Re: [Freeipa-devel] [PATCH 0169-0170] Modernize autotools configuration
On (04/07/13 15:23), Petr Spacek wrote: Hello, several warnings from autotools popped up after upgrade to Fedora 19. Attached patches should make autotools configuration more modern. -- Petr^2 Spacek From 07caec808e394bfcbd898905e917731cb3778e68 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Thu, 4 Jul 2013 14:04:57 +0200 Subject: [PATCH] Add missing ar check to configure.ac. Signed-off-by: Petr Spacek pspa...@redhat.com --- configure.ac | 1 + 1 file changed, 1 insertion(+) diff --git a/configure.ac b/configure.ac index 222e520e0aa61bca58cff81bea672fcab04355b3..b6d66de1b862a6860226a5f9ae4a3f33842e6100 100644 --- a/configure.ac +++ b/configure.ac @@ -10,6 +10,7 @@ AC_CONFIG_HEADERS([config.h]) AC_DISABLE_STATIC # Checks for programs. +AM_PROG_AR AC_PROG_CC AC_PROG_LIBTOOL -- 1.8.3.1 This solution is not very portable. Automake = 1.11 does not contain this macro. configure.ac:14: warning: macro `AM_PROG_AR' not found in library configure.ac:14: error: possibly undefined macro: AM_PROG_AR If this token and others are legitimate, please use m4_pattern_allow. See the Autoconf documentation. autoreconf: /usr/bin/autoconf failed with exit status: 1 Better solution will be: m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) You can find more information about this in mail thread http://lists.gnu.org/archive/html/automake/2012-05/msg00014.html From 282f9763d0b0cc63a56161b402091c9f1fe7f279 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Thu, 4 Jul 2013 14:05:57 +0200 Subject: [PATCH] Put m4 macros from autotools to separate sub-directory. Signed-off-by: Petr Spacek pspa...@redhat.com --- Makefile.am | 2 ++ configure.ac | 1 + 2 files changed, 3 insertions(+) diff --git a/Makefile.am b/Makefile.am index 8d713c44a889b6a8f1d80ba9780de1287d641227..f5ff369861e3a8fd686f3eb36934df01c38fe597 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,3 +1,5 @@ +ACLOCAL_AMFLAGS = -I m4 + SUBDIRS = doc src doc_DATA = README NEWS diff --git a/configure.ac b/configure.ac index b6d66de1b862a6860226a5f9ae4a3f33842e6100..dfe0ac39adcd779e9df8ba6feab723d32af20c48 100644 --- a/configure.ac +++ b/configure.ac @@ -5,6 +5,7 @@ AM_INIT_AUTOMAKE([-Wall foreign dist-bzip2]) AC_CONFIG_SRCDIR([src/zone_manager.h]) AC_CONFIG_HEADERS([config.h]) +AC_CONFIG_MACRO_DIR([m4]) # Disable static libraries AC_DISABLE_STATIC -- 1.8.3.1 ACK to the 2nd patch LS ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0169-0170] Modernize autotools configuration
On Wed, Jul 10, 2013 at 10:29:35AM +0200, Lukas Slebodnik wrote: On (04/07/13 15:23), Petr Spacek wrote: Hello, several warnings from autotools popped up after upgrade to Fedora 19. Attached patches should make autotools configuration more modern. -- Petr^2 Spacek From 07caec808e394bfcbd898905e917731cb3778e68 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Thu, 4 Jul 2013 14:04:57 +0200 Subject: [PATCH] Add missing ar check to configure.ac. Signed-off-by: Petr Spacek pspa...@redhat.com --- configure.ac | 1 + 1 file changed, 1 insertion(+) diff --git a/configure.ac b/configure.ac index 222e520e0aa61bca58cff81bea672fcab04355b3..b6d66de1b862a6860226a5f9ae4a3f33842e6100 100644 --- a/configure.ac +++ b/configure.ac @@ -10,6 +10,7 @@ AC_CONFIG_HEADERS([config.h]) AC_DISABLE_STATIC # Checks for programs. +AM_PROG_AR AC_PROG_CC AC_PROG_LIBTOOL -- 1.8.3.1 This solution is not very portable. Automake = 1.11 does not contain this macro. configure.ac:14: warning: macro `AM_PROG_AR' not found in library configure.ac:14: error: possibly undefined macro: AM_PROG_AR If this token and others are legitimate, please use m4_pattern_allow. See the Autoconf documentation. autoreconf: /usr/bin/autoconf failed with exit status: 1 Better solution will be: m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) You can find more information about this in mail thread http://lists.gnu.org/archive/html/automake/2012-05/msg00014.html Even better is: m4_pattern_allow([AM_PROG_AR]) AM_PROG_AR ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0169-0170] Modernize autotools configuration
On (10/07/13 10:48), Jakub Hrozek wrote: On Wed, Jul 10, 2013 at 10:29:35AM +0200, Lukas Slebodnik wrote: On (04/07/13 15:23), Petr Spacek wrote: Hello, several warnings from autotools popped up after upgrade to Fedora 19. Attached patches should make autotools configuration more modern. -- Petr^2 Spacek From 07caec808e394bfcbd898905e917731cb3778e68 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Thu, 4 Jul 2013 14:04:57 +0200 Subject: [PATCH] Add missing ar check to configure.ac. Signed-off-by: Petr Spacek pspa...@redhat.com --- configure.ac | 1 + 1 file changed, 1 insertion(+) diff --git a/configure.ac b/configure.ac index 222e520e0aa61bca58cff81bea672fcab04355b3..b6d66de1b862a6860226a5f9ae4a3f33842e6100 100644 --- a/configure.ac +++ b/configure.ac @@ -10,6 +10,7 @@ AC_CONFIG_HEADERS([config.h]) AC_DISABLE_STATIC # Checks for programs. +AM_PROG_AR AC_PROG_CC AC_PROG_LIBTOOL -- 1.8.3.1 This solution is not very portable. Automake = 1.11 does not contain this macro. configure.ac:14: warning: macro `AM_PROG_AR' not found in library configure.ac:14: error: possibly undefined macro: AM_PROG_AR If this token and others are legitimate, please use m4_pattern_allow. See the Autoconf documentation. autoreconf: /usr/bin/autoconf failed with exit status: 1 Better solution will be: m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) You can find more information about this in mail thread http://lists.gnu.org/archive/html/automake/2012-05/msg00014.html You probably did not read this page ^ Even better is: m4_pattern_allow([AM_PROG_AR]) AM_PROG_AR m4_pattern_allow should be used for another things. http://www.gnu.org/software/autoconf/manual/autoconf.html#Forbidden-Patterns LS ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0169-0170] Modernize autotools configuration
On Wed, Jul 10, 2013 at 10:59:10AM +0200, Lukas Slebodnik wrote: On (10/07/13 10:48), Jakub Hrozek wrote: On Wed, Jul 10, 2013 at 10:29:35AM +0200, Lukas Slebodnik wrote: On (04/07/13 15:23), Petr Spacek wrote: Hello, several warnings from autotools popped up after upgrade to Fedora 19. Attached patches should make autotools configuration more modern. -- Petr^2 Spacek From 07caec808e394bfcbd898905e917731cb3778e68 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Thu, 4 Jul 2013 14:04:57 +0200 Subject: [PATCH] Add missing ar check to configure.ac. Signed-off-by: Petr Spacek pspa...@redhat.com --- configure.ac | 1 + 1 file changed, 1 insertion(+) diff --git a/configure.ac b/configure.ac index 222e520e0aa61bca58cff81bea672fcab04355b3..b6d66de1b862a6860226a5f9ae4a3f33842e6100 100644 --- a/configure.ac +++ b/configure.ac @@ -10,6 +10,7 @@ AC_CONFIG_HEADERS([config.h]) AC_DISABLE_STATIC # Checks for programs. +AM_PROG_AR AC_PROG_CC AC_PROG_LIBTOOL -- 1.8.3.1 This solution is not very portable. Automake = 1.11 does not contain this macro. configure.ac:14: warning: macro `AM_PROG_AR' not found in library configure.ac:14: error: possibly undefined macro: AM_PROG_AR If this token and others are legitimate, please use m4_pattern_allow. See the Autoconf documentation. autoreconf: /usr/bin/autoconf failed with exit status: 1 Better solution will be: m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) You can find more information about this in mail thread http://lists.gnu.org/archive/html/automake/2012-05/msg00014.html You probably did not read this page ^ No I didn't :) But what the guy says there isn't true, m4_pattern_allow works just fine even with the old autoconf version in RHEL5. Even better is: m4_pattern_allow([AM_PROG_AR]) AM_PROG_AR m4_pattern_allow should be used for another things. http://www.gnu.org/software/autoconf/manual/autoconf.html#Forbidden-Patterns Dunno, I think it'quite pretty established pattern. Is there something wrong with it? ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0169-0170] Modernize autotools configuration
On (10/07/13 11:14), Jakub Hrozek wrote: On Wed, Jul 10, 2013 at 10:59:10AM +0200, Lukas Slebodnik wrote: On (10/07/13 10:48), Jakub Hrozek wrote: On Wed, Jul 10, 2013 at 10:29:35AM +0200, Lukas Slebodnik wrote: On (04/07/13 15:23), Petr Spacek wrote: Hello, several warnings from autotools popped up after upgrade to Fedora 19. Attached patches should make autotools configuration more modern. -- Petr^2 Spacek From 07caec808e394bfcbd898905e917731cb3778e68 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Thu, 4 Jul 2013 14:04:57 +0200 Subject: [PATCH] Add missing ar check to configure.ac. Signed-off-by: Petr Spacek pspa...@redhat.com --- configure.ac | 1 + 1 file changed, 1 insertion(+) diff --git a/configure.ac b/configure.ac index 222e520e0aa61bca58cff81bea672fcab04355b3..b6d66de1b862a6860226a5f9ae4a3f33842e6100 100644 --- a/configure.ac +++ b/configure.ac @@ -10,6 +10,7 @@ AC_CONFIG_HEADERS([config.h]) AC_DISABLE_STATIC # Checks for programs. +AM_PROG_AR AC_PROG_CC AC_PROG_LIBTOOL -- 1.8.3.1 This solution is not very portable. Automake = 1.11 does not contain this macro. configure.ac:14: warning: macro `AM_PROG_AR' not found in library configure.ac:14: error: possibly undefined macro: AM_PROG_AR If this token and others are legitimate, please use m4_pattern_allow. See the Autoconf documentation. autoreconf: /usr/bin/autoconf failed with exit status: 1 Better solution will be: m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) You can find more information about this in mail thread http://lists.gnu.org/archive/html/automake/2012-05/msg00014.html You probably did not read this page ^ No I didn't :) But what the guy says there isn't true, m4_pattern_allow works just fine even with the old autoconf version in RHEL5. Even better is: m4_pattern_allow([AM_PROG_AR]) AM_PROG_AR m4_pattern_allow should be used for another things. http://www.gnu.org/software/autoconf/manual/autoconf.html#Forbidden-Patterns Dunno, I think it'quite pretty established pattern. Is there something wrong with it? Macro m4_pattern_allow only suppresses autotool error possibly undefined macro, but there still will be a warning macro `AM_PROG_AR' not found in library Autreconf will not fail with older versions of automake (=1.11), but macro AM_PROG_AR will not be expanded and you can find this unexpanded text in configure script. It is harmless. Everything will work well, but we don't like warnings. LS ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0169-0170] Modernize autotools configuration
On 10.7.2013 10:29, Lukas Slebodnik wrote: On (04/07/13 15:23), Petr Spacek wrote: Hello, several warnings from autotools popped up after upgrade to Fedora 19. Attached patches should make autotools configuration more modern. -- Petr^2 Spacek From 07caec808e394bfcbd898905e917731cb3778e68 Mon Sep 17 00:00:00 2001 From: Petr Spacekpspa...@redhat.com Date: Thu, 4 Jul 2013 14:04:57 +0200 Subject: [PATCH] Add missing ar check to configure.ac. Signed-off-by: Petr Spacekpspa...@redhat.com --- configure.ac | 1 + 1 file changed, 1 insertion(+) diff --git a/configure.ac b/configure.ac index 222e520e0aa61bca58cff81bea672fcab04355b3..b6d66de1b862a6860226a5f9ae4a3f33842e6100 100644 --- a/configure.ac +++ b/configure.ac @@ -10,6 +10,7 @@ AC_CONFIG_HEADERS([config.h]) AC_DISABLE_STATIC # Checks for programs. +AM_PROG_AR AC_PROG_CC AC_PROG_LIBTOOL -- 1.8.3.1 This solution is not very portable. Automake = 1.11 does not contain this macro. configure.ac:14: warning: macro `AM_PROG_AR' not found in library configure.ac:14: error: possibly undefined macro: AM_PROG_AR If this token and others are legitimate, please use m4_pattern_allow. See the Autoconf documentation. autoreconf: /usr/bin/autoconf failed with exit status: 1 Better solution will be: m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) You can find more information about this in mail thread http://lists.gnu.org/archive/html/automake/2012-05/msg00014.html Thank you for catching this. Fixed patch is attached. -- Petr^2 Spacek From 3bec5eda866bd9b518c2b11db3abc0cc9dcdfa1a Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Thu, 4 Jul 2013 14:04:57 +0200 Subject: [PATCH] Add missing ar check to configure.ac. Signed-off-by: Petr Spacek pspa...@redhat.com --- configure.ac | 1 + 1 file changed, 1 insertion(+) diff --git a/configure.ac b/configure.ac index 222e520e0aa61bca58cff81bea672fcab04355b3..9ecd8a467f255dcdaa82c36547f8b958cb3565a1 100644 --- a/configure.ac +++ b/configure.ac @@ -10,6 +10,7 @@ AC_CONFIG_HEADERS([config.h]) AC_DISABLE_STATIC # Checks for programs. +m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) AC_PROG_CC AC_PROG_LIBTOOL -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed
On Monday 08 of July 2013 16:58:18 Ana Krivokapic wrote: On 06/25/2013 05:28 PM, Ana Krivokapic wrote: On 06/24/2013 02:27 PM, Tomas Babej wrote: On 06/11/2013 04:42 PM, Ade Lee wrote: [snip] Just FYI, we plan to do a new release of pki-core today (pki- core-10.0.3-2) to address this issue. -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. Ok, so I tested the patch, since pki-core has the PkiExport command fixed now. I'm getting a little bit further now. [tbabej@vm-127 ~]$ sudo ipa-replica-prepare --ip-address 10.34.47.129 vm-129.idm.lab.eng.brq.redhat.com Directory Manager (existing master) password: Preparing replica for vm-129.idm.lab.eng.brq.redhat.com from vm-127.idm.lab.eng.brq.redhat.com Constraint violation: Failed to update password With debug output, I get (snipped out irrelevant parts): Directory Manager (existing master) password: ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection context.ldap2_57668944 ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket conn=ldap.ldapobject.SimpleLDAPObject instance at 0x3700ab8 ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Destroyed connection context.ldap2_57668944 ipa: DEBUG: Search DNS for vm-129.idm.lab.eng.brq.redhat.com ipa: DEBUG: Search failed: [Errno -2] Name or service not known ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from SchemaCache ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket conn=ldap.ldapobject.SimpleLDAPObject instance at 0x4c704d0 ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: Not logging to a file ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: ipa-replica-prepare was invoked with arguments ['vm-129.idm.lab.eng.brq.redhat.com'] and options: {'log_file': None, 'verbose': True, 'reverse_zone': None, 'setup_pkinit': True, 'http_pin': None, 'quiet': False, 'http_pkcs12': None, 'pkinit_pkcs12': None, 'ca_file': '/root/cacert.p12', 'no_reverse': False, 'dirsrv_pkcs12': None, 'password': None, 'ip_address': CheckedIPAddress('10.34.47.129'), 'dirsrv_pin': None, 'pkinit_pin': None} ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: INFO: Preparing replica for vm-129.idm.lab.eng.brq.redhat.com from vm-127.idm.lab.eng.brq.redhat.com ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from SchemaCache ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket conn=ldap.ldapobject.SimpleLDAPObject instance at 0x3700710 ipa: DEBUG: Starting external process ipa: DEBUG: args=/usr/bin/PKCS12Export -d /etc/pki/pki-tomcat/alias/ -p /tmp/tmprgUrso -w /tmp/tmp6SBBXF -o /root/cacert.p12 ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout= ipa: DEBUG: stderr= ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection context.ldap2_139884970376144 ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File /usr/lib/python2.7/site-packages/ipapython/admintool.py, line 171, in execute return_value = self.run() File /usr/lib/python2.7/site- packages/ipaserver/install/ipa_replica_prepare.py, line 245, in run self.copy_ds_certificate() File /usr/lib/python2.7/site- packages/ipaserver/install/ipa_replica_prepare.py, line 281, in copy_ds_certificate self.update_pki_admin_password() File /usr/lib/python2.7/site- packages/ipaserver/install/ipa_replica_prepare.py, line 520, in update_pki_admin_password ldap.modify_password(dn, self.dirman_password) File /usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py, line 332, in modify_password self.conn.passwd_s(dn, old_pass, new_pass) File /usr/lib64/python2.7/contextlib.py, line 35, in __exit__ self.gen.throw(type, value, traceback) File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line 919, in error_handler raise errors.DatabaseError(desc=desc, info=info) ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: DatabaseError: Constraint violation: Failed to update password ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: Constraint violation: Failed to update password Tomas It seems that this time the culprit is 389-ds-base packages. The password change is rejected when using the latest version of 389-ds-base (389-ds-base-1.3.1.2-1.fc19.x86_64). I tried testing it with a previous version (389-ds-base-1.3.0.5-1.fc19.x86_64) and it works. I open an upstream ticket for the 389
Re: [Freeipa-devel] [PATCH 0169-0170] Modernize autotools configuration
On Wed, Jul 10, 2013 at 11:59:32AM +0200, Lukas Slebodnik wrote: On (10/07/13 11:14), Jakub Hrozek wrote: On Wed, Jul 10, 2013 at 10:59:10AM +0200, Lukas Slebodnik wrote: On (10/07/13 10:48), Jakub Hrozek wrote: On Wed, Jul 10, 2013 at 10:29:35AM +0200, Lukas Slebodnik wrote: On (04/07/13 15:23), Petr Spacek wrote: Hello, several warnings from autotools popped up after upgrade to Fedora 19. Attached patches should make autotools configuration more modern. -- Petr^2 Spacek From 07caec808e394bfcbd898905e917731cb3778e68 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Thu, 4 Jul 2013 14:04:57 +0200 Subject: [PATCH] Add missing ar check to configure.ac. Signed-off-by: Petr Spacek pspa...@redhat.com --- configure.ac | 1 + 1 file changed, 1 insertion(+) diff --git a/configure.ac b/configure.ac index 222e520e0aa61bca58cff81bea672fcab04355b3..b6d66de1b862a6860226a5f9ae4a3f33842e6100 100644 --- a/configure.ac +++ b/configure.ac @@ -10,6 +10,7 @@ AC_CONFIG_HEADERS([config.h]) AC_DISABLE_STATIC # Checks for programs. +AM_PROG_AR AC_PROG_CC AC_PROG_LIBTOOL -- 1.8.3.1 This solution is not very portable. Automake = 1.11 does not contain this macro. configure.ac:14: warning: macro `AM_PROG_AR' not found in library configure.ac:14: error: possibly undefined macro: AM_PROG_AR If this token and others are legitimate, please use m4_pattern_allow. See the Autoconf documentation. autoreconf: /usr/bin/autoconf failed with exit status: 1 Better solution will be: m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) You can find more information about this in mail thread http://lists.gnu.org/archive/html/automake/2012-05/msg00014.html You probably did not read this page ^ No I didn't :) But what the guy says there isn't true, m4_pattern_allow works just fine even with the old autoconf version in RHEL5. Even better is: m4_pattern_allow([AM_PROG_AR]) AM_PROG_AR m4_pattern_allow should be used for another things. http://www.gnu.org/software/autoconf/manual/autoconf.html#Forbidden-Patterns Dunno, I think it'quite pretty established pattern. Is there something wrong with it? Macro m4_pattern_allow only suppresses autotool error possibly undefined macro, but there still will be a warning macro `AM_PROG_AR' not found in library Autreconf will not fail with older versions of automake (=1.11), but macro AM_PROG_AR will not be expanded and you can find this unexpanded text in configure script. It is harmless. Everything will work well, but we don't like warnings. Sounds like we should patch the same in SSSD then. Thanks for the investigation! ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed
On 07/10/2013 01:33 PM, Tomas Babej wrote: On Monday 08 of July 2013 16:58:18 Ana Krivokapic wrote: On 06/25/2013 05:28 PM, Ana Krivokapic wrote: On 06/24/2013 02:27 PM, Tomas Babej wrote: On 06/11/2013 04:42 PM, Ade Lee wrote: [snip] Just FYI, we plan to do a new release of pki-core today (pki-core-10.0.3-2) to address this issue. -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. Ok, so I tested the patch, since pki-core has the PkiExport command fixed now. I'm getting a little bit further now. [tbabej@vm-127 ~]$ sudo ipa-replica-prepare --ip-address 10.34.47.129 vm-129.idm.lab.eng.brq.redhat.com Directory Manager (existing master) password: Preparing replica for vm-129.idm.lab.eng.brq.redhat.com from vm-127.idm.lab.eng.brq.redhat.com Constraint violation: Failed to update password With debug output, I get (snipped out irrelevant parts): Directory Manager (existing master) password: ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection context.ldap2_57668944 ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket conn=ldap.ldapobject.SimpleLDAPObject instance at 0x3700ab8 ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Destroyed connection context.ldap2_57668944 ipa: DEBUG: Search DNS for vm-129.idm.lab.eng.brq.redhat.com ipa: DEBUG: Search failed: [Errno -2] Name or service not known ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from SchemaCache ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket conn=ldap.ldapobject.SimpleLDAPObject instance at 0x4c704d0 ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: Not logging to a file ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: ipa-replica-prepare was invoked with arguments ['vm-129.idm.lab.eng.brq.redhat.com'] and options: {'log_file': None, 'verbose': True, 'reverse_zone': None, 'setup_pkinit': True, 'http_pin': None, 'quiet': False, 'http_pkcs12': None, 'pkinit_pkcs12': None, 'ca_file': '/root/cacert.p12', 'no_reverse': False, 'dirsrv_pkcs12': None, 'password': None, 'ip_address': CheckedIPAddress('10.34.47.129'), 'dirsrv_pin': None, 'pkinit_pin': None} ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: INFO: Preparing replica for vm-129.idm.lab.eng.brq.redhat.com from vm-127.idm.lab.eng.brq.redhat.com ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from SchemaCache ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket conn=ldap.ldapobject.SimpleLDAPObject instance at 0x3700710 ipa: DEBUG: Starting external process ipa: DEBUG: args=/usr/bin/PKCS12Export -d /etc/pki/pki-tomcat/alias/ -p /tmp/tmprgUrso -w /tmp/tmp6SBBXF -o /root/cacert.p12 ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout= ipa: DEBUG: stderr= ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection context.ldap2_139884970376144 ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File /usr/lib/python2.7/site-packages/ipapython/admintool.py, line 171, in execute return_value = self.run() File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 245, in run self.copy_ds_certificate() File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 281, in copy_ds_certificate self.update_pki_admin_password() File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 520, in update_pki_admin_password ldap.modify_password(dn, self.dirman_password) File /usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py, line 332, in modify_password self.conn.passwd_s(dn, old_pass, new_pass) File /usr/lib64/python2.7/contextlib.py, line 35, in __exit__ self.gen.throw(type, value, traceback) File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line 919, in error_handler raise errors.DatabaseError(desc=desc, info=info) ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: DatabaseError: Constraint violation: Failed to update password ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: Constraint violation: Failed to update password Tomas It seems that this time the culprit is 389-ds-base packages. The password change is
Re: [Freeipa-devel] [PATCHES] 0230-0240 Integration testing framework
On 25.6.2013 14:08, Petr Viktorin wrote: Adding two additional patches for better Beaker integration: Patch 0241 allows e.g. adding ticket numbers for automatic test case management Patch 0242 should bring the BeakerLib logging closer to what traditional Beaker tests output make test seems to run fine with patches 230-242 applied, however ipa-run-tests produces the following output: == ERROR: Test that `ipa help` only writes to stdout -- Traceback (most recent call last): File /usr/lib/python2.7/site-packages/nose/case.py, line 197, in runTest self.test(*self.arg) File /usr/lib/python2.7/site-packages/ipatests/test_cmdline/test_help.py, line 63, in test_ipa_help return_value = api.Backend.cli.run(['help']) File /usr/lib/python2.7/site-packages/ipalib/cli.py, line 1067, in run result = self.execute(name, **kw) File /usr/lib/python2.7/site-packages/ipalib/backend.py, line 146, in execute raise error #pylint: disable=E0702 InternalError: an internal error has occurred begin captured logging IPA: DEBUG: [ipa.ipalib.cli.help] raw: help(None, version=u'2.60') IPA: DEBUG: [ipa.ipalib.cli.help] help(None, version=u'2.60') IPA: ERROR: [ipa.ipalib.cli.cli] non-public: AttributeError: 'API' object has no attribute 'parser' Traceback (most recent call last): File /usr/lib/python2.7/site-packages/ipalib/backend.py, line 129, in execute result = self.Command[_name](*args, **options) File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 435, in __call__ ret = self.run(*args, **options) File /usr/lib/python2.7/site-packages/ipalib/cli.py, line 765, in run self.api.parser.print_help(outfile) AttributeError: 'API' object has no attribute 'parser' IPA: DEBUG: [ipa.ipalib.rpc.xmlclient] Destroyed connection context.xmlclient - end captured logging - == ERROR: Failure: IOError ([Errno 2] No such file or directory: 'ipatests/test_xmlrpc/service.crt') -- Traceback (most recent call last): File /usr/lib/python2.7/site-packages/nose/loader.py, line 413, in loadTestsFromName addr.filename, addr.module) File /usr/lib/python2.7/site-packages/nose/importer.py, line 47, in importFromPath return self.importFromDir(dir_path, fqname) File /usr/lib/python2.7/site-packages/nose/importer.py, line 94, in importFromDir mod = load_module(part_fqname, fh, filename, desc) File /usr/lib/python2.7/site-packages/ipatests/test_xmlrpc/test_host_plugin.py, line 59, in module fd = open('ipatests/test_xmlrpc/service.crt', 'r') IOError: [Errno 2] No such file or directory: 'ipatests/test_xmlrpc/service.crt' == ERROR: Failure: IOError ([Errno 2] No such file or directory: 'ipatests/test_xmlrpc/service.crt') -- Traceback (most recent call last): File /usr/lib/python2.7/site-packages/nose/loader.py, line 413, in loadTestsFromName addr.filename, addr.module) File /usr/lib/python2.7/site-packages/nose/importer.py, line 47, in importFromPath return self.importFromDir(dir_path, fqname) File /usr/lib/python2.7/site-packages/nose/importer.py, line 94, in importFromDir mod = load_module(part_fqname, fh, filename, desc) File /usr/lib/python2.7/site-packages/ipatests/test_xmlrpc/test_service_plugin.py, line 42, in module fd = open('ipatests/test_xmlrpc/service.crt', 'r') IOError: [Errno 2] No such file or directory: 'ipatests/test_xmlrpc/service.crt' == FAIL: Test that `ipa` errors out, and prints the help to stderr -- Traceback (most recent call last): File /usr/lib/python2.7/site-packages/nose/case.py, line 197, in runTest self.test(*self.arg) File /usr/lib/python2.7/site-packages/ipatests/test_cmdline/test_help.py, line 71, in test_ipa_without_arguments api.Backend.cli.run([]) File /usr/lib/python2.7/site-packages/ipatests/test_cmdline/test_help.py, line 55, in __exit__ assert isinstance(exc_value, self.exception), exc_value AssertionError: 'API' object has no attribute 'parser' begin captured logging IPA: DEBUG: [ipa.ipalib.cli.help] raw: help(None, outfile=StringIO.StringIO instance at 0x486cb48) IPA: DEBUG: [ipa.ipalib.cli.help] help(None, outfile=StringIO.StringIO instance at 0x486cb48) - end captured logging - I guess the location of the test certificate should be made
Re: [Freeipa-devel] [PATCH 0169-0170] Modernize autotools configuration
On (10/07/13 12:27), Petr Spacek wrote: On 10.7.2013 10:29, Lukas Slebodnik wrote: On (04/07/13 15:23), Petr Spacek wrote: Hello, several warnings from autotools popped up after upgrade to Fedora 19. Attached patches should make autotools configuration more modern. -- Petr^2 Spacek From 07caec808e394bfcbd898905e917731cb3778e68 Mon Sep 17 00:00:00 2001 From: Petr Spacekpspa...@redhat.com Date: Thu, 4 Jul 2013 14:04:57 +0200 Subject: [PATCH] Add missing ar check to configure.ac. Signed-off-by: Petr Spacekpspa...@redhat.com --- configure.ac | 1 + 1 file changed, 1 insertion(+) diff --git a/configure.ac b/configure.ac index 222e520e0aa61bca58cff81bea672fcab04355b3..b6d66de1b862a6860226a5f9ae4a3f33842e6100 100644 --- a/configure.ac +++ b/configure.ac @@ -10,6 +10,7 @@ AC_CONFIG_HEADERS([config.h]) AC_DISABLE_STATIC # Checks for programs. +AM_PROG_AR AC_PROG_CC AC_PROG_LIBTOOL -- 1.8.3.1 This solution is not very portable. Automake = 1.11 does not contain this macro. configure.ac:14: warning: macro `AM_PROG_AR' not found in library configure.ac:14: error: possibly undefined macro: AM_PROG_AR If this token and others are legitimate, please use m4_pattern_allow. See the Autoconf documentation. autoreconf: /usr/bin/autoconf failed with exit status: 1 Better solution will be: m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) You can find more information about this in mail thread http://lists.gnu.org/archive/html/automake/2012-05/msg00014.html Thank you for catching this. Fixed patch is attached. -- Petr^2 Spacek ACK LS ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 116 Add PAC to master host TGTs
On Tue, 2013-07-09 at 22:39 +0200, Jakub Hrozek wrote: On Tue, Jul 09, 2013 at 02:12:33PM +0300, Alexander Bokovoy wrote: On Tue, 09 Jul 2013, Jakub Hrozek wrote: On Wed, Jul 03, 2013 at 02:53:55PM +0200, Sumit Bose wrote: On Wed, Jul 03, 2013 at 01:00:43PM +0300, Alexander Bokovoy wrote: On Mon, 01 Jul 2013, Sumit Bose wrote: Hi, this patch fixes https://fedorahosted.org/freeipa/ticket/3651 but only to allow SSSD running on a FreeIPA server to access the AD LDAP server. In the ticket a more generic solution is described but since there is no other use case so far I think this patch is sufficient for the time being. bye, Sumit From a707d8f9d771dfe4fb8487e051519dba0ef72449 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Mon, 1 Jul 2013 13:47:22 +0200 Subject: [PATCH] Add PAC to master host TGTs For a proper SALS bind with GSSAPI against an AD LDAP server a PAC is needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server of a trusted domain with the credentials of a FreeIPA server host a PAC must be added to the TGT for the host. s/SALS/SASL/ Thank you for the review, I've fixed the typo and added the numerical values for the well-known RIDs to the commit message. To determine if a host is a FreeIPA server or not it is checked if there is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately this requires an additional LDAP lookup. But since TGS-REQs for hosts should be rare I think it is acceptable for the time being. I think it is better to change this lookup to cn=ADTRUST,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX, it would explicitly limit us to the IPA masters running AD trusts. I'm not sure if this restriction is needed. With SSSD's ipa_server_mode any IPA master (which networkwise can access an AD server of the trusted domain) can read AD user and group data, no running smbd or winbind is required. So it would be possible to run the extdom plugin or the compat plugin for the legacy clients on any IPA server which would allow a much better load balancing. If there are other concerns I'm happy to add the restriction. bye, Sumit I don't think I know the code good enough to provide a full review, but the patch enables the lookups from an IPA master without any additional hacks. So ack on functionality at least. Ok. I've extended this functionality to generate MS-PAC also for services running on IPA masters. Patch attached. This is needed to finally get rid of access to trust auth material for IPA python code. HTTP/fqdn@REALM will now be able to authenticate against AD LDAP server and look up needed information directly, without elevating privileges to trust admins. This should also help for AD range discovery Tomas is working on. Hi, The patch looks good to me so I'm giving my +1. I would appreciate other review too before a full ack, though. I've nacked the approach, although the results are as expected. Alexander will send a simplified patch that avoids the extra search and use of managedby which is not ok. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0169-0170] Modernize autotools configuration
On 07/10/2013 12:27 PM, Petr Spacek wrote: On 10.7.2013 10:29, Lukas Slebodnik wrote: On (04/07/13 15:23), Petr Spacek wrote: Hello, several warnings from autotools popped up after upgrade to Fedora 19. Attached patches should make autotools configuration more modern. -- Petr^2 Spacek From 07caec808e394bfcbd898905e917731cb3778e68 Mon Sep 17 00:00:00 2001 From: Petr Spacekpspa...@redhat.com Date: Thu, 4 Jul 2013 14:04:57 +0200 Subject: [PATCH] Add missing ar check to configure.ac. Signed-off-by: Petr Spacekpspa...@redhat.com --- configure.ac | 1 + 1 file changed, 1 insertion(+) diff --git a/configure.ac b/configure.ac index 222e520e0aa61bca58cff81bea672fcab04355b3..b6d66de1b862a6860226a5f9ae4a3f33842e6100 100644 --- a/configure.ac +++ b/configure.ac @@ -10,6 +10,7 @@ AC_CONFIG_HEADERS([config.h]) AC_DISABLE_STATIC # Checks for programs. +AM_PROG_AR AC_PROG_CC AC_PROG_LIBTOOL -- 1.8.3.1 This solution is not very portable. Automake = 1.11 does not contain this macro. configure.ac:14: warning: macro `AM_PROG_AR' not found in library configure.ac:14: error: possibly undefined macro: AM_PROG_AR If this token and others are legitimate, please use m4_pattern_allow. See the Autoconf documentation. autoreconf: /usr/bin/autoconf failed with exit status: 1 Better solution will be: m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) You can find more information about this in mail thread http://lists.gnu.org/archive/html/automake/2012-05/msg00014.html Thank you for catching this. Fixed patch is attached. ACK Regards, Tomas Hozza ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0171-0172] Fix potential problems found by Clang static analyzer
On 07/08/2013 10:51 AM, Petr Spacek wrote: Hello, several warnings from Clang static analyzer popped up after upgrade to Fedora 19. Attached patches should fix all problems found by clang-analyzer-3.3-0.6.rc3.fc19.x86_64. ACK Regards, Tomas Hozza ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0067] Add --use-posix option that forces trusted range type
On Monday 24 of June 2013 16:22:01 Petr Viktorin wrote: On 06/20/2013 12:56 PM, Tomas Babej wrote: On 06/17/2013 02:34 PM, Ana Krivokapic wrote: On 06/06/2013 11:10 AM, Tomas Babej wrote: Hi, Adds --use-posix option to ipa trust-add command. It takes two allowed values: 'yes' : the 'ipa-ad-trust-posix' range type is enforced 'no' : the 'ipa-ad-trust' range type is enforced When --use-posix option is not specified, the range type should be determined by ID range discovery. https://fedorahosted.org/freeipa/ticket/3650 Tomas ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel The patch works nicely, but I have a few comments: 1) You added a new option to the API, but you forgot to bump the IPA_API_VERSION_MINOR in the VERSION file. 2) Typo in commit message: shold instead of should. 3) This construct: +if range_type is not None: +if range_type != old_range_type: can be replaced with a more readable variant which also avoids nested ifs: +if range_type and range_type != old_range_type: All fixed. 4) Some unit tests to cover the behavior of the newly added option would be nice. This is not doable at the moment, we have no unit test framework to test the trust-add command. -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Tomas I don't know much about AD trusts, but a command-line/API option that takes a 'yes' or 'no' string raised a tiny warning flag for me. It looks like it's possible that there can be other range types in the future than posix and algorithmic? If that's the case, there should be a --range-type option instead. (If not, I'd still go for --range-type but that would just be bikeshedding.) In any case I think an explicit 'auto' option would be nice. But that's just an outsider's view, maybe --use-posix makes more sense. I replaced --use-posix with more versatile --range-type. It supports only trust-related values for now, and can be extended. Rebased patch attached. AFAIK, for CLI changes there should be a a design page; is this covered anywhere? Design page for the umbrella ticket is here: http://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD -- PetrĀ³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-develFrom 784021ef93694bb19e8a30c509dbbec8cb06cdf0 Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Tue, 25 Jun 2013 14:25:44 +0200 Subject: [PATCH] Add --range-type option that forces range type of the trusted domain Adds --range-type option to ipa trust-add command. It takes two allowed values: 'ipa-ad-trust-posix' and 'ipa-ad-trust'. When --range-type option is not specified, the range type should be determined by ID range discovery. https://fedorahosted.org/freeipa/ticket/3650 --- API.txt | 3 ++- VERSION | 2 +- ipalib/plugins/idrange.py | 4 ++-- ipalib/plugins/trust.py | 40 ++-- 4 files changed, 43 insertions(+), 6 deletions(-) diff --git a/API.txt b/API.txt index 067955ef77332374bf242655187ef9f912b0c2c0..44b3dd444964c8dac595177f8601c82d0235eabe 100644 --- a/API.txt +++ b/API.txt @@ -3278,12 +3278,13 @@ output: Entry('result', type 'dict', Gettext('A dictionary representing an LDA output: Output('summary', (type 'unicode', type 'NoneType'), None) output: Output('value', type 'unicode', None) command: trust_add -args: 1,12,3 +args: 1,13,3 arg: Str('cn', attribute=True, cli_name='realm', multivalue=False, primary_key=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Int('base_id?', cli_name='base_id') option: Int('range_size?', autofill=True, cli_name='range_size', default=20) +option: StrEnum('range_type?', cli_name='range_type', values=(u'ipa-ad-trust-posix', u'ipa-ad-trust')) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('realm_admin?', cli_name='admin') option: Password('realm_passwd?', cli_name='password', confirm=False) diff --git a/VERSION b/VERSION index c713b18b7ce42db7fb290912ec6028342015f142..8606d724e6c8c785ba9d554ed3effa905573e25f 100644 --- a/VERSION +++ b/VERSION @@ -89,4 +89,4 @@ IPA_DATA_VERSION=2010061412 # # IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=60
Re: [Freeipa-devel] [PATCH] 116 Add PAC to master host TGTs
On Wed, 10 Jul 2013, Simo Sorce wrote: On Tue, 2013-07-09 at 22:39 +0200, Jakub Hrozek wrote: On Tue, Jul 09, 2013 at 02:12:33PM +0300, Alexander Bokovoy wrote: On Tue, 09 Jul 2013, Jakub Hrozek wrote: On Wed, Jul 03, 2013 at 02:53:55PM +0200, Sumit Bose wrote: On Wed, Jul 03, 2013 at 01:00:43PM +0300, Alexander Bokovoy wrote: On Mon, 01 Jul 2013, Sumit Bose wrote: Hi, this patch fixes https://fedorahosted.org/freeipa/ticket/3651 but only to allow SSSD running on a FreeIPA server to access the AD LDAP server. In the ticket a more generic solution is described but since there is no other use case so far I think this patch is sufficient for the time being. bye, Sumit From a707d8f9d771dfe4fb8487e051519dba0ef72449 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Mon, 1 Jul 2013 13:47:22 +0200 Subject: [PATCH] Add PAC to master host TGTs For a proper SALS bind with GSSAPI against an AD LDAP server a PAC is needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server of a trusted domain with the credentials of a FreeIPA server host a PAC must be added to the TGT for the host. s/SALS/SASL/ Thank you for the review, I've fixed the typo and added the numerical values for the well-known RIDs to the commit message. To determine if a host is a FreeIPA server or not it is checked if there is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately this requires an additional LDAP lookup. But since TGS-REQs for hosts should be rare I think it is acceptable for the time being. I think it is better to change this lookup to cn=ADTRUST,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX, it would explicitly limit us to the IPA masters running AD trusts. I'm not sure if this restriction is needed. With SSSD's ipa_server_mode any IPA master (which networkwise can access an AD server of the trusted domain) can read AD user and group data, no running smbd or winbind is required. So it would be possible to run the extdom plugin or the compat plugin for the legacy clients on any IPA server which would allow a much better load balancing. If there are other concerns I'm happy to add the restriction. bye, Sumit I don't think I know the code good enough to provide a full review, but the patch enables the lookups from an IPA master without any additional hacks. So ack on functionality at least. Ok. I've extended this functionality to generate MS-PAC also for services running on IPA masters. Patch attached. This is needed to finally get rid of access to trust auth material for IPA python code. HTTP/fqdn@REALM will now be able to authenticate against AD LDAP server and look up needed information directly, without elevating privileges to trust admins. This should also help for AD range discovery Tomas is working on. Hi, The patch looks good to me so I'm giving my +1. I would appreciate other review too before a full ack, though. I've nacked the approach, although the results are as expected. Alexander will send a simplified patch that avoids the extra search and use of managedby which is not ok. New patch attached. -- / Alexander Bokovoy From e150e2abd67538db1b53d5b5dd096bd15e2ffe58 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Tue, 9 Jul 2013 14:05:02 +0300 Subject: [PATCH 15/15] Generate syntethic MS-PAC for all services running on IPA master MS-PAC is required to be present in TGT if one wants to connect to AD services using this TGT. Users get MS-PAC by default, SSSD in ipa_server_mode uses host/fqdn@REALM principal to talk to AD LDAP. This patch enables other services running on IPA master to connect to AD services. This is required for IPA python code doing discovery of remote AD domain settings shortly after IPA-AD trust has been established. --- daemons/ipa-kdb/ipa_kdb_mspac.c | 56 +++-- 1 file changed, 49 insertions(+), 7 deletions(-) diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index 92dc8dd..4944bb8 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c @@ -392,13 +392,14 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, struct dom_sid sid; gid_t prigid = -1; time_t timeres; -char *strres; +char *strres, *strhost, *strat; int intres; int ret; char **objectclasses = NULL; size_t c; bool is_host = false; bool is_user = false; +bool is_service = false; ret = ipadb_ldap_attr_to_strlist(lcontext, lentry, objectClass, objectclasses); @@ -407,6 +408,9 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, if (strcasecmp(objectclasses[c], ipaHost) == 0) { is_host = true; } +if (strcasecmp(objectclasses[c], ipaService) == 0) { +is_service = true; +
Re: [Freeipa-devel] [PATCH] 140 Check trust chain length in CA-less install
Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/3707. Honza This patch seems to work ok but I've been unable to test it with an external CA installation because that seems to be broken (unrelated to this patch). I filed https://fedorahosted.org/freeipa/ticket/3773 rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 117 extdom: replace winbind calls with POSIX/SSSD calls
On Tue, 09 Jul 2013, Jakub Hrozek wrote: On Tue, Jul 09, 2013 at 11:42:00AM +0200, Jakub Hrozek wrote: On Tue, Jul 09, 2013 at 10:33:19AM +0300, Alexander Bokovoy wrote: On Mon, 08 Jul 2013, Jakub Hrozek wrote: On Mon, Jul 08, 2013 at 07:32:41PM +0300, Alexander Bokovoy wrote: On Mon, 08 Jul 2013, Jakub Hrozek wrote: On Mon, Jul 08, 2013 at 04:15:39PM +0300, Alexander Bokovoy wrote: On Mon, 08 Jul 2013, Alexander Bokovoy wrote: On Wed, 03 Jul 2013, Sumit Bose wrote: Hi, with this patch the extdom plugin, the LDAP extended operation that allows IPA clients with recent SSSD to lookup AD users and groups, will not use winbind for the lookup anymore but will use SSSD running in ipa_server_mode. Since now no plugin uses the winbind client libraries anymore, the second patch removes the related configures checks. I think for the time being we cannot remove winbind completely because it might be needed for msbd to work properly in a trusted environment. s/msbd/smbd/ ACK. I need to add 'ipa_server_mode = True' support to the installer code and then these patches can go in. Actually, the code still doesn't work due to some bug in sssd which fails to respond properly to getsidbyname() request in libsss_nss_idmap. Additionally I've found one missing treatment of domain_name for INP_NAME requests. We are working with Jakub on tracking down what's wrong on SSSD side. Indeed, there was a casing issue in sysdb. You can continue testing with lowercase user names in the meantime. A patch is already on the SSSD list. In addition, we need to disqualify user name when returning back a packet from extdom operation as this is what SSSD expects. Attached patch does it for all types of requests. -- / Alexander Bokovoy From 3659059c646f7b584ee07fb9e780759bcc0bb08e Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Mon, 8 Jul 2013 19:19:56 +0300 Subject: [PATCH] Fix extdom plugin to provide unqualified name in response as sssd expects extdom plugin handles external operation over which SSSD asks IPA server about trusted domain users not found through normal paths but detected to belong to the trusted domains associated with IPA realm. SSSD expects that user or group name in the response will be unqualified because domain name for the user or group is also included in the response. Strip domain name from the name if getgrnam_r/getpwnam_r calls returned fully qualified name which includes the domain name we are asked to handle. The code already expects that fully-qualified names are following user@domain convention so we are simply tracking whether '@' symbol is present and is followed by the domain name. --- .../ipa-extdom-extop/ipa_extdom_common.c | 26 ++ 1 file changed, 26 insertions(+) diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c index 8aa22e1..290da4e 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c @@ -295,6 +295,7 @@ int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req, grp_result); } } +domain_name = strdup(req-data.name.domain_name); I would prefer if this was a separate patch. But this is a correct change. Separated. Ack to this patch. break; default: ret = LDAP_PROTOCOL_ERROR; @@ -338,6 +339,7 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data, const char *domain_name, struct extdom_res **_res) { int ret = EFAULT; +char *locat = NULL; struct extdom_res *res; res = calloc(1, sizeof(struct extdom_res)); @@ -354,10 +356,20 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data, switch(id_type) { case SSS_ID_TYPE_UID: case SSS_ID_TYPE_BOTH: +if ((locat = strchr(pg_data-data.pwd.pw_name, '@')) != NULL) { +if (strstr(locat, domain_name) != NULL ) { strstr doesn't work correctly in my case. In SSSD, the domain names are case-insensitive, so you can use strcasestr here. In my case, the condition is never hit as the domain case differs: 407 res-data.user.domain_name = strdup(domain_name); (gdb) 408 if ((locat = strchr(pg_data-data.pwd.pw_name, '@')) != NULL) { (gdb) n 409 if (strstr(locat, domain_name) != NULL) { (gdb) 414 strdup(pg_data-data.pwd.pw_name); (gdb) p domain_name $1 = 0x7f2e800f0690 AD.EXAMPLE.COM (gdb) p locat $2 = 0x7f2e8006500d @ad.example.com Replaced by strcasestr. Also, this is good enough for the beta
Re: [Freeipa-devel] [PATCHES] 0039-0040 systemd ipactl fixes
On 07/08/2013 08:32 AM, Alexander Bokovoy wrote: On Thu, 20 Jun 2013, Ana Krivokapic wrote: Hello, Attached patches fix systemd and ipactl related bugs: https://fedorahosted.org/freeipa/ticket/3730 https://fedorahosted.org/freeipa/ticket/3729 NACK. For me upgrade case fails (rpm -Uhv), dirsrv didn't restart on upgrade properly and everything else has failed afterwards. This was caused due to 'systemctl is-active' returning exit status 3 ('activating'), and our code treating the non-zero exit status as a failure. I handled this case in the updated patch. As for the ipa.service and dependency ordering, I have done some further testing and found out the adding the '--ignore-dependencies' switch alone solves the shutdown issue. So I think that no modification of ipa.service file is necessary. Updated patches are attached. -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. From c8d6d367f686d9477f66984e6b18de419cb28242 Mon Sep 17 00:00:00 2001 From: Ana Krivokapic akriv...@redhat.com Date: Thu, 20 Jun 2013 11:53:29 +0200 Subject: [PATCH] Use correct DS instance in ipactl status Make sure ipactl status check for correct DS instance. It should check for 'dirsrv@IPA-REALM' and not 'dirsrv.target'. https://fedorahosted.org/freeipa/ticket/3730 --- ipapython/ipautil.py | 5 +++-- ipapython/platform/base/systemd.py | 39 +++--- 2 files changed, 31 insertions(+), 13 deletions(-) diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index 3d174ed021bdad7fef52061ecbb2470ee02ebe19..f2ca9d6a907a4a5fddc8e79b8c07a9d52c1b370e 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -58,9 +58,10 @@ class CalledProcessError(Exception): This exception is raised when a process run by check_call() returns a non-zero exit status. The exit status will be stored in the returncode attribute. -def __init__(self, returncode, cmd): +def __init__(self, returncode, cmd, output=None): self.returncode = returncode self.cmd = cmd +self.output = output def __str__(self): return Command '%s' returned non-zero exit status %d % (self.cmd, self.returncode) @@ -319,7 +320,7 @@ def run(args, stdin=None, raiseonerr=True, root_logger.debug('stderr=%s' % stderr) if p.returncode != 0 and raiseonerr: -raise CalledProcessError(p.returncode, arg_string) +raise CalledProcessError(p.returncode, arg_string, stdout) return (stdout, stderr, p.returncode) diff --git a/ipapython/platform/base/systemd.py b/ipapython/platform/base/systemd.py index a9c1ec03261ae8694b1a308b2e86f342f27e9e62..9721ac1a92077048d8dd0248014ed7cb11bb61a8 100644 --- a/ipapython/platform/base/systemd.py +++ b/ipapython/platform/base/systemd.py @@ -18,8 +18,6 @@ # import os -import shutil -import sys from ipapython import ipautil from ipapython.platform import base @@ -36,12 +34,18 @@ def __init__(self, service_name, systemd_name): self.lib_path = os.path.join(self.SYSTEMD_LIB_PATH, self.systemd_name) self.lib_path_exists = None -def service_instance(self, instance_name): +def service_instance(self, instance_name, operation=None): if self.lib_path_exists is None: self.lib_path_exists = os.path.exists(self.lib_path) elements = self.systemd_name.split(@) +# Make sure the correct DS instance is returned +if (elements[0] == 'dirsrv' and +not instance_name and +operation == 'is-active'): +return 'dirsrv@%s.service' % str(api.env.realm.replace('.', '-')) + # Short-cut: if there is already exact service name, return it if self.lib_path_exists and len(instance_name) == 0: if len(elements) == 1: @@ -118,14 +122,27 @@ def restart(self, instance_name=, capture_output=True, wait=True): self.__wait_for_open_ports(self.service_instance(instance_name)) def is_running(self, instance_name=): -ret = True -try: -(sout, serr, rcode) = ipautil.run([/bin/systemctl, is-active, self.service_instance(instance_name)],capture_output=True) -if rcode != 0: -ret = False -except ipautil.CalledProcessError: -ret = False -return ret +instance = self.service_instance(instance_name, 'is-active') + +while True: +try: +(sout, serr, rcode) = ipautil.run( +[/bin/systemctl, is-active, instance], +capture_output=True +) +except ipautil.CalledProcessError as e: +if e.returncode == 3 and 'activating' in str(e.output): +continue +return False +else: +# activating +if rcode == 3 and 'activating' in str(sout): +
Re: [Freeipa-devel] [PATCH] 117 extdom: replace winbind calls with POSIX/SSSD calls
On Wed, 2013-07-10 at 19:15 +0300, Alexander Bokovoy wrote: On Tue, 09 Jul 2013, Jakub Hrozek wrote: On Tue, Jul 09, 2013 at 11:42:00AM +0200, Jakub Hrozek wrote: On Tue, Jul 09, 2013 at 10:33:19AM +0300, Alexander Bokovoy wrote: On Mon, 08 Jul 2013, Jakub Hrozek wrote: On Mon, Jul 08, 2013 at 07:32:41PM +0300, Alexander Bokovoy wrote: On Mon, 08 Jul 2013, Jakub Hrozek wrote: On Mon, Jul 08, 2013 at 04:15:39PM +0300, Alexander Bokovoy wrote: On Mon, 08 Jul 2013, Alexander Bokovoy wrote: On Wed, 03 Jul 2013, Sumit Bose wrote: Hi, with this patch the extdom plugin, the LDAP extended operation that allows IPA clients with recent SSSD to lookup AD users and groups, will not use winbind for the lookup anymore but will use SSSD running in ipa_server_mode. Since now no plugin uses the winbind client libraries anymore, the second patch removes the related configures checks. I think for the time being we cannot remove winbind completely because it might be needed for msbd to work properly in a trusted environment. s/msbd/smbd/ ACK. I need to add 'ipa_server_mode = True' support to the installer code and then these patches can go in. Actually, the code still doesn't work due to some bug in sssd which fails to respond properly to getsidbyname() request in libsss_nss_idmap. Additionally I've found one missing treatment of domain_name for INP_NAME requests. We are working with Jakub on tracking down what's wrong on SSSD side. Indeed, there was a casing issue in sysdb. You can continue testing with lowercase user names in the meantime. A patch is already on the SSSD list. In addition, we need to disqualify user name when returning back a packet from extdom operation as this is what SSSD expects. Attached patch does it for all types of requests. -- / Alexander Bokovoy From 3659059c646f7b584ee07fb9e780759bcc0bb08e Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Mon, 8 Jul 2013 19:19:56 +0300 Subject: [PATCH] Fix extdom plugin to provide unqualified name in response as sssd expects extdom plugin handles external operation over which SSSD asks IPA server about trusted domain users not found through normal paths but detected to belong to the trusted domains associated with IPA realm. SSSD expects that user or group name in the response will be unqualified because domain name for the user or group is also included in the response. Strip domain name from the name if getgrnam_r/getpwnam_r calls returned fully qualified name which includes the domain name we are asked to handle. The code already expects that fully-qualified names are following user@domain convention so we are simply tracking whether '@' symbol is present and is followed by the domain name. --- .../ipa-extdom-extop/ipa_extdom_common.c | 26 ++ 1 file changed, 26 insertions(+) diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c index 8aa22e1..290da4e 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c @@ -295,6 +295,7 @@ int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req, grp_result); } } +domain_name = strdup(req-data.name.domain_name); I would prefer if this was a separate patch. But this is a correct change. Separated. Ack to this patch. break; default: ret = LDAP_PROTOCOL_ERROR; @@ -338,6 +339,7 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data, const char *domain_name, struct extdom_res **_res) { int ret = EFAULT; +char *locat = NULL; struct extdom_res *res; res = calloc(1, sizeof(struct extdom_res)); @@ -354,10 +356,20 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data, switch(id_type) { case SSS_ID_TYPE_UID: case SSS_ID_TYPE_BOTH: +if ((locat = strchr(pg_data-data.pwd.pw_name, '@')) != NULL) { +if (strstr(locat, domain_name) != NULL ) { strstr doesn't work correctly in my case. In SSSD, the domain names are case-insensitive, so you can use strcasestr here. In my case, the condition is never hit as the domain case differs: 407 res-data.user.domain_name = strdup(domain_name); (gdb) 408 if ((locat = strchr(pg_data-data.pwd.pw_name, '@')) != NULL) { (gdb) n
Re: [Freeipa-devel] [PATCH] 116 Add PAC to master host TGTs
On Wed, 10 Jul 2013, Alexander Bokovoy wrote: On Wed, 10 Jul 2013, Simo Sorce wrote: On Tue, 2013-07-09 at 22:39 +0200, Jakub Hrozek wrote: On Tue, Jul 09, 2013 at 02:12:33PM +0300, Alexander Bokovoy wrote: On Tue, 09 Jul 2013, Jakub Hrozek wrote: On Wed, Jul 03, 2013 at 02:53:55PM +0200, Sumit Bose wrote: On Wed, Jul 03, 2013 at 01:00:43PM +0300, Alexander Bokovoy wrote: On Mon, 01 Jul 2013, Sumit Bose wrote: Hi, this patch fixes https://fedorahosted.org/freeipa/ticket/3651 but only to allow SSSD running on a FreeIPA server to access the AD LDAP server. In the ticket a more generic solution is described but since there is no other use case so far I think this patch is sufficient for the time being. bye, Sumit From a707d8f9d771dfe4fb8487e051519dba0ef72449 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Mon, 1 Jul 2013 13:47:22 +0200 Subject: [PATCH] Add PAC to master host TGTs For a proper SALS bind with GSSAPI against an AD LDAP server a PAC is needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server of a trusted domain with the credentials of a FreeIPA server host a PAC must be added to the TGT for the host. s/SALS/SASL/ Thank you for the review, I've fixed the typo and added the numerical values for the well-known RIDs to the commit message. To determine if a host is a FreeIPA server or not it is checked if there is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately this requires an additional LDAP lookup. But since TGS-REQs for hosts should be rare I think it is acceptable for the time being. I think it is better to change this lookup to cn=ADTRUST,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX, it would explicitly limit us to the IPA masters running AD trusts. I'm not sure if this restriction is needed. With SSSD's ipa_server_mode any IPA master (which networkwise can access an AD server of the trusted domain) can read AD user and group data, no running smbd or winbind is required. So it would be possible to run the extdom plugin or the compat plugin for the legacy clients on any IPA server which would allow a much better load balancing. If there are other concerns I'm happy to add the restriction. bye, Sumit I don't think I know the code good enough to provide a full review, but the patch enables the lookups from an IPA master without any additional hacks. So ack on functionality at least. Ok. I've extended this functionality to generate MS-PAC also for services running on IPA masters. Patch attached. This is needed to finally get rid of access to trust auth material for IPA python code. HTTP/fqdn@REALM will now be able to authenticate against AD LDAP server and look up needed information directly, without elevating privileges to trust admins. This should also help for AD range discovery Tomas is working on. Hi, The patch looks good to me so I'm giving my +1. I would appreciate other review too before a full ack, though. I've nacked the approach, although the results are as expected. Alexander will send a simplified patch that avoids the extra search and use of managedby which is not ok. New patch attached. After discussion with Simo on IRC, I decided to use krb5_parse_name() to properly parse krbPrincipalName attribute for the service and veto it against pre-defined set of services we support generating MS-PAC for on the IPA master. The list currently includes only cifs/ipa.master@REALM and HTTP/ipa.master@REALM as host/ipa.master@REALM is handled by the is_host case. I verified it by initializing ccache with /etc/httpd/conf/ipa.keytab and accessing AD over LDAP, it worked well (same result for host/): - # kinit -kt /etc/httpd/conf/ipa.keytab HTTP/ipa.example@example.com # ldapsearch -Y GSSAPI -h altai.ad.lan -b dc=ad,dc=lan '(cn=IPAX$)' SASL/GSSAPI authentication started SASL username: HTTP/ipa.example@example.com SASL SSF: 56 SASL data security layer installed. # extended LDIF # # LDAPv3 # base dc=ad,dc=lan with scope subtree # filter: (cn=IPAX$) # requesting: ALL # # IPAX$, Users, ad.lan dn: CN=IPAX$,CN=Users,DC=ad,DC=lan objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: IPAX$ distinguishedName: CN=IPAX$,CN=Users,DC=ad,DC=lan instanceType: 4 whenCreated: 20130708091622.0Z whenChanged: 20130710123914.0Z uSNCreated: 98603 uSNChanged: 102524 name: IPAX$ objectGUID:: FxL42tGLnEOfKkuMw6sVVw== userAccountControl: 2080 badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 0 lastLogoff: 0 lastLogon: 130179335549552172 pwdLastSet: 130177485824178582 primaryGroupID: 513 objectSid:: AQUAAAUVzl3L0KYmgQdG8ZPbeQQAAA== accountExpires: 9223372036854775807 logonCount: 1 sAMAccountName: IPAX$ sAMAccountType: 805306370 objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=lan isCriticalSystemObject: TRUE
Re: [Freeipa-devel] [PATCH] 116 Add PAC to master host TGTs
On Wed, 2013-07-10 at 19:55 +0300, Alexander Bokovoy wrote: The patch looks good to me so I'm giving my +1. I would appreciate other review too before a full ack, though. I've nacked the approach, although the results are as expected. Alexander will send a simplified patch that avoids the extra search and use of managedby which is not ok. New patch attached. After discussion with Simo on IRC, I decided to use krb5_parse_name() to properly parse krbPrincipalName attribute for the service and veto it against pre-defined set of services we support generating MS-PAC for on the IPA master. The list currently includes only cifs/ipa.master@REALM and HTTP/ipa.master@REALM as host/ipa.master@REALM is handled by the is_host case. LGTM. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] Fix for small syntax error in OTP schema
https://fedorahosted.org/freeipa/ticket/3765 Due to the potentially bad ramifications of a schema syntax error, I tested this in both single server and replica configurations. The worst case in both is a truncated attribute description. The above patch fixes the problem in both cases with a simple ipa-ldap-updater. Nathaniel From 3cc534671a63970d9ed21c44193347ae41bc192b Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum npmccal...@redhat.com Date: Wed, 10 Jul 2013 14:47:21 -0400 Subject: [PATCH] Fix for small syntax error in OTP schema https://fedorahosted.org/freeipa/ticket/3765 --- install/share/70ipaotp.ldif| 2 +- install/updates/10-70ipaotp.update | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/install/share/70ipaotp.ldif b/install/share/70ipaotp.ldif index 3cfe8723749706f26a44ed99047c23d937e37583..d9ae251905d14648f61c6ee61834cd92608b97f8 100644 --- a/install/share/70ipaotp.ldif +++ b/install/share/70ipaotp.ldif @@ -18,7 +18,7 @@ attributeTypes: (2.16.840.1.113730.3.8.16.1.13 NAME 'ipatokenOwner' DESC 'User e attributeTypes: (2.16.840.1.113730.3.8.16.1.14 NAME 'ipatokenRadiusUserName' DESC 'Corresponding Radius username' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP') attributeTypes: (2.16.840.1.113730.3.8.16.1.15 NAME 'ipatokenRadiusConfigLink' DESC 'Corresponding Radius Configuration link' SUP distinguishedName SINGLE-VALUE X-ORIGIN 'IPA OTP') attributeTypes: (2.16.840.1.113730.3.8.16.1.16 NAME 'ipatokenRadiusServer' DESC 'Server String Configuration' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA OTP') -attributeTypes: (2.16.840.1.113730.3.8.16.1.17 NAME 'ipatokenRadiusSecret' DESC 'Server's Secret' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA OTP') +attributeTypes: (2.16.840.1.113730.3.8.16.1.17 NAME 'ipatokenRadiusSecret' DESC 'Server Secret' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA OTP') attributeTypes: (2.16.840.1.113730.3.8.16.1.18 NAME 'ipatokenRadiusTimeout' DESC 'Server Timeout' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP') attributeTypes: (2.16.840.1.113730.3.8.16.1.19 NAME 'ipatokenRadiusRetries' DESC 'Number of allowed Retries' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP') attributeTypes: (2.16.840.1.113730.3.8.16.1.20 NAME 'ipatokenUserMapAttribute' DESC 'Attribute to map from the user entry for RADIUS server authentication' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP') diff --git a/install/updates/10-70ipaotp.update b/install/updates/10-70ipaotp.update index 600ef9cf56e12edc7263da49584d33b516ba8b38..ad9e45ba5bd354fdcf9146be63ca5aeba67c0a4e 100644 --- a/install/updates/10-70ipaotp.update +++ b/install/updates/10-70ipaotp.update @@ -15,7 +15,7 @@ add:attributeTypes: (2.16.840.1.113730.3.8.16.1.13 NAME 'ipatokenOwner' DESC 'Us add:attributeTypes: (2.16.840.1.113730.3.8.16.1.14 NAME 'ipatokenRadiusUserName' DESC 'Corresponding Radius username' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP') add:attributeTypes: (2.16.840.1.113730.3.8.16.1.15 NAME 'ipatokenRadiusConfigLink' DESC 'Corresponding Radius Configuration link' SUP distinguishedName SINGLE-VALUE X-ORIGIN 'IPA OTP') add:attributeTypes: (2.16.840.1.113730.3.8.16.1.16 NAME 'ipatokenRadiusServer' DESC 'Server String Configuration' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA OTP') -add:attributeTypes: (2.16.840.1.113730.3.8.16.1.17 NAME 'ipatokenRadiusSecret' DESC 'Server's Secret' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA OTP') +add:attributeTypes: (2.16.840.1.113730.3.8.16.1.17 NAME 'ipatokenRadiusSecret' DESC 'Server Secret' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA OTP') add:attributeTypes: (2.16.840.1.113730.3.8.16.1.18 NAME 'ipatokenRadiusTimeout' DESC 'Server Timeout' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP') add:attributeTypes: (2.16.840.1.113730.3.8.16.1.19 NAME 'ipatokenRadiusRetries' DESC 'Number of allowed Retries' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP') add:attributeTypes: (2.16.840.1.113730.3.8.16.1.20 NAME 'ipatokenUserMapAttribute' DESC 'Attribute to map from the user entry for RADIUS server authentication' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP') -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] Remove unused variable
Hi, I was doing quite a few builds of freeipa for testing and patch reviews lately and found a couple of unused variables. The attached patch removed the variables. From f3408502fe3e4392dff4085b58670241cd1956ae Mon Sep 17 00:00:00 2001 From: Jakub Hrozek jhro...@redhat.com Date: Tue, 9 Jul 2013 21:55:04 +0200 Subject: [PATCH] Remove unused variable --- daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c| 4 daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c | 1 - 2 files changed, 5 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c index fcd4d30a3d813204cc36c499fd9c0fa64156974f..0b3b84108476b0c6fc153b49cd0f65f9279035f2 100644 --- a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c +++ b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c @@ -232,7 +232,6 @@ int ipalockout_getpolicy(Slapi_Entry *target_entry, Slapi_Entry **policy_entry, char **errstr) { int ldrc = 0; -int flags = 0; int type_name_disposition = 0; Slapi_DN *pdn = NULL; @@ -415,7 +414,6 @@ static int ipalockout_postop(Slapi_PBlock *pb) char *lastfail = NULL; int tries = 0; int failure = 1; -int type_name_disposition = 0; char *actual_type_name = NULL; int attr_free_flags = 0; Slapi_ValueSet *values = NULL; @@ -665,7 +663,6 @@ static int ipalockout_preop(Slapi_PBlock *pb) Slapi_Entry *target_entry = NULL; Slapi_Entry *policy_entry = NULL; Slapi_DN *sdn = NULL; -Slapi_DN *pdn = NULL; Slapi_Value *objectclass = NULL; char *errstr = NULL; int ldrc = 0; @@ -678,7 +675,6 @@ static int ipalockout_preop(Slapi_PBlock *pb) time_t last_failed = 0; char *lastfail = NULL; char *unlock_time = NULL; -int type_name_disposition = 0; char *actual_type_name = NULL; int attr_free_flags = 0; Slapi_ValueSet *values = NULL; diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c index ae7adecb6e04b5a736fa04b458d51a6fa3860d05..65ceaea685a276db91aab356dab617e260095873 100644 --- a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c +++ b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c @@ -853,7 +853,6 @@ ipa_winsync_config_refresh_domain( int loopdone = 0; int search_scope = LDAP_SCOPE_SUBTREE; int ret = LDAP_SUCCESS; -Slapi_Value *sv = NULL; int acct_disable; char *inactivated_filter = NULL; char *activated_filter = NULL; -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel