date:20111020

Re: [Freeipa-devel] LDAP conflicts resolution API

2011-10-20 Thread Martin Kosek

On Wed, 2011-10-19 at 09:51 -0600, Rich Megginson wrote:
 On 10/19/2011 09:46 AM, Simo Sorce wrote:
  On Wed, 2011-10-19 at 17:33 +0200, Martin Kosek wrote:
  Hello all,
 
  I am now investigating how to deal with LDAP conflicts resolution
  between replicas. Conflicting LDAP objects may be created if 2 LDAP
  objects (users, hosts, etc) with the same DN are created on disconnected
  replicas. When the replicas synchronize again, 389-ds renames one of the
  objects to something like this:
 
  nsuniqueid=0a950601-435311e0-86a2f5bd-3cd26022+uid=utest,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
 
  for users OR
 
  fqdn=rhel61-client3.testrelm+nsuniqueid=807bb87f-652211e0-9e848fb2-f0f04a39,cn=computers,cn=accounts,dc=testrelm
 
  for hosts.
 
  Records like this then cannot be handled via IPA commands and can cause
  a wide range of problems. There are already 2 tickets filed:
 
  https://fedorahosted.org/freeipa/ticket/1025
  https://fedorahosted.org/freeipa/ticket/1174
 
  Since we cannot avoid creating these objects, we can at least help
  mitigate the consequences and help user remove the conflicts using our
  CLI (or WebUI in the future).
 
  I would like to propose a simple plugin to manage these conflicts:
 
  1) ipa confict-find
  This command would find all conflicting LDAP objects using filter
  nsds5ReplConflict=*. Since this plugin would work with all LDAP objects
  we support, the most straightforward implementation would be to display
  raw LDAP data.
 
  I am still thinking if we could make the output prettier by finding what
  LDAP object is in conflict (user, host, sudorule) and display the
  objects in standard way as we do in ipa user-show, ipa host-show or ipa
  sudorule-show. I guess we could identify the conflicting object type by
  comparing its parent DN to all known LDAP objects container_dn.
 
  Raw LDAP data output would look like this:
 
  $ ipa conflic-find
  -
  3 conflicts found
  -
  dn: 
  nsuniqueid=02631581-fa5f11e0-bb339359-34a214df+uid=utest2,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  memberOf: 
  cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  mepManagedEntry: 
  cn=utest2,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  displayName: User Test
  cn: User Test
  objectClass: top
  objectClass: person
  objectClass: organizationalperson
  objectClass: inetorgperson
  objectClass: inetuser
  objectClass: posixaccount
  objectClass: krbprincipalaux
  objectClass: krbticketpolicyaux
  objectClass: ipaobject
  objectClass: mepOriginEntry
  loginShell: /bin/sh
  sn: Test
  gecos: User Test
  homeDirectory: /home/utest2
  krbPwdPolicyReference: 
  cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,
dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  krbPrincipalName: ute...@idm.lab.bos.redhat.com
  givenName: User
  uid: utest2
  initials: UT
  uidNumber: 145103
  gidNumber: 145103
  ipaUniqueID: 0636d5b6-fa5f-11e0-b85b-00163e6f5efc
 
 
  dn: 
  nsuniqueid=02631582-fa5f11e0-bb339359-34a214df+cn=utest2,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  description: User private group for utest2
  gidNumber: 145103
  objectClass: posixgroup
  objectClass: ipaobject
  objectClass: mepManagedEntry
  objectClass: top
  cn: utest2
  mepManagedBy: 
  uid=utest2,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  ipaUniqueID: 0639ee7c-fa5f-11e0-b85b-00163e6f5efc
 
 
  dn: 
  nsuniqueid=af8a5d81-fa6011e0-bb339359-34a214df+fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  cn: foo.example.com
  objectClass: ipaobject
  objectClass: nshost
  objectClass: ipahost
  objectClass: pkiuser
  objectClass: ipaservice
  objectClass: krbprincipalaux
  objectClass: krbprincipal
  objectClass: top
  fqdn: foo.example.com
  managedBy: 
  fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,
dc=redhat,dc=com
  krbPrincipalName: host/foo.example@idm.lab.bos.redhat.com
  serverHostName: foo
  ipaUniqueID: d069dff8-fa60-11e0-874e-00163e6f5efc
 
 
 
  User could then copypaste DNs to manipulate the objects further:
 
  2) ipa conflict-show DN
 
  This command would show chosen conflicting object closer + the original 
  object it conflicts with:
 
  $ ipa conflict-show 
  'nsuniqueid=02631582-fa5f11e0-bb339359-34a214df+cn=utest2,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'
  dn: 
  fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  cn: foo.example.com
  objectClass: ipaobject
  objectClass: nshost
  objectClass: ipahost
  objectClass: pkiuser
  objectClass: ipaservice
  objectClass: krbprincipalaux
  objectClass: krbprincipal
  objectClass: top
  fqdn: foo.example.com
  managedBy: 
  fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,
dc=redhat,dc=com
  krbPrincipalName: host/foo.example@idm.lab.bos.redhat.com
  serverHostName: foo
  ipaUniqueID:

[Freeipa-devel] [PATCH] Add kerberos mapping for clients outside the IPA domain

2011-10-20 Thread Lars Sjöström

Hello,

Proposed patch for bug https://fedorahosted.org/freeipa/ticket/2006

Best regards,
Lars
From cd62f50c7adba7eb7e240b9b051b90ba9cb3ce70 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lars=20Sj=C3=B6str=C3=B6m?= lsjostro@lsjostro.local
Date: Thu, 20 Oct 2011 09:34:19 +0200
Subject: [PATCH] Add kerberos mapping for clients outside the IPA domain

---
 ipa-client/ipa-install/ipa-client-install |   16 ++--
 1 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 85d7867..fc3437e 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -546,7 +546,7 @@ def hardcode_ldap_server(cli_server):
 
 return
 
-def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, filename):
+def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, filename, sys_cli_domain=None):
 
 krbconf = ipaclient.ipachangeconf.IPAChangeConf(IPA Installer)
 krbconf.setOptionAssignment( = )
@@ -589,6 +589,12 @@ def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, c
 #[domain_realm]
 dropts = [{'name':'.'+cli_domain, 'type':'option', 'value':cli_realm},
   {'name':cli_domain, 'type':'option', 'value':cli_realm}]
+
+#add mapping if client is outside of IPA domain
+if sys_cli_domain:
+dropts.append({'name':'.'+sys_cli_domain, 'type':'option', 'value':cli_realm})
+dropts.append({'name':sys_cli_domain, 'type':'option', 'value':cli_realm})
+
 opts.append({'name':'domain_realm', 'type':'section', 'value':dropts})
 opts.append({'name':'empty', 'type':'empty'})
 
@@ -895,6 +901,12 @@ def install(options, env, fstore, statestore):
 cli_domain = ds.getDomainName()
 logging.debug(will use domain: %s\n, cli_domain)
 
+p = hostname.find(.)
+sys_cli_domain = hostname[p+1:]
+ 
+if sys_cli_domain == cli_domain:
+sys_cli_domain = None
+
 if ret in (ipadiscovery.NO_LDAP_SERVER, ipadiscovery.NOT_IPA_SERVER) \
 or not ds.getServerName():
 logging.debug(IPA Server not found)
@@ -1015,7 +1027,7 @@ def install(options, env, fstore, statestore):
 print Unable to sync time with IPA NTP server, assuming the time is in sync.
 (krb_fd, krb_name) = tempfile.mkstemp()
 os.close(krb_fd)
-if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, krb_name):
+if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, krb_name, sys_cli_domain):
 print Test kerberos configuration failed
 return CLIENT_INSTALL_ERROR
 env['KRB5_CONFIG'] = krb_name
-- 
1.7.6.4

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH 51/51] Ticket 1201 - Unable to Download Certificate with Browser

2011-10-20 Thread John Dennis

Certificates are passed through the IPA XML-RPC and JSON as binary
data in DER X509 format. Queries peformed against the LDAP server
also return binary DER X509 format. In all cases the binary DER
data is base-64 encoded.

PEM is standard text format for certificates. It also uses base64 to
encode the binary DER data, but had specific formatting
requirements. The base64 data must be wrapped inside PEM delimiters
and the base64 data must be line wrapped at 64 characters.

