Re: [Freeipa-devel] [SSSD] patchwork: Automatic marking of pushed commits
On Sat, Mar 23, 2013 at 05:30:58PM -0400, Simo Sorce wrote: Just a quick note to say I have created[1] a patch to allow automatic marking of patches in patchwork when they are pushed. I have pushed the patch on our patchwork instance. It works by pulling the trees on my patchwork server regularly. Currently this is done by a cronjob that pulls the trees every 10 minutes. I've tested it on a sssd patch and it worked, however it failed for the last 2 freeipa patches. My guess is that they have been slightly changed during the push (whitespaces stripping maybe ?). Hopefully this will reduce the work needed to maintain the patchwork status some. As an aside is anyone interested in me adding support to parse comments in the emails to set patch status ? Patchwork already has some basic support but requires setting mail headers which is not immediate in many MUAs, but I could try to add support for parsing out patchwork commands in the body of the email if it is plain text. This would be nice even if the detection worked for 80% of the cases. I think a simple regex would cover most of the responses. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0041] Add logging to join command
On 03/22/2013 05:40 PM, Tomas Babej wrote: On 03/22/2013 05:10 PM, Tomas Babej wrote: On 03/22/2013 04:51 PM, Petr Viktorin wrote: On 03/13/2013 03:05 PM, Tomas Babej wrote: Hi, The following is mentioned in the server log now: - existence of host entry (if it already does exist) - missing krbprincipalname and its new value (if there was no principal name set) https://fedorahosted.org/freeipa/ticket/3481 Tomas Here is what I get first trying to re-enroll a wiped host first using admin username/password, and then using a saved keytab. The first succeeded, the second didn't. We discussed this with Petr, this is a typo and actually happend in reversed (and correct) order :) [Fri Mar 22 16:17:14.338411 2013] [:error] [pid 21335] ipa: INFO: Host entry for vm-084.idm.lab.eng.brq.redhat.com already exists [Fri Mar 22 16:17:14.367564 2013] [:error] [pid 21335] ipa: INFO: ad...@idm.lab.eng.brq.redhat.com: join(u'vm-084.idm.lab.eng.brq.redhat.com', nshardwareplatform=u'x86_64', nsosversion=u'3.7.4-204.fc18.x86_64', version=u'2.51'): SUCCESS [Fri Mar 22 16:17:35.395626 2013] [:error] [pid 21336] ipa: INFO: Host entry for vm-084.idm.lab.eng.brq.redhat.com already exists [Fri Mar 22 16:17:35.420830 2013] [:error] [pid 21336] ipa: INFO: host/vm-084.idm.lab.eng.brq.redhat@idm.lab.eng.brq.redhat.com: join(u'vm-084.idm.lab.eng.brq.redhat.com', nshardwareplatform=u'x86_64', nsosversion=u'3.7.4-204.fc18.x86_64', version=u'2.51'): SUCCESS [Fri Mar 22 16:17:38.729304 2013] [:error] [pid 21335] ipa: INFO: host/vm-084.idm.lab.eng.brq.redhat@idm.lab.eng.brq.redhat.com: host_mod(u'vm-084.idm.lab.eng.brq.redhat.com', random=False, ipasshpubkey=([...], [...]), rights=False, updatedns=False, all=False, raw=False, version=u'2.54'): SUCCESS [Fri Mar 22 16:17:41.763080 2013] [:error] [pid 21336] ipa: INFO: host/vm-084.idm.lab.eng.brq.redhat@idm.lab.eng.brq.redhat.com: cert_request([...], principal=u'host/vm-084.idm.lab.eng.brq.redhat@idm.lab.eng.brq.redhat.com', add=True, version=u'2.51'): SUCCESS I can see what's going on, but I don't think the admin would be much wiser seeing this. Would we want so say something like Host entry for X already exists; joining may fail on the client side to explain what's going on? I agree with the proposal. Sending updated patch, here's the diff: diff --git a/ipaserver/plugins/join.py b/ipaserver/plugins/join.py index 86d6674..3b66805 100644 --- a/ipaserver/plugins/join.py +++ b/ipaserver/plugins/join.py @@ -101,7 +101,9 @@ class join(Command): dn = attrs_list['dn'] # No error raised so far means that host entry exists -self.log.info('Host entry for %s already exists', hostname) +self.log.info('Host entry for %s already exists, ' + 'joining may fail on the client side ' + 'if not forced', hostname) # If no principal name is set yet we need to try to add # one. ACK from a technical perspective. Attached. Tomas I sent the wrong patch (the previous one) last time. Sorry for the confusion. Tomas ACK -- PetrĀ³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0042] Allow host re-enrollment using delegation
On 03/22/2013 06:17 PM, Tomas Babej wrote: On Fri 22 Mar 2013 05:54:12 PM CET, Rob Crittenden wrote: Petr Viktorin wrote: On 03/18/2013 02:49 PM, Tomas Babej wrote: On 03/18/2013 02:46 PM, Tomas Babej wrote: Hi, A new option --force-join has been added to ipa-client-install. It forces the host enrollment even if the host entry exists. Old certificate is revoked, new certificate and ssh key pair generated. See the relevant design for the re-enrollment part: http://freeipa.org/page/V3/Client_install_using_keytab --force-join is not mentioned there. Since you're adding a new option, you need to document it. What is the difference between force-join and force? All force does is let the install continue if the join fails, so if we're forcing join to succeed too... There's more of different behaviour in ipa-client-install with --force option: - in case of install error, changes are not rolled back - in unattended mode, using --force allows to retrieve the CA cert using HTTP - Kerberos and LDAP settings are forced I'm not against merging the options, It just seemed to me as though they provide support for slightly different use cases. Though, man page for ipa-client-install says about --force option the following: Force the settings even if errors occur. That's true, I think that host reenrollment is quite specific action that deserves special force flag. Additionally, people reenrolling a client may not want the changes above. Thus, I am also for special force flag for this operation. Since Petr already checked the patch works, I am giving second ACK. Pushed to master (as agreed with Tomas, I just updated link to wiki page in commit message). Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH 0129] Harden update-policy processing
Hello, Harden update-policy processing. https://fedorahosted.org/bind-dyndb-ldap/ticket/111 This patch should prevent crashes similar to 'zonesub' problem described in the ticket #111. -- Petr^2 Spacek From 05d73392dc6c0f9f6f7a9e570e4382ccb3c66022 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Mon, 25 Mar 2013 10:52:50 +0100 Subject: [PATCH] Harden update-policy processing. https://fedorahosted.org/bind-dyndb-ldap/ticket/111 Signed-off-by: Petr Spacek pspa...@redhat.com --- src/acl.c | 41 - 1 file changed, 28 insertions(+), 13 deletions(-) diff --git a/src/acl.c b/src/acl.c index ed3bdebcc027f3f5b7b2e9e084cf328ed4f6b1dd..3b5de00f8a40cbc1a876ea2b74e9c2093e48774c 100644 --- a/src/acl.c +++ b/src/acl.c @@ -178,32 +178,48 @@ parse(cfg_parser_t *parser, const char *string, cfg_type_t **type, #define MATCH(string_rep, return_val) \ do {\ if (!strcasecmp(str, string_rep)) { \ - return return_val;\ + *value = return_val;\ + return ISC_R_SUCCESS;\ } \ } while (0) -static isc_boolean_t -get_mode(const cfg_obj_t *obj) +static isc_result_t +get_mode(const cfg_obj_t *obj, isc_boolean_t *value) { const char *str; + if (!cfg_obj_istuple(obj)) { + log_bug(tuple is expected); + return ISC_R_UNEXPECTED; + } obj = cfg_tuple_get(obj, mode); + if (!cfg_obj_isstring(obj)) { + log_bug(mode is not defined); + return ISC_R_UNEXPECTED; + } str = cfg_obj_asstring(obj); MATCH(grant, ISC_TRUE); MATCH(deny, ISC_FALSE); - INSIST(0); - /* Not reached. */ - return ISC_FALSE; + log_bug(unsupported ACL mode '%s', str); + return ISC_R_NOTIMPLEMENTED; } -static unsigned int -get_match_type(const cfg_obj_t *obj) +static isc_result_t +get_match_type(const cfg_obj_t *obj, unsigned int *value) { const char *str; + if (!cfg_obj_istuple(obj)) { + log_bug(tuple is expected); + return ISC_R_UNEXPECTED; + } obj = cfg_tuple_get(obj, matchtype); + if (!cfg_obj_isstring(obj)) { + log_bug(matchtype is not defined); + return ISC_R_UNEXPECTED; + } str = cfg_obj_asstring(obj); MATCH(name, DNS_SSUMATCHTYPE_NAME); @@ -232,9 +248,8 @@ get_match_type(const cfg_obj_t *obj) MATCH(6to4-self, DNS_SSUMATCHTYPE_6TO4SELF); #endif - INSIST(0); - /* Not reached. */ - return DNS_SSUMATCHTYPE_NAME; + log_bug(unsupported match type '%s', str); + return ISC_R_NOTIMPLEMENTED; } static isc_result_t @@ -422,8 +437,8 @@ acl_configure_zone_ssutable(const char *policy_str, dns_zone_t *zone) types = NULL; stmt = cfg_listelt_value(el); - grant = get_mode(stmt); - match_type = get_match_type(stmt); + CHECK(get_mode(stmt, grant)); + CHECK(get_match_type(stmt, match_type)); CHECK(get_fixed_name(stmt, identity, fident)); -- 1.7.11.7 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0041] Add logging to join command
On 03/25/2013 10:30 AM, Petr Viktorin wrote: On 03/22/2013 05:40 PM, Tomas Babej wrote: On 03/22/2013 05:10 PM, Tomas Babej wrote: On 03/22/2013 04:51 PM, Petr Viktorin wrote: On 03/13/2013 03:05 PM, Tomas Babej wrote: Hi, The following is mentioned in the server log now: - existence of host entry (if it already does exist) - missing krbprincipalname and its new value (if there was no principal name set) https://fedorahosted.org/freeipa/ticket/3481 Tomas Here is what I get first trying to re-enroll a wiped host first using admin username/password, and then using a saved keytab. The first succeeded, the second didn't. We discussed this with Petr, this is a typo and actually happend in reversed (and correct) order :) [Fri Mar 22 16:17:14.338411 2013] [:error] [pid 21335] ipa: INFO: Host entry for vm-084.idm.lab.eng.brq.redhat.com already exists [Fri Mar 22 16:17:14.367564 2013] [:error] [pid 21335] ipa: INFO: ad...@idm.lab.eng.brq.redhat.com: join(u'vm-084.idm.lab.eng.brq.redhat.com', nshardwareplatform=u'x86_64', nsosversion=u'3.7.4-204.fc18.x86_64', version=u'2.51'): SUCCESS [Fri Mar 22 16:17:35.395626 2013] [:error] [pid 21336] ipa: INFO: Host entry for vm-084.idm.lab.eng.brq.redhat.com already exists [Fri Mar 22 16:17:35.420830 2013] [:error] [pid 21336] ipa: INFO: host/vm-084.idm.lab.eng.brq.redhat@idm.lab.eng.brq.redhat.com: join(u'vm-084.idm.lab.eng.brq.redhat.com', nshardwareplatform=u'x86_64', nsosversion=u'3.7.4-204.fc18.x86_64', version=u'2.51'): SUCCESS [Fri Mar 22 16:17:38.729304 2013] [:error] [pid 21335] ipa: INFO: host/vm-084.idm.lab.eng.brq.redhat@idm.lab.eng.brq.redhat.com: host_mod(u'vm-084.idm.lab.eng.brq.redhat.com', random=False, ipasshpubkey=([...], [...]), rights=False, updatedns=False, all=False, raw=False, version=u'2.54'): SUCCESS [Fri Mar 22 16:17:41.763080 2013] [:error] [pid 21336] ipa: INFO: host/vm-084.idm.lab.eng.brq.redhat@idm.lab.eng.brq.redhat.com: cert_request([...], principal=u'host/vm-084.idm.lab.eng.brq.redhat@idm.lab.eng.brq.redhat.com', add=True, version=u'2.51'): SUCCESS I can see what's going on, but I don't think the admin would be much wiser seeing this. Would we want so say something like Host entry for X already exists; joining may fail on the client side to explain what's going on? I agree with the proposal. Sending updated patch, here's the diff: diff --git a/ipaserver/plugins/join.py b/ipaserver/plugins/join.py index 86d6674..3b66805 100644 --- a/ipaserver/plugins/join.py +++ b/ipaserver/plugins/join.py @@ -101,7 +101,9 @@ class join(Command): dn = attrs_list['dn'] # No error raised so far means that host entry exists -self.log.info('Host entry for %s already exists', hostname) +self.log.info('Host entry for %s already exists, ' + 'joining may fail on the client side ' + 'if not forced', hostname) # If no principal name is set yet we need to try to add # one. ACK from a technical perspective. Attached. Tomas I sent the wrong patch (the previous one) last time. Sorry for the confusion. Tomas ACK Pushed to master, ipa-3-1. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0078] Use automatic connection management in LDAP modification code to prevent potential deadlock
On Tue, Mar 05, 2013 at 05:24:26PM +0100, Petr Spacek wrote: On 15.10.2012 13:10, Petr Spacek wrote: On 10/09/2012 03:49 PM, Petr Spacek wrote: On 10/09/2012 01:21 PM, Adam Tkac wrote: On Mon, Oct 08, 2012 at 04:46:54PM +0200, Petr Spacek wrote: Hello, Use automatic connection management in LDAP modification code to prevent potential deadlock. Without this patch the plugin will deadlock when modify_ldap_common() is called with PTR synchronization enabled and only single connection is available in the connection pool. Nack If I read the patch correctly, it leaves unused ldap_conn parameters in ldap_modify_do() and modify_soa_record() functions. Those params are always NULL so they can be safely removed. Please also remove the autoconn variable from ldap_modify_do() My intent was to keep the same connection management abilities as are in ldap_query(): You can avoid repetitive ldap_pool_get/putconnection() calls by passing connection via parameter. I can remove it if it isn't worth. (Actually *_modify_*() functions do not use this capability now.) I forgot to send the patch after our discussion on IRC. Attached patch removes unused parameters. Patch rebased on top of master branch. No functional changes. Ack. From 9af7dae883b6f014fdcb5aee8394ad5d8f87aab9 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Tue, 5 Mar 2013 17:10:06 +0100 Subject: [PATCH] Use automatic connection management in LDAP modification code to prevent potential deadlock. Without this patch the plugin could deadlock when modify_ldap_common() is called with PTR synchronization enabled and only single connection is available in the connection pool. Signed-off-by: Petr Spacek pspa...@redhat.com --- src/ldap_helper.c | 54 +++--- 1 file changed, 23 insertions(+), 31 deletions(-) diff --git a/src/ldap_helper.c b/src/ldap_helper.c index c5c8245ecd664f038781fc98f4b5756ceff87c2e..3ed4a44e043ce98a5503ad351f4e8a91116d5ac3 100644 --- a/src/ldap_helper.c +++ b/src/ldap_helper.c @@ -312,8 +312,7 @@ static void ldap_query_free(isc_boolean_t prepare_reuse, ldap_qresult_t **ldap_q /* Functions for writing to LDAP. */ static isc_result_t ldap_modify_do(ldap_instance_t *ldap_inst, - ldap_connection_t *ldap_conn, const char *dn, LDAPMod **mods, - isc_boolean_t delete_node); + const char *dn, LDAPMod **mods, isc_boolean_t delete_node); static isc_result_t ldap_rdttl_to_ldapmod(isc_mem_t *mctx, dns_rdatalist_t *rdlist, LDAPMod **changep); static isc_result_t ldap_rdatalist_to_ldapmod(isc_mem_t *mctx, @@ -2472,31 +2471,19 @@ reconnect: } static isc_result_t -ldap_modify_do(ldap_instance_t *ldap_inst, ldap_connection_t *ldap_conn, - const char *dn, LDAPMod **mods, isc_boolean_t delete_node) +ldap_modify_do(ldap_instance_t *ldap_inst, const char *dn, LDAPMod **mods, + isc_boolean_t delete_node) { int ret; int err_code; const char *operation_str; isc_result_t result; - isc_boolean_t autoconn = (ldap_conn == NULL); + ldap_connection_t *ldap_conn = NULL; REQUIRE(dn != NULL); REQUIRE(mods != NULL); REQUIRE(ldap_inst != NULL); - if (autoconn) - CHECK(ldap_pool_getconnection(ldap_inst-pool, ldap_conn)); - - if (ldap_conn-handle == NULL) { - /* - * handle can be NULL when the first connection to LDAP wasn't - * successful - * TODO: handle this case inside ldap_pool_getconnection()? - */ - CHECK(ldap_connect(ldap_inst, ldap_conn, ISC_FALSE)); - } - /* Any mod_op can be ORed with LDAP_MOD_BVALUES. */ if ((mods[0]-mod_op ~LDAP_MOD_BVALUES) == LDAP_MOD_ADD) operation_str = modifying(add); @@ -2507,7 +2494,17 @@ ldap_modify_do(ldap_instance_t *ldap_inst, ldap_connection_t *ldap_conn, else { operation_str = modifying(unknown operation); log_bug(%s: 0x%x, operation_str, mods[0]-mod_op); - CHECK(ISC_R_NOTIMPLEMENTED); + CLEANUP_WITH(ISC_R_NOTIMPLEMENTED); + } + + CHECK(ldap_pool_getconnection(ldap_inst-pool, ldap_conn)); + if (ldap_conn-handle == NULL) { + /* + * handle can be NULL when the first connection to LDAP wasn't + * successful + * TODO: handle this case inside ldap_pool_getconnection()? + */ + CHECK(ldap_connect(ldap_inst, ldap_conn, ISC_FALSE)); } if (delete_node) { @@ -2569,8 +2566,7 @@ ldap_modify_do(ldap_instance_t *ldap_inst, ldap_connection_t *ldap_conn, result = ISC_R_FAILURE; } cleanup: - if (autoconn) - ldap_pool_putconnection(ldap_inst-pool, ldap_conn); +
Re: [Freeipa-devel] [PATCH 0121] Fix crash during invalid zone reload process
On Thu, Mar 21, 2013 at 02:19:10PM +0100, Petr Spacek wrote: Hello, Fix crash during invalid zone reload process. This bug was created during settings refactoring and is present only in master, not in v2 branch. Ack From 79594a484f30c6677dd901e7f8285719e31bab6b Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Thu, 21 Mar 2013 14:13:57 +0100 Subject: [PATCH] Fix crash during invalid zone reload process. Signed-off-by: Petr Spacek pspa...@redhat.com --- src/ldap_helper.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/ldap_helper.c b/src/ldap_helper.c index 6f21b8407e8c01a98ae5b6f916c964432c651fd5..7ac5ceda26cd9d734f94d9195388db879be1959e 100644 --- a/src/ldap_helper.c +++ b/src/ldap_helper.c @@ -3503,7 +3503,7 @@ update_record(isc_task_t *task, isc_event_t *event) ldapdb_rdatalist_t rdatalist; /* Convert domain name from text to struct dns_name_t. */ - settings_set_t *zone_settings = NULL; + settings_set_t *zone_settings; dns_name_t name; dns_name_t origin; dns_name_t prevname; @@ -3569,6 +3569,7 @@ update_restart: /* Do not bump serial during initial database dump. */ if (PSEARCH_ANY(pevent-chgtype)) { + zone_settings = NULL; CHECK(zr_get_zone_settings(inst-zone_register, origin, zone_settings)); CHECK(setting_get_bool(serial_autoincrement, zone_settings, serial_autoincrement)); -- 1.7.11.7 -- Adam Tkac, Red Hat, Inc. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 271, 272 Added Web UI support for service PAC type option: NONE
On 03/15/2013 11:47 PM, Endi Sukma Dewata wrote: On 3/7/2013 7:37 AM, Petr Vobornik wrote: Ideally it should be generic enough to combine any widgets. This might be a common scenario somewhere else: Something: ( ) Option 1 ( ) Option 2 (o) Other: [something else ] This design has a flaw: https://fedorahosted.org/freeipa/ticket/3404#comment:5 I think this one makes the most sense to me: PAC Types: ( ) Inherited setting: ... inherited values ... (o) Override inherited setting [ ] MS-PAC [ ] PAD It looks like the NONE option is identical to not using the inherited values but also not selecting any new values, so we don't actually need a separate radio button for NONE because it can be represented by the above UI without redundancy. We just need better labels to explain the radio buttons. Maybe someone can come up with better labels than these. I implemented following design: https://fedorahosted.org/freeipa/ticket/3404#comment:7 It works but I can't imagine how it would look if we have more than two PAC types. I don't think we want to list every possible combinations. The above design is more future proof. You are right. Patch attached (255-1). I have a dilemma. I practically implemented the previous design (and then I've found the flaw..). Patches attached as wip-fre... I wonder if we can use it somehow or we should ditch it. Reimplemented ^^ to match your proposal. Attaching as patches with new numbers (271,272) as they don't have much common with the original patch. -- Petr Vobornik From 5c1b323629fd97014aae1d5c0e6b991aff59003d Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Fri, 22 Mar 2013 17:53:04 +0100 Subject: [PATCH] Nestable checkbox/radio widget New component: option_widget_base. It's not a regular widget but it share some of its characteristics. It should extend regular widget or it can be nested in itself alone. checkbox_widget, checkboxes_widget, radio_widget were modified to use it. Built as a prerequisite for: https://fedorahosted.org/freeipa/ticket/3404 --- install/ui/ipa.css | 15 + install/ui/src/freeipa/aci.js| 15 +- install/ui/src/freeipa/rule.js | 3 +- install/ui/src/freeipa/widget.js | 646 ++- 4 files changed, 463 insertions(+), 216 deletions(-) diff --git a/install/ui/ipa.css b/install/ui/ipa.css index 71cad4206fd0780d6578846827922ec4edb56458..3e443d54ecef523c7a47cfaec91bedd9bc3006e8 100644 --- a/install/ui/ipa.css +++ b/install/ui/ipa.css @@ -1294,6 +1294,21 @@ table.scrollable tbody { width: 400px; } +.option_widget { +list-style-type: none; +margin: 0; +padding: 0; +} + +.option_widget.nested { +padding-left: 40px; +} + +.option_widget.inline, +.option_widget.inline li { +display: inline; +} + .combobox-widget-input { display: inline-block; position: relative; diff --git a/install/ui/src/freeipa/aci.js b/install/ui/src/freeipa/aci.js index 383848ec635985a9582418ef4a1bb2a26dac9c36..b6825d136333169fe46b43512401f84eb5d05e85 100644 --- a/install/ui/src/freeipa/aci.js +++ b/install/ui/src/freeipa/aci.js @@ -477,7 +477,7 @@ IPA.attributes_widget = function(spec) { 'class': 'aci-attribute-table-container' }).appendTo(container); -that.table = $('table/', { +that.