Re: [Freeipa-devel] [PATCH] 019 Disables gid field if not posix group in group adder dialog

2011-10-05 Thread Petr Vobornik

On 10/04/2011 11:59 PM, Adam Young wrote:

On 10/04/2011 12:43 PM, Petr Vobornik wrote:

https://fedorahosted.org/freeipa/ticket/1922

gidNumber is not an allowed attribute for a non-posix group. When
adding a non-posix group from the UI, unchecking the Is this a POSIX
group?: box should disable the GID: field.


Patch would not apply, for some reason. I forced it in by hand. I need
to set up another IPA server to test it, which I will do later on tonight.


It applies (git am) on ipa-2-1, and with -3 even on master. For completeness,
I attached a rebased patch for master.



--
Petr Vobornik
From 975dba79198755dbea7d5037b8819884b1550108 Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Tue, 4 Oct 2011 18:38:08 +0200
Subject: [PATCH] Disables gid field if not posix group in group adder dialog

https://fedorahosted.org/freeipa/ticket/1922

gidNumber is not an allowed attribute for a non-posix group.  When adding a non-posix group from the UI, unchecking the Is this a POSIX group?: box should disable the GID: field.
---
 install/ui/group.js  |   29 -
 install/ui/widget.js |   11 +++
 2 files changed, 39 insertions(+), 1 deletions(-)

diff --git a/install/ui/group.js b/install/ui/group.js
index b9664ea6141736e7a2415d2548f838ecd15de1fd..a63a7800a0b668152188bfccfd372e8548e484fd 100644
--- a/install/ui/group.js
+++ b/install/ui/group.js
@@ -102,6 +102,7 @@ IPA.entity_factories.group =  function () {
 }).
 standard_association_facets().
 adder_dialog({
+factory: IPA.group_adder_dialog,
 fields: [
 'cn',
 {
@@ -133,4 +134,30 @@ IPA.group_nonposix_checkbox_widget = function (spec) {
 };
 
 return that;
-};
\ No newline at end of file
+};
+
+IPA.group_adder_dialog = function (spec) {
+
+spec = spec || {};
+
+var that = IPA.add_dialog(spec);
+
+var init = function() {
+
+var posix_field = that.get_field('nonposix');
+posix_field.value_changed.attach(that.on_posix_change);
+};
+
+that.on_posix_change = function (value) {
+
+var gid_field = that.get_field('gidnumber');
+if(value) {
+gid_field.reset();
+}
+gid_field.set_enabled(!value);
+};
+
+init();
+
+return that;
+};
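Review bot: on_posix_change is only ever driven by the checkbox's change event, so when the dialog opens the GID field's enabled state is not brought in line with the checkbox's initial value; have init() apply it once, e.g. `that.on_posix_change(posix_field.save())`, provided save() yields the same plain boolean that notify() passes here. Related: the field is named `nonposix` but the UI label reads "Is this a POSIX group?", and the handler disables the GID field when `value` is truthy, so please confirm that IPA.group_nonposix_checkbox_widget's saved value is true for a non-POSIX group rather than for a POSIX one, otherwise the behaviour is inverted.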
diff --git a/install/ui/widget.js b/install/ui/widget.js
index b25dc8f7f085dedb839d37631509621290008610..d869b57edffeac3078e8b054f30994cec377f5a4 100644
--- a/install/ui/widget.js
+++ b/install/ui/widget.js
@@ -468,6 +468,15 @@ IPA.text_widget = function(spec) {
 }
 };
 
+that.set_enabled = function(value) {
+
+if(value) {
+that.input.removeAttr('disabled');
+} else {
+that.input.attr('disabled', 'disabled');
+}
+};
+
 // methods that should be invoked by subclasses
 that.text_load = that.load;
 
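Review bot: set_enabled only flips the DOM `disabled` attribute and records nothing on the widget, so save() will still return whatever is in the input; group.js gets away with it only because it calls reset() first. Consider storing `that.enabled` here and having save() return an empty value while disabled, so the server never sees a gidNumber for a non-POSIX group regardless of caller discipline. The method is also added to IPA.text_widget only, so on_posix_change would throw if the gidnumber field were ever given a different widget type; a guard or a base-widget implementation would be safer.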
@@ -771,6 +780,7 @@ IPA.checkbox_widget = function (spec) {
 
 // default value
 that.checked = spec.checked || false;
+that.value_changed = IPA.observer();
 
 that.create = function(container) {
 
@@ -785,6 +795,7 @@ IPA.checkbox_widget = function (spec) {
 title: that.tooltip,
 change: function() {
 that.set_dirty(that.test_dirty());
+that.value_changed.notify(that.save(), that);
 }
 }).appendTo(container);
 
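Review bot: value_changed.notify() is called from the DOM change handler only, so programmatic updates through load() or reset() never notify observers and a listener such as the group dialog's on_posix_change can drift from the checkbox's real state; either notify from those paths as well or document on value_changed that it reports user-driven changes only.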
-- 
1.7.6

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] make users in nested groups show up in compat groups

2011-10-05 Thread Martin Kosek
On Tue, 2011-10-04 at 18:04 +0200, Jan Zelený wrote:
  Jan Zeleny notes that users who are members of groups which are
  themselves members of groups don't show up in the compat entries of
  the containing groups.
  
  Nalin
 
 Ack
 
 Jan

Pushed to master, ipa-2-1.

Martin


Re: [Freeipa-devel] [PATCH] 0016 Setup and restore ntp configuration on the

2011-10-05 Thread Alexander Bokovoy
On Tue, 04 Oct 2011, Alexander Bokovoy wrote:
 Reproduced. This happens when the package freeipa-client is upgraded 
 after the client is enrolled with a previous version; in such a case there 
 is no backup state and therefore we can't restore.
Also add fstore to /etc/sysconfig/ntpd to really back it up.

-- 
/ Alexander Bokovoy
From 0aab495a8175b25ebd48e30715527fcf6737b22b Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Tue, 4 Oct 2011 13:56:12 +0300
Subject: [PATCH] Setup and restore ntp configuration on the client side
 properly

When setting up the client-side NTP configuration, make sure that
/etc/ntp/step-tickers points to the IPA NTP server as well.
When restoring the client during ipa-client-install --uninstall, make sure the NTP
configuration is fully restored and the NTP service is disabled if it was disabled
before the installation.

https://fedorahosted.org/freeipa/ticket/1770
---
 ipa-client/ipa-install/ipa-client-install |   26 ++-
 ipa-client/ipaclient/ntpconf.py   |   52 
 2 files changed, 62 insertions(+), 16 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install 
b/ipa-client/ipa-install/ipa-client-install
index 
76f7f1913c804053edb8b90979286a0592fa5737..b8d4867ab3df119132b7d9da35803e50bbd4ea51
 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -320,6 +320,30 @@ def uninstall(options, env, quiet=False):
 # this is optional service, just log
 logging.info(%s daemon is not installed, skip configuration % 
(nslcd.service_name))
 
+ntp_configured = statestore.has_state('ntp')
+if ntp_configured:
+ntp_enabled = statestore.restore_state('ntp', 'enabled')
+ntp_step_tickers = statestore.restore_state('ntp', 'step-tickers')
+
+try:
+# Restore might fail due to file missing in backup
+# the reason for it might be that freeipa-client was updated
+# to this version but not unenrolled/enrolled again
+# In such case it is OK to fail
+restored = fstore.restore_file(/etc/ntp.conf)
+restored |= fstore.restore_file(/etc/sysconfig/ntpd)
+if ntp_step_tickers:
+   restored |= fstore.restore_file(/etc/ntp/step-tickers)
+except:
+pass
+
+if not ntp_enabled:
+   ipaservices.knownservices.ntpd.stop()
+   ipaservices.knownservices.ntpd.disable()
+else:
+   if restored:
+   ipaservices.knownservices.ntpd.restart()
+
 if not options.unattended:
 emit_quiet(quiet, The original nsswitch.conf configuration has been 
restored.)
 emit_quiet(quiet, You may need to restart services or reboot the 
machine.)
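Review bot: `restored` is first assigned inside the try block, so if the very first restore_file() call raises (the case the bare `except: pass` is there to tolerate) the `if restored:` in the `else:` branch below reads an unbound local; initialise `restored = False` before the try. The bare except also swallows KeyboardInterrupt and SystemExit; catch the specific exception fstore.restore_file raises for a missing backup and log it, since leaving an IPA-written /etc/ntp.conf on a host that is supposedly unenrolled deserves at least a line in the install log.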
@@ -1102,7 +1126,7 @@ def install(options, env, fstore, statestore):
 ntp_server = options.ntp_server
 else:
 ntp_server = cli_server
-ipaclient.ntpconf.config_ntp(ntp_server, fstore)
+ipaclient.ntpconf.config_ntp(ntp_server, fstore, statestore)
 print NTP enabled
 
 print Client configuration complete.
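Review bot: the uninstall path keys on statestore.has_state('ntp') and reads restore_state('ntp', 'enabled') and ('ntp', 'step-tickers'), but in the part of ntpconf.py visible in this patch nothing writes those keys through the new `sysstore` argument; make sure config_ntp records both values (including whether ntpd was enabled before the change) or has_state('ntp') stays false and the whole restore block above is skipped.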
diff --git a/ipa-client/ipaclient/ntpconf.py b/ipa-client/ipaclient/ntpconf.py
index 
3042005f41ea3ed6c8fee739b9cf2b833a8d6d59..8e151089c81fe761dc57fc6e8fb7ff5ba30b98fa
 100644
--- a/ipa-client/ipaclient/ntpconf.py
+++ b/ipa-client/ipaclient/ntpconf.py
@@ -20,6 +20,7 @@
 from ipapython import ipautil
 from ipapython import services as ipaservices
 import shutil
+import os
 
 ntp_conf = # Permit time synchronization with our time source, but do not
 # permit the source to query or modify the service on this system.
@@ -80,30 +81,51 @@ SYNC_HWCLOCK=yes
 # Additional options for ntpdate
 NTPDATE_OPTIONS=
 
+ntp_step_tickers = # Use IPA-provided NTP server for initial time
+$SERVER
+
+def __backup_config(path, fstore = None):
+if fstore:
+fstore.backup_file(path)
+else:
+shutil.copy(path, %s.ipasave % (path))
 
-def config_ntp(server_fqdn, fstore = None):
+def __write_config(path, content):
+fd = open(path, w)
+fd.write(content)
+fd.close()
+
+def config_ntp(server_fqdn, fstore = None, sysstore = None):
+path_step_tickers = /etc/ntp/step-tickers
+path_ntp_conf = /etc/ntp.conf
+path_ntp_sysconfig = /etc/sysconfig/ntpd
 sub_dict = { }
 sub_dict[SERVER] = server_fqdn
 
 nc = ipautil.template_str(ntp_conf, sub_dict)
+config_step_tickers = False
 
-if fstore:
-fstore.backup_file(/etc/ntp.conf)
-else:
-shutil.copy(/etc/ntp.conf, /etc/ntp.conf.ipasave)
 
-fd = open(/etc/ntp.conf, w)
-fd.write(nc)
-fd.close()
+if os.path.exists(path_step_tickers):
+config_step_tickers = True
+ns = ipautil.template_str(ntp_step_tickers, sub_dict)
+__backup_config(path_step_tickers, fstore)
+__write_config(path_step_tickers, ns)
+ipaservices.restore_context(path_step_tickers)
 
-if fstore:
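Review bot: /etc/ntp/step-tickers is rewritten only when it already exists (`if os.path.exists(path_step_tickers)`), so on a host without the file the initial step sync never targets the IPA server even though the commit message says it should; consider creating it, and record `config_step_tickers` in the state store either way so that uninstall knows whether to restore the old file or remove the one this code created.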

Re: [Freeipa-devel] [PATCH] 0016 Setup and restore ntp configuration on the

2011-10-05 Thread Jan Cholasta

On 5.10.2011 10:38, Alexander Bokovoy wrote:

On Tue, 04 Oct 2011, Alexander Bokovoy wrote:

Reproduced. This happens when the package freeipa-client is upgraded
after the client is enrolled with a previous version; in such a case there
is no backup state and therefore we can't restore.

Also add fstore to /etc/sysconfig/ntpd to really back it up.



ACK.

Honza

--
Jan Cholasta



[Freeipa-devel] [PATCH] 0019 Sync time with NTP before joining the domain

2011-10-05 Thread Alexander Bokovoy
Hi,

https://fedorahosted.org/freeipa/ticket/1773

-- 
/ Alexander Bokovoy
From 8b022ee7b1290cabd4e1a54971dc66420d73c1cc Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Wed, 5 Oct 2011 15:02:58 +0300
Subject: [PATCH] Before kinit, try to sync time with the NTP servers of the
 domain we are joining

When running ipa-client-install on a system whose clock is not in sync with the
master, kinit fails and enrollment is aborted. Manual checking of the current time
at the master and adjusting it on the client-to-be is then needed.

The patch tries to fetch SRV records for NTP servers of the domain we aim to join
and runs ntpdate to get the time synchronized. If no SRV records are found, sync
with the IPA server itself.
If that fails, warn that the time might not be in sync with the KDC.

https://fedorahosted.org/freeipa/ticket/1773
---
 ipa-client/ipa-install/ipa-client-install |   14 ++
 ipa-client/ipaclient/ipadiscovery.py  |   21 +
 ipa-client/ipaclient/ntpconf.py   |   22 ++
 3 files changed, 57 insertions(+), 0 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install 
b/ipa-client/ipa-install/ipa-client-install
index 
70ef811cec5a9107cb110d7ffa2a191fb36ea997..3810caea3eee403d0f225d52e0e5c5b2b8489a78
 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -920,6 +920,20 @@ def install(options, env, fstore, statestore):
 nolog = tuple()
 # First test out the kerberos configuration
 try:
+# Attempt to sync time with IPA server.
+# We assume that NTP servers are discoverable through SRV records 
in the DNS
+# If that fails, we try to sync directly with IPA server, assuming 
it runs NTP
+ntp_servers = ipautil.parse_items(ds.ipadnssearchntp(cli_domain))
+synced_ntp = False
+if len(ntp_servers)  0:
+for s in ntp_servers:
+   synced_ntp = ipaclient.ntpconf.synconce_ntp(s)
+   if synced_ntp:
+   break
+if not synced_ntp:
+synced_ntp = ipaclient.ntpconf.synconce_ntp(cli_server)
+if not synced_ntp:
+print Unable to sync time with IPA NTP server, assuming the 
time is in sync.
 (krb_fd, krb_name) = tempfile.mkstemp()
 os.close(krb_fd)
 if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, 
cli_server, cli_kdc, dnsok, options, krb_name):
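Review bot: the time step trusts whichever host answers the `_ntp._udp` SRV query, and ntpdate with -b steps the clock without any sanity bound, so a spoofed DNS answer during enrollment can set the client's clock (and with it every Kerberos ticket and certificate validity check that follows) before any authenticated contact with the KDC; the ticket accepts that trade-off, but the code should log which server was used and the offset applied, and the fallback message should say the clock was left unchanged rather than "assuming the time is in sync". Also, because the block sits inside the `try:` that wraps the Kerberos test, an unexpected exception from synconce_ntp is handled by except clauses written for that test; move the sync ahead of the try.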
diff --git a/ipa-client/ipaclient/ipadiscovery.py 
b/ipa-client/ipaclient/ipadiscovery.py
index 
3e31cad37dc1883c01e0729e390c5e5c16e022bd..cd5f81bd5147929deca43e502c4f9b2bdb98f99c
 100644
--- a/ipa-client/ipaclient/ipadiscovery.py
+++ b/ipa-client/ipaclient/ipadiscovery.py
@@ -316,6 +316,27 @@ class IPADiscovery:
 
 return servers
 
+def ipadnssearchntp(self, tdomain):
+servers = 
+rserver = 
+
+qname = _ntp._udp.+tdomain
+# terminate the name
+if not qname.endswith(.):
+qname += .
+results = ipapython.dnsclient.query(qname, 
ipapython.dnsclient.DNS_C_IN, ipapython.dnsclient.DNS_T_SRV)
+
+for result in results:
+if result.dns_type == ipapython.dnsclient.DNS_T_SRV:
+rserver = result.rdata.server.rstrip(.)
+if servers:
+servers += , + rserver
+else:
+servers = rserver
+break
+
+return servers
+
 def ipadnssearchkrb(self, tdomain):
 realm = None
 kdc = None
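Review bot: the `break` at the end of the loop stops after the first SRV record, so ipadnssearchntp returns a single server even though it builds a comma-separated list and the caller iterates over it as if it held all of them; either drop the `break` or, better, order the records by priority and weight as RFC 2782 describes before returning. Returning a list instead of a comma-joined string would also spare the caller the parse_items() round trip.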
diff --git a/ipa-client/ipaclient/ntpconf.py b/ipa-client/ipaclient/ntpconf.py
index 
8e151089c81fe761dc57fc6e8fb7ff5ba30b98fa..e2d349b166d9fc47bfd48f4c8054e211904778e7
 100644
--- a/ipa-client/ipaclient/ntpconf.py
+++ b/ipa-client/ipaclient/ntpconf.py
@@ -132,3 +132,25 @@ def config_ntp(server_fqdn, fstore = None, sysstore = 
None):
 
 # Restart ntpd
 ipaservices.knownservices.ntpd.restart()
+
+def synconce_ntp(server_fqdn):
+
+Syncs time with specified server using ntpdate.
+Primarily designed to be used before Kerberos setup
+to get time following the KDC time
+
+Returns True if sync was successful
+
+ntpdate=/usr/sbin/ntpdate
+result = False
+if os.path.exists(ntpdate):
+retries = 2
+for retry in range(0,3):
+try:
+(sout, serr, rcode) = ipautil.run([ntpdate, -U, ntp, -s, 
-b, server_fqdn],capture_output=True)
+if rcode == 0:
+result = True
+break
+except:
+pass
+return result
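Review bot: `retries = 2` is unused and the loop actually makes three attempts via `range(0,3)`; pick one. ipautil.run defaults to raiseonerr=True (see its signature in the ipautil patch later in this digest), so a non-zero ntpdate exit raises and is swallowed by the bare `except: pass`, making the `if rcode == 0` test reachable only on success; call run() with raiseonerr=False and drop the bare except, which otherwise also eats KeyboardInterrupt. Consider ntpdate's `-t` so each attempt is bounded rather than waiting on an unreachable server three times.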
-- 
1.7.6.4

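The SRV-based discovery in the patch above returns the first record it sees and the caller then tries the servers one by one before falling back to the IPA server. As an added example, not FreeIPA code, here is that selection carried through with the priority and weight ordering RFC 2782 defines, plus the same fall-back; the SRV answer, the hostnames under example.test and the `try_sync` callable are constructed stand-ins for the DNS lookup (ipapython.dnsclient in the patch) and the ntpdate call, so it runs offline:

```python
"""Pick NTP servers from an SRV answer the way RFC 2782 describes.

Added example for the patch above; it is not FreeIPA code. The DNS answer
and the ntpdate call are replaced by constructed input and a caller-supplied
callable so it runs offline: `srv_records` is whatever the real lookup
returned, and `try_sync(server)` stands in for synconce_ntp().
Hostnames under example.test are made up.
"""
import random
from collections import namedtuple

# One SRV rdata (constructed type; the real client hands back rdata objects)
SRV = namedtuple("SRV", "priority weight port target")


def order_srv(records, draw=None):
    """Return SRV targets in RFC 2782 selection order.

    Lower priority wins outright. Within one priority the order is a
    weighted random draw: zero-weight records are listed first so they are
    picked only when the draw lands on 0. `draw(total)` must return an
    integer in [0, total]; it is injectable so callers (and tests) can make
    the choice deterministic.
    """
    if draw is None:
        draw = lambda total: random.randint(0, total)
    ordered = []
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec.priority, []).append(rec)
    for prio in sorted(by_priority):
        pool = sorted(by_priority[prio], key=lambda r: r.weight)
        while pool:
            total = sum(r.weight for r in pool)
            point = draw(total)
            running = 0
            chosen = pool[-1]
            for rec in pool:
                running += rec.weight
                if running >= point:
                    chosen = rec
                    break
            ordered.append(chosen.target.rstrip("."))
            pool.remove(chosen)
    return ordered


def sync_before_kinit(srv_records, ipa_server, try_sync, draw=None):
    """Apply the patch's policy: try the SRV-discovered servers in order,
    then the IPA server itself, and report which one stepped the clock.

    Returns the server name that answered, or None; the caller should then
    warn that the clock may still disagree with the KDC rather than assume
    it is in sync. Every candidate is an unauthenticated time source chosen
    by whoever answered the SRV query, so the name returned belongs in the
    install log.
    """
    candidates = order_srv(srv_records, draw)
    if ipa_server not in candidates:
        candidates.append(ipa_server)
    for server in candidates:
        if try_sync(server):
            return server
    return None


if __name__ == "__main__":
    # Constructed answer for _ntp._udp.example.test: two priority-10 servers
    # (one with weight 0, i.e. "use only if nothing else"), one backup.
    answer = [
        SRV(10, 0, 123, "ntp1.example.test."),
        SRV(20, 50, 123, "ntp2.example.test."),
        SRV(10, 100, 123, "ntp3.example.test."),
    ]
    reachable = {"ntp2.example.test"}  # pretend only the backup answers
    print(sync_before_kinit(answer, "ipa.example.test",
                            lambda s: s in reachable))
```

The injectable `draw` is what makes the weighted choice testable; in production leave it at the default and log the server that `sync_before_kinit` returns, since that is the host the clock was stepped from.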

[Freeipa-devel] [PATCH] 0020 fix 'referenced before assignment'

2011-10-05 Thread Alexander Bokovoy
Hi,

In 1770, due to code moving from one part of the file to another, the
restored variable didn't get a proper assignment.

One-line patch.

-- 
/ Alexander Bokovoy
From 8c46d269fb412887cf0eb70ec69bb6861933f56a Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Wed, 5 Oct 2011 15:11:29 +0300
Subject: [PATCH 2/2] Fix 'referenced before assignment' warning

---
 ipa-client/ipa-install/ipa-client-install |1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install 
b/ipa-client/ipa-install/ipa-client-install
index 
3810caea3eee403d0f225d52e0e5c5b2b8489a78..657c3be4d27e78b6c558697b4bbb27238a421966
 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -324,6 +324,7 @@ def uninstall(options, env, quiet=False):
 if ntp_configured:
 ntp_enabled = statestore.restore_state('ntp', 'enabled')
 ntp_step_tickers = statestore.restore_state('ntp', 'step-tickers')
+restored = False
 
 try:
 # Restore might fail due to file missing in backup
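Review bot: initialising `restored = False` here is the right scope, since it is only read inside `if ntp_configured:`, but the root cause is the `try:` with a bare `except: pass` that follows, which lets restore_file() fail silently part-way through; narrow that except to the missing-backup case and log it so an administrator knows /etc/ntp.conf was left as IPA wrote it.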
-- 
1.7.6.4


Re: [Freeipa-devel] [PATCH] 49 Work around pkisilent bugs

2011-10-05 Thread Jan Cholasta

On 4.10.2011 20:35, Rob Crittenden wrote:

Jan Cholasta wrote:

Work around pkisilent bugs.

Check directory manager password for invalid characters.
(https://bugzilla.redhat.com/show_bug.cgi?id=658641)

Shell-escape pkisilent command-line arguments.
(https://bugzilla.redhat.com/show_bug.cgi?id=741180)

Once the bugs are fixed, the workarounds should be removed and pkisilent
minimum required version should be bumped.

https://fedorahosted.org/freeipa/ticket/1636

Honza


Potential nack. The code here works; I just found a couple more corner
cases.

Some special characters in the subject base also cause pkisilent to
fail. Ampersand is one. I wonder if we need to catch this as well.

Tab in the password will cause a failure.

rob



Fixed patch attached.

Honza

--
Jan Cholasta
From 47b2044318c2524c619e45f0d8c383ffd9f5f48e Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 26 Sep 2011 08:27:01 +0200
Subject: [PATCH] Work around pkisilent bugs.

Check directory manager password and certificate subject base for
invalid characters.
(https://bugzilla.redhat.com/show_bug.cgi?id=658641)

Shell-escape pkisilent command-line arguments.
(https://bugzilla.redhat.com/show_bug.cgi?id=741180)

ticket 1636
---
 install/tools/ipa-server-install  |   31 +--
 ipapython/ipautil.py  |6 +-
 ipaserver/install/cainstance.py   |   29 -
 ipaserver/install/installutils.py |   17 -
 4 files changed, 58 insertions(+), 25 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 7d961cb..4aa9926 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -40,7 +40,7 @@ from ConfigParser import RawConfigParser
 import random
 import tempfile
 import nss.error
-from optparse import OptionGroup
+from optparse import OptionGroup, OptionValueError
 
 from ipaserver.install import dsinstance
 from ipaserver.install import krbinstance
@@ -92,15 +92,31 @@ def subject_callback(option, opt_str, value, parser):
 
 name = opt_str.replace('--','')
 v = unicode(value, 'utf-8')
+if any(ord(c)  0x20 for c in v):
+raise OptionValueError(Subject base must not contain control characters)
+if '' in v:
+raise OptionValueError(Subject base must not contain an ampersand (\\))
 try:
 dn = DN(v)
 for rdn in dn:
 if rdn.attr.lower() not in VALID_SUBJECT_ATTRS:
-raise ValueError('invalid attribute: %s' % rdn.attr)
+raise OptionValueError('invalid attribute: %s' % rdn.attr)
 except ValueError, e:
-raise ValueError('Invalid subject base format: %s' % str(e))
+raise OptionValueError('Invalid subject base format: %s' % str(e))
 parser.values.subject = str(dn) # may as well normalize it
 
+def validate_dm_password(password):
+if len(password)  8:
+raise ValueError(Password must be at least 8 characters long)
+if any(ord(c)  0x20 for c in password):
+raise ValueError(Password must not contain control characters)
+if ' ' in password:
+raise ValueError(Password must not contain a space (\ \))
+if '' in password:
+raise ValueError(Password must not contain an ampersand (\\))
+if '\\' in password:
+raise ValueError(Password must not contain a backslash ())
+
 def parse_options():
 # Guaranteed to give a random 200k range below the 2G mark (uint32_t limit)
 namespace = random.randint(1, 1) * 20
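Review bot: both validate_dm_password and subject_callback test for control characters by comparing ord(c) against 0x20 only, so DEL (0x7f) and the C1 range (0x80 to 0x9f) pass; if pkisilent mangles those too, use `unicodedata.category(c).startswith('C')` or an explicit set. These checks also shrink the allowed password alphabet purely to work around a pkisilent bug, so mark them with a TODO naming bz 658641 and bz 741180 and the pkisilent version that fixes them, as the commit message promises, so they are actually removed later.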
@@ -204,8 +220,11 @@ def parse_options():
 options, args = parser.parse_args()
 safe_options = parser.get_safe_opts(options)
 
-if options.dm_password is not None and len(options.dm_password)  8:
-parser.error(DS admin password must be at least 8 characters long)
+if options.dm_password is not None:
+try:
+validate_dm_password(options.dm_password)
+except ValueError, e:
+parser.error(DS admin password:  + str(e))
 if options.admin_password is not None and len(options.admin_password)  8:
 parser.error(Admin user password must be at least 8 characters long)
 
@@ -417,7 +436,7 @@ def read_dm_password():
 print The password must be at least 8 characters long.
 print 
 #TODO: provide the option of generating a random password
-dm_password = read_password(Directory Manager)
+dm_password = read_password(Directory Manager, validator=validate_dm_password)
 return dm_password
 
 def read_admin_password():
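Review bot: the interactive prompt still says only "The password must be at least 8 characters long." while the validator now also rejects control characters, space, ampersand and backslash; update the prompt text to list the forbidden characters so the user learns the rule before typing the password rather than from the error afterwards.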
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index cfc979e..b1e48de 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -178,6 +178,9 @@ def write_tmp_file(txt):
 
 return fd
 
+def shell_quote(string):
+return ' + string.replace(', '\\'') + '
+
 def run(args, stdin=None, raiseonerr=True,
 nolog=(), env=None, capture_output=True):
 
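Review bot: shell_quote needs a docstring saying it is only for arguments that pkisilent itself re-parses through a shell (bz 741180); applied to an argv list handed to ipautil.run, which execs without a shell, it would embed literal quote characters into the argument. The standard library's pipes.quote implements the same single-quote escaping, so the helper can be dropped together with the workaround once the pkisilent minimum version is bumped.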
@@ -230,7 +233,8 @@ def run(args, 

Re: [Freeipa-devel] [PATCH] ipa-pwd-extop: allow password change on all connections with SSF1

2011-10-05 Thread Martin Kosek
On Wed, 2011-10-05 at 16:41 +0200, Jan Cholasta wrote:
 On 5.10.2011 16:36, Sumit Bose wrote:
  On Wed, Oct 05, 2011 at 03:06:19PM +0200, Jan Cholasta wrote:
  On 5.10.2011 11:58, Sumit Bose wrote:
  On Tue, Oct 04, 2011 at 11:15:04AM +0200, Jan Cholasta wrote:
  On 27.9.2011 10:15, Sumit Bose wrote:
  Hi,
 
   currently the change password plugin does not check if the connection is
   coming from a local LDAPI socket and denies password change requests via
   LDAPI. This patch changes the check to just look at the overall SSF of
   the connection, which covers all types of connection.
  
   There is a similar check in ipa_enrollment.c. But I think enrollments via
   LDAPI do not make much sense, so it does not need to be changed.
 
  IMHO it should be changed anyway, for the sake of consistency.
 
 
  This patch should fix https://fedorahosted.org/freeipa/ticket/1877.
 
  bye,
  Sumit
 
 
  The patch has trailing whitespace on lines 20 and 32-35 and needs to
  be rebased.
 
  Tested the patch with ldappasswd over ldap/ldaps/ldapi - works as 
  expected.
 
  Thank you for the review. I have changed ipa_enrollment.c accordingly
  and checked that the patch applies against master as well as against
  ipa-2-1 and that git does not complain about trailing whitespace. New
  version attached.
 
  bye,
  Sumit
 
  git apply still complains about the patch:
 
  $ git status -sb
  ## ipa-2-1
 
  $ git apply 
  freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch
 
  ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:23:
  trailing whitespace.
   int ssf;
  ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:39:
  trailing whitespace.
   /* Allow password modify on all connections with a Security Strength
  ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:40:
  trailing whitespace.
* Factor (SSF) higher than 1 */
  ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:41:
  trailing whitespace.
   if (slapi_pblock_get(pb, SLAPI_OPERATION_SSF, &ssf) != 0) {
  ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:42:
  trailing whitespace.
   LOG_TRACE(Could not get SSF from connection\n);
  error: patch failed:
  daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c:80
  error: daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c:
  patch does not apply
  error: patch failed:
  daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c:615
  error: daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c:
  patch does not apply
 
 
  It can be applied with patch, but it complains too:
 
   $ patch -p1 --no-backup-if-mismatch < freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch
 
  (Stripping trailing CRs from patch.)
  patching file daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
  (Stripping trailing CRs from patch.)
  patching file daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
 
 
  The comment in ipa-enrollment.c should be changed from Allow
  password modify on ... to Allow enrollment on 
 
   I changed the comment and sent the patch not in base64.
 
  bye,
  Sumit
 
 Thank you, ACK.
 
 Honza

Added missing trac ticket reference to Sumit's patch.

Pushed to master, ipa-2-1.

Martin



[Freeipa-devel] [PATCH] #1900 fix replica-prepare issues with anonymous binds disabled

2011-10-05 Thread Simo Sorce
With anonymous binds disabled we were failing to run ipa-replica-prepare
because some tests were done anonymously.

During the creation of this patch we also hit an NSS shutdown issue; to
work around this issue ipa-replica-prepare has been hardcoded to use
ldapi:// instead of ldaps://.

The patch as is seems to properly allow the creation of a replica file
with anonymous connections disallowed (it works also when they are
allowed).

Fixes #1900

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From e4a84beccd2b4f35011870cc14dcb82306fe457f Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Thu, 29 Sep 2011 17:49:20 -0400
Subject: [PATCH] replica-prepare: anonymous binds may be disallowed

Fixes: https://fedorahosted.org/freeipa/ticket/1900
---
 install/tools/ipa-replica-install |3 +-
 install/tools/ipa-replica-manage  |3 +-
 install/tools/ipa-replica-prepare |   47 +++-
 ipaserver/install/bindinstance.py |   23 +
 4 files changed, 46 insertions(+), 30 deletions(-)

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 963b1ccc0ded7c595cc4ceaed8f54c810d3bcc3c..cc169ca332503ddbebd5b4ac4edab9b28f78fdd9 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -223,7 +223,8 @@ def install_bind(config, options):
 def install_dns_records(config, options):
 
 if not bindinstance.dns_container_exists(config.master_host_name,
- util.realm_to_suffix(config.realm_name)):
+ util.realm_to_suffix(config.realm_name),
+ dm_password=config.dirman_password):
 return
 
 # We have to force to connect to the remote master because we do this step
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index c3dd0b3fe9e2efcc32e20286ef42d798bf567e08..1af4d3658ab0bc0e9f8bd5c8835327751e025afa 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -328,7 +328,8 @@ def del_master(realm, hostname, options):
 
 # 5. And clean up the removed replica DNS entries if any.
 try:
-if bindinstance.dns_container_exists(options.host, thisrepl.suffix):
+if bindinstance.dns_container_exists(options.host, thisrepl.suffix,
+ dm_password=options.dirman_passwd):
 if options.dirman_passwd:
 api.Backend.ldap2.connect(bind_dn='cn=Directory Manager',
   bind_pw=options.dirman_passwd)
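Review bot: `dm_password=options.dirman_passwd` can be None here, as the very next line (`if options.dirman_passwd:`) shows, so dns_container_exists must treat a None password as "bind some other way" (GSSAPI or anonymous, as before) rather than attempting a simple bind with an empty password; the bindinstance.py side of that is not on this page, so please confirm it handles None, and consider making the fallback explicit at this call site.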
diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index 05115ac3ccdfdca87960025811dc992c5d6ab530..1936e4d56eebbd2838b9c52e915e0524dc4ca77a 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -27,7 +27,7 @@ import krbV
 
 from ipapython import ipautil
 from ipaserver.install import bindinstance, dsinstance, installutils, certs
-from ipaserver.install.bindinstance import add_zone, add_reverse_zone, add_fwd_rr, add_ptr_rr
+from ipaserver.install.bindinstance import add_zone, add_reverse_zone, add_fwd_rr, add_ptr_rr, dns_container_exists
 from ipaserver.install.replication import enable_replication_version_checking
 from ipaserver.install.installutils import resolve_host
 from ipaserver.plugins.ldap2 import ldap2
@@ -248,14 +248,33 @@ def main():
 if certs.ipa_self_signed_master() == False:
 sys.exit('A selfsign CA backend can only prepare on the original master')
 
+# get the directory manager password
+dirman_password = options.password
+if not options.password:
+try:
+dirman_password = get_dirman_password()
+except KeyboardInterrupt:
+sys.exit(0)
+
+# Try out the password
+try:
+conn = ldap2(shared_instance=False)
+conn.connect(bind_dn='cn=directory manager', bind_pw=dirman_password)
+conn.disconnect()
+except errors.ACIError:
+sys.exit(\nThe password provided is incorrect for LDAP server %s % api.env.host)
+except errors.LDAPError:
+sys.exit(\nUnable to connect to LDAP server %s % api.env.host)
+
 try:
 installutils.verify_fqdn(replica_fqdn, system_name_check=False)
 except RuntimeError, e:
 msg = str(e)
 if msg.startswith('Unable to resolve host name'):
 if options.ip_address is None:
-if bindinstance.dns_container_exists(api.env.host,
-api.env.basedn):
+if dns_container_exists(api.env.host, api.env.basedn,
+dm_password=dirman_password,
+ldapi=True, realm=api.env.realm):
 msg += '\nAdd the --ip-address argument to create a DNS entry.'
 sys.exit(msg)
 else:
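Review bot: the password pre-check binds at `conn.connect(bind_dn='cn=directory manager', ...)` over ldap2's default URI, while the dns_container_exists call below asks for `ldapi=True` explicitly; given the cover note about hard-coding ldapi:// to avoid the NSS shutdown problem, both should use the same transport, otherwise the Directory Manager password still crosses a TLS socket to the local host for no benefit and the NSS issue can resurface. Note too that the password is now required on every run of ipa-replica-prepare, where the old anonymous path could succeed without it; that is the intended consequence of the ticket, but the usage text and man page should say so.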
@@ -265,7 +284,9 @@ def main():
 

Re: [Freeipa-devel] [PATCH] 49 Work around pkisilent bugs

2011-10-05 Thread Rob Crittenden

Jan Cholasta wrote:

On 4.10.2011 20:35, Rob Crittenden wrote:

Jan Cholasta wrote:

Work around pkisilent bugs.

Check directory manager password for invalid characters.
(https://bugzilla.redhat.com/show_bug.cgi?id=658641)

Shell-escape pkisilent command-line arguments.
(https://bugzilla.redhat.com/show_bug.cgi?id=741180)

Once the bugs are fixed, the workarounds should be removed and pkisilent
minimum required version should be bumped.

https://fedorahosted.org/freeipa/ticket/1636

Honza


Potential nack. The code here works; I just found a couple more corner
cases.

Some special characters in the subject base also cause pkisilent to
fail. Ampersand is one. I wonder if we need to catch this as well.

Tab in the password will cause a failure.

rob



Fixed patch attached.

Honza



ack, pushed to master and ipa-2-1



Re: [Freeipa-devel] [PATCH] 134 Improve handling of GIDs when migrating groups

2011-10-05 Thread Rob Crittenden

Martin Kosek wrote:

Since the IPA v2 server already contains predefined groups that may collide
with groups in the migrated (IPA v1) server (for example admins, ipausers),
users having a colliding group as their primary group may happen to belong
to an unknown group on the new IPA v2 server.

Implement the --group-overwrite-gid option to overwrite the GID of already
existing groups to prevent this issue.

https://fedorahosted.org/freeipa/ticket/1866


For argument's sake, what is the user going to see the first time they 
run this? I assume they won't think about these duplicate groups and 
just do the migration. This means that the result may be some users 
pointing to non-existent GIDs.

If they re-run the migration with this option will it then fix 
everything up?

I'm wondering if we need a --test argument so people can run the 
migration w/o writing entries to look for problems like this.


rob

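Rob's suggestion of a --test mode amounts to comparing the two directories before anything is written. As an added example, not code from the FreeIPA migration plugin, this computes the colliding groups and the users whose primary GID would point at nothing, both with the default behaviour and with the proposed --group-overwrite-gid. The group and user records are constructed, and the check also reports users whose primary GID matches no group on either side, which goes beyond the case the thread discusses:

```python
"""Dry-run check for GID collisions before migrating groups into IPA v2.

Added example, not code from the FreeIPA migration plugin. It works on
plain group/user records such as a --test style pre-check could read from
both directories; the entries used below are constructed. It also flags a
case the thread does not mention: a user whose primary GID matches no
group on either side.
"""
from collections import namedtuple

Group = namedtuple("Group", "cn gid")   # cn and gidNumber
User = namedtuple("User", "uid gid")    # uid and primary gidNumber


def gid_collisions(source_groups, target_groups):
    """Groups present on both sides under the same cn but with different
    gidNumbers, as {cn: (source_gid, target_gid)}. Predefined v2 groups
    such as admins and ipausers are the usual hits."""
    target = {g.cn: g.gid for g in target_groups}
    return {g.cn: (g.gid, target[g.cn]) for g in source_groups
            if g.cn in target and target[g.cn] != g.gid}


def final_gids(source_groups, target_groups, overwrite_gid=False):
    """GIDs that will exist on the target once migration is done.

    overwrite_gid=False: an existing target group keeps its own GID (the
    default, which leaves migrated users pointing at nothing).
    overwrite_gid=True: the source GID replaces it, which is what the
    proposed --group-overwrite-gid option would do.
    """
    final = {g.cn: g.gid for g in target_groups}
    for g in source_groups:
        if g.cn not in final or overwrite_gid:
            final[g.cn] = g.gid
    return set(final.values())


def dangling_primary_groups(source_users, source_groups, target_groups,
                            overwrite_gid=False):
    """uids whose primary gidNumber would resolve to no group after
    migration, sorted so the report is stable."""
    valid = final_gids(source_groups, target_groups, overwrite_gid)
    return sorted(u.uid for u in source_users if u.gid not in valid)


def report(source_users, source_groups, target_groups):
    """Lines for a --test style summary, with and without overwriting."""
    lines = []
    collisions = gid_collisions(source_groups, target_groups)
    for cn, (src, dst) in sorted(collisions.items()):
        lines.append("collision: %s has gid %d on source, %d on target"
                     % (cn, src, dst))
    for flag in (False, True):
        users = dangling_primary_groups(source_users, source_groups,
                                        target_groups, flag)
        lines.append("users with no primary group (overwrite gid=%s): %s"
                     % (flag, ", ".join(users) or "none"))
    return lines


if __name__ == "__main__":
    # Constructed data: v1 source with admins/ipausers at 1001/1002, v2
    # target that already has both under different GIDs.
    src_groups = [Group("admins", 1001), Group("ipausers", 1002),
                  Group("devs", 2000)]
    tgt_groups = [Group("admins", 5001), Group("ipausers", 5002)]
    src_users = [User("alice", 1001), User("bob", 2000),
                 User("carol", 1002), User("dave", 3000)]
    for line in report(src_users, src_groups, tgt_groups):
        print(line)
```

Run against real data, `report()` is the output a dry run would show before migrate-ds writes anything; the second line of the summary is what re-running with --group-overwrite-gid would leave behind.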