Re: [Freeipa-devel] [PATCH] 271 Modified dialog to use sections.

[Petr Vobornik]

On 09/21/2011 10:10 PM, Endi Sukma Dewata wrote:
 On 9/21/2011 6:50 AM, Petr Vobornik wrote:

 Fixed. The dialog fields don't need undo, so the text() needs to be
 overridden to disable undo. This can be improved again later.
The override isn't necessary because it wasn't there before and all (at 
least I hope) fields in add dialogs specify undo: false. This feature 
can save some time though. Problem of current implementation is that it 
overrides only the default created section, not the sections specified 
in spec object. But as you wrote - this can be improved later.



 4) host.js:208,217: we should avoid using purely visual inline css
 styles. They should be replaced by class (if cannot be achieved by other
 selector) and styled in css file. This doesn't concern functional styles
 (animations, resizing, hiding, showing).

 Fixed. Yes, we should have a ticket to remove all inline CSS styles.

Are you sure the 'name' attribute is the right way to go? Wouldn't be 
'class' or 'id' (in this case) better? For table data 'name' attribute 
isn't even in HTML spec 
http://dev.w3.org/html5/spec/Overview.html#the-td-element.



--
Petr Vobornik

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 125 Remove checks for ds-replication plugin

[Martin Kosek]

On Wed, 2011-09-21 at 10:29 -0400, Rob Crittenden wrote:
 Martin Kosek wrote:
  The replication plugin is no longer shipped as a separate package.
  Remove the code checking its existence.
 
  https://fedorahosted.org/freeipa/ticket/1815
 
 ACK
 

Pushed to master, ipa-2-1.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 44 Fix parameter validation

[Martin Kosek]

On Wed, 2011-09-21 at 15:31 -0400, Rob Crittenden wrote:
 Jan Cholasta wrote:
  On 25.8.2011 18:21, Jan Cholasta wrote:
  What this patch does:
 
  * Make sure arguments are validated and default values are filled in
  before calling a command.
  * Add new parameter flag validate_search to force validation on search
  arguments.
  * Fix validation of IP network parameters in the DNS plugin.
 
  https://fedorahosted.org/freeipa/ticket/1627
 
  Honza
 
 
  Redone the patch and split it to 3 parts:
 
 I haven't tested these yet, these comments are just from reading the 
 patches.
 
 
  * [PATCH 46] Add IP address and IP network parameter types
  Adds two new parameter types, IPAddress and IPNetwork (which replaces
  the validate_search flag, as it was just a hack).
 
 A param type looks like the way to go. There are other IPaddress 
 parameters, such in host, should this be expanded to cover that?
 
 Not sure about replacing List with Str types. It may make no difference 
 since I'm not sure how a List could be passed for some of these. Can you 
 make sure there is no possibility that on the wire someone couldn't pass 
 these as a list and actually do something reasonable in the server? I 
 suspect they can't but this is a rather major datatype change.
 
 
  * [PATCH 44] Fix parameter validation
  Changes Command.get_default so that default_from parameters are
  validated before they are used to create the default value.
 
 Just a heads-up but this will conflict big time with my password patch.
 
 It throws away the ordering that the parameters had. This could impact 
 the order in which interactive prompting happens. Did you verify that it 
 still works sanely?
 
  * [PATCH 47] Remove create_default
  Removes create_default, as it does exactly the same thing as
  default_from, but without the advantage of knowing what parameters are
  used to create the default value. All uses of create_default are
  replaced by default_from with no arguments, because that's all
  create_default is currently used for in IPA.
 
 I'm not sure why you want to remove this, is it causing problems with 
 validation?
 
 In general the patch comments need more details. This patch e-mail has 
 more information on what each patch does than the patches themselves, 
 including lacking ticket info.
 
 rob
 

Hm, by the way I am not very excited about adopting this sort of changes
to framework that close to the 6.2 rebase. Are we sure enough that this
won't cause any collateral damage?

If possible, I would prefer to integrate it to 3.0 branch so that we
have enough time to validate it and fix bugs.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] Structured DNS record API proposal - summary

[Martin Kosek]

On Wed, 2011-09-21 at 11:22 +0200, Martin Kosek wrote:
 On Tue, 2011-09-20 at 11:22 -0500, Endi Sukma Dewata wrote:
  On 9/20/2011 6:15 AM, Martin Kosek wrote:
   ACK.  Proposal looks like it will work fairly easily with the UI.
   We'll have to make some chagnes due to the Add doing something
   different based on the type, but that is the case anyway.
  