$node = that.table = $('table/', { id:id, 'class':'search-table aci-attribute-table scrollable' }). @@ -520,9 +520,12 @@ IPA.attributes_widget = function(spec) { var tr = $('tr/').appendTo(tbody); var td = $('td/').appendTo(tr); +var name = that.get_input_name(); +var id = that.option_next_id + name; td.append($('input/',{ +id: id, type: 'checkbox', -name: that.name, +name: name, value: value, 'class': 'aci-attribute', change: function() { @@ -531,8 +534,10 @@ IPA.attributes_widget = function(spec) { })); td = $('td/').appendTo(tr); td.append($('label/',{ -text: value +text: value, +'for': id })); +that.new_option_id(); } }; @@ -553,7 +558,7 @@ IPA.attributes_widget = function(spec) { that.populate(that.object_type); that.append(); -that.checkboxes_update(values); +that.owb_update(values); }; that.populate = function(object_type) { @@ -567,6 +572,7 @@ IPA.attributes_widget = function(spec) { var aciattrs = metadata.aciattrs; +that.options = that.prepare_options(aciattrs); that.create_options(aciattrs); }; @@ -585,6 +591,7 @@ IPA.attributes_widget = function(spec) { } if (unmatched.length 0 !that.skip_unmatched) { +
Re: [Freeipa-devel] [PATCH 0078] Use automatic connection management in LDAP modification code to prevent potential deadlock
On 25.3.2013 11:17, Adam Tkac wrote: On Tue, Mar 05, 2013 at 05:24:26PM +0100, Petr Spacek wrote: On 15.10.2012 13:10, Petr Spacek wrote: On 10/09/2012 03:49 PM, Petr Spacek wrote: On 10/09/2012 01:21 PM, Adam Tkac wrote: On Mon, Oct 08, 2012 at 04:46:54PM +0200, Petr Spacek wrote: Hello, Use automatic connection management in LDAP modification code to prevent potential deadlock. Without this patch the plugin will deadlock when modify_ldap_common() is called with PTR synchronization enabled and only single connection is available in the connection pool. Nack If I read the patch correctly, it leaves unused ldap_conn parameters in ldap_modify_do() and modify_soa_record() functions. Those params are always NULL so they can be safely removed. Please also remove the autoconn variable from ldap_modify_do() My intent was to keep the same connection management abilities as are in ldap_query(): You can avoid repetitive ldap_pool_get/putconnection() calls by passing connection via parameter. I can remove it if it isn't worth. (Actually *_modify_*() functions do not use this capability now.) I forgot to send the patch after our discussion on IRC. Attached patch removes unused parameters. Patch rebased on top of master branch. No functional changes. Ack. Pushed to master: 7b8ebb8cf459991d20297913b9abb756981201bb This patch fixes https://fedorahosted.org/bind-dyndb-ldap/ticket/113 in master branch, v2 branch needs a bit different approach. -- Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [WIP][PATCH] 120 Add Kerberos ticket flags management to service and host plugins
On 03/18/2013 12:38 PM, Jan Cholasta wrote: Hi, this patch implements https://fedorahosted.org/freeipa/ticket/3329. Because the design is not finished yet, this is a minimal implementation - it uses the krbTicketFlags attribute directly (which means no delegation of rights to modify specific flags to specific admins) and there is no support for per-service type default values. Honza I checked what you have already and this is what I found: 1) Internal error if I try to remove krbticketflags via *attr functions: # ipa service-add foo/`hostname` --setattr=krbticketflags=None ipa: ERROR: an internal error has occurred # ipa service-add foo/`hostname` Added service foo/vm-037.idm.lab.bos.redhat@idm.lab.bos.redhat.com # ipa service-mod foo/`hostname` --setattr=krbticketflags=None ipa: ERROR: an internal error has occurred 2) The RFE page needs updating, it does not reflect current reality. AFAIU, the only thing that's left to be decided is the granularity of the ACIs used to control this flag. Otherwise, the patch works fine. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0120] Fix automatic reloading of invalid zone after each change in zone data
On Thu, Mar 21, 2013 at 01:38:42PM +0100, Petr Spacek wrote: Hello, Fix automatic reloading of invalid zone after each change in zone data. Reload wasn't done when serial_autoincrement feature was disabled. https://fedorahosted.org/bind-dyndb-ldap/ticket/102 Ack. But before the push, please add explicit comment to ldap_get_zone_serial() call that the only reason of this call is to return ISC_R_SUCCESS in case the zone is loaded or DNS_R_NOTLOADED in case it isn't. I studied the patch for more then 15 minutes before I figured this. Thanks, Adam From 1700a5d7dbf6c36ce235091a449e13a5e18fbb8b Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Thu, 21 Mar 2013 13:35:17 +0100 Subject: [PATCH] Fix automatic reloading of invalid zone after each change in zone data. Reload wasn't done when serial_autoincrement feature was disabled. https://fedorahosted.org/bind-dyndb-ldap/ticket/102 Signed-off-by: Petr Spacek pspa...@redhat.com --- src/ldap_helper.c | 7 +++ 1 file changed, 7 insertions(+) diff --git a/src/ldap_helper.c b/src/ldap_helper.c index c10a23929c1536961a37d18e68d0669aa26539de..6f21b8407e8c01a98ae5b6f916c964432c651fd5 100644 --- a/src/ldap_helper.c +++ b/src/ldap_helper.c @@ -3572,8 +3572,15 @@ update_restart: CHECK(zr_get_zone_settings(inst-zone_register, origin, zone_settings)); CHECK(setting_get_bool(serial_autoincrement, zone_settings, serial_autoincrement)); + + /* Serial autoincrement does zone state check implicitly. + * Do explicit state check if serial autoincrement is disabled. */ if (serial_autoincrement) CHECK(soa_serial_increment(mctx, inst, origin)); + else { + isc_uint32_t dummy; + CHECK(ldap_get_zone_serial(inst, origin, dummy)); + } } cleanup: -- 1.7.11.7 -- Adam Tkac, Red Hat, Inc. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0122] Log successful zone reload after record change.
On Thu, Mar 21, 2013 at 02:45:11PM +0100, Petr Spacek wrote: Hello, Log successful zone reload after record change. This should be last piece of https://fedorahosted.org/bind-dyndb-ldap/ticket/102 Ack From 06c414c2922bb09c18afd9fadc52b2b0f4529f90 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Thu, 21 Mar 2013 14:43:56 +0100 Subject: [PATCH] Log successful zone reload after record change. Signed-off-by: Petr Spacek pspa...@redhat.com --- src/ldap_helper.c | 19 ++- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/src/ldap_helper.c b/src/ldap_helper.c index 7ac5ceda26cd9d734f94d9195388db879be1959e..72105e6093cea7b0bc9fdfc96229afded7650dce 100644 --- a/src/ldap_helper.c +++ b/src/ldap_helper.c @@ -3494,6 +3494,7 @@ update_record(isc_task_t *task, isc_event_t *event) dns_zone_t *zone_ptr = NULL; isc_boolean_t zone_found = ISC_FALSE; isc_boolean_t zone_reloaded = ISC_FALSE; + isc_uint32_t serial; mctx = pevent-mctx; UNUSED(task); @@ -3579,8 +3580,7 @@ update_restart: if (serial_autoincrement) CHECK(soa_serial_increment(mctx, inst, origin)); else { - isc_uint32_t dummy; - CHECK(ldap_get_zone_serial(inst, origin, dummy)); + CHECK(ldap_get_zone_serial(inst, origin, serial)); } } @@ -3594,16 +3594,23 @@ cleanup: result = zr_get_zone_ptr(inst-zone_register, origin, zone_ptr); if (result == ISC_R_SUCCESS) result = dns_zone_load(zone_ptr); - if (zone_ptr != NULL) - dns_zone_detach(zone_ptr); if (result == ISC_R_SUCCESS || result == DNS_R_UPTODATE || result == DNS_R_DYNAMIC || result == DNS_R_CONTINUE) { /* zone reload succeeded, fire current event again */ log_debug(1, restarting update_record after zone reload caused by change in '%s', pevent-dn); zone_reloaded = ISC_TRUE; - goto update_restart; + result = dns_zone_getserial2(zone_ptr, serial); + if (result == ISC_R_SUCCESS) { + dns_zone_log(zone_ptr, ISC_LOG_INFO, + reloaded serial %u, serial); + goto update_restart; + } else { + dns_zone_log(zone_ptr, ISC_LOG_ERROR, + could not get serial after + reload); + } } else { log_error_r(unable to reload invalid zone; reload triggered by change in '%s', @@ -3617,6 +3624,8 @@ cleanup: pevent-dn, pevent-chgtype); } + if (zone_ptr != NULL) + dns_zone_detach(zone_ptr); if (dns_name_dynamic(name)) dns_name_free(name, inst-mctx); if (dns_name_dynamic(prevname)) -- 1.7.11.7 -- Adam Tkac, Red Hat, Inc. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0127] Remove orphaned function declaration from ldap_helper.h
On Fri, Mar 22, 2013 at 01:06:12PM +0100, Petr Spacek wrote: Hello, Remove orphaned function declaration from ldap_helper.h. Ack From 9129f3963c8a7d603c02c5a8ea1ce3f08182541f Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Fri, 22 Mar 2013 13:04:29 +0100 Subject: [PATCH] Remove orphaned function declaration from ldap_helper.h. Signed-off-by: Petr Spacek pspa...@redhat.com --- src/ldap_helper.h | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/ldap_helper.h b/src/ldap_helper.h index fe54687fa1e8ec16d83105e08e1a17cdec68614e..2eb7c7600f45542d92f01dbc878f4862606ade8a 100644 --- a/src/ldap_helper.h +++ b/src/ldap_helper.h @@ -94,9 +94,6 @@ isc_result_t write_to_ldap(dns_name_t *owner, ldap_instance_t *ldap_inst, isc_result_t remove_from_ldap(dns_name_t *owner, ldap_instance_t *ldap_inst, dns_rdatalist_t *rdlist, isc_boolean_t delete_node); -/* Get cache associated with ldap_inst */ -ldap_cache_t *ldap_instance_getcache(ldap_instance_t *ldap_inst); - settings_set_t * ldap_instance_getsettings_local(ldap_instance_t *ldap_inst); #endif /* !_LD_LDAP_HELPER_H_ */ -- 1.7.11.7 -- Adam Tkac, Red Hat, Inc. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0117] Fix crash caused by invalid query/transfer policy
On Mon, Mar 04, 2013 at 02:22:34PM +0100, Petr Spacek wrote: Hello, Fix crash caused by invalid query/transfer policy. Please double-check correctness. The ISC parser is really complex beast! Thank you. Ack From 41061726684211924e453f74d1db3bec6c2e32d6 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Mon, 4 Mar 2013 14:20:56 +0100 Subject: [PATCH] Fix crash caused by invalid query/transfer policy. Signed-off-by: Petr Spacek pspa...@redhat.com --- src/acl.c | 45 +++-- 1 file changed, 35 insertions(+), 10 deletions(-) diff --git a/src/acl.c b/src/acl.c index f95cf431b6363d82085e9cfec7e6c1d6ddd45d7a..076a50375ae1fd132c143aa96379f7c80cc78cb8 100644 --- a/src/acl.c +++ b/src/acl.c @@ -71,6 +71,19 @@ static cfg_type_t *allow_query; static cfg_type_t *allow_transfer; static cfg_type_t *forwarders; +/* Following definitions are necessary for context (map configuration object) + * required during ACL parsing. */ +static cfg_clausedef_t * empty_map_clausesets[] = { + NULL +}; + +static cfg_type_t cfg_type_empty_map = { + empty_map, cfg_parse_map, cfg_print_map, cfg_doc_map, cfg_rep_map, + empty_map_clausesets +}; + +static cfg_type_t *empty_map_p = cfg_type_empty_map; + static cfg_type_t * get_type_from_tuplefield(const cfg_type_t *cfg_type, const char *name) { @@ -469,44 +482,56 @@ acl_from_ldap(isc_mem_t *mctx, const char *aclstr, acl_type_t type, cfg_parser_t *parser = NULL; cfg_obj_t *aclobj = NULL; cfg_aclconfctx_t *aclctx = NULL; + /* ACL parser requires configuration context. The parser looks for + * undefined names in this context. We create empty context (map type), + * i.e. only built-in named lists any, none etc. are supported. */ + cfg_obj_t *cctx = NULL; + cfg_parser_t *parser_empty = NULL; REQUIRE(aclp != NULL *aclp == NULL); CHECK(bracket_str(mctx, aclstr, new_aclstr)); CHECK(cfg_parser_create(mctx, dns_lctx, parser)); + CHECK(cfg_parser_create(mctx, dns_lctx, parser_empty)); + CHECK(parse(parser_empty, {}, empty_map_p, cctx)); + switch (type) { case acl_type_query: - result = parse(parser, str_buf(new_aclstr), allow_query, -aclobj); + CHECK(parse(parser, str_buf(new_aclstr), allow_query, + aclobj)); break; case acl_type_transfer: - result = parse(parser, str_buf(new_aclstr), allow_transfer, -aclobj); + CHECK(parse(parser, str_buf(new_aclstr), allow_transfer, + aclobj)); break; default: /* This is a bug */ REQUIRE(Unhandled ACL type in acl_from_ldap == NULL); } - if (result != ISC_R_SUCCESS) { - log_error(Failed to parse ACL (%s), aclstr); - goto cleanup; - } - CHECK(cfg_aclconfctx_create(mctx, aclctx)); - CHECK(cfg_acl_fromconfig(aclobj, NULL, dns_lctx, aclctx, mctx, 0, acl)); + CHECK(cfg_acl_fromconfig(aclobj, cctx, dns_lctx, aclctx, mctx, 0, acl)); *aclp = acl; result = ISC_R_SUCCESS; cleanup: + if (result != ISC_R_SUCCESS) + log_error_r(%s ACL parsing failed: '%s', + type == acl_type_query ? query : transfer, + aclstr); + if (aclctx != NULL) cfg_aclconfctx_detach(aclctx); if (aclobj != NULL) cfg_obj_destroy(parser, aclobj); if (parser != NULL) cfg_parser_destroy(parser); + if (cctx != NULL) + cfg_obj_destroy(parser_empty, cctx); + if (parser_empty != NULL) + cfg_parser_destroy(parser_empty); str_destroy(new_aclstr); return result; -- 1.7.11.7 -- Adam Tkac, Red Hat, Inc. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0128] Fix crash caused by 'zonesub' match-type in update ACL
On Fri, Mar 22, 2013 at 02:51:03PM +0100, Petr Spacek wrote: On 22.3.2013 14:26, Petr Spacek wrote: Hello, Fix crash caused by 'zonesub' match-type in update ACL. Next patchset will improve overall error handling in ACL processing. I forgot to check return value from dns_name_copy(). Fixed patch is attached. Ack From a76a7a2899e1e8b4335c012271f607e438ef0218 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Fri, 22 Mar 2013 13:54:39 +0100 Subject: [PATCH] Fix crash caused by 'zonesub' match-type in update ACL. Signed-off-by: Petr Spacek pspa...@redhat.com --- src/acl.c | 23 ++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/src/acl.c b/src/acl.c index f95cf431b6363d82085e9cfec7e6c1d6ddd45d7a..ed3bdebcc027f3f5b7b2e9e084cf328ed4f6b1dd 100644 --- a/src/acl.c +++ b/src/acl.c @@ -208,6 +208,7 @@ get_match_type(const cfg_obj_t *obj) MATCH(name, DNS_SSUMATCHTYPE_NAME); MATCH(subdomain, DNS_SSUMATCHTYPE_SUBDOMAIN); + MATCH(zonesub, DNS_SSUMATCHTYPE_SUBDOMAIN); MATCH(wildcard, DNS_SSUMATCHTYPE_WILDCARD); MATCH(self, DNS_SSUMATCHTYPE_SELF); #if defined(DNS_SSUMATCHTYPE_SELFSUB) defined(DNS_SSUMATCHTYPE_SELFWILD) @@ -246,8 +247,16 @@ get_fixed_name(const cfg_obj_t *obj, const char *name, dns_fixedname_t *fname) REQUIRE(fname != NULL); + if (!cfg_obj_istuple(obj)) { + log_bug(configuration object is not a tuple); + return ISC_R_UNEXPECTED; + } obj = cfg_tuple_get(obj, name); + + if (!cfg_obj_isstring(obj)) + return ISC_R_NOTFOUND; str = cfg_obj_asstring(obj); + len = strlen(str); isc_buffer_init(buf, str, len); @@ -417,7 +426,19 @@ acl_configure_zone_ssutable(const char *policy_str, dns_zone_t *zone) match_type = get_match_type(stmt); CHECK(get_fixed_name(stmt, identity, fident)); - CHECK(get_fixed_name(stmt, name, fname)); + + /* Use zone name for 'zonesub' match type */ + result = get_fixed_name(stmt, name, fname); + if (result == ISC_R_NOTFOUND + match_type == DNS_SSUMATCHTYPE_SUBDOMAIN) { + dns_fixedname_init(fname); + CHECK(dns_name_copy(dns_zone_getorigin(zone), + dns_fixedname_name(fname), + fname.buffer)); + } + else if (result != ISC_R_SUCCESS) + goto cleanup; + CHECK(get_types(mctx, stmt, types, n)); if (match_type == DNS_SSUMATCHTYPE_WILDCARD -- 1.7.11.7 -- Adam Tkac, Red Hat, Inc. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0120] Fix automatic reloading of invalid zone after each change in zone data
On 25.3.2013 15:49, Adam Tkac wrote: On Thu, Mar 21, 2013 at 01:38:42PM +0100, Petr Spacek wrote: Hello, Fix automatic reloading of invalid zone after each change in zone data. Reload wasn't done when serial_autoincrement feature was disabled. https://fedorahosted.org/bind-dyndb-ldap/ticket/102 Ack. But before the push, please add explicit comment to ldap_get_zone_serial() call that the only reason of this call is to return ISC_R_SUCCESS in case the zone is loaded or DNS_R_NOTLOADED in case it isn't. I studied the patch for more then 15 minutes before I figured this. I clarified the comment and pushed it to git. V2 branch contains rebased version of the patch. master: 9e7780b067b5d6b4ca74a3cdd0e88a97f3bd84c7 v2: 1c6373b2f8952b76cb8b93ed8cba8d444d129049 -- Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0121] Fix crash during invalid zone reload process
On 25.3.2013 11:25, Adam Tkac wrote: On Thu, Mar 21, 2013 at 02:19:10PM +0100, Petr Spacek wrote: Hello, Fix crash during invalid zone reload process. This bug was created during settings refactoring and is present only in master, not in v2 branch. Ack Pushed to master: da4322499fb60549241aa6c529b6ff4f245266a1 V2 branch is unaffected by this bug. -- Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0130] Add support for 'external' match-type in update-policy
On Mon, Mar 25, 2013 at 12:13:26PM +0100, Petr Spacek wrote: Hello, Add support for 'external' match-type in update-policy. Ack From 00ce71c81d2f486ca193acfd3174dc04e612c901 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Mon, 25 Mar 2013 12:12:52 +0100 Subject: [PATCH] Add support for 'external' match-type in update-policy. Signed-off-by: Petr Spacek pspa...@redhat.com --- src/acl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/acl.c b/src/acl.c index 3b5de00f8a40cbc1a876ea2b74e9c2093e48774c..4614d39a38655377a90a588357e82539ffc00330 100644 --- a/src/acl.c +++ b/src/acl.c @@ -247,6 +247,9 @@ get_match_type(const cfg_obj_t *obj, unsigned int *value) MATCH(tcp-self, DNS_SSUMATCHTYPE_TCPSELF); MATCH(6to4-self, DNS_SSUMATCHTYPE_6TO4SELF); #endif +#if defined(DNS_SSUMATCHTYPE_EXTERNAL) + MATCH(external, DNS_SSUMATCHTYPE_EXTERNAL); +#endif log_bug(unsupported match type '%s', str); return ISC_R_NOTIMPLEMENTED; -- 1.7.11.7 -- Adam Tkac, Red Hat, Inc. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0122] Log successful zone reload after record change.
On 25.3.2013 15:56, Adam Tkac wrote: On Thu, Mar 21, 2013 at 02:45:11PM +0100, Petr Spacek wrote: Hello, Log successful zone reload after record change. This should be last piece of https://fedorahosted.org/bind-dyndb-ldap/ticket/102 Ack Pushed to master: 960bcfb93e8e8e5236d8047986dc589e793b3aca v2: 6a69cbc2a4502174c051c82c538eb88b9d9a64e0 -- Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0129] Harden update-policy processing
On Mon, Mar 25, 2013 at 10:56:05AM +0100, Petr Spacek wrote: Hello, Harden update-policy processing. https://fedorahosted.org/bind-dyndb-ldap/ticket/111 This patch should prevent crashes similar to 'zonesub' problem described in the ticket #111. Ack From 05d73392dc6c0f9f6f7a9e570e4382ccb3c66022 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Mon, 25 Mar 2013 10:52:50 +0100 Subject: [PATCH] Harden update-policy processing. https://fedorahosted.org/bind-dyndb-ldap/ticket/111 Signed-off-by: Petr Spacek pspa...@redhat.com --- src/acl.c | 41 - 1 file changed, 28 insertions(+), 13 deletions(-) diff --git a/src/acl.c b/src/acl.c index ed3bdebcc027f3f5b7b2e9e084cf328ed4f6b1dd..3b5de00f8a40cbc1a876ea2b74e9c2093e48774c 100644 --- a/src/acl.c +++ b/src/acl.c @@ -178,32 +178,48 @@ parse(cfg_parser_t *parser, const char *string, cfg_type_t **type, #define MATCH(string_rep, return_val) \ do {\ if (!strcasecmp(str, string_rep)) { \ - return return_val; \ + *value = return_val;\ + return ISC_R_SUCCESS; \ } \ } while (0) -static isc_boolean_t -get_mode(const cfg_obj_t *obj) +static isc_result_t +get_mode(const cfg_obj_t *obj, isc_boolean_t *value) { const char *str; + if (!cfg_obj_istuple(obj)) { + log_bug(tuple is expected); + return ISC_R_UNEXPECTED; + } obj = cfg_tuple_get(obj, mode); + if (!cfg_obj_isstring(obj)) { + log_bug(mode is not defined); + return ISC_R_UNEXPECTED; + } str = cfg_obj_asstring(obj); MATCH(grant, ISC_TRUE); MATCH(deny, ISC_FALSE); - INSIST(0); - /* Not reached. */ - return ISC_FALSE; + log_bug(unsupported ACL mode '%s', str); + return ISC_R_NOTIMPLEMENTED; } -static unsigned int -get_match_type(const cfg_obj_t *obj) +static isc_result_t +get_match_type(const cfg_obj_t *obj, unsigned int *value) { const char *str; + if (!cfg_obj_istuple(obj)) { + log_bug(tuple is expected); + return ISC_R_UNEXPECTED; + } obj = cfg_tuple_get(obj, matchtype); + if (!cfg_obj_isstring(obj)) { + log_bug(matchtype is not defined); + return ISC_R_UNEXPECTED; + } str = cfg_obj_asstring(obj); MATCH(name, DNS_SSUMATCHTYPE_NAME); @@ -232,9 +248,8 @@ get_match_type(const cfg_obj_t *obj) MATCH(6to4-self, DNS_SSUMATCHTYPE_6TO4SELF); #endif - INSIST(0); - /* Not reached. */ - return DNS_SSUMATCHTYPE_NAME; + log_bug(unsupported match type '%s', str); + return ISC_R_NOTIMPLEMENTED; } static isc_result_t @@ -422,8 +437,8 @@ acl_configure_zone_ssutable(const char *policy_str, dns_zone_t *zone) types = NULL; stmt = cfg_listelt_value(el); - grant = get_mode(stmt); - match_type = get_match_type(stmt); + CHECK(get_mode(stmt, grant)); + CHECK(get_match_type(stmt, match_type)); CHECK(get_fixed_name(stmt, identity, fident)); -- 1.7.11.7 -- Adam Tkac, Red Hat, Inc. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0117] Fix crash caused by invalid query/transfer policy
On 25.3.2013 16:08, Adam Tkac wrote: On Mon, Mar 04, 2013 at 02:22:34PM +0100, Petr Spacek wrote: Hello, Fix crash caused by invalid query/transfer policy. Please double-check correctness. The ISC parser is really complex beast! Thank you. Ack Pushed to master: 8e7ab08b06fe303914b94f42a91467ca5e77f299 v2: 654971e45872471b800fa3f5afd7f7f383d168e9 -- Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0128] Fix crash caused by 'zonesub' match-type in update ACL
On 25.3.2013 16:11, Adam Tkac wrote: On Fri, Mar 22, 2013 at 02:51:03PM +0100, Petr Spacek wrote: On 22.3.2013 14:26, Petr Spacek wrote: Hello, Fix crash caused by 'zonesub' match-type in update ACL. Next patchset will improve overall error handling in ACL processing. I forgot to check return value from dns_name_copy(). Fixed patch is attached. Ack Pushed to master: 7e0976cb448acfbcaa61d36101a01dc48281dab5 v2: 55b623b947b8bef1eb31ad6cd4efe1b846c036c4 -- Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0129] Harden update-policy processing
On 25.3.2013 16:15, Adam Tkac wrote: On Mon, Mar 25, 2013 at 10:56:05AM +0100, Petr Spacek wrote: Hello, Harden update-policy processing. https://fedorahosted.org/bind-dyndb-ldap/ticket/111 This patch should prevent crashes similar to 'zonesub' problem described in the ticket #111. Ack Pushed to master: 995c719205265600bfc548c539cfc99dab1bfdc7 v2: 7ba79d000b508a229fd66103b2da74bef9007548 -- Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0130] Add support for 'external' match-type in update-policy
On 25.3.2013 16:16, Adam Tkac wrote: On Mon, Mar 25, 2013 at 12:13:26PM +0100, Petr Spacek wrote: Hello, Add support for 'external' match-type in update-policy. Ack Pushed to master: 1fc8af6c0a5408db1766386ca82b5ff5fe01ac10 v2: 6fd6222d53ba32122aa1f5bb36db43fab3653d09 -- Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0127] Remove orphaned function declaration from ldap_helper.h
On 25.3.2013 15:56, Adam Tkac wrote: On Fri, Mar 22, 2013 at 01:06:12PM +0100, Petr Spacek wrote: Hello, Remove orphaned function declaration from ldap_helper.h. Ack Pushed to master: eb7c5e436b4c7493c47bd9e7e5d394a8042afa5d V2 branch is not affected. -- Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 0100 Enumerate UPN suffixes in ipasam
Hi, following patch allows to enumerate UPN suffixes associated with IPA domain and make them available to AD domain we trust. The patch relies on PASSDB API expansion I'm working on and as such requires Samba built with the change. You can find F18 scratch build at http://koji.fedoraproject.org/koji/taskinfo?taskID=5168969, these patches will be submitted to Samba upstream this week. In the patch I'm filtering out our own DNS domain since its value will be added by Samba by default -- if PASSDB module does not provide the function, its absence will be ignored in the new API. Filtering out is done by freeing the string and moving empty item to last position in the array, reducing the array size but not resizing it -- talloc will hardly win anything from resizing one (char *) pointer and actual lifetime of the array is until the packet is sent so it is acceptable. In order to test the patch, you need updated Samba, then rebuild FreeIPA packages. Once installed and configured, UPN suffixes can be managed via 'ipa realmdomains-mod --{add,dell}-domain' commands. These domains will be exposed to Windows. When you added realm domains, an attempt to establish trust will cause Windows to ask for name suffixes and Samba will serve expanded list of them via netr_GetTrustInformation (opnum 44). In Samba code I've also implemented partially opnum 43 which is giving out the same information via DsRGetTrustInformation but so far Windows AD DC haven't actually tried to use opnum 43. Additionally, you can request Windows to update list of name suffixes via UI. Here is how it looks in Windows 2012 Server: http://abbra.fedorapeople.org/.paste/win2012-multiple-suffixes.png Part of ticket https://fedorahosted.org/freeipa/ticket/2848 -- / Alexander Bokovoy From f400d55eaec99b3e5440e90b6a6d055e26529e7e Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Fri, 22 Mar 2013 17:30:41 +0200 Subject: [PATCH 2/2] ipasam: add enumeration of UPN suffixes based on the realm domains PASSDB API in Samba adds support for specifying UPN suffixes. The change in ipasam will allow to pass through list of realm domains as UPN suffixes so that Active Directory domain controller will be able to recognize non-primary UPN suffixes as belonging to IPA and properly find our KDC for cross-realm TGT. Since Samba already returns primary DNS domain separately, filter it out from list of UPN suffixes. Also enclose provider of UPN suffixes into #ifdef to support both Samba with and without pdb_enum_upn_suffixes(). Part of https://fedorahosted.org/freeipa/ticket/2848 --- daemons/configure.ac | 10 +++ daemons/ipa-sam/ipa_sam.c | 172 -- 2 files changed, 177 insertions(+), 5 deletions(-) diff --git a/daemons/configure.ac b/daemons/configure.ac index d3b6b19..14dc04e 100644 --- a/daemons/configure.ac +++ b/daemons/configure.ac @@ -252,6 +252,16 @@ AC_CHECK_LIB([wbclient], [$SAMBA40EXTRA_LIBPATH]) AC_SUBST(WBCLIENT_LIBS) +AC_CHECK_LIB([pdb], + [make_pdb_method], + [HAVE_LIBPDB=1], + [AC_MSG_ERROR([libpdb does not have make_pdb_method])], + [$SAMBA40EXTRA_LIBPATH]) +AC_CHECK_LIB([pdb],[pdb_enum_upn_suffixes], + [AC_DEFINE([HAVE_PDB_ENUM_UPN_SUFFIXES], [1], [Ability to enumerate UPN suffixes])], + [AC_MSG_WARN([libpdb does not have pdb_enum_upn_suffixes, no support for realm domains in ipasam])], + [$SAMBA40EXTRA_LIBPATH]) + dnl --- dnl - Check for check unit test framework http://check.sourceforge.net/ dnl --- diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c index dd3ad61..1783ca3 100644 --- a/daemons/ipa-sam/ipa_sam.c +++ b/daemons/ipa-sam/ipa_sam.c @@ -1,6 +1,7 @@ #define HAVE_IMMEDIATE_STRUCTURES 1 #define LDAP_DEPRECATED 1 +#include config.h #include stdbool.h #include stdint.h #include stdio.h @@ -167,6 +168,12 @@ struct ipasam_privates { struct sss_idmap_ctx *idmap_ctx; }; + +static NTSTATUS ipasam_get_domain_name(struct ldapsam_privates *ldap_state, + TALLOC_CTX *mem_ctx, + char **domain_name); + + static void *idmap_talloc(size_t size, void *pvt) { return talloc_size(pvt, size); @@ -295,6 +302,53 @@ static LDAP *priv2ld(struct ldapsam_privates *priv) return priv-smbldap_state-ldap_struct; } +/* + * get_attribute_values() returns array of all values of the attribute + * allocated over mem_ctx + */ +static char **get_attribute_values(TALLOC_CTX *mem_ctx, LDAP *ldap_struct, + LDAPMessage *entry, const char *attribute, int *num_values) +{ + struct berval **values; + int count, i; + char **result = NULL; + size_t conv_size; + + if
Re: [Freeipa-devel] [PATCH] WIP backup and restore
On 03/23/2013 05:06 AM, Rob Crittenden wrote: TL;DR. Sorry. Here is my current progress on backup and restore. I have not documented any of this in the Implementation section of the wiki yet. I've added two new commands, ipa-backup and ipa-restore. The files go into /var/lib/ipa/backup. When doing a restore you should only reference the directory in backup, not the full path. This needs to change, but it is what it is. There are strict limits on what can be restored where. Only exact matching hostnames and versions are allowed right now. We can probably relax the hostname requirement if we're only restoring data, and the version perhaps for only the the first two values (so you can restore a 3.0.0 backup on 3.0.1 but not on 3.1.0). Do we also need to limit the versions of Dogtag, 389, Kerberos...? Or is what they put in /var/lib guaranteed portable across versions? I've done 99.99% of testing in F-18 with a single instance. I did some initial testing in 6.4 so I think the roots are there, but they are untested currently. I spent a lot of time going in circles when doing a restore and getting replication right. I'm open to discussion on this, but my purpose for restoration was to define a new baseline for the IPA installation. It is basically the catastrophic case, where your data is hosed/untested/whatever and you just want to get back to some sane point. Ok, so given that we need to make sure that any other masters don't send us any updates in their changelog when they come back online. So I use a new feature in 1.3.0 to disable the replication agreements. This works really, really well. The only problem is you have to re-enable the agreement in order to re-initialize a master (https://fedorahosted.org/389/ticket/47304). I have the feeling that this leaves a small window where replication can occur and pollute our restored master. I noticed that we do a force_sync() when doing a full re-init. It may be that if we dropped it that would also mitigate this. I did the majority of my testing using an A - B - C replication topology. This exposed a lot of issues that A - B did not. I don't know if it was the third server or having the extra hop, but I hopefully closed a bunch of the corner cases. So what I would do is either a full or a data restore on A. This would break replication on B and C, as expected. So in this scenario A and B are CAs. Then I'd run this on B: # ipa-replica-manage re-initialize --from=A # ipa-csreplica-manage re-initialize --from=A Once that was done I'd run this on C: # ipa-replica-manage re-initialize --from=B The restoration of the dogtag databases was the last thing I did so it isn't super-well tested. I had to move a fair bit of code around. I think it's the sort of thing that will work when the everything goes well but exceptions may not be well-handled. The man pages are just a shel right now, they need a lot of work. It should also be possible to do a full system restore. I tested with: # ipa-server-install ... # add a bunch of data, 100 entries or more # ipa-backup # add one or more users # ipa-server-install --uninstall -U # ipa-restore ipa-full-... The last batch of users should be gone. I did similar tests with the A/B/C set up. I ran the unit tests against it and all was well. I have done zero testing in a Trust environment, though at least some of the files are backed up in the full case. I did some testing with DNS. I did no testing of a master that was down at the time of restoration and then was brought online later, so it never had its replication agreement disabled. I have the feeling it will hose the data. I have some concern over space requirements. Because I tar things up one basically needs double-the backup space in order to do a restore, and a bit more when encrypted. I'm open to suggestions on how to store the data, but we have many files for the 389-ds bak backup and I didn't want to have to encrypt them all. On that note, that I'm doing a db2bak AND a db2ldif backup and currently using the ldif2db for the restore. My original intention was to use db2bak/bak2db in order to retain the changelog, but retaining the changelog is actually a problem if we're restoring to a known state and forcing a re-init. It wouldn't take much to convince me to drop that, which reduces the # of files we have to deal with. I also snuck in a change to the way that replication is displayed. It has long bothered me that we print out an Updating message during replication because it gives no context. I changed it to be more of a progress indicator, using \r to over-write itself and include the # of seconds elapsed. The log files are still readable but I'd hate to see what this looks like in a typescript :-) Finally, sorry about the huge patch. I looked at the incremental commits I had done and I didn't think they'd tell much of a story. I thought about breaking some of the pieces out, but there is a lot of interdependency, so you'd need everything
Re: [Freeipa-devel] [PATCH] WIP backup and restore
On 03/25/2013 12:08 PM, Petr Viktorin wrote: On 03/23/2013 05:06 AM, Rob Crittenden wrote: TL;DR. Sorry. Here is my current progress on backup and restore. I have not documented any of this in the Implementation section of the wiki yet. I've added two new commands, ipa-backup and ipa-restore. The files go into /var/lib/ipa/backup. When doing a restore you should only reference the directory in backup, not the full path. This needs to change, but it is what it is. There are strict limits on what can be restored where. Only exact matching hostnames and versions are allowed right now. We can probably relax the hostname requirement if we're only restoring data, and the version perhaps for only the the first two values (so you can restore a 3.0.0 backup on 3.0.1 but not on 3.1.0). Do we also need to limit the versions of Dogtag, 389, Kerberos...? No. Or is what they put in /var/lib guaranteed portable across versions? Mostly. We always suggest doing ldif dumps (db2ldif) for more long term storage. I've done 99.99% of testing in F-18 with a single instance. I did some initial testing in 6.4 so I think the roots are there, but they are untested currently. I spent a lot of time going in circles when doing a restore and getting replication right. I'm open to discussion on this, but my purpose for restoration was to define a new baseline for the IPA installation. It is basically the catastrophic case, where your data is hosed/untested/whatever and you just want to get back to some sane point. Ok, so given that we need to make sure that any other masters don't send us any updates in their changelog when they come back online. So I use a new feature in 1.3.0 to disable the replication agreements. This works really, really well. The only problem is you have to re-enable the agreement in order to re-initialize a master (https://fedorahosted.org/389/ticket/47304). I have the feeling that this leaves a small window where replication can occur and pollute our restored master. I noticed that we do a force_sync() when doing a full re-init. It may be that if we dropped it that would also mitigate this. I did the majority of my testing using an A - B - C replication topology. This exposed a lot of issues that A - B did not. I don't know if it was the third server or having the extra hop, but I hopefully closed a bunch of the corner cases. So what I would do is either a full or a data restore on A. This would break replication on B and C, as expected. So in this scenario A and B are CAs. Then I'd run this on B: # ipa-replica-manage re-initialize --from=A # ipa-csreplica-manage re-initialize --from=A Once that was done I'd run this on C: # ipa-replica-manage re-initialize --from=B The restoration of the dogtag databases was the last thing I did so it isn't super-well tested. I had to move a fair bit of code around. I think it's the sort of thing that will work when the everything goes well but exceptions may not be well-handled. The man pages are just a shel right now, they need a lot of work. It should also be possible to do a full system restore. I tested with: # ipa-server-install ... # add a bunch of data, 100 entries or more # ipa-backup # add one or more users # ipa-server-install --uninstall -U # ipa-restore ipa-full-... The last batch of users should be gone. I did similar tests with the A/B/C set up. I ran the unit tests against it and all was well. I have done zero testing in a Trust environment, though at least some of the files are backed up in the full case. I did some testing with DNS. I did no testing of a master that was down at the time of restoration and then was brought online later, so it never had its replication agreement disabled. I have the feeling it will hose the data. I have some concern over space requirements. Because I tar things up one basically needs double-the backup space in order to do a restore, and a bit more when encrypted. I'm open to suggestions on how to store the data, but we have many files for the 389-ds bak backup and I didn't want to have to encrypt them all. On that note, that I'm doing a db2bak AND a db2ldif backup and currently using the ldif2db for the restore. My original intention was to use db2bak/bak2db in order to retain the changelog, but retaining the changelog is actually a problem if we're restoring to a known state and forcing a re-init. It wouldn't take much to convince me to drop that, which reduces the # of files we have to deal with. I also snuck in a change to the way that replication is displayed. It has long bothered me that we print out an Updating message during replication because it gives no context. I changed it to be more of a progress indicator, using \r to over-write itself and include the # of seconds elapsed. The log files are still readable but I'd hate to see what this looks like in a typescript :-) Finally, sorry about the huge patch. I looked at the incremental commits I had done and I didn't think