[Freeipa-devel] [PATCH] Disable renaming to empty string
So far it was possible to rename any object using LDAPUpdate to a name with empty primary key. Since this can cause nasty problems, this patch disables empty string in --rename argument. https://fedorahosted.org/freeipa/ticket/827 Jan From 5d2eb85af1df7c20049e7fdc05e6a529a2b2839b Mon Sep 17 00:00:00 2001 From: Jan Zeleny Date: Mon, 24 Jan 2011 03:24:05 -0500 Subject: [PATCH] Disable renaming to empty string So far it was possible to rename any object using LDAPUpdate to a name with empty primary key. Since this can cause nasty problems, this patch disables empty string in --rename argument. https://fedorahosted.org/freeipa/ticket/827 --- ipalib/plugins/baseldap.py |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index e7ccb7724ff39a115c8931c7829d4352c3e0c691..1ef1af56947c5d0f90088b9ba2be98b8acb0278c 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -799,6 +799,8 @@ class LDAPUpdate(LDAPQuery, crud.Update): rdnupdate = False try: if self.obj.rdnattr and 'rename' in options: +if not options['rename']: +raise errors.ValidationError(name='rename', error=u'can\'t be empty') entry_attrs[self.obj.rdnattr] = options['rename'] if self.obj.rdnattr and self.obj.rdnattr in entry_attrs: -- 1.7.3.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
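Review bot: the new check inside `if self.obj.rdnattr and 'rename' in options:` rejects only a falsy value (None or ''), so a rename to a whitespace-only string such as ' ' still goes through and yields an RDN with no meaningful content; test `not options['rename'].strip()` (raising the same ValidationError) instead. Two smaller points: the message `u'can\'t be empty'` is not marked for translation the way the project's other user-facing strings are (API.txt runs them through Gettext), and a validator attached to the `rename` option itself would reject the value before the command body and its try block are entered, which is where the rest of the parameter checking already happens.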
Re: [Freeipa-devel] [PATCH] Disable renaming to empty string
On Mon, 24 Jan 2011 09:38:45 +0100 Jan Zelený wrote:
> So far it was possible to rename any object using LDAPUpdate to a name
> with empty primary key. Since this can cause nasty problems, this
> patch disables empty string in --rename argument.
>
> https://fedorahosted.org/freeipa/ticket/827

ack

Simo.

--
Simo Sorce * Red Hat, Inc * New York
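An added example, not part of the patch above and not ipalib code: a standalone validator in the spirit of the --rename check, extended to whitespace-only values and to RFC 4514 escaping of the value before it is placed in an RDN. Without escaping, a rename value such as `bar,cn=groups` would be parsed as two DN components instead of one, which is the same class of problem as the empty RDN the patch blocks. The names `validate_rdn_value`, `escape_rdn_value` and `build_dn` are assumed here and are not FreeIPA API.

```python
"""Added example (not FreeIPA code): validate and escape a value before it
becomes the RDN of an LDAP entry, generalising the --rename check above."""

# RFC 4514 section 2.4: characters that must always be escaped in a value.
_SPECIALS = {'"', '+', ',', ';', '<', '>', '\\'}


class InvalidRdnValue(ValueError):
    """Raised when a proposed RDN value is empty or otherwise unusable."""


def validate_rdn_value(value):
    """Reject what the patch rejects (empty/None) plus whitespace-only
    values, which would give an RDN with no meaningful content.
    Returns the value unchanged when it is acceptable."""
    if value is None or not isinstance(value, str):
        raise InvalidRdnValue("can't be empty")
    if not value.strip():
        raise InvalidRdnValue("can't be empty")
    return value


def escape_rdn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 2.4):
    specials everywhere, '#' at the start, and a leading/trailing space."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIALS:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        elif ch == '#' and i == 0:
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)


def build_dn(rdn_attr, value, parent_dn):
    """Compose '<rdn_attr>=<escaped value>,<parent_dn>' after validation,
    so a hostile rename value cannot add or change DN components."""
    validate_rdn_value(value)
    return '%s=%s,%s' % (rdn_attr, escape_rdn_value(value), parent_dn)


if __name__ == '__main__':
    # Constructed inputs: a normal rename and one that smuggles a component.
    print(build_dn('uid', 'jdoe', 'cn=users,dc=example,dc=com'))
    print(build_dn('cn', 'bar,cn=groups', 'cn=groups,dc=example,dc=com'))
```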
Re: [Freeipa-devel] [PATCH] 039 Delete the whole DNS record with no parameters
On 01/22/2011 02:28 AM, Adam Young wrote:
> Does any of this imply that we should change the WebUI handling of Zone
> or Record deletes?

Sorry, I don't know enough about the WebUI to give an authoritative answer. I'll try to summarize the changes I did, if it doesn't answer your question, please catch me on IRC :-)

The only change to the API is a new option "del_all" that specifies that the caller wants to delete the whole DNS record. Calling dnsrecord-add and dnsrecord-del with no options is now disallowed. See my reply to Rob's email for more details.

The return value of dnsrecord-del changed for the case the whole record is deleted - now it returns the same value other -del commands do, which in the Python CLI world is a dictionary that contains entries we failed to delete.

Jakub
Re: [Freeipa-devel] [PATCH] 039 Delete the whole DNS record with no parameters
On 01/21/2011 05:54 PM, Rob Crittenden wrote:
> Jakub Hrozek wrote:
>> On 01/20/2011 11:53 PM, Simo Sorce wrote:
>>> On Thu, 20 Jan 2011 17:27:37 -0500
>>> Dmitri Pal wrote:
>>>> Michael Gregg wrote:
>>>>> Jakub Hrozek wrote:
>>>>>> Hi,
>>>>>>
>>>>>> as discussed in https://bugzilla.redhat.com/show_bug.cgi?id=671019
>>>>>> to delete a DNS RR one has to remove its record types one by one.
>>>>>>
>>>>>> This patch modifies the behaviour so that if the user runs
>>>>>> dnsrecord-del with no other parameters, the
>>>>>> whole record is removed.
>>>>>>
>>>>>> Alternative solutions might be to expose the internal command that
>>>>>> is able to delete the record (although I think it is
>>>>>> counterintuitive to have one command to remove record types and one
>>>>>> for the whole record) or have a special flag (--del-all?) to remove
>>>>>> the whole record.
>>>>>>
>>>>>> The patch also fixes the unit tests as they didn't reflect all the
>>>>>> recent changes.
>>>>>
>>>>> Going with this patch sounds good, but to make sure, I polled
>>>>> several people here, and they all seemed to think that having to add
>>>>> a --del-all or --del-record flag at the end would be better as it
>>>>> would be less prone to failure where admins would accidentally delete
>>>>> an entire record because they didn't specify anything after the " "
>>>>>
>>>>> So, maybe we do need a --del-all or --del-record operator.
>>>>
>>>> Agree.
>>>
>>> +1
>>> Someone may simply push enter accidentally while checking what to write
>>> after the command. It would be rather unfortunate.
>>>
>>> Simo.
>>
>> Attached is a new version of the patch that implements --del-all. It
>> also reports failure when deleting a nonexistent RR (new ticket 829).
>
> nack, this isn't working properly for me.
> > Here is how I tested: > > - add a new zone, newzone1 > - ipa dnsrecord-add newzone1 as --a-rec 3.4.5.6 > - ipa dnsrecord-add newzone1 as > Record name: as > A record: 3.4.5.6 > - ipa dnsrecord-show newzone1 as > Record name: as > A record: 3.4.5.6 > - ipa dnsrecord-del newzone1 as --del-all > [ no output ] > - ipa dnsrecord-show newzone1 as > ipa: ERROR: as: DNS resource record not found > > So a couple of problems: > > 1. An error should have been thrown when I tried a delete without a > specific record type. I agree but I was reluctant to do this because it was perfectly OK to call "dnsrecord-add" with no options. That would create an empty DNS record. The interface was orthogonal so "dnsrecord-del" with no options would remove the record if it was empty. But I don't think an empty DNS record makes any sense. I changed the behaviour such that: * dnsrecord-add with no attributes is no longer allowed. You have to specify at least one RR type. * dnsrecord-del with no attributes is no longer allowed. You have to either specify a RR type or --del-all. > 2. Some output should be displayed when I delete all records, at least a > summary. > Agreed and fixed. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk09kfIACgkQHsardTLnvCWyBgCeIos2bWGps/FxL7of6BkuiU8U AzEAn1Bp/uuoNKB2Qlm2XGGwdDL4dAjl =I13I -END PGP SIGNATURE- From f35265821eba70da8984283c5fbd5678a2eccdc3 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Thu, 20 Jan 2011 07:54:14 -0500 Subject: [PATCH] Delete the whole DNS record with no parameters Error out when deleting a nonexistent DNS record Also fixes the DNS unit tests. https://fedorahosted.org/freeipa/ticket/816 https://fedorahosted.org/freeipa/ticket/829 --- API.txt |3 +- ipalib/plugins/dns.py| 46 +++--- tests/test_xmlrpc/test_dns_plugin.py | 38 +++ 3 files changed, 65 insertions(+), 22 deletions(-) diff --git a/API.txt b/API.txt index 178f8f5..0a44ad9 100644 
--- a/API.txt +++ b/API.txt @@ -580,9 +580,10 @@ output: Output('summary', (, ), 'User-friendly output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', , "The primary_key value of the entry, e.g. 'jdoe' for a user") command: dnsrecord_del -args: 2,41,3 +args: 2,42,3 arg: Str('dnszoneidnsname', cli_name='dnszone', label=Gettext('Zone name', domain='ipa', localedir=None), query=True, required=True) arg: Str('idnsname', attribute=True, cli_name='name', label=Gettext('Record name', domain='ipa', localedir=None), multivalue=False, primary_key=True, query=True, required=True) +option: Flag('del_all', autofill=True, default=False, label=Gettext('Delete all associated records', domain='ipa', localedir=None)) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui', flags=['no_output']) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui',
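Review bot: the API.txt hunk adds `Flag('del_all', ...)` alongside the per-type record options, but nothing visible here says what dnsrecord-del does when `--del-all` is combined with a record type such as `--a-rec`; either reject the combination with a ValidationError or document that del_all wins, and cover that case in test_dns_plugin.py next to the new no-options error. A doc string on the flag would also surface the "at least one RR type or --del-all" rule in `--help`, since the label 'Delete all associated records' on its own does not explain it.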
Re: [Freeipa-devel] [PATCH] Make ipa permission-add ask for optional attributes
Jan Zelený wrote:
> Rob Crittenden wrote:
>> Jan Zeleny wrote:
>>> Either one of type, filter, subtree, targetgroup, attrs or memberof is
>>> required.
>>>
>>> https://fedorahosted.org/freeipa/ticket/819
>>>
>>> Jan
>>
>> Do you think the prompt should be annotated somehow to indicate that
>> the optional attributes are optional? I've been wondering about this
>> since I added alwaysask for managing permissions, it isn't very clear
>> that you don't have to enter something. I'm not sure how we would do
>> it, a *, or some other indicator?
>>
>> rob
>
> That's definitely a good idea, but if we will use *, I think it should
> be present for required arguments, otherwise it might be confusing - on
> the web * usually marks required fields. From this point of view square
> brackets are used to indicate something is optional, so about something
> like [Subtree]:?
>
> Jan

Yes, that sounds perfect. I filed ticket https://fedorahosted.org/freeipa/ticket/832

rob
Re: [Freeipa-devel] [PATCH] 039 Delete the whole DNS record with no parameters
On 01/24/2011 09:51 AM, Jakub Hrozek wrote:
> Sorry, I don't know enough about the WebUI to give an authoritative
> answer. I'll try to summarize the changes I did, if it doesn't answer
> your question, please catch me on IRC :-)
>
> The only change to the API is a new option "del_all" that specifies
> that the caller wants to delete the whole DNS record. Calling
> dnsrecord-add and dnsrecord-del with no options is now disallowed. See
> my reply to Rob's email for more details.
>
> The return value of dnsrecord-del changed for the case the whole record
> is deleted - now it returns the same value other -del commands do,
> which in the Python CLI world is a dictionary that contains entries we
> failed to delete.

I think that this won't change anything UI based. If you want to delete all of the records for a given Zone, you would just select all of them in the UI, so it would be an exhaustive list. To select them all, we have a UI control that toggles all of the checkmarks.
[Freeipa-devel] OpenSSL CA complains that CSR from --external-ca missing mandatory Country field.
I'm not sure if this is a user error or a bug. I didn't see a way to tell OpenSSL to not require that Country be in the CSR.

Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
organizationName      :PRINTABLE:'MYREALM.COM'
commonName            :PRINTABLE:'Certificate Authority'
The mandatory countryName field was missing

I didn't see anything in Trac regarding this.
Re: [Freeipa-devel] OpenSSL CA complains that CSR from --external-ca missing mandatory Country field.
Jeff B wrote:
> I'm not sure if this is a user error or a bug. I didn't see a way to
> tell OpenSSL to not require that Country be in the CSR.
>
> Check that the request matches the signature
> Signature ok
> The Subject's Distinguished Name is as follows
> organizationName      :PRINTABLE:'MYREALM.COM'
> commonName            :PRINTABLE:'Certificate Authority'
> The mandatory countryName field was missing
>
> I didn't see anything in Trac regarding this.

I don't know a ton about OpenSSL but I think it is because the default configuration file, /etc/pki/tls/openssl.cnf, requires country. You should be able to provide your own config file to the openssl commands.

rob
Re: [Freeipa-devel] OpenSSL CA complains that CSR from --external-ca missing mandatory Country field.
On Mon, Jan 24, 2011 at 10:38 AM, Jeff B wrote:
> You are right. I changed:
>
> [ policy_match ]
> countryName             = match
> stateOrProvinceName     = match
> organizationName        = match
> organizationalUnitName  = optional
> commonName              = supplied
> emailAddress            = optional
>
> to
>
> [ policy_match ]
> countryName             = optional
> stateOrProvinceName     = optional
> organizationName        = supplied
> organizationalUnitName  = optional
> commonName              = supplied
> emailAddress            = optional
>
> Aside from the Country and State missing it also complained that the
> organizationName didn't match the org name of my CA so I had to change
> the 3rd line from match to supplied.
>
> On Mon, Jan 24, 2011 at 10:26 AM, Rob Crittenden wrote:
>> Jeff B wrote:
>>> I'm not sure if this is a user error or a bug. I didn't see a way to
>>> tell OpenSSL to not require that Country be in the CSR.
>>>
>>> Check that the request matches the signature
>>> Signature ok
>>> The Subject's Distinguished Name is as follows
>>> organizationName      :PRINTABLE:'MYREALM.COM'
>>> commonName            :PRINTABLE:'Certificate Authority'
>>> The mandatory countryName field was missing
>>>
>>> I didn't see anything in Trac regarding this.
>>
>> I don't know a ton about OpenSSL but I think it is because the default
>> configuration file, /etc/pki/tls/openssl.cnf, requires country. You
>> should be able to provide your own config file to the openssl commands.
>>
>> rob
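An added example, not from this thread and not FreeIPA or OpenSSL project code: the same policy change Jeff describes (country and state optional, organizationName supplied rather than match), but placed in a dedicated policy section of a private config file passed with `-config`, so the stock `[ policy_match ]` that every other certificate from that CA is checked against stays untouched. It also sets the extensions an external CA must put on this particular certificate: the CSR is for IPA's own CA, so the result has to be a CA certificate (basicConstraints CA:TRUE, keyCertSign), or the IPA CA cannot sign anything with it. The script assumes the `openssl` binary is on PATH; the scratch root CA, the work directory and the IPA-shaped CSR are constructed here for the demonstration, and the function names are mine.

```python
"""Added example (not FreeIPA code): sign the CSR that
'ipa-server-install --external-ca' writes with an OpenSSL CA that uses its
own DN policy section instead of a loosened default [ policy_match ].
Assumes the 'openssl' binary is on PATH; the scratch CA and the CSR made by
the helpers below are constructed for the demo."""
import os
import subprocess
import tempfile

CA_CONFIG = """\
[ ca ]
default_ca = ipa_ca

[ ipa_ca ]
dir             = {work}
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/cacert.pem
private_key     = $dir/cakey.pem
default_md      = sha256
default_days    = 3650
policy          = ipa_policy
x509_extensions = ipa_ca_ext

# Only what the IPA CSR actually carries (O, CN) is required; C and ST,
# which the stock policy_match demands, are optional here.
[ ipa_policy ]
organizationName       = supplied
commonName             = supplied
countryName            = optional
stateOrProvinceName    = optional
organizationalUnitName = optional
emailAddress           = optional

# The request is for IPA's own CA, so the issued certificate must be a CA
# certificate; a plain end-entity cert would leave IPA unable to sign.
[ ipa_ca_ext ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
"""


def _run(*args):
    subprocess.run(args, check=True, stdout=subprocess.DEVNULL,
                   stderr=subprocess.DEVNULL)


def make_scratch_ca(work):
    """Constructed external root CA (key, self-signed cert, CA database)."""
    os.makedirs(os.path.join(work, 'newcerts'), exist_ok=True)
    open(os.path.join(work, 'index.txt'), 'w').close()
    with open(os.path.join(work, 'serial'), 'w') as f:
        f.write('1000\n')
    _run('openssl', 'req', '-x509', '-newkey', 'rsa:2048', '-nodes', '-sha256',
         '-days', '3650', '-subj', '/C=US/ST=NY/O=External Corp/CN=External Root CA',
         '-keyout', os.path.join(work, 'cakey.pem'),
         '-out', os.path.join(work, 'cacert.pem'))
    with open(os.path.join(work, 'ca.cnf'), 'w') as f:
        f.write(CA_CONFIG.format(work=work))


def make_ipa_like_csr(work):
    """CSR with the same DN shape as in the thread: O and CN, no C or ST."""
    csr = os.path.join(work, 'ipa.csr')
    _run('openssl', 'req', '-new', '-newkey', 'rsa:2048', '-nodes', '-sha256',
         '-subj', '/O=MYREALM.COM/CN=Certificate Authority',
         '-keyout', os.path.join(work, 'ipa-key.pem'), '-out', csr)
    return csr


def sign_ipa_csr(work, csr, out):
    """'openssl ca' with the dedicated config; returns the cert path."""
    _run('openssl', 'ca', '-batch', '-config', os.path.join(work, 'ca.cnf'),
         '-in', csr, '-out', out)
    return out


def cert_is_ca(cert):
    """True when the certificate carries basicConstraints CA:TRUE."""
    text = subprocess.run(['openssl', 'x509', '-in', cert, '-noout', '-text'],
                          check=True, capture_output=True, text=True).stdout
    return 'CA:TRUE' in text


def cert_verifies(work, cert):
    """True when the signed certificate chains to the scratch root."""
    r = subprocess.run(['openssl', 'verify', '-CAfile',
                        os.path.join(work, 'cacert.pem'), cert],
                       capture_output=True, text=True)
    return r.returncode == 0


def demo():
    """Whole flow in a temp dir; returns (is_ca_cert, chains_to_root)."""
    work = tempfile.mkdtemp(prefix='ipa-ext-ca-')
    make_scratch_ca(work)
    crt = sign_ipa_csr(work, make_ipa_like_csr(work), os.path.join(work, 'ipa.crt'))
    return cert_is_ca(crt), cert_verifies(work, crt)


if __name__ == '__main__':
    print('CA cert: %s, chains to root: %s' % demo())
```

In real use, point `sign_ipa_csr` at `/root/ipa.csr` and hand the resulting file to `ipa-server-install --external_cert_file=...` together with the external CA's certificate. Keeping the relaxed policy in its own section means the production `[ policy_match ]` still enforces country, state and organisation for everything else the CA issues.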
[Freeipa-devel] [PATCH] fix doctest
I pushed this under the 1-liner rule, it fixes a doctest failure. rob >From 76cbd48896bc8953fdd7abf4afd797ffb6cbfc92 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Mon, 24 Jan 2011 10:41:20 -0500 Subject: [PATCH] Fix exception doctest failure --- ipalib/errors.py |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ipalib/errors.py b/ipalib/errors.py index faa9e81..20cd52b 100644 --- a/ipalib/errors.py +++ b/ipalib/errors.py @@ -1353,10 +1353,10 @@ class BadSearchFilter(ExecutionError): For example: ->>> raise BadSearchFilter(info='') +>>> raise BadSearchFilter(info='invalid syntax') Traceback (most recent call last): ... -BadSearchFilter: Bad search filter +BadSearchFilter: Bad search filter invalid syntax """ errno = 4209 -- 1.7.3.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
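Review bot: the doctest change papers over the message format rather than fixing it: with `info='invalid syntax'` the expected line is `BadSearchFilter: Bad search filter invalid syntax`, the info glued to the message with a bare space, and with the old `info=''` the message ended in a trailing space. Better to give the format string behind BadSearchFilter (not in this hunk) a separator, e.g. `Bad search filter: %(info)s`, and update the doctest to match, so the LDAP server's reason is readable in the CLI error.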
[Freeipa-devel] [PATCH] 688 fix some unit tests
It looks like python 2.7 changed the API of time.utcoffset(), this should fix the tests. We have recently relaxed what input a Str will take, the tests need to be updated to accomodate. rob >From 459b204be01bd57ba2420a269b3a9702dfc22a3c Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Mon, 24 Jan 2011 10:43:59 -0500 Subject: [PATCH] Fix failed tests. API for utcoffset changed and strings are more robust. In Python 2.7 the API for time.utcoffset() changed. We do more automatic conversions of strings so need to loosen the tests a bit. --- ipapython/test/test_ipautil.py |8 tests/test_ipalib/test_parameters.py |7 --- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/ipapython/test/test_ipautil.py b/ipapython/test/test_ipautil.py index ef1afd3..ff9f282 100644 --- a/ipapython/test/test_ipautil.py +++ b/ipapython/test/test_ipautil.py @@ -275,7 +275,7 @@ class TestTimeParser(unittest.TestCase): time = ipautil.parse_generalized_time(timestr) self.assertEqual(0, time.tzinfo.houroffset) self.assertEqual(0, time.tzinfo.minoffset) -offset = time.tzinfo.utcoffset() +offset = time.tzinfo.utcoffset(time.tzinfo.dst()) self.assertEqual(0, offset.seconds) timestr = "20051213141205+0500" @@ -283,7 +283,7 @@ class TestTimeParser(unittest.TestCase): time = ipautil.parse_generalized_time(timestr) self.assertEqual(5, time.tzinfo.houroffset) self.assertEqual(0, time.tzinfo.minoffset) -offset = time.tzinfo.utcoffset() +offset = time.tzinfo.utcoffset(time.tzinfo.dst()) self.assertEqual(5 * 60 * 60, offset.seconds) timestr = "20051213141205-0500" @@ -293,7 +293,7 @@ class TestTimeParser(unittest.TestCase): self.assertEqual(0, time.tzinfo.minoffset) # NOTE - the offset is always positive - it's minutes #_east_ of UTC -offset = time.tzinfo.utcoffset() +offset = time.tzinfo.utcoffset(time.tzinfo.dst()) self.assertEqual((24 - 5) * 60 * 60, offset.seconds) timestr = "20051213141205-0930" 
@@ -301,7 +301,7 @@ class TestTimeParser(unittest.TestCase): time = ipautil.parse_generalized_time(timestr) self.assertEqual(-9, time.tzinfo.houroffset) self.assertEqual(-30, time.tzinfo.minoffset) -offset = time.tzinfo.utcoffset() +offset = time.tzinfo.utcoffset(time.tzinfo.dst()) self.assertEqual(((24 - 9) * 60 * 60) - (30 * 60), offset.seconds) diff --git a/tests/test_ipalib/test_parameters.py b/tests/test_ipalib/test_parameters.py index fd9880d..e90a262 100644 --- a/tests/test_ipalib/test_parameters.py +++ b/tests/test_ipalib/test_parameters.py @@ -33,6 +33,7 @@ from ipalib import parameters, request, errors, config from ipalib.constants import TYPE_ERROR, CALLABLE_ERROR, NULLS from ipalib.errors import ValidationError from ipalib import _ +from xmlrpclib import MAXINT class test_DefaultFrom(ClassChecker): """ @@ -921,7 +922,7 @@ class test_Str(ClassChecker): mthd = o._convert_scalar for value in (u'Hello', 42, 1.2, unicode_str): assert mthd(value) == unicode(value) -bad = [True, 'Hello', dict(one=1), utf8_bytes] +bad = [True, dict(one=1)] for value in bad: e = raises(errors.ConversionError, mthd, value) assert e.name == 'my_str' @@ -1164,7 +1165,7 @@ class test_Int(ClassChecker): assert o.type is int assert isinstance(o, parameters.Int) assert o.minvalue is None -assert o.maxvalue is None +assert o.maxvalue == int(MAXINT) # Test when min > max: e = raises(ValueError, self.cls, 'my_number', minvalue=22, maxvalue=15) @@ -1233,7 +1234,7 @@ class test_Int(ClassChecker): """ o = self.cls('my_number') # Assure invalid inputs raise error -for bad in ['hello', u'hello', True, None, '10', u'', u'.']: +for bad in ['hello', u'hello', True, None, u'', u'.']: e = raises(errors.ConversionError, o._convert_scalar, bad) assert e.name == 'my_number' assert e.index is None -- 1.7.3.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
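Review bot: in the four test_ipautil.py hunks, `time.tzinfo.utcoffset(time.tzinfo.dst())` passes a timedelta (the result of `dst()`) where `tzinfo.utcoffset(dt)` takes the datetime being converted; it only works because the parser's tzinfo ignores its argument. The idiomatic call is `time.utcoffset()`, which hands the datetime to its own tzinfo, and it keeps the tests valid if the tzinfo implementation ever starts honouring `dt`. The commit message's "API for utcoffset changed" would also be clearer as "the `dt` argument is now required".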
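Review bot: in the test_parameters.py hunks, dropping `'Hello'` and `utf8_bytes` from `bad` and `'10'` from the Int list only removes assertions; nothing now pins what the relaxed conversion produces. Add the positive cases alongside: that `mthd(utf8_bytes)` returns the expected unicode (which fixes the decoding the Str parameter assumes for byte input) and that `o._convert_scalar('10') == 10`, so a regression in the new behaviour fails a test instead of passing silently. The `o.maxvalue == int(MAXINT)` check is fine, but a comment that the `xmlrpclib` limit is the intended coupling would stop a later reader from "fixing" it.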
[Freeipa-devel] [PATCH] 689 make deepcopy of objectclasses
In the host plugin we modify the default set of objectclasses depending on what kind of host we're creating. This was actually updating the objectclass of the object itself so that the objectclass variable was storing duplicate objectclasses (because we sometimes append values). Make a deepcopy instead. I also re-ordered some values in the host plugin to match what the unit tests expect. It was easier to change in one place than many and have the same result :-) rob >From 459b204be01bd57ba2420a269b3a9702dfc22a3c Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Mon, 24 Jan 2011 10:43:59 -0500 Subject: [PATCH] Fix failed tests. API for utcoffset changed and strings are more robust. In Python 2.7 the API for time.utcoffset() changed. We do more automatic conversions of strings so need to loosen the tests a bit. --- ipapython/test/test_ipautil.py |8 tests/test_ipalib/test_parameters.py |7 --- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/ipapython/test/test_ipautil.py b/ipapython/test/test_ipautil.py index ef1afd3..ff9f282 100644 --- a/ipapython/test/test_ipautil.py +++ b/ipapython/test/test_ipautil.py @@ -275,7 +275,7 @@ class TestTimeParser(unittest.TestCase): time = ipautil.parse_generalized_time(timestr) self.assertEqual(0, time.tzinfo.houroffset) self.assertEqual(0, time.tzinfo.minoffset) -offset = time.tzinfo.utcoffset() +offset = time.tzinfo.utcoffset(time.tzinfo.dst()) self.assertEqual(0, offset.seconds) timestr = "20051213141205+0500" @@ -283,7 +283,7 @@ class TestTimeParser(unittest.TestCase): time = ipautil.parse_generalized_time(timestr) self.assertEqual(5, time.tzinfo.houroffset) self.assertEqual(0, time.tzinfo.minoffset) -offset = time.tzinfo.utcoffset() +offset = time.tzinfo.utcoffset(time.tzinfo.dst()) self.assertEqual(5 * 60 * 60, offset.seconds) timestr = "20051213141205-0500" 
@@ -293,7 +293,7 @@ class TestTimeParser(unittest.TestCase): self.assertEqual(0, time.tzinfo.minoffset) # NOTE - the offset is always positive - it's minutes #_east_ of UTC -offset = time.tzinfo.utcoffset() +offset = time.tzinfo.utcoffset(time.tzinfo.dst()) self.assertEqual((24 - 5) * 60 * 60, offset.seconds) timestr = "20051213141205-0930" @@ -301,7 +301,7 @@ class TestTimeParser(unittest.TestCase): time = ipautil.parse_generalized_time(timestr) self.assertEqual(-9, time.tzinfo.houroffset) self.assertEqual(-30, time.tzinfo.minoffset) -offset = time.tzinfo.utcoffset() +offset = time.tzinfo.utcoffset(time.tzinfo.dst()) self.assertEqual(((24 - 9) * 60 * 60) - (30 * 60), offset.seconds) diff --git a/tests/test_ipalib/test_parameters.py b/tests/test_ipalib/test_parameters.py index fd9880d..e90a262 100644 --- a/tests/test_ipalib/test_parameters.py +++ b/tests/test_ipalib/test_parameters.py @@ -33,6 +33,7 @@ from ipalib import parameters, request, errors, config from ipalib.constants import TYPE_ERROR, CALLABLE_ERROR, NULLS from ipalib.errors import ValidationError from ipalib import _ +from xmlrpclib import MAXINT class test_DefaultFrom(ClassChecker): """ @@ -921,7 +922,7 @@ class test_Str(ClassChecker): mthd = o._convert_scalar for value in (u'Hello', 42, 1.2, unicode_str): assert mthd(value) == unicode(value) -bad = [True, 'Hello', dict(one=1), utf8_bytes] +bad = [True, dict(one=1)] for value in bad: e = raises(errors.ConversionError, mthd, value) assert e.name == 'my_str' @@ -1164,7 +1165,7 @@ class test_Int(ClassChecker): assert o.type is int assert isinstance(o, parameters.Int) assert o.minvalue is None -assert o.maxvalue is None +assert o.maxvalue == int(MAXINT) # Test when min > max: e = raises(ValueError, self.cls, 'my_number', minvalue=22, maxvalue=15) 
@@ -1233,7 +1234,7 @@ class test_Int(ClassChecker): """ o = self.cls('my_number') # Assure invalid inputs raise error -for bad in ['hello', u'hello', True, None, '10', u'', u'.']: +for bad in ['hello', u'hello', True, None, u'', u'.']: e = raises(errors.ConversionError, o._convert_scalar, bad) assert e.name == 'my_number' assert e.index is None -- 1.7.3.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 689 make deepcopy of objectclasses
On 01/24/2011 04:50 PM, Rob Crittenden wrote:
> In the host plugin we modify the default set of objectclasses depending
> on what kind of host we're creating. This was actually updating the
> objectclass of the object itself so that the objectclass variable was
> storing duplicate objectclasses (because we sometimes append values).
>
> Make a deepcopy instead.
>
> I also re-ordered some values in the host plugin to match what the unit
> tests expect. It was easier to change in one place than many and have
> the same result :-)
>
> rob

I think you sent a wrong patch (688, should have been 689)
Re: [Freeipa-devel] [PATCH] 689 make deepcopy of objectclasses
Jakub Hrozek wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/24/2011 04:50 PM, Rob Crittenden wrote: In the host plugin we modify the default set of objectclasses depending on what kind of host we're creating. This was actually updating the objectclass of the object itself so that the objectclass variable was storing duplicate objectclasses (because we sometimes append values). Make a deepcopy instead. I also re-ordered some values in the host plugin to match what the unit tests expect. It was easier to change in one place than many and have the same result :-) rob I think you sent a wrong patch (688, should have been 689) Ok, here goes. rob >From 2512a94629e55e3693ec9b348fff09866f21585d Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Mon, 24 Jan 2011 10:46:44 -0500 Subject: [PATCH] Make a copy of objectclasses so a call can't update them globally. In the host plugin we may change the default objectclasses based on the options selected. This was affecting it globally and causing subsequent calls to fail. --- ipalib/plugins/baseldap.py |3 ++- ipalib/plugins/host.py |8 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index e7ccb77..27e543d 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -23,6 +23,7 @@ Base classes for LDAP plugins. import re import json import time +from copy import deepcopy from ipalib import api, crud, errors from ipalib import Method, Object @@ -504,7 +505,7 @@ class LDAPCreate(CallbackInterface, crud.Create): ldap = self.obj.backend entry_attrs = self.args_options_2_entry(*keys, **options) -entry_attrs['objectclass'] = self.obj.object_class +entry_attrs['objectclass'] = deepcopy(self.obj.object_class) if self.obj.object_class_config: config = ldap.get_ipa_config()[1] diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index 6947d90..3225a78 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py 
@@ -323,15 +323,15 @@ class host_add(LDAPCreate): entry_attrs['krbprincipalname'] = 'host/%s@%s' % ( keys[-1], self.api.env.realm ) +if 'krbprincipalaux' not in entry_attrs: +entry_attrs['objectclass'].append('krbprincipalaux') if 'krbprincipal' not in entry_attrs: entry_attrs['objectclass'].append('krbprincipal') -if 'krbprincipal' not in entry_attrs: -entry_attrs['objectclass'].append('krbprincipalaux') else: -if 'krbprincipal' in entry_attrs['objectclass']: -entry_attrs['objectclass'].remove('krbprincipal') if 'krbprincipalaux' in entry_attrs['objectclass']: entry_attrs['objectclass'].remove('krbprincipalaux') +if 'krbprincipal' in entry_attrs['objectclass']: +entry_attrs['objectclass'].remove('krbprincipal') if 'random' in options: if options.get('random'): entry_attrs['userpassword'] = ipa_generate_password() -- 1.7.3.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
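Review bot: in the host.py hunk the two `not in` tests in the principal branch check `entry_attrs` (the attribute dict) rather than `entry_attrs['objectclass']`, so they are always true and `krbprincipalaux` and `krbprincipal` are appended unconditionally; the `else:` branch right below uses `entry_attrs['objectclass']` correctly. The patch reorders these lines but keeps the wrong container, which defeats the duplicate-objectclass guard that the copy in baseldap.py is meant to restore. Change both to `if 'krbprincipalaux' not in entry_attrs['objectclass']:` (and likewise for `krbprincipal`).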
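Review bot: in the baseldap.py hunk `deepcopy(self.obj.object_class)` is more than a flat list of strings needs; `list(self.obj.object_class)` gives a fresh list without the new `copy` import. Whichever is used, a one-line comment saying why a copy is taken (plugins such as host append to this list) belongs next to it, because the `object_class_config` branch just below already replaces the value and a later reader will otherwise think the copy redundant and remove it.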
Re: [Freeipa-devel] [PATCH] 688 fix some unit tests
On 01/24/2011 04:46 PM, Rob Crittenden wrote:
> It looks like python 2.7 changed the API of time.utcoffset(), this
> should fix the tests.
>
> We have recently relaxed what input a Str will take, the tests need to
> be updated to accommodate.
>
> rob

Ack
Re: [Freeipa-devel] [PATCH] 689 make deepcopy of objectclasses
On 01/24/2011 04:58 PM, Rob Crittenden wrote:
> Jakub Hrozek wrote:
>> On 01/24/2011 04:50 PM, Rob Crittenden wrote:
>>> In the host plugin we modify the default set of objectclasses depending
>>> on what kind of host we're creating. This was actually updating the
>>> objectclass of the object itself so that the objectclass variable was
>>> storing duplicate objectclasses (because we sometimes append values).
>>>
>>> Make a deepcopy instead.
>>>
>>> I also re-ordered some values in the host plugin to match what the unit
>>> tests expect. It was easier to change in one place than many and have
>>> the same result :-)
>>>
>>> rob
>>
>> I think you sent a wrong patch (688, should have been 689)
>
> Ok, here goes.
>
> rob

Ack
[Freeipa-devel] Results of some testing
Hello,

Here are some issues that I came across during my testing of the latest IPA version on Friday. Please take a look and file tickets as appropriate.

1) Can't bail out from the install
Start IPA install without any command line parameters. At any prompt try to stop installation by pressing Ctrl+C. You are still at the prompt and there is no way to abort installation. This can be an ER.

2) For the unattended install with -U the -u is listed as required option
  -u, --user=DS_USER    The user that the Directory Server will run as
Why is it required if the interactive install never asks for it? IMO a bug.

3) When adding a service in the UI via popup it does not automatically append the realm to the host when it creates a service principal. IMO a bug.

4) The service status is all messed up and unclear. After just being added it should be in "not provisioned" state but this is not what you see. You see it as if it is already provisioned. When the service screen is shown it blinks showing a lot of different buttons and statuses before it settles down on the following UI. Please retry. Maybe it is already addressed with the latest fixes.

5) The items in the action panel are now black
The links in the action panel that you are supposed to click are now black, which is not intuitive since they are clickable links.

6) [dpal@lenovo ~]$ ipa host-add foobar.home --ip-address=1.1.1.1 --no-reverse
ipa: ERROR: The host was added but the DNS update failed with: 1.1.1.in-addr.arpa: DNS zone not found
Should not fail since --no-reverse is specified. I checked. If the zone is there it is added automatically.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
[Freeipa-devel] Problem trying to install --external_cert_file. says system is already configured.
I'm trying to do an ipa-server-install with an --external-ca but after it generates the .csr and I sign a .crt I can't run the followup ipa-server-install to import the certificate. I don't think I'm supposed to run an --uninstall between the --external-ca and the --external_cert_file installations but I'm not sure.

Here is what I'm getting:

[root@ipa0 ~]# ipa-server-install --setup-dns --forwarder="10.0.0.53 10.0.1.53" -U -p -a -u dirsrv -r MYREALM.COM --external-ca

The log file for this installation can be found in /var/log/ipaserver-install.log
==
This program will set up the FreeIPA Server.

This includes:
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: Hostname (ipa0.averesys.com) not found in DNS
The domain name has been calculated based on the host name.

The IPA Master Server will be configured with
Hostname:    ipa0.myrealm.com
IP address:  10.0.0.11
Domain name: myrealm.com

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 6 minutes
  [1/4]: creating certificate server user
  [2/4]: creating pki-ca instance
  [3/4]: restarting certificate server
  [4/4]: configuring certificate server instance
The next step is to get /root/ipa.csr signed by your CA and re-run ipa-server-install as:
ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate

... Signed the Certificate ...

[root@ipa0 ~]# ipa-server-install --external_cert_file=/root/ipa.crt --external_ca_file=/root/ca.crt

The log file for this installation can be found in /var/log/ipaserver-install.log
IPA server is already configured on this system.

[root@ipa0 ~]# cat /var/log/ipaserver-install.log
2011-01-24 11:36:14,214 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2011-01-24 11:36:14,309 DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2011-01-24 11:36:14,336 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
[Freeipa-devel] [PATCH] 0070 Create DNS entries early on
See ticket #833 for a detailed explanation. Simo. -- Simo Sorce * Red Hat, Inc * New York >From f74f30aa01a7b3cc669ebf0275ad7e3768ede787 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 24 Jan 2011 11:42:53 -0500 Subject: [PATCH] Create DNS records as early as possible Fixes: https://fedorahosted.org/freeipa/ticket/833 --- install/tools/ipa-replica-install | 19 +++ 1 files changed, 15 insertions(+), 4 deletions(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index b53ceeea4f7849a67facd46e7fbf3c2203ad7af5..9fca31ff762d3eed56d37e8ca8830667867b8f2b 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -270,12 +270,18 @@ def install_bind(config, options): def install_dns_records(config, options): -if not bindinstance.dns_container_exists(config.host_name, +if not bindinstance.dns_container_exists(config.master_host_name, util.realm_to_suffix(config.realm_name)): return +# We have to force to connect to the remote master because we do this step +# before our DS server is installed. +cur_uri = api.Backend.ldap2.ldap_uri +object.__setattr__(api.Backend.ldap2, 'ldap_uri', + 'ldaps://%s' % config.master_host_name) api.Backend.ldap2.connect(bind_dn="cn=Directory Manager", - bind_pw=config.dirman_password) + bind_pw=config.dirman_password, + tls_cacertfile=CACERT) bind = bindinstance.BindInstance(dm_password=config.dirman_password) ip_address = resolve_host(config.host_name) if not ip_address: @@ -285,6 +291,10 @@ def install_dns_records(config, options): config.realm_name, config.domain_name, options.conf_ntp) +#set it back to the default +api.Backend.ldap2.disconnect() +object.__setattr__(api.Backend.ldap2, 'ldap_uri', cur_uri) + def check_dirsrv(): serverids = dsinstance.check_existing_installation() if serverids: 
@@ -421,6 +431,9 @@ def main(): # Configure the CA if necessary CA = install_ca(config) +# Always try to install DNS records +install_dns_records(config, options) + # Configure dirsrv ds = install_replica_ds(config) @@ -452,8 +465,6 @@ def main(): if options.setup_dns: install_bind(config, options) -else: -install_dns_records(config, options) # Call client install script try: -- 1.7.3.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
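Review bot: the `object.__setattr__(api.Backend.ldap2, 'ldap_uri', 'ldaps://%s' % config.master_host_name)` call in the first hunk of install_dns_records bypasses whatever makes the backend's ldap_uri attribute read-only, and nothing in the hunk says why a plain assignment is not possible; add a comment explaining that, and since the comment above it says this now runs before the local DS is installed, check that CACERT already exists on disk before passing it as tls_cacertfile to connect(), otherwise the TLS verification against the IPA CA that the change correctly adds will fail with a confusing error.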
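Review bot: the restore in the second hunk (`api.Backend.ldap2.disconnect()` and the `object.__setattr__(api.Backend.ldap2, 'ldap_uri', cur_uri)` that follows it) only runs if everything between the override and the end of install_dns_records succeeds; if connect() or the record creation raises, the backend stays pointed at the master's ldaps URI for the rest of the run. Put the override and the work in a try block and move the disconnect and the `object.__setattr__` restore into its finally clause.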
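Review bot: in the third hunk, `install_dns_records(config, options)` is now called unconditionally right after install_ca and before install_replica_ds, so a failure to reach the master over ldaps aborts the replica install before any local directory server exists. If that ordering is deliberate (ticket #833), the comment `# Always try to install DNS records` should say that the function returns early when the master has no DNS container, so a reader does not take "always" to mean records are always written.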
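Review bot: with the `else: install_dns_records(config, options)` branch removed in the fourth hunk, a replica installed with options.setup_dns now runs both install_dns_records (earlier in main) and install_bind; confirm that install_bind does not add the same host records a second time, or that adding them again is idempotent, since that case was previously mutually exclusive.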
Re: [Freeipa-devel] Results of some testing
Dmitri Pal wrote:
> Hello,
>
> Here are some issues that I came across during my testing of the latest IPA version on Friday.
> Please take a look and file tickets as appropriate.
>
> 1) Can't bail out from the install
> Start IPA install without any command line parameters. At any prompt try to stop installation by pressing Ctrl+C.
> You are still at the prompt and there is no way to abort installation.
> This can be an ER.

Was this in a password prompt? I'm thinking that python 2.7 changed their handling.

> 2) For the unattended install with -U the -u is listed as required option
> -u, --user=DS_USER The user that the Directory Server will run as
> Why is it required if the interactive install never asks for it? IMO a bug.

It seemed an unnecessary question to prompt for in the UI so we removed it. It should be optional in non-interactive.

> 3) When adding service in UI via popup it does not automatically append realm to the host when it creates a service principal.
> IMO a bug.

The framework will add the realm automatically if it is not provided. Or are you actually seeing a service created with no realm?

> 4) The service status is all messed up and unclear. After just being added it should be in "not provisioned" state but this is not what you see. You see as if it is already provisioned.
> When the service screen is shown it blinks showing a lot of different buttons and statuses before it settles down on the following UI
>
> Please retry. Maybe it is already addressed with latest fixes.
>
> 5) The items in the action panel are now black
>
> The links in the action panel that you are supposed to click are now black which is not intuitive since they are clickable links.
>
> 6) [dpal@lenovo ~]$ ipa host-add foobar.home --ip-address=1.1.1.1 --no-reverse
> ipa: ERROR: The host was added but the DNS update failed with: 1.1.1.in-addr.arpa: DNS zone not found
>
> Should not fail since --no-reverse is specified. I checked. If the zone is there it is added automatically.
Re: [Freeipa-devel] [PATCH] Modified description of nsaccountlock attribute
Jan Zelený wrote:
> The original one was misleading, giving the value exactly opposite meaning than it actually was.
>
> https://fedorahosted.org/freeipa/ticket/741
>
> Jan

Just a reminder that this patch still needs a review.

Jan
Re: [Freeipa-devel] [PATCH] Modified description of nsaccountlock attribute
Jan Zeleny wrote:
> Jan Zelený wrote:
>> The original one was misleading, giving the value exactly opposite meaning than it actually was.
>>
>> https://fedorahosted.org/freeipa/ticket/741
>>
>> Jan
>
> Just a reminder that this patch still needs a review.
>
> Jan

Never mind, I missed the review from Simo. Sorry for the noise.

Jan
Re: [Freeipa-devel] [PATCH] Changed dns permission types
Jan Zelený wrote:
> Rob Crittenden wrote:
>> Jan Zelený wrote:
>>> Recent change of DNS module to version caused that dns object type was replaced by dnszone and dnsrecord. This patch corrects dns types in permissions class.
>>>
>>> https://fedorahosted.org/freeipa/ticket/646
>>
>> Nack. These values need to be added as valid types to the aci plugin and the _type_map needs to be updated.
>>
>> rob
>
> I'm sending an updated patch.
>
> Jan

Just a reminder that this patch needs to be reviewed.

Thanks
Jan
Re: [Freeipa-devel] [PATCH] Check field's validity before executing add
On 01/22/2011 07:49 PM, Endi Sukma Dewata wrote:
> This should fix this bug: https://fedorahosted.org/freeipa/ticket/660

NACK: Too many false positives: Try adding a user group. Group name works as designed, others do not allow anything through. I think you are not accounting for null validation.
Re: [Freeipa-devel] [PATCH] Added scrollable panel for delete dialog box.
On 01/22/2011 07:46 PM, Endi Sukma Dewata wrote:
> This is required by the latest spec. May need further revision.

ACK. As follow on, we need to fix the max size of the delete dialog
Re: [Freeipa-devel] [PATCH] Added spaces around radio buttons.
On 01/22/2011 07:45 PM, Endi Sukma Dewata wrote:
> This is required by the latest spec.

ACK
Re: [Freeipa-devel] [PATCH] Removed 'name' from 'Sudo Command Group name'
On 01/22/2011 07:46 PM, Endi Sukma Dewata wrote:
> This is required by the latest spec.

ACK
Re: [Freeipa-devel] [PATCH] Added scrollable panel for delete dialog box.
On 01/24/2011 01:29 PM, Adam Young wrote:
> On 01/22/2011 07:46 PM, Endi Sukma Dewata wrote:
>> This is required by the latest spec. May need further revision.
>
> ACK. As follow on, we need to fix the max size of the delete dialog

Pushed to master
Re: [Freeipa-devel] [PATCH] Added spaces around radio buttons.
On 01/24/2011 01:29 PM, Adam Young wrote:
> On 01/22/2011 07:45 PM, Endi Sukma Dewata wrote:
>> This is required by the latest spec.
>
> ACK

Pushed to master
Re: [Freeipa-devel] [PATCH] Removed 'name' from 'Sudo Command Group name'
On 01/24/2011 01:31 PM, Adam Young wrote:
> On 01/22/2011 07:46 PM, Endi Sukma Dewata wrote:
>> This is required by the latest spec.
>
> ACK

Pushed to master
Re: [Freeipa-devel] Problem trying to install --external_cert_file. says system is already configured.
Jeff B wrote:
> I'm trying to do an ipa-server-install with an --external-ca but after it generates the .csr and I sign a .crt I can't run the followup ipa-server-install to import the certificate.
>
> I don't think I'm supposed to run an --uninstall between the --external-ca and the --external_cert_file installations but I'm not sure.
>
> Here is what I'm getting:
>
> [root@ipa0 ~]# ipa-server-install --setup-dns --forwarder="10.0.0.53 10.0.1.53" -U -p -a -u dirsrv -r MYREALM.COM --external-ca
>
> The log file for this installation can be found in /var/log/ipaserver-install.log
> ==
> This program will set up the FreeIPA Server.
>
> This includes:
> * Configure the Network Time Daemon (ntpd)
> * Create and configure an instance of Directory Server
> * Create and configure a Kerberos Key Distribution Center (KDC)
> * Configure Apache (httpd)
> * Configure DNS (bind)
>
> To accept the default shown in brackets, press the Enter key.
>
> Warning: Hostname (ipa0.averesys.com) not found in DNS
> The domain name has been calculated based on the host name.
>
> The IPA Master Server will be configured with
> Hostname: ipa0.myrealm.com
> IP address: 10.0.0.11
> Domain name: myrealm.com
>
> Configuring ntpd
> [1/4]: stopping ntpd
> [2/4]: writing configuration
> [3/4]: configuring ntpd to start on boot
> [4/4]: starting ntpd
> done configuring ntpd.
> Configuring directory server for the CA: Estimated time 30 seconds
> [1/3]: creating directory server user
> [2/3]: creating directory server instance
> [3/3]: restarting directory server
> done configuring pkids.
> Configuring certificate server: Estimated time 6 minutes
> [1/4]: creating certificate server user
> [2/4]: creating pki-ca instance
> [3/4]: restarting certificate server
> [4/4]: configuring certificate server instance
> The next step is to get /root/ipa.csr signed by your CA and re-run ipa-server-install as:
> ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate
>
> ... Signed the Certificate ...
>
> [root@ipa0 ~]# ipa-server-install --external_cert_file=/root/ipa.crt --external_ca_file=/root/ca.crt
>
> The log file for this installation can be found in /var/log/ipaserver-install.log
> IPA server is already configured on this system.
>
> [root@ipa0 ~]# cat /var/log/ipaserver-install.log
> 2011-01-24 11:36:14,214 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
> 2011-01-24 11:36:14,309 DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
> 2011-01-24 11:36:14,336 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'

Looks like a bug. You should be able to work around it by commenting out these lines in /usr/sbin/ipa-server-install:

if dsinstance.DsInstance().is_configured() or cainstance.CADSInstance().is_configured():
    sys.exit("IPA server is already configured on this system.")

The python comment is a hash (#).

I opened ticket https://fedorahosted.org/freeipa/ticket/835 to track this.

rob
Re: [Freeipa-devel] Results of some testing
Rob Crittenden wrote:
> Dmitri Pal wrote:
>> Hello,
>>
>> Here are some issues that I came across during my testing of the latest IPA version on Friday.
>> Please take a look and file tickets as appropriate.
>>
>> 1) Can't bail out from the install
>> Start IPA install without any command line parameters. At any prompt try to stop installation by pressing Ctrl+C.
>> You are still at the prompt and there is no way to abort installation.
>> This can be an ER.
>
> Was this in a password prompt? I'm thinking that python 2.7 changed their handling.

Yes. But I think not only. The first prompt is the prompt for domain and you can't break from it either.

>> 2) For the unattended install with -U the -u is listed as required option
>> -u, --user=DS_USER The user that the Directory Server will run as
>> Why is it required if the interactive install never asks for it? IMO a bug.
>
> It seemed an unnecessary question to prompt for in the UI so we removed it. It should be optional in non-interactive.

Please file a ticket.

>> 3) When adding service in UI via popup it does not automatically append realm to the host when it creates a service principal.
>> IMO a bug.
>
> The framework will add the realm automatically if it is not provided. Or are you actually seeing a service created with no realm?

Created with no realm.

>> 4) The service status is all messed up and unclear. After just being added it should be in "not provisioned" state but this is not what you see. You see as if it is already provisioned.
>> When the service screen is shown it blinks showing a lot of different buttons and statuses before it settles down on the following UI
>>
>> Please retry. Maybe it is already addressed with latest fixes.
>>
>> 5) The items in the action panel are now black
>>
>> The links in the action panel that you are supposed to click are now black which is not intuitive since they are clickable links.
>>
>> 6) [dpal@lenovo ~]$ ipa host-add foobar.home --ip-address=1.1.1.1 --no-reverse
>> ipa: ERROR: The host was added but the DNS update failed with: 1.1.1.in-addr.arpa: DNS zone not found
>>
>> Should not fail since --no-reverse is specified. I checked. If the zone is there it is added automatically.

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project, Red Hat Inc.
---
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: [Freeipa-devel] Results of some testing
Dmitri Pal wrote:
> Rob Crittenden wrote:
>> Dmitri Pal wrote:
>>> Hello,
>>>
>>> Here are some issues that I came across during my testing of the latest IPA version on Friday.
>>> Please take a look and file tickets as appropriate.
>>>
>>> 1) Can't bail out from the install
>>> Start IPA install without any command line parameters. At any prompt try to stop installation by pressing Ctrl+C.
>>> You are still at the prompt and there is no way to abort installation.
>>> This can be an ER.
>>
>> Was this in a password prompt? I'm thinking that python 2.7 changed their handling.
>
> Yes. But I think not only. The first prompt is the prompt for domain and you can't break from it either.

It works for me. What distro are you using?

>>> 2) For the unattended install with -U the -u is listed as required option
>>> -u, --user=DS_USER The user that the Directory Server will run as
>>> Why is it required if the interactive install never asks for it? IMO a bug.
>>
>> It seemed an unnecessary question to prompt for in the UI so we removed it. It should be optional in non-interactive.
>
> Please file a ticket.

done

>>> 3) When adding service in UI via popup it does not automatically append realm to the host when it creates a service principal.
>>> IMO a bug.
>>
>> The framework will add the realm automatically if it is not provided. Or are you actually seeing a service created with no realm?
>
> Created with no realm.

Can you do an ldapsearch to confirm this? I never include the realm when I add services, it gets automatically added.

>>> 4) The service status is all messed up and unclear. After just being added it should be in "not provisioned" state but this is not what you see. You see as if it is already provisioned.
>>> When the service screen is shown it blinks showing a lot of different buttons and statuses before it settles down on the following UI
>>>
>>> Please retry. Maybe it is already addressed with latest fixes.
>>>
>>> 5) The items in the action panel are now black
>>>
>>> The links in the action panel that you are supposed to click are now black which is not intuitive since they are clickable links.
>>>
>>> 6) [dpal@lenovo ~]$ ipa host-add foobar.home --ip-address=1.1.1.1 --no-reverse
>>> ipa: ERROR: The host was added but the DNS update failed with: 1.1.1.in-addr.arpa: DNS zone not found
>>>
>>> Should not fail since --no-reverse is specified. I checked. If the zone is there it is added automatically.
Re: [Freeipa-devel] [PATCH] 683 block anonymous access to hbac info
JR Aquino wrote:
> On 1/20/11 10:05 AM, "Rob Crittenden" wrote:
>> Simo Sorce wrote:
>>> On Wed, 19 Jan 2011 17:51:56 -0500 Rob Crittenden wrote:
>>>> +aci: (targetattr = "member || memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";;)
>>>
>>> Nack, without 'member', nss_ldap will have no way to determine posixAccount group memberships using anonymous access (the default).
>>>
>>> Simo.
>>
>> Ok, dropped member and added an aci for cn=roles.
>>
>> rob
>
> ACK

pushed to master
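The exchange above turns on one detail of 389-ds ACI semantics: `ldap:///all` matches every authenticated identity, so a deny rule with `userdn != "ldap:///all"` hits exactly the anonymous bind, and if `member` is in its targetattr list, nss_ldap (which reads group membership anonymously by default) can no longer resolve posixGroup members. The following is an added example, not FreeIPA code: a small, deliberately simplified model of that evaluation, run over the ACI as first proposed and the revised one with `member` dropped. The ACI strings are reconstructed from the thread (the `;;` in the mail rendering is normalised to a single `;`), and the sample group entry and DNs are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed inputs: the deny ACI as first proposed in the thread (hides
# "member" too) and the revised one that leaves "member" readable.  Both are
# reconstructed from the mail above, not copied from the FreeIPA tree.
ORIGINAL_ACI = ('(targetattr = "member || memberOf || memberHost || memberUser")'
                '(version 3.0; acl "No anonymous access to member information"; '
                'deny (read,search,compare) userdn != "ldap:///all";)')
REVISED_ACI = ('(targetattr = "memberOf || memberHost || memberUser")'
               '(version 3.0; acl "No anonymous access to member information"; '
               'deny (read,search,compare) userdn != "ldap:///all";)')

ANONYMOUS: Optional[str] = None  # an unauthenticated bind carries no DN

# Constructed sample entry: a posixGroup that is itself nested in another group.
GROUP_ENTRY: Dict[str, List[str]] = {
    "cn": ["admins"],
    "objectClass": ["top", "groupOfNames", "posixGroup"],
    "gidNumber": ["1000"],
    "member": ["uid=admin,cn=users,cn=accounts,dc=example,dc=com"],
    "memberOf": ["cn=trust admins,cn=groups,cn=accounts,dc=example,dc=com"],
}


def parse_targetattr(aci: str) -> Set[str]:
    """Attribute names in the ACI's targetattr clause, lower-cased because
    LDAP attribute names are case-insensitive."""
    m = re.search(r'targetattr\s*=\s*"([^"]*)"', aci)
    if m is None:
        return set()
    return {a.strip().lower() for a in m.group(1).split("||") if a.strip()}


def aci_applies_to(aci: str, bind_dn: Optional[str]) -> bool:
    """Evaluate the bind rule.  "ldap:///all" is every authenticated identity,
    so 'userdn != "ldap:///all"' selects exactly the anonymous bind.  Only
    these two bind-rule forms are modelled here."""
    m = re.search(r'userdn\s*(!=|=)\s*"ldap:///all"', aci)
    if m is None:
        raise ValueError("bind rule not supported by this model")
    authenticated = bind_dn is not None
    return authenticated if m.group(1) == "=" else not authenticated


def visible_attributes(entry: Dict[str, List[str]], aci: str,
                       bind_dn: Optional[str]) -> Dict[str, List[str]]:
    """Project an entry as a client bound as bind_dn reads it under one deny
    ACI.  An allow ACI granting read to everyone is assumed to exist, as it
    does for most of the IPA tree; this model only subtracts the denied set."""
    if not re.search(r'\bdeny\s*\(', aci) or not aci_applies_to(aci, bind_dn):
        return dict(entry)
    hidden = parse_targetattr(aci)
    return {k: v for k, v in entry.items() if k.lower() not in hidden}


def nss_can_resolve_group(view: Dict[str, List[str]]) -> bool:
    """nss_ldap (rfc2307bis schema) derives posixGroup membership from the
    'member' attribute over its default anonymous bind; if that attribute is
    hidden, every group looks empty to the client."""
    return "member" in view


if __name__ == "__main__":
    for name, aci in (("original", ORIGINAL_ACI), ("revised", REVISED_ACI)):
        anon = visible_attributes(GROUP_ENTRY, aci, ANONYMOUS)
        print(name, "anonymous sees", sorted(anon),
              "nss_ldap ok:", nss_can_resolve_group(anon))
```

Running it shows the trade-off Simo pointed out: under the original ACI an anonymous reader gets the group without `member` and nss_ldap cannot resolve it, while the revised ACI keeps `member` visible and still hides `memberOf` (and `memberHost`/`memberUser` on HBAC entries) from unauthenticated clients; an authenticated bind sees the full entry under both.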
Re: [Freeipa-devel] [PATCH] 688 fix some unit tests
Jakub Hrozek wrote:
> On 01/24/2011 04:46 PM, Rob Crittenden wrote:
>> It looks like python 2.7 changed the API of time.utcoffset(), this should fix the tests.
>>
>> We have recently relaxed what input a Str will take, the tests need to be updated to accommodate.
>>
>> rob
>
> Ack

pushed to master
Re: [Freeipa-devel] [PATCH] 689 make deepcopy of objectclasses
Jakub Hrozek wrote:
> On 01/24/2011 04:58 PM, Rob Crittenden wrote:
>> Jakub Hrozek wrote:
>>> On 01/24/2011 04:50 PM, Rob Crittenden wrote:
>>>> In the host plugin we modify the default set of objectclasses depending on what kind of host we're creating. This was actually updating the objectclass of the object itself so that the objectclass variable was storing duplicate objectclasses (because we sometimes append values). Make a deepcopy instead.
>>>>
>>>> I also re-ordered some values in the host plugin to match what the unit tests expect. It was easier to change in one place than many and have the same result :-)
>>>>
>>>> rob
>>>
>>> I think you sent a wrong patch (688, should have been 689)
>>
>> Ok, here goes.
>>
>> rob
>
> Ack

pushed to master
Re: [Freeipa-devel] Results of some testing
Rob Crittenden wrote:
> Dmitri Pal wrote:
>> Rob Crittenden wrote:
>>> Dmitri Pal wrote:
>>>> Hello,
>>>>
>>>> Here are some issues that I came across during my testing of the latest IPA version on Friday.
>>>> Please take a look and file tickets as appropriate.
>>>>
>>>> 1) Can't bail out from the install
>>>> Start IPA install without any command line parameters. At any prompt try to stop installation by pressing Ctrl+C.
>>>> You are still at the prompt and there is no way to abort installation.
>>>> This can be an ER.
>>>
>>> Was this in a password prompt? I'm thinking that python 2.7 changed their handling.
>>
>> Yes. But I think not only. The first prompt is the prompt for domain and you can't break from it either.
>
> It works for me. What distro are you using?

F14. I will retest.

>>>> 2) For the unattended install with -U the -u is listed as required option
>>>> -u, --user=DS_USER The user that the Directory Server will run as
>>>> Why is it required if the interactive install never asks for it? IMO a bug.
>>>
>>> It seemed an unnecessary question to prompt for in the UI so we removed it. It should be optional in non-interactive.
>>
>> Please file a ticket.
>
> done

>>>> 3) When adding service in UI via popup it does not automatically append realm to the host when it creates a service principal.
>>>> IMO a bug.
>>>
>>> The framework will add the realm automatically if it is not provided. Or are you actually seeing a service created with no realm?
>>
>> Created with no realm.
>
> Can you do an ldapsearch to confirm this? I never include the realm when I add services, it gets automatically added.

I will retry. What about the rest below?

>>>> 4) The service status is all messed up and unclear. After just being added it should be in "not provisioned" state but this is not what you see. You see as if it is already provisioned.
>>>> When the service screen is shown it blinks showing a lot of different buttons and statuses before it settles down on the following UI
>>>>
>>>> Please retry. Maybe it is already addressed with latest fixes.
>>>>
>>>> 5) The items in the action panel are now black
>>>>
>>>> The links in the action panel that you are supposed to click are now black which is not intuitive since they are clickable links.
>>>>
>>>> 6) [dpal@lenovo ~]$ ipa host-add foobar.home --ip-address=1.1.1.1 --no-reverse
>>>> ipa: ERROR: The host was added but the DNS update failed with: 1.1.1.in-addr.arpa: DNS zone not found
>>>>
>>>> Should not fail since --no-reverse is specified. I checked. If the zone is there it is added automatically.

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project, Red Hat Inc.
---
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: [Freeipa-devel] Problem trying to install --external_cert_file. says system is already configured.
I don't want to start filing tickets since I'm not that familiar with the project but here is another similar one where the checks aren't necessarily doing what they are intended to be doing.

Steps:
1. ran install with --external-ca
2. tried running with --external_cert_file but hit error in #835
3. Did the workaround of commenting out the configuration check and exit message like suggested by Rob
4. tried importing the cert again but got an error saying connection refused on "Attempting to connect to: ipa0.myrealm.com:9445"
5. I didn't know what service wasn't running so I rebooted (yeah, bad jeff)
6. I tried running --external_cert_file again but it looked like it had forgotten all my configs and looked like it was starting over. It prompted me:
   An existing Directory Server has been detected. Do you wish to remove it and create a new one? [no]:
   I chose 'no' and the installer exited.
7. Did an --uninstall
8. tried to start fresh but it failed with this error:
   You already have a CA signing request for this server (/root/ipa.csr), you need to include --external_cert_file and --external_ca_file
   Which is not right because since I uninstalled I can't just add the certs.

Either the uninstall needs to clean up the .csr or the installer needs to not assume so much just from the existence of a .csr

On Mon, Jan 24, 2011 at 1:55 PM, Rob Crittenden wrote:
> Jeff B wrote:
>>
>> I'm trying to do an ipa-server-install with an --external-ca but after it generates the .csr and I sign a .crt I can't run the followup ipa-server-install to import the certificate.
>>
>> I don't think I'm supposed to run an --uninstall between the --external-ca and the --external_cert_file installations but I'm not sure.
>>
>> Here is what I'm getting:
>>
>> [root@ipa0 ~]# ipa-server-install --setup-dns --forwarder="10.0.0.53 10.0.1.53" -U -p -a -u dirsrv -r MYREALM.COM --external-ca
>>
>> The log file for this installation can be found in /var/log/ipaserver-install.log
>>
>> ==
>> This program will set up the FreeIPA Server.
>>
>> This includes:
>> * Configure the Network Time Daemon (ntpd)
>> * Create and configure an instance of Directory Server
>> * Create and configure a Kerberos Key Distribution Center (KDC)
>> * Configure Apache (httpd)
>> * Configure DNS (bind)
>>
>> To accept the default shown in brackets, press the Enter key.
>>
>> Warning: Hostname (ipa0.averesys.com) not found in DNS
>> The domain name has been calculated based on the host name.
>>
>> The IPA Master Server will be configured with
>> Hostname: ipa0.myrealm.com
>> IP address: 10.0.0.11
>> Domain name: myrealm.com
>>
>> Configuring ntpd
>> [1/4]: stopping ntpd
>> [2/4]: writing configuration
>> [3/4]: configuring ntpd to start on boot
>> [4/4]: starting ntpd
>> done configuring ntpd.
>> Configuring directory server for the CA: Estimated time 30 seconds
>> [1/3]: creating directory server user
>> [2/3]: creating directory server instance
>> [3/3]: restarting directory server
>> done configuring pkids.
>> Configuring certificate server: Estimated time 6 minutes
>> [1/4]: creating certificate server user
>> [2/4]: creating pki-ca instance
>> [3/4]: restarting certificate server
>> [4/4]: configuring certificate server instance
>> The next step is to get /root/ipa.csr signed by your CA and re-run ipa-server-install as:
>> ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate
>>
>> ... Signed the Certificate ...
>>
>> [root@ipa0 ~]# ipa-server-install --external_cert_file=/root/ipa.crt --external_ca_file=/root/ca.crt
>>
>> The log file for this installation can be found in /var/log/ipaserver-install.log
>> IPA server is already configured on this system.
>>
>> [root@ipa0 ~]# cat /var/log/ipaserver-install.log
>> 2011-01-24 11:36:14,214 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
>> 2011-01-24 11:36:14,309 DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
>> 2011-01-24 11:36:14,336 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
>
> Looks like a bug. You should be able to work around it by commenting out these lines in /usr/sbin/ipa-server-install:
>
> if dsinstance.DsInstance().is_configured() or cainstance.CADSInstance().is_configured():
>     sys.exit("IPA server is already configured on this system.")
>
> The python comment is a hash (#).
>
> I opened ticket https://fedorahosted.org/freeipa/ticket/835 to track this.
>
> rob
[Freeipa-devel] [PATCH] 0071 Make -u optional in unattended mode
We have a default user name, which is also the recommended one, it made no sense to force users to specify it at the command line for unattended installations. Just use the default if none is provided. Ticket #836 Simo. -- Simo Sorce * Red Hat, Inc * New York >From fab7dcca35ea37a637ad1fcc741cb8986ec60da9 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 24 Jan 2011 14:58:11 -0500 Subject: [PATCH] Make the -u option optional in unattended mode Fixes: https://fedorahosted.org/freeipa/ticket/836 --- install/tools/ipa-server-install | 19 +++ 1 files changed, 11 insertions(+), 8 deletions(-) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 37ded58d852b143b5c9cc91ad75281befe0b21f6..f1cab63f6ef7a7a34404b78d5f6cdb107aa9b3cb 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -58,6 +58,7 @@ from ipapython.ipautil import * from ipalib import api, errors, util from ipapython.config import IPAOptionParser +DEF_DS_USER = 'dirsrv' pw_name = None uninstalling = False @@ -154,9 +155,11 @@ def parse_options(): options.admin_password or options.master_password): parser.error("In uninstall mode, -u, r and -P options are not allowed") elif options.unattended: -if (not options.ds_user or not options.realm_name or +if not options.ds_user: +options.ds_user = DEF_DS_USER +if (not options.realm_name or not options.dm_password or not options.admin_password): -parser.error("In unattended mode you need to provide at least -u, -r, -p and -a options") +parser.error("In unattended mode you need to provide at least -r, -p and -a options") if options.setup_dns: if not options.forwarders and not options.no_forwarders: parser.error("You must specify at least one --forwarder option or --no-forwarders option") 
@@ -313,19 +316,19 @@ def read_ds_user(): ds_user = "" try: -pwd.getpwnam('dirsrv') +pwd.getpwnam(DEF_DS_USER) -print "A user account named 'dirsrv' already exists. This is the user id" -print "that the Directory Server will run as." +print "A user account named %s already exists." % DEF_DS_USER +print "This is the user id that the Directory Server will run as." print "" -if user_input("Do you want to use the existing 'dirsrv' account?", True): -ds_user = "dirsrv" +if user_input("Do you want to use the existing %s account?" % DEF_DS_USER, True): +ds_user = DEF_DS_USER else: print "" ds_user = user_input_plain("Which account name do you want to use for the DS instance?", allow_empty = False, allow_spaces = False) print "" except KeyError: -ds_user = "dirsrv" +ds_user = DEF_DS_USER return ds_user -- 1.7.3.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
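Review bot: `DEF_DS_USER = 'dirsrv'` in the first hunk is defined next to the imports but nothing in the patch surfaces the default to users; the help text of the -u/--user option (not shown in the diff) should state that the default is dirsrv, otherwise the unattended-mode behaviour this patch introduces is only discoverable by reading the source.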
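Review bot: the unchanged context line just above the second hunk's change, `parser.error("In uninstall mode, -u, r and -P options are not allowed")`, has `r` where `-r` is meant; since this block is being edited, fix it in the same patch. The defaulting itself looks right: `options.ds_user` is only set to DEF_DS_USER in the `elif options.unattended:` branch, and the updated parser.error message correctly no longer lists -u.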
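Review bot: the rewritten prompts in the third hunk (read_ds_user) drop the quotes the old literals had around the account name, so `"A user account named %s already exists." % DEF_DS_USER` now prints `A user account named dirsrv already exists.` and the user_input question loses its quotes too; use `'%s'` in both format strings to keep the previous presentation, which makes the account name stand out from the sentence.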
Re: [Freeipa-devel] [PATCH] 0071 Make -u optional in unattended mode
On 01/24/2011 09:27 PM, Simo Sorce wrote:
> We have a default user name, which is also the recommended one, it made no sense to force users to specify it at the command line for unattended installations. Just use the default if none is provided.
>
> Ticket #836
>
> Simo.

Ack
Re: [Freeipa-devel] [PATCH] 0066 remove binddn when using GSSAPI for replication
On 01/20/2011 01:43 AM, Simo Sorce wrote:
> See ticket #817
>
> Simo.

Ack
Re: [Freeipa-devel] [PATCH] 0071 Make -u optional in unattended mode
On Mon, 24 Jan 2011 22:00:37 +0100 Jakub Hrozek wrote:
> On 01/24/2011 09:27 PM, Simo Sorce wrote:
>>
>> We have a default user name, which is also the recommended one, it made no sense to force users to specify it at the command line for unattended installations. Just use the default if none is provided.
>>
>> Ticket #836
>>
>> Simo.
>>
>
> Ack

Pushed to master.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 0066 remove binddn when using GSSAPI for replication
On Mon, 24 Jan 2011 22:28:57 +0100 Jakub Hrozek wrote:
> On 01/20/2011 01:43 AM, Simo Sorce wrote:
> >
> > See ticket #817
> >
> > Simo.
>
> Ack

Pushed to master

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
[Freeipa-devel] [PATCH] 690 add brackets around optional prompts
When prompting for arguments in the cli there is no way to tell what is optional and what is required. This sticks brackets around optional arguments. Ticket 832 rob >From 493040768759d1d215c26456198e0af5354333fe Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Mon, 24 Jan 2011 16:59:52 -0500 Subject: [PATCH] Add brackets around optional parameters when prompting. ticket 832 --- ipalib/cli.py | 12 1 files changed, 8 insertions(+), 4 deletions(-) diff --git a/ipalib/cli.py b/ipalib/cli.py index 2cd3a97..493ddba 100644 --- a/ipalib/cli.py +++ b/ipalib/cli.py @@ -505,15 +505,19 @@ class textui(backend.Backend): def print_error(self, text): print ' ** %s **' % unicode(text) -def prompt(self, label, default=None, get_values=None): +def prompt(self, label, default=None, get_values=None, optional=False): """ Prompt user for input. """ # TODO: Add tab completion using readline +if optional: +prompt = u'[%s]' % label +else: +prompt = u'%s' % label if default is None: -prompt = u'%s: ' % label +prompt = u'%s: ' % prompt else: -prompt = u'%s [%s]: ' % (label, default) +prompt = u'%s [%s]: ' % (prompt, default) try: data = raw_input(self.encode(prompt)) except EOFError: @@ -1001,7 +1005,7 @@ class cli(backend.Executioner): while True: if error is not None: print '>>> %s: %s' % (unicode(param.label), unicode(error)) -raw = self.Backend.textui.prompt(param.label, default) +raw = self.Backend.textui.prompt(param.label, default, optional=param.alwaysask or not param.required) try: value = param(raw, **kw) if value is not None: -- 1.7.3.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
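Review bot: the bracket notation in the `prompt()` hunk is overloaded: an optional parameter that also has a default now renders as `[label] [default]: `, and nothing tells the user that the first pair means "may be skipped" while the second means "value used if skipped". Use a distinct form for one of them (for example keep `[label]` for optional and show the default as `(default)`) and document the convention in the docstring, which still reads only "Prompt user for input." Minor: `prompt = u'%s' % label` is just `unicode(label)`.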
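Review bot: `optional=param.alwaysask or not param.required` marks every `alwaysask` parameter as optional, including one with `required` set, so a required parameter that is always prompted for would be shown in brackets as if it could be left empty. If brackets are meant to say "may be skipped", `optional=not param.required` is the condition that matches that meaning.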
Re: [Freeipa-devel] [PATCH] 0069 Add/Remove DNS records for replicas
On 01/23/2011 02:09 AM, Simo Sorce wrote:
> Do it always when the dns tree is available, even if the replica being installed doesn't provide dns service itself.
>
> Ticket #824
>
> Simo.

I tried applying this on top of both origin/master and 068 but did not succeed. Can you rebase, please?
[Freeipa-devel] [PATCH] 691 add --hostname option to ipa-client-install
Let the installer override the detected hostname value with the --hostname flag. This is likely to lead to a non-working installation so let the buyer beware. ticket 834 rob >From 08b985fc9deae2f8f46e5b5acda9e12fc8ace578 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Mon, 24 Jan 2011 17:32:49 -0500 Subject: [PATCH] Add an option for overriding the hostname value. Ticket 834 --- ipa-client/ipa-install/ipa-client-install |5 + ipa-client/man/ipa-client-install.1 |3 +++ 2 files changed, 8 insertions(+), 0 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index b233097..66e4a14 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -81,6 +81,8 @@ def parse_options(): help="create home directories for users on their first login", default=False) parser.add_option("", "--uninstall", dest="uninstall", action="store_true", default=False, help="uninstall an existing installation") +parser.add_option("", "--hostname", dest="hostname", + help="The hostname of this server (FQDN). By default of nodename from uname(2) is used.") options, args = parser.parse_args() safe_opts = parser.get_safe_opts(options) @@ -643,6 +645,9 @@ def main(): join_args = ["/usr/sbin/ipa-join", "-s", cli_server] if options.debug: join_args.append("-d") +if options.hostname: +join_args.append("-h") +join_args.append(options.hostname) if options.principal is not None: stdin = None principal = options.principal diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1 index 415ef9a..b708496 100644 --- a/ipa-client/man/ipa-client-install.1 +++ b/ipa-client/man/ipa-client-install.1 
@@ -40,6 +40,9 @@ Set the IPA server to connect to \fB\-\-realm\fR=\fIREALM_NAME\fR Set the IPA realm name to REALM_NAME .TP +\fB\-\-hostname\fR +The hostname of this server (FQDN). By default of nodename from uname(2) is used. +.TP \fB\-f\fR, \fB\-\-force\fR Force the settings even if errors occur .TP -- 1.7.3.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
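Review bot: the help string "The hostname of this server (FQDN). By default of nodename from uname(2) is used." in the `parse_options` hunk has a typo; it should read "By default the nodename from uname(2) is used." The new `add_option` also gives no `metavar`, unlike the flag-style `--uninstall` option above it, which takes none; `metavar="HOSTNAME"` makes the `--help` output show that an argument is expected.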
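Review bot: in the `main()` hunk the override is only forwarded to ipa-join as `-h`; nothing else in the visible hunks reads `options.hostname`, and the value is passed through unchecked, so a name that is not fully qualified, or one that does not match what the rest of the installer detected, is accepted silently. Validating that the value is an FQDN and warning when it differs from the detected hostname would give the "buyer beware" in the description some substance.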
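Review bot: the man page entry `\fB\-\-hostname\fR` omits the argument placeholder that the neighbouring `\fB\-\-realm\fR=\fIREALM_NAME\fR` entry carries; write `\fB\-\-hostname\fR=\fIHOSTNAME\fR`, and fix the same "By default of nodename" typo here as in the option help.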
[Freeipa-devel] No luck using ds-migrate to import Apple Open Directory
Apple Open Directory is as follows:

cn=users,dc=host,dc=domain,dc=tld
cn=groups,dc=host,dc=domain,dc=tld

User records have the following object classes:
- person
- top
- organizationalPerson
- extensibleObject
- apple-user
- shadowAccount
- posixAccount
- inetOrgPerson

Group records have the following object classes:
- top
- extensibleObject
- apple-group
- posixGroup

The data is mostly what you would expect for posixAccount and the other common object classes.

When I try to import data to IPA I get this error for every user and group like this:

---
migrate-ds:
---
Migrated:
Failed user:
 : unknown object class "apple-user"
 : unknown object class "apple-user"
 : unknown object class "apple-user"
... And the rest
Failed group:
 : unknown object class "apple-group"
 : unknown object class "apple-group"
 : unknown object class "apple-group"
... And the rest
--

Here are some of the migrate options I've tried:

ipa -d migrate-ds --bind-dn="uid=user,cn=users,dc=host,dc=domain,dc=tld" ldap://10.0.0.1:389 --user-objectclass="posixAccount" --group-objectclass="posixGroups" --user-container="cn=users" --group-container="cn=groups"

ipa -d migrate-ds --bind-dn="uid=user,cn=users,dc=host,dc=domain,dc=tld" ldap://10.0.0.1:389 --user-objectclass="apple-user" --group-objectclass="apple-group" --user-container="cn=users" --group-container="cn=groups"

I've tried combinations of the two. I've tried changing the --schema with no change in outcome. The only time the outcome is different is when I don't include the --group-objectclass or the --user-objectclass. It fails before it even tries to import the data in the directory. I get this error:

ipa: DEBUG: Caught fault 4001 from server https://ipa0.myrealm.com/ipa/xml: Container for group not found
ipa: INFO: Destroyed connection context.xmlclient
ipa: ERROR: Container for group not found

If I add only the --group-objectclass it tries to migrate and gives me the list of errors for every user and group having an unknown object class as described at the top.

Would one expect that I should be able to migrate this data, or would one expect it to fail because it differs from the two supported schemas? I was hoping since it was based off of posixAccount and posixGroup that it was close enough to work.
Re: [Freeipa-devel] [PATCH] 691 add --hostname option to ipa-client-install
Rob Crittenden wrote:
> Let the installer override the detected hostname value with the
> --hostname flag. This is likely to lead to a non-working installation
> so let the buyer beware.
>
> ticket 834

I do not think this is enough. There is a part of the ipa-client-install other than ipa-join that assumes that host name will match. I saw that in the log. I do not have it in front of me now. It is on home machine. If the -h option is provided this check/enforcement should be suppressed. Please try running ipa-client-install with the mismatching name you will see what I mean.

Thanks
Dmitri

> rob

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-devel] [PATCH] 691 add --hostname option to ipa-client-install
Dmitri Pal wrote:
> Rob Crittenden wrote:
> > Let the installer override the detected hostname value with the
> > --hostname flag. This is likely to lead to a non-working installation
> > so let the buyer beware.
> >
> > ticket 834
>
> I do not think this is enough. There is a part of the ipa-client-install other than ipa-join that assumes that host name will match. I saw that in the log. I do not have it in front of me now. It is on home machine. If the -h option is provided this check/enforcement should be suppressed. Please try running ipa-client-install with the mismatching name you will see what I mean.

I did a successful install with the --hostname option, using another hostname in DNS. I verified that this hostname was used as the name in the host service principal in /etc/krb5.keytab.

rob
Re: [Freeipa-devel] No luck using ds-migrate to import Apple Open Directory
Jeff B wrote:
> Apple Open Directory is as follows:
>
> cn=users,dc=host,dc=domain,dc=tld
> cn=groups,dc=host,dc=domain,dc=tld
>
> User records have the following object classes:
> - person
> - top
> - organizationalPerson
> - extensibleObject
> - apple-user
> - shadowAccount
> - posixAccount
> - inetOrgPerson
>
> Group records have the following object classes:
> - top
> - extensibleObject
> - apple-group
> - posixGroup
>
> The data is mostly what you would expect for posixAccount and the other common object classes.
>
> When I try to import data to IPA I get this error for every user and group like this:
>
> ---
> migrate-ds:
> ---
> Migrated:
> Failed user:
>  : unknown object class "apple-user"
>  : unknown object class "apple-user"
>  : unknown object class "apple-user"
> ... And the rest
> Failed group:
>  : unknown object class "apple-group"
>  : unknown object class "apple-group"
>  : unknown object class "apple-group"
> ... And the rest
> --
>
> Here are some of the migrate options I've tried:
>
> ipa -d migrate-ds --bind-dn="uid=user,cn=users,dc=host,dc=domain,dc=tld" ldap://10.0.0.1:389 --user-objectclass="posixAccount" --group-objectclass="posixGroups" --user-container="cn=users" --group-container="cn=groups"
>
> ipa -d migrate-ds --bind-dn="uid=user,cn=users,dc=host,dc=domain,dc=tld" ldap://10.0.0.1:389 --user-objectclass="apple-user" --group-objectclass="apple-group" --user-container="cn=users" --group-container="cn=groups"
>
> I've tried combinations of the two. I've tried changing the --schema with no change in outcome. The only time the outcome is different is when I don't include the --group-objectclass or the --user-objectclass. It fails before it even tries to import the data in the directory. I get this error:
>
> ipa: DEBUG: Caught fault 4001 from server https://ipa0.myrealm.com/ipa/xml: Container for group not found
> ipa: INFO: Destroyed connection context.xmlclient
> ipa: ERROR: Container for group not found
>
> If I add only the --group-objectclass it tries to migrate and gives me the list of errors for every user and group having an unknown object class as described at the top.
>
> Would one expect that I should be able to migrate this data, or would one expect it to fail because it differs from the two supported schemas? I was hoping since it was based off of posixAccount and posixGroup that it was close enough to work.

Hmm, interesting problem, I don't think we really thought about this. In the broadest sense apple-user could be just about any unknown objectclass.

If we *just* aim at migrating over POSIX information we can simply target the attributes we want and migrate those and ignore the rest. This might not be so nice for some users.

Or we can try to run through the schema for every entry and delete objectclasses and attributes we know nothing about.

Or we could do both, with the default setting perhaps to migrate the minimum with an --aggressive option perhaps?

Or we could have a --objectclass option to list all the objectclasses to migrate.

Or even better, perhaps we should have a --test mode where you can test the migration before actually having to move users over. Basically try to migrate one user and if successful delete it from IPA when done and, if unsuccessful report whatever errors were raised.

rob
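As an added example, not code from FreeIPA or from anyone in this thread, here is one shape the "run through the schema and delete objectclasses and attributes we know nothing about" option could take, run on entries with the objectclass lists from the original post; KNOWN_SCHEMA, REQUIRED, strip_unknown, missing_required and the sample entries are all constructed for illustration and are far smaller than a real 389-ds schema.

```python
# Added example (not FreeIPA's migrate-ds): strip objectclasses and attributes
# the target schema does not know, then check the result is still importable.

# objectclass (lower-cased) -> attributes it permits. extensibleObject is left
# out deliberately: it permits any attribute, so keeping it would make the
# Apple-only attributes look legitimate and defeat the filtering.
KNOWN_SCHEMA = {
    "top": {"objectclass"},
    "person": {"cn", "sn", "userpassword", "description"},
    "organizationalperson": {"title", "ou"},
    "inetorgperson": {"uid", "mail", "givenname", "displayname"},
    "posixaccount": {"uid", "cn", "uidnumber", "gidnumber", "homedirectory",
                     "loginshell", "gecos", "userpassword"},
    "shadowaccount": {"uid", "shadowlastchange", "shadowmax"},
    "posixgroup": {"cn", "gidnumber", "memberuid", "userpassword"},
}
# Attributes each class requires; lets a --test style run flag entries that
# the stripping would leave invalid instead of importing them.
REQUIRED = {
    "person": {"cn", "sn"},
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
    "posixgroup": {"cn", "gidnumber"},
}

def strip_unknown(entry, schema=KNOWN_SCHEMA):
    """Return (cleaned, dropped): keep only objectclasses found in `schema`
    and attributes permitted by at least one surviving class. Names compare
    case-insensitively, as in LDAP; the original spelling is preserved."""
    lower = {name.lower(): name for name in entry}
    oc_key = lower.get("objectclass", "objectClass")
    classes = entry.get(oc_key, [])
    kept = [oc for oc in classes if oc.lower() in schema]
    dropped_oc = [oc for oc in classes if oc.lower() not in schema]
    allowed = set()
    for oc in kept:
        allowed |= schema[oc.lower()]
    cleaned, dropped_attr = {oc_key: kept}, []
    for name, values in entry.items():
        if name == oc_key:
            continue
        if name.lower() in allowed:
            cleaned[name] = list(values)
        else:
            dropped_attr.append(name)
    return cleaned, {"objectclasses": dropped_oc, "attributes": dropped_attr}

def missing_required(cleaned, required=REQUIRED):
    """Attributes the surviving objectclasses require but the entry lacks."""
    present = {name.lower() for name in cleaned}
    missing = set()
    for name, values in cleaned.items():
        if name.lower() == "objectclass":
            for oc in values:
                missing |= required.get(oc.lower(), set()) - present
    return missing

# Constructed sample entries using the objectclass lists from the post.
SAMPLE_USER = {
    "objectClass": ["person", "top", "organizationalPerson", "extensibleObject",
                    "apple-user", "shadowAccount", "posixAccount", "inetOrgPerson"],
    "uid": ["jdoe"], "cn": ["Jane Doe"], "sn": ["Doe"],
    "uidNumber": ["1042"], "gidNumber": ["20"],
    "homeDirectory": ["/Users/jdoe"], "loginShell": ["/bin/bash"],
    "apple-generateduid": ["CONSTRUCTED-GUID"],  # Apple-only, no IPA schema
}
SAMPLE_GROUP = {
    "objectClass": ["top", "extensibleObject", "apple-group", "posixGroup"],
    "cn": ["staff"], "gidNumber": ["20"], "memberUid": ["jdoe"],
    "apple-group-realname": ["Staff"],  # Apple-only, no IPA schema
}
```

Reporting what was dropped is what makes the --test idea useful: an entry is only worth importing when missing_required() on the cleaned copy comes back empty.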
[Freeipa-devel] [PATCH] admiyo-0156-remove-icons-from-association-buttons.
From b4313a5605bdd9de95d4bb245196d13aa54a7e46 Mon Sep 17 00:00:00 2001 From: Adam Young Date: Mon, 24 Jan 2011 22:00:38 -0500 Subject: [PATCH] remove icons from association buttons --- install/ui/widget.js |2 -- 1 files changed, 0 insertions(+), 2 deletions(-) diff --git a/install/ui/widget.js b/install/ui/widget.js index 138526fb3520e71643769ee8ad841be6769d0d70..90f6dac8bf47dec2ef17bcd4a84648ffd829d99d 100644 --- a/install/ui/widget.js +++ b/install/ui/widget.js @@ -1191,7 +1191,6 @@ IPA.adder_dialog = function (spec) { button = $('input[name=remove]', that.container); that.remove_button = IPA.button({ 'label': button.val(), -'icon': 'ui-icon-trash', 'click': function() { that.remove(); } @@ -1201,7 +1200,6 @@ IPA.adder_dialog = function (spec) { button = $('input[name=add]', that.container); that.add_button = IPA.button({ 'label': button.val(), -'icon': 'ui-icon-plus', 'click': function() { that.add(); } -- 1.7.3.5 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
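Review bot: the commit message says only "remove icons from association buttons", and neither hunk records why `ui-icon-trash` and `ui-icon-plus` come off the adder dialog's remove and add buttons while `IPA.button` still takes an `icon` key elsewhere; one sentence of motivation (visual consistency with the rest of the dialog, or a rendering problem) would help whoever reads the log later.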
[Freeipa-devel] [PATCH] admiyo-0157-aci-attribute-table-two-columns.patc
From 9611600891b8e594f25cd04f8aa5b2f0c1ca79f9 Mon Sep 17 00:00:00 2001 From: Adam Young Date: Mon, 24 Jan 2011 22:21:31 -0500 Subject: [PATCH] aci attribute table two columns --- install/ui/aci.js | 31 +++ install/ui/ipa.css |9 + 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/install/ui/aci.js b/install/ui/aci.js index 85cfcaa850a17a94e40c53320c41b11b444b5f3a..eb941cb97a3f201bb17b8cc5828b1e19d1e539b8 100644 --- a/install/ui/aci.js +++ b/install/ui/aci.js @@ -42,6 +42,7 @@ IPA.populate_attribute_table = function (table, entity){ id:'aciattr-'+aciattrs[a].toLowerCase(), "class":'aci-attribute' })); +td = $('').appendTo(aci_tr); td.append($('',{ text:aciattrs[a].toLowerCase()})); } @@ -58,25 +59,23 @@ IPA.attribute_table_widget= function (spec){ var dd = $('').appendTo(container); table = $('',{ id:id, -'class':'search-table'}). +'class':'search-table aci-attribute-table'}). append(''). -append($('',{ -style:"height:30em; overflow:auto;" -})). +append($('')). appendTo(dd); -$(''). -append($('',{ -style:"height:2em; vertical-align:bottom;", -html:$('',{ -type: "checkbox", -click: function(){ -$('.aci-attribute'). -attr('checked', $(this).attr('checked')); -}}). -after('Attribute') -})). -appendTo($('thead', table)); +var tr = $('').appendTo($('thead', table)); +tr.append($('',{ +style:"height:2em; vertical-align:bottom;", +html:$('',{ +type: "checkbox", +click: function(){ +$('.aci-attribute'). +attr('checked', $(this).attr('checked')); +}}) +})). +append('Attribute'); + IPA.populate_attribute_table(table, object_type); }; diff --git a/install/ui/ipa.css b/install/ui/ipa.css index 5726ad99cae139ea8b7b99f09445579c6ad5d95a..37324f891666872fca91a3c7f4a1df057e310fd8 100644 --- a/install/ui/ipa.css +++ b/install/ui/ipa.css 
@@ -597,12 +597,13 @@ a.action-button-disabled { margin-top: 2em; } -.search-table tr:nth-child(even){ -#background-color:#CCC; +.aci-attribute-table tbody{ +height:30em; +overflow:auto; } -.search-table tr:nth-child(odd){ -#background-color:#FFF; +.aci-attribute-table th.aci-attribute-column{ +width: 25em; } .entity-views{ -- 1.7.3.5 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
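Review bot: the new rule `.aci-attribute-table th.aci-attribute-column { width: 25em; }` in the ipa.css hunk has no consumer: neither the header cell built in `IPA.attribute_table_widget` nor the new data cell created by `td = $('').appendTo(aci_tr);` in `IPA.populate_attribute_table` is given the `aci-attribute-column` class anywhere in this patch, so the width never applies. Add the class where those cells are created, or drop the rule.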
Re: [Freeipa-devel] [PATCH] Changed dns permission types
Jan Zelený wrote:
> Rob Crittenden wrote:
> > Jan Zelený wrote:
> > > Recent change of DNS module to version caused the dns object type to be replaced by dnszone and dnsrecord. This patch corrects dns types in permissions class.
> > >
> > > https://fedorahosted.org/freeipa/ticket/646
> >
> > Nack. These values need to be added as valid types to the aci plugin and the _type_map needs to be updated.
> >
> > rob
>
> I'm sending an updated patch.
>
> Jan

Since dnszone and dnsrecord point to the same kind of entry what is the point of having two separate names for them? When we read the entry we aren't going to be able to differentiate between the two. Can the type be made more specific?

rob
[Freeipa-devel] [PATCH] admiyo-0158-action-buttons-for-dns
From 27660b175d90b1d7b96958aa537a96ff46b498b8 Mon Sep 17 00:00:00 2001 From: Adam Young Date: Mon, 24 Jan 2011 22:30:28 -0500 Subject: [PATCH] action buttons for dns --- install/ui/policy.js |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/install/ui/policy.js b/install/ui/policy.js index eeec44e35b144b911bcdb4abdb047f17432594a6..208b7c9ec55f82166d876fea250c93a37bf85880 100644 --- a/install/ui/policy.js +++ b/install/ui/policy.js @@ -333,13 +333,13 @@ IPA.records_facet = function (spec){ "class":"action-controls"}).appendTo(action_panel_ul); -IPA.button({ +IPA.action_button({ 'label': IPA.messages.button.add, 'icon': 'ui-icon-plus', 'click': add_click }).appendTo(action_controls); -IPA.button({ +IPA.action_button({ 'label': IPA.messages.button.remove, 'icon': 'ui-icon-trash', 'click': function(){delete_records(records_table);} -- 1.7.3.5 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
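Review bot: both hunks swap `IPA.button` for `IPA.action_button` while keeping the same spec keys (`label`, `icon`, `click`) and the same `.appendTo(action_controls)`; `IPA.action_button` is neither defined nor shown in this patch, so confirm it accepts those keys and returns a jQuery object, otherwise the add and remove buttons on the DNS records facet will not render. A ticket reference in the commit message would also help.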
Re: [Freeipa-devel] [PATCH] Disable renaming to empty string
Simo Sorce wrote:
> On Mon, 24 Jan 2011 09:38:45 +0100 Jan Zelený wrote:
> > So far it was possible to rename any object using LDAPUpdate to a name with empty primary key. Since this can cause nasty problems, this patch disables empty string in --rename argument.
> >
> > https://fedorahosted.org/freeipa/ticket/827
>
> ack
>
> Simo.

pushed to master
Re: [Freeipa-devel] [PATCH] 029 Enforce uniqueness on (key, info) pairs in automount keys
Jakub Hrozek wrote:
> On 01/21/2011 05:55 PM, Rob Crittenden wrote:
> > Jakub Hrozek wrote:
> > > On 01/10/2011 05:15 PM, Jakub Hrozek wrote:
> > > > On 12/20/2010 03:33 PM, Jakub Hrozek wrote:
> > > > > On 12/20/2010 02:49 PM, Jakub Hrozek wrote:
> > > > > > Attached is a patch that changes the uniqueness constraint of automount keys from (key) to (key,info) pairs.
> > > > > >
> > > > > > The patch is not really standard baseldap style. The reason is that during development, I found that baseldap is really dependent on having a single primary key and also during many operations accessing it as keys[-1].
> > > > > >
> > > > > > Please note that the ipa automountkey-* commands used to have three args, now it's two args and two required options (that compose the tuple that is primary key). I know next to nothing about UI, but I assume this has consequences as the JSON marshalled call needs to be different now. Can someone point me to the place in code that I need to fix now?
> > > > > >
> > > > > > Fixes: https://fedorahosted.org/freeipa/ticket/293
> > > > >
> > > > > Sorry, I left some debugging statements in. Attached is a new patch.
> > > >
> > > > Attached is a patch that applies cleanly on top of origin/master.
> >
> > Can you provide some guidance on how to test this patch?
> >
> > thanks
> >
> > rob
>
> Sure:
>
> The main change to CLI is that both key and info must be provided. These are put into the description attribute, at the same time this (key,info) tuple is checked for uniqueness.
>
> The automount test is a good start for testing the patch. It also tests a duplicate direct map.
>
> To test the duplicates manually:
>
> ipa automountlocation-add baltimore
> ipa automountmap-add baltimore auto.direct2
> ipa automountkey-add baltimore auto.master --key=/- --info=auto.direct2
> ipa automountlocation-tofiles baltimore
>
> You should see something like:
>
> /etc/auto.master:
> /-	/etc/auto.direct
> /-	/etc/auto.direct2
> ---
> /etc/auto.direct:
> ---
> /etc/auto.direct2:

Ack with two conditions and a question:

Conditions:
1. Check with qe to see if they already have tests for automount. If they do we'll need to coordinate getting their tests updated.
2. The samples in the command help don't use the --key argument, can you update them?

Question: Can you import multiple direct maps?

rob
Re: [Freeipa-devel] [PATCH] Fix crash when displaying values composed of white chars only in CLI.
Simo Sorce wrote:
> On Fri, 21 Jan 2011 14:31:11 -0500 Rob Crittenden wrote:
> > Pavel Zůna wrote:
> > > Fix #825
> > >
> > > Pavel
> >
> > Should we instead prevent storing white space? On the cli someone would have to go through the trouble of quoting the space but in the UI I think it would be pretty easy to accidentally hit a space on a field and save it.
>
> Someone may want to store a space on purpose, or have some other program do it underneath the UI. So fixing the crash is necessary. Whether we also want to prevent storing whitespace is a separate question IMHO.
>
> Simo.

Ok, pushed to master.