Re: [Freeipa-devel] [PATCH] 0273-fix-navigation
On 07/21/2011 11:34 PM, Adam Young wrote: This is a portion of patch 0270, with just the navigation changes. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel From 77ea872d496131ac99d85678641d3672278cc58e Mon Sep 17 00:00:00 2001 From: Adam Young Date: Thu, 21 Jul 2011 23:26:35 -0400 Subject: [PATCH] fix navigation --- install/ui/navigation.js | 26 +- 1 files changed, 21 insertions(+), 5 deletions(-) diff --git a/install/ui/navigation.js b/install/ui/navigation.js index be2936dca1a0e86e81658e23cbdb0fc3aca7a4de..f6bd6f160d4ae9724e9decf3ea94a1fb77bbca85 100644 --- a/install/ui/navigation.js +++ b/install/ui/navigation.js @@ -112,13 +112,25 @@ IPA.navigation = function(spec) { var url_state ={}; var key = 'navigation'; + + + while(state[key]){ var value = state[key]; url_state[key] = value; key = value; } -/*We are at the leaf node, which is the sleected entity.*/ +/*We are at the lowest level defined in the heirarchy, which is + either the leaf node or the last containing node in the navigation +site map*/ +var tab = that.get_tab(value); + +while (tab.children){ +tab = tab.children[0]; +} +value = tab.entity.name; + var entity = value; for (var key2 in state){ if ((key2 === entity) || (key2.search('^'+entity +'-') > -1)){ @@ -181,10 +193,14 @@ IPA.navigation = function(spec) { } if (pkeys) { -var current_entity = entity; -while (current_entity){ -state[current_entity.name + '-pkey'] = pkeys.pop(); -current_entity = current_entity.containing_entity; +if (pkeys instanceof Array){ +var current_entity = entity; +while (current_entity){ +state[current_entity.name + '-pkey'] = pkeys.pop(); +current_entity = current_entity.containing_entity; +} +}else{ +state[entity.name + '-pkey'] = pkeys; } } -- 1.7.5.2 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 0273-fix-navigation
This is a portion of patch 0270, with just the navigation changes. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0270-removing-setters-setup-and-init
On 07/20/2011 11:11 PM, Endi Sukma Dewata wrote: On 7/20/2011 9:18 PM, Adam Young wrote: 8. Triggering a stack trace by calling null function probably will only work with Firebug, normal users will not get any notification about the error. This happens in dialog.js:301 and widget.js:1137. Gonna leave this, as we will catch things in development, and it won't happen on the live servers. These are "never reach" type conditions. Would it be better to throw an exception instead? Possibly. This code is going to get caught by the catch block in ipa.js get_entity anyway, so there is not much difference. Let's use the more common way to report error, which in this case throw an exception rather than invoking null function to do the same thing. We can attach useful information there even though it's only for development. Fixed 12. The search filter doesn't work initially. Reload the UI main page, (make sure there's no URL parameters), enter a filter, then hit Enter or click the icon, there's nothing happening. Go to another tab, then come back to the main page. Now the filter will work. Fixed. Was a pre existing problem in navigation.js, around line 115 It's still not working, now there's a js error in navigation.js:129. Fixed. Issues from the other email (20 on up ) are not yet addressed. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry
On Apr 25, 2011, at 9:00 AM, Simo Sorce wrote: > On Mon, 2011-04-25 at 14:59 +, JR Aquino wrote: >> On Apr 25, 2011, at 6:43 AM, Simo Sorce wrote: >> >>> On Thu, 2011-04-21 at 23:28 +, JR Aquino wrote: Hmmm Both Private Groups and the Hostgroup -> Netgroup Managed Entries create objects in the container: cn=Managed Entries,cn=plugins,cn=config Each Ldif contains 2 ldap objects. One that lives in the main $SUFFIX, and one in the cn=config How will these be treated by replication and the multi masters? >>> >>> Only the common objects in the public suffix are replicated. >>> I think at some point we discussed that we should use a filter in the >>> private config entry made so that we could enable/disable the plugin by >>> simply making the filter result true/false. >>> Thus not ever touch the entries in cn=config but simply >>> "enable"/"disable" the functionality by (not)adding the appropriate >>> attributes to objects so that filters would (not) match. >>> >>> Simo. >> >> This tool works by toggling the originfilter: objectclass=disabled in order >> to turn off the plugin. > > But this is backwards, because originfilter is defined in the > configuration entry stored in cn=config > > Meaning as soon as you change it one server will behave differently from > the others until you go and change it on each and every server. Finally able to revisit this Patch / Ticket: (To be used in conjunction with Patch 38) 25 Create Tool for Enabling/Disabling Managed Entry Plugins https://fedorahosted.org/freeipa/ticket/1181 Remove legacy ipa-host-net-manage Add ipa-managed-entries tool Add man page for ipa-managed-entries tool binnZSMRerxG0.bin Description: freeipa-jraquino-0025-Create-Tool-for-Enabling-Disabling-Managed-Entries.patch ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 38 Move Managed Entries into their own container in the replicated space.
Create: cn=Managed Entries,cn=etc,$SUFFIX Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX Create method for migrating any and all custom Managed Entries from the cn=config space into the new container. The Managed Entries plugin configurations weren't being created on replica installs. This patch addresses two seperate tickets and accounts for new installs, replica installs, and upgrades. https://fedorahosted.org/freeipa/ticket/1181 - Managed Entry Tool / New Container https://fedorahosted.org/freeipa/ticket/1222 - Add Managed Entries during Replica installation bin4Vi5JD3D3Q.bin Description: freeipa-jraquino-0038-Move-Managed-Entries-into-their-own-container.patch ~ Jr Aquino, GCIH | Information Security Specialist Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117 T: +1 805.690.3478 jr.aqu...@citrixonline.com http://www.citrixonline.com ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Adding message summary while adding and deleting automount location.
Great Job Shanks!! - Original Message - > On Thu, 2011-07-21 at 18:52 +0530, Gowrishankar Rajaiyan wrote: > > Hi All, > > > > This patch fixes > > - https://fedorahosted.org/freeipa/ticket/1510 > > - https://fedorahosted.org/freeipa/ticket/1509 > > QEs sending patches for the bugs they found - good job there. > > I went one step further and updated all automount summary messages so > that we are consistent on the plugin. > > The proposed patch is attached, tests are clean. > > Martin > > ___ > Freeipa-devel mailing list > Freeipa-devel@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ Jenny Galipeau Principal Software QA Engineer Red Hat, Inc. Security Engineering ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 837 autofill default revocation reason
The default revocation reason wasn't autofilling so trying to retrieve it when it wasn't set caused things to blow up. ticket https://fedorahosted.org/freeipa/ticket/1514 >From ea00b59d3c3ae61cd60d24120a9b9cbe5baa41c6 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Thu, 21 Jul 2011 16:46:01 -0400 Subject: [PATCH] Autofill the default revocation reason https://fedorahosted.org/freeipa/ticket/1514 --- API.txt|2 +- ipalib/plugins/cert.py |1 + 2 files changed, 2 insertions(+), 1 deletions(-) diff --git a/API.txt b/API.txt index 863adb0..dea82e2 100644 --- a/API.txt +++ b/API.txt @@ -315,7 +315,7 @@ output: Output('result', , Gettext('Dictionary mapping variable nam command: cert_revoke args: 1,1,1 arg: Str('serial_number', validate_serial_number, label=Gettext('Serial number', domain='ipa', localedir=None), normalizer=normalize_serial_number) -option: Int('revocation_reason?', default=0, label=Gettext('Reason', domain='ipa', localedir=None), maxvalue=10, minvalue=0) +option: Int('revocation_reason?', autofill=True, default=0, label=Gettext('Reason', domain='ipa', localedir=None), maxvalue=10, minvalue=0) output: Output('result', None, None) command: cert_show args: 1,1,1 diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py index 643e1cd..2c8ab49 100644 --- a/ipalib/plugins/cert.py +++ b/ipalib/plugins/cert.py @@ -536,6 +536,7 @@ class cert_revoke(VirtualCommand): minvalue=0, maxvalue=10, default=0, +autofill=True ), ) -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 836 Don't check for leading/trailing spaces on cert
Rob Crittenden wrote: Don't check for leading/trailing spaces when loading an entitlement cert ticket https://fedorahosted.org/freeipa/ticket/1505 With API.txt update, doesn't affect wire protocol. >From cc125874a54e4db66136817eb2a92f15be90d344 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Thu, 21 Jul 2011 11:14:10 -0400 Subject: [PATCH] Don't check for leading/trailing spaces when loading an entitlement cert It very well may consist of extra spaces, the MIME encoder will handle these. https://fedorahosted.org/freeipa/ticket/1505 --- API.txt |2 +- freeipa.spec.in |7 +-- ipalib/plugins/entitle.py |1 + 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/API.txt b/API.txt index 0ceb3a7..863adb0 100644 --- a/API.txt +++ b/API.txt @@ -874,7 +874,7 @@ output: Output('count', , 'Number of entries returned') output: Output('truncated', , 'True if not all results were returned') command: entitle_import args: 1,3,1 -arg: File('usercertificate*', validate_certificate, cli_name='certificate_file') +arg: File('usercertificate*', validate_certificate, cli_name='certificate_file', noextrawhitespace=False) option: Str('addattr*', validate_add_attribute, cli_name='addattr', exclude='webui') option: Str('setattr*', validate_set_attribute, cli_name='setattr', exclude='webui') option: Str('uuid?', autofill=True, default=u'IMPORTED', flags=['no_create', 'no_update'], label=Gettext('UUID', domain='ipa', localedir=None)) diff --git a/freeipa.spec.in b/freeipa.spec.in index f476a2c..6ba1536 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -81,7 +81,7 @@ Requires: nss-tools Requires: krb5-server Requires: krb5-server-ldap Requires: krb5-pkinit-openssl -Requires: cyrus-sasl-gssapi +Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp Requires: httpd Requires: mod_wsgi @@ -143,7 +143,7 @@ Summary: IPA authentication for use on clients Group: System Environment/Base Requires: %{name}-python = %{version}-%{release} Requires: python-ldap -Requires: cyrus-sasl-gssapi +Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp Requires: krb5-workstation Requires: authconfig @@ -511,6 +511,9 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf %changelog +* Wed Jul 20 2011 Rob Crittenden - 2.0.90-7 +- Make cyrus-sasl-gssapi requires arch-specific + * Thu Jul 14 2011 Rob Crittenden - 2.0.90-6 - Add ipa-csreplica-manage tool. diff --git a/ipalib/plugins/entitle.py b/ipalib/plugins/entitle.py index 1c1b708..1c945fe 100644 --- a/ipalib/plugins/entitle.py +++ b/ipalib/plugins/entitle.py @@ -596,6 +596,7 @@ class entitle_import(LDAPUpdate): takes_args = ( File('usercertificate*', validate_certificate, cli_name='certificate_file', +noextrawhitespace=False, ), ) -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 836 Don't check for leading/trailing spaces on cert
Don't check for leading/trailing spaces when loading an entitlement cert ticket https://fedorahosted.org/freeipa/ticket/1505 >From 67e91eda119389a10161838dd446aa20b0c43eae Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Thu, 21 Jul 2011 11:14:10 -0400 Subject: [PATCH] Don't check for leading/trailing spaces when loading an entitlement cert It very well may consist of extra spaces, the MIME encoder will handle these. https://fedorahosted.org/freeipa/ticket/1505 --- freeipa.spec.in |7 +-- ipalib/plugins/entitle.py |1 + 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 5b6d993..fdb11af 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -81,7 +81,7 @@ Requires: nss-tools Requires: krb5-server Requires: krb5-server-ldap Requires: krb5-pkinit-openssl -Requires: cyrus-sasl-gssapi +Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp Requires: httpd Requires: mod_wsgi @@ -143,7 +143,7 @@ Summary: IPA authentication for use on clients Group: System Environment/Base Requires: %{name}-python = %{version}-%{release} Requires: python-ldap -Requires: cyrus-sasl-gssapi +Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp Requires: krb5-workstation Requires: authconfig @@ -514,6 +514,9 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf %changelog +* Wed Jul 20 2011 Rob Crittenden - 2.0.90-7 +- Make cyrus-sasl-gssapi requires arch-specific + * Thu Jul 14 2011 Rob Crittenden - 2.0.90-6 - Add ipa-csreplica-manage tool. diff --git a/ipalib/plugins/entitle.py b/ipalib/plugins/entitle.py index 1c1b708..1c945fe 100644 --- a/ipalib/plugins/entitle.py +++ b/ipalib/plugins/entitle.py @@ -596,6 +596,7 @@ class entitle_import(LDAPUpdate): takes_args = ( File('usercertificate*', validate_certificate, cli_name='certificate_file', +noextrawhitespace=False, ), ) -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 834 Hide the HBAC access type attribute now that deny is deprecated.
Martin Kosek wrote: On Tue, 2011-07-19 at 20:49 -0400, Rob Crittenden wrote: Hide the HBAC access type attribute now that deny is deprecated. It won't appear in the UI/CLI but is still available via XML-RPC. allow is the default and deny will be rejected. This is not tested in the UI. I'm not sure if this is due to a problem in my tree or something else. https://fedorahosted.org/freeipa/ticket/1495 rob ACK for the CLI part, tests are clean. I checked WebUI, HBAC rules seem to be broken here. With or without your patch. I see a list of rules, the type column is still here. That's OK, there is already a ticket for this task - 1497. However, when I select a HBAC rule to modify it, its data are not filled at all to the edit fields. I will fill a ticket for this bug. Martin pushed to master and ipa-2-0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 066 Remove wrong kpasswd sysconfig
Jan Cholasta wrote: On 20.7.2011 17:09, Jakub Hrozek wrote: I noticed that the file kpasswd init script reads is called "/etc/sysconfig/ipa-kpasswd" but krbinstance.py saved and wrote into "/etc/sysconfig/ipa_kpasswd". I removed the linkes rather than fixing them for two reasons: 1) /var/kerberos/krb5kdc/kpasswd.keytab is the default 2) it probably wouldn't have worked anyway because the ktname must be prefixed with "FILE:". ACK Honza pushed to master and ipa-2-0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 31/31] Ticket 1485 - DN pairwise grouping
John Dennis wrote: On 07/21/2011 08:27 AM, Martin Kosek wrote: On Wed, 2011-07-20 at 19:59 -0400, John Dennis wrote: The pairwise grouping used to form RDN's and AVA's proved to be confusing in practice, this patch removes that functionality thus requiring programmers to explicitly pair attr,value using a tuple or list. In addition it was discovered additional functionality was needed to support some DN operations in freeipa. DN objects now support startswith(), endswith() and the "in" membership test. These functions and operators will accept either a DN or RDN. The unittest was modified to remove the pairwise tests and add new explicit tests. The unittest was augmented to test the new functionality. In addition the unittest was cleaned up a bit to use common utilty functions for improved readabilty and robustness. The documentation was updated. The patch looks good to me. The removed form of creating DN's was indeed confusing. I went through current uses of DN class, I didn't find any using the removed form. DN tests also passes correctly. Martin Actually one of the tests was failing due to the removed form, not sure how I missed it (or how you missed it either). But in any case it's a one line fix test_role_plugin.py, I've rebased the patch to include that and attached it. Whoever commits please use this version with the test_role_plugin. Also, the patch comments failed to mention even though we had a unittest for dn.py, test/test_ipalib/test_dn.py it was not getting called by run-tests because it had the execute permission bit set, the patch fixes that so the unittest gets run by make-test. pushed to master and ipa-2-0. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Adding message summary while adding and deleting automount location.
Martin Kosek wrote: On Thu, 2011-07-21 at 18:52 +0530, Gowrishankar Rajaiyan wrote: Hi All, This patch fixes - https://fedorahosted.org/freeipa/ticket/1510 - https://fedorahosted.org/freeipa/ticket/1509 QEs sending patches for the bugs they found - good job there. I went one step further and updated all automount summary messages so that we are consistent on the plugin. The proposed patch is attached, tests are clean. Martin ack, pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] Proposal for Auto Membership plugin
To summarize, I think this is how we will proceed. Create a new plugin, automember, based heavily on the work already done. The container_dn will be cn=automember,cn=etc. If automembership is preferred I can be flexible but using the same name everywhere makes things easy to follow. The DN will be of the form: cn=,cn=,, The pre-defined automembership types (as defined by the type enumerator) will be group and hostgroup. The current LDIF will need to drop the plurality (to become cn=group,cn=automember,cn=etc,$SUFFIX) type is required for all commands. The available commands will be: automember-add Add an automember rule --type=ENUM (hostgroup, group) --desc=STRdescription of this auto membership rule --inclusive-regex=LISTInclusive Regex --exclusive-regex=LISTExclusive Regex automember-add-condition Add conditions to automember rule --type=ENUM (hostgroup, group) --inclusive-regex=LISTInclusive Regex --exclusive-regex=LISTExclusive Regex automember-del Delete an automember rule --type=ENUM (hostgroup, group) automember-find Search for automember rules --type=ENUM (hostgroup, group) automember-mod Modify an automember rule. --type=ENUM (hostgroup, group) --desc=STR NOTE: you cannot manage inclusive or exclusive conditions via the mod command, the helpers need to be used. automember-remove-condition Remove conditions from an automember rule --type=ENUM (hostgroup, group) --inclusive-regex=LISTInclusive Regex --exclusive-regex=LISTExclusive Regex automember-show Display an automember rule --type=ENUM (hostgroup, group) automember-default-group Set a default group for auto membership --type=ENUM (hostgroup, group) --name=STR Name of entity to put entries that don't match The current patch is really not very far off of this. Off the top of my head this is how I'd go about it: - freeipa.spec needs to have a Requires on 1.2.9, not a BuildRequires (though it doesn't hurt for them to be the same) - automembership.ldif, change the container and cns - constants.py, change the container - copy the clarity code from hostgroup.py to automember.py and rename everything - add flags=[no_update, no_create] to automemberinclusiveregex and automemberexclusiveregex. - replace group_dn() with a function dn_exists(). Use the type objects get_dn() to construct a dn and call ldap.get_entry() on it. Something like: class automember(LDAPObject): def dn_exists(type, groupname): ldap = self.api.Backend.ldap2 dn = self.api.Object[type].get_dn(groupname) try: (gdn, entry_attrs) = ldap.get_entry(dn, []) except errors.NotFound: self.obj.handle_not_found(groupname) return gdn - Use symbol names instead of a typle of attr names - Do some sort of validation on the regex. I'm not sure if the python re engine will match the 389-ds one but we should be able to do some sanity checks, like making sure the regex doesn't start with attr = ... - The setting of entry_attrs now looks something like: entry_attrs[attr] = ['fqdn=' + condition ... Since this will be generic it will need to look like: entry_attrs[attr] = ['%s' % self.api.Object[type].primary_key.name + condition ... - tests will need to be updated. I think that using the newer test format such as in test_user_plugin.py is easier to create and manage in the long-run and covers more ground that the older method. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 31/31] Ticket 1485 - DN pairwise grouping
On 07/21/2011 08:27 AM, Martin Kosek wrote: On Wed, 2011-07-20 at 19:59 -0400, John Dennis wrote: The pairwise grouping used to form RDN's and AVA's proved to be confusing in practice, this patch removes that functionality thus requiring programmers to explicitly pair attr,value using a tuple or list. In addition it was discovered additional functionality was needed to support some DN operations in freeipa. DN objects now support startswith(), endswith() and the "in" membership test. These functions and operators will accept either a DN or RDN. The unittest was modified to remove the pairwise tests and add new explicit tests. The unittest was augmented to test the new functionality. In addition the unittest was cleaned up a bit to use common utilty functions for improved readabilty and robustness. The documentation was updated. The patch looks good to me. The removed form of creating DN's was indeed confusing. I went through current uses of DN class, I didn't find any using the removed form. DN tests also passes correctly. Martin Actually one of the tests was failing due to the removed form, not sure how I missed it (or how you missed it either). But in any case it's a one line fix test_role_plugin.py, I've rebased the patch to include that and attached it. Whoever commits please use this version with the test_role_plugin. Also, the patch comments failed to mention even though we had a unittest for dn.py, test/test_ipalib/test_dn.py it was not getting called by run-tests because it had the execute permission bit set, the patch fixes that so the unittest gets run by make-test. -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ >From aca9f730ece272c7f62eedc0931552241e4ff3bf Mon Sep 17 00:00:00 2001 From: John Dennis Date: Wed, 20 Jul 2011 19:39:05 -0400 Subject: [PATCH 31/31] Ticket 1485 - DN pairwise grouping Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit The pairwise grouping used to form RDN's and AVA's proved to be confusing in practice, this patch removes that functionality thus requiring programmers to explicitly pair attr,value using a tuple or list. In addition it was discovered additional functionality was needed to support some DN operations in freeipa. DN objects now support startswith(), endswith() and the "in" membership test. These functions and operators will accept either a DN or RDN. The unittest was modified to remove the pairwise tests and add new explicit tests. The unittest was augmented to test the new functionality. In addition the unittest was cleaned up a bit to use common utilty functions for improved readabilty and robustness. The documentation was updated. fix test_role_plugin use of DN to avoid pairwise grouping --- ipalib/dn.py | 434 + tests/test_ipalib/test_dn.py | 184 +- tests/test_xmlrpc/test_role_plugin.py |2 +- 3 files changed, 398 insertions(+), 222 deletions(-) mode change 100755 => 100644 tests/test_ipalib/test_dn.py diff --git a/ipalib/dn.py b/ipalib/dn.py index 89248ca..47c6619 100644 --- a/ipalib/dn.py +++ b/ipalib/dn.py @@ -20,6 +20,7 @@ from ldap.dn import str2dn, dn2str from ldap import DECODING_ERROR from copy import deepcopy +import sys __all__ = ['AVA', 'RDN', 'DN'] @@ -104,10 +105,10 @@ Or compare a value returned by an LDAP query to a known value: if value == 'Bob' -All of these simple coding assumptions are WRONG and will FAIL when -a DN is not one of the simple DN's which are probably the 95% of all -DN's. This is what makes DN handling pernicious. What works in 95% of -the cases and is simple, fails for the 5% of DN's which are not +All of these simple coding assumptions are WRONG and will FAIL when a +DN is not one of the simple DN's (simple DN's are probably the 95% of +all DN's). This is what makes DN handling pernicious. What works in +95% of the cases and is simple, fails for the 5% of DN's which are not simple. Examples of where the simple assumptions fail are: @@ -127,13 +128,13 @@ Examples of where the simple assumptions fail are: To complicate matters a bit more the RFC for the string representation of DN's (RFC 4514) permits a variety of different syntax's each of which can evaluate to exactly the same DN but have different string -representations. For example, the attr "R,W" which contains a reserved +representations. For example, the attr "r,w" which contains a reserved character (the comma) can be encoded as a string in these different ways: -'R\,W' # backslash escape -'R\2cW' # hexadecimal ascii escape -'#522C57' # binary encoded +'r\,w' # backslash escape +'r\2cw' # hexadecimal ascii escape +'#722C77' # binary encoded It should be clear a DN string may NOT be a simple string, rather a DN string is ENCODED. For simple strings the encoding of the DN is @@ -143,10 +144,10 @@ encodings). The openlda
Re: [Freeipa-devel] [PATCH] 33 Fix ipa-compat-manage
On Thu, 2011-07-21 at 16:54 +0200, Jan Cholasta wrote: > Make ipa-compat-manage work again after the changes to ipa-nis-manage > I've done in patch 32. > > (this also fixes https://fedorahosted.org/freeipa/ticket/1147) > > Honza Works fine. But I have few minor issues: 1) No action is printed when compat plugin is being disabled (as it is with enable action): # ipa-compat-manage disable Directory Manager password: This setting will not take effect until you restart Directory Server. 2) A big end line whitespace on line 77 of the patch Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin
On Jul 21, 2011, at 7:31 AM, Rob Crittenden wrote: > Martin Kosek wrote: >> On Thu, 2011-07-21 at 03:37 +, JR Aquino wrote: > Rob, I'm afraid I believe that ldap lookup is necessary. The user inputs > a standard string to represent the possible host group… If i simply > perform a get_dn it will indeed provide a dn, however, it won't verify > that the host group actually exists… (you don't want to create an > assignment rule for a non existent target host group) > > > Martin, (except for the name Clarity), I have addressed your observations > in this latest patch. Could you please have a look and let me know if > there is anything else I need to take care of? > >> >> Great, preparing the command parameters in pre_callback is much cleaner. >> Good point about the LDAP lookup. This looks a lot better but there are still a few issues: If group_dn is in the object then you can use self.obj.handle_not_found(*keys) for the NotFound. >>> >>> Ok, I will give that a shot! >>> Or if it can't be moved, in the calls to group_dn() you can use the ldap handle passed into pre_callback. I guess you are using the includetype tuple to avoid coding long variable names everywhere? Would a symbol be better, eg: INCLUDE_RE = 'automemberinclusiveregex' EXCLUDE_RE = 'automemberexclusiveregex' >>> >>> That works, I'll swap em. >> >> I agree with Rob here, this will make the code better. >> >>> Is there a way to validate the regex? >>> >>> Now that you mention it, I believe if I import re, we should be able to >>> validate the initial regex and raise an exception if it is bogus. >>> If we were to add an equivalent user group handler would it be the same code in add_condition and remove_condition? It is sort of nice to have everything together at the moment, I suspect it will need to be generalized at some point. >>> >>> Well. For the groups, I was thinking it starts to get a little different. >>> I would still reuse the condition, but I believe I would pivot users into >>> groups based upon something like their manager? >>> Adding a clarity with no rules won't let you add rules: # ipa hostgroup-add --desc=hg1 hg1 # ipa hostgroupclarity-add hg1 # ipa hostgroupclarity-add-condition --exclusive-hostname-regex=^web5\.example\.com hg1 ipa: ERROR: no modifications to be performed >>> >>> This ^ is deliberate, you cannot add an exclusion rule if there is no >>> existing or simultaneous inclusive rule. :) Martin asked for that, and I >>> think its wise. >> >> Yes, it is wise :-) But the error message is really not clear to the >> user. We should tell him that there must be at least one inclusive rule. >> >> I wonder if we shouldn't force user to create a hostgroupclarity object >> with at least one inclusive rule and than make sure that in all >> operations at least one inclusive rule stays here. Or we could delete >> the empty LDAP object after the last inclusive rule is removed, as we do >> with DNS record LDAP objects in dnsrecord-del. >> The way you explained clarity today in IRC, how it brings clarity to managing membership with names no human can grok, I got it. Still, clarity is a bit awkward as a name. automember might be a better choice. >>> >>> Fair enough ;) I tried, perhaps I can /allude/ to it in the help / docs. >>> automember it is. >>> >>> One final class I have been struggling with that I want to add… >>> >>> The object and attribute which defines the 'default group' is the parent of >>> the actual rules… i.e. cn=hostgroup,cn=automember,cn=etc… >>> >>> The ipa cli seems to only want to let me make mods that assume I am >>> specifying a target object on the cli… "ipa >>> hostgroupautomember-default-group=foo"<- in this scenario, we >>> don't actually want or need a rule name because its the container above… I >>> have had success making the writes, but the cli syntax just doesn't lend >>> itself to that level of abstraction… >>> >>> Any suggestions? >>> >>> >> >> I think the best shot would be to create a new command and overload the >> execute method in that case. Like in hbacrule_enable. You would be able >> to set dn correctly here and do the update. Does it makes sense? Rob? >> >> Martin >> > > I agree. We are better off abstracting things now so we can get the API right. > > I think we can stick more or less with the command names, just in a new > plugin and some new arguments. > > I see the plugin with the following methods: > > Each takes a single argument, the name of the rule. I don't think I'd stick > type into the DN so you wouldn't be able to use the same rule name for > different object types. If we want to allow that then we'd need to add --type > to a lot more commands. > > There is no mod to change types, you have to delete and re-a
Re: [Freeipa-devel] [PATCH] 215 Removed HBAC access time code.
On 07/21/2011 10:34 AM, Endi Sukma Dewata wrote: The HBAC access time is currently not supported, so the related UI code has been removed to reduce maintenance issue. When the feature becomes supported in the future the code may be restored/rewritten. Ticket #546 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ACK ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 215 Removed HBAC access time code.
On 07/21/2011 10:34 AM, Endi Sukma Dewata wrote: The HBAC access time is currently not supported, so the related UI code has been removed to reduce maintenance issue. When the feature becomes supported in the future the code may be restored/rewritten. Ticket #546 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 216 Removed custom layouts using HTML templates.
On 07/21/2011 10:42 AM, Endi Sukma Dewata wrote: The code for supporting custom layouts using HTML templates has been removed. If it's needed again in the future the code can be restored. Ticket #1501 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin
On Thu, 2011-07-21 at 10:31 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > On Thu, 2011-07-21 at 03:37 +, JR Aquino wrote: > Rob, I'm afraid I believe that ldap lookup is necessary. The user inputs > a standard string to represent the possible host group… If i simply > perform a get_dn it will indeed provide a dn, however, it won't verify > that the host group actually exists… (you don't want to create an > assignment rule for a non existent target host group) > > > Martin, (except for the name Clarity), I have addressed your > observations in this latest patch. Could you please have a look and let > me know if there is anything else I need to take care of? > > > > > Great, preparing the command parameters in pre_callback is much cleaner. > > > >>> > >>> Good point about the LDAP lookup. > >>> > >>> This looks a lot better but there are still a few issues: > >>> > >>> If group_dn is in the object then you can use > >>> self.obj.handle_not_found(*keys) for the NotFound. > >> > >> Ok, I will give that a shot! > >> > >>> > >>> Or if it can't be moved, in the calls to group_dn() you can use the ldap > >>> handle passed into pre_callback. > >>> > >>> I guess you are using the includetype tuple to avoid coding long variable > >>> names everywhere? Would a symbol be better, eg: > >>> > >>> INCLUDE_RE = 'automemberinclusiveregex' > >>> EXCLUDE_RE = 'automemberexclusiveregex' > >> > >> That works, I'll swap em. > > > > I agree with Rob here, this will make the code better. > > > >> > >>> Is there a way to validate the regex? > >> > >> Now that you mention it, I believe if I import re, we should be able to > >> validate the initial regex and raise an exception if it is bogus. > >> > >>> If we were to add an equivalent user group handler would it be the same > >>> code in add_condition and remove_condition? It is sort of nice to have > >>> everything together at the moment, I suspect it will need to be > >>> generalized at some point. > >> > >> Well. For the groups, I was thinking it starts to get a little different. > >> I would still reuse the condition, but I believe I would pivot users into > >> groups based upon something like their manager? > >> > >>> Adding a clarity with no rules won't let you add rules: > >>> > >>> # ipa hostgroup-add --desc=hg1 hg1 > >>> # ipa hostgroupclarity-add hg1 > >>> # ipa hostgroupclarity-add-condition > >>> --exclusive-hostname-regex=^web5\.example\.com hg1 > >>> ipa: ERROR: no modifications to be performed > >> > >> This ^ is deliberate, you cannot add an exclusion rule if there is no > >> existing or simultaneous inclusive rule. :) Martin asked for that, and I > >> think its wise. > > > > Yes, it is wise :-) But the error message is really not clear to the > > user. We should tell him that there must be at least one inclusive rule. > > > > I wonder if we shouldn't force user to create a hostgroupclarity object > > with at least one inclusive rule and than make sure that in all > > operations at least one inclusive rule stays here. Or we could delete > > the empty LDAP object after the last inclusive rule is removed, as we do > > with DNS record LDAP objects in dnsrecord-del. > > > >>> The way you explained clarity today in IRC, how it brings clarity to > >>> managing membership with names no human can grok, I got it. Still, > >>> clarity is a bit awkward as a name. automember might be a better choice. > >> > >> Fair enough ;) I tried, perhaps I can /allude/ to it in the help / docs. > >> automember it is. > >> > >> One final class I have been struggling with that I want to add… > >> > >> The object and attribute which defines the 'default group' is the parent > >> of the actual rules… i.e. cn=hostgroup,cn=automember,cn=etc… > >> > >> The ipa cli seems to only want to let me make mods that assume I am > >> specifying a target object on the cli… "ipa > >> hostgroupautomember-default-group=foo"<- in this scenario, we > >> don't actually want or need a rule name because its the container above… > >> I have had success making the writes, but the cli syntax just doesn't lend > >> itself to that level of abstraction… > >> > >> Any suggestions? > >> > >> > > > > I think the best shot would be to create a new command and overload the > > execute method in that case. Like in hbacrule_enable. You would be able > > to set dn correctly here and do the update. Does it makes sense? Rob? > > > > Martin > > > > I agree. We are better off abstracting things now so we can get the API > right. > > I think we can stick more or less with the command names, just in a new > plugin and some new arguments. Yes, this will make more flexible API for the future. We will be able to implement new membership types easily if we want to. > > I see the plugin with the following methods: > > Each takes a single argument, the name of the rule. I don't think I'd > stick type into the DN so you wouldn't be able
Re: [Freeipa-devel] [PATCH] 214 Fixed problem loading data in HBAC/sudo details page.
On 7/21/2011 10:25 AM, Adam Young wrote: On 07/21/2011 10:27 AM, Endi Sukma Dewata wrote: On 7/21/2011 9:23 AM, Endi Sukma Dewata wrote: In a recent change the details page was changed to create and locate field containers with 'details-field' CSS class. The HBAC and sudo custom details pages have been modified to use the same CSS class. Ticket #1508 Patch attached. ACK Pushed to master. -- Endi S. Dewata ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 213 Removed entitlement registration UUID field.
On 7/21/2011 10:23 AM, Adam Young wrote: On 07/21/2011 10:59 AM, Endi Sukma Dewata wrote: On 7/21/2011 9:47 AM, Adam Young wrote: Close to ACK, but: Either remove all of the references to the field, or comment them out. Suggest going the commented out route. Also, leave the commas inside the commented out code, so that you can just remove the comment and the code will be valid, even if it needs to be reformatted. New patch attached. ACK Pushed to master. -- Endi S. Dewata ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 214 Fixed problem loading data in HBAC/sudo details page.
On 07/21/2011 10:27 AM, Endi Sukma Dewata wrote: On 7/21/2011 9:23 AM, Endi Sukma Dewata wrote: In a recent change the details page was changed to create and locate field containers with 'details-field' CSS class. The HBAC and sudo custom details pages have been modified to use the same CSS class. Ticket #1508 Patch attached. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ACK ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 213 Removed entitlement registration UUID field.
On 07/21/2011 10:59 AM, Endi Sukma Dewata wrote: On 7/21/2011 9:47 AM, Adam Young wrote: Close to ACK, but: Either remove all of the references to the field, or comment them out. Suggest going the commented out route. Also, leave the commas inside the commented out code, so that you can just remove the comment and the code will be valid, even if it needs to be reformatted. New patch attached. ACK ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 213 Removed entitlement registration UUID field.
On 7/21/2011 9:47 AM, Adam Young wrote: Close to ACK, but: Either remove all of the references to the field, or comment them out. Suggest going the commented out route. Also, leave the commas inside the commented out code, so that you can just remove the comment and the code will be valid, even if it needs to be reformatted. New patch attached. -- Endi S. Dewata From 25f11e843535eb3f4162e4abf80d7f80ff930c1d Mon Sep 17 00:00:00 2001 From: Endi S. Dewata Date: Wed, 20 Jul 2011 22:31:37 -0500 Subject: [PATCH] Removed entitlement registration UUID field. The UUID field has been removed from the entitlement registration dialog box because it's currently not supported. The code has been modified not to send empty UUID value should this become supported in the future. Ticket #1506 --- install/ui/entitle.js | 13 + 1 files changed, 9 insertions(+), 4 deletions(-) diff --git a/install/ui/entitle.js b/install/ui/entitle.js index b3b09e562f078be33e8a4a0913bc8d1f4b8cfdcd..bbcf2395c5e5901c3311678e0fd66e18b4cb10da 100644 --- a/install/ui/entitle.js +++ b/install/ui/entitle.js @@ -131,12 +131,14 @@ IPA.entity_factories.entitle = function() { label: IPA.get_method_option('entitle_register', 'password').label, type: 'password', undo: false -}, -{ +} +/* currently not supported +, { name: 'ipaentitlementid', label: IPA.get_method_option('entitle_register', 'ipaentitlementid').label, undo: false } +*/ ] }). dialog({ @@ -254,8 +256,7 @@ IPA.entitle.entity = function(spec) { method: 'register', args: [ username ], options: { -password: password, -ipaentitlementid: ipaentitlementid +password: password }, on_success: function(data, text_status, xhr) { that.status = IPA.entitle.online; @@ -266,6 +267,10 @@ IPA.entitle.entity = function(spec) { on_error: on_error }); +if (ipaentitlementid) { +command.set_option('ipaentitlementid', ipaentitlementid); +} + command.execute(); }; -- 1.7.5.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 33 Fix ipa-compat-manage
Make ipa-compat-manage work again after the changes to ipa-nis-manage I've done in patch 32. (this also fixes https://fedorahosted.org/freeipa/ticket/1147) Honza -- Jan Cholasta >From 007a87ca336a6d8cfcf032724f1ab9dda286964e Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Thu, 21 Jul 2011 16:00:27 +0200 Subject: [PATCH] Fix ipa-compat-manage not working after recent ipa-nis-manage change. ticket 1147 --- install/tools/ipa-compat-manage | 106 --- install/tools/ipa-nis-manage|2 +- 2 files changed, 66 insertions(+), 42 deletions(-) diff --git a/install/tools/ipa-compat-manage b/install/tools/ipa-compat-manage index 1203b00..a176bb5 100755 --- a/install/tools/ipa-compat-manage +++ b/install/tools/ipa-compat-manage @@ -37,7 +37,8 @@ error was: """ % sys.exc_value sys.exit(1) -netgroup_compat_dn = "cn=ng,cn=Schema Compatibility,cn=plugins,cn=config" +compat_dn = "cn=Schema Compatibility,cn=plugins,cn=config" +nis_config_dn = "cn=NIS Server,cn=plugins,cn=config" def parse_options(): usage = "%prog [options] \n" @@ -64,6 +65,18 @@ def get_dirman_password(): return password +def get_entry(dn, conn): +""" +Return the entry for the given DN. If the entry is not found return +None. +""" +entry = None +try: +(dn, entry) = conn.get_entry(dn, normalize=False) +except errors.NotFound: +pass +return entry + def main(): retval = 0 loglevel = logging.ERROR @@ -104,68 +117,79 @@ def main(): sys.exit("Authentication failed: %s" % e.info) if args[0] == "status": +entry = None try: -conn.get_entry('cn=Schema Compatibility,cn=plugins,cn=config', normalize=False) -print "Plugin Enabled" -except errors.NotFound: -print "Plugin Disabled" +entry = get_entry(compat_dn, conn) +if entry is not None and entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'on': +print "Plugin Enabled" +else: +print "Plugin Disabled" except errors.LDAPError, lde: print "An error occurred while talking to the server." print lde -return 0 if args[0] == "enable": +entry = None try: -conn.get_entry('cn=Schema Compatibility,cn=plugins,cn=config', normalize=False) -print "Plugin already Enabled" -retval = 2 -except errors.NotFound: -print "Enabling plugin" +entry = get_entry(compat_dn, conn) +if entry is not None and entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'on': +print "Plugin already Enabled" +retval = 2 +else: +print "Enabling plugin" + +if entry is None: +ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}) +if not ld.update(files): +print "Updating Directory Server failed." +retval = 1 +else: +mod = {'nsslapd-pluginenabled': 'on'} +conn.update_entry(compat_dn, mod, normalize=False) except errors.ExecutionError, lde: print "An error occurred while talking to the server." print lde retval = 1 -if retval == 0: -ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}) -rv = ld.update(files) -if rv: -print "This setting will not take effect until you restart Directory Server." -else: -print "Updating Directory Server failed." -retval = 1 - elif args[0] == "disable": -# We can't disable schema compat if the NIS plugin is enabled -try: -conn.get_entry(netgroup_compat_dn, normalize=False) -print >>sys.stderr, "The NIS plugin is configured, cannot disable compatibility." -print >>sys.stderr, "Run 'ipa-nis-manage disable' first." -sys.exit(2) -except errors.NotFound: -pass -# Make a quick hack for now, directly delete the entries by name, -# In future we should add delete capabilites to LDAPUpdate +entry = None try: -conn.delete_entry('cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config', normalize=False) -conn.delete_entry('cn=groups,cn=Schema Compatibility,cn=plugins,cn=config', normalize=False) -conn.delete_entry('cn=users,cn=Schema Compatibility,cn=plugins,cn=config', normalize=False) -conn.d
Re: [Freeipa-devel] [PATCH] Adding message summary while adding and deleting automount location.
On Thu, 2011-07-21 at 18:52 +0530, Gowrishankar Rajaiyan wrote: > Hi All, > > This patch fixes > - https://fedorahosted.org/freeipa/ticket/1510 > - https://fedorahosted.org/freeipa/ticket/1509 QEs sending patches for the bugs they found - good job there. I went one step further and updated all automount summary messages so that we are consistent on the plugin. The proposed patch is attached, tests are clean. Martin >From d26c03f6a5f16ebb34738f6c4279364e825e900a Mon Sep 17 00:00:00 2001 From: Martin Kosek Date: Thu, 21 Jul 2011 16:49:35 +0200 Subject: [PATCH] Add missing automount summaries https://fedorahosted.org/freeipa/ticket/1509 https://fedorahosted.org/freeipa/ticket/1510 --- ipalib/plugins/automount.py | 40 1 files changed, 40 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/automount.py b/ipalib/plugins/automount.py index ce30be7ec090709d04ec4133196cd42c54441c7b..d692b2c866f787f46623abb01dad87e560a9c797 100644 --- a/ipalib/plugins/automount.py +++ b/ipalib/plugins/automount.py @@ -206,6 +206,9 @@ class automountlocation_add(LDAPCreate): """ Create a new automount location. """ + +msg_summary = _('Added automount location "%(value)s"') + def post_callback(self, ldap, dn, entry_attrs, *keys, **options): # create auto.master for the new location self.api.Command['automountmap_add'](keys[-1], u'auto.master') @@ -214,6 +217,7 @@ class automountlocation_add(LDAPCreate): ) return dn + api.register(automountlocation_add) @@ -222,6 +226,8 @@ class automountlocation_del(LDAPDelete): Delete an automount location. """ +msg_summary = _('Deleted automount location "%(value)s"') + api.register(automountlocation_del) @@ -238,6 +244,11 @@ class automountlocation_find(LDAPSearch): Search for an automount location. """ +msg_summary = ngettext( +'%(count)d automount location matched', +'%(count)d automount locations matched', 0 +) + api.register(automountlocation_find) @@ -523,6 +534,8 @@ class automountmap_add(LDAPCreate): Create a new automount map. """ +msg_summary = _('Added automount map "%(value)s"') + api.register(automountmap_add) @@ -530,6 +543,9 @@ class automountmap_del(LDAPDelete): """ Delete an automount map. """ + +msg_summary = _('Deleted automount map "%(value)s"') + def post_callback(self, ldap, dn, *keys, **options): # delete optional parental connection (direct maps may not have this) try: @@ -550,6 +566,8 @@ class automountmap_mod(LDAPUpdate): Modify an automount map. """ +msg_summary = _('Modified automount map "%(value)s"') + api.register(automountmap_mod) @@ -558,6 +576,11 @@ class automountmap_find(LDAPSearch): Search for an automount map. """ +msg_summary = ngettext( +'%(count)d automount map matched', +'%(count)d automount maps matched', 0 +) + api.register(automountmap_find) @@ -719,6 +742,9 @@ class automountkey_add(LDAPCreate): """ Create a new automount key. """ + +msg_summary = _('Added automount key "%(value)s"') + def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): self.obj.check_key_uniqueness(keys[-2], keys[-1], **options) return dn @@ -744,6 +770,9 @@ class automountmap_add_indirect(LDAPCreate): """ Create a new indirect mount point. """ + +msg_summary = _('Added automount indirect map "%(value)s"') + takes_options = LDAPCreate.takes_options + ( Str('key', cli_name='mount', @@ -774,6 +803,9 @@ class automountkey_del(LDAPDelete): """ Delete an automount key. """ + +msg_summary = _('Deleted automount key "%(value)s"') + takes_options = LDAPDelete.takes_options + ( IA5Str('automountkey', cli_name='key', @@ -805,6 +837,9 @@ class automountkey_mod(LDAPUpdate): """ Modify an automount key. """ + +msg_summary = _('Modified automount key "%(value)s"') + takes_options = LDAPUpdate.takes_options + ( IA5Str('newautomountinformation', cli_name='newinfo', @@ -839,6 +874,11 @@ class automountkey_find(LDAPSearch): Search for an automount key. """ +msg_summary = ngettext( +'%(count)d automount key matched', +'%(count)d automount keys matched', 0 +) + api.register(automountkey_find) -- 1.7.6 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 213 Removed entitlement registration UUID field.
On 07/21/2011 12:13 AM, Endi Sukma Dewata wrote: The UUID field has been removed from the entitlement registration dialog box because it's currently not supported. The code has been modified not to send empty UUID value should this become supported in the future. Ticket #1506 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Close to ACK, but: Either remove all of the references to the field, or comment them out. Suggest going the commented out route. Also, leave the commas inside the commented out code, so that you can just remove the comment and the code will be valid, even if it needs to be reformatted. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 215 Removed HBAC access time code.
The HBAC access time is currently not supported, so the related UI code has been removed to reduce maintenance issue. When the feature becomes supported in the future the code may be restored/rewritten. Ticket #546 -- Endi S. Dewata From 4ae2161ee45bc1749deccb13f0eedb1fb40a32cd Mon Sep 17 00:00:00 2001 From: Endi S. Dewata Date: Thu, 21 Jul 2011 02:23:29 -0500 Subject: [PATCH] Removed HBAC access time code. The HBAC access time is currently not supported, so the related UI code has been removed to reduce maintenance issue. When the feature becomes supported in the future the code may be restored/rewritten. Ticket #546 --- install/ui/hbac.js | 344 1 files changed, 0 insertions(+), 344 deletions(-) diff --git a/install/ui/hbac.js b/install/ui/hbac.js index 387c03cee0f76933f307a8a92130a4022a327e8e..1e2cefb8d73e9db5262cd1065d6695c7b6bab5d8 100644 --- a/install/ui/hbac.js +++ b/install/ui/hbac.js @@ -358,16 +358,6 @@ IPA.hbacrule_details_facet = function(spec) { }) }; -var remove_accesstime = { -'template': IPA.command({ -entity: that.entity_name, -method: 'remove_accesstime', -args: [pkey], -options: {all: true, rights: true} -}), -'commands': [] -}; - var categories = { 'usercategory': { 'remove_values': false @@ -476,17 +466,6 @@ IPA.hbacrule_details_facet = function(spec) { continue; } -if (field.name == 'accesstime') { -// if accesstime is dirty, it means 'Any Time' is selected, -// so existing values have to be removed -for (var k=0; k', { 'name': 'text' }).appendTo(container); - -span.append(that.text); - -for (var i=0; i', { -'type': 'radio', -'name': that.name, -'value': option.value -}).appendTo(container); - -container.append(' '); - -container.append(option.label); - -container.append(' '); -} - -that.create_undo(container); - -container.append(''); - -span = $('', { -name: 'table', -'class': 'details-field' -}).appendTo(container); - -that.table.create(span); - -var buttons = $('span[name=buttons]', span); - -$('', { -'type': 'button', -'name': 'remove', -'value': IPA.messages.buttons.remove -}).appendTo(buttons); - -$('', { -'type': 'button', -'name': 'add', -'value': IPA.messages.buttons.add -}).appendTo(buttons); -}; - -that.setup = function(container) { - -that.widget_setup(container); - -var span = $('.details-field[name="table"]', that.container); -that.table.setup(span); - -var button = $('input[name=remove]', span); -button.replaceWith(IPA.button({ -name: 'remove', -'label': button.val(), -'icon': 'remove-icon', -'click': function() { that.remove(that.container); } -})); - -button = $('input[name=add]', span); -button.replaceWith(IPA.button({ -name: 'add', -'label': button.val(), -'icon': 'add-icon', -'click': function() { that.add(that.container); } -})); - -var input = $('input[name="'+that.name+'"]', that.container); -input.change(function() { -that.set_dirty(true); -}); - -var undo = that.get_undo(); -undo.click(function() { -that.reset(); -}); -}; - -that.save = function() { -var value = $('input[name="'+that.name+'"]:checked', that.container).val(); -if (value === '') { -return that.table.save(); -} else { -return []; -} -}; - -that.load = function(record) { - -that.values = record[that.name] || []; -that.reset(); -}; - -that.update = function() { - -that.set_category(that.container, that.values && that.values.length ? '' : 'all'); - -that.table.tbody.empty(); -for (var i=0; that.values && i').appendTo(dialog.container); - -var tr = $('').appendTo(table); - -var td = $('', { -'style': 'vertical-align: top;' -}).appendTo(tr); -td.append(that.label+': '); - -td = $('').appendTo(tr); - -var span = $('', { 'name': that.name }).appendTo(td); - -$('', { -'type': 'text', -'name': that.name, -'size': 40 -}).appendTo(span); - -tr = $('').appendTo(table); - -td = $('', { -'style': 'vertical-align
Re: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin
Martin Kosek wrote: On Thu, 2011-07-21 at 03:37 +, JR Aquino wrote: Rob, I'm afraid I believe that ldap lookup is necessary. The user inputs a standard string to represent the possible host group… If i simply perform a get_dn it will indeed provide a dn, however, it won't verify that the host group actually exists… (you don't want to create an assignment rule for a non existent target host group) Martin, (except for the name Clarity), I have addressed your observations in this latest patch. Could you please have a look and let me know if there is anything else I need to take care of? Great, preparing the command parameters in pre_callback is much cleaner. Good point about the LDAP lookup. This looks a lot better but there are still a few issues: If group_dn is in the object then you can use self.obj.handle_not_found(*keys) for the NotFound. Ok, I will give that a shot! Or if it can't be moved, in the calls to group_dn() you can use the ldap handle passed into pre_callback. I guess you are using the includetype tuple to avoid coding long variable names everywhere? Would a symbol be better, eg: INCLUDE_RE = 'automemberinclusiveregex' EXCLUDE_RE = 'automemberexclusiveregex' That works, I'll swap em. I agree with Rob here, this will make the code better. Is there a way to validate the regex? Now that you mention it, I believe if I import re, we should be able to validate the initial regex and raise an exception if it is bogus. If we were to add an equivalent user group handler would it be the same code in add_condition and remove_condition? It is sort of nice to have everything together at the moment, I suspect it will need to be generalized at some point. Well. For the groups, I was thinking it starts to get a little different. I would still reuse the condition, but I believe I would pivot users into groups based upon something like their manager? Adding a clarity with no rules won't let you add rules: # ipa hostgroup-add --desc=hg1 hg1 # ipa hostgroupclarity-add hg1 # ipa hostgroupclarity-add-condition --exclusive-hostname-regex=^web5\.example\.com hg1 ipa: ERROR: no modifications to be performed This ^ is deliberate, you cannot add an exclusion rule if there is no existing or simultaneous inclusive rule. :) Martin asked for that, and I think its wise. Yes, it is wise :-) But the error message is really not clear to the user. We should tell him that there must be at least one inclusive rule. I wonder if we shouldn't force user to create a hostgroupclarity object with at least one inclusive rule and than make sure that in all operations at least one inclusive rule stays here. Or we could delete the empty LDAP object after the last inclusive rule is removed, as we do with DNS record LDAP objects in dnsrecord-del. The way you explained clarity today in IRC, how it brings clarity to managing membership with names no human can grok, I got it. Still, clarity is a bit awkward as a name. automember might be a better choice. Fair enough ;) I tried, perhaps I can /allude/ to it in the help / docs. automember it is. One final class I have been struggling with that I want to add… The object and attribute which defines the 'default group' is the parent of the actual rules… i.e. cn=hostgroup,cn=automember,cn=etc… The ipa cli seems to only want to let me make mods that assume I am specifying a target object on the cli… "ipa hostgroupautomember-default-group=foo"<- in this scenario, we don't actually want or need a rule name because its the container above… I have had success making the writes, but the cli syntax just doesn't lend itself to that level of abstraction… Any suggestions? I think the best shot would be to create a new command and overload the execute method in that case. Like in hbacrule_enable. You would be able to set dn correctly here and do the update. Does it makes sense? Rob? Martin I agree. We are better off abstracting things now so we can get the API right. I think we can stick more or less with the command names, just in a new plugin and some new arguments. I see the plugin with the following methods: Each takes a single argument, the name of the rule. I don't think I'd stick type into the DN so you wouldn't be able to use the same rule name for different object types. If we want to allow that then we'd need to add --type to a lot more commands. There is no mod to change types, you have to delete and re-add. automember-add Add an automember rule --type=ENUM (hostgroup, group) --desc=STRdescription of this auto membership rule --inclusive-regex=LISTInclusive Regex --exclusive-regex=LISTExclusive Regex automember-add-condition Add conditions to automember rule --inclusive-regex=LISTInclusive Regex --exclusive-regex=LISTExclusive Regex automember-del Delete an automember rule automember-
Re: [Freeipa-devel] [PATCH] 214 Fixed problem loading data in HBAC/sudo details page.
On 7/21/2011 9:23 AM, Endi Sukma Dewata wrote: In a recent change the details page was changed to create and locate field containers with 'details-field' CSS class. The HBAC and sudo custom details pages have been modified to use the same CSS class. Ticket #1508 Patch attached. -- Endi S. Dewata From 2e484044b0a281d7493f2545810f9a7b2579333a Mon Sep 17 00:00:00 2001 From: Endi S. Dewata Date: Thu, 21 Jul 2011 09:07:23 -0500 Subject: [PATCH] Fixed problem loading data in HBAC/sudo details page. In a recent change the details page was changed to create and locate field containers with 'details-field' CSS class. The HBAC and sudo custom details pages have been modified to use the same CSS class. Ticket #1508 --- install/ui/hbac.js | 27 +-- install/ui/rule.js |6 -- install/ui/sudo.js | 39 ++- 3 files changed, 51 insertions(+), 21 deletions(-) diff --git a/install/ui/hbac.js b/install/ui/hbac.js index d7c0b94622d678ca6315e8ebac04c5ce2aefc136..387c03cee0f76933f307a8a92130a4022a327e8e 100644 --- a/install/ui/hbac.js +++ b/install/ui/hbac.js @@ -578,7 +578,10 @@ IPA.hbacrule_details_general_section = function(spec) { td = $('').appendTo(tr); var field = that.get_field('cn'); -var span = $('', { 'name': 'cn' }).appendTo(td); +var span = $('', { +name: 'cn', +'class': 'details-field' +}).appendTo(td); $('', { name: 'cn', @@ -603,7 +606,10 @@ IPA.hbacrule_details_general_section = function(spec) { td.append(param_info.label+':'); field = that.get_field('accessruletype'); -span = $('', { 'name': 'accessruletype' }).appendTo(td); +span = $('', { +name: 'accessruletype', +'class': 'details-field' +}).appendTo(td); $('', { 'type': 'radio', @@ -645,7 +651,10 @@ IPA.hbacrule_details_general_section = function(spec) { }).appendTo(tr); field = that.get_field('description'); -span = $('', { 'name': 'description' }).appendTo(td); +span = $('', { +name: 'description', +'class': 'details-field' +}).appendTo(td); $('', { 'name': 'description', @@ -670,7 +679,10 @@ IPA.hbacrule_details_general_section = function(spec) { }).appendTo(tr); field = that.get_field('ipaenabledflag'); -span = $('', { 'name': 'ipaenabledflag' }).appendTo(td); +span = $('', { +name: 'ipaenabledflag', +'class': 'details-field' +}).appendTo(td); $('', { 'type': 'radio', @@ -757,7 +769,10 @@ IPA.hbacrule_accesstime_widget = function(spec) { container.append(''); -span = $('', { 'name': 'table' }).appendTo(container); +span = $('', { +name: 'table', +'class': 'details-field' +}).appendTo(container); that.table.create(span); @@ -780,7 +795,7 @@ IPA.hbacrule_accesstime_widget = function(spec) { that.widget_setup(container); -var span = $('span[name="table"]', that.container); +var span = $('.details-field[name="table"]', that.container); that.table.setup(span); var button = $('input[name=remove]', span); diff --git a/install/ui/rule.js b/install/ui/rule.js index 106b870bbc1767c685e6da158bc141b6f80a8a71..aec86574f023a7e49b8e997de2e46a40e9eaa08e 100644 --- a/install/ui/rule.js +++ b/install/ui/rule.js @@ -45,7 +45,8 @@ IPA.rule_details_section = function(spec) { var span = $('', { name: that.field_name, -title: param_info.doc +title: param_info.doc, +'class': 'details-field' }).appendTo(container); if (that.options.length) { @@ -77,7 +78,8 @@ IPA.rule_details_section = function(spec) { var table_span = $('', { name: table.field_name, -title: param_info ? param_info.doc : table.field_name +title: param_info ? param_info.doc : table.field_name, +'class': 'details-field' }).appendTo(span); field = that.get_field(table.field_name); diff --git a/install/ui/sudo.js b/install/ui/sudo.js index efa5a955ebc1ad9d2a69c7c4beb894ea19f0a75b..fecb0b070c3889470846d12080aca040df42ee08 100644 --- a/install/ui/sudo.js +++ b/install/ui/sudo.js @@ -787,7 +787,8 @@ IPA.sudo.rule_details_general_section = function(spec) { var span = $('', { name: 'cn', -title: param_info ? param_info.doc : 'cn' +title: param_info ? param_info.doc : 'cn', +'class': 'details-field' }).appendTo(td); $('', { @@ -821,7 +822,8 @@ IPA.sudo.rule_details_general_section = function(spec) { span = $('', { name: 'description', -title: param_info ? para
[Freeipa-devel] [PATCH] 214 Fixed problem loading data in HBAC/sudo details page.
In a recent change the details page was changed to create and locate field containers with 'details-field' CSS class. The HBAC and sudo custom details pages have been modified to use the same CSS class. Ticket #1508 -- Endi S. Dewata ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] Adding message summary while adding and deleting automount location.
Hi All, This patch fixes - https://fedorahosted.org/freeipa/ticket/1510 - https://fedorahosted.org/freeipa/ticket/1509 -- Regards, Shanks Looking to carve out IT costs? www.redhat.com/carveoutcosts/ >From 3c2c8c9bde1210c922f0d8814a684712f828949f Mon Sep 17 00:00:00 2001 From: Gowrishankar Rajaiyan Date: Thu, 21 Jul 2011 18:20:58 +0530 Subject: [PATCH] Adding message summary while adding and deleting automount location --- ipalib/plugins/automount.py |3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/automount.py b/ipalib/plugins/automount.py index ce30be7ec090709d04ec4133196cd42c54441c7b..077e1938b49827191e2ae0c541ca6569fa6dedc0 100644 --- a/ipalib/plugins/automount.py +++ b/ipalib/plugins/automount.py @@ -214,6 +214,8 @@ class automountlocation_add(LDAPCreate): ) return dn +msg_summary = _('Added automount location "%(value)s"') + api.register(automountlocation_add) @@ -221,6 +223,7 @@ class automountlocation_del(LDAPDelete): """ Delete an automount location. """ +msg_summary = _('Deleted automount location "%(value)s"') api.register(automountlocation_del) -- 1.7.6 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 067 Silence a compilation warning in ipa_kpasswd
On Thu, 2011-07-21 at 14:40 +0200, Jan Cholasta wrote: > On 20.7.2011 17:10, Jakub Hrozek wrote: > > I was playing with ipa_kpasswd (long story short - I needed it running > > on a non-standard port) and I noticed there was a compilation warning - > > rtag was set but never checked. > > > > Also removes one unused #define. > > > > Found just a minor issue: you use spaces for indentation, but the rest > of the file uses tabs. > > Honza > To put my 2 cents in - I don't like throwing the same error message in more places. When it really ends with this message we wouldn't know the exact spot with the error. IMO it would make the following investigation simpler if we fix this. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 067 Silence a compilation warning in ipa_kpasswd
On 20.7.2011 17:10, Jakub Hrozek wrote: I was playing with ipa_kpasswd (long story short - I needed it running on a non-standard port) and I noticed there was a compilation warning - rtag was set but never checked. Also removes one unused #define. Found just a minor issue: you use spaces for indentation, but the rest of the file uses tabs. Honza -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 31/31] Ticket 1485 - DN pairwise grouping
On Wed, 2011-07-20 at 19:59 -0400, John Dennis wrote: > The pairwise grouping used to form RDN's and AVA's proved to be > confusing in practice, this patch removes that functionality thus > requiring programmers to explicitly pair attr,value using a tuple or > list. > > In addition it was discovered additional functionality was needed to > support some DN operations in freeipa. DN objects now support > startswith(), endswith() and the "in" membership test. These functions > and operators will accept either a DN or RDN. > > The unittest was modified to remove the pairwise tests and add new > explicit tests. The unittest was augmented to test the new > functionality. In addition the unittest was cleaned up a bit to use > common utilty functions for improved readabilty and robustness. > > The documentation was updated. > The patch looks good to me. The removed form of creating DN's was indeed confusing. I went through current uses of DN class, I didn't find any using the removed form. DN tests also passes correctly. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 066 Remove wrong kpasswd sysconfig
On 20.7.2011 17:09, Jakub Hrozek wrote: I noticed that the file kpasswd init script reads is called "/etc/sysconfig/ipa-kpasswd" but krbinstance.py saved and wrote into "/etc/sysconfig/ipa_kpasswd". I removed the linkes rather than fixing them for two reasons: 1) /var/kerberos/krb5kdc/kpasswd.keytab is the default 2) it probably wouldn't have worked anyway because the ktname must be prefixed with "FILE:". ACK Honza -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 834 Hide the HBAC access type attribute now that deny is deprecated.
On Tue, 2011-07-19 at 20:49 -0400, Rob Crittenden wrote: > Hide the HBAC access type attribute now that deny is deprecated. > > It won't appear in the UI/CLI but is still available via XML-RPC. allow > is the default and deny will be rejected. > > This is not tested in the UI. I'm not sure if this is due to a problem > in my tree or something else. > > https://fedorahosted.org/freeipa/ticket/1495 > > rob ACK for the CLI part, tests are clean. I checked WebUI, HBAC rules seem to be broken here. With or without your patch. I see a list of rules, the type column is still here. That's OK, there is already a ticket for this task - 1497. However, when I select a HBAC rule to modify it, its data are not filled at all to the edit fields. I will fill a ticket for this bug. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin
On Thu, 2011-07-21 at 03:37 +, JR Aquino wrote: > >> Rob, I'm afraid I believe that ldap lookup is necessary. The user inputs a > >> standard string to represent the possible host group… If i simply perform > >> a get_dn it will indeed provide a dn, however, it won't verify that the > >> host group actually exists… (you don't want to create an assignment rule > >> for a non existent target host group) > >> > >> > >> Martin, (except for the name Clarity), I have addressed your observations > >> in this latest patch. Could you please have a look and let me know if > >> there is anything else I need to take care of? > >> Great, preparing the command parameters in pre_callback is much cleaner. > > > > Good point about the LDAP lookup. > > > > This looks a lot better but there are still a few issues: > > > > If group_dn is in the object then you can use > > self.obj.handle_not_found(*keys) for the NotFound. > > Ok, I will give that a shot! > > > > > Or if it can't be moved, in the calls to group_dn() you can use the ldap > > handle passed into pre_callback. > > > > I guess you are using the includetype tuple to avoid coding long variable > > names everywhere? Would a symbol be better, eg: > > > > INCLUDE_RE = 'automemberinclusiveregex' > > EXCLUDE_RE = 'automemberexclusiveregex' > > That works, I'll swap em. I agree with Rob here, this will make the code better. > > > Is there a way to validate the regex? > > Now that you mention it, I believe if I import re, we should be able to > validate the initial regex and raise an exception if it is bogus. > > > If we were to add an equivalent user group handler would it be the same > > code in add_condition and remove_condition? It is sort of nice to have > > everything together at the moment, I suspect it will need to be generalized > > at some point. > > Well. For the groups, I was thinking it starts to get a little different. I > would still reuse the condition, but I believe I would pivot users into > groups based upon something like their manager? > > > Adding a clarity with no rules won't let you add rules: > > > > # ipa hostgroup-add --desc=hg1 hg1 > > # ipa hostgroupclarity-add hg1 > > # ipa hostgroupclarity-add-condition > > --exclusive-hostname-regex=^web5\.example\.com hg1 > > ipa: ERROR: no modifications to be performed > > This ^ is deliberate, you cannot add an exclusion rule if there is no > existing or simultaneous inclusive rule. :) Martin asked for that, and I > think its wise. Yes, it is wise :-) But the error message is really not clear to the user. We should tell him that there must be at least one inclusive rule. I wonder if we shouldn't force user to create a hostgroupclarity object with at least one inclusive rule and than make sure that in all operations at least one inclusive rule stays here. Or we could delete the empty LDAP object after the last inclusive rule is removed, as we do with DNS record LDAP objects in dnsrecord-del. > > The way you explained clarity today in IRC, how it brings clarity to > > managing membership with names no human can grok, I got it. Still, clarity > > is a bit awkward as a name. automember might be a better choice. > > Fair enough ;) I tried, perhaps I can /allude/ to it in the help / docs. > automember it is. > > One final class I have been struggling with that I want to add… > > The object and attribute which defines the 'default group' is the parent of > the actual rules… i.e. cn=hostgroup,cn=automember,cn=etc… > > The ipa cli seems to only want to let me make mods that assume I am > specifying a target object on the cli… "ipa > hostgroupautomember-default-group=foo " <- in this scenario, we > don't actually want or need a rule name because its the container above… I > have had success making the writes, but the cli syntax just doesn't lend > itself to that level of abstraction… > > Any suggestions? > > I think the best shot would be to create a new command and overload the execute method in that case. Like in hbacrule_enable. You would be able to set dn correctly here and do the update. Does it makes sense? Rob? Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel