Re: [Freeipa-devel] [PATCH] 841 require pki-ca = 9.0.10
On 28.7.2011 20:31, Rob Crittenden wrote:
> The IPA server cert profile was updated in 9.0.10 to allow the server
> certs to act as clients. We need pki-ca 9.0.10 for this.
>
> rob

ACK.

Honza

-- 
Jan Cholasta
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0007 Add command to test HBAC rules
On 29.07.2011 07:41, Rob Crittenden wrote:
> Alexander Bokovoy wrote:
>> On 29.07.2011 06:38, Alexander Bokovoy wrote:
>>> Fixed that all and added unit test for non-existing rules. Modified
>>> description to be more detailed and added real examples.
>> Scratch previous version, while nicely renaming unit tests before commit
>> and after patch testing I didn't keep right order of cleanup and the
>> non-existing rule test. Fixed version.
>
> Nack, two very minor issues:
>
> ipalib/plugins/hbactest.py:126: [E0602] Undefined variable 'sys'
>
> This code can probably be done away with since we have a Requires for
> it. I won't insist on it though.
Yes, removed since package with ipalib will have the dependency.

> There is a slew of trailing white-space.
Fixed.

-- 
/ Alexander Bokovoy

From ec239a86c0db944dcb4672efd4e120d4a7fae204 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Fri, 22 Jul 2011 16:30:44 +0300
Subject: [PATCH] Add hbactest command.

https://fedorahosted.org/freeipa/ticket/386

HBAC rules control who can access what services on what hosts and from
where. You can use HBAC to control which users or groups on a source host
can access a service, or group of services, on a target host.

Since applying HBAC rules implies use of a production environment, this
plugin aims to provide simulation of HBAC rules evaluation without having
access to the production environment.

Test user coming from source host to a service on a named host against
existing enabled rules.

    ipa hbactest --user= --srchost= --host= --service=
                 [--rules=rules-list] [--nodetail] [--enabled] [--disabled]

--user, --srchost, --host, and --service are mandatory, others are
optional.

If --rules is specified simulate enabling of the specified rules and test
the login of the user using only these rules.

If --enabled is specified, all enabled HBAC rules will be added to
simulation.

If --disabled is specified, all disabled HBAC rules will be added to
simulation.

If --nodetail is specified, do not return information about rules
matched/not matched.

If both --rules and --enabled are specified, apply simulation to --rules
_and_ all IPA enabled rules.

If no --rules specified, simulation is run against all IPA enabled rules.

EXAMPLES:

    1. Use all enabled HBAC rules in IPA database to simulate:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
    Access granted: True
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      matched: allow_all

    2. Disable detailed summary of how rules were applied:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail
    Access granted: True

    3. Test explicitly specified HBAC rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule
    --------------------
    Access granted: False
    --------------------
      notmatched: my-second-rule
      notmatched: myrule

    4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled
    Access granted: True
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      matched: allow_all

    5. Test all disabled HBAC rules in IPA database:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled
    --------------------
    Access granted: False
    --------------------
      notmatched: new-rule

    6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled
    --------------------
    Access granted: False
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule

    7. Test all (enabled and disabled) HBAC rules in IPA database:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled
    Access granted: True
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      notmatched: new-rule
      matched: allow_all

Only rules existing in IPA database are tested. They may be in enabled or
disabled state. Specifying them through --rules option explicitly enables
them only in simulation run. Specifying non-existing rules will not grant
access and report non-existing rules in output.
---
 API.txt                    |   15 ++
 VERSION                    |    2 +-
 freeipa.spec.in            |    5 +
 ipalib/plugins/hbactest.py |  327 +
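The rule-selection semantics spelled out in the hbactest description above (default enabled set, --rules enabling named rules for the run only, --enabled/--disabled adding whole sets, non-existing rules denying access) are easy to get subtly wrong, so here they are as an added, runnable model. This is example code written for this page, not FreeIPA's hbactest plugin or its evaluator; the rule set, the wildcard representation, the `hbactest()` signature and the reading that an unresolved rule name forces "Access granted: False" are all assumptions of the example.

```python
"""Miniature HBAC simulator following the option semantics described for
`ipa hbactest` (added illustration; not FreeIPA's implementation).

A rule is an allow rule with four selectors. Each selector is either a
frozenset of names or the wildcard ALL (standing in for a rule whose
user/host/service category is 'all'). Rules, names and the returned tuple are
constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass

ALL = "all"


@dataclass(frozen=True)
class HBACRule:
    name: str
    enabled: bool
    users: frozenset | str = ALL      # users (or groups) the rule applies to
    srchosts: frozenset | str = ALL   # hosts the login may originate from
    hosts: frozenset | str = ALL      # target hosts
    services: frozenset | str = ALL   # PAM services


def _selects(selector, value: str) -> bool:
    """ALL selects everything; otherwise the value must be a member."""
    return selector == ALL or value in selector


def rule_matches(rule: HBACRule, user: str, srchost: str, host: str, service: str) -> bool:
    """An allow rule matches only when all four selectors accept the request."""
    return (_selects(rule.users, user) and _selects(rule.srchosts, srchost)
            and _selects(rule.hosts, host) and _selects(rule.services, service))


def hbactest(rules, user, srchost, host, service,
             explicit=(), enabled=False, disabled=False):
    """Return (granted, matched, notmatched, nonexistent).

    Selection mirrors the command description:
      * explicit (--rules): the named rules, treated as enabled for this run
      * enabled / disabled:  add every enabled / every disabled rule
      * nothing given:       every enabled rule
    A named rule that does not exist is reported and denies access.
    """
    by_name = {r.name: r for r in rules}
    selected: dict[str, HBACRule] = {}
    nonexistent = []
    for name in explicit:
        if name in by_name:
            selected[name] = by_name[name]   # enabled in the simulation only
        else:
            nonexistent.append(name)
    if enabled or not (explicit or disabled):
        selected.update((r.name, r) for r in rules if r.enabled)
    if disabled:
        selected.update((r.name, r) for r in rules if not r.enabled)

    matched = sorted(n for n, r in selected.items()
                     if rule_matches(r, user, srchost, host, service))
    notmatched = sorted(n for n in selected if n not in matched)
    granted = bool(matched) and not nonexistent
    return granted, matched, notmatched, nonexistent


def report(result) -> list[str]:
    """Render a result the way the CLI examples above print it."""
    granted, matched, notmatched, nonexistent = result
    lines = ["Access granted: %s" % granted]
    lines += ["  notmatched: %s" % n for n in notmatched]
    lines += ["  matched: %s" % n for n in matched]
    lines += ["  unresolved: %s" % n for n in nonexistent]
    return lines


# Constructed rule set shaped like the one in the examples above.
RULES = [
    HBACRule("allow_all", enabled=True),
    HBACRule("myrule", True, users=frozenset({"admin"}),
             hosts=frozenset({"bar"}), services=frozenset({"ssh"})),
    HBACRule("my-second-rule", True, users=frozenset({"a1a"}),
             srchosts=frozenset({"baz"}), hosts=frozenset({"bar"}),
             services=frozenset({"ssh"})),
    HBACRule("my-third-rule", True, users=frozenset({"a1a"}),
             hosts=frozenset({"bar"}), services=frozenset({"ftp"})),
    HBACRule("new-rule", False, users=frozenset({"a1a"}), hosts=frozenset({"qux"})),
    HBACRule("staging-ssh", False, users=frozenset({"a1a"}),
             hosts=frozenset({"bar"}), services=frozenset({"ssh"})),
]

if __name__ == "__main__":
    req = ("a1a", "foo", "bar", "ssh")
    print("\n".join(report(hbactest(RULES, *req))))
    print("\n".join(report(hbactest(RULES, *req, explicit=["my-second-rule", "myrule"]))))
    print("\n".join(report(hbactest(RULES, *req, explicit=["staging-ssh"]))))
```

The `staging-ssh` rule shows the point the description makes about --rules: it is disabled, so the default run ignores it, but naming it with --rules makes it match for that run without touching its state in the database. Whether a disabled rule matches is a separate question from whether it is selected, which is why `--disabled` alone can still yield "Access granted: True".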
Re: [Freeipa-devel] [PATCH] 842 deprecation some sudorule options
On Thu, 2011-07-28 at 18:53 -0400, Rob Crittenden wrote:
> I created a validator for each of these three to disallow management.
>
> This would be a major API change to remove them. They are useful in the
> find command so I hedged my bet and didn't mark the docs as deprecated,
> just as for -find only.
>
> rob

NACK. The approach looks OK, I just think that the error message is not
really what we want:

    # ipa sudorule-mod srule1 --externaluser=foo
    ipa: ERROR: invalid 'externaluser': The deny type has been deprecated.

Martin
Re: [Freeipa-devel] [PATCH 33/33] Clean up existing DN object usage
On 28.7.2011 21:27, John Dennis wrote:
> Clean up existing DN object usage:
>
> DN's support iteration, no need for loop index.
> get_cert_nickname() now returns a DN object instead of a dn string.
> Use DN equality testing instead of string equality.
> Replace use of DN syntax strings with DN constructor args.
> Remove ipaldap.IPAdmin.normalizeDN()

Works fine, ACK.

Honza

-- 
Jan Cholasta
Re: [Freeipa-devel] [PATCH] 840 don't set host passwords as expired
On Wed, 2011-07-27 at 10:16 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Setting a host password once the host has already been enrolled will
>> result in an expired password (like most passwords we set). We can just
>> skip setting this at all on hosts.
>>
>> Test using this method:
>>
>> * ipa host-add --random
>> * ipa-client-install --password '***'
>> * ipa-client-install --uninstall
>> * ipa host-mod --random
>> * ipa-client-install --password '***'
>>
>> If the second enrollment works the patch succeeded. Previously it would
>> fail with Password expired.
>>
>> rob
>
> Sorry, talk about overcommit! Here are just the interesting bits.
>
> rob

ACK. Works fine.

Pushed to master, ipa-2-0.

Martin
[Freeipa-devel] [PATCH] 0008 Modify /etc/sysconfig/network on a client when IPA manages hostname
https://fedorahosted.org/freeipa/ticket/1368 also replaces a tab by spaces in one else statement (cosmetic). -- / Alexander Bokovoy From bc02d3098671a2284b5764205b893facdeacf80e Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Tue, 19 Jul 2011 15:33:53 +0300 Subject: [PATCH] Modify /etc/sysconfig/network on a client when IPA manages hostname https://fedorahosted.org/freeipa/ticket/1368 --- ipa-client/ipa-install/ipa-client-install | 35 ++-- 1 files changed, 32 insertions(+), 3 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 2e1a28ca087dee9eea04ccc7a9e6e4f8ce89..0199dc69049a484d92fcace3721de0cd04dbe1ad 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -28,10 +28,11 @@ try: import logging import tempfile import getpass +import re from ipaclient import ipadiscovery import ipaclient.ipachangeconf import ipaclient.ntpconf -from ipapython.ipautil import run, user_input, CalledProcessError, file_exists +from ipapython.ipautil import run, user_input, CalledProcessError, file_exists, install_file from ipapython import ipautil from ipapython import dnsclient from ipapython import sysrestore 
@@ -520,6 +521,30 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options): except: print certmonger request for host certificate failed +def backup_and_replace_hostname(fstore, hostname): +# TODO: this code is for Red Hat-based systems +# it need to be rewritten for cross-paltform support +# so that different configuration backends would be possible +# (GNU/Debian stores this information in a different place) +network_filename = /etc/sysconfig/network +# Backup original /etc/sysconfig/network +fstore.backup_file(network_filename) +hostname_pattern = re.compile('^HOSTNAME=') +temp_filename = None +with tempfile.NamedTemporaryFile(delete=False) as new_config: +temp_filename = new_config.name +with open(network_filename, 'r') as f: +for line in f: +if hostname_pattern.match(line): +new_config.write(HOSTNAME=%s\n % (hostname)) +else: +new_config.write(line) +new_config.flush() +# At this point new_config is closed but not removed due to 'delete=False' above +# Now, install the temporary file as configuration and ensure old version is available as .orig +# While .orig file is not used during uninstall, it is left there for administrator. +install_file(temp_filename, network_filename) + def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options): sssdconfig = SSSDConfig.SSSDConfig() sssdconfig.new_config() @@ -566,6 +591,10 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options): sssdconfig.save_domain(domain) sssdconfig.write(/etc/sssd/sssd.conf) +# configure /etc/sysconfig/network to contain the hostname we set. +if options.hostname: +backup_and_replace_hostname(fstore, options.hostname) + return 0 def resolve_ipaddress(server): 
@@ -940,8 +969,8 @@ def main(): if not options.sssd: print sys.stderr, Failed to configure automatic startup of the NSCD daemon print sys.stderr, Caching of users/groups will not be available after reboot - else: - print sys.stderr, Failed to disable NSCD daemon. Please disable it manually. +else: +print sys.stderr, Failed to disable NSCD daemon. Please disable it manually. else: # this is optional service, just log -- 1.7.6 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
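Review bot: The backup_and_replace_hostname hunk has no path for a /etc/sysconfig/network without a HOSTNAME= line: the loop only rewrites a line that matches `hostname_pattern`, so on such a file the hostname is never persisted and an unchanged copy is installed with no warning. Track whether a matching line was written and append `HOSTNAME=%s` otherwise. In the same hunk, `tempfile.NamedTemporaryFile(delete=False)` creates the replacement in the system temp directory with the 0600 mode that mkstemp gives it, and `install_file(temp_filename, network_filename)` then moves that file over the original, so the configuration file ends up with the temp file's mode rather than its own; create the temporary file in the target's directory and copy the original mode onto it before installing.

Review bot: The call `backup_and_replace_hostname(fstore, options.hostname)` in the configure_sssd_conf hunk only runs when the SSSD configuration path is taken, so a client installed with --no-sssd never gets its hostname persisted even though --hostname was passed. Make the call from main() where the hostname is decided, independent of the SSSD/LDAP choice.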
Re: [Freeipa-devel] [PATCH] 0008 Modify /etc/sysconfig/network on a client when IPA manages hostname
On Fri, 2011-07-29 at 11:42 +0300, Alexander Bokovoy wrote:
> https://fedorahosted.org/freeipa/ticket/1368
>
> also replaces a tab by spaces in one else statement (cosmetic).

This works fine. But I have a few suggestions for improvement:

1) Shouldn't we also run `hostname NEW_HOSTNAME` so that the new hostname
   is properly set on the system?

2) I would enhance our man pages/help and state that we are changing the
   system hostname. Current --hostname option is confusing:

    --hostname   The hostname of this server (FQDN). By default of
                 nodename from uname(2) is used.

Martin
Re: [Freeipa-devel] [PATCH] 841 require pki-ca = 9.0.10
On Fri, 2011-07-29 at 08:17 +0200, Jan Cholasta wrote:
> On 28.7.2011 20:31, Rob Crittenden wrote:
>> The IPA server cert profile was updated in 9.0.10 to allow the server
>> certs to act as clients. We need pki-ca 9.0.10 for this.
>>
>> rob
>
> ACK.
>
> Honza

Pushed to master.

Martin
Re: [Freeipa-devel] [PATCH] 0008 Modify /etc/sysconfig/network on a client when IPA manages hostname
On 29.07.2011 12:01, Martin Kosek wrote:
> On Fri, 2011-07-29 at 11:42 +0300, Alexander Bokovoy wrote:
>> https://fedorahosted.org/freeipa/ticket/1368
>>
>> also replaces a tab by spaces in one else statement (cosmetic).
>
> This works fine. But I have a few suggestions for improvement:
>
> 1) Shouldn't we also run `hostname NEW_HOSTNAME` so that the new
>    hostname is properly set on the system?
Makes sense.

> 2) I would enhance our man pages/help and state that we are changing the
>    system hostname. Current --hostname option is confusing:
>
>     --hostname   The hostname of this server (FQDN). By default of
>                  nodename from uname(2) is used.
Oh, this is not informative at all. I'll get this updated.

Thanks for review!

-- 
/ Alexander Bokovoy
[Freeipa-devel] [PATCH] 0004 (2) Make proper LDAP configuration reporting for ipa-cli-install
Hi, another attempt to refine error/configuration reporting when configuring means to access LDAP on a client. Previous one tried to use rpm to find out package name but this approach is avoiding package names. Instead, it tries to tell configuration file. Ticker https://fedorahosted.org/freeipa/ticket/1369 -- / Alexander Bokovoy From 5497a7b2b39a6f7ffd48d35c37beeb80e9730f66 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Fri, 29 Jul 2011 13:05:07 +0300 Subject: [PATCH] Make proper LDAP configuration reporting for ipa-client-install Ticket https://fedorahosted.org/freeipa/ticket/1369 --- ipa-client/ipa-install/ipa-client-install | 26 -- 1 files changed, 16 insertions(+), 10 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 2e1a28ca087dee9eea04ccc7a9e6e4f8ce89..75a1b3d1f8469433c404ef5f6b1989094a466f25 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -336,6 +336,7 @@ def configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, d opts.append({'name':'empty', 'type':'empty'}) +ret = (0, 'LDAP', '') # Depending on the release and distribution this may exist in any # number of different file names, update what we find for filename in ['/etc/ldap.conf', '/etc/nss_ldap.conf', '/etc/libnss-ldap.conf', '/etc/pam_ldap.conf']: @@ -343,11 +344,12 @@ def configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, d try: fstore.backup_file(filename) ldapconf.newConf(filename, opts) +ret = (0, 'LDAP', filename) except Exception, e: print Creation of %s: %s % (filename, str(e)) -return 1 +return (1, 'LDAP', filename) -return 0 +return ret def configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options): nslcdconf = ipaclient.ipachangeconf.IPAChangeConf(IPA Installer) 
@@ -379,7 +381,7 @@ def configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, nslcdconf.newConf('/etc/nslcd.conf', opts) except Exception, e: print Creation of %s: %s % ('/etc/nslcd.conf', str(e)) -return 1 +return (1, 'nslcd') if ipautil.service_is_installed('nslcd'): try: @@ -395,7 +397,7 @@ def configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, else: logging.debug(NSLCD daemon is not installed, skip configuration) -return 0 +return (0, 'NSLCD', '/etc/nslcd.conf') def hardcode_ldap_server(cli_server): @@ -945,7 +947,8 @@ def main(): else: # this is optional service, just log -logging.info(NSCD daemon is not installed, skip configuration) +if not options.sssd: +logging.info(NSCD daemon is not installed, skip configuration) # Modify nsswitch/pam stack if options.sssd: @@ -964,14 +967,17 @@ def main(): run([/usr/sbin/authconfig, --enablekrb5, --update, --nostart]) print Kerberos 5 enabled +(retcode, conf, filename) = (0, 'SSSD', '/etc/sssd.conf') # Update non-SSSD LDAP configuration after authconfig calls as it would # change its configuration otherways if not options.sssd: -if configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options): +(retcode, conf, filename) = configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options) +if retcode: return 1 -if configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options): +(retcode, conf, filename) = configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options) +if retcode: return 1 -print LDAP configured +print %s configured using configuration file %s % (conf, filename) #Check that nss is working properly if not options.on_master: 
@@ -989,8 +995,8 @@ def main(): n = n + 1 if not found: -print nss_ldap is not able to use DNS discovery! -print Changing configuration to use hardcoded server name: +cli_server +print Unable to use DNS discovery! Recognized configuration: %s % (conf) +print Changing configuration of /etc/ldap.conf to use hardcoded server name: +cli_server try: hardcode_ldap_server(cli_server) -- 1.7.6 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
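Review bot: The main() hunk seeds the report with `(retcode, conf, filename) = (0, 'SSSD', '/etc/sssd.conf')`, but the SSSD configuration is written to /etc/sssd/sssd.conf (`sssdconfig.write(/etc/sssd/sssd.conf)` in configure_sssd_conf, visible in the 0008 patch earlier in this digest), so the "configured using configuration file" message names a file that does not exist; use the real path.

Review bot: In the configure_ldap_conf hunk the default `ret = (0, 'LDAP', '')` is what gets returned when none of the candidate files exists, and main() then prints "LDAP configured using configuration file " with an empty name; return a value that marks "nothing configured" and have main() skip the message in that case. In the last hunk the message `Changing configuration of /etc/ldap.conf to use hardcoded server name` still hard-codes that path even when the recognised configuration reported on the previous line is NSLCD; print the filename carried in the triple instead.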
Re: [Freeipa-devel] [PATCH] 0008 Modify /etc/sysconfig/network on a client when IPA manages hostname
On Fri, 2011-07-29 at 12:46 +0300, Alexander Bokovoy wrote:
> On 29.07.2011 12:21, Alexander Bokovoy wrote:
>> On 29.07.2011 12:01, Martin Kosek wrote:
>>> On Fri, 2011-07-29 at 11:42 +0300, Alexander Bokovoy wrote:
>>>> https://fedorahosted.org/freeipa/ticket/1368
>>>>
>>>> also replaces a tab by spaces in one else statement (cosmetic).
>>>
>>> This works fine. But I have a few suggestions for improvement:
>>>
>>> 1) Shouldn't we also run `hostname NEW_HOSTNAME` so that the new
>>>    hostname is properly set on the system?
>> Makes sense.
>>
>>> 2) I would enhance our man pages/help and state that we are changing
>>>    the system hostname. Current --hostname option is confusing:
>>>
>>>     --hostname   The hostname of this server (FQDN). By default of
>>>                  nodename from uname(2) is used.
>> Oh, this is not informative at all. I'll get this updated.
>
> Updated patch attached.

Ok, hostname is properly changed now. I still have some issues:

1) Updated --hostname help doc line in the source code is too long. This
   should be split.

2) I miss new --hostname help in ipa-client-install man pages (there can
   be the same text as it is in the inline help).

3) When IPA client is uninstalled, I would consider changing the hostname
   back to where it was. sysrestore.StateFile could be used for storing
   the old hostname value.

Martin
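The points raised in this thread about rewriting /etc/sysconfig/network (record the old value so uninstall can put it back, cope with a file that has no HOSTNAME= line) are general to any installer that edits a KEY=VALUE file in place, so here is an added, self-contained example of doing it carefully. This is illustration code written for this page, not the patch under review or FreeIPA's installer: the function names, the constructed sample file and the temp-directory demo are assumptions of the example, and the real installer uses its own sysrestore backup and state machinery rather than returning the old value.

```python
"""Rewrite a KEY=VALUE configuration file (the /etc/sysconfig/network shape)
so that one key has a new value.  Added example, not FreeIPA code.

Beyond what the thread asks for (remember the old value, add the key when
it is missing) it does two things a reviewer expects from code that replaces
a system file: the new file is written next to the target and renamed over
it atomically, and it keeps the original file's mode instead of the 0600
that a fresh temporary file gets.
"""
import os
import re
import stat
import tempfile

# KEY=VALUE with optional whitespace and trailing '# comment'.  Lines that do
# not match (blank lines, comment lines) are copied through untouched.
ASSIGNMENT = re.compile(
    r"""^\s*(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*"""
    r"""(?P<value>"[^"]*"|'[^']*'|[^#\s]*)\s*(?P<comment>#.*)?$""")


def set_assignment(text: str, key: str, value: str):
    """Return (new_text, old_value); old_value is None if key was absent.

    The shell sources these files, so the last assignment wins: that value is
    reported as the old one.  The first occurrence is replaced and later
    duplicates are dropped so the result is unambiguous.
    """
    out, old, written = [], None, False
    for line in text.splitlines(keepends=True):
        m = ASSIGNMENT.match(line.rstrip("\n"))
        if m and m.group("key") == key:           # '==', never 'is', for str
            old = m.group("value").strip("\"'")
            if not written:
                out.append("%s=%s\n" % (key, value))
                written = True
            continue
        out.append(line)
    if not written:                               # key missing: append it
        if out and not out[-1].endswith("\n"):
            out[-1] += "\n"
        out.append("%s=%s\n" % (key, value))
    return "".join(out), old


def replace_file_atomically(path: str, new_text: str) -> None:
    """Write new_text to a temp file in path's directory and rename it over path.

    Same-directory temp file => rename() is atomic and readers never see a
    half-written file; chmod copies the original mode (a tmp file is 0600).
    """
    st = os.stat(path)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".network.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(new_text)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, stat.S_IMODE(st.st_mode))
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def persist_hostname(path: str, hostname: str):
    """Set HOSTNAME in path; return the previous value for the uninstall step."""
    with open(path) as f:
        text = f.read()
    new_text, old = set_assignment(text, "HOSTNAME", hostname)
    replace_file_atomically(path, new_text)
    return old


# Constructed sample, in a scratch directory so the example runs unprivileged.
SAMPLE = ("# Created by anaconda\n"
          "NETWORKING=yes\n"
          "HOSTNAME=oldname.example.com   # set by kickstart\n"
          "NETWORKING_IPV6=no\n")


def demo():
    """Return (old_hostname, resulting_text, resulting_mode) for SAMPLE."""
    path = os.path.join(tempfile.mkdtemp(), "network")
    with open(path, "w") as f:
        f.write(SAMPLE)
    os.chmod(path, 0o644)
    old = persist_hostname(path, "client.ipa.example.com")
    with open(path) as f:
        text = f.read()
    return old, text, stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    old, text, mode = demo()
    print("previous hostname:", old, "mode: %o" % mode)
    print(text)
```

On uninstall the caller would pass the returned old value back through `persist_hostname`, or simply restore the backed-up copy of the file, as the thread's sysrestore approach does; either way the `None` case (no HOSTNAME line existed) has to be handled before calling `/bin/hostname`, since there is then nothing to restore.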
Re: [Freeipa-devel] [PATCH] 0004 (2) Make proper LDAP configuration reporting for ipa-cli-install
On Fri, 2011-07-29 at 13:09 +0300, Alexander Bokovoy wrote:
> Hi,
>
> another attempt to refine error/configuration reporting when configuring
> means to access LDAP on a client. Previous one tried to use rpm to find
> out package name but this approach is avoiding package names. Instead,
> it tries to tell configuration file.
>
> Ticket https://fedorahosted.org/freeipa/ticket/1369

NACK.

1) Return info from LDAP config functions gets overwritten:

    if not options.sssd:
        (retcode, conf, filename) = configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options)
        if retcode:
            return 1
        (retcode, conf, filename) = configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options)
        if retcode:
            return 1

Only one function will do the real configuration, in my case it was the
configure_ldap_conf (nslcd was not installed). Due to the overwrite, my
ipa-client-install reported invalid information:

    # ipa-client-install --server=vm-059.idm.lab.bos.redhat.com --domain=idm.lab.bos.redhat.com --no-sssd
    ...
    LDAP enabled
    Kerberos 5 enabled
    NSLCD configured using configuration file /etc/nslcd.conf
    Unable to use DNS discovery! Recognized configuration: NSLCD
    Changing configuration of /etc/ldap.conf to use hardcoded server name: vm-059.idm.lab.bos.redhat.com
    NTP enabled
    Client configuration complete.

We need to indicate in the return triple that the service was not
configured so that we output correct information.

2) Returning tuple instead of triple (will raise exception when used):

    -return 1
    +return (1, 'nslcd')

Plus, NSLCD is referred to in upper case in other return statements.

Martin
Re: [Freeipa-devel] [PATCH 33/33] Clean up existing DN object usage
On Fri, 2011-07-29 at 09:59 +0200, Jan Cholasta wrote:
> On 28.7.2011 21:27, John Dennis wrote:
>> Clean up existing DN object usage:
>>
>> DN's support iteration, no need for loop index.
>> get_cert_nickname() now returns a DN object instead of a dn string.
>> Use DN equality testing instead of string equality.
>> Replace use of DN syntax strings with DN constructor args.
>> Remove ipaldap.IPAdmin.normalizeDN()
>
> Works fine, ACK.
>
> Honza

Pushed to master, ipa-2-0.

Martin
Re: [Freeipa-devel] [PATCH] 0008 Modify /etc/sysconfig/network on a client when IPA manages hostname
On 29.07.2011 13:52, Martin Kosek wrote: Oh, this is not informative at all. I'll get this updated. Updated patch attached. Ok, hostname is properly changed now. I still have some issues: 1) Updated --hostname help doc line in the source code is too long. This should be split. Now it uses multiple lines. 2) I miss new --hostname help in ipa-client-install man pages (there can be the same text as it is in the inline help) Copied the same text to ipa-client-install.1 3) When IPA client is uninstalled, I would consider changing the hostname back to where it was. sysrestore.StateFile could be used for storing the old hostname value. Added use of sysrestore.StateFile and restoring the hostname from it. Note that /etc/sysconfig/network is restored already via sysrestore.FileStore. -- / Alexander Bokovoy From c1892612c7ad64f8ea9ae14f8077d0a5a4b832bf Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Tue, 19 Jul 2011 15:33:53 +0300 Subject: [PATCH] Modify /etc/sysconfig/network on a client when IPA manages hostname https://fedorahosted.org/freeipa/ticket/1368 --- ipa-client/ipa-install/ipa-client-install | 54 ++-- ipa-client/man/ipa-client-install.1 |2 +- 2 files changed, 51 insertions(+), 5 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 2e1a28ca087dee9eea04ccc7a9e6e4f8ce89..509e67bd02394b1ca62ab6ec0d5bf313cba646dd 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -28,10 +28,11 @@ try: import logging import tempfile import getpass +import re from ipaclient import ipadiscovery import ipaclient.ipachangeconf import ipaclient.ntpconf -from ipapython.ipautil import run, user_input, CalledProcessError, file_exists +from ipapython.ipautil import run, user_input, CalledProcessError, file_exists, install_file from ipapython import ipautil from ipapython import dnsclient from ipapython import sysrestore 
@@ -87,7 +88,9 @@ def parse_options(): parser.add_option(, --uninstall, dest=uninstall, action=store_true, default=False, help=uninstall an existing installation) parser.add_option(, --hostname, dest=hostname, - help=The hostname of this server (FQDN). By default of nodename from uname(2) is used.) + help=The hostname of this server (FQDN). If specified, the hostname will be set and + the system configuration will be updated to persist over reboot. + By default a nodename result from uname(2) is used.) parser.add_option(, --enable-dns-updates, dest=dns_updates, action=store_true, default=False, help=Configures the machine to attempt dns updates when the ip address changes.) parser.add_option(--no-krb5-offline-passwords, dest=krb5_offline_passwords, action=store_false, @@ -236,6 +239,12 @@ def uninstall(options, env): print Restoring client configuration files fstore.restore_all_files() +old_hostname = statestore.restore_state('network','hostname') +if not hostname is None and old_hostname != hostname: +try: +ipautil.run(['/bin/hostname', old_hostname]) +except CalledProcessError, e: +print sys.stderr, Failed to set this machine hostname to %s (%s). % (old_hostname, str(e)) if ipautil.service_is_installed('nscd'): try: 
@@ -520,6 +529,36 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options): except: print certmonger request for host certificate failed +def backup_and_replace_hostname(fstore, hostname): +# TODO: this code is for Red Hat-based systems +# it need to be rewritten for cross-paltform support +# so that different configuration backends would be possible +# (GNU/Debian stores this information in a different place) +network_filename = /etc/sysconfig/network +# Backup original /etc/sysconfig/network +fstore.backup_file(network_filename) +hostname_pattern = re.compile('^HOSTNAME=(.*)') +temp_filename = None +with tempfile.NamedTemporaryFile(delete=False) as new_config: +temp_filename = new_config.name +with open(network_filename, 'r') as f: +for line in f: +m = hostname_pattern.match(line) +if m: +new_config.write(HOSTNAME=%s\n % (hostname)) +statestore.backup_state('network', 'hostname', m.group(1)) +else: +new_config.write(line) +new_config.flush() +# At this point new_config is closed but not removed due to 'delete=False' above +# Now, install the temporary file as configuration and ensure old version is available as .orig +# While .orig file
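Review bot: In the uninstall hunk, `if not hostname is None and old_hostname != hostname:` tests the wrong name: `statestore.restore_state('network','hostname')` returns None when nothing was saved (no HOSTNAME= line at install time, or a client enrolled before this change), the condition still passes, and `ipautil.run(['/bin/hostname', old_hostname])` is invoked with None. Check `old_hostname is not None` (and write it that way rather than `not hostname is None`) before calling out to /bin/hostname.

Review bot: backup_and_replace_hostname calls `statestore.backup_state(...)` although its signature is `(fstore, hostname)` and only fstore is passed in; pass statestore explicitly the way fstore is, so the function does not depend on a module-level name. The case of a /etc/sysconfig/network with no HOSTNAME= line is also still unhandled in this version: the loop writes no new line and records nothing in the state file, so there is nothing to restore on uninstall either.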
Re: [Freeipa-devel] [PATCH] 842 deprecation some sudorule options
Martin Kosek wrote:
> On Thu, 2011-07-28 at 18:53 -0400, Rob Crittenden wrote:
>> I created a validator for each of these three to disallow management.
>>
>> This would be a major API change to remove them. They are useful in the
>> find command so I hedged my bet and didn't mark the docs as deprecated,
>> just as for -find only.
>>
>> rob
>
> NACK. The approach looks OK, I just think that the error message is not
> really what we want:
>
>     # ipa sudorule-mod srule1 --externaluser=foo
>     ipa: ERROR: invalid 'externaluser': The deny type has been deprecated.
>
> Martin

Yikes, I had meant to go back and fix that up. Updated patch attached.

rob

freeipa-rcrit-842-2-sudorule.patch
Description: application/mbox
Re: [Freeipa-devel] [PATCH] 0004 (2) Make proper LDAP configuration reporting for ipa-cli-install
On 29.07.2011 14:13, Martin Kosek wrote: On Fri, 2011-07-29 at 13:09 +0300, Alexander Bokovoy wrote: Hi, another attempt to refine error/configuration reporting when configuring means to access LDAP on a client. Previous one tried to use rpm to find out package name but this approach is avoiding package names. Instead, it tries to tell configuration file. Ticker https://fedorahosted.org/freeipa/ticket/1369 NACK. 1) Return info from LDAP config functions gets overwritten: if not options.sssd: (retcode, conf, filename) = configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options) if retcode: return 1 (retcode, conf, filename) = configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options) if retcode: return 1 Only one function will do the real configuration, in my case it was the configure_ldap_conf (nslcd was not installed). Due to the overwrite, my ipa-client-install reported invalid information: Yes, fixed. # ipa-client-install --server=vm-059.idm.lab.bos.redhat.com --domain=idm.lab.bos.redhat.com --no-sssd ... LDAP enabled Kerberos 5 enabled NSLCD configured using configuration file /etc/nslcd.conf Unable to use DNS discovery! Recognized configuration: NSLCD Changing configuration of /etc/ldap.conf to use hardcoded server name: vm-059.idm.lab.bos.redhat.com NTP enabled Client configuration complete. We need to indicate in the return triple that the service was not configured so that we output correct information. I did this now by returning None: return (0, None, None). 2) Returning tuple instead of triple (will raise exception when used): -return 1 +return (1, 'nslcd') Plus, NSLCD is referred in upper case in other return statements. Fixed. Version 3 attached. -- / Alexander Bokovoy From c2ebbee6c1796874a44a735a843a9453ccaaf4bf Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy aboko...@redhat.com Date: Fri, 29 Jul 2011 13:05:07 +0300 Subject: [PATCH] Make proper LDAP configuration reporting for ipa-client-install Ticket https://fedorahosted.org/freeipa/ticket/1369 --- ipa-client/ipa-install/ipa-client-install | 29 + 1 files changed, 17 insertions(+), 12 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 2e1a28ca087dee9eea04ccc7a9e6e4f8ce89..5847fea1d3e26bdd0c6182ab0ecf3d19ab0f69bc 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -336,6 +336,7 @@ def configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, d opts.append({'name':'empty', 'type':'empty'}) +ret = (0, None, None) # Depending on the release and distribution this may exist in any # number of different file names, update what we find for filename in ['/etc/ldap.conf', '/etc/nss_ldap.conf', '/etc/libnss-ldap.conf', '/etc/pam_ldap.conf']: @@ -343,11 +344,12 @@ def configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, d try: fstore.backup_file(filename) ldapconf.newConf(filename, opts) +return (0, 'LDAP', filename) except Exception, e: print Creation of %s: %s % (filename, str(e)) -return 1 +return (1, 'LDAP', filename) -return 0 +return ret def configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options): nslcdconf = ipaclient.ipachangeconf.IPAChangeConf(IPA Installer) @@ -379,7 +381,7 @@ def configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, nslcdconf.newConf('/etc/nslcd.conf', opts) except Exception, e: print Creation of %s: %s % ('/etc/nslcd.conf', str(e)) -return 1 +return (1, None, None) if ipautil.service_is_installed('nslcd'): try: 
@@ -394,8 +396,9 @@ def configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, logging.error(Failed to enable automatic startup of the NSLCD daemon: %s % str(e)) else: logging.debug(NSLCD daemon is not installed, skip configuration) +return (0, None, None) -return 0 +return (0, 'NSLCD', '/etc/nslcd.conf') def hardcode_ldap_server(cli_server): @@ -945,7 +948,8 @@ def main(): else: # this is optional service, just log -logging.info(NSCD daemon is not installed, skip configuration) +if not options.sssd: +logging.info(NSCD daemon is not installed, skip configuration) # Modify nsswitch/pam stack if options.sssd: @@ -967,11 +971,12 @@ def main(): # Update non-SSSD LDAP configuration after authconfig calls as it would # change its configuration otherways if not
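Review bot: In the configure_ldap_conf hunk, `return (0, 'LDAP', filename)` inside the loop exits after the first candidate file that exists, whereas the comment above the loop ("this may exist in any number of different file names, update what we find") and the earlier `ret = ...` assignment describe updating every file present; a system that has both /etc/ldap.conf and /etc/pam_ldap.conf would now get only the first one rewritten and the other left with stale contents. Keep the loop running, collect the configured filenames, and return after it.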
Re: [Freeipa-devel] [PATCH] 0007 Add command to test HBAC rules
Alexander Bokovoy wrote:
> On 29.07.2011 07:41, Rob Crittenden wrote:
>> Alexander Bokovoy wrote:
>>> On 29.07.2011 06:38, Alexander Bokovoy wrote:
>>>> Fixed that all and added unit test for non-existing rules. Modified
>>>> description to be more detailed and added real examples.
>>> Scratch previous version, while nicely renaming unit tests before
>>> commit and after patch testing I didn't keep right order of cleanup
>>> and the non-existing rule test. Fixed version.
>>
>> Nack, two very minor issues:
>>
>> ipalib/plugins/hbactest.py:126: [E0602] Undefined variable 'sys'
>>
>> This code can probably be done away with since we have a Requires for
>> it. I won't insist on it though.
> Yes, removed since package with ipalib will have the dependency.
>
>> There is a slew of trailing white-space.
> Fixed.

ack

Minor rebase because freeipa.spec.in was updated, pushed to master.

rob
Re: [Freeipa-devel] [PATCH] 0008 Modify /etc/sysconfig/network on a client when IPA manages hostname
On 29.07.2011 14:53, Alexander Bokovoy wrote: On 29.07.2011 13:52, Martin Kosek wrote: Oh, this is not informative at all. I'll get this updated. Updated patch attached. Ok, hostname is properly changed now. I still have some issues: Updated again to use more reliable regexp for parsing. Thanks to ConfParse project for inspiration (http://code.google.com/p/confparse/source/browse/trunk/confparse.py) -- / Alexander Bokovoy From 457b165f50949e4d7d8266de69c4f983424b020d Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Tue, 19 Jul 2011 15:33:53 +0300 Subject: [PATCH] Modify /etc/sysconfig/network on a client when IPA manages hostname https://fedorahosted.org/freeipa/ticket/1368 --- ipa-client/ipa-install/ipa-client-install | 62 +++-- ipa-client/man/ipa-client-install.1 |2 +- 2 files changed, 59 insertions(+), 5 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 2e1a28ca087dee9eea04ccc7a9e6e4f8ce89..afe302f25ed64a8b2792fc76817b178ba1cc855c 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -28,10 +28,11 @@ try: import logging import tempfile import getpass +import re from ipaclient import ipadiscovery import ipaclient.ipachangeconf import ipaclient.ntpconf -from ipapython.ipautil import run, user_input, CalledProcessError, file_exists +from ipapython.ipautil import run, user_input, CalledProcessError, file_exists, install_file from ipapython import ipautil from ipapython import dnsclient from ipapython import sysrestore 
@@ -87,7 +88,9 @@ def parse_options(): parser.add_option(, --uninstall, dest=uninstall, action=store_true, default=False, help=uninstall an existing installation) parser.add_option(, --hostname, dest=hostname, - help=The hostname of this server (FQDN). By default of nodename from uname(2) is used.) + help=The hostname of this server (FQDN). If specified, the hostname will be set and + the system configuration will be updated to persist over reboot. + By default a nodename result from uname(2) is used.) parser.add_option(, --enable-dns-updates, dest=dns_updates, action=store_true, default=False, help=Configures the machine to attempt dns updates when the ip address changes.) parser.add_option(--no-krb5-offline-passwords, dest=krb5_offline_passwords, action=store_false, @@ -236,6 +239,12 @@ def uninstall(options, env): print Restoring client configuration files fstore.restore_all_files() +old_hostname = statestore.restore_state('network','hostname') +if not hostname is None and old_hostname != hostname: +try: +ipautil.run(['/bin/hostname', old_hostname]) +except CalledProcessError, e: +print sys.stderr, Failed to set this machine hostname to %s (%s). % (old_hostname, str(e)) if ipautil.service_is_installed('nscd'): try: 
@@ -520,6 +529,44 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options): except: print certmonger request for host certificate failed +def backup_and_replace_hostname(fstore, hostname): +# TODO: this code is for Red Hat-based systems +# it need to be rewritten for cross-paltform support +# so that different configuration backends would be possible +# (GNU/Debian stores this information in a different place) +network_filename = /etc/sysconfig/network +# Backup original /etc/sysconfig/network +fstore.backup_file(network_filename) +hostname_pattern = re.compile(''' +(^ +\s* +(?Poption [^\#;]+?) +(\s*=\s*) +(?Pvalue .+?)? +(\s*((\#|;).*)?)? +$)''', re.VERBOSE) +temp_filename = None +with tempfile.NamedTemporaryFile(delete=False) as new_config: +temp_filename = new_config.name +with open(network_filename, 'r') as f: +for line in f: +m = hostname_pattern.match(line) +option, value = m.group('option', 'value') +if option is 'HOSTNAME': +new_config.write(HOSTNAME=%s\n % (hostname)) +statestore.backup_state('network', 'hostname', value) +else: +new_config.write(line) +new_config.flush() +# At this point new_config is closed but not removed due to 'delete=False' above +# Now, install the temporary file as configuration and ensure old version is available as .orig +# While .orig file is not used during uninstall, it is left there for administrator. +install_file(temp_filename, network_filename) +try: +
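Review bot: in the uninstall() hunk, the guard `if not hostname is None and old_hostname != hostname:` tests the wrong variable. When no 'network'/'hostname' state was saved, `statestore.restore_state()` returns None for old_hostname, the guard still passes because `hostname` itself is set, and `ipautil.run(['/bin/hostname', old_hostname])` is called with None (the TypeError reproduced later in this thread). Suggest `if old_hostname is not None and old_hostname != hostname:`.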
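Review bot: in the backup_and_replace_hostname() hunk, `m = hostname_pattern.match(line)` is used without a None check, so the first line the pattern does not match (a blank line or a `#` comment) makes `m.group('option', 'value')` raise AttributeError, and `if option is 'HOSTNAME':` compares object identity rather than string equality, which is why the HOSTNAME line is never rewritten. Suggest copying the line through when `m is None` and testing `option == 'HOSTNAME'`. Two smaller points in the same hunk: `statestore` is used without being passed in alongside `fstore`, so the function silently depends on a module-level global; and the file produced by `tempfile.NamedTemporaryFile` is created by mkstemp with mode 0600 in the temp directory, so after `install_file(temp_filename, network_filename)` the new /etc/sysconfig/network no longer carries the original file's permissions (nor, on SELinux hosts, its label). Copying the original's mode onto the temporary file with os.chmod before install_file, or creating it next to the target, avoids that.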
Re: [Freeipa-devel] [PATCH] 0008 Modify /etc/sysconfig/network on a client when IPA manages hostname
On Fri, 2011-07-29 at 16:05 +0300, Alexander Bokovoy wrote:
> On 29.07.2011 14:53, Alexander Bokovoy wrote:
>> On 29.07.2011 13:52, Martin Kosek wrote:
>>>> Oh, this is not informative at all. I'll get this updated.
>>>> Updated patch attached.
>>> Ok, hostname is properly changed now. I still have some issues:
> Updated again to use a more reliable regexp for parsing. Thanks to the
> ConfParse project for inspiration
> (http://code.google.com/p/confparse/source/browse/trunk/confparse.py)

Hm, the new regex looks robust.

1) But it didn't find the hostname in my case:

# ipa-client-install --server=vm-059.idm.lab.bos.redhat.com --domain=idm.lab.bos.redhat.com --hostname=foo.idm.lab.bos.redhat.com
...
Client configuration complete.

No sysrestore.state was created, i.e. no hostname was backed up.

# ls /var/lib/ipa-client/sysrestore/
688988a01b73872d-network   d35eec0a8128e435-krb5.conf  eada0d7ba116bfd7-sssd.conf
9cf989cb60307725-ntp.conf  e4d8b217dfce5043-ntpd       sysrestore.index

The IPA client then failed with an exception because we didn't have the hostname:

# ipa-client-install --uninstall --unattended
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Restoring client configuration files
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1071, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 737, in main
    return uninstall(options, env)
  File "/usr/sbin/ipa-client-install", line 245, in uninstall
    ipautil.run(['/bin/hostname', old_hostname])
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 218, in run
    close_fds=True, env=env)
  File "/usr/lib64/python2.7/subprocess.py", line 672, in __init__
    errread, errwrite)
  File "/usr/lib64/python2.7/subprocess.py", line 1202, in _execute_child
    raise child_exception
TypeError: coercing to Unicode: need string or buffer, NoneType found

There should be a check that if we don't have the hostname, we don't restore it.

My network configuration was:

# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=vm-131.idm.lab.bos.redhat.com

2) Why do we call backup_and_replace_hostname() only in configure_sssd_conf()? If we run the client installation with --no-sssd, the hostname wouldn't get backed up.

Martin
Re: [Freeipa-devel] [PATCH] 842 deprecation some sudorule options
On Fri, 2011-07-29 at 08:51 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On Thu, 2011-07-28 at 18:53 -0400, Rob Crittenden wrote:
>>> I created a validator for each of these three to disallow management.
>>>
>>> This would be a major API change to remove them. They are useful in the
>>> find command so I hedged my bet and didn't mark the docs as deprecated,
>>> just as for -find only.
>>>
>>> rob
>> NACK. The approach looks OK, I just think that the error message is not
>> really what we want:
>>
>> # ipa sudorule-mod srule1 --externaluser=foo
>> ipa: ERROR: invalid 'externaluser': The deny type has been deprecated.
>>
>> Martin
> Yikes, I had meant to go back and fix that up. Updated patch attached.
>
> rob

Yeah, that's better :-)

ACK. Pushed to master, ipa-2-0.

Martin
Re: [Freeipa-devel] [PATCH] 0008 Modify /etc/sysconfig/network on a client when IPA manages hostname
On 29.07.2011 16:25, Martin Kosek wrote: On Fri, 2011-07-29 at 16:05 +0300, Alexander Bokovoy wrote: On 29.07.2011 14:53, Alexander Bokovoy wrote: On 29.07.2011 13:52, Martin Kosek wrote: Oh, this is not informative at all. I'll get this updated. Updated patch attached. Ok, hostname is properly changed now. I still have some issues: Updated again to use more reliable regexp for parsing. Thanks to ConfParse project for inspiration (http://code.google.com/p/confparse/source/browse/trunk/confparse.py) Hm, the new regex looks robust. 1) But it didn't find hostname in my case: There was wrong comparison (I wanted to check if option is not None and then compare it to 'HOSTNAME' but brain short-circuited. My bad. # ipa-client-install --server=vm-059.idm.lab.bos.redhat.com --domain=idm.lab.bos.redhat.com --hostname=foo.idm.lab.bos.redhat.com ... Client configuration complete. No sysrestore.state was created, i.e. no hostname was backup-ed. # ls /var/lib/ipa-client/sysrestore/ 688988a01b73872d-networkd35eec0a8128e435-krb5.conf eada0d7ba116bfd7-sssd.conf 9cf989cb60307725-ntp.conf e4d8b217dfce5043-ntpd sysrestore.index IPA client then failed with an exception because we didn't have the hostname: # ipa-client-install --uninstall --unattended Unenrolling client from IPA server Removing Kerberos service principals from /etc/krb5.keytab Disabling client Kerberos and LDAP configurations Restoring client configuration files Traceback (most recent call last): File /usr/sbin/ipa-client-install, line 1071, in module sys.exit(main()) File /usr/sbin/ipa-client-install, line 737, in main return uninstall(options, env) File /usr/sbin/ipa-client-install, line 245, in uninstall ipautil.run(['/bin/hostname', old_hostname]) File /usr/lib/python2.7/site-packages/ipapython/ipautil.py, line 218, in run close_fds=True, env=env) File /usr/lib64/python2.7/subprocess.py, line 672, in __init__ errread, errwrite) File /usr/lib64/python2.7/subprocess.py, line 1202, in _execute_child raise 
child_exception TypeError: coercing to Unicode: need string or buffer, NoneType found There should be a check that if we don't have the hostname, we don't restore it. Added both checks (it was there in uninstall but checking hostname instead of old_hostname). -- / Alexander Bokovoy From fede69202b873d11400e59a4de615594981aecba Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Tue, 19 Jul 2011 15:33:53 +0300 Subject: [PATCH] Modify /etc/sysconfig/network on a client when IPA manages hostname https://fedorahosted.org/freeipa/ticket/1368 --- ipa-client/ipa-install/ipa-client-install | 65 +++-- ipa-client/man/ipa-client-install.1 |2 +- 2 files changed, 62 insertions(+), 5 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 2e1a28ca087dee9eea04ccc7a9e6e4f8ce89..8a49ce316db3e1765168af41ee2b4a9c9bf6db2c 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -28,10 +28,11 @@ try: import logging import tempfile import getpass +import re from ipaclient import ipadiscovery import ipaclient.ipachangeconf import ipaclient.ntpconf -from ipapython.ipautil import run, user_input, CalledProcessError, file_exists +from ipapython.ipautil import run, user_input, CalledProcessError, file_exists, install_file from ipapython import ipautil from ipapython import dnsclient from ipapython import sysrestore 
@@ -87,7 +88,9 @@ def parse_options(): parser.add_option(, --uninstall, dest=uninstall, action=store_true, default=False, help=uninstall an existing installation) parser.add_option(, --hostname, dest=hostname, - help=The hostname of this server (FQDN). By default of nodename from uname(2) is used.) + help=The hostname of this server (FQDN). If specified, the hostname will be set and + the system configuration will be updated to persist over reboot. + By default a nodename result from uname(2) is used.) parser.add_option(, --enable-dns-updates, dest=dns_updates, action=store_true, default=False, help=Configures the machine to attempt dns updates when the ip address changes.) parser.add_option(--no-krb5-offline-passwords, dest=krb5_offline_passwords, action=store_false, @@ -236,6 +239,12 @@ def uninstall(options, env): print Restoring client configuration files fstore.restore_all_files() +old_hostname = statestore.restore_state('network','hostname') +if not old_hostname is None and old_hostname != hostname: +try: +ipautil.run(['/bin/hostname', old_hostname]) +except CalledProcessError, e: +print
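Review bot: the uninstall() hunk now checks the right variable with `if not old_hostname is None and old_hostname != hostname:`; `not x is None` parses as `not (x is None)`, so it works, but `old_hostname is not None` is the idiomatic spelling and reads unambiguously.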
Re: [Freeipa-devel] [PATCH] 0008 Modify /etc/sysconfig/network on a client when IPA manages hostname
On 29.07.2011 17:06, Alexander Bokovoy wrote: There was wrong comparison (I wanted to check if option is not None and then compare it to 'HOSTNAME' but brain short-circuited. My bad. ... and one more update, to get common style for comparisons. -- / Alexander Bokovoy From debdf588069ec1c06c29854b80358302470616e0 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Tue, 19 Jul 2011 15:33:53 +0300 Subject: [PATCH] Modify /etc/sysconfig/network on a client when IPA manages hostname https://fedorahosted.org/freeipa/ticket/1368 --- ipa-client/ipa-install/ipa-client-install | 65 +++-- ipa-client/man/ipa-client-install.1 |2 +- 2 files changed, 62 insertions(+), 5 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 2e1a28ca087dee9eea04ccc7a9e6e4f8ce89..c5f66be85361ecb3ab8b0c41908d378702df068d 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -28,10 +28,11 @@ try: import logging import tempfile import getpass +import re from ipaclient import ipadiscovery import ipaclient.ipachangeconf import ipaclient.ntpconf -from ipapython.ipautil import run, user_input, CalledProcessError, file_exists +from ipapython.ipautil import run, user_input, CalledProcessError, file_exists, install_file from ipapython import ipautil from ipapython import dnsclient from ipapython import sysrestore 
@@ -87,7 +88,9 @@ def parse_options(): parser.add_option(, --uninstall, dest=uninstall, action=store_true, default=False, help=uninstall an existing installation) parser.add_option(, --hostname, dest=hostname, - help=The hostname of this server (FQDN). By default of nodename from uname(2) is used.) + help=The hostname of this server (FQDN). If specified, the hostname will be set and + the system configuration will be updated to persist over reboot. + By default a nodename result from uname(2) is used.) parser.add_option(, --enable-dns-updates, dest=dns_updates, action=store_true, default=False, help=Configures the machine to attempt dns updates when the ip address changes.) parser.add_option(--no-krb5-offline-passwords, dest=krb5_offline_passwords, action=store_false, @@ -236,6 +239,12 @@ def uninstall(options, env): print Restoring client configuration files fstore.restore_all_files() +old_hostname = statestore.restore_state('network','hostname') +if old_hostname is not None and old_hostname != hostname: +try: +ipautil.run(['/bin/hostname', old_hostname]) +except CalledProcessError, e: +print sys.stderr, Failed to set this machine hostname to %s (%s). % (old_hostname, str(e)) if ipautil.service_is_installed('nscd'): try: 
@@ -520,6 +529,47 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options): except: print certmonger request for host certificate failed +def backup_and_replace_hostname(fstore, hostname): +# TODO: this code is for Red Hat-based systems +# it need to be rewritten for cross-paltform support +# so that different configuration backends would be possible +# (GNU/Debian stores this information in a different place) +network_filename = /etc/sysconfig/network +# Backup original /etc/sysconfig/network +fstore.backup_file(network_filename) +hostname_pattern = re.compile(''' +(^ +\s* +(?Poption [^\#;]+?) +(\s*=\s*) +(?Pvalue .+?)? +(\s*((\#|;).*)?)? +$)''', re.VERBOSE) +temp_filename = None +with tempfile.NamedTemporaryFile(delete=False) as new_config: +temp_filename = new_config.name +with open(network_filename, 'r') as f: +for line in f: +new_line = line +m = hostname_pattern.match(line) +if m: +option, value = m.group('option', 'value') +if option is not None and option == 'HOSTNAME': +if value is not None and hostname != value: +new_line = u'HOSTNAME=%s' % (hostname) +statestore.backup_state('network', 'hostname', value) +new_config.write(new_line) +new_config.flush() + +# At this point new_config is closed but not removed due to 'delete=False' above +# Now, install the temporary file as configuration and ensure old version is available as .orig +# While .orig file is not used during uninstall, it is left there for administrator. +install_file(temp_filename, network_filename) +try: +
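Review bot: in the backup_and_replace_hostname() hunk, `new_line = u'HOSTNAME=%s' % (hostname)` has lost the line terminator that the earlier `HOSTNAME=%s\n` kept, so whenever HOSTNAME is not the last line of /etc/sysconfig/network the following option is glued onto it (`HOSTNAME=foo.example.comNETWORKING=yes`, for instance), and when it is the last line the file is left without a trailing newline; restore the `\n`. Also, if the file has no HOSTNAME line at all, or has `HOSTNAME=` with an empty value (the optional value group does not participate, so `value is not None` is false), nothing is written and no state is saved, so the new hostname is not persisted even though the --hostname help text now promises it; append a `HOSTNAME=` line in that case. Minor: `option is not None and option == 'HOSTNAME'` can be just `option == 'HOSTNAME'`, since the option group is mandatory in the pattern and a match guarantees it.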
Re: [Freeipa-devel] [PATCH] 0008 Modify /etc/sysconfig/network on a client when IPA manages hostname
On Fri, 2011-07-29 at 17:06 +0300, Alexander Bokovoy wrote:
> On 29.07.2011 16:25, Martin Kosek wrote:
>> On Fri, 2011-07-29 at 16:05 +0300, Alexander Bokovoy wrote:
>>> On 29.07.2011 14:53, Alexander Bokovoy wrote:
>>>> On 29.07.2011 13:52, Martin Kosek wrote:
>>>>>> Oh, this is not informative at all. I'll get this updated.
>>>>>> Updated patch attached.
>>>>> Ok, hostname is properly changed now. I still have some issues:
>>> Updated again to use a more reliable regexp for parsing. Thanks to the
>>> ConfParse project for inspiration
>>> (http://code.google.com/p/confparse/source/browse/trunk/confparse.py)
>> Hm, the new regex looks robust.
>>
>> 1) But it didn't find the hostname in my case:
> There was a wrong comparison (I wanted to check if option is not None and
> then compare it to 'HOSTNAME' but my brain short-circuited). My bad.
>> # ipa-client-install --server=vm-059.idm.lab.bos.redhat.com --domain=idm.lab.bos.redhat.com --hostname=foo.idm.lab.bos.redhat.com
>> ...
>> Client configuration complete.
>>
>> No sysrestore.state was created, i.e. no hostname was backed up.
>>
>> # ls /var/lib/ipa-client/sysrestore/
>> 688988a01b73872d-network   d35eec0a8128e435-krb5.conf  eada0d7ba116bfd7-sssd.conf
>> 9cf989cb60307725-ntp.conf  e4d8b217dfce5043-ntpd       sysrestore.index
>>
>> The IPA client then failed with an exception because we didn't have the
>> hostname:
>>
>> # ipa-client-install --uninstall --unattended
>> Unenrolling client from IPA server
>> Removing Kerberos service principals from /etc/krb5.keytab
>> Disabling client Kerberos and LDAP configurations
>> Restoring client configuration files
>> Traceback (most recent call last):
>>   File "/usr/sbin/ipa-client-install", line 1071, in <module>
>>     sys.exit(main())
>>   File "/usr/sbin/ipa-client-install", line 737, in main
>>     return uninstall(options, env)
>>   File "/usr/sbin/ipa-client-install", line 245, in uninstall
>>     ipautil.run(['/bin/hostname', old_hostname])
>>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 218, in run
>>     close_fds=True, env=env)
>>   File "/usr/lib64/python2.7/subprocess.py", line 672, in __init__
>>     errread, errwrite)
>>   File "/usr/lib64/python2.7/subprocess.py", line 1202, in _execute_child
>>     raise child_exception
>> TypeError: coercing to Unicode: need string or buffer, NoneType found
>>
>> There should be a check that if we don't have the hostname, we don't
>> restore it.
> Added both checks (it was there in uninstall but checking hostname instead
> of old_hostname).
>
> --
> / Alexander Bokovoy

ACK. Before pushing, I just replaced constructs like "not var is None" with "var is not None" - it's more pythonic.

Pushed to master.

Martin
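The thread above reviews backup_and_replace_hostname(), which rewrites the HOSTNAME line of /etc/sysconfig/network and saves the old value for uninstall. The following is an added example, not FreeIPA's code: it reworks that logic to handle the cases raised in review (lines the pattern does not match, an absent or empty HOSTNAME line, the dropped newline) and installs the result atomically while preserving the target file's mode. The regex has the same shape as the patch's; the sample file contents, paths and the demo() helper are constructed for this example.

```python
"""Persist a managed hostname in a sysconfig-style file, keeping the old value."""
import os
import re
import tempfile

# Same shape as the reviewed pattern: option, '=', optional value, optional
# '#' or ';' comment. Lines that do not match (blank, comment) are copied as is.
OPTION_RE = re.compile(r'''
    ^
    (?P<indent>\s*)
    (?P<option>[^\#;=\s]+)
    (?P<eq>\s*=\s*)
    (?P<value>[^\#;]*?)
    (?P<rest>\s*(?:[\#;].*)?)
    $''', re.VERBOSE)

# Constructed sample of /etc/sysconfig/network for the demo below.
SAMPLE = (
    "NETWORKING=yes\n"
    "HOSTNAME=vm-131.example.test  # set by kickstart\n"
    "GATEWAY=10.0.0.1\n"
)


def rewrite_hostname(text, hostname):
    """Return (new_text, old_value) with the first HOSTNAME line set to hostname.

    old_value is None when the file had no HOSTNAME line (one is appended)
    or its value was empty. The line's terminator and trailing comment are kept.
    """
    out = []
    old_value = None
    seen = False
    for line in text.splitlines(keepends=True):
        body = line.rstrip('\r\n')
        newline = line[len(body):]          # whatever terminator the line had
        m = OPTION_RE.match(body)
        if m is None or m.group('option') != 'HOSTNAME' or seen:
            out.append(line)                # not ours: copy through untouched
            continue
        seen = True
        old_value = m.group('value').strip() or None
        if old_value == hostname:
            out.append(line)                # already correct, keep verbatim
        else:
            out.append('%sHOSTNAME=%s%s%s' % (
                m.group('indent'), hostname, m.group('rest'), newline or '\n'))
    if not seen:
        # No HOSTNAME line at all: append one so the hostname is persisted.
        if out and not out[-1].endswith('\n'):
            out[-1] += '\n'
        out.append('HOSTNAME=%s\n' % hostname)
    return ''.join(out), old_value


def install_hostname(path, hostname):
    """Rewrite `path` atomically and return the previous HOSTNAME value.

    mkstemp creates the temporary file with mode 0600; it is created beside
    the target (same filesystem, so the rename is atomic) and given the
    target's mode before the rename, so the installed file keeps its permissions.
    """
    with open(path) as f:
        text = f.read()
    new_text, old_value = rewrite_hostname(text, hostname)
    mode = os.stat(path).st_mode & 0o7777
    fd, tmp = tempfile.mkstemp(prefix='.network.',
                               dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, 'w') as tf:
            tf.write(new_text)
            tf.flush()
            os.fsync(tf.fileno())
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return old_value


def demo(hostname='foo.example.test'):
    """Run install_hostname() on a temporary copy of SAMPLE (constructed).

    Returns (old_value, new_text, mode) so the effect can be checked.
    """
    d = tempfile.mkdtemp()
    path = os.path.join(d, 'network')
    with open(path, 'w') as f:
        f.write(SAMPLE)
    os.chmod(path, 0o644)
    old_value = install_hostname(path, hostname)
    with open(path) as f:
        new_text = f.read()
    return old_value, new_text, os.stat(path).st_mode & 0o7777


if __name__ == '__main__':
    old, text, mode = demo()
    print('previous HOSTNAME: %s, mode now %o' % (old, mode))
    print(text, end='')
```

The caller keeps the returned old value (the patch stores it with statestore.backup_state) and, on uninstall, only restores it when it is not None.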
Re: [Freeipa-devel] [PATCH] 0282-use-other_entity-for-adder-columns
On 7/28/2011 9:30 PM, Adam Young wrote:

ACK and pushed to master.

--
Endi S. Dewata
Re: [Freeipa-devel] [PATCH] 002 Fixed adding host without DNS reverse zone
Due to my recent huge patch, the version -1 patch will not apply. I had to rebase by hand. Please confirm that it still works as intended.

On 07/27/2011 09:01 AM, Petr Vobornik wrote:
> On Tue, 2011-07-26 at 21:32 -0400, Adam Young wrote:
>> On 07/26/2011 07:09 PM, Endi Sukma Dewata wrote:
>>> On 7/26/2011 6:27 AM, Petr Vobornik wrote:
>>>> Fixed adding host without DNS reverse zone
>>>> https://fedorahosted.org/freeipa/ticket/1481
>>>>
>>>> Shows status dialog instead of error dialog (error 4304 is treated like
>>>> success).
>>>>
>>>> This patch is fixing the problem, but maybe in a wrong way. The main
>>>> problem was that the error has to be treated like success. This
>>>> decision is done in the command.execute() method. There are two ways to
>>>> do it:
>>>> 1) Interrupt error handling - transform error to success
>>>> 2) Interrupt success handling - don't let success be transformed into
>>>> error.
>>>> The solution is using the second option. But I think the first option
>>>> is better. But there are obstacles:
>>>> - handling is done in a private function (for me ipa.js line ~ 290)
>>>> - there is an extend point - setting the on_error method. The problem
>>>> is that this method is executed only if command.retry is false (default
>>>> is true). Setting it to false will disable usage of the error dialog
>>>> (which is a private function). So I would lose functionality for normal
>>>> errors. Reordering these lines isn't an option because it would affect
>>>> a lot of code.
>>>> - one way would be to extract the code for the error dialog and make
>>>> it a regular reusable dialog (with command as parameter). This way it
>>>> can be used in a custom error handler.
>>>>
>>>> Is it ACKable, or is it better to do it as described?
>>>>
>>>> Petr
>>> Hi Petr,
>>>
>>> The new is_custom_success and on_custom_success attributes in
>>> IPA.command somehow compete with the original on_success because they
>>> serve a similar purpose. I think it's better to make the default error
>>> dialog in IPA.command public so it can be used by other code as well.
>>>
>>> We have a global variable IPA.error_dialog which stores the DOM element
>>> for the error dialog. I think we can convert it into a global object
>>> which you can open/close to show the default error dialog. The original
>>> DOM element can be stored in a 'container' attribute in that object. In
>>> other words, convert dialog_open() into IPA.error_dialog.open(), move
>>> the original IPA.error_dialog into IPA.error_dialog.container.
>>>
>>> Set retry to false when invoking IPA.command, then specify an error
>>> handler which will catch error 4304. For other errors you'll display
>>> the default error dialog.
>>>
>>> There are also some warnings about trailing whitespaces when applying
>>> the patch. You can remove them by adding the --whitespace=fix option
>>> when applying the patch with git am.
>> On the whitespace issue, if you are an emacs person, there is a command:
>> alt-x whitespace-cleanup that you should run on a file after you make
>> changes. I have '(show-trailing-whitespace t)) in my .emacs file, which
>> shows all whitespace as red...which properly motivates you to clean it
>> up as soon as possible. I'm not sure of the comparable vi settings, but
>> I know they exist.
> Reworked.
> - Refactored error dialog.
> - Changed context of calling command.on_success and command.on_error
>   methods from $.ajax's object to command.
> - Added generic message dialog (IPA.message_dialog)
> (not changed from previous)
>
> Should be without trailing whitespaces. :)
>
> Petr

From 672781a3a234eb2b138ff7b198f8cb46641935bd Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com Date: Fri, 29 Jul 2011 10:53:01 -0400 Subject: [PATCH] Fixed adding host without DNS reverse zone https://fedorahosted.org/freeipa/ticket/1481 Shows status dialog instead of error dialog (error 4304 is treated like success). Refactored error dialog. Changed context of calling command.on_success and command.on_error methods from $.ajax's object to command. Added generic message dialog (IPA.message_dialog) --- install/ui/add.js | 10 +++--- 1 files changed, 7 insertions(+), 3 deletions(-) diff --git a/install/ui/add.js b/install/ui/add.js index 988ea8ff13819ccdd61a2033344e146dbaf09255..a55c5feacf7cf1702c3f4bbe34ba018664c724f3 100644 --- a/install/ui/add.js +++ b/install/ui/add.js @@ -31,6 +31,8 @@ IPA.add_dialog = function (spec) { that.method = spec.method || 'add'; that.pre_execute_hook = spec.pre_execute_hook; +that.on_error = spec.on_error ; +that.retry = typeof spec.retry !== 'undefined' ? spec.retry : true; function show_edit_page(entity,result){ var pkey_name = entity.metadata.primary_key; @@ -51,6 +53,7 @@ IPA.add_dialog = function (spec) { var command = IPA.command({ entity: that.entity.name, method: that.method, +retry: that.retry,
Re: [Freeipa-devel] [PATCH] 002 Fixed adding host without DNS reverse zone
On 07/29/2011 10:58 AM, Adam Young wrote: Due to my recent huge patch, version -1 patch will not apply. I had to rebase by hand. Please confirm that it still works as intended. Missed a few files in my commit. From aaf747c17669b7404a3869a5a1a99108dd08b257 Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Fri, 29 Jul 2011 10:53:01 -0400 Subject: [PATCH] Fixed adding host without DNS reverse zone https://fedorahosted.org/freeipa/ticket/1481 Shows status dialog instead of error dialog (error 4304 is treated like success). Refactored error dialog. Changed context of calling command.on_success and command.on_error methods from $.ajax's object to command. Added generic message dialog (IPA.message_dialog) --- install/ui/add.js| 10 +++- install/ui/dialog.js | 29 install/ui/host.js | 42 + install/ui/ipa.js| 121 -- 4 files changed, 146 insertions(+), 56 deletions(-) diff --git a/install/ui/add.js b/install/ui/add.js index 988ea8ff13819ccdd61a2033344e146dbaf09255..a55c5feacf7cf1702c3f4bbe34ba018664c724f3 100644 --- a/install/ui/add.js +++ b/install/ui/add.js @@ -31,6 +31,8 @@ IPA.add_dialog = function (spec) { that.method = spec.method || 'add'; that.pre_execute_hook = spec.pre_execute_hook; +that.on_error = spec.on_error ; +that.retry = typeof spec.retry !== 'undefined' ? spec.retry : true; function show_edit_page(entity,result){ var pkey_name = entity.metadata.primary_key; @@ -51,6 +53,7 @@ IPA.add_dialog = function (spec) { var command = IPA.command({ entity: that.entity.name, method: that.method, +retry: that.retry, on_success: on_success, on_error: on_error }); @@ -127,8 +130,8 @@ IPA.add_dialog = function (spec) { var table = facet.table; table.refresh(); that.close(); -} -); +}, +that.on_error); }); that.add_button(IPA.messages.buttons.add_and_add_another, function() { @@ -141,7 +144,8 @@ IPA.add_dialog = function (spec) { var table = facet.table; table.refresh(); that.reset(); -} +}, +that.on_error); ); }); 
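Review bot: the `@@ -141,7 +144,8 @@` hunk of install/ui/add.js leaves a stray `);` behind. It removes `}` and adds `},` and `that.on_error);`, but keeps the original `);` line as unchanged context, so the call now ends `that.on_error); );`, which is a syntax error and will break loading of the whole UI script. The preceding `@@ -127,8 +130,8 @@` hunk handles the same pattern correctly by also removing that line (`-}` followed by `-);`); this hunk needs the same removal.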
diff --git a/install/ui/dialog.js b/install/ui/dialog.js index 848252d87f4db8418f26ec5c7dfebbfaca5f0275..ad95eceda97fdbf5e93af2dd77de0ab12963f2f3 100644 --- a/install/ui/dialog.js +++ b/install/ui/dialog.js @@ -644,3 +644,32 @@ IPA.deleter_dialog = function (spec) { return that; }; + +IPA.message_dialog = function(spec) { + +var that = IPA.dialog(spec); + +var init = function(spec) { +spec = spec || {}; +that.message = spec.message || ''; +that.on_ok = spec.on_ok; +}; +that.message_dialog_init = init; + +that.create = function() { +$('p/', { +'text': that.message +}).appendTo(that.container); +}; + +that.add_button(IPA.messages.buttons.ok, function() { +that.close(); +if(that.on_ok) { +that.on_ok(); +} +}); + +init(spec); + +return that; +}; diff --git a/install/ui/host.js b/install/ui/host.js index a84f54c190257e19efadcbdf0754b431eb4bd6de..8a40f07b18b20396b537f6d8fac6fe7f3d541e0c 100644 --- a/install/ui/host.js +++ b/install/ui/host.js @@ -102,6 +102,7 @@ IPA.entity_factories.host = function () { }). standard_association_facets(). adder_dialog({ +factory: IPA.host_adder_dialog, width: 400, height: 250, fields:[ @@ -128,6 +129,47 @@ IPA.entity_factories.host = function () { build(); }; +IPA.host_adder_dialog = function(spec) +{ +spec = spec || {}; +spec.retry = typeof spec.retry !== 'undefined' ? spec.retry : false; + +var that = IPA.add_dialog(spec); + +that.on_error = function(xhr, text_status, error_thrown) +{ +var command = this; +var data = error_thrown.data; +var dialog = null; + +if(data data.error data.error.code === 4304) { +dialog = IPA.message_dialog({ +message: data.error.message, +title: spec.title, +on_ok: function() { +data.result = { +result: { +fqdn: that.get_field('fqdn').save() +} +}; +command.on_success(data, text_status, xhr); +} +}); +} else { +dialog = IPA.error_dialog({ +xhr: xhr, +text_status: text_status, +error_thrown: error_thrown, +command: command +}); +} + +dialog.open(that.container); +}; + +return that; +};
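Review bot: in the IPA.host_adder_dialog hunk of install/ui/host.js, the 4304 branch invokes `command.on_success(data, text_status, xhr)` with `data.error` still set and `data.result` synthesized as only `{ result: { fqdn: ... } }`. Any success handler that checks `data.error`, or reads other attributes of the result that a real host-add returns, will misbehave on this path; delete `data.error` (or build the synthetic result from what on_success actually reads) before the call and note in a comment that the result is partial. Also, `var command = this;` only works because of the calling-context change to IPA.command in install/ui/ipa.js listed in the diffstat; a one-line comment saying so would protect the handler from a later refactor of how on_error is invoked.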
Re: [Freeipa-devel] [PATCH] 067 Silence a compilation warning in ipa_kpasswd
On 07/21/2011 02:53 PM, Martin Kosek wrote: On Thu, 2011-07-21 at 14:40 +0200, Jan Cholasta wrote: On 20.7.2011 17:10, Jakub Hrozek wrote: I was playing with ipa_kpasswd (long story short - I needed it running on a non-standard port) and I noticed there was a compilation warning - rtag was set but never checked. Also removes one unused #define. Found just a minor issue: you use spaces for indentation, but the rest of the file uses tabs. Honza To put my 2 cents in - I don't like throwing the same error message in more places. When it really ends with this message we wouldn't know the exact spot with the error. IMO it would make the following investigation simpler if we fix this. Martin A new patch is attached. From c29100c7a74fe7212f10cd935049bed2108d561c Mon Sep 17 00:00:00 2001 From: Jakub Hrozek jhro...@redhat.com Date: Tue, 19 Jul 2011 16:07:57 +0200 Subject: [PATCH] Silence a compilation warning in ipa_kpasswd rtag was set but never checked which resulted in a compilation warning --- daemons/ipa-kpasswd/ipa_kpasswd.c | 18 -- 1 files changed, 16 insertions(+), 2 deletions(-) diff --git a/daemons/ipa-kpasswd/ipa_kpasswd.c b/daemons/ipa-kpasswd/ipa_kpasswd.c index acec3db..cfafac3 100644 --- a/daemons/ipa-kpasswd/ipa_kpasswd.c +++ b/daemons/ipa-kpasswd/ipa_kpasswd.c @@ -45,7 +45,6 @@ #define DEFAULT_KEYTAB FILE:/var/kerberos/krb5kdc/kpasswd.keytab #define TMP_TEMPLATE /var/cache/ipa/kpasswd/krb5_cc.XX -#define KPASSWD_PORT 464 /* blacklist entries are released only BLCAKLIST_TIMEOUT seconds * after the children performing the noperation has finished. 
@@ -576,8 +575,17 @@ int ldap_pwd_change(char *client_name, char *realm_name, krb5_data pwd, char **e ber_tag_t rtag, btag; ber_int_t bint; rtag = ber_scanf(sctrl, {t, btag); + if (rtag == LBER_ERROR) { +syslog(LOG_ERR, Could not decode the tag BER element); +goto done; + } + if (btag == LDAP_TAG_PWP_WARNING) { rtag = ber_scanf(sctrl, {ti}, btag, bint); +if (rtag == LBER_ERROR) { + syslog(LOG_ERR, Could not decode the warning BER element); + goto done; +} if (btag == LDAP_TAG_PWP_SECSLEFT) { ret = asprintf(exterr2, (%d seconds left before password expires), bint); } else { @@ -587,10 +595,16 @@ int ldap_pwd_change(char *client_name, char *realm_name, krb5_data pwd, char **e syslog(LOG_ERR, OOM while creating error message ...); exterr2 = NULL; } -rtag = ber_scanf(sctrl, t, btag); +/* The next element might or might not be there (the control is a sequence) */ +ber_scanf(sctrl, t, btag); } if (btag == LDAP_TAG_PWP_ERROR) { rtag = ber_scanf(sctrl, e, bint); +if (rtag == LBER_ERROR) { + syslog(LOG_ERR, Could not decode the error BER element); + goto done; +} + switch(bint) { case 0: ret = asprintf(exterr1, Err%d: Password Expired., bint); -- 1.7.6 signature.asc Description: OpenPGP digital signature ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
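Review bot: the two new `goto done` branches in the `@@ -576,8 +575,17 @@` hunk (after `Could not decode the tag BER element` and `Could not decode the warning BER element`) jump out without touching `ret`, `exterr1` or `exterr2`, so whatever those held before the control was parsed is what the code after done: will act on. Please confirm that this path reports a failure to the kpasswd client rather than continuing as if no password policy control had been present, and set an explicit error result in the branches if it does not.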
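Review bot: in the `@@ -587,10 +595,16 @@` hunk, dropping the return value of the "t" peek into btag is explained by the new comment, but the `if (btag == LDAP_TAG_PWP_ERROR)` that follows then depends on what ber_scanf leaves in btag when the element is absent. Assigning btag a value that is neither PWP tag (for example `btag = 0;`) immediately before the peek makes the warning-only case independent of that library detail and documents the intent.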
Re: [Freeipa-devel] [PATCH] 0004 (2) Make proper LDAP configuration reporting for ipa-cli-install
On Fri, 2011-07-29 at 15:59 +0300, Alexander Bokovoy wrote:
> On 29.07.2011 14:13, Martin Kosek wrote:
>> On Fri, 2011-07-29 at 13:09 +0300, Alexander Bokovoy wrote:
>>> Hi,
>>>
>>> another attempt to refine error/configuration reporting when configuring
>>> means to access LDAP on a client. The previous one tried to use rpm to
>>> find out the package name but this approach avoids package names.
>>> Instead, it tries to tell the configuration file.
>>>
>>> Ticket https://fedorahosted.org/freeipa/ticket/1369
>> NACK.
>>
>> 1) Return info from LDAP config functions gets overwritten:
>>
>>     if not options.sssd:
>>         (retcode, conf, filename) = configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options)
>>         if retcode:
>>             return 1
>>         (retcode, conf, filename) = configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options)
>>         if retcode:
>>             return 1
>>
>> Only one function will do the real configuration, in my case it was
>> configure_ldap_conf (nslcd was not installed). Due to the overwrite, my
>> ipa-client-install reported invalid information:
> Yes, fixed.
>> # ipa-client-install --server=vm-059.idm.lab.bos.redhat.com --domain=idm.lab.bos.redhat.com --no-sssd
>> ...
>> LDAP enabled
>> Kerberos 5 enabled
>> NSLCD configured using configuration file /etc/nslcd.conf
>> Unable to use DNS discovery!
>> Recognized configuration: NSLCD
>> Changing configuration of /etc/ldap.conf to use hardcoded server name: vm-059.idm.lab.bos.redhat.com
>> NTP enabled
>> Client configuration complete.
>>
>> We need to indicate in the return triple that the service was not
>> configured so that we output correct information.
> I did this now by returning None: return (0, None, None).
>> 2) Returning tuple instead of triple (will raise exception when used):
>>
>>     -return 1
>>     +return (1, 'nslcd')
>>
>> Plus, NSLCD is referred to in upper case in other return statements.
> Fixed. Version 3 attached.

Getting closer, but still not there (although I really like your "for configurer in ..." construct):

# ipa-client-install --server=vm-059.idm.lab.bos.redhat.com --domain=idm.lab.bos.redhat.com --no-sssd
...
LDAP enabled
Kerberos 5 enabled
LDAP configured using configuration file /etc/ldap.conf
Unable to use DNS discovery!
Recognized configuration: None
Changing configuration of /etc/ldap.conf to use hardcoded server name: vm-059.idm.lab.bos.redhat.com
NTP enabled
Client configuration complete.

Martin
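The review above is about aggregating the (retcode, conf, filename) triples that configure_ldap_conf() and configure_nslcd_conf() return, where (0, None, None) means "this backend is not installed, nothing was written". The following added example (not FreeIPA's code) shows, in working code, why a loop that simply reassigns the triple reports "Recognized configuration: None" when only the first backend applies, and a run_configurers() that keeps the first real result while still failing fast. The configurers here are constructed stand-ins that consult a set of present config files instead of editing /etc.

```python
"""Collect the result of several LDAP client configurers without losing it."""


def configure_ldap_conf(present):
    """Stand-in: reports LDAP only when /etc/ldap.conf exists on the client."""
    if '/etc/ldap.conf' not in present:
        return (0, None, None)
    return (0, 'LDAP', '/etc/ldap.conf')


def configure_nslcd_conf(present):
    """Stand-in: reports NSLCD only when /etc/nslcd.conf exists on the client."""
    if '/etc/nslcd.conf' not in present:
        return (0, None, None)
    return (0, 'NSLCD', '/etc/nslcd.conf')


def configure_failing(present):
    """Stand-in for a backend whose configuration step fails."""
    return (1, 'NSLCD', '/etc/nslcd.conf')


CONFIGURERS = (configure_ldap_conf, configure_nslcd_conf)


def run_configurers_overwriting(configurers, present):
    """The reviewed pattern: every iteration replaces the previous triple,
    so a trailing (0, None, None) hides an earlier successful configuration."""
    result = (0, None, None)
    for configurer in configurers:
        result = configurer(present)
        if result[0]:
            return result
    return result


def run_configurers(configurers, present):
    """Stop on the first failure; otherwise keep the first backend that
    actually wrote a configuration and ignore the (0, None, None) no-ops."""
    recognized = (0, None, None)
    for configurer in configurers:
        retcode, conf, filename = configurer(present)
        if retcode:
            return (retcode, conf, filename)
        if conf is not None and recognized[1] is None:
            recognized = (0, conf, filename)
    return recognized


def report(triple):
    """Render a triple the way the installer summary lines above do."""
    retcode, conf, filename = triple
    if retcode:
        return 'Failed to configure %s (%s)' % (conf, filename)
    if conf is None:
        return 'Recognized configuration: None'
    return '%s configured using configuration file %s' % (conf, filename)


if __name__ == '__main__':
    client = {'/etc/ldap.conf'}          # constructed: nslcd not installed
    print('overwriting:', report(run_configurers_overwriting(CONFIGURERS, client)))
    print('kept first: ', report(run_configurers(CONFIGURERS, client)))
```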
Re: [Freeipa-devel] [PATCH] 0004 (2) Make proper LDAP configuration reporting for ipa-cli-install
Martin Kosek wrote:
> On Fri, 2011-07-29 at 15:59 +0300, Alexander Bokovoy wrote:
>> On 29.07.2011 14:13, Martin Kosek wrote:
>>> On Fri, 2011-07-29 at 13:09 +0300, Alexander Bokovoy wrote:
>>>> Hi,
>>>>
>>>> another attempt to refine error/configuration reporting when configuring
>>>> means to access LDAP on a client. Previous one tried to use rpm to find
>>>> out package name but this approach is avoiding package names. Instead,
>>>> it tries to tell configuration file.
>>>>
>>>> Ticket https://fedorahosted.org/freeipa/ticket/1369
>>>
>>> NACK.
>>>
>>> 1) Return info from LDAP config functions gets overwritten:
>>>
>>>     if not options.sssd:
>>>         (retcode, conf, filename) = configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options)
>>>         if retcode:
>>>             return 1
>>>         (retcode, conf, filename) = configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options)
>>>         if retcode:
>>>             return 1
>>>
>>> Only one function will do the real configuration, in my case it was the
>>> configure_ldap_conf (nslcd was not installed). Due to the overwrite, my
>>> ipa-client-install reported invalid information:
>>
>> Yes, fixed.
>>
>>> # ipa-client-install --server=vm-059.idm.lab.bos.redhat.com --domain=idm.lab.bos.redhat.com --no-sssd
>>> ...
>>> LDAP enabled
>>> Kerberos 5 enabled
>>> NSLCD configured using configuration file /etc/nslcd.conf
>>> Unable to use DNS discovery!
>>> Recognized configuration: NSLCD
>>> Changing configuration of /etc/ldap.conf to use hardcoded server name: vm-059.idm.lab.bos.redhat.com
>>> NTP enabled
>>> Client configuration complete.
>>>
>>> We need to indicate in the return triple that the service was not
>>> configured so that we output correct information.
>>
>> I did this now by returning None: return (0, None, None).
>>
>>> 2) Returning tuple instead of triple (will raise exception when used):
>>>
>>>     -return 1
>>>     +return (1, 'nslcd')
>>>
>>> Plus, NSLCD is referred in upper case in other return statements.
>>
>> Fixed. Version 3 attached.
>
> Getting closer, but still not there (although I really like your "for configurer in ..." construct):
>
> # ipa-client-install --server=vm-059.idm.lab.bos.redhat.com --domain=idm.lab.bos.redhat.com --no-sssd
> ...
> LDAP enabled
> Kerberos 5 enabled
> LDAP configured using configuration file /etc/ldap.conf
> Unable to use DNS discovery!
> Recognized configuration: None
> Changing configuration of /etc/ldap.conf to use hardcoded server name: vm-059.idm.lab.bos.redhat.com
> NTP enabled
> Client configuration complete.
>
> Martin

Backtrace on sssd-based install:

# ipa-client-install --server=panther.greyoak.com --domain=greyoak.com --realm=GREYOAK.COM -p admin
DNS domain 'greyoak.com' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Hostname: slinky.greyoak.com
Realm: GREYOAK.COM
DNS Domain: greyoak.com
IPA Server: panther.greyoak.com
BaseDN: dc=greyoak,dc=com

Continue to configure the system with these values? [no]: y
Password for ad...@greyoak.com:
Enrolled in IPA realm GREYOAK.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm GREYOAK.COM
SSSD enabled
Kerberos 5 enabled
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1079, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 1054, in main
    print "Unable to use DNS discovery! Recognized configuration: %s" % (conf)
UnboundLocalError: local variable 'conf' referenced before assignment
Re: [Freeipa-devel] [PATCH] 0004 (2) Make proper LDAP configuration reporting for ipa-cli-install
On 29.07.2011 18:09, Rob Crittenden wrote:
> Backtrace on sssd-based install:
>
> # ipa-client-install --server=panther.greyoak.com --domain=greyoak.com --realm=GREYOAK.COM -p admin
> DNS domain 'greyoak.com' is not configured for automatic KDC address lookup.
> KDC address will be set to fixed value.
>
> Discovery was successful!
> Hostname: slinky.greyoak.com
> Realm: GREYOAK.COM
> DNS Domain: greyoak.com
> IPA Server: panther.greyoak.com
> BaseDN: dc=greyoak,dc=com
>
> Continue to configure the system with these values? [no]: y
> Password for ad...@greyoak.com:
> Enrolled in IPA realm GREYOAK.COM
> Created /etc/ipa/default.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm GREYOAK.COM
> SSSD enabled
> Kerberos 5 enabled
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-client-install", line 1079, in <module>
>     sys.exit(main())
>   File "/usr/sbin/ipa-client-install", line 1054, in main
>     print "Unable to use DNS discovery! Recognized configuration: %s" % (conf)
> UnboundLocalError: local variable 'conf' referenced before assignment

Yes. Fixed that.

What we also want to show is that after all the effort to configure LDAP, DNS, etc, we are unable to find user admin. I have changed the printed statements to be clear. So in case we are unable to find admin, we'll print:

Unable to find 'admin' user with 'getent passwd admin'!

If we know what we were working with (SSSD, NSLCD, or LDAP), we'll also print:

Recognized configuration: (one of SSSD, NSLCD, LDAP)

otherwise it will show the following statement:

No recognized configuration, please check manually NSS setup

and will try to hardcode the LDAP server in /etc/ldap.conf if that exists. If the latter attempt succeeds, the user will see:

Changed configuration of /etc/ldap.conf to use hardcoded server name: (name of server)

I think it is at most what we can do without referencing hardcoded config files directly (except for /etc/ldap.conf) in 2.1.

Ideally, all this code for configuring specific services should go into a platform-specific backend and be re-used from there, but that is something for 2.1.1 as it would need my cross-platform enablers, which are too big for 2.1.

--
/ Alexander Bokovoy

From 5d38060f05d4642761bb62db810d8e6b89a3f150 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Fri, 29 Jul 2011 13:05:07 +0300
Subject: [PATCH] Make proper LDAP configuration reporting for ipa-client-install

Ticket https://fedorahosted.org/freeipa/ticket/1369
---
ipa-client/ipa-install/ipa-client-install | 35 +++--
1 files changed, 23 insertions(+), 12 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index c5f66be85361ecb3ab8b0c41908d378702df068d..4a61c1bb08057428153374c046f0223a12aefaf6 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -345,6 +345,7 @@ def configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, d opts.append({'name':'empty', 'type':'empty'}) +ret = (0, None, None) # Depending on the release and distribution this may exist in any # number of different file names, update what we find for filename in ['/etc/ldap.conf', '/etc/nss_ldap.conf', '/etc/libnss-ldap.conf', '/etc/pam_ldap.conf']: @@ -352,11 +353,12 @@ def configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, d try: fstore.backup_file(filename) ldapconf.newConf(filename, opts) +return (0, 'LDAP', filename) except Exception, e: print Creation of %s: %s % (filename, str(e)) -return 1 +return (1, 'LDAP', filename) -return 0 +return ret def configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options): nslcdconf = ipaclient.ipachangeconf.IPAChangeConf(IPA Installer)
@@ -388,7 +390,7 @@ def configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, nslcdconf.newConf('/etc/nslcd.conf', opts) except Exception, e: print Creation of %s: %s % ('/etc/nslcd.conf', str(e)) -return 1 +return (1, None, None) if ipautil.service_is_installed('nslcd'): try: @@ -403,8 +405,9 @@ def configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, logging.error(Failed to enable automatic startup of the NSLCD daemon: %s % str(e)) else: logging.debug(NSLCD daemon is not installed, skip configuration) +return (0, None, None) -return 0 +return (0, 'NSLCD', '/etc/nslcd.conf') def hardcode_ldap_server(cli_server): @@ -422,6 +425,7 @@ def hardcode_ldap_server(cli_server): # Errors raised by this
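Review bot: the `return (0, 'LDAP', filename)` added inside the `for filename in [...]` loop of configure_ldap_conf (hunk @@ -352,11) changes which files get written, not only what is reported. Before this patch the loop ran to completion and `return 0` followed it, so every file that exists among /etc/ldap.conf, /etc/nss_ldap.conf, /etc/libnss-ldap.conf and /etc/pam_ldap.conf was backed up and rewritten, which is what the comment "update what we find" describes; now the function stops at the first file that succeeds and any later one keeps its old contents. If stopping at the first is intended, update the comment; otherwise record the first hit instead of returning, e.g. `ret = (0, 'LDAP', filename)`, and let the loop finish before `return ret`.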
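Review bot: in the `else:` branch of configure_nslcd_conf (hunk @@ -403,8) the new `return (0, None, None)` correctly stops the "NSLCD configured" misreport Martin saw on a host without nslcd, but `nslcdconf.newConf('/etc/nslcd.conf', opts)` earlier in the same function has already written the file by the time `ipautil.service_is_installed('nslcd')` is consulted. Either test for the daemon before writing so that an absent nslcd leaves no file behind, or keep the write and report it; silently writing a file while returning None leaves the caller and the user with different pictures of the system.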
Re: [Freeipa-devel] [PATCH] 0004 (2) Make proper LDAP configuration reporting for ipa-cli-install
On 07/29/2011 11:35 AM, Alexander Bokovoy wrote:
> No recognized configuration, please check manually NSS setup

Maybe reword:

Unknown configuration, please check NSS setup manually

But some time ago, somewhere, some person from doc told me not to use "please" in any error messages, man pages or help. I do not know whether this is relevant or not, but should we avoid using "please"?

So how about:

Unknown configuration, check NSS setup manually

or

Detected unknown configuration, check NSS setup manually

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-devel] [PATCH] 0004 (2) Make proper LDAP configuration reporting for ipa-cli-install
On 29.07.2011 18:45, Dmitri Pal wrote:
> On 07/29/2011 11:35 AM, Alexander Bokovoy wrote:
>> No recognized configuration, please check manually NSS setup
>
> Maybe reword:
>
> Unknown configuration, please check NSS setup manually
>
> But some time ago, somewhere, some person from doc told me not to use "please" in any error messages, man pages or help. I do not know whether this is relevant or not, but should we avoid using "please"?
>
> So how about:
>
> Unknown configuration, check NSS setup manually

Thought about it and I think this would be better:

Unable to reliably detect configuration. Check NSS setup manually.

> or
>
> Detected unknown configuration, check NSS setup manually

I decided to remove all 'please' (there are plenty!). Hopefully, this will not make installing IPA on a client a less pleasing process.

--
/ Alexander Bokovoy

From a3554af3c7186a248222398b3ca4411fa6bb6a85 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Fri, 29 Jul 2011 13:05:07 +0300
Subject: [PATCH] Make proper LDAP configuration reporting for ipa-client-install

Ticket https://fedorahosted.org/freeipa/ticket/1369
---
ipa-client/ipa-install/ipa-client-install | 47 ++---
1 files changed, 29 insertions(+), 18 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index c5f66be85361ecb3ab8b0c41908d378702df068d..e3b9dfbab5975aade08ee36e98fc9a048df76784 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -147,7 +147,7 @@ def uninstall(options, env): server_fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') if server_fstore.has_files() and not options.on_master: print IPA client is configured as a part of IPA server on this system. -print Please refer to ipa-server-install for uninstallation. +print Refer to ipa-server-install for uninstallation. return 2 sssdconfig = SSSDConfig.SSSDConfig()
@@ -345,6 +345,7 @@ def configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, d opts.append({'name':'empty', 'type':'empty'}) +ret = (0, None, None) # Depending on the release and distribution this may exist in any # number of different file names, update what we find for filename in ['/etc/ldap.conf', '/etc/nss_ldap.conf', '/etc/libnss-ldap.conf', '/etc/pam_ldap.conf']: @@ -352,11 +353,12 @@ def configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, d try: fstore.backup_file(filename) ldapconf.newConf(filename, opts) +return (0, 'LDAP', filename) except Exception, e: print Creation of %s: %s % (filename, str(e)) -return 1 +return (1, 'LDAP', filename) -return 0 +return ret def configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options): nslcdconf = ipaclient.ipachangeconf.IPAChangeConf(IPA Installer) @@ -388,7 +390,7 @@ def configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, nslcdconf.newConf('/etc/nslcd.conf', opts) except Exception, e: print Creation of %s: %s % ('/etc/nslcd.conf', str(e)) -return 1 +return (1, None, None) if ipautil.service_is_installed('nslcd'): try: @@ -403,8 +405,9 @@ def configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, logging.error(Failed to enable automatic startup of the NSLCD daemon: %s % str(e)) else: logging.debug(NSLCD daemon is not installed, skip configuration) +return (0, None, None) -return 0 +return (0, 'NSLCD', '/etc/nslcd.conf') def hardcode_ldap_server(cli_server): @@ -422,6 +425,7 @@ def hardcode_ldap_server(cli_server): # Errors raised by this should be caught by the caller ldapconf.changeConf(/etc/ldap.conf, opts) +print Changed configuration of /etc/ldap.conf to use hardcoded server name: +cli_server return 
@@ -737,7 +741,7 @@ def main(): if fstore.has_files(): sys.exit(IPA client is already configured on this system.\n -+ If you want to reinstall the IPA client please uninstall it first.) ++ If you want to reinstall the IPA client, uninstall it first.) cli_domain = None cli_server = None @@ -766,7 +770,7 @@ def main(): if ret == ipadiscovery.BAD_HOST_CONFIG: print sys.stderr, Can't get the fully qualified name of this host -print sys.stderr, Please check that the client is properly configured +print sys.stderr, Check that the client is properly configured return ret if ret == ipadiscovery.NOT_FQDN: print sys.stderr, %s is not a fully-qualified hostname %
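Review bot: `ret = (0, None, None)` introduced in hunk @@ -345,6 of configure_ldap_conf is never reassigned: every path inside the `for filename in [...]` loop returns directly, so `return ret` at the end always yields the initial triple. Either drop the variable and write `return (0, None, None)`, or make it earn its keep by storing the first configured filename there while the loop continues over the remaining files, which is what the comment "update what we find" suggests.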
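Review bot: the failure path in configure_nslcd_conf (hunk @@ -388,7) returns `(1, None, None)` while the equivalent failure path in configure_ldap_conf returns `(1, 'LDAP', filename)`. The caller prints the second element in "Recognized configuration: %s", so a failed write of /etc/nslcd.conf would be reported as None even though the file is known. Return `(1, 'NSLCD', '/etc/nslcd.conf')` here so both configurers describe a failure the same way.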
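Review bot: the `print` added to hardcode_ldap_server (hunk @@ -422,6) runs only after `ldapconf.changeConf("/etc/ldap.conf", opts)` returns, which matches the comment that errors are caught by the caller, but it builds the message with `+ cli_server` while the other messages in this diff use `%` formatting, and it prints from a helper whose callers decide what to report. Consider returning the message (or the server name) and printing it from main() next to the "Recognized configuration" line, so the output order is controlled in one place.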
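The overwrite Martin found (the second configurer's triple clobbering the first) and the reporting Alexander settles on are easy to see side by side in a small model. This is an added example, not FreeIPA's ipa-client-install code: it is Python 3, a constructed set of strings stands in for the files and daemons present on the host, and it assumes the fixed "for configurer in ..." loop keeps the first configurer that reports something and tries the /etc/ldap.conf hardcoding whenever that file exists, as both quoted runs show.

```python
# Constructed model of the (retcode, conf, filename) contract the patch
# introduces.  `present` is a set naming the files/daemons on the host.
LDAP_CONF_FILES = ['/etc/ldap.conf', '/etc/nss_ldap.conf',
                   '/etc/libnss-ldap.conf', '/etc/pam_ldap.conf']


def configure_ldap_conf(present):
    """Configure the first nss_ldap-style file that exists (as the patch does)."""
    for filename in LDAP_CONF_FILES:
        if filename in present:
            return (0, 'LDAP', filename)
    return (0, None, None)          # nothing to configure


def configure_nslcd_conf(present):
    """Report NSLCD only when the daemon is actually installed."""
    if 'nslcd' not in present:
        return (0, None, None)
    return (0, 'NSLCD', '/etc/nslcd.conf')


def detect_overwriting(present):
    """Version-2 behaviour Martin reported: the second assignment replaces
    the triple from the first, so LDAP is lost when nslcd is absent."""
    (retcode, conf, filename) = configure_ldap_conf(present)
    if retcode:
        return (retcode, conf, filename)
    (retcode, conf, filename) = configure_nslcd_conf(present)
    return (retcode, conf, filename)


def detect(present):
    """The 'for configurer in ...' form: keep the first triple that configured
    something; a later (0, None, None) no longer clobbers it."""
    conf, filename = None, None
    for configurer in (configure_ldap_conf, configure_nslcd_conf):
        retcode, c, f = configurer(present)
        if retcode:
            return (retcode, c, f)  # a failed write still aborts
        if conf is None and c is not None:
            conf, filename = c, f
    return (0, conf, filename)


def report_lookup_failure(conf, present, server):
    """Lines printed when 'getent passwd admin' finds nothing, using the
    wording Alexander settled on.  Hardcoding is modelled as attempted
    whenever /etc/ldap.conf exists (assumption, matching the quoted runs)."""
    lines = ["Unable to find 'admin' user with 'getent passwd admin'!"]
    if conf is not None:
        lines.append('Recognized configuration: %s' % conf)
    else:
        lines.append('Unable to reliably detect configuration. '
                     'Check NSS setup manually.')
    if '/etc/ldap.conf' in present:
        lines.append('Changed configuration of /etc/ldap.conf to use '
                     'hardcoded server name: %s' % server)
    return lines


if __name__ == '__main__':
    # Martin's host: /etc/ldap.conf present, nslcd not installed.
    system = {'/etc/ldap.conf'}
    print('overwriting:', detect_overwriting(system))  # (0, None, None)
    print('fixed:      ', detect(system))              # (0, 'LDAP', '/etc/ldap.conf')
    for line in report_lookup_failure(detect(system)[1], system,
                                      'vm-059.idm.lab.bos.redhat.com'):
        print(line)
```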
Re: [Freeipa-devel] [PATCH] 002 Fixed adding host without DNS reverse zone
There was a small error in add.js:162. Fixed!

On Fri, 2011-07-29 at 11:00 -0400, Adam Young wrote:
> On 07/29/2011 10:58 AM, Adam Young wrote:
>> Due to my recent huge patch, version -1 patch will not apply. I had to rebase by hand. Please confirm that it still works as intended.
>
> Missed a few files in my commit.

From 75cc2819fafefc19d3feec7daf63b5bbe0aad4ca Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Fri, 29 Jul 2011 10:53:01 -0400
Subject: [PATCH] Fixed adding host without DNS reverse zone

https://fedorahosted.org/freeipa/ticket/1481

Shows status dialog instead of error dialog (error 4304 is treated like success).

Refactored error dialog.

Changed context of calling command.on_success and command.on_error methods from $.ajax's object to command.

Added generic message dialog (IPA.message_dialog)
---
install/ui/add.js    |  15 ---
install/ui/dialog.js |  29
install/ui/host.js   |  42 +
install/ui/ipa.js    | 121 --
4 files changed, 148 insertions(+), 59 deletions(-)

diff --git a/install/ui/add.js b/install/ui/add.js index 988ea8ff13819ccdd61a2033344e146dbaf09255..b9a22468639fa86a27cb1cd522ad96a785f2eea1 100644 --- a/install/ui/add.js +++ b/install/ui/add.js @@ -31,6 +31,8 @@ IPA.add_dialog = function (spec) { that.method = spec.method || 'add'; that.pre_execute_hook = spec.pre_execute_hook; +that.on_error = spec.on_error ; +that.retry = typeof spec.retry !== 'undefined' ? spec.retry : true; function show_edit_page(entity,result){ var pkey_name = entity.metadata.primary_key; @@ -51,6 +53,7 @@ IPA.add_dialog = function (spec) { var command = IPA.command({ entity: that.entity.name, method: that.method, +retry: that.retry, on_success: on_success, on_error: on_error });
@@ -127,8 +130,8 @@ IPA.add_dialog = function (spec) { var table = facet.table; table.refresh(); that.close(); -} -); +}, +that.on_error); }); that.add_button(IPA.messages.buttons.add_and_add_another, function() { @@ -141,8 +144,8 @@ IPA.add_dialog = function (spec) { var table = facet.table; table.refresh(); that.reset(); -} -); +}, +that.on_error); }); that.add_button(IPA.messages.buttons.add_and_edit, function() { @@ -154,8 +157,8 @@ IPA.add_dialog = function (spec) { that.close(); var result = data.result.result; that.show_edit_page(that.entity,result); -} -); +}, +that.on_error); }); that.add_button(IPA.messages.buttons.cancel, function() { diff --git a/install/ui/dialog.js b/install/ui/dialog.js index 848252d87f4db8418f26ec5c7dfebbfaca5f0275..ad95eceda97fdbf5e93af2dd77de0ab12963f2f3 100644 --- a/install/ui/dialog.js +++ b/install/ui/dialog.js @@ -644,3 +644,32 @@ IPA.deleter_dialog = function (spec) { return that; }; + +IPA.message_dialog = function(spec) { + +var that = IPA.dialog(spec); + +var init = function(spec) { +spec = spec || {}; +that.message = spec.message || ''; +that.on_ok = spec.on_ok; +}; +that.message_dialog_init = init; + +that.create = function() { +$('p/', { +'text': that.message +}).appendTo(that.container); +}; + +that.add_button(IPA.messages.buttons.ok, function() { +that.close(); +if(that.on_ok) { +that.on_ok(); +} +}); + +init(spec); + +return that; +}; diff --git a/install/ui/host.js b/install/ui/host.js index a84f54c190257e19efadcbdf0754b431eb4bd6de..8a40f07b18b20396b537f6d8fac6fe7f3d541e0c 100644 --- a/install/ui/host.js +++ b/install/ui/host.js @@ -102,6 +102,7 @@ IPA.entity_factories.host = function () { }). standard_association_facets(). adder_dialog({ +factory: IPA.host_adder_dialog, width: 400, height: 250, fields:[ 
@@ -128,6 +129,47 @@ IPA.entity_factories.host = function () { build(); }; +IPA.host_adder_dialog = function(spec) +{ +spec = spec || {}; +spec.retry = typeof spec.retry !== 'undefined' ? spec.retry : false; + +var that = IPA.add_dialog(spec); + +that.on_error = function(xhr, text_status, error_thrown) +{ +var command = this; +var data = error_thrown.data; +var dialog = null; + +if(data data.error data.error.code === 4304) { +dialog = IPA.message_dialog({ +message:
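Review bot: in add.js hunk @@ -31,6, `that.on_error = spec.on_error ;` carries a stray space before the semicolon, and `that.retry` silently defaults to true while IPA.host_adder_dialog forces it to false before calling IPA.add_dialog. A one-line comment at the default saying what retry controls (whether the generic error dialog offers Retry) would tell the next reader why the host dialog opts out.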
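Review bot: the add.js hunks @@ -127,8, @@ -141,8 and @@ -154,8 each pass `that.on_error` as the second argument of the execute call for a button, and `that.on_error` is simply `spec.on_error`, which is undefined for every entity other than host. Make sure the callee treats an undefined second argument as "use the default error dialog" rather than calling it; if it does not, default it once in the constructor (`that.on_error = spec.on_error || <default handler>`) instead of relying on three call sites.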
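Review bot: in dialog.js hunk @@ -644,3, IPA.message_dialog assigns `that.create` without saving or invoking the create inherited from IPA.dialog, so whatever the base create does to the container is skipped; if that is intentional, say so in a comment, otherwise keep a reference (`var dialog_create = that.create;`) and call it first. Separately, as quoted the body reads `$('p/', { 'text': that.message })`; jQuery only creates a new element from an HTML string such as `'<p/>'`, a bare `'p/'` is treated as a selector, so verify the angle brackets are present in the committed file.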
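Review bot: in host.js hunk @@ -128,6, `data.error.code === 4304` is a bare magic number; the commit message explains it as the no-reverse-zone condition treated like success, so give it a named constant or a comment at the point of use. Also `var command = this;` only works if the error handler is invoked with the command as `this`, which this patch changes in ipa.js but which is not visible in the quoted hunks; storing the command on the dialog when it is created (hunk @@ -51,6 already has it in hand) would make the retry path independent of how the callback is called.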
Re: [Freeipa-devel] [PATCH] 0004 (2) Make proper LDAP configuration reporting for ipa-cli-install
Alexander Bokovoy wrote:
> On 29.07.2011 18:45, Dmitri Pal wrote:
>> On 07/29/2011 11:35 AM, Alexander Bokovoy wrote:
>>> No recognized configuration, please check manually NSS setup
>>
>> Maybe reword:
>>
>> Unknown configuration, please check NSS setup manually
>>
>> But some time ago, somewhere, some person from doc told me not to use "please" in any error messages, man pages or help. I do not know whether this is relevant or not, but should we avoid using "please"?
>>
>> So how about:
>>
>> Unknown configuration, check NSS setup manually
>
> Thought about it and I think this would be better:
>
> Unable to reliably detect configuration. Check NSS setup manually.
>
>> or
>>
>> Detected unknown configuration, check NSS setup manually
>
> I decided to remove all 'please' (there are plenty!). Hopefully, this will not make installing IPA on a client a less pleasing process.

ack, pushed to master

rob
Re: [Freeipa-devel] [PATCH] 002 Fixed adding host without DNS reverse zone
On 7/29/2011 11:12 AM, Petr Vobornik wrote:
> There was a small error in add.js:162. Fixed!

Nice job on the dialog boxes. There's a problem though: the Retry doesn't quite work. This is because the 'this' object passed to IPA.error_dialog actually points to the Ajax context instead of the IPA.command, so calling execute() on it will fail.

When the Ajax call returns, it passes a context via the 'this' object to the callback function. The object might contain some useful information which we would not be able to get any other way. The original code tries to maintain the context by passing the 'this' object along the chain using call(). Feel free to add comments in the code to clarify this.

So in dialog_open() you should pass 'that' into the 'command' parameter. You also need to pass 'this' using another parameter so you can use it to call the error handler if you click Cancel.

Also, these changes should be reverted back to maintain the Ajax context:

- that.on_error.call(this, xhr, text_status, error_thrown);
+ that.on_error(xhr, text_status, error_thrown);

- that.on_success.call(this, data, text_status, xhr);
+ that.on_success(data, text_status, xhr);

The IPA.add_dialog can store the command object as an instance variable so the IPA.host_adder_dialog can refer to it from the error handler.

Another thing: in the init() you can access the spec object directly, so you don't really have to pass it as a parameter.

--
Endi S. Dewata