[Freeipa-devel] Heads-up: pylint 1.0 breaks the build
Hello,

Pylint 1.0 was released recently[0], and found its way into fedora-updates-testing. It has some changed internals, and currently breaks our build. Please don't update until the issue[1] is fixed. I'm working on a fix, since this breaks tests.

[0] http://www.logilab.org/blogentry/163292
[1] https://fedorahosted.org/freeipa/ticket/3865

--
Petr³
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCHES] 0270-0271 Support for Pylint 1.0
Hello, The first patch fixes a minor problem that Pylint 1.0 finds in our code. The second patch makes make-lint compatible with Pylint 1.0. It contains a workaround for a Pylint bug; before pushing this we should wait for a while to see if a fixed Pylint is released. -- Petr³ From 969ead2e3fbdf9cfbd6bffefef24316d37803a13 Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Mon, 19 Aug 2013 12:01:54 +0200 Subject: [PATCH] Remove __all__ specifications in ipaclient and ipaserver.install The __all__ list does not cause submodules to be imported, e.g. one would still have to `import ipaclient.ipachangeconf` rather than just `import ipaclient` to use `ipaclient.ipachangeconf`. Even if they did do anything, the lists were incomplete, and (since `import *` is not used on these modules) unnecessary. Pylint 1.0 reports undeclared names in __all__ as a warning. --- ipa-client/ipaclient/__init__.py | 3 --- ipaserver/install/__init__.py| 2 -- 2 files changed, 5 deletions(-) diff --git a/ipa-client/ipaclient/__init__.py b/ipa-client/ipaclient/__init__.py index 39c97d2fd6b3113eaab6384fe97f0ef27e4e67f3..65ab6ac3ed33541bd8a6d9a50ddc1f04ecaa5e6f 100644 --- a/ipa-client/ipaclient/__init__.py +++ b/ipa-client/ipaclient/__init__.py @@ -16,6 +16,3 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see http://www.gnu.org/licenses/. # - -__all__ = [ipadiscovery, ipachangeconf] - diff --git a/ipaserver/install/__init__.py b/ipaserver/install/__init__.py index bc2229415f278dca3294d34578e454f1971a54fc..fc08ea43921b27216df7d5e9d8cba46e1123422a 100644 --- a/ipaserver/install/__init__.py +++ b/ipaserver/install/__init__.py @@ -17,5 +17,3 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see http://www.gnu.org/licenses/. # - -__all__ = [dsinstance, krbinstance] -- 1.8.3.1 From 67f7a0368bc84ef98c1892401549418f093b79b4 Mon Sep 17 00:00:00 2001 
From: Petr Viktorin pvikt...@redhat.com Date: Mon, 19 Aug 2013 12:18:54 +0200 Subject: [PATCH] Make make-lint compatible with Pylint 1.0 Pylint 1.0 was released[0] and it brings some incompatibilities, as well as a bug[1] that's triggered by FreeIPA code. This patch updates make-lint to be compatible with Pylint 1.0, while keeping support for version 0.26. [0] http://www.logilab.org/blogentry/163292 [1] https://bitbucket.org/logilab/pylint/issue/47 Ticket: https://fedorahosted.org/freeipa/ticket/3865 --- make-lint | 38 ++ 1 file changed, 34 insertions(+), 4 deletions(-) diff --git a/make-lint b/make-lint index fd7bea2130b94f07ff3e19f8168f95fa561b50fc..69cce6e5fc3c9ad6ec98634b122dbbec95700ea9 100755 --- a/make-lint +++ b/make-lint 
@@ -28,18 +28,33 @@ from fnmatch import fnmatch, fnmatchcase try: from pylint import checkers from pylint.lint import PyLinter -from pylint.reporters.text import ParseableTextReporter from pylint.checkers.typecheck import TypeChecker -from logilab.astng import Class, Instance, InferenceError +try: +# Pylint 1.0 +from astroid import Class, Instance, InferenceError +from pylint.reporters.text import TextReporter +have_pylint_1_0 = True +except ImportError: +# Older Pylint +from logilab.astng import Class, Instance, InferenceError +from pylint.reporters.text import ParseableTextReporter +have_pylint_1_0 = False except ImportError: print sys.stderr, To use {0}, please install pylint..format(sys.argv[0]) sys.exit(32) # File names to ignore when searching for python source files IGNORE_FILES = ('.*', '*~', '*.in', '*.pyc', '*.pyo') IGNORE_PATHS = ('build', 'rpmbuild', 'dist', 'install/po/test_i18n.py', 'lite-server.py', 'make-lint', 'make-test', 'ipatests') +# FIXME: The following classes cause the following Pylint error: +# https://bitbucket.org/logilab/pylint/issue/47 +IGNORE_RELATED_CLASSES = [ +'urlparse.SplitResult', +'ArgSpec.ArgSpec', +] + class IPATypeChecker(TypeChecker): NAMESPACE_ATTRS = ['Command', 'Object', 'Method', 'Property', 'Backend', 'Updater', 'Advice'] @@ -58,6 +73,11 @@ class IPATypeChecker(TypeChecker): 'fragment', 'username', 'password', 'hostname', 'port'], 'urlparse.ParseResult': ['params'], +# Related to IGNORE_RELATED_CLASSES +'urlparse.SplitResult': ['netloc'], +'ArgSpec.ArgSpec': ['args'], +'ldap.LDAPError': ['args'], + # IPA classes 'ipalib.base.NameSpace': ['add', 'mod', 'del', 'show', 'find'], 'ipalib.cli.Collector': ['__options'], @@ -91,6 +111,11 @@ class IPATypeChecker(TypeChecker): def _related_classes(self, klass): yield klass + +if any(str(klass) == 'Instance of %s' % n + for n in IGNORE_RELATED_CLASSES): +return + for base in klass.ancestors():
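Review bot: In the _related_classes hunk of make-lint, the early return keys on str(klass) == 'Instance of %s' % n, which ties the workaround to the text of the node's string form, and it runs whether or not have_pylint_1_0 is set. Suggest comparing the class's qualified name instead and applying the skip only when have_pylint_1_0 is True, so the 0.26 path keeps walking ancestors as before. In the IPATypeChecker hunk, the entries added under the comment "Related to IGNORE_RELATED_CLASSES" include 'ldap.LDAPError': ['args'], but ldap.LDAPError is not in IGNORE_RELATED_CLASSES; either add it to the list or move it out from under that comment. In the import hunk, have_pylint_1_0 is set from whether astroid imports rather than from the Pylint version, which deserves a one-line comment.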
Re: [Freeipa-devel] [PATCH] 441 Add base-id, range-size and range-type options to trust-add dialog
On 08/15/2013 12:33 PM, Petr Vobornik wrote: https://fedorahosted.org/freeipa/ticket/3049 New version. This version adds option for range type auto-detection. Previous patch forced some range type. -- Petr Vobornik From 2e8b9c4d7932684bd389f776c534ac2f10b0fa41 Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Thu, 15 Aug 2013 12:31:32 +0200 Subject: [PATCH] Add base-id, range-size and range-type options to trust-add dialog https://fedorahosted.org/freeipa/ticket/3049 --- install/ui/src/freeipa/trust.js| 47 ++ install/ui/test/data/ipa_init.json | 1 + ipalib/plugins/internal.py | 1 + 3 files changed, 49 insertions(+) diff --git a/install/ui/src/freeipa/trust.js b/install/ui/src/freeipa/trust.js index 5f3458d29f37bdd13435e7ed494774b1333ea07e..53a536763a7e640c2248322c455481c2b137a05d 100644 --- a/install/ui/src/freeipa/trust.js +++ b/install/ui/src/freeipa/trust.js @@ -130,7 +130,26 @@ return { $type: 'same_password', other_field: 'trust_secret' }] +}, +{ +$type: 'radio', +name: 'range_type', +metadata: '@mc-opt:trust_add:range_type', +widget: 'range.range_type' +}, +{ +name: 'base_id', +label: '@i18n:objects.idrange.ipabaseid', +metadata: '@mc-opt:trust_add:base_id', +widget: 'range.base_id' +}, +{ +name: 'range_size', +label: '@i18n:objects.idrange.ipaidrangesize', +metadata: '@mc-opt:trust_add:range_size', +widget: 'range.range_size' } + ], widgets: [ { @@ -176,6 +195,34 @@ return { name: 'trust_secret_verify' } ] +}, +{ +$type: 'details_table_section_nc', +name: 'range', +widgets: [ +{ +$type: 'radio', +name: 'range_type', +layout: 'vertical', +default_value: '', +options: [ +{ +value: '', +label: '@i18n:objects.idrange.type_detect' +}, +{ +value: 'ipa-ad-trust', +label: '@i18n:objects.idrange.type_ad' +}, +{ +value: 'ipa-ad-trust-posix', +label: '@i18n:objects.idrange.type_ad_posix' +} +] +}, +'base_id', +'range_size' +] } ], policies: [ 
diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json index 9cc7d23f7d25827bdccba0cb89524964720d1dab..8e0b2a33cc45d2a68878b7f3ab49b1491ae7c3f5 100644 --- a/install/ui/test/data/ipa_init.json +++ b/install/ui/test/data/ipa_init.json @@ -382,6 +382,7 @@ type: Range type, type_ad: Active Directory domain, type_ad_posix: Active Directory domain with POSIX attributes, +type_detect: Detect, type_local: Local domain, type_ipa: IPA trust, type_winsync: Active Directory winsync diff --git a/ipalib/plugins/internal.py b/ipalib/plugins/internal.py index b837412c78630dbb81a632850050d09e0ab0d029..83b505dae1c6349097f7ad5ed20ab25b5a262aa8 100644 --- a/ipalib/plugins/internal.py +++ b/ipalib/plugins/internal.py @@ -517,6 +517,7 @@ class i18n_messages(Command): type: _(Range type), type_ad: _(Active Directory domain), type_ad_posix: _(Active Directory domain with POSIX attributes), +type_detect: _(Detect), type_local: _(Local domain), type_ipa: _(IPA trust), type_winsync: _(Active Directory winsync), -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
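Review bot: In the trust.js widgets hunk, the auto-detect choice is encoded as value: '' and is also the default_value of the range_type radio, so the default state of the dialog carries an empty string for range_type. Please confirm the dialog leaves range_type out of the trust_add call when it is empty rather than sending '' to the server, and say so in a comment next to the option. The new label type_detect: Detect in ipa_init.json and internal.py is terse next to type_ad and type_ad_posix; a label that names what is detected would read better in the dialog.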
Re: [Freeipa-devel] [PATCHES] 152-158 ipa-server-certinstall fixes
On 07/15/2013 10:16 AM, Jan Cholasta wrote: On 11.7.2013 14:10, Jan Cholasta wrote: Hi, this is the first batch of patches for https://fedorahosted.org/freeipa/ticket/3641. It contains port of ipa-server-certinstall to the admintool framework and fixes some bugs. Note that there's still some work I have to do to make ipa-server-certinstall work properly for installs with CA, currently it works reliably only on CA-less installs. This patchset also does not make it possible to change the CA certificate (as requested in the ticket). We discussed this with Rob and agreed that it should instead be done as part of https://fedorahosted.org/freeipa/ticket/3737. Unless there are any objections, that's what is going to happen. Added patches (157 and 158) to support installs with CA. Honza Thanks! I've read the patches and have some initial comments; I'll get to functional testing (and writing related CA-less tests) right away. The patches need a small rebase (attached since I did it anyway). Patch 152: OK (I saw some issues but they're fixed later on) Patch 153: You can use log_file_name = '/var/log/ipa/default.log' on the ServerCertInstall class to keep the default log file. Patch 154: OK Patch 155: All this is removed by patch 157, please squash them together. Patch 156: OK Patch 157: Please add the delete_cert method to the NSSDatabase class, and have CertDB call it (see e.g. run_certutil, find_server_certs, import_pkcs12). The CertDB is only meant for IPA-specific functionality. Patch 158: OK -- Petr³ From 4735e1c351f1b29cae892013ed614420143fdcd3 Mon Sep 17 00:00:00 2001 
From: Jan Cholasta jchol...@redhat.com Date: Thu, 4 Jul 2013 15:45:42 + Subject: [PATCH 153/158] Port ipa-server-certinstall to the admintool framework. https://fedorahosted.org/freeipa/ticket/3641 --- install/tools/ipa-server-certinstall| 145 +- ipaserver/install/ipa_server_certinstall.py | 154 2 files changed, 158 insertions(+), 141 deletions(-) create mode 100644 ipaserver/install/ipa_server_certinstall.py diff --git a/install/tools/ipa-server-certinstall b/install/tools/ipa-server-certinstall index 01a7ac0..9bb0ef8 100755 --- a/install/tools/ipa-server-certinstall +++ b/install/tools/ipa-server-certinstall @@ -1,7 +1,7 @@ #! /usr/bin/python -E -# Authors: Karl MacMillan kmacmil...@mentalrootkit.com +# Authors: Jan Cholasta jchol...@redhat.com # -# Copyright (C) 2007 Red Hat +# Copyright (C) 2013 Red Hat # see file 'COPYING' for use and warranty information # # This program is free software; you can redistribute it and/or modify 
@@ -18,143 +18,6 @@ # along with this program. If not, see http://www.gnu.org/licenses/. # -import sys -import os -import pwd -import tempfile +from ipaserver.install.ipa_server_certinstall import ServerCertInstall -import traceback - -import krbV - -from ipapython.ipautil import user_input - -from ipaserver.install import certs, dsinstance, httpinstance, installutils -from ipalib import api -from ipapython import admintool -from ipapython.ipa_log_manager import * -from ipapython.dn import DN -from ipaserver.plugins.ldap2 import ldap2 - -CACERT = /etc/ipa/ca.crt - -def get_realm_name(): -c = krbV.default_context() -return c.default_realm - -def parse_options(): -from optparse import OptionParser -parser = OptionParser() - -parser.add_option(-d, --dirsrv, dest=dirsrv, action=store_true, - default=False, help=install certificate for the directory server) -parser.add_option(-w, --http, dest=http, action=store_true, - default=False, help=install certificate for the http server) -parser.add_option(--dirsrv_pin, dest=dirsrv_pin, - help=The password of the Directory Server PKCS#12 file) -parser.add_option(--http_pin, dest=http_pin, - help=The password of the Apache Server PKCS#12 file) - -options, args = parser.parse_args() - -if not options.dirsrv and not options.http: -parser.error(you must specify dirsrv and/or http) -if ((options.dirsrv and not options.dirsrv_pin) or -(options.http and not options.http_pin)): -parser.error(you must provide the password for the PKCS#12 file) - -if len(args) != 1: -parser.error(you must provide a pkcs12 filename) - -return options, args[0] - -def set_ds_cert_name(cert_name, dm_password): -conn = ldap2(shared_instance=False, base_dn='') -conn.connect(bind_dn=DN(('cn', 'directory manager')), bind_pw=dm_password) -mod = {'nssslpersonalityssl': cert_name} -conn.update_entry(DN(('cn', 'RSA'), ('cn', 'encryption'), ('cn', 'config')), mod) -conn.disconnect() - -def import_cert(dirname, pkcs12_fname, pkcs12_passwd, db_password): -[pw_fd, 
pw_name] = tempfile.mkstemp() -os.write(pw_fd, pkcs12_passwd) -os.close(pw_fd) - -try: -server_cert = installutils.check_pkcs12( -
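Review bot: The header hunk of install/tools/ipa-server-certinstall replaces the Authors line (Karl MacMillan) and the copyright year (2007) with Jan Cholasta and 2013, while the second hunk shows the existing option parsing and import_cert logic being removed from this file for the port. If the new ipaserver/install/ipa_server_certinstall.py carries over any of that logic, the original author and year should be kept there, or kept here alongside the new ones, rather than dropped. The commit message is only the subject and the ticket link; it should also list behaviour changes made as part of the port.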
[Freeipa-devel] [PATCH 0091] Perform dirsrv tuning at platform level
Hi,

When configuring the 389 Directory Server instance, we tune it so that number of file descriptors available to the DS is increased from the default 1024 to 8192.

There are platform specific steps that need to be conducted differently on systemd compatible platforms and sysV compatible platforms.

systemd:
    set LimitNOFILE to 8192 in /etc/sysconfig/dirsrv.systemd
sysV:
    set ulimit -n 8192 in /etc/sysconfig/dirsrv
    set ulimit - nofile 8192 in /etc/security/limits.conf

https://fedorahosted.org/freeipa/ticket/3823

--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org

From 30cf5bf24a4ca52ec8dcc9c7c79c0b92608e Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Tue, 6 Aug 2013 17:09:15 +0200 Subject: [PATCH] Perform dirsrv tuning at platform level When configuring the 389 Directory Server instance, we tune it so that number of file descriptors available to the DS is increased from the default 1024 to 8192. There are platform specific steps that need to be conducted differently on systemd compatible platforms and sysV compatible platforms. systemd: set LimitNOFILE to 8192 in /etc/sysconfig/dirsrv.systemd sysV: set ulimit -n 8192 in /etc/sysconfig/dirsrv set ulimit - nofile 8192 in /etc/security/limits.conf https://fedorahosted.org/freeipa/ticket/3823 --- ipapython/platform/fedora16/service.py | 30 --- ipapython/platform/redhat/service.py | 69 ++ ipaserver/install/dsinstance.py| 67 +++-- 3 files changed, 107 insertions(+), 59 deletions(-) diff --git a/ipapython/platform/fedora16/service.py b/ipapython/platform/fedora16/service.py index bceb87cd5bb2111d5c3460ddcd9940edee5443f4..297e68332df0375d51f7bbf971a05b05339a84af 100644 --- a/ipapython/platform/fedora16/service.py +++ b/ipapython/platform/fedora16/service.py 
@@ -21,7 +21,7 @@ import os import time from ipapython import ipautil, dogtag -from ipapython.platform import base, redhat +from ipapython.platform import base from ipapython.platform.base import systemd from ipapython.platform.fedora16 import selinux from ipapython.ipa_log_manager import root_logger @@ -78,20 +78,38 @@ class Fedora16Service(systemd.SystemdService): # If we wouldn't do this, our instances will not be started as systemd would # not have any clue about instances (PKI-IPA and the domain we serve) at all. # Thus, hook into dirsrv.restart(). + + class Fedora16DirectoryService(Fedora16Service): -def enable(self, instance_name=): -super(Fedora16DirectoryService, self).enable(instance_name) + +def tune_nofile_platform(self, num=8192, fstore=None): + +Increase the number of files descriptors available to directory server +from the default 1024 to 8192. This will allow to support a greater +number of clients out of the box. + +This is a part of the implementation that is systemd-specific. + +Returns False if the setting of the nofile limit needs to be skipped. + + dirsrv_systemd = /etc/sysconfig/dirsrv.systemd + if os.path.exists(dirsrv_systemd): # We need to enable LimitNOFILE=8192 in the dirsrv@.service # Since 389-ds-base-1.2.10-0.8.a7 the configuration of the # service parameters is performed via # /etc/sysconfig/dirsrv.systemd file which is imported by systemd # into dirsrv@.service unit -replacevars = {'LimitNOFILE':'8192'} -ipautil.inifile_replace_variables(dirsrv_systemd, 'service', replacevars=replacevars) +replacevars = {'LimitNOFILE': str(num)} +ipautil.inifile_replace_variables(dirsrv_systemd, + 'service', + replacevars=replacevars) selinux.restore_context(dirsrv_systemd) -ipautil.run([/bin/systemctl, --system, daemon-reload],raiseonerr=False) +ipautil.run([/bin/systemctl, --system, daemon-reload], +raiseonerr=False) + +return True def restart(self, instance_name=, capture_output=True, wait=True): if len(instance_name) 0: 
diff --git a/ipapython/platform/redhat/service.py b/ipapython/platform/redhat/service.py index 61511b4899721869a015abfccb945660faa0aacf..a07ea2d94d21817e145109353cc408a2f12c45a0 100644 --- a/ipapython/platform/redhat/service.py +++ b/ipapython/platform/redhat/service.py @@ -25,6 +25,7 @@ from ipapython.ipa_log_manager import root_logger from ipapython.platform import base from ipalib import api + class RedHatService(base.PlatformService): def __wait_for_open_ports(self, instance_name=): @@ -107,11 +108,79 @@ class RedHatHTTPDService(RedHatService): time.sleep(5) self.start(instance_name, capture_output, wait) + +class
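Review bot: In the Fedora16DirectoryService hunk, tune_nofile_platform ends with return True right after ipautil.run([... daemon-reload], raiseonerr=False), so a failed daemon-reload is swallowed and the caller is still told the limit was applied; the docstring only documents the False case. Suggest checking or logging the result of the reload and documenting what True means. The fstore parameter is not used in the visible body, and the docstring hard-codes "from the default 1024 to 8192" although the value now comes from num.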
Re: [Freeipa-devel] [PATCHES] 152-158 ipa-server-certinstall fixes
On 19.8.2013 14:02, Petr Viktorin wrote:
> Thanks! I've read the patches and have some initial comments; I'll get to functional testing (and writing related CA-less tests) right away.
>
> The patches need a small rebase (attached since I did it anyway).
>
> Patch 152: OK (I saw some issues but they're fixed later on)
>
> Patch 153: You can use log_file_name = '/var/log/ipa/default.log' on the ServerCertInstall class to keep the default log file.

What is the benefit in doing this? All ipa-server-certinstall did when using this file was complain about /var/log/ipa being non-existent.

> Patch 154: OK
>
> Patch 155: All this is removed by patch 157, please squash them together.
>
> Patch 156: OK
>
> Patch 157: Please add the delete_cert method to the NSSDatabase class, and have CertDB call it (see e.g. run_certutil, find_server_certs, import_pkcs12). The CertDB is only meant for IPA-specific functionality.
>
> Patch 158: OK

Honza

--
Jan Cholasta
[Freeipa-devel] [PATCH] 445 Web UI integration tests: ID range types
https://fedorahosted.org/freeipa/ticket/3834 -- Petr Vobornik From a3d1a12c112bc1cf9b47a6b5fb9a55e817ad47a1 Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Fri, 16 Aug 2013 18:18:53 +0200 Subject: [PATCH] Web UI integration tests: ID range types https://fedorahosted.org/freeipa/ticket/3834 --- .../test_webui/{test_range.py = task_range.py}| 55 + ipatests/test_webui/test_range.py | 124 - ipatests/test_webui/test_trust.py | 93 +--- ipatests/test_webui/ui_driver.py | 36 +- 4 files changed, 215 insertions(+), 93 deletions(-) copy ipatests/test_webui/{test_range.py = task_range.py} (64%) diff --git a/ipatests/test_webui/test_range.py b/ipatests/test_webui/task_range.py similarity index 64% copy from ipatests/test_webui/test_range.py copy to ipatests/test_webui/task_range.py index 0a7da7e4f3a804c1b4469cac225488b29dcd3138..2251e7cb9b1f107c7d9669e0788ea15e9c7b21dd 100644 --- a/ipatests/test_webui/test_range.py +++ b/ipatests/test_webui/task_range.py @@ -18,16 +18,13 @@ # along with this program. If not, see http://www.gnu.org/licenses/. -User tests +Range tasks from ipatests.test_webui.ui_driver import UI_driver -ENTITY = 'idrange' -PKEY = 'itest-range' - -class test_range(UI_driver): +class range_tasks(UI_driver): def get_shifts(self, idranges=None): 
@@ -64,27 +61,43 @@ class test_range(UI_driver): self.sec_rid_shift = rid_shift + 1000 self.shift = 0 -def get_data(self, pkey, size=50, shift=100): -self.shift += shift +def get_sid(self): +result = self.execute_api_from_ui('trust_find', [], {}) +trusts = result['result']['result'] +sid = None +if trusts: +sid = trusts[0]['ipanttrusteddomainsid'] +return sid + +def get_data(self, pkey, size=50, add_data=None): + +if not add_data: +sec_rid = self.has_trusts() +add_data = self.get_add_data(pkey, size=size, sec_rid=sec_rid) + data = { 'pkey': pkey, -'add': [ -('textbox', 'cn', pkey), -('textbox', 'ipabaseid', str(self.id_shift + self.shift)), -('textbox', 'ipaidrangesize', str(size)), -('textbox', 'ipabaserid', str(self.rid_shift + self.shift)), -('textbox', 'ipasecondarybaserid', str(self.sec_rid_shift + self.shift)), -], +'add': add_data, 'mod': [ ('textbox', 'ipaidrangesize', str(size + 1)), ], } return data -def test_crud(self): - -Basic CRUD: range - -self.init_app() -self.get_shifts() -self.basic_crud(ENTITY, self.get_data(PKEY)) +def get_add_data(self, pkey, range_type='ipa-local', size=50, shift=100, sec_rid=False, sid=None): + +self.shift += shift +add = [ +('textbox', 'cn', pkey), +('textbox', 'ipabaseid', str(self.id_shift + self.shift)), +('textbox', 'ipaidrangesize', str(size)), +('textbox', 'ipabaserid', str(self.rid_shift + self.shift)), +('radio', 'iparangetype', range_type), +] + +if sec_rid: +add.append(('textbox', 'ipasecondarybaserid', str(self.sec_rid_shift + self.shift))) +if sid: +add.append(('textbox', 'ipanttrusteddomainsid', sid)) + +return add diff --git a/ipatests/test_webui/test_range.py b/ipatests/test_webui/test_range.py index 0a7da7e4f3a804c1b4469cac225488b29dcd3138..b1c2506a9860cfcca65e9c6b7ba02e456664a51c 100644 --- a/ipatests/test_webui/test_range.py +++ b/ipatests/test_webui/test_range.py 
@@ -18,68 +18,17 @@ # along with this program. If not, see http://www.gnu.org/licenses/. -User tests +Range tests -from ipatests.test_webui.ui_driver import UI_driver +import ipatests.test_webui.test_trust as trust_mod +from ipatests.test_webui.task_range import range_tasks ENTITY = 'idrange' PKEY = 'itest-range' -class test_range(UI_driver): - -def get_shifts(self, idranges=None): - -if not idranges: -result = self.execute_api_from_ui('idrange_find', [], {}) -idranges = result['result']['result'] - -id_shift = 0 -rid_shift = 0 - -for idrange in idranges: -size = int(idrange['ipaidrangesize'][0]) -base_id = int(idrange['ipabaseid'][0]) - -id_end = base_id + size -rid_end = 0 - -if 'ipabaserid' in idrange: -base_rid = int(idrange['ipabaserid'][0]) -rid_end = base_rid + size - -if 'ipasecondarybaserid' in idrange: -secondary_base_rid = int(idrange['ipasecondarybaserid'][0]) -rid_end = max(base_rid, secondary_base_rid) + size - -if id_shift id_end: -
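Review bot: In the task_range.py hunk, get_sid returns trusts[0]['ipanttrusteddomainsid'] as is, while the get_shifts code shown in the test_range.py hunk reads attributes from API results with a [0] index (for example idrange['ipaidrangesize'][0]); if this attribute also comes back as a list, get_add_data will put a list into the ('textbox', 'ipanttrusteddomainsid', sid) tuple. Please index it or add a comment on why it differs. get_data also calls self.has_trusts(), which is not defined in the visible lines, and it no longer accepts shift, so callers that passed shift= need updating.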
[Freeipa-devel] [PATCH] 0056 Fix broken replication
Hello, This patch addresses ticket https://fedorahosted.org/freeipa/ticket/3868. -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. From cdcb28b9b3b8e45db1b7a61f0df6f41e7a61450a Mon Sep 17 00:00:00 2001 From: Ana Krivokapic akriv...@redhat.com Date: Mon, 19 Aug 2013 17:45:31 +0200 Subject: [PATCH] Fix broken replication Make sure the subject base parameter is correctly passed and used during the creation of the DS instance on a replica. https://fedorahosted.org/freeipa/ticket/3868 --- install/tools/ipa-replica-install | 14 ++ ipaserver/install/dsinstance.py | 4 ++-- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 79f8a7ab48f75ac2d9cd5149df6eda4784b3854a..b9590ed990a17001c9ca75a8f26161ebce664b23 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -162,10 +162,16 @@ def install_replica_ds(config): config.dir + /dirsrv_pin.txt) ds = dsinstance.DsInstance() -ds.create_replica(config.realm_name, - config.master_host_name, config.host_name, - config.domain_name, config.dirman_password, - pkcs12_info, ca_file = config.dir + /ca.crt) +ds.create_replica( +config.realm_name, +config.master_host_name, +config.host_name, +config.domain_name, +config.dirman_password, +pkcs12_info, +ca_file=config.dir + /ca.crt, +subject_base=config.subject_base +) return ds diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 8815757290efd0812bb551b4185a6afe91970211..a72559853e514659d36879811eb2d080e287b22d 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py 
@@ -275,7 +275,7 @@ def create_instance(self, realm_name, fqdn, domain_name, def create_replica(self, realm_name, master_fqdn, fqdn, domain_name, dm_password, pkcs12_info=None, - ca_file=None): + ca_file=None, subject_base=None): # idstart and idmax are configured so that the range is seen as # depleted by the DNA plugin and the replica will go and get a # new range from the master. @@ -284,7 +284,7 @@ def create_replica(self, realm_name, master_fqdn, fqdn, idmax = 1100 self.init_info( -realm_name, fqdn, domain_name, dm_password, None, +realm_name, fqdn, domain_name, dm_password, subject_base, idstart, idmax, pkcs12_info, ca_file=ca_file) self.master_fqdn = master_fqdn -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
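Review bot: In the dsinstance.py hunk, create_replica gains subject_base=None as an optional keyword, so a caller that forgets it still reaches init_info with None, which is the value the old code passed unconditionally. Making subject_base a required argument would turn that omission into an immediate TypeError instead of a silent fallback to None.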
Re: [Freeipa-devel] [PATCHES] 152-158 ipa-server-certinstall fixes
On 08/19/2013 03:50 PM, Jan Cholasta wrote:
> On 19.8.2013 14:02, Petr Viktorin wrote:
>> Thanks! I've read the patches and have some initial comments; I'll get to functional testing (and writing related CA-less tests) right away.
>>
>> The patches need a small rebase (attached since I did it anyway).
>>
>> Patch 152: OK (I saw some issues but they're fixed later on)
>>
>> Patch 153: You can use log_file_name = '/var/log/ipa/default.log' on the ServerCertInstall class to keep the default log file.
>
> What is the benefit in doing this? All ipa-server-certinstall did when using this file was complain about /var/log/ipa being non-existent.

Ah, okay. If it was a deliberate change, please mention it in the commit message.

>> Patch 154: OK
>>
>> Patch 155: All this is removed by patch 157, please squash them together.
>>
>> Patch 156: OK
>>
>> Patch 157: Please add the delete_cert method to the NSSDatabase class, and have CertDB call it (see e.g. run_certutil, find_server_certs, import_pkcs12). The CertDB is only meant for IPA-specific functionality.
>>
>> Patch 158: OK

The usage looks a bit strange to me. Having the --dirsrv_pin and --http_pin options doesn't make sense if there's only one certificate. Should we add a --pin option, and make these deprecated aliases of it? Or make the -d and -w options take individual arguments (which would be backwards incompatible)?

Also, it should be possible to enter the pin(s) and DM password interactively.

--
Petr³
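One way the --pin proposal in the message above could look, including the interactive prompt for the PIN. This is an added example, not FreeIPA code: it uses Python 3 argparse instead of the tool's own option parsing, the option names -d, -w, --dirsrv_pin and --http_pin are the ones shown on this page, and PinAction, build_parser, parse_options and the file name server.p12 are hypothetical.

```python
import argparse
import getpass
import warnings

# Per-service options from the existing tool, kept as deprecated aliases.
DEPRECATED_PIN_OPTIONS = ("--dirsrv_pin", "--http_pin")


class PinAction(argparse.Action):
    """Store the PKCS#12 PIN; warn on old spellings, reject conflicting values."""

    def __call__(self, parser, namespace, values, option_string=None):
        if option_string in DEPRECATED_PIN_OPTIONS:
            # FutureWarning is shown to end users by default.
            warnings.warn("%s is deprecated, use --pin" % option_string,
                          FutureWarning)
        current = getattr(namespace, self.dest, None)
        if current is not None and current != values:
            # One PKCS#12 file has one PIN: two different values is an error.
            parser.error("conflicting PINs given for one PKCS#12 file")
        setattr(namespace, self.dest, values)


def build_parser():
    parser = argparse.ArgumentParser(prog="certinstall-example")
    parser.add_argument("-d", "--dirsrv", action="store_true",
                        help="install certificate for the directory server")
    parser.add_argument("-w", "--http", action="store_true",
                        help="install certificate for the http server")
    parser.add_argument("--pin", dest="pin", action=PinAction,
                        help="The password of the PKCS#12 file")
    # Old names still parse into the same destination, hidden from --help.
    parser.add_argument(*DEPRECATED_PIN_OPTIONS, dest="pin", action=PinAction,
                        help=argparse.SUPPRESS)
    parser.add_argument("pkcs12_file", help="PKCS#12 file to install")
    return parser


def parse_options(argv, prompt=getpass.getpass):
    """Parse argv; ask for the PIN without echo when no option supplied it."""
    parser = build_parser()
    options = parser.parse_args(argv)
    if not (options.dirsrv or options.http):
        parser.error("you must specify dirsrv and/or http")
    if options.pin is None:
        # Interactive entry keeps the PIN out of the argument list.
        options.pin = prompt("Enter %s unlock password: " % options.pkcs12_file)
    if not options.pin:
        parser.error("you must provide the password for the PKCS#12 file")
    return options


if __name__ == "__main__":
    # Constructed command line; the PIN is typed at the prompt.
    opts = parse_options(["-d", "-w", "server.p12"])
    print("installing %s for dirsrv=%s http=%s"
          % (opts.pkcs12_file, opts.dirsrv, opts.http))
```
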
Re: [Freeipa-devel] [PATCH] 0056 Fix broken replication
Ana Krivokapic wrote:
> Hello,
>
> This patch addresses ticket https://fedorahosted.org/freeipa/ticket/3868.

I think for clarity, this should be "replica installation is broken" and not "replication is broken". A subtle but important difference.

rob
Re: [Freeipa-devel] [PATCH] 0056 Fix broken replication
On 08/19/2013 06:01 PM, Petr Viktorin wrote: On 08/19/2013 05:50 PM, Ana Krivokapic wrote: Hello, This patch addresses tickethttps://fedorahosted.org/freeipa/ticket/3868. -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. freeipa-akrivoka-0056-Fix-broken-replication.patch From cdcb28b9b3b8e45db1b7a61f0df6f41e7a61450a Mon Sep 17 00:00:00 2001 From: Ana Krivokapicakriv...@redhat.com Date: Mon, 19 Aug 2013 17:45:31 +0200 Subject: [PATCH] Fix broken replication Make sure the subject base parameter is correctly passed and used during the creation of the DS instance on a replica. https://fedorahosted.org/freeipa/ticket/3868 --- [...] --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -275,7 +275,7 @@ def create_instance(self, realm_name, fqdn, domain_name, def create_replica(self, realm_name, master_fqdn, fqdn, domain_name, dm_password, pkcs12_info=None, - ca_file=None): + ca_file=None, subject_base=None): Does it ever make sense to have subject_base=None here? I don't think so. Fixed. Also changed the commit message and ticket summary, as suggested by Rob. Updated patch is attached. -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. From 0730de02f665da080956175e78c263a011416dc2 Mon Sep 17 00:00:00 2001 From: Ana Krivokapic akriv...@redhat.com Date: Mon, 19 Aug 2013 17:45:31 +0200 Subject: [PATCH] Fix broken replica installation Make sure the subject base parameter is correctly passed and used during the creation of the DS instance on a replica. https://fedorahosted.org/freeipa/ticket/3868 --- install/tools/ipa-replica-install | 14 ++ ipaserver/install/dsinstance.py | 6 +++--- 2 files changed, 13 insertions(+), 7 deletions(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 79f8a7ab48f75ac2d9cd5149df6eda4784b3854a..8be57bf7d6f5ed956f3d666b6518ea18055d9df6 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install 
@@ -162,10 +162,16 @@ def install_replica_ds(config): config.dir + /dirsrv_pin.txt) ds = dsinstance.DsInstance() -ds.create_replica(config.realm_name, - config.master_host_name, config.host_name, - config.domain_name, config.dirman_password, - pkcs12_info, ca_file = config.dir + /ca.crt) +ds.create_replica( +config.realm_name, +config.master_host_name, +config.host_name, +config.domain_name, +config.dirman_password, +config.subject_base, +pkcs12_info, +ca_file=config.dir + /ca.crt, +) return ds diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 8815757290efd0812bb551b4185a6afe91970211..c1a112d143976d79c0408cb015b692d17e8f4e6b 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -274,8 +274,8 @@ def create_instance(self, realm_name, fqdn, domain_name, self.start_creation(runtime=60) def create_replica(self, realm_name, master_fqdn, fqdn, - domain_name, dm_password, pkcs12_info=None, - ca_file=None): + domain_name, dm_password, subject_base, + pkcs12_info=None, ca_file=None): # idstart and idmax are configured so that the range is seen as # depleted by the DNA plugin and the replica will go and get a # new range from the master. @@ -284,7 +284,7 @@ def create_replica(self, realm_name, master_fqdn, fqdn, idmax = 1100 self.init_info( -realm_name, fqdn, domain_name, dm_password, None, +realm_name, fqdn, domain_name, dm_password, subject_base, idstart, idmax, pkcs12_info, ca_file=ca_file) self.master_fqdn = master_fqdn -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
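Review bot: In the dsinstance.py hunk, subject_base is inserted as a positional parameter ahead of pkcs12_info, which shifts the position of pkcs12_info and ca_file. Any other caller that passes pkcs12_info positionally will now bind it to subject_base without an error. The updated call in ipa-replica-install is consistent with the new order; please check the remaining callers of create_replica, or pass pkcs12_info by keyword at the call site as is already done for ca_file.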
Re: [Freeipa-devel] [PATCH] 442 Hide 'New Certificate' action on CA-less install
On 08/15/2013 04:00 PM, Petr Vobornik wrote:
> This action calls cert-request command which is not available on CA-less installs. Thus this action won't be enabled and therefore there is no reason to keep it visible.
>
> https://fedorahosted.org/freeipa/ticket/3363

ACK

--
Regards,
Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.