   Yes, I was thinking how can we integrate this new API to WebUI. AFAIK
   you use dnsrecord-add $ZONE $REC --a-rec=... --mx-rec=... for adding a
   new DNS record and dnsrecord-mod $ZONE $REC --mx-rec=... when for
   example the mx record is being modified. All MX values (even the
   unmodified ones) are passed to dnsrecord-mod.
  
   1) I was wondering how the new dnsrecord-rrtype-add commands can be
   used. I suppose WebUI will know a list of DNS record types with these
   new structured commands and offer the user new window to add a record
   for these types instead of typing them directly to the text box as it is
   now.
  
  When adding a DNS record the user will specify the name and the type, 
  then the UI will show a set of fields based on the selected record type.
  
  So instead of a generic 'data' field like below (click Add):
  
  http://edewata.fedorapeople.org/freeipa/install/ui/index.html#dns=dnszoneidentity=dnsnavigation=identitydnszone-facet=defaultdnszone-pkey=ayoung.boston.devel.redhat.com
  
  it will be similar to Permissions (click Add):
  
  http://edewata.fedorapeople.org/freeipa/install/ui/index.html#rolebased=permissionipaserver=rolebasednavigation=ipaserver
  
  The UI will use the type to pick the correct dnsrecord-rrtype-add 
  command and each parameter in that command will have a corresponding 
  field to enter the value.
 
 Yes, I think this will work fine. Would it make sense to create
 dnsrecord-rr-type-add commands also for non-structured DNS records? I
 mean for example for A, , PTR, CNAME, ... record, which have just
 one simple value or let plain old dnsrecord-add --a-rec=... handle it?
 
  
   2) But my main concern here is how the modification of current DNS
   records should work. Say, we have 2 MX records for example.com. How can
   we modify one of it in a new structured interface?
  
   We would have to implement dnsrecord-mx-show method so that you can fill
   all the text areas (preference, mailserver). Question is how to refer
   the value we want to show since DNS records are multivalued. We could
   pass --dnsrecord=... with DNS record value, e.g. 0 mx.example.com.
   and then use the same value for dnsrecord-mx-mod. The whole command
   sequence would look this way:
  
   dnsrecord-find example.com  -- get all DNS records for example.com
   dnsrecord-show example.com @-- show DNS records directly in the zone
   NS: ns.example.com
   MX: 0 mx1.example.com.
   MX: 1 mx2.example.com.  user wants to modify this one -  new window
  
  I think for each record value the primary keys are the zone name, record 
  name, and the value itself. To simplify operations, we should use the 
  value as a single string. For CLI, users can copy  paste the value more 
  easily.
 
 Agreed. As Adam Tkac suggested, we can simplify this with interactive
 prompt so that user doesn't have to copypaste, but just choose a record
 to -show/-mod.
 
  
  For UI it depends whether (1) we're going to keep the current edit page 
  where all records with the same name are considered a single entry, or 
  whether (2) we're going to edit each record value in a separate page. 
  See ticket #1478.
  
  If we stay with (1), the link to the edit page consists of zone name and 
  record name only. But if we pick (2) the link consists of zone name, 
  record name, value, and type (which can be obtained from -find output).
 
 This is more of a UXD decision, server API will remain intact. I just
 see 2 issues here:
 
 1) If you let user edit multiple structured DNS records, you would have
 to call dnsrecord-rr-type-show multiple times so that you can populate
 all the fields. This can slow down things.
 
 2) Some DNS records may be pretty large. MX record data is small, but
 for example CERT records have an entire certificate stored in it.
 Wouldn't there be a problem if we place the large DNS record in URL?
 
  
   dnsrecord-mx-show example.com --dnsrecord=1 mx1.example.com.
   PREFERENCE: 1  user modifies this to 0
   MAILSERVER: mx2.example.com.
  
  For consistency, the record value should be specified as an argument 
  instead of an option (like in automount). So it will be like this:
  
  dnsrecord-mx-show example.com @ 1 mx1.example.com.
  PREFERENCE: 1
  MAILSERVER: mx2.example.com
 
 This can be done.
 
  
  If we stay with (1) the UI will have to call the dnsrecord-rrtype-show 
  for each value to get the value of each fields. The UI will need to 
  implement a new widget (or section) that can handle multiple fields 
  which will be duplicated for each value.
 
