Re: [Freeipa-devel] [PATCH] 830 change enrollment principal prompt
On Mon, 2011-07-18 at 22:49 -0400, Rob Crittenden wrote:
> Change the enrollment principal prompt to hopefully be more clear.
>
> ticket https://fedorahosted.org/freeipa/ticket/1449

ACK. Pushed to master, ipa-2-0.

Adding Deon to CC, this will affect at least the Fedora documentation. In dobrien's documentation on FedoraPeople I see that these sections are affected:

8.1.2. Installing the IPA Client on Red Hat Enterprise Linux
8.2.2. Installing the IPA Client on Fedora

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 32 Don't delete NIS netgroup compat suffix on 'ipa-nis-manage disable'
On 18.7.2011 18:48, Martin Kosek wrote: On Mon, 2011-07-18 at 17:16 +0200, Jan Cholasta wrote: https://fedorahosted.org/freeipa/ticket/1469 Honza The patch is missing. Martin Is it? ...it is! Sorry. Honza -- Jan Cholasta >From 7ec54681c9eeb89b60ee6d5a7d8c1611be0c4af3 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Mon, 18 Jul 2011 16:43:35 +0200 Subject: [PATCH] Don't delete NIS netgroup compat suffix on 'ipa-nis-manage disable'. ticket 1469 --- install/tools/ipa-nis-manage | 15 --- 1 files changed, 0 insertions(+), 15 deletions(-) diff --git a/install/tools/ipa-nis-manage b/install/tools/ipa-nis-manage index 6eb619c..3625ae0 100755 --- a/install/tools/ipa-nis-manage +++ b/install/tools/ipa-nis-manage @@ -185,21 +185,6 @@ def main(): print lde retval = 1 -# delete the netgroups compat area. -try: -conn.delete_entry('cn=ng,cn=Schema Compatibility,cn=plugins,cn=config', normalize=False) -except errors.NotFound: -pass -except errors.DatabaseError, dbe: -print "An error occurred while talking to the server." -print dbe -retval = 1 -except errors.ExecutionError, lde: -print "An error occurred while talking to the server." -print lde -retval = 1 - - else: retval = 1 -- 1.7.4.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
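Review bot: the commit message says only "ticket 1469", and the hunk removes the whole try/except block that deleted cn=ng,cn=Schema Compatibility,cn=plugins,cn=config without saying why that entry must now survive 'ipa-nis-manage disable'. Add one sentence to the commit message explaining the reason the netgroup compat area is left in place, otherwise someone cleaning up the disable path later is likely to reintroduce the delete_entry call; a ticket URL alone does not help a reader of git log who is offline.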
Re: [Freeipa-devel] [PATCH] 817 Add option to wait for values
Martin Kosek wrote:
On Sun, 2011-07-17 at 17:42 -0400, Rob Crittenden wrote:
Rob Crittenden wrote:
Martin Kosek wrote:
On Tue, 2011-07-05 at 13:41 -0400, Rob Crittenden wrote:
Rob Crittenden wrote:
Rob Crittenden wrote:

389-ds postop plugins, such as the managed entry and memberof plugins, add values after the data has been returned to the client. In the case of the managed entry plugin this affects the parent entry as well (adds an objectclass value). This wreaks havoc on our tests as the values don't match what we expect.

The solution is to wait for the postop plugins to finish their work, then return. I've added this as an option. The downside is it is going to naturally slow things down, so it is off by default. It is currently only used in the hostgroup plugin.

The option is wait_for_attr. Add this to ~/.ipa/default.conf and set it to True and all the current tests will pass (assuming you apply patches 814-816 as well).

So now we won't have any excuses for missing test failures in the unit tests...

rob

Bah, found a small problem. Self-NACK.

rob

Updated patch attached. Note that I don't think there is a way for us to handle things like memberof_indirect. We wouldn't know to wait.

rob

Works fine for the hostgroup entry. It's good it can be switched on/off. But what about other managed entries, like the user entry? Would it make sense to add a wait here too? Or maybe something systematic in baseldap so that we wouldn't have to implement this wait for every managed entry.

Martin

I can certainly add it to users to check for managed groups. Making it generic would be difficult because some are conditional (such as users).

rob

Added support for managed users as well.

rob

Waiting for managed users works too. However, I have just noticed that the entire solution works only partially. It waits for the mepOriginEntry objectclass, but it doesn't add the new LDAP attributes "mepmanagedentry" and "memberof" to the -add result:

# ipa hostgroup-add hgroup3 --desc=foo --all --raw
-
Added hostgroup "hgroup3"
-
  dn: cn=hgroup3,cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  cn: hgroup3
  description: foo
  ipauniqueid: 20d1b8e4-b114-11e0-ab28-00163e0ed706
  objectclass: ipaobject
  objectclass: ipahostgroup
  objectclass: nestedGroup
  objectclass: groupOfNames
  objectclass: top
  objectclass: mepOriginEntry

# ipa hostgroup-show hgroup3 --all --raw
  dn: cn=hgroup3,cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  cn: hgroup3
  description: foo
  ipauniqueid: 20d1b8e4-b114-11e0-ab28-00163e0ed706
  memberof: cn=hgroup3,cn=ng,cn=alt,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com    <
  mepmanagedentry: cn=hgroup3,cn=ng,cn=alt,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com    <
  objectclass: ipaobject
  objectclass: ipahostgroup
  objectclass: nestedGroup
  objectclass: groupOfNames
  objectclass: top
  objectclass: mepOriginEntry

# ipa user-add --first=Foo --last=Bar fbar2 --all --raw
--
Added user "fbar2"
--
  dn: uid=fbar2,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  uid: fbar2
  givenname: Foo
  sn: Bar
  cn: Foo Bar
  displayname: Foo Bar
  initials: FB
  homedirectory: /home/fbar2
  gecos: Foo Bar
  loginshell: /bin/sh
  krbprincipalname: fb...@idm.lab.bos.redhat.com
  uidnumber: 52464
  gidnumber: 52464
  ipauniqueid: b22ab54c-b115-11e0-b354-00163e0ed706
  krbpwdpolicyreference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  objectclass: top
  objectclass: person
  objectclass: organizationalperson
  objectclass: inetorgperson
  objectclass: inetuser
  objectclass: posixaccount
  objectclass: krbprincipalaux
  objectclass: krbticketpolicyaux
  objectclass: ipaobject
  objectclass: mepOriginEntry

# ipa user-show fbar2 --all --raw
  dn: uid=fbar2,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  uid: fbar2
  givenname: Foo
  sn: Bar
  cn: Foo Bar
  displayname: Foo Bar
  initials: FB
  homedirectory: /home/fbar2
  gecos: Foo Bar
  loginshell: /bin/sh
  krbprincipalname: fb...@idm.lab.bos.redhat.com
  uidnumber: 52464
  gidnumber: 52464
  nsaccountlock: False
  ipauniqueid: b22ab54c-b115-11e0-b354-00163e0ed706
  krbpwdpolicyreference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com    <
  mepmanagedentry: cn=fbar2,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com    <
  objectclass: top
  objectclass: person
  objectclass: organizationalperson
  objectclass: inetorgperson
  objectclass: inetuser
  objectclass: posixaccount
  objectclass: krbprincipalaux
  objectclass: krbticketpolicyaux
  objectclass: ipaobject
  objectclass: mepOriginEntry

I think these attributes should be added in post
Re: [Freeipa-devel] [PATCH] 3 ipa-client-install tries to start non-existing nscd
Alexander Bokovoy wrote:
> On 15.07.2011 22:41, Rob Crittenden wrote:
>> Alexander Bokovoy wrote:
>>
>> nack.
>>
>> I don't believe this fixes the reported problem. This patch affects un-installation in which case whether sssd was selected or not doesn't matter, we're just trying to restore the previous state (so tangentially I wonder if we should store the state of at install time).
>
> Actually, the patch deals with installation, not uninstallation.
>
> As discussed on IRC, I've reworked it to add an alternative warning to the sssd configuration path. New version attached.

ack, pushed to master and ipa-2-0
[Freeipa-devel] [PATCH] 830 change enrollment principal prompt
Change the enrollment principal prompt to hopefully be more clear. ticket https://fedorahosted.org/freeipa/ticket/1449 >From 5a61eb36044ab15b55f42aeee5544983372c992c Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Mon, 18 Jul 2011 22:46:44 -0400 Subject: [PATCH] Change client enrollment principal prompt to hopefully be clearer. ticket https://fedorahosted.org/freeipa/ticket/1449 --- ipa-client/ipa-install/ipa-client-install |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 77b1ddfca589b97d74df83087809f0eed521c5dd..68ebb9595796442621656d346403176fbafea39b 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -791,7 +791,7 @@ def main(): if not options.unattended: if options.principal is None and options.password is None and options.prompt_password is False: -options.principal = user_input("Enrollment principal", allow_empty=False) +options.principal = user_input("User authorized to enroll computers", allow_empty=False) logging.debug("will use principal: %s\n", options.principal) # Get the CA certificate -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
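Review bot: the new prompt "User authorized to enroll computers" drops the word "principal" while the answer is still stored in options.principal and logged as "will use principal: %s", so the user gets no hint whether a bare user name or a full user@REALM principal is expected. Either state the accepted form in the prompt string or make sure the --principal help text does, so the wording change does not trade one confusion for another.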
Re: [Freeipa-devel] [PATCH] 36 Removed "RunAs External Group" is removed in the output when "--all" switch is used.
JR Aquino wrote:
> https://fedorahosted.org/freeipa/ticket/1348
>
> Corrected behavior for ipa sudorule-remove-runasgroup rule1 --groups=tgroup2 --all

ack, pushed to master and ipa-2-0
[Freeipa-devel] [PATCH] 37 Correct sudo runasuser and runasgroup attributes in schema
https://fedorahosted.org/freeipa/ticket/1309

Added .update file to correct the sudo schema during freeipa updates on older systems. Modified Makefile.am to account for the new .update file.

Attachment: freeipa-jraquino-0037-Correct-sudo-runasuser-and-runasgroup-attributes.patch
[Freeipa-devel] [PATCH] 36 Removed "RunAs External Group" is removed in the output when "--all" switch is used.
https://fedorahosted.org/freeipa/ticket/1348

Corrected behavior for ipa sudorule-remove-runasgroup rule1 --groups=tgroup2 --all

Attachment: freeipa-jraquino-0036-Removed-RunAs-External-Group-is-removed-in-the-output.patch
Re: [Freeipa-devel] [PATCH] 091 Improve long integer type validation
On 07/15/2011 05:26 PM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> Passing a number of "long" type to an IPA Int parameter invokes a user-unfriendly error message about incompatible types. This patch improves the Int parameter with a user-understandable message along with the maximum value he can pass.
>>
>> https://fedorahosted.org/freeipa/ticket/1346
>
> nack. We need to limit Int to 32-bit values because that is what XML-RPC supports. So if maxvalue isn't set we need to compare against MAXINT and not sys.maxint.
>
> rob

Is this the wrong forum to point out how wrong XML-RPC is in limiting things to 32 bit values?
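The nack above turns on one point: the upper bound of an Int parameter must be the XML-RPC i4 limit, not the host's native integer size. As an added example (Python 3, not FreeIPA's Int parameter code), the validator below clamps the declared bounds to the range xmlrpc.client itself enforces and shows that the transport rejects anything larger; validate_int_param, check_uidnumber and ValidationError are names invented for this example.

```python
"""Added example: keep an integer parameter inside the XML-RPC i4 range.

Not FreeIPA code. Demonstrates why a parameter's maximum must be compared
against the XML-RPC limit rather than sys.maxsize (Python 2's sys.maxint).
"""
import xmlrpc.client

# <i4>/<int> in XML-RPC is a signed 32-bit integer. These are the limits
# xmlrpc.client applies when marshalling a Python int.
XMLRPC_MAXINT = xmlrpc.client.MAXINT   # 2**31 - 1
XMLRPC_MININT = xmlrpc.client.MININT   # -2**31


class ValidationError(ValueError):
    """Raised with a message a CLI user can act on (constructed name)."""


def validate_int_param(name, value, minvalue=None, maxvalue=None):
    """Return `value` if it is an int within the effective bounds.

    The effective bound is the stricter of the declared minvalue/maxvalue
    and the XML-RPC 32-bit range, so a value that would fail in the
    transport is rejected here, with the limit shown to the user.
    """
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValidationError("%s: must be an integer" % name)
    upper = XMLRPC_MAXINT if maxvalue is None else min(maxvalue, XMLRPC_MAXINT)
    lower = XMLRPC_MININT if minvalue is None else max(minvalue, XMLRPC_MININT)
    if value > upper:
        raise ValidationError("%s: can be at most %d" % (name, upper))
    if value < lower:
        raise ValidationError("%s: must be at least %d" % (name, lower))
    return value


def marshals_over_xmlrpc(value):
    """True if xmlrpc.client accepts `value` as a call argument.

    Shows the failure the validator is meant to pre-empt: the marshaller
    raises OverflowError for anything outside the 32-bit range.
    """
    try:
        xmlrpc.client.dumps((value,), methodname="noop")
    except OverflowError:
        return False
    return True


def check_uidnumber(value):
    """Constructed parameter: uidnumber with minvalue=1 and no maxvalue.

    Returns the validated value, or the error text a user would see.
    """
    try:
        return validate_int_param("uidnumber", value, minvalue=1)
    except ValidationError as e:
        return str(e)


if __name__ == "__main__":
    for candidate in (52464, 2**31 - 1, 2**31, 0):
        print(candidate, "->", check_uidnumber(candidate),
              "| marshals:", marshals_over_xmlrpc(candidate))
```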
[Freeipa-devel] [PATCH] specify ds-replication plugin by name
Like bind and bind-dyndb-ldap specify the replication package by name when it is not found. Pushed under the 1-liner rule. diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index da8e749..7186a18 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py @@ -84,7 +84,8 @@ def check_replication_plugin(): """ if not os.path.exists('/usr/lib/dirsrv/plugins/libreplication-plugin.so') and \ not os.path.exists('/usr/lib64/dirsrv/plugins/libreplication-plugin.so'): -print "The 389-ds replication plug-in was not found on this system" +print "The 389-ds replication plug-in was not found on this system." +print "Please install the 'ds-replication' package and start the installation again" return False return True ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
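Review bot: the second added line lacks the trailing period that the first line gained in the same hunk ("...start the installation again"), and both messages go to stdout via print although check_replication_plugin() is reporting a fatal condition and returning False. Print the hint with print >>sys.stderr (as ipa-client-install does elsewhere) so it is not lost when the installer's stdout is redirected.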
Re: [Freeipa-devel] [PATCH] 210 Fixed host details fields.
On 07/18/2011 04:13 PM, Endi Sukma Dewata wrote:
> The host details facet has been fixed to remove a redundant field and include some missing fields.
>
> Ticket #1484

ACK. Pushed to master
Re: [Freeipa-devel] [PATCH] 209 Removed reverse zones from host adder dialog.
On 07/18/2011 03:16 PM, Endi Sukma Dewata wrote:
> The host adder dialog has been modified to specify the new flag for retrieving the forward zones only.
>
> Ticket #1458

ACK. Pushed to master
[Freeipa-devel] [PATCH] 210 Fixed host details fields.
The host details facet has been fixed to remove a redundant field and include some missing fields. Ticket #1484 -- Endi S. Dewata From 3e3efd2c92454513f004e8c9ae00fe6fd14d842e Mon Sep 17 00:00:00 2001 From: Endi S. Dewata Date: Mon, 18 Jul 2011 15:07:18 -0500 Subject: [PATCH] Fixed host details fields. The host details facet has been fixed to remove a redundant field and include some missing fields. Ticket #1484 --- install/ui/host.js | 22 +++--- 1 files changed, 11 insertions(+), 11 deletions(-) diff --git a/install/ui/host.js b/install/ui/host.js index 14f16d93d918325a0d42b823c43ce7280b0704c5..9994abf31407c6be82ce186713995187620290ab 100644 --- a/install/ui/host.js +++ b/install/ui/host.js @@ -37,20 +37,20 @@ IPA.entity_factories.host = function () { }). details_facet({sections:[ { -name:'details', +name: 'details', fields: [ -{ factory: IPA.host_dnsrecord_entity_link_widget, - name: 'fqdn', - other_entity:'dnsrecord' +{ +factory: IPA.host_dnsrecord_entity_link_widget, +name: 'fqdn', +other_entity:'dnsrecord' }, 'krbprincipalname', -{ -factory: IPA.text_widget, -name: 'cn', -label: IPA.messages.objects.host.cn, -read_only: true -}, -'description' ] +'description', +'l', +'nshostlocation', +'nshardwareplatform', +'nsosversion' +] }, { name:'enrollment', -- 1.7.5.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
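Review bot: the commit message says "remove a redundant field and include some missing fields" without naming them; the hunk drops the read-only cn text widget and adds 'l', 'nshostlocation', 'nshardwareplatform' and 'nsosversion', and the message should list exactly that so the change is searchable later. Style: the same hunk fixes "name:'details'" to "name: 'details'" but leaves "other_entity:'dnsrecord'" without the space after the colon.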
[Freeipa-devel] 35 remove escapes from the cvs parser in ipaserver/install/ldapupdate
https://fedorahosted.org/freeipa/ticket/1472

Changeset 8e086fd7b8c1edd0ccfec527c0699d396a7954f9 introduced a bug with ldapupdate resulting in incorrect handling of uldif files. Particularly the schema_compat.uldif.

Attachment: freeipa-jraquino-0035-remove-escapes-from-the-cvs-parser-in-ldapupdate.patch

~
Jr Aquino, GCIH | Information Security Specialist
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478
jr.aqu...@citrixonline.com
http://www.citrixonline.com
[Freeipa-devel] [PATCH] 35 remove escapes from the cvs parser in ipaserver/install/ldapupdate
On Jul 18, 2011, at 1:08 PM, wrote:
> https://fedorahosted.org/freeipa/ticket/1472
>
> Changeset 8e086fd7b8c1edd0ccfec527c0699d396a7954f9 introduced a bug with
> ldapupdate resulting in incorrect handling of uldif files. Particularly the
> schema_compat.uldif.
>

Added PATCH to subject line.
[Freeipa-devel] [PATCH] 209 Removed reverse zones from host adder dialog.
The host adder dialog has been modified to specify the new flag for retrieving the forward zones only. Ticket #1458 -- Endi S. Dewata From abea002ce23b74db537103658bfbb8a147e2c39e Mon Sep 17 00:00:00 2001 From: Endi S. Dewata Date: Mon, 18 Jul 2011 11:42:22 -0500 Subject: [PATCH] Removed reverse zones from host adder dialog. The host adder dialog has been modified to specify the new flag for retrieving the forward zones only. Ticket #1458 --- install/ui/host.js | 25 ++--- install/ui/widget.js | 15 +-- 2 files changed, 31 insertions(+), 9 deletions(-) diff --git a/install/ui/host.js b/install/ui/host.js index e9adcd4f796860ff41aadda59f0410ca4a28fbf5..14f16d93d918325a0d42b823c43ce7280b0704c5 100644 --- a/install/ui/host.js +++ b/install/ui/host.js @@ -106,10 +106,8 @@ IPA.entity_factories.host = function () { height: 250, fields:[ { -factory: IPA.entity_select_widget, +factory: IPA.dnszone_select_widget, name: 'fqdn', -other_entity: 'dnszone', -other_field: 'idnsname', label: IPA.messages.objects.service.host, editable: true, undo: false @@ -127,6 +125,27 @@ IPA.entity_factories.host = function () { build(); }; +IPA.dnszone_select_widget = function(spec) { + +spec = spec || {}; +spec.other_entity = 'dnszone'; +spec.other_field = 'idnsname'; + +var that = IPA.entity_select_widget(spec); + +that.create_search_command = function() { +return IPA.command({ +entity: that.other_entity, +method: 'find', +args: [that.filter.val()], +options: { +forward_only: true +} +}); +}; + +return that; +}; IPA.host_dnsrecord_entity_link_widget = function(spec){ var that = IPA.entity_link_widget(spec); diff --git a/install/ui/widget.js b/install/ui/widget.js index f5ed036525cf405e5fcf256902848e8995e0e6c3..1932bee7582f1430fe35725b291359d4885de136 100644 --- a/install/ui/widget.js +++ b/install/ui/widget.js 
@@ -1821,15 +1821,17 @@ IPA.entity_select_widget = function(spec) { that.other_entity = spec.other_entity; that.other_field = spec.other_field; -that.search = function() { - -var filter = that.filter.val(); - -var command = IPA.command({ +that.create_search_command = function() { +return IPA.command({ entity: that.other_entity, method: 'find', -args: [filter] +args: [that.filter.val()] }); +}; + +that.search = function() { + +var command = that.create_search_command(); command.on_success = function(data, text_status, xhr) { @@ -1837,6 +1839,7 @@ IPA.entity_select_widget = function(spec) { that.create_option(); +var filter = that.filter.val(); var entries = data.result.result; for (var i=0; i___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
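Review bot: IPA.dnszone_select_widget.create_search_command (host.js hunk) copies the entire IPA.command({entity, method: 'find', args: [that.filter.val()]}) construction from IPA.entity_select_widget only to add "options: { forward_only: true }". Let the base widget take extra search options from spec (for instance a spec.search_options object merged into the command's options) so the subclass does not have to re-implement the command and the two cannot drift apart.

Review bot: moving "var filter = that.filter.val();" into on_success (widget.js second hunk) changes behaviour. The original read the input once in that.search() before issuing the command; the new code re-reads it when the reply arrives, so if the user kept typing while the request was in flight, the returned entries are processed against a filter string that was never sent. Capture the value in that.search() and pass it into the callback (or take it from command.args) instead of re-reading the input.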
Re: [Freeipa-devel] [PATCH] 3 ipa-client-install tries to start non-existing nscd
On 15.07.2011 22:41, Rob Crittenden wrote: > Alexander Bokovoy wrote: >> > > nack. > > I don't believe this fixes the reported problem. This patch affects > un-installation in which case whether sssd was selected or not doesn't > matter, we're just trying to restore the previous state (so tangentially > I wonder if we should store the state of at install time). Actually, the patch deals with installation, not uninstallation. As discussed on IRC, I've reworked it to add an alternative warning to sssd configuration path. New version attached. -- / Alexander Bokovoy From ba45b67b1847df16f802bfe44d4af68c5536c2ae Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Fri, 1 Jul 2011 11:11:38 +0300 Subject: [PATCH] Rearrange logging for NSCD daemon. https://fedorahosted.org/freeipa/ticket/1373 When SSSD is in use, we actually trying to disable NSCD daemon. Telling that we failed to configure automatic _startup_ of the NSCD is wrong then. --- ipa-client/ipa-install/ipa-client-install |5 - 1 files changed, 4 insertions(+), 1 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 6bdeb8796b677c3a604083aad54f086c79af322b..c39780c9e59ca61ba952997458cf847f47aeaa4a 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -929,9 +929,12 @@ def main(): try: nscd_chkconfig_cmd('nscd') except: -print >>sys.stderr, "Failed to configure automatic startup of the NSCD daemon" if not options.sssd: +print >>sys.stderr, "Failed to configure automatic startup of the NSCD daemon" print >>sys.stderr, "Caching of users/groups will not be available after reboot" + else: + print >>sys.stderr, "Failed to disable NSCD daemon. Please disable it manually." + else: # this is optional service, just log logging.info("NSCD daemon is not installed, skip configuration") -- 1.7.6 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
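Review bot: the new "Failed to disable NSCD daemon. Please disable it manually." branch still lives under a bare "except:", which swallows whatever nscd_chkconfig_cmd('nscd') raised (including KeyboardInterrupt) and leaves the admin with no clue why the disable failed. Catch the specific exception type, or at minimum log the caught exception with logging.debug before printing, so the installer log shows the cause; the message rearrangement itself is correct for the sssd case.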
Re: [Freeipa-devel] [PATCH] 208 Entity select widget improvements
On 07/18/2011 02:39 PM, Endi Sukma Dewata wrote:
> On 7/18/2011 11:52 AM, Endi Sukma Dewata wrote:
>> On 7/18/2011 10:44 AM, Endi Sukma Dewata wrote:
>>> The IPA.entity_select_widget has been modified into a searchable and editable drop down list.
>>>
>>> Ticket #1361
>>
>> Fixed z-index problem and renamed base class to IPA.combobox_widget.
>
> Included new icon provided by ayoung.

ACK. Pushed to master
Re: [Freeipa-devel] [PATCH] 208 Entity select widget improvements
On 7/18/2011 11:52 AM, Endi Sukma Dewata wrote: On 7/18/2011 10:44 AM, Endi Sukma Dewata wrote: The IPA.entity_select_widget has been modified into a searchable and editable drop down list. Ticket #1361 Fixed z-index problem and renamed base class to IPA.combobox_widget. Included new icon provided by ayoung. -- Endi S. Dewata From db48ea67e0569ffc2650dbb651ef6e32f51b789c Mon Sep 17 00:00:00 2001 From: Endi S. Dewata Date: Fri, 15 Jul 2011 12:18:59 -0500 Subject: [PATCH] Entity select widget improvements The IPA.entity_select_widget has been modified into a searchable and editable drop down list. The base functionality has been extracted into IPA.combobox_widget. Ticket #1361 --- install/ui/aci.js| 41 +++-- install/ui/combobox_open.png | Bin 0 -> 274 bytes install/ui/details.js| 53 +++--- install/ui/dialog.js |6 +- install/ui/entitle.js|8 +- install/ui/hbac.js |4 +- install/ui/host.js |9 +- install/ui/ipa.css | 216 -- install/ui/jsl.conf |2 +- install/ui/policy.js |9 +- install/ui/search.js | 11 +- install/ui/serverconfig.js |5 +- install/ui/service.js|7 +- install/ui/test/aci_tests.js |2 +- install/ui/test/details_tests.js | 14 +- install/ui/test/widget_tests.js | 11 +- install/ui/user.js | 12 +- install/ui/widget.js | 378 -- 18 files changed, 472 insertions(+), 316 deletions(-) create mode 100755 install/ui/combobox_open.png diff --git a/install/ui/aci.js b/install/ui/aci.js index 1a95af0e7f9d663fccb98d472aee3b2a8fee2868..54050c79cfa2f88fae87907cae67bb71affb7082 100644 --- a/install/ui/aci.js +++ b/install/ui/aci.js @@ -50,7 +50,8 @@ IPA.entity_factories.permission = function() { }]}). standard_association_facets(). adder_dialog({ -height: '400', +width: 500, +height: 400, fields:[ 'cn', { 
@@ -165,12 +166,16 @@ IPA.entity_factories.delegation = function() { fields:[ 'aciname', { -factory:IPA.entity_select_widget, -name: 'group', entity: 'group' +factory: IPA.entity_select_widget, +name: 'group', +other_entity: 'group', +other_field: 'cn' }, { -factory:IPA.entity_select_widget, -name: 'memberof', entity: 'group', +factory: IPA.entity_select_widget, +name: 'memberof', +other_entity: 'group', +other_field: 'cn', join: true }, { @@ -183,13 +188,19 @@ IPA.entity_factories.delegation = function() { fields:[ 'aciname', { -factory:IPA.entity_select_widget, -name: 'group', entity: 'group', undo: false +factory: IPA.entity_select_widget, +name: 'group', +other_entity: 'group', +other_field: 'cn', +undo: false }, { -factory:IPA.entity_select_widget, -name: 'memberof', entity: 'group', -join: true, undo: false +factory: IPA.entity_select_widget, +name: 'memberof', +other_entity: 'group', +other_field: 'cn', +join: true, +undo: false }, { factory:IPA.attributes_widget, @@ -402,8 +413,12 @@ IPA.target_section = function(spec) { cols: 30, rows: 1, undo: that.undo }); -that.group_select = IPA.entity_select_widget( -{name: 'targetgroup', entity:'group', undo: that.undo}); +that.group_select = IPA.entity_select_widget({ +name: 'targetgroup', +other_entity: 'group', +other_field: 'cn', +undo: that.undo +}); that.type_select = IPA.select_widget({name: 'type', undo: that.undo}); that.attribute_table = IPA.attributes_widget({ name: 'attrs', undo: that.undo}); @@ -506,7 +521,7 @@ IPA.target_section = function(spec) { that.group_select.create(span); }, load: function(record){ -that.group_select.entity_select.val(record.targetgroup); +that.group_select.list.val(record.targetgroup); }, save: function(record){
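Review bot: renaming the spec key from "entity" to "other_entity"/"other_field" in the delegation and target_section hunks is an API change for every caller of IPA.entity_select_widget; a caller still passing "entity: 'group'" will not error but will build a search command with an undefined entity and show an empty list. Since the diffstat touches many files, note the rename in the commit message and consider a one-line check in the widget that throws when spec.other_entity is missing.

Review bot: in the load handler, "that.group_select.list.val(record.targetgroup)" swaps one reach into the widget's internals (entity_select) for another (list), so aci.js still depends on the combobox's DOM layout and the next widget refactor will break it again. Give the widget a value setter and call that from load instead.

Review bot: the adder_dialog hunk changes height from the string '400' to the number 400 and adds width: 500; neither is mentioned in the commit message, which only describes the select widget. Worth a line, since other dialogs may still pass string sizes.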
Re: [Freeipa-devel] [PATCH] 25 Update minimum required version of python-netaddr
Jakub Hrozek wrote:
> On 07/01/2011 09:04 PM, Jan Cholasta wrote:
>> On 1.7.2011 16:34, Jakub Hrozek wrote:
>>> On 07/01/2011 06:35 AM, Jan Cholasta wrote:
>>>> On 28.6.2011 16:14, Jakub Hrozek wrote:
>>>>> On 06/28/2011 08:52 AM, Jan Cholasta wrote:
>>>>>> https://fedorahosted.org/freeipa/ticket/1288
>>>>>>
>>>>>> Honza
>>>>>
>>>>> I gather this is done in order to get rid of the "try: except all" hack in the installer?
>>>>>
>>>>> This works fine with F15 and F16 in mind. However, if the specfile is intended to be usable on RHEL as well (at least for development), some %if magic is required -- the fix is not there yet.
>>>>
>>>> Updated so that 0.7.5-3 is required on Fedora >= 15 and RHEL >= 6.
>>>>
>>>> Honza
>>>
>>> Sorry, I wasn't clear in the previous message. The fix so far is *only* in Fedora, not in any RHEL versions. So the versioned requires must apply only to Fedora until we release python-netaddr errata, be it in 6.2 or 6.3.
>>
>> Thanks for the info. I really need to learn more about RHEL :-)
>>
>> Updated patch attached.
>>
>> Honza
>
> I missed the new revision - sorry.
>
> Ack!

pushed to master and ipa-2-0
Re: [Freeipa-devel] [PATCH] 829 Generate a database password by default
Simo Sorce wrote:
> On Sun, 2011-07-17 at 17:47 -0400, Rob Crittenden wrote:
>> If the password passed in when creating an NSS certificate database is None then a random password is generated. If it is empty ('') then an empty password is set. Because of this the HTTP instance on replicas was created with an empty password.
>>
>> https://fedorahosted.org/freeipa/ticket/1407
>
> ACK,
> Simo.

pushed to master and ipa-2-0
Re: [Freeipa-devel] [PATCH] 828 set plugin precedence
Simo Sorce wrote:
> On Sun, 2011-07-17 at 17:46 -0400, Rob Crittenden wrote:
>> The default precedence of slapi plugins is 50 and all of them (ours and the 389-ds plugins) have this level with the exception of one (Retro changelog). The IPA modrdn plugin should run after all of these so I've bumped up the precedence to 60 as recommended by the 389-ds team.
>>
>> https://fedorahosted.org/freeipa/ticket/1370
>
> ACK.
> Simo.

pushed to master and ipa-2-0
Re: [Freeipa-devel] [PATCH] 827 change subject of RA
Simo Sorce wrote:
> On Sun, 2011-07-17 at 17:45 -0400, Rob Crittenden wrote:
>> Change the subject of the RA to not confuse dogtag users. We used 'RA Subsystem' and this might confuse some to think we're using the dogtag RA, which we are not.
>>
>> This won't affect existing installations, only new ones.
>>
>> https://fedorahosted.org/freeipa/ticket/1236
>
> ACK.
> Simo.

pushed to master and ipa-2-0
Re: [Freeipa-devel] [PATCH] 825 add dogtag replication management
Rich Megginson wrote:
On 07/18/2011 09:34 AM, Rob Crittenden wrote:
Jan Cholasta wrote:
On 15.7.2011 21:24, Rob Crittenden wrote:
Rich Megginson wrote:
On 07/15/2011 10:57 AM, Rob Crittenden wrote:
Rich Megginson wrote:
On 07/15/2011 08:01 AM, Rob Crittenden wrote:
Martin Kosek wrote:
On Fri, 2011-07-15 at 14:43 +0200, Jan Cholasta wrote:
On 15.7.2011 05:42, Rob Crittenden wrote:

Add a separate tool for now to do dogtag replication agreement management. The syntax is the same as for IPA agreements with the exception that the DM password is always required and it isn't possible to delegate the management of this.

ticket https://fedorahosted.org/freeipa/ticket/1250

rob

NACK

'ipa-csreplica-manage list server' doesn't list the peers of the specified server, but the peers of localhost.

Connecting an already connected pair of replicas duplicates the replication information ('ipa-csreplica-manage list server' shows the same hostname twice).

There is trailing whitespace on line 87 of the patch.

BTW I don't understand why it is possible (or necessary?) to be able to have a CS replication topology that is different from the main IPA replication topology (ipa-csreplica-manage allows you to do that). Is there a reason for this?

Honza

And some issues from me:

1) Unhelpful error message when force-syncing from a master without a replication agreement:

# ipa-csreplica-manage force-sync --from=HOST
Directory Manager password:
ipa: ERROR: Unable to find replication agreement for vm-060.idm.lab.bos.redhat.com
unexpected error: Unable to proceed

2) Minor stuff in man page:

Unindented Exit statuses:

EXIT STATUS
0 if the command was successful
1 if an error occurred

Missing dot:

The default is the machine on which the command is run
Not honoured by the re-initialize command.

Otherwise it looks good.

Martin

This should address all the issues raised.

There are several reasons for the different topology:

1. A given IPA server may not have a CA installed
2. Some aspects of ipa-replica-manage can be delegated. We can't delegate CS replica management because it is in a different directory server. We don't have users stored there so can't map the GSSAPI credentials. So only Directory Manager can operate on it for now.
3. Flexibility. You may want way more connections for users than for the CA.

+ if starttls:
+ self.conn = ipaldap.IPAdmin(hostname, port=port)
+ ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, CACERT)

Why in the starttls case do you not call ipaldap.IPAdmin(hostname, port=PORT, cacert=CACERT) ?

Because the port is the non-secure port and opening an SSL connection to it failed.

Ah, ok. So that tells IPAdmin to use this CACERT and to use ldaps.

+ managers = entry.getValues('nsDS5ReplicaBindDN')
+ if replica_binddn not in managers:

You might want to use the dn.py code, or at least normalize the DNs in managers before comparing

That's a good idea.

+ if master is None:
+ entry.setValues('nsds5replicaupdateschedule', '-2359 0123456')

You should just omit nsds5replicaupdateschedule

It failed with an operations error when I tried removing the attribute either directly with a MOD_DELETE or doing a MOD_REPLACE with nothing. I assume this is another attribute in cn=config that once set cannot be undone.

Right. Ok. When you add the agreement entry, you can just omit it. But if you are trying to modify an existing agreement entry, you can't MOD_DELETE it or MOD_REPLACE with an empty value.

Ok, good point about normalizing, updated patch attached.

rob

Everything I found is fixed. You might want to take a look at what Martin found, though.

Honza

Updated patch to use the DN class a bit more.

ack

rob

pushed to master and ipa-2-0
Re: [Freeipa-devel] [PATCH] 826 fix failing memberof tests
Jan Cholasta wrote:
> On 15.7.2011 23:20, Rob Crittenden wrote:
>> With the recent object_name/label changes some tests were failing that were expecting the old value which contained a space. This fixes them.
>>
>> rob
>
> ACK.
>
> Honza

pushed to master
Re: [Freeipa-devel] [PATCH] 824 make more sensible nicknames
Jan Cholasta wrote:
> On 11.7.2011 23:48, Rob Crittenden wrote:
>> When loading a chained CA from a PKCS#7 or PEM file we used to use very generic nicknames, sometimes as bad as "Imported CA" in the case of winsync. This will use the subject of the cert to get the nickname instead.
>>
>> I also extended the API of some of the x509 functions to optionally take in the NSS database dir. I had originally used this in the patch but did it another way but still thought the changes useful.
>>
>> ticket https://fedorahosted.org/freeipa/ticket/1141
>>
>> Word of warning, this is going to require a fair bit of testing. The way to test it is to install with an external CA, then install a replica with a CA to be sure that works as well. Testing basic installs would be handy as well.
>>
>> rob
>
> ACK, everything seems to work fine.
>
> Honza

pushed to master and ipa-2-0
Re: [Freeipa-devel] [PATCH] 823 validate certificate subject base
Martin Kosek wrote:

On Mon, 2011-07-18 at 12:08 -0400, Rob Crittenden wrote:

Martin Kosek wrote:

On Thu, 2011-07-07 at 12:02 -0400, Rob Crittenden wrote:

Use John's new DN class to verify that the subject base passed into ipa-server-install is valid.

https://fedorahosted.org/freeipa/ticket/1176

rob

Works fine for basic errors. But what if the DN is syntactically valid, but it makes no sense for CA? For example:

# ipa-server-install --subject="FOO=BAR"
...
Configuring certificate server: Estimated time 6 minutes
  [1/16]: creating certificate server user
  [2/16]: creating pki-ca instance
  [3/16]: restarting certificate server
  [4/16]: configuring certificate server instance
root: CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname vm-099.idm.lab.bos.redhat.com -cs_port 9445 -client_certdb_dir /tmp/tmp-VQeqTM -client_certdb_pwd '' -preop_pin p8NYnreBzTcV8Oq13vCu -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password '' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,FOO=BAR" -ldap_host vm-099.idm.lab.bos.redhat.com -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password '' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd '' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,FOO=BAR" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,FOO=BAR" -ca_server_cert_subject_name "CN=vm-099.idm.lab.bos.redhat.com,FOO=BAR" -ca_audit_signing_cert_subject_name "CN=CA Audit,FOO=BAR" -ca_sign_cert_subject_name "CN=Certificate Authority,FOO=BAR" -external false -clone false' returned non-zero exit status 255
Unexpected error - see ipaserver-install.log for details:
Configuration of CA failed

Could we cover also these cases in the callback?

Martin

Added list of allowed attributes.

rob

ACK, works fine.

I would just recommend to split the line with VALID_SUBJECT_ATTRS before pushing, it's quite long.

Martin

Fixed and pushed to master and ipa-2-0
Re: [Freeipa-devel] [PATCH] 208 Entity select widget improvements
On 7/18/2011 10:44 AM, Endi Sukma Dewata wrote: The IPA.entity_select_widget has been modified into a searchable and editable drop down list. Ticket #1361 Fixed z-index problem and renamed base class to IPA.combobox_widget. -- Endi S. Dewata From 3e68a57cb5e406c556f480f82c53909a7c148fb5 Mon Sep 17 00:00:00 2001 From: Endi S. Dewata Date: Fri, 15 Jul 2011 12:18:59 -0500 Subject: [PATCH] Entity select widget improvements The IPA.entity_select_widget has been modified into a searchable and editable drop down list. Ticket #1361 --- install/ui/aci.js| 41 +++-- install/ui/details.js| 53 +++--- install/ui/dialog.js |6 +- install/ui/entitle.js|8 +- install/ui/hbac.js |4 +- install/ui/host.js |9 +- install/ui/ipa.css | 212 +++-- install/ui/jsl.conf |2 +- install/ui/policy.js |9 +- install/ui/search.js | 11 +- install/ui/serverconfig.js |5 +- install/ui/service.js|7 +- install/ui/test/aci_tests.js |2 +- install/ui/test/details_tests.js | 14 +- install/ui/test/widget_tests.js | 11 +- install/ui/user.js | 12 +- install/ui/widget.js | 378 -- 17 files changed, 468 insertions(+), 316 deletions(-) diff --git a/install/ui/aci.js b/install/ui/aci.js index 1a95af0e7f9d663fccb98d472aee3b2a8fee2868..54050c79cfa2f88fae87907cae67bb71affb7082 100644 --- a/install/ui/aci.js +++ b/install/ui/aci.js @@ -50,7 +50,8 @@ IPA.entity_factories.permission = function() { }]}). standard_association_facets(). adder_dialog({ -height: '400', +width: 500, +height: 400, fields:[ 'cn', { @@ -165,12 +166,16 @@ IPA.entity_factories.delegation = function() { fields:[ 'aciname', { -factory:IPA.entity_select_widget, -name: 'group', entity: 'group' +factory: IPA.entity_select_widget, +name: 'group', +other_entity: 'group', +other_field: 'cn' }, { -factory:IPA.entity_select_widget, -name: 'memberof', entity: 'group', +factory: IPA.entity_select_widget, +name: 'memberof', +other_entity: 'group', +other_field: 'cn', join: true }, { 
@@ -183,13 +188,19 @@ IPA.entity_factories.delegation = function() { fields:[ 'aciname', { -factory:IPA.entity_select_widget, -name: 'group', entity: 'group', undo: false +factory: IPA.entity_select_widget, +name: 'group', +other_entity: 'group', +other_field: 'cn', +undo: false }, { -factory:IPA.entity_select_widget, -name: 'memberof', entity: 'group', -join: true, undo: false +factory: IPA.entity_select_widget, +name: 'memberof', +other_entity: 'group', +other_field: 'cn', +join: true, +undo: false }, { factory:IPA.attributes_widget, @@ -402,8 +413,12 @@ IPA.target_section = function(spec) { cols: 30, rows: 1, undo: that.undo }); -that.group_select = IPA.entity_select_widget( -{name: 'targetgroup', entity:'group', undo: that.undo}); +that.group_select = IPA.entity_select_widget({ +name: 'targetgroup', +other_entity: 'group', +other_field: 'cn', +undo: that.undo +}); that.type_select = IPA.select_widget({name: 'type', undo: that.undo}); that.attribute_table = IPA.attributes_widget({ name: 'attrs', undo: that.undo}); @@ -506,7 +521,7 @@ IPA.target_section = function(spec) { that.group_select.create(span); }, load: function(record){ -that.group_select.entity_select.val(record.targetgroup); +that.group_select.list.val(record.targetgroup); }, save: function(record){ record.targetgroup = that.group_select.save()[0]; diff --git a/install/ui/details.js b/install/ui/details.js index b31305c693de767ec2381192759ca9839ca6894c..82804b538618e884025990907e235a6050b8f2b0 100644 --- a/install/ui/details.js +++ b/install/ui/de
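Review bot: the @@ -165,12 and @@ -183,13 hunks rename the widget spec key 'entity' to 'other_entity' and add 'other_field: cn', but only the callers listed in the diffstat are updated; unless widget.js now rejects a missing 'other_entity' (that part of the patch is not shown here), a caller still passing 'entity:' would get a combobox with nothing to search and no error. Have IPA.entity_select_widget fail loudly when spec.other_entity is absent, for example "if (!spec.other_entity) throw 'entity_select_widget: other_entity is required';", so a stale caller is caught by widget_tests.js instead of surfacing as an empty drop-down.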
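Review bot: in the @@ -506,7 hunk the target_section load callback still reaches into the widget's internal control, now "that.group_select.list.val(record.targetgroup)" in place of "that.group_select.entity_select.val(...)", while the save path in the trailing context goes through the widget's own API, "that.group_select.save()[0]". Give the widget a matching load(record) or update(values) method and call that from aci.js; this hunk exists only because the internal field was renamed, and the next rename will need the same edit again.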
Re: [Freeipa-devel] [PATCH] 32 Don't delete NIS netgroup compat suffix on 'ipa-nis-manage disable'
On Mon, 2011-07-18 at 17:16 +0200, Jan Cholasta wrote:
> https://fedorahosted.org/freeipa/ticket/1469
>
> Honza
>

The patch is missing.

Martin
Re: [Freeipa-devel] [PATCH] 823 validate certificate subject base
On Mon, 2011-07-18 at 12:08 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Thu, 2011-07-07 at 12:02 -0400, Rob Crittenden wrote:
> >> Use John's new DN class to verify that the subject base passed into
> >> ipa-server-install is valid.
> >>
> >> https://fedorahosted.org/freeipa/ticket/1176
> >>
> >> rob
> >
> > Works fine for basic errors. But what if the DN is syntactically valid,
> > but it makes no sense for CA? For example:
> >
> > # ipa-server-install --subject="FOO=BAR"
> > ...
> > Configuring certificate server: Estimated time 6 minutes
> >   [1/16]: creating certificate server user
> >   [2/16]: creating pki-ca instance
> >   [3/16]: restarting certificate server
> >   [4/16]: configuring certificate server instance
> > root: CRITICAL failed to configure ca instance Command
> > '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname vm-099.idm.lab.bos.redhat.com -cs_port 9445 -client_certdb_dir /tmp/tmp-VQeqTM -client_certdb_pwd '' -preop_pin p8NYnreBzTcV8Oq13vCu -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password '' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,FOO=BAR" -ldap_host vm-099.idm.lab.bos.redhat.com -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password '' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd '' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,FOO=BAR" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,FOO=BAR" -ca_server_cert_subject_name "CN=vm-099.idm.lab.bos.redhat.com,FOO=BAR" -ca_audit_signing_cert_subject_name "CN=CA Audit,FOO=BAR" -ca_sign_cert_subject_name "CN=Certificate Authority,FOO=BAR" -external false -clone false' returned non-zero exit status 255
> > Unexpected error - see ipaserver-install.log for details:
> > Configuration of CA failed
> >
> >
> > Could we cover also these cases in the callback?
> >
> > Martin
> >
>
> Added list of allowed attributes.
>
> rob

ACK, works fine.

I would just recommend to split the line with VALID_SUBJECT_ATTRS before pushing, it's quite long.

Martin
Re: [Freeipa-devel] [PATCH] 823 validate certificate subject base
Martin Kosek wrote:

On Thu, 2011-07-07 at 12:02 -0400, Rob Crittenden wrote:

Use John's new DN class to verify that the subject base passed into ipa-server-install is valid.

https://fedorahosted.org/freeipa/ticket/1176

rob

Works fine for basic errors. But what if the DN is syntactically valid, but it makes no sense for CA? For example:

# ipa-server-install --subject="FOO=BAR"
...
Configuring certificate server: Estimated time 6 minutes
  [1/16]: creating certificate server user
  [2/16]: creating pki-ca instance
  [3/16]: restarting certificate server
  [4/16]: configuring certificate server instance
root: CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname vm-099.idm.lab.bos.redhat.com -cs_port 9445 -client_certdb_dir /tmp/tmp-VQeqTM -client_certdb_pwd '' -preop_pin p8NYnreBzTcV8Oq13vCu -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password '' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,FOO=BAR" -ldap_host vm-099.idm.lab.bos.redhat.com -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password '' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd '' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,FOO=BAR" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,FOO=BAR" -ca_server_cert_subject_name "CN=vm-099.idm.lab.bos.redhat.com,FOO=BAR" -ca_audit_signing_cert_subject_name "CN=CA Audit,FOO=BAR" -ca_sign_cert_subject_name "CN=Certificate Authority,FOO=BAR" -external false -clone false' returned non-zero exit status 255
Unexpected error - see ipaserver-install.log for details:
Configuration of CA failed

Could we cover also these cases in the callback?

Martin

Added list of allowed attributes.

rob

>From fcb39d9ab06242916381a63e922f4b93cb048971 Mon Sep 17 00:00:00 2001
From: Rob Crittenden Date: Thu, 7 Jul 2011 11:55:20 -0400 Subject: [PATCH] Validate that the certificate subject base is in valid DN format. https://fedorahosted.org/freeipa/ticket/1176 --- install/tools/ipa-server-install | 21 - 1 files changed, 20 insertions(+), 1 deletions(-) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 35b16dae8c069d510ed0293930a2d026265aa990..8c51154699f84a7e071e3c69883c58eaf2163626 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -58,10 +58,13 @@ from ipapython.ipautil import * from ipalib import api, errors, util from ipalib.parameters import IA5Str from ipapython.config import IPAOptionParser +from ipalib.dn import DN pw_name = None uninstalling = False +VALID_SUBJECT_ATTRS = ['cn', 'st', 'o', 'ou', 'dnqualifier', 'c', 'serialnumber', 'l', 'title', 'sn', 'givenname', 'initials', 'generationqualifier', 'dc', 'mail', 'uid', 'postaladdress', 'postalcode', 'postofficebox', 'houseidentifier', 'e', 'street', 'pseudonym', 'incorporationlocality', 'incorporationstate', 'incorporationcountry', 'businesscategory'] + def zonemgr_callback(option, opt_str, value, parser): """ Make sure the zonemgr is an IA5String. @@ -72,6 +75,21 @@ def zonemgr_callback(option, opt_str, value, parser): ia._convert_scalar(v) parser.values.zonemgr = value +def subject_callback(option, opt_str, value, parser): +""" +Make sure the certificate subject base is a valid DN +""" +name = opt_str.replace('--','') +v = unicode(value, 'utf-8') +try: +dn = DN(v) +for x in xrange(len(dn)): +if dn[x][0].attr.lower() not in VALID_SUBJECT_ATTRS: +raise ValueError('invalid attribute: %s' % dn[x][0].attr.lower()) +except ValueError, e: +raise ValueError('Invalid subject base format: %s' % str(e)) +parser.values.subject = value + def parse_options(): # Guaranteed to give a random 200k range below the 2G mark (uint32_t limit) namespace = random.randint(1, 1) * 20 
@@ -142,7 +160,8 @@ def parse_options(): help="The starting value for the IDs range (default random)") parser.add_option("--idmax", dest="idmax", default=0, type=int, help="The max value value for the IDs range (default: idstart+19)") -parser.add_option("--subject", dest="subject", +parser.add_option("--subject", action="callback", callback=subject_callback, + type="string", help="The certificate subject base (default O=)") parser.add_option("--no_hbac_allow", dest="hbac_allow", default=False, action="store_true", -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
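Review bot: in the @@ -72,6 hunk subject_callback inspects only 'dn[x][0].attr', the first attribute/value pair of each RDN, so a multi-valued RDN such as CN=Example+FOO=BAR passes the check although 'foo' is not in VALID_SUBJECT_ATTRS and is appended to every certificate subject the same way Martin's plain FOO=BAR was. Loop over every pair in the RDN ("for ava in dn[x]: if ava.attr.lower() not in VALID_SUBJECT_ATTRS: raise ValueError(...)") instead of indexing [0]. Two smaller points in the same hunk: "name = opt_str.replace('--','')" is assigned and never used, and raising a bare ValueError from an optparse callback ends in a traceback unless parse_options catches it, whereas optparse.OptionValueError produces the tool's normal "error: ..." usage message.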
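Review bot: the VALID_SUBJECT_ATTRS assignment in the @@ -58,10 hunk is a single line of roughly 450 characters (Martin asked for the same split in his ACK); put one attribute type, or one small group, per line, and since the list is only used for membership tests with .lower() a frozenset of lower-case names states the intent better than a list.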
Re: [Freeipa-devel] [PATCH] 25 Update minimum required version of python-netaddr
On 07/01/2011 09:04 PM, Jan Cholasta wrote:
> On 1.7.2011 16:34, Jakub Hrozek wrote:
>> On 07/01/2011 06:35 AM, Jan Cholasta wrote:
>>> On 28.6.2011 16:14, Jakub Hrozek wrote:
>>>> On 06/28/2011 08:52 AM, Jan Cholasta wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/1288
>>>>>
>>>>> Honza
>>>>>
>>>> I gather this is done in order to get rid of the "try: except all" hack
>>>> in installer?
>>>>
>>>> This works fine with F15 and F16 in mind. However, if the specfile is
>>>> intended for being usable on RHEL as well (at least for development),
>>>> some %if magic is required -- the fix is not there yet.
>>>
>>> Updated so that 0.7.5-3 is required on Fedora >= 15 and RHEL >= 6.
>>>
>>> Honza
>>>
>>
>> Sorry, I wasn't clear in the previous message.
>>
>> The fix so far is *only* in Fedora, not in any RHEL versions. So the
>> versioned requires must apply only to Fedora until we release
>> python-netaddr errata, be it in 6.2 or 6.3
>
> Thanks for the info. I really need to learn more about RHEL :-)
>
> Updated patch attached.
>
> Honza
>

I missed the new revision - sorry.

Ack!
[Freeipa-devel] [PATCH] 208 Entity select widget improvements
The IPA.entity_select_widget has been modified into a searchable and editable drop down list. Ticket #1361 -- Endi S. Dewata From 5affc4f0a2748a1882b4f883b657ffcc5bfbf7d5 Mon Sep 17 00:00:00 2001 From: Endi S. Dewata Date: Fri, 15 Jul 2011 12:18:59 -0500 Subject: [PATCH] Entity select widget improvements The IPA.entity_select_widget has been modified into a searchable and editable drop down list. Ticket #1361 --- install/ui/aci.js| 41 +++-- install/ui/details.js| 53 +++--- install/ui/dialog.js |6 +- install/ui/entitle.js|8 +- install/ui/hbac.js |4 +- install/ui/host.js |9 +- install/ui/ipa.css | 212 +++-- install/ui/jsl.conf |2 +- install/ui/policy.js |9 +- install/ui/search.js | 11 +- install/ui/serverconfig.js |5 +- install/ui/service.js|7 +- install/ui/test/aci_tests.js |2 +- install/ui/test/details_tests.js | 14 +- install/ui/test/widget_tests.js | 11 +- install/ui/user.js | 12 +- install/ui/widget.js | 378 -- 17 files changed, 468 insertions(+), 316 deletions(-) diff --git a/install/ui/aci.js b/install/ui/aci.js index 1a95af0e7f9d663fccb98d472aee3b2a8fee2868..54050c79cfa2f88fae87907cae67bb71affb7082 100644 --- a/install/ui/aci.js +++ b/install/ui/aci.js @@ -50,7 +50,8 @@ IPA.entity_factories.permission = function() { }]}). standard_association_facets(). adder_dialog({ -height: '400', +width: 500, +height: 400, fields:[ 'cn', { @@ -165,12 +166,16 @@ IPA.entity_factories.delegation = function() { fields:[ 'aciname', { -factory:IPA.entity_select_widget, -name: 'group', entity: 'group' +factory: IPA.entity_select_widget, +name: 'group', +other_entity: 'group', +other_field: 'cn' }, { -factory:IPA.entity_select_widget, -name: 'memberof', entity: 'group', +factory: IPA.entity_select_widget, +name: 'memberof', +other_entity: 'group', +other_field: 'cn', join: true }, { 
@@ -183,13 +188,19 @@ IPA.entity_factories.delegation = function() { fields:[ 'aciname', { -factory:IPA.entity_select_widget, -name: 'group', entity: 'group', undo: false +factory: IPA.entity_select_widget, +name: 'group', +other_entity: 'group', +other_field: 'cn', +undo: false }, { -factory:IPA.entity_select_widget, -name: 'memberof', entity: 'group', -join: true, undo: false +factory: IPA.entity_select_widget, +name: 'memberof', +other_entity: 'group', +other_field: 'cn', +join: true, +undo: false }, { factory:IPA.attributes_widget, @@ -402,8 +413,12 @@ IPA.target_section = function(spec) { cols: 30, rows: 1, undo: that.undo }); -that.group_select = IPA.entity_select_widget( -{name: 'targetgroup', entity:'group', undo: that.undo}); +that.group_select = IPA.entity_select_widget({ +name: 'targetgroup', +other_entity: 'group', +other_field: 'cn', +undo: that.undo +}); that.type_select = IPA.select_widget({name: 'type', undo: that.undo}); that.attribute_table = IPA.attributes_widget({ name: 'attrs', undo: that.undo}); @@ -506,7 +521,7 @@ IPA.target_section = function(spec) { that.group_select.create(span); }, load: function(record){ -that.group_select.entity_select.val(record.targetgroup); +that.group_select.list.val(record.targetgroup); }, save: function(record){ record.targetgroup = that.group_select.save()[0]; diff --git a/install/ui/details.js b/install/ui/details.js index b31305c693de767ec2381192759ca9839ca6894c..82804b538618e884025990907e235a6050b8f2b0 100644 --- a/install/ui/details.js +++ b/install/ui/details.js @@ -26,8 +26,8 @@ /* REQUIRES: ipa.js */ -IPA.expanded_icon = 'ui-icon-expanded'; -IPA.collapsed_icon = 'u
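Review bot: the @@ -50,7 hunk gives the permission adder_dialog an explicit "width: 500" (and turns height from the string '400' into the number 400), presumably because the searchable combobox is wider than the old select; the delegation fields in the @@ -165,12 hunk gain the same two IPA.entity_select_widget fields but no width change for their dialog appears in this diff. Check that dialog with a long group name in the list, or give it the same width and numeric height so both dialogs are configured the same way.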
Re: [Freeipa-devel] [PATCH] 825 add dogtag replication management
On 07/18/2011 09:34 AM, Rob Crittenden wrote:

Jan Cholasta wrote:

On 15.7.2011 21:24, Rob Crittenden wrote:

Rich Megginson wrote:

On 07/15/2011 10:57 AM, Rob Crittenden wrote:

Rich Megginson wrote:

On 07/15/2011 08:01 AM, Rob Crittenden wrote:

Martin Kosek wrote:

On Fri, 2011-07-15 at 14:43 +0200, Jan Cholasta wrote:

On 15.7.2011 05:42, Rob Crittenden wrote:

Add a separate tool for now to do dogtag replication agreement management. The syntax is the same for IPA agreements with the exception that the DM password is always required and it isn't possible to delegate the management of this.

ticket https://fedorahosted.org/freeipa/ticket/1250

rob

NACK

'ipa-csreplica-manage list server' doesn't list the peers of the specified server, but the peers of localhost.

Connecting already connected pair of replicas duplicates the replication information ('ipa-csreplica-manage list server' shows the same hostname twice).

There is trailing whitespace on line 87 of the patch.

BTW I don't understand why is it possible (or necessary?) to be able to have CS replication topology that is different from the main IPA replication topology (ipa-csreplica-manage allows you to do that). Is there a reason for this?

Honza

And some issues from me:

1) Unhelpful error message when force-syncing from a master without a replication agreement:

# ipa-csreplica-manage force-sync --from=HOST
Directory Manager password:
ipa: ERROR: Unable to find replication agreement for vm-060.idm.lab.bos.redhat.com
unexpected error: Unable to proceed

2) Minor stuff in man page:

Unindented Exit statuses:
EXIT STATUS
0 if the command was successful
1 if an error occurred

Missing dot:
The default is the machine on which the command is run

Not honoured by the re-initialize command.

Otherwise it looks good.

Martin

This should address all the issues raised.

The reason for different topology has several reasons:

1. A given IPA server may not have a CA installed
2. Some aspects of ipa-replica-manage can be delegated. We can't delegate CS replica management because it is in a different directory server. We don't have users stored there so can't map the GSSAPI credentials. So only Directory Manager can operate on it for now.
3. Flexibility. You may want way more connections for users than for the CA.

+ if starttls:
+ self.conn = ipaldap.IPAdmin(hostname, port=port)
+ ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, CACERT)

Why in the starttls case do you not call ipaldap.IPAdmin(hostname, port=PORT, cacert=CACERT) ?

Because the port is the non-secure port and opening an SSL connection to it failed.

Ah, ok. So that tells IPAdmin to use this CACERT and to use ldaps.

+ managers = entry.getValues('nsDS5ReplicaBindDN')
+ if replica_binddn not in managers:

You might want to use the dn.py code, or at least normalize the DNs in managers before comparing

That's a good idea.

+ if master is None:
+ entry.setValues('nsds5replicaupdateschedule', '-2359 0123456')

You should just omit nsds5replicaupdateschedule

It failed with an operations error when I tried removing the attribute either directly with a MOD_DELETE or doing a MOD_REPLACE with nothing. I assume this is another attribute in cn=config that once set cannot be undone.

Right. Ok. When you add the agreement entry, you can just omit it. But if you are trying to modify an existing agreement entry, you can't MOD_DELETE it or MOD_REPLACE with an empty value.

Ok, good point about normalizing, updated patch attached.

rob

Everything I found is fixed. You might want to take a look at what Martin found, though.

Honza

Updated patch to use the DN class a bit more.

ack

rob
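Two checks in these threads come down to parsing a DN properly. Here, 'if replica_binddn not in managers' compares raw strings, so a bind DN that 389-ds returns with different attribute-type case or spacing is not recognised and gets added a second time; in the ipa-server-install thread (PATCH 823), --subject="FOO=BAR" parses as a perfectly valid DN but names an attribute type the CA cannot use. The block below is an added example serving both passages; it is not FreeIPA's dn.py nor the subject_callback from the patch. It is a small RFC 4514 parser with a canonical form for comparison and an allow-list check that walks every attribute/value pair of a multi-valued RDN, which is the case a first-pair-only check misses. Assumptions, mine rather than the project's: attribute values are compared case-insensitively (as 389-ds does for cn, ou, o and dc), hex escapes are decoded as single ASCII bytes, and the allow-list reuses the attribute names from Rob's VALID_SUBJECT_ATTRS.

```python
import re
import string

# Attribute types a CA subject base may use: the names from VALID_SUBJECT_ATTRS
# in PATCH 823, carried over here as an assumption for the example.
VALID_SUBJECT_ATTRS = frozenset((
    'cn', 'st', 'o', 'ou', 'dnqualifier', 'c', 'serialnumber', 'l', 'title',
    'sn', 'givenname', 'initials', 'generationqualifier', 'dc', 'mail', 'uid',
    'postaladdress', 'postalcode', 'postofficebox', 'houseidentifier', 'e',
    'street', 'pseudonym', 'incorporationlocality', 'incorporationstate',
    'incorporationcountry', 'businesscategory'))

# Descriptor ("cn") or dotted OID ("2.5.4.3"); matched after lower-casing.
_ATTR_TYPE = re.compile(r'^(?:[a-z][a-z0-9-]*|\d+(?:\.\d+)*)$')


def _split_unescaped(s, sep):
    """Split s on sep, leaving backslash-escaped separators alone."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):   # keep the escape pair intact
            cur.append(s[i:i + 2])
            i += 2
        elif s[i] == sep:
            parts.append(''.join(cur))
            cur, i = [], i + 1
        else:
            cur.append(s[i])
            i += 1
    parts.append(''.join(cur))
    return parts


def _unescape(value):
    r"""Decode RFC 4514 escapes: '\,' -> ',' and '\2C' -> ',' (ASCII only)."""
    out, i = [], 0
    while i < len(value):
        pair = value[i + 1:i + 3]
        if value[i] != '\\':
            out.append(value[i])
            i += 1
        elif len(pair) == 2 and all(c in string.hexdigits for c in pair):
            out.append(chr(int(pair, 16)))
            i += 3
        elif i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            raise ValueError('dangling backslash in %r' % value)
    return ''.join(out)


def parse_dn(dn):
    """Parse dn into RDNs, each a list of (type, value) pairs; cn=a+ou=b
    gives two pairs in one RDN, which the allow-list check must walk."""
    rdns = []
    for rdn in (_split_unescaped(dn, ',') if dn.strip() else []):
        avas = []
        for ava in _split_unescaped(rdn, '+'):
            if '=' not in ava:
                raise ValueError('no "=" in RDN %r' % ava)
            attr, value = ava.split('=', 1)
            attr = attr.strip().lower()
            if not _ATTR_TYPE.match(attr):
                raise ValueError('bad attribute type %r' % attr)
            value = value.lstrip(' ')
            while value.endswith(' ') and not value.endswith('\\ '):
                value = value[:-1]   # only unescaped trailing blanks go
            avas.append((attr, _unescape(value)))
        rdns.append(avas)
    return rdns


def canonical_dn(dn):
    """Hashable form for equality: values case-folded (assumption: the
    case-insensitive matching 389-ds uses for cn/ou/o/dc), multi-valued
    RDN pairs sorted, optional whitespace already removed by parse_dn."""
    return tuple(tuple(sorted((a, v.lower()) for a, v in rdn))
                 for rdn in parse_dn(dn))


def dn_in(dn, candidates):
    """Thread 825's test: is dn among the nsDS5ReplicaBindDN values,
    however the server happens to spell them?"""
    want = canonical_dn(dn)
    return any(canonical_dn(c) == want for c in candidates)


def validate_subject_base(subject):
    """Thread 823's check, extended to every pair of a multi-valued RDN.
    Returns the parsed DN or raises ValueError naming the bad attribute."""
    rdns = parse_dn(subject)
    if not rdns:
        raise ValueError('Invalid subject base format: empty DN')
    for attr, _ in (ava for rdn in rdns for ava in rdn):
        if attr not in VALID_SUBJECT_ATTRS:
            raise ValueError('Invalid subject base format: invalid attribute: %s' % attr)
    return rdns
```

With a constructed manager list of ['CN=Replication Manager, CN=config'], the raw 'in' test for 'cn=replication manager,cn=config' is False while dn_in() is True, which is the duplicate-bind-DN case the review asks to normalise away. validate_subject_base('FOO=BAR') and validate_subject_base('CN=Example+FOO=BAR') both raise naming 'foo'; the second would slip past a check that looks at the first pair of each RDN only. Comparing structured tuples rather than re-serialised strings avoids having to re-escape values that contain ',' or '+'.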
Re: [Freeipa-devel] [PATCH] 825 add dogtag replication management
Jan Cholasta wrote:

On 15.7.2011 21:24, Rob Crittenden wrote:

Rich Megginson wrote:

On 07/15/2011 10:57 AM, Rob Crittenden wrote:

Rich Megginson wrote:

On 07/15/2011 08:01 AM, Rob Crittenden wrote:

Martin Kosek wrote:

On Fri, 2011-07-15 at 14:43 +0200, Jan Cholasta wrote:

On 15.7.2011 05:42, Rob Crittenden wrote:

Add a separate tool for now to do dogtag replication agreement management. The syntax is the same for IPA agreements with the exception that the DM password is always required and it isn't possible to delegate the management of this.

ticket https://fedorahosted.org/freeipa/ticket/1250

rob

NACK

'ipa-csreplica-manage list server' doesn't list the peers of the specified server, but the peers of localhost.

Connecting already connected pair of replicas duplicates the replication information ('ipa-csreplica-manage list server' shows the same hostname twice).

There is trailing whitespace on line 87 of the patch.

BTW I don't understand why is it possible (or necessary?) to be able to have CS replication topology that is different from the main IPA replication topology (ipa-csreplica-manage allows you to do that). Is there a reason for this?

Honza

And some issues from me:

1) Unhelpful error message when force-syncing from a master without a replication agreement:

# ipa-csreplica-manage force-sync --from=HOST
Directory Manager password:
ipa: ERROR: Unable to find replication agreement for vm-060.idm.lab.bos.redhat.com
unexpected error: Unable to proceed

2) Minor stuff in man page:

Unindented Exit statuses:
EXIT STATUS
0 if the command was successful
1 if an error occurred

Missing dot:
The default is the machine on which the command is run

Not honoured by the re-initialize command.

Otherwise it looks good.

Martin

This should address all the issues raised.

The reason for different topology has several reasons:

1. A given IPA server may not have a CA installed
2. Some aspects of ipa-replica-manage can be delegated. We can't delegate CS replica management because it is in a different directory server. We don't have users stored there so can't map the GSSAPI credentials. So only Directory Manager can operate on it for now.
3. Flexibility. You may want way more connections for users than for the CA.

+ if starttls:
+ self.conn = ipaldap.IPAdmin(hostname, port=port)
+ ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, CACERT)

Why in the starttls case do you not call ipaldap.IPAdmin(hostname, port=PORT, cacert=CACERT) ?

Because the port is the non-secure port and opening an SSL connection to it failed.

Ah, ok. So that tells IPAdmin to use this CACERT and to use ldaps.

+ managers = entry.getValues('nsDS5ReplicaBindDN')
+ if replica_binddn not in managers:

You might want to use the dn.py code, or at least normalize the DNs in managers before comparing

That's a good idea.

+ if master is None:
+ entry.setValues('nsds5replicaupdateschedule', '-2359 0123456')

You should just omit nsds5replicaupdateschedule

It failed with an operations error when I tried removing the attribute either directly with a MOD_DELETE or doing a MOD_REPLACE with nothing. I assume this is another attribute in cn=config that once set cannot be undone.

Right. Ok. When you add the agreement entry, you can just omit it. But if you are trying to modify an existing agreement entry, you can't MOD_DELETE it or MOD_REPLACE with an empty value.

Ok, good point about normalizing, updated patch attached.

rob

Everything I found is fixed. You might want to take a look at what Martin found, though.

Honza

Updated patch to use the DN class a bit more.

rob

>From 19eb76779357277b059875803b4fb76791393b02 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Thu, 14 Jul 2011 23:35:01 -0400
Subject: [PATCH] Create tool to manage dogtag replication agreements

For the most part the existing replication code worked with the following exceptions:

- Added more port options
- It assumed that initial connections were done to an SSL port. Added ability to use startTLS
- It assumed that the name of the agreement was the same on both sides. In dogtag one is marked as master and one as clone. A new option is added, master, that determines which side we're working on or None if it isn't a dogtag agreement.
- Don't set the attribute exclude list on dogtag agreements
- dogtag doesn't set a schedule by default (which is actually recommended by 389-ds). This causes problems when doing a force-sync though so if one is done we set a schedule to run all the time. Otherwise the temporary schedule can't be removed (LDAP operations error).

https://fedorahosted.org/freeipa/ticket/1250
---
 freeipa.spec.in |7 +-
 install/tools/Makefile.am|1 +
 install/tools/ipa-csreplica-manage | 452 ++
 install/tools/man/Makefile.am|1 +
 install/tools/man/ipa-csreplica-manage.1 | 93 ++
 ipaserver/install/dsinstance.py |
[Freeipa-devel] [PATCH] 32 Don't delete NIS netgroup compat suffix on 'ipa-nis-manage disable'
https://fedorahosted.org/freeipa/ticket/1469

Honza

-- 
Jan Cholasta
Re: [Freeipa-devel] [PATCH] 091 Improve long integer type validation
On Mon, 2011-07-18 at 09:43 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Fri, 2011-07-15 at 17:26 -0400, Rob Crittenden wrote:
> >> Martin Kosek wrote:
> >>> Passing a number of "long" type to IPA Int parameter invokes
> >>> user-unfriendly error message about incompatible types. This patch
> >>> improves Int parameter with user understandable message along with
> >>> maximum value he can pass.
> >>>
> >>> https://fedorahosted.org/freeipa/ticket/1346
> >>
> >> nack. We need to limit Int to 32-bit values because that is what XML-RPC
> >> supports. So if maxvalue isn't set we need to compare against MAXINT and
> >> not sys.maxint.
> >>
> >> rob
> >
> > You are right. Sending a fixed patch.
> >
> > Martin
>
> ACK

Pushed to master, ipa-2-0.

Martin
Re: [Freeipa-devel] [PATCH] 091 Improve long integer type validation
Martin Kosek wrote:

On Fri, 2011-07-15 at 17:26 -0400, Rob Crittenden wrote:

Martin Kosek wrote:

Passing a number of "long" type to IPA Int parameter invokes user-unfriendly error message about incompatible types. This patch improves Int parameter with user understandable message along with maximum value he can pass.

https://fedorahosted.org/freeipa/ticket/1346

nack. We need to limit Int to 32-bit values because that is what XML-RPC supports. So if maxvalue isn't set we need to compare against MAXINT and not sys.maxint.

rob

You are right. Sending a fixed patch.

Martin

ACK
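The nack above turns on a transport fact rather than on Python's own integer range: the XML-RPC int/i4 type is a signed 32-bit value, so a parameter that is fine for Python still has to be rejected before it reaches the wire. The block below is an added example, not FreeIPA's ipalib.parameters.Int or the patch under review: a validator that applies min(maxvalue, MAXINT) as the review asks and names the bound in its message, beside a probe showing that the standard-library marshaller refuses anything larger with OverflowError, which is the unfriendly failure a user would otherwise hit. The function names and message wording are mine; only the 2**31-1 bound comes from the thread.

```python
import xmlrpc.client

MAXINT = (1 << 31) - 1   # XML-RPC <int>/<i4> ceiling, equal to xmlrpc.client.MAXINT
MININT = -(1 << 31)      # and its floor


def validate_int(value, minvalue=None, maxvalue=None):
    """Return None if value can travel as an XML-RPC int, else a message
    for the user naming the bound that was exceeded.

    Whatever maxvalue the parameter declares, the effective ceiling is
    min(maxvalue, MAXINT): the review's point that sys.maxint is the wrong
    reference because the value must survive the XML-RPC transport.
    """
    if isinstance(value, bool) or not isinstance(value, int):
        return 'must be an integer'
    upper = MAXINT if maxvalue is None else min(maxvalue, MAXINT)
    lower = MININT if minvalue is None else max(minvalue, MININT)
    if value > upper:
        return 'can be at most %d' % upper
    if value < lower:
        return 'must be at least %d' % lower
    return None


def transport_accepts(value):
    """True if xmlrpc.client will marshal value as a call parameter.

    The OverflowError it raises otherwise ("int exceeds XML-RPC limits")
    is what a caller sees when no check runs before marshalling.
    """
    try:
        xmlrpc.client.dumps((value,), methodname='user_add')
        return True
    except OverflowError:
        return False


if __name__ == '__main__':
    # Constructed inputs: the boundary, one past it, a 'long' sized value,
    # and one below the floor.
    for v in (MAXINT, MAXINT + 1, 2 ** 40, MININT - 1):
        print('%-16d validate: %-28s transport: %s'
              % (v, validate_int(v), transport_accepts(v)))
```

The probe makes the review's reasoning concrete: a declared maxvalue of 2**40 would let 2**31 through the parameter check, only for xmlrpc.client to refuse it a moment later, so clamping to MAXINT is the only place the user gets a message they can act on.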
Re: [Freeipa-devel] [PATCH] 088 Check IPA configuration in install tools
On 18.7.2011 15:00, Martin Kosek wrote:

On Mon, 2011-07-18 at 14:35 +0200, Jan Cholasta wrote:

On 18.7.2011 09:41, Martin Kosek wrote:

On Fri, 2011-07-15 at 10:14 -0400, Rob Crittenden wrote:

Martin Kosek wrote:

On Wed, 2011-06-22 at 18:03 -0400, Rob Crittenden wrote:

Martin Kosek wrote:

Install tools may fail with unexpected error when IPA server is not installed on a system. Improve user experience by implementing a check to affected tools.

https://fedorahosted.org/freeipa/ticket/1327
https://fedorahosted.org/freeipa/ticket/1347

Can you add a docstring to the check_server_configuration() function?

Looking in each utility it isn't necessarily obvious what this does but my meager attempts at renaming it all failed. I considered is_server_installed() but that implies it would return True/False. Then I considered require_server_configured() but that didn't seem to fit either. We have lots of other check_* so I guess it is fine, but some docs on where/why it is used would be nice.

rob

I see you undertake the same function naming dilemma as I do. I improved documentation for the function, it should help.

Martin

ACK

Merged to current master. Pushed to master, ipa-2-0.

Martin

I've just tried to build current master and got this:

./make-lint
install/tools/ipa-replica-prepare:68: [E0602, parse_options] Undefined variable 'config'

Does anyone run make-lint before submitting a patch or during review at all? :(

Honza

We don't - so that you can rant on the list :-) Of course we do, but this one slipped in. Thanks for catching this. Fixed and pushed under the one-liner rule (patch attached).

Martin

That's a relief, I got frightened for a moment :-)

Honza

-- 
Jan Cholasta
Re: [Freeipa-devel] [PATCH] 088 Check IPA configuration in install tools
On Mon, 2011-07-18 at 14:35 +0200, Jan Cholasta wrote:
> On 18.7.2011 09:41, Martin Kosek wrote:
> > On Fri, 2011-07-15 at 10:14 -0400, Rob Crittenden wrote:
> >> Martin Kosek wrote:
> >>> On Wed, 2011-06-22 at 18:03 -0400, Rob Crittenden wrote:
> >>>> Martin Kosek wrote:
> >>>>> Install tools may fail with unexpected error when IPA server is not
> >>>>> installed on a system. Improve user experience by implementing
> >>>>> a check to affected tools.
> >>>>>
> >>>>> https://fedorahosted.org/freeipa/ticket/1327
> >>>>> https://fedorahosted.org/freeipa/ticket/1347
> >>>>
> >>>> Can you add a docstring to the check_server_configuration() function?
> >>>>
> >>>> Looking in each utility it isn't necessarily obvious what this does but
> >>>> my meager attempts at renaming it all failed. I considered
> >>>> is_server_installed() but that implies it would return True/False. Then
> >>>> I considered require_server_configured() but that didn't seem to fit
> >>>> either. We have lots of other check_* so I guess it is fine, but some
> >>>> docs on where/why it is used would be nice.
> >>>>
> >>>> rob
> >>>
> >>> I see you undertake the same function naming dilemma as I do. I improved
> >>> documentation for the function, it should help.
> >>>
> >>> Martin
> >>
> >> ACK
> >
> > Merged to current master. Pushed to master, ipa-2-0.
> >
> > Martin
> >
>
> I've just tried to build current master and got this:
>
> ./make-lint
> install/tools/ipa-replica-prepare:68: [E0602, parse_options] Undefined
> variable 'config'
>
> Does anyone run make-lint before submitting a patch or during review at
> all? :(
>
> Honza
>

We don't - so that you can rant on the list :-) Of course we do, but this one slipped in. Thanks for catching this.

Fixed and pushed under the one-liner rule (patch attached).

Martin

>From 958e8ac090e148f5d7f8c004e8e39aee3804d1ec Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Mon, 18 Jul 2011 14:50:05 +0200
Subject: [PATCH] Fix typo in ipa-replica-prepare

https://fedorahosted.org/freeipa/ticket/1327
https://fedorahosted.org/freeipa/ticket/1347
---
install/tools/ipa-replica-prepare |1 -
1 files changed, 0 insertions(+), 1 deletions(-)
diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index 14ee539135f0187d576516d640f885eec3602d8a..0c88244b33f46aa87f4f619a0b7053ec14fd7603 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -65,7 +65,6 @@ def parse_options(): default=True, help="disables pkinit setup steps") options, args = parser.parse_args() -config.init_config() if not options.ip_address: if options.reverse_zone: --
1.7.6
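Review bot: Deleting `config.init_config()` from parse_options() is the right fix for the E0602 make-lint reported, since `config` is an undefined name in that file, but the hunk cannot show whether anything later in ipa-replica-prepare relied on the side effects of that call; please confirm the configuration is initialised elsewhere (for instance by the check_server_configuration() call this patch series added) before the values from parse_options() are used. The slip also argues for making ./make-lint part of the pre-push routine, as Honza asked.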
Re: [Freeipa-devel] [PATCH] 088 Check IPA configuration in install tools
On 18.7.2011 09:41, Martin Kosek wrote:
On Fri, 2011-07-15 at 10:14 -0400, Rob Crittenden wrote:
Martin Kosek wrote:
On Wed, 2011-06-22 at 18:03 -0400, Rob Crittenden wrote:
Martin Kosek wrote:
Install tools may fail with unexpected error when IPA server is not installed on a system. Improve user experience by implementing a check to affected tools.
https://fedorahosted.org/freeipa/ticket/1327
https://fedorahosted.org/freeipa/ticket/1347

Can you add a docstring to the check_server_configuration() function?
Looking in each utility it isn't necessarily obvious what this does but my meager attempts at renaming it all failed. I considered is_server_installed() but that implies it would return True/False. Then I considered require_server_configured() but that didn't seem to fit either. We have lots of other check_* so I guess it is fine, but some docs on where/why it is used would be nice.
rob

I see you undertake the same function naming dilemma as I do. I improved documentation for the function, it should help.
Martin

ACK

Merged to current master. Pushed to master, ipa-2-0.
Martin

I've just tried to build current master and got this:
./make-lint
install/tools/ipa-replica-prepare:68: [E0602, parse_options] Undefined variable 'config'
Does anyone run make-lint before submitting a patch or during review at all? :(
Honza
--
Jan Cholasta
Re: [Freeipa-devel] [PATCH] 096 Fix ipa-dns-install incorrect warning
On 18.7.2011 12:56, Martin Kosek wrote: ipa-dns-install incorrectly warns about non-local IP addresses when installing without --ip-address parameter. https://fedorahosted.org/freeipa/ticket/1486 IMO the warning message should be removed from parse_ip_address altogether, as the local IP address check is done in CheckedIPAddress.__init__. This makes both parse_ip_address and verify_ip_address unnecessary, because all they do is call CheckedIPAddress, so calls to them should be replaced with calls to CheckedIPAddress directly. I've made a patch that does all of this and also removes some redundant IP address checks from ipa-server-install, see attachment. Honza -- Jan Cholasta >From 947708b36bdf6979e11850217a98738f01f896f0 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Mon, 18 Jul 2011 13:36:47 +0200 Subject: [PATCH] Clean up of IP address checks in install scripts. Fixes ipa-dns-install incorrect warning. ticket 1486 --- install/tools/ipa-dns-install | 12 +--- install/tools/ipa-replica-install |4 ++-- install/tools/ipa-server-install | 22 -- ipaserver/install/installutils.py | 13 ++--- 4 files changed, 13 insertions(+), 38 deletions(-) diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install index cc091dd..917cb1c 100755 --- a/install/tools/ipa-dns-install +++ b/install/tools/ipa-dns-install @@ -109,13 +109,11 @@ def main(): ip = options.ip_address else: hostaddr = resolve_host(api.env.host) -ip = hostaddr and ipautil.CheckedIPAddress(hostaddr) - -try: -verify_ip_address(ip) -except Exception, e: -print "Error: Invalid IP Address %s: %s" % (ip, e) -ip = None +try: +ip = hostaddr and ipautil.CheckedIPAddress(hostaddr, match_local=True) +except Exception, e: +print "Error: Invalid IP Address %s: %s" % (ip, e) +ip = None if not ip: if options.unattended: diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index d499754..6531421 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install 
@@ -186,7 +186,7 @@ def install_bind(config, options): ip_address = resolve_host(config.host_name) if not ip_address: sys.exit("Unable to resolve IP address for host name") -ip = installutils.parse_ip_address(ip_address) +ip = ipautil.CheckedIPAddress(ip_address, match_local=True) ip_address = str(ip) if options.reverse_zone: @@ -225,7 +225,7 @@ def install_dns_records(config, options): ip_address = resolve_host(config.host_name) if not ip_address: sys.exit("Unable to resolve IP address for host name") -ip = installutils.parse_ip_address(ip_address) +ip = ipautil.CheckedIPAddress(ip_address, match_local=True) ip_address = str(ip) reverse_zone = bindinstance.find_reverse_zone(ip) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 35b16da..186b904 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -603,20 +603,11 @@ def main(): if hostaddr is not None: ip = CheckedIPAddress(hostaddr, match_local=True) else: -if not options.ip_address: -print "Unable to resolve IP address for host name" ip = options.ip_address -if ip is None and options.unattended: -sys.exit("Unable to resolve IP address for host name") - -if ip: -try: -verify_ip_address(ip) -except Exception, e: -print "Error: Invalid IP Address %s: %s" % (ip, e) -if options.unattended: -sys.exit(1) -ip = None +if ip is None: +print "Unable to resolve IP address for host name" +if options.unattended: +sys.exit(1) if options.ip_address: if options.ip_address != ip and not options.setup_dns: @@ -626,11 +617,6 @@ def main(): return 1 ip = options.ip_address -try: -verify_ip_address(ip) -except Exception, e: -print "Error: Invalid IP Address %s: %s" % (ip, e) -sys.exit(1) if ip is None: ip = read_ip_address(host_name, fstore) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 68fce7e..0cdc906 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py 
@@ -164,15 +164,6 @@ def verify_fqdn(host_name,no_host_dns=False): else: print "Warning: Hostname (%s) not found in DNS" % host_name -def parse_ip_address(addr, match_local=True, parse_netmask=True): -ip = ipautil.CheckedIPAddress(addr, match_local=match_local, parse_netmask=parse_netmask) -if match_local and not ip.is_local(): -print "Warning: No network interface matches IP address %s" % addr -return ip - -def verify_ip_address
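Review bot: In the ipa-dns-install hunk the `except Exception, e:` handler prints `ip` in "Error: Invalid IP Address %s: %s" although the assignment `ip = hostaddr and ipautil.CheckedIPAddress(hostaddr, match_local=True)` inside the try has just failed; unless `ip` was bound earlier in main() (not visible in the diff), the else branch reaches the handler with `ip` unbound and the error path dies with UnboundLocalError instead of printing the message. Print `hostaddr`, the value that was actually rejected, and keep the `ip = None` fallback.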
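Review bot: Both ipa-replica-install hunks (install_bind and install_dns_records) replace installutils.parse_ip_address() with ipautil.CheckedIPAddress(ip_address, match_local=True) without adding an import, so check that ipa-replica-install already imports ipautil; this is exactly the undefined-name class of error make-lint caught in patch 088 earlier in the day, so run ./make-lint before pushing. Also, CheckedIPAddress raises on an invalid or non-local address (the ipa-dns-install hunk wraps it in try/except for that reason) and these two call sites have no handler, so such a host now exits with a traceback where the surrounding code uses sys.exit() with a message.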
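Review bot: The two ipa-server-install hunks remove the verify_ip_address(ip) calls that followed `ip = options.ip_address`, so the user-supplied --ip-address value is now used in main() without any check; that is only safe if the option parser already turns --ip-address into a CheckedIPAddress with the local-interface check, which the diff does not show. Please state in the commit message where --ip-address is validated, or keep one CheckedIPAddress(options.ip_address, match_local=True) call at the point the value is adopted.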
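Review bot: The installutils.py hunk deletes parse_ip_address() and verify_ip_address() outright, and the diffstat lists only three install scripts as updated callers; grep the tree for any other user of either function before pushing, since a remaining caller fails at runtime with an AttributeError and make-lint will flag it.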
[Freeipa-devel] [PATCH] 096 Fix ipa-dns-install incorrect warning
ipa-dns-install incorrectly warns about non-local IP addresses when installing without --ip-address parameter.
https://fedorahosted.org/freeipa/ticket/1486

From befac1fc7221cddae0fbda67c4a72297b5377906 Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Mon, 18 Jul 2011 12:54:03 +0200
Subject: [PATCH] Fix ipa-dns-install incorrect warning

ipa-dns-install incorrectly warns about non-local IP addresses when installing without --ip-address parameter.

https://fedorahosted.org/freeipa/ticket/1486
---
install/tools/ipa-dns-install |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index 7c83dc8694ffec94299979b163818794db57ccf5..56edccadeebd2ece7db9415ebf0aac69eb64ba29 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -112,7 +112,7 @@ def main(): ip = options.ip_address else: hostaddr = resolve_host(api.env.host) -ip = hostaddr and ipautil.CheckedIPAddress(hostaddr) +ip = hostaddr and parse_ip_address(hostaddr) try: verify_ip_address(ip) --
1.7.6
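Review bot: The hunk swaps ipautil.CheckedIPAddress(hostaddr) for parse_ip_address(hostaddr), but the unchanged context still calls verify_ip_address(ip) right afterwards, so the resolved address is now constructed and checked twice (parse_ip_address itself builds a CheckedIPAddress with match_local=True and prints the non-local warning). Calling ipautil.CheckedIPAddress(hostaddr, match_local=True) once and handling its exception, as Honza's follow-up patch does, avoids the duplicate check; also confirm parse_ip_address is imported into ipa-dns-install, since the hunk shows no import change.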
Re: [Freeipa-devel] [PATCH] 826 fix failing memberof tests
On 15.7.2011 23:20, Rob Crittenden wrote:
With the recent object_name/label changes some tests were failing that were expecting the old value which contained a space. This fixes them.
rob

ACK.
Honza
--
Jan Cholasta
Re: [Freeipa-devel] [PATCH] 824 make more sensible nicknames
On 11.7.2011 23:48, Rob Crittenden wrote:
When loading a chained CA from a PKCS#7 or PEM file we used to use very generic nicknames, sometimes as bad as "Imported CA" in the case of winsync. This will use the subject of the cert to get the nickname instead.
I also extended the API of some of the x509 functions to optionally take in the NSS database dir. I had originally used this in the patch but did it another way but still thought the changes useful.
ticket https://fedorahosted.org/freeipa/ticket/1141
Word of warning, this is going to require a fair bit of testing. The way to test it is to install with an external CA, then install a replica with a CA to be sure that works as well. Testing basic installs would be handy as well.
rob

ACK, everything seems to work fine.
Honza
--
Jan Cholasta
Re: [Freeipa-devel] [PATCH] 817 Add option to wait for values
On Sun, 2011-07-17 at 17:42 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Martin Kosek wrote:
> >> On Tue, 2011-07-05 at 13:41 -0400, Rob Crittenden wrote:
> >>> Rob Crittenden wrote:
> Rob Crittenden wrote:
> > 389-ds postop plugins, such as the managed entry and memberof plugins,
> > add values after the data has been returned to the client. In the case
> > of the managed entry plugin this affects the parent entry as well (adds
> > an objectclass value).
> >
> > This wreaks havoc on our tests as the values don't match what we
> > expect.
> >
> > The solution is to wait for the postop plugins to finish their work,
> > then return. I've added this as an option. The downside is it is going
> > to naturally slow things down, so it is off by default.
> >
> > It is currently only used in the hostgroup plugin.
> >
> > The option is wait_for_attr. Add this to ~/.ipa/default.conf and set it
> > to True and all the current tests will pass (assuming you apply patches
> > 814-816 as well).
> >
> > So now we won't have any excuses for missing test failures in the unit
> > tests...
> >
> > rob
>
> Bah, found a small problem. Self-NACK.
>
> rob
> >>>
> >>> Updated patch attached.
> >>>
> >>> Note that I don't think there is a way for us to handle things like
> >>> memberof_indirect. We wouldn't know to wait.
> >>>
> >>> rob
> >>
> >> Works fine for the hostgroup entry. It's good it can be switched on/off.
> >>
> >> But what about other managed entries, like user entry? Would it make
> >> sense to add a wait here too? Or maybe something systematic to baseldap
> >> so that we wouldn't have to implement this wait to every managed entry.
> >>
> >> Martin
> >>
> >
> > I can certainly add it to users to check for managed groups. Making it
> > generic would be difficult because some are conditional (such as users).
> >
> > rob
>
> Added support for managed users as well.
>
> rob

Waiting for managed users works too.
However, I have just noticed that the entire solution works only partially. It waits for mepOriginEntry objectclass, but it doesn't add the new LDAP attributes "mepmanagedentry" and "memberof" to the -add result:

# ipa hostgroup-add hgroup3 --desc=foo --all --raw
-
Added hostgroup "hgroup3"
-
dn: cn=hgroup3,cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
cn: hgroup3
description: foo
ipauniqueid: 20d1b8e4-b114-11e0-ab28-00163e0ed706
objectclass: ipaobject
objectclass: ipahostgroup
objectclass: nestedGroup
objectclass: groupOfNames
objectclass: top
objectclass: mepOriginEntry

# ipa hostgroup-show hgroup3 --all --raw
dn: cn=hgroup3,cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
cn: hgroup3
description: foo
ipauniqueid: 20d1b8e4-b114-11e0-ab28-00163e0ed706
memberof: cn=hgroup3,cn=ng,cn=alt,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com <
mepmanagedentry: cn=hgroup3,cn=ng,cn=alt,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com <
objectclass: ipaobject
objectclass: ipahostgroup
objectclass: nestedGroup
objectclass: groupOfNames
objectclass: top
objectclass: mepOriginEntry

# ipa user-add --first=Foo --last=Bar fbar2 --all --raw
--
Added user "fbar2"
--
dn: uid=fbar2,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
uid: fbar2
givenname: Foo
sn: Bar
cn: Foo Bar
displayname: Foo Bar
initials: FB
homedirectory: /home/fbar2
gecos: Foo Bar
loginshell: /bin/sh
krbprincipalname: fb...@idm.lab.bos.redhat.com
uidnumber: 52464
gidnumber: 52464
ipauniqueid: b22ab54c-b115-11e0-b354-00163e0ed706
krbpwdpolicyreference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
objectclass: top
objectclass: person
objectclass: organizationalperson
objectclass: inetorgperson
objectclass: inetuser
objectclass: posixaccount
objectclass: krbprincipalaux
objectclass: krbticketpolicyaux
objectclass: ipaobject
objectclass: mepOriginEntry

# ipa user-show fbar2 --all --raw
dn: uid=fbar2,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
uid: fbar2
givenname: Foo
sn: Bar
cn: Foo Bar
displayname: Foo Bar
initials: FB
homedirectory: /home/fbar2
gecos: Foo Bar
loginshell: /bin/sh
krbprincipalname: fb...@idm.lab.bos.redhat.com
uidnumber: 52464
gidnumber: 52464
nsaccountlock: False
ipauniqueid: b22ab54c-b115-11e0-b354-00163e0ed706
krbpwdpolicyreference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
memberof: cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com <
mepmanagedentry: cn=fbar2,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com <
objectclass: top
objectclass: person
objectclass: organizationalperso
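As an added example (not code from the thread or from FreeIPA), a poller in the spirit of the wait_for_attr option, run against a constructed in-memory directory that reveals the plugin-added values one read at a time; it reproduces the partial result Martin observed when only the mepOriginEntry objectclass is awaited, and shows that naming every postop value yields the complete entry. FakeDirectory, wait_for_attrs and the example DNs are assumptions.

```python
import time

class FakeDirectory:
    """Constructed stand-in for an LDAP server whose postop plugins finish
    after the ADD result has gone back: each read reveals one more value."""
    def __init__(self, entry, postop_values):
        self.entry = {k: list(v) for k, v in entry.items()}
        self.pending = list(postop_values)  # (attr, value) still to appear
        self.reads = 0

    def get_entry(self, dn):
        self.reads += 1
        if self.pending:
            attr, value = self.pending.pop(0)
            self.entry.setdefault(attr, []).append(value)
        return {k: list(v) for k, v in self.entry.items()}

def wait_for_attrs(conn, dn, expected, timeout=2.0, interval=0.0):
    """Re-read dn until every (attr, value) pair in expected is present
    (attribute names compare case-insensitively, as in LDAP); raise
    TimeoutError if the entry never completes within timeout seconds."""
    wanted = [(a.lower(), v) for a, v in expected]
    deadline = time.monotonic() + timeout
    while True:
        entry = conn.get_entry(dn)
        present = {k.lower(): v for k, v in entry.items()}
        missing = [(a, v) for a, v in wanted if v not in present.get(a, [])]
        if not missing:
            return entry
        if time.monotonic() >= deadline:
            raise TimeoutError("%s still lacks %r" % (dn, missing))
        time.sleep(interval)

# Constructed data modelled on the hostgroup-add output quoted above.
DN = "cn=hgroup3,cn=hostgroups,cn=accounts,dc=example,dc=com"
NG = "cn=hgroup3,cn=ng,cn=alt,dc=example,dc=com"
POSTOP = [("objectclass", "mepOriginEntry"),  # managed entry plugin
          ("mepmanagedentry", NG),            # managed entry plugin
          ("memberof", NG)]                   # memberof plugin, last

def fresh_directory():
    base = {"cn": ["hgroup3"], "description": ["foo"],
            "objectclass": ["ipaobject", "ipahostgroup", "nestedGroup",
                            "groupOfNames", "top"]}
    return FakeDirectory(base, POSTOP)

def wait_on_objectclass_only():
    """The thread's finding: waiting for the objectclass alone returns
    before mepmanagedentry and memberof exist. Returns (complete?, reads)."""
    d = fresh_directory()
    entry = wait_for_attrs(d, DN, [("objectclass", "mepOriginEntry")])
    return "memberof" in entry, d.reads

def wait_on_every_postop_value():
    # Waiting for each value the plugins add yields the complete entry.
    d = fresh_directory()
    return "memberof" in wait_for_attrs(d, DN, POSTOP), d.reads

def wait_gives_up():
    # A value no plugin will ever add must time out, not spin forever.
    d = fresh_directory()
    try:
        wait_for_attrs(d, DN, [("memberof", "cn=nobody,dc=example,dc=com")], timeout=0.05)
    except TimeoutError:
        return True
    return False
```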
Re: [Freeipa-devel] [PATCH] 093 Add new dnszone-find test
On Fri, 2011-07-15 at 13:42 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > Implement a test for new dnszone-find option --forward-only.
> > Fix example for reverse zone (zone was not fully qualified and
> > DNS plugin would forbid adding PTR records).
> >
> > https://fedorahosted.org/freeipa/ticket/1473
>
> This looks ok, just one minor thing: can you add deleting the new
> reverse dnszone to the cleanup command? ACK with that.
>
> thanks
>
> rob

Added 2 missing DNS zones to the test cleanup. Pushed to master.

Martin
Re: [Freeipa-devel] [PATCH] 088 Check IPA configuration in install tools
On Fri, 2011-07-15 at 10:14 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Wed, 2011-06-22 at 18:03 -0400, Rob Crittenden wrote:
> >> Martin Kosek wrote:
> >>> Install tools may fail with unexpected error when IPA server is not
> >>> installed on a system. Improve user experience by implementing
> >>> a check to affected tools.
> >>>
> >>> https://fedorahosted.org/freeipa/ticket/1327
> >>> https://fedorahosted.org/freeipa/ticket/1347
> >>
> >> Can you add a docstring to the check_server_configuration() function?
> >>
> >> Looking in each utility it isn't necessarily obvious what this does but
> >> my meager attempts at renaming it all failed. I considered
> >> is_server_installed() but that implies it would return True/False. Then
> >> I considered require_server_configured() but that didn't seem to fit
> >> either. We have lots of other check_* so I guess it is fine, but some
> >> docs on where/why it is used would be nice.
> >>
> >> rob
> >
> > I see you undertake the same function naming dilemma as I do. I improved
> > documentation for the function, it should help.
> >
> > Martin
>
> ACK

Merged to current master. Pushed to master, ipa-2-0.

Martin
Re: [Freeipa-devel] [PATCH] 091 Improve long integer type validation
On Fri, 2011-07-15 at 17:26 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > Passing a number of "long" type to IPA Int parameter invokes
> > user-unfriendly error message about incompatible types. This patch
> > improves Int parameter with user understandable message along with
> > maximum value he can pass.
> >
> > https://fedorahosted.org/freeipa/ticket/1346
>
> nack. We need to limit Int to 32-bit values because that is what XML-RPC
> supports. So if maxvalue isn't set we need to compare against MAXINT and
> not sys.maxint.
>
> rob

You are right. Sending a fixed patch.

Martin

From ada8023da76e12139593559ddc9b78865faf26bd Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Thu, 14 Jul 2011 09:14:07 +0200
Subject: [PATCH] Improve long integer type validation

Passing a number of "long" type to IPA Int parameter invokes user-unfriendly error message about incompatible types. This patch improves Int parameter with user understandable message along with maximum value he can pass.

https://fedorahosted.org/freeipa/ticket/1346
---
ipalib/parameters.py | 24
1 files changed, 24 insertions(+), 0 deletions(-)
diff --git a/ipalib/parameters.py b/ipalib/parameters.py
index da3b05cf731578a70f32f5b3d922c670c74cb898..982b192a7776f575ac97e7ed2178c9910f0915e4 100644
--- a/ipalib/parameters.py
+++ b/ipalib/parameters.py
@@ -1066,6 +1066,30 @@ class Int(Number): maxvalue=self.maxvalue, ) +def _validate_scalar(self, value, index=None): +if type(value) is long: +# too big number for int type to hold +if self.maxvalue is not None: +raise ValidationError( +name=self.name, +value=value, +index=index, +error=_('can be at most %(maxvalue)d') % dict( +maxvalue=self.maxvalue, +) +) +else: +raise ValidationError( +name=self.name, +value=value, +index=index, +error=_('can be at most %(maxvalue)d') % dict( +maxvalue=MAXINT, +) +) +super(Int, self)._validate_scalar(value, index) + + class Float(Number): """ A parameter for floating-point values (stored in the ``float`` type). -- 1.7.6
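Review bot: `if type(value) is long:` in the new _validate_scalar() only fires for values Python 2 has already promoted to long, i.e. above sys.maxint; on a 64-bit host that is 2**63-1, so a value such as 2**40 stays an int, skips this branch and is never compared against MAXINT, which is the 32-bit XML-RPC limit Rob's nack asked for, while a small value that happens to arrive as a long is rejected although it fits. Compare the magnitude rather than the type: `limit = self.maxvalue if self.maxvalue is not None else MAXINT` and raise when `value > limit`, which also collapses the two identical raise blocks into one. A large negative value currently gets the same "can be at most" message, so a symmetric lower bound with its own wording is worth adding, and the hunk shows no import or definition of MAXINT in parameters.py, so verify it is available there.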