Re: [Freeipa-devel] [PATCH] 932 Add support for storing MAC address in host entries.
On 20.1.2012 21:15, Rob Crittenden wrote:

macaddress is a multi-valued attribute and we allow multiple entries. This is from the objectclass ieee802device.

This is added manually when doing a mod or add and not as a default to support existing host entries that do not have this objectclass. If this were added to the defaults then existing hosts missing this objectclass would not be found by host-find.

It is possible to get ethers data out of nss by configuring nsswitch.conf to use ldap for ethers and running getent ethers hostname

I tested nslcd and it only returned one macaddress value. I don't know if this is a deficiency in nslcd or expected behavior.

https://fedorahosted.org/freeipa/ticket/1132

rob

@@ -442,6 +448,7 @@ class host_add(LDAPCreate): x509.verify_cert_subject(ldap, keys[-1], cert) entry_attrs['usercertificate'] = cert entry_attrs['managedby'] = dn +entry_attrs['objectclass'].append('ieee802device') return dn def post_callback(self, ldap, dn, entry_attrs, *keys, **options):

Why do you add the objectclass here instead of adding it to host plugin's object_class attribute?

Honza

--
Jan Cholasta
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
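Review bot: the added `+entry_attrs['objectclass'].append('ieee802device')` wants a one-line comment saying why the objectclass is appended here instead of being listed in the host plugin's object_class, since the question asked in this reply will recur for every later reader (the justification quoted above in Rob's text is that hosts created before this change lack the objectclass and would otherwise be filtered out by host-find). It is also worth checking that `entry_attrs['objectclass']` at this point is a per-call copy and not the plugin's shared object_class list, because an in-place `append` on a shared list would grow by one 'ieee802device' on every host-add.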
Re: [Freeipa-devel] 389 systemd changes
On Mon, 2012-01-23 at 08:03 +0200, Alexander Bokovoy wrote:
On Sun, 22 Jan 2012, Simo Sorce wrote:

Shouldn't we just 'include' the original file and not copy it? If we include it a change in the file will be automatically picked up.

We can't due to systemd design and use of it in 389-ds. LimitNOFILE needs to be changed in the service file directly, not in the environment file in /etc/sysconfig or otherwise it will not be picked up by systemd.

I am not talking about using /etc/sysconfig options, but the .include directive for service files.

So, something like this for 389-ds?

No, you should include the actual dirsrv default service file (if any, otherwise the sysconfig one might be ok I guess).

888-
[Unit]
Description=389 Directory Server %i.
BindTo=dirsrv.target
After=dirsrv.target

[Service]
Type=forking
Environment=PIDDIR=/var/run/dirsrv
EnvironmentFile=/etc/sysconfig/dirsrv
EnvironmentFile=/etc/sysconfig/dirsrv-%i
ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i ${PIDDIR}/slapd-%i.pid -w ${PIDDIR}/slapd-%i.startpid
.include /etc/sysconfig/dirsrv.systemd
888-

and then with following /etc/sysconfig/dirsrv.systemd:

888-
[Service]
LimitNOFILE=8192
888-

local overrides can be created?

Yes I think if you put directives after the include they will override whatever is in the include.

Also I would put as much as possible in the include file and put in the specific instance files only the parameters we need to override.

It seems to work. You can't use %i macro in .include unfortunately so any configuration change will be global, not per service instance.

That's fine we want to put in there only global configuration anyways, and then override in our specific per instance control files.

# systemctl show dirsrv@IPA-LOCAL.service|grep LimitNOFILE
LimitNOFILE=8192
# systemctl status dirsrv@IPA-LOCAL.service
dirsrv@IPA-LOCAL.service - 389 Directory Server IPA-LOCAL.
	  Loaded: loaded (/lib/systemd/system/dirsrv@.service; enabled)
	  Active: active (running) since Mon, 23 Jan 2012 00:47:32 -0500; 11min ago
	 Process: 30927 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i ${PIDDIR}/slapd-%i.pid -w ${PIDDIR}/slapd-%i.startpid (code=exited, status=0/SUCCESS)
	Main PID: 30929 (ns-slapd)
	  CGroup: name=systemd:/system/dirsrv@.service/IPA-LOCAL
		  └ 30929 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-IPA-LOCAL -i /var/run/dirsrv/slapd-IPA-LOCAL.p...

I would still need a ticket to make appropriate removals in ipapython/platform/fedora16.py so that we would modify /etc/sysconfig/dirsrv.systemd and still do symlink re-linking in /etc/systemd/system/dirsrv.target.wants/.

ok.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] 389 systemd changes
On Mon, 23 Jan 2012, Simo Sorce wrote:
On Mon, 2012-01-23 at 08:03 +0200, Alexander Bokovoy wrote:
On Sun, 22 Jan 2012, Simo Sorce wrote:

Shouldn't we just 'include' the original file and not copy it? If we include it a change in the file will be automatically picked up.

We can't due to systemd design and use of it in 389-ds. LimitNOFILE needs to be changed in the service file directly, not in the environment file in /etc/sysconfig or otherwise it will not be picked up by systemd.

I am not talking about using /etc/sysconfig options, but the .include directive for service files.

So, something like this for 389-ds?

No, you should include the actual dirsrv default service file (if any, otherwise the sysconfig one might be ok I guess).

There is /lib/systemd/system/dirsrv@.service. The content below is from there and I think there is no need to make .include in a /etc/systemd/system/dirsrv@.service copy of it as we can ask Rich to make proper change in the original service unit. This way we only would have settings in /etc/sysconfig (or in /etc/dirsrv if that's better) and you'd have no need to intervene into /etc/systemd/system.

Paths are irrelevant but I'd prefer to use common places like /etc/sysconfig.

888-
[Unit]
Description=389 Directory Server %i.
BindTo=dirsrv.target
After=dirsrv.target

[Service]
Type=forking
Environment=PIDDIR=/var/run/dirsrv
EnvironmentFile=/etc/sysconfig/dirsrv
EnvironmentFile=/etc/sysconfig/dirsrv-%i
ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i ${PIDDIR}/slapd-%i.pid -w ${PIDDIR}/slapd-%i.startpid
.include /etc/sysconfig/dirsrv.systemd
888-

and then with following /etc/sysconfig/dirsrv.systemd:

888-
[Service]
LimitNOFILE=8192
888-

local overrides can be created?

Yes I think if you put directives after the include they will override whatever is in the include.

Depends on directive.

Also I would put as much as possible in the include file and put in the specific instance files only the parameters we need to override.

There is no specific instance service unit. There is one service unit that processes all instances, that's the whole purpose of @-services (dirsrv@.service).

It seems to work. You can't use %i macro in .include unfortunately so any configuration change will be global, not per service instance.

That's fine we want to put in there only global configuration anyways, and then override in our specific per instance control files.

See above. There are no per-instance control files.

--
/ Alexander Bokovoy
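The merging behaviour discussed in this thread (a LimitNOFILE= pulled in through `.include`, a directive placed after the include overriding what the include set, and the "depends on directive" caveat) can be checked offline with the resolver below. It is an added example written for this page, not code from the thread, from 389-ds or from FreeIPA; the unit texts are constructed (the dirsrv@.service text quoted above plus an added LimitCORE= line on each side of the include), and the set of list-valued settings is a hand-picked subset of what systemd treats that way.

```python
"""Added example: a resolver that mimics how systemd assembles a unit from its
file plus any `.include` lines, so the effect of LimitNOFILE= living in
/etc/sysconfig/dirsrv.systemd can be inspected without systemctl.  Merge rules
are the documented systemd ones: a single-valued setting takes its last
assignment, a list-valued setting (EnvironmentFile=, ExecStart=, After=, ...)
accumulates, and assigning it an empty value resets the list.  The file
contents below are constructed for this example."""

# Settings systemd treats as lists (a subset, enough for this example).
LIST_SETTINGS = {
    "EnvironmentFile", "Environment", "ExecStart", "ExecStartPre",
    "ExecStartPost", "ExecStop", "After", "Before", "Wants", "Requires",
}

# Constructed in-memory files: the unit from the thread, with a LimitCORE=
# line added after the .include, and the included fragment that also sets
# LimitCORE= so the override order is visible.
FILES = {
    "/lib/systemd/system/dirsrv@.service": """\
[Unit]
Description=389 Directory Server %i.
BindTo=dirsrv.target
After=dirsrv.target

[Service]
Type=forking
Environment=PIDDIR=/var/run/dirsrv
EnvironmentFile=/etc/sysconfig/dirsrv
EnvironmentFile=/etc/sysconfig/dirsrv-%i
ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i ${PIDDIR}/slapd-%i.pid -w ${PIDDIR}/slapd-%i.startpid
.include /etc/sysconfig/dirsrv.systemd
LimitCORE=infinity
""",
    "/etc/sysconfig/dirsrv.systemd": """\
[Service]
LimitNOFILE=8192
LimitCORE=0
""",
}


def _expand_includes(name, files, seen=frozenset()):
    """Yield the unit's lines with every `.include PATH` replaced, in place,
    by the lines of PATH (exactly where the directive appeared)."""
    if name in seen:
        raise ValueError("include loop at %s" % name)
    for line in files[name].splitlines():
        if line.strip().startswith(".include"):
            target = line.split(None, 1)[1].strip()
            for inner in _expand_includes(target, files, seen | {name}):
                yield inner
        else:
            yield line


def resolve_unit(name, files):
    """Return {section: {key: value_or_list}} as systemd would see it."""
    effective = {}
    section = None
    for raw in _expand_includes(name, files):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            effective.setdefault(section, {})   # re-entering a section keeps earlier keys
            continue
        key, sep, value = line.partition("=")
        if not sep or section is None:
            raise ValueError("malformed line: %r" % raw)
        key, value = key.strip(), value.strip()
        if key in LIST_SETTINGS:
            if value == "":
                effective[section][key] = []     # empty assignment resets the list
            else:
                effective[section].setdefault(key, []).append(value)
        else:
            effective[section][key] = value      # last assignment wins
    return effective


if __name__ == "__main__":
    unit = resolve_unit("/lib/systemd/system/dirsrv@.service", FILES)
    for key, value in sorted(unit["Service"].items()):
        print("%s=%s" % (key, value))
```

Run stand-alone, the Service section shows LimitNOFILE=8192 taken from the included file and LimitCORE=infinity because the unit's own line comes after the `.include`; move that line above the include and the included value wins instead, which is the ordering rule Simo describes. Later systemd releases deprecated `.include` and then removed it in favour of drop-in files under a `<unit>.d/` directory, which follow the same last-assignment-wins and list-accumulation rules.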
Re: [Freeipa-devel] [PATCH] 340 Enabled paging on automount keys.
On 01/19/2012 01:44 AM, Endi Sukma Dewata wrote:
On 1/18/2012 10:21 AM, Endi Sukma Dewata wrote:

The automount keys search facet has been modified to support paging. Since the automountkey-find command doesn't support --pkey-only option, the facet is configured such that during a refresh operation it will retrieve all entries (including the key and info attributes) and then display only the ones that are supposed to be visible in the current page.

Ticket #2093

New patch attached. Some attributes weren't renamed properly.

ACK and pushed to master, ipa-2-2

--
Petr Vobornik
Re: [Freeipa-devel] [PATCH] 342 Fixed inconsistent status labels.
On 01/19/2012 07:04 AM, Endi Sukma Dewata wrote:

This patch modifies the status attributes in users, DNS zones, HBAC/sudo rules, HBAC test, and SELinux User Map to use the same label (i.e. Status) and values (i.e. Enabled/Disabled). The method to change the status will be modified separately.

Ticket #2247

ACK and pushed to master, ipa-2-2

--
Petr Vobornik
Re: [Freeipa-devel] [PATCH] 341 Show disabled entries in gray.
On 01/19/2012 01:48 AM, Endi Sukma Dewata wrote:

The users, HBAC/sudo rules, HBAC test, and SELinux list pages have been modified to show disabled entries in gray. Icons will be added separately.

Ticket #1996

ACK and pushed to master, ipa-2-2

--
Petr Vobornik
Re: [Freeipa-devel] [PATCH] 931 ship ipa-upgradeconfig man page
On Fri, 2012-01-20 at 13:33 -0500, Rob Crittenden wrote:

The ipa-upgradeconfig man page was not being packaged. I updated the man page to include info about the proxy config change and modified the tool so you have to be root to execute it.

rob

ACK. Pushed to master, ipa-2-2.

Martin
Re: [Freeipa-devel] [PATCH] 932 Add support for storing MAC address in host entries.
On Mon, 2012-01-23 at 11:14 +0100, Jan Cholasta wrote:
On 20.1.2012 21:15, Rob Crittenden wrote:

macaddress is a multi-valued attribute and we allow multiple entries. This is from the objectclass ieee802device.

This is added manually when doing a mod or add and not as a default to support existing host entries that do not have this objectclass. If this were added to the defaults then existing hosts missing this objectclass would not be found by host-find.

It is possible to get ethers data out of nss by configuring nsswitch.conf to use ldap for ethers and running getent ethers hostname

I tested nslcd and it only returned one macaddress value. I don't know if this is a deficiency in nslcd or expected behavior.

https://fedorahosted.org/freeipa/ticket/1132

rob

@@ -442,6 +448,7 @@ class host_add(LDAPCreate): x509.verify_cert_subject(ldap, keys[-1], cert) entry_attrs['usercertificate'] = cert entry_attrs['managedby'] = dn +entry_attrs['objectclass'].append('ieee802device') return dn def post_callback(self, ldap, dn, entry_attrs, *keys, **options):

Why do you add the objectclass here instead of adding it to host plugin's object_class attribute?

Honza

As Rob pointed out, old host records without ieee802device objectclass wouldn't then be matched in host-find command.

I checked the patch and it looks ok. I have just 3 minor issues:

1) As you didn't specify the param with csv=True its values cannot be entered in a comma-separated list. I think we can enable this feature for MAC Address

2) I would fix capitalization of label of macaddress. A second word in a label is lowercase in other params.

3) I think we may want to implement a normalizer for MAC address which would make it either lowercase or uppercase so that we provide results with consistent case.

Martin
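The three review points above (comma-separated input, a normalizer for consistent case, and the multi-valued nature of macaddress) can be served by one small validation and normalization routine. What follows is an added example written for this page, not code from the patch, from the thread or from FreeIPA; the accepted input forms (colon- or hyphen-separated octets), the output form (lowercase, colon-separated, the notation RFC 2307 uses for macAddress) and the function names are this example's own choices. RFC 2307 defines macAddress with caseIgnoreIA5Match equality, so two spellings of one address differing only in case would collide as duplicate values in the directory; normalizing before the write keeps that from surfacing as an LDAP error.

```python
"""Added example: validate and normalize a multi-valued macaddress parameter.
Input is accepted in colon or hyphen notation (this example's choice); output
is lowercase colon-separated hex.  Duplicates that differ only in case or
separator collapse to one value, which matters because macAddress compares
case-insensitively in the directory."""
import re

# Six octets; the separator is captured on first use and required thereafter,
# so mixed forms like "aa:bb-cc:dd:ee:ff" are rejected.
_MAC_RE = re.compile(r"^[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}$", re.I)


def is_valid_mac(value):
    """True if `value` is a 6-octet MAC address in colon or hyphen notation."""
    return _MAC_RE.match(value.strip()) is not None


def normalize_mac(value):
    """Return `value` as lowercase colon-separated hex, or raise ValueError."""
    if not is_valid_mac(value):
        raise ValueError("invalid MAC address: %r" % (value,))
    return value.strip().lower().replace("-", ":")


def normalize_mac_list(values):
    """Normalize a multi-valued macaddress parameter.

    `values` may be a list of strings or a single comma-separated string (what
    a csv=True parameter would receive from the command line).  Empty items
    are dropped, every value is normalized, and values that only differ in
    case or separator collapse to one entry, in first-seen order."""
    if isinstance(values, str):
        values = values.split(",")
    seen = []
    for item in values:
        if not item.strip():
            continue
        mac = normalize_mac(item)
        if mac not in seen:
            seen.append(mac)
    return seen


if __name__ == "__main__":
    # Constructed sample input: three spellings, two distinct addresses.
    print(normalize_mac_list("00:1A:2B:3C:4D:5E, 00-1a-2b-3c-4d-5e,AA:BB:CC:DD:EE:FF"))
```

In ipalib a parameter's normalizer hook is the natural place to call `normalize_mac` (my reading of the Param API, not something the patch shows); the list-level routine is what a comma-separated CLI value would pass through before the entry is written.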
Re: [Freeipa-devel] [PATCH] 932 Add support for storing MAC address in host entries.
On 23.1.2012 16:24, Martin Kosek wrote:
On Mon, 2012-01-23 at 11:14 +0100, Jan Cholasta wrote:
On 20.1.2012 21:15, Rob Crittenden wrote:

macaddress is a multi-valued attribute and we allow multiple entries. This is from the objectclass ieee802device.

This is added manually when doing a mod or add and not as a default to support existing host entries that do not have this objectclass. If this were added to the defaults then existing hosts missing this objectclass would not be found by host-find.

It is possible to get ethers data out of nss by configuring nsswitch.conf to use ldap for ethers and running getent ethers hostname

I tested nslcd and it only returned one macaddress value. I don't know if this is a deficiency in nslcd or expected behavior.

https://fedorahosted.org/freeipa/ticket/1132

rob

@@ -442,6 +448,7 @@ class host_add(LDAPCreate): x509.verify_cert_subject(ldap, keys[-1], cert) entry_attrs['usercertificate'] = cert entry_attrs['managedby'] = dn +entry_attrs['objectclass'].append('ieee802device') return dn def post_callback(self, ldap, dn, entry_attrs, *keys, **options):

Why do you add the objectclass here instead of adding it to host plugin's object_class attribute?

Honza

As Rob pointed out, old host records without ieee802device objectclass wouldn't then be matched in host-find command.

Whoops, I have missed that. Anyway, it's good to know that, I might have to fix my SSH patches.

I checked the patch and it looks ok. I have just 3 minor issues:

1) As you didn't specify the param with csv=True its values cannot be entered in a comma-separated list. I think we can enable this feature for MAC Address

2) I would fix capitalization of label of macaddress. A second word in a label is lowercase in other params.

3) I think we may want to implement a normalizer for MAC address which would make it either lowercase or uppercase so that we provide results with consistent case.

Martin

Honza

--
Jan Cholasta
Re: [Freeipa-devel] 389 systemd changes
On 01/23/2012 07:37 AM, Alexander Bokovoy wrote:
On Mon, 23 Jan 2012, Simo Sorce wrote:
On Mon, 2012-01-23 at 08:03 +0200, Alexander Bokovoy wrote:
On Sun, 22 Jan 2012, Simo Sorce wrote:

Shouldn't we just 'include' the original file and not copy it? If we include it a change in the file will be automatically picked up.

We can't due to systemd design and use of it in 389-ds. LimitNOFILE needs to be changed in the service file directly, not in the environment file in /etc/sysconfig or otherwise it will not be picked up by systemd.

I am not talking about using /etc/sysconfig options, but the .include directive for service files.

So, something like this for 389-ds?

No, you should include the actual dirsrv default service file (if any, otherwise the sysconfig one might be ok I guess).

There is /lib/systemd/system/dirsrv@.service. The content below is from there and I think there is no need to make .include in a /etc/systemd/system/dirsrv@.service copy of it as we can ask Rich to make proper change in the original service unit. This way we only would have settings in /etc/sysconfig (or in /etc/dirsrv if that's better) and you'd have no need to intervene into /etc/systemd/system.

Paths are irrelevant but I'd prefer to use common places like /etc/sysconfig.

I have filed this ticket https://fedorahosted.org/freeipa/ticket/2300

What changes do I need to make to 389?

888-
[Unit]
Description=389 Directory Server %i.
BindTo=dirsrv.target
After=dirsrv.target

[Service]
Type=forking
Environment=PIDDIR=/var/run/dirsrv
EnvironmentFile=/etc/sysconfig/dirsrv
EnvironmentFile=/etc/sysconfig/dirsrv-%i
ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i ${PIDDIR}/slapd-%i.pid -w ${PIDDIR}/slapd-%i.startpid
.include /etc/sysconfig/dirsrv.systemd
888-

and then with following /etc/sysconfig/dirsrv.systemd:

888-
[Service]
LimitNOFILE=8192
888-

local overrides can be created?

Yes I think if you put directives after the include they will override whatever is in the include.

Depends on directive.

Also I would put as much as possible in the include file and put in the specific instance files only the parameters we need to override.

There is no specific instance service unit. There is one service unit that processes all instances, that's the whole purpose of @-services (dirsrv@.service).

It seems to work. You can't use %i macro in .include unfortunately so any configuration change will be global, not per service instance.

That's fine we want to put in there only global configuration anyways, and then override in our specific per instance control files.

See above. There are no per-instance control files.
Re: [Freeipa-devel] [PATCH] 927 fix deleting hbac rules when selinux user maps are involved
On Tue, 2012-01-17 at 17:59 -0500, Rob Crittenden wrote:

When deleting an HBAC rule we need to ensure that an SELinux user map isn't pointing at it. The search for this didn't work well at all.

This patch corrects the search and makes it more specific. I also tested that it works with the --continue flag of hbacrule-del.

The ticket has instructions on testing.

rob

Works fine. There is just one part that is IMO too complicated:

+hbacrule = options['seealso'] +kw = dict(cn=hbacrule, all=True) _entries = api.Command.hbacrule_find(None, **kw)['result'] del options['seealso'] -if _entries: -options['seealso'] = _entries[0]['dn'] +found = False +# look for an exact match. The search may return partial +# matches. +for entry in _entries: +if entry['cn'][0] == hbacrule: +found = True +options['seealso'] = entry['dn'] +if not found: +return dict(count=0, result=[], truncated=False)

I think hbacrule_find(None, cn=HBACRULE) should not return partial matches, but just the exact match (tried with hbacrule-find --name=HBACRULE). Then the loop over entries wouldn't be needed.

Couldn't we simply call hbacrule_show since we want just one HBAC rule with a known primary key?

Martin
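Review bot: the exact-match test `if entry['cn'][0] == hbacrule:` is a case-sensitive Python comparison, while cn is matched case-insensitively by the directory, so `hbacrule_find(None, cn=hbacrule)` can return the rule when the user typed a different capitalization and the loop still leaves `found = False` and returns the empty `dict(count=0, result=[], truncated=False)`, silently hiding the reference. Compare normalized values (both sides lowercased), or take the suggestion in this review and fetch the rule by its primary key instead of filtering search results; a `break` after `found = True` would also make the intent of the loop clearer.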
Re: [Freeipa-devel] [PATCH] 932 Add support for storing MAC address in host entries.
Jan Cholasta wrote:
On 20.1.2012 21:15, Rob Crittenden wrote:

macaddress is a multi-valued attribute and we allow multiple entries. This is from the objectclass ieee802device.

This is added manually when doing a mod or add and not as a default to support existing host entries that do not have this objectclass. If this were added to the defaults then existing hosts missing this objectclass would not be found by host-find.

It is possible to get ethers data out of nss by configuring nsswitch.conf to use ldap for ethers and running getent ethers hostname

I tested nslcd and it only returned one macaddress value. I don't know if this is a deficiency in nslcd or expected behavior.

https://fedorahosted.org/freeipa/ticket/1132

rob

@@ -442,6 +448,7 @@ class host_add(LDAPCreate): x509.verify_cert_subject(ldap, keys[-1], cert) entry_attrs['usercertificate'] = cert entry_attrs['managedby'] = dn + entry_attrs['objectclass'].append('ieee802device') return dn def post_callback(self, ldap, dn, entry_attrs, *keys, **options):

Why do you add the objectclass here instead of adding it to host plugin's object_class attribute?

For upgrades. If there are existing hosts that don't have this objectclass in the list then host-find won't find them. The alternative was to create a new class variable, search_objectclass but it seemed like overkill for this one-off.

rob
Re: [Freeipa-devel] [PATCH] 927 fix deleting hbac rules when selinux user maps are involved
Martin Kosek wrote:
On Tue, 2012-01-17 at 17:59 -0500, Rob Crittenden wrote:

When deleting an HBAC rule we need to ensure that an SELinux user map isn't pointing at it. The search for this didn't work well at all.

This patch corrects the search and makes it more specific. I also tested that it works with the --continue flag of hbacrule-del.

The ticket has instructions on testing.

rob

Works fine. There is just one part that is IMO too complicated:

+hbacrule = options['seealso'] +kw = dict(cn=hbacrule, all=True) _entries = api.Command.hbacrule_find(None, **kw)['result'] del options['seealso'] -if _entries: -options['seealso'] = _entries[0]['dn'] +found = False +# look for an exact match. The search may return partial +# matches. +for entry in _entries: +if entry['cn'][0] == hbacrule: +found = True +options['seealso'] = entry['dn'] +if not found: +return dict(count=0, result=[], truncated=False)

I think hbacrule_find(None, cn=HBACRULE) should not return partial matches, but just the exact match (tried with hbacrule-find --name=HBACRULE). Then the loop over entries wouldn't be needed.

Couldn't we simply call hbacrule_show since we want just one HBAC rule with a known primary key?

Martin

hbacrule_show would need to be modified to take a dn, that would be a way to fix this.

rob
Re: [Freeipa-devel] [PATCH] 341 Show disabled entries in gray.
On 01/23/2012 10:03 AM, Petr Vobornik wrote:
On 01/23/2012 03:42 PM, Petr Vobornik wrote:
On 01/19/2012 01:48 AM, Endi Sukma Dewata wrote:

The users, HBAC/sudo rules, HBAC test, and SELinux list pages have been modified to show disabled entries in gray. Icons will be added separately.

Ticket #1996

ACK and pushed to master, ipa-2-2

The patch is completely fine, but I missed that in Kyle's mockup was also shown status icons. I assume we want to do it too.

https://fedorahosted.org/freeipa/attachment/ticket/1996/deactivated_column.png

I might be confused but the mockup above does not make much sense. Is it intended for user list rather than for HBAC because Account Status for HBAC does not make any sense?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
[Freeipa-devel] [PATCH] 9 Don't set nsds5replicaupdateschedule in replication agreements
https://fedorahosted.org/freeipa/ticket/1482

The nsDS5ReplicaUpdateSchedule parameter is omitted, which results in replication being run all the time. The parameter is still used for forcing replica update but after that action it is always deleted.

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From f0c0cd98c30c8557a6b8168cab7b5f50e31e9c9a Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Mon, 23 Jan 2012 17:28:37 +0100 Subject: [PATCH] Leave nsds5replicaupdateschedule parameter unset The nsDS5ReplicaUpdateSchedule parameter is omited what results in replication being run all the time. The parameter is still used for forcing replica update but after that action it is always deleted. https://fedorahosted.org/freeipa/ticket/1482 --- ipaserver/install/replication.py | 19 --- 1 files changed, 8 insertions(+), 11 deletions(-) diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index 3ac99e6bd75f2990be346c14fce424927c6550fa..052f183468e0f65e410174ba3529c53d69fcdbeb 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py @@ -460,7 +460,6 @@ class ReplicationManager(object): entry.setValues('nsds5replicatimeout', str(TIMEOUT)) entry.setValues('nsds5replicaroot', self.suffix) if master is None: -entry.setValues('nsds5replicaupdateschedule', '-2359 0123456') entry.setValues('nsDS5ReplicatedAttributeList', '(objectclass=*) $ EXCLUDE %s' % .join(excludes)) entry.setValues('description', me to %s % b_hostname)
@@ -853,22 +852,20 @@ class ReplicationManager(object): dn = entry[0].dn schedule = entry[0].nsds5replicaupdateschedule -if schedule is None: -schedule = '-2359 0123456' # On the remote chance of a match. We force a synch to happen right -# now by changing the schedule to something else and quickly changing -# it back. -if newschedule == schedule: -newschedule = '2358-2359 1' -root_logger.info(Changing agreement %s schedule to %s to force synch % +# now by setting the schedule to something and quickly removing it. +if schedule is not None: +if newschedule == schedule: +newschedule = '2358-2359 1' +root_logger.info(Setting agreement %s schedule to %s to force synch % (dn, newschedule)) mod = [(ldap.MOD_REPLACE, 'nsDS5ReplicaUpdateSchedule', [ newschedule ])] conn.modify_s(dn, mod) time.sleep(1) -root_logger.info(Changing agreement %s to restore original schedule %s % - (dn, schedule)) -mod = [(ldap.MOD_REPLACE, 'nsDS5ReplicaUpdateSchedule', [ schedule ])] +root_logger.info(Deleting schedule %s from agreement %s % + (newschedule, dn)) +mod = [(ldap.MOD_DELETE, 'nsDS5ReplicaUpdateSchedule', None)] conn.modify_s(dn, mod) def get_agreement_type(self, hostname): -- 1.7.6.5
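Review bot: in the second hunk the force-sync path stops restoring an existing schedule: the removed lines wrote `schedule` back with `ldap.MOD_REPLACE`, while the added `mod = [(ldap.MOD_DELETE, 'nsDS5ReplicaUpdateSchedule', None)]` runs unconditionally after `time.sleep(1)`, so an agreement that did carry a schedule (the very case the new `if schedule is not None:` guard distinguishes) is left with none once the forced sync is over. Suggest keeping the restore branch when `schedule` was set and issuing the MOD_DELETE only when it was None. Note also that the unchanged `mod = ...`, `conn.modify_s(dn, mod)` and `time.sleep(1)` lines keep their old indentation, so the `if schedule is not None:` guard covers only the `newschedule == schedule` comparison; the comment above it should say so to avoid the reading that the whole block is skipped when no schedule is set.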
Re: [Freeipa-devel] [PATCH] 341 Show disabled entries in gray.
On 1/23/2012 11:23 AM, Dmitri Pal wrote:

https://fedorahosted.org/freeipa/attachment/ticket/1996/deactivated_column.png

I might be confused but the mockup above does not make much sense. Is it intended for user list rather than for HBAC because Account Status for HBAC does not make any sense?

The mockup was only used to show how the icons and the color should be used to indicate deactivated/disabled entries. Per discussion with Kyle we're changing the Enabled and Account Status columns into Status. This way it will be consistent for all entities.

https://fedorahosted.org/freeipa/ticket/2247

--
Endi S. Dewata
Re: [Freeipa-devel] [PATCH] 200 Ease zonemgr restrictions
Martin Kosek wrote:

Admin e-mail validator currently requires an email to be in a second-level domain (hostmas...@example.com). This is too restrictive. Top level domain e-mails (hostmaster@testrelm) should also be allowed.

This patch also fixes default zonemgr value in help texts and man pages.

https://fedorahosted.org/freeipa/ticket/2272

This fixes the problem of single component domain installation but it does seem to really weaken the checking. For example, if you install with your domain as example.com you can set the zonemgr e-mail to hostmaster@example.

I don't want to make this too complex, just wanted another opinion.

rob
Re: [Freeipa-devel] [PATCH] 194 Fix ipa-server-install for dual NICs
Martin Kosek wrote:
On Thu, 2012-01-19 at 17:21 -0500, Rob Crittenden wrote:
Martin Kosek wrote:
On Fri, 2012-01-13 at 10:48 -0500, Rob Crittenden wrote:
Martin Kosek wrote:

It seems I sent two patches with number 189. Sending a patch with a correct number.

Martin

On Tue, 2012-01-10 at 12:40 +0100, Martin Kosek wrote:

Depends on my patch 188
---
A server may have 2 or more NICs and its hostname may thus resolve to 2 and more forward addresses. IP address checks in install scripts do not expect this setup and may fail or crash.

This script adds a support for multiple forward addresses for a hostname. The install scripts do not crash now. When one IP address is needed, user is asked to choose from all detected server IP addresses.

https://fedorahosted.org/freeipa/ticket/2154

You have a patch 190 already as well :-)

Hm, yes :-)

This appears to depend on another patch that I haven't applied yet. Can you see if it has unpushed dependencies? (removing the adtrust part was relatively easy and unrelated).

rob

It depended on patch 188 (it was written in the top of the mail). Since it was pushed today, this patch should be applicable to master branch. I checked it and it should be OK.

Martin

Still not applying

$ patch -p1 --dry-run < /tmp/freeipa-mkosek-190-fix-ipa-server-install-for-dual-nics.patch
patching file install/tools/ipa-dns-install
patching file install/tools/ipa-replica-conncheck
patching file install/tools/ipa-replica-install
patching file ipapython/dnsclient.py
Hunk #3 FAILED at 404.
1 out of 3 hunks FAILED -- saving rejects to file ipapython/dnsclient.py.rej
patching file ipaserver/install/bindinstance.py
patching file ipaserver/install/installutils.py

Hmm, this is a mystery. It applies fine on both my master and ipa-2-2 branches:

$ git log --oneline
8c230f1 Replace float with Decimal
ea678b5 UI for SELinux user mapping
...
$ git apply ~/patches/freeipa-mkosek-194-ipa-2-2.patch
$

I wonder why the patch fails on your ipapython/dnsclient.py as its last change is somewhere in 2010.

I attached patches for both master and ipa-2-2 (without the trust bits), I hope it's OK now. These patches include a fix for unattended mode which was introduced in previous version. I was even able to finally assign a unique number to this patch :-)

Martin

ACK, pushed to master and ipa-2-2

rob
Re: [Freeipa-devel] [PATCH] 189 Fix selfservice-find crashes
Martin Kosek wrote:
On Fri, 2012-01-13 at 10:55 -0500, Rob Crittenden wrote:
Martin Kosek wrote:

Ignore empty options when performing an ACI search so that the find command does not crash.

https://fedorahosted.org/freeipa/ticket/2011
https://fedorahosted.org/freeipa/ticket/2012

I tested this and it works, I just wanted to confirm that this is the behavior we want. Empty search options are ignored. I think we'll want to document this somewhere at a minimum.

rob

I think so. This is the way that our -find commands behave:

# ipa user-find --last=
--
1 user matched
--
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 119800
  GID: 119800
  Account disabled: False
  Password: True
  Kerberos keys available: True
--
Number of entries returned 1
--

I wondered where to add this information, this is what man ipa says:

find commands take an optional criteria string as their only positional argument. If present, all objects with an attribute that contains the criteria string are displayed. If an option representing an attribute is set, only object with the attribute exactly matching the specified value are displayed. Without parameters all objects of the corresponding type are displayed.

We may enhance this documentation if we find it insufficient.

Martin

I think adding something like: "Options with empty values are ignored" or something like that.

rob
Re: [Freeipa-devel] [PATCH] 924 display both hex and decimal serial numbers
Jan Cholasta wrote:
On 18.1.2012 00:04, Rob Crittenden wrote:
Jan Cholasta wrote:
On 16.1.2012 22:02, Rob Crittenden wrote:
Rob Crittenden wrote:
Jan Cholasta wrote:
On 13.1.2012 20:53, Rob Crittenden wrote:

When viewing a certificate it will show the serial number as hex (dec).

# ipa service-show HTTP/rawhide.example.com
  Principal: HTTP/rawhide.example@example.com
  Certificate: [snip]
  Keytab: True
  Managed by: rawhide.example.com
  Subject: CN=rawhide.example.com,O=EXAMPLE.COM
  Serial Number: 0x403 (1027)
  Issuer: CN=EXAMPLE.COM Certificate Authority
  Not Before: Fri Jan 13 15:00:44 2012 UTC
  Not After: Thu Jan 13 15:00:44 2022 UTC
  Fingerprint (MD5): e5:43:17:0d:8d:af:d6:69:d8:fb:eb:ca:79:fb:47:69
  Fingerprint (SHA1): c2:9e:8e:de:42:c9:4a:29:cc:b0:a0:de:57:c7:b7:d8:f9:b5:fe:e6

rob

NACK

Displaying a host or a service in the webUI fails with IPA error 3009: invalid 'serial_number': Decimal or hexadecimal number is required for serial number.

I would suggest to do the nifty formatting of serial numbers on the client side, that would fix the webUI issue, allow non-IPA clients to parse the number without dissecting the string representation of it and probably also save me a hack in the type conversion overhaul. You could for example add a parameter flag like format_serial_number to indicate to the client that it should format the value as a serial number.

Honza

Well, we want to do as little client formatting as possible. The idea is to have a very thin client.

It doesn't seem right to me to enforce this specific representation of what is really just an integer at the API level. Doing a little formatting on the client side won't make the client(s) particularly fat, will it?

Yes. The current code just outputs labels and data. There is no "if it is this attribute then do that" logic.

IMHO there is too much stuff done on server that would make more sense to do on client anyway (especially CLI-specific stuff such as CSV parsing).

What is the reason we want such a thin client?

To avoid double work such that every time we want a formatting change we have to change it in multiple places. This lesson was learned in v1.

I believe there should be clear separation of presentation and content, but perhaps I'm a little bit too idealistic :-).

You have a point, serial number is defined as an integer. Perhaps we should revisit this decision to display hex at all.

I'll look into fixing the UI side. I don't see this error in services, it displays correctly. I'm not sure if it is my browser or what but hosts don't display much of anything for me.

rob

I have just checked both master and ipa-2-2 and I'm getting the same error message (tested in Firefox 9.0.1) when viewing details of a host or a service with the usercertificate attribute set.

BTW, wouldn't it make sense to format serial numbers in the cert plugin in the same way?

Perhaps. Like I said, I'm not really in favor of this change.

rob

Maybe we can do a compromise of some sort. What about allowing the client to specify with each request what representation/formatting the server should use for the resulting entries and attributes?

That would be mighty flexible but would open a new can of worms. I think long term I'd like to be able to request what attributes to see (ala ldapsearch) but that too is a bit out of scope.

This comes down to Output being rather loosely defined and we already have a ticket open on that. It basically just defines the broad types of data to be returned (string, list, dict, etc) but not the internal components of complex types.

rob
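The failure this thread turns on (a server that emits "0x403 (1027)" while a client-side parameter only accepts a decimal or hexadecimal number) is reproduced below, with the two representations side by side. This is an added example written for this page, not code from FreeIPA or from the patch; the function names are this example's own, and the strict parser implements the acceptance rule stated in the error message quoted above rather than the project's actual parameter code.

```python
"""Added example: certificate serial numbers in display form versus integer
form.  `format_serial` builds the 'hex (dec)' string the server emits;
`parse_serial` is a strict parser with the rule from the error message
(decimal, or 0x-prefixed hexadecimal); feeding the display string back
through the strict parser is the round trip that fails in the web UI, and
`parse_display_serial` is the dissection a client would otherwise have to do."""


def format_serial(serial):
    """Render an integer serial number as hex followed by decimal in parentheses."""
    if serial < 0:
        raise ValueError("serial numbers are non-negative")
    return "0x%x (%d)" % (serial, serial)


def parse_serial(text):
    """Accept '1027' or '0x403' (either case), return int; reject anything else."""
    s = text.strip()
    try:
        return int(s, 16) if s[:2].lower() == "0x" else int(s, 10)
    except ValueError:
        raise ValueError("invalid 'serial_number': Decimal or hexadecimal "
                         "number is required for serial number")


def strict_roundtrip_ok(serial):
    """True if the display string survives the strict parser.  It does not:
    the space and the parenthesised decimal make the value unparseable."""
    try:
        return parse_serial(format_serial(serial)) == serial
    except ValueError:
        return False


def parse_display_serial(text):
    """Client-side dissection of 'HEX (DEC)'.  Both parts are parsed and must
    agree, so a mangled string cannot yield a wrong serial silently."""
    hex_part, sep, rest = text.strip().partition(" ")
    if not sep or not rest.startswith("(") or not rest.endswith(")"):
        raise ValueError("not a 'hex (dec)' serial: %r" % (text,))
    value = parse_serial(hex_part)
    if parse_serial(rest[1:-1]) != value:
        raise ValueError("hex and decimal parts disagree: %r" % (text,))
    return value


if __name__ == "__main__":
    shown = format_serial(1027)                       # constructed sample serial
    print(shown, "round-trips strictly:", strict_roundtrip_ok(1027))
    print("dissected back to", parse_display_serial(shown))
```

Returning the integer and letting each client choose a rendering keeps `parse_serial` sufficient; returning the display string forces every consumer to carry something like `parse_display_serial`, which is the duplication both sides of the thread are weighing.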
Re: [Freeipa-devel] [PATCH 59] Modify spec file to add ipa_memcached service, install and control ipa_memcached instance
This patch supersedes the previous patch; it corrects two issues Rob raised in a later patch review. The fixed issues are:
* spec file did not install ipa_memcached SysV initscript on SysV systems.
* Typo in the name of the pid file variable in the ipa_memcached initscript
-- John Dennis jden...@redhat.com Looking to carve out IT costs? www.redhat.com/carveoutcosts/
From d70c159046c86ea40dc704dd27607e7c59d431cf Mon Sep 17 00:00:00 2001 From: John Dennis jden...@redhat.com Date: Wed, 14 Dec 2011 15:19:56 -0500 Subject: [PATCH 59-1] Modify spec file to add ipa_memcached service Install control ipa_memcached instance Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit --- freeipa.spec.in | 22 ++ init/SystemV/ipa_memcached.init | 120 + init/ipa_memcached.conf |5 ++ init/systemd/ipa.conf.tmpfiles|1 + init/systemd/ipa_memcached.service| 13 install/tools/ipa-server-install |7 ++ ipaserver/install/memcacheinstance.py | 26 +++ ipaserver/install/service.py |1 + 8 files changed, 195 insertions(+), 0 deletions(-) create mode 100755 init/SystemV/ipa_memcached.init create mode 100644 init/ipa_memcached.conf create mode 100644 init/systemd/ipa.conf.tmpfiles create mode 100644 init/systemd/ipa_memcached.service create mode 100644 ipaserver/install/memcacheinstance.py diff --git a/freeipa.spec.in b/freeipa.spec.in index 2526a52..7fcbd19 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -109,6 +109,8 @@ Requires: python-ldap Requires: python-krbV Requires: acl Requires: python-pyasn1 = 0.0.9a +Requires: memcached +Requires: python-memcached %if 0%{?fedora} = 16 Requires: systemd-units = 36-3 Requires(pre): systemd-units
@@ -349,12 +351,25 @@ mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/ /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf mkdir -p %{buildroot}%{_initrddir} +mkdir %{buildroot}%{_sysconfdir}/sysconfig/ +install -m 644 init/ipa_memcached.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa_memcached + +%if 0%{?fedora} = 15 +mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d/ +install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_sysconfdir}/tmpfiles.d/ipa.conf +%endif + +mkdir -p %{buildroot}%{_localstatedir}/run/ +install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/ + %if 0%{?fedora} = 16 # Default to systemd initscripts for F16 and above mkdir -p %{buildroot}%{_unitdir} install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service +install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service %else install -m755 init/SystemV/ipa.init %{buildroot}%{_initrddir}/ipa +install -m755 init/SystemV/ipa_memcached.init %{buildroot}%{_initrddir}/ipa_memcached %endif %endif @@ -483,12 +498,19 @@ fi %{_sbindir}/ipa-upgradeconfig %{_sbindir}/ipa-compliance %{_sysconfdir}/cron.d/ipa-compliance +%config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached +%dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/ +%if 0%{?fedora} = 15 +%config %{_sysconfdir}/tmpfiles.d/ipa.conf +%endif %if 0%{?fedora} = 16 # Use systemd scheme %attr(644,root,root) %{_unitdir}/ipa.service +%attr(644,root,root) %{_unitdir}/ipa_memcached.service %else # Use SystemV scheme only before F16 %attr(755,root,root) %{_initrddir}/ipa +%attr(755,root,root) %{_initrddir}/ipa_memcached %endif %dir %{python_sitelib}/ipaserver %{python_sitelib}/ipaserver/* diff --git a/init/SystemV/ipa_memcached.init b/init/SystemV/ipa_memcached.init new file mode 100755 index 000..b30ea50 --- /dev/null +++ b/init/SystemV/ipa_memcached.init 
@@ -0,0 +1,120 @@ +#! /bin/sh +# +# chkconfig: - 55 45 +# description: The ipa_memcached daemon is a memory cache service for IPA +# processname: memcached +# config: /etc/sysconfig/ipa_memcached +# pidfile: /var/run/ipa_memcached/ipa_memcached.pid + +# Standard LSB functions +#. /lib/lsb/init-functions + +# Source function library. +. /etc/init.d/functions + +SOCKET_PATH=/var/run/ipa_memcached/ipa_memcached +USER=apache +PIDFILE=/var/run/ipa_memcached/ipa_memcached.pid +MAXCONN=1024 +CACHESIZE=64 +OPTIONS= + +if [ -f /etc/sysconfig/ipa_memcached ];then +. /etc/sysconfig/ipa_memcached +fi + +# Check that networking is up. +. /etc/sysconfig/network + +if [ $NETWORKING = no ] +then +exit 0 +fi + +prog=ipa_memcached +pidfile=${PIDFILE-/var/run/ipa_memcached/ipa_memcached.pid} +lockfile=${LOCKFILE-/var/lock/subsys/ipa_memcached} + +start () { +echo -n $Starting $prog: +# Ensure that $pidfile directory has proper permissions and exists +piddir=`dirname $pidfile` +if [ ! -d $piddir ]; then + mkdir $piddir +fi +if [ `stat -c %U $piddir` != $USER ]; then + chown $USER $piddir +fi + +daemon --pidfile ${pidfile} /usr/bin/memcached -d -s
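Review bot: in the freeipa.spec.in hunk at @@ -349,12 +351,25 @@, the new `mkdir %{buildroot}%{_sysconfdir}/sysconfig/` has no `-p`, unlike every other mkdir in that section, so `%install` aborts as soon as something else has already created that directory in the buildroot; change it to `mkdir -p %{buildroot}%{_sysconfdir}/sysconfig/` before the `install -m 644 init/ipa_memcached.conf ...` line.

Review bot: in the `start ()` function of init/SystemV/ipa_memcached.init, `mkdir $piddir` creates a missing /var/run/ipa_memcached with whatever the umask yields, while the `%files` hunk declares that same directory as `%dir %attr(0700,apache,apache)` and the memcached unix socket `SOCKET_PATH` lives inside it; the `chown $USER $piddir` that follows fixes the owner but not the mode, so use `mkdir -m 0700 $piddir` (or `install -d -m 0700 -o $USER $piddir`) so the directory is equally restricted whether it comes from the package, from tmpfiles.d or from this script.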
Re: [Freeipa-devel] [PATCH 60] Implement session support in server, Manage sessions in WSGI
This patch is self NAK'ed because its contents have been rolled into the rebased patch freeipa-jdennis-0061-1-add-session-manager-and-cache-krb-auth.patch
-- John Dennis jden...@redhat.com
Re: [Freeipa-devel] [PATCH 61] Cache authentication in session
On 01/17/2012 04:37 PM, Rob Crittenden wrote:
John Dennis wrote:
Both of these are defined in ipalib/rpc.py (among others): +KRB5_CC_NOTFOUND = -1765328243 # Matching credential not found +KRB5_FCC_NOFILE = -1765328189 # No credentials cache found
Perhaps all those defines should be moved to krb_utils.py.

RPM build errors on non-SysV systems:
File listed twice: /usr/share/ipa/ui/extension.js
Installed (but unpackaged) file(s) found: /etc/rc.d/init.d/ipa_memcached
make: *** [rpms] Error 1
(extension.js isn't yours)

In the ipa_memcached service PID_PATH needs to be PIDFILE.

It would be nice if sessions worked with the lite-server.

I am unable to view the web UI. It just loops requesting all the javascript files over and over again.

rob

Rebased patch attached (includes contents of previous patch 60). The issues with ipa_memcached belonged to patch 59; that patch was rebased and resubmitted.

I cannot reproduce the looping problem you saw. The only thing I can think of is that you were running with SELinux enabled, and currently ipa_memcached requires SELinux to be disabled, otherwise the whole caching mechanism fails.

-- John Dennis jden...@redhat.com
Re: [Freeipa-devel] 389 systemd changes
On 01/23/2012 07:37 AM, Alexander Bokovoy wrote:
On Mon, 23 Jan 2012, Simo Sorce wrote:
On Mon, 2012-01-23 at 08:03 +0200, Alexander Bokovoy wrote:
On Sun, 22 Jan 2012, Simo Sorce wrote:

Shouldn't we just 'include' the original file and not copy it? If we include it a change in the file will be automatically picked up.

We can't due to systemd design and use of it in 389-ds. LimitNOFILE needs to be changed in the service file directly, not in the environment file in /etc/sysconfig, or otherwise it will not be picked up by systemd.

I am not talking about using /etc/sysconfig options, but the .include directive for service files.

So, something like this for 389-ds?

No, you should include the actual dirsrv default service file (if any, otherwise the sysconfig one might be ok I guess).

There is /lib/systemd/system/dirsrv@.service. The content below is from there and I think there is no need to make .include in a /etc/systemd/system/dirsrv@.service copy of it as we can ask Rich to make proper change in the original service unit. This way we only would have settings in /etc/sysconfig (or in /etc/dirsrv if that's better) and you'd have no need to intervene into /etc/systemd/system. Paths are irrelevant but I'd prefer to use common places like /etc/sysconfig.

Done. This will be going out in 1.2.10.a7. I also changed the spec file so that the .pid files are removed after shutting down the servers and before doing the update, so the update to a7 should be smooth even if ipa does not amend the service file. Please test and let me know (once it is available).

[Unit]
Description=389 Directory Server %i.
BindTo=dirsrv.target
After=dirsrv.target

[Service]
Type=forking
Environment=PIDDIR=/var/run/dirsrv
EnvironmentFile=/etc/sysconfig/dirsrv
EnvironmentFile=/etc/sysconfig/dirsrv-%i
ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i ${PIDDIR}/slapd-%i.pid -w ${PIDDIR}/slapd-%i.startpid
.include /etc/sysconfig/dirsrv.systemd

and then with the following /etc/sysconfig/dirsrv.systemd:

[Service]
LimitNOFILE=8192

local overrides can be created?

Yes I think if you put directives after the include they will override whatever is in the include.

Depends on directive.

Also I would put as much as possible in the include file and put in the specific instance files only the parameters we need to override.

There is no specific instance service unit. There is one service unit that processes all instances, that's the whole purpose of @-services (dirsrv@.service).

It seems to work. You can't use %i macro in .include unfortunately so any configuration change will be global, not per service instance.

That's fine, we want to put in there only global configuration anyway, and then override in our specific per instance control files.

See above. There are no per-instance control files.
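As an added illustration (not code from 389-ds, FreeIPA or systemd), a small Python resolver that models the ordering the thread relies on: a setting assigned after the `.include` line replaces the included value, one assigned before it is replaced by the include, and `%i` in the include path is rejected because it is not expanded there. It models single-valued directives such as LimitNOFILE only; the unit and sysconfig contents are constructed from the files quoted above and written to a temporary directory.

```python
import os
import re
import tempfile

_SECTION = re.compile(r"^\[([^\]]+)\]$")

def resolve_unit(path, settings=None, section=None, depth=0):
    """Map {section: {key: value}} for a unit file, following .include;
    a later assignment of a single-valued key replaces an earlier one."""
    if depth > 8:
        raise ValueError(".include nesting too deep: %s" % path)
    settings = {} if settings is None else settings
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            m = _SECTION.match(line)
            if m:
                section = m.group(1)
                continue
            if line.startswith(".include "):
                inc = line.split(None, 1)[1]
                # %i is not expanded here (see thread): the include is global.
                if "%i" in inc:
                    raise ValueError("%%i is not expanded in .include: %s" % inc)
                resolve_unit(inc, settings, section, depth + 1)
                continue
            key, _, value = line.partition("=")
            settings.setdefault(section, {})[key.strip()] = value.strip()
    return settings

def effective_nofile(before="", after=""):
    """Constructed files: the [Service] part of the thread's dirsrv@.service
    and /etc/sysconfig/dirsrv.systemd, written to a temp dir. `before` and
    `after` are extra directives placed before/after the .include line."""
    with tempfile.TemporaryDirectory() as d:
        inc = os.path.join(d, "dirsrv.systemd")
        unit = os.path.join(d, "dirsrv@.service")
        with open(inc, "w") as fh:
            fh.write("[Service]\nLimitNOFILE=8192\n")
        with open(unit, "w") as fh:
            fh.write("[Service]\nType=forking\n%s.include %s\n%s" % (before, inc, after))
        return int(resolve_unit(unit)["Service"]["LimitNOFILE"])

if __name__ == "__main__":
    print(effective_nofile())                             # 8192, from the include
    print(effective_nofile(before="LimitNOFILE=4096\n"))  # 8192, include comes later
    print(effective_nofile(after="LimitNOFILE=4096\n"))   # 4096, local override wins
```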
Re: [Freeipa-devel] [PATCH] 927 fix deleting hbac rules when selinux user maps are involved
On Mon, 2012-01-23 at 12:20 -0500, Rob Crittenden wrote: Martin Kosek wrote: On Tue, 2012-01-17 at 17:59 -0500, Rob Crittenden wrote: When deleting an HBAC rule we need to ensure that an SELinux user map isn't pointing at it. The search for this didn't work well at all. This patch corrects the search and makes it more specific. I also tested that it works with the --continue flag of hbacrule-del. The ticket has instructions on testing. rob Works fine. There is just one part that is IMO too complicated: +hbacrule = options['seealso'] +kw = dict(cn=hbacrule, all=True) _entries = api.Command.hbacrule_find(None, **kw)['result'] del options['seealso'] -if _entries: -options['seealso'] = _entries[0]['dn'] +found = False +# look for an exact match. The search may return partial +# matches. +for entry in _entries: +if entry['cn'][0] == hbacrule: +found = True +options['seealso'] = entry['dn'] +if not found: +return dict(count=0, result=[], truncated=False) I think hbacrule_find(None, cn=HBACRULE) should not return partial matches, but just the exact match (tried with hbacrule-find --name=HBACRULE). Then the loop over entries wouldn't be needed. Couldn't we simply call hbacrule_show since we want just one HBAC rule with a known primary key? Martin hbacrule_show would need to be modified to take a dn, that would be a way to fix this. rob Not sure I see the problem with hbacrule_show. I tested this piece of code and it worked fine: selinuxusermap_find: ... if 'seealso' in options: hbacrule = options['seealso'] try: hbac = api.Command['hbacrule_show'](hbacrule, all=True)['result'] dn = hbac['dn'] except errors.NotFound: return dict(count=0, result=[], truncated=False) options['seealso'] = dn ... Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
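Review bot: in the quoted hunk, the exact-match loop compares `entry['cn'][0] == hbacrule` case-sensitively, but cn is a case-insensitive attribute in LDAP, so `hbacrule_find` can return the rule under its stored capitalisation and the loop still rejects it, making the --seealso lookup report "not found" for a correctly named rule typed in a different case; compare case-insensitively, `break` once the match is found rather than continuing through the remaining partial matches, or take the route Martin's reply shows above and call `hbacrule_show` with the primary key and catch `errors.NotFound`, which avoids the partial-match loop entirely.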