 Ah, yes - as I wrote above. This would also take more time 

Re: [Freeipa-devel] [PATCH] include stdint.h for uintptr_t

[Simo Sorce]

On Wed, 2011-09-21 at 10:28 -0400, Rob Crittenden wrote:
 Marko Myllynen wrote:
  Hi,
 
  stdint.h must be included for uintptr_t at least on Ubuntu Oneiric,
  without it ipa-client compilation fails.
 
  There is an ipa-client make target that should make things somewhat
  easier as it doesn't need to build the entire tree.
 
  sure, but gcc bails out with an error when compiling ipa-join.c without
  this patch. And while at it I added the fix also to
  daemons/ipa-slapi-plugins/common/util.h not just for
  ipa-client/ipa-client-common.h.
 
  Cheers,
 
 
 Ok, opened https://fedorahosted.org/freeipa/ticket/1831

Ack and pushed to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] #1814 Enforce old password requirement in ldappasswd operations

[Rob Crittenden]

Simo Sorce wrote:

Although we were properly checking that the user successfully
authenticated (either through a password bind or a GSSAPI bind) we were
not enforcing the requirement to provide us with the old password, and
this is better security hygiene.

Fixes: https://fedorahosted.org/freeipa/ticket/1814

Tested and works for me.

Properly requires old password for self password changes. Do not require
it for admin password changes.

Simo.



ack, pushed to master and ipa-2-1

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 881 don't log OTP in client install log

[Rob Crittenden]

Obfuscate the one-time password in the client installer log.

rob
From e454f840460b6703d8327a235844adcbc310f48d Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Thu, 22 Sep 2011 11:52:58 -0400
Subject: [PATCH] Don't log one-time password in logs when configuring client.

https://fedorahosted.org/freeipa/ticket/1801
---
 ipa-client/ipa-install/ipa-client-install |8 
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 44c2f5fbc40c9f3a6d5f4378d91e048b63bf0e7a..413e2d2909aed4990905e70579d9a86c07193fe9 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -23,17 +23,15 @@ try:
 import sys
 
 import os
-import stat
 import time
 import socket
 import logging
 import tempfile
 import getpass
-import re
 from ipaclient import ipadiscovery
 import ipaclient.ipachangeconf
 import ipaclient.ntpconf
-from ipapython.ipautil import run, user_input, CalledProcessError, file_exists, install_file
+from ipapython.ipautil import run, user_input, CalledProcessError, file_exists
 import ipapython.services as ipaservices
 from ipapython import ipautil
 from ipapython import dnsclient
@@ -888,6 +886,7 @@ def install(options, env, fstore, statestore):
 return CLIENT_INSTALL_ERROR
 
 if not options.on_master:
+nolog = tuple()
 # First test out the kerberos configuration
 try:
 (krb_fd, krb_name) = tempfile.mkstemp()
@@ -929,6 +928,7 @@ def install(options, env, fstore, statestore):
 print stdout
 return CLIENT_INSTALL_ERROR
 elif options.password:
+nolog = (options.password,)
 join_args.append(-w)
 join_args.append(options.password)
 elif options.prompt_password:
@@ -940,7 +940,7 @@ def install(options, env, fstore, statestore):
 join_args.append(password)
 
 # Now join the domain
-(stdout, stderr, returncode) = run(join_args, raiseonerr=False, env=env)
+(stdout, stderr, returncode) = run(join_args, raiseonerr=False, env=env, nolog=nolog)
 
 if returncode != 0:
 print sys.stderr, Joining realm failed: %s % stderr,
-- 
1.7.6

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 279 Fixed problem enrolling member with the same name.

[Petr Vobornik]

On 09/20/2011 02:19 AM, Endi Sukma Dewata wrote:

The IPA.association_adder_dialog has been modified to use an exclusion
list to hide entries that are already enrolled.

The IPA.adder_dialog has been modified to store the columns directly
in the available  selected tables.

Ticket #1797



___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK

--
Petr Vobornik

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] Don't remove /tmp when removing temp cert dir

[Rob Crittenden]

Marko Myllynen wrote:

Hi,

If /tmp happens to be empty os.removedirs() happily removes it...

Seen on Ubuntu Oneiric.

Cheers,



https://fedorahosted.org/freeipa/ticket/1843

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 279 Fixed problem enrolling member with the same name.

[Endi Sukma Dewata]

On 9/22/2011 11:14 AM, Petr Vobornik wrote:

On 09/20/2011 02:19 AM, Endi Sukma Dewata wrote:

The IPA.association_adder_dialog has been modified to use an exclusion
list to hide entries that are already enrolled.