Most external software which accepts certificates as input will only
accept DER or PEM format (e.g. openssl  NSS). Although base64 is
closely related to PEM it is not PEM unless the PEM delimters are
present and the base64 data is line wrapped at 64 characters.

We already convert binary DER certificates which have been passed as
base64 in other parts of the IPA code. However this conversion has not
been available in the web UI. When the web UI presented certificates
it did so by filling a dialog box with a single line of base64 data. A
user could not copy this data and use it as input to openssl or NSS
for example.

We resolve this problem by introducing new javascript functions in
certificate.js. IPA.cert.pem_cert_format(text) will examine the text
input and if it's already in PEM format just return it unmodified,
otherwise it will line wrap the base64 data and add the PEM
delimiters. Thus it is safe to call on either a previously formated
PEM cert or a binary DER cert encoded as base64. This applies to
pem_csr_format() as well for CSR's.

Because pem_cert_format() is safe to call on either format the web UI
will see the use of the flag add_pem_delimiters was eliminated except
in the one case where the IPA.cert.download_dialog() was being abused
to display PKCS12 binary data (pkcs12 is neither a cert nor a cert
request). Because of the abuse of the cert.download_dialog() for
pkcs12 it was necessary to retain the flag which in effect said do
not treat the data as PEM.

Modify the CSR (Certificate Signing Request) dialog box to accept a
PEM formatted CSR. Remove the artifical PEM delimiters above and below
the dialog box which were used to suggest the input needed to be sans
the delimiters. The dialog box continues to accept bare base64 thus
allowing either text format.

Also note this solves the display of certificate data in the UI
without touching anything existing code in the server or command line,
thus it's isolated.

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
From a77eb8bd018d9a63c23bc881712b21b309bf0611 Mon Sep 17 00:00:00 2001
From: John Dennis jden...@redhat.com
Date: Tue, 18 Oct 2011 18:19:25 -0400
Subject: [PATCH 51/51] Ticket 1201 - Unable to Download Certificate with
 Browser
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

Certificates are passed through the IPA XML-RPC and JSON as binary
data in DER X509 format. Queries peformed against the LDAP server
also return binary DER X509 format. In all cases the binary DER
data is base-64 encoded.

PEM is standard text format for certificates. It also uses base64 to
encode the binary DER data, but had specific formatting
requirements. The base64 data must be wrapped inside PEM delimiters
and the base64 data must be line wrapped at 64 characters.

Most external software which accepts certificates as input will only
accept DER or PEM format (e.g. openssl  NSS). Although base64 is
closely related to PEM it is not PEM unless the PEM delimters are
present and the base64 data is line wrapped at 64 characters.

We already convert binary DER certificates which have been passed as
base64 in other parts of the IPA code. However this conversion has not
been available in the web UI. When the web UI presented certificates
it did so by filling a dialog box with a single line of base64 data. A
user could not copy this data and use it as input to openssl or NSS
for example.

We resolve this problem by introducing new javascript functions in
certificate.js. IPA.cert.pem_cert_format(text) will examine the text
input and if it's already in PEM format just return it unmodified,
otherwise it will line wrap the base64 data and add the PEM
delimiters. Thus it is safe to call on either a previously formated
PEM cert or a binary DER cert encoded as base64. This applies to
pem_csr_format() as well for CSR's.

Because pem_cert_format() is safe to call on either format the web UI
will see the use of the flag add_pem_delimiters was eliminated except
in the one case where the IPA.cert.download_dialog() was being abused
to display PKCS12 binary data (pkcs12 is neither a cert nor a cert
request). Because of the abuse of the cert.download_dialog() for
pkcs12 it was necessary to retain the flag which in effect said do
not treat the data as PEM.

Modify the CSR (Certificate Signing Request) dialog box to accept a
PEM formatted CSR. Remove the artifical PEM delimiters above and below
the dialog box which were used to suggest the input

Re: [Freeipa-devel] LDAP conflicts resolution API

2011-10-20 Thread Martin Kosek

On Thu, 2011-10-20 at 07:18 -0700, Nathan Kinder wrote:
On 10/19/2011 11:22 PM, Martin Kosek wrote:
On Wed, 2011-10-19 at 09:51 -0600, Rich Megginson wrote:
On 10/19/2011 09:46 AM, Simo Sorce wrote:
On Wed, 2011-10-19 at 17:33 +0200, Martin Kosek wrote:
...

3) When user decides what to do with the conflicting object, he would
use the following commands:

ipa conflict-rename DN NEW_RDN

This command would change the conflicting LDAP objects RDN to
foo2.example.com:
$ ipa conflict-rename
'nsuniqueid=af8a5d81-fa6011e0-bb339359-34a214df+fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'
foo2.example.com

ipa conflict-del DN

This command would delete conflicting LDAP objects altogether:
ipa conflict-del
'nsuniqueid=af8a5d81-fa6011e0-bb339359-34a214df+fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'

I already implemented the conflict-find, conflict-show and
conflict-rename commands. But I really like your idea. Conflicts can
cause quite unpredictable effects for the user. Not every user can be
experienced enough to guess the replication conflicts cause that issues
and use the new conflict-* commands to fix it.

If all conflicts are stored to a special suffix, the end user experience
will be much better. I can adapt new commands so that user can manage
the conflicts when he get to it without side effects other ipa commands.

Nathan, do you think you will be able to implement this change for RHEL
6.3.0? I can create a RFE bugzilla.

Thanks,
Martin

Martin

It would certainly cause some entries to disappear, but it would also
prevent some of the issues with have those entries.

Simo.

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 023 Circular entity dependency

2011-10-20 Thread Petr Vobornik


Fix for regression in unit test, introduced by previous patch.

--
Petr Vobornik
From f1a1a99763f38a10304c374da88857c85c9e7748 Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Thu, 20 Oct 2011 16:37:48 +0200
Subject: [PATCH] Fixing infinite loop in UI navigation unit test.

https://fedorahosted.org/freeipa/ticket/1531

It's a fix for regression introduced by previous patch.
---
 install/ui/test/navigation_tests.js |   12 +---
 1 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/install/ui/test/navigation_tests.js b/install/ui/test/navigation_tests.js
index 90e708ccb3daeb63031c76884bd69b608fbf5694..6df1926c3efac17c0eada193e00a6dcebf0d7093 100644
--- a/install/ui/test/navigation_tests.js
+++ b/install/ui/test/navigation_tests.js
@@ -45,9 +45,15 @@ test(Testing IPA.navigation.create()., function() {
 IPA.entities = $.ordered_map();
 
 IPA.entity_factories.user =  function() {
-var that = IPA.entity({name: 'user',
-   metadata:IPA.metadata.objects.user});
-that.add_facet(IPA.search_facet({'entity':that}));
+var that = IPA.entity({
+name: 'user',
+metadata:IPA.metadata.objects.user,
+facets: [
+{
+type: 'search'
+}
+]
+});
 
 that.display = function(container){
 user_mock_called = true;
-- 
1.7.6.4

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 023 Circular entity dependency

2011-10-20 Thread Endi Sukma Dewata


On 10/20/2011 1:03 PM, Petr Vobornik wrote:

Fix for regression in unit test, introduced by previous patch.


ACK and pushed to master.

--
Endi S. Dewata

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] LDAP conflicts resolution API

2011-10-20 Thread Nathan Kinder

On 10/20/2011 07:57 AM, Martin Kosek wrote:

On Thu, 2011-10-20 at 07:18 -0700, Nathan Kinder wrote:

On 10/19/2011 11:22 PM, Martin Kosek wrote:

On Wed, 2011-10-19 at 09:51 -0600, Rich Megginson wrote:

On 10/19/2011 09:46 AM, Simo Sorce wrote:

On Wed, 2011-10-19 at 17:33 +0200, Martin Kosek wrote:

...

3) When user decides what to do with the conflicting object, he would use the
following commands:

ipa conflict-rename DN NEW_RDN

This command would change the conflicting LDAP objects RDN to foo2.example.com:
$ ipa conflict-rename
'nsuniqueid=af8a5d81-fa6011e0-bb339359-34a214df+fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'
foo2.example.com

ipa conflict-del DN

Thoughts, comments?

Sounds good to me.
But I wonder if we can tell DS to create/move these conflicting objects
into a cn=conflicts subtree by means of configuration ?

Not automatically, no.

So maybe a new DS plugin should do the trick? We would just have to
store original DN to some attribute if we want to enable user to just
rename the conflicting object to its original location.

No, I think an RFE to change the existing replication plug-in to allow
an alternate conflict area would be best. Simo and I had discussed this
possibility a long time back. We would allow one to configure a suffix
to put conflicts in to prevent them from being in the tree that clients use.

Nathan, do you think you will be able to implement this change for RHEL
6.3.0? I can create a RFE bugzilla.
Go ahead and create the RFE bug against 389. We will discuss it in our
weekly DS bug triage on Monday to determine the timeline.

Thanks,
Martin

Martin

It would certainly cause some entries to disappear, but it would also
prevent some of the issues with have those entries.

Simo.

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] LDAP conflicts resolution API

2011-10-20 Thread Simo Sorce

On Thu, 2011-10-20 at 07:18 -0700, Nathan Kinder wrote:
  But I wonder if we can tell DS to create/move these conflicting
 objects
  into a cn=conflicts subtree by means of configuration ?
  Not automatically, no.
  So maybe a new DS plugin should do the trick? We would just have to
  store original DN to some attribute if we want to enable user to
 just
  rename the conflicting object to its original location.
 No, I think an RFE to change the existing replication plug-in to
 allow 
 an alternate conflict area would be best.  Simo and I had discussed
 this 
 possibility a long time back.  We would allow one to configure a
 suffix 
 to put conflicts in to prevent them from being in the tree that
 clients use. 

Yep, Martin please open a 389ds RFE.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 295 Fixed inconsistent required/optional attributes.

2011-10-20 Thread Endi Sukma Dewata


The dialogs and details pages have been modified to use the * symbol
to mark required fields. The automount map and the DNS zone dialogs
have been modified to update the required fields according to the
input type.

Ticket #1696

--
Endi S. Dewata
From 1320f4fc2aee116909d13b2dc388b9642815a7d8 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Wed, 19 Oct 2011 18:11:09 -0200
Subject: [PATCH] Fixed inconsistent required/optional attributes.

The dialogs and details pages have been modified to use the * symbol
to mark required fields. The automount map and the DNS zone dialogs
have been modified to update the required fields according to the
input type.

Ticket #1696
---
 install/ui/aci.js  |6 +-
 install/ui/add.js  |  136 --
 install/ui/automount.js|   28 +++--
 install/ui/details.js  |   49 +
 install/ui/dns.js  |  222 
 install/ui/hbac.js |3 +-
 install/ui/host.js |   12 +-
 install/ui/ipa.css |7 +-
 install/ui/policy.js   |8 +-
 install/ui/service.js  |   63 ++-
 install/ui/sudo.js |3 +-
 install/ui/test/data/ipa_init.json |2 +-
 install/ui/test/details_tests.js   |5 +-
 install/ui/user.js |5 +-
 install/ui/widget.js   |   34 --
 ipalib/plugins/internal.py |2 +-
 16 files changed, 307 insertions(+), 278 deletions(-)

diff --git a/install/ui/aci.js b/install/ui/aci.js
index 8dcb540b6a030222136e95d5d01b5a11c29acd7f..7a331118afb05df720429f004202b410ed29eac5 100644
--- a/install/ui/aci.js
+++ b/install/ui/aci.js
@@ -35,11 +35,7 @@ IPA.entity_factories.permission = function() {
 {
 name: 'identity',
 fields: [
-{
-factory: IPA.text_widget,
-name: 'cn',
-read_only: true
-}
+'cn'
 ]
 },
 {
diff --git a/install/ui/add.js b/install/ui/add.js
index 17418aaba4f0fe623483323a13c3d5cd608f4c71..3091c921b5fce5235d214b1654ae5cfec0e4ca25 100644
--- a/install/ui/add.js
+++ b/install/ui/add.js
@@ -35,7 +35,72 @@ IPA.add_dialog = function (spec) {
 that.retry = typeof spec.retry !== 'undefined' ? spec.retry : true;
 that.command = null;
 
-function show_edit_page(entity,result){
+that.show_edit_page = spec.show_edit_page || show_edit_page;
+
+var init = function() {
+that.create_button({
+name: 'add',
+label: IPA.messages.buttons.add,
+click: function() {
+that.hide_message();
+that.add(
+function(data, text_status, xhr) {
+var facet = IPA.current_entity.get_facet();
+var table = facet.table;
+table.refresh();
+that.close();
+},
+that.on_error);
+}
+});
+
+that.create_button({
+name: 'add_and_add_another',
+label: IPA.messages.buttons.add_and_add_another,
+click: function() {
+that.hide_message();
+that.add(
+function(data, text_status, xhr) {
+var label = that.entity.metadata.label_singular;
+var message = IPA.messages.dialogs.add_confirmation;
+message = message.replace('${entity}', label);
+that.show_message(message);
+
+var facet = IPA.current_entity.get_facet();
+var table = facet.table;
+table.refresh();
+that.reset();
+},
+that.on_error);
+}
+});
+
+that.create_button({
+name: 'add_and_edit',
+label: IPA.messages.buttons.add_and_edit,
+click: function() {
+that.hide_message();
+that.add(
+function(data, text_status, xhr) {
+that.close();
+var result = data.result.result;
+that.show_edit_page(that.entity, result);
+},
+that.on_error);
+}
+});
+
+that.create_button({
+name: 'cancel',
+label: IPA.messages.buttons.cancel,
+click: function() {
+that.hide_message();
+that.close();
+}
+});
+};
+
+function show_edit_page(entity,result) {
 var pkey_name = entity.metadata.primary_key;
 var pkey = result[pkey_name];
 if (pkey instanceof

Re: [Freeipa-devel] LDAP conflicts resolution API

2011-10-20 Thread Martin Kosek

On Thu, 2011-10-20 at 08:34 -0700, Nathan Kinder wrote:
On 10/20/2011 07:57 AM, Martin Kosek wrote:
On Thu, 2011-10-20 at 07:18 -0700, Nathan Kinder wrote:
On 10/19/2011 11:22 PM, Martin Kosek wrote:
On Wed, 2011-10-19 at 09:51 -0600, Rich Megginson wrote:
On 10/19/2011 09:46 AM, Simo Sorce wrote:
On Wed, 2011-10-19 at 17:33 +0200, Martin Kosek wrote:
...
3) When user decides what to do with the conflicting object, he would
use the following commands:

ipa conflict-rename DN NEW_RDN

ipa conflict-del DN

Thoughts, comments?
Sounds good to me.
But I wonder if we can tell DS to create/move these conflicting objects
into a cn=conflicts subtree by means of configuration ?
Not automatically, no.
So maybe a new DS plugin should do the trick? We would just have to
store original DN to some attribute if we want to enable user to just
rename the conflicting object to its original location.
No, I think an RFE to change the existing replication plug-in to allow
an alternate conflict area would be best. Simo and I had discussed this
possibility a long time back. We would allow one to configure a suffix
to put conflicts in to prevent them from being in the tree that clients
use.
I already implemented the conflict-find, conflict-show and
conflict-rename commands. But I really like your idea. Conflicts can
cause quite unpredictable effects for the user. Not every user can be
experienced enough to guess the replication conflicts cause that issues
and use the new conflict-* commands to fix it.

https://bugzilla.redhat.com/show_bug.cgi?id=747701

Thanks,
Martin

Martin

It would certainly cause some entries to disappear, but it would also
prevent some of the issues with have those entries.

Simo.

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] LDAP conflicts resolution API

[Freeipa-devel] [PATCH] Add kerberos mapping for clients outside the IPA domain

[Freeipa-devel] [PATCH 51/51] Ticket 1201 - Unable to Download Certificate with Browser

Re: [Freeipa-devel] LDAP conflicts resolution API

Re: [Freeipa-devel] [PATCH] 023 Circular entity dependency

Re: [Freeipa-devel] [PATCH] 023 Circular entity dependency

Re: [Freeipa-devel] LDAP conflicts resolution API

Re: [Freeipa-devel] LDAP conflicts resolution API

[Freeipa-devel] [PATCH] 295 Fixed inconsistent required/optional attributes.

Re: [Freeipa-devel] LDAP conflicts resolution API

10 matches

Site Navigation

Mail list logo

Footer information