[Freeipa-devel] [PATCH] 105 Fixed checkbox value in table without pkey
When a table is displaying a record set without entity's pkey attribute. A checkbox value isn't properly prepared. This patch adds the preparation (converts value to string). https://fedorahosted.org/freeipa/ticket/2404 -- Petr Vobornik From a17c947f05597ed43a614b4a9fa3368b14bb6fa4 Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Thu, 8 Mar 2012 10:37:28 +0100 Subject: [PATCH] Fixed checkbox value in table without pkey When a table is displaying a record set without entity's pkey attribute. A checkbox value isn't properly prepared. This patch adds the preparation (converts value to string). https://fedorahosted.org/freeipa/ticket/2404 --- install/ui/widget.js |1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/install/ui/widget.js b/install/ui/widget.js index f906d165c6202b3e2b54b9299cfcafed9bccb0e4..d46bbd8aaf919ed6c52bc90f8b9fff0b49dce797 100644 --- a/install/ui/widget.js +++ b/install/ui/widget.js @@ -1615,6 +1615,7 @@ IPA.table_widget = function (spec) { if (!select_set) { value = record[that.value_attr_name]; +value = value ? value.toString() : ''; $('input[name='+that.name+']', tr).val(value); } -- 1.7.7.6 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
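Review bot: the new `value = value ? value.toString() : '';` line folds every falsy value, not only undefined/null, into the empty string, so a record whose attribute is legitimately `false` or `0` ends up with a checkbox that carries no value. If those values can occur in `record[that.value_attr_name]`, test for absence explicitly, e.g. `value = (value === undefined || value === null) ? '' : value.toString();`. Also worth a comment on the line: for a multi-valued attribute (an array) `toString()` yields a comma-joined string, which is presumably not what the table expects, so the line silently assumes the attribute is single-valued.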
[Freeipa-devel] [PATCH] 233 Fix ipa-replica-manage TLS connection error
New version of openldap (openldap-2.4.26-6.fc16.x86_64) changed its ABI and broke our TLS connection in ipa-replica-manage. This makes it impossible to connect for example to Active Directory to set up a winsync replication. We always receive a connection error stating that Peer's certificate is not recognized even though we pass a correct certificate. This patch fixes the way we set up TLS. The change is backwards compatible with older versions of openldap. https://fedorahosted.org/freeipa/ticket/2500 From 7d6012bdca21bae25ab2d4659f68e3297eb43545 Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Thu, 8 Mar 2012 13:29:04 +0100 Subject: [PATCH] Fix ipa-replica-manage TLS connection error New version of openldap (openldap-2.4.26-6.fc16.x86_64) changed its ABI and broke our TLS connection in ipa-replica-manage. This makes it impossible to connect for example to Active Directory to set up a winsync replication. We always receive a connection error stating that Peer's certificate is not recognized even though we pass a correct certificate. This patch fixes the way we set up TLS. The change is backwards compatible with older versions of openldap. https://fedorahosted.org/freeipa/ticket/2500 --- ipaserver/install/replication.py |7 +-- 1 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index 7e89eeb47f50b1138e6cca078c05eab4468989e4..94f9f294d6caf505737e44907abbdbae3ed9c1c1 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py 
@@ -755,9 +755,12 @@ class ReplicationManager(object): try: # Validate AD connection ad_conn = ldap.initialize('ldap://%s' % ipautil.format_netloc(ad_dc_name)) -#the next one is to workaround bugs arounf opendalp libs+NSS db -ad_conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0) +# the next one is to workaround bugs arounf opendalp libs+NSS db +# we need to first specify the OPT_X_TLS_CACERTFILE and _after_ +# thatinitialize the context to prevent TLS connection errors: +# https://bugzilla.redhat.com/show_bug.cgi?id=800787 ad_conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cacert) +ad_conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0) ad_conn.start_tls_s() ad_conn.simple_bind_s(ad_binddn, ad_pwd) res = ad_conn.search_s(, ldap.SCOPE_BASE, '(objectClass=*)', -- 1.7.7.6 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
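Review bot: the added comment lines re-introduce the typos from the old comment ("arounf opendalp", "thatinitialize"); since the patch rewrites those lines anyway, make them read "around openldap libs+NSS db" and "that initialize". The reordering itself matches what the comment says: OPT_X_TLS_NEWCTX builds the TLS context from the options set before it, so OPT_X_TLS_CACERTFILE set afterwards was never applied to the context used by start_tls_s(). Because the fix is purely about ordering, spell that out as an invariant in the comment ("OPT_X_TLS_NEWCTX must remain the last TLS option set") so a later edit does not move it back up.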
[Freeipa-devel] [PATCH] 16 Netgroup nisdomain and hosts validation
Netgroup nisdomain and hosts validation nisdomain validation: Added pattern to the 'nisdomain' parameter to validate the specified nisdomain name. According to most common use cases the same patter as for netgroup should fit. Unit-tests added. https://fedorahosted.org/freeipa/ticket/2447 hosts validation: Added precallback to netgroup_add_member. It validates the specified hostnames and raises ValidationError exception for invalid hostnames. Unit-test added. https://fedorahosted.org/freeipa/ticket/2448 -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada From a796dbb1eea83ecbc1442f5f062f54183b8bbdf3 Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Thu, 8 Mar 2012 14:50:14 +0100 Subject: [PATCH] Netgroup nisdomain and hosts validation nisdomain validation: Added pattern to the 'nisdomain' parameter to validate the specified nisdomain name. According to most common use cases the same patter as for netgroup should fit. Unit-tests added. https://fedorahosted.org/freeipa/ticket/2447 hosts validation: Added precallback to netgroup_add_member. It validates the specified hostnames and raises ValidationError exception for invalid hostnames. Unit-test added. https://fedorahosted.org/freeipa/ticket/2448 --- API.txt |6 ++-- VERSION |2 +- ipalib/plugins/netgroup.py| 22 tests/test_xmlrpc/test_netgroup_plugin.py | 39 + 4 files changed, 65 insertions(+), 4 deletions(-) diff --git a/API.txt b/API.txt index f21dce7a81079a5f214ecb6a8e451eca4237af2e..d0e04ef754d86a62aa1c3be818c29c381c4bc3ea 100644 --- a/API.txt +++ b/API.txt 
@@ -1920,7 +1920,7 @@ command: netgroup_add args: 1,9,3 arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', pattern_errmsg='may only include letters, numbers, _, -, and .', primary_key=True, required=True) option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=True) -option: Str('nisdomainname', attribute=True, cli_name='nisdomain', multivalue=False, required=False) +option: Str('nisdomainname', attribute=True, cli_name='nisdomain', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', pattern_errmsg='may only include letters, numbers, _, -, and .', required=False) option: StrEnum('usercategory', attribute=True, cli_name='usercat', multivalue=False, required=False, values=(u'all',)) option: StrEnum('hostcategory', attribute=True, cli_name='hostcat', multivalue=False, required=False, values=(u'all',)) option: Str('setattr*', cli_name='setattr', exclude='webui') 
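Review bot: the pattern copied from the netgroup cn, `^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$`, requires at least two characters because of the `+` on the second class, so a one-character NIS domain name is rejected with the message 'may only include letters, numbers, _, -, and .', which does not mention a length requirement. Either use `*` for the second class if single-character names should be accepted, or extend pattern_errmsg to state the minimum length; the same applies to the netgroup_find and netgroup_mod hunks below since they share the pattern.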
@@ -1957,7 +1957,7 @@ args: 1,26,4 arg: Str('criteria?', noextrawhitespace=False) option: Str('cn', attribute=True, autofill=False, cli_name='name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', pattern_errmsg='may only include letters, numbers, _, -, and .', primary_key=True, query=True, required=False) option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False) -option: Str('nisdomainname', attribute=True, autofill=False, cli_name='nisdomain', multivalue=False, query=True, required=False) +option: Str('nisdomainname', attribute=True, autofill=False, cli_name='nisdomain', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', pattern_errmsg='may only include letters, numbers, _, -, and .', query=True, required=False) option: Str('ipauniqueid', attribute=True, autofill=False, cli_name='uuid', multivalue=False, query=True, required=False) option: StrEnum('usercategory', attribute=True, autofill=False, cli_name='usercat', multivalue=False, query=True, required=False, values=(u'all',)) option: StrEnum('hostcategory', attribute=True, autofill=False, cli_name='hostcat', multivalue=False, query=True, required=False, values=(u'all',)) 
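Review bot: this hunk attaches the pattern to a `query=True` option of netgroup_find. Please confirm that Str validation is skipped for query parameters as intended; if it is not, a search such as `--nisdomain 'exam*'` would now be refused by the pattern instead of returning matches. A find test that searches by nisdomain would pin this down (the description says unit tests were added, but only the API.txt hunks are in this excerpt).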
@@ -1989,7 +1989,7 @@ command: netgroup_mod args: 1,11,3 arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', pattern_errmsg='may only include letters, numbers, _, -, and .', primary_key=True, query=True, required=True) option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) -option: Str('nisdomainname', attribute=True, autofill=False, cli_name='nisdomain', multivalue=False, required=False) +option: Str('nisdomainname', attribute=True, autofill=False, cli_name='nisdomain', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', pattern_errmsg='may only include letters, numbers, _, -, and .', required=False) option: StrEnum('usercategory', attribute=True, autofill=False, cli_name='usercat', multivalue=False, required=False, values=(u'all',)) option: StrEnum('hostcategory', attribute=True, autofill=False, cli_name='hostcat', multivalue=False, required=False, values=(u'all',)) option: Str('setattr*', cli_name='setattr',
[Freeipa-devel] [PATCH] 234 Avoid deleting DNS zone when a context is reused
When dnsrecord-del pre_callback detects that the record does not contain any records, it set a flag to connection context and deletes the record object later. However, when more dnsrecord-del share the same context (and this is the case of ipa-replica-manage del $MASTER DNS cleanup), it may reuse a positive flag from previous dnsrecord-del command and delete the root DNS zone record and thus effectively delete the zone. This patch makes sure that this flag is always initialized to sane value in dnsrecord-del pre_callback to make sure that the DNS zone is not deleted. It also fixes pre_callback function definition to prevent adding attrs_list to keys parameter and thus confuse developers. https://fedorahosted.org/freeipa/ticket/2503 From de493ca8ff05dace13f96137b8237325f1c2473c Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Thu, 8 Mar 2012 14:46:48 +0100 Subject: [PATCH] Avoid deleting DNS zone when a context is reused When dnsrecord-del pre_callback detects that the record does not contain any records, it set a flag to connection context and deletes the record object later. However, when more dnsrecord-del share the same context (and this is the case of ipa-replica-manage del $MASTER DNS cleanup), it may reuse a positive flag from previous dnsrecord-del command and delete the root DNS zone record and thus effectively delete the zone. This patch makes sure that this flag is always initialized to sane value in dnsrecord-del pre_callback to make sure that the DNS zone is not deleted. It also fixes pre_callback function definition to prevent adding attrs_list to keys parameter and thus confuse developers. https://fedorahosted.org/freeipa/ticket/2503 --- ipalib/plugins/dns.py | 15 +-- 1 files changed, 9 insertions(+), 6 deletions(-) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index a10960a2c20b8915b199ed82462a844ce8f5915c..d02528907d195370cf3c0d080bad57ddede4df08 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py 
@@ -2213,7 +2213,7 @@ class dnsrecord_mod(LDAPUpdate): self.obj.has_cli_options(options, self.no_option_msg, True) return super(dnsrecord_mod, self).args_options_2_entry(*keys, **options) -def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): +def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): for rtype in options: rtype_cb = '_%s_pre_callback' % rtype if options[rtype] is None and rtype in _record_attributes: @@ -2385,7 +2385,7 @@ class dnsrecord_del(LDAPUpdate): continue yield option -def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): +def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): try: (dn_, old_entry) = ldap.get_entry( dn, _record_attributes, @@ -2414,13 +2414,15 @@ class dnsrecord_del(LDAPUpdate): value=val) entry_attrs[attr] = list(set(old_entry[attr])) +del_all = False if not self.obj.is_pkey_zone_record(*keys): -del_all = True +record_found = False for attr in old_entry: if old_entry[attr]: -del_all = False +record_found = True break -setattr(context, 'del_all', del_all) +del_all = not record_found +setattr(context, 'del_all', del_all) return dn @@ -2436,7 +2438,8 @@ class dnsrecord_del(LDAPUpdate): result = super(dnsrecord_del, self).execute(*keys, **options) -if getattr(context, 'del_all', False): +if getattr(context, 'del_all', False) and not \ +self.obj.is_pkey_zone_record(*keys): return self.obj.methods.delentry(*keys) return result -- 1.7.7.6 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
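Review bot: initializing `del_all = False` at the top of pre_callback fixes the reuse the description describes, and the extra `and not self.obj.is_pkey_zone_record(*keys)` in execute() is a sensible second guard for the zone record. The flag still stays on the connection-wide `context` after execute() has consumed it, though, so the invariant "del_all is only ever True for the command that set it" depends on every later command resetting it. Clearing it right after it is read, e.g. `del_all = getattr(context, 'del_all', False)` followed by `setattr(context, 'del_all', False)`, makes the flag's lifetime local to one command and removes the dependency on future pre_callback code paths.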
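The flag leak that the patch above fixes can be reproduced outside IPA with a small model, which makes the "ipa-replica-manage del" scenario from the description concrete. The following Python is an added example and not FreeIPA code: `Context`, `make_store`, `is_pkey_zone_record`, `dnsrecord_del_buggy` and `dnsrecord_del_fixed` are invented stand-ins for ipalib's connection context, the LDAP entry store and the pre_callback/execute pair of dnsrecord_del; the DNs and record values are constructed for the example.

```python
# Constructed model of the shared-context flag leak in dnsrecord-del.
# Example code, not FreeIPA's own; all names below are invented for this illustration.


class Context:
    """Stand-in for ipalib's per-connection `context`: attributes set by one
    command remain visible to every later command run on the same connection."""


def make_store():
    """Toy in-memory directory, DN -> {attribute: [values]} (constructed data)."""
    return {
        # the zone record: deleting this entry deletes the whole zone
        "idnsname=example.test,cn=dns": {
            "nsrecord": ["ns1.example.test.", "ns2.example.test."]
        },
        "idnsname=www,idnsname=example.test,cn=dns": {"arecord": ["192.0.2.10"]},
    }


def is_pkey_zone_record(dn):
    # a single idnsname= component means the DN is the zone record itself
    return dn.count("idnsname=") == 1


def _remove_values(entry, to_delete):
    """Drop the requested values; return True when no record values remain."""
    for attr, values in to_delete.items():
        entry[attr] = [v for v in entry[attr] if v not in values]
    return not any(entry.values())


def dnsrecord_del_buggy(context, store, dn, to_delete):
    """Before the patch: del_all is assigned only on the non-zone branch, so a
    True value left behind by an earlier command on the same context is reused."""
    empty = _remove_values(store[dn], to_delete)
    if not is_pkey_zone_record(dn):
        context.del_all = empty
    if getattr(context, "del_all", False):
        del store[dn]
        return "entry deleted"
    return "values deleted"


def dnsrecord_del_fixed(context, store, dn, to_delete):
    """After the patch: the flag is reset for every command, and execute()
    refuses to delete the zone record even if the flag were set."""
    context.del_all = False
    empty = _remove_values(store[dn], to_delete)
    if not is_pkey_zone_record(dn):
        context.del_all = empty
    if getattr(context, "del_all", False) and not is_pkey_zone_record(dn):
        del store[dn]
        return "entry deleted"
    return "values deleted"


def zone_survives(command):
    """Run two deletes on one shared context, as a multi-step cleanup does:
    first empty and remove the www record, then drop one NS value from the zone.
    Returns True if the zone record still exists afterwards."""
    ctx = Context()
    store = make_store()
    zone = "idnsname=example.test,cn=dns"
    command(ctx, store, "idnsname=www,idnsname=example.test,cn=dns",
            {"arecord": ["192.0.2.10"]})
    command(ctx, store, zone, {"nsrecord": ["ns2.example.test."]})
    return zone in store


if __name__ == "__main__":
    print("buggy: zone survives =", zone_survives(dnsrecord_del_buggy))  # False
    print("fixed: zone survives =", zone_survives(dnsrecord_del_fixed))  # True
```

The second call in zone_survives removes only one of two NS values, so nothing about the zone record itself asks for deletion; the buggy version deletes it purely because the first command left del_all set to True on the shared context.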
Re: [Freeipa-devel] [PATCH] 233 Fix ipa-replica-manage TLS connection error
On 03/08/2012 05:33 AM, Martin Kosek wrote: New version of openldap (openldap-2.4.26-6.fc16.x86_64) changed its ABI and broke our TLS connection in ipa-replica-manage. This makes it impossible to connect for example to Active Directory to set up a winsync replication. We always receive a connection error stating that Peer's certificate is not recognized even though we pass a correct certificate. This patch fixes the way we set up TLS. The change is backwards compatible with older versions of openldap. https://fedorahosted.org/freeipa/ticket/2500 ack
Re: [Freeipa-devel] [PATCH] 924 display both hex and decimal serial numbers
On 7.3.2012 17:12, Rob Crittenden wrote: Petr Vobornik wrote: On 03/06/2012 09:56 PM, Rob Crittenden wrote: Rob Crittenden wrote: Jan Cholasta wrote: On 18.1.2012 00:04, Rob Crittenden wrote: Jan Cholasta wrote: On 16.1.2012 22:02, Rob Crittenden wrote: Rob Crittenden wrote: Jan Cholasta wrote: On 13.1.2012 20:53, Rob Crittenden wrote: When viewing a certificate it will show the serial number as hex (dec). # ipa service-show HTTP/rawhide.example.com Principal: HTTP/rawhide.example@example.com Certificate: [snip] Keytab: True Managed by: rawhide.example.com Subject: CN=rawhide.example.com,O=EXAMPLE.COM Serial Number: 0x403 (1027) Issuer: CN=EXAMPLE.COM Certificate Authority Not Before: Fri Jan 13 15:00:44 2012 UTC Not After: Thu Jan 13 15:00:44 2022 UTC Fingerprint (MD5): e5:43:17:0d:8d:af:d6:69:d8:fb:eb:ca:79:fb:47:69 Fingerprint (SHA1): c2:9e:8e:de:42:c9:4a:29:cc:b0:a0:de:57:c7:b7:d8:f9:b5:fe:e6 rob NACK Displaying a host or a service in the webUI fails with IPA error 3009: invalid 'serial_number': Decimal or hexadecimal number is required for serial number. I would suggest doing the nifty formatting of serial numbers on the client side, that would fix the webUI issue, allow non-IPA clients to parse the number without dissecting the string representation of it and probably also save me a hack in the type conversion overhaul. You could for example add a parameter flag like format_serial_number to indicate to the client that it should format the value as a serial number. Honza Well, we want to do as little client formatting as possible. The idea is to have a very thin client. It doesn't seem right to me to enforce this specific representation of what is really just an integer at the API level. Doing a little formatting on the client side won't make the client(s) particularly fat, will it? Yes. The current code just outputs labels and data. There is no if it is this attribute then do that logic.
IMHO there is too much stuff done on server that would make more sense to do on client anyway (especially CLI-specific stuff such as CSV parsing). What is the reason we want such a thin client? To avoid double work such that every time we want a formatting change we have to change it in multiple places. This lesson was learned in v1. I believe there should be clear separation of presentation and content, but perhaps I'm a little bit too idealistic :-). You have a point, serial number is defined as an integer. Perhaps we should revisit this decision to display hex at all. I'll look into fixing the UI side. I don't see this error in services, it displays correctly. I'm not sure if it is my browser or what but hosts don't display much of anything for me. rob I have just checked both master and ipa-2-2 and I'm getting the same error message (tested in Firefox 9.0.1) when viewing details of a host or a service with the usercertificate attribute set. BTW, wouldn't it make sense to format serial numbers in the cert plugin in the same way? Perhaps. Like I said, I'm not really in favor of this change. rob Maybe we can do a compromise of some sort. What about allowing the client to specify with each request what representation/formatting the server should use for the resulting entries and attributes? That would be mighty flexible but would open a new can of worms. I think long term I'd like to be able to request what attributes to see (ala ldapsearch) but that too is a bit out of scope. This comes down to Output being rather loosely defined and we already have a ticket open on that. It basically just defines the broad types of data to be returned (string, list, dict, etc) but not the internal components of complex types. Took a new approach and created a new output attribute, serial_number_hex, that is displayed separately. UI portion added as well. ACK for the UI part. I attached a patch which extends UI static testing data - to keep things in solid state. 
I think this approach is still evil (as the whole ticket) but I don't have a better solution (in CLI). We are in agreement. Question: Isn't the '0x' part a bit redundant? The label already says '(hex)'. However I can buy a 'It is a convention.' argument. Yes, I did it for convention, plus to avoid confusion for the case where it looks like a decimal number but isn't, e.g. 10. If you saw: Serial number: 16 Serial number (hex): 10 It might be confusing. 0x10 would be clearer. rob This patch works for me, but let me repeat myself: BTW, wouldn't it make sense to format serial numbers in the cert plugin in the same way? Honza -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] More types of replica in FreeIPA
On 03/06/2012 01:30 PM, Ondrej Hamada wrote: On 03/06/2012 05:47 PM, Dmitri Pal wrote: On 03/06/2012 10:59 AM, Simo Sorce wrote: On Tue, 2012-03-06 at 10:56 -0500, Dmitri Pal wrote: [...] For a read-only KDC we need to investigate what's the better solution. There are many ways we can handle the issue, one of the simplest is probably to allow the RO KDC to use a special LDAP Extended operation against a full R/W server to get the user keys to sign, authenticating with a special R/O KDC principal. We can also investigate how MS does internal forwarding and do something similar as I suspect that's something samba4-RODC will want to implement too, so we could share some of the development burden there. Simo. I do not think it is a good idea for the remote RO KDC to go back to the main datacenter on every authentication without some sort of caching. This is why I think that some kind of SSSD integration might be due. If RO KDC would just pass the authentication to SSSD in some way and SSSD would do the caching in case the office gets offline. I understand that authhub as is will not work as the client sends time stamp encrypted with password and SSSD needs plain text password as credential. I do not know if there is a way to solve this without actually sending the password in the tunnel. IMO it is more important to make sure that remote office can have uninterrupted operation than to worry about the password being sent inside the encrypted tunnel. It is something that deployment should decide and weigh risks against convenience. This is why MS does partial replication, ie allows the RODC to have data about the office users. It's complex and there are many ways to handle it. We need to look at various options and see how they would work against use cases we want to support. Simo. Then maybe Ondrej should start with formulating use cases and requirements based on this discussion.
I see three possible use cases here, but only two should be considered when speaking about a consumer node:

1) The office that should rely on that replica is quite a big one (hundreds of employees) or many different users are authenticating against its replica or there are admins located there who need to do a lot of write-operations. -- In this case I suppose the best solution is to deploy a master replica there.

2) Office that doesn't fulfil the conditions in 1) - not a desperate need for write-operations on ipa-server, but the priority is to allow (some) clients to authenticate and use available services even when the network is down. -- We need a consumer with credentials caching; authentication requests for non-cached users or write operations must be forwarded to master.

3) Office that doesn't fulfil the conditions in 1), but the priority is security, so that the consumer is not allowed to store or cache any confidential data. -- We need a consumer; authentications and write operations must be forwarded to master.

If we choose the second use case, both the caching and request forwarding must be implemented. I suppose that there shouldn't be a big problem to decide during the installation to turn the caching off by some option like '-no-caching' so that the consumer could be used for the third use case as well.

Can you please now create a set of usage scenarios for 2) and 3). User logs in and he is in cache, he is not in cache, he is redirected and data is cached, he failed and account lockout data is updated locally or on the other server? Admin tries to perform an IPA command or ldapmodify command - what happens? Can those work flows be spelled out in detail for the caching and non-caching use cases? -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/
[Freeipa-devel] [PATCH] 0022 Use ipauniqueid for the RDN of sudo commands
Since sudo commands are case-sensitive, we can't use the CN as the RDN. With this patch, the UUID is used instead. It seems like a too easy fix. What am I missing? As far as I understand, the fact that the DN has a different structure now shouldn't cause problems, even if there still are commands created by old IPA versions. For testing, use an unpatched version to create a few of these. The sudo commands are no longer sorted in sudocmd-find output. Doing that would require the ability to use an arbitrary attribute as sort key. Should I file an issue for that? Tests for the case sensitivity are included. https://fedorahosted.org/freeipa/ticket/2482 -- PetrĀ³ From e07451ae2c152feb3ce87c5241793025f12f8b2e Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Thu, 8 Mar 2012 07:55:00 -0500 Subject: [PATCH] Use ipauniqueid for the RDN of sudo commands Since sudo commands are case-sensitive, we can't use the CN as the RDN. Tests for case-sensitive behavior included https://fedorahosted.org/freeipa/ticket/2482 --- ipalib/plugins/sudocmd.py |1 + tests/test_xmlrpc/test_sudocmd_plugin.py | 82 + tests/test_xmlrpc/test_sudocmdgroup_plugin.py | 82 +--- tests/test_xmlrpc/xmlrpc_test.py | 13 +++- 4 files changed, 150 insertions(+), 28 deletions(-) diff --git a/ipalib/plugins/sudocmd.py b/ipalib/plugins/sudocmd.py index 42068edea3c51804be9ee5919934462afbee578f..f27a58cadd6e6abc16611621387f26125737bf78 100644 --- a/ipalib/plugins/sudocmd.py +++ b/ipalib/plugins/sudocmd.py @@ -62,6 +62,7 @@ class sudocmd(LDAPObject): 'memberof': ['sudocmdgroup'], } uuid_attribute = 'ipauniqueid' +rdn_attribute = 'ipauniqueid' label = _('Sudo Commands') label_singular = _('Sudo Command') diff --git a/tests/test_xmlrpc/test_sudocmd_plugin.py b/tests/test_xmlrpc/test_sudocmd_plugin.py index cbbd26cd7061ee73c44f691692072daaf6f84f50..a9f118460432e9c33f665db05df0340d73da885d 100644 --- a/tests/test_xmlrpc/test_sudocmd_plugin.py +++ b/tests/test_xmlrpc/test_sudocmd_plugin.py 
@@ -22,17 +22,20 @@ Test the `ipalib/plugins/sudocmd.py` module. from ipalib import api, errors -from tests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid +from tests.test_xmlrpc.xmlrpc_test import (Declarative, fuzzy_sudocmddn, +fuzzy_uuid) from tests.test_xmlrpc import objectclasses from ipalib.dn import * sudocmd1 = u'/usr/bin/sudotestcmd1' +sudocmd1_camelcase = u'/usr/bin/sudoTestCmd1' class test_sudocmd(Declarative): cleanup_commands = [ ('sudocmd_del', [sudocmd1], {}), +('sudocmd_del', [sudocmd1_camelcase], {}), ] tests = [ @@ -69,9 +72,7 @@ class test_sudocmd(Declarative): value=sudocmd1, summary=u'Added Sudo Command %s' % sudocmd1, result=dict( -dn=lambda x: DN(x) == \ -DN(('sudocmd',sudocmd1),('cn','sudocmds'),('cn','sudo'), - api.env.basedn), +dn=fuzzy_sudocmddn, sudocmd=[sudocmd1], description=[u'Test sudo command 1'], objectclass=objectclasses.sudocmd, @@ -80,6 +81,26 @@ class test_sudocmd(Declarative): ), ), +dict( +desc='Create %r' % sudocmd1_camelcase, +command=('sudocmd_add', [sudocmd1_camelcase], +dict( +description=u'Test sudo command 2', +), +), +expected=dict( +value=sudocmd1_camelcase, +summary=u'Added Sudo Command %s' % sudocmd1_camelcase, +result=dict( +dn=fuzzy_sudocmddn, +sudocmd=[sudocmd1_camelcase], +description=[u'Test sudo command 2'], +objectclass=objectclasses.sudocmd, +ipauniqueid=[fuzzy_uuid], +), +), +), + dict( desc='Try to create duplicate %r' % sudocmd1, @@ -91,6 +112,16 @@ class test_sudocmd(Declarative): expected=errors.DuplicateEntry(), ), +dict( +desc='Try to create duplicate %r' % sudocmd1_camelcase, +command=('sudocmd_add', [sudocmd1_camelcase], +dict( +description=u'Test sudo command 2', +), +), +expected=errors.DuplicateEntry(), +), + dict( desc='Retrieve %r' % sudocmd1, @@ -99,9 +130,7 @@ class test_sudocmd(Declarative): value=sudocmd1, summary=None, result=dict( -dn=lambda x: DN(x) == \ -DN(('sudocmd',sudocmd1),('cn','sudocmds'),('cn','sudo'), - api.env.basedn), +
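Review bot: replacing the exact-DN lambda with `fuzzy_sudocmddn` weakens the dn assertion at precisely the point this patch changes: nothing in these hunks checks that the RDN is now `ipauniqueid=...` rather than `sudocmd=...`. If fuzzy_sudocmddn (defined in xmlrpc_test.py, outside this excerpt) only matches the `cn=sudocmds,cn=sudo` suffix, add a check that the first RDN attribute is ipauniqueid and that its value equals the returned `ipauniqueid`, otherwise a regression back to a cn-based RDN would still pass. The two successful adds of `sudocmd1` and `sudocmd1_camelcase` are what actually prove case-sensitive coexistence; the camelcase duplicate test only confirms the second entry exists.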
Re: [Freeipa-devel] [PATCH] 984 fix anonlimits dn
On Wed, 2012-03-07 at 18:02 -0500, Rob Crittenden wrote: The value of nsslapd-anonlimitsdn wasn't being set properly because it wasn't quoted. This will fix it, replacing whatever is there with a correct value. rob The IPA anonlimits DN is now set correctly. However anonlimits in cn=anonymous-limits,cn=etc,SUFFIX are still empty (nsSizeLimit and nsLookThroughLimit values defined in 10-config.update are not set). Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] IPAv2 on SL6.2 using NIS fails with Failed password error
Hi All, I'm having a problem with my IPA installs; I can't seem to get the NIS mode to work. I tried it with and without 'Migration Mode' enabled. I bind to it and 'getent passwd' and 'getent group' just fine, but when I type my password (post initial kinit password change) in for ssh, I get permission denied and the following in my client-side /var/log/secure log: Mar 8 18:15:07 bastion sshd[18480]: Failed password for bob from 192.168.5.68 port 50788 ssh2 Mar 8 18:15:22 bastion sshd[18480]: Failed password for bob from 192.168.5.68 port 50788 ssh2 Mar 8 18:46:13 bastion sshd[18556]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.6.68 user=bob Mar 8 18:46:16 bastion sshd[18556]: Failed password for bob from 192.168.5.68 port 50839 ssh2 On the server, I can find no error on the server side, matching the timestamp of when I attempt login from a third host to the bastion host (see below). Am I mistaken that IPAv2 provides backwards compatible NIS, without client-side SSSD, KRB5 and the like? Am I missing a service or something? Thanks very much! Please excuse the long email. Perhaps I'm too eager. lol :-) -Joshua. BACKGROUND INFO FOLLOWS= Here are the details of my install, which is my fourth IPA install, so far. As a side note, however, I've not been able to get the NIS mode working, yet. - 2 nearly identical KVM's to test this. 
(1 for server and 1 for NIS client) - x86_64 - ext4 over LVM over qcow2 over NFSv3 - using virtio - Scientific Linux 6.2 minimal install from GUI of Install DVD - all available yum updates applied - iptables off - ipv4 only - added self FQDN to both /etc/hosts files - NetworkManager off in favor of network - static public IP's - Used the following commands to install my IPA server: # yum -y install \ ipa-server \ bind \ bind-dyndb-ldap # ipa-server-install \ -a 'admin_pass_example' \ --hostname=ipa.example.com \ -p 'dir_man_password_example' \ -n exampledom.com \ -r EXAMPLE.COM \ --setup-dns \ --forwarder=192.168.2.10 \ --forwarder=192.168.1.20 - After a reboot, logging in with Firefox works well... kinit works well after I create an initial user in the UI... Everything is cool..even enrolling other machine with the ipa-client-install tool works well.. No other changes were made inside the UI - Here are the commands I ran on the server outside the UI, per instructions (here: http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/migrating-from-nis.html ) [root@ipa ~]# ipa-compat-manage enable Directory Manager password: Plugin already Enabled [root@ipa ~]# rpcinfo program version netid addressserviceowner 104tcp6 ::.0.111 portmapper superuser 103tcp6 ::.0.111 portmapper superuser 104udp6 ::.0.111 portmapper superuser 103udp6 ::.0.111 portmapper superuser 104tcp 0.0.0.0.0.111 portmapper superuser 103tcp 0.0.0.0.0.111 portmapper superuser 102tcp 0.0.0.0.0.111 portmapper superuser 104udp 0.0.0.0.0.111 portmapper superuser 103udp 0.0.0.0.0.111 portmapper superuser 102udp 0.0.0.0.0.111 portmapper superuser 104local /var/run/rpcbind.sock portmapper superuser 103local /var/run/rpcbind.sock portmapper superuser [root@ipa ~]# ipa-nis-manage enable Directory Manager password: Enabling plugin Restarting IPA to initialize updates before performing deletes: [1/2]: stopping directory server [2/2]: starting directory server done configuring 
dirsrv. This setting will not take effect until you restart Directory Server. The rpcbind service may need to be started. [root@ipa ~]# reboot The system is going down for reboot NOW! sam@bastion:~$ ssh 192.168.5.25 Last login: Thu Mar 8 17:58:58 2012 from 192.168.5.99 [sam@ipa ~]$ su - Password: [root@ipa ~]# rpcinfo program version netid addressserviceowner 104tcp6 ::.0.111 portmapper superuser 103tcp6 ::.0.111 portmapper superuser 104udp6 ::.0.111 portmapper superuser 103udp6 ::.0.111 portmapper superuser 104tcp 0.0.0.0.0.111 portmapper superuser 103tcp 0.0.0.0.0.111 portmapper superuser 102tcp 0.0.0.0.0.111 portmapper superuser 104udp 0.0.0.0.0.111 portmapper superuser 103udp 0.0.0.0.0.111 portmapper superuser 102
Re: [Freeipa-devel] IPAv2 on SL6.2 using NIS fails with Failed password error
0:off 1:on 2:on 3:on 4:on 5:on 6:off ypbind 0:off 1:off 2:on 3:on 4:on 5:on 6:off - /etc/yp.conf (client) (I tried it with the server domain syntax, as well) ypserver 192.168.6.82 #domain example.com server 192.168.6.82 - rpcinfo (client) program version netid addressserviceowner 104tcp6 ::.0.111 portmapper superuser 103tcp6 ::.0.111 portmapper superuser 104udp6 ::.0.111 portmapper superuser 103udp6 ::.0.111 portmapper superuser 104tcp 0.0.0.0.0.111 portmapper superuser 103tcp 0.0.0.0.0.111 portmapper superuser 102tcp 0.0.0.0.0.111 portmapper superuser 104udp 0.0.0.0.0.111 portmapper superuser 103udp 0.0.0.0.0.111 portmapper superuser 102udp 0.0.0.0.0.111 portmapper superuser 104local /var/run/rpcbind.sock portmapper superuser 103local /var/run/rpcbind.sock portmapper superuser 172udp 0.0.0.0.3.46 ypbind superuser 171udp 0.0.0.0.3.46 ypbind superuser 172tcp 0.0.0.0.3.49 ypbind superuser 171tcp 0.0.0.0.3.49 ypbind superuser -- Joshua M. Dotson Systems Administrator Kno.e.sis Center Wright State University - Dayton, OH j...@knoesis.org 937-350-1563
Re: [Freeipa-devel] [PATCH] 102-103 UI part of 'Add last missing bits in new bind-dyndb-ldap'
ACK. There are some minor issues.

On 3/7/2012 10:10 AM, Petr Vobornik wrote: 1) Add support of new options in dnsconfig. dnsconfig was extended with new attributes, so reflecting it in UI. New attributes: * idnsForwardPolicy * idnsAllowSyncPTR * idnsZoneRefresh https://fedorahosted.org/freeipa/ticket/2489

If you click the idnsallowsyncptr checkbox and click again to return to the original value, it will still show the undo button.

2) DNS forwarder's value can consist of IP address and a port. The syntax is 'IP ADDRESS port PORT'. A new validator was created for this purpose. It is based on IP address validator.

The validator is rather strict, it allows exactly a single space between the words. If someone mistakenly types an additional space, the validation error could be confusing because two adjacent spaces are sometimes not very obvious. I think either the UI or the server (or both) should normalize the space. Another option is to use separate fields for the IP address and the port in the multivalued field: Global forwarders: [192.168.1.1 ] port [80 ] Delete Add -- Endi S. Dewata
Re: [Freeipa-devel] [PATCH] 104 Fixed mask validation in network_validator
On 3/7/2012 10:15 AM, Petr Vobornik wrote: Attaching patch file. On 03/07/2012 05:10 PM, Petr Vobornik wrote: Network validator allowed invalid mask format: * leading zeros: 192.168.0.1/0024 * trailing chars: 192.168.0.1/24abcd It was fixed. https://fedorahosted.org/freeipa/ticket/2493 ACK. -- Endi S. Dewata ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
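Both validator issues in this thread and the previous one (whitespace handling in 'IP ADDRESS port PORT' forwarder values, and mask strings such as 192.168.0.1/0024 or 192.168.0.1/24abcd slipping through the network validator) come down to the same strict dotted-quad parsing. The Python below is an added example, not FreeIPA's network_validator or its forwarder validator: `is_ipv4`, `validate_network` and `validate_forwarder` are invented names, the example is IPv4-only as a simplification, and all input values are constructed. validate_forwarder returns the normalized value alongside the error so a caller (UI or server) can store the canonical single-spaced form, which is the normalization suggested in the review.

```python
import re

# Added example, not FreeIPA code. IPv4-only; names and sample values are constructed.

# One decimal octet 0-255 with no leading zeros ("00", "01", "256" all fail).
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_IPV4_RE = re.compile(r"\.".join([_OCTET] * 4))
# Prefix length 0-32 written without leading zeros; range is checked separately.
_PREFIX_RE = re.compile(r"0|[1-9]\d?")
# TCP/UDP port without leading zeros; upper bound checked separately.
_PORT_RE = re.compile(r"[1-9]\d{0,4}")


def is_ipv4(text):
    """Strict dotted quad: exactly four octets and nothing before or after,
    so '192.168.0.1abc' and '192.168.00.1' are rejected."""
    return _IPV4_RE.fullmatch(text) is not None


def validate_network(text):
    """'ADDRESS/PREFIX' check for the mask cases from the thread.
    Returns None when valid, otherwise a short error message."""
    addr, sep, prefix = text.partition("/")
    if not sep:
        return "missing '/PREFIX'"
    if not is_ipv4(addr):
        return "invalid IPv4 address"
    # fullmatch rejects '0024' (leading zeros) and '24abcd' (trailing chars)
    if _PREFIX_RE.fullmatch(prefix) is None or int(prefix) > 32:
        return "invalid prefix length"
    return None


def validate_forwarder(text):
    """'IP ADDRESS' or 'IP ADDRESS port PORT'. Runs of whitespace are collapsed
    before matching so an accidental double space is not reported as an error.
    Returns (error_or_None, normalized_value_or_None)."""
    normalized = " ".join(text.split())
    parts = normalized.split(" ")
    if len(parts) not in (1, 3) or (len(parts) == 3 and parts[1] != "port"):
        return "expected 'IP ADDRESS' or 'IP ADDRESS port PORT'", None
    if not is_ipv4(parts[0]):
        return "invalid IPv4 address", None
    if len(parts) == 3:
        port = parts[2]
        if _PORT_RE.fullmatch(port) is None or int(port) > 65535:
            return "port must be 1-65535", None
    return None, normalized


if __name__ == "__main__":
    # constructed inputs covering the cases discussed in the thread
    for value in ["192.168.0.1/24", "192.168.0.1/0024", "192.168.0.1/24abcd",
                  "192.168.00.1/24", "192.168.0.1/33"]:
        print("network   %-20s -> %s" % (value, validate_network(value) or "ok"))
    for value in ["192.168.1.1 port 53", "192.168.1.1   port   53",
                  "192.168.1.1", "192.168.1.1 port", "192.168.1.1 port 0"]:
        err, norm = validate_forwarder(value)
        print("forwarder %-24r -> %s" % (value, err or "ok: %r" % norm))
```

Keeping the octet, prefix and port patterns as separate anchored pieces, and checking numeric ranges with int() after the shape check, is what makes leading zeros and trailing junk impossible to sneak past: a single permissive regex with a trailing `$` missing was exactly the class of bug fixed in patch 104.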
Re: [Freeipa-devel] [PATCH] 105 Fixed checkbox value in table without pkey
On 3/8/2012 3:47 AM, Petr Vobornik wrote: When a table is displaying a record set without entity's pkey attribute. A checkbox value isn't properly prepared. This patch adds the preparation (converts value to string). https://fedorahosted.org/freeipa/ticket/2404 ACK. -- Endi S. Dewata ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 981 set httpd_manage_ipa
On Wed, 07 Mar 2012, Rob Crittenden wrote: Set SELinux boolean httpd_manage_ipa so ipa_memcached will work in enforcing mode. This is being done in the HTTP instance so we can set both booleans in one step and save a bit of time (it is still slow). I would prefer all platform-specific manipulations of security policies to be moved to a platform-specific module. Make an HTTP class there (like I did with the dirsrv class in the systemd backend) and perform the manipulations on service enable. This way the main code will stay clear of platform-specific code. Sorry for not looking into the issue before. -- / Alexander Bokovoy