The IPA.adder_dialog has been modified to store the columns directly
in the available  selected tables.

Ticket #1797



ACK


Pushed to master and ipa-2-1.

--
Endi S. Dewata

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 276 Fixed problem enabling/disabling DNS zone.

[Endi Sukma Dewata]

On 9/22/2011 6:59 AM, Petr Vobornik wrote:

On 09/17/2011 12:18 AM, Endi Sukma Dewata wrote:

The details facet for DNS zone has been modified to use dnszone-
enable/disable for idnszoneactive and dnszone-mod for other fields.

Ticket #1813


ACK


Pushed to master and ipa-2-1.


Btw it doesn't matter (besides performance) if you move 'if
(!field.is_dirty()) continue;' in sudo and hbac facet couple lines lower
because to execute member_operation you have to fulfil two conditions,
which won't be never reached - name of the association fields changed so
'if (categories[field.name])' will be never true. Even if it would be
the next condition ('values[0] == 'all) won't be either because of weird
implementation of table_widget.save method.
Anyway if it would be functional it would be IMO bad - checking line
doesn't imply that user wants it to be deleted right now. Even if
marking the line could be used only for deletion.

This code should be cleaned in the future (erased or fixed).


As mentioned on IRC, this fixes a regression in the UI when changing the 
category. The two conditions (remove_values and has_values) are set by 
different fields (category and table), that's why the logic is kind of 
complicated. The server side will be fixed in ticket #1440. Once that's 
fixed we no longer need this code so it can be cleaned up.


--
Endi S. Dewata

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 871 add hostname regex

[Rob Crittenden]

Rob Crittenden wrote:

Rob Crittenden wrote:

Alexander Bokovoy wrote:

On Tue, 13 Sep 2011, Jan Cholasta wrote:

What about IDN hosts? With this change we would require them to be
always in Punycode?



Oh, hadn't considered that, I was just following the relevent RFCs. Is
there a way we can easily support those as well?


The easiest way would probably be:

normalizer=lambda value: unicode(value.encode('idna'))

That's one part. Another one is visualizing such content -- for both
Web UI and CLI we would need to run encodings.idna.ToUnicode().
Finally, make sure whatever we pass to external applications is
properly formatted as well -- all of them should be able to work with
xn-Punycode form.


The UI also links the DNS hostname to the host entries so I'd think the
names must be matchable in some way. If DNS can only store punycode
names I think the regex will be fine.


I think we're going to need a bit more time to get this right. What I
propose for the short term is to encode in puny code, do the validation,
and reject as required. We still store in full unicode.

Note that special characters may not work that will now but validating
characters won't make it any worse.

rob


As it turns out Kerberos doesn't support this type of hostname so my 
original patch stands for now. We can't allow non-ascii hostnames. I'll 
open a 3.0 ticket to investigate further.


rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] Structured DNS record API proposal - summary

[Endi Sukma Dewata]

On 9/22/2011 7:24 AM, Martin Kosek wrote:

2) Some DNS records may be pretty large. MX record data is small, but
for example CERT records have an entire certificate stored in it.
Wouldn't there be a problem if we place the large DNS record in URL?


This is how the DNS record list page could be redesigned:
http://edewata.fedorapeople.org/images/dns-record-list-page.png

It should resemble what you see in the zone file. The content can be 
obtained with a single dnsresource-find operation.


If you click one of the data, it would open a dialog box for that 
particular record type. We will use the raw data as a primary key to 
execute the dnsresource-rrtype-show command. Each attribute in this 
record type will be displayed in separate fields:

http://edewata.fedorapeople.org/images/dns-record-edit-dialog.png

When you save it will call dnsresource-rrtype-mod and put the values 
in separate parameters. It will still use the original raw data as 
primary key, but we don't need to encode the new values into raw data.


If we use a dialog box like this none of the attributes need to be added 
into the URL. It will be passed internally via variables. If we use a 
separate edit page (with a unique URL for each record), we might need to 
specify the entire raw data in the URL, but maybe we can find a 
workaround for CERT record. I'd prefer to use a dialog box because it 
can be used for both add and modify.



OPEN QUESTION: should we implement these new commands also for discrete
DNS records types to be consistent? I mean for example A, , CNAME,
PTR, ... They would look like


ipa dnsrecord--add --ip-address=IPAddress


BENEFITS of this approach (command per RR type):
- use can get all help for RR type by simply typing ipa help
dnsrecord-mx-add
- we would be able to implement helper methods consistently on one
place, for example:
dnsrecord--add --from-mac=00:1D:BA:06:37:64


If we have this for all record types the UI can use a generic code to 
figure out which command to use. Everything will be in this pattern: 
dnsrecord-rrtype-add/mod/del primary keys [parameters*]



OPEN QUESTION: should we implement also -find methods
(dnsrecord-mx-find) so that UI can for example populate text fields for
all (MX) records for one DNS name?


Depending on the UI design, it might not be needed. But it won't hurt to 
have one in case the UI changes, for example suppose we want to have 
separate tabs for each record type.



4) -mod commands shall be implemented for structured RR types:
API would be almost the same as with -add commands. User (WebUI) would
just have to identify which record should be modified:
a) by copypassing the raw DNS value directly to the command:


dnsrecord-mx-mod example.com @ 1 mx1.example.com. --preference=0


The Web UI will use the JSON-RPC version of this command. As discussed 
already, the non-interactive mode for CLI will be useful for writing 
scripts or other applications that will invoke the CLI/API.


Being able to specify the attributes in separate parameters means that 
the client doesn't have to figure out how to encode the attributes into 
a single raw data. They will be encoded consistently by the server.



b) (CLI only) by using an interactive wizard that would let user choose
the modified record like this way:


dnsrecord-mx-mod example.com @ --preference=0

Which record would you like to change?
[1] 1 mx1.example.com.
[2] 10 mx2.example.com.
DNS record:user enters the number


The interactive mode will be useful for people who have to use 
text-based terminal.


--
Endi S. Dewata

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FreeIPA and per-machine views

[Dmitri Pal]

On 09/21/2011 10:07 PM, Stephen Gallagher wrote:
 I've ben working on the multiple search base feature in SSSD and I've had 
 some thoughts that might be relevant to the FreeIPA v3 core effort. The idea 
 behind multiple search bases is fairly simple; instead of simply checking one 
 subtree for user or group information, you check several in series, stopping 
 at the first match.

 I was looking into this to identify the primary reasons why a deployment 
 might use such an approach and I came up with two important use-cases.

 1) This is a fairly simple way to extend a network you don't fully control. A 
 classic example might be a Computer Science department at a university. They 
 would want to use the campus user accounts (probably provided by the 
 university IT department), but also add new groups for sharing or access 
 control on CS department machines. This could be done with multiple search 
 bases by setting the first base to the CS department subtree and the second 
 base to a replicated university subtree.

I do not think we want to deal with multiple subtrees of users in the
same IPA instance. We already decided against it in the past when we
flattened the tree. At least I am not convinced that this is actually
needed. I am actually aware of one more use case why people do different
subtrees for users. It is because they have duplication of the uid/gid.
Though it is bad it is a reality that people deal with. And they deal
with it by having subtrees in DS. But it will not help in our case as
IPA is built with the notion of the unified uid/gid namespace. The only
thing will help in both cases is different IPA domains with trust
relations so I suggest we focus on that part rather than support of
multiple subtrees for users. If IPA trusts still do not work for the
user may be staying with a free from DS server is a better choice. 

 2) The second important use-case is for dealing with third-party applications 
 with hard-coded groups. For a hypothetical example, let's say that a 
 closed-source database program requires a user to be in the group 'dbadmins' 
 in order to access a shell for editing the database. However, there may be 
 more than one such database deployed in the network, possibly among different 
 teams. Having multiple search bases allows different machines to have 
 different views of this group.

That is an interesting use case. But rather than creating views I would
suggest a different approach. In IPA we create a way to specify
alternative location for specific override groups. For example we now
have cn=groups, cn=accounts,... where all groups live.
we can have cn=overridegroups, cn=accounts,... and allow creation of
the special subtrees like we do with locations for maps. UI and CLI can
be modified to allow to manage these areas. I do not think that would be
a rocket science.

On the SSSD side we can have an sssd_group_override_base parameter that
would define an override base for that machine. The logic in the SSSD
will be to read groups from override base first (it is expected that
there will be a small subset of groups that are used by specific app
like DB for example) and then the normal groups from the search base but
discard the groups that already have been fetched from the override
location (or something like this. I bet it is more complex and I will
leave it to you to define actual implementation, but I hope it
illustrates good enough what I am trying to propose). May be Jan's
delete group functionality would be really handy for this use case.

The alternative however is to create and support group aliases and use
group aliases as names.

But before we go into all of this we need to realize that contemporary
versions of software most likely would allow configurable groups. Id it
is an old software than SSSD might not be in the picture anyways so it
should be a pure server side solution so may be we should just allow
alternative subtrees for groups but then how we are going to deal with
gids or it does not matter for the apps?



 I think it's definitely worth discussing how we might address these same 
 use-cases in FreeIPA v3. My thought was that we might want to implement 
 custom views of LDAP based on the hostgroups to which a client belongs. I 
 can see a lot of implementation difficulties with this, however. Alternate 
 ideas are most welcome.

 ___
 Freeipa-devel mailing list
 Freeipa-devel@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-devel


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] Structured DNS record API proposal

[Dmitri Pal]

On 09/22/2011 03:37 AM, Jakub Hrozek wrote:
 On Thu, Sep 22, 2011 at 08:25:01AM +0200, Jan Cholasta wrote:
 On 21.9.2011 23:55, Dmitri Pal wrote:
 On 09/21/2011 10:27 AM, Adam Young wrote:
 On 09/20/2011 11:11 AM, Martin Kosek wrote:
 On Tue, 2011-09-20 at 10:02 -0400, Adam Young wrote:
 This discussion got me thinking, always a dangerous proposal:

 We are currently exposing record add with the lie  that  when you add a
 record, it has a type.  THe reality is that a record is just this big
 collection of multi value attributes, and each of those  is the type
 of the record.
 The way I see it is that we have different types of Resource Records
 with a (domain) name that can be shared.

 If all of the 'records'  have the same idnsname, then they really fall
 under the same Record object in LDAP.
 Yes.

 What if we focuses on the attribtutes themselves, and add the type info
 there.
 I thought we do this already.

 Pie in the sky proposal.   Treat it as a starting point:

   From the webui perspective
 dnsrecord-add   allows the case where it just has the the idnsname with
 no records

 dnsrecordattr-mod  takes record type specific values.

 To add a location entry:

 ipa dnsrecordattr-mod --append location --lat-deg=INT --lat-min=INT
 --lat-sec=FLOAT --lat-dir=ENUM --lon-deg=INT --lon-min=INT
 --lon-sec=FLOAT --lon-dir=ENUM --alt=FLOAT --h-precision=FLOAT
 --v-precision=FLOAT


 And to remove it

 ipa dnsrecordattr-mod --remove location --lat-deg=INT --lat-min=INT
 --lat-sec=FLOAT --lat-dir=ENUM --lon-deg=INT --lon-min=INT
 --lon-sec=FLOAT --lon-dir=ENUM --alt=FLOAT --h-precision=FLOAT
 --v-precision=FLOAT
 So if user would want to remove a LOC record, he would have to pass all
 these attributes to refer which attribute value to remove?
 I think that is the case anyway.  Since a DNS record is really just an
 multivalue attribute,   you would now have to do  a dns-record-mod
 with the list of all LOC records that you don't want to delete.  I
 used this as an example because it is the most complex case.

 Just thinking it through...I'm not certain I like the one command per
 record type  as it changes a lot of other assumptions.  DNS is a
 wierd beast already.

 I've spent a lot of time on the DNS ui, and it is pretty tricky  to
 get right.  I'm trying to balance the PI against efficient usage.

 What we really need for the fields is a way to specify the format for
 a given field, much like the format strings used for group names.  For
 example, the LOC  record  is really

 owner   TTL   class   LOC d1 [m1 [s1]] {N|S}  d2 [m2 [s2]]
 {E|W}
   alt[m] [siz[m] [hp[m] [vp[m


 And all the WebUI needs is a way to specify that format  to validate.

 Can we use augeas for this?
 Augeas lenses use this kind of the validation and there is python
 binding so may be we should use augeas as an inspiration or ask for an
 augeas Javascript solution?
 We can't. Augeas knows how to manipulate config files and only that,
 there is no API for anything else.

 Some time ago I wrote a patch to extend Augeas to operate on arbitrary
 strings. I never had time to push it upstream, but I think I still have
 is somewhere.

 Not sure if this approach would help us anyway, we would still have to
 wait until this feature made it to RHEL and solve the JS bindings as
 well


Yes I was thinking about this path at least as an inspiration.

 ___
 Freeipa-devel mailing list
 Freeipa-devel@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-devel




-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel