, it should be hidden by default. To achieve this a 
new parameter (e.g. --fullhelp) would be created. The question now is if this 
approach is suitable for WebUI and whether it is even needed for WebUI.

Another approach might be to create new command, e.g. mapping-show, which 
would take one argument - either name of LDAP object for which we want to show 
all mappings or (better) directly a command. Here are examples how it could be 
invoked:
ipa mapping-show user/ ipa mapping-show user-add
ipa mapping-show hbacrule / ipa mapping-show hbacrule-add

So these are my ideas. Some questions? Comments? Other ideas? I welcome any 
input.

-- 
Thank you
Jan Zeleny

Red Hat Software Engineer
Brno, Czech Republic

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] Mapping of CLI attributes to LDAP attributes

2011-01-19 Thread Adam Young 

On 01/19/2011 10:53 AM, Jan Zelený wrote:

Hi,
I've been thinking about the concept of mapping CLI attributes to LDAP
attributes (ticket #447) and I'd like to get a second opinion.

The most simple solution would be to add this functionality to existing help.
For the sake of lucidity, it should be hidden by default. To achieve this a
new parameter (e.g. --fullhelp) would be created. The question now is if this
approach is suitable for WebUI and whether it is even needed for WebUI.

Another approach might be to create new command, e.g. mapping-show, which
would take one argument - either name of LDAP object for which we want to show
all mappings or (better) directly a command. Here are examples how it could be
invoked:
ipa mapping-show user/ ipa mapping-show user-add
ipa mapping-show hbacrule / ipa mapping-show hbacrule-add

So these are my ideas. Some questions? Comments? Other ideas? I welcome any
input.


The second is fairly similar to the metadata call we use for the WebUI

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] Rename insta//static to install/ui

2011-01-19 Thread Adam Young 
I've been working with Kyle Baker to implement the cleanup of the 
migration and the error reporting pages.  One thing that is messing us 
up is the fact that the URL as exposed on the server is different than 
the file structure.  I'd like to propose the folowing changes:



First:  rename install/static to install/ui.

I wanted to use this name from the get go, but there was a conflict with 
the wsgi based ui.  It has been gone for a long enough time now that the 
rename should cause no conflicts.


Second:  merge the html directory into the ui directory.

We need them to be separate originally because the UI was getting 
authentication, but the error messages and so forth were not.  NOw, none 
of the ui gets authenticated, only the JSON RPC.


Third:  make an RPC url that we can call without authentication.

  The migration page is the last thing we have that uses server side 
scripting.  I'd like to complete the work of splitting UI from business 
logic.  However, the migration code needs to make an RPC 
unauthenticated.  Right now this is the only page that needs to do so, 
but we could potentially have others.  If we made a parallel structure 
for xml rpc and json RPC that could be called unauthenticated, we could 
also perform the migration from the command line or other applications, 
which would support some new use cases.



I think the order of execution should be the order I listed them above.  
Feedback?


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0061 Use authenticated binds in init scripts

2011-01-19 Thread JR Aquino 
On 1/18/11 4:02 PM, Simo Sorce sso...@redhat.com wrote:


We need to use authenticated lda binds in init scripts as otherwise
starting components fails when the option to restrict anonymous access
to ldap is set.

In order to do that we need to also start the KDC unconditionally, so
it has been removed form the list of services retrieved from ldap and
always started/stopped/restarted explicitly in the script.
This is necessary so the script can obtain kerberos credentials to bind
to ds using its keytab.

Fixes ticket #795

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


ACK


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] Rename insta//static to install/ui

2011-01-19 Thread Adam Young 

On 01/19/2011 11:29 AM, Dmitri Pal wrote:

Adam Young wrote:

I've been working with Kyle Baker to implement the cleanup of the
migration and the error reporting pages.  One thing that is messing us
up is the fact that the URL as exposed on the server is different than
the file structure.  I'd like to propose the folowing changes:


First:  rename install/static to install/ui.

I wanted to use this name from the get go, but there was a conflict
with the wsgi based ui.  It has been gone for a long enough time now
that the rename should cause no conflicts.

Second:  merge the html directory into the ui directory.

We need them to be separate originally because the UI was getting
authentication, but the error messages and so forth were not.  NOw,
none of the ui gets authenticated, only the JSON RPC.

Third:  make an RPC url that we can call without authentication.

   The migration page is the last thing we have that uses server side
scripting.  I'd like to complete the work of splitting UI from
business logic.  However, the migration code needs to make an RPC
unauthenticated.  Right now this is the only page that needs to do so,
but we could potentially have others.  If we made a parallel structure
for xml rpc and json RPC that could be called unauthenticated, we
could also perform the migration from the command line or other
applications, which would support some new use cases.

