Re: [Freeipa-devel] Sudo Schema Bug/Feature
JR Aquino wrote:
On Oct 4, 2010, at 2:02 PM, Rob Crittenden wrote:
Dmitri Pal wrote:
Dmitri Pal wrote:
Dmitri Pal wrote:

How do we adjust FreeIPA such that it ensures Deny-IPASudoRules precede any Allow-IPASudoRules?

So it looks like the current schema would not fly well with SUDO due to a SUDO bug/feature. SUDO will match just any first rule that satisfies the user-host-command combination, but we can't guarantee that rules come in the same order. So there is a possibility that an allow rule will come before a deny rule in our case and will be matched. It is unfortunate and should be fixed by SUDO. In the meantime we need to alter the schema to be able to express allowed and not allowed commands in one rule. It will be up to the admin to know the limitations of SUDO based on the documentation we provide and construct the rules in a non-contradicting way. We might be able to add some nice checks in future.

So here is the current schema:

objectClasses: (2.16.840.1.113730.3.8.8.TBD NAME 'ipaSudoRule' SUP ipaAssociation STRUCTURAL MUST accessRuleType MAY ( externalUser $ externalHost $ hostMask $ memberCmd $ cmdCategory $ ipaSudoOpt $ ipaSudoRunAs $ ipaSudoRunAsExtUser $ ipaSudoRunAsUserCategory $ ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ ipaSudoRunAsGroupCategory ) X-ORIGIN 'IPA v2' )

We will:
* Remove accessRuleType
* Add memberNotCmd, same as memberCmd

attributeTypes: (2.16.840.1.113730.3.8.7.TBD NAME 'memberNotCmd' DESC 'Reference to a command or group of the commands that is not allowed.' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )

The logic then will be:
* If no memberCmd, memberNotCmd or cmdCategory attribute is specified, no command is allowed
* If cmdCategory is specified (the only value is "all"), all other attributes are ignored and all commands are allowed
* If cmdCategory is not specified:
  * If memberCmd is specified, it defines commands or groups of the commands that are allowed
  * If memberNotCmd is specified, it defines commands or groups of the commands that are not allowed

Both attributes are allowed at the same time, defining allowed and not allowed commands within the same rule. This does not solve the problem fully but at least gets us into the same boat as the current SUDO schema. Comments welcome! If there are no objections by end of Friday I will craft a patch over the weekend.

Thanks
Dmitri

I updated the wiki and implemented the change. Patch is attached.

Rebased patch attached.

ack, pushed to master. JR, can you fix up the sudo plugins to match this new schema?

thanks

rob

Attached is the patch for modifications to sudorule and its test suite to accommodate the schema redesign. We now create allow rules or deny rules and no longer reference accessruletype.

ack, pushed to master. The -del tests are still failing but I confirmed that with Pavel's patches these tests pass. Those patches just need a little more work.

rob
___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
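The command logic laid out in the thread above (memberCmd, memberNotCmd, cmdCategory) and the sudo first-match behaviour that motivates it, as an added illustration that is not code from the FreeIPA tree. It models rules and command groups as plain Python dicts standing in for LDAP entries, ignores the user and host parts of a rule (every sample rule is assumed to apply to the same user on the same host), treats a command listed in both memberCmd and memberNotCmd of one rule as denied, and goes one step past the thread by adding the cross-rule contradiction check it mentions as possible future work. All DNs and rule names are constructed sample values.

```python
# Added example, not FreeIPA code: a model of the ipaSudoRule command logic
# proposed in the thread, plus the sudo first-match ordering problem.
# Rules and command groups are constructed dicts standing in for LDAP entries;
# user/host matching is ignored (every sample rule is assumed to apply to the
# same user on the same host).

ALLOW, DENY, NO_MATCH = "allow", "deny", "no-match"

# Constructed sample command DNs and one command group (hypothetical values).
CMD_REBOOT = "cn=/sbin/reboot,cn=sudocmds"
CMD_LESS = "cn=/usr/bin/less,cn=sudocmds"
CMD_VI = "cn=/usr/bin/vi,cn=sudocmds"
GROUP_EDITORS = "cn=editors,cn=sudocmdgroups"
COMMAND_GROUPS = {GROUP_EDITORS: [CMD_LESS, CMD_VI]}


def expand(refs, groups=COMMAND_GROUPS):
    """Resolve memberCmd/memberNotCmd references (commands or command groups)
    to the set of command DNs they cover; one level of grouping, as in the
    schema text."""
    out = set()
    for ref in refs:
        out.update(groups.get(ref, [ref]))
    return out


def rule_decision(rule, cmd):
    """Per-rule logic from the thread for a single command.

    Returns ALLOW or DENY when the rule says something about cmd and NO_MATCH
    when it does not (a rule with no command attributes allows nothing).
    """
    if rule.get("cmdCategory") == "all":   # only legal value; everything else ignored
        return ALLOW
    allowed = expand(rule.get("memberCmd", []))
    denied = expand(rule.get("memberNotCmd", []))
    # Assumption of this model: a command in both sets is denied. The thread
    # leaves building non-contradicting rules to the admin.
    if cmd in denied:
        return DENY
    if cmd in allowed:
        return ALLOW
    return NO_MATCH


def sudo_first_match(rules, cmd):
    """The sudo behaviour the thread works around: the first rule, in the order
    the rules happen to arrive, that says anything about cmd decides; a command
    no rule mentions is denied."""
    for rule in rules:
        verdict = rule_decision(rule, cmd)
        if verdict != NO_MATCH:
            return verdict
    return DENY


def cross_rule_contradictions(rules):
    """The 'nice check' the thread mentions as future work: commands allowed by
    one rule and denied by a different rule, whose outcome therefore depends on
    rule order. Allow and deny inside one rule are intentional and not flagged."""
    per_rule = [(expand(r.get("memberCmd", [])), expand(r.get("memberNotCmd", [])))
                for r in rules]
    found = set()
    for i, (allowed_i, _) in enumerate(per_rule):
        for j, (_, denied_j) in enumerate(per_rule):
            if i != j:
                found |= allowed_i & denied_j
    return sorted(found)


# Constructed rules: two separate allow/deny rules vs one combined rule.
ALLOW_RULE = {"cn": "ops-allow", "memberCmd": [GROUP_EDITORS, CMD_REBOOT]}
DENY_RULE = {"cn": "ops-deny", "memberNotCmd": [CMD_REBOOT]}
COMBINED_RULE = {"cn": "ops",
                 "memberCmd": [GROUP_EDITORS, CMD_REBOOT],
                 "memberNotCmd": [CMD_REBOOT]}

if __name__ == "__main__":
    # Separate rules: the answer flips with the order sudo sees them in.
    print(sudo_first_match([ALLOW_RULE, DENY_RULE], CMD_REBOOT))   # allow
    print(sudo_first_match([DENY_RULE, ALLOW_RULE], CMD_REBOOT))   # deny
    # One rule carrying both attributes: order no longer matters.
    print(sudo_first_match([COMBINED_RULE], CMD_REBOOT))           # deny
    print(sudo_first_match([COMBINED_RULE], CMD_VI))               # allow
    print(cross_rule_contradictions([ALLOW_RULE, DENY_RULE]))      # [CMD_REBOOT]
```

The two separate rules give a different answer for /sbin/reboot depending on which one sudo happens to read first, which is exactly the ordering problem the thread describes; the combined rule removes the dependency, and the contradiction check is the kind of admin-side validation the thread defers to later.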
Re: [Freeipa-devel] [PATCH] Add 'continuous' mode to LDAPDelete. Fix *-del unit tests.
Pavel Zuna wrote:
All LDAPMultiQuery sub-classes (currently only LDAPDelete) now have the --continuous flag (off by default). The flag should indicate that the command shouldn't stop on errors and continue operation with the next primary key on the arguments lists. This effectively fixes *-del unit tests, because continuous mode is off by default. (It was on before this patch and there was no option to turn it off.)

Ticket #321

Pavel

The migration plugin and pending automount plugin patch already define an attribute for continuous operation, though it is named continue instead. We should pick one and be consistent. I like continue because it's easier to type.

rob
Re: [Freeipa-devel] [PATCH] Generate additional positional arguments for baseldap commands from takes_args.
Pavel Zuna wrote:
takes_args defined in a baseldap subclass is now transformed into positional arguments that go after primary keys. Before this patch, takes_args in crud subclasses were ignored.

example:

--- snip ---
class user_something(LDAPRetrieve):
    takes_args = (
        Str('randomarg'),
    )
--- snip ---

# ipa help something
Usage: ipa [global-options] user-something LOGIN RANDOMARG

Pavel

Nack, this breaks the pwpolicy plugin tests (though I'm not 100% sure why). pwpolicy-del defines its own get_args(). I'm guessing it is failing because the local get_args returns a string and the multivalue stuff is expecting a list, so it is pulling the string apart one character at a time. If you run pwpolicy-del testpolicy it will fail with a not found on 't' policy. I think simply removing the get_args() from pwpolicy will fix it:

rob
Re: [Freeipa-devel] [PATCH] 559 update ipa-getkeytab man page
Rob Crittenden wrote:
Add some missing options to the ipa-getkeytab man page.

rob

Can you be consistent with "Kerberos" instead of adding "kerberos" to the mix as well (unless necessary, of course)? If my understanding is correct, I'd update the following:

"The LDAP password when not binding with Kerberos."

to include "...password to use when not..."

cheers
--
David O'Brien
Red Hat APAC Pty Ltd
"We couldn't care less about comfort. We make you feel good." Federico Minoli CEO Ducati Motor S.p.A.
Re: [Freeipa-devel] Multicast SSL for Server Broadcast
On Tue, Oct 5, 2010 at 4:25 PM, Simo Sorce wrote:
> On Tue, 5 Oct 2010 12:25:30 -0500
> Rob Townley wrote:
>
>> i was just wondering if multicast ssl (or multicast over a vpn such as
>> IPsec) has been considered as a way to efficiently replicate
>> information from one server to all other servers. i was specifically
>> thinking of multicasting tracking bad password attempts from one
>> server to all the other servers.
>>
>> i don't know anything about multicast ssl except that IBM worked on it
>> in the late 1990's and it was supposed to support reliable transport.
>> It may simplify things if all the servers had the same certificate...
>
> Hi Rob,
> I didn't know you could do reliable multicasting, do you have any
> reference to an RFC or other document ?
>
> Anyway the main problem would be changing quite drastically the
> replication engine. It would also have impact over the replication
> topology. Something we should think about, but it's going to be a very
> long term thing. The amount of changes required to do something like
> that looks quite big.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

Yes, when i think of multicast, i think udp, therefore unreliable. i do not know a thing about securing multicast communications. But one example is GSAKMP or Group Secure Association Key Management Protocol from the msec group. msec = Multicast Security is a group with a list of rfcs for security as recent as 2010.

http://datatracker.ietf.org/wg/msec/charter/
http://tools.ietf.org/html/rfc4535

SecureMulticast.org was the first result of googling "multicast ssl" and a search at the IETF returned some results, all of which expired around ten years ago. At http://datatracker.ietf.org/doc/search/ , enter the terms secure multicast, but many of these expired around 10 years ago. i am sure there are other secure multicast methods and of course just doing multicast over a VPN or IPsec.
[Freeipa-devel] [PATCH] set attribute when changing passwords
Set the sambaPwdLastSet when changing password for a user that has the sambaSamAccount objectclass, so that samba is kept in sync with the status of the user account wrt whether the user needs to change the password or not. fixes trac#313

Simo.

--
Simo Sorce * Red Hat, Inc * New York

>From 5fdfffbaa95032efd679b52dfe7fbfa124037478 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 5 Oct 2010 18:09:12 -0400 Subject: [PATCH] When dealing with samba password set also the sambaPwdLastSet This attribute is required for samba to properly identify a user has changed its password and doesn't need to change it again at next login. At the same time, if we are forcing a password reset we also need to let samba know the user must change its password. --- .../ipa-pwd-extop/ipapwd_common.c | 22 - .../ipa-pwd-extop/ipapwd_prepost.c | 26 2 files changed, 47 insertions(+), 1 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c index a2b11e4..4c1092a 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c @@ -1165,6 +1165,7 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg, int is_smb = 0; Slapi_Value *sambaSamAccount; char *errMesg = NULL; +char *modtime = NULL; slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME, "=> ipapwd_SetPassword\n"); 
@@ -1224,7 +1225,25 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg, slapi_mods_add_string(smods, LDAP_MOD_REPLACE, "sambaNTPassword", nt); } - +if (is_smb) { +/* with samba integration we need to also set sambaPwdLastSet or + * samba will decide the user has to change the password again */ +if (data->changetype == IPA_CHANGETYPE_ADMIN) { +/* if it is an admin change instead we need to let know to + * samba as well that the use rmust change its password */ +modtime = slapi_ch_smprintf("0"); +} else { +modtime = slapi_ch_smprintf("%ld", (long)data->timeNow); +} +if (!modtime) { +slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME, +"failed to smprintf string!\n"); +ret = LDAP_OPERATIONS_ERROR; +goto free_and_return; +} +slapi_mods_add_string(smods, LDAP_MOD_REPLACE, + "sambaPwdLastset", modtime); +} /* let DS encode the password itself, this allows also other plugins to * intercept it to perform operations like synchronization with Active * Directory domains through the replication plugin */ @@ -1252,6 +1271,7 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg, free_and_return: if (lm) slapi_ch_free((void **)&lm); if (nt) slapi_ch_free((void **)&nt); +if (modtime) slapi_ch_free((void **)&modtime); slapi_mods_free(&smods); ipapwd_free_slapi_value_array(&svals); ipapwd_free_slapi_value_array(&pwvals); diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c index 7c95ac8..a486981 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c 
@@ -351,6 +351,19 @@ static int ipapwd_pre_add(Slapi_PBlock *pb) slapi_entry_attr_set_charptr(e, "sambaNTPassword", nt); slapi_ch_free_string(&nt); } + +if (is_smb) { +/* with samba integration we need to also set sambaPwdLastSet or + * samba will decide the user has to change the password again */ +if (pwdop->pwdata.changetype == IPA_CHANGETYPE_ADMIN) { +/* if it is an admin change instead we need to let know to +* samba as well that the use rmust change its password */ +slapi_entry_attr_set_long(e, "sambaPwdLastset", 0L); +} else { +slapi_entry_attr_set_long(e, "sambaPwdLastset", + (long)pwdop->pwdata.timeNow); +} +} } rc = LDAP_SUCCESS; @@ -736,6 +749,19 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) "sambaNTPassword", nt); slapi_ch_free_string(&nt); } + +if (is_smb) { +/* with samba integration we need to also set sambaPwdLastSet or + * samba will decide the user has to change the password again */ +if (pwdop->pwdata.changetype == IPA_CHANGETYPE_ADMIN) { +/* if it is an admin change instead we need to let know to +* samba as well that the use rmust change its password */ +slapi_entry_attr_set_long(e, "sambaPwdLastset", 0L); +
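Review bot: in the ipapwd_SetPassword hunk (@@ -1224,7) the attribute passed to slapi_mods_add_string() is spelled "sambaPwdLastset" while the comment directly above it, the commit subject and the cover letter all say sambaPwdLastSet; LDAP attribute types match case-insensitively, so the modify still succeeds, but the mixed spelling will trip anyone grepping for the samba schema name, so use sambaPwdLastSet throughout. The rest of the hunk holds together: modtime is NULL-initialised in the first hunk, the slapi_ch_smprintf failure path sets ret = LDAP_OPERATIONS_ERROR and jumps to free_and_return, and the third hunk frees modtime there, so nothing leaks on either path. Writing "0" for IPA_CHANGETYPE_ADMIN is the right signal that the user must change the password at next logon; while here, fix the "the use rmust" typo in the comment.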
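Review bot: the is_smb block added to ipapwd_pre_add (@@ -351,6) and to ipapwd_pre_mod (@@ -736,6) is copied verbatim, comments and "use rmust" typo included, and restates the decision already made in the ipapwd_SetPassword hunk of ipapwd_common.c; a small shared helper taking the changetype and timeNow and returning the value to store would keep the three sites from drifting if the admin-reset convention (0) ever changes. Both copies also use the "sambaPwdLastset" spelling rather than sambaPwdLastSet. The ipapwd_pre_mod hunk is cut off on this page right after the slapi_entry_attr_set_long(e, "sambaPwdLastset", 0L); line, so its else branch and closing braces could not be checked here.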
[Freeipa-devel] [PATCH] properly check for ldap headers
We need to always use mozldap ldap headers for slapi plugins, until 389 ds moves to openldap libs. But at the same time we want to move to openldap libs for anything else. Fix configure/makefile to always check for openldap libs and always use them in anything but slapi plugins. (fixes bz#464564/trac#221)

Simo.

--
Simo Sorce * Red Hat, Inc * New York

>From d6425215c92dba5af4dd108a492620b53c649702 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 5 Oct 2010 17:35:16 -0400 Subject: [PATCH] Always detect openldap and mozldap at the same time Slapi plugins must use mozldap because 389 ds is compiled against that. ipa_kpasswd, instead, should be linked against openldap. So always make sure both are available. --- daemons/configure.ac| 72 +-- daemons/ipa-kpasswd/Makefile.am |4 +- 2 files changed, 33 insertions(+), 43 deletions(-) diff --git a/daemons/configure.ac b/daemons/configure.ac index 65b79cb..7353c45 100644 --- a/daemons/configure.ac +++ b/daemons/configure.ac @@ -135,11 +135,9 @@ fi AC_SUBST(KRB5_LIBS) dnl --- -dnl - Check for Mozilla LDAP or OpenLDAP SDK +dnl - Check for Mozilla LDAP *and* OpenLDAP SDK dnl --- -AC_ARG_WITH(openldap, [ --with-openldapUse OpenLDAP]) - dnl The mozldap libraries are always needed because ipa-slapi-plugins/dna/ dnl will not build against OpenLDAP. SAVE_CPPFLAGS=$CPPFLAGS 
@@ -160,47 +158,39 @@ if test "x$ac_cv_header_mozldap_ldap_h" = "xno" ; then fi PKG_CHECK_MODULES(MOZLDAP, mozldap > 6) -if test x$with_openldap = xyes; then - AC_CHECK_LIB(ldap, ldap_search, with_ldap=yes) - dnl Check for other libraries we need to link with to get the main routines. - test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes], , -llber) } - test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes], , -llber -lkrb) } - test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes with_ldap_des=yes], , -llber -lkrb -ldes) } - dnl Recently, we need -lber even though the main routines are elsewhere, - dnl because otherwise be get link errors w.r.t. ber_pvt_opt_on. So just - dnl check for that (it's a variable not a fun but that doesn't seem to - dnl matter in these checks) and stick in -lber if so. Can't hurt (even to - dnl stick it in always shouldn't hurt, I don't think) ... Someone who - dnl understands LDAP needs to fix this properly. - test "$with_ldap_lber" != "yes" && { AC_CHECK_LIB(lber, ber_pvt_opt_on, with_ldap_lber=yes) } - - if test "$with_ldap" = "yes"; then - if test "$with_ldap_des" = "yes" ; then - LDAP_LIBS="${LDAP_LIBS} -ldes" - fi - if test "$with_ldap_krb" = "yes" ; then - LDAP_LIBS="${LDAP_LIBS} -lkrb" - fi - if test "$with_ldap_lber" = "yes" ; then - LDAP_LIBS="${LDAP_LIBS} -llber" - fi - LDAP_LIBS="${LDAP_LIBS} -lldap" - else - AC_MSG_ERROR([OpenLDAP not found]) - fi - - AC_SUBST(LDAP_LIBS) +AC_CHECK_LIB(ldap, ldap_search, with_ldap=yes) +dnl Check for other libraries we need to link with to get the main routines. 
+test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes], , -llber) } +test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes], , -llber -lkrb) } +test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes with_ldap_des=yes], , -llber -lkrb -ldes) } +dnl Recently, we need -lber even though the main routines are elsewhere, +dnl because otherwise be get link errors w.r.t. ber_pvt_opt_on. So just +dnl check for that (it's a variable not a fun but that doesn't seem to +dnl matter in these checks) and stick in -lber if so. Can't hurt (even to +dnl stick it in always shouldn't hurt, I don't think) ... Someone who +dnl understands LDAP needs to fix this properly. +test "$with_ldap_lber" != "yes" && { AC_CHECK_LIB(lber, ber_pvt_opt_on, with_ldap_lber=yes) } - LDAP_CFLAGS="${LDAP_CFLAGS} -DWITH_OPENLDAP" - AC_SUBST(LDAP_CFLAGS) +if test "$with_ldap" = "yes"; then + if test "$with_ldap_des" = "yes" ; then +OPENLDAP_LIBS="${OPENLDAP_LIBS} -ldes" + fi + if test "$with_ldap_krb" = "yes" ; then +OPENLDAP_LIBS="${OPENLDAP_LIBS} -lkrb" + fi + if test "$with_ldap_lber" = "yes" ; then +OPENLDAP_LIBS="${OPENLDAP_LIBS} -llber" + fi + OPENLDAP_LIBS="${OPENLDAP_LIBS} -lldap" else - LDAP_LIBS="${MOZLDAP_LIBS}" - AC_SUBST(LDAP_LIBS) - - LDAP_CFLAGS="${LDAP_CFLAGS} -DWITH_MOZLDAP" - AC_SUBST(LDAP_CFLAGS) + AC_MSG_ERROR([OpenLDAP not found]) fi +AC_SUBST(OPENLDAP_LIBS) + +OPENLDAP_CFLAGS="${OPENLDAP_CFLAGS} -DWITH_OPENLDAP" +AC_SUBST(OPENLDAP_CFLAGS) + dnl --
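Review bot: the @@ -160,47 hunk removes the else branch that set LDAP_LIBS="${MOZLDAP_LIBS}" and LDAP_CFLAGS="${LDAP_CFLAGS} -DWITH_MOZLDAP" and renames the remaining substitutions to OPENLDAP_LIBS/OPENLDAP_CFLAGS, so after this change configure no longer defines LDAP_LIBS or LDAP_CFLAGS at all; the diffstat touches only daemons/ipa-kpasswd/Makefile.am, so any other Makefile.am still referencing @LDAP_LIBS@ or @LDAP_CFLAGS@, or source guarded by #ifdef WITH_MOZLDAP, will now get an empty substitution or the wrong branch. Either show that no such references remain or keep the old names as aliases for the slapi plugins. Two smaller points: with AC_ARG_WITH(openldap, ...) gone, OpenLDAP becomes a hard build requirement (the AC_MSG_ERROR([OpenLDAP not found]) path is now unconditional), which deserves a line in the commit message; and the moved block still carries the "Someone who understands LDAP needs to fix this properly" comment with the -lkrb/-ldes probing it apologises for, so moving it is a good moment to either fix it or note why it stays.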
Re: [Freeipa-devel] Multicast SSL for Server Broadcast
On Tue, 5 Oct 2010 12:25:30 -0500
Rob Townley wrote:
> i was just wondering if multicast ssl (or multicast over a vpn such as
> IPsec) has been considered as a way to efficiently replicate
> information from one server to all other servers. i was specifically
> thinking of multicasting tracking bad password attempts from one
> server to all the other servers.
>
> i don't know anything about multicast ssl except that IBM worked on it
> in the late 1990's and it was supposed to support reliable transport.
> It may simplify things if all the servers had the same certificate...

Hi Rob,
I didn't know you could do reliable multicasting, do you have any reference to an RFC or other document ?

Anyway the main problem would be changing quite drastically the replication engine. It would also have impact over the replication topology. Something we should think about, but it's going to be a very long term thing. The amount of changes required to do something like that looks quite big.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] UI Unit Tests Docs
- "Rob Crittenden" wrote:
> >>> http://www.freeipa.org/page/UI_Unit_Tests
> >>
> >> Looks good to me. Can you add a link from the Testing page here?
> >
> > You mean the index.html in install/static/test, right?
> > OK, I will do that after this. Do we need to store the
> > source of this wiki page in git too (e.g. README.txt)?
> > The wiki page is already keeping the history.
> >
> > https://fedorahosted.org/freeipa/ticket/295
>
> Heh, no I mean http://freeipa.org/page/Testing

OK, the Testing page has been updated. I also added some references to Adam's wiki page. As we discussed over IRC, I added a README file into git pointing to this wiki page. I pushed it to master under the One Liner rule. The ticket is now closed. Thanks!

--
Endi S. Dewata
Re: [Freeipa-devel] UI Unit Tests Docs
Endi Sukma Dewata wrote:
- "Rob Crittenden" wrote:
Endi Sukma Dewata wrote:
Hi,

Here are the docs for the UI Unit Tests:
http://www.freeipa.org/page/UI_Unit_Tests

Any comments are welcome. Thanks!

Looks good to me. Can you add a link from the Testing page here?

rob

You mean the index.html in install/static/test, right? OK, I will do that after this. Do we need to store the source of this wiki page in git too (e.g. README.txt)? The wiki page is already keeping the history.

https://fedorahosted.org/freeipa/ticket/295

Heh, no I mean http://freeipa.org/page/Testing

rob
Re: [Freeipa-devel] UI Unit Tests Docs
- "Rob Crittenden" wrote:
> Endi Sukma Dewata wrote:
> > Hi,
> >
> > Here are the docs for the UI Unit Tests:
> > http://www.freeipa.org/page/UI_Unit_Tests
> >
> > Any comments are welcome. Thanks!
>
> Looks good to me. Can you add a link from the Testing page here?
>
> rob

You mean the index.html in install/static/test, right? OK, I will do that after this. Do we need to store the source of this wiki page in git too (e.g. README.txt)? The wiki page is already keeping the history.

https://fedorahosted.org/freeipa/ticket/295

--
Endi S. Dewata
Re: [Freeipa-devel] UI Unit Tests Docs
Endi Sukma Dewata wrote:
Hi,

Here are the docs for the UI Unit Tests:
http://www.freeipa.org/page/UI_Unit_Tests

Any comments are welcome. Thanks!

Looks good to me. Can you add a link from the Testing page here?

rob
Re: [Freeipa-devel] UI Unit Tests Docs
On 10/05/2010 04:39 PM, Endi Sukma Dewata wrote:
Hi,

Here are the docs for the UI Unit Tests:
http://www.freeipa.org/page/UI_Unit_Tests

Any comments are welcome. Thanks!

--
Endi S. Dewata

Nice! Well done.
[Freeipa-devel] UI Unit Tests Docs
Hi,

Here are the docs for the UI Unit Tests:
http://www.freeipa.org/page/UI_Unit_Tests

Any comments are welcome. Thanks!

--
Endi S. Dewata
[Freeipa-devel] [PATCH] 559 update ipa-getkeytab man page
Add some missing options to the ipa-getkeytab man page.

rob

[attachment: freeipa-559-man.patch]
Re: [Freeipa-devel] [PATCH] Generate additional positional arguments for baseldap commands from takes_args.
On 10/05/2010 10:43 AM, Pavel Zuna wrote:
takes_args defined in a baseldap subclass is now transformed into positional arguments that go after primary keys. Before this patch, takes_args in crud subclasses were ignored.

example:

--- snip ---
class user_something(LDAPRetrieve):
    takes_args = (
        Str('randomarg'),
    )
--- snip ---

# ipa help something
Usage: ipa [global-options] user-something LOGIN RANDOMARG

Pavel

ACK
Re: [Freeipa-devel] [PATCH] Add 'continuous' mode to LDAPDelete. Fix *-del unit tests.
On 10/05/2010 11:52 AM, Pavel Zuna wrote:
On 10/05/2010 04:47 PM, Pavel Zuna wrote:
All LDAPMultiQuery sub-classes (currently only LDAPDelete) now have the --continuous flag (off by default). The flag should indicate that the command shouldn't stop on errors and continue operation with the next primary key on the arguments lists. This effectively fixes *-del unit tests, because continuous mode is off by default. (It was on before this patch and there was no option to turn it off.)

Ticket #321

Pavel

I forgot to mention that this depends on my patch number 27, because they modify the same file (baseldap.py).

Pavel

I still get a slew of test failures. Again, this may be from my setup, but I suspect not.

test_group[2]: group_del: Try to delete non-existent u'testgroup1' ... FAIL
test_group[13]: group_del: Try to delete non-existent u'testgroup2' ... FAIL
test_group[26]: group_del: Try to delete non-existent u'testgroup1' ... FAIL
test_group[30]: group_del: Try to delete non-existent u'testgroup2' ... FAIL
test_group[37]: group_del: Try to delete a managed group u'tuser1' ... FAIL
test_hbacsvcgroup[2]: hbacsvcgroup_del: Try to delete non-existent u'testhbacsvcgroup1' ... FAIL
test_host[2]: host_del: Try to delete non-existent u'testhost1.ayoung.boston.devel.redhat.com' ... FAIL
test_host[14]: host_del: Try to delete non-existent u'testhost1.ayoung.boston.devel.redhat.com' ... FAIL
test_hostgroup[2]: hostgroup_del: Try to delete non-existent u'testhostgroup1' ... FAIL
test_rolegroup[2]: rolegroup_del: Try to delete non-existent u'test-rolegroup-1' ... FAIL
test_rolegroup[20]: rolegroup_del: Try to delete non-existent u'test-rolegroup-1' ... FAIL
test_host[2]: service_del: Try to delete non-existent u'HTTP/testhost1.ayoung.boston.devel.redhat@ayoung.boston.devel.redhat.com' ... FAIL
test_host[16]: service_del: Try to delete non-existent u'HTTP/testhost1.ayoung.boston.devel.redhat@ayoung.boston.devel.redhat.com' ... FAIL
test_sudocmd[2]: sudocmd_del: Try to delete non-existent u'/usr/bin/sudotestcmd1' ... FAIL
test_sudocmd[12]: sudocmd_del: Try to delete non-existent u'/usr/bin/sudotestcmd1' ... FAIL
test_sudocmdgroup[4]: sudocmdgroup_del: Try to delete non-existent u'testsudocmdgroup1' ... FAIL
test_sudocmdgroup[13]: sudocmdgroup_del: Try to delete non-existent u'testsudocmdgroup2' ... FAIL
test_sudocmdgroup[26]: sudocmdgroup_del: Try to delete non-existent u'testsudocmdgroup1' ... FAIL
test_sudocmdgroup[30]: sudocmdgroup_del: Try to delete non-existent u'testsudocmdgroup2' ... FAIL
test_taskgroup[2]: taskgroup_del: Try to delete non-existent u'test-taskgroup-1' ... FAIL
test_taskgroup[19]: taskgroup_del: Try to delete non-existent u'test-taskgroup-1' ... FAIL
test_user[2]: user_del: Try to delete non-existent u'tuser1' ... FAIL
test_user[15]: user_del: Try to delete non-existent u'tuser1' ... FAIL

FAIL: test_group[2]: group_del: Try to delete non-existent u'testgroup1'
FAIL: test_group[13]: group_del: Try to delete non-existent u'testgroup2'
FAIL: test_group[26]: group_del: Try to delete non-existent u'testgroup1'
FAIL: test_group[30]: group_del: Try to delete non-existent u'testgroup2'
FAIL: test_group[37]: group_del: Try to delete a managed group u'tuser1'
FAIL: test_hbacsvcgroup[2]: hbacsvcgroup_del: Try to delete non-existent u'testhbacsvcgroup1'
FAIL: test_host[2]: host_del: Try to delete non-existent u'testhost1.ayoung.boston.devel.redhat.com'
FAIL: test_host[14]: host_del: Try to delete non-existent u'testhost1.ayoung.boston.devel.redhat.com'
FAIL: test_hostgroup[2]: hostgroup_del: Try to delete non-existent u'testhostgroup1'
FAIL: test_rolegroup[2]: rolegroup_del: Try to delete non-existent u'test-rolegroup-1'
FAIL: test_rolegroup[20]: rolegroup_del: Try to delete non-existent u'test-rolegroup-1'
FAIL: test_host[2]: service_del: Try to delete non-existent u'HTTP/testhost1.ayoung.boston.devel.redhat@ayoung.boston.devel.redhat.com'
FAIL: test_host[16]: service_del: Try to delete non-existent u'HTTP/testhost1.ayoung.boston.devel.redhat@ayoung.boston.devel.redhat.com'
FAIL: test_sudocmd[2]: sudocmd_del: Try to delete non-existent u'/usr/bin/sudotestcmd1'
FAIL: test_sudocmd[12]: sudocmd_del: Try to delete non-existent u'/usr/bin/sudotestcmd1'
FAIL: test_sudocmdgroup[4]: sudocmdgroup_del: Try to delete non-existent u'testsudocmdgroup1'
FAIL: test_sudocmdgroup[13]: sudocmdgroup_del: Try to delete non-existent u'testsudocmdgroup2'
FAIL: test_sudocmdgroup[26]: sudocmdgroup_del: Try to delete non-existent u'testsudocmdgroup1'
FAIL: test_sudocmdgroup[30]: sudocmdgroup_del: Try to delete non-existent u'testsudocmdgroup2'
FAIL: test_taskgroup[2]: taskgroup_del: Try to delete non-existent u'test-taskgroup-1'
FAIL: test_taskgroup[19]: taskgroup_del: Try to delete non-existent u'test-taskgroup-1'
F
Re: [Freeipa-devel] [PATCH] Generate additional positional arguments for baseldap commands from takes_args.
On 10/05/2010 10:43 AM, Pavel Zuna wrote:
takes_args defined in a baseldap subclass is now transformed into positional arguments that go after primary keys. Before this patch, takes_args in crud subclasses were ignored.

example:

--- snip ---
class user_something(LDAPRetrieve):
    takes_args = (
        Str('randomarg'),
    )
--- snip ---

# ipa help something
Usage: ipa [global-options] user-something LOGIN RANDOMARG

Pavel

I'll take reviewing this and Pavel's follow on patches.
[Freeipa-devel] Multicast SSL for Server Broadcast
i was just wondering if multicast ssl (or multicast over a vpn such as IPsec) has been considered as a way to efficiently replicate information from one server to all other servers. i was specifically thinking of multicasting tracking bad password attempts from one server to all the other servers.

i don't know anything about multicast ssl except that IBM worked on it in the late 1990's and it was supposed to support reliable transport. It may simplify things if all the servers had the same certificate...
Re: [Freeipa-devel] [PATCH] Rename user-lock and user-unlock to user-enable user-disable.
Pavel Zuna wrote:
Also fixes related unit tests and therefore depends on my patch number 28.

Ticket #165

Pavel

This looks ok but you need to update the examples in the top help block too:

Lock a user account:
ipa user-lock tuser1

Unlock a user account:
ipa user-unlock tuser1

Fix those and you have an ack.

rob
Re: [Freeipa-devel] [PATCH] Add 'continuous' mode to LDAPDelete. Fix *-del unit tests.
On 10/05/2010 04:47 PM, Pavel Zuna wrote:
All LDAPMultiQuery sub-classes (currently only LDAPDelete) now have the --continuous flag (off by default). The flag should indicate that the command shouldn't stop on errors and continue operation with the next primary key on the arguments lists. This effectively fixes *-del unit tests, because continuous mode is off by default. (It was on before this patch and there was no option to turn it off.)

Ticket #321

Pavel

I forgot to mention that this depends on my patch number 27, because they modify the same file (baseldap.py).

Pavel
[Freeipa-devel] [PATCH] Rename user-lock and user-unlock to user-enable user-disable.
Also fixes related unit tests and therefore depends on my patch number 28. Ticket #165 Pavel >From 9ead34195c3ef1b3be9f9c57ba54fd2849215ab0 Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Tue, 5 Oct 2010 15:37:37 -0400 Subject: [PATCH] Rename user-lock and user-unlock to user-enable user-disable. Ticket #165 --- ipalib/plugins/user.py| 16 tests/test_xmlrpc/test_user_plugin.py | 12 ++-- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 0746553..daa5cc4 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -274,13 +274,13 @@ class user_show(LDAPRetrieve): api.register(user_show) -class user_lock(LDAPQuery): +class user_disable(LDAPQuery): """ -Lock a user account. +Disable user account. """ has_output = output.standard_value -msg_summary = _('Locked user "%(value)s"') +msg_summary = _('Disabled user account "%(value)s"') def execute(self, *keys, **options): ldap = self.obj.backend @@ -297,16 +297,16 @@ class user_lock(LDAPQuery): value=keys[0], ) -api.register(user_lock) +api.register(user_disable) -class user_unlock(LDAPQuery): +class user_enable(LDAPQuery): """ -Unlock a user account. +Enable user account. """ has_output = output.standard_value -msg_summary = _('Unlocked user "%(value)s"') +msg_summary = _('Enabled user account "%(value)s"') def execute(self, *keys, **options): ldap = self.obj.backend @@ -323,4 +323,4 @@ class user_unlock(LDAPQuery): value=keys[0], ) -api.register(user_unlock) +api.register(user_enable) diff --git a/tests/test_xmlrpc/test_user_plugin.py b/tests/test_xmlrpc/test_user_plugin.py index 1850dc1..7d77131 100644 --- a/tests/test_xmlrpc/test_user_plugin.py +++ b/tests/test_xmlrpc/test_user_plugin.py 
@@ -235,27 +235,27 @@ class test_user(Declarative): dict( -desc='Lock %r' % user1, +desc='Disable %r' % user1, command=( -'user_lock', [user1], {} +'user_disable', [user1], {} ), expected=dict( result=True, value=user1, -summary=u'Locked user "tuser1"', +summary=u'Disabled user account "tuser1"', ), ), dict( -desc='Unlock %r' % user1, +desc='Enable %r' % user1, command=( -'user_unlock', [user1], {} +'user_enable', [user1], {} ), expected=dict( result=True, value=user1, -summary=u'Unlocked user "tuser1"', +summary=u'Enabled user account "tuser1"', ), ), -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
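Review bot: the rename is mechanical and the expectations in tests/test_xmlrpc/test_user_plugin.py follow the new msg_summary strings, but the class doc strings changed from "Lock a user account." / "Unlock a user account." to "Disable user account." / "Enable user account.", dropping the article; "Disable a user account." and "Enable a user account." read better and are what ipa help will print. The module-level help examples (Lock a user account: ipa user-lock tuser1, Unlock a user account: ipa user-unlock tuser1) are not in this diff and still refer to the old command names, as the review reply in this thread also points out, so the patch is incomplete until those are updated too.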
[Freeipa-devel] [PATCH] Add 'continuous' mode to LDAPDelete. Fix *-del unit tests.
All LDAPMultiQuery sub-classes (currently only LDAPDelete) now have the --continuous flag (off by default). The flag should indicate that the command shouldn't stop on errors and continue operation with the next primary key on the arguments lists. This effectively fixes *-del unit tests, because continuous mode is off by default. (It was on before this patch and there was no option to turn it off.) Ticket #321 Pavel >From 3c6ad32fd6da79207184c6fbc1fca2126e20f7bd Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Tue, 5 Oct 2010 14:34:47 -0400 Subject: [PATCH 2/2] Add 'continuous' mode to LDAPDelete. Fix *-del unit tests. Ticket #321 --- ipalib/plugins/baseldap.py |9 + 1 files changed, 9 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 42d9017..a4dff46 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -353,6 +353,13 @@ class LDAPMultiQuery(LDAPQuery): """ Base class for commands that need to retrieve one or more existing entries. """ +takes_options = ( +Flag('continuous', +cli_name='continuous', +doc=_('Continuous mode: Don\'t stop on errors.'), +), +) + def get_args(self): for key in self.obj.get_ancestor_primary_keys(): yield key @@ -594,6 +601,8 @@ class LDAPDelete(LDAPMultiQuery): if not delete_entry(pkey): result = False except errors.ExecutionError: +if not options.get('continuous', False): +raise failed.append(pkey) else: deleted.append(pkey) -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
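Review bot: takes_options is assigned as a plain class attribute on LDAPMultiQuery, so any subclass that declares its own takes_options tuple will shadow it and silently lose the --continuous flag; if subclasses are expected to add options, consider yielding Flag('continuous', ...) from get_options() the way get_args() in the same class composes the argument list, or document that subclasses must re-include it. Minor: the doc string 'Continuous mode: Don\'t stop on errors.' can avoid the backslash escape by using double quotes.

Review bot: With continuous off (the new default), the added `raise` in the except branch re-raises the first ExecutionError after any earlier keys on the argument list have already been deleted, so the caller gets the exception but no record of the entries removed before it; consider documenting that *-del is not atomic across multiple keys, or attaching the partial `deleted` list to the error, so scripts can tell which entries are gone.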
Re: [Freeipa-devel] [PATCH] Fix password history rotation
On Mon, 04 Oct 2010 23:02:18 -0400 Rob Crittenden wrote:
> Simo Sorce wrote:
> >
> > This patch properly rotates the password history so the oldest
> > entry is pushed out when we reach the max entries limit.
> >
> > Fixes bz#527879/trac#256
> >
> > Simo.
>
> This was a little confusing because pH and j are counting from 0 and
> i, and data->pwHistoryLen are counting from 1 but it does seem to
> work ok.
>
> ack

pushed to master

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] more style fixes
On Tue, 05 Oct 2010 08:40:03 -0400 Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Mon, 04 Oct 2010 22:42:02 -0400
> > Rob Crittenden wrote:
> >
> >> Simo Sorce wrote:
> >>>
> >>> fix style in some more code.
> >>> purely cosmetic again.
> >>>
> >>> Simo.
> >>>
> >>
> >> Shouldn't this contain the __func__ fix as well?
> >
> > I stopped adding __func__ for now as it introduces a lot of
> > warnings. The reason is that __func__ is const char * but the
> > logging function takes a simple char *.
> >
> > I need to think a bit what is the best solution, I may add a macro
> > later on that basically replaces the logging function with a version
> > that discards the const.
> >
> > But it is not critical, so I decided to just wait a bit.
> >
> > Simo.
> >
>
> Ok, ack

pushed to master

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] Cosmetic fixes
On Mon, 04 Oct 2010 22:38:31 -0400 Rob Crittenden wrote:
> Simo Sorce wrote:
> >
> > Cosmetic changes to fix code style and LDAP attribute descriptions.
>
> ACK x2

pushed to master

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] Improve NTLM hash generation configuration
On Mon, 04 Oct 2010 22:40:25 -0400 Rob Crittenden wrote:
> Simo Sorce wrote:
> >
> > Long overdue, fix TODOs in the code.
> > With this patch it is now possible to configure the password plugin
> > so that only certain types of NTLM hashes are created for Samba
> > objects.
> >
> > Simo.
>
> ACK x2

pushed to master

Simo.

--
Simo Sorce * Red Hat, Inc * New York
[Freeipa-devel] [PATCH] Generate additional positional arguments for baseldap commands from takes_args.
takes_args defined in a baseldap subclass is now transformed into positional arguments that go after primary keys. Before this patch, takes_args in crud subclasses were ignored. example: --- snip --- class user_something(LDAPRetrieve): takes_args = ( Str('randomarg'), ) --- snip --- # ipa help something Usage: ipa [global-options] user-something LOGIN RANDOMARG Pavel >From b67b9f355a31278656285fb2082696b008cf41ef Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Tue, 5 Oct 2010 14:33:27 -0400 Subject: [PATCH 1/2] Generate additional positional arguments for baseldap commands from takes_args. --- ipalib/plugins/baseldap.py |8 1 files changed, 8 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index f6b98e2..42d9017 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -240,6 +240,8 @@ class LDAPCreate(CallbackInterface, crud.Create): yield key if self.obj.primary_key: yield self.obj.primary_key.clone(attribute=True) +for arg in super(crud.Create, self).get_args(): +yield arg def execute(self, *keys, **options): ldap = self.obj.backend @@ -343,6 +345,8 @@ class LDAPQuery(CallbackInterface, crud.PKQuery): yield key if self.obj.primary_key: yield self.obj.primary_key.clone(attribute=True, query=True) +for arg in super(crud.PKQuery, self).get_args(): +yield arg class LDAPMultiQuery(LDAPQuery): @@ -356,6 +360,8 @@ class LDAPMultiQuery(LDAPQuery): yield self.obj.primary_key.clone( attribute=True, query=True, multivalue=True ) +for arg in super(crud.PKQuery, self).get_args(): +yield arg class LDAPRetrieve(LDAPQuery): 
@@ -881,6 +887,8 @@ class LDAPSearch(CallbackInterface, crud.Search): for key in self.obj.get_ancestor_primary_keys(): yield key yield Str('criteria?') +for arg in super(crud.Search, self).get_args(): +yield arg def get_options(self): for option in super(LDAPSearch, self).get_options(): -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
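Review bot: Each new get_args() hunk calls super() with a class other than the one the method is defined in (super(crud.Create, self), super(crud.PKQuery, self), super(crud.Search, self)); this deliberately skips the crud base class's own get_args() and relies on the next class in the MRO being the one that turns takes_args into positional arguments. That holds as long as the hierarchy stays as it is, but a reader of LDAPQuery.get_args() will not see why crud.PKQuery is named there, and LDAPMultiQuery reuses super(crud.PKQuery, self) rather than referring to its own base; a one-line comment at each call site saying that it jumps past the crud layer to collect takes_args would make the intent explicit.

Review bot: In LDAPSearch.get_args() the extra positional arguments are yielded after Str('criteria?'), which is optional, so a subclass declaring a required argument in takes_args would place a required positional after an optional one and the CLI could not tell which value is the criteria; either yield the takes_args arguments before criteria? or document that LDAPSearch subclasses may only add optional arguments.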
Re: [Freeipa-devel] [PATCH] Fix 14 char limit with NT hash
On Mon, 04 Oct 2010 16:23:01 -0400 Adam Young wrote:
> On 10/04/2010 04:07 PM, Simo Sorce wrote:
> > This patch fixes bz#475051/trac#223
> >
> ACK

pushed to master

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] more style fixes
Simo Sorce wrote:
> On Mon, 04 Oct 2010 22:42:02 -0400
> Rob Crittenden wrote:
>
>> Simo Sorce wrote:
>>>
>>> fix style in some more code.
>>> purely cosmetic again.
>>>
>>> Simo.
>>>
>>
>> Shouldn't this contain the __func__ fix as well?
>
> I stopped adding __func__ for now as it introduces a lot of
> warnings. The reason is that __func__ is const char * but the
> logging function takes a simple char *.
>
> I need to think a bit what is the best solution, I may add a macro
> later on that basically replaces the logging function with a version
> that discards the const.
>
> But it is not critical, so I decided to just wait a bit.
>
> Simo.

Ok, ack

rob
Re: [Freeipa-devel] [PATCH] more style fixes
On Mon, 04 Oct 2010 22:42:02 -0400 Rob Crittenden wrote:
> Simo Sorce wrote:
> >
> > fix style in some more code.
> > purely cosmetic again.
> >
> > Simo.
> >
>
> Shouldn't this contain the __func__ fix as well?

I stopped adding __func__ for now as it introduces a lot of
warnings. The reason is that __func__ is const char * but the
logging function takes a simple char *.

I need to think a bit what is the best solution, I may add a macro
later on that basically replaces the logging function with a version
that discards the const.

But it is not critical, so I decided to just wait a bit.

Simo.

--
Simo Sorce * Red Hat, Inc * New York