[Freeipa-devel] [PATCH] Fixed permission lookup

2011-01-27 Thread Jan Zelený
Lookup based on --filter wasn't implemented at all. It didn't show until
now, because of bug sitting on top of it which was resulting in internal
error. This patch fixes the bug and adds the filtering functionality.

https://fedorahosted.org/freeipa/ticket/818

-- 
Thank you
Jan Zeleny

Red Hat Software Engineer
Brno, Czech Republic
From 4e5cea38d40d75dea0042701a28d235ec60c878b Mon Sep 17 00:00:00 2001
From: Jan Zeleny jzel...@redhat.com
Date: Thu, 27 Jan 2011 05:11:28 -0500
Subject: [PATCH] Fixed permission lookup

Lookup based on --filter wasn't implemented at all. It didn't show until
now, because of bug sitting on top of it which was resulting in internal
error. This patch fixes the bug and adds the filtering functionality.

https://fedorahosted.org/freeipa/ticket/818
---
 ipalib/plugins/baseldap.py   |   10 --
 ipalib/plugins/permission.py |   22 ++
 2 files changed, 14 insertions(+), 18 deletions(-)

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index b20d96012e0dc7f91209a3623d8ad90cd023e006..6d58eb97742a29a584d97913fc26c4ccf5d4c349 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -1372,11 +1372,9 @@ class LDAPSearch(CallbackInterface, crud.Search):
 
 for callback in self.POST_CALLBACKS:
 if hasattr(callback, 'im_self'):
-more = callback(ldap, entries, truncated, *args, **options)
+callback(ldap, entries, truncated, *args, **options)
 else:
-more = callback(self, ldap, entries, truncated, *args, **options)
-if more:
-entries = entries + more
+callback(self, ldap, entries, truncated, *args, **options)
 
 if not options.get('raw', False):
 for e in entries:
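Review bot: Dropping `more` in the `self.POST_CALLBACKS` loop silently discards whatever a post callback returns, so a plugin that still adds results by returning a list loses them without any error. Either keep merging a non-empty return value for a transition period, or check every `post_callback` override in the tree and convert the ones that return additions in the same patch.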
@@ -1392,8 +1390,8 @@ class LDAPSearch(CallbackInterface, crud.Search):
 truncated=truncated,
 )
 
-def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, **options):
-return (filter, base_dn, scope)
+def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options):
+return (filters, base_dn, scope)
 
 def post_callback(self, ldap, entries, truncated, *args, **options):
 return []
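Review bot: The default `post_callback` at the end of this hunk still ends in `return []`, although the loop changed earlier in this patch no longer reads the return value. Change it to `pass` so the base class shows the contract that subclasses are expected to follow. The `filter` to `filters` rename in `pre_callback` is also not mentioned in the commit message and deserves a line there.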
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index 0c2855ff5c181a56455bb9b180b6f22472ce8fa4..1cbdd449763d8fafee0c5bd94669f5a7bb11f3bb 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -319,33 +319,33 @@ class permission_find(LDAPSearch):
 )
 
 def post_callback(self, ldap, entries, truncated, *args, **options):
-newentries = []
 for entry in entries:
 (dn, attrs) = entry
 try:
-aci = self.api.Command.aci_show(attrs['cn'][0], aciprefix=ACI_PREFIX)['result']
-
-# copy information from respective ACI to permission entry
+aci = self.api.Command.aci_show(attrs['description'][0])['result']
 for attr in self.obj.aci_attributes:
 if attr in aci:
 attrs[attr] = aci[attr]
 except errors.NotFound:
-self.debug('ACI not found for %s' % attrs['cn'][0])
+self.debug('ACI not found for %s' % attrs['description'][0])
 
 # Now find all the ACIs that match. Once we find them, add any that
 # aren't already in the list along with their permission info.
-options['aciprefix'] = ACI_PREFIX
-
 aciresults = self.api.Command.aci_find(*args, **options)
 truncated = truncated or aciresults['truncated']
 results = aciresults['result']
-
+if 'filter' in options and not options['filter'].startswith('('):
+options['filter'] = unicode('('+options['filter']+')')
 for aci in results:
+if 'filter' in options:
+if 'filter' not in aci or not aci['filter'] or\
+aci['filter'] != options['filter']:
+continue
 found = False
 if 'permission' in aci:
 for entry in entries:
 (dn, attrs) = entry
-if aci['permission'] == attrs['cn'][0]:
+if aci['permission'] == attrs['cn']:
 found = True
 break
 if not found:
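Review bot: The `aciprefix=ACI_PREFIX` argument to `aci_show` and the `options['aciprefix'] = ACI_PREFIX` line are both removed here, so `aci_find` is called without a prefix; if the ACI plugin requires one, every lookup fails, and these removals look unrelated to the `--filter` fix described in the commit message. Separately, `aci['permission'] == attrs['cn']` drops the `[0]` that the old line had, so unless `cn` is a plain string at this point the comparison cannot succeed and `found` stays False for permissions that are already in `entries`.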
@@ -357,9 +357,7 @@ class permission_find(LDAPSearch):
 dn = attrs['dn']
 del attrs['dn']
 if (dn, attrs) not in entries:
-newentries.append((dn, attrs))
-
-return newentries
+entries.append((dn, attrs))
 
 api.register(permission_find)
 
-- 
1.7.3.4

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0074 Add requires

2011-01-27 Thread Jan Zelený
Simo Sorce sso...@redhat.com wrote:
 First part of ticket #855
 
 Add the requires we will need on F15, tested against jdennis ipa-devel
 repo, works as expected.
 
 Simo.

The patch is obviously ok, so ack from this point of view. But I would just 
like to know if it is necessary. I just inspected F15 pki-ca package from 
nightly repo - it does Require pki-ca-theme = 9.0.0 (which is provided by 
dogtag-pki-ca-theme) and we will be requiring pki-ca. I suspect similar 
situation will be for dogtag-pki-common-theme. So I don't see why we should 
explicitly Require both packages ourselves.

Thanks in advance for explanation
Jan



Re: [Freeipa-devel] [PATCH] 0075 handle weird values in nolog

2011-01-27 Thread Jan Zelený
Simo Sorce sso...@redhat.com wrote:
 When using ipa-replica-manage re-initialize with GSSAPI credentials it
 turns out that the DN password may be set to None and this can end up in
 the nolog list.
 
 Add a check to skip any non-string object in the log substitution list,
 so that the code doesn't freak out on None objects.
 
 Ticket #856
 
 Simo.


Ack,
but only a code inspection performed, since I'm not sure how to test it 
exactly.

Jan



Re: [Freeipa-devel] [PATCH] Changed dns permission types

2011-01-27 Thread Jan Zelený
Jan Zelený jzel...@redhat.com wrote:
 Jan Zelený jzel...@redhat.com wrote:
  Rob Crittenden rcrit...@redhat.com wrote:
   Jan Zelený wrote:
Rob Crittenden rcrit...@redhat.com wrote:
Jan Zelený wrote:
Recent change of DNS module to version caused that dns object type
was replaced by dnszone and dnsrecord. This patch corrects dns
types in permissions class.

https://fedorahosted.org/freeipa/ticket/646

Nack. These values need to be added as valid types to the aci plugin
and the _type_map needs to be updated.

rob

I'm sending an updated patch.

Jan
   
   Since dnszone and dnsrecord point to the same kind of entry what is the
   point of having two separate names for them? When we read the entry we
   aren't going to be able to differentiate between the two.
  
  I didn't take a look how the type thing works, so I'm kinda guessing here
  (please ignore the comment if it is wrong):
  Sure, object with idnszone class is always also in dnsrecord class, but
  that's not the case backwards (idnsrecord object isn't always idnszone) -
  so I think it is possible to set different ACIs for these two types.
  
   Can the type be made more specific?
  
  If the mapping doesn't distinguish object classes and it can, maybe
  that's the answer. Will investigate further. But if not, I still think
  this is the way to go considering the underlying issue which we tried to
  solve by this change.
 
 From what I found I think that making changes necessary to distinguish
 dnsrecord and dnszone are not worth it, especially that user can use
 filter for that purpose. Since having both of them doesn't have any
 additional value, I'm sending new version of the patch, which is only
 adding dnsrecord type.
 
 Jan

Just a small reminder that this patch is ready to be re-reviewed.

Thanks
Jan



Re: [Freeipa-devel] [PATCH] Fixed permission lookup

2011-01-27 Thread Martin Kosek
On Thu, 2011-01-27 at 11:15 +0100, Jan Zelený wrote:
 Lookup based on --filter wasn't implemented at all. It didn't show until
 now, because of bug sitting on top of it which was resulting in internal
 error. This patch fixes the bug and adds the filtering functionality.
 
 https://fedorahosted.org/freeipa/ticket/818
 

NACK

Did you build this patch on current master? Because in your patch, you
removed changes in permission-find from my previous patch 017 ACI
plugin supports prefixes. After your patch, permission-find fails:

$ ipa permission-find
ipa: ERROR: 'aciprefix' is required

Martin


Re: [Freeipa-devel] [PATCH] Fixed permission lookup

2011-01-27 Thread Jan Zelený
Martin Kosek mko...@redhat.com wrote:
 On Thu, 2011-01-27 at 11:15 +0100, Jan Zelený wrote:
  Lookup based on --filter wasn't implemented at all. It didn't show until
  now, because of bug sitting on top of it which was resulting in internal
  error. This patch fixes the bug and adds the filtering functionality.
  
  https://fedorahosted.org/freeipa/ticket/818
 
 NACK
 
 Did you build this patch on current master? Because in your patch, you
 removed changes in permission-find from my previous patch 017 ACI
 plugin supports prefixes. After your patch, permission-find fails:
 
 $ ipa permission-find
 ipa: ERROR: 'aciprefix' is required
 
 Martin

Sorry, I accidentally mixed the code with a part of the older one. Sending 
corrected patch.

Jan
From 717e995250193667cc98b5f16d347dbbeff2802c Mon Sep 17 00:00:00 2001
From: Jan Zeleny jzel...@redhat.com
Date: Thu, 27 Jan 2011 05:11:28 -0500
Subject: [PATCH] Fixed permission lookup

Lookup based on --filter wasn't implemented at all. It didn't show until
now, because of bug sitting on top of it which was resulting in internal
error. This patch fixes the bug and adds the filtering functionality.

https://fedorahosted.org/freeipa/ticket/818
---
 ipalib/plugins/baseldap.py   |   12 +---
 ipalib/plugins/permission.py |   11 +++
 2 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index b20d96012e0dc7f91209a3623d8ad90cd023e006..d25deb5270ee2b79c2229e9265fa11c3ccca8b17 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -1372,11 +1372,9 @@ class LDAPSearch(CallbackInterface, crud.Search):
 
 for callback in self.POST_CALLBACKS:
 if hasattr(callback, 'im_self'):
-more = callback(ldap, entries, truncated, *args, **options)
+callback(ldap, entries, truncated, *args, **options)
 else:
-more = callback(self, ldap, entries, truncated, *args, **options)
-if more:
-entries = entries + more
+callback(self, ldap, entries, truncated, *args, **options)
 
 if not options.get('raw', False):
 for e in entries:
@@ -1392,11 +1390,11 @@ class LDAPSearch(CallbackInterface, crud.Search):
 truncated=truncated,
 )
 
-def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, **options):
-return (filter, base_dn, scope)
+def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options):
+return (filters, base_dn, scope)
 
 def post_callback(self, ldap, entries, truncated, *args, **options):
-return []
+pass
 
 def exc_callback(self, args, options, exc, call_func, *call_args, **call_kwargs):
 raise exc
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index 0c2855ff5c181a56455bb9b180b6f22472ce8fa4..212a0469b55d19d76030f6384458943d5b8a19a6 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -319,7 +319,6 @@ class permission_find(LDAPSearch):
 )
 
 def post_callback(self, ldap, entries, truncated, *args, **options):
-newentries = []
 for entry in entries:
 (dn, attrs) = entry
 try:
@@ -340,7 +339,13 @@ class permission_find(LDAPSearch):
 truncated = truncated or aciresults['truncated']
 results = aciresults['result']
 
+if 'filter' in options and not options['filter'].startswith('('):
+options['filter'] = unicode('('+options['filter']+')')
 for aci in results:
+if 'filter' in options:
+if 'filter' not in aci or not aci['filter'] or\
+aci['filter'] != options['filter']:
+continue
 found = False
 if 'permission' in aci:
 for entry in entries:
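Review bot: The new `--filter` check is an exact string comparison (`aci['filter'] != options['filter']`), and the only normalisation is wrapping the option in parentheses when it does not start with `(`. A filter that differs from the stored one only in whitespace or attribute case is skipped, and an input such as `(a=b` is passed through unbalanced; normalise both sides the same way before comparing. The wrapping also rewrites `options['filter']` after `aciresults` has already been read, so it would be clearer on a local variable or above that call.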
@@ -357,9 +362,7 @@ class permission_find(LDAPSearch):
 dn = attrs['dn']
 del attrs['dn']
 if (dn, attrs) not in entries:
-newentries.append((dn, attrs))
-
-return newentries
+entries.append((dn, attrs))
 
 api.register(permission_find)
 
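Review bot: `if (dn, attrs) not in entries` followed by `entries.append((dn, attrs))` compares the whole tuple, attribute dict included, so the same DN with slightly different attributes is added as a second entry. Comparing on `dn` alone would make the de-duplication independent of which attributes were copied in from the ACI.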
-- 
1.7.3.4


Re: [Freeipa-devel] [PATCH] 039 Delete the whole DNS record with no parameters

2011-01-27 Thread Jakub Hrozek
On 01/26/2011 09:50 PM, Simo Sorce wrote:
 On Mon, 2011-01-24 at 15:51 +0100, Jakub Hrozek wrote:
 On 01/21/2011 05:54 PM, Rob Crittenden wrote:
 Jakub Hrozek wrote:
 On 01/20/2011 11:53 PM, Simo Sorce wrote:
 On Thu, 20 Jan 2011 17:27:37 -0500
 Dmitri Pal d...@redhat.com wrote:

 Michael Gregg wrote:
 Jakub Hrozek wrote:
 Hi,

 as discussed in https://bugzilla.redhat.com/show_bug.cgi?id=671019
 to delete a DNS RR one has to remove its record types one by one.

 This patch modifies the behaviour so that if the user runs
 dnsrecord-del zone record-name with no other parameters, the
 whole record is removed.

 Alternative solutions might be to expose the internal command that
 is able to delete the record (although I think it is
 counterintuitive to have one command to remove record types and one
 for the whole record) or have a special flag (--del-all?) to remove
 the whole record.

 The patch also fixes the unit tests as they didn't reflect all the
 recent changes.

 Going with this patch sounds good, but to make sure, I polled
 several
 people here, and they all seemed to think that having to add a
 --del-all or --del-record flag at the end would be better as it would
 be less prone to failure where admins would accidentally delete a
 entire record because they didn't specify anything after the zone
 record

 So, maybe we do need a --del-all or --del-record operator.

 Agree.

 +1
 Someone may simply push enter accidentally while checking what to write
 after the command. It would be rather unfortunate.

 Simo.



 Attached is a new version of the patch that implements --del-all. It
 also reports failure when deleting a nonexistent RR (new ticket 829).

 nack, this isn't working properly for me.

 Here is how I tested:

 - add a new zone, newzone1
 - ipa dnsrecord-add newzone1 as --a-rec 3.4.5.6
 - ipa dnsrecord-add newzone1 as
   Record name: as
   A record: 3.4.5.6
 - ipa dnsrecord-show newzone1 as
   Record name: as
   A record: 3.4.5.6
 - ipa dnsrecord-del newzone1 as --del-all
 [ no output ]
 - ipa dnsrecord-show newzone1 as
 ipa: ERROR: as: DNS resource record not found

 So a couple of problems:

 1. An error should have been thrown when I tried a delete without a
 specific record type.

 I agree but I was reluctant to do this because it was perfectly OK to
 call dnsrecord-add with no options. That would create an empty DNS
 record. The interface was orthogonal so dnsrecord-del with no options
 would remove the record if it was empty. But I don't think an empty DNS
 record makes any sense.

 I changed the behaviour such that:
 * dnsrecord-add with no attributes is no longer allowed. You have to
 specify at least one RR type.
 
 Apparently this is not effective, I was able to add an empty DNS
 record. 
 

Thanks for catching this. A fixed patch is attached.
From e9a0cb849681bb97e0dc5872f977b23a945e2736 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek jhro...@redhat.com
Date: Thu, 20 Jan 2011 07:54:14 -0500
Subject: [PATCH] Delete the whole DNS record with no parameters

Error out when deleting a nonexistent DNS record

Also fixes the DNS unit tests.

https://fedorahosted.org/freeipa/ticket/816
https://fedorahosted.org/freeipa/ticket/829
---
 API.txt  |3 +-
 ipalib/plugins/dns.py|   51 +++--
 tests/test_xmlrpc/test_dns_plugin.py |   38 ++---
 3 files changed, 70 insertions(+), 22 deletions(-)

diff --git a/API.txt b/API.txt
index 9717acc..c9a56f6 100644
--- a/API.txt
+++ b/API.txt
@@ -580,9 +580,10 @@ output: Output('summary', (type 'unicode', type 'NoneType'), 'User-friendly
 output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('value', type 'unicode', The primary_key value of the entry, e.g. 'jdoe' for a user)
 command: dnsrecord_del
-args: 2,41,3
+args: 2,42,3
 arg: Str('dnszoneidnsname', cli_name='dnszone', label=Gettext('Zone name', domain='ipa', localedir=None), query=True, required=True)
 arg: Str('idnsname', attribute=True, cli_name='name', label=Gettext('Record name', domain='ipa', localedir=None), multivalue=False, primary_key=True, query=True, required=True)
+option: Flag('del_all', autofill=True, default=False, label=Gettext('Delete all associated records', domain='ipa', localedir=None))
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui', flags=['no_output'])
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui', flags=['no_output'])
 option: Str('version?', 

Re: [Freeipa-devel] [PATCH] 0074 Add requires

2011-01-27 Thread Simo Sorce
On Thu, 2011-01-27 at 11:27 +0100, Jan Zelený wrote:
 Simo Sorce sso...@redhat.com wrote:
  First part of ticket #855
  
  Add the requires we will need on F15, tested against jdennis ipa-devel
  repo, works as expected.
  
  Simo.
 
 The patch is obviously ok, so ack from this point of view. But I would just 
 like to know if it is necessary. I just inspected F15 pki-ca package from 
 nightly repo - it does Require pki-ca-theme = 9.0.0 (which is provided by 
 dogtag-pki-ca-theme) and we will be requiring pki-ca. I suspect similar 
 situation will be for dogtag-pki-common-theme. So I don't see why we should 
 explicitly Require both packages ourselves.
 
 Thanks in advance for explanation

Sorry I don't know why they are needed I just implemented the ticket Rob
opened.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-devel] [PATCH] 0075 handle weird values in nolog

2011-01-27 Thread Simo Sorce
On Thu, 2011-01-27 at 11:43 +0100, Jan Zelený wrote:
 Simo Sorce sso...@redhat.com wrote:
  When using ipa-replica-manage re-initialize with GSSAPI credentials it
  turns out that the DN password may be set to None and this can end up in
  the nolog list.
  
  Add a check to skip any non-string object in the log substitution list,
  so that the code doesn't freak out on None objects.
  
  Ticket #856
  
  Simo.
 
 
 Ack,
 but only a code inspection performed, since I'm not sure how to test it 
 exactly.

If you want to test:
install replica, kinit admin, then run ipa-replica-manage re-initialize
--from other.master.com

W/o the patch it throws an error after it is done, w/ the patch it
terminates w/o errors.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-devel] [PATCH] 0074 Add requires

2011-01-27 Thread Simo Sorce
On Thu, 2011-01-27 at 11:27 +0100, Jan Zelený wrote:
 The patch is obviously ok, so ack from this point of view.

Pushed to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-devel] [PATCH] 0075 handle weird values in nolog

2011-01-27 Thread Simo Sorce
On Thu, 2011-01-27 at 11:43 +0100, Jan Zelený wrote:
 
 Ack,
 but only a code inspection performed, since I'm not sure how to test
 it 
 exactly.

Pushed to master (I tested it extensively).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-devel] [PATCH] Fixed permission lookup

2011-01-27 Thread Jan Zelený
Rob Crittenden rcrit...@redhat.com wrote:
 Jan Zelený wrote:
  Martin Kosek mko...@redhat.com wrote:
  On Thu, 2011-01-27 at 11:15 +0100, Jan Zelený wrote:
  Lookup based on --filter wasn't implemented at all. It didn't show until
  now, because of bug sitting on top of it which was resulting in
  internal error. This patch fixes the bug and adds the filtering
  functionality.
  
  https://fedorahosted.org/freeipa/ticket/818
  
  NACK
  
  Did you build this patch on current master? Because in your patch, you
  removed changes in permission-find from my previous patch 017 ACI
  plugin supports prefixes. After your patch, permission-find fails:
  
  $ ipa permission-find
  ipa: ERROR: 'aciprefix' is required
  
  Martin
  
  Sorry, I accidentally mixed the code with a part of the older one. Sending
  corrected patch.
  
  Jan
 
 I think the more stuff in baseldap.py:LDAPSearch() was there because
 adding entries in a post_callback wasn't working. It only let you reduce
 the number or modify what was already there IIRC.

From what I know, lists should allow you to expand them without any problems 
(not sure how is the concept called in Python, Pavel told me about it). Also I 
didn't encounter any problems with this approach (and the post callback 
actually adds some entries), that's why I changed it the way I did.

Jan
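
The in-place list behaviour discussed in this message, as an added example that is not part of the original thread or of FreeIPA: `run_post_callbacks` and the callback functions are hypothetical stand-ins for the patched `LDAPSearch` loop, which calls each post callback and ignores its return value.

```python
# Added illustration; run_post_callbacks and the callbacks are hypothetical
# stand-ins, not FreeIPA code. Entries are (dn, attrs) tuples as in the patch.

def run_post_callbacks(entries, callbacks):
    """Call each callback with the caller's list and ignore what it returns."""
    for callback in callbacks:
        callback(entries)
    return entries


def add_in_place(entries):
    # append() mutates the list object the caller holds: the entry is kept.
    entry = ('cn=extra,cn=permissions', {'cn': ['extra']})
    if entry not in entries:
        entries.append(entry)


def add_by_rebinding(entries):
    # "+" builds a new list and rebinds only the local name: the entry is lost.
    entries = entries + [('cn=lost,cn=permissions', {'cn': ['lost']})]


def add_by_returning(entries):
    # Old contract: return the additions. A loop that ignores returns drops them.
    return [('cn=returned,cn=permissions', {'cn': ['returned']})]


def drop_by_rebinding(entries, unwanted='extra'):
    # A filter written this way leaves the caller's list unfiltered.
    entries = [e for e in entries if e[1]['cn'][0] != unwanted]


def drop_in_place(entries, unwanted='extra'):
    # Slice assignment replaces the contents of the caller's list object.
    entries[:] = [e for e in entries if e[1]['cn'][0] != unwanted]


def names(entries):
    return [attrs['cn'][0] for (_dn, attrs) in entries]


def demo():
    """Return the entry names the caller sees after each callback style."""
    def start():
        # Constructed sample entry.
        return [('cn=orig,cn=permissions', {'cn': ['orig']})]
    return {
        'append': names(run_post_callbacks(start(), [add_in_place])),
        'rebind': names(run_post_callbacks(start(), [add_by_rebinding])),
        'return': names(run_post_callbacks(start(), [add_by_returning])),
        'filter_rebind': names(run_post_callbacks(
            start(), [add_in_place, drop_by_rebinding])),
        'filter_in_place': names(run_post_callbacks(
            start(), [add_in_place, drop_in_place])),
    }


if __name__ == '__main__':
    for style, seen in demo().items():
        print(style, seen)
```

Only the callbacks that mutate the list object itself change what the caller sees; the rebinding filter is the case to watch for in review, because results that should have been excluded are returned without any error.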


Re: [Freeipa-devel] [PATCH] 0074 Add requires

2011-01-27 Thread Dmitri Pal

On 01/27/2011 05:27 AM, Jan Zelený wrote:

Simo Sorce sso...@redhat.com wrote:

First part of ticket #855

Add the requires we will need on F15, tested against jdennis ipa-devel
repo, works as expected.

Simo.

The patch is obviously ok, so ack from this point of view. But I would just
like to know if it is necessary. I just inspected F15 pki-ca package from
nightly repo - it does Require pki-ca-theme= 9.0.0 (which is provided by
dogtag-pki-ca-theme) and we will be requiring pki-ca. I suspect similar
situation will be for dogtag-pki-common-theme. So I don't see why we should
explicitly Require both packages ourselves.



Have you seen the explanation that Matthew Harmsen put together about 
all the theme packages?

I do not know if this would make things cleaner.
I will send it off list.


Thanks in advance for explanation
Jan



[Freeipa-devel] [PATCH] 0076 Fix ipa init script

2011-01-27 Thread Simo Sorce
When I created ipa.init I did it initially by copying the dirsrv init
script.
Remove any remaining reference to the dirsrv stuff.

Ticket: #857

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From fc87f8d93bbd9dfeabd6301ef2b9ae7c67030703 Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Thu, 27 Jan 2011 11:39:24 -0500
Subject: [PATCH] Fix ipa init script to not depend on dirsrv init internals

Fixes: https://fedorahosted.org/freeipa/ticket/857
---
 ipa.init |   15 ---
 1 files changed, 4 insertions(+), 11 deletions(-)

diff --git a/ipa.init b/ipa.init
index 92c9f49185b3032f7dfda9d740546c4c882f9c76..b5a43c31942596c99ee4ef2d00385536cacb9052 100755
--- a/ipa.init
+++ b/ipa.init
@@ -1,12 +1,10 @@
 #!/bin/sh
 #
-# ipaThis starts and stops ipa
+# ipaThis starts and stops ipa controlled daemons
 #
 # chkconfig:   - 21 79
 # description: IPA Server
-# processname: /usr/sbin/ns-slapd
 # configdir:   /etc/ipa/
-# piddir:  /var/run/dirsrv
 #
 
 # Source function library.
@@ -25,19 +23,14 @@ then
 exit 0
 fi
 
-# Lockfile
-if [ -d /var/lock/subsys ] ; then
-lockfile=/var/lock/subsys/dirsrv
-else
-lockfile=/var/lock/dirsrv/lock
-fi
-
 case $1 in
 start|stop|restart|status)
 /usr/sbin/ipactl $1
 ;;
 condrestart)
-[ ! -f $lockfile ] || /usr/sbin/ipactl restart
+/sbin/service dirsrv status
+RETVAL=$?
+[ $RETVAL = 0 ]  /usr/sbin/ipactl restart
 ;;
 *)
 echo Usage: $0 {start|stop|status|restart|condrestart}
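Review bot: `condrestart` now calls `/sbin/service dirsrv status`, so the script still keys off dirsrv although the subject says it should not depend on dirsrv init internals, and that call prints its status text on every condrestart. Asking `/usr/sbin/ipactl status` (already reachable through the `start|stop|restart|status` branch) with its output redirected would match the intent. As the last added line reads here, nothing joins `[ $RETVAL = 0 ]` to `/usr/sbin/ipactl restart`; it needs `&&`, and `$1` and `$RETVAL` should be quoted.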
-- 
1.7.3.5


[Freeipa-devel] [PATCH] 042 Enforce that all NS records are resolvable

2011-01-27 Thread Jakub Hrozek
Bind cannot load a zone if any of its name server records is not
resolvable.

https://fedorahosted.org/freeipa/ticket/838
From e68b5d044902e12dde5d74077b431e5eb1524373 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek jhro...@redhat.com
Date: Thu, 27 Jan 2011 11:16:22 -0500
Subject: [PATCH] Enforce that all NS records are resolvable

Bind cannot load a zone if any of its name server records is not
resolvable.

https://fedorahosted.org/freeipa/ticket/838
---
 API.txt  |2 +
 ipalib/plugins/dns.py|   61 ++
 tests/test_xmlrpc/test_dns_plugin.py |   61 +-
 3 files changed, 123 insertions(+), 1 deletions(-)

diff --git a/API.txt b/API.txt
index 2f7016d..93ab0c8 100644
--- a/API.txt
+++ b/API.txt
@@ -717,6 +717,8 @@ option: Str('idnsupdatepolicy', attribute=True, cli_name='update_policy', label=
 option: Flag('idnsallowdynupdate', attribute=True, autofill=True, cli_name='allow_dynupdate', default=False, label=Gettext('Dynamic update', domain='ipa', localedir=None), multivalue=False, required=True)
 option: Str('addattr*', validate_add_attribute, cli_name='addattr', exclude='webui')
 option: Str('setattr*', validate_set_attribute, cli_name='setattr', exclude='webui')
+option: Flag('force', autofill=True, default=False,lag('force', autofill=True, default=False, doc=Gettext('force DNS zone even if name server not in DNS', domain='ipa', localedir=None))
+option: Str('ip_address?', _validate_ipaddr,tr('ip_address?', _validate_ipaddr, doc=Gettext('Add the nameserver to DNS with this IP address', domain='ipa', localedir=None))
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui', flags=['no_output'])
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui', flags=['no_output'])
 option: Str('version?', exclude='webui', flags=['no_option', 'no_output'])
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index 8c07a96..56c22cf 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -150,6 +150,24 @@ def has_cli_options(entry, no_option_msg):
 raise errors.OptionError(no_option_msg)
 return entry
 
+def is_ns_rec_resolvable(name):
+try:
+return api.Command['dns_resolve'](name)
+except errors.NotFound:
+raise errors.NotFound(reason=_('Nameserver \'%(host)s\' does not have a corresponding A/ record' % {'host':name}))
+
+def add_forward_record(zone, name, str_address):
+addr = netaddr.IPAddress(str_address)
+try:
+if addr.version == 4:
+api.Command['dnsrecord_add'](zone, name, arecord=str_address)
+elif addr.version == 6:
+api.Command['dnsrecord_add'](zone, name, record=str_address)
+else:
+raise ValueError('Invalid address family')
+except errors.EmptyModlist:
+pass # the entry already exists and matches
+
 def dns_container_exists(ldap):
 try:
 ldap.get_entry(api.env.container_dns, [])
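Review bot: In `is_ns_rec_resolvable` the `%` substitution is applied inside the `_()` call, so the already formatted string is what gets looked up for translation and it will not match a catalogue entry. Move the formatting outside the call, as in `_('...') % {'host': name}`.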
@@ -265,6 +283,15 @@ class dnszone_add(LDAPCreate):
 
 Create new DNS zone (SOA record).
 
+takes_options = LDAPCreate.takes_options + (
+Flag('force',
+ doc=_('force DNS zone even if name server not in DNS'),
+),
+Str('ip_address?', _validate_ipaddr,
+doc=_('Add the nameserver to DNS with this IP address'),
+),
+)
+
 def pre_callback(self, ldap, dn, entry_attrs, *keys, **options):
 if not dns_container_exists(self.api.Backend.ldap2):
 raise errors.NotFound(reason=_('DNS is not configured'))
@@ -274,13 +301,29 @@ class dnszone_add(LDAPCreate):
 entry_attrs.get('idnsallowdynupdate', False)
 ).upper()
 
+# Check nameserver has a forward record
 nameserver = entry_attrs['idnssoamname']
+
+if not 'ip_address' in options and not options['force']:
+is_ns_rec_resolvable(nameserver)
+
 if nameserver[-1] != '.':
 nameserver += '.'
+
 entry_attrs['nsrecord'] = nameserver
 entry_attrs['idnssoamname'] = nameserver
 return dn
 
+def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+if 'ip_address' in options:
+nameserver = entry_attrs['idnssoamname'][0][:-1] # ends with a dot
+nsparts = nameserver.split('.')
+add_forward_record('.'.join(nsparts[1:]),
+   nsparts[0],
+   options['ip_address'])
+
+return dn
+
 api.register(dnszone_add)
 
 
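Review bot: `post_callback` derives the zone for the forward record by splitting the name server's host name (`'.'.join(nsparts[1:])`) without checking that this zone exists, and it runs after the new zone has already been created. If `dnsrecord_add` fails there, the command errors out but the zone stays behind with an unresolvable NS record, which is the state this patch is meant to prevent; validate the target zone in `pre_callback` when `ip_address` is given. Also, `options['force']` is indexed directly while `ip_address` is tested with `in`; `options.get('force', False)` is safer for callers that do not autofill.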
@@ -467,6 +510,8 @@ class dnsrecord_mod_record(LDAPQuery, 

Re: [Freeipa-devel] [PATCH] admiyo-0166-declarative-for-aci

2011-01-27 Thread Adam Young

On 01/26/2011 04:18 PM, Adam Young wrote:

On 01/26/2011 04:14 PM, Kyle Baker wrote:

ACK

- Original Message -

Fixes https://fedorahosted.org/freeipa/ticket/772

Depends on freeipa-admiyo-0154-1-declarative-defintions.patch


Hold on that...this requires edewata to sign off on.


Rebased with changes from 154
From 678aa3e30804c7c80aaf8d1e4fb8e00fd2bae25b Mon Sep 17 00:00:00 2001
From: Adam Young ayo...@redhat.com
Date: Wed, 26 Jan 2011 13:46:49 -0500
Subject: [PATCH 1/3] declarative for aci

A couple of the ACI definitions were incorrect, and the end result was that fields were not getting initialized.  Using the declarative approach cleaned up the cause.

Also fixed a few broken unit tests
---
 install/ui/aci.js   |  340 ++-
 install/ui/serverconfig.js  |   34 ++--
 install/ui/test/details_tests.js|6 +-
 install/ui/test/entity_tests.js |   11 +-
 install/ui/test/navigation_tests.js |   10 +-
 5 files changed, 121 insertions(+), 280 deletions(-)

diff --git a/install/ui/aci.js b/install/ui/aci.js
index f7d7266f546c75ba5f20872999553b2d4a859cc0..1cc1611caac78163bc7ae88bc2f03426f91f58be 100644
--- a/install/ui/aci.js
+++ b/install/ui/aci.js
@@ -457,9 +457,6 @@ IPA.target_section = function () {
 appendTo(dl);
 }
 
-
-
-
 that.create = function(container) {
 var dl =  $('dl class=aci-target/').appendTo(container);
 display_filter_target(dl);
@@ -563,111 +560,35 @@ IPA.target_section = function () {
 
 IPA.entity_factories.permission = function () {
 
-var that = IPA.entity({
+return IPA.entity({
 'name': 'permission'
-});
-
-that.init = function() {
-
-var dialog = IPA.permission_add_dialog({
+}).add_dialog(
+IPA.add_dialog({
 name: 'add',
-title: 'Add New Permission',
-entity_name: 'permission'
-});
-that.add_dialog(dialog);
-dialog.init();
-
-var facet = IPA.permission_search_facet({
-name: 'search',
-label: 'Search'
-});
-that.add_facet(facet);
-
-facet = IPA.permission_details_facet();
-that.add_facet(facet);
-
-that.entity_init();
-};
-
-return that;
-};
-
-
-
-IPA.permission_add_dialog =  function (spec) {
-
-spec = spec || {};
-
-var that = IPA.add_dialog(spec);
-
-that.init = function() {
-
-that.add_field(IPA.text_widget({
-name: 'cn',
-undo: false
-}));
-
-that.add_field(IPA.text_widget({
-name: 'description',
-undo: false
-}));
-
-that.add_field(IPA.rights_widget({name:'permissions'}));
-that.add_field(IPA.hidden_widget({name:'filter','value':'objectClass=changethisvalue'}));
-that.add_dialog_init();
-};
-
-
-return that;
-};
-
-
-IPA.permission_search_facet =  function (spec) {
-
-spec = spec || {};
-var that = IPA.search_facet(spec);
-that.init = function() {
-that.create_column({name:'cn'});
-that.create_column({name:'description'});
-that.search_facet_init();
-};
-return that;
-};
-
-
-IPA.permission_details_facet = function () {
-
-var spec = {
-name: 'details'
-};
-var that = IPA.details_facet(spec);
-
-that.init = function() {
-
-var section = that.add_section(IPA.details_list_section({
-name:'identity',label:'Identity'  }));
-section.create_field({ name: 'cn', 'read_only': true });
-section.create_field({ name: 'description'});
-
-that.rights_section = IPA.rights_section();
-that.add_section(that.rights_section);
-
-that.target_section = IPA.target_section();
-
-that.add_section(that.target_section);
-that.details_facet_init();
-};
-
-that.superior_load = that.load;
-
-that.load = function(result) {
-that.superior_load(result);
-};
-
-that.superior_update = that.update;
-that.update = function(on_win, on_fail){
-that.superior_update(on_win, on_fail);
-};
+title: 'Add New Permission'
+}).
+field(IPA.text_widget({
+name: 'cn',
+undo: false
+})).
+field(IPA.text_widget({
+name: 'description',
+undo: false
+})).
+field(IPA.rights_widget({name:'permissions'})).
+field(IPA.hidden_widget(
+{name:'filter','value':'objectClass=changethisvalue'}))).
+facet(IPA.search_facet().
+  column({name:'cn'}).
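Review bot: the rewritten add dialog still carries the hidden 'filter' field with the placeholder value 'objectClass=changethisvalue' (the field(IPA.hidden_widget(...)) lines), so every permission created from this dialog is submitted with a target filter nobody chose. Since the dialog is being redefined here anyway, replace the placeholder with a real target input, or leave the field out so that a missing target is visible instead of being masked by a dummy filter. The new dialog spec also drops entity_name: 'permission'; confirm that add_dialog() on the entity sets it.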
+   

Re: [Freeipa-devel] [PATCH] admiyo-0169-reset-target-section

2011-01-27 Thread Adam Young

On 01/26/2011 04:52 PM, Adam Young wrote:



___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Rebased
From c37d4a2499281980c9a73034a91b012c8fc97fc5 Mon Sep 17 00:00:00 2001
From: Adam Young ayo...@redhat.com
Date: Wed, 26 Jan 2011 16:50:43 -0500
Subject: [PATCH 3/3] reset target section
 target section needed to cache results for use in results
 moved load logic into reset and load now calls reset

---
 install/ui/aci.js |9 ++---
 1 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/install/ui/aci.js b/install/ui/aci.js
index 1cc1611caac78163bc7ae88bc2f03426f91f58be..3bad384a2b80e3842395ba54004b2808928f28cf 100644
--- a/install/ui/aci.js
+++ b/install/ui/aci.js
@@ -494,6 +494,12 @@ IPA.target_section = function () {
 };
 
 that.load = function(result) {
+that.result = result;
+that.reset();
+};
+
+that.reset = function() {
+var result = that.result;
 if(result.subtree){
 $('#aci_query_text').val(result.subtree);
 $('#aci_by_query').click();
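Review bot: that.reset() now reads that.result and immediately dereferences result.subtree, but nothing in this hunk guarantees that load() has run first. If reset is reachable before the first load, result is undefined and the function throws; add a guard such as "if (!result) { return; }" at the top of reset.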
@@ -524,9 +530,6 @@ IPA.target_section = function () {
 }
 };
 
-that.reset = function() {
-};
-
 that.save = function (record){
 
 var record_type = $(input[name='type']:checked).attr('id');
-- 
1.7.3.5


Re: [Freeipa-devel] [PATCH] admiyo-0167-adding-label-for-RBAC

2011-01-27 Thread Adam Young

On 01/26/2011 04:14 PM, Kyle Baker wrote:

ACK

- Original Message -

Role Based Access control is supposed to be spelled out in the tabs.
An
earlier patch also broke the Title for the RBAC Action Panel. This
fixes both. Depends on all my previous patches


Rebased on top of 166
From 563ab17599c330ee792559455aa32c15afcd531f Mon Sep 17 00:00:00 2001
From: Adam Young ayo...@redhat.com
Date: Wed, 26 Jan 2011 14:24:41 -0500
Subject: [PATCH 2/3] adding label for RBAC

---
 install/ui/test/data/ipa_init.json |   55 
 install/ui/webui.js|3 +-
 ipalib/plugins/internal.py |3 +-
 3 files changed, 41 insertions(+), 20 deletions(-)

diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json
index 8fe28684d2640fb74f53b95d8c098624ac4e4f62..a4b9a0f79d6fda0b9f1edad5b79f333602bbb3b9 100644
--- a/install/ui/test/data/ipa_init.json
+++ b/install/ui/test/data/ipa_init.json
@@ -4544,7 +4544,7 @@
 type: tuple
 },
 {
-alwaysask: true,
+alwaysask: false,
 attribute: false,
 autofill: false,
 class: List,
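Review bot: the subject line says this patch adds a label for RBAC, yet this fixture hunk and the ones after it flip alwaysask from true to false and add the ask_create and ask_update flags on the ACI target parameters. Say in the commit message that ipa_init.json was regenerated and why these parameter flags changed, so the fixture churn can be told apart from the label change.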
@@ -4553,7 +4553,10 @@
 default: null,
 doc: Comma-separated list of attributes,
 exclude: null,
-flags: [],
+flags: [
+ask_create,
+ask_update
+],
 hint: null,
 include: null,
 label: Attributes,
@@ -4567,7 +4570,7 @@
 type: tuple
 },
 {
-alwaysask: true,
+alwaysask: false,
 attribute: false,
 autofill: false,
 class: StrEnum,
@@ -4576,7 +4579,10 @@
 default: null,
 doc: Type of IPA object (user, group, host, hostgroup, service, netgroup, dns),
 exclude: null,
-flags: [],
+flags: [
+ask_create,
+ask_update
+],
 hint: null,
 include: null,
 label: Type,
@@ -4597,7 +4603,7 @@
 ]
 },
 {
-alwaysask: true,
+alwaysask: false,
 attribute: false,
 autofill: false,
 class: Str,
@@ -4606,7 +4612,10 @@
 default: null,
 doc: Target members of a group,
 exclude: null,
-flags: [],
+flags: [
+ask_create,
+ask_update
+],
 hint: null,
 include: null,
 label: Member of group,
@@ -4623,7 +4632,7 @@
 type: unicode
 },
 {
-alwaysask: true,
+alwaysask: false,
 attribute: false,
 autofill: false,
 class: Str,
@@ -4632,7 +4641,10 @@
 default: null,
 doc: Legal LDAP filter (e.g. ou=Engineering),
 exclude: null,
-flags: [],
+flags: [
+ask_create,
+ask_update
+],
 hint: null,
 include: null,
 label: Filter,
@@ -4649,7 +4661,7 @@
 type: unicode
 },
 

Re: [Freeipa-devel] [PATCH] Add support for account unlocking

2011-01-27 Thread Rob Crittenden

Jan Zelený wrote:

Jan Zeleny jzel...@redhat.com wrote:

This patch adds command ipa user-unlock and some LDAP modifications
which are required by Kerberos for unlocking to work.

Ticket:
https://fedorahosted.org/freeipa/ticket/344

Jan


Just a reminder that this patch needs a review.

Thanks
Jan


This doesn't apply against master due to some changes to delegations. 
Can you rebase and set the aci name to 'permission:Unlock user accounts.


I did manage to test this and it works as expected, I just don't want to 
mangle the rebase.


rob



[Freeipa-devel] [PATCH] 0008-Adjusted-aci-s-target-feilds-adjusted-action-panel-s

2011-01-27 Thread Kyle Baker
From ec84d1de06ab1af5fdedc952695750efab4cd212 Mon Sep 17 00:00:00 2001
From: System Administrator r...@dhcp-100-3-211.bos.redhat.com
Date: Thu, 27 Jan 2011 15:05:16 -0500
Subject: [PATCH] Adjusted aci's target feilds, adjusted action panel styles, adjusted Delegation and Configuration.

---
 install/ui/caution.png |  Bin 438 - 496 bytes
 install/ui/check.png   |  Bin 3209 - 556 bytes
 install/ui/ipa.css |  115 +--
 3 files changed, 100 insertions(+), 15 deletions(-)
 mode change 100755 = 100644 install/ui/caution.png
 mode change 100755 = 100644 install/ui/check.png

diff --git a/install/ui/caution.png b/install/ui/caution.png
old mode 100755
new mode 100644
index ce7a68ad960852235b2cb4815cf502cc74939e85..162c96d679bd83dfd9d63aa500ec3539a989e626
GIT binary patch
delta 446

delta 387
zcmV-}0et@O1GWQ@83+Ra000s3Y`BpjCw~CIP)t-s($Bj3@)517is;lT_xJbY(JJ!Z
zEB^ch_2nV-0b0UF{`ME`}Ga^@D%@;I`Y{rl?u`QrWg2=d=r|Ns5)+CBXD+4bdo
z+1c6j7DlIilCi;ySJA9{PFPGG5GEm`trT=;AHUHH}Tz3r=*6driSqF@aN~}p?{x%
z)6)V@2l(BEA!$e^WZ7y=;-e5?*IP!@!Lu8+ClW=aQEw_2-54#OwScek^Y{{8jp
z*DLkrAouGU($doN;V1w9|CiLGF#rGnj7da6RCwA{$k!HvFc3x22|^Ge9Ti)^-g}P
z|NmD+6I9N_%v~EYk?Y9;@}I9|XmC($m!NNApC;_-u`}gZm!K05Tia9Y)PM!NvF
z9$UP4;7MqvriltfK96p5l!9@1~`@B;VuK`Vlu`mn#S+aYo!nn?lH_GaD14bYTMO
hGp@yqm7yiFaSa8C`ZubbGHBh002ovPDHLkV1o9x=D`2}

diff --git a/install/ui/check.png b/install/ui/check.png
old mode 100755
new mode 100644
index c3646db11272b689616ea1d3cba941fb582901c2..72a73c6c1bd35e76f82b92fd62af4ec79a99e7ca
GIT binary patch
delta 542

literal 3209
zcmV;440iL0P)h;3K|Lk000e1NJLTq000mG000gM0ssI2sZ9r9a7bBm000XU
z000XU0RWnu7ytkYPiaF#P*7-ZbZKLZ*U+Lqi~NaKm7Y-Iodc-oy)XH-+^7Crag
z^gIBfRsybQWXdwQbLP6pzAqfylh#{fb6;Z(vMMVS~$e@S=j*ftg6;UhiVD~V
zRPMtgQJLw%KPDaqifc@_vX$1wbwr9tn;0-j-K=43bUQ8j=JsX`tR;Dg7+#^K~H
zK!FM*Z~zbpvt%K2{UZSY_lS*DZ%Lz5oGu(+dayz)hRLFdTf59ghTmgWD0l;*T
zI7kC6aYYajzXpYKt=(8otP$50H6c_V9R4-;{Z@C0AMG7=FRxo%or10RUT+Ar%3j
zkpLhQWr#!oXgdI`sK^09Y^p6lP1rIRMx#05C~cW=H_Aw*bJ-5DTZ2n+x)QHX^p
z00esgV8|mQcmRZ%02D^@S3L16t`O%c004NIvOKvYIYoh62rY33S640`D9%Y2D-?i
z0%4j!F2Z@488U%158(66005wo6%pWr^Zj_v4zAA5HjcIqUoGmt2LBrVneh#Q1i
z007~1e$oCcFS8neI|hJl{-P!B1ZZ9hpmq0)X0i`JwE$+E?%_lS*MWK+n+1cgf
zk(8YLR(?VSAG6x!e78w{cQPuJpA|d;J)G{fihizM+Erb!p!tcr5w+a34~(Y=8s4G
zw+sLL9nJjNn*KJDiq^U5^;`1nvC-@r6P$!k}1U{(*I=Q-z@tBKHoI}uxdU5dyy@u
zU1J0GOD7Ombim^G008p4Z^6_k2m^pgW=D2|L;HjN1!DDfM!XOaR2~bL?kX$%CkSm
z2mk;?pn)o|K^yeJ7%adB9Ki+L!3+FgHiSYX#KJ-lLJDMn9CBbOtb#%)hRv`YDqt_v
zKpix|QD}yfa1JiQRk#j4a1Z)n2%fxynzVLC6RbVIkUx0b+_+BaR3cnT7Zv!AJxW
zizFb)h!jyGOOZ85F;a?DAXP{m@;!0_IfqEx{*7`05XF7hP+2Hl!3BQJ=6@fL%FCo
z8iYoo3(#bAF`ADSpqtQgvH8(HlgRxt7s3}k3K`kFu-2Q$QMFfPW!La{h336oX
zu_CMttHv6zR;ZNiS=X8v3CR#fknUxHUxJAYmRsNLWl*PS{AOARHt#5!wki2?K;t
z!Y3k=s7tgax)J%r7-BLphge7~Bi0g+6E6^Zh(p9TBoc{3GAFr^0!gu?RMHaCM$Fl
zBk3%un0uoBa_M6WNWeqIg~6QE69c9o#eyhGvpiOA@W-aonk7r1(?fC{oI5N*U!4
zuv66WtcKSRim0x-Ke2d5jBrmLam{;Qm;{ms1r1GnmNsb7D-E`t)i9F8fX`2_i3-_
zbh;7Ul^#x){xvS=|||7=mYe33=M`AgU5(xCfg=2N-7=cNnjjOr{yriy6mMFgG#l
znCF=fnQv8CDz++o6_Lscl}eQ+l^ZHARH?_s@|##Rr6KLRFA1%Q+=*RRWnoLsR`7U
zt5vFQ0r40Q)j6=sE4XsBct1qfbi3VB2Ov6t@q*0);U*o*SAPZv|vv@2aYYnT0
zb%8a+Cb7-ge0D0knEf5Qi#@8Tp*ce{N;6lpQuCB%KL_KOarm5cP6_8Ire17iry6O
zDdH`rZh~sF=bq9s+O0QSgS~@QL9Jmy*94xr=6y~MY~!1fet~(N+(=M`w@D1)b+p
z*;C!83a1uLJv#NSE~;y#8=IcfW3@?wFpwUVxrVZQdQz32KIeJ}k~{cZZE^+ya?
z2D1z#2HOnI7(B%_ac?{wFUQ;QQA1tBKtrWrm0_3Rgps+?Jfqb{jYbcQX~taRB;#$y
zZN{S}1|}gUOHJxc?wV3fxuz+mJ4`!F$IZ;mqRrNsHJd##*D~ju=bP7?-?v~|cvvB
zsJ6IeNwVZxrdjT`yl#bBIa#GxRa#xMMy;K#CDyyGyQdMSxlWT#tDe?p!?5wT$+oGt
z8L;Kp2HUQ-ZMJ=3XJQv;x5ci*?vuTfeY$;({XGW_huIFR9afJbF^|4I#xQ~n$Dc=
zKYhjYmgz5NSkDm8*fZm{6U!;YX`NG(?@3)XSs8O^N5RyOM=TTmp(3=8^+zpz2r)C
z^JO{deZfso3oq3?Wo(Y?l$ge?uXo;%ru`Vo?(8I_;8Eq#KMS9gFl*neeosSB

[Freeipa-devel] [PATCH]admiyo-0172-default-disable-delete

2011-01-27 Thread Adam Young

For ticket https://fedorahosted.org/freeipa/ticket/668
From 664d5f27c9aa8954674bcab9ea89029b9f73d70c Mon Sep 17 00:00:00 2001
From: Adam Young ayo...@redhat.com
Date: Thu, 27 Jan 2011 16:37:48 -0500
Subject: [PATCH 172/172] default disable delete

---
 install/ui/ipa.css   |   16 
 install/ui/search.js |   16 +++-
 2 files changed, 31 insertions(+), 1 deletions(-)

diff --git a/install/ui/ipa.css b/install/ui/ipa.css
index e3760f32ae583e25fc4bb84a7f12a6775264caba..6ba60dfff2a0e2568034d5d6ce6ca146dc11bcbc 100644
--- a/install/ui/ipa.css
+++ b/install/ui/ipa.css
@@ -43,6 +43,11 @@ body{
 cursor: pointer;
 }
 
+.input_link_disabled {
+cursor: default;
+color:black;
+}
+
 .input_link span.ui-icon {
 -moz-border-radius: 0.3em;
 border: 1px solid #B8B8B8;
@@ -52,6 +57,17 @@ body{
 top: 50%;
 }
 
+.input_link_disabled span.ui-icon {
+-moz-border-radius: 0.3em;
+border: 1px solid #B8B8B8;
+margin: -0.9em 0.4em 0em -0.3em;
+position: absolute;
+left: .2em;
+top: 50%;
+}
+
+
+
 .ipa-icon {
 	font-size: 0.7em;
 	padding-right: 0.3em;
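Review bot: the new '.input_link_disabled span.ui-icon' rule repeats the declarations visible for '.input_link span.ui-icon' just above it (-moz-border-radius, border, top). Use one rule with both selectors, '.input_link span.ui-icon, .input_link_disabled span.ui-icon', so the two states cannot drift apart, and drop the three blank lines added after it.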
diff --git a/install/ui/search.js b/install/ui/search.js
index b88de20a7c90e59f1bf56bd4aa64fc45ee32e013..20a6f51fc66251f8f8109da8286f8a3a6f935848 100644
--- a/install/ui/search.js
+++ b/install/ui/search.js
@@ -103,10 +103,12 @@ IPA.search_widget =  function (spec) {
 that.remove_button = IPA.action_button({
 'label': IPA.messages.button.remove,
 'icon': 'ui-icon-trash',
-'click': function() { that.remove(that.container); }
 });
+that.remove_button.addClass('input_link_disabled');
+
 button.replaceWith(that.remove_button);
 
+
 button = $('input[name=add]', search_buttons);
 that.add_button = IPA.action_button({
 'label': IPA.messages.button.add,
@@ -156,6 +158,18 @@ IPA.search_widget =  function (spec) {
 $('input', action_panel).val(null);
 
 }
+
+if(count === 0){
+var remove_button =  $('a[title=Delete]', action_panel);
+remove_button.addClass('input_link_disabled');
+remove_button.unbind('click');
+
+}else{
+var remove_button =  $('a[title=Delete]', action_panel);
+remove_button.click(function() { that.remove(that.container); });
+remove_button.removeClass('input_link_disabled');
+}
+
 return false;
 };
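Review bot: in the else branch, remove_button.click(...) adds another handler every time this callback runs with count above zero, and only the count === 0 branch calls unbind('click'). Repeated selections stack handlers, so one click on Delete calls that.remove(that.container) once per earlier pass; call unbind('click') before binding. Also reach the button through that.remove_button instead of $('a[title=Delete]', action_panel): the button is built with the label from IPA.messages.button.remove, so matching on a literal title ties the logic to one wording.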
 
-- 
1.7.3.5


Re: [Freeipa-devel] [PATCH] admiyo-0166-declarative-for-aci

2011-01-27 Thread Adam Young

On 01/27/2011 01:55 PM, Adam Young wrote:

On 01/26/2011 04:18 PM, Adam Young wrote:

On 01/26/2011 04:14 PM, Kyle Baker wrote:

ACK

- Original Message -

Fixes https://fedorahosted.org/freeipa/ticket/772

Depends on freeipa-admiyo-0154-1-declarative-defintions.patch


Hold on that...this requires edewata to sign off on.


Rebased with changes from 154



ACKed in IRC by edewata.  Pushed to master

Re: [Freeipa-devel] [PATCH] 0008-Adjusted-aci-s-target-feilds-adjusted-action-panel-s

2011-01-27 Thread Adam Young

On 01/27/2011 03:18 PM, Kyle Baker wrote:


ACK and pushed to master



Re: [Freeipa-devel] [PATCH] admiyo-0169-reset-target-section

2011-01-27 Thread Adam Young

On 01/27/2011 01:57 PM, Adam Young wrote:

On 01/26/2011 04:52 PM, Adam Young wrote:




Rebased



ACKed in IRC by edewata and pushed to master

Re: [Freeipa-devel] [PATCH] admiyo-0170-dirty

2011-01-27 Thread Adam Young

On 01/26/2011 10:03 PM, Adam Young wrote:

Depends on 154, 154, 166, 167, 169



ACKed in IRC by edewata and pushed to master

[Freeipa-devel] [PATCH] 693 changes from Fedora review

2011-01-27 Thread Rob Crittenden
I pushed this patch that contains specfile changes pointed out in the 
Fedora package review process.


rob
From 88e0d36d8ea341e4ac9a7733a66fae23917b07b2 Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Thu, 27 Jan 2011 17:02:24 -0500
Subject: [PATCH] Apply changes discovered in Fedora package review process (#672986)

Ticket 804
---
 freeipa.spec.in |   35 +++
 1 files changed, 19 insertions(+), 16 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 19b03f6..0940128 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -3,8 +3,12 @@
 
 %global httpd_conf /etc/httpd/conf.d
 %global plugin_dir %{_libdir}/dirsrv/plugins
-%{!?python_sitelib: %global python_sitelib %(%{__python} -c from distutils.sysconfig import get_python_lib; print get_python_lib())}
-%{!?python_sitearch: %global python_sitearch %(%{__python} -c from distutils.sysconfig import get_python_lib; print get_python_lib(1))}
+%if ! (0%{?fedora}  12 || 0%{?rhel}  5)
+%{!?python_sitelib: %global python_sitelib %(%{__python} -c from
+distutils.sysconfig import get_python_lib; print(get_python_lib()))}
+%{!?python_sitearch: %global python_sitearch %(%{__python} -c from
+distutils.sysconfig import get_python_lib; print(get_python_lib(1)))}
+%endif
 %global POLICYCOREUTILSVER 1.33.12-1
 %global gettext_domain ipa
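Review bot: the two added definitions of python_sitelib and python_sitearch are each split after 'from' onto a second line. If that break is in the spec file and not just mail wrapping, the string handed to %{__python} -c contains a newline between 'from' and 'distutils.sysconfig', which Python will not parse; keep each definition on one line as the removed lines had it.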
 
@@ -82,7 +86,6 @@ Requires: python-ldap
 Requires: python-krbV
 Requires: acl
 Requires: python-pyasn1 = 0.0.9a
-Requires: libcap
 Requires: selinux-policy
 Requires(post): selinux-policy-base
 Requires: slapi-nis = 0.21
@@ -91,7 +94,7 @@ Requires: pki-silent = 9.0.0
 Requires(preun):  python initscripts chkconfig
 Requires(postun): python initscripts chkconfig
 
-Obsoletes: ipa-server
+Obsoletes: ipa-server = 1.0
 
 %description server
 IPA is an integrated solution to provide centrally managed Identity (machine,
@@ -106,7 +109,9 @@ this package).
 Summary: SELinux rules for freeipa-server daemons
 Group: System Environment/Base
 Requires: %{name}-server = %{version}-%{release}
-Requires(pre): policycoreutils = %{POLICYCOREUTILSVER} libsemanage
+Requires(pre): policycoreutils = %{POLICYCOREUTILSVER}
+
+Obsoletes: ipa-server-selinux = 1.0
 
 %description server-selinux
 IPA is an integrated solution to provide centrally managed Identity (machine,
@@ -133,7 +138,7 @@ Requires: sssd = 1.2.1
 Requires: certmonger = 0.26
 Requires: nss-tools
 
-Obsoletes: ipa-client
+Obsoletes: ipa-client = 1.0
 
 %description client
 IPA is an integrated solution to provide centrally managed Identity (machine,
@@ -152,7 +157,7 @@ Requires: %{name}-client = %{version}-%{release}
 Requires: python-krbV
 Requires: python-ldap
 
-Obsoletes: ipa-admintools
+Obsoletes: ipa-admintools = 1.0
 
 %description admintools
 IPA is an integrated solution to provide centrally managed Identity (machine,
@@ -175,7 +180,7 @@ Requires: python-nss = 0.9-8
 Requires: python-lxml
 Requires: python-netaddr
 
-Obsoletes: ipa-python
+Obsoletes: ipa-python = 1.0
 
 %description python
 IPA is an integrated solution to provide centrally managed Identity (machine,
@@ -270,9 +275,6 @@ if [ $1 = 1 ]; then
 /sbin/chkconfig --add ipa
 /sbin/chkconfig --add ipa_kpasswd
 fi
-if [ -e /usr/share/ipa/serial ]; then
-mv /usr/share/ipa/serial /var/lib/ipa/ca_serialno
-fi
 /usr/sbin/ipa-upgradeconfig || :
 
 %preun server
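Review bot: this drops the %post step that moved /usr/share/ipa/serial to /var/lib/ipa/ca_serialno, and the commit message only refers to the Fedora package review. State which release last shipped the old path; if any upgrade path still starts from an install with the file under /usr/share/ipa, the serial file is left behind after this change.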
@@ -380,13 +382,10 @@ fi
 %config(noreplace) %{_sysconfdir}/ipa/html/ipa_error.css
 %config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html
 %config(noreplace) %{_sysconfdir}/ipa/html/browserconfig.html
-%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
 %{_usr}/share/ipa/ipa.conf
 %{_usr}/share/ipa/ipa-rewrite.conf
-#%dir %{_usr}/share/ipa/ipaserver
-#%{_usr}/share/ipa/ipaserver/*
 %dir %{_usr}/share/ipa/updates/
 %{_usr}/share/ipa/updates/*
 %attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
@@ -412,6 +411,7 @@ fi
 
 %files server-selinux
 %defattr(-,root,root,-)
+%doc COPYING README Contributors.txt
 %{_usr}/share/selinux/targeted/ipa_kpasswd.pp
 %{_usr}/share/selinux/targeted/ipa_httpd.pp
 %{_usr}/share/selinux/targeted/ipa_dogtag.pp
@@ -446,7 +446,7 @@ fi
 %{_sbindir}/ipa-compat-manage
 %{_sbindir}/ipa-nis-manage
 %{_sbindir}/ipa-host-net-manage
-%{_sysconfdir}/bash_completion.d
+%config %{_sysconfdir}/bash_completion.d
 %{_mandir}/man1/ipa.1.gz
 %{_mandir}/man1/ipa-compat-manage.1.gz
 %{_mandir}/man1/ipa-nis-manage.1.gz
@@ -467,9 +467,12 @@ fi
 %{python_sitelib}/freeipa-*.egg-info
 %{python_sitearch}/python_default_encoding-*.egg-info
 %endif
-%config(noreplace) %{_sysconfdir}/ipa/default.conf
+%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
 
 %changelog
+* Thu Jan 27 2011 Rob Crittenden rcrit...@redhat.com - 1.99-42
+- Apply changes 

[Freeipa-devel] [PATCH] 0077 Fix ipactl script to manage all instances

2011-01-27 Thread Simo Sorce

Ticket #860

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From 9a89ffcf05a59e92cec86f9a7b2b93f353ec2cb6 Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Thu, 27 Jan 2011 17:10:34 -0500
Subject: [PATCH] Make sure all DS instances are managed by ipactl

Fixes: https://fedorahosted.org/freeipa/ticket/860
---
 install/tools/ipactl |   38 ++
 1 files changed, 18 insertions(+), 20 deletions(-)

diff --git a/install/tools/ipactl b/install/tools/ipactl
index fc652c9754cf63e8d9d46a3b20866b94df3ab698..20b4a69b704c9004fa9aee40119bdd442a449166 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -85,11 +85,11 @@ def get_config():
 
 return svc_list
 
-def ipa_start(serverid):
+def ipa_start():
 
 try:
 print Starting Directory Service
-service.start('dirsrv', instance_name=serverid, capture_output=False)
+service.start('dirsrv', capture_output=False)
 except:
 emit_err(Failed to start Directory Service)
 return
@@ -100,7 +100,7 @@ def ipa_start(serverid):
 except:
 emit_err(Failed to read data from Directory Service)
 emit_err(Shutting down)
-service.stop('dirsrv', instance_name=serverid, capture_output=False)
+service.stop('dirsrv', capture_output=False)
 
 if len(svc_list) == 0:
 return
@@ -120,12 +120,12 @@ def ipa_start(serverid):
 except:
 pass
 try:
-service.stop('dirsrv', instance_name=serverid, capture_output=False)
+service.stop('dirsrv', capture_output=False)
 except:
 pass
 return
 
-def ipa_stop(serverid):
+def ipa_stop():
 
 svc_list = []
 try:
@@ -135,12 +135,12 @@ def ipa_stop(serverid):
 # and see if we can get anything. If not throw our hands up and just
 # exit
 try:
-service.start('dirsrv', instance_name=serverid, capture_output=False)
+service.start('dirsrv', capture_output=False)
 svc_list = get_config()
 except:
 emit_err(Failed to read data from Directory Service)
 emit_err(Shutting down)
-service.stop('dirsrv', instance_name=serverid, capture_output=False)
+service.stop('dirsrv', capture_output=False)
 
 if len(svc_list) == 0:
 return
@@ -155,16 +155,16 @@ def ipa_stop(serverid):
 
 try:
 print Stopping Directory Service
-service.stop('dirsrv', instance_name=serverid, capture_output=False)
+service.stop('dirsrv', capture_output=False)
 except:
 emit_err(Failed to stop Directory Service)
 return
 
 
-def ipa_restart(serverid):
+def ipa_restart():
 try:
 print Restarting Directory Service
-service.restart('dirsrv', instance_name=serverid, capture_output=False)
+service.restart('dirsrv', capture_output=False)
 except:
 emit_err(Failed to restart Directory Service)
 return
@@ -175,7 +175,7 @@ def ipa_restart(serverid):
 except:
 emit_err(Failed to read data from Directory Service)
 emit_err(Shutting down)
-service.stop('dirsrv', instance_name=serverid, capture_output=False)
+service.stop('dirsrv', capture_output=False)
 
 if len(svc_list) == 0:
 return
@@ -195,14 +195,14 @@ def ipa_restart(serverid):
 except:
 pass
 try:
-service.stop('dirsrv', instance_name=serverid, capture_output=False)
+service.stop('dirsrv', capture_output=False)
 except:
 pass
 return
 
-def ipa_status(serverid):
+def ipa_status():
 try:
-if service.is_running('dirsrv', instance_name=serverid):
+if service.is_running('dirsrv'):
 print Directory Service: RUNNING
 else:
 print Directory Service: STOPPED
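Review bot: service.is_running('dirsrv') without instance_name now gives a single answer for every DS instance on the host. Document, or check in the service helper, whether that answer is true when any instance is up or only when all are, because ipactl status can otherwise print RUNNING while the IPA instance itself is stopped.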
@@ -241,16 +241,14 @@ def main():
 api.bootstrap(context='cli', debug=options.debug)
 api.finalize()
 
-serverid = dsinstance.realm_to_serverid(api.env.realm)
-
 if args[0].lower() == start:
-ipa_start(serverid)
+ipa_start()
 elif args[0].lower() == stop:
-ipa_stop(serverid)
+ipa_stop()
 elif args[0].lower() == restart:
-ipa_restart(serverid)
+ipa_restart()
 elif args[0].lower() == status:
-ipa_status(serverid)
+ipa_status()
 
 try:
 if __name__ == __main__:
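Review bot: with the line 'serverid = dsinstance.realm_to_serverid(api.env.realm)' removed, check whether dsinstance is still used anywhere in ipactl and drop its import if it is not.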
-- 
1.7.3.5


Re: [Freeipa-devel] [PATCH] 0077 Fix ipactl script to manage all instances

2011-01-27 Thread Rob Crittenden

Simo Sorce wrote:


Ticket #860

Simo.



ack.



[Freeipa-devel] [PATCH] admiyo-0173-aci-rights-widget

2011-01-27 Thread Adam Young


From bfffe1930465ef7af23c1915e8c22719dc6751e0 Mon Sep 17 00:00:00 2001
From: Adam Young ayo...@redhat.com
Date: Thu, 27 Jan 2011 20:30:22 -0500
Subject: [PATCH] aci rights widget

Fixes is_dirty and save

https://fedorahosted.org/freeipa/ticket/77
https://fedorahosted.org/freeipa/ticket/667
---
 install/ui/aci.js |   40 +++-
 install/ui/ipa.js |8 +++-
 2 files changed, 38 insertions(+), 10 deletions(-)

diff --git a/install/ui/aci.js b/install/ui/aci.js
index 3bad384a2b80e3842395ba54004b2808928f28cf..3448b8f457d3bdf0a6a55898761f181a51722512 100644
--- a/install/ui/aci.js
+++ b/install/ui/aci.js
@@ -222,10 +222,40 @@ IPA.rights_widget = function(spec){
 };
 var values = [];
 
+function get_selector(){
+return  '.'+ that.entity_name +_+ that.name;
+}
+
+that.is_dirty = function(){
+
+var checkboxes = $(get_selector());
+var checked = {};
+
+checkboxes.each(function (){
+checked[this.id] = this.checked;
+});
+
+for (var i = 0; i  values.length; i +=1){
+var key = values[i];
+
+if ( !checked[key] ){
+return true;
+}
+checked[key] = false;
+}
+
+for (key in checked){
+if (checked[key] ){
+return true;
+}
+}
+
+return false;
+};
+
 that.reset = function(){
-var selector = '.'+ that.entity_name +_+ that.name;
 
-var checkboxes = $(selector);
+var checkboxes = $(get_selector());
 
 for (var i = 0; i  checkboxes.length; i +=1){
 checkboxes.attr('checked','');
@@ -233,7 +263,7 @@ IPA.rights_widget = function(spec){
 
 for (var j = 0; j  values.length; j +=1){
 var value = values[j];
-var cb = $('#'+value+ selector);
+var cb = $('#'+value+ get_selector());
 cb.attr('checked', 'checked');
 }
 
@@ -245,7 +275,7 @@ IPA.rights_widget = function(spec){
 };
 
 that.save = function(){
-var rights_input =  $('.'+ that.entity_name +_+ that.name);
+var rights_input =  $(get_selector()+:checked);
 var retval = ;
 for (var i =0; i  rights_input.length; i+=1){
 if (i  0) {
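Review bot: adding ':checked' to the selector in save changes which rights are sent to the server (before, every checkbox matching the class was collected, checked or not), but the diffstat touches only aci.js and ipa.js. Add a case to the UI tests that unchecks one right and asserts it is absent from the saved value, so this does not regress.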
@@ -592,7 +622,7 @@ IPA.entity_factories.permission = function () {
   input({ name: 'description'})).
   section(IPA.rights_section()).
   section(IPA.target_section()));
-return that;
+
 };
 
 
diff --git a/install/ui/ipa.js b/install/ui/ipa.js
index 128413b1e6b3e65d66062c7b3329cea399b0552b..a5ad6d0625f888a6bbdb4c808a8dbb81a88b264e 100644
--- a/install/ui/ipa.js
+++ b/install/ui/ipa.js
@@ -155,9 +155,7 @@ var IPA = ( function () {
 }
 }
 return true;
-}
-
-
+};
 
 that.show_page = function (entity_name, facet_name) {
 if (!IPA.test_dirty()){
@@ -170,19 +168,19 @@ var IPA = ( function () {
 };
 
 that.switch_and_show_page = function (this_entity,  facet_name, pkey) {
-
 if (!IPA.test_dirty()){
 return false;
 }
 
 if (!pkey){
 that.show_page(this_entity,  facet_name);
-return;
+return false;
 }
 var state = {};
 state[this_entity+'-pkey'] = pkey;
 state[this_entity + '-facet'] = facet_name;
 $.bbq.pushState(state);
+return true;
 };
 
 return that;
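Review bot: switch_and_show_page now returns false both when IPA.test_dirty() blocks the switch and when it delegates to that.show_page(...) for a missing pkey, so a caller cannot tell a refused navigation from a completed one. Return the delegate's result instead, 'return that.show_page(this_entity, facet_name);', and make sure show_page returns true on success.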
-- 
1.7.3.5


[Freeipa-devel] FreeIPA Logging (Not Auditing... yet)

2011-01-27 Thread JR Aquino
I have been working with the project for a while now and it has dawned on me 
that the FreeIPA ipalib plugins don't really have a syslog library that they 
output with.

So far I've really just been troubleshooting and getting around with:
/var/log/httpd/access_log
/var/log/httpd/error_log
/var/log/dirsrv/slapd-DOMAIN/access
/var/log/dirsrv/slapd-DOMAIN/error

This is useful, but it is verbose and doesn't quite capture the cli/webui 
interactions in 1 line.

[27/Jan/2011:17:46:59 -0800] conn=40 op=7 ADD 
dn=fqdn=test1.example.com,cn=computers,cn=accounts,dc=example,dc=com
[27/Jan/2011:17:46:59 -0800] conn=40 op=7 RESULT err=0 tag=105 nentries=0 
etime=0

Etc, etc, etc…

The cli does a good job of expressing itself to standard out when a command is 
successfully/unsuccessfully run.

I am wondering what the group thinks about the idea of a library that can be 
loaded either by the api or the plugin itself, to pass the relevant bits of 
data that end up going to standard out, into a format that would be sane to 
send to a syslog stream.

I'm thinking of something that shows: time/date authenticated_user plugin 
usage / modification

Something like:
kinit admin
ipa host-add test1.example.com

std out
---
Added host test1.example.com
---
  Host name: test1.example.com
  Principal name: host/test1.example@example.com
  Managed by: test1.example.com

syslog
Jan 26 17:46:45 auth1.example.com FreeIPA: user=admin cmd=host-add 
hostname=test1.example.com principal=host/test1.example@example.com 
managedby=test1.example.com

It feels like this should be fairly straightforward to address as a library 
at either the api level or at the plugin level. Python actually has a very 
competent syslog library; I helped to contribute the patch that brought TCP 
support.

What does everyone else think?

Am I thinking too simplistically? Is the output from standard out much more 
complex to lasso around? Is there a better approach to capturing the user input 
and interaction?

-JR
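
The one-line key=value record proposed in the message above, as an added Python example (not FreeIPA code and not part of the original post). The names format_audit_line, make_syslog_logger and SENSITIVE_KEYS, the redaction list and the syslog address are assumptions; the field names and the "FreeIPA:" tag follow the post's sample line.

```python
"""Added example: one audit line per IPA command, key=value as in the post."""
import logging
import logging.handlers
import re

# Assumption: option names whose values must never reach a log stream.
SENSITIVE_KEYS = frozenset({"password", "userpassword", "random_password"})

# Values made only of these characters are emitted bare, like the post's sample.
_BARE = re.compile(r"[A-Za-z0-9_.@/:,+-]+")


def _key(name):
    """Normalise a field name so it can never contain '=' or whitespace."""
    return re.sub(r"[^A-Za-z0-9_]", "_", str(name))


def _value(value):
    """Quote and escape a value so it cannot end the line or fake a field."""
    if isinstance(value, (list, tuple)):
        value = ",".join(str(v) for v in value)
    text = str(value)
    # fullmatch, not match with '$': '$' would accept a trailing newline.
    if _BARE.fullmatch(text):
        return text
    out = []
    for ch in text:
        if ch in ('"', "\\"):
            out.append("\\" + ch)
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append("\\x%02x" % ord(ch))  # CR, LF, TAB become visible text
        else:
            out.append(ch)
    return '"%s"' % "".join(out)


def format_audit_line(user, cmd, params):
    """Build 'user=... cmd=... key=value ...' from one command invocation.

    params keeps its insertion order; None values are skipped and values of
    sensitive options are replaced before they are formatted.
    """
    fields = [("user", user), ("cmd", cmd)]
    for name, value in params.items():
        if value is None:
            continue
        if str(name).lower() in SENSITIVE_KEYS:
            value = "REDACTED"
        fields.append((name, value))
    return " ".join("%s=%s" % (_key(k), _value(v)) for k, v in fields)


def make_syslog_logger(address=("localhost", 514)):
    """Return a logger that sends 'FreeIPA: <line>' to syslog over UDP.

    The address is an assumption; pass '/dev/log' for the local socket.
    """
    logger = logging.getLogger("freeipa-audit-example")
    if not logger.handlers:
        handler = logging.handlers.SysLogHandler(
            address=address,
            facility=logging.handlers.SysLogHandler.LOG_AUTHPRIV,
        )
        handler.setFormatter(logging.Formatter("FreeIPA: %(message)s"))
        logger.addHandler(handler)
        logger.setLevel(logging.INFO)
    return logger


if __name__ == "__main__":
    # Constructed sample calls; the first mirrors the post's host-add example.
    print(format_audit_line("admin", "host-add", {
        "hostname": "test1.example.com",
        "principal": "host/test1.example@example.com",
        "managedby": "test1.example.com",
    }))
    # A description carrying a newline and a forged record stays on one line.
    print(format_audit_line("admin", "host-mod", {
        "hostname": "test1.example.com",
        "description": "lab\nJan 26 17:46:45 auth1 FreeIPA: user=admin cmd=user-del",
    }))
    print(format_audit_line("admin", "user-mod", {
        "uid": "jdoe", "userpassword": "s3cret", "memberof": ["admins", "editors"],
    }))
```

Call make_syslog_logger().info(line) to ship a formatted line; the escaping matters because option values such as descriptions are user-controlled and would otherwise let one command write what looks like several log records.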



Re: [Freeipa-devel] [PATCH] 0015 block anonymous access to sudo info

2011-01-27 Thread Adam Young

On 01/27/2011 06:21 PM, JR Aquino wrote:

Aci patch to block anonymous access to sudo info
https://fedorahosted.org/freeipa/ticket/865




ACK Pushed to Master

Here's how I tested, in case you are concerned.  Without Patch applied, 
ran LDAP query and saw the SUDO Command I had just created
Applied patch, uninstalled and reinstalled, created SUDO Command and I 
did not see it in the LDAP query




Re: [Freeipa-devel] [PATCH] 0074 Add requires

2011-01-27 Thread Jan Zelený
Dmitri Pal d...@redhat.com wrote:
 On 01/27/2011 05:27 AM, Jan Zelený wrote:
  Simo Sorce sso...@redhat.com wrote:
  First part of ticket #855
  
  Add the requires we will need on F15, tested against jdennis ipa-devel
  repo, works as expected.
  
  Simo.
  
  The patch is obviously ok, so ack from this point of view. But I would
  just like to know if it is necessary. I just inspected F15 pki-ca
  package from nightly repo - it does Require pki-ca-theme= 9.0.0 (which
  is provided by dogtag-pki-ca-theme) and we will be requiring pki-ca. I
  suspect similar situation will be for dogtag-pki-common-theme. So I
  don't see why we should explicitly Require both packages ourselves.
 
 Have you seen the explanation that Matthew Harmsen put together about
 all the theme packages?
 I do not know if this would make things cleaner.
 I will send it off list.

Yes, I've read it and I understand now. Thanks for the info.

Jan
