Re: [Freeipa-devel] [PATCH] Modified ipa help behavior

2010-12-06 Thread Dmitri Pal
Jan Zelený wrote:
 Rob Crittenden rcrit...@redhat.com wrote:
   
 Jan Zelený wrote:
 
 Jan Zelenýjzel...@redhat.com  wrote:
   
 Now each plugin can define its topic as a 2-tuple, where the first
 item is the name of topic it belongs to and the second item is
 a description of such topic. Topic descriptions must be the same
 for all modules belonging to the topic.

 By using these topics, it is possible to group plugins as we see fit.
 When asking for help for a particular topic, help for all modules
 in given topic is written.

 ipa help - show all topics (until now it showed all plugins)
 ipa help <topic> - show details to given topic

 https://fedorahosted.org/freeipa/ticket/410
 
 Sorry for the wrong sequence number, sending the correct one now.
   
 I think this is a good start but I find the output hard to read, both
 with a single topic (like user) or multiple (like sudo). The dashed
 lines and the extra spaces make my eyes cross a bit

 What I don't have is any good suggestion to change it up. I realize you
 are jamming together discrete things that may or may not look nice
 together.

 I suppose a few suggestions might be:

 - a SEEALSO-like where you print the topics at the bottom so it is
 obvious that multiple things are jammed together
 - A single dashed-line all the way across (more or less) with a single
 space before and after might be a less jarring separator. IIRC we have
 some output code that should handle screen sizes for you.
 - I'm not sure if combining all the commands into a single list is the
 right thing or not. It may not be necessary with the SEEALSO.

 So nack for now but this is headed in the right direction.

 rob
 

 After the last discussion at the meeting, I started to work on this again. The
 goal is to implement suggested idea with SEE ALSO topics. But there is one
 more issue to solve. It occurred to me that hbac topic would contain 3
 subtopics: hbac, hbacsvc and hbacsvcgroup. Now the issue is when I type:

 ipa help hbac

 How should the program distinguish the topic hbac from the hbac subtopic? The
 simplest solution here is to rename the module, but that doesn't seem right to
 me. Other solution could be to rename the topic, but that would be against the
 basic reason why we should implement topic grouping. Any suggestions?

 Frankly, I'm wondering if the topic-based grouping is worth the effort, but I have
 an idea a little bit different from this approach. When typing

 ipa help hbac*

 user would receive a filtered list of topics, where only topics with module 
 name starting with hbac would be. The result would look like this:

 ipa help hbac*
 Usage: ipa [global-options] COMMAND ...

 Help topics:
   hbac  Host-based access control
   hbacsvc   HBAC Services
   hbacsvcgroup  HBAC Service Groups

 The only limitation of this concept is that topic groups wouldn't be stable.
 For example the result of ipa help hbac would be different from ipa help
 hbacsvc. Also some incorrect grouping might occur (host and hostgroup at the
 moment). Before I start working on this, I'd like to know your opinions.

   
Maybe use hbac for the high level topic group and hbacrule for the hbac
rule management?
This way there is no name collision. I do not know how big of a change
it is and how it would affect UI/CLI/man etc.
At this point of the project we need to try to minimize changes. It will
affect SUDO too...

Other approach might be to allow subtopics as another parameter:

Usage: ipa help topic subtopic

ipa help hbac hbac

Maybe for the purpose of help we can do:

ipa help hbac
Usage: ipa [global-options] COMMAND ...

Help subtopics:
  rule  Host-based access control rules
  service   HBAC Services
  group HBAC Service Groups


ipa help hbac rule

...

ipa help hbac service

...

ipa help hbac group

...

Will that work? AFAIU this will not have any impact on the commands and
would not require any changes to the UI/CLI other than to the help
system itself.

Thanks
Dmitri

 Thanks
 Jan

 ___
 Freeipa-devel mailing list
 Freeipa-devel@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-devel
   


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.




Re: [Freeipa-devel] [PATCH] 0023 Compiles plugin against the right ldap libraries

2010-12-06 Thread Rob Crittenden

Jan Zelený wrote:

Simo Sorcesso...@redhat.com  wrote:

On Fri, 03 Dec 2010 17:25:20 -0700

Rich Megginsonrmegg...@redhat.com  wrote:

On 12/03/2010 04:26 PM, Simo Sorce wrote:

In Fedora 14, 389-ds started linking against openldap libraries
instead of the old mozldap libraries.

This patch allows us to conditionally build plugins against
openldap as well. Failure to do so may cause symbol clashes when
the plugin is used by directory server because then we get 2
different ldap libraries loaded at the same time.

The spec file has already been changed to build plugins
--with-openldap by default.


ack but only if the goal is to remove use of #define LDAP_DEPRECATED
1 - I can help with this


The only reason I kept that is that we use ldap_explode_dn(), that
function is not itself deprecated (ie it is not under LDAP_DEPRECATED
ifdefs although a comment says it is deprecated), but it returns char
**, and the only function that frees a char ** is ldap_free_value().
This one is under LDAP_DEPRECATED and says you should use
ldap_free_value_len(), but that function takes a struct berval as
argument.

I think there are only 2 places/plugins where those deprecated
functions are used. So if you want to open a ticket to remove them feel
free, but I would do that as a separate patch.
The goal of this patch was to do as few modifications as possible to
the plugins themselves.


I can confirm this patch solves some installation issues on F14, so if Rob
agrees, I'd like to ack this.


Works for me too, ack.

rob



Re: [Freeipa-devel] [PATCH] Document that the default group has to exist

2010-12-06 Thread Rob Crittenden

Jan Zelený wrote:

Rob Crittendenrcrit...@redhat.com  wrote:

Jan Zelený wrote:

Jan Zelenýjzel...@redhat.com   wrote:

https://bugzilla.redhat.com/show_bug.cgi?id=654117#c4


Sending corrected patch. A little modification of the doc formulation and
renaming the patch so it follows the guidelines.

Jan


Can't we do a group-show in the mod pre_callback to see if the group
exists?

rob


Here is the patch, thanks for that suggestion.

Jan


ack, pushed to master



Re: [Freeipa-devel] [PATCH] 629 optimize queries when searching for indirect members

2010-12-06 Thread Rob Crittenden

Jan Zelený wrote:

Rob Crittendenrcrit...@redhat.com  wrote:

Ensure list of attrs to retrieve is unique, optimize getting indirect
members

This fixes search where we were asking for the member attribute 10 or
more  times.

When retrieving indirect members make sure we always pass around the
size and time limits so we don't have to look it up with every call to
find_entries()

I saw this while doing a group_find and watching the LDAP access log.

ticket 557

rob


ACK



pushed to master



Re: [Freeipa-devel] [PATCH] 619 more aci target docs

2010-12-06 Thread Rob Crittenden

David O'Brien wrote:

Rob Crittenden wrote:

Rob Crittenden wrote:

David O'Brien wrote:

Rob Crittenden wrote:

I added some more documentation and examples to the aci plugin on
targets.

ticket 310

rob


NACK

Running behind with reviews, sorry. Just a few minor fixes:

s/targetted/targeted/
s/This is primarily meant to be able to allow users to add/remove
members of a specific group only./This is primarily designed to
enable
users to add or remove members of a specific group.

(I _think_ I understood that ok, and didn't change the meaning.
Further,
if this target is only designed for this purpose, you don't need
primarily. If it does something else, what is it?)

I couldn't grok 100% the subtree target description.

s/... the ACI is allowed to do, they are one or more of:/... the ACI
is allowed to do, and are one or more of:

For consistency's sake, s/lets/allows/ etc. Also see below:
allows members of the addusers taskgroup
lets members of the editors... group?
lets members of the admin group

You might need to review the examples a bit.

cheers


Updated patch.

rob



Ok, the right updated patch this time.

rob

I might be nit-picking now...

This might be a function of how the underlying code works in combination
with using US English, but why do we have both zip code and postal
code?

+ Add an ACI that allows members of the admin group manage the street
and zipcode of those in the editors group:
+ ipa aci-add --permissions=write --memberof=editors --group=admins
--attrs=street,postalcode admins edit address of editors

If postalcode is required in the ACI, and Zip Code is en-US, then
that's fine.

And,
...the admin group TO manage...
admins edit THE address of editors

Like I said, this might be nit-picking for man pages, but what can I
say? I'm a writer.

ACK from me with those couple of updates.


Yeah, the LDAP attribute is postalCode.

Updates applied, pushed to master.

thanks

rob



Re: [Freeipa-devel] [PATCH] Modified ipa help behavior

2010-12-06 Thread Adam Young

On 12/06/2010 07:19 AM, Jan Zelený wrote:

Rob Crittendenrcrit...@redhat.com  wrote:
   

Jan Zelený wrote:
 

Jan Zelenýjzel...@redhat.com   wrote:
   

Now each plugin can define its topic as a 2-tuple, where the first
item is the name of topic it belongs to and the second item is
a description of such topic. Topic descriptions must be the same
for all modules belonging to the topic.

By using these topics, it is possible to group plugins as we see fit.
When asking for help for a particular topic, help for all modules
in given topic is written.

ipa help - show all topics (until now it showed all plugins)
ipa help <topic> - show details to given topic

https://fedorahosted.org/freeipa/ticket/410
 

Sorry for the wrong sequence number, sending the correct one now.
   

I think this is a good start but I find the output hard to read, both
with a single topic (like user) or multiple (like sudo). The dashed
lines and the extra spaces make my eyes cross a bit

What I don't have is any good suggestion to change it up. I realize you
are jamming together discrete things that may or may not look nice
together.

I suppose a few suggestions might be:

- a SEEALSO-like where you print the topics at the bottom so it is
obvious that multiple things are jammed together
- A single dashed-line all the way across (more or less) with a single
space before and after might be a less jarring separator. IIRC we have
some output code that should handle screen sizes for you.
- I'm not sure if combining all the commands into a single list is the
right thing or not. It may not be necessary with the SEEALSO.

So nack for now but this is headed in the right direction.

rob
 

After the last discussion at the meeting, I started to work on this again. The
goal is to implement suggested idea with SEE ALSO topics. But there is one
more issue to solve. It occurred to me that hbac topic would contain 3
subtopics: hbac, hbacsvc and hbacsvcgroup. Now the issue is when I type:

ipa help hbac

How should the program distinguish the topic hbac from the hbac subtopic? The
simplest solution here is to rename the module, but that doesn't seem right to
me. Other solution could be to rename the topic, but that would be against the
basic reason why we should implement topic grouping. Any suggestions?

Frankly, I'm wondering if the topic-based grouping is worth the effort, but I have
an idea a little bit different from this approach. When typing

ipa help hbac*

user would receive a filtered list of topics, where only topics with module
name starting with hbac would be. The result would look like this:

ipa help hbac*
   
That syntax would break in Bash. It would try to match files in the
PWD that start with hbac, and report an error if there were none.




Usage: ipa [global-options] COMMAND ...

Help topics:
   hbac  Host-based access control
   hbacsvc   HBAC Services
   hbacsvcgroup  HBAC Service Groups

The only limitation of this concept is that topic groups wouldn't be stable.
For example the result of ipa help hbac would be different from ipa help
hbacsvc. Also some incorrect grouping might occur (host and hostgroup at the
moment). Before I start working on this, I'd like to know your opinions.

Thanks
Jan

   




[Freeipa-devel] [PATCH] admiyo-0112-entity-i18n

2010-12-06 Thread Adam Young
Note that this does not cover HBAC or SUDO, as Edewata is currently
working on those.
From 07c07de994de1a22d38e270841f75a83b74f9c5c Mon Sep 17 00:00:00 2001
From: Adam Young ayo...@redhat.com
Date: Sat, 4 Dec 2010 00:29:05 -0500
Subject: [PATCH] entity i18n

Updated the user, group, host, hostgroup, netgroup, service, and all policy
entities to use the newer framework functions, in order to
replace the old array style definitions which did not support i18n.
Update a few of the newer framework functions to get the labels from the
meta data.

Fixed the unit tests which were expecting a details facet for users,
no longer automatically created
---
 install/static/details.js   |4 +-
 install/static/group.js |   37 ++
 install/static/host.js  |   29 ++---
 install/static/hostgroup.js |   65 +++---
 install/static/netgroup.js  |   60 ++---
 install/static/policy.js|  242 ++
 install/static/search.js|7 +
 install/static/service.js   |6 +-
 install/static/test/entity_tests.js |9 +-
 install/static/user.js  |  146 +-
 install/static/widget.js|   10 ++-
 11 files changed, 382 insertions(+), 233 deletions(-)

diff --git a/install/static/details.js b/install/static/details.js
index b6503a1c743eb39b26031c94283e05880f0fd12c..59b9aad9fb2d4d15239b2c8b8855043298e10c61 100644
--- a/install/static/details.js
+++ b/install/static/details.js
@@ -339,7 +339,7 @@ function ipa_details_list_section(spec){
 }
 };
 
-// Deprecated: Used for backward compatibility only.
+// This is to allow declarative style programming for details
 function input(spec){
 that.create_field(spec);
 return that;
@@ -350,7 +350,7 @@ function ipa_details_list_section(spec){
 return that;
 }
 
-// Deprecated: Used for backward compatibility only.
+// shorthand notation used for declarative definitions of details pages
 function ipa_stanza(spec) {
 return ipa_details_list_section(spec);
 }
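Review bot: The new comment on ipa_stanza drops the "Deprecated" marker, as does the one on input() in the previous hunk, which reverses a documented API decision without any mention in the commit message. State there that the declarative input/ipa_stanza style is supported again, and write the two new comments in the same form: one starts with a capital ("This is to allow ...") and the other does not ("shorthand notation ...").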
diff --git a/install/static/group.js b/install/static/group.js
index b44463439d73d6059b32751c07530c41b6d1a4dc..8c2087f66f3ca4a9feac2001aba18ec0d446eb7b 100644
--- a/install/static/group.js
+++ b/install/static/group.js
@@ -89,10 +89,14 @@ function ipa_group_add_dialog(spec) {
 
 that.add_dialog_init();
 
-that.add_field(ipa_text_widget({name:'cn', label:'Name', undo: false}));
-that.add_field(ipa_text_widget({name:'description', label:'Description', undo: false}));
-that.add_field(ipa_checkbox_widget({name:'posix', label:'Is this a POSIX group?', undo: false}));
-that.add_field(ipa_text_widget({name:'gidnumber', label:'GID', undo: false}));
+that.add_field(ipa_text_widget({name:'cn', entity_name:'group',
+undo: false}));
+that.add_field(ipa_text_widget({name:'description',
+entity_name:'group', undo: false}));
+that.add_field(ipa_checkbox_widget({name:'posix', entity_name:'group',
+undo: false}));
+that.add_field(ipa_text_widget({name:'gidnumber', entity_name:'group',
+undo: false}));
 };
 
 return that;
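Review bot: The posix checkbox in the add dialog loses its explicit label 'Is this a POSIX group?' and now depends on the metadata for the group entity supplying one. The other three names (cn, description, gidnumber) are also used as columns and detail fields later in this file, but posix appears only here, so nothing in the patch shows that a label exists for it. Confirm the metadata carries it or keep an explicit label as a fallback so the checkbox is not rendered without text. The four calls also repeat entity_name:'group'; having add_field pass the dialog's own entity name to the widget would remove the repetition.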
@@ -105,11 +109,9 @@ function ipa_group_search_facet(spec) {
 var that = ipa_search_facet(spec);
 
 that.init = function() {
-
-that.create_column({name:'cn', label:'Name'});
-that.create_column({name:'gidnumber', label:'GID'});
-that.create_column({name:'description', label:'Description'});
-
+that.create_column({name:'cn'});
+that.create_column({name:'gidnumber'});
+that.create_column({name:'description'});
 that.search_facet_init();
 };
 
@@ -130,20 +132,9 @@ function ipa_group_details_facet(spec) {
 });
 that.add_section(section);
 
-section.create_field({
-name: 'cn',
-label: 'Group Name'
-});
-
-section.create_field({
-name: 'description',
-label: 'Description'
-});
-
-section.create_field({
-name: 'gidnumber',
-label: 'Group ID'
-});
+section.create_field({name: 'cn' });
+section.create_field({name: 'description'});
+section.create_field({name: 'gidnumber' });
 
 that.details_facet_init();
 };
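Review bot: The three replacement create_field calls are spaced inconsistently: {name: 'cn' } and {name: 'gidnumber' } have a space before the closing brace, {name: 'description'} does not; pick one form. It is also worth saying in the commit message that the details page used 'Group Name' and 'Group ID' where the add dialog used 'Name' and 'GID', so moving all of them to metadata labels changes user-visible wording on at least one of the two pages.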
diff --git a/install/static/host.js b/install/static/host.js
index 484b64771ecf6f1be948974f424606476375a276..4a60bbccd3ca965f2ff8263e3859d6ac4710e2cc 100644
--- a/install/static/host.js
+++ b/install/static/host.js
@@ -87,7 +87,7 @@ function ipa_host_add_dialog(spec) {
 
 that.add_field(ipa_text_widget({
 'name': 'fqdn',
-'label': 'Name',
+entity_name:'host',
 'size': 40,
 'undo': false
 }));
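Review bot: The added entity_name:'host' is an unquoted key with no space after the colon, placed between quoted keys ('name': 'fqdn' and 'size': 40). Write it as 'entity_name': 'host', so the object literal keeps one style.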
@@ 

Re: [Freeipa-devel] [PATCH] 0023 Compiles plugin against the right ldap libraries

2010-12-06 Thread Simo Sorce
On Mon, 06 Dec 2010 11:22:38 -0500
Rob Crittenden rcrit...@redhat.com wrote:

 Jan Zelený wrote:
  Simo Sorcesso...@redhat.com  wrote:
  On Fri, 03 Dec 2010 17:25:20 -0700
 
  Rich Megginsonrmegg...@redhat.com  wrote:
  On 12/03/2010 04:26 PM, Simo Sorce wrote:
  In Fedora 14, 389-ds started linking against openldap libraries
  instead of the old mozldap libraries.
 
  This patch allows us to conditionally build plugins against
  openldap as well. Failure to do so may cause symbol clashes when
  the plugin is used by directory server because then we get 2
  different ldap libraries loaded at the same time.
 
  The spec file has already been changed to build plugins
  --with-openldap by default.
 
  ack but only if the goal is to remove use of #define
  LDAP_DEPRECATED 1 - I can help with this
 
  The only reason I kept that is that we use ldap_explode_dn(), that
  function is not itself deprecated (ie it is not under
  LDAP_DEPRECATED ifdefs although a comment says it is deprecated),
  but it returns char **, and the only function that frees a char **
  is ldap_free_value(). This one is under LDAP_DEPRECATED and says
  you should use ldap_free_value_len(), but that function takes a
  struct berval as argument.
 
  I think there are only 2 places/plugins where those deprecated
  functions are used. So if you want to open a ticket to remove them
  feel free, but I would do that as a separate patch.
  The goal of this patch was to do as few modifications as possible
  to the plugins themselves.
 
  I can confirm this patch solves some installation issues on F14, so
  if Rob agrees, I'd like to ack this.
 
 Works for me too, ack.

Pushed to master

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


[Freeipa-devel] [PATCH] Hostgroups - Netgroups Managed Entries

2010-12-06 Thread JR Aquino
Hello,

Please review the attached patch.

It is meant to address:
https://fedorahosted.org/freeipa/ticket/543

This patch adds support for the default behavior of
adding/deleting/modifying an ipaNetgroup anytime an ipaHostgroup is
added/deleted/modified.

As requested by the ticket, the cli does not display these managed entries
when performing: ipa netgroup-find





Re: [Freeipa-devel] [PATCH] admiyo-0112-entity-i18n

2010-12-06 Thread Endi Sukma Dewata

On 12/6/2010 11:16 AM, Adam Young wrote:

Note that this does not cover HBAC or SUDO, as Edewata is currently
working on those.


ACK and pushed to master.

--
Endi S. Dewata



[Freeipa-devel] [PATCH] 631 Add IA5String type

2010-12-06 Thread Rob Crittenden
Some attributes we use are IA5Strings which have a very limited 
character set. Add a parameter type for that so we can catch the bad 
type up front and give a more reasonable error message than syntax error.


ticket 496

rob
From d1c650311b66e822667d76f46416cc2039519f22 Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Mon, 6 Dec 2010 15:09:03 -0500
Subject: [PATCH] Add new parameter type IA5Str and use this to enforce the right charset.

ticket 496
---
 install/share/60ipaconfig.ldif   |2 +-
 ipalib/__init__.py   |2 +-
 ipalib/errors.py |   16 
 ipalib/parameters.py |   19 +++
 ipalib/plugins/automount.py  |   28 ++--
 ipalib/plugins/config.py |8 
 ipaserver/plugins/ldap2.py   |2 ++
 tests/test_ipalib/test_parameters.py |   23 +++
 8 files changed, 80 insertions(+), 20 deletions(-)

diff --git a/install/share/60ipaconfig.ldif b/install/share/60ipaconfig.ldif
index e93b55e..d7b4ebd 100644
--- a/install/share/60ipaconfig.ldif
+++ b/install/share/60ipaconfig.ldif
@@ -22,7 +22,7 @@ attributetypes: ( 2.16.840.1.113730.3.8.1.4 NAME 'ipaSearchRecordsLimit' EQUALIT
 ## ipaCustomFields - custom fields to show in the UI in addition to pre-defined ones
 attributetypes: ( 2.16.840.1.113730.3.8.1.5 NAME 'ipaCustomFields' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
 ## ipaHomesRootDir - default posix home directory root dir to use when creating new accounts
-attributetypes: ( 2.16.840.1.113730.3.8.1.6 NAME 'ipaHomesRootDir' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
+attributetypes: ( 2.16.840.1.113730.3.8.1.6 NAME 'ipaHomesRootDir' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)
 ## ipaDefaultLoginShell - default posix login shell to use when creating new accounts
 attributetypes: ( 2.16.840.1.113730.3.8.1.7 NAME 'ipaDefaultLoginShell' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
 ## ipaDefaultPrimaryGroup - default posix primary group to assign when creating new accounts
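Review bot: Changing the SYNTAX of ipaHomesRootDir from 1.3.6.1.4.1.1466.115.121.1.15 (Directory String) to 1.3.6.1.4.1.1466.115.121.1.26 (IA5 String) in 60ipaconfig.ldif only covers fresh installs; nothing in the diffstat updates the schema on servers that are already installed, and an existing value containing non-ASCII characters would no longer conform to the new syntax. Please add the upgrade step or explain why none is needed. ipaDefaultLoginShell, two lines below, stays a Directory String, which looks inconsistent if the aim is to restrict path-like settings to ASCII.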
diff --git a/ipalib/__init__.py b/ipalib/__init__.py
index 2589cf1..169b47a 100644
--- a/ipalib/__init__.py
+++ b/ipalib/__init__.py
@@ -878,7 +878,7 @@ from backend import Backend
 from frontend import Command, LocalOrRemote
 from frontend import Object, Method, Property
 from crud import Create, Retrieve, Update, Delete, Search
-from parameters import DefaultFrom, Bool, Flag, Int, Float, Bytes, Str, Password,List
+from parameters import DefaultFrom, Bool, Flag, Int, Float, Bytes, Str, IA5Str, Password,List
 from parameters import BytesEnum, StrEnum, AccessTime, File
 from errors import SkipPluginModule
 from text import _, ngettext, GettextFactory, NGettextFactory
diff --git a/ipalib/errors.py b/ipalib/errors.py
index 5b983cc..5d77bc2 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -1252,6 +1252,22 @@ class OnlyOneValueAllowed(ExecutionError):
 format = _('%(attr)s: Only one value allowed.')
 
 
+class InvalidSyntax(ExecutionError):
+
+**4208** Raised when trying to set more than one value to single-value attributes
+
+For example:
+
+ raise OnlyOneValueAllowed(attr='ipahomesrootdir')
+Traceback (most recent call last):
+  ...
+InvalidSyntax: ipahomesrootdir: Invalid syntax
+
+
+errno = 4208
+format = _('%(attr)s: Invalid syntax.')
+
+
 class CertificateError(ExecutionError):
 
 **4300** Base class for Certificate execution errors (*4300 - 4399*).
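Review bot: The docstring of InvalidSyntax is copied from OnlyOneValueAllowed: it says the error is "Raised when trying to set more than one value to single-value attributes", and the example raises OnlyOneValueAllowed(attr='ipahomesrootdir') while the traceback shows InvalidSyntax. Describe the real condition (a value that does not conform to the attribute's syntax) and raise InvalidSyntax(attr='ipahomesrootdir') in the example so it is self-consistent. The example output "Invalid syntax" also lacks the trailing period that the format string '%(attr)s: Invalid syntax.' produces.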
diff --git a/ipalib/parameters.py b/ipalib/parameters.py
index cf4f3ba..f3b13bd 100644
--- a/ipalib/parameters.py
+++ b/ipalib/parameters.py
@@ -1278,6 +1278,25 @@ class Str(Data):
 )
 
 
+class IA5Str(Str):
+
+An IA5String per RFC 4517
+
+
+def __init__(self, name, *rules, **kw):
+super(IA5Str, self).__init__(name, *rules, **kw)
+
+def _convert_scalar(self, value, index=None):
+if isinstance(value, basestring):
+for i in xrange(len(value)):
+if ord(value[i])  127:
+raise ConversionError(name=self.name, index=index,
+error=_('The character \'%(char)r\' is not allowed.') %
+dict(char=value[i],)
+)
+return super(IA5Str, self)._convert_scalar(value, index)
+
+
 class Password(Str):
 
 A parameter for passwords (stored in the ``unicode`` type).
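Review bot: In _convert_scalar the message 'The character \'%(char)r\' is not allowed.' wraps a %r conversion in literal quotes, so the user sees doubled quoting because the repr already adds its own; use %(char)r without the surrounding quotes or %(char)s with them. The __init__ override only forwards to super and can be dropped, and iterating over the characters directly is clearer than indexing through xrange(len(value)). Whatever comparison is applied to ord(value[i]), IA5 covers code points 0 through 127 inclusive, so 127 itself has to be accepted.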
diff --git a/ipalib/plugins/automount.py b/ipalib/plugins/automount.py
index df9b341..958b4c2 100644
--- a/ipalib/plugins/automount.py
+++ b/ipalib/plugins/automount.py
@@ -168,7 +168,7 @@ automountInformation: -ro,soft,rsize=8192,wsize=8192 nfs.example.com:/vol/arch
 
 from ipalib import api, errors
 from ipalib import Object, Command
-from ipalib import Flag, Str
+from ipalib import Flag, Str, IA5Str
 from 

Re: [Freeipa-devel] [PATCH] HBAC Service Groups adjustments

2010-12-06 Thread Adam Young

On 12/06/2010 12:12 PM, Endi Sukma Dewata wrote:

Hi,

Please review the attached patch. Thanks!

The association facet for HBAC Service Groups has been removed
and replaced with an association table in the details page.

The ipa_association_table_widget has been modified to support
multiple columns in the table itself and in the adder dialog.
The ipa_association_adder_dialog and ipa_association_facet have
been refactored.

The ipa_sudorule_association_widget and ipa_rule_association_widget
have been removed because their functionalities have been merged into
ipa_association_table_widget.



ACK.  Pushed to master

[Freeipa-devel] [PATCH] Column i18n

2010-12-06 Thread Endi Sukma Dewata

Hi,

Please review the attached patch. Thanks!

The ipa_column has been modified to get the label from metadata
during initialization. The ipa_table_widget has been modified to
initialize the columns. Hard-coded labels have been removed from
column declarations.

The ipa_adder_dialog has been modified to execute a search at the
end of setup.

--
Endi S. Dewata
From ee1025e731f2aa5b49f82aecdbdadffc988ff148 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Mon, 6 Dec 2010 13:51:49 -0600
Subject: [PATCH] Column i18n

The ipa_column has been modified to get the label from metadata
during initialization. The ipa_table_widget has been modified to
initialize the columns. Hard-coded labels have been removed from
column declarations.

The ipa_adder_dialog has been modified to execute a search at the
end of setup.
---
 install/static/associate.js|   37 +++---
 install/static/group.js|   13 ---
 install/static/hbac.js |   16 --
 install/static/hbacsvc.js  |8 +++---
 install/static/hbacsvcgroup.js |   12 +++---
 install/static/host.js |5 +---
 install/static/search.js   |   11 +++--
 install/static/service.js  |9 +++
 install/static/sudocmd.js  |8 +++---
 install/static/sudocmdgroup.js |   12 +++---
 install/static/sudorule.js |   12 +-
 install/static/widget.js   |   43 +++
 12 files changed, 100 insertions(+), 86 deletions(-)

diff --git a/install/static/associate.js b/install/static/associate.js
index 1a96362f5955ba217a921d43c3711e3266e9bd52..48bb0225f24bed8438db3745d8fafb7a36922e2a 100644
--- a/install/static/associate.js
+++ b/install/static/associate.js
@@ -153,15 +153,9 @@ function ipa_association_adder_dialog(spec) {
 }
 
 that.adder_dialog_init();
-execute_search('');
-
 };
 
 that.search = function() {
-execute_search(that.get_filter());
-};
-
-function execute_search(filter){
 function on_success(data, text_status, xhr) {
 var results = data.result;
 that.clear_available_values();
@@ -172,8 +166,8 @@ function ipa_association_adder_dialog(spec) {
 }
 }
 
-ipa_cmd('find', [filter], {'all': true}, on_success, null, that.other_entity);
-}
+ipa_cmd('find', [that.get_filter()], {'all': true}, on_success, null, that.other_entity);
+};
 
 return that;
 }
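Review bot: With execute_search folded into that.search, the first listing now runs ipa_cmd('find', [that.get_filter()], ...) before the user has typed anything, so it is only equivalent to the old execute_search('') if get_filter() returns an empty string on a freshly opened dialog; please confirm that, since the filter field is not part of this hunk. The error callback passed to ipa_cmd is still null, which means a failed find leaves the available list empty with no indication; while this call is being rewritten it would be a good moment to pass a handler.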
@@ -250,7 +244,6 @@ function ipa_association_table_widget(spec) {
 };
 
 that.add_adder_column = function(column) {
-column.entity_name = that.entity_name;
 that.adder_columns.push(column);
 that.adder_columns_by_name[column.name] = column;
 };
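Review bot: Removing column.entity_name = that.entity_name from add_adder_column means a column gets its entity_name only when init later runs its loop, and the value changes from that.entity_name to that.other_entity. A column added after init therefore ends up with no entity_name at all. Either keep an assignment here (using that.other_entity) or document that columns must be added before init.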
@@ -284,6 +277,16 @@ function ipa_association_table_widget(spec) {
 });
 }
 
+for (var i=0; ithat.columns.length; i++) {
+var column = that.columns[i];
+column.entity_name = that.other_entity;
+}
+
+for (var i=0; ithat.adder_columns.length; i++) {
+var column = that.adder_columns[i];
+column.entity_name = that.other_entity;
+}
+
 that.table_init();
 };
 
@@ -523,7 +526,6 @@ function ipa_association_facet(spec) {
 };
 
 that.add_column = function(column) {
-column.entity_name = that.entity_name;
 that.columns.push(column);
 that.columns_by_name[column.name] = column;
 };
@@ -539,7 +541,6 @@ function ipa_association_facet(spec) {
 };
 
 that.add_adder_column = function(column) {
-column.entity_name = that.entity_name;
 that.adder_columns.push(column);
 that.adder_columns_by_name[column.name] = column;
 };
@@ -552,6 +553,8 @@ function ipa_association_facet(spec) {
 
 that.init = function() {
 
+that.facet_init();
+
 var entity = IPA.get_entity(that.entity_name);
 var association = entity.get_association(that.other_entity);
 
@@ -608,7 +611,17 @@ function ipa_association_facet(spec) {
 };
 }
 
-that.facet_init();
+for (var i=0; ithat.columns.length; i++) {
+var column = that.columns[i];
+column.entity_name = that.other_entity;
+}
+
+for (var i=0; ithat.adder_columns.length; i++) {
+var column = that.adder_columns[i];
+column.entity_name = that.other_entity;
+}
+
+that.table.init();
 };
 
 that.is_dirty = function() {
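Review bot: that.facet_init() moves from the end of init to the top (previous hunk) and init now ends with that.table.init(), so facet_init runs before the association lookup and the column setup in between; please confirm it does not depend on that.columns or that.table being populated. The widget version calls that.table_init() while this one calls that.table.init(); a one-line comment that that.table is the embedded table widget would keep the two from being confused.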
diff --git a/install/static/group.js b/install/static/group.js
index 8c2087f66f3ca4a9feac2001aba18ec0d446eb7b..f3dba7b03169273fd68c9d97c0f3ff0470270a73 100644
--- a/install/static/group.js
+++ b/install/static/group.js
@@ -150,11 +150,10 @@ function ipa_group_member_user_facet(spec) {
 
 that.init = function() {
 
-that.create_column({name: 'cn', label: 'Name'});
+that.create_column({name: 'cn'});
 
 

[Freeipa-devel] [PATCH] 0024 - Better random ranges

2010-12-06 Thread Simo Sorce

This patch reduced the size of the default range (from 1 million to
200.000) and also changes the way the range is selected.
Instead of starting at a completely random number, it selects 1 out of
1 random 200k ranges so that the range starts at multiples of 200k.

This makes it so that 2 different installs either do not overlap at all
or overlap completely (once in 10k times) instead of potentially
partially overlapping.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From 7a4573918ea62a007a785332cdec2670bd9c4b2c Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Mon, 6 Dec 2010 16:16:49 -0500
Subject: [PATCH] Give back smaller and more readable ranges by default.

Instead of allocating a completely random start between 1M and 2G and a range
of 1M values, give 1 possible 200k ranges. They all start at a 200k
boundary so they generate more readable IDs, at least until there aren't too
many users/replicas involved.
---
 install/tools/ipa-server-install |   11 ++-
 1 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 020fc8ff8aa7b627ba9cb7366635c6ed4f864a79..aa0f8ba072ef43cdcdaf9f4ba42cd4c7961e123f 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -1,7 +1,9 @@
 #! /usr/bin/python -E
 # Authors: Karl MacMillan kmacmil...@mentalrootkit.com
+#  Simo Sorce sso...@redhat.com
+#  Rob Crittended rcrit...@redhat.com
 #
-# Copyright (C) 2007  Red Hat
+# Copyright (C) 2007-2010  Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or
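Review bot: The added author line spells the name "Rob Crittended"; it should read "Rob Crittenden".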
@@ -60,11 +62,10 @@ from ipapython.config import IPAOptionParser
 pw_name = None
 uninstalling = False
 
-# Used to determine the the highest possible uid/gid
-MAXINT_32BIT = 2147483648
 
 def parse_options():
-namespace = random.randint(100, (MAXINT_32BIT - 100))
+# Guaranteed to give a random 200k range below the 2G mark (uint32_t limit)
+namespace = random.randint(1, 1) * 20
 parser = IPAOptionParser(version=version.VERSION)
 parser.add_option(-u, --user, dest=ds_user,
   help=ds user)
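Review bot: The new namespace expression hard-codes the number of slots and the range size as bare literals, and the range size is repeated in the idmax default in the next hunk; with MAXINT_32BIT removed there is no named constant left that ties these to the uint32_t limit the comment mentions. Define the range size and the slot count once at module level and derive both namespace and idmax from them, so the "below the 2G mark" guarantee can be checked by reading the constants.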
@@ -177,7 +178,7 @@ def parse_options():
 parser.error(--external-cert-file must use an absolute path)
 
 if options.idmax == 0:
-options.idmax = int(options.idstart) + 100 - 1
+options.idmax = int(options.idstart) + 20 - 1
 
 if options.idmax  options.idstart:
 parse.error(idmax (%u) cannot be smaller than idstart (%u) %
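Review bot: In the trailing context the idmax/idstart check calls parse.error(...), while the call a few lines above uses parser.error(...); parse is not a name that appears anywhere else in this diff, so that branch would most likely fail with a NameError instead of printing the message. Since this hunk changes the idmax default directly above it, fix the call in the same patch.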
-- 
1.7.3.2
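
The overlap argument from the message above, as an added example (not part of the original post or of ipa-server-install): it compares ranges aligned to 200k boundaries with the old fully random 1M ranges. The slot count of 10,000 is an assumption taken from the "once in 10k times" remark; the function names are hypothetical.

```python
import random

# Values taken from the post and commit message; SLOT_COUNT is an assumption
# derived from the "once in 10k times" remark.
RANGE_SIZE = 200_000          # new default range size
SLOT_COUNT = 10_000           # assumed number of aligned slots
OLD_RANGE_SIZE = 1_000_000    # old default range size
MAXINT_32BIT = 2147483648     # constant removed by the patch


def aligned_range(rng):
    """New scheme: choose one slot, so the range starts on a 200k boundary."""
    start = rng.randint(1, SLOT_COUNT) * RANGE_SIZE
    return start, start + RANGE_SIZE - 1


def unaligned_range(rng):
    """Old scheme as described in the commit message: random start between
    1M and 2G, followed by 1M values."""
    start = rng.randint(OLD_RANGE_SIZE, MAXINT_32BIT - OLD_RANGE_SIZE)
    return start, start + OLD_RANGE_SIZE - 1


def classify(a, b):
    """Classify two inclusive (first_id, last_id) ranges."""
    if a == b:
        return "identical"
    if a[1] < b[0] or b[1] < a[0]:
        return "disjoint"
    return "partial"


def max_aligned_id():
    """Highest ID the aligned scheme can hand out."""
    return SLOT_COUNT * RANGE_SIZE + RANGE_SIZE - 1


def simulate(pick, trials, seed):
    """Install two independent servers `trials` times and count how their
    ID ranges relate to each other."""
    rng = random.Random(seed)
    counts = {"disjoint": 0, "identical": 0, "partial": 0}
    for _ in range(trials):
        counts[classify(pick(rng), pick(rng))] += 1
    return counts


if __name__ == "__main__":
    print("highest aligned ID:", max_aligned_id())
    print("aligned  :", simulate(aligned_range, 200_000, seed=1))
    print("unaligned:", simulate(unaligned_range, 200_000, seed=1))
```

Partial overlaps are the troublesome case when two installs are later merged, because only some IDs collide; with aligned slots the count of partial overlaps is zero by construction.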


Re: [Freeipa-devel] [PATCH] Column i18n

2010-12-06 Thread Adam Young

On 12/06/2010 04:17 PM, Endi Sukma Dewata wrote:

Hi,

Please review the attached patch. Thanks!

The ipa_column has been modified to get the label from metadata
during initialization. The ipa_table_widget has been modified to
initialize the columns. Hard-coded labels have been removed from
column declarations.

The ipa_adder_dialog has been modified to execute a search at the
end of setup.



ACK and pushed to master.  I appended the ipa_init.json metadata update.

Re: [Freeipa-devel] [PATCH] SUDO Command Groups adjustments

2010-12-06 Thread Adam Young

On 12/06/2010 04:33 PM, Endi Sukma Dewata wrote:

Hi,

Please review the attached patch. Thanks!

The association facet for SUDO Command Groups has been removed and
replaced with an association table in the details page.



ACK and pushed to master.

Note that the buttons on my machine are superimposed over the 
Description column.  We'll need to adjust that, along with the rest of 
the buttons cleanup.