[Freeipa-devel] [PATCH] 039 Delete the whole DNS record with no parameters
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi,
as discussed in https://bugzilla.redhat.com/show_bug.cgi?id=671019 to
delete a DNS RR one has to remove its record types one by one.
This patch modifies the behaviour so that if the user runs dnsrecord-del
zone record-name with no other parameters, the whole record is removed.
Alternative solutions might be to expose the internal command that is
able to delete the record (although I think it is counterintuitive to
have one command to remove record types and one for the whole record) or
have a special flag (--del-all?) to remove the whole record.
The patch also fixes the unit tests as they didn't reflect all the
recent changes.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk04Ml4ACgkQHsardTLnvCWk3wCZAYEuhUBs3dX5RkBiCvsD/Iev
VcgAoJzk5cCgzmhityA56g830wNnkaxE
=f60L
-END PGP SIGNATURE-
From 091daa04a752f9af7a004c6011ebeb033f824914 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek jhro...@redhat.com
Date: Thu, 20 Jan 2011 07:54:14 -0500
Subject: [PATCH] Delete the whole DNS record with no parameters
Also fixes the DNS unit tests.
https://fedorahosted.org/freeipa/ticket/816
---
ipalib/plugins/dns.py|9 +
tests/test_xmlrpc/test_dns_plugin.py | 26 --
2 files changed, 25 insertions(+), 10 deletions(-)
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index e1d9ce6..ffedee1 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -519,6 +519,15 @@ class dnsrecord_del(dnsrecord_mod_record):
Delete DNS resource record.
def update_old_entry_callback(self, entry_attrs, old_entry_attrs):
+# if del was called without any arguments, delete the whole entry
+numattr = reduce(lambda x,y: x+y,
+ map(lambda x: len(x), entry_attrs.values()))
+if numattr == 0:
+for attr in old_entry_attrs.iterkeys():
+old_entry_attrs[attr] = []
+return
+
+# Otherwise just purge the individual values
for (a, v) in entry_attrs.iteritems():
if not isinstance(v, (list, tuple)):
v = [v]
diff --git a/tests/test_xmlrpc/test_dns_plugin.py b/tests/test_xmlrpc/test_dns_plugin.py
index 5fb08fd..614d0f8 100644
--- a/tests/test_xmlrpc/test_dns_plugin.py
+++ b/tests/test_xmlrpc/test_dns_plugin.py
@@ -86,7 +86,8 @@ class test_dns(Declarative):
'dn': u'idnsname=%s,cn=dns,%s' % (dnszone1, api.env.basedn),
'idnsname': [dnszone1],
'idnszoneactive': [u'TRUE'],
-'idnssoamname': [u'ns1.%s' % dnszone1],
+'idnssoamname': [u'ns1.%s.' % dnszone1],
+'nsrecord': [u'ns1.%s.' % dnszone1],
'idnssoarname': [u'root.%s.' % dnszone1],
'idnssoaserial': [fuzzy_digits],
'idnssoarefresh': [fuzzy_digits],
@@ -122,7 +123,8 @@ class test_dns(Declarative):
'dn': u'idnsname=%s,cn=dns,%s' % (dnszone1, api.env.basedn),
'idnsname': [dnszone1],
'idnszoneactive': [u'TRUE'],
-'idnssoamname': [u'ns1.%s' % dnszone1],
+'nsrecord': [u'ns1.%s.' % dnszone1],
+'idnssoamname': [u'ns1.%s.' % dnszone1],
'idnssoarname': [u'root.%s.' % dnszone1],
'idnssoaserial': [fuzzy_digits],
'idnssoarefresh': [fuzzy_digits],
@@ -143,7 +145,8 @@ class test_dns(Declarative):
'result': {
'idnsname': [dnszone1],
'idnszoneactive': [u'TRUE'],
-'idnssoamname': [u'ns1.%s' % dnszone1],
+'nsrecord': [u'ns1.%s.' % dnszone1],
+'idnssoamname': [u'ns1.%s.' % dnszone1],
'idnssoarname': [u'root.%s.' % dnszone1],
'idnssoaserial': [fuzzy_digits],
'idnssoarefresh': [u'5478'],
@@ -157,8 +160,8 @@ class test_dns(Declarative):
dict(
-desc='Search for zones with name server %r' % (u'ns1.%s' % dnszone1),
-command=('dnszone_find', [], {'idnssoamname': u'ns1.%s' % dnszone1}),
+desc='Search for zones with name server %r' % (u'ns1.%s.' % dnszone1),
+command=('dnszone_find', [], {'idnssoamname': u'ns1.%s.' % dnszone1}),
expected={
'summary': None,
'count': 1,
@@ -167,7 +170,8 @@ class test_dns(Declarative):
'dn': u'idnsname=%s,cn=dns,%s' % (dnszone1, api.env.basedn),
'idnsname': [dnszone1],
'idnszoneactive': [u'TRUE'],
-'idnssoamname': [u'ns1.%s' % dnszone1],
+'nsrecord': [u'ns1.%s.' % dnszone1],
+
Re: [Freeipa-devel] [PATCH] admiyo-0153-rename-static-to-ui
- Original Message - I've been having problems with my lite-server install setup even before this patch. Can someone please test against the list server? I'm having a problem with the lite-server too, but it works fine with full server. Need to investigate further. ACK and pushed to master. -- Endi S. Dewata ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 683 block anonymous access to hbac info
I think it is safe to give up member. It is necessary for nss_ldap and nis. If we remove member and add the role container I think that should cover the low hanging fruit that discloses authorization data. On 1/19/11 3:28 PM, Simo Sorce sso...@redhat.com wrote: On Wed, 19 Jan 2011 17:51:56 -0500 Rob Crittenden rcrit...@redhat.com wrote: +aci: (targetattr = member || memberOf || memberHost || memberUser)(version 3.0; acl No anonymous access to member information; deny (read,search,compare) userdn != ldap:///all;;) Nack, without 'member', nss_ldap will have no way to determine posixAccount group memberships using anonymous access (the default). Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0064 Fix authentication for init scripts
On 1/19/11 3:31 PM, Simo Sorce sso...@redhat.com wrote: In order for ipactl to function even when anonymous access is disabled we need to authenticate. Use sASL/EXTERNAL to let root get access as a very low privileged special user. Ticket #795 This patch is a replacement of 0061 where I was using SASL/GSSAPI Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ACK ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] admiyo-0154-declarative-defintions
If you ACK, please don't push, but let me do so, as it will likely
conflict with other UI work.
From e41dd7e95a5fd6affd3dc05ac31b50ddcb2fb863 Mon Sep 17 00:00:00 2001
From: Adam Young ayo...@redhat.com
Date: Wed, 19 Jan 2011 21:10:18 -0500
Subject: [PATCH] declarative defintions
Delay the creation of entities until after ipa init is called
made the user and group entity definitions declarative
removed unused facet from groups
adjusted unit tests
---
install/ui/aci.js | 27 ++---
install/ui/details.js | 13 +-
install/ui/entity.js| 31 +
install/ui/group.js | 206 ++
install/ui/hbacrule.js |2 +-
install/ui/hbacsvc.js |2 +-
install/ui/hbacsvcgroup.js |2 +-
install/ui/host.js |2 +-
install/ui/hostgroup.js |4 +-
install/ui/ipa.js | 14 ++-
install/ui/netgroup.js |4 +-
install/ui/policy.js| 36 ---
install/ui/search.js|9 ++
install/ui/serverconfig.js | 41 +---
install/ui/service.js |2 +-
install/ui/sudocmd.js |2 +-
install/ui/sudocmdgroup.js |2 +-
install/ui/sudorule.js |2 +-
install/ui/test/details_tests.js| 17 +++-
install/ui/test/entity_tests.js | 35 --
install/ui/test/navigation_tests.js | 48 +
install/ui/user.js | 155 +++
install/ui/webui.js |2 +
install/ui/widget.js|5 +
24 files changed, 303 insertions(+), 360 deletions(-)
diff --git a/install/ui/aci.js b/install/ui/aci.js
index 85cfcaa850a17a94e40c53320c41b11b444b5f3a..ea69209d32ffe419321ece0deec277de0f4c57b9 100644
--- a/install/ui/aci.js
+++ b/install/ui/aci.js
@@ -564,7 +564,7 @@ IPA.target_section = function () {
};
-IPA.permission = function () {
+IPA.register_entity(function () {
var that = IPA.entity({
'name': 'permission'
@@ -593,10 +593,7 @@ IPA.permission = function () {
};
return that;
-};
-
-
-IPA.add_entity(IPA.permission());
+});
@@ -678,7 +675,7 @@ IPA.permission_details_facet = function () {
};
-IPA.add_entity( function() {
+IPA.register_entity( function() {
var that = IPA.entity({
'name': 'privilege'
});
@@ -718,10 +715,10 @@ IPA.add_entity( function() {
that.entity_init();
};
return that;
-}());
+});
-IPA.add_entity( function() {
+IPA.register_entity( function() {
var that = IPA.entity({
'name': 'role'
});
@@ -759,10 +756,10 @@ IPA.add_entity( function() {
that.entity_init();
};
return that;
-}());
+});
-IPA.add_entity( function() {
+IPA.register_entity( function() {
var that = IPA.entity({
'name': 'selfservice'
});
@@ -786,7 +783,8 @@ IPA.add_entity( function() {
that.init = function() {
that.add_section(
-IPA.stanza({name:'general', label:'General'}).
+IPA.stanza({name:'general', label:'General',
+entity_name:'selfservice'}).
input({name:'aciname'}).
custom_input(IPA.attribute_table_widget({
object_type:'user',
@@ -796,7 +794,6 @@ IPA.add_entity( function() {
return that;
}());
-
that.parent_init = that.init;
that.init = function(){
that.parent_init();
@@ -813,10 +810,10 @@ IPA.add_entity( function() {
dialog.init();
};
return that;
-}());
+});
-IPA.add_entity( function() {
+IPA.register_entity( function() {
var that = IPA.entity({
'name': 'delegation'
});
@@ -873,4 +870,4 @@ IPA.add_entity( function() {
};
return that;
-}());
\ No newline at end of file
+});
\ No newline at end of file
diff --git a/install/ui/details.js b/install/ui/details.js
index aad77a9c4a5ff3b05fa3def8c7c300e12d1fcd67..84a5c4098d0e0eef4bfa75517eac59665d3e4d93 100644
--- a/install/ui/details.js
+++ b/install/ui/details.js
@@ -485,6 +485,7 @@ IPA.stanza = function (spec) {
IPA.details_facet = function (spec) {
spec = spec || {};
+spec.name = spec.name || 'details';
var that = IPA.facet(spec);
@@ -498,8 +499,6 @@ IPA.details_facet = function (spec) {
that.refresh = spec.refresh || IPA.details_refresh;
that.sections = [];
-that.sections_by_name = {};
-
that.__defineGetter__(entity_name, function(){
return that._entity_name;
});
@@ -512,17 +511,17 @@ IPA.details_facet = function (spec) {
}
});
-that.get_section = function(name) {
-return that.sections_by_name[name];
-};
-
that.add_section = function(section) {
section.entity_name = that.entity_name;
that.sections.push(section);
-
Re: [Freeipa-devel] [PATCH] 0064 Fix authentication for init scripts
Simo Sorce wrote: In order for ipactl to function even when anonymous access is disabled we need to authenticate. Use sASL/EXTERNAL to let root get access as a very low privileged special user. Ticket #795 This patch is a replacement of 0061 where I was using SASL/GSSAPI Simo. ack ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0065 Use ldapi with krb5kdc
NACK. Please retest this... I'm not sure how it is related, but I receive an error during the make rpm process: Traceback (most recent call last): File ./makeapi, line 27, in module from ipalib import * File /usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279/ipalib/__init__.py , line 878, in module from frontend import Command, LocalOrRemote File /usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279/ipalib/frontend.py , line 36, in module from ipapython.version import API_VERSION File /usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279/ipapython/version. py, line 25, in module NUM_VERSION=200 NameError: name '__NUM_VERSION__' is not defined make[1]: *** [version-update] Error 1 make[1]: Leaving directory `/usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279' error: Bad exit status from /var/tmp/rpm-tmp.315pIJ (%build) RPM build errors: Bad exit status from /var/tmp/rpm-tmp.315pIJ (%build) make: *** [rpms] Error 1 On 1/19/11 4:11 PM, Simo Sorce sso...@redhat.com wrote: Long ago we decided to use the ldapi socket to let the KDC access the ldap data in order to avoid comunication over the network (even if it is 127.0.0.1). This patch finally implements that. Although beware that this patch will need you to either create custom policy or to set selinux in permissive mode until the new policy lands in fedora land. Bugs have been opened and I think the policy has already landed in rawhide. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0065 Use ldapi with krb5kdc
On 1/20/11 10:11 AM, Rob Crittenden rcrit...@redhat.com wrote: JR Aquino wrote: NACK. Please retest this... I'm not sure how it is related, but I receive an error during the make rpm process: Traceback (most recent call last): File ./makeapi, line 27, inmodule from ipalib import * File /usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279/ipalib/__init__. py , line 878, inmodule from frontend import Command, LocalOrRemote File /usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279/ipalib/frontend. py , line 36, inmodule from ipapython.version import API_VERSION File /usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279/ipapython/versio n. py, line 25, inmodule NUM_VERSION=200 NameError: name '__NUM_VERSION__' is not defined make[1]: *** [version-update] Error 1 make[1]: Leaving directory `/usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279' error: Bad exit status from /var/tmp/rpm-tmp.315pIJ (%build) RPM build errors: Bad exit status from /var/tmp/rpm-tmp.315pIJ (%build) make: *** [rpms] Error 1 This error is unrelated though I'm unsure what is broken. The first thing the build should do is run the version-update target which will do substitutions in ipapython/version.py.in into ipapython/version.py. It seems that didn't happen or is otherwise broke. Can you see if version-update is being called by make? rob Thank you for catching that Rob! This was unrelated. Did a full remove and a new clone. Patch works correctly. ACK ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] admiyo-0154-declarative-defintions
On 1/20/2011 11:10 PM, Adam Young wrote:
If you ACK, please don't push, but let me do so, as it will likely
conflict with other UI work.
There is no major issues, just some comments:
1. The declarative definition is a bit inconsistent. Some methods like
association() takes a spec, but other methods like facet() takes an
object instance.
association({
'name': 'netgroup',
'associator': 'serial'
}).
facet(
IPA.search_facet({
'name': 'search',
'label': 'Search'
}).
2. The diff tool uses the first line of the function to mark the chunks
like this:
@@ -593,10 +593,7 @@ IPA.permission = function () {
Having a function name in the first line would make it easier to read.
Compare this definition:
IPA.permission = function () {
with this definition:
IPA.register_entity(function () {
3. The following lines (webui.js:128-133):
IPA.start_entities();
for (var i=0; iIPA.entities.length; i++) {
var entity = IPA.entities[i];
entity.init();
}
probably could be combined into a single method:
IPA.init_entities();
I think this method name will make more sense.
4. Entity's init_dialogs() probably could be merged into entity.init().
5. The entity_factories is probably better be named entity_classes.
Factory is usually an object that creates multiple other objects. The
entity 'factory' is really the entity class which is only instantiated once.
6. Typo on search.js:258:
spec.label = spec.lable || IPA.messages.facets.search;
--
Endi S. Dewata
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 0067 Fix dns_is_enabled command
Stupid typos broke it. Simo. -- Simo Sorce * Red Hat, Inc * New York From 52f887b2203baa649b9c259df7f902ebd2ecbbde Mon Sep 17 00:00:00 2001 From: Simo Sorce sso...@redhat.com Date: Thu, 20 Jan 2011 15:42:50 -0500 Subject: [PATCH] Fix dns_is_enabled command --- ipalib/plugins/dns.py |6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index e1d9ce66876b62fce1dc8e6a9ab92d3d219c311a..6d2109741b92da70e3075b1c353d5a5084c02b56 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py @@ -624,7 +624,7 @@ class dns_is_enabled(Command): INTERNAL = True has_output = output.standard_value -base_dn = 'cn=master,cn=ipa,cn=etc,%s' % api.env.basedn +base_dn = 'cn=masters,cn=ipa,cn=etc,%s' % api.env.basedn filter = '((objectClass=ipaConfigObject)(cn=DNS))' def execute(self, *args, **options): @@ -632,8 +632,8 @@ class dns_is_enabled(Command): dns_enabled = False try: -ent = ldap.find_entries(filter=filter, base_dn=base_dn) -if len(e): +ent = ldap.find_entries(filter=self.filter, base_dn=self.base_dn) +if len(ent): dns_enabled = True except Exception, e: pass -- 1.7.3.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0065 Use ldapi with krb5kdc
On Thu, 20 Jan 2011 19:24:59 + JR Aquino jr.aqu...@citrix.com wrote: Patch works correctly. ACK thanks, pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0002-Main-UI-migration-and-html-Style-updates 0003-deleteing-migration-css
On 01/20/2011 04:22 PM, Kyle Baker wrote: UI Style Changes ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ACK In general, with a couple minor caveats: This duplicates the Font files and the jquery-ui assets. We can fix that by using relative URLs. I can fix that, squash these two, and push. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 039 Delete the whole DNS record with no parameters
Jakub Hrozek wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, as discussed in https://bugzilla.redhat.com/show_bug.cgi?id=671019 to delete a DNS RR one has to remove its record types one by one. This patch modifies the behaviour so that if the user runs dnsrecord-del zone record-name with no other parameters, the whole record is removed. Alternative solutions might be to expose the internal command that is able to delete the record (although I think it is counterintuitive to have one command to remove record types and one for the whole record) or have a special flag (--del-all?) to remove the whole record. The patch also fixes the unit tests as they didn't reflect all the recent changes. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk04Ml4ACgkQHsardTLnvCWk3wCZAYEuhUBs3dX5RkBiCvsD/Iev VcgAoJzk5cCgzmhityA56g830wNnkaxE =f60L -END PGP SIGNATURE- Going with this patch sounds good, but to make sure, I polled several people here, and they all seemed to think that having to add a --del-all or --del-record flag at the end would be better as it would be less prone to failure where admins would accidentally delete a entire record because they didn't specify anything after the zone record So, maybe we do need a --del-all or --del-record operator. Michael- ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 685 basic filter tests for acis
An aci can take a filter as a target. This adds some bare minimum
validation to it. It disallows empty filters and executes a search with
the filter to see if it is at least well-formed (doesn't mean it will do
what the user expects).
Note that some odd looking things are actually valid search filters such
as 'cn' and 'cn='.
ticket 808
rob
From 1d9c60cfa63f12c57abb1d0e4767cf5b37cb0ebc Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Thu, 20 Jan 2011 16:35:34 -0500
Subject: [PATCH] Add some basic filter validation to permissions and disallow empty filters
Try a query with a filter to see if it is at least legal. This doesn't
guarantee that the filter is at all otherwise sane.
ticket 808
---
ipalib/errors.py | 16
ipalib/plugins/aci.py | 18 ++
ipaserver/plugins/ldap2.py |2 ++
3 files changed, 32 insertions(+), 4 deletions(-)
diff --git a/ipalib/errors.py b/ipalib/errors.py
index 2250190..faa9e81 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -1347,6 +1347,22 @@ class InvalidSyntax(ExecutionError):
format = _('%(attr)s: Invalid syntax.')
+class BadSearchFilter(ExecutionError):
+
+**4209** Raised when an invalid LDAP search filter is used
+
+For example:
+
+ raise BadSearchFilter(info='')
+Traceback (most recent call last):
+ ...
+BadSearchFilter: Bad search filter
+
+
+errno = 4209
+format = _('Bad search filter %(info)s')
+
+
class CertificateError(ExecutionError):
**4300** Base class for Certificate execution errors (*4300 - 4399*).
diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py
index 1cdc28f..7f9b0f2 100644
--- a/ipalib/plugins/aci.py
+++ b/ipalib/plugins/aci.py
@@ -163,7 +163,7 @@ aci_output = (
-def _make_aci(current, aciname, kw):
+def _make_aci(ldap, current, aciname, kw):
Given a name and a set of keywords construct an ACI.
@@ -222,6 +222,16 @@ def _make_aci(current, aciname, kw):
entry_attrs = api.Command['group_show'](kw['memberof'])['result']
a.set_target_filter('memberOf=%s' % entry_attrs['dn'])
if 'filter' in kw:
+# Test the filter by performing a simple search on it. The
+# filter is considered valid if either it returns some entries
+# or it returns no entries, otherwise we let whatever exception
+# happened be raised.
+if kw['filter'] in ('', None, u''):
+raise errors.BadSearchFilter(info=_('empty filter'))
+try:
+entries = ldap.find_entries(filter=kw['filter'])
+except errors.NotFound:
+pass
a.set_target_filter(kw['filter'])
if 'type' in kw:
target = _type_map[kw['type']]
@@ -440,7 +450,7 @@ class aci_add(crud.Create):
assert 'aciname' not in kw
ldap = self.api.Backend.ldap2
-newaci = _make_aci(None, aciname, kw)
+newaci = _make_aci(ldap, None, aciname, kw)
(dn, entry_attrs) = ldap.get_entry(self.api.env.basedn, ['aci'])
@@ -544,7 +554,7 @@ class aci_mod(crud.Update):
# _make_aci is what is run in aci_add and validates the input.
# Do this before we delete the existing ACI.
-newaci = _make_aci(None, aciname, newkw)
+newaci = _make_aci(ldap, None, aciname, newkw)
if aci.isequal(newaci):
raise errors.EmptyModlist()
@@ -821,7 +831,7 @@ class aci_rename(crud.Update):
# _make_aci is what is run in aci_add and validates the input.
# Do this before we delete the existing ACI.
-newaci = _make_aci(None, kw['newname'], newkw)
+newaci = _make_aci(ldap, None, kw['newname'], newkw)
self.api.Command['aci_del'](aciname)
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index e2c83d9..86ea3f8 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -108,6 +108,8 @@ def _handle_errors(e, **kw):
raise errors.LimitsExceeded()
except _ldap.NOT_ALLOWED_ON_RDN:
raise errors.NotAllowedOnRDN(attr=info)
+except _ldap.FILTER_ERROR:
+raise errors.BadSearchFilter(info=info)
except _ldap.SUCCESS:
pass
except _ldap.LDAPError, e:
--
1.7.3.4
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 039 Delete the whole DNS record with no parameters
Michael Gregg wrote: Jakub Hrozek wrote: Hi, as discussed in https://bugzilla.redhat.com/show_bug.cgi?id=671019 to delete a DNS RR one has to remove its record types one by one. This patch modifies the behaviour so that if the user runs dnsrecord-del zone record-name with no other parameters, the whole record is removed. Alternative solutions might be to expose the internal command that is able to delete the record (although I think it is counterintuitive to have one command to remove record types and one for the whole record) or have a special flag (--del-all?) to remove the whole record. The patch also fixes the unit tests as they didn't reflect all the recent changes. Going with this patch sounds good, but to make sure, I polled several people here, and they all seemed to think that having to add a --del-all or --del-record flag at the end would be better as it would be less prone to failure where admins would accidentally delete a entire record because they didn't specify anything after the zone record So, maybe we do need a --del-all or --del-record operator. Agree. Michael- ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 039 Delete the whole DNS record with no parameters
On Thu, 20 Jan 2011 17:27:37 -0500 Dmitri Pal d...@redhat.com wrote: Michael Gregg wrote: Jakub Hrozek wrote: Hi, as discussed in https://bugzilla.redhat.com/show_bug.cgi?id=671019 to delete a DNS RR one has to remove its record types one by one. This patch modifies the behaviour so that if the user runs dnsrecord-del zone record-name with no other parameters, the whole record is removed. Alternative solutions might be to expose the internal command that is able to delete the record (although I think it is counterintuitive to have one command to remove record types and one for the whole record) or have a special flag (--del-all?) to remove the whole record. The patch also fixes the unit tests as they didn't reflect all the recent changes. Going with this patch sounds good, but to make sure, I polled several people here, and they all seemed to think that having to add a --del-all or --del-record flag at the end would be better as it would be less prone to failure where admins would accidentally delete a entire record because they didn't specify anything after the zone record So, maybe we do need a --del-all or --del-record operator. Agree. +1 Someone may simply push enter accidentally while checking what to write after the command. It would be rather unfortunate. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
