[Freeipa-devel] [PATCH] 159 Fix ipa-replica-conncheck port labels

2011-11-04 Thread Martin Kosek
Pushed under the one-liner (two-liner in this case) rule to master,
ipa-2-1.

Quick self-verification after the change:

# ipa-replica-conncheck -m vm-050.idm.lab.bos.redhat.com
Check connection from replica to remote master
'vm-050.idm.lab.bos.redhat.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

From 7e2e2a16c8228232cc7a3c8f38eb9434612a0bed Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Fri, 4 Nov 2011 08:52:52 +0100
Subject: [PATCH] Fix ipa-replica-conncheck port labels

https://fedorahosted.org/freeipa/ticket/2057
---
 install/tools/ipa-replica-conncheck |4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index e9d78a065bba36189d12c9ff6c54a3544e34f0a3..db074fbaebafb0352be58f0581c7298bcfe3221d 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -54,8 +54,8 @@ BASE_PORTS = [
 CheckedPort(88, False, Kerberos KDC: UDP),
 CheckedPort(464, True, Kerberos Kpasswd: TCP),
 CheckedPort(464, False, Kerberos Kpasswd: UDP),
-CheckedPort(80, True, HTTP Server: port 80),
-CheckedPort(443, True, HTTP Server: port 443(https)),
+CheckedPort(80, True, HTTP Server: Unsecure port),
+CheckedPort(443, True, HTTP Server: Secure port),
  ]
 
 CA_PORTS  = [
-- 
1.7.6.4


Re: [Freeipa-devel] [PATCH] #2038 modify salt creation

2011-11-04 Thread Alexander Bokovoy
On Thu, 03 Nov 2011, Simo Sorce wrote:
 As stated in the bug in order to attain better interoperability with
 Windows clients we need to change the way we generate the random salt.
ACK.

-- 
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH] #2038 modify salt creation

2011-11-04 Thread Martin Kosek
On Fri, 2011-11-04 at 10:04 +0200, Alexander Bokovoy wrote:
 On Thu, 03 Nov 2011, Simo Sorce wrote:
  As stated in the bug in order to attain better interoperability with
  Windows clients we need to change the way we generate the random salt.
 ACK.
 

Pushed to master.

Martin



Re: [Freeipa-devel] [PATCH] #2038 modify salt creation

2011-11-04 Thread Simo Sorce
On Fri, 2011-11-04 at 11:14 +0100, Martin Kosek wrote:
 On Fri, 2011-11-04 at 10:04 +0200, Alexander Bokovoy wrote:
  On Thu, 03 Nov 2011, Simo Sorce wrote:
   As stated in the bug in order to attain better interoperability with
   Windows clients we need to change the way we generate the random salt.
  ACK.
  
 
 Pushed to master.

Should we backport this to 2.x as well ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH] #2038 modify salt creation

2011-11-04 Thread Martin Kosek
On Fri, 2011-11-04 at 07:41 -0400, Simo Sorce wrote:
 On Fri, 2011-11-04 at 11:14 +0100, Martin Kosek wrote:
  On Fri, 2011-11-04 at 10:04 +0200, Alexander Bokovoy wrote:
   On Thu, 03 Nov 2011, Simo Sorce wrote:
As stated in the bug in order to attain better interoperability with
Windows clients we need to change the way we generate the random salt.
   ACK.
   
  
  Pushed to master.
 
 Should we backport this to 2.x as well ?
 
 Simo.
 

Hm, looks important enough to do it. You are talking about

daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c

right? It should be pretty straightforward to backport it there.

Martin



Re: [Freeipa-devel] [PATCH] #2038 modify salt creation

2011-11-04 Thread Simo Sorce
On Fri, 2011-11-04 at 12:55 +0100, Martin Kosek wrote:
 On Fri, 2011-11-04 at 07:41 -0400, Simo Sorce wrote:
  On Fri, 2011-11-04 at 11:14 +0100, Martin Kosek wrote:
   On Fri, 2011-11-04 at 10:04 +0200, Alexander Bokovoy wrote:
On Thu, 03 Nov 2011, Simo Sorce wrote:
 As stated in the bug in order to attain better interoperability with
 Windows clients we need to change the way we generate the random salt.
ACK.

   
   Pushed to master.
  
  Should we backport this to 2.x as well ?
  
  Simo.
  
 
 Hm, looks important enough to do it. You are talking about
 
 daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c

Yes

 right? It should be pretty straightforward to backport it there.

Yes

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH] 157 Add --delattr option to complement --setattr/--addattr

2011-11-04 Thread Rob Crittenden

Martin Kosek wrote:

Add a --delattr option to round out multi-valued attribute manipulation.
The new option is available for all LDAPUpdate-based commands.

--delattr is evaluated last, so it can remove any value present either
in --addattr/--setattr options or stored in LDAP.

https://fedorahosted.org/freeipa/ticket/1929


Should --delattr raise an error if the value doesn't exist?

I think it probably should.

rob



[Freeipa-devel] [PATCHES] #1791 Trust Effort: Add support for generating MS-PAC

2011-11-04 Thread Simo Sorce
The attached patches are for master and concern the effort of creating
trust relationships between IPA and AD domains.

With these patches, if you have run ipa-adtrust-install, the IPA KDC will
be able to create an MS-PAC if the user has the right attributes:
ipaNTSecurityIdentifier is required on the user entry and on the primary
group entry (or on a fallback primary group).
If the objects are not in place, MS-PAC generation is silently
skipped and no MS-PAC is attached to the tickets.

The MS-PAC is always generated if all data is available; in the future we
may think of making this conditional, but that is not in the scope of
these patches.

In order to apply these patches you need the coverity fix patches #2036
#2037 I sent yesterday.

In order to build this code you need samba 4 experimental packages with
the libndr_krb5pac.so library, header files and pkgconfig configuration
files.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From 02cd0398a18ae489dec5ea83bdad55dbb0ab5587 Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Mon, 10 Oct 2011 15:42:11 -0400
Subject: [PATCH 1/2] Add support for generating PAC for AS requests for user
 principals

---
 daemons/configure.ac |   10 +
 daemons/ipa-kdb/Makefile.am  |3 +
 daemons/ipa-kdb/ipa_kdb.c|7 +-
 daemons/ipa-kdb/ipa_kdb.h|   38 ++
 daemons/ipa-kdb/ipa_kdb_common.c |   85 
 daemons/ipa-kdb/ipa_kdb_mspac.c  |  756 ++
 daemons/ipa-kdb/ipa_kdb_principals.c |7 +
 7 files changed, 905 insertions(+), 1 deletions(-)
 create mode 100644 daemons/ipa-kdb/ipa_kdb_mspac.c

diff --git a/daemons/configure.ac b/daemons/configure.ac
index e238d8b15901e7b46882cddd7d8621969d794039..f89c50d62a3d59c33439f285fe6e5d9b89ee 100644
--- a/daemons/configure.ac
+++ b/daemons/configure.ac
@@ -227,6 +227,16 @@ if test x$PYTHON = x ; then
 fi
 
 dnl ---
+dnl Check for ndr_krb5pac
+dnl ---
+
+PKG_PROG_PKG_CONFIG()
+PKG_CHECK_MODULES([TALLOC], [talloc])
+PKG_CHECK_MODULES([TEVENT], [tevent])
+PKG_CHECK_MODULES([NDRPAC], [ndr_krb5pac])
+
+
+dnl ---
 dnl - Set the data install directory since we don't use pkgdatadir
 dnl ---
 
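Review bot: The three PKG_CHECK_MODULES calls added here make talloc, tevent and ndr_krb5pac hard build requirements for every build, while the cover letter describes PAC generation as active only after ipa-adtrust-install and the library as coming from experimental samba 4 packages. If builds without those packages are meant to keep working, give the checks an action-if-not-found that records the absence instead of letting configure abort. The `dnl Check for ndr_krb5pac` header also undersells the block, since talloc and tevent are checked too; `dnl Check for talloc, tevent and ndr_krb5pac (MS-PAC support)` would be accurate.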
diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am
index 036074f437bdf8e177cd26018c7f611cf553c505..b29f60171116640d0f2b350111017fd8d6bbce59 100644
--- a/daemons/ipa-kdb/Makefile.am
+++ b/daemons/ipa-kdb/Makefile.am
@@ -19,6 +19,7 @@ INCLUDES =		\
 	$(KRB5_CFLAGS)	\
 	$(SSL_CFLAGS)	\
 	$(WARN_CFLAGS)	\
+	$(NDRPAC_CFLAGS)\
 	$(NULL)
 
 plugindir = $(libdir)/krb5/plugins/kdb
@@ -33,6 +34,7 @@ ipadb_la_SOURCES = 		\
 	ipa_kdb_passwords.c	\
 	ipa_kdb_principals.c	\
 	ipa_kdb_pwdpolicy.c	\
+	ipa_kdb_mspac.c		\
 	$(KRB5_UTIL_SRCS)	\
 	$(NULL)
 
@@ -45,6 +47,7 @@ ipadb_la_LIBADD = 		\
 	$(KRB5_LIBS)		\
 	$(SSL_LIBS)		\
 	$(LDAP_LIBS)		\
+	$(NDRPAC_LIBS)		\
 	$(NULL)
 
 dist_noinst_DATA = ipa_kdb.exports
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 481b1f392766498c5d7c6333fe73bafefde87dae..05ee18720a11fc6b8579fd00206d1cbb9d5a1a34 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -259,6 +259,11 @@ int ipadb_get_connection(struct ipadb_context *ipactx)
 ipactx-supp_encs = kst;
 ipactx-n_supp_encs = n_kst;
 
+ret = ipadb_reinit_mspac(ipactx);
+if (ret  ret != ENOENT) {
+/* TODO: log that there is an issue with adtrust settings */
+}
+
 ret = 0;
 
 done:
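Review bot: A non-ENOENT failure from ipadb_reinit_mspac() is discarded: the `if` body holds only a TODO comment and `ret = 0;` on the next line then reports success, so a broken adtrust configuration is invisible to both the caller and the logs. If PAC setup is meant to be optional, at least emit a log message in that branch through the logging facility this file already uses, and replace the TODO with a comment that states the policy, e.g. `/* NOTE: a failed adtrust lookup is treated as non-fatal; log it so a misconfiguration is visible */`. Whether ipadb_reinit_mspac() leaves ipactx in a consistent state on error is not visible from this hunk and should be confirmed. ipadb_get_connection() continues outside the hunk.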
@@ -447,7 +452,7 @@ kdb_vftabl kdb_function_table = {
 NULL,   /* promote_db */
 NULL,   /* decrypt_key_data */
 NULL,   /* encrypt_key_data */
-NULL,   /* sign_authdata */
+ipadb_sign_authdata,/* sign_authdata */
 NULL,   /* check_transited_realms */
 NULL,   /* check_policy_as */
 NULL,   /* check_policy_tgs */
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index cfcaca6493fd3f4657fd9f1839b6f3ac9f22546d..8c907c448d0f497786f7b66fb4e17e6590d4cc29 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -39,10 +39,15 @@
 #include ctype.h
 #include arpa/inet.h
 #include endian.h
+#include unistd.h
 
 #include ipa_krb5.h
 #include ipa_pwd.h
 
+#ifndef MAXHOSTNAMELEN
+#define MAXHOSTNAMELEN 64
+#endif
+
 /* easier to copy the defines here than to mess with kadm5/admin.h
  * for now */
 #define KMASK_PRINCIPAL 0x01
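Review bot: The fallback `#define MAXHOSTNAMELEN 64` is only reached on platforms that do not define it, and 64 is smaller than HOST_NAME_MAX on Linux (255); if the patch sizes a gethostname() buffer with it (the added `#include <unistd.h>` suggests so, but the use site is outside this hunk), a longer host name is truncated and gethostname() does not guarantee NUL termination in that case. Wherever such a buffer is used, terminate it explicitly after the call, e.g. `hostname[sizeof(hostname) - 1] = '\0';`. A one-line comment on the define, `/* fallback for platforms whose headers do not define it (glibc: <sys/param.h>) */`, would tell the next reader why 64 was chosen.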
@@ -69,6 +74,13 @@
 
 #define IPA_SETUP ipa-setup-override-restrictions
 
+struct ipadb_wincompat {
+

Re: [Freeipa-devel] [PATCH] #2038 modify salt creation

2011-11-04 Thread Simo Sorce
On Fri, 2011-11-04 at 08:03 -0400, Simo Sorce wrote:
 On Fri, 2011-11-04 at 12:55 +0100, Martin Kosek wrote:
  On Fri, 2011-11-04 at 07:41 -0400, Simo Sorce wrote:
   On Fri, 2011-11-04 at 11:14 +0100, Martin Kosek wrote:
On Fri, 2011-11-04 at 10:04 +0200, Alexander Bokovoy wrote:
 On Thu, 03 Nov 2011, Simo Sorce wrote:
  As stated in the bug in order to attain better interoperability with
  Windows clients we need to change the way we generate the random 
  salt.
 ACK.
 

Pushed to master.
   
   Should we backport this to 2.x as well ?
   
   Simo.
   
  
  Hm, looks important enough to do it. You are talking about
  
  daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
 
 Yes
 
  right? It should be pretty straightforward to backport it there.
 
 Yes

Patch against ipa-2-1 attached.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From a94cc05c563240b2ad4058aeac918790065ac886 Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Thu, 3 Nov 2011 16:15:10 -0400
Subject: [PATCH] Modify random salt creation for interoperability

port to ipa-2-1

See:
https://fedorahosted.org/freeipa/ticket/2038
---
 .../ipa-pwd-extop/ipapwd_encoding.c|   38 +++
 1 files changed, 30 insertions(+), 8 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
index cd4610c6ffd6f1b4eae61521335a7e26d319fa9d..4cd2451a4ebaae0a8dd642ca2fb88aeea37cebdb 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
@@ -47,6 +47,7 @@
 #include sys/stat.h
 #include fcntl.h
 #include unistd.h
+#include errno.h
 
 #include dirsrv/slapi-plugin.h
 #include lber.h
@@ -249,6 +250,34 @@ void encode_int16(unsigned int val, unsigned char *p)
 p[0] = (val  )  0xff;
 }
 
+static krb5_error_code ipa_get_random_salt(krb5_context krbctx,
+   krb5_data *salt)
+{
+krb5_error_code kerr;
+int i;
+
+/* make random salt */
+salt-length = KRB5P_SALT_SIZE;
+salt-data = malloc(KRB5P_SALT_SIZE);
+if (!salt-data) {
+return ENOMEM;
+}
+kerr = krb5_c_random_make_octets(krbctx, salt);
+if (kerr) {
+return kerr;
+}
+
+/* Windows treats the salt as a string.
+ * To avoid any compatibility issue, limits octects only to
+ * the ASCII printable range, or 0x20 = val = 0x7E */
+for (i = 0; i  salt-length; i++) {
+salt-data[i] %= 0x5E; /* 7E - 20 */
+salt-data[i] += 0x20; /* add base */
+}
+
+return 0;
+}
+
 static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
 struct ipapwd_data *data,
 char **errMesg)
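Review bot: The printable-range math in ipa_get_random_salt() is not safe for signed `char`: `salt->data[i]` is a `char`, and when the octet is negative `%= 0x5E` keeps it negative and `+= 0x20` lands outside 0x20..0x7E, so the salt can still contain unprintable bytes. Do the arithmetic on an unsigned copy, `int v = (unsigned char)salt->data[i]; v %= 0x5E; salt->data[i] = v + 0x20;`. Note also that `% 0x5E` yields at most 0x5D, so the result never reaches the 0x7E promised by the comment (`% 0x5F` would cover the full range), and that the buffer allocated here is not released when krb5_c_random_make_octets() fails; whether the caller frees salt.data on that path is not visible from this hunk.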
@@ -376,14 +405,7 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
 
 case KRB5_KDB_SALTTYPE_SPECIAL:
 
-/* make random salt */
-salt.length = KRB5P_SALT_SIZE;
-salt.data = malloc(KRB5P_SALT_SIZE);
-if (!salt.data) {
-LOG_OOM();
-goto enc_error;
-}
-krberr = krb5_c_random_make_octets(krbctx, salt);
+krberr = ipa_get_random_salt(krbctx, salt);
 if (krberr) {
 LOG_FATAL(krb5_c_random_make_octets failed [%s]\n,
   krb5_get_error_message(krbctx, krberr));
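Review bot: The error message on the LOG_FATAL line still names krb5_c_random_make_octets, but krberr now comes from ipa_get_random_salt(), which also returns ENOMEM when its malloc fails, so an allocation failure is logged under a misleading name; use `LOG_FATAL("ipa_get_random_salt failed [%s]\n", krb5_get_error_message(krbctx, krberr));`. The removed lines reported allocation failure explicitly via LOG_OOM(); that distinct message is lost on this path unless the helper or the caller restores it. The same applies to the corresponding hunks of the two later ipa-2-1 revisions of this patch further down the page. encrypt_encode_key() continues outside the hunk.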
-- 
1.7.7


Re: [Freeipa-devel] [PATCH] 306 Moved facet code into facet.js.

2011-11-04 Thread Petr Vobornik

On 11/04/2011 04:35 AM, Endi Sukma Dewata wrote:

Facet-related code has been moved from entity.js into a new facet.js
because the file is getting too big.



ACK and pushed to master


--
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 029 Page is cleared before it is visible

2011-11-04 Thread Petr Vobornik

On 11/03/2011 10:22 PM, Endi Sukma Dewata wrote:

On 11/2/2011 11:01 AM, Petr Vobornik wrote:

Regardless, ACK and pushed to master.


Found another problem, the krbtpolicy  config need to be forced to
update. See the attached patch.


ACK and pushed to master.

--
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 307 Added extensible UI framework.

2011-11-04 Thread Petr Vobornik

On 11/04/2011 04:37 AM, Endi Sukma Dewata wrote:

The entity definitions have been converted into classes. The entity
init() method will use the builder to construct the facets and dialogs.
The UI can be customized by creating a subclass of the original entity
in extension.js and then overriding the init() method.

Ticket #2043


There is a warning/error in the browser when there is no extension.js 
present. This doesn't affect functionality, but I think we should try to 
eliminate this kind of error. The same problem exists for develop.js on 
production machines. This can be fixed separately.


ACK and pushed to master

--
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 307 Added extensible UI framework.

2011-11-04 Thread Adam Young

On 11/04/2011 12:10 PM, Petr Vobornik wrote:

On 11/04/2011 04:37 AM, Endi Sukma Dewata wrote:

The entity definitions have been converted into classes. The entity
init() method will use the builder to construct the facets and dialogs.
The UI can be customized by creating a subclass of the original entity
in extension.js and then overriding the init() method.

Ticket #2043


There is a warning/error in the browser when there is no extension.js 
present. This doesn't affect functionality, but I think we should try 
to eliminate this kind of error. The same problem exists for develop.js on 
production machines. This can be fixed separately.


ACK and pushed to master

One solution is to have stub extension.js and develop.js files with 
nothing in them. In the case of the extension.js file, it should be 
there, and served out of /etc/ipa/http. develop.js should be done by 
converting develop_blank.js to develop.js when packaging up the RPM.




Re: [Freeipa-devel] [PATCH] 030 Extending facet's mechanism of gathering changes

2011-11-04 Thread Endi Sukma Dewata

Rebased, ACK, and pushed to master. Some comments below.

On 11/4/2011 7:21 AM, Petr Vobornik wrote:

I consider the command builder more of a utility class than a proper
builder. If it gathered more functionality, it would be better to
change it that way.


I think in general a utility class doesn't always have to be a singular 
object. Since it involves a loop and you'll be passing the same objects over 
multiple invocations, we might want to consider refactoring that method 
into a separate utility class.


Also consider enhancing the class itself rather than relying on a 
utility class. Take a look at IPA.update_info_builder, this class is now 
handling different objects: update_info, field_info, and command_info. 
However, it's not clear which class the merge() and copy() are handling 
unless we look into the implementation or rename the methods to include 
the class name. In my opinion the code will look a lot cleaner if the 
methods are moved into the corresponding classes. Just something to 
think about.



4. The create_fields_update_command() is essentially the same as
create_standard_update_command(). When the command_mode is 'save' is it
possible to generate an update_info from records so we can just call
create_fields_update_command()?


Created save_as_update_info(only_dirty, require_value) method which
should do the trick.

It internally uses the save(record) method to get all data, and the parameters
are used to get only the changes. This allowed deleting the
add_record_to_command and create_fields_update_command methods.


Perhaps the save_as_update_info() later can be merged with 
get_update_info() too because both are essentially generating 
update_info for dirty fields.



Attached preview patch for #1515. Also attaching diff patch of reviewed
patch.


OK, I see how the enable widget creates the update info. How would you 
handle the removal of users in HBAC rule when the usercategory is 
changed to ALL?


--
Endi S. Dewata



Re: [Freeipa-devel] [PATCH] 307 Added extensible UI framework.

2011-11-04 Thread Endi Sukma Dewata

On 11/4/2011 12:11 PM, Adam Young wrote:

There is a warning/error in the browser when there is no extension.js
present. This doesn't affect functionality, but I think we should try
to eliminate this kind of error. The same problem exists for develop.js on
production machines. This can be fixed separately.


One solution is to have stub extension.js and develop.js files with
nothing in them. In the case of the extension.js file, it should be
there, and served out of /etc/ipa/http. develop.js should be done by
converting develop_blank.js to develop.js when packaging up the RPM.


I don't actually see any warnings with Firefox, but I agree we shouldn't 
create a broken link. Ideally when viewing the static files during 
development we shouldn't have a broken link either, not just in the 
production machine.


How about this: we rename develop.js to extension.js, but we don't 
include it in the RPM. Then during RPM install we touch 
extension.js so we don't override an existing file, and we don't remove 
it during uninstall either. Then we can remove any references to 
develop.js too.


Is it ok to create the extension.js in /usr/share/ipa/ui?

--
Endi S. Dewata



Re: [Freeipa-devel] [PATCH] #2038 modify salt creation

2011-11-04 Thread Nalin Dahyabhai
On Thu, Nov 03, 2011 at 06:26:15PM -0400, Simo Sorce wrote:
 As stated in the bug in order to attain better interoperability with
 Windows clients we need to change the way we generate the random salt.

Nack.  The data in a krb5_data is of type 'char', and if it's signed,
the math used here doesn't produce a printable result.  Might also want
to increase KRB5P_SALT_SIZE.

Nalin



Re: [Freeipa-devel] [PATCH] #2038 modify salt creation

2011-11-04 Thread Simo Sorce
On Fri, 2011-11-04 at 15:15 -0400, Nalin Dahyabhai wrote:
 On Thu, Nov 03, 2011 at 06:26:15PM -0400, Simo Sorce wrote:
  As stated in the bug in order to attain better interoperability with
  Windows clients we need to change the way we generate the random salt.
 
 Nack.  The data in a krb5_data is of type 'char', and if it's signed,
 the math used here doesn't produce a printable result.  Might also want
 to increase KRB5P_SALT_SIZE.

Ah crap, right.

I initially used a safe construct: data[i] &= 0x5F
Then realized that one of the possible values (5F + 20 = 7F) is
unprintable, so I switched to this unsafe one.

Will get a revised patch for ipa-2-1 and an amendment for master.

Thanks a lot for spotting this one!

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH] #2038 modify salt creation

2011-11-04 Thread Simo Sorce
On Fri, 2011-11-04 at 15:59 -0400, Simo Sorce wrote:
 On Fri, 2011-11-04 at 15:15 -0400, Nalin Dahyabhai wrote:
  On Thu, Nov 03, 2011 at 06:26:15PM -0400, Simo Sorce wrote:
   As stated in the bug in order to attain better interoperability with
   Windows clients we need to change the way we generate the random salt.
  
  Nack.  The data in a krb5_data is of type 'char', and if it's signed,
  the math used here doesn't produce a printable result.  Might also want
  to increase KRB5P_SALT_SIZE.
 
 Ah crap, right.
 
 I initially used a safe construct: data[i] &= 0x5F
 Then realized that one of the possible values (5F + 20 = 7F) is
 unprintable, so I switched to this unsafe one.
 
 Will get a revised patch for ipa-2-1 and an amendment for master.
 
 Thanks a lot for spotting this one!

Attached amendment patch for master and an already amended new patch for
ipa-2-1.


-- 
Simo Sorce * Red Hat, Inc * New York
From 40034df9def29b1a649a5b3d1586966eb186c97e Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Fri, 4 Nov 2011 16:04:19 -0400
Subject: [PATCH] Amend #2038 fix

The math was unsafe, thanks to Nalin for spotting it.
---
 util/ipa_krb5.c |7 ++-
 1 files changed, 6 insertions(+), 1 deletions(-)

diff --git a/util/ipa_krb5.c b/util/ipa_krb5.c
index ba9d3cefce0944d790715c3249f158b9f0ae232d..0d487fb8aa1df47295c76e09f841f475a6d0e3de 100644
--- a/util/ipa_krb5.c
+++ b/util/ipa_krb5.c
@@ -30,8 +30,13 @@ static krb5_error_code ipa_get_random_salt(krb5_context krbctx,
  * To avoid any compatibility issue, limits octects only to
  * the ASCII printable range, or 0x20 = val = 0x7E */
 for (i = 0; i  salt-length; i++) {
-salt-data[i] %= 0x5E; /* 7E - 20 */
+/* math must be sign-safe as krb5_data octets use signed chars */
+salt-data[i] = 0x5F; /* Cut down and ... */
 salt-data[i] += 0x20; /* add base */
+/* add a pseudo random substitute for unprintable DEL */
+if (salt-data[i] == 0x7F) {
+salt-data[i] = 0x30 + i;
+}
 }
 
 return 0;
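Review bot: The DEL substitute `salt->data[i] = 0x30 + i;` replaces a random octet with a value derived only from the loop index, and it stays printable only while i < 0x4F, so whether the salt stays in range depends on KRB5P_SALT_SIZE (not visible here). In addition the mask `&= 0x5F` keeps six of the eight random bits, so each octet takes one of 64 values instead of the 94 the comment's 0x20..0x7E range promises. Mapping the full octet through an unsigned modulo, `int v = (unsigned char)salt->data[i]; salt->data[i] = 0x20 + v % 0x5F;`, avoids both the sign issue and the special case. The identical loop appears in the ipa-2-1 patch below (hunk @@ -249,6 +250,39 @@ of ipapwd_encoding.c). ipa_get_random_salt() starts outside the hunk.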
-- 
1.7.7

From d07db98f70759c98a046042100828d3debc4cdcb Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Thu, 3 Nov 2011 16:15:10 -0400
Subject: [PATCH] Modify random salt creation for interoperability

port to ipa-2-1
amended math safety issue

See:
https://fedorahosted.org/freeipa/ticket/2038
---
 .../ipa-pwd-extop/ipapwd_encoding.c|   43 
 1 files changed, 35 insertions(+), 8 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
index cd4610c6ffd6f1b4eae61521335a7e26d319fa9d..6f61e92be54018d0f3d2c35b2879716d16d96512 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
@@ -47,6 +47,7 @@
 #include sys/stat.h
 #include fcntl.h
 #include unistd.h
+#include errno.h
 
 #include dirsrv/slapi-plugin.h
 #include lber.h
@@ -249,6 +250,39 @@ void encode_int16(unsigned int val, unsigned char *p)
 p[0] = (val  )  0xff;
 }
 
+static krb5_error_code ipa_get_random_salt(krb5_context krbctx,
+   krb5_data *salt)
+{
+krb5_error_code kerr;
+int i;
+
+/* make random salt */
+salt-length = KRB5P_SALT_SIZE;
+salt-data = malloc(KRB5P_SALT_SIZE);
+if (!salt-data) {
+return ENOMEM;
+}
+kerr = krb5_c_random_make_octets(krbctx, salt);
+if (kerr) {
+return kerr;
+}
+
+/* Windows treats the salt as a string.
+ * To avoid any compatibility issue, limits octects only to
+ * the ASCII printable range, or 0x20 = val = 0x7E */
+for (i = 0; i  salt-length; i++) {
+/* math must be sign-safe as krb5_data octets use signed chars */
+salt-data[i] = 0x5F; /* Cut down and ... */
+salt-data[i] += 0x20; /* add base */
+/* add a pseudo random substitute for unprintable DEL */
+if (salt-data[i] == 0x7F) {
+salt-data[i] = 0x30 + i;
+}
+}
+
+return 0;
+}
+
 static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
 struct ipapwd_data *data,
 char **errMesg)
@@ -376,14 +410,7 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
 
 case KRB5_KDB_SALTTYPE_SPECIAL:
 
-/* make random salt */
-salt.length = KRB5P_SALT_SIZE;
-salt.data = malloc(KRB5P_SALT_SIZE);
-if (!salt.data) {
-LOG_OOM();
-goto enc_error;
-}
-krberr = krb5_c_random_make_octets(krbctx, salt);
+krberr = ipa_get_random_salt(krbctx, salt);
 if (krberr) {
 LOG_FATAL(krb5_c_random_make_octets failed [%s]\n,
   krb5_get_error_message(krbctx, krberr));
-- 
1.7.7


Re: [Freeipa-devel] [PATCH] #2038 modify salt creation

2011-11-04 Thread Simo Sorce
On Fri, 2011-11-04 at 16:14 -0400, Simo Sorce wrote:
 On Fri, 2011-11-04 at 15:59 -0400, Simo Sorce wrote:
  On Fri, 2011-11-04 at 15:15 -0400, Nalin Dahyabhai wrote:
   On Thu, Nov 03, 2011 at 06:26:15PM -0400, Simo Sorce wrote:
As stated in the bug in order to attain better interoperability with
Windows clients we need to change the way we generate the random salt.
   
   Nack.  The data in a krb5_data is of type 'char', and if it's signed,
   the math used here doesn't produce a printable result.  Might also want
   to increase KRB5P_SALT_SIZE.
  
  Ah crap, right.
  
  I initially used a safe construct: data[i] &= 0x5F
  Then realized that one of the possible values (5F + 20 = 7F) is
  unprintable, so I switched to this unsafe one.
  
  Will get a revised patch for ipa-2-1 and an amendment for master.
  
  Thanks a lot for spotting this one!
 
 Attached amendment patch for master and an already amended new patch for
 ipa-2-1.

After a quick review with nalin offline I decided for a different
approach that properly covers the range of values we want and is more
similar to the initial code.

New patches attached.

-- 
Simo Sorce * Red Hat, Inc * New York
From cae692dc4ed817185d51f438a4f1a170b92c324c Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Fri, 4 Nov 2011 16:40:25 -0400
Subject: [PATCH] Amend #2038 fix

The math was unsafe, thanks to Nalin for spotting it.
---
 util/ipa_krb5.c |8 +---
 1 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/util/ipa_krb5.c b/util/ipa_krb5.c
index ba9d3cefce0944d790715c3249f158b9f0ae232d..d03680a6ed3bceb73516d17f5dcef8594fbc382e 100644
--- a/util/ipa_krb5.c
+++ b/util/ipa_krb5.c
@@ -13,7 +13,7 @@ static krb5_error_code ipa_get_random_salt(krb5_context krbctx,
krb5_data *salt)
 {
 krb5_error_code kerr;
-int i;
+int i, v;
 
 /* make random salt */
 salt-length = KRB5P_SALT_SIZE;
@@ -30,8 +30,10 @@ static krb5_error_code ipa_get_random_salt(krb5_context krbctx,
  * To avoid any compatibility issue, limits octects only to
  * the ASCII printable range, or 0x20 = val = 0x7E */
 for (i = 0; i  salt-length; i++) {
-salt-data[i] %= 0x5E; /* 7E - 20 */
-salt-data[i] += 0x20; /* add base */
+v = (unsigned char)salt-data[i];
+v %= 0x5E; /* 7E - 20 */
+v += 0x20; /* add base */
+salt-data[i] = v;
 }
 
 return 0;
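Review bot: `v %= 0x5E` leaves v in 0..0x5D, so after `v += 0x20` the largest octet is 0x7D and '~' (0x7E) is never produced, although the comment above the loop states the range as 0x20..0x7E; `v %= 0x5F; /* 7E - 20 + 1 */` covers the whole printable range. The cast through `unsigned char` does resolve the signed-char problem raised in the thread. A residual non-uniformity remains because 256 is not a multiple of the modulus; a salt does not need to be uniform, so that deserves a comment rather than a change. The same loop is in the ipa-2-1 patch below (hunk @@ -249,6 +250,36 @@ of ipapwd_encoding.c). ipa_get_random_salt() starts outside the hunk.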
-- 
1.7.7

From e82ee7c2fed958b2532adb224a8dcb21fa7f6caa Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Thu, 3 Nov 2011 16:15:10 -0400
Subject: [PATCH] Modify random salt creation for interoperability

port to ipa-2-1
amended math safety issue

See:
https://fedorahosted.org/freeipa/ticket/2038
---
 .../ipa-pwd-extop/ipapwd_encoding.c|   40 
 1 files changed, 32 insertions(+), 8 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
index cd4610c6ffd6f1b4eae61521335a7e26d319fa9d..fd51ed5db50eb25935b7943859c6d29097d73445 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
@@ -47,6 +47,7 @@
 #include sys/stat.h
 #include fcntl.h
 #include unistd.h
+#include errno.h
 
 #include dirsrv/slapi-plugin.h
 #include lber.h
@@ -249,6 +250,36 @@ void encode_int16(unsigned int val, unsigned char *p)
 p[0] = (val  )  0xff;
 }
 
+static krb5_error_code ipa_get_random_salt(krb5_context krbctx,
+   krb5_data *salt)
+{
+krb5_error_code kerr;
+int i, v;
+
+/* make random salt */
+salt-length = KRB5P_SALT_SIZE;
+salt-data = malloc(KRB5P_SALT_SIZE);
+if (!salt-data) {
+return ENOMEM;
+}
+kerr = krb5_c_random_make_octets(krbctx, salt);
+if (kerr) {
+return kerr;
+}
+
+/* Windows treats the salt as a string.
+ * To avoid any compatibility issue, limits octects only to
+ * the ASCII printable range, or 0x20 = val = 0x7E */
+for (i = 0; i  salt-length; i++) {
+v = (unsigned char)salt-data[i];
+v %= 0x5E; /* 7E - 20 */
+v += 0x20; /* add base */
+salt-data[i] = v;
+}
+
+return 0;
+}
+
 static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
 struct ipapwd_data *data,
 char **errMesg)
@@ -376,14 +407,7 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
 
 case KRB5_KDB_SALTTYPE_SPECIAL:
 
-/* make random salt */
-salt.length = KRB5P_SALT_SIZE;
-salt.data = malloc(KRB5P_SALT_SIZE);
-if (!salt.data) {
-LOG_OOM();
-goto enc_error;
-}
-krberr = krb5_c_random_make_octets(krbctx, salt);
+krberr = 

Re: [Freeipa-devel] [PATCH] 120 Improve DNS record data validation

2011-11-04 Thread Rob Crittenden

Martin Kosek wrote:

On Wed, 2011-10-19 at 15:38 -0400, Adam Young wrote:

On 10/19/2011 08:15 AM, Martin Kosek wrote:

On Wed, 2011-09-07 at 15:18 +0200, Martin Kosek wrote:

On Wed, 2011-09-07 at 15:05 +0200, Martin Kosek wrote:

This is 3.0 Core Effort Backlog patch.

The changes to API may look scary, but it should be OK, I just added
validators and normalizers. I found a lot of RR types unsupported by
bind-dyndb-ldap. I implemented a validator telling this information to
the user. I think the message is more user-friendly than the previous
LDAP schema error.

Enjoy the RFCs! :-)

Martin

---
Implement missing validators for DNS RR types so that we can capture
at least basic user errors. Additionally, a normalizer creating
a fully-qualified domain name has been implemented for several RRs
to prevent this common user error.

https://fedorahosted.org/freeipa/ticket/1106


I noticed a typo in format description for LOC record validation. A
fixed patch attached.

Martin

Rebased for current master.

This patch is still waiting for review. As I would like to base my next
DNS work (structured DNS commands) on this patch I would like to have it
reviewed soon.

Thanks,
Martin






I've just given it a visual review, but it looks right.  Probably
should have some unit tests to go with it for some of the more
commonly used types.


Good idea. A, , NS records are already being checked, I added tests
for MX and SRV records too.

I also refactored DNS tests a little, there were many repeatedly using
hard-coded values (like default zone manager) which would be hard to fix
if anything changes.

Martin


I can't tell what your intention is with the split for cname and dname 
but it seems to allow just about any value.


I know there are a ton of data types but is it worthwhile to have a 
positive and negative case for each to avoid regressions?


rob



Re: [Freeipa-devel] [PATCH] #2038 modify salt creation

2011-11-04 Thread Nalin Dahyabhai
On Fri, Nov 04, 2011 at 04:45:02PM -0400, Simo Sorce wrote:
 After a quick review with nalin offline I decided for a different
 approach that properly covers the range of values we want and is more
 similar to the initial code.
 
 New patches attached.

Looks good to me.  Please bump up KRB5P_SALT_SIZE, say, to 20, unless
there's a good reason not to, though.

Either way, ACK.

Nalin



Re: [Freeipa-devel] [PATCH] 152 Enable automember for upgraded servers

2011-11-04 Thread Rob Crittenden

Martin Kosek wrote:

automember functionality depends on predefined data being in LDAP.
Since we add it for fresh installs only, automember cannot be used
for upgraded servers. Make sure that automember LDAP data is added
during upgrade too.

https://fedorahosted.org/freeipa/ticket/1992


I think you need that automember schema as well. Can you check with the 
389-ds team to see if their upgrade script automatically adds new schema 
or if we have to handle that ourselves?


rob



Re: [Freeipa-devel] [PATCH] 152 Enable automember for upgraded servers

2011-11-04 Thread Nathan Kinder

On 11/04/2011 02:02 PM, Rob Crittenden wrote:

Martin Kosek wrote:

automember functionality depends on predefined data being in LDAP.
Since we add it for fresh installs only, automember cannot be used
for upgraded servers. Make sure that automember LDAP data is added
during upgrade too.

https://fedorahosted.org/freeipa/ticket/1992


I think you need that automember schema as well. Can you check with 
the 389-ds team to see if their upgrade script automatically adds new 
schema or if we have to handle that ourselves?
The new automember schema should be added by 'setup-ds.pl -u', so I 
don't expect you need to do anything around schema in FreeIPA.


rob





Re: [Freeipa-devel] [PATCH] 55 Parse comma-separated lists of values in all parameter types

2011-11-04 Thread Rob Crittenden

Jan Cholasta wrote:

Dne 24.10.2011 17:42, Rob Crittenden napsal(a):

Jan Cholasta wrote:

Dne 20.10.2011 13:20, Jan Cholasta napsal(a):

Parse comma-separated lists of values in all parameter types. This can be
enabled for a specific parameter by setting the csvlist option to
True.

Remove List parameter type and replace all occurrences with Str with
csvlist enabled.

https://fedorahosted.org/freeipa/ticket/2007

This change will be useful for
https://fedorahosted.org/freeipa/ticket/1487 and
https://fedorahosted.org/freeipa/ticket/1847

Unit tests show no regressions.

Honza



Self-NACK - I have noticed that the batch command no longer works.

Updated patch attached.

Honza


What is the benefit of this over the List parameter type?

rob


Mainly because the List parameter type is just a hack. This is the right
thing to do if we want to use comma-separated lists of parameters of any
type, with all the validation and other parameter type-specific features.

For example, I've added a new parameter type for IP addresses in my
patch 46
(http://www.redhat.com/archives/freeipa-devel/2011-September/msg00187.html)
and use it for A and  DNS records. Without this patch, we can either
use List for the record parameters and lose validation in dnsrecord-find
(because it is based on crud.Search, which strips all the custom
validation rules - like _validate_ipaddr - from the command parameters,
which is one of the causes of #1627) or use IPAddress for the record
parameters and lose the ability to specify them as comma-separated list
of values. With this patch, we can have both comma-separated lists and
validation at the same time.

Besides, the patch is not as big as it looks like, all the interesting
stuff is in ipalib/parameters.py, everything else is just
search-and-replace. Also I need it to fix #1487 and #1847 without doing
ugly hacks.

Honza



I think this would constitute a major version change.

One downside is you can no longer tell in the help which arguments take a
CSV and which don't.


I think the CSV-related Parameter options should all begin with csv, 
separator and skipspace.


The batch command may eventually be made into a command, how will that 
affect the Any type?


It otherwise seems to work in my spot-testing.

rob



Re: [Freeipa-devel] [PATCH] 152 Enable automember for upgraded servers

2011-11-04 Thread Martin Kosek
On Fri, 2011-11-04 at 14:04 -0700, Nathan Kinder wrote:
 On 11/04/2011 02:02 PM, Rob Crittenden wrote:
  Martin Kosek wrote:
  automember functionality depends on predefined data being in LDAP.
  Since we add it for fresh installs only, automember cannot be used
  for upgraded servers. Make sure that automember LDAP data is added
  during upgrade too.
 
  https://fedorahosted.org/freeipa/ticket/1992
 
  I think you need that automember schema as well. Can you check with 
  the 389-ds team to see if their upgrade script automatically adds new 
  schema or if we have to handle that ourselves?
 The new automember schema should be added by 'setup-ds.pl -u', so I 
 don't expect you need to do anything around schema in FreeIPA.
 

Nathan, when is the setup-ds.pl -u executed? When the dirsrv rpm is
updated, just like FreeIPA runs ipa-ldap-updater in rpm update %post? Or
does it have to be run manually?

I am asking because the schema problem seems like the root cause that
one user has here (the last post):

https://bugzilla.redhat.com/show_bug.cgi?id=746589

Thanks,
Martin



Re: [Freeipa-devel] [PATCH] 152 Enable automember for upgraded servers

2011-11-04 Thread Nathan Kinder

On 11/04/2011 02:26 PM, Martin Kosek wrote:

On Fri, 2011-11-04 at 14:04 -0700, Nathan Kinder wrote:

On 11/04/2011 02:02 PM, Rob Crittenden wrote:

Martin Kosek wrote:

automember functionality depends on predefined data being in LDAP.
Since we add it for fresh installs only, automember cannot be used
for upgraded servers. Make sure that automember LDAP data is added
during upgrade too.

https://fedorahosted.org/freeipa/ticket/1992

I think you need that automember schema as well. Can you check with
the 389-ds team to see if their upgrade script automatically adds new
schema or if we have to handle that ourselves?

The new automember schema should be added by 'setup-ds.pl -u', so I
don't expect you need to do anything around schema in FreeIPA.

Nathan, when is the setup-ds.pl -u executed? When the dirsrv rpm is
updated, just like FreeIPA runs ipa-ldap-updater in rpm update %post? Or
does it have to be run manually?

It is run in the %posttrans stage for 389-ds-base.

I am asking because the schema problem seems like the root cause that
one user has here (the last post):

https://bugzilla.redhat.com/show_bug.cgi?id=746589
There should be a 
'/etc/dirsrv/slapd-instance/schema/10automember-plugin.ldif' file if 
the proper version
of 389-ds-base is being used and if 'setup-ds.pl -u' successfully 
updated the schema.  There should also be
a '/etc/dirsrv/schema/10automember-plugin.ldif' file present regardless 
of 'setup-ds.pl -u' having run

successfully.

-NGK

Thanks,
Martin





Re: [Freeipa-devel] [PATCH] 152 Enable automember for upgraded servers

2011-11-04 Thread Nathan Kinder

On 11/04/2011 02:35 PM, Nathan Kinder wrote:

On 11/04/2011 02:26 PM, Martin Kosek wrote:

On Fri, 2011-11-04 at 14:04 -0700, Nathan Kinder wrote:

On 11/04/2011 02:02 PM, Rob Crittenden wrote:

Martin Kosek wrote:

automember functionality depends on predefined data being in LDAP.
Since we add it for fresh installs only, automember cannot be used
for upgraded servers. Make sure that automember LDAP data is added
during upgrade too.

https://fedorahosted.org/freeipa/ticket/1992

I think you need that automember schema as well. Can you check with
the 389-ds team to see if their upgrade script automatically adds new
schema or if we have to handle that ourselves?

The new automember schema should be added by 'setup-ds.pl -u', so I
don't expect you need to do anything around schema in FreeIPA.

Nathan, when is the setup-ds.pl -u executed? When the dirsrv rpm is
updated, just like FreeIPA runs ipa-ldap-updater in rpm update %post? Or
does it have to be run manually?

It is run in the %posttrans stage for 389-ds-base.

I am asking because the schema problem seems like the root cause that
one user has here (the last post):

https://bugzilla.redhat.com/show_bug.cgi?id=746589
There should be a 
'/etc/dirsrv/slapd-instance/schema/10automember-plugin.ldif' file if 
the proper version
of 389-ds-base is being used and if 'setup-ds.pl -u' successfully 
updated the schema.  There should also be
a '/etc/dirsrv/schema/10automember-plugin.ldif' file present 
regardless of 'setup-ds.pl -u' having run

successfully.
I just tested running 'setup-ds.pl -u' manually with a master build of 
389-ds-base, and there is a bug that is preventing the updates from 
being applied.  I logged the following bug for this:


https://bugzilla.redhat.com/show_bug.cgi?id=751495

The fix is a one-liner, and I believe Rich is working on getting a fixed 
build out ASAP.


-NGK

Thanks,
Martin







[Freeipa-devel] [PATCH] 308 Added current password field.

2011-11-04 Thread Endi Sukma Dewata

The reset password dialog for user has been modified to provide
a field to specify the current password when changing the user's
own password.

Ticket #2065

--
Endi S. Dewata
From 004bd7f1676255508fe11cf87e059607978f7593 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Fri, 4 Nov 2011 13:48:22 -0500
Subject: [PATCH] Added current password field.

The reset password dialog for user has been modified to provide
a field to specify the current password when changing the user's
own password.

Ticket #2065
---
 install/ui/test/data/ipa_init.json |2 ++
 install/ui/user.js |   34 --
 ipalib/plugins/internal.py |2 ++
 3 files changed, 32 insertions(+), 6 deletions(-)

diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json
index 9ebb52aaffa1e412b014d12cfd8e330163e28a8d..44e6b8fc679fda6f8a8c1200c2d121df130cac54 100644
--- a/install/ui/test/data/ipa_init.json
+++ b/install/ui/test/data/ipa_init.json
@@ -332,6 +332,8 @@
 }
 },
 password: {
+current_password: Current Password,
+current_password_required: Current password is required,
 new_password: New Password,
 password_change_complete: Password change complete,
 password_must_match: Passwords must match,
diff --git a/install/ui/user.js b/install/ui/user.js
index 60958cb43cf3f853c370554162600733f3d3d90d..04140afd9a8c00f89122186fcdf0c42e15c336a6 100644
--- a/install/ui/user.js
+++ b/install/ui/user.js
@@ -325,18 +325,29 @@ IPA.user_password_widget = function(spec) {
 
 that.show_dialog = function() {
 
+that.pkey = IPA.nav.get_state('user-pkey');
+that.self_service = that.pkey === IPA.whoami.uid[0];
+
 var dialog = IPA.dialog({
 title: IPA.messages.password.reset_password,
 width: 400
 });
 
-var password1 = dialog.add_field(IPA.text_widget({
+if (that.self_service) {
+dialog.add_field(IPA.text_widget({
+name: 'current_password',
+label: IPA.messages.password.current_password,
+type: 'password'
+}));
+}
+
+dialog.add_field(IPA.text_widget({
 name: 'password1',
 label: IPA.messages.password.new_password,
 type: 'password'
 }));
 
-var password2 = dialog.add_field(IPA.text_widget({
+dialog.add_field(IPA.text_widget({
 name: 'password2',
 label: IPA.messages.password.verify_password,
 type: 'password'
@@ -350,6 +361,16 @@ IPA.user_password_widget = function(spec) {
 var record = {};
 dialog.save(record);
 
+var current_password;
+
+if (that.self_service) {
+current_password = record.current_password[0];
+if (!current_password) {
+alert(IPA.messages.password.current_password_required);
+return;
+}
+}
+
 var new_password = record.password1[0];
 var repeat_password = record.password2[0];
 
@@ -359,6 +380,7 @@ IPA.user_password_widget = function(spec) {
 }
 
 that.set_password(
+current_password,
 new_password,
 function(data, text_status, xhr) {
 alert(IPA.messages.password.password_change_complete);
@@ -382,20 +404,20 @@ IPA.user_password_widget = function(spec) {
 dialog.open(that.container);
 };
 
-that.set_password = function(password, on_success, on_error) {
-var user_pkey = IPA.nav.get_state('user-pkey');
+that.set_password = function(current_password, password, on_success, on_error) {
 
 var args;
-if (user_pkey === IPA.whoami.uid[0]) {
+if (that.self_service) {
 args = [];
 } else {
-args = [user_pkey];
+args = [that.pkey];
 }
 
 var command = IPA.command({
 method: 'passwd',
 args: args,
 options: {
+current_password: current_password,
 password: password
 },
 on_success: on_success,
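Review bot: set_password now depends on `that.self_service` and `that.pkey`, which are assigned only in show_dialog (first hunk of this file); the previous version looked up the nav state itself, so a caller that invokes set_password directly now gets an undefined `self_service` and sends `args = [undefined]`. Keep a fallback, `var pkey = that.pkey || IPA.nav.get_state('user-pkey');` and derive self_service from it, or document on the function that show_dialog must have run first. The `current_password: current_password` option is also added unconditionally, so an administrative reset sends the key with an undefined value; unless the command serializer is known to drop undefined options, add it only when `that.self_service` is true. Finally, the new first positional parameter silently breaks any other caller of set_password(password, on_success, on_error); none is visible in this diff, so confirm there are none.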
diff --git a/ipalib/plugins/internal.py b/ipalib/plugins/internal.py
index 8c5b0955b1c2e2c1c0c2b15c0e026e24f9b3eefe..63eeba057eef9177db08129b49fdf266898df815 100644
--- a/ipalib/plugins/internal.py
+++ b/ipalib/plugins/internal.py
@@ -426,6 +426,8 @@ class i18n_messages(Command):
 },
 },
 password: {
+current_password: _(Current Password),
+current_password_required: _(Current password is required),
 new_password: _(New Password),

Re: [Freeipa-devel] [PATCHES] #1791 Trust Effort: Add support for generating MS-PAC

2011-11-04 Thread Sumit Bose
On Fri, Nov 04, 2011 at 10:49:40AM -0400, Simo Sorce wrote:
 The attached patches are for master and concern the effort of creating
 trust relationships between IPA and AD domains.
 
 With these patches if you have run ipa-adtrust-install the IPA kdc will
 be able to create a MS-PAC if the user has the right attributes
 ipaNTSecurityIdentifier on the user entry and on the primary group entry
 are required (or a fallback primary group).
 If the objects are not in place the MS-PAC generation is silently
 skipped and no MS-PAC will be attached to the tickets.
 
 The MS-PAC is always generated if all data is available, in future we
 may think of making this conditional, but that is not in the scope of
 these patches.
 
 In order to apply these patches you need the coverity fix patches #2036
 #2037 I sent yesterday.
 
 In order to build this code you need samba 4 experimental packages with
 the libndr_krb5pac.so library, header files and pkgconfig configuration
 files.

Please add these dependencies to the BuildRequires in the spec file.
Otherwise the patch looks fine.

bye,
Sumit

 
 Simo.
 
 -- 
 Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH] 029 Page is cleared before it is visible

2011-11-04 Thread Endi Sukma Dewata

On 11/4/2011 11:02 AM, Petr Vobornik wrote:

ACK and pushed to master.


Found another problem, changing page in the association facet didn't 
work because pkey is still the same. See the attached patch.


--
Endi S. Dewata
From 291626e4f4e464b907fae33291b430f8ead95055 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Thu, 3 Nov 2011 23:43:58 -0500
Subject: [PATCH] Fixed problem changing page in association facet.

The association facet has been modified to detect page change to
determine whether the facet needs to be updated.

Ticket #1459
---
 install/ui/association.js |   10 --
 install/ui/entity.js  |6 --
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/install/ui/association.js b/install/ui/association.js
index 6ce8fea46caa57638273d53518ce0472df58ac2d..6ef73dafe445af5c68fb506c2450fa67724efd84 100644
--- a/install/ui/association.js
+++ b/install/ui/association.js
@@ -1165,7 +1165,7 @@ IPA.association_facet = function (spec) {
 that.table.total_pages = 1;
 }
 
-that.table.current_page = 1;
+delete that.table.current_page;
 
 that.table.refresh();
 that.table.unselect_all();
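Review bot: `delete that.table.current_page;` removes the property where the old code reset it to 1, and `that.table.refresh()` runs on the very next line; if refresh derives its query offset from current_page (not visible here), it now sees undefined instead of 1. If the deletion exists only so that needs_update's comparison reports a change on the next load, a comment saying so, `// unset so needs_update() treats the page in the URL state as a change`, would make the intent clear to the next reader. The enclosing function starts outside the hunk.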
@@ -1207,8 +1207,14 @@ IPA.association_facet = function (spec) {
 
 that.needs_update = function() {
 if (that._needs_update !== undefined) return that._needs_update;
+
 var pkey = IPA.nav.get_state(that.entity.name+'-pkey');
-return that.pkey !== pkey;
+if (that.pkey !== pkey) return true;
+
+var page = parseInt(IPA.nav.get_state(that.entity_name+'-page'), 10) || 1;
+if (that.table.current_page !== page) return true;
+
+return false;
 };
 
 /*initialization*/
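Review bot: needs_update reads the pkey from `that.entity.name+'-pkey'` but the page from `that.entity_name+'-page'`; if `entity_name` is not set on association facets (nothing in this diff assigns it), the state key becomes `undefined-page`, parseInt yields NaN and the `|| 1` fallback makes every page look like page 1, so paging changes are never detected. Use the same source for both keys, `var page = parseInt(IPA.nav.get_state(that.entity.name+'-page'), 10) || 1;`, or confirm that entity_name is populated for this facet.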
diff --git a/install/ui/entity.js b/install/ui/entity.js
index 75f781e627f39489e464b950dc64f54d3063b64b..f7bf992aada9070ea81fb0271a4dce41706a7914 100644
--- a/install/ui/entity.js
+++ b/install/ui/entity.js
@@ -156,8 +156,10 @@ IPA.entity = function(spec) {
 var facet_name = IPA.nav.get_state(that.name+'-facet');
 that.facet = that.get_facet(facet_name);
 
+var needs_update = that.facet.needs_update();
+
 // same entity, same facet, and doesn't need updating = return
-if (that == prev_entity  that.facet == prev_facet  !that.facet.needs_update()) {
+if (that == prev_entity  that.facet == prev_facet  !needs_update) {
 return;
 }
 
@@ -175,7 +177,7 @@ IPA.entity = function(spec) {
 that.facet.create(facet_container);
 }
 
-if (that.facet.needs_update()) {
+if (needs_update) {
 that.facet.clear();
 that.facet.show();
 that.facet.header.select_tab();
-- 
1.7.5.1