Is this really required. Can we use what is there now?
I am not sure I want to spend any cycles on such a major shift at this
stage of the project.
Can we just polish what we have for migration page for now and address
this in 2.1?


Step one is not a major change, actually, as git supports renaming.  It 
keeps us from duplicating the assets (ipa.css, images) in both 
directories) as we can't really develop the migration page without being 
able to see them.   That is the only one needed.  Steps two and three 
are just logical cleanup steps.




I think the order of execution should be the order I listed them
above.  Feedback?

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel






___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] Rename insta//static to install/ui

2011-01-19 Thread Rob Crittenden 

Adam Young wrote:

I've been working with Kyle Baker to implement the cleanup of the
migration and the error reporting pages. One thing that is messing us up
is the fact that the URL as exposed on the server is different than the
file structure. I'd like to propose the folowing changes:


First: rename install/static to install/ui.


You just want to rename the directory in the git tree?


I wanted to use this name from the get go, but there was a conflict with
the wsgi based ui. It has been gone for a long enough time now that the
rename should cause no conflicts.

Second: merge the html directory into the ui directory.


I'm ok with that, it's just 2 files.


We need them to be separate originally because the UI was getting
authentication, but the error messages and so forth were not. NOw, none
of the ui gets authenticated, only the JSON RPC.

Third: make an RPC url that we can call without authentication.

The migration page is the last thing we have that uses server side
scripting. I'd like to complete the work of splitting UI from business
logic. However, the migration code needs to make an RPC unauthenticated.
Right now this is the only page that needs to do so, but we could
potentially have others. If we made a parallel structure for xml rpc and
json RPC that could be called unauthenticated, we could also perform the
migration from the command line or other applications, which would
support some new use cases.


I think the order of execution should be the order I listed them above.
Feedback?


I don't understand the need for the third one. The logic is stills 
server-side it just uses a separate python script.


rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 682 performance patch

2011-01-19 Thread Rob Crittenden 
This patch skips some self-testing and locking done by the framework 
when in production mode. The assumption is that all development is done 
in mode != production so no inconsistencies can sneak in.


While this patch doesn't seem to do much it improved command-line 
performance for me somewhere between 30 and 50% (so between 3-4 seconds 
per command to 1.5-3, on average, often much better).


I explicitly set mode to production in the installation config files. I 
also explicitly set developer mode when running makeapi --validate so we 
can know at build time that the framework is consistent.


ticket 751

rob
From 920029a8b5f43b11291b076c670a21f02d932f27 Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Wed, 19 Jan 2011 11:24:31 -0500
Subject: [PATCH] Don't perform some API self-tests in production mode for performance reasons

The API does a fair number of self tests and locking to assure that the
registered commands are consistent and will work. This does not need
to be done on a production system and adds additional overhead causing
somewhere between a 30 and 50% decrease in performance.

Because makeapi is executed when a build is done ensure that it is
executed in developer mode to ensure that the framework is ok.

ticket 751
---
 install/tools/ipa-replica-install |1 +
 install/tools/ipa-server-install  |1 +
 ipalib/config.py  |3 +++
 ipalib/frontend.py|7 ---
 ipalib/plugable.py|   15 ++-
 makeapi   |1 +
 6 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 3c912a7..01e5d38 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -358,6 +358,7 @@ def main():
 if ipautil.file_exists(config.dir + /cacert.p12):
 fd.write(enable_ra=True\n)
 fd.write(ra_plugin=dogtag\n)
+fd.write(mode=production\n)
 fd.close()
 
 api.bootstrap(in_server=True)
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 173f5c2..754568c 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -680,6 +680,7 @@ def main():
 fd.write(enable_ra=True\n)
 if not options.selfsign:
 fd.write(ra_plugin=dogtag\n)
+fd.write(mode=production\n)
 fd.close()
 
 api.bootstrap(**cfg)
diff --git a/ipalib/config.py b/ipalib/config.py
index ec86d9e..888785a 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -467,6 +467,9 @@ class Env(object):
 else:
 self.in_tree = False
 
