Re: [Freeipa-devel] [PATCH] 872 allow csr file to be provided interactively
On Wed, 2011-09-14 at 11:29 -0400, Rob Crittenden wrote:

Martin Kosek wrote:

On Wed, 2011-09-14 at 14:23 +0200, Martin Kosek wrote:

On Tue, 2011-09-13 at 14:35 -0400, Rob Crittenden wrote:

Add an escape clause to the CSR validator in the cert plugin. If the csr is a file just return and let the load_files() call slurp in the contents. It will still get validated.

rob

This works fine for CSR file. Shouldn't we fix this also for other File params? For example, entitle-import command will be affected as well:

    takes_args = (
        File('usercertificate*', validate_certificate,
            cli_name='certificate_file',
        ),
    )

We can create a separate ticket for entitle-import if you want.

Martin

Oh, and one more thing - API.txt has to be updated since you added a label to the CSR parameter.

Martin

Updated patch with API attached. I had that fixed, dropped my changes, re-made them and forgot to update API again.

entitle-import doesn't have stdin_if_missing set so will only read from a file, there is no interactive option.

rob

ACK. Pushed to master, ipa-2-1.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Upgrading a machine to use the proxy.
Adam Young wrote:

To convert an older build where the PKI system wasn't proxied:

awk '{print $0} /Define an AJP 1.3 Connector on port/ {print "<Connector port=\"9447\" protocol=\"AJP/1.3\" redirectPort=\"9444\" />"}' /etc/pki-ca/server.xml > server.xml.new ; mv server.xml.new /etc/pki-ca/server.xml

sed -e "s/\[PKI_MACHINE_NAME\]/$HOSTNAME/g" -e "s/\[PKI_AJP_PORT\]/9444/g" /usr/share/pki/ca/conf/proxy.conf > /etc/pki-ca/proxy.conf

I've used the default ports here. Adjust if you've altered yours.

IPA copies the proxy.conf file into /etc/httpd/conf.d and renames it. You can do the same thing by hand.

I'm not sure if this should go into PKI or IPA.

Since these are dogtag configuration files I think dogtag needs to handle updating them.

rob
Re: [Freeipa-devel] Upgrading a machine to use the proxy.
On 09/14/2011 04:46 PM, Rob Crittenden wrote:

Adam Young wrote:

To convert an older build where the PKI system wasn't proxied:

awk '{print $0} /Define an AJP 1.3 Connector on port/ {print "<Connector port=\"9447\" protocol=\"AJP/1.3\" redirectPort=\"9444\" />"}' /etc/pki-ca/server.xml > server.xml.new ; mv server.xml.new /etc/pki-ca/server.xml

sed -e "s/\[PKI_MACHINE_NAME\]/$HOSTNAME/g" -e "s/\[PKI_AJP_PORT\]/9444/g" /usr/share/pki/ca/conf/proxy.conf > /etc/pki-ca/proxy.conf

I've used the default ports here. Adjust if you've altered yours.

IPA copies the proxy.conf file into /etc/httpd/conf.d and renames it. You can do the same thing by hand.

I'm not sure if this should go into PKI or IPA.

Since these are dogtag configuration files I think dogtag needs to handle updating them.

Agree.

rob

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project, Red Hat Inc.
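The server.xml step from the conversion commands in this thread, as an added example that is not part of the original messages: it goes beyond the one-liner by refusing to insert a second connector on a re-run, keeping a backup, and writing into the existing file so that owner, mode and SELinux label are not replaced the way `mv` of a freshly created file replaces them. The function name `add_ajp_connector` is hypothetical; the marker text and default ports are the ones quoted above.

```shell
#!/bin/sh
# Added example (not from the thread). add_ajp_connector is a hypothetical name.
# Usage: add_ajp_connector FILE [PORT] [REDIRECT_PORT]
add_ajp_connector() {
    file=$1
    port=${2:-9447}          # default taken from the quoted awk command
    redirect=${3:-9444}      # default taken from the quoted awk command
    marker='Define an AJP 1.3 Connector on port'

    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }

    # Refuse to guess where the connector belongs if the marker is absent.
    grep -qF "$marker" "$file" || { echo "marker not found: $file" >&2; return 3; }

    # Idempotency: a second run must not add a duplicate connector.
    if grep -qF "<Connector port=\"$port\" protocol=\"AJP/1.3\"" "$file"; then
        return 0
    fi

    tmp=$(mktemp "${file}.XXXXXX") || return 1
    awk -v m="$marker" -v p="$port" -v r="$redirect" '
        { print }
        index($0, m) && !done {
            printf "<Connector port=\"%s\" protocol=\"AJP/1.3\" redirectPort=\"%s\" />\n", p, r
            done = 1
        }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Back up, then overwrite in place: the inode keeps its ownership,
    # permissions and security label. The write is not atomic, hence the backup.
    cp -p "$file" "${file}.bak" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Run it as `add_ajp_connector /etc/pki-ca/server.xml` with the CA stopped, and diff against the `.bak` copy before restarting.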
Re: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility
On Wed, 2011-09-14 at 14:50 +0200, Sumit Bose wrote:

a recent commit in master made another change necessary. Additionally I renamed smbinstance to adtrustinstance and check for more samba client binaries which are needed by the utility. New version attached.

Tested and works great! ACK, Pushed to master.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 016 Fixed: Some widgets do not have space for validation error message
On 9/14/2011 7:23 AM, Petr Vobornik wrote:

Forgot to update tests - to address newly added validation row in table_widget.

One issue, in all search and association facets we now have 2 rows of footer (there are 2 horizontal lines at the bottom). I think it would be better to use a single row for both summary/error messages and pagination. The messages will be left aligned, the pagination will be right aligned.

--
Endi S. Dewata
[Freeipa-devel] [PATCH] 270 Fixed posix group checkbox.
In the adder dialog for groups the checkbox has been modified to use the correct field name nonposix and be checked by default. Note: This is a temporary fix to minimize the changes due to release schedule. Eventually the field label will be changed into Non-POSIX group and the checkbox will be unchecked by default, which is more consistent with CLI. Ticket #1799 -- Endi S. Dewata From 1dac389949b79ee83a58051c069138affa8c9894 Mon Sep 17 00:00:00 2001 From: Endi S. Dewata edew...@redhat.com Date: Wed, 14 Sep 2011 12:36:58 -0500 Subject: [PATCH] Fixed posix group checkbox. In the adder dialog for groups the checkbox has been modified to use the correct field name nonposix and be checked by default. Note: This is a temporary fix to minimize the changes due to release schedule. Eventually the field label will be changed into Non-POSIX group and the checkbox will be unchecked by default, which is more consistent with CLI. Ticket #1799 --- install/ui/group.js | 21 ++--- install/ui/widget.js | 24 +++- 2 files changed, 33 insertions(+), 12 deletions(-) diff --git a/install/ui/group.js b/install/ui/group.js index 410a295d4ac98da161cee9455b910660ec608469..f8d42ea37fdbb3420008b332ca1a1717b3d36170 100644 --- a/install/ui/group.js +++ b/install/ui/group.js @@ -92,13 +92,28 @@ IPA.entity_factories.group = function () { 'cn', 'description', { -factory:IPA.checkbox_widget, -name: 'posix', +factory: IPA.nonposix_checkbox_widget, +name: 'nonposix', label: IPA.messages.objects.group.posix, undo: false, -checked: 'checked' +checked: true }, 'gidnumber'] }). build(); }; + +IPA.nonposix_checkbox_widget = function (spec) { + +spec = spec || {}; + +var that = IPA.checkbox_widget(spec); + +that.save = function() { +var value = that.checkbox_save()[0]; +// convert posix into non-posix +return [!value]; +}; + +return that; +}; \ No newline at end of file 
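Review bot: IPA.nonposix_checkbox_widget in install/ui/group.js inverts the value only in save; nothing inverts it on the way in, so the update inherited from IPA.checkbox_widget would still tick the box when the stored nonposix value is TRUE. That is harmless while the widget is used only in the adder dialog, but it is published on the IPA namespace where it can be reused, so either override update symmetrically or add a comment that it is for adder dialogs only. The label is still IPA.messages.objects.group.posix while the field is now nonposix; the commit message explains this as temporary, and a TODO next to the label referencing Ticket #1799 would keep that visible in the code. The file also still ends without a trailing newline.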
diff --git a/install/ui/widget.js b/install/ui/widget.js index 58698486894ce9e72842ea1cf011a5fb75286421..d4a46bd37a9ccfac48469c312d81081105816b4f 100644 --- a/install/ui/widget.js +++ b/install/ui/widget.js @@ -760,9 +760,10 @@ IPA.multivalued_text_widget = function(spec) { IPA.checkbox_widget = function (spec) { spec = spec || {}; + var that = IPA.widget(spec); -that.checked = spec.checked || ''; +that.checked = spec.checked; that.create = function(container) { @@ -773,7 +774,7 @@ IPA.checkbox_widget = function (spec) { that.input = $('input/', { type: 'checkbox', name: that.name, -checked : that.checked, +checked: that.checked, title: that.tooltip, change: function() { that.set_dirty(that.test_dirty()); @@ -796,17 +797,22 @@ IPA.checkbox_widget = function (spec) { }; that.update = function() { -var value = that.values that.values.length ? that.values[0] : false; -if (value ===FALSE){ -value = false; -} -if (value ===TRUE){ -value = true; +var checked = that.checked || false; +if (that.values that.values.length) { +var value = that.values[0]; +if (value === FALSE) { +checked = false; +} +if (value === TRUE) { +checked = true; +} } -that.input.attr('checked', value); +that.input.attr('checked', checked); }; +that.checkbox_save = that.save; + return that; }; -- 1.7.5.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
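Review bot: In the first hunk of install/ui/widget.js, "that.checked = spec.checked;" drops the old "|| ''" default, so a caller that passes no checked value now hands undefined to the "checked:" attribute in create, while update separately normalises with "that.checked || false". Normalise once at assignment (that.checked = spec.checked || false;) so create and update agree, and add a comment that checked is now expected to be a boolean rather than the string 'checked'.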
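Review bot: In the update hunk of install/ui/widget.js, a that.values[0] that is neither the FALSE nor the TRUE constant is now silently ignored and the checkbox falls back to the that.checked default, where the old code passed the raw value to attr('checked', ...). If anything other than those two constants can reach this widget, the displayed state will no longer reflect the data; handle that case explicitly or add an else branch. The new "that.checkbox_save = that.save;" line at the end also deserves a one-line comment saying it exists so that derived widgets such as IPA.nonposix_checkbox_widget can call the base implementation after overriding save.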
Re: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry
On Jul 22, 2011, at 7:05 AM, Martin Kosek wrote:

On Thu, 2011-07-21 at 23:52 +, JR Aquino wrote:

On Apr 25, 2011, at 9:00 AM, Simo Sorce wrote:

On Mon, 2011-04-25 at 14:59 +, JR Aquino wrote:

On Apr 25, 2011, at 6:43 AM, Simo Sorce wrote:

On Thu, 2011-04-21 at 23:28 +, JR Aquino wrote:

Hmmm

Both Private Groups and the Hostgroup - Netgroup Managed Entries create objects in the container: cn=Managed Entries,cn=plugins,cn=config

Each Ldif contains 2 ldap objects. One that lives in the main $SUFFIX, and one in the cn=config

How will these be treated by replication and the multi masters?

Only the common objects in the public suffix are replicated.

I think at some point we discussed that we should use a filter in the private config entry made so that we could enable/disable the plugin by simply making the filter result true/false. Thus not ever touch the entries in cn=config but simply enable/disable the functionality by (not)adding the appropriate attributes to objects so that filters would (not) match.

Simo.

This tool works by toggling the originfilter: objectclass=disabled in order to turn off the plugin.

But this is backwards, because originfilter is defined in the configuration entry stored in cn=config

Meaning as soon as you change it one server will behave differently from the others until you go and change it on each and every server.

Finally able to revisit this Patch / Ticket: (To be used in conjunction with Patch 38)

25 Create Tool for Enabling/Disabling Managed Entry Plugins
https://fedorahosted.org/freeipa/ticket/1181

Remove legacy ipa-host-net-manage
Add ipa-managed-entries tool
Add man page for ipa-managed-entries tool

I have found few issues with the patch:

1) I don't think it's necessary to change BuildRequires to 389-ds-base-devel = 1.2.8

This is no longer necessary and has been removed.

2) Invalid comment in get_dirman_password() function. There is no verification of the password. It just prompts it

This has been corrected

3) ipa-managed entries man pages: copy paste error:
+Directory Server will need to be restarted after the schema compatibility plugin has been enabled.

Copy / Paste Typo corrected

4) Invalid help of the program:

# ipa-managed-entries --help
Usage: ipa-managed-entries [options] enable|disable
       ipa-managed-entries [options]

- status action is missing
- running program without action is not allowed, i.e. should not be offered

Corrected help entries

5) I was thinking if there is a better solution to enabling/disabling of the plugin. Likes setting something like managedEntryEnabled attribute to on/off as we do with compat plugin. Current concept with disabling the definition by damaging the originFilter and then restoring it from an LDIF seems a bit awkward to me.

This has been completely changed: Instead of looking to ldif files, an ldap look up is now performed to dynamically list the available managed entries.

6) ipa-managed-entries crashes when managed entry is a wrong file:

# ipa-managed-entries status -f /usr/share/ipa/managed-entries.ldif
Directory Manager password:
Traceback (most recent call last):
  File "/usr/sbin/ipa-managed-entries", line 245, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-managed-entries", line 141, in main
    originFilter = entry_attr['originFilter'][0]
KeyError: 'originFilter'

This is no longer an issue now that it is no longer using the ldif files.

7) What if there are more managed entries in the LDIF? This concept would not work correctly then. A behavior I would expect:
a) User (optionally) passes a directory with managed entries LDIFs
b) ipa-managed-entries analyzes all LDIFs and prints available Managed Entry definitions
c) I would choose the one I want to enable/disable via ipa-managed-entries option

Also no longer an issue.

Martin

Corrected Patch Attached: freeipa-jraquino-0025-Create-Tool-for-Enabling-Disabling-Managed-Entries.patch