Re: [Freeipa-devel] [PATCH] 1018 enforce sizelimit when searching for permissions

2012-05-29 Thread Martin Kosek
On Tue, 2012-05-29 at 16:44 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > On Wed, 2012-05-23 at 13:55 -0400, Rob Crittenden wrote: > >> Rob Crittenden wrote: > >>> Martin Kosek wrote: > On Fri, 2012-05-18 at 10:17 -0400, Rob Crittenden wrote: > > Rob Crittenden wrote: > >> Mar

Re: [Freeipa-devel] [PATCH] 79 SSH configuration fixes

2012-05-29 Thread Martin Kosek
On Tue, 2012-05-29 at 17:21 +0200, Jan Cholasta wrote: > On 25.5.2012 18:09, Martin Kosek wrote: > > On Wed, 2012-05-23 at 11:16 +0200, Jan Cholasta wrote: > >> Hi, > >> > >> this fixes https://fedorahosted.org/freeipa/ticket/2769 as well as some > >> other issues with SSH configuration in ipa-clie

[Freeipa-devel] [PATCH] 269 permission-find missed some results with --pkey-only option

2012-05-29 Thread Martin Kosek
When permission-find post callback detected a --pkey-only option, it just terminated. However, this way the results that could have been added from aci_find matches were not included. Fix the post callback to go through the entire matching process. Also make sure that DNS permissions have a correc

[Freeipa-devel] [PATCH] Fix mspac code

2012-05-29 Thread Simo Sorce
Hey, I pushed the attached one-liner. -- Simo Sorce * Red Hat, Inc * New York From 43701d273525b01fd7a0f3611166653218daf11d Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 29 May 2012 17:41:38 -0400 Subject: [PATCH] Fix setting domain_sid 'sid' is a stack variable, by assigning its address

Re: [Freeipa-devel] [PATCH] 0054 Provide a better error message when deleting nonexistent attributes

2012-05-29 Thread Rob Crittenden
Petr Viktorin wrote: This fixes "misleading/invalid" error messages given when using --delattr to delete values from an attribute that doesn't exist on the entry. Please see the trac comment for details. https://fedorahosted.org/freeipa/ticket/2699 ACK, pushed to master rob

Re: [Freeipa-devel] [PATCH] 147 Set network.http.sendRefererHeader to 2 on browser config

2012-05-29 Thread Rob Crittenden
Petr Vobornik wrote: IPA web UI isn't functional when browser doesn't send http headers. This patch adds a functionality which sets Firefox network.http.sendRefererHeader configuration option to value '2' which enables it. Possible values: http://kb.mozillazine.org/Network.http.sendRefererHeade

Re: [Freeipa-devel] [PATCH] 1019 require policycoreutils if SELinux is enabled

2012-05-29 Thread Rob Crittenden
Martin Kosek wrote: On Fri, 2012-05-18 at 11:53 -0400, Rob Crittenden wrote: We don't have an explicit requires on the policycoreutils package in the client because SELinux is not required (just recommended). SELinux can be enabled without this package so check for that condition and don't allo

Re: [Freeipa-devel] [PATCH] 1018 enforce sizelimit when searching for permissions

2012-05-29 Thread Rob Crittenden
Martin Kosek wrote: On Wed, 2012-05-23 at 13:55 -0400, Rob Crittenden wrote: Rob Crittenden wrote: Martin Kosek wrote: On Fri, 2012-05-18 at 10:17 -0400, Rob Crittenden wrote: Rob Crittenden wrote: Martin Kosek wrote: On Thu, 2012-05-17 at 16:11 -0400, Rob Crittenden wrote: We do two searc

Re: [Freeipa-devel] [PATCH] 492 Add options to reduce writes from KDC

2012-05-29 Thread Simo Sorce
On Fri, 2012-05-25 at 18:36 -0400, Simo Sorce wrote: > The original ldap driver we used up to 2.2 had 2 options admins could > set to limit the amount of writes to the database on certain auditing > related operations. > In particular disable_last_success is really important to reduce the > load on

Re: [Freeipa-devel] routing requests to local servers - DNS SRV [discussion needed]

2012-05-29 Thread Simo Sorce
On Wed, 2012-05-30 at 01:28 +0930, William Brown wrote: > > The best benefit of this, would be that policies of "views" could be > edited with the CLI tool or the web interface, rather than having to > edit the named.conf file. This would again simplify administration of > DNS services. > Well sa

Re: [Freeipa-devel] routing requests to local servers - DNS SRV [discussion needed]

2012-05-29 Thread William Brown
On 25/05/12 11:40 PM, Simo Sorce wrote: >> It does not require any change in bind-dyndb-ldap code. All merges/overrides >> > will be done on Directory server. > Given we do persistent searches and we also do some caching in > bind-dyndb-ldap we almost certainly do not want to 'fool' it by > returnin

Re: [Freeipa-devel] routing requests to local servers - DNS SRV [discussion needed]

2012-05-29 Thread Simo Sorce
On Tue, 2012-05-29 at 17:16 +0200, Petr Spacek wrote: > Hello, > > for clarity: I'm not going to implement it (now). There are other features > on the table. > > I'm trying to find the simplest solution/workaround, because several people asked > for this feature and I think it is quite important.

Re: [Freeipa-devel] [PATCH] 79 SSH configuration fixes

2012-05-29 Thread Jan Cholasta
On 25.5.2012 18:09, Martin Kosek wrote: On Wed, 2012-05-23 at 11:16 +0200, Jan Cholasta wrote: Hi, this fixes https://fedorahosted.org/freeipa/ticket/2769 as well as some other issues with SSH configuration in ipa-client-install. Honza This fixed the basic functionality, but I discovered an

Re: [Freeipa-devel] routing requests to local servers - DNS SRV [discussion needed]

2012-05-29 Thread Petr Spacek
Hello, for clarity: I'm not going to implement it (now). There are other features on the table. I'm trying to find the simplest solution/workaround, because several people asked for this feature and I think it is quite important. (Besides load-balancing purpose it can be handy for environments

Re: [Freeipa-devel] [PATCH] 268 Add rename option for DNS records

2012-05-29 Thread Martin Kosek
On Tue, 2012-05-29 at 16:40 +0200, Jan Cholasta wrote: > On 29.5.2012 16:01, Martin Kosek wrote: > > This option will make renaming DNS records much easier. > > Add a unit test for this new functionality. > > > > https://fedorahosted.org/freeipa/ticket/2600 > > > > I wonder, how hard would it be t

Re: [Freeipa-devel] [PATCH] 268 Add rename option for DNS records

2012-05-29 Thread Jan Cholasta
On 29.5.2012 16:01, Martin Kosek wrote: This option will make renaming DNS records much easier. Add a unit test for this new functionality. https://fedorahosted.org/freeipa/ticket/2600 I wonder, how hard would it be to modify the patch to allow --rename on all objects, as requested in

Re: [Freeipa-devel] [PATCH] 1014 configurable service timeout

2012-05-29 Thread Rob Crittenden
Martin Kosek wrote: On Thu, 2012-05-24 at 11:38 -0400, Rob Crittenden wrote: Petr Viktorin wrote: On 05/18/2012 10:03 PM, Rob Crittenden wrote: Rob Crittenden wrote: A hardcoded timeout was used in ipactl for service restarts, set rather low. A separate timeout was hardcoded into the installe

[Freeipa-devel] [PATCH] 268 Add rename option for DNS records

2012-05-29 Thread Martin Kosek
This option will make renaming DNS records much easier. Add a unit test for this new functionality. https://fedorahosted.org/freeipa/ticket/2600 From d30b98c2fa4a2e4cb907d1727879cab616d166a6 Mon Sep 17 00:00:00 2001 From: Martin Kosek Date: Tue, 29 May 2012 15:58:36 +0200 Subject: [PATCH] Add r

Re: [Freeipa-devel] [PATCH] 266 Reset krbtpolicy when a unit test is finished

2012-05-29 Thread Martin Kosek
On Tue, 2012-05-29 at 09:47 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > Pushed to master under the one-liner rule. > > > > --- > > > > Kerberos ticket maximum life was being set to 1 hour which then > > affected lifetime of Kerberos tickets returned by IPA server under > > the test. > >

Re: [Freeipa-devel] [PATCH] 266 Reset krbtpolicy when a unit test is finished

2012-05-29 Thread Rob Crittenden
Martin Kosek wrote: Pushed to master under the one-liner rule. --- Kerberos ticket maximum life was being set to 1 hour which then affected lifetime of Kerberos tickets returned by IPA server under the test. Make sure that the policy is reset before and after the unit test to keep the IPA serv

[Freeipa-devel] [PATCH] 267 Allow relative DNS name in NS validator

2012-05-29 Thread Martin Kosek
Precallback validator was failing when a zone-relative name was used as a NS record (for example record "ns" in a zone "example.com"). However, this is valid in BIND and we should allow it as well. Imports in dns module had to be switched to absolute imports (available from Python 2.5) to deal wit

Re: [Freeipa-devel] [PATCH] 1014 configurable service timeout

2012-05-29 Thread Martin Kosek
On Thu, 2012-05-24 at 11:38 -0400, Rob Crittenden wrote: > Petr Viktorin wrote: > > On 05/18/2012 10:03 PM, Rob Crittenden wrote: > >> Rob Crittenden wrote: > >>> A hardcoded timeout was used in ipactl for service restarts, set rather > >>> low. A separate timeout was hardcoded into the installer.

Re: [Freeipa-devel] [PATCH] 0040 Move install script error handling to a common function

2012-05-29 Thread Martin Kosek
On Tue, 2012-05-22 at 15:45 +0200, Petr Viktorin wrote: > On 2012-04-23 17:05, John Dennis wrote: > > On 04/23/2012 05:19 AM, Petr Viktorin wrote: > >> This fixes https://fedