Re: [Freeipa-devel] [PATCH] 813 fix enrolledBy regression
On Tue, 2011-07-12 at 15:11 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Fri, 2011-07-01 at 11:41 -0400, Rob Crittenden wrote:
> > > enrolledBy represents the DN of the entry that enrolled a host. We don't want an admin to manipulate this but an aci allowed it. This was a regression.
> > >
> > > ticket 302
> > >
> > > rob
> >
> > Works fine with new IPA installation. Still, I have some concerns:
> >
> > 1) What about ACI in existing installations? This patch won't affect it.
> > 2) There are 2 typos in comment in ldif (admini, --setaddr)
> >
> > Martin
>
> Well, I didn't consider the lack of an update to be a huge problem originally. I went ahead and added one. This required changing the syntax of replace slightly, using two colons to distinguish between old and new.
>
> Typos fixed too.
>
> rob

ACK. Works fine.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 823 validate certificate subject base
On Thu, 2011-07-07 at 12:02 -0400, Rob Crittenden wrote:
> Use John's new DN class to verify that the subject base passed into ipa-server-install is valid.
>
> https://fedorahosted.org/freeipa/ticket/1176
>
> rob

Works fine for basic errors. But what if the DN is syntactically valid, but it makes no sense for CA? For example:

# ipa-server-install --subject=FOO=BAR
...
Configuring certificate server: Estimated time 6 minutes
  [1/16]: creating certificate server user
  [2/16]: creating pki-ca instance
  [3/16]: restarting certificate server
  [4/16]: configuring certificate server instance
root        : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname vm-099.idm.lab.bos.redhat.com -cs_port 9445 -client_certdb_dir /tmp/tmp-VQeqTM -client_certdb_pwd '' -preop_pin p8NYnreBzTcV8Oq13vCu -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password '' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,FOO=BAR -ldap_host vm-099.idm.lab.bos.redhat.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password '' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd '' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,FOO=BAR -ca_ocsp_cert_subject_name CN=OCSP Subsystem,FOO=BAR -ca_server_cert_subject_name CN=vm-099.idm.lab.bos.redhat.com,FOO=BAR -ca_audit_signing_cert_subject_name CN=CA Audit,FOO=BAR -ca_sign_cert_subject_name CN=Certificate Authority,FOO=BAR -external false -clone false' returned non-zero exit status 255
Unexpected error - see ipaserver-install.log for details:
Configuration of CA failed

Could we also cover these cases in the callback?

Martin
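An added example (not FreeIPA's code and not John's DN class) of the second check Martin asks for: after the subject base splits cleanly into RDNs, every attribute type is compared against an assumed allow list of types a CA subject can carry, so a syntactically valid but meaningless value such as FOO=BAR is rejected before the CA configuration is attempted. The allow list and function names are assumptions.

```python
# Added example, not FreeIPA code: validate a CA subject base beyond DN syntax.

# Attribute types a certificate subject may carry (assumed allow list; adjust
# to what the CA in use actually accepts).
CA_SUBJECT_ATTRS = {"CN", "O", "OU", "C", "ST", "L", "DC", "STREET", "UID"}


def split_rdns(dn):
    """Split a string DN into (type, value) pairs.

    Backslash escapes such as 'CN=a\\,b' are honoured, and '+' separated
    multi-valued RDNs are split into their components as well.
    """
    parts, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escaped char with its escape
            buf += dn[i:i + 2]
            i += 2
            continue
        if ch in ",+":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    parts.append(buf)

    pairs = []
    for part in parts:
        if "=" not in part:
            raise ValueError("RDN without '=': %r" % part)
        typ, val = part.split("=", 1)
        typ, val = typ.strip(), val.strip()
        if not typ or not val:
            raise ValueError("empty attribute type or value in %r" % part)
        pairs.append((typ, val))
    return pairs


def validate_subject_base(dn):
    """Return a list of problems with a subject base; an empty list means OK."""
    try:
        pairs = split_rdns(dn)
    except ValueError as e:          # syntax errors: report and stop
        return [str(e)]
    problems = []
    for typ, _ in pairs:             # semantic check: unknown attribute types
        if typ.upper() not in CA_SUBJECT_ATTRS:
            problems.append("attribute type %r is not usable in a CA subject" % typ)
    return problems
```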
Re: [Freeipa-devel] [PATCH] 0001 (2) Convert nsaccountlock to always work as bool towards Python and JavaScript
On Fri, 2011-07-08 at 00:40 +0300, Alexander Bokovoy wrote:
> On 08.07.2011 00:29, Adam Young wrote:
> > On 07/07/2011 04:47 PM, Alexander Bokovoy wrote:
> > > Hi,
> > >
> > > this is refactoring of the patch for ticket 1259 (handling of boolean for nsaccountlock in LDAP). Now it is possible to just work with True/False on Python side and JavaScript side also gets true/false via JSON marshalling. At the same time, TRUE/FALSE is provided towards LDAP storage and correctly handled when returned back.
> > >
> > > Tested with command line tools, WebUI, and make-test.
> >
> > ACK.
>
> Updated to include all python tests. JavaScript-based tests are left in old format (nsaccountlock: [ False;], for example) to allow testing all accepted variations of the boolean values in JSON (boolean type, strings, strings in array).

ACK for server part too. Tests are OK. Pushed to master.

Martin
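An added example, not the patch under review, of the normalisation this thread describes: every accepted input form (a Python bool, a string, or a single-element list as LDAP returns attribute values) is reduced to one bool, which is then rendered as TRUE/FALSE for LDAP storage or true/false in JSON for the web UI. Function names and the rejection of anything else are my assumptions.

```python
# Added example, not FreeIPA code: one place to normalise nsaccountlock.
import json

TRUE_STRINGS = ("true",)      # LDAP Boolean syntax spells these TRUE/FALSE;
FALSE_STRINGS = ("false",)    # compared case-insensitively here


def to_bool(value):
    """Reduce any accepted nsaccountlock representation to a Python bool.

    Accepts a bool, a string, or a single-element list/tuple of either
    (LDAP hands attribute values back as lists). Anything else raises
    rather than being guessed at.
    """
    if isinstance(value, (list, tuple)):
        if len(value) != 1:
            raise ValueError("expected exactly one nsaccountlock value, got %r" % (value,))
        value = value[0]
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        v = value.strip().lower()
        if v in TRUE_STRINGS:
            return True
        if v in FALSE_STRINGS:
            return False
    raise ValueError("not a boolean: %r" % (value,))


def to_ldap(value):
    """Python-side value -> value list stored for the LDAP Boolean attribute."""
    return ["TRUE" if to_bool(value) else "FALSE"]


def to_json(entry):
    """Marshal an entry for the web UI: nsaccountlock becomes JSON true/false."""
    out = dict(entry)
    if "nsaccountlock" in out:
        out["nsaccountlock"] = to_bool(out["nsaccountlock"])
    return json.dumps(out, sort_keys=True)
```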
[Freeipa-devel] [PATCH] 29 Configure SSSD to store password if offline
Enable the krb5_store_password_if_offline option in sssd.conf by default. To turn it off, use --no-krb5-offline-passwords option in ipa-client-install. https://fedorahosted.org/freeipa/ticket/1359 Honza -- Jan Cholasta From 7cd7a371fa85410f2dd22250ed9473a6a28ab71e Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Tue, 28 Jun 2011 14:19:51 +0200 Subject: [PATCH] Configure SSSD to store user password if offline. ticket 1359 --- ipa-client/ipa-install/ipa-client-install |4 ipa-client/man/ipa-client-install.1 |3 +++ 2 files changed, 7 insertions(+), 0 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 884dd21..6bdeb87 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -90,6 +90,8 @@ def parse_options(): help=The hostname of this server (FQDN). By default of nodename from uname(2) is used.) parser.add_option(, --enable-dns-updates, dest=dns_updates, action=store_true, default=False, help=Configures the machine to attempt dns updates when the ip address changes.) +parser.add_option(--no-krb5-offline-passwords, dest=krb5_offline_passwords, action=store_false, + help=Configure SSSD not to store user password when the server is offline, default=True) options, args = parser.parse_args() safe_opts = parser.get_safe_opts(options) @@ -550,6 +552,8 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options): if options.dns_updates: domain.set_option('ipa_dyndns_update', True) +if options.krb5_offline_passwords: +domain.set_option('krb5_store_password_if_offline', True) domain.set_active(True) diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1 index 40d53a8..e689177 100644 --- a/ipa-client/man/ipa-client-install.1 +++ b/ipa-client/man/ipa-client-install.1 
@@ -81,6 +81,9 @@ The hostname of this server (FQDN). By default of nodename from uname(2) is used .TP \fB\-\-enable\-dns\-updates\fR This option tells SSSD to automatically update DNS with the IP address of this client. +.TP +\fB\-\-no\-krb5\-offline\-passwords\fR +Configure SSSD not to store user password when the server is offline. .SH EXIT STATUS 0 if the installation was successful -- 1.7.4.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
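Review bot: in the parse_options hunk the new option lists `default=True` after `help=...`, while the neighbouring `--enable-dns-updates` option orders `dest`, `action`, `default`, `help`; matching that order keeps the option table readable. Since `action=store_false` makes this a negative switch, the help text should also say that storing the password offline is the default, so a reader of `--help` knows what the flag turns off.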
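Review bot: the configure_sssd_conf hunk writes `krb5_store_password_if_offline` only when the option is enabled; when `--no-krb5-offline-passwords` is given nothing is written and the result depends on SSSD's built-in default. Adding an else branch with `domain.set_option('krb5_store_password_if_offline', False)` makes the generated sssd.conf state the chosen behaviour explicitly, which is also what an auditor reading the file would expect.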
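Review bot: the man page hunk documents the option but not the default; since the patch enables the setting unless this option is given, the entry should say so, for example "By default SSSD stores the user password in its cache when the server is offline; this option disables that." Readers otherwise cannot tell from the man page that they have to opt out.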
[Freeipa-devel] [PATCH] 092 Filter reverse zones in dnszone-find
Implements a new option to filter out reverse zones. This patch also do some clean up in dns plugin - debug prints were accidentally left here in the last dns patch. https://fedorahosted.org/freeipa/ticket/1471 From 905790a18ac39023307d3e46f89f3808d94f02a2 Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Wed, 13 Jul 2011 14:01:17 +0200 Subject: [PATCH] Filter reverse zones in dnszone-find Implements a new option to filter out reverse zones. This patch also do some clean up in dns plugin - debug prints were accidentally left here in the last dns patch. https://fedorahosted.org/freeipa/ticket/1471 --- API.txt|3 ++- VERSION|2 +- ipalib/plugins/dns.py | 23 +++ ipaserver/plugins/ldap2.py | 35 --- 4 files changed, 50 insertions(+), 13 deletions(-) diff --git a/API.txt b/API.txt index 4a057d14998a2b0f6032276fede56115240b55f7..44292a988ded6019c00dec6cb67cbcedd1abf3c0 100644 --- a/API.txt +++ b/API.txt @@ -780,7 +780,7 @@ output: Output('summary', (type 'unicode', type 'NoneType'), 'User-friendly output: Output('result', type 'bool', 'True means the operation was successful') output: Output('value', type 'unicode', The primary_key value of the entry, e.g. 'jdoe' for a user) command: dnszone_find -args: 1,18,4 +args: 1,19,4 arg: Str('criteria?', noextrawhitespace=False) option: Str('idnsname', attribute=True, autofill=False, cli_name='name', label=Gettext('Zone name', domain='ipa', localedir=None), multivalue=False, normalizer=lambda, primary_key=True, query=True, required=False) option: Str('idnssoamname', attribute=True, autofill=False, cli_name='name_server', label=Gettext('Authoritative nameserver', domain='ipa', localedir=None), multivalue=False, query=True, required=False) 
@@ -797,6 +797,7 @@ option: Bool('idnszoneactive', attribute=True, autofill=False, cli_name='zone_ac option: Bool('idnsallowdynupdate', attribute=True, autofill=False, cli_name='allow_dynupdate', default=False, label=Gettext('Dynamic update', domain='ipa', localedir=None), multivalue=False, query=True, required=False) option: Int('timelimit?', autofill=False, flags=['no_display'], label=Gettext('Time Limit', domain='ipa', localedir=None), minvalue=0) option: Int('sizelimit?', autofill=False, flags=['no_display'], label=Gettext('Size Limit', domain='ipa', localedir=None), minvalue=0) +option: Flag('forward_only', autofill=True, cli_name='forward_only', default=False, label=Gettext('Forward zones only', domain='ipa', localedir=None)) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui', flags=['no_output']) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui', flags=['no_output']) option: Str('version?', exclude='webui', flags=['no_option', 'no_output']) diff --git a/VERSION b/VERSION index b4b7066895b7dd9f83ffdd2c7e034f197fe60825..224c735674fe920ddfd02ad496ff89299efef2bb 100644 --- a/VERSION +++ b/VERSION @@ -79,4 +79,4 @@ IPA_DATA_VERSION=2010061412 # # IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=8 +IPA_API_VERSION_MINOR=9 diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index 5c990ace1938da4933d60c59533ed8337ed74145..e7a0a05a3c5b989fc7125492530c1deccae27f0c 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py 
@@ -458,6 +458,25 @@ class dnszone_find(LDAPSearch): Search for DNS zones (SOA records). +takes_options = LDAPSearch.takes_options + ( +Flag('forward_only', +label=_('Forward zones only'), +cli_name='forward_only', +doc=_('Search for forward zones only'), +), +) + +def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, **options): +if options.get('forward_only', False): +search_kw = {} +search_kw['idnsname'] = _valid_reverse_zones.keys() +rev_zone_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_NONE, exact=False, +trailing_wildcard=False) +filter = ldap.combine_filters((rev_zone_filter, filter), rules=ldap.MATCH_ALL) + +return (filter, base_dn, scope) + + api.register(dnszone_find) @@ -823,8 +842,6 @@ class dnsrecord_mod(dnsrecord_mod_record): old_entry_attrs.setdefault(a, []) if v or v is None: # overwrite the old entry old_entry_attrs[a] = v -print DNSRECORD_MOD::update_old_entry_callback: old:, old_entry_attrs -print DNSRECORD_MOD::update_old_entry_callback: new:, entry_attrs def record_options_2_entry(self, **options): entries = dict((t, options.get(t, [])) for t in _record_attributes) @@ -835,12 +852,10 @@ class dnsrecord_mod(dnsrecord_mod_record): rtype_cb = '_%s_pre_callback' % rtype if
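Review bot: in the dnszone_find hunk `search_kw = {}` followed by `search_kw['idnsname'] = ...` can be a single dict literal, and the filter depends on `_valid_reverse_zones.keys()`, which is not visible in the hunk; confirm it lists every reverse suffix (the IPv4 and the IPv6 reverse tree) with the trailing dot that `trailing_wildcard=False` requires, otherwise zones under a missing suffix are still returned as forward zones.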
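Review bot: removing the two `print DNSRECORD_MOD::update_old_entry_callback` lines in the dnsrecord_mod hunk is the right fix: they dumped the complete old and new attribute dictionaries to stdout on every dnsrecord-mod call, outside any log level or log file handling. If a trace is still wanted during development, emit it through the plugin's debug logger instead.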
Re: [Freeipa-devel] [PATCH] 092 Filter reverse zones in dnszone-find
On Wed, 2011-07-13 at 14:41 +0200, Jan Cholasta wrote:
> On 13.7.2011 14:08, Martin Kosek wrote:
> > Implements a new option to filter out reverse zones. This patch also does some clean-up in the dns plugin - debug prints were accidentally left here in the last dns patch.
> >
> > https://fedorahosted.org/freeipa/ticket/1471
>
> ACK
>
> Honza

Pushed to master. As Rob advised, I changed wording of the heading_wildcard parameter to leading_wildcard.

Martin
Re: [Freeipa-devel] [PATCH] 090 Remove sensitive information from logs
On 12.7.2011 10:16, Martin Kosek wrote:
> When -w/--password option is passed to ipa-replica-install it is printed to ipareplica-install.log. Make sure that the value of this option is hidden.
>
> https://fedorahosted.org/freeipa/ticket/1378

ACK

Honza

-- 
Jan Cholasta
Re: [Freeipa-devel] [PATCH] 090 Remove sensitive information from logs
On Wed, 2011-07-13 at 15:13 +0200, Jan Cholasta wrote:
> On 12.7.2011 10:16, Martin Kosek wrote:
> > When -w/--password option is passed to ipa-replica-install it is printed to ipareplica-install.log. Make sure that the value of this option is hidden.
> >
> > https://fedorahosted.org/freeipa/ticket/1378
>
> ACK
>
> Honza

Pushed to master.

Martin
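An added illustration, not the patch itself, of the redaction this thread is about: the values of the -w/--password options are masked in a copy of the argument vector before the command line is written to the install log. The option set, the mask string and the function names are assumptions; the real installer has more secret-carrying options than the two named here.

```python
# Added example, not FreeIPA code: scrub secret option values before logging.

SECRET_OPTS = ("-w", "--password")   # from the thread; extend for other secrets
MASK = "XXXXXXXX"


def redact_argv(argv, secret_opts=SECRET_OPTS, mask=MASK):
    """Return a copy of argv with every secret option value replaced by mask.

    Handles all four spellings optparse accepts: '-w secret', '-wsecret',
    '--password secret' and '--password=secret'. A trailing option with no
    value is left as it is, since there is nothing to hide.
    """
    out = []
    hide_next = False
    for arg in argv:
        if hide_next:                 # value given as the following argument
            out.append(mask)
            hide_next = False
            continue
        matched = False
        for opt in secret_opts:
            if arg == opt:
                out.append(arg)
                hide_next = True
                matched = True
            elif opt.startswith("--") and arg.startswith(opt + "="):
                out.append(opt + "=" + mask)          # --password=secret
                matched = True
            elif not opt.startswith("--") and len(arg) > len(opt) \
                    and arg.startswith(opt):
                out.append(opt + mask)                # -wsecret
                matched = True
            if matched:
                break
        if not matched:
            out.append(arg)
    return out


def log_line(argv):
    """The line an installer would write to its log for this invocation."""
    return "Command line: " + " ".join(redact_argv(argv))
```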
Re: [Freeipa-devel] [PATCH] 0267-dnsrecord-mod-ui
On 7/12/2011 4:47 PM, Adam Young wrote:

Some issues:

1. In DNS record adder dialog, the data field is required but it's not checked before submit. There is no param_info for this field, so the required flag may need to be specified explicitly in the field declaration.

2. Adding/deleting record data in DNS record details page doesn't work because the field.param_info is null. Although the default param_info is specified in the field declaration, the code in widget.js:166 will override it to null. We might want to merge the param_infos using $.extend().

3. I cannot try this due to issue #2, but in CLI when the last data is removed using -mod the record itself will be deleted. The record has to be re-added before it can be modified again. A user might encounter this issue if he removes all existing data, clicks Update, then adds new data without leaving the details page. The patch doesn't seem to handle this.

4. The interface might be a little confusing. If a DNS record contains multiple data, the search page will show them as separate entries. When a user opens one of the entries he would expect to edit only that particular data. However, the details page now shows all data under that DNS record name. One solution is to drop the data from the search page. Another solution is to change the details page to show only one data.

5. Deleting DNS records from the search page doesn't work because it doesn't specify the data to be deleted.

6. The FQDN field label is probably incorrect because not all DNS records are hostnames. Also, for records that are hostnames, the FQDN field only contains the host's short name, not the full name.

7. DNS records that are not hostnames will be linked to hosts if there happen to be hosts with matching names. The link probably should be limited to certain record types. Same issue from host to DNS record.

8. The IPA.entity_link_widget should use the -show command instead of -find to check the target entry. The -find command returns all entries that match the criteria, which might not be what we want.

9. The following statement in details.js:594

   var param_info = field.param_info || IPA.get_entity_param(entity_name, field.name);

   can be simplified into

   var param_info = field.param_info;

   because the field.param_info is obtained using the same get_entity_param() in widget.js:166.

10. The following statement in details.js:594

    if (param_info && param_info.primary_key) continue;

    can be simplified into

    if (param_info.primary_key) continue;

    because the param_info is already checked by the previous if-statement.

11. The fake_param in widget.js:43 and dns.js:143 is no longer needed.

12. It's not necessary to specify 'primary_key: false' in the param_info because by default it will be false. The param_info can be simplified into just { }.

13. The labels are still hard-coded. Is this going to be done in a separate patch?

14. Some field labels have 'Records' (e.g. A Records), some others don't (e.g. NS). I think they should be consistent.

15. It might be better to use 'other/Other Records' instead of using 'unusual/less common record types' for the third detail section.

16. The other_pkey() in host.js:132 seems to be unnecessary.

17. The show_page() in IPA.navigation can be modified to find the entity object and wrap the pkey, then call show_entity_page(). This way we can avoid duplicating the function.

18. Optional: As mentioned over IRC, I think it's better to customize by creating a subclass and overriding the method (OO style) rather than supplying a callback function via constructor (functional style). So instead of creating a standalone IPA.dns_record_search_load we could create an IPA.dnsrecord_search_facet class and override the load() method. Instead of using 'this' in a function (which is not clear what it's pointing to), we would be using 'that' which points to the containing class. This is similar to IPA.dnsrecord_host_link_widget.

-- 
Endi S. Dewata
Re: [Freeipa-devel] [PATCH] 0267-dnsrecord-mod-ui
On 7/13/2011 4:03 PM, Adam Young wrote:
> > 3. I cannot try this due to issue #2, but in CLI when the last data is removed using -mod the record itself will be deleted. The record has to be re-added before it can be modified again. A user might encounter this issue if he removes all existing data, clicks Update, then adds new data without leaving the details page. The patch doesn't seem to handle this.
>
> It works that way. Right now, there is an issue where the mod command comes back, we use it to populate the page, but updates won't work because there is nothing there. We'll need code specific to the dnsrecord-mod command to handle this. Not done yet.

As discussed over IRC, this will be fixed in a separate ticket.

> > 4. The interface might be a little confusing. If a DNS record contains multiple data, the search page will show them as separate entries. When a user opens one of the entries he would expect to edit only that particular data. However, the details page now shows all data under that DNS record name. One solution is to drop the data from the search page. Another solution is to change the details page to show only one data.
>
> I like having the individual records on the search page, and I think it is most intuitive, but it does make the UI hard.

Separate ticket.

> > 7. DNS records that are not hostnames will be linked to hosts if there happen to be hosts with matching names. The link probably should be limited to certain record types. Same issue from host to DNS record.
>
> Going to leave this as is. If there is truly confusion around this, we can make the logic more complex, but I suspect that the current implementation is what people expect.

We'll wait for feedback before filing any ticket.

19. The IPA.dnsrecord_get_delete_values() is getting the column values from the displayed texts. While this is fine for this particular case, sometimes the value is formatted so the displayed text may not match the value stored on the server. We'll address that when that happens.

ACK and pushed to master.

-- 
Endi S. Dewata