[Freeipa-devel] [PATCH] Fixed permission lookup
Lookup based on --filter wasn't implemented at all. It did't show until now, because of bug sitting on top of it which was resulting in internal error. This patch fixes the bug and adds the filtering functionality. https://fedorahosted.org/freeipa/ticket/818 -- Thank you Jan Zeleny Red Hat Software Engineer Brno, Czech Republic From 4e5cea38d40d75dea0042701a28d235ec60c878b Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Thu, 27 Jan 2011 05:11:28 -0500 Subject: [PATCH] Fixed permission lookup Lookup based on --filter wasn't implemented at all. It did't show until now, because of bug sitting on top of it which was resulting in internal error. This patch fixes the bug and adds the filtering functionality. https://fedorahosted.org/freeipa/ticket/818 --- ipalib/plugins/baseldap.py | 10 -- ipalib/plugins/permission.py | 22 ++ 2 files changed, 14 insertions(+), 18 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index b20d96012e0dc7f91209a3623d8ad90cd023e006..6d58eb97742a29a584d97913fc26c4ccf5d4c349 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -1372,11 +1372,9 @@ class LDAPSearch(CallbackInterface, crud.Search): for callback in self.POST_CALLBACKS: if hasattr(callback, 'im_self'): -more = callback(ldap, entries, truncated, *args, **options) +callback(ldap, entries, truncated, *args, **options) else: -more = callback(self, ldap, entries, truncated, *args, **options) -if more: -entries = entries + more +callback(self, ldap, entries, truncated, *args, **options) if not options.get('raw', False): for e in entries: 
@@ -1392,8 +1390,8 @@ class LDAPSearch(CallbackInterface, crud.Search): truncated=truncated, ) -def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, **options): -return (filter, base_dn, scope) +def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options): +return (filters, base_dn, scope) def post_callback(self, ldap, entries, truncated, *args, **options): return [] diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py index 0c2855ff5c181a56455bb9b180b6f22472ce8fa4..1cbdd449763d8fafee0c5bd94669f5a7bb11f3bb 100644 --- a/ipalib/plugins/permission.py +++ b/ipalib/plugins/permission.py 
@@ -319,33 +319,33 @@ class permission_find(LDAPSearch): ) def post_callback(self, ldap, entries, truncated, *args, **options): -newentries = [] for entry in entries: (dn, attrs) = entry try: -aci = self.api.Command.aci_show(attrs['cn'][0], aciprefix=ACI_PREFIX)['result'] - -# copy information from respective ACI to permission entry +aci = self.api.Command.aci_show(attrs['description'][0])['result'] for attr in self.obj.aci_attributes: if attr in aci: attrs[attr] = aci[attr] except errors.NotFound: -self.debug('ACI not found for %s' % attrs['cn'][0]) +self.debug('ACI not found for %s' % attrs['description'][0]) # Now find all the ACIs that match. Once we find them, add any that # aren't already in the list along with their permission info. -options['aciprefix'] = ACI_PREFIX - aciresults = self.api.Command.aci_find(*args, **options) truncated = truncated or aciresults['truncated'] results = aciresults['result'] - +if 'filter' in options and not options['filter'].startswith('('): +options['filter'] = unicode('('+options['filter']+')') for aci in results: +if 'filter' in options: +if 'filter' not in aci or not aci['filter'] or\ +aci['filter'] != options['filter']: +continue found = False if 'permission' in aci: for entry in entries: (dn, attrs) = entry -if aci['permission'] == attrs['cn'][0]: +if aci['permission'] == attrs['cn']: found = True break if not found: @@ -357,9 +357,7 @@ class permission_find(LDAPSearch): dn = attrs['dn'] del attrs['dn'] if (dn, attrs) not in entries: -newentries.append((dn, attrs)) - -return newentries +entries.append((dn, attrs)) api.register(permission_find) -- 1.7.3.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
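Review bot: In the permission.py hunk at @@ -319,33, the duplicate check was changed from `attrs['cn'][0]` to `attrs['cn']`, so `aci['permission'] == attrs['cn']` now compares a string with the whole attribute value (a list, as the `[0]` indexing on the removed line implies) and cannot match; the loop then falls through to `if not found:` for ACIs whose permission is already in `entries`. Keep `attrs['cn'][0]`. The same hunk also drops `aciprefix=ACI_PREFIX` from the aci_show call, removes `options['aciprefix'] = ACI_PREFIX` ahead of aci_find, and switches the lookup key from `cn` to `description`; none of that is mentioned in the commit message, so either restore those lines or explain why they go.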
Re: [Freeipa-devel] [PATCH] 0074 Add requires
Simo Sorce sso...@redhat.com wrote: First part of ticket #855 Add the requires we will need on F15, tested against jdennis ipa-devel repo, works as expected. Simo. The patch is obviously ok, so ack from this point of view. But I would just like to know if it is necessary. I just inspected F15 pki-ca package from nightly repo - it does Require pki-ca-theme = 9.0.0 (which is provided by dogtag-pki-ca-theme) and we will be requiring pki-ca. I suspect similar situation will be for dogtag-pki-common-theme. So I don't see why we should explicitly Require both packages ourselves. Thanks in advance for explanation Jan
Re: [Freeipa-devel] [PATCH] 0075 handle weird values in nolog
Simo Sorce sso...@redhat.com wrote: When using ipa-replica-manage re-initialize with GSSAPI credentials it turns out that the DN password may be set to None and this can end up in the nolog list. Add a check to skip any non-string object in the log substitution list, so that the code doesn't freak out on None objects. Ticket #856 Simo. Ack, but only a code inspection performed, since I'm not sure how to test it exactly. Jan
Re: [Freeipa-devel] [PATCH] Changed dns permission types
Jan Zelený jzel...@redhat.com wrote: Jan Zelený jzel...@redhat.com wrote: Rob Crittenden rcrit...@redhat.com wrote: Jan Zelený wrote: Rob Crittenden rcrit...@redhat.com wrote: Jan Zelený wrote: Recent change of DNS module to version caused that dns object type was replaced by dnszone and dnsrecord. This patch corrects dns types in permissions class. https://fedorahosted.org/freeipa/ticket/646 Nack. These values need to be added as valid types to the aci plugin and the _type_map needs to be updated. rob I'm sending an updated patch. Jan Since dnszone and dnsrecord point to the same kind of entry what is the point of having two separate names for them? When we read the entry we aren't going to be able to differentiate between the two. I didn't take a look how the type thing works, so I'm kinda guessing here (please ignore the comment if it is wrong): Sure, object with idnszone class is always also in dnsrecord class, but that's not the case backwards (idnsrecord object isn't always idnszone) - so I think it is possible to set different ACIs for these two types. Can the type be made more specific? If the mapping doesn't distinguish object classes and it can, maybe that's the answer. Will investigate further. But if not, I still think this is the way to go considering the underline issue which we tried to solve by this change. From what I found I think that making changes necessary to distinguish dnsrecord and dnszone are not worth it, especially that user can use filter for that purpose. Since having both of them doesn't have any additional value, I'm sending new version of the patch, which is only adding dnsrecord type. Jan Just a small reminder that this patch is ready to be re-reviewed. Thanks Jan
Re: [Freeipa-devel] [PATCH] Fixed permission lookup
On Thu, 2011-01-27 at 11:15 +0100, Jan Zelený wrote: Lookup based on --filter wasn't implemented at all. It didn't show until now, because of bug sitting on top of it which was resulting in internal error. This patch fixes the bug and adds the filtering functionality. https://fedorahosted.org/freeipa/ticket/818 NACK Did you build this patch on current master? Because in your patch, you removed changes in permission-find from my previous patch 017 ACI plugin supports prefixes. After your patch, permission-find fails: $ ipa permission-find ipa: ERROR: 'aciprefix' is required Martin
Re: [Freeipa-devel] [PATCH] Fixed permission lookup
Martin Kosek mko...@redhat.com wrote: On Thu, 2011-01-27 at 11:15 +0100, Jan Zelený wrote: Lookup based on --filter wasn't implemented at all. It did't show until now, because of bug sitting on top of it which was resulting in internal error. This patch fixes the bug and adds the filtering functionality. https://fedorahosted.org/freeipa/ticket/818 NACK Did you build this patch on current master? Because in your patch, you removed changes in permission-find from my previous patch 017 ACI plugin supports prefixes. After your patch, permission-find fails: $ ipa permission-find ipa: ERROR: 'aciprefix' is required Martin Sorry, I accidentaly mixed the code with a part of the older one. Sending corrected patch. Jan From 717e995250193667cc98b5f16d347dbbeff2802c Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Thu, 27 Jan 2011 05:11:28 -0500 Subject: [PATCH] Fixed permission lookup Lookup based on --filter wasn't implemented at all. It did't show until now, because of bug sitting on top of it which was resulting in internal error. This patch fixes the bug and adds the filtering functionality. https://fedorahosted.org/freeipa/ticket/818 --- ipalib/plugins/baseldap.py | 12 +--- ipalib/plugins/permission.py | 11 +++ 2 files changed, 12 insertions(+), 11 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index b20d96012e0dc7f91209a3623d8ad90cd023e006..d25deb5270ee2b79c2229e9265fa11c3ccca8b17 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py 
@@ -1372,11 +1372,9 @@ class LDAPSearch(CallbackInterface, crud.Search): for callback in self.POST_CALLBACKS: if hasattr(callback, 'im_self'): -more = callback(ldap, entries, truncated, *args, **options) +callback(ldap, entries, truncated, *args, **options) else: -more = callback(self, ldap, entries, truncated, *args, **options) -if more: -entries = entries + more +callback(self, ldap, entries, truncated, *args, **options) if not options.get('raw', False): for e in entries: @@ -1392,11 +1390,11 @@ class LDAPSearch(CallbackInterface, crud.Search): truncated=truncated, ) -def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, **options): -return (filter, base_dn, scope) +def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options): +return (filters, base_dn, scope) def post_callback(self, ldap, entries, truncated, *args, **options): -return [] +pass def exc_callback(self, args, options, exc, call_func, *call_args, **call_kwargs): raise exc diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py index 0c2855ff5c181a56455bb9b180b6f22472ce8fa4..212a0469b55d19d76030f6384458943d5b8a19a6 100644 --- a/ipalib/plugins/permission.py +++ b/ipalib/plugins/permission.py @@ -319,7 +319,6 @@ class permission_find(LDAPSearch): ) def post_callback(self, ldap, entries, truncated, *args, **options): -newentries = [] for entry in entries: (dn, attrs) = entry try: @@ -340,7 +339,13 @@ class permission_find(LDAPSearch): truncated = truncated or aciresults['truncated'] results = aciresults['result'] +if 'filter' in options and not options['filter'].startswith('('): +options['filter'] = unicode('('+options['filter']+')') for aci in results: +if 'filter' in options: +if 'filter' not in aci or not aci['filter'] or\ +aci['filter'] != options['filter']: +continue found = False if 'permission' in aci: for entry in entries: 
@@ -357,9 +362,7 @@ class permission_find(LDAPSearch): dn = attrs['dn'] del attrs['dn'] if (dn, attrs) not in entries: -newentries.append((dn, attrs)) - -return newentries +entries.append((dn, attrs)) api.register(permission_find) -- 1.7.3.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
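Review bot: In the baseldap.py hunk at @@ -1372,11, LDAPSearch now discards whatever a POST_CALLBACKS entry returns, so any other plugin whose post_callback still builds and returns a list of extra entries will lose them silently. State the new contract (callbacks change `entries` in place) in a comment or docstring on post_callback and check the other LDAPSearch subclasses against it. In permission.py, `options['filter']` is wrapped in parentheses only after `aci_find(*args, **options)` has already run with the original value, and the later check is a plain string comparison (`aci['filter'] != options['filter']`), so a filter that differs only in spacing or attribute case counts as a non-match; normalize before calling aci_find and say in the option help that matching is exact.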
Re: [Freeipa-devel] [PATCH] 039 Delete the whole DNS record with no parameters
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/26/2011 09:50 PM, Simo Sorce wrote: On Mon, 2011-01-24 at 15:51 +0100, Jakub Hrozek wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/21/2011 05:54 PM, Rob Crittenden wrote: Jakub Hrozek wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/20/2011 11:53 PM, Simo Sorce wrote: On Thu, 20 Jan 2011 17:27:37 -0500 Dmitri Pald...@redhat.com wrote: Michael Gregg wrote: Jakub Hrozek wrote: Hi, as discussed in https://bugzilla.redhat.com/show_bug.cgi?id=671019 to delete a DNS RR one has to remove its record types one by one. This patch modifies the behaviour so that if the user runs dnsrecord-delzone record-name with no other parameters, the whole record is removed. Alternative solutions might be to expose the internal command that is able to delete the record (although I think it is counterintuitive to have one command to remove record types and one for the whole record) or have a special flag (--del-all?) to remove the whole record. The patch also fixes the unit tests as they didn't reflect all the recent changes. Going with this patch sounds good, but to make sure, I polled several people here, and they all seemed to think that having to add a --del-all or --del-record flag at the end would be better as it would be less prone to failure where admins would accidentally delete a entire record because they didn't specify anything after the zone record So, maybe we do need a --del-all or --del-record operator. Agree. +1 Someone may simply push enter accidentally while checking what to write after the command. It would be rather unfortunate. Simo. Attached is a new version of the patch that implements --del-all. It also reports failure when deleting a nonexistent RR (new ticket 829). nack, this isn't working properly for me. 
Here is how I tested: - add a new zone, newzone1 - ipa dnsrecord-add newzone1 as --a-rec 3.4.5.6 - ipa dnsrecord-add newzone1 as Record name: as A record: 3.4.5.6 - ipa dnsrecord-show newzone1 as Record name: as A record: 3.4.5.6 - ipa dnsrecord-del newzone1 as --del-all [ no output ] - ipa dnsrecord-show newzone1 as ipa: ERROR: as: DNS resource record not found So a couple of problems: 1. An error should have been thrown when I tried a delete without a specific record type. I agree but I was reluctant to do this because it was perfectly OK to call dnsrecord-add with no options. That would create an empty DNS record. The interface was orthogonal so dnsrecord-del with no options would remove the record if it was empty. But I don't think an empty DNS record makes any sense. I changed the behaviour such that: * dnsrecord-add with no attributes is no longer allowed. You have to specify at least one RR type. Apparently this is not effective, I was able to add an empty DNS record. Thanks for catching this. A fixed patch is attached. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk1BZY8ACgkQHsardTLnvCXfwwCgqQDrT6ZwZw20gNM+v+iT0QK5 1gIAoMyIS40UyS4X6VpqPB90U2PiNeLl =w7gG -END PGP SIGNATURE- From e9a0cb849681bb97e0dc5872f977b23a945e2736 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek jhro...@redhat.com Date: Thu, 20 Jan 2011 07:54:14 -0500 Subject: [PATCH] Delete the whole DNS record with no parameters Error out when deleting a nonexistent DNS record Also fixes the DNS unit tests. https://fedorahosted.org/freeipa/ticket/816 https://fedorahosted.org/freeipa/ticket/829 --- API.txt |3 +- ipalib/plugins/dns.py| 51 +++-- tests/test_xmlrpc/test_dns_plugin.py | 38 ++--- 3 files changed, 70 insertions(+), 22 deletions(-) diff --git a/API.txt b/API.txt index 9717acc..c9a56f6 100644 --- a/API.txt +++ b/API.txt 
@@ -580,9 +580,10 @@ output: Output('summary', (type 'unicode', type 'NoneType'), 'User-friendly output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', type 'unicode', The primary_key value of the entry, e.g. 'jdoe' for a user) command: dnsrecord_del -args: 2,41,3 +args: 2,42,3 arg: Str('dnszoneidnsname', cli_name='dnszone', label=Gettext('Zone name', domain='ipa', localedir=None), query=True, required=True) arg: Str('idnsname', attribute=True, cli_name='name', label=Gettext('Record name', domain='ipa', localedir=None), multivalue=False, primary_key=True, query=True, required=True) +option: Flag('del_all', autofill=True, default=False, label=Gettext('Delete all associated records', domain='ipa', localedir=None)) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui', flags=['no_output']) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui', flags=['no_output']) option: Str('version?',
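Review bot: The new `del_all` flag in the dnsrecord_del entry of API.txt carries only `label=Gettext('Delete all associated records', ...)` and no `doc`. This option removes the whole record, so give it help text that says so explicitly, and, given the concern raised in the thread about accidental deletion, confirm the test changes cover dnsrecord_del being rejected when neither a record type nor `del_all` is passed. The dns.py and test hunks are cut off on this page and could not be checked.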
Re: [Freeipa-devel] [PATCH] 0074 Add requires
On Thu, 2011-01-27 at 11:27 +0100, Jan Zelený wrote: Simo Sorce sso...@redhat.com wrote: First part of ticket #855 Add the requires we will need on F15, tested against jdennis ipa-devel repo, works as expected. Simo. The patch is obviously ok, so ack from this point of view. But I would just like to know if it is necessary. I just inspected F15 pki-ca package from nightly repo - it does Require pki-ca-theme = 9.0.0 (which is provided by dogtag-pki-ca-theme) and we will be requiring pki-ca. I suspect similar situation will be for dogtag-pki-common-theme. So I don't see why we should explicitly Require both packages ourselves. Thanks in advance for explanation Sorry I don't know why they are needed I just implemented the ticket Rob opened. Simo. -- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 0075 handle weird values in nolog
On Thu, 2011-01-27 at 11:43 +0100, Jan Zelený wrote: Simo Sorce sso...@redhat.com wrote: When using ipa-replica-manage re-initialize with GSSAPI credentials it turns out that the DN password may be set to None and this can end up in the nolog list. Add a check to skip any non-string object in the log substitution list, so that the code doesn't freak out on None objects. Ticket #856 Simo. Ack, but only a code inspection performed, since I'm not sure how to test it exactly. If you want to test: install replica, kinit admin, then run ipa-replica-manage re-initialize --from other.master.com W/o the patch it throws an error after it is done, w/ the patch it terminates w/o errors. Simo. -- Simo Sorce * Red Hat, Inc * New York
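A sketch of the check described in this thread, as an added example that is not FreeIPA's code: secrets in a nolog list are masked before a command line is logged, and entries that are not strings are skipped. The function names, the mask string and the sample command are assumptions made for the illustration; skipping empty strings and masking longer secrets first go beyond what the thread discusses.

```python
# Added illustration; not FreeIPA code. redact, redact_unchecked, MASK and
# SAMPLE_CMD are hypothetical names chosen for this example.
MASK = "XXXXXXXX"


def redact(text, nolog):
    """Return text with every secret listed in nolog replaced by MASK.

    Entries that are not non-empty strings are skipped: None raises
    TypeError inside str.replace(), and "" would insert MASK between
    every character of the logged text.
    """
    secrets = {s for s in nolog if isinstance(s, str) and s}
    # Mask longer secrets first, so a secret that contains a shorter one
    # is replaced whole instead of leaving its tail in the log.
    for secret in sorted(secrets, key=len, reverse=True):
        text = text.replace(secret, MASK)
    return text


def redact_unchecked(text, nolog):
    """The failure mode from the thread: no type check on nolog entries."""
    for secret in nolog:
        text = text.replace(secret, MASK)
    return text


# Constructed sample: a command line about to be written to a log file.
# When Kerberos/GSSAPI credentials are used there is no bind password,
# so the corresponding nolog slot holds None instead of a string.
SAMPLE_CMD = "sample-tool --bind-password Secret123 --token Secret123456"
SAMPLE_NOLOG = ["Secret123", None, "Secret123456"]


if __name__ == "__main__":
    print(redact(SAMPLE_CMD, SAMPLE_NOLOG))
    try:
        redact_unchecked(SAMPLE_CMD, SAMPLE_NOLOG)
    except TypeError as exc:
        print("unchecked version failed:", exc)
```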
Re: [Freeipa-devel] [PATCH] 0074 Add requires
On Thu, 2011-01-27 at 11:27 +0100, Jan Zelený wrote: The patch is obviously ok, so ack from this point of view. Pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 0075 handle weird values in nolog
On Thu, 2011-01-27 at 11:43 +0100, Jan Zelený wrote: Ack, but only a code inspection performed, since I'm not sure how to test it exactly. Pushed to master (I tested it extensively). Simo. -- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] Fixed permission lookup
Rob Crittenden rcrit...@redhat.com wrote: Jan Zelený wrote: Martin Kosek mko...@redhat.com wrote: On Thu, 2011-01-27 at 11:15 +0100, Jan Zelený wrote: Lookup based on --filter wasn't implemented at all. It didn't show until now, because of bug sitting on top of it which was resulting in internal error. This patch fixes the bug and adds the filtering functionality. https://fedorahosted.org/freeipa/ticket/818 NACK Did you build this patch on current master? Because in your patch, you removed changes in permission-find from my previous patch 017 ACI plugin supports prefixes. After your patch, permission-find fails: $ ipa permission-find ipa: ERROR: 'aciprefix' is required Martin Sorry, I accidentally mixed the code with a part of the older one. Sending corrected patch. Jan I think the more stuff in baseldap.py:LDAPSearch() was there because adding entries in a post_callback wasn't working. It only let you reduce the number or modify what was already there IIRC. From what I know, lists should allow you to expand them without any problems (not sure how is the concept called in Python, Pavel told me about it). Also I didn't encounter any problems with this approach (and the post callback actually adds some entries), that's why I changed it the way I did. Jan
Re: [Freeipa-devel] [PATCH] 0074 Add requires
On 01/27/2011 05:27 AM, Jan Zelený wrote: Simo Sorce sso...@redhat.com wrote: First part of ticket #855 Add the requires we will need on F15, tested against jdennis ipa-devel repo, works as expected. Simo. The patch is obviously ok, so ack from this point of view. But I would just like to know if it is necessary. I just inspected F15 pki-ca package from nightly repo - it does Require pki-ca-theme = 9.0.0 (which is provided by dogtag-pki-ca-theme) and we will be requiring pki-ca. I suspect similar situation will be for dogtag-pki-common-theme. So I don't see why we should explicitly Require both packages ourselves. Have you seen the explanation that Matthew Harmsen put together about all the theme packages? I do not know if this would make things cleaner. I will send it off list. Thanks in advance for explanation Jan
[Freeipa-devel] [PATCH] 0076 Fix ipa init script
When I created ipa.init I did it initially by copying the dirsrv init script. Remove any remaining reference to the dirsrv stuff. Ticket: #857 Simo. -- Simo Sorce * Red Hat, Inc * New York From fc87f8d93bbd9dfeabd6301ef2b9ae7c67030703 Mon Sep 17 00:00:00 2001 From: Simo Sorce sso...@redhat.com Date: Thu, 27 Jan 2011 11:39:24 -0500 Subject: [PATCH] Fix ipa init script to not depend on dirsrv init internals Fixes: https://fedorahosted.org/freeipa/ticket/857 --- ipa.init | 15 --- 1 files changed, 4 insertions(+), 11 deletions(-) diff --git a/ipa.init b/ipa.init index 92c9f49185b3032f7dfda9d740546c4c882f9c76..b5a43c31942596c99ee4ef2d00385536cacb9052 100755 --- a/ipa.init +++ b/ipa.init @@ -1,12 +1,10 @@ #!/bin/sh # -# ipaThis starts and stops ipa +# ipaThis starts and stops ipa controlled daemons # # chkconfig: - 21 79 # description: IPA Server -# processname: /usr/sbin/ns-slapd # configdir: /etc/ipa/ -# piddir: /var/run/dirsrv # # Source function library. @@ -25,19 +23,14 @@ then exit 0 fi -# Lockfile -if [ -d /var/lock/subsys ] ; then -lockfile=/var/lock/subsys/dirsrv -else -lockfile=/var/lock/dirsrv/lock -fi - case $1 in start|stop|restart|status) /usr/sbin/ipactl $1 ;; condrestart) -[ ! -f $lockfile ] || /usr/sbin/ipactl restart +/sbin/service dirsrv status +RETVAL=$? +[ $RETVAL = 0 ] /usr/sbin/ipactl restart ;; *) echo Usage: $0 {start|stop|status|restart|condrestart} -- 1.7.3.5 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
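Review bot: In the condrestart branch, `/sbin/service dirsrv status` runs with its output unredirected, so every condrestart prints the dirsrv status text, and the restart decision still hinges on dirsrv alone even though the commit subject is about not depending on dirsrv init internals. Redirect the output to /dev/null, or use `/usr/sbin/ipactl status`, which the start|stop|restart|status branch already exposes. As the line reads here, `[ $RETVAL = 0 ] /usr/sbin/ipactl restart` also has no `&&` between the test and the command and the variable is unquoted; it should be `[ "$RETVAL" = 0 ] && /usr/sbin/ipactl restart`.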
[Freeipa-devel] [PATCH] 042 Enforce that all NS records are resolvable
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Bind cannot load a zone if any of its name server records is not resolvable. https://fedorahosted.org/freeipa/ticket/838 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk1Bs0sACgkQHsardTLnvCVgjACg4YojCm2ULsFZ2smpusWdJncp +mgAniOndaa4ILr9YpuIwW9i+X97Vid2 =KEtu -END PGP SIGNATURE- From e68b5d044902e12dde5d74077b431e5eb1524373 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek jhro...@redhat.com Date: Thu, 27 Jan 2011 11:16:22 -0500 Subject: [PATCH] Enforce that all NS records are resolvable Bind cannot load a zone if any of its name server records is not resolvable. https://fedorahosted.org/freeipa/ticket/838 --- API.txt |2 + ipalib/plugins/dns.py| 61 ++ tests/test_xmlrpc/test_dns_plugin.py | 61 +- 3 files changed, 123 insertions(+), 1 deletions(-) diff --git a/API.txt b/API.txt index 2f7016d..93ab0c8 100644 --- a/API.txt +++ b/API.txt 
@@ -717,6 +717,8 @@ option: Str('idnsupdatepolicy', attribute=True, cli_name='update_policy', label= option: Flag('idnsallowdynupdate', attribute=True, autofill=True, cli_name='allow_dynupdate', default=False, label=Gettext('Dynamic update', domain='ipa', localedir=None), multivalue=False, required=True) option: Str('addattr*', validate_add_attribute, cli_name='addattr', exclude='webui') option: Str('setattr*', validate_set_attribute, cli_name='setattr', exclude='webui') +option: Flag('force', autofill=True, default=False,lag('force', autofill=True, default=False, doc=Gettext('force DNS zone even if name server not in DNS', domain='ipa', localedir=None)) +option: Str('ip_address?', _validate_ipaddr,tr('ip_address?', _validate_ipaddr, doc=Gettext('Add the nameserver to DNS with this IP address', domain='ipa', localedir=None)) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui', flags=['no_output']) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui', flags=['no_output']) option: Str('version?', exclude='webui', flags=['no_option', 'no_output']) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index 8c07a96..56c22cf 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py 
@@ -150,6 +150,24 @@ def has_cli_options(entry, no_option_msg): raise errors.OptionError(no_option_msg) return entry +def is_ns_rec_resolvable(name): +try: +return api.Command['dns_resolve'](name) +except errors.NotFound: +raise errors.NotFound(reason=_('Nameserver \'%(host)s\' does not have a corresponding A/ record' % {'host':name})) + +def add_forward_record(zone, name, str_address): +addr = netaddr.IPAddress(str_address) +try: +if addr.version == 4: +api.Command['dnsrecord_add'](zone, name, arecord=str_address) +elif addr.version == 6: +api.Command['dnsrecord_add'](zone, name, record=str_address) +else: +raise ValueError('Invalid address family') +except errors.EmptyModlist: +pass # the entry already exists and matches + def dns_container_exists(ldap): try: ldap.get_entry(api.env.container_dns, []) @@ -265,6 +283,15 @@ class dnszone_add(LDAPCreate): Create new DNS zone (SOA record). +takes_options = LDAPCreate.takes_options + ( +Flag('force', + doc=_('force DNS zone even if name server not in DNS'), +), +Str('ip_address?', _validate_ipaddr, +doc=_('Add the nameserver to DNS with this IP address'), +), +) + def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): if not dns_container_exists(self.api.Backend.ldap2): raise errors.NotFound(reason=_('DNS is not configured')) 
@@ -274,13 +301,29 @@ class dnszone_add(LDAPCreate): entry_attrs.get('idnsallowdynupdate', False) ).upper() +# Check nameserver has a forward record nameserver = entry_attrs['idnssoamname'] + +if not 'ip_address' in options and not options['force']: +is_ns_rec_resolvable(nameserver) + if nameserver[-1] != '.': nameserver += '.' + entry_attrs['nsrecord'] = nameserver entry_attrs['idnssoamname'] = nameserver return dn +def post_callback(self, ldap, dn, entry_attrs, *keys, **options): +if 'ip_address' in options: +nameserver = entry_attrs['idnssoamname'][0][:-1] # ends with a dot +nsparts = nameserver.split('.') +add_forward_record('.'.join(nsparts[1:]), + nsparts[0], + options['ip_address']) + +return dn + api.register(dnszone_add) @@ -467,6 +510,8 @@ class dnsrecord_mod_record(LDAPQuery,
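Review bot: In dnszone_add.post_callback, the zone for the forward record is guessed by splitting the name server at its first dot (`'.'.join(nsparts[1:])`, `nsparts[0]`), and the dnsrecord_add call runs only after the zone entry has been written. If that parent domain is not a zone managed here, or the name server is a single label, the add fails and leaves the new zone with the unresolvable NS record this patch is meant to prevent. Resolve the target zone and validate the address in pre_callback, before the entry is created. Separately, in is_ns_rec_resolvable the `%` formatting is applied inside `_()`, so the message catalog is searched for the already-formatted string and the translation never matches; move `% {'host': name}` outside the `_()` call.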
Re: [Freeipa-devel] [PATCH] admiyo-0166-declarative-for-aci
On 01/26/2011 04:18 PM, Adam Young wrote: On 01/26/2011 04:14 PM, Kyle Baker wrote: ACK - Original Message - Fixes https://fedorahosted.org/freeipa/ticket/772 Depends on freeipa-admiyo-0154-1-declarative-defintions.patch ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Hold on that...this requires edewata to sign off on. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Rebased with changes from 154 From 678aa3e30804c7c80aaf8d1e4fb8e00fd2bae25b Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Wed, 26 Jan 2011 13:46:49 -0500 Subject: [PATCH 1/3] declarative for aci A couple of the ACI definitions were incorrect, and the end result was that fields were not getting initialized. USing the declarative approach cleaned up the cause. Also fixed a few broken unit tests --- install/ui/aci.js | 340 ++- install/ui/serverconfig.js | 34 ++-- install/ui/test/details_tests.js|6 +- install/ui/test/entity_tests.js | 11 +- install/ui/test/navigation_tests.js | 10 +- 5 files changed, 121 insertions(+), 280 deletions(-) diff --git a/install/ui/aci.js b/install/ui/aci.js index f7d7266f546c75ba5f20872999553b2d4a859cc0..1cc1611caac78163bc7ae88bc2f03426f91f58be 100644 --- a/install/ui/aci.js +++ b/install/ui/aci.js @@ -457,9 +457,6 @@ IPA.target_section = function () { appendTo(dl); } - - - that.create = function(container) { var dl = $('dl class=aci-target/').appendTo(container); display_filter_target(dl); 
@@ -563,111 +560,35 @@ IPA.target_section = function () { IPA.entity_factories.permission = function () { -var that = IPA.entity({ +return IPA.entity({ 'name': 'permission' -}); - -that.init = function() { - -var dialog = IPA.permission_add_dialog({ +}).add_dialog( +IPA.add_dialog({ name: 'add', -title: 'Add New Permission', -entity_name: 'permission' -}); -that.add_dialog(dialog); -dialog.init(); - -var facet = IPA.permission_search_facet({ -name: 'search', -label: 'Search' -}); -that.add_facet(facet); - -facet = IPA.permission_details_facet(); -that.add_facet(facet); - -that.entity_init(); -}; - -return that; -}; - - - -IPA.permission_add_dialog = function (spec) { - -spec = spec || {}; - -var that = IPA.add_dialog(spec); - -that.init = function() { - -that.add_field(IPA.text_widget({ -name: 'cn', -undo: false -})); - -that.add_field(IPA.text_widget({ -name: 'description', -undo: false -})); - -that.add_field(IPA.rights_widget({name:'permissions'})); -that.add_field(IPA.hidden_widget({name:'filter','value':'objectClass=changethisvalue'})); -that.add_dialog_init(); -}; - - -return that; -}; - - -IPA.permission_search_facet = function (spec) { - -spec = spec || {}; -var that = IPA.search_facet(spec); -that.init = function() { -that.create_column({name:'cn'}); -that.create_column({name:'description'}); -that.search_facet_init(); -}; -return that; -}; - - -IPA.permission_details_facet = function () { - -var spec = { -name: 'details' -}; -var that = IPA.details_facet(spec); - -that.init = function() { - -var section = that.add_section(IPA.details_list_section({ -name:'identity',label:'Identity' })); -section.create_field({ name: 'cn', 'read_only': true }); -section.create_field({ name: 'description'}); - -that.rights_section = IPA.rights_section(); -that.add_section(that.rights_section); - -that.target_section = IPA.target_section(); - -that.add_section(that.target_section); -that.details_facet_init(); -}; - -that.superior_load = that.load; - -that.load = 
function(result) { -that.superior_load(result); -}; - -that.superior_update = that.update; -that.update = function(on_win, on_fail){ -that.superior_update(on_win, on_fail); -}; +title: 'Add New Permission' +}). +field(IPA.text_widget({ +name: 'cn', +undo: false +})). +field(IPA.text_widget({ +name: 'description', +undo: false +})). +field(IPA.rights_widget({name:'permissions'})). +field(IPA.hidden_widget( +{name:'filter','value':'objectClass=changethisvalue'}))). +facet(IPA.search_facet(). + column({name:'cn'}). +
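Review bot: The declarative add dialog in IPA.entity_factories.permission keeps the hidden field `{name:'filter','value':'objectClass=changethisvalue'}`, so every permission created through this dialog is submitted with a placeholder target filter. Since this patch rewrites the ACI definitions anyway, replace the placeholder with a real target choice in the dialog or have the submit path refuse that value. The commit message says a couple of definitions were incorrect without naming them; list which fields were not being initialized so the fix can be checked against the deleted code.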
Re: [Freeipa-devel] [PATCH] admiyo-0169-reset-target-section
On 01/26/2011 04:52 PM, Adam Young wrote: ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Rebased From c37d4a2499281980c9a73034a91b012c8fc97fc5 Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Wed, 26 Jan 2011 16:50:43 -0500 Subject: [PATCH 3/3] reset target section target section needed to cache results for use in results moved load logic into reset and load now calls reset --- install/ui/aci.js |9 ++--- 1 files changed, 6 insertions(+), 3 deletions(-) diff --git a/install/ui/aci.js b/install/ui/aci.js index 1cc1611caac78163bc7ae88bc2f03426f91f58be..3bad384a2b80e3842395ba54004b2808928f28cf 100644 --- a/install/ui/aci.js +++ b/install/ui/aci.js @@ -494,6 +494,12 @@ IPA.target_section = function () { }; that.load = function(result) { +that.result = result; +that.reset(); +}; + +that.reset = function() { +var result = that.result; if(result.subtree){ $('#aci_query_text').val(result.subtree); $('#aci_by_query').click(); @@ -524,9 +530,6 @@ IPA.target_section = function () { } }; -that.reset = function() { -}; - that.save = function (record){ var record_type = $(input[name='type']:checked).attr('id'); -- 1.7.3.5 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
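Review bot: `that.reset` now dereferences `that.result` (`if(result.subtree){`), but `that.result` is only assigned in `that.load`, so a reset that fires before the first load throws on an undefined `result`. Initialize `that.result` when the section is created, or return early from reset while it is unset. The commit message is one run-on sentence; split it into what changed (load caches the result, reset re-applies it) and why the cache is needed.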
Re: [Freeipa-devel] [PATCH] admiyo-0167-adding-label-for-RBAC
On 01/26/2011 04:14 PM, Kyle Baker wrote: ACK - Original Message - Role Based Access control is supposed to be spelled out in the tabs. An earlier patch also broke the Title for the RBAC Action Panel. This fixes both. Depends on all my previous patches ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Rebased ontop of 166 From 563ab17599c330ee792559455aa32c15afcd531f Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Wed, 26 Jan 2011 14:24:41 -0500 Subject: [PATCH 2/3] adding label for RBAC --- install/ui/test/data/ipa_init.json | 55 install/ui/webui.js|3 +- ipalib/plugins/internal.py |3 +- 3 files changed, 41 insertions(+), 20 deletions(-) diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json index 8fe28684d2640fb74f53b95d8c098624ac4e4f62..a4b9a0f79d6fda0b9f1edad5b79f333602bbb3b9 100644 --- a/install/ui/test/data/ipa_init.json +++ b/install/ui/test/data/ipa_init.json @@ -4544,7 +4544,7 @@ type: tuple }, { -alwaysask: true, +alwaysask: false, attribute: false, autofill: false, class: List, @@ -4553,7 +4553,10 @@ default: null, doc: Comma-separated list of attributes, exclude: null, -flags: [], +flags: [ +ask_create, +ask_update +], hint: null, include: null, label: Attributes, @@ -4567,7 +4570,7 @@ type: tuple }, { -alwaysask: true, +alwaysask: false, attribute: false, autofill: false, class: StrEnum, @@ -4576,7 +4579,10 @@ default: null, doc: Type of IPA object (user, group, host, hostgroup, service, netgroup, dns), exclude: null, -flags: [], +flags: [ +ask_create, +ask_update +], hint: null, include: null, label: Type, @@ -4597,7 +4603,7 @@ ] }, { -alwaysask: true, +alwaysask: false, attribute: false, autofill: false, class: Str, @@ -4606,7 +4612,10 @@ default: null, doc: Target members of a group, exclude: null, -flags: [], +flags: [ +ask_create, +ask_update +], hint: null, include: null, label: Member of group, 
@@ -4623,7 +4632,7 @@ type: unicode }, { -alwaysask: true, +alwaysask: false, attribute: false, autofill: false, class: Str, @@ -4632,7 +4641,10 @@ default: null, doc: Legal LDAP filter (e.g. ou=Engineering), exclude: null, -flags: [], +flags: [ +ask_create, +ask_update +], hint: null, include: null, label: Filter, @@ -4649,7 +4661,7 @@ type: unicode },
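Review bot: The commit message covers only the RBAC label, yet the ipa_init.json hunks switch alwaysask from true to false and add the ask_create and ask_update flags on the Attributes, Type, Member of group and Filter parameters. If the fixture was simply regenerated from a newer server, say so in the commit message or put the regeneration in its own commit, so that a change to how the permission parameters are prompted for does not go in unreviewed under a label fix.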
Re: [Freeipa-devel] [PATCH] Add support for account unlocking
Jan Zelený wrote:
Jan Zelenyjzel...@redhat.com wrote:
This patch adds command ipa user-unlock and some LDAP modifications which are required by Kerberos for unlocking to work.
Ticket: https://fedorahosted.org/freeipa/ticket/344
Jan
Just a reminder that this patch needs a review.
Thanks
Jan
This doesn't apply against master due to some changes to delegations. Can you rebase and set the aci name to 'permission:Unlock user accounts. I did manage to test this and it works as expected, I just don't want to mangle the rebase.
rob
[Freeipa-devel] [PATCH] 0008-Adjusted-aci-s-target-feilds-adjusted-action-panel-s
From ec84d1de06ab1af5fdedc952695750efab4cd212 Mon Sep 17 00:00:00 2001 From: System Administrator r...@dhcp-100-3-211.bos.redhat.com Date: Thu, 27 Jan 2011 15:05:16 -0500 Subject: [PATCH] Adjusted aci's target feilds, adjusted action panel styles, adjusted Delegation and Configuration. --- install/ui/caution.png | Bin 438 - 496 bytes install/ui/check.png | Bin 3209 - 556 bytes install/ui/ipa.css | 115 +-- 3 files changed, 100 insertions(+), 15 deletions(-) mode change 100755 = 100644 install/ui/caution.png mode change 100755 = 100644 install/ui/check.png diff --git a/install/ui/caution.png b/install/ui/caution.png old mode 100755 new mode 100644 index ce7a68ad960852235b2cb4815cf502cc74939e85..162c96d679bd83dfd9d63aa500ec3539a989e626 GIT binary patch
diff --git a/install/ui/check.png b/install/ui/check.png old mode 100755 new mode 100644 index c3646db11272b689616ea1d3cba941fb582901c2..72a73c6c1bd35e76f82b92fd62af4ec79a99e7ca GIT binary patch
[Freeipa-devel] [PATCH]admiyo-0172-default-disable-delete
For ticket https://fedorahosted.org/freeipa/ticket/668 From 664d5f27c9aa8954674bcab9ea89029b9f73d70c Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Thu, 27 Jan 2011 16:37:48 -0500 Subject: [PATCH 172/172] default disable delete --- install/ui/ipa.css | 16 install/ui/search.js | 16 +++- 2 files changed, 31 insertions(+), 1 deletions(-) diff --git a/install/ui/ipa.css b/install/ui/ipa.css index e3760f32ae583e25fc4bb84a7f12a6775264caba..6ba60dfff2a0e2568034d5d6ce6ca146dc11bcbc 100644 --- a/install/ui/ipa.css +++ b/install/ui/ipa.css @@ -43,6 +43,11 @@ body{ cursor: pointer; } +.input_link_disabled { +cursor: default; +color:black; +} + .input_link span.ui-icon { -moz-border-radius: 0.3em; border: 1px solid #B8B8B8; @@ -52,6 +57,17 @@ body{ top: 50%; } +.input_link_disabled span.ui-icon { +-moz-border-radius: 0.3em; +border: 1px solid #B8B8B8; +margin: -0.9em 0.4em 0em -0.3em; +position: absolute; +left: .2em; +top: 50%; +} + + + .ipa-icon { font-size: 0.7em; padding-right: 0.3em; diff --git a/install/ui/search.js b/install/ui/search.js index b88de20a7c90e59f1bf56bd4aa64fc45ee32e013..20a6f51fc66251f8f8109da8286f8a3a6f935848 100644 --- a/install/ui/search.js +++ b/install/ui/search.js @@ -103,10 +103,12 @@ IPA.search_widget = function (spec) { that.remove_button = IPA.action_button({ 'label': IPA.messages.button.remove, 'icon': 'ui-icon-trash', -'click': function() { that.remove(that.container); } }); +that.remove_button.addClass('input_link_disabled'); + button.replaceWith(that.remove_button); + button = $('input[name=add]', search_buttons); that.add_button = IPA.action_button({ 'label': IPA.messages.button.add, 
@@ -156,6 +158,18 @@ IPA.search_widget = function (spec) { $('input', action_panel).val(null); } + +if(count === 0){ +var remove_button = $('a[title=Delete]', action_panel); +remove_button.addClass('input_link_disabled'); +remove_button.unbind('click'); + +}else{ +var remove_button = $('a[title=Delete]', action_panel); +remove_button.click(function() { that.remove(that.container); }); +remove_button.removeClass('input_link_disabled'); +} + return false; }; -- 1.7.3.5 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
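Review bot: In the second search.js hunk the else branch calls remove_button.click(function() { that.remove(that.container); }) each time this code runs with count other than 0 and never unbinds first, so handlers stack up and a single click on Delete can run that.remove several times. Call unbind('click') before binding in that branch, or bind once and check for the input_link_disabled class inside the handler. The lookup $('a[title=Delete]', action_panel) also hard-codes the button title while the first hunk takes the label from IPA.messages.button.remove; using that.remove_button directly avoids a mismatch. In ipa.css the .input_link_disabled span.ui-icon rule repeats the .input_link span.ui-icon declarations; a shared selector list would keep the two from drifting apart.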
Re: [Freeipa-devel] [PATCH] admiyo-0166-declarative-for-aci
On 01/27/2011 01:55 PM, Adam Young wrote:
On 01/26/2011 04:18 PM, Adam Young wrote:
On 01/26/2011 04:14 PM, Kyle Baker wrote:
ACK
- Original Message -
Fixes https://fedorahosted.org/freeipa/ticket/772
Depends on freeipa-admiyo-0154-1-declarative-defintions.patch
Hold on that...this requires edewata to sign off on.
Rebased with changes from 154
ACKed in IRC by edewata. Pushed to master
Re: [Freeipa-devel] [PATCH] 0008-Adjusted-aci-s-target-feilds-adjusted-action-panel-s
On 01/27/2011 03:18 PM, Kyle Baker wrote:
ACK and pushed to master
Re: [Freeipa-devel] [PATCH] admiyo-0169-reset-target-section
On 01/27/2011 01:57 PM, Adam Young wrote:
On 01/26/2011 04:52 PM, Adam Young wrote:
Rebased
ACKed in IRC by edewata and pushed to master
Re: [Freeipa-devel] [PATCH] admiyo-0170-dirty
On 01/26/2011 10:03 PM, Adam Young wrote:
Depends on 154, 154, 166, 167, 169
ACKed in IRC by edewata and pushed to master
[Freeipa-devel] [PATCH] 693 changes from Fedora review
I pushed this patch that contains specfile changes pointed out in the Fedora package review process. rob From 88e0d36d8ea341e4ac9a7733a66fae23917b07b2 Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Thu, 27 Jan 2011 17:02:24 -0500 Subject: [PATCH] Apply changes discovered in Fedora package review process (#672986) Ticket 804 --- freeipa.spec.in | 35 +++ 1 files changed, 19 insertions(+), 16 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 19b03f6..0940128 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -3,8 +3,12 @@ %global httpd_conf /etc/httpd/conf.d %global plugin_dir %{_libdir}/dirsrv/plugins -%{!?python_sitelib: %global python_sitelib %(%{__python} -c from distutils.sysconfig import get_python_lib; print get_python_lib())} -%{!?python_sitearch: %global python_sitearch %(%{__python} -c from distutils.sysconfig import get_python_lib; print get_python_lib(1))} +%if ! (0%{?fedora} 12 || 0%{?rhel} 5) +%{!?python_sitelib: %global python_sitelib %(%{__python} -c from +distutils.sysconfig import get_python_lib; print(get_python_lib()))} +%{!?python_sitearch: %global python_sitearch %(%{__python} -c from +distutils.sysconfig import get_python_lib; print(get_python_lib(1)))} +%endif %global POLICYCOREUTILSVER 1.33.12-1 %global gettext_domain ipa @@ -82,7 +86,6 @@ Requires: python-ldap Requires: python-krbV Requires: acl Requires: python-pyasn1 = 0.0.9a -Requires: libcap Requires: selinux-policy Requires(post): selinux-policy-base Requires: slapi-nis = 0.21 @@ -91,7 +94,7 @@ Requires: pki-silent = 9.0.0 Requires(preun): python initscripts chkconfig Requires(postun): python initscripts chkconfig -Obsoletes: ipa-server +Obsoletes: ipa-server = 1.0 %description server IPA is an integrated solution to provide centrally managed Identity (machine, 
@@ -106,7 +109,9 @@ this package). Summary: SELinux rules for freeipa-server daemons Group: System Environment/Base Requires: %{name}-server = %{version}-%{release} -Requires(pre): policycoreutils = %{POLICYCOREUTILSVER} libsemanage +Requires(pre): policycoreutils = %{POLICYCOREUTILSVER} + +Obsoletes: ipa-server-selinux = 1.0 %description server-selinux IPA is an integrated solution to provide centrally managed Identity (machine, @@ -133,7 +138,7 @@ Requires: sssd = 1.2.1 Requires: certmonger = 0.26 Requires: nss-tools -Obsoletes: ipa-client +Obsoletes: ipa-client = 1.0 %description client IPA is an integrated solution to provide centrally managed Identity (machine, @@ -152,7 +157,7 @@ Requires: %{name}-client = %{version}-%{release} Requires: python-krbV Requires: python-ldap -Obsoletes: ipa-admintools +Obsoletes: ipa-admintools = 1.0 %description admintools IPA is an integrated solution to provide centrally managed Identity (machine, @@ -175,7 +180,7 @@ Requires: python-nss = 0.9-8 Requires: python-lxml Requires: python-netaddr -Obsoletes: ipa-python +Obsoletes: ipa-python = 1.0 %description python IPA is an integrated solution to provide centrally managed Identity (machine, @@ -270,9 +275,6 @@ if [ $1 = 1 ]; then /sbin/chkconfig --add ipa /sbin/chkconfig --add ipa_kpasswd fi -if [ -e /usr/share/ipa/serial ]; then -mv /usr/share/ipa/serial /var/lib/ipa/ca_serialno -fi /usr/sbin/ipa-upgradeconfig || : %preun server 
@@ -380,13 +382,10 @@ fi %config(noreplace) %{_sysconfdir}/ipa/html/ipa_error.css %config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html %config(noreplace) %{_sysconfdir}/ipa/html/browserconfig.html -%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf %{_usr}/share/ipa/ipa.conf %{_usr}/share/ipa/ipa-rewrite.conf -#%dir %{_usr}/share/ipa/ipaserver -#%{_usr}/share/ipa/ipaserver/* %dir %{_usr}/share/ipa/updates/ %{_usr}/share/ipa/updates/* %attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so @@ -412,6 +411,7 @@ fi %files server-selinux %defattr(-,root,root,-) +%doc COPYING README Contributors.txt %{_usr}/share/selinux/targeted/ipa_kpasswd.pp %{_usr}/share/selinux/targeted/ipa_httpd.pp %{_usr}/share/selinux/targeted/ipa_dogtag.pp @@ -446,7 +446,7 @@ fi %{_sbindir}/ipa-compat-manage %{_sbindir}/ipa-nis-manage %{_sbindir}/ipa-host-net-manage -%{_sysconfdir}/bash_completion.d +%config %{_sysconfdir}/bash_completion.d %{_mandir}/man1/ipa.1.gz %{_mandir}/man1/ipa-compat-manage.1.gz %{_mandir}/man1/ipa-nis-manage.1.gz @@ -467,9 +467,12 @@ fi %{python_sitelib}/freeipa-*.egg-info %{python_sitearch}/python_default_encoding-*.egg-info %endif -%config(noreplace) %{_sysconfdir}/ipa/default.conf +%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf %changelog +* Thu Jan 27 2011 Rob Crittenden rcrit...@redhat.com - 1.99-42 +- Apply changes
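Review bot: The %post server hunk deletes the step that moved /usr/share/ipa/serial to /var/lib/ipa/ca_serialno, and neither the commit message nor the visible part of the changelog entry says why. If any supported upgrade path can still start from a system that has the old file, the serial number file stays where it was after this change; state in the changelog that the migration is no longer needed, or keep it. Separately, '%config %{_sysconfdir}/bash_completion.d' marks the whole directory rather than the file this package installs into it, so listing the specific completion file would be tighter. The removal of 'Requires: libcap' and of libsemanage from Requires(pre) also deserves a line in the changelog saying which dependency now pulls them in.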
[Freeipa-devel] [PATCH] 0077 Fix ipactl script to manage all instances
Ticket #860 Simo. -- Simo Sorce * Red Hat, Inc * New York From 9a89ffcf05a59e92cec86f9a7b2b93f353ec2cb6 Mon Sep 17 00:00:00 2001 From: Simo Sorce sso...@redhat.com Date: Thu, 27 Jan 2011 17:10:34 -0500 Subject: [PATCH] Make sure all DS instances are managed by ipactl Fixes: https://fedorahosted.org/freeipa/ticket/860 --- install/tools/ipactl | 38 ++ 1 files changed, 18 insertions(+), 20 deletions(-) diff --git a/install/tools/ipactl b/install/tools/ipactl index fc652c9754cf63e8d9d46a3b20866b94df3ab698..20b4a69b704c9004fa9aee40119bdd442a449166 100755 --- a/install/tools/ipactl +++ b/install/tools/ipactl @@ -85,11 +85,11 @@ def get_config(): return svc_list -def ipa_start(serverid): +def ipa_start(): try: print Starting Directory Service -service.start('dirsrv', instance_name=serverid, capture_output=False) +service.start('dirsrv', capture_output=False) except: emit_err(Failed to start Directory Service) return @@ -100,7 +100,7 @@ def ipa_start(serverid): except: emit_err(Failed to read data from Directory Service) emit_err(Shutting down) -service.stop('dirsrv', instance_name=serverid, capture_output=False) +service.stop('dirsrv', capture_output=False) if len(svc_list) == 0: return @@ -120,12 +120,12 @@ def ipa_start(serverid): except: pass try: -service.stop('dirsrv', instance_name=serverid, capture_output=False) +service.stop('dirsrv', capture_output=False) except: pass return -def ipa_stop(serverid): +def ipa_stop(): svc_list = [] try: @@ -135,12 +135,12 @@ def ipa_stop(serverid): # and see if we can get anything. If not throw our hands up and just # exit try: -service.start('dirsrv', instance_name=serverid, capture_output=False) +service.start('dirsrv', capture_output=False) svc_list = get_config() except: emit_err(Failed to read data from Directory Service) emit_err(Shutting down) -service.stop('dirsrv', instance_name=serverid, capture_output=False) +service.stop('dirsrv', capture_output=False) if len(svc_list) == 0: return 
@@ -155,16 +155,16 @@ def ipa_stop(serverid): try: print Stopping Directory Service -service.stop('dirsrv', instance_name=serverid, capture_output=False) +service.stop('dirsrv', capture_output=False) except: emit_err(Failed to stop Directory Service) return -def ipa_restart(serverid): +def ipa_restart(): try: print Restarting Directory Service -service.restart('dirsrv', instance_name=serverid, capture_output=False) +service.restart('dirsrv', capture_output=False) except: emit_err(Failed to restart Directory Service) return @@ -175,7 +175,7 @@ def ipa_restart(serverid): except: emit_err(Failed to read data from Directory Service) emit_err(Shutting down) -service.stop('dirsrv', instance_name=serverid, capture_output=False) +service.stop('dirsrv', capture_output=False) if len(svc_list) == 0: return @@ -195,14 +195,14 @@ def ipa_restart(serverid): except: pass try: -service.stop('dirsrv', instance_name=serverid, capture_output=False) +service.stop('dirsrv', capture_output=False) except: pass return -def ipa_status(serverid): +def ipa_status(): try: -if service.is_running('dirsrv', instance_name=serverid): +if service.is_running('dirsrv'): print Directory Service: RUNNING else: print Directory Service: STOPPED @@ -241,16 +241,14 @@ def main(): api.bootstrap(context='cli', debug=options.debug) api.finalize() -serverid = dsinstance.realm_to_serverid(api.env.realm) - if args[0].lower() == start: -ipa_start(serverid) +ipa_start() elif args[0].lower() == stop: -ipa_stop(serverid) +ipa_stop() elif args[0].lower() == restart: -ipa_restart(serverid) +ipa_restart() elif args[0].lower() == status: -ipa_status(serverid) +ipa_status() try: if __name__ == __main__: -- 1.7.3.5 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
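Review bot: With instance_name dropped, ipa_status reduces to one service.is_running('dirsrv') call and prints a single RUNNING or STOPPED line for what the subject calls all DS instances, and the patch does not show what is_running returns when only some instances are up, so the status can mislead in exactly the situation this change addresses. Report the state per instance, or document what the aggregate means. The error paths in ipa_start and ipa_restart now call service.stop('dirsrv', capture_output=False) without an instance name as well, which stops every instance on the host, including any that IPA does not own; if that is intended, say so in the commit message. After removing 'serverid = dsinstance.realm_to_serverid(api.env.realm)', check whether the dsinstance import is still needed.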
Re: [Freeipa-devel] [PATCH] 0077 Fix ipactl script to manage all instances
Simo Sorce wrote:
Ticket #860 Simo.
ack.
[Freeipa-devel] [PATCH] admiyo-0173-aci-rights-widget
From bfffe1930465ef7af23c1915e8c22719dc6751e0 Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Thu, 27 Jan 2011 20:30:22 -0500 Subject: [PATCH] aci rights widget Fixes is_dirty and save https://fedorahosted.org/freeipa/ticket/77 https://fedorahosted.org/freeipa/ticket/667 --- install/ui/aci.js | 40 +++- install/ui/ipa.js |8 +++- 2 files changed, 38 insertions(+), 10 deletions(-) diff --git a/install/ui/aci.js b/install/ui/aci.js index 3bad384a2b80e3842395ba54004b2808928f28cf..3448b8f457d3bdf0a6a55898761f181a51722512 100644 --- a/install/ui/aci.js +++ b/install/ui/aci.js @@ -222,10 +222,40 @@ IPA.rights_widget = function(spec){ }; var values = []; +function get_selector(){ +return '.'+ that.entity_name +_+ that.name; +} + +that.is_dirty = function(){ + +var checkboxes = $(get_selector()); +var checked = {}; + +checkboxes.each(function (){ +checked[this.id] = this.checked; +}); + +for (var i = 0; i values.length; i +=1){ +var key = values[i]; + +if ( !checked[key] ){ +return true; +} +checked[key] = false; +} + +for (key in checked){ +if (checked[key] ){ +return true; +} +} + +return false; +}; + that.reset = function(){ -var selector = '.'+ that.entity_name +_+ that.name; -var checkboxes = $(selector); +var checkboxes = $(get_selector()); for (var i = 0; i checkboxes.length; i +=1){ checkboxes.attr('checked',''); @@ -233,7 +263,7 @@ IPA.rights_widget = function(spec){ for (var j = 0; j values.length; j +=1){ var value = values[j]; -var cb = $('#'+value+ selector); +var cb = $('#'+value+ get_selector()); cb.attr('checked', 'checked'); } @@ -245,7 +275,7 @@ IPA.rights_widget = function(spec){ }; that.save = function(){ -var rights_input = $('.'+ that.entity_name +_+ that.name); +var rights_input = $(get_selector()+:checked); var retval = ; for (var i =0; i rights_input.length; i+=1){ if (i 0) { 
@@ -592,7 +622,7 @@ IPA.entity_factories.permission = function () { input({ name: 'description'})). section(IPA.rights_section()). section(IPA.target_section())); -return that; + }; diff --git a/install/ui/ipa.js b/install/ui/ipa.js index 128413b1e6b3e65d66062c7b3329cea399b0552b..a5ad6d0625f888a6bbdb4c808a8dbb81a88b264e 100644 --- a/install/ui/ipa.js +++ b/install/ui/ipa.js @@ -155,9 +155,7 @@ var IPA = ( function () { } } return true; -} - - +}; that.show_page = function (entity_name, facet_name) { if (!IPA.test_dirty()){ @@ -170,19 +168,19 @@ var IPA = ( function () { }; that.switch_and_show_page = function (this_entity, facet_name, pkey) { - if (!IPA.test_dirty()){ return false; } if (!pkey){ that.show_page(this_entity, facet_name); -return; +return false; } var state = {}; state[this_entity+'-pkey'] = pkey; state[this_entity + '-facet'] = facet_name; $.bbq.pushState(state); +return true; }; return that; -- 1.7.3.5 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
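Review bot: In ipa.js, switch_and_show_page now ends the no-pkey branch with 'return false' right after calling that.show_page(this_entity, facet_name), which is the same value it returns when IPA.test_dirty() refuses the switch, so a caller cannot tell a blocked navigation from one that was handed on to show_page. Return the result of show_page there instead. In aci.js, is_dirty returns true as soon as an entry of values has no checkbox with a matching id, because checked[key] is then undefined; if the loaded record can contain a right that the widget does not render, the widget reports dirty permanently, so either skip unknown values or note that the checkbox set is assumed to be complete.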
[Freeipa-devel] FreeIPA Logging (Not Auditing... yet)
I have been working with the project for a while now and it has dawned on me that the FreeIPA ipalib plugins don't really have a syslog library that they output with.

So far I've really just been troubleshooting and getting around with:
/var/log/httpd/access_log
/var/log/httpd/error_log
/var/log/dirsrv/slapd-DOMAIN/access
/var/log/dirsrv/slapd-DOMAIN/error

This is useful, but it is verbose and doesn't quite capture the cli/webui interactions in 1 line.

[27/Jan/2011:17:46:59 -0800] conn=40 op=7 ADD dn=fqdn=test1.example.com,cn=computers,cn=accounts,dc=example,dc=com
[27/Jan/2011:17:46:59 -0800] conn=40 op=7 RESULT err=0 tag=105 nentries=0 etime=0
Etc, etc, etc…

The cli does a good job of expressing itself to standard out when a command is successfully/unsuccessfully run.

I am wondering what the group thinks about the idea of a library that can be loaded either by the api or the plugin itself, to pass the relevant bits of data that end up going to standard out, into a format that would be sane to send to a syslog stream.

I'm thinking of something that shows: time/date authenticated_user plugin usage / modification

Something like:
kinit admin
ipa host-add test1.example.com

std out
---
Added host test1.example.com
---
Host name: test1.example.com
Principal name: host/test1.example@example.com
Managed by: test1.example.com

syslog
Jan 26 17:46:45 auth1.example.com FreeIPA: user=admin cmd=host-add hostname=test1.example.com principal=host/test1.example@example.com managedby=test1.example.com

It feels like this should be fairly straightforward to address as a library at either the api level or at the plugin level. Python actually has a very competent syslog library; I helped to contribute the patch that brought TCP support.

What does everyone else think? Am I thinking too simplistically? Is the output from standard out much more complex to lasso around? Is there a better approach to capturing the user input and interaction?

-JR
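One way the one-line syslog record proposed in the post above could be built, as an added example that is not part of the original message or of FreeIPA's code: it emits the post's user=/cmd=/option fields, redacts secret options, and escapes control characters so that an option value cannot forge a second log record. The function names, the logger name and the list of sensitive option names are assumptions; the sample calls are constructed.

```python
import logging
import logging.handlers
import re

# Assumed option names whose values must never be written to a log stream.
SENSITIVE_KEYS = frozenset({"password", "userpassword", "random_password"})

# Values made only of these characters are written bare, as in the post's sample.
BARE_VALUE = re.compile(r"[A-Za-z0-9_.@/:+-]+")


def encode_value(value):
    """Render one value so it cannot break out of its key=value field."""
    text = str(value)
    # fullmatch, not match with "$": "$" would accept a trailing newline.
    if BARE_VALUE.fullmatch(text):
        return text
    escaped = text.replace("\\", "\\\\").replace('"', '\\"')
    # Control characters (CR, LF, ...) become visible \uXXXX escapes, so a
    # value can never start a second, forged syslog record.
    escaped = "".join(
        ch if ch.isprintable() else "\\u%04x" % ord(ch) for ch in escaped
    )
    return '"%s"' % escaped


def format_audit_line(user, command, params):
    """Build the one-line record: user=... cmd=... then the command options."""
    fields = [("user", user), ("cmd", command)]
    for key, value in params.items():
        safe_key = re.sub(r"[^A-Za-z0-9_]", "_", str(key))
        if safe_key.lower() in SENSITIVE_KEYS:
            value = "REDACTED"
        elif isinstance(value, (list, tuple)):
            value = ",".join(str(item) for item in value)
        fields.append((safe_key, value))
    return " ".join("%s=%s" % (k, encode_value(v)) for k, v in fields)


class ListHandler(logging.Handler):
    """Stand-in for SysLogHandler that keeps formatted records in memory."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def make_audit_logger(handler):
    """Attach handler to a dedicated logger that tags records 'FreeIPA:'."""
    logger = logging.getLogger("ipa.audit.example")  # hypothetical logger name
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler.setFormatter(logging.Formatter("FreeIPA: %(message)s"))
    logger.handlers = [handler]
    return logger


def audit(logger, user, command, params):
    # The line is passed as an argument, never as the format string.
    logger.info("%s", format_audit_line(user, command, params))


if __name__ == "__main__":
    # On a real host the handler would be, for example:
    #   logging.handlers.SysLogHandler(address="/dev/log",
    #       facility=logging.handlers.SysLogHandler.LOG_AUTHPRIV)
    # and the syslog daemon adds the timestamp and host name.
    handler = ListHandler()
    log = make_audit_logger(handler)
    # Constructed sample calls, modelled on the host-add example in the post.
    audit(log, "admin", "host-add", {"hostname": "test1.example.com"})
    audit(log, "admin", "user-add", {"uid": "jdoe", "password": "s3cret"})
    audit(log, "admin", "host-mod", {
        "hostname": "test1.example.com",
        "description": "x\nJan 26 17:46:45 auth1 FreeIPA: user=admin cmd=user-del",
    })
    for line in handler.lines:
        print(line)
```

Hooking audit() into the point where a command finishes, rather than parsing what the CLI prints, keeps the record identical for CLI and web UI callers.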
Re: [Freeipa-devel] [PATCH] 0015 block anonymous access to sudo info
On 01/27/2011 06:21 PM, JR Aquino wrote:
Aci patch to block anonymous access to sudo info
https://fedorahosted.org/freeipa/ticket/865
ACK
Pushed to Master
Here's how I tested, in case you are concerned.
Without Patch applied, ran LDAP query and saw the SUDO Command I had just created
Applied patch, uninstalled and reinstalled, created SUDO Command and I did not see it in the LDAP query
Re: [Freeipa-devel] [PATCH] 0074 Add requires
Dmitri Pal d...@redhat.com wrote:
On 01/27/2011 05:27 AM, Jan Zelený wrote:
Simo Sorcesso...@redhat.com wrote:
First part of ticket #855 Add the requires we will need on F15, tested against jdennis ipa-devel repo, works as expected. Simo.
The patch is obviously ok, so ack from this point of view. But I would just like to know if it is necessary. I just inspected F15 pki-ca package from nightly repo - it does Require pki-ca-theme= 9.0.0 (which is provided by dogtag-pki-ca-theme) and we will be requiring pki-ca. I suspect similar situation will be for dogtag-pki-common-theme. So I don't see why we should explicitly Require both packages ourselves.
Have you seen the explanation that Matthew Harmsen put together about all the theme packages? I do not know if this would make things cleaner. I will send it off list.
Yes, I've read it and I understand now. Thanks for the info.
Jan