Re: [Freeipa-devel] [PATCH] Don't load the LDAP schema during startup
Jan Zelený wrote:
Loading of the schema is now performed in the first request that requires it.
https://fedorahosted.org/freeipa/ticket/583
Jan

Rob Crittenden rcrit...@redhat.com wrote:
We still need to enforce that we get the schema, some low-level functions depend on it. Also, if the UI doesn't get its aciattrs (which are derived from the schema) then nothing will be editable. I'm getting this backtrace if I force no schema by disabling get_schema:

Jan Zelený wrote:
Ok, I'm sending new version, it should handle these exceptions better and the operation should fail if it needs the schema and the schema is not available for some reason.

Rob Crittenden rcrit...@redhat.com wrote:
This breaks the XML-RPC server. I fixed one problem:

--- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -253,9 +253,10 @@ class ldap2(CrudBackend, Encoder): def get_syntax(self, attr, value): if not self.schema: -self.schema = get_schema(self.ldap_uri, self.conn) -if not self.schema: +schema = get_schema(self.ldap_uri, self.conn) +if not schema: return None +object.__setattr__(self, 'schema', schema) obj = self.schema.get_obj(_ldap.schema.AttributeType, attr) if obj is not None: return obj.syntax

But simply things like get_entry() return an InternalError now. I'm not sure where you were going by adding this.
rob

Jan Zelený jzel...@redhat.com wrote:
Ok, no problem. It's possible that I simply made a mistake thinking I can do something in Python what is not really possible. About that InternalError: I think raising InternalError when we cannot load the schema to do the decoding is the right thing to do. Do you have a better solution? I thought about returning empty result, but that would mean we have to check the result in every function that is calling them and raising InternalError there.

I'm sending updated patch. I modified the get_syntax() as you suggested and I slightly modified raising that InternalError - currently it isn't raised when results from get_entry() are not required by calling method. Currently I'm running some tests, preliminary results looked ok.

-- Thank you
Jan Zeleny
Red Hat Software Engineer
Brno, Czech Republic

From bdab2d3b9b8a7397e13acdad9d2809ae355cd5a7 Mon Sep 17 00:00:00 2001
From: Jan Zeleny jzel...@redhat.com
Date: Tue, 15 Feb 2011 09:37:58 +0100
Subject: [PATCH] Don't load the LDAP schema during startup

https://fedorahosted.org/freeipa/ticket/583

--- ipalib/encoder.py | 11 +++-- ipalib/plugins/baseldap.py | 21 - ipalib/plugins/dns.py |2 +- ipalib/plugins/host.py |2 +- ipalib/plugins/permission.py|4 +- ipalib/plugins/sudocmd.py |2 +- ipaserver/install/dsinstance.py |2 +- ipaserver/plugins/ldap2.py | 90 --- 8 files changed, 96 insertions(+), 38 deletions(-)
diff --git a/ipalib/encoder.py b/ipalib/encoder.py index f23e5659e848d37db1072ff59aa7e11796b0836c..fbcae1739ee6541bdb989d6d01f8a4c9fb614b62 100644 --- a/ipalib/encoder.py +++ b/ipalib/encoder.py @@ -56,11 +56,12 @@ class Encoder(object): self.encoder_settings = EncoderSettings() def _decode_dict_val(self, key, val): -f = self.encoder_settings.decode_dict_vals_table.get( -self.encoder_settings.decode_dict_vals_table_keygen(key, val) -) +k = self.encoder_settings.decode_dict_vals_table_keygen(key, val) +if k is False: +return False +f = self.encoder_settings.decode_dict_vals_table.get(key) if f: -return val +return f(val) return self.decode(val) def encode(self, var): @@ -155,6 +156,8 @@ class Encoder(object): self.encoder_settings.decode_postprocessor = lambda x: x for (k, v) in dct.iteritems(): dct[k] = self._decode_dict_val(k, v) +if dct[k] is False: +return False if not self.encoder_settings.decode_dict_vals_postprocess: self.encoder_settings.decode_postprocessor = tmp return dct diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 3cb72d7b09cc8c8a77bd4e594660ee376d668013..adc19fec8ff96eef2750ad08715e9324c1c536c6 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -189,6 +189,9 @@ def get_effective_rights(ldap, dn, attrs=None): if attrs is None: attrs = ['*', 'nsaccountlock', 'cospriority'] rights = ldap.get_effective_rights(dn, attrs) +if rights[1] in None: +return None + rdict = {} if 'attributelevelrights' in rights[1]: rights =
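Review bot: the `object.__setattr__(self, 'schema', schema)` line in the get_syntax hunk needs a comment saying why plain `self.schema = ...` (the line being removed) cannot be used on this backend object; without it the next reader will "simplify" it back to the assignment that broke the XML-RPC server.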
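Review bot: in the first encoder.py hunk the key returned by `decode_dict_vals_table_keygen(key, val)` is bound to `k` but the lookup now reads `decode_dict_vals_table.get(key)`, so the table is indexed by the raw attribute name and `k` only acts as a sentinel; if that is intended, say so in a comment, otherwise it should be `.get(k)` as before. The same hunk changes `return val` to `return f(val)`, a behaviour change the commit message does not mention, and uses `False` as the "no schema" signal, which is indistinguishable from a legitimately decoded boolean False.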
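Review bot: the `if dct[k] is False: return False` added inside the `for (k, v) in dct.iteritems()` loop returns before the `self.encoder_settings.decode_postprocessor = tmp` restore at the end of the method, so one failed decode leaves the encoder's postprocessor replaced by the identity lambda for every later call; wrap the loop in try/finally or break and return after the restore.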
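Review bot: `if rights[1] in None:` in the get_effective_rights hunk raises TypeError at runtime (`in` needs an iterable on the right), so the check meant to handle the missing-schema case crashes every call; it should read `if rights[1] is None:`.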
[Freeipa-devel] [PATCH] 065 Replace only if old and new have nothing in common
https://fedorahosted.org/freeipa/ticket/1000

I hope this doesn't break anything.. my testing went OK. I've seen some unit test failures (group tests, for instance), but they don't seem to be related.

From 260e39be806c6c95376ab7c6266654bac436bca4 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek jhro...@redhat.com
Date: Wed, 23 Feb 2011 06:32:01 -0500
Subject: [PATCH] Replace only if old and new have nothing in common

https://fedorahosted.org/freeipa/ticket/1000

--- ipaserver/plugins/ldap2.py |2 +- 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index d1e31f5..8eefa3b 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -798,7 +798,7 @@ class ldap2(CrudBackend, Encoder): force_replace = False if k in self._FORCE_REPLACE_ON_UPDATE_ATTRS or is_single_value: force_replace = True -elif len(adds) == 1 and len(rems) == 1: +elif len(v.intersection(old_v)) == 0: force_replace = True if adds: -- 1.7.4

___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
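Review bot: `len(v.intersection(old_v)) == 0` is also true when `v` is empty (the caller removed every value), so such updates now take the `force_replace` path instead of explicit deletes; confirm that the `if adds:` code below does the right thing with `force_replace` set and `adds` empty (a replace with an empty list), and that `v` and `old_v` are always sets at this point, since a list has no `.intersection`.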
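The rule change in this patch, as an added stand-alone example (not FreeIPA's ldap2.py): a modlist builder that takes the pre- and post-patch `force_replace` rules as pluggable functions and shows which updates each one turns into a single replace versus add/delete pairs. The `MOD_*` names mimic python-ldap but are plain strings, and `FORCE_REPLACE_ON_UPDATE_ATTRS` is a stand-in for the class attribute in the hunk, so the example runs without the ldap module.

```python
# Added example, not FreeIPA code. Plain-string stand-ins for python-ldap's
# MOD_ADD / MOD_DELETE / MOD_REPLACE so this runs without the ldap module.
MOD_ADD = "add"
MOD_DELETE = "delete"
MOD_REPLACE = "replace"

# Assumed stand-in for ldap2._FORCE_REPLACE_ON_UPDATE_ATTRS (hypothetical contents).
FORCE_REPLACE_ON_UPDATE_ATTRS = {"nsaccountlock"}


def force_replace_old(new_v, old_v, adds, rems):
    """Rule before patch 065: exactly one value added and one removed."""
    return len(adds) == 1 and len(rems) == 1


def force_replace_new(new_v, old_v, adds, rems):
    """Rule after patch 065: the new and old value sets share nothing."""
    return len(new_v.intersection(old_v)) == 0


def build_modlist(old_entry, new_entry, single_value=(), rule=force_replace_new):
    """Compute LDAP modify operations that turn old_entry into new_entry.

    Both entries map attribute name -> iterable of values. Returns a list of
    (op, attr, sorted_values) tuples, so results are deterministic.
    """
    modlist = []
    for k, v in new_entry.items():
        v = set(v)
        old_v = set(old_entry.get(k, ()))
        adds = v - old_v
        rems = old_v - v
        if not adds and not rems:
            continue  # attribute unchanged, nothing to send
        force_replace = False
        if k in FORCE_REPLACE_ON_UPDATE_ATTRS or k in single_value:
            force_replace = True
        elif rule(v, old_v, adds, rems):
            force_replace = True
        if force_replace:
            # One replace installs the new value set atomically; an empty set
            # removes the attribute. This avoids the transient state in which
            # the entry briefly holds both old and new values, or none at all.
            modlist.append((MOD_REPLACE, k, sorted(v)))
        else:
            if adds:
                modlist.append((MOD_ADD, k, sorted(adds)))
            if rems:
                modlist.append((MOD_DELETE, k, sorted(rems)))
    return modlist


if __name__ == "__main__":
    old = {"mail": ["a@example.test", "b@example.test"]}
    for new in ({"mail": ["b@example.test", "c@example.test"]},
                {"mail": ["c@example.test", "d@example.test"]},
                {"mail": []}):
        print(new["mail"])
        print("  old rule:", build_modlist(old, new, rule=force_replace_old))
        print("  new rule:", build_modlist(old, new, rule=force_replace_new))
```

The two rules disagree on overlapping updates ({a,b} -> {b,c} is one add and one remove, so the old rule forced a replace while the new one does not) and on disjoint multi-value updates ({a,b} -> {c,d}), which the new rule now sends as a single replace.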
Re: [Freeipa-devel] [PATCH] 113 Fixed buttons for DNS records.
On 02/22/2011 06:18 PM, Endi Sukma Dewata wrote:
The order of the Add and Delete buttons has been reversed to be consistent with those in other facets.

ACK pushed to master
Re: [Freeipa-devel] [PATCH] 113 Fixed buttons for DNS records.
On 02/22/2011 06:18 PM, Endi Sukma Dewata wrote:
The order of the Add and Delete buttons has been reversed to be consistent with those in other facets.

ACK. Pushed to master
[Freeipa-devel] [PATCH] one liner to add new image for banner text.
pushed to master under the one line rule

commit 49b2c0bb6203d23ff0c56945b447b7da8f2a3f84
Author: Adam Young ayo...@redhat.com
Date: Wed Feb 23 11:23:16 2011 -0500

splitting banner requires new file in Makefile.am

diff --git a/install/ui/Makefile.am b/install/ui/Makefile.am index e6ffed1..e8c11c2 100644 --- a/install/ui/Makefile.am +++ b/install/ui/Makefile.am @@ -48,6 +48,7 @@ app_DATA = \ widget.js \ user.js \ ipalogo.png \ + ipabanner.png \ gray-fade-line.png \ Mainnav-background.png \ Mainnav-offtab.png \
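Review bot: the commit touches only Makefile.am while adding `ipabanner.png` to `app_DATA`; unless the image itself is already tracked or goes in with the same push, `make install` fails on the missing file, so the commit message should say where the image comes from.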
Re: [Freeipa-devel] [PATCH] 20 Create default disabled sudo bind user
On 2/22/11 7:45 PM, JR Aquino jr.aqu...@citrix.com wrote:
This patch addresses ticket #998

It adds:
* ldif to create a default sudo bind user: dn: uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX
* modifications to dsinstance.py to add the ldif
* modifications to dsinstance.py to add a call to ipautil.ipa_generate_password() for a random password. It is added to the sub_dict as 'RANDOM_PASSWORD'
* addition to the Makefile.am in install/share to account for the new ldif file

Corrections / Additions:
* Correction to dsinstance.py to remove the unnecessary sha1 call and library
* Addition of docstring for the ipa help sudorule to explain usage of the sudo binddn

freeipa-jraquino-0020-Create-default-disabled-sudo-bind-user.patch
Re: [Freeipa-devel] [PATCH] 739 update permission help text
On Tue, Feb 22, 2011 at 01:38:11PM -0500, Rob Crittenden wrote:
Based on feedback from David here is a hopefully clearer description of permissions.
ticket 996
rob

Jakub Hrozek wrote:
I think you sent a wrong patch, this is the default.conf manpage one.

On Tue, Feb 22, 2011 at 03:24:01PM -0500, Rob Crittenden wrote:
D'oh, here you go.
rob

Jakub Hrozek wrote:
I agree with the changes, but now I realized that davido mentioned privilege not permission. The privilege docstring contains the same errors as permission, can you also copy the changes into ipalib/plugins/privilege.py ?

Rob Crittenden wrote:
Good idea, updated patch attached.
rob

David O'Brien wrote:
This is heaps better. ACK

pushed to master
Re: [Freeipa-devel] [PATCH] 738 default.conf man page
Rob Crittenden wrote:
Add a man page for the IPA configuration file default.conf.
ticket 969
rob

David O'Brien wrote:
NACK
A few too many typos and other errors.

"Spaces between the equals sign are ignored."
Do you mean, "Spaces surrounding equals signs are ignored."?

+Specifies the base DN to use when performan LDAP operations.
performing

+Specfies the secure CA agent port. The defauilt is 9443.
Specifies
default

+Specifies the unsecure CA end user port. The default is 9190.
insecure

"For example. if you want to always perform client requests in verbose mode but do not want to have verbose enabled on the server add the verbose option to \fI/etc/ipa/cli.conf\fR."
comma after example, not a period. add a comma after "enabled on the server"

+Specifies whether the CA is acting is an RA agent,
as an RA agent

+Specifies the name of the CA backend to use. The current options are \fBselfsign\fR and \fBdogtag\fR. This is a server\-side setting. Changing this value is not recommended as the CA backend is only set up during ininitial installation.
s/backend/back end/
s/selfsign/self-sign/
s/ininitial/initial/

+Specifies the kerberos realm.
Kerberos

"...and show the server(s) the client contacts."
s/server(s)/servers/

+user IPA configurationf ile
configuration file

+Optional configuration files used in a particular context are. The value of mode is used to attempt to load these files, if they exist:
I'm not sure what this means

Rob Crittenden wrote:
Fixes applied.
rob

David O'Brien wrote:
+Specfies the secure CA agent port. The default is 9443.
Specifies

Changing this value is not recommended as the CA backend is only set up during initial installation.
s/backend/back end/

+Optional configuration files used in a particular context are. The value of the context setting (\fBcli\fR or \fBserver\fR) is used to attempt to load these files, if they exist:
I still don't understand this. Bear in mind that I'm reading the raw patch; I haven't applied it or tried to format this as a man page. Maybe that would help.

Everything else is fine. ACK with those couple of fixes.
/dob

Fixed, pushed to master. I added a bit more discussion about the context-specific files. I think it is clearer now.
rob
Re: [Freeipa-devel] [PATCH] 20 Create default disabled sudo bind user
On 2/22/11 7:45 PM, JR Aquino jr.aqu...@citrix.com wrote:
This patch addresses ticket #998

It adds:
* ldif to create a default sudo bind user: dn: uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX
* modifications to dsinstance.py to add the ldif
* modifications to dsinstance.py to add a call to ipautil.ipa_generate_password() for a random password. It is added to the sub_dict as 'RANDOM_PASSWORD'
* addition to the Makefile.am in install/share to account for the new ldif file

Corrections / Additions:
* Correction to dsinstance.py to remove the unnecessary sha1 call and library
* Addition of docstring for the ipa help sudorule to explain usage of the sudo binddn

On Wed, 23 Feb 2011 13:50:37 -0500 Rob Crittenden rcrit...@redhat.com wrote:
We need to make sure we don't log random passwords. Can you add this to your patch?

--- service.py 2011-02-14 20:18:23.0 -0500 +++ /tmp/service.py 2011-02-23 13:49:56.0 -0500 @@ -137,6 +137,8 @@ # do not log passwords if sub_dict.has_key('PASSWORD'): nologlist = sub_dict['PASSWORD'], +if sub_dict.has_key('RANDOM_PASSWORD'): +nologlist = sub_dict['RANDOM_PASSWORD'],

On 2/23/11 11:23 AM, Simo Sorce sso...@redhat.com wrote:
Should you append to nologlist ? If I read this right otherwise you'll replace the previous one.

Simo.

New corrections posted for the full patch.

Adding a correction to nologlist to initialize it as a dict rather than a tuple. Then correctly appending the various sub_dict objects to the list.

Also corrected 2 trailing whitespace bugs that were present in the previous patch.

freeipa-jraquino-0020-Create-default-disabled-sudo-bind-user.patch
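Review bot: `nologlist = sub_dict['RANDOM_PASSWORD'],` in the service.py hunk builds a new one-element tuple and overwrites the `nologlist` assigned two lines earlier for `PASSWORD`, so a template that carries both keys has only the random password suppressed from the log (Simo's point); use `nologlist += (sub_dict['RANDOM_PASSWORD'],)` or make `nologlist` a list and append to it.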
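The logging concern raised in this thread, as an added example that is not FreeIPA's service.py: a template filler in the style of the sudo bind user ldif that collects every secret substitution into a list (appending, as Simo asked for, rather than re-assigning a tuple) and masks those values before the rendered LDIF is logged. The template text, the object classes in it and the sample passwords are constructed for the example; only the DN comes from the patch description.

```python
# Added example, not FreeIPA code: fill an LDIF template and log it with every
# secret substitution masked. Template contents are constructed for the example.
import logging
import re

# Constructed template; the dn matches the patch description, the rest is assumed.
SUDO_BIND_TEMPLATE = """dn: uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: sudo
userPassword: $RANDOM_PASSWORD
"""

# Keys whose values must never reach a log; mirrors PASSWORD / RANDOM_PASSWORD
# from the hunk above.
SECRET_KEYS = ("PASSWORD", "RANDOM_PASSWORD")


def template_str(txt, sub_dict):
    """Replace every $KEY in txt with sub_dict[KEY]; unknown keys stay as-is."""
    return re.sub(r"\$([A-Z_][A-Z0-9_]*)",
                  lambda m: str(sub_dict.get(m.group(1), m.group(0))), txt)


def nolog_values(sub_dict, secret_keys=SECRET_KEYS):
    """Collect every secret present in sub_dict. A list that is appended to,
    not a one-element tuple that is re-assigned, so a second key does not
    overwrite the first."""
    nologlist = []
    for key in secret_keys:
        if key in sub_dict:
            nologlist.append(sub_dict[key])
    return nologlist


def redact(txt, nologlist, mask="XXXXXXXX"):
    """Mask each secret value in txt. Empty secrets are skipped: str.replace
    with an empty needle would insert the mask between every character."""
    for secret in nologlist:
        if secret:
            txt = txt.replace(secret, mask)
    return txt


def render_ldif(sub_dict, log=logging.getLogger("ldif")):
    """Return (ldif_to_apply, ldif_safe_to_log); only the second is logged."""
    filled = template_str(SUDO_BIND_TEMPLATE, sub_dict)
    safe = redact(filled, nolog_values(sub_dict))
    log.debug("applying LDIF:\n%s", safe)
    return filled, safe


if __name__ == "__main__":
    # Constructed sample values; a real run would use ipa_generate_password().
    sample = {"SUFFIX": "dc=example,dc=test",
              "RANDOM_PASSWORD": "constructed-random-pw"}
    _, loggable = render_ldif(sample)
    print(loggable)
```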
[Freeipa-devel] [PATCH] 114 Save changes before modifying association.
In a details page, usually any changes done to the fields will not be applied until the user clicks the Update button. However, if the page contains an association table, any addition/deletion to the table will be applied immediately.

To avoid any confusion, the user is now required to save or reset all changes to the page before modifying the association. A dialog box will appear if the page contains any unsaved changes.

-- Endi S. Dewata

From e3e26e9dae6ad228c6bbbe98e649e3e0abbd2131 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Wed, 23 Feb 2011 12:35:45 -0600
Subject: [PATCH] Save changes before modifying association.

In a details page, usually any changes done to the fields will not be applied until the user clicks the Update button. However, if the page contains an association table, any addition/deletion to the table will be applied immediately. To avoid any confusion, the user is now required to save or reset all changes to the page before modifying the association. A dialog box will appear if the page contains any unsaved changes.

--- install/ui/associate.js | 42 -- install/ui/ipa.js |4 +- install/ui/test/data/i18n_messages.json |3 +- install/ui/test/data/ipa_init.json |3 +- ipalib/plugins/internal.py |7 +++-- 5 files changed, 49 insertions(+), 10 deletions(-)

diff --git a/install/ui/associate.js b/install/ui/associate.js index 600cd55c3abb99f810c8e322da83262c21b5e2c3..2f1a28d5a66e989d562c3605fa335763bcd00324 100644 --- a/install/ui/associate.js +++ b/install/ui/associate.js
@@ -351,6 +351,28 @@ IPA.association_table_widget = function (spec) { that.table_setup(container); +var dialog = $('div/', { +html: IPA.messages.dialogs.dirty_message +}).appendTo(container); + +var buttons = {}; + +buttons[IPA.messages.buttons.ok] = function() { +dialog.dialog('close'); +}; + +dialog.dialog({ +autoOpen: false, +title: IPA.messages.dialogs.dirty_title, +modal: true, +width: '20em', +buttons: buttons +}); + +var entity = IPA.get_entity(that.entity_name); +var facet_name = IPA.current_facet(entity); +var facet = entity.get_facet(facet_name); + var button = $('input[name=remove]', container); button.replaceWith(IPA.action_button({ 'label': button.val(), @@ -359,7 +381,13 @@ IPA.association_table_widget = function (spec) { if ($(this).hasClass('action-button-disabled')) { return false; } -that.show_remove_dialog(); + +if (facet.is_dirty()) { +dialog.dialog('open'); +} else { +that.show_remove_dialog(); +} + return false; } })); @@ -369,8 +397,16 @@ IPA.association_table_widget = function (spec) { 'label': button.val(), 'icon': 'ui-icon-plus', 'click': function() { -if ($(this).hasClass('action-button-disabled')) return false; -that.show_add_dialog(); +if ($(this).hasClass('action-button-disabled')) { +return false; +} + +if (facet.is_dirty()) { +dialog.dialog('open'); +} else { +that.show_add_dialog(); +} + return false; } })); diff --git a/install/ui/ipa.js b/install/ui/ipa.js index 2c07d742a71b3e0428eac0637fc75f5fc0419280..ec15332f4a3d56fd54412bba99898b8e73986ef4 100644 --- a/install/ui/ipa.js +++ b/install/ui/ipa.js @@ -137,7 +137,7 @@ var IPA = ( function () { var facet = IPA.current_entity.facets_by_name[facet_name]; if (facet.is_dirty()){ var message_box = $(div/,{ -html: IPA.messages.dirty +html: IPA.messages.dialogs.dirty_message }). appendTo($(#navigation)); @@ -148,7 +148,7 @@ var IPA = ( function () { }; message_box.dialog({ -title: 'Dirty', +title: IPA.messages.dialogs.dirty_title, modal:true, width: '20em', buttons: buttons 
diff --git a/install/ui/test/data/i18n_messages.json b/install/ui/test/data/i18n_messages.json index f5aa841ec1483618a3851871362477e2a6756241..076bdbf4c94694401f8079e1f5adfc189473dce4 100644 --- a/install/ui/test/data/i18n_messages.json +++ b/install/ui/test/data/i18n_messages.json @@ -42,12 +42,13 @@ }, dialogs: { available: Available, +dirty_message: This page has unsaved changes.
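Review bot: in the first associate.js hunk `facet` is resolved once at table setup time via `IPA.get_entity(that.entity_name)` / `IPA.current_facet(entity)` and then captured by the click handlers; if the widget is set up while a different facet is current, `facet.is_dirty()` in the handlers checks the wrong facet. Resolving the facet inside the click handlers, or passing it in through `spec`, avoids the stale capture.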
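Review bot: the add-button hunk repeats the `if (facet.is_dirty()) { dialog.dialog('open'); } else { ... }` block from the remove-button hunk verbatim; a small helper on `that` taking the action callback would keep the two in step the next time the dirty handling changes.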
[Freeipa-devel] [PATCH] 741 fix sudocmd membership
We weren't searching the cn=sudo container so all members of a sudocmdgroup looked indirect.

Add a label for sudo command groups.

Update the tests to include verifying that membership is done properly.

ticket 1003
rob

freeipa-rcrit-741-sudocmd.patch
Re: [Freeipa-devel] [PATCH] 742 Sudo command groups are not supposed to allow nesting
On 02/23/2011 05:15 PM, Rob Crittenden wrote:
It was a design decision to now allow nesting sudo command groups, remove it.

*Not* allow, right?

ticket 1004
rob

-- Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project, Red Hat Inc.
--- Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
On Tue, 15 Feb 2011 15:19:50 +0100 Pavel Zuna pz...@redhat.com wrote:
I can't reproduce this. :-/ For me it goes fine:

[root@ipadev tools]# ./ipa-nis-manage enable
Directory Manager password:
Enabling plugin
This setting will not take effect until you restart Directory Server.
The rpcbind service may need to be started.

On 2/15/11 6:52 AM, Simo Sorce sso...@redhat.com wrote:
Pavel, Jr has set the minimum ssf to a non default value to test a configuration in which all communications are required to be encrypted. That's why you can't reproduce with the vanilla configuration. We want to support that mode although it won't be the default, so we need to fix any issue that causes that configuration to break (ie all non-encrypted/non-ldapi connections).

Simo.
-- Simo Sorce * Red Hat, Inc * New York

On 2011-02-15 16:36, JR Aquino wrote:
The best way to do this is:
-=-
service ipa stop
Edit /etc/dirsrv/slapd-DOMAIN/dse.ldif
Change: nsslapd-minssf: 0
To: nsslapd-minssf: 56
- 56 is chosen because SASL communicates a 56bit handshake even though we utilize a much stronger cipher... (It is a known bug/feature)
service ipa start

I tried to use the LDAPUpdate class (ipaserver/install/ldapupdate.py) with ldapi=True, but it raises a NotFound exception when trying to call IPAdmin.do_external_bind() (ipaserver/ipaldap.py). This exception originates in IPAdmin.__lateinit() when trying to retrieve this cn=config,cn=ldbm database,cn=plugins,cn=config

For some reason it looks like this entry is inaccessible when doing a SASL EXTERNAL bind as root.

I can retrieve the entry as cn=directory manager:

[root@vm-090 freeipa]# ldapsearch -D cn=directory manager -W -H ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b cn=config,cn=ldbm database,cn=plugins,cn=config -s one
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base cn=config,cn=ldbm database,cn=plugins,cn=config with scope oneLevel
# filter: (objectclass=*)
# requesting: ALL
#

# default indexes, config, ldbm database, plugins, config
dn: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: default indexes

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

but not as root:

[root@vm-090 freeipa]# ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b cn=config
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base cn=config with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# SNMP, config
dn: cn=SNMP,cn=config
objectClass: top
objectClass: nsSNMP
cn: SNMP
nsSNMPEnabled: on

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 2.16.840.1.113730.3.4.9
cn: VLV Request Control

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

I'm not sure what the problem is, I tried setting different SASL security properties, but nothing helped. :( Next step is to analyze DS logs, but before I do that, I wanted to ask if anyone has any tips on what the solution might be.

Pavel
Re: [Freeipa-devel] [PATCH] 742 Sudo command groups are not supposed to allow nesting
Rob Crittenden wrote:
It was a design decision to now allow nesting sudo command groups, remove it.
ticket 1004
rob

Updated patch attached. This is going to require an API change.

rob

freeipa-rcrit-742-2-sudocmdgroup.patch
Re: [Freeipa-devel] Localization patches.
Pavel Zůna wrote:
Rebased patch 81 and 83 (pygettext). Created a new patch to fix these latest test failures - it was easier than doing a complex rebase. All latest versions of localization patches are attached to this email for review. I tried to apply them on a clean master clone, build RPMs, installed and run all unit tests. So hopefully, we're finally going to get this in. :)
Pavel

On 2011-02-23 20:26, Rob Crittenden wrote:
I don't understand some of these (and past changes):

- Updated patch 83-2 just changes the commit message slightly

I rebased everything and did, generated new patches and did a diff to see if anything has changed. This patch had differences in line numbers, so I decided to make a new one, just to make sure it applies cleanly on master.

- Patch 84 comments out several lines in the tests. There isn't any explanation what these changes do and why they are needed. It seems to be disabling a confirmation that changing locale works.

It comments out parts that test the deprecated code removed by patch 69. I probably should have removed the lines completely, but wanted to keep them for reference - guess there's no point really. We no longer setup languages in the code, but rather get them from what is passed from the terminal OR from what is requested over XML-RPC. All localization code that uses the context thread local variable doesn't work anyway - that's why the tests were failing.

- Patch 82 drops a bunch of the old ugettext code which is fine, but I think one of the purposes was to make sure that translation was occurring.

- Patch 82 in test_text.py changing the languages is removed. Are we really exercising this code?

Same deal as 84.

rob

Pavel
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
On Wed, 23 Feb 2011 23:41:33 +0100 Pavel Zůna pz...@redhat.com wrote:
I'm not sure what the problem is, I tried setting different SASL security properties, but nothing helped. :( Next step is to analyze DS logs, but before I do that, I wanted to ask if anyone has any tips on what the solution might be.

We have very strict ACIs when using EXTERNAL SASL as root. Is there any reason you need to operate as root? You can also authenticate with SIMPLE (Dir Mgr credentials), or SASL/GSSAPI if you have credentials.

If you need to run unattended as root then we may need to make root+SASL/EXTERNAL more powerful but I'd like to understand exactly why you need that and can't use regular authentication with DirMgr or GSSAPI credentials.

Simo.
-- Simo Sorce * Red Hat, Inc * New York
[Freeipa-devel] [PATCH] 115 Fixed attribute for SUDO command group membership.
The correct attribute name for SUDO command group membership is memberof_sudocmdgroup and it contains the group name instead of dn.

-- Endi S. Dewata

From db1bb27fe8fd3f04ae976e2b0ab6444e033299d5 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Wed, 23 Feb 2011 17:15:42 -0600
Subject: [PATCH] Fixed attribute for SUDO command group membership.

The correct attribute name for SUDO command group membership is memberof_sudocmdgroup and it contains the group name instead of dn.

--- install/ui/sudocmd.js |7 ++- 1 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/install/ui/sudocmd.js b/install/ui/sudocmd.js index b98f2d4dc9a33894cf69dd4df981437c7482bbf9..748ec4b8862aa94fd9346e3a155e44ed52f3f4ca 100644 --- a/install/ui/sudocmd.js +++ b/install/ui/sudocmd.js @@ -115,7 +115,7 @@ IPA.sudocmd_details_facet = function (spec) { that.add_section(section); var field = IPA.sudocmd_member_sudocmdgroup_table_widget({ -'name': 'memberof', +'name': 'memberof_sudocmdgroup', 'label': IPA.messages.objects.sudocmd.groups, 'other_entity': 'sudocmdgroup', 'save_values': false @@ -194,10 +194,7 @@ IPA.sudocmd_member_sudocmdgroup_table_widget = function (spec) { }); for (var i=0; ithat.values.length; i++) { -var dn = that.values[i]; -var j = dn.indexOf('='); -var k = dn.indexOf(','); -var value = dn.substring(j+1, k); +var value = that.values[i]; var command = IPA.command({ 'method': that.other_entity+'_show', -- 1.6.6.1
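Review bot: with the DN parsing removed in the second sudocmd.js hunk, `that.values[i]` is passed straight to the `_show` command as the group name; that matches `memberof_sudocmdgroup` carrying names, but nothing now guards against a value that is still a DN (for instance if the field name in the first hunk is ever reverted), which would turn every row into a failed lookup. A one-line check that the value contains no '=' before issuing the command would make that failure obvious instead of silent.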
Re: [Freeipa-devel] [PATCH] 742 Sudo command groups are not supposed to allow nesting
On 2/23/2011 4:50 PM, Rob Crittenden wrote:
It was a design decision to now allow nesting sudo command groups, remove it.
ticket 1004

Updated patch attached. This is going to require an API change.

ACK and pushed to master.

-- Endi S. Dewata