[Freeipa-devel] [PATCH] 105 Fixed checkbox value in table without pkey

2012-03-08 Thread Petr Vobornik
When a table is displaying a record set without the entity's pkey attribute, 
a checkbox value isn't properly prepared. This patch adds the 
preparation (converts the value to a string).


https://fedorahosted.org/freeipa/ticket/2404
--
Petr Vobornik
From a17c947f05597ed43a614b4a9fa3368b14bb6fa4 Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Thu, 8 Mar 2012 10:37:28 +0100
Subject: [PATCH] Fixed checkbox value in table without pkey

When a table is displaying a record set without the entity's pkey attribute, a checkbox value isn't properly prepared. This patch adds the preparation (converts the value to a string).

https://fedorahosted.org/freeipa/ticket/2404
---
 install/ui/widget.js |1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/install/ui/widget.js b/install/ui/widget.js
index f906d165c6202b3e2b54b9299cfcafed9bccb0e4..d46bbd8aaf919ed6c52bc90f8b9fff0b49dce797 100644
--- a/install/ui/widget.js
+++ b/install/ui/widget.js
@@ -1615,6 +1615,7 @@ IPA.table_widget = function (spec) {
 
 if (!select_set) {
 value = record[that.value_attr_name];
+value = value ? value.toString() : '';
 $('input[name='+that.name+']', tr).val(value);
 }
 
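Review bot: the new line `value = value ? value.toString() : '';` turns every falsy attribute value (0, false, an empty string) into '', not only an undefined or null one, so a record whose value attribute legitimately holds 0 or false would end up with an empty checkbox value. If such values can occur for `value_attr_name`, test for `value === undefined || value === null` instead. Also, when the attribute is multi-valued (an array), `toString()` joins the elements with commas; if that is not the intent, pick the element explicitly before converting.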
-- 
1.7.7.6

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 233 Fix ipa-replica-manage TLS connection error

2012-03-08 Thread Martin Kosek
New version of openldap (openldap-2.4.26-6.fc16.x86_64) changed its
ABI and broke our TLS connection in ipa-replica-manage. This makes
it impossible to connect for example to Active Directory to set up
a winsync replication. We always receive a connection error stating
that Peer's certificate is not recognized even though we pass
a correct certificate.

This patch fixes the way we set up TLS. The change is backwards
compatible with older versions of openldap.

https://fedorahosted.org/freeipa/ticket/2500

From 7d6012bdca21bae25ab2d4659f68e3297eb43545 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Thu, 8 Mar 2012 13:29:04 +0100
Subject: [PATCH] Fix ipa-replica-manage TLS connection error

New version of openldap (openldap-2.4.26-6.fc16.x86_64) changed its
ABI and broke our TLS connection in ipa-replica-manage. This makes
it impossible to connect for example to Active Directory to set up
a winsync replication. We always receive a connection error stating
that Peer's certificate is not recognized even though we pass
a correct certificate.

This patch fixes the way we set up TLS. The change is backwards
compatible with older versions of openldap.

https://fedorahosted.org/freeipa/ticket/2500
---
 ipaserver/install/replication.py |7 +--
 1 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 7e89eeb47f50b1138e6cca078c05eab4468989e4..94f9f294d6caf505737e44907abbdbae3ed9c1c1 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -755,9 +755,12 @@ class ReplicationManager(object):
 try:
 # Validate AD connection
 ad_conn = ldap.initialize('ldap://%s' % ipautil.format_netloc(ad_dc_name))
-#the next one is to workaround bugs arounf opendalp libs+NSS db
-ad_conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
+# the next one is to workaround bugs arounf opendalp libs+NSS db
+# we need to first specify the OPT_X_TLS_CACERTFILE and _after_
+# thatinitialize the context to prevent TLS connection errors:
+# https://bugzilla.redhat.com/show_bug.cgi?id=800787
 ad_conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cacert)
+ad_conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
 ad_conn.start_tls_s()
 ad_conn.simple_bind_s(ad_binddn, ad_pwd)
 res = ad_conn.search_s(, ldap.SCOPE_BASE, '(objectClass=*)',
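Review bot: while the comment block above `ad_conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cacert)` is being rewritten, fix its typos ('arounf opendalp' -> 'around openldap', 'thatinitialize' -> 'that initialize'). It would also help to state why the order matters: OPT_X_TLS_NEWCTX makes libldap build a fresh TLS context from the options set up to that point, so any TLS option set after it is not seen by that context; that is why the CACERTFILE call must come first and why the old order only broke once the library stopped tolerating it. One sentence to that effect will stop the next person from tidying the two lines back into the old order.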
-- 
1.7.7.6


[Freeipa-devel] [PATCH] 16 Netgroup nisdomain and hosts validation

2012-03-08 Thread Ondrej Hamada

Netgroup nisdomain and hosts validation

nisdomain validation:
Added pattern to the 'nisdomain' parameter to validate the specified
nisdomain name. According to the most common use cases the same pattern as
for netgroup should fit. Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2447

hosts validation:
Added precallback to netgroup_add_member. It validates the specified
hostnames and raises ValidationError exception for invalid hostnames.
Unit-test added.

https://fedorahosted.org/freeipa/ticket/2448

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From a796dbb1eea83ecbc1442f5f062f54183b8bbdf3 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Thu, 8 Mar 2012 14:50:14 +0100
Subject: [PATCH] Netgroup nisdomain and hosts validation

nisdomain validation:
Added pattern to the 'nisdomain' parameter to validate the specified
nisdomain name. According to the most common use cases the same pattern as
for netgroup should fit. Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2447

hosts validation:
Added precallback to netgroup_add_member. It validates the specified
hostnames and raises ValidationError exception for invalid hostnames.
Unit-test added.

https://fedorahosted.org/freeipa/ticket/2448
---
 API.txt   |6 ++--
 VERSION   |2 +-
 ipalib/plugins/netgroup.py|   22 
 tests/test_xmlrpc/test_netgroup_plugin.py |   39 +
 4 files changed, 65 insertions(+), 4 deletions(-)

diff --git a/API.txt b/API.txt
index f21dce7a81079a5f214ecb6a8e451eca4237af2e..d0e04ef754d86a62aa1c3be818c29c381c4bc3ea 100644
--- a/API.txt
+++ b/API.txt
@@ -1920,7 +1920,7 @@ command: netgroup_add
 args: 1,9,3
 arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', pattern_errmsg='may only include letters, numbers, _, -, and .', primary_key=True, required=True)
 option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=True)
-option: Str('nisdomainname', attribute=True, cli_name='nisdomain', multivalue=False, required=False)
+option: Str('nisdomainname', attribute=True, cli_name='nisdomain', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', pattern_errmsg='may only include letters, numbers, _, -, and .', required=False)
 option: StrEnum('usercategory', attribute=True, cli_name='usercat', multivalue=False, required=False, values=(u'all',))
 option: StrEnum('hostcategory', attribute=True, cli_name='hostcat', multivalue=False, required=False, values=(u'all',))
 option: Str('setattr*', cli_name='setattr', exclude='webui')
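Review bot: the pattern `^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$` copied from the 'cn' argument requires at least two characters (one from the first class and one or more from the second), so a single-character NIS domain name is now rejected; if that is intended it deserves a test case, otherwise the `+` should be `*`. The tests should also cover a name with a leading '-', the one character the pattern refuses in the first position only.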
@@ -1957,7 +1957,7 @@ args: 1,26,4
 arg: Str('criteria?', noextrawhitespace=False)
 option: Str('cn', attribute=True, autofill=False, cli_name='name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', pattern_errmsg='may only include letters, numbers, _, -, and .', primary_key=True, query=True, required=False)
 option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False)
-option: Str('nisdomainname', attribute=True, autofill=False, cli_name='nisdomain', multivalue=False, query=True, required=False)
+option: Str('nisdomainname', attribute=True, autofill=False, cli_name='nisdomain', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', pattern_errmsg='may only include letters, numbers, _, -, and .', query=True, required=False)
 option: Str('ipauniqueid', attribute=True, autofill=False, cli_name='uuid', multivalue=False, query=True, required=False)
 option: StrEnum('usercategory', attribute=True, autofill=False, cli_name='usercat', multivalue=False, query=True, required=False, values=(u'all',))
 option: StrEnum('hostcategory', attribute=True, autofill=False, cli_name='hostcat', multivalue=False, query=True, required=False, values=(u'all',))
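Review bot: in netgroup_find this option is `query=True`, and the pattern does not admit '*', so unless the framework skips pattern validation for query parameters a wildcard search such as `--nisdomain='nisdom*'` would now be refused with the pattern error instead of being matched. If substring search on nisdomain is meant to keep working, apply the pattern to the add/mod forms only and leave the query form without it.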
@@ -1989,7 +1989,7 @@ command: netgroup_mod
 args: 1,11,3
 arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', pattern_errmsg='may only include letters, numbers, _, -, and .', primary_key=True, query=True, required=True)
 option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False)
-option: Str('nisdomainname', attribute=True, autofill=False, cli_name='nisdomain', multivalue=False, required=False)
+option: Str('nisdomainname', attribute=True, autofill=False, cli_name='nisdomain', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', pattern_errmsg='may only include letters, numbers, _, -, and .', required=False)
 option: StrEnum('usercategory', attribute=True, autofill=False, cli_name='usercat', multivalue=False, required=False, values=(u'all',))
 option: StrEnum('hostcategory', attribute=True, autofill=False, cli_name='hostcat', multivalue=False, required=False, values=(u'all',))
 option: Str('setattr*', cli_name='setattr', 
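The two validations the patch describes, as an added Python example that is not part of Ondrej's patch or of ipalib: it applies the nisdomain pattern taken from the API.txt lines above to constructed inputs, and adds a hostname check of its own (RFC 1123 style labels, an assumption, since the patch's netgroup_add_member precallback is not shown here), raising a ValidationError stand-in in the same spirit as the plugin does.

```python
import re

# The pattern the patch adds to the 'nisdomainname' option (the same one the
# netgroup 'cn' argument already uses), copied from the API.txt hunk above.
NISDOMAIN_PATTERN = r'^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$'
NISDOMAIN_ERRMSG = 'may only include letters, numbers, _, -, and .'

# Hostname rules assumed for this example: each dot-separated label is 1-63
# letters, digits or hyphens with no leading or trailing hyphen (RFC 1123).
HOST_LABEL_RE = re.compile(r'^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$')


class ValidationError(ValueError):
    """Stand-in for ipalib.errors.ValidationError (constructed for this example)."""

    def __init__(self, name, error):
        ValueError.__init__(self, "invalid '%s': %s" % (name, error))
        self.name = name
        self.error = error


def validate_nisdomain(value):
    """Return the value if it matches the pattern, else raise ValidationError.

    re.fullmatch is used rather than re.match on purpose: with re.match a
    trailing '$' still accepts a value that ends in a newline, so
    'example.com\\n' would slip through an otherwise correct pattern.
    """
    if not re.fullmatch(NISDOMAIN_PATTERN, value):
        raise ValidationError('nisdomain', NISDOMAIN_ERRMSG)
    return value


def nisdomain_is_valid(value):
    try:
        validate_nisdomain(value)
    except ValidationError:
        return False
    return True


def hostname_is_valid(host):
    """Every label must satisfy HOST_LABEL_RE; one trailing dot (FQDN form)
    is tolerated and the whole name may not exceed 253 characters."""
    if not host:
        return False
    if host.endswith('.'):
        host = host[:-1]
    if len(host) > 253:
        return False
    return all(HOST_LABEL_RE.fullmatch(label) for label in host.split('.'))


def check_member_hosts(hosts):
    """Model of the add_member precallback: refuse the whole request when any
    host fails validation, naming the offending values in the error."""
    bad = [h for h in hosts if not hostname_is_valid(h)]
    if bad:
        raise ValidationError('host', 'invalid hostname(s): %s' % ', '.join(bad))
    return list(hosts)
```

Note that the pattern rejects a single-character name because its second character class is quantified with `+`; whether that is wanted is a question for the patch, but the example reproduces the pattern as written.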

[Freeipa-devel] [PATCH] 234 Avoid deleting DNS zone when a context is reused

2012-03-08 Thread Martin Kosek
When dnsrecord-del pre_callback detects that the record does
not contain any records, it sets a flag in the connection context
and deletes the record object later. However, when more
dnsrecord-del commands share the same context (and this is the case for
the ipa-replica-manage del $MASTER DNS cleanup), a later one may reuse
a positive flag from the previous dnsrecord-del command and delete
the root DNS zone record, thus effectively deleting the zone.

This patch makes sure that this flag is always initialized to
a sane value in dnsrecord-del pre_callback so that the DNS
zone is not deleted. It also fixes the pre_callback function definition
to prevent attrs_list from being added to the keys parameter and thus
confusing developers.

https://fedorahosted.org/freeipa/ticket/2503

From de493ca8ff05dace13f96137b8237325f1c2473c Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Thu, 8 Mar 2012 14:46:48 +0100
Subject: [PATCH] Avoid deleting DNS zone when a context is reused

When dnsrecord-del pre_callback detects that the record does
not contain any records, it sets a flag in the connection context
and deletes the record object later. However, when more
dnsrecord-del commands share the same context (and this is the case for
the ipa-replica-manage del $MASTER DNS cleanup), a later one may reuse
a positive flag from the previous dnsrecord-del command and delete
the root DNS zone record, thus effectively deleting the zone.

This patch makes sure that this flag is always initialized to
a sane value in dnsrecord-del pre_callback so that the DNS
zone is not deleted. It also fixes the pre_callback function definition
to prevent attrs_list from being added to the keys parameter and thus
confusing developers.

https://fedorahosted.org/freeipa/ticket/2503
---
 ipalib/plugins/dns.py |   15 +--
 1 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index a10960a2c20b8915b199ed82462a844ce8f5915c..d02528907d195370cf3c0d080bad57ddede4df08 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -2213,7 +2213,7 @@ class dnsrecord_mod(LDAPUpdate):
 self.obj.has_cli_options(options, self.no_option_msg, True)
 return super(dnsrecord_mod, self).args_options_2_entry(*keys, **options)
 
-def pre_callback(self, ldap, dn, entry_attrs, *keys, **options):
+def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 for rtype in options:
 rtype_cb = '_%s_pre_callback' % rtype
 if options[rtype] is None and rtype in _record_attributes:
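Review bot: the signature now takes `attrs_list` before `*keys`, matching what the commit message says the base class passes; any other `pre_callback` override in this file that still has the old `(self, ldap, dn, entry_attrs, *keys, **options)` form would silently receive attrs_list as its first key, which is exactly the confusion the message describes, so it is worth grepping for the old form in this same change rather than fixing two of them.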
@@ -2385,7 +2385,7 @@ class dnsrecord_del(LDAPUpdate):
 continue
 yield option
 
-def pre_callback(self, ldap, dn, entry_attrs, *keys, **options):
+def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 try:
 (dn_, old_entry) = ldap.get_entry(
 dn, _record_attributes,
@@ -2414,13 +2414,15 @@ class dnsrecord_del(LDAPUpdate):
value=val)
 entry_attrs[attr] = list(set(old_entry[attr]))
 
+del_all = False
 if not self.obj.is_pkey_zone_record(*keys):
-del_all = True
+record_found = False
 for attr in old_entry:
 if old_entry[attr]:
-del_all = False
+record_found = True
 break
-setattr(context, 'del_all', del_all)
+del_all = not record_found
+setattr(context, 'del_all', del_all)
 
 return dn
 
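Review bot: initialising `del_all = False` and writing it back unconditionally fixes the stale flag, but the value still lives on the shared context after execute() returns, so correctness keeps depending on the next caller's pre_callback overwriting it. Clearing it after use (for example `setattr(context, 'del_all', False)` at the end of execute, or in a try/finally) would make each command self-contained. As a minor point, the `record_found` loop plus `del_all = not record_found` can be written as `del_all = not any(old_entry[attr] for attr in old_entry)`.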
@@ -2436,7 +2438,8 @@ class dnsrecord_del(LDAPUpdate):
 
 result = super(dnsrecord_del, self).execute(*keys, **options)
 
-if getattr(context, 'del_all', False):
+if getattr(context, 'del_all', False) and not \
+self.obj.is_pkey_zone_record(*keys):
 return self.obj.methods.delentry(*keys)
 return result
 
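Review bot: the added `and not self.obj.is_pkey_zone_record(*keys)` duplicates the guard already taken in pre_callback, which is fine as a second line of defence against the same class of bug, but a one-line comment saying it is deliberate would stop a later reader from treating one of the two checks as redundant and removing it.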
-- 
1.7.7.6
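A model of the stale-flag bug and of the fix, as an added Python example (not code from the patch or from ipalib): two dnsrecord-del calls share one context object the way the ipa-replica-manage del cleanup does. The Context class, is_pkey_zone_record, the key tuples and the record contents are this example's own assumptions; only the control flow follows the hunks above.

```python
class Context(object):
    """Stand-in for the request context ipalib shares between commands issued
    over one connection (constructed for this example)."""


def is_pkey_zone_record(keys):
    """Model of dnsrecord.is_pkey_zone_record: the zone apex record is the one
    named '@' inside its zone. The real helper's rules are not shown on the
    page; this is an assumption of the example."""
    return len(keys) == 2 and keys[1] == '@'


def pre_callback_before(context, keys, remaining):
    """Pre-patch logic: the flag is only written on the non-apex branch, so a
    True left behind by an earlier command survives into the apex command."""
    if not is_pkey_zone_record(keys):
        del_all = not any(remaining.values())
        setattr(context, 'del_all', del_all)


def pre_callback_after(context, keys, remaining):
    """Patched logic: del_all starts as False on every call and is always
    written back, so nothing leaks from one command to the next."""
    del_all = False
    if not is_pkey_zone_record(keys):
        del_all = not any(remaining.values())
    setattr(context, 'del_all', del_all)


def execute(context, keys, remaining, pre_callback, guard_apex):
    """Model of dnsrecord_del.execute, returning the action taken.
    guard_apex=True adds the second check the patch places in execute()."""
    pre_callback(context, keys, remaining)
    if getattr(context, 'del_all', False) and not (
            guard_apex and is_pkey_zone_record(keys)):
        return 'delentry'      # the whole LDAP entry is removed
    return 'modified'          # only the named values are removed


def run_cleanup(pre_callback, guard_apex=False):
    """Two dnsrecord-del calls on one shared context, in the order a master
    decommissioning would issue them (constructed sequence):
      1. drop the old master's last A record  -> nothing left for that name
      2. drop one NS record from the zone apex -> SOA and another NS remain
    Returns the list of actions in order; 'delentry' for step 2 means the
    zone apex entry, and with it the zone, was deleted."""
    ctx = Context()
    actions = []
    actions.append(execute(ctx, ('example.test', 'old-master'),
                           {'arecord': []}, pre_callback, guard_apex))
    actions.append(execute(ctx, ('example.test', '@'),
                           {'soarecord': ['ns1.example.test. hostmaster.example.test. 1 3600 900 1209600 3600'],
                            'nsrecord': ['ns1.example.test.']},
                           pre_callback, guard_apex))
    return actions
```

With the old pre_callback both steps return 'delentry', i.e. the apex entry goes away although it still holds records; the patched pre_callback alone, or the extra guard in execute alone, each keep step 2 at 'modified', which is why the patch does both.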


Re: [Freeipa-devel] [PATCH] 233 Fix ipa-replica-manage TLS connection error

2012-03-08 Thread Rich Megginson

On 03/08/2012 05:33 AM, Martin Kosek wrote:

New version of openldap (openldap-2.4.26-6.fc16.x86_64) changed its
ABI and broke our TLS connection in ipa-replica-manage. This makes
it impossible to connect for example to Active Directory to set up
a winsync replication. We always receive a connection error stating
that Peer's certificate is not recognized even though we pass
a correct certificate.

This patch fixes the way we set up TLS. The change is backwards
compatible with older versions of openldap.

https://fedorahosted.org/freeipa/ticket/2500

ack





Re: [Freeipa-devel] [PATCH] 924 display both hex and decimal serial numbers

2012-03-08 Thread Jan Cholasta

On 7.3.2012 17:12, Rob Crittenden wrote:

Petr Vobornik wrote:

On 03/06/2012 09:56 PM, Rob Crittenden wrote:

Rob Crittenden wrote:

Jan Cholasta wrote:

On 18.1.2012 00:04, Rob Crittenden wrote:

Jan Cholasta wrote:

On 16.1.2012 22:02, Rob Crittenden wrote:

Rob Crittenden wrote:

Jan Cholasta wrote:

On 13.1.2012 20:53, Rob Crittenden wrote:

When viewing a certificate it will show the serial number as hex (dec).

# ipa service-show HTTP/rawhide.example.com
Principal: HTTP/rawhide.example@example.com
Certificate: [snip]
Keytab: True
Managed by: rawhide.example.com
Subject: CN=rawhide.example.com,O=EXAMPLE.COM
Serial Number: 0x403 (1027)
Issuer: CN=EXAMPLE.COM Certificate Authority
Not Before: Fri Jan 13 15:00:44 2012 UTC
Not After: Thu Jan 13 15:00:44 2022 UTC
Fingerprint (MD5):
e5:43:17:0d:8d:af:d6:69:d8:fb:eb:ca:79:fb:47:69
Fingerprint (SHA1):
c2:9e:8e:de:42:c9:4a:29:cc:b0:a0:de:57:c7:b7:d8:f9:b5:fe:e6

rob



NACK

Displaying a host or a service in the webUI fails with IPA error 3009:
invalid 'serial_number': Decimal or hexadecimal number is required for
serial number.

I would suggest doing the nifty formatting of serial numbers on the
client side; that would fix the webUI issue, allow non-IPA clients to
parse the number without dissecting the string representation of it
and probably also save me a hack in the type conversion overhaul. You
could for example add a parameter flag like format_serial_number to
indicate to the client that it should format the value as a serial number.

Honza



Well, we want to do as little client formatting as possible. The idea is
to have a very thin client.


It doesn't seem right to me to enforce this specific representation of
what is really just an integer at the API level. Doing a little
formatting on the client side won't make the client(s) particularly fat,
will it?


Yes. The current code just outputs labels and data. There is no
"if it is this attribute then do that" logic.



IMHO there is too much stuff done on the server that would make more
sense to do on the client anyway (especially CLI-specific stuff such as
CSV parsing). What is the reason we want such a thin client?


To avoid double work, such that every time we want a formatting change
we have to change it in multiple places. This lesson was learned in v1.


I believe there should be a clear separation of presentation and
content, but perhaps I'm a little bit too idealistic :-).


You have a point, serial number is defined as an integer. Perhaps we
should revisit this decision to display hex at all.






I'll look into fixing the UI side.


I don't see this error in services, it displays correctly. I'm not sure
if it is my browser or what, but hosts don't display much of anything
for me.

rob


I have just checked both master and ipa-2-2 and I'm getting the same
error message (tested in Firefox 9.0.1) when viewing details of a host
or a service with the usercertificate attribute set.

BTW, wouldn't it make sense to format serial numbers in the cert plugin
in the same way?


Perhaps. Like I said, I'm not really in favor of this change.

rob


Maybe we can do a compromise of some sort. What about allowing the
client to specify with each request what representation/formatting the
server should use for the resulting entries and attributes?


That would be mighty flexible but would open a new can of worms. I think
long term I'd like to be able to request what attributes to see (a la
ldapsearch) but that too is a bit out of scope.

This comes down to Output being rather loosely defined and we already
have a ticket open on that. It basically just defines the broad types of
data to be returned (string, list, dict, etc.) but not the internal
components of complex types.


Took a new approach and created a new output attribute,
serial_number_hex, that is displayed separately.

UI portion added as well.



ACK for the UI part. I attached a patch which extends UI static testing
data - to keep things in solid state.

I think this approach is still evil (as the whole ticket) but I don't
have a better solution (in CLI).


We are in agreement.


Question:
Isn't the '0x' part a bit redundant? The label already says '(hex)'.
However I can buy a 'It is a convention.' argument.


Yes, I did it for convention, plus to avoid confusion for the case where
it looks like a decimal number but isn't, e.g. 10. If you saw:

Serial number: 16
Serial number (hex): 10

It might be confusing. 0x10 would be clearer.

rob


This patch works for me, but let me repeat myself:

 BTW, wouldn't it make sense to format serial numbers in the cert
 plugin in the same way?

Honza

--
Jan Cholasta



Re: [Freeipa-devel] More types of replica in FreeIPA

2012-03-08 Thread Dmitri Pal
On 03/06/2012 01:30 PM, Ondrej Hamada wrote:
 On 03/06/2012 05:47 PM, Dmitri Pal wrote:
 On 03/06/2012 10:59 AM, Simo Sorce wrote:
 On Tue, 2012-03-06 at 10:56 -0500, Dmitri Pal wrote:
 [...]
 For a read-only KDC we need to investigate what's the better
 solution.
 There are many ways we can handle the issue, one of the simplest is
 probably to allow the RO KDC to use a special LDAP Extended
 operation
 against a full R/W server to get the user keys to sign,
 authenticating
 with a special R/O KDC principal. We can also investigate how MS
 does
 internal forwarding and do something similar as I suspect that's
 something samba4-RODC will want to implement too, so we could share
 some
 of the development burden there.

 Simo.

 I do not think it is a good idea for the remote RO KDC to go back to
 the main datacenter on every authentication without some sort of
 caching. This is why I think that some kind of SSSD integration might
 be due. If RO KDC would just pass the authentication to SSSD in some
 way and SSSD would do the caching in case the office gets offline. I
 understand that authhub as is will not work as the client sends time
 stamp encrypted with password and SSSD needs plain text password as
 credential. I do not know if there is a way to solve this without
 actually sending the password in the tunnel. IMO it is more important
 to make sure that remote office can have uninterrupted operation than
 to worry about the password being sent inside the encrypted tunnel. It
 is something that deployment should decide and weight risks against
 convenience.
 This is why MS does partial replication, ie allows the RODC to have
 data
 about the office users. It's complex and there are many ways to handle
 it. We need to look at various options and see how they would work
 against uses cases we want to support.
 Simo.

 Then may be Ondrej should start with formulating use cases and
 requirements based on this discussion.

 I see three possible use cases here, but only two should be considered
 when speaking about consumer node:

 1) The office that should rely on that replica is quite a big one
 (hundreds of employees) or many different users are authenticating
 against its replica or there are located admins, who need to do a lot
 of write-operations. -- In this case I suppose the best solution is
 to deploy master replica there.


 2) Office that doesn't fulfil the conditions in 1) - not a desperate
 need for write-operations on ipa-server, but the priority is to allow
 (some) clients to authenticate and use available services even when
 the network is down. -- We need a consumer with credentials caching,
 authentication requests for non-cached users or write operations must
 be forwarded to master.

 3) Office that doesn't fulfil the conditions in 1), but the priority
 is security, so that the consumer is not allowed to store or cache any
 confidential data. -- We need a consumer, authentications and write
 operations must be forwarded to master.

 If we choose the second use case, both the caching and request
 forwarding must be implemented. I suppose that there shouldn't be big
 problem to decide during the installation to turn the caching off by
 some option like '-no-caching' so that the consumer could be used for
 the third use case as well.


Can you please now create a set of usage scenarios for 2) and 3).
User logs in and he is in cache, he is not in cache, he is redirected
and data is cached, he failed and account lockout data is updated
locally or on the other server? Admin tries to perform an IPA command
or ldapmodify command - what happens?

Can those work flows be spelled out in detail for the caching and
non-caching use cases?
 


-- 

Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





[Freeipa-devel] [PATCH] 0022 Use ipauniqueid for the RDN of sudo commands

2012-03-08 Thread Petr Viktorin

Since sudo commands are case-sensitive, we can't use the CN as the RDN.
With this patch, the UUID is used instead.
It seems like too easy a fix. What am I missing?

As far as I understand, the fact that the DN has a different structure 
now shouldn't cause problems, even if there are still commands created 
by old IPA versions.

For testing, use an unpatched version to create a few of these.

The sudo commands are no longer sorted in sudocmd-find output. Doing 
that would require the ability to use an arbitrary attribute as sort 
key. Should I file an issue for that?


Tests for the case sensitivity are included.

https://fedorahosted.org/freeipa/ticket/2482

--
Petr³


From e07451ae2c152feb3ce87c5241793025f12f8b2e Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Thu, 8 Mar 2012 07:55:00 -0500
Subject: [PATCH] Use ipauniqueid for the RDN of sudo commands

Since sudo commands are case-sensitive, we can't use the CN
as the RDN.

Tests for case-sensitive behavior included

https://fedorahosted.org/freeipa/ticket/2482
---
 ipalib/plugins/sudocmd.py |1 +
 tests/test_xmlrpc/test_sudocmd_plugin.py  |   82 +
 tests/test_xmlrpc/test_sudocmdgroup_plugin.py |   82 +---
 tests/test_xmlrpc/xmlrpc_test.py  |   13 +++-
 4 files changed, 150 insertions(+), 28 deletions(-)

diff --git a/ipalib/plugins/sudocmd.py b/ipalib/plugins/sudocmd.py
index 42068edea3c51804be9ee5919934462afbee578f..f27a58cadd6e6abc16611621387f26125737bf78 100644
--- a/ipalib/plugins/sudocmd.py
+++ b/ipalib/plugins/sudocmd.py
@@ -62,6 +62,7 @@ class sudocmd(LDAPObject):
 'memberof': ['sudocmdgroup'],
 }
 uuid_attribute = 'ipauniqueid'
+rdn_attribute = 'ipauniqueid'
 label = _('Sudo Commands')
 label_singular = _('Sudo Command')
 
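Review bot: with `rdn_attribute = 'ipauniqueid'` new entries get a DN of the form ipauniqueid=<uuid>,cn=sudocmds,cn=sudo,... while entries created by older servers keep sudocmd=<name> as their RDN (the shape the removed test assertion below spelled out). The cover letter says this should be harmless, but the added tests only exercise freshly created entries; a test, or at least a manual check recorded in the commit message, that sudocmd-show/-mod/-del still find an entry with the old RDN shape would back up that claim and answer the question the submitter asks.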
diff --git a/tests/test_xmlrpc/test_sudocmd_plugin.py b/tests/test_xmlrpc/test_sudocmd_plugin.py
index cbbd26cd7061ee73c44f691692072daaf6f84f50..a9f118460432e9c33f665db05df0340d73da885d 100644
--- a/tests/test_xmlrpc/test_sudocmd_plugin.py
+++ b/tests/test_xmlrpc/test_sudocmd_plugin.py
@@ -22,17 +22,20 @@ Test the `ipalib/plugins/sudocmd.py` module.
 
 
 from ipalib import api, errors
-from tests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid
+from tests.test_xmlrpc.xmlrpc_test import (Declarative, fuzzy_sudocmddn,
+fuzzy_uuid)
 from tests.test_xmlrpc import objectclasses
 from ipalib.dn import *
 
 sudocmd1 = u'/usr/bin/sudotestcmd1'
+sudocmd1_camelcase = u'/usr/bin/sudoTestCmd1'
 
 
 class test_sudocmd(Declarative):
 
 cleanup_commands = [
 ('sudocmd_del', [sudocmd1], {}),
+('sudocmd_del', [sudocmd1_camelcase], {}),
 ]
 
 tests = [
@@ -69,9 +72,7 @@ class test_sudocmd(Declarative):
 value=sudocmd1,
 summary=u'Added Sudo Command %s' % sudocmd1,
 result=dict(
-dn=lambda x: DN(x) == \
-DN(('sudocmd',sudocmd1),('cn','sudocmds'),('cn','sudo'),
-   api.env.basedn),
+dn=fuzzy_sudocmddn,
 sudocmd=[sudocmd1],
 description=[u'Test sudo command 1'],
 objectclass=objectclasses.sudocmd,
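Review bot: replacing the exact `DN(('sudocmd',sudocmd1),('cn','sudocmds'),('cn','sudo'), api.env.basedn)` comparison with `fuzzy_sudocmddn` drops the assertion about what the RDN actually is. If fuzzy_sudocmddn (defined in xmlrpc_test.py, not shown in this excerpt) only checks the parent container, make it also assert that the RDN attribute is ipauniqueid; otherwise this test would still pass if rdn_attribute were reverted.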
@@ -80,6 +81,26 @@ class test_sudocmd(Declarative):
 ),
 ),
 
+dict(
+desc='Create %r' % sudocmd1_camelcase,
+command=('sudocmd_add', [sudocmd1_camelcase],
+dict(
+description=u'Test sudo command 2',
+),
+),
+expected=dict(
+value=sudocmd1_camelcase,
+summary=u'Added Sudo Command %s' % sudocmd1_camelcase,
+result=dict(
+dn=fuzzy_sudocmddn,
+sudocmd=[sudocmd1_camelcase],
+description=[u'Test sudo command 2'],
+objectclass=objectclasses.sudocmd,
+ipauniqueid=[fuzzy_uuid],
+),
+),
+),
+
 
 dict(
 desc='Try to create duplicate %r' % sudocmd1,
@@ -91,6 +112,16 @@ class test_sudocmd(Declarative):
 expected=errors.DuplicateEntry(),
 ),
 
+dict(
+desc='Try to create duplicate %r' % sudocmd1_camelcase,
+command=('sudocmd_add', [sudocmd1_camelcase],
+dict(
+description=u'Test sudo command 2',
+),
+),
+expected=errors.DuplicateEntry(),
+),
+
 
 dict(
 desc='Retrieve %r' % sudocmd1,
@@ -99,9 +130,7 @@ class test_sudocmd(Declarative):
 value=sudocmd1,
 summary=None,
 result=dict(
-dn=lambda x: DN(x) == \
-DN(('sudocmd',sudocmd1),('cn','sudocmds'),('cn','sudo'),
-   api.env.basedn),
+

Re: [Freeipa-devel] [PATCH] 984 fix anonlimits dn

2012-03-08 Thread Martin Kosek
On Wed, 2012-03-07 at 18:02 -0500, Rob Crittenden wrote:
 The value of nsslapd-anonlimitsdn wasn't being set properly because it 
 wasn't quoted. This will fix it, replacing whatever is there with a 
 correct value.
 
 rob

The IPA anonlimits DN is now set correctly. However anonlimits in
cn=anonymous-limits,cn=etc,SUFFIX are still empty (nsSizeLimit and
nsLookThroughLimit values defined in 10-config.update are not set).

Martin



[Freeipa-devel] IPAv2 on SL6.2 using NIS fails with Failed password error

2012-03-08 Thread Joshua Dotson
Hi All,

I'm having a problem with my IPA installs; I can't seem to get the NIS mode
to work.  I tried it with and without 'Migration Mode' enabled.

I bind to it and 'getent passwd' and 'getent group' just fine, but when I
type my password (post initial kinit password change) in for ssh, I get
permission denied and the following in my client-side /var/log/secure log:

Mar  8 18:15:07 bastion sshd[18480]: Failed password for bob from 192.168.5.68 port 50788 ssh2
Mar  8 18:15:22 bastion sshd[18480]: Failed password for bob from 192.168.5.68 port 50788 ssh2
Mar  8 18:46:13 bastion sshd[18556]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.6.68  user=bob
Mar  8 18:46:16 bastion sshd[18556]: Failed password for bob from 192.168.5.68 port 50839 ssh2

On the server, I can find no error on the server side, matching the
timestamp of when I attempt login from a third host to the bastion host
(see below).

Am I mistaken that IPAv2 provides backwards compatible NIS, without
client-side SSSD, KRB5 and the like?  Am I missing a service or something?

Thanks very much!  Please excuse the long email.  Perhaps I'm too eager.
lol  :-)

-Joshua.

BACKGROUND INFO FOLLOWS=

Here are the details of my install, which is my fourth IPA install, so far.
 As a side note, however, I've not been able to get the NIS mode working,
yet.


   - 2 nearly identical KVM's to test this. (1 for server and 1 for NIS
   client)
   - x86_64
   - ext4 over LVM over qcow2 over NFSv3
   - using virtio
   - Scientific Linux 6.2 minimal install from GUI of Install DVD
   - all available yum updates applied
   - iptables off
   - ipv4 only
   - added self FQDN to both /etc/hosts files
   - NetworkManager off in favor of network
   - static public IP's
   - Used the following commands to install my IPA server:

# yum -y install \
ipa-server \
bind \
bind-dyndb-ldap

# ipa-server-install \
  -a 'admin_pass_example' \
  --hostname=ipa.example.com \
  -p 'dir_man_password_example' \
  -n exampledom.com \
  -r EXAMPLE.COM \
  --setup-dns \
  --forwarder=192.168.2.10 \
  --forwarder=192.168.1.20


   - After a reboot, logging in with Firefox works well... kinit works well
   after I create an initial user in the UI... Everything is cool..even
   enrolling other machine with the ipa-client-install tool works well.. No
   other changes were made inside the UI
   - Here are the commands I ran on the server outside the UI, per
   instructions (here:
   
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/migrating-from-nis.html
   )


[root@ipa ~]# ipa-compat-manage enable
Directory Manager password:

Plugin already Enabled
[root@ipa ~]# rpcinfo
   program version netid addressserviceowner
104tcp6  ::.0.111   portmapper superuser
103tcp6  ::.0.111   portmapper superuser
104udp6  ::.0.111   portmapper superuser
103udp6  ::.0.111   portmapper superuser
104tcp   0.0.0.0.0.111  portmapper superuser
103tcp   0.0.0.0.0.111  portmapper superuser
102tcp   0.0.0.0.0.111  portmapper superuser
104udp   0.0.0.0.0.111  portmapper superuser
103udp   0.0.0.0.0.111  portmapper superuser
102udp   0.0.0.0.0.111  portmapper superuser
104local /var/run/rpcbind.sock  portmapper superuser
103local /var/run/rpcbind.sock  portmapper superuser
[root@ipa ~]# ipa-nis-manage enable
Directory Manager password:

Enabling plugin
Restarting IPA to initialize updates before performing deletes:
  [1/2]: stopping directory server
  [2/2]: starting directory server
done configuring dirsrv.
This setting will not take effect until you restart Directory Server.
The rpcbind service may need to be started.
[root@ipa ~]# reboot

The system is going down for reboot NOW!


sam@bastion:~$ ssh 192.168.5.25
Last login: Thu Mar  8 17:58:58 2012 from 192.168.5.99
[sam@ipa ~]$ su -
Password:
[root@ipa ~]# rpcinfo
   program version netid addressserviceowner
104tcp6  ::.0.111   portmapper superuser
103tcp6  ::.0.111   portmapper superuser
104udp6  ::.0.111   portmapper superuser
103udp6  ::.0.111   portmapper superuser
104tcp   0.0.0.0.0.111  portmapper superuser
103tcp   0.0.0.0.0.111  portmapper superuser
102tcp   0.0.0.0.0.111  portmapper superuser
104udp   0.0.0.0.0.111  portmapper superuser
103udp   0.0.0.0.0.111  portmapper superuser
102 

Re: [Freeipa-devel] IPAv2 on SL6.2 using NIS fails with Failed password error

2012-03-08 Thread Joshua Dotson
   0:off 1:on 2:on 3:on 4:on 5:on 6:off
 ypbind 0:off 1:off 2:on 3:on 4:on 5:on 6:off


   - /etc/yp.conf (client) (I tried it with the server domain syntax, as
   well)

 ypserver 192.168.6.82
 #domain example.com server 192.168.6.82


   - rpcinfo (client)

   program version netid     address                service    owner
    100000    4    tcp6      ::.0.111               portmapper superuser
    100000    3    tcp6      ::.0.111               portmapper superuser
    100000    4    udp6      ::.0.111               portmapper superuser
    100000    3    udp6      ::.0.111               portmapper superuser
    100000    4    tcp       0.0.0.0.0.111          portmapper superuser
    100000    3    tcp       0.0.0.0.0.111          portmapper superuser
    100000    2    tcp       0.0.0.0.0.111          portmapper superuser
    100000    4    udp       0.0.0.0.0.111          portmapper superuser
    100000    3    udp       0.0.0.0.0.111          portmapper superuser
    100000    2    udp       0.0.0.0.0.111          portmapper superuser
    100000    4    local     /var/run/rpcbind.sock  portmapper superuser
    100000    3    local     /var/run/rpcbind.sock  portmapper superuser
    100007    2    udp       0.0.0.0.3.46           ypbind     superuser
    100007    1    udp       0.0.0.0.3.46           ypbind     superuser
    100007    2    tcp       0.0.0.0.3.49           ypbind     superuser
    100007    1    tcp       0.0.0.0.3.49           ypbind     superuser

 --
 Joshua M. Dotson
 Systems Administrator
 Kno.e.sis Center
 Wright State University - Dayton, OH
 j...@knoesis.org
 937-350-1563




-- 
Joshua M. Dotson
Systems Administrator
Kno.e.sis Center
Wright State University - Dayton, OH
j...@knoesis.org
937-350-1563

Re: [Freeipa-devel] [PATCH] 102-103 UI part of 'Add last missing bits in new bind-dyndb-ldap'

2012-03-08 Thread Endi Sukma Dewata

ACK. There are some minor issues.

On 3/7/2012 10:10 AM, Petr Vobornik wrote:

1) Add support for new options in dnsconfig

dnsconfig was extended with new attributes, so this reflects them in the UI.

New attributes:
* idnsForwardPolicy
* idnsAllowSyncPTR
* idnsZoneRefresh

https://fedorahosted.org/freeipa/ticket/2489


If you click the idnsallowsyncptr checkbox and click again to return to 
the original value, it will still show the undo button.



2) DNS forwarder's value can consist of IP address and a port.

The syntax is 'IP ADDRESS port PORT'. A new validator was created
for this purpose. It is based on the IP address validator.


The validator is rather strict: it allows exactly a single space between 
the words. If someone mistakenly types an additional space, the 
validation error could be confusing because two adjacent spaces are 
sometimes not very obvious. I think either the UI or the server (or 
both) should normalize the space. Another option is to use separate 
fields for the IP address and the port in the multivalued field:


Global forwarders: [192.168.1.1  ] port [80  ]  Delete
   Add

--
Endi S. Dewata
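One representation mismatch that produces exactly the symptom Endi describes (the undo button stays visible after the checkbox is toggled back to its original state), as an added JavaScript example rather than FreeIPA's own field or widget code. It assumes the loaded record carries the boolean attribute as the LDAP string list ['FALSE'] while the checkbox reports a JavaScript boolean; the attribute name idnsallowsyncptr is the one from the patch, but the function names, the sample record and the cause itself are assumptions for illustration.

```javascript
// Added example, not FreeIPA's widget or field code. Shows why a
// dirty-state check can keep reporting "changed" after a checkbox is
// toggled back, and a normalized comparison that avoids it.
// Assumption: server-side booleans arrive as ['TRUE'] / ['FALSE'],
// the checkbox widget reports true / false.

// Naive dirty check: compares the stored string list with the widget's
// boolean. ['FALSE'] !== false is always true, so the field always
// looks modified once it has been touched.
function isDirtyNaive(loadedValue, currentValue) {
    return loadedValue !== currentValue;
}

// Normalize any of the representations above to a boolean. Only the
// canonical spellings are accepted; anything else is an error rather
// than silently treated as false.
function toBoolean(value) {
    if (typeof value === 'boolean') return value;
    if (Array.isArray(value)) {
        if (value.length !== 1) throw new Error('expected a single value');
        return toBoolean(value[0]);
    }
    var s = String(value).trim().toUpperCase();
    if (s === 'TRUE') return true;
    if (s === 'FALSE') return false;
    throw new Error('not a boolean value: ' + value);
}

// Normalized dirty check: both sides are compared as booleans.
function isDirty(loadedValue, currentValue) {
    return toBoolean(loadedValue) !== toBoolean(currentValue);
}

// Replay the reviewer's click sequence (click, click again) against a
// constructed sample record and report what the dirty check says after
// each click.
function simulateToggleTwice(dirtyFn) {
    var record = {idnsallowsyncptr: ['FALSE']};   // constructed sample
    var loaded = record.idnsallowsyncptr;
    var checked = false;                          // as rendered on load

    checked = !checked;                           // first click: true
    var afterFirst = dirtyFn(loaded, checked);

    checked = !checked;                           // second click: false
    var afterSecond = dirtyFn(loaded, checked);

    return {afterFirst: afterFirst, afterSecond: afterSecond};
}
```

With isDirtyNaive the second click still reports the field as modified, which is what keeps an undo button on screen; with isDirty it reports clean, so the undo control can be hidden again.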



Re: [Freeipa-devel] [PATCH] 104 Fixed mask validation in network_validator

2012-03-08 Thread Endi Sukma Dewata

On 3/7/2012 10:15 AM, Petr Vobornik wrote:

Attaching patch file.

On 03/07/2012 05:10 PM, Petr Vobornik wrote:

The network validator allowed invalid mask formats:
* leading zeros: 192.168.0.1/0024
* trailing chars: 192.168.0.1/24abcd

It was fixed.

https://fedorahosted.org/freeipa/ticket/2493


ACK.

--
Endi S. Dewata
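Both validators discussed in this thread, the forwarder syntax 'IP ADDRESS port PORT' from the 102-103 review above and the network mask check in this patch, share the same strict-number parsing problem, so here is one added JavaScript example covering both. It is not FreeIPA's validator code: the function names are hypothetical, it handles IPv4 only, the whitespace normalization is the option Endi suggests rather than what the patch does, and treating a missing port as 53 is an assumption.

```javascript
// Added example, not FreeIPA's own widget/validator code.
// Two validators built on one strict octet/number parser:
//  - validateForwarder: 'IP' or 'IP port PORT', whitespace normalized
//  - validateNetwork:   'IP/MASK' rejecting '0024' and '24abcd'
// Assumptions: IPv4 only; a forwarder without a port defaults to 53.

// Strict dotted-quad parser: exactly four decimal octets, each 0-255,
// no leading zeros ('010' is rejected), no stray characters.
function parseIPv4(text) {
    var parts = text.split('.');
    if (parts.length !== 4) return null;
    var octets = [];
    for (var i = 0; i < parts.length; i++) {
        if (!/^(0|[1-9][0-9]{0,2})$/.test(parts[i])) return null;
        var n = parseInt(parts[i], 10);
        if (n > 255) return null;
        octets.push(n);
    }
    return octets;
}

// Strict decimal field: no leading zeros, no trailing characters, <= max.
// This is the check that turns '0024' and '24abcd' into errors.
function parseStrictInt(text, max) {
    if (!/^(0|[1-9][0-9]*)$/.test(text)) return null;
    var n = parseInt(text, 10);
    return n > max ? null : n;
}

// DNS forwarder: 'IP' or 'IP port PORT'. Whitespace is trimmed and runs
// are collapsed first, so a doubled space between words is not reported
// as a (hard to see) syntax error.
function validateForwarder(value) {
    var words = value.replace(/\s+/g, ' ').trim().split(' ');
    if (!parseIPv4(words[0])) {
        return {valid: false, message: 'invalid IP address'};
    }
    if (words.length === 1) {
        return {valid: true, address: words[0], port: 53};  // assumed default
    }
    if (words.length !== 3 || words[1] !== 'port') {
        return {valid: false, message: "expected 'IP ADDRESS port PORT'"};
    }
    var port = parseStrictInt(words[2], 65535);
    if (port === null || port === 0) {
        return {valid: false, message: 'invalid port'};
    }
    return {valid: true, address: words[0], port: port};
}

// Network in CIDR notation 'IP/MASK'; the mask must be a plain decimal
// 0-32 with no leading zeros or trailing characters.
function validateNetwork(value) {
    var parts = value.split('/');
    if (parts.length !== 2) {
        return {valid: false, message: "expected 'IP ADDRESS/MASK'"};
    }
    if (!parseIPv4(parts[0])) {
        return {valid: false, message: 'invalid IP address'};
    }
    var mask = parseStrictInt(parts[1], 32);
    if (mask === null) {
        return {valid: false, message: 'invalid network mask'};
    }
    return {valid: true, address: parts[0], mask: mask};
}
```

The same anchored regular expression does the work in both places: '0024' fails because the alternative '0' must match the whole field, and '24abcd' fails because the anchor forbids trailing characters, so neither slips past a permissive parseInt.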



Re: [Freeipa-devel] [PATCH] 105 Fixed checkbox value in table without pkey

2012-03-08 Thread Endi Sukma Dewata

On 3/8/2012 3:47 AM, Petr Vobornik wrote:

When a table is displaying a record set without the entity's pkey attribute,
the checkbox value isn't properly prepared. This patch adds the
preparation (converts the value to a string).

https://fedorahosted.org/freeipa/ticket/2404


ACK.

--
Endi S. Dewata



Re: [Freeipa-devel] [PATCH] 981 set httpd_manage_ipa

2012-03-08 Thread Alexander Bokovoy
On Wed, 07 Mar 2012, Rob Crittenden wrote:

 Set SELinux boolean httpd_manage_ipa so ipa_memcached will work in
 enforcing mode.
 
 This is being done in the HTTP instance so we can set both booleans
 in one step and save a bit of time (it is still slow).
I would prefer all platform-specific manipulations of security 
policies to be moved to a platform-specific module.

Make an HTTP class there (like I did with the dirsrv class in the systemd 
backend) and perform the manipulations on service enable.

This way the main code will stay clear of platform-specific code.

Sorry for not looking into the issue before.

-- 
/ Alexander Bokovoy
