[Freeipa-devel] [PATCH] 543 fix whoami plugin

2010-09-23 Thread Rob Crittenden
Use the principal from the request context. 
ipalib.util.get_current_principal() is designed to work from a client, 
not within the server. I should have noticed this earlier.


rob


freeipa-543-whoami.patch
Description: application/mbox
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] sudo schema

2010-09-23 Thread Dmitri Pal
JR Aquino wrote:
> I believe there is an oversight in the schema for the ipaSudoCmdGrp object 
> class.
>
> The current listing has it using 'groupOfUniqueNames...
>
> I found that in this format, I could not actually assign a member to 
> reference an ipaSudoCmd DN...
>
> After some digging, it appears that the other 'group' objects in the schema 
> are set to for nestedGroup
>
> Swapping those values allowed me to make the member adding successfully.
>
> < objectClasses: (2.16.840.1.113730.3.8.8.3 NAME 'ipaSudoCmdGrp' DESC 'IPA 
> object class to store groups of SUDO commands' SUP groupOfUniqueNames MUST ( 
> ipaUniqueID ) STRUCTURAL X-ORIGIN 'IPA v2' )
> ---
>   
>> objectClasses: (2.16.840.1.113730.3.8.8.3 NAME 'ipaSudoCmdGrp' DESC 'IPA 
>> object class to store groups of SUDO commands' SUP nestedGroup MUST ( 
>> ipaUniqueID  ) STRUCTURAL X-ORIGIN 'IPA v2' )
>> 
>
>
> Also, there appears to be a compatibility problem with the syntax for 
> hostMask:
> [23/Sep/2010:11:20:40 -0700] attr_syntax_create - Error: the EQUALITY 
> matching rule [caseIgnoreIA5Match] is not compatible with the syntax 
> [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [hostMask]
>
>   

Investigating both issues. Stay tuned.


> ~
> Jr Aquino, GCIH | Information Security Specialist
> Citrix Online | 6500 Hollister Avenue | Goleta, CA 93117
> T:  +1 805.690.3478
> jr.aqu...@citrixonline.com
> http://www.citrixonline.com
>


-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.




Re: [Freeipa-devel] [PATCH] Modal dialog for enrollment

2010-09-23 Thread Adam Young

On 09/22/2010 07:04 PM, Endi Sukma Dewata wrote:

Modal dialog for enrollment

The enroll facet has been converted into a dialog box. This dialog
box will appear when the user clicks the enroll button above the
association list. When the user clicks the enroll button in the
dialog box, the new associations will be created, then the list will
be refreshed to show the changes.

The SerialAssociator and BulkAssociator have been modified to accept
an on_success function which will be called when the whole operation
is completed successfully. This is used to refresh the list and close
the dialog box appropriately.

Some other changes were also made to improve code clarity.
   

Pushed to master



Re: [Freeipa-devel] [PATCH]admiyo-freeipa-0041-self-service.patch

2010-09-23 Thread Adam Young

On 09/23/2010 04:32 PM, Adam Young wrote:

On 09/23/2010 02:51 PM, Endi Sukma Dewata wrote:

- "Adam Young"  wrote:


self-service
  Selects the site map based on the presence or absence of rolegroups for
  the current user.  If the user has no rolegroups, UI defaults to
  the Details page for that user.

NACK. The window_hashchange() is expecting 2 levels of tabs:

var admin_tabs_lists = [
 ['identity', 'IDENTITY', [
 ['user', 'Users', ipa_entity_setup],
 ]]
];

but the self-service tab is only 1 level:

var self_serv_tabs_lists =
 [['user', 'Users', ipa_entity_setup]];

Currently window_hashchange() will ignore if there's no 2nd level
tabs defined:

for (var i = 0; i < nav_tabs_lists.length; ++i) {
    var t = nav_tabs_lists[i]; // 1st level tab

    // if no 2nd level tabs -> skip
    if (typeof t[2] != 'function' && t[2].length) {
        for (var j = 0; j < t[2].length; ++j) {
            var tt = t[2][j]; // 2nd level tab


OK, put back the identity tab


There's also a typo on line 44, the variable name should
have been nav_tabs_lists instead of nav_tabs_list. But the
code will still work anyway.


Yeah, that variable was ignored, and it made an implicit Global.  Fixed.

--
Endi S. Dewata




ACKed on IRC, pushed to master

Re: [Freeipa-devel] [PATCH]admiyo-freeipa-0041-self-service.patch

2010-09-23 Thread Adam Young

On 09/23/2010 02:51 PM, Endi Sukma Dewata wrote:

- "Adam Young"  wrote:

   

self-service
  Selects the site map based on the presence or absence of rolegroups for
  the current user.  If the user has no rolegroups, UI defaults to
  the Details page for that user.
 

NACK. The window_hashchange() is expecting 2 levels of tabs:

var admin_tabs_lists = [
 ['identity', 'IDENTITY', [
 ['user', 'Users', ipa_entity_setup],
 ]]
];

but the self-service tab is only 1 level:

var self_serv_tabs_lists =
 [['user', 'Users', ipa_entity_setup]];

Currently window_hashchange() will ignore if there's no 2nd level
tabs defined:

for (var i = 0; i < nav_tabs_lists.length; ++i) {
    var t = nav_tabs_lists[i]; // 1st level tab

    // if no 2nd level tabs -> skip
    if (typeof t[2] != 'function' && t[2].length) {
        for (var j = 0; j < t[2].length; ++j) {
            var tt = t[2][j]; // 2nd level tab
   


OK, put back the identity tab


There's also a typo on line 44, the variable name should
have been nav_tabs_lists instead of nav_tabs_list. But the
code will still work anyway.
   


Yeah, that variable was ignored, and it made an implicit Global.  Fixed.

--
Endi S. Dewata
   


From d8b81397936736a0acd4fc4e4d5fc2855a4201f6 Mon Sep 17 00:00:00 2001
From: Adam Young 
Date: Tue, 21 Sep 2010 16:22:45 -0400
Subject: [PATCH] self-service
 Selects the site map based on the presence or absence of rolegroups for
 the current user.  If the user has no rolegroups, UI defaults to the Details page for that user.

Corrected to leave two levels of tabs
---
 install/static/webui.js |   48 ++
 1 files changed, 31 insertions(+), 17 deletions(-)

diff --git a/install/static/webui.js b/install/static/webui.js
index ee80140..153a609 100644
--- a/install/static/webui.js
+++ b/install/static/webui.js
@@ -21,7 +21,7 @@
 /* REQUIRES: everything, this file puts it all togheter */
 
 /* tabs definition for IPA webUI */
-var nav_tabs_lists = [
+var admin_tabs_lists = [
 ['identity', 'IDENTITY', [
 ['user', 'Users', ipa_entity_setup],
 ['group', 'Groups', ipa_entity_setup],
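Review bot: the comment above the renamed array still reads "tabs definition for IPA webUI", which no longer says which of the two tab lists this is now that self_serv_tabs_lists is added further down. Reword it to say this is the list used for users with rolegroups, and note next to it that nav_tabs_lists is only assigned at runtime in whoami_on_win, so nothing may read nav_tabs_lists at load time any more.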
@@ -36,29 +36,43 @@ var nav_tabs_lists = [
 ]]
 ];
 
+
+var self_serv_tabs_lists = 
+[
+['identity', 'IDENTITY', [
+['user', 'Users', ipa_entity_setup;
+
+var nav_tabs_lists;
+
 /* main (document onready event handler) */
 $(function() {
-function set_logged_in_as(principal) {
-$.cookie('whoami', principal);
-$('#loggedinas').find('strong').text(principal);
-};
 
 function whoami_on_win(data, text_status, xhr) {
-if (!data.error)
-set_logged_in_as(data.result.summary);
+$(window).bind('hashchange', window_hashchange);
+if (!data.error){
+var whoami = data.result.result[0];
+$('#loggedinas').find('strong').text(whoami.krbprincipalname[0]);
+if (whoami.hasOwnProperty('memberof_rolegroup') &&
+whoami.memberof_rolegroup.length > 0){
+nav_tabs_lists = admin_tabs_lists;
+window_hashchange(null);
+}else{
+nav_tabs_lists = self_serv_tabs_lists;
+
+var state = {'user-pkey': whoami.uid[0],
+ 'user-facet': jQuery.bbq.getState('user-facet') ||
+ 'details'};
+$.bbq.pushState(state);
+}
+nav_create(nav_tabs_lists, $('#navigation'), 'tabs');
+
+}else{
+alert("Unable to find prinicpal for logged in user");
+}
 };
 
 function init_on_win(data, text_status, xhr) {
-nav_create(nav_tabs_lists, $('#navigation'), 'tabs');
-
-$(window).bind('hashchange', window_hashchange);
-window_hashchange(null);
-
-var whoami = $.cookie('whoami');
-if (whoami)
-set_logged_in_as(whoami);
-else
-ipa_cmd('whoami', [], {}, whoami_on_win, null, null, 'sampledata/whoami.json');
+ipa_cmd('user_find', [], {"whoami":"true","all":"true"}, whoami_on_win, null, null);
 };
 
 ipa_init(null, init_on_win);
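Review bot: whoami_on_win dereferences data.result.result[0] without checking that user_find returned an entry; with an empty result array whoami is undefined and whoami.krbprincipalname[0] throws instead of reaching the alert branch. Check the array length first and send the empty case down the same error path. The hashchange handler is also bound at the top of the function, before nav_tabs_lists is assigned, and in the rolegroup branch window_hashchange(null) now runs before nav_create(...), the reverse of the order in the removed init_on_win lines; binding and calling it after nav_create would keep the old order. Since the tab list is picked in the browser from memberof_rolegroup, a comment stating that this only selects the UI layout would help later readers. Smaller points: as shown here the self_serv_tabs_lists literal ends at "ipa_entity_setup;" with its brackets unclosed, and the alert text misspells "principal".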
-- 
1.7.1


Re: [Freeipa-devel] [PATCH] 540 fix server install

2010-09-23 Thread Rob Crittenden

Adam Young wrote:

On 09/23/2010 12:06 PM, Rob Crittenden wrote:

ipa-server-install was picking up random SRV records when configuring
its own client (via ipa-client-install). A change in patch 531 caused
the server install to fail if it found a SRV record elsewhere in the
domain. This fix forces the client installer to use the data we provide.

rob



ACK


pushed to master



[Freeipa-devel] [PATCH] admiyo-freeipa-0042-I18N-for-web.patch

2010-09-23 Thread Adam Young

On 09/23/2010 03:30 PM, Adam Young wrote:

I18N for web

Performing I18N completely on the server, to leverage the existing 
gettext a


Added the additional po files for a set of required languages



Sorry for messing up your filters.  I've been beating on this for a 
while, and was excited to finally get it out for review.




[Freeipa-devel] sudo schema

2010-09-23 Thread JR Aquino
I believe there is an oversight in the schema for the ipaSudoCmdGrp object 
class.

The current listing has it using 'groupOfUniqueNames...

I found that in this format, I could not actually assign a member to reference 
an ipaSudoCmd DN...

After some digging, it appears that the other 'group' objects in the schema are 
set to for nestedGroup

Swapping those values allowed me to make the member adding successfully.

< objectClasses: (2.16.840.1.113730.3.8.8.3 NAME 'ipaSudoCmdGrp' DESC 'IPA 
object class to store groups of SUDO commands' SUP groupOfUniqueNames MUST ( 
ipaUniqueID ) STRUCTURAL X-ORIGIN 'IPA v2' )
---
> objectClasses: (2.16.840.1.113730.3.8.8.3 NAME 'ipaSudoCmdGrp' DESC 'IPA 
> object class to store groups of SUDO commands' SUP nestedGroup MUST ( 
> ipaUniqueID  ) STRUCTURAL X-ORIGIN 'IPA v2' )


Also, there appears to be a compatibility problem with the syntax for hostMask:
[23/Sep/2010:11:20:40 -0700] attr_syntax_create - Error: the EQUALITY matching 
rule [caseIgnoreIA5Match] is not compatible with the syntax 
[1.3.6.1.4.1.1466.115.121.1.15] for the attribute [hostMask]

~
Jr Aquino, GCIH | Information Security Specialist
Citrix Online | 6500 Hollister Avenue | Goleta, CA 93117
T:  +1 805.690.3478
jr.aqu...@citrixonline.com
http://www.citrixonline.com
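
The hostMask error in the message above pairs an IA5 matching rule with the Directory String syntax. As an added example (not part of the original post and not FreeIPA code), this Python check scans schema LDIF for that kind of mismatch; the sample definitions, the `*-oid` placeholders and the strict rule table are assumptions.

```python
import re

# Syntax OID that each EQUALITY matching rule is defined for in RFC 4517.
# Assumption: strict pairing; a directory server may accept further pairings.
RULE_SYNTAX = {
    "caseIgnoreMatch": "1.3.6.1.4.1.1466.115.121.1.15",     # Directory String
    "caseExactMatch": "1.3.6.1.4.1.1466.115.121.1.15",      # Directory String
    "caseIgnoreIA5Match": "1.3.6.1.4.1.1466.115.121.1.26",  # IA5 String
    "caseExactIA5Match": "1.3.6.1.4.1.1466.115.121.1.26",   # IA5 String
}

# Constructed sample, not the real IPA schema. Only the hostMask rule and
# syntax come from the logged error; the "*-oid" values are placeholders.
SAMPLE_LDIF = """\
dn: cn=schema
attributeTypes: ( hostMask-oid NAME 'hostMask' DESC 'constructed, EQUALITY
  and SYNTAX as in the logged error' EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'example' )
attributeTypes: ( okMask-oid NAME ( 'okMask' 'okMaskAlias' )
  EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
"""


def unfold(ldif_text):
    """Join LDIF continuation lines: a newline plus one space is removed."""
    return ldif_text.replace("\n ", "").splitlines()


def parse_attribute_type(value):
    """Return (name, equality rule, syntax OID) from one attributeTypes value."""
    name = re.search(r"\bNAME\s+\(?\s*'([^']+)'", value)
    bare = re.sub(r"'[^']*'", "''", value)  # blank quoted text such as DESC
    rule = re.search(r"\bEQUALITY\s+([\w-]+)", bare)
    syntax = re.search(r"\bSYNTAX\s+([0-9.]+)", bare)
    return tuple(m.group(1) if m else None for m in (name, rule, syntax))


def find_mismatches(ldif_text):
    """List attributes whose EQUALITY rule is defined for another syntax."""
    findings = []
    for line in unfold(ldif_text):
        key, _, value = line.partition(":")
        if key.strip().lower() != "attributetypes":
            continue
        name, rule, syntax = parse_attribute_type(value)
        rule_syntax = RULE_SYNTAX.get(rule)
        if rule_syntax is None or syntax is None or rule_syntax == syntax:
            continue  # no rule, rule not in the table, or compatible
        usable = sorted(r for r, s in RULE_SYNTAX.items() if s == syntax)
        findings.append({"attribute": name, "rule": rule, "syntax": syntax,
                         "rule_syntax": rule_syntax, "usable_rules": usable})
    return findings


if __name__ == "__main__":
    for f in find_mismatches(SAMPLE_LDIF):
        print("{attribute}: {rule} is defined for {rule_syntax}, attribute "
              "uses {syntax}; rules for that syntax: {usable_rules}".format(**f))
```

Each finding can be resolved in either direction: switch the attribute to one of the listed rules, or change its SYNTAX to the one the rule is defined for.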



Re: [Freeipa-devel] [PATCH]admiyo-freeipa-0041-self-service.patch

2010-09-23 Thread Endi Sukma Dewata
- "Adam Young"  wrote:

> self-service
>  Selects the site map based on the presence or absence of rolegroups for
>  the current user.  If the user has no rolegroups, UI defaults to 
>  the Details page for that user.

NACK. The window_hashchange() is expecting 2 levels of tabs:

var admin_tabs_lists = [
['identity', 'IDENTITY', [
['user', 'Users', ipa_entity_setup],
]]
];

but the self-service tab is only 1 level:

var self_serv_tabs_lists =
[['user', 'Users', ipa_entity_setup]];

Currently window_hashchange() will ignore if there's no 2nd level
tabs defined:

for (var i = 0; i < nav_tabs_lists.length; ++i) {
var t = nav_tabs_lists[i]; // 1st level tab

// if no 2nd level tabs -> skip
if (typeof t[2] != 'function' && t[2].length) {
for (var j = 0; j < t[2].length; ++j) {
var tt = t[2][j]; // 2nd level tab

There's also a typo on line 44, the variable name should
have been nav_tabs_lists instead of nav_tabs_list. But the
code will still work anyway.

--
Endi S. Dewata



Re: [Freeipa-devel] [PATCH] 542 remove bogus uninstall error

2010-09-23 Thread Adam Young

On 09/23/2010 12:18 PM, Rob Crittenden wrote:
Remove spurious error in server uninstaller about client uninstall 
failure.


This was meant to catch the case where the client wasn't configured and
it missed the most obvious one: the client was installed and is now
uninstalled.

rob



ACK

Re: [Freeipa-devel] [PATCH] 541 convert ca_serialno

2010-09-23 Thread Adam Young

On 09/23/2010 12:17 PM, Rob Crittenden wrote:
The file format of ca_serialno changed between v1 and v2. We won't 
support direct upgrades of v1 to v2 but as a developer I install them 
both from time to time and it's annoying to have the v2 install fail 
because of this file. This patch converts it to v2 style.


rob



ACK

[Freeipa-devel] [PATCH] 542 remove bogus uninstall error

2010-09-23 Thread Rob Crittenden

Remove spurious error in server uninstaller about client uninstall failure.

This was meant to catch the case where the client wasn't configured and
it missed the most obvious one: the client was installed and is now
uninstalled.

rob


freeipa-542-uninstall.patch
Description: application/mbox

[Freeipa-devel] [PATCH] 541 convert ca_serialno

2010-09-23 Thread Rob Crittenden
The file format of ca_serialno changed between v1 and v2. We won't 
support direct upgrades of v1 to v2 but as a developer I install them 
both from time to time and it's annoying to have the v2 install fail 
because of this file. This patch converts it to v2 style.


rob


freeipa-541-serialno.patch
Description: application/mbox

Re: [Freeipa-devel] [PATCH] 540 fix server install

2010-09-23 Thread Adam Young

On 09/23/2010 12:06 PM, Rob Crittenden wrote:
ipa-server-install was picking up random SRV records when configuring 
its own client (via ipa-client-install). A change in patch 531 caused 
the server install to fail if it found a SRV record elsewhere in the 
domain. This fix forces the client installer to use the data we provide.


rob



ACK

Re: [Freeipa-devel] [PATCH] 539 slightly improve help system

2010-09-23 Thread Rob Crittenden

Adam Young wrote:

On 09/21/2010 04:21 PM, Rob Crittenden wrote:

Rename 'Related commands' to 'Topic commands'. This was confusing with
the hbac plugin because there really *are* related commands that
aren't included in the list.

If a plugin only provides a single command then don't include the
Topic/Related commands at all.

rob



ACK


pushed to master



[Freeipa-devel] [PATCH] 540 fix server install

2010-09-23 Thread Rob Crittenden
ipa-server-install was picking up random SRV records when configuring 
its own client (via ipa-client-install). A change in patch 531 caused 
the server install to fail if it found a SRV record elsewhere in the 
domain. This fix forces the client installer to use the data we provide.


rob


freeipa-540-client.patch
Description: application/mbox

Re: [Freeipa-devel] [PATCH] 538 start of PKINIT support

2010-09-23 Thread Rob Crittenden

Adam Young wrote:

On 09/21/2010 04:00 PM, Rob Crittenden wrote:

Add minimal client configuration for when we eventually get to PKINIT

Also move the unenroll to clients only. This isn't necessary on the
master

rob



ACK


pushed to master



Re: [Freeipa-devel] [PATCH] 537 add --zonemgr option to installer

2010-09-23 Thread Rob Crittenden

Adam Young wrote:

On 09/20/2010 03:43 PM, Rob Crittenden wrote:

Add option to set the zone mgr e-mail address during install.

rob



ACK


pushed to master



Re: [Freeipa-devel] [PATCH] 535 add hbac example of creating service and service group

2010-09-23 Thread Rob Crittenden

Adam Young wrote:

On 09/20/2010 01:11 PM, Rob Crittenden wrote:

Try to tie together the hbac and hbacsvc/hbacsvcgroup plugins better
via an example.

rob



ACK



pushed to master



Re: [Freeipa-devel] [PATCH] 534 updates to spec file

2010-09-23 Thread Rob Crittenden

Adam Young wrote:

On 09/20/2010 12:59 PM, Rob Crittenden wrote:

Drop Requires on python-configobj. It is a leftover from TurboGears.

Remove ipa-ldap-updater message. It was meant to detect when an
upgrade is required, we're doing this differently in v2.

rob



ACK


pushed to master



Re: [Freeipa-devel] [PATCH] 533 add hostname resolver

2010-09-23 Thread Rob Crittenden

Adam Young wrote:

On 09/20/2010 12:52 PM, Rob Crittenden wrote:

Basic "here is a hostname see if it is in DNS" resolver. I put it as
part of the DNS plugin because it seemed more of a natural fit there.
It will work whether IPA is configured with a DNS server or not. It
uses a pure DNS resolver library to find a host.

It will append the default IPA domain name if one appears to not be
included but it doesn't do anything smarter than that.

rob



ACK


pushed to master



Re: [Freeipa-devel] [PATCH] Modal dialog for enrollment

2010-09-23 Thread Pavel Zuna

On 09/23/2010 01:04 AM, Endi Sukma Dewata wrote:

Hi,

Please review the attached patch. Thanks!

The enroll facet has been converted into a dialog box. This dialog
box will appear when the user clicks the enroll button above the
association list. When the user clicks the enroll button in the
dialog box, the new associations will be created, then the list will
be refreshed to show the changes.

The SerialAssociator and BulkAssociator have been modified to accept
an on_success function which will be called when the whole operation
is completed successfully. This is used to refresh the list and close
the dialog box appropriately.

Some other changes were also made to improve code clarity.

--
Endi S. Dewata



ACK.

Pavel
