Re: [Freeipa-devel] [PATCH] 0085 Fix regression which prevents creating a winsync agreement

2013-11-13 Thread Martin Kosek
On 11/12/2013 09:00 PM, Nathaniel McCallum wrote:
 On Tue, 2013-11-12 at 14:56 +0100, Ana Krivokapic wrote:
 Hello,

 This patch should fix the regression introduced by the original fix for 
 ticket
 https://fedorahosted.org/freeipa/ticket/3989.
 
 ACK
 

Pushed to master, ipa-3-3.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 0021 Documentation error in FreeIPA guide Setting up a Kerberized NFS Server

2013-11-13 Thread Martin Kosek
On 11/12/2013 09:01 PM, Nathaniel McCallum wrote:
 On Tue, 2013-11-12 at 14:12 +0100, Martin Basti wrote:
 One liner, missing example added.

 https://fedorahosted.org/freeipa/ticket/3997
 
 ACK
 

Pushed to master.

Martin



Re: [Freeipa-devel] [PATCH] 0127 Map NT_STATUS_INVALID_PARAMETER to a most likely error cause

2013-11-13 Thread Martin Kosek
On 11/12/2013 05:05 PM, Ana Krivokapic wrote:
 On 11/12/2013 04:55 PM, Alexander Bokovoy wrote:
 On Tue, 12 Nov 2013, Ana Krivokapic wrote:
 On 11/12/2013 10:41 AM, Alexander Bokovoy wrote:
 +-1073741811: # NT_STATUS_INVALID_PARAMETER
 +error.RemoteRetrieveError(
   ^ should be errors
 +reason=_('AD domain controller complains about communication
 sequence. It may mean unsynchronized time on both sides, for example')),

 With this change, the patch works fine.
 What can you break in three lines? :)

 Thanks!

 Fixed and added the ticket number to commit message.

 
 Thanks, ACK
 

Pushed to master, ipa-3-3.

Martin
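The quoted hunk maps the signed value -1073741811 to NT_STATUS_INVALID_PARAMETER. The following is an added example (not the patch's code) that shows why the number looks odd: Samba's Python bindings hand NTSTATUS back as a signed C int, so the helper folds it to uint32, extracts the severity bits, and looks the code up in a small table. The reason text for INVALID_PARAMETER is the one from the hunk; the other two entries and all function names are this example's own.

```python
# Added example, not FreeIPA code: normalise NTSTATUS values that arrive as
# signed 32-bit integers and map known codes to an operator-facing reason.

NT_STATUS_INVALID_PARAMETER = 0xC000000D   # == -1073741811 as a signed int32
NT_STATUS_ACCESS_DENIED = 0xC0000022
NT_STATUS_LOGON_FAILURE = 0xC000006D

# Reason strings: the first is the one from the quoted hunk, the others are
# assumptions written for this example.
_REASONS = {
    NT_STATUS_INVALID_PARAMETER:
        "AD domain controller complains about communication sequence. "
        "It may mean unsynchronized time on both sides, for example",
    NT_STATUS_ACCESS_DENIED: "access denied by the AD domain controller",
    NT_STATUS_LOGON_FAILURE: "credentials rejected by the AD domain controller",
}


def to_unsigned(code):
    """Fold a signed C int (as returned by Samba bindings) to the uint32 NTSTATUS."""
    return code & 0xFFFFFFFF


def severity(code):
    """Top two bits of an NTSTATUS: 0 success, 1 informational, 2 warning, 3 error."""
    return (to_unsigned(code) >> 30) & 0x3


def describe(code):
    """Return (hex_string, reason) for a signed or unsigned NTSTATUS value.

    Unknown codes get a generic reason that still carries the hex value, so a
    log line never loses the original status.
    """
    u = to_unsigned(code)
    reason = _REASONS.get(u)
    if reason is None:
        reason = "unexpected NTSTATUS 0x%08X (severity %d)" % (u, severity(u))
    return "0x%08X" % u, reason
```

Keying the table on the unsigned form means the same entry matches whether the caller passes -1073741811 or 0xC000000D.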



Re: [Freeipa-devel] [PATCHES] 0080-0081 Add userClass attributes for users and hosts

2013-11-13 Thread Ana Krivokapic
On 11/12/2013 01:27 PM, Ana Krivokapic wrote:
 On 10/30/2013 09:56 PM, Martin Kosek wrote:
 - Original Message -
 From: Simo Sorce s...@redhat.com
 To: Ana Krivokapic akriv...@redhat.com
 Cc: Martin Kosek mko...@redhat.com, freeipa-devel 
 freeipa-devel@redhat.com
 Sent: Wednesday, October 30, 2013 7:11:20 PM
 Subject: Re: [Freeipa-devel] [PATCHES] 0080-0081 Add userClass attributes 
 for users and hosts

 On Wed, 2013-10-30 at 19:01 +0100, Ana Krivokapic wrote:
 On 10/29/2013 02:04 PM, Simo Sorce wrote:
 On Tue, 2013-10-29 at 12:42 +0100, Martin Kosek wrote:
 On 10/29/2013 10:49 AM, Ana Krivokapic wrote:
 Hello,

 Patch 0080 adds userClass attribute for users to IPA CLI.
 Patch 0081 adds userClass attribute for users and hosts to the web UI.

 Design page:
 http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems

 Tickets:
 https://fedorahosted.org/freeipa/ticket/3588
 https://fedorahosted.org/freeipa/ticket/3590
 NACK to just extending posixAccount objectclass. This is a standard
 objectclass
 defined by RFC 2307 and we cannot just simply extend and overwrite it as
 we wish.
 Uhh indeed this is a big No-no.

 We will need to come up with some custom objectclass, like ipaUser. This
 is the
 reason why I wrote to ticket "A second goal of this ticket is to review
 current
 objectClass hierarchy of users and do changes if needed." so that we can
 pick
 the best option where to place it.
 userClass is used in ipaHost, so I guess it could instead be added to an
 ipa objectclass. ipaObject might be used perhaps, otherwise we'll need a
 new ipaUser objectclass.

 Simo.

 If there are no objections to using the ipaObject objectclass, the attached
 patches implement this approach.
 After some thinking ipaObject is more generic than just users, not sure
 that attaching userClass there is appropriate. I think we really need
 ipaUser at this point.
 +1. I also do not think that ipaObject is the right OC to place the 
 attribute, it is just too general.

 Let's go with the ipaUser objectClass, looking something like that:

 ( OID NAME 'ipaUser' AUXILIARY MUST ( uid ) MAY ( userClass ) X-ORIGIN 
 'IPA v3' )

 We will need to add the OC when needed, we cannot just add it to default 
 list. Ideally, we could also implement
 https://fedorahosted.org/freeipa/ticket/3922
 in scope of this effort as this need to add additional OCs is piling up.

 Martin
 This implementation introduces a new objectclass 'ipaUser'.




The web UI patch needed an update as well, as we need to allow writing the
userClass attribute even when the ipaUser objectclass is not (yet) set on the
user object. Thanks Petr for pointing it out.

Attaching both patches again (the CLI patch has not changed since the last
iteration).

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.
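The thread settles on an auxiliary objectclass ipaUser carrying userClass, added to an entry only when needed, and the Web UI must be able to write userClass before that objectclass is present. The following is an added example in Python (not FreeIPA code) of the modify-side logic that rule implies: given the entry as currently stored and the requested attribute changes, it emits the objectClass add first, then the attribute change, and renders the result as LDIF. The sample entry, its objectclass list and the attribute-to-objectclass table are constructed for this example.

```python
# Added example, not FreeIPA code: build an LDAP modify list that adds a
# missing auxiliary objectclass before writing an attribute that needs it.

# attribute name (lower-case) -> auxiliary objectclass that carries it.
# Assumption for this example, following the thread's ipaUser sketch.
AUX_OC_FOR_ATTR = {"userclass": "ipaUser"}

# Constructed sample entry; objectclasses chosen to look like an IPA user
# that does not yet have ipaUser.
SAMPLE_USER = {
    "objectClass": ["top", "person", "organizationalperson", "inetorgperson",
                    "inetuser", "posixaccount", "krbprincipalaux", "ipaobject"],
    "uid": ["alice"],
    "cn": ["Alice Example"],
}


def modlist_for_update(entry, changes):
    """Return a list of (op, attr, values) modify operations for `changes`.

    op is 'add', 'replace' or 'delete'. When an attribute lives in an
    auxiliary objectclass the entry lacks, an ('add', 'objectClass', [...])
    is emitted first so the server will accept the attribute.
    """
    present_ocs = {v.lower() for v in entry.get("objectClass", [])}
    present_attrs = {k.lower() for k in entry}
    mods = []
    for attr, values in changes.items():
        values = list(values or [])
        if not values:
            # Clearing the attribute never requires a new objectclass.
            mods.append(("delete", attr, []))
            continue
        oc = AUX_OC_FOR_ATTR.get(attr.lower())
        if oc is not None and oc.lower() not in present_ocs:
            mods.append(("add", "objectClass", [oc]))
            present_ocs.add(oc.lower())
        op = "replace" if attr.lower() in present_attrs else "add"
        mods.append((op, attr, values))
    return mods


def to_ldif(dn, mods):
    """Render the modify list as an LDIF changerecord (one '-' per operation)."""
    lines = ["dn: %s" % dn, "changetype: modify"]
    for op, attr, values in mods:
        lines.append("%s: %s" % (op, attr))
        for v in values:
            lines.append("%s: %s" % (attr, v))
        lines.append("-")
    return "\n".join(lines) + "\n"
```

With python-ldap the same tuples map onto (ldap.MOD_ADD, attr, values) and friends; the point is the ordering, which the server enforces by rejecting an attribute the entry's objectclasses do not allow.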

From ccc42e65ae9f6066e4427af82ddf283894cf0e4b Mon Sep 17 00:00:00 2001
From: Ana Krivokapic akriv...@redhat.com
Date: Fri, 25 Oct 2013 16:31:50 +0200
Subject: [PATCH] WebUI: Add userClass attribute to user and host pages

Add userClass attribute to:
- user and host adder dialogs
- user and host detail facets

Design page: http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems
https://fedorahosted.org/freeipa/ticket/3590
---
 install/ui/src/freeipa/host.js | 2 ++
 install/ui/src/freeipa/user.js | 9 +++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/install/ui/src/freeipa/host.js b/install/ui/src/freeipa/host.js
index f5007538e8ad1ea2e372c194b129f6c668d31b3e..460a19a9cda9a7d1d4457bb19f306dd88df8ceac 100644
--- a/install/ui/src/freeipa/host.js
+++ b/install/ui/src/freeipa/host.js
@@ -82,6 +82,7 @@ return {
 $type: 'textarea',
 name: 'description'
 },
+'userclass',
 'l',
 'nshostlocation',
 'nshardwareplatform',
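Review bot: 'userclass' is added here as a bare field name with no label or flags, apparently in the host details facet. Unlike the user.js hunk it carries no 'w_if_no_aci' flag; that is consistent with the thread's note that userClass already belongs to ipaHost, so attribute-level rights will be reported for hosts, but a one-line comment saying why hosts differ from users here would save the next reader the same question. Also confirm a translatable label exists for 'userclass' rather than falling back to the raw attribute name.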
@@ -234,6 +235,7 @@ return {
 {
 name: 'other',
 fields: [
+'userclass',
 {
 name: 'ip_address',
 validators: [ 'ip_address' ],
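Review bot: in the adder dialog's 'other' section, 'userclass' is placed ahead of ip_address and, unlike ip_address, has no validators. The design page positions this attribute as a hook for provisioning systems, so state whether free-form input is intended or whether the dialog should at least trim and length-limit the value so that what the Web UI creates matches what the CLI patch accepts.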
diff --git a/install/ui/src/freeipa/user.js b/install/ui/src/freeipa/user.js
index 61bdb43b4ee7d23a5d118c4f29ff81e3b9f56fa1..771d379be793462182123020651f2af286887ccc 100644
--- a/install/ui/src/freeipa/user.js
+++ b/install/ui/src/freeipa/user.js
@@ -103,7 +103,11 @@ return {
 'cn',
 'displayname',
 'initials',
-'gecos'
+'gecos',
+{
+name: 'userclass',
+flags: ['w_if_no_aci']
+}
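Review bot: the 'w_if_no_aci' flag makes the field writable even when the effective-rights check reports no write access to userClass, which is needed because ipaUser is only added on demand and an entry without it reports no rights for the attribute; put that rationale in a comment next to the flag, since on its own it reads like an ACI bypass. The server still enforces the real ACI, so this is a UI affordance only. The hunk is cut off here, so the matching change for the user adder dialog is not visible.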
  

[Freeipa-devel] [PATCH 0130] platform: Add Fedora 19 platform file

2013-11-13 Thread Tomas Babej

Hi,

Part of: https://fedorahosted.org/freeipa/ticket/3504

--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org


From 6c84927497fffdad2b60b1af1f69e79b0471936d Mon Sep 17 00:00:00 2001
From: Tomas Babej tomasba...@gmail.com
Date: Mon, 11 Nov 2013 13:02:40 +0100
Subject: [PATCH] platform: Add Fedora 19 platform file

Part of: https://fedorahosted.org/freeipa/ticket/3504
---
 freeipa.spec.in | 13 
 ipapython/platform/fedora19/__init__.py | 55 +
 ipapython/setup.py.in   |  1 +
 3 files changed, 69 insertions(+)
 create mode 100644 ipapython/platform/fedora19/__init__.py

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 11ae934d928370eb13f45162a13f40a9acd64b74..ba95e8c76f6ba511eb10e40ea8acd9babf3c776c 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -318,6 +318,9 @@ This package contains tests that verify IPA functionality.
 %build
 export CFLAGS=$CFLAGS %{optflags}
 export CPPFLAGS=$CPPFLAGS %{optflags}
+%if 0%{?fedora} = 19
+export SUPPORTED_PLATFORM=fedora19
+%else
 %if 0%{?fedora} = 18
 # use fedora18 platform which is based on fedora16 platform with systemd
 # support + fedora18 changes
@@ -325,6 +328,7 @@ export SUPPORTED_PLATFORM=fedora18
 %else
 export SUPPORTED_PLATFORM=fedora16
 %endif
+%endif
 # Force re-generate of platform support
 rm -f ipapython/services.py
 make version-update
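Review bot: the new condition reads `%if 0%{?fedora} = 19`, the same form as the existing `= 18` line below it; if that is not a `>=` lost in transit, a plain equality will not select the fedora19 platform on Fedora 20 and later, so please confirm the operator. The fedora19 branch also gets no explanatory comment, whereas the fedora18 branch has one; a one-liner saying fedora19 builds on fedora18 would mirror the existing style. Finally, this three-way selection is repeated verbatim in %install further down; a single %global evaluated once would stop the two copies from drifting.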
@@ -342,6 +346,9 @@ make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} client
 
 %install
 rm -rf %{buildroot}
+%if 0%{?fedora} = 19
+export SUPPORTED_PLATFORM=fedora19
+%else
 %if 0%{?fedora} = 18
 # use fedora18 platform which is based on fedora16 platform with systemd
 # support + fedora18 changes
@@ -349,6 +356,7 @@ export SUPPORTED_PLATFORM=fedora18
 %else
 export SUPPORTED_PLATFORM=fedora16
 %endif
+%endif
 # Force re-generate of platform support
 rm -f ipapython/services.py
 %if ! %{ONLY_CLIENT}
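Review bot: this is a verbatim copy of the %build selection, with the same `= 19` operator question. If the duplication stays, note that the fedora18 comment now sits under two levels of %else and reads as if it also described the fedora19 branch; either move it or add the fedora19 comment in both places.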
@@ -791,12 +799,14 @@ fi
 %dir %{python_sitelib}/ipapython/platform/base
 %dir %{python_sitelib}/ipapython/platform/fedora16
 %dir %{python_sitelib}/ipapython/platform/fedora18
+%dir %{python_sitelib}/ipapython/platform/fedora19
 %dir %{python_sitelib}/ipapython/platform/redhat
 %{python_sitelib}/ipapython/*.py*
 %{python_sitelib}/ipapython/platform/*.py*
 %{python_sitelib}/ipapython/platform/base/*.py*
 %{python_sitelib}/ipapython/platform/fedora16/*.py*
 %{python_sitelib}/ipapython/platform/fedora18/*.py*
+%{python_sitelib}/ipapython/platform/fedora19/*.py*
 %{python_sitelib}/ipapython/platform/redhat/*.py*
 %dir %{python_sitelib}/ipalib
 %{python_sitelib}/ipalib/*
@@ -832,6 +842,9 @@ fi
 %endif # ONLY_CLIENT
 
 %changelog
+* Tue Nov 12 2013 Tomas Babejtba...@redhat.com - 3.3.90-5
+- Add Fedora 19 platform files
+
 * Fri Oct 25 2013 Martin Kosek mko...@redhat.com - 3.3.90-4
 - Remove mod_ssl conflict, it can now live with mod_nss installed
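Review bot: the changelog adds a 3.3.90-5 entry, but no hunk in this patch bumps the Release: tag in the spec header; check that Release: matches, otherwise the changelog and the built package disagree about the version.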
 
diff --git a/ipapython/platform/fedora19/__init__.py b/ipapython/platform/fedora19/__init__.py
new file mode 100644
index ..80356d65f4d07483000d57e16b193a857d0988ca
--- /dev/null
+++ b/ipapython/platform/fedora19/__init__.py
@@ -0,0 +1,55 @@
+# Author: Tomas Babej tba...@redhat.com
+#
+# Copyright (C) 2013 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see http://www.gnu.org/licenses/.
+#
+
+from ipapython.platform import fedora18, base
+
+# All what we allow exporting directly from this module
+
+# Everything else is made available through these symbols when they are
+# directly imported into ipapython.services:
+
+# authconfig -- class reference for platform-specific implementation of
+#   authconfig(8)
+# service-- class reference for platform-specific implementation of a
+#   PlatformService class
+# knownservices -- factory instance to access named services IPA cares about,
+#  names are ipapython.services.wellknownservices
+# backup_and_replace_hostname -- platform-specific way to set hostname and
+#make it persistent over reboots
+# restore_network_configuration -- platform-specific way of restoring network
+#  configuration (e.g. static hostname)
+# restore_context -- platform-sepcific way to restore security context, if
+#applicable
+# 
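Review bot: the visible part of the module imports fedora18 and base but defines nothing, and the comment header (including the 'platform-sepcific' typo) is copied from fedora18. If fedora19 only re-exports fedora18's symbols, say so in a one-line comment at the top, list the re-exported names explicitly, and drop the unused base import; otherwise a reader cannot tell whether the empty module is intentional or a truncated commit.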

Re: [Freeipa-devel] [PATCH 111] ipa-client-install: Publish CA certificate to systemwide store

2013-11-13 Thread Tomas Babej

On 09/27/2013 10:14 AM, Martin Kosek wrote:

On 09/26/2013 04:46 PM, Jan Cholasta wrote:

On 26.9.2013 12:59, Tomas Babej wrote:

On 09/26/2013 12:54 PM, Jan Cholasta wrote:

On 24.9.2013 18:14, Nalin Dahyabhai wrote:

On Tue, Sep 24, 2013 at 01:30:10PM +0200, Jan Cholasta wrote:

We discussed this with Tomáš off-line and it turns out that
ipa-client-install fails if the CA cert is not added to
/etc/pki/nssdb.

However, according to p11-kit docs it should work:
http://p11-glue.freedesktop.org/doc/p11-kit/trust-nss.html. I
wonder what needs to be done to make it work in IPA...


On my system, there's no symlink to libnssckbi.so (or the right 
location

in the link farm under /etc/alternatives) in /etc/pki/nssdb, so that
database isn't going to automatically pull in the list of trusted CAs
that p11-kit maintains.

Whether the database under /etc/pki/nssdb should automatically 
include

the usual set of trust anchors is probably a different conversation.


Thanks for the info.

Tomáš, the patch is fine then. I have one more nitpick though: why did
you change "the default NSS database" to "the NSS database"? The
database in /etc/pki/nssdb *is* the default NSS database, so please
change it back. Also I think "systemwide CA trust database" is better
than "systemwide CA store".

Honza


I fixed the descriptions. Updated patch attached.

Tomas



Thanks.

There's one more thing: we should probably check if 
/usr/bin/update-ca-trust

exists before using it, for the sake of cross-distro compatibility.



Right. I am also thinking if this functionality should not be somehow 
integrated into the platform files so that it can be overriden in 
platforms that do not have the systemwide storage.


Martin


Updated patch attached, requires my patch 130.

--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org

From cd0fb864ba45c93c81f4cef68dc470c1fcf05219 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Tue, 24 Sep 2013 10:54:57 +0200
Subject: [PATCH] ipa-client-install: Publish CA certificate to systemwide
 store

During the installation, copy the CA certificate to the systemwide
store (/etc/pki/ca-trust/source/anchors/ipa-ca.crt) and update the
systemwide CA database.

This allows browsers to access IPA WebUI without warning out of the
box.

https://fedorahosted.org/freeipa/ticket/3504
---
 ipa-client/ipa-install/ipa-client-install | 14 +++-
 ipapython/platform/fedora19/__init__.py   | 58 ++-
 ipapython/services.py.in  | 13 ++-
 3 files changed, 82 insertions(+), 3 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 1f66ae5d635d98ba45df13d92ca7982068d94752..9299db12015434379916ffa35d7ee7e830cf42ad 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -652,6 +652,9 @@ def uninstall(options, env):
 root_logger.warning('Please remove /etc/ipa/default.conf manually, '
 'as it can cause subsequent installation to fail.')
 
+# Remove the CA cert from the systemwide certificate store
+ret = ipaservices.remove_ca_cert_from_systemwide_ca_store(CACERT)
+
 # Remove the CA cert
 try:
 os.remove(CACERT)
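Review bot: `ret` from remove_ca_cert_from_systemwide_ca_store() is assigned but never inspected or logged. Uninstall is exactly where a failed removal matters, since it leaves the IPA CA trusted by every TLS client on the host after the client is gone, so either log a warning when it fails or drop the assignment. The call is also made unconditionally, so the base platform implementation must return cleanly on distributions without a systemwide store.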
@@ -2312,12 +2315,21 @@ def install(options, env, fstore, statestore):
 return CLIENT_INSTALL_ERROR
 root_logger.info(Configured /etc/sssd/sssd.conf)
 
+# Add the CA to the platform-dependant systemwide CA store
+ret = ipaservices.insert_ca_cert_into_systemwide_ca_store(CACERT)
+root_logger.info('Returned value from systemwide: %s ' % ret)
+
 # Add the CA to the default NSS database and trust it
 try:
-run([/usr/bin/certutil, -A, -d, /etc/pki/nssdb, -n, IPA CA, -t, CT,C,C, -a, -i, CACERT])
+root_logger.debug(Attempting to add CA directly to the 
+  default NSS database.)
+run([/usr/bin/certutil, -A, -d, /etc/pki/nssdb,
+ -n, IPA CA, -t, CT,C,C, -a, -i, CACERT])
 except CalledProcessError, e:
 root_logger.info(Failed to add CA to the default NSS database.)
 return CLIENT_INSTALL_ERROR
+else:
+root_logger.info('Added the CA to the default NSS database.')
 
 host_principal = 'host/%s@%s' % (hostname, cli_realm)
 if options.on_master:
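Review bot: insert_ca_cert_into_systemwide_ca_store() returns a value that is only echoed as 'Returned value from systemwide: %s ' (a debug-style message with a trailing space) and never acted on, while the NSS-database step right below aborts the install on failure. Decide whether a failed systemwide publish is fatal or a warning, log it at that level, and replace the leftover message. The commit message should also say plainly that this makes every TLS client on the host trust the IPA CA for any name it certifies, since that is a trust decision administrators will want to know about and it must be undone on uninstall.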
diff --git a/ipapython/platform/fedora19/__init__.py b/ipapython/platform/fedora19/__init__.py
index 80356d65f4d07483000d57e16b193a857d0988ca..1bd2fcdc7af0e016ad58e2d935edd33cefc3a2f2 100644
--- a/ipapython/platform/fedora19/__init__.py
+++ b/ipapython/platform/fedora19/__init__.py
@@ -17,6 +17,14 @@
 # along with this program.  If not, see http://www.gnu.org/licenses/.
 #
 
+import shutil
+import os
+
+from subprocess import CalledProcessError
+
+from ipapython.ipa_log_manager import root_logger
+from ipapython.ipautil import run
+
 from ipapython.platform import 
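The thread asks that update-ca-trust be checked for before it is used, so the same code can run on distributions without a systemwide trust store. The following is an added example in Python (not the patch's platform code) of a helper pair for the step the commit message describes: copy the CA into the anchors directory and refresh the trust store only if the tool exists, with a matching removal for uninstall. The anchor path is the one from the commit message; the function names, return values and the demo's constructed certificate are this example's own.

```python
# Added example, not FreeIPA code: publish/unpublish a CA certificate in the
# systemwide anchors directory, refreshing the store only if the tool exists.
import os
import shutil
import subprocess
import sys
import tempfile

ANCHORS_DIR = "/etc/pki/ca-trust/source/anchors"   # path from the commit message
UPDATE_TOOL = "/usr/bin/update-ca-trust"
ANCHOR_NAME = "ipa-ca.crt"


def _refresh(update_tool, run):
    """Run the trust-store refresh if the tool is present; report what happened."""
    if not os.access(update_tool, os.X_OK):
        return "no-update-tool"       # e.g. a distro without p11-kit trust
    if run([update_tool]) != 0:
        raise RuntimeError("%s failed" % update_tool)
    return "refreshed"


def insert_ca_cert(cacert, anchors_dir=ANCHORS_DIR, update_tool=UPDATE_TOOL,
                   run=subprocess.call):
    """Publish cacert system-wide. Returns 'refreshed' or 'no-update-tool'."""
    if not os.path.isfile(cacert):
        raise IOError("CA certificate %s not found" % cacert)
    if not os.path.isdir(anchors_dir):
        os.makedirs(anchors_dir, 0o755)
    dest = os.path.join(anchors_dir, ANCHOR_NAME)
    shutil.copyfile(cacert, dest)
    os.chmod(dest, 0o644)   # public cert: readable by all, writable by root only
    return _refresh(update_tool, run)


def remove_ca_cert(anchors_dir=ANCHORS_DIR, update_tool=UPDATE_TOOL,
                   run=subprocess.call):
    """Undo insert_ca_cert. Returns 'not-present', 'refreshed' or 'no-update-tool'."""
    dest = os.path.join(anchors_dir, ANCHOR_NAME)
    if not os.path.exists(dest):
        return "not-present"
    os.remove(dest)
    return _refresh(update_tool, run)


def demo():
    """Exercise both paths in a temp dir with a stub refresh command.

    sys.executable stands in for an existing update tool; the stub records
    the invocations instead of touching the real trust store.
    """
    calls = []
    stub_run = lambda argv: calls.append(argv) or 0
    tmp = tempfile.mkdtemp()
    try:
        cacert = os.path.join(tmp, "ca.crt")
        with open(cacert, "w") as f:   # constructed placeholder, not a real cert
            f.write("-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n")
        anchors = os.path.join(tmp, "anchors")
        missing_tool = os.path.join(tmp, "no-such-update-ca-trust")
        return {
            "without_tool": insert_ca_cert(cacert, anchors, missing_tool, stub_run),
            "with_tool": insert_ca_cert(cacert, anchors, sys.executable, stub_run),
            "removed": remove_ca_cert(anchors, sys.executable, stub_run),
            "again": remove_ca_cert(anchors, sys.executable, stub_run),
            "refresh_calls": len(calls),
            "anchor_left": os.path.exists(os.path.join(anchors, ANCHOR_NAME)),
        }
    finally:
        shutil.rmtree(tmp)
```

Returning a status rather than a bare exit code lets the installer decide how loud to be: a missing tool on a non-Fedora host is worth an info line, a failing tool on Fedora is an error.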

Re: [Freeipa-devel] [PATCHES] 0068-0070 Automember rebuild membership

2013-11-13 Thread Martin Kosek
On 10/29/2013 12:30 PM, Ana Krivokapic wrote:
 On 10/15/2013 06:09 PM, Ana Krivokapic wrote:
 On 09/30/2013 10:02 AM, Petr Viktorin wrote:
 On 09/27/2013 03:12 PM, Martin Kosek wrote:
 On 09/27/2013 03:00 PM, Jan Cholasta wrote:
 On 23.9.2013 19:41, Ana Krivokapic wrote:
 On 09/19/2013 03:29 PM, Ana Krivokapic wrote:
 ...
 Patch 69:

 I think the changes in the update file should be also done in the
 right LDIF
 files in install/share, though I don't know what is the recent
 consensus on this.


 Honza

 Last time I checked, we used to do the change both in LDIF and update
 file. Just to avoid the LDIF become obsolete.

 Martin
 Rob recently said his preference is to move everything from LDIF to updates,
 and out of the LDIF files:
 http://www.redhat.com/archives/freeipa-devel/2013-September/msg00106.html

 I would agree, having two places with the same information is redundant and
 error-prone.

 Thanks Honza for the review.

 I incorporated your suggestions in this updated patchset. I attached all the
 patches for more convenient reviewing, but only patches 68 and 70 have 
 changed.

 I haven't done any changes in the LDIF files since the consensus seems to be 
 not
 to do that.
 
 Patch 70 needed a rebase, attaching the whole patchset again.

This works pretty fine, I have few comments though:

1) 0068: the task should be run only for users/hosts base DN - this is where we
confine our automember and I think admin may be surprised that the rebuild call
does not respect it.

2) 0068: I am missing some examples for automember-rebuild in the help. At
least for running rebuild for all users/hosts and for running it for specified
user/host.

3) 0068: I think that the labels/doc for the new command/options should be
improved. It is not obvious, that automember-rebuild can run for all
users/hosts, at least from following doc:

# ipa help automember
...
  automember-rebuild   Rebuild auto membership for specified 
entries.
...

Maybe we should remove the for specified entries part?

As for the options, we now have this:

# ipa help automember-rebuild
Usage: ipa [global-options] automember-rebuild [options]

Rebuild auto membership for specified entries.
Options:
  -h, --helpshow this help message and exit
  --type=['group', 'hostgroup']
Grouping to which the rule applies  --completely stray
  --users=STR   Users for which the rebuild task will be run
  --hosts=STR   Hosts for which the rebuild task will be run


We should probably also not mention specified entries here.

As for option help, maybe the following would better show that it can be run
for all entries?

  --type=['group', 'hostgroup']
Rebuild membership for all members of a grouping
  --users=STR   Rebuild membership for specified users
  --hosts=STR   Rebuild membership for specified hosts

This makes me think we may want to forbid entering both --type and
--users/--hosts - i.e. either rebuild all or just selected ones - to make the
selection even more clear. But I am open to discussion on this one.

4) 0069: Add Automember Export Updates Task is currently redundant. I think we
should either have permissions for all 3 possible tasks or for just the one we 
use.

5) 0069: permissions should be of SYSTEM type as the ACI is out of SUFFIX, so
that the user does not try to modify them (will be able to in future versions).
Adding Petr3 to CC for heads up on this one.

Martin



Re: [Freeipa-devel] [PATCH 0113] ipa-client: Set NIS domain name in the installer

2013-11-13 Thread Tomas Babej

On 09/26/2013 03:16 PM, Petr Viktorin wrote:

On 09/26/2013 02:58 PM, Martin Kosek wrote:

On 09/26/2013 02:45 PM, Jan Cholasta wrote:

On 26.9.2013 14:38, Martin Kosek wrote:

On 09/26/2013 02:28 PM, Tomas Babej wrote:

On 09/26/2013 12:20 PM, Jan Cholasta wrote:

...
I just found --no-nisdomain more descriptive and explicit. If 
there is a

consensus, I can remove it.



I am not aware of any precedent that would warrant --nisdomain=.


We sort of have precedent in `ipa` in multivalued options, leaving 
those empty deletes the values.


I have seen concerns about the number of ipa-client-install options 
in the past

(not by me).


IMHO, we are currently OK on this front. Having options categorized in
sections, as we already do, helps.


IMO --no-nisdomain is more consistent with rest of the options.


I don't see any other --option=value and --no-option option 
pair in

ipa-client-install, so what consistency are you talking about?


I was referring to --no-ssh, --no-ntp and similar. But it is true 
that these
rather disable entire features than delete a value. I do not punt on 
this,

--nisdomain= may be OK as well.


IMO empty option values are awkward; --no-nisdomain is more 
user-friendly, and can be explained more clearly, even though it needs 
an additional option.




OK, we let this rot on the list for a while.

I retested the patch and it still applies and works with the current master.

I think we should keep both options, no-nisdomain is more descriptive 
and an explicit option is more necessary here since we are setting 
nisdomain by default. Hence I would avoid having to use --nisdomain= 
to disable setting the nisdomain, since it is rather implicit (even if 
we commented on it in the option description).


Option-nitpicking aside, I think this patch is ready for a proper 
functional review.


--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org



Re: [Freeipa-devel] [PATCHES] 0019-0020 Broken Firefox configuration files in freeipa-client package

2013-11-13 Thread Petr Vobornik

On 11/12/2013 01:48 PM, Martin Basti wrote:

On Fri, 2013-11-08 at 16:28 +0100, Petr Vobornik wrote:

On 11/05/2013 10:34 AM, Martin Basti wrote:

ipa-client-install now allows to configure firefox using
--configure-firefox option and optionally with --firefox-dir=INSTALL_DIR
option.

Old configuration files were removed.

Patches attached.

Ticket: https://fedorahosted.org/freeipa/ticket/3821



Thanks for the patch.

1) Remove pref("network.negotiate-auth.delegation-uris", ".$DOMAIN");
from the FIREFOX_CONFIG_TEMPLATE. Delegation is not a thing you want to
have enabled unless there is no other way (Web UI doesn't need it since
version 2.2 or 2.3).

Otherwise it works fine on F19.


Removed line.
Fixed patch attached.
Thanks for review.



ACK
--
Petr Vobornik
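The review asks to drop delegation-uris from the Firefox template because the Web UI does not need a forwarded ticket. The following is an added example in Python (not the FreeIPA patch) that renders the SSO prefs for a domain without delegation and audits an existing prefs file for the two things a reviewer would look for: delegation-uris being set at all, and a trusted-uris entry so broad that the browser would hand Negotiate credentials to any host. The domain, the sample prefs text and the "overly broad" list are this example's own assumptions.

```python
# Added example, not FreeIPA code: generate and audit Firefox Negotiate prefs.
import re

# Matches lines like: pref("name", "value");  or  user_pref("name", true);
_PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;\s*$')

# Values that match every URL (or every URL of a scheme) and so leak the
# user's ticket to arbitrary servers. Assumption for this example.
OVERLY_BROAD = {"", ".", "http://", "https://"}


def render_sso_prefs(domain):
    """Prefs for Kerberos SSO to the Web UI. Deliberately no delegation-uris."""
    return "\n".join([
        "// Kerberos SSO for the IPA Web UI (added example)",
        'pref("network.negotiate-auth.trusted-uris", ".%s");' % domain,
    ]) + "\n"


def parse_prefs(text):
    """Return {pref name: raw value} with surrounding quotes stripped."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        prefs[name] = raw
    return prefs


def audit_sso_prefs(text):
    """Return a list of findings (empty means the prefs look sane)."""
    prefs = parse_prefs(text)
    findings = []
    delegation = prefs.get("network.negotiate-auth.delegation-uris")
    if delegation not in (None, ""):
        findings.append("delegation-uris set to %r: the browser would forward the "
                        "user's TGT to these hosts" % delegation)
    trusted = prefs.get("network.negotiate-auth.trusted-uris")
    if trusted is None:
        findings.append("trusted-uris not set: no SSO will happen")
    else:
        for item in (x.strip() for x in trusted.split(",")):
            if item in OVERLY_BROAD:
                findings.append("trusted-uris entry %r is overly broad" % item)
    return findings
```

A leading dot in trusted-uris limits Negotiate to the domain's hosts, which is all the Web UI needs; delegation-uris additionally hands the server a forwardable copy of the credential, so it belongs only in configurations that have a concrete reason for it.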



Re: [Freeipa-devel] [PATCHES] 0068-0070 Automember rebuild membership

2013-11-13 Thread Ana Krivokapic
On 11/13/2013 03:08 PM, Martin Kosek wrote:
 On 10/29/2013 12:30 PM, Ana Krivokapic wrote:
 On 10/15/2013 06:09 PM, Ana Krivokapic wrote:
 On 09/30/2013 10:02 AM, Petr Viktorin wrote:
 On 09/27/2013 03:12 PM, Martin Kosek wrote:
 On 09/27/2013 03:00 PM, Jan Cholasta wrote:
 On 23.9.2013 19:41, Ana Krivokapic wrote:
 On 09/19/2013 03:29 PM, Ana Krivokapic wrote:
 ...
 Patch 69:

 I think the changes in the update file should be also done in the
 right LDIF
 files in install/share, though I don't know what is the recent
 consensus on this.


 Honza

 Last time I checked, we used to do the change both in LDIF and update
 file. Just to avoid the LDIF become obsolete.

 Martin
 Rob recently said his preference is to move everything from LDIF to 
 updates,
 and out of the LDIF files:
 http://www.redhat.com/archives/freeipa-devel/2013-September/msg00106.html

 I would agree, having two places with the same information is redundant and
 error-prone.

 Thanks Honza for the review.

 I incorporated your suggestions in this updated patchset. I attached all the
 patches for more convenient reviewing, but only patches 68 and 70 have 
 changed.

 I haven't done any changes in the LDIF files since the consensus seems to 
 be not
 to do that.
 Patch 70 needed a rebase, attaching the whole patchset again.
 This works pretty fine, I have few comments though:

 1) 0068: the task should be run only for users/hosts base DN - this is where 
 we
 confine our automember and I think admin may be surprised that the rebuild 
 call
 does not respect it.

Fixed.


 2) 0068: I am missing some examples for automember-rebuild in the help. At
 least for running rebuild for all users/hosts and for running it for specified
 user/host.

I added some examples, as well as a general description of the new command.


 3) 0068: I think that the labels/doc for the new command/options should be
 improved. It is not obvious, that automember-rebuild can run for all
 users/hosts, at least from following doc:

 # ipa help automember
 ...
   automember-rebuild   Rebuild auto membership for specified 
 entries.
 ...

 Maybe we should remove the for specified entries part?

 As for the options, we now have this:

 # ipa help automember-rebuild
 Usage: ipa [global-options] automember-rebuild [options]

 Rebuild auto membership for specified entries.
 Options:
   -h, --helpshow this help message and exit
   --type=['group', 'hostgroup']
 Grouping to which the rule applies  --completely 
 stray
   --users=STR   Users for which the rebuild task will be run
   --hosts=STR   Hosts for which the rebuild task will be run


 We should probably also not mention specified entries here.

 As for option help, maybe the following would better show that it can be run
 for all entries?

   --type=['group', 'hostgroup']
 Rebuild membership for all members of a grouping
   --users=STR   Rebuild membership for specified users
   --hosts=STR   Rebuild membership for specified hosts

Agreed, labels fixed as per your suggestions.


 This makes me think we may want to forbid entering both --type and
 --users/--hosts - i.e. either rebuild all or just selected ones - to make the
 selection even more clear. But I am open to discussion on this one.

Validation prevents any invalid combination of options (e.g. --type=group and
--hosts used together, or --type=hostgroup and --users used together). If, for
example, --users is specified, then --type=group is allowed but not required. I
think it's clear enough.


 4) 0069: Add Automember Export Updates Task is currently redundant. I think we
 should either have permissions for all 3 possible tasks or for just the one 
 we use.

I removed the unused permission.


 5) 0069: permissions should be of SYSTEM type as the ACI is out of SUFFIX, so
 that the user does not try to modify them (will be able to in future versions).
 Adding Petr3 to CC for heads up on this one.

Fixed.


 Martin

Thanks for the review, the updated patchset is attached.


-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.
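Two review points above are about the shape of the automember-rebuild command rather than the LDAP task itself: the option combinations that are allowed (--type, --users, --hosts) and confining the rebuild to the users/hosts subtrees. The following is an added example in Python (not FreeIPA's automember plugin) that turns both into a small planner: it validates the options the way Ana describes, picks the container for the grouping type, and builds the filter for either all entries or the named ones, escaping names so a user or host name cannot inject filter syntax. The suffix, the task field names (basedn/filter/scope) and the all-entries filters are assumptions for this illustration; cn=users,cn=accounts and cn=computers,cn=accounts are IPA's standard containers.

```python
# Added example, not FreeIPA code: validate automember-rebuild options and
# plan a rebuild confined to the users or hosts subtree.

SUFFIX = "dc=example,dc=com"   # assumption: the deployment's base DN

CONTAINERS = {                 # IPA's standard containers, relative to the suffix
    "group": "cn=users,cn=accounts",
    "hostgroup": "cn=computers,cn=accounts",
}
ALL_FILTER = {                 # assumption: filters selecting every user / host
    "group": "(objectclass=posixaccount)",
    "hostgroup": "(objectclass=ipahost)",
}
KEY_ATTR = {"group": "uid", "hostgroup": "fqdn"}


class OptionError(ValueError):
    """Invalid combination of --type / --users / --hosts."""


def ldap_filter_escape(value):
    """RFC 4515 escaping: '*', '(', ')', '\\' and NUL become \\xx sequences."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def plan_rebuild(type_=None, users=None, hosts=None, suffix=SUFFIX):
    """Return {'basedn', 'filter', 'scope'} for the rebuild task, or raise OptionError.

    Rules: --users and --hosts exclude each other; --type=group excludes --hosts
    and --type=hostgroup excludes --users; --type alone means all entries; with
    --users/--hosts, --type is allowed but not required.
    """
    users, hosts = list(users or []), list(hosts or [])
    if users and hosts:
        raise OptionError("--users and --hosts cannot be used together")
    if type_ not in (None, "group", "hostgroup"):
        raise OptionError("--type must be 'group' or 'hostgroup'")
    if type_ == "group" and hosts:
        raise OptionError("--type=group cannot be combined with --hosts")
    if type_ == "hostgroup" and users:
        raise OptionError("--type=hostgroup cannot be combined with --users")
    if type_ is None:
        if users:
            type_ = "group"
        elif hosts:
            type_ = "hostgroup"
        else:
            raise OptionError("specify --type, --users or --hosts")

    names = users or hosts
    if names:
        clauses = "".join("(%s=%s)" % (KEY_ATTR[type_], ldap_filter_escape(n))
                          for n in names)
        filt = "(|%s)" % clauses if len(names) > 1 else clauses
    else:
        filt = ALL_FILTER[type_]
    # The base DN is the container, never the suffix: the task must not walk
    # the whole tree (Martin's point 1).
    return {"basedn": "%s,%s" % (CONTAINERS[type_], suffix),
            "filter": filt, "scope": "sub"}


def rebuild_error(**options):
    """Return the validation message for `options`, or None when they are valid."""
    try:
        plan_rebuild(**options)
    except OptionError as e:
        return str(e)
    return None
```

The escaping matters because the names end up inside a filter the directory server evaluates with the plugin's privileges; without it, a crafted --users value could widen the rebuild to entries the caller never named.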

From 977867faec9f9c6702dcf8fde904b462d31d9229 Mon Sep 17 00:00:00 2001
From: Ana Krivokapic akriv...@redhat.com
Date: Thu, 19 Sep 2013 14:10:32 +0200
Subject: [PATCH] Add a privilege and a permission needed for automember
 rebuild command

Design: http://www.freeipa.org/page/V3/Automember_rebuild_membership
https://fedorahosted.org/freeipa/ticket/3752
---
 install/updates/40-delegation.update | 19 +++
 1 file changed, 19 insertions(+)

diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 64a6432acc8605f3164d267d16609f51ce02a7ef..3fabdf9c7319b261aa3e0bb20d42a80b807df1ec 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -373,3 +373,22 @@ dn: cn=Retrieve Certificates from the 

Re: [Freeipa-devel] [PATCH] 0082 Use EXTERNAL auth mechanism in ldapmodify

2013-11-13 Thread Tomas Babej

On 11/05/2013 06:44 PM, Ana Krivokapic wrote:

Hello,

This patch addresses ticket https://fedorahosted.org/freeipa/ticket/3895.





ACK

--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org