+if self.in_tree and 'mode' not in self:
+self.mode = 'developer'
+
 # Set dot_ipa:
 if 'dot_ipa' not in self:
 self.dot_ipa = self._join('home', '.ipa')
diff --git a/ipalib/frontend.py b/ipalib/frontend.py
index eeed398..51fa524 100644
--- a/ipalib/frontend.py
+++ b/ipalib/frontend.py
@@ -351,9 +351,10 @@ class HasParam(Plugin):
 self._filter_param_by_context(name, env),
 sort=False
 )
-check = getattr(self, 'check_' + name, None)
-if callable(check):
-check(namespace)
+if self.env.mode != 'production':
+check = getattr(self, 'check_' + name, None)
+if callable(check):
+check(namespace)
 setattr(self, name, namespace)
 
 
diff --git a/ipalib/plugable.py b/ipalib/plugable.py
index 264bb68..82bd522 100644
--- a/ipalib/plugable.py
+++ b/ipalib/plugable.py
@@ -207,6 +207,8 @@ class Plugin(ReadOnly):
 def finalize(self):
 
 
+if self.env.mode == 'production':
+return
 lock(self)
 
 def set_api(self, api):
@@ -601,19 +603,22 @@ class API(DictProxy):
 namespace = NameSpace(
 plugin_iter(base, (magic[k] for k in magic))
 )
-assert not (
-name in self.__d or hasattr(self, name)
-)
+	if self.env.mode != 'production':
+assert not (
+name in self.__d or hasattr(self, name)
+)
 self.__d[name] = namespace
 object.__setattr__(self, name, namespace)
 
 for p in plugins.itervalues():
 p.instance.set_api(self)
-assert p.instance.api is self
+if self.env.mode != 'production':
+assert p.instance.api is self
 
 for p in plugins.itervalues():
 p.instance.finalize()
-assert islocked(p.instance) is True
+if self.env.mode != 'production':
+assert islocked(p.instance) is True
 object.__setattr__(self, '_API__finalized', True)
 tuple(PluginInfo(p) for p in plugins.itervalues())
 object.__setattr__(self, 'plugins',
diff --git a/makeapi b/makeapi
index 2c7680f..90f3678 100755
--- a/makeapi
+++

Re: [Freeipa-devel] Rename insta//static to install/ui

2011-01-19 Thread Dmitri Pal 
Rob Crittenden wrote:
 Adam Young wrote:
 I've been working with Kyle Baker to implement the cleanup of the
 migration and the error reporting pages. One thing that is messing us up
 is the fact that the URL as exposed on the server is different than the
 file structure. I'd like to propose the folowing changes:


 First: rename install/static to install/ui.

 You just want to rename the directory in the git tree?

 I wanted to use this name from the get go, but there was a conflict with
 the wsgi based ui. It has been gone for a long enough time now that the
 rename should cause no conflicts.

 Second: merge the html directory into the ui directory.

 I'm ok with that, it's just 2 files.

 We need them to be separate originally because the UI was getting
 authentication, but the error messages and so forth were not. NOw, none
 of the ui gets authenticated, only the JSON RPC.

 Third: make an RPC url that we can call without authentication.

 The migration page is the last thing we have that uses server side
 scripting. I'd like to complete the work of splitting UI from business
 logic. However, the migration code needs to make an RPC unauthenticated.
 Right now this is the only page that needs to do so, but we could
 potentially have others. If we made a parallel structure for xml rpc and
 json RPC that could be called unauthenticated, we could also perform the
 migration from the command line or other applications, which would
 support some new use cases.


 I think the order of execution should be the order I listed them above.
 Feedback?

 I don't understand the need for the third one. The logic is stills
 server-side it just uses a separate python script.

So far I am Ok with 1  2 but do not see need for 3. Please explain.


 rob

 ___
 Freeipa-devel mailing list
 Freeipa-devel@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-devel




-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] Rename insta//static to install/ui

2011-01-19 Thread Adam Young 

On 01/19/2011 12:06 PM, Dmitri Pal wrote:

Rob Crittenden wrote:

Adam Young wrote:

I've been working with Kyle Baker to implement the cleanup of the
migration and the error reporting pages. One thing that is messing us up
is the fact that the URL as exposed on the server is different than the
file structure. I'd like to propose the folowing changes:


First: rename install/static to install/ui.

You just want to rename the directory in the git tree?


I wanted to use this name from the get go, but there was a conflict with
the wsgi based ui. It has been gone for a long enough time now that the
rename should cause no conflicts.

Second: merge the html directory into the ui directory.

I'm ok with that, it's just 2 files.


We need them to be separate originally because the UI was getting
authentication, but the error messages and so forth were not. NOw, none
of the ui gets authenticated, only the JSON RPC.

Third: make an RPC url that we can call without authentication.

The migration page is the last thing we have that uses server side
scripting. I'd like to complete the work of splitting UI from business
logic. However, the migration code needs to make an RPC unauthenticated.
Right now this is the only page that needs to do so, but we could
potentially have others. If we made a parallel structure for xml rpc and
json RPC that could be called unauthenticated, we could also perform the
migration from the command line or other applications, which would
support some new use cases.


I think the order of execution should be the order I listed them above.
Feedback?

I don't understand the need for the third one. The logic is stills
server-side it just uses a separate python script.


So far I am Ok with 1  2 but do not see need for 3. Please explain.


I think I can drop 3, as the existing migrate.py will work OK.




rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel






___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] Rename insta//static to install/ui

2011-01-19 Thread Dmitri Pal 
Adam Young wrote:
 On 01/19/2011 12:06 PM, Dmitri Pal wrote:
 Rob Crittenden wrote:
 Adam Young wrote:
 I've been working with Kyle Baker to implement the cleanup of the
 migration and the error reporting pages. One thing that is messing
 us up
 is the fact that the URL as exposed on the server is different than
 the
 file structure. I'd like to propose the folowing changes:


 First: rename install/static to install/ui.
 You just want to rename the directory in the git tree?

 I wanted to use this name from the get go, but there was a conflict
 with
 the wsgi based ui. It has been gone for a long enough time now that
 the
 rename should cause no conflicts.

 Second: merge the html directory into the ui directory.
 I'm ok with that, it's just 2 files.

 We need them to be separate originally because the UI was getting
 authentication, but the error messages and so forth were not. NOw,
 none
 of the ui gets authenticated, only the JSON RPC.

 Third: make an RPC url that we can call without authentication.

 The migration page is the last thing we have that uses server side
 scripting. I'd like to complete the work of splitting UI from business
 logic. However, the migration code needs to make an RPC
 unauthenticated.
 Right now this is the only page that needs to do so, but we could
 potentially have others. If we made a parallel structure for xml
 rpc and
 json RPC that could be called unauthenticated, we could also
 perform the
 migration from the command line or other applications, which would
 support some new use cases.


 I think the order of execution should be the order I listed them
 above.
 Feedback?
 I don't understand the need for the third one. The logic is stills
 server-side it just uses a separate python script.

 So far I am Ok with 1  2 but do not see need for 3. Please explain.

 I think I can drop 3, as the existing migrate.py will work OK.


You can open a ticket and put it into the deferred bucket for future.


 rob

 ___
 Freeipa-devel mailing list
 Freeipa-devel@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-devel




 ___
 Freeipa-devel mailing list
 Freeipa-devel@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-devel




-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0061 Use authenticated binds in init scripts

2011-01-19 Thread Simo Sorce 
On Wed, 19 Jan 2011 16:18:09 +
JR Aquino jr.aqu...@citrix.com wrote:

 On 1/18/11 4:02 PM, Simo Sorce sso...@redhat.com wrote:
 
 
 We need to use authenticated lda binds in init scripts as otherwise
 starting components fails when the option to restrict anonymous
 access to ldap is set.
 
 In order to do that we need to also start the KDC unconditionally, so
 it has been removed form the list of services retrieved from ldap and
 always started/stopped/restarted explicitly in the script.
 This is necessary so the script can obtain kerberos credentials to
 bind to ds using its keytab.
 
 Fixes ticket #795
 
 Simo.
 
 -- 
 Simo Sorce * Red Hat, Inc * New York
 ___
 Freeipa-devel mailing list
 Freeipa-devel@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-devel
 
 
 ACK
 

Thanks but Rich pointed me to the docs I couldn't find earlier in order
to use SASL/EXTERNL instead of actual credentials.

So I'll hold on this patch and try to propose an alternative that
does not require SASL/GSSAPI auth. If that will be possible and
satisfactorily I will retire this patch an propose a new one, otherwise
I'll push this one.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 0063 Fix ipa_uuid misbehavior

2011-01-19 Thread Simo Sorce 

ipa_uuid was returning an improper error if a modify operation was
performed on an entry that doesn't exists.
This was preventing the dna plugin from working correctly.

Do not error on missing entries, let DS handle the case and report the
proper error code.

Ticket 813

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From be5cbfdb62cd986e4d873773a62ae1490df86da2 Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Wed, 19 Jan 2011 14:54:01 -0500
Subject: [PATCH] Fix ipa_uuid to not interfer with proper error reporting

Fixes: https://fedorahosted.org/freeipa/ticket/813
---
 daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c |5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c b/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c
index 83aac77da95df39cb162988e9a58172585b7ab5a..c6353aeed4a68560be45cb3b3779bdef5ff83620 100644
--- a/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c
+++ b/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c
@@ -819,9 +819,8 @@ static int ipauuid_pre_op(Slapi_PBlock *pb, int modtype)
 slapi_sdn_free(tmp_dn);
 
 if (ret) {
-LOG_FATAL(slapi_search_internal_get_entry failed!? Err %d\n,
-ret);
-ret = LDAP_OPERATIONS_ERROR;
+/* ok a client tried to modify an entry that doesn't exist.
+ * Nothing to see here, move along ... */
 goto done;
 }
 
-- 
1.7.3.4

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin.

2011-01-19 Thread Rob Crittenden 

Pavel Zuna wrote:

Fix #798

Pavel



I don't think this is the right fix.

IIRC the idea was that pre-created hosts with a password (either 
provided or random) would not have a principal. The principal would be 
added once the host is enrolled.


This will fix the plugin as far as adding entries but will cause 
ipa-join to report a warning that the principal already exists.


I realize that this has already been pushed but the ticket should be 
re-opened and another look taken at this.


rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0063 Fix ipa_uuid misbehavior

2011-01-19 Thread Rob Crittenden 

Simo Sorce wrote:


ipa_uuid was returning an improper error if a modify operation was
performed on an entry that doesn't exists.
This was preventing the dna plugin from working correctly.

Do not error on missing entries, let DS handle the case and report the
proper error code.

Ticket 813

Simo.


ack

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin.

2011-01-19 Thread Dmitri Pal 
Rob Crittenden wrote:
 Pavel Zuna wrote:
 Fix #798

 Pavel


 I don't think this is the right fix.

 IIRC the idea was that pre-created hosts with a password (either
 provided or random) would not have a principal. The principal would be
 added once the host is enrolled.
I though that enrollment is based only on presence of the keytab. Since
the the principal is not something that can be changed why it can't be
created when the entry is created?
Does the current logic delete the principal when the machine is
un-enrolled from CLI or GUI. It seems logical to just check the presence
of the keytab. If it is there enrolled. If not then does not.
Am I missing something?



 This will fix the plugin as far as adding entries but will cause
 ipa-join to report a warning that the principal already exists.

 I realize that this has already been pushed but the ticket should be
 re-opened and another look taken at this.

 rob

 ___
 Freeipa-devel mailing list
 Freeipa-devel@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-devel




-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin.

2011-01-19 Thread Simo Sorce 
On Wed, 19 Jan 2011 15:12:03 -0500
Rob Crittenden rcrit...@redhat.com wrote:

 Pavel Zuna wrote:
  Fix #798
 
  Pavel
 
 
 I don't think this is the right fix.
 
 IIRC the idea was that pre-created hosts with a password (either 
 provided or random) would not have a principal. The principal would
 be added once the host is enrolled.
 
 This will fix the plugin as far as adding entries but will cause 
 ipa-join to report a warning that the principal already exists.
 
 I realize that this has already been pushed but the ticket should be 
 re-opened and another look taken at this.

Should we revert in the meanwhile ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin.

2011-01-19 Thread Simo Sorce 
On Wed, 19 Jan 2011 15:22:22 -0500
Dmitri Pal d...@redhat.com wrote:

 I though that enrollment is based only on presence of the keytab.

By keytab I guess you mean the krbPrincipalKey attribute.
The presence of that attribute is unknown to all users except
cn=Directory Manager and uid=kdc, so no user can check for it's
presence as our aci prevent any access for reading (and rightly so).

I think the krbPrincipalNAme attribute was used to check if kerberos
credentials were assigned.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] New Font and I18N

2011-01-19 Thread Adam Young 

Ben,

Since we are going to need Chinese and Japanese support in the font for 
IPA, I'm thinking that we should


1.  Get the translations the site.
2.  Identify the Glyphs requires
3.  Identify the process for people to submit Glyphs to the font base 
from the FreeIPA website.


I'm assuming that the Browser has the ability to fall back to a known 
complete Font for missing glyphs, but I haven't tested it.


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin.

2011-01-19 Thread Rob Crittenden 

Simo Sorce wrote:

On Wed, 19 Jan 2011 15:22:22 -0500
Dmitri Pald...@redhat.com  wrote:


I though that enrollment is based only on presence of the keytab.


By keytab I guess you mean the krbPrincipalKey attribute.
The presence of that attribute is unknown to all users except
cn=Directory Manager and uid=kdc, so no user can check for it's
presence as our aci prevent any access for reading (and rightly so).

I think the krbPrincipalNAme attribute was used to check if kerberos
credentials were assigned.

Simo.



Yes, that's right. We also use krbLastPwdChange for this purpose but the 
krbPrincipalName work predated this.


We might need to revisit what I originally did which is why I think the 
patch is ok for now. For now, at least as far as I can tell, it just 
causes a strange message in ipa-join.


rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin.

2011-01-19 Thread Dmitri Pal 
Rob Crittenden wrote:
 Simo Sorce wrote:
 On Wed, 19 Jan 2011 15:22:22 -0500
 Dmitri Pald...@redhat.com  wrote:

 I though that enrollment is based only on presence of the keytab.

 By keytab I guess you mean the krbPrincipalKey attribute.
 The presence of that attribute is unknown to all users except
 cn=Directory Manager and uid=kdc, so no user can check for it's
 presence as our aci prevent any access for reading (and rightly so).

 I think the krbPrincipalNAme attribute was used to check if kerberos
 credentials were assigned.

 Simo.


 Yes, that's right. We also use krbLastPwdChange for this purpose but
 the krbPrincipalName work predated this.

 We might need to revisit what I originally did which is why I think
 the patch is ok for now. For now, at least as far as I can tell, it
 just causes a strange message in ipa-join.



Yes the one that I noticed yesterday stating that principal exists.
Ok I am corrected let us reopen the ticket.

 rob

 ___
 Freeipa-devel mailing list
 Freeipa-devel@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-devel




-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 683 block anonymous access to hbac info

2011-01-19 Thread Rob Crittenden 
Add a couple of acis to block anonymous access to cn=hbac and to member 
attributes. This is so you can't hunt for what roles, groups, etc. a 
user might be in (so you can target an attack).


ticket 811

rob
From b1d9409042946406b0354af17c9345c1bdf9ec0f Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Wed, 19 Jan 2011 17:47:50 -0500
Subject: [PATCH] Block anonymous access to HBAC and member information.

Prevents an unauthenticated user from accessing HBAC information as well
as member information which could diclose roles, memberships in HBAC, etc.

ticket 811
---
 install/share/default-aci.ldif |6 ++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index ff0e5ae..6264135 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -4,6 +4,7 @@ dn: $SUFFIX
 changetype: modify
 add: aci
 aci: (targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey)(version 3.0; acl Enable Anonymous access; allow (read, search, compare) userdn = ldap:///anyone;;)
+aci: (targetattr = member || memberOf || memberHost || memberUser)(version 3.0; acl No anonymous access to member information; deny (read,search,compare) userdn != ldap:///all;;)
 aci: (targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy)(version 3.0; acl Admin can manage any entry; allow (all) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)
 aci: (targetattr = userpassword || krbprincipalkey || sambalmpassword || sambantpassword)(version 3.0; acl Self can write own password; allow (write) userdn=ldap:///self;;)
 aci: (targetattr = userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory)(version 3.0; acl Admins can write passwords; allow (add,delete,write) groupdn=ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)
@@ -67,3 +68,8 @@ dn: cn=computers,cn=accounts,$SUFFIX
 changetype: modify
 add: aci
 aci: (targetattr = krbPrincipalKey || krbLastPwdChange)(target = ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX;)(version 3.0;acl Admins can manage host keytab;allow (write) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)
+
+dn: cn=hbac,$SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = *)(version 3.0; acl No anonymous access to hbac; deny (read,search,compare) userdn != ldap:///all;;)
-- 
1.7.3.4

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 683 block anonymous access to hbac info

2011-01-19 Thread Simo Sorce 
On Wed, 19 Jan 2011 17:51:56 -0500
Rob Crittenden rcrit...@redhat.com wrote:

 +aci: (targetattr = member || memberOf || memberHost ||
 memberUser)(version 3.0; acl No anonymous access to member
 information; deny (read,search,compare) userdn != ldap:///all;;)

Nack, without 'member', nss_ldap will have no way to determine
posixAccount group memberships using anonymous access (the default).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0061 Use authenticated binds in init scripts

2011-01-19 Thread Simo Sorce 
On Wed, 19 Jan 2011 12:20:25 -0500
Simo Sorce sso...@redhat.com wrote:

 On Wed, 19 Jan 2011 16:18:09 +
 JR Aquino jr.aqu...@citrix.com wrote:
 
  On 1/18/11 4:02 PM, Simo Sorce sso...@redhat.com wrote:
  
  
  We need to use authenticated lda binds in init scripts as otherwise
  starting components fails when the option to restrict anonymous
  access to ldap is set.
  
  In order to do that we need to also start the KDC unconditionally,
  so it has been removed form the list of services retrieved from
  ldap and always started/stopped/restarted explicitly in the script.
  This is necessary so the script can obtain kerberos credentials to
  bind to ds using its keytab.
  
  Fixes ticket #795
  
  Simo.
  
  -- 
  Simo Sorce * Red Hat, Inc * New York
  ___
  Freeipa-devel mailing list
  Freeipa-devel@redhat.com
  https://www.redhat.com/mailman/listinfo/freeipa-devel
  
  
  ACK
  
 
 Thanks but Rich pointed me to the docs I couldn't find earlier in
 order to use SASL/EXTERNL instead of actual credentials.
 
 So I'll hold on this patch and try to propose an alternative that
 does not require SASL/GSSAPI auth. If that will be possible and
 satisfactorily I will retire this patch an propose a new one,
 otherwise I'll push this one.
 
 Simo.
 

Ok I am retiring this patch and sending an alternative one.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 0064 Fix authentication for init scripts

2011-01-19 Thread Simo Sorce 

In order for ipactl to function even when anonymous access is disabled
we need to authenticate.
Use sASL/EXTERNAL to let root get access as a very low privileged
special user.

Ticket #795

This patch is a replacement of 0061 where I was using SASL/GSSAPI

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From e15af881c47f6ce837006805b2f6977fa7354ba9 Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Wed, 19 Jan 2011 15:17:25 -0500
Subject: [PATCH] Allow SASL/EXTERNAL authentication for the root user

This gives the root user low privileges so that when anonymous searches are
denied the init scripts can still search the directory via ldapi to get the
list of serevices to start.

Fixes: https://fedorahosted.org/freeipa/ticket/795
---
 install/share/Makefile.am|1 +
 install/share/root-autobind.ldif |   24 
 install/tools/ipactl |5 -
 ipaserver/install/dsinstance.py  |5 +
 4 files changed, 34 insertions(+), 1 deletions(-)
 create mode 100644 install/share/root-autobind.ldif

diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 0fb5c8961fa787f4686e93b4f073d954f78d08b1..4527a922c3c7408ff2563dac6a5db9a2657ae1ba 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -47,6 +47,7 @@ app_DATA =\
 	uuid-ipauniqueid.ldif		\
 	modrdn-krbprinc.ldif		\
 	entryusn.ldif			\
+	root-autobind.ldif		\
 	$(NULL)
 
 EXTRA_DIST =\
diff --git a/install/share/root-autobind.ldif b/install/share/root-autobind.ldif
new file mode 100644
index ..e7bbc8dbe430a48d53078cbd585cd479388450de
--- /dev/null
+++ b/install/share/root-autobind.ldif
@@ -0,0 +1,24 @@
+# root-autobind, config
+dn: cn=root-autobind,cn=config
+changetype: add
+objectClass: extensibleObject
+objectClass: top
+cn: root-autobind
+uidNumber: 0
+gidNumber: 0
+
+dn: cn=config
+changetype: modify
+replace: nsslapd-ldapiautobind
+nsslapd-ldapiautobind: on
+
+dn: cn=config
+changetype: modify
+replace: nsslapd-ldapimaptoentries
+nsslapd-ldapimaptoentries: on
+
+dn: cn=config
+changetype: modify
+replace: nsslapd-ldapientrysearchbase
+nsslapd-ldapientrysearchbase: cn=config
+
diff --git a/install/tools/ipactl b/install/tools/ipactl
index 0254a2762580fc83503510d387b3e36d67d514de..fc652c9754cf63e8d9d46a3b20866b94df3ab698 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -26,6 +26,7 @@ try:
 from ipalib import api, errors
 import logging
 import ldap
+import ldap.sasl
 import socket
 except ImportError:
 print  sys.stderr, \
@@ -36,6 +37,8 @@ error was:
  % sys.exc_value
 sys.exit(1)
 
+SASL_EXTERNAL = ldap.sasl.sasl({}, 'EXTERNAL')
+
 def parse_options():
 usage = %prog start|stop|restart|status\n
 parser = config.IPAOptionParser(usage=usage,
@@ -60,7 +63,7 @@ def get_config():
 
 try:
 con = ldap.initialize(api.env.ldap_uri)
-con.simple_bind()
+con.sasl_interactive_bind_s('', SASL_EXTERNAL)
 res = con.search_st(base,
 ldap.SCOPE_SUBTREE,
 filterstr=srcfilter,
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 4fd7a00279c73c5b41e2d7ad5999c1af91eefbf8..5da9d17d4417031920495254ff566ee235234bfb 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -208,6 +208,7 @@ class DsInstance(service.Service):
 self.step(creating indices, self.__create_indices)
 self.step(configuring ssl for ds instance, self.__enable_ssl)
 self.step(configuring certmap.conf, self.__certmap_conf)
+self.step(configure autobind for root, self.__root_autobind)
 self.step(restarting directory server, self.__restart_instance)
 
 def __common_post_setup(self):
@@ -729,3 +730,7 @@ class DsInstance(service.Service):
 
 def __tuning(self):
 self.tune_nofile(8192)
+
+def __root_autobind(self):
+self._ldap_mod(root-autobind.ldif)
+
-- 
1.7.3.4

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 0065 Use ldapi with krb5kdc

2011-01-19 Thread Simo Sorce 

Long ago we decided to use the ldapi socket to let the KDC access the
ldap data in order to avoid comunication over the network (even if it
is 127.0.0.1).

This patch finally implements that. Although beware that this patch
will need you to either create custom policy or to set selinux in
permissive mode until the new policy lands in fedora land.

Bugs have been opened and I think the policy has already landed in
rawhide.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From 5328b459ae3f55377b9609a796dd05dc026ba791 Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Wed, 19 Jan 2011 14:08:48 -0500
Subject: [PATCH] Make krb5kdc use the ldapi socket to talk to dirsrv

Fixes: https://fedorahosted.org/freeipa/ticket/812
---
 install/share/krb5.conf.template |2 +-
 ipaserver/install/krbinstance.py |2 ++
 2 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template
index ab569714bc7d49370ac65587b63bc23e6bd46ca0..9cf4ee84d5e12bc5ecf524f1544e87b2d787c476 100644
--- a/install/share/krb5.conf.template
+++ b/install/share/krb5.conf.template
@@ -34,7 +34,7 @@
 [dbmodules]
   $REALM = {
 db_library = kldap
-ldap_servers = ldap://127.0.0.1/
+ldap_servers = ldapi://%2fvar%2frun%2fslapd-$SERVER_ID.socket
 ldap_kerberos_container_dn = cn=kerberos,$SUFFIX
 ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX
 ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index e7c1116377a66954ecf4c024510e6d9dd79ba69d..9f706797fcbeb79bf0c58c60294c0fc7f6e5f4b9 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -35,6 +35,7 @@ from ipalib import errors
 
 from ipaserver import ipaldap
 from ipaserver.install import replication
+from ipaserver.install.dsinstance import realm_to_serverid
 
 import ldap
 from ldap import LDAPError
@@ -255,6 +256,7 @@ class KrbInstance(service.Service):
  SUFFIX=self.suffix,
  DOMAIN=self.domain,
  HOST=self.host,
+ SERVER_ID=realm_to_serverid(self.realm),
  REALM=self.realm)
 
 def __configure_sasl_mappings(self):
-- 
1.7.3.4

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0063 Fix ipa_uuid misbehavior

2011-01-19 Thread Simo Sorce 
On Wed, 19 Jan 2011 15:15:53 -0500
Rob Crittenden rcrit...@redhat.com wrote:

 Simo Sorce wrote:
 
  ipa_uuid was returning an improper error if a modify operation was
  performed on an entry that doesn't exists.
  This was preventing the dna plugin from working correctly.
 
  Do not error on missing entries, let DS handle the case and report
  the proper error code.
 
  Ticket 813
 
  Simo.
 
 ack

Thanks,
pushed to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0059 Add command to test if DNS is active

2011-01-19 Thread Adam Young 

On 01/17/2011 01:11 PM, Simo Sorce wrote:

This patch implements the feature requested in ticket #600

The internal dns_is_enabled command returns whether the DNS service is
enable on at least one of the server in the domain.

The UI can use this command to determine whether to show the DNS
related configuration options.

Simo.



___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
ACK, but be sure to rerun the makeapi command, as I think we have added 
a few new ones since this version was generated.
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0059 Add command to test if DNS is active

2011-01-19 Thread Simo Sorce 
On Wed, 19 Jan 2011 20:17:56 -0500
Adam Young ayo...@redhat.com wrote:

 On 01/17/2011 01:11 PM, Simo Sorce wrote:
  This patch implements the feature requested in ticket #600
 
  The internal dns_is_enabled command returns whether the DNS service
  is enable on at least one of the server in the domain.
 
  The UI can use this command to determine whether to show the DNS
  related configuration options.

 ACK, but be sure to rerun the makeapi command, as I think we have
 added a few new ones since this version was generated.

I kept rebasing it on top of master in my tree, I saw no issues.

Pushed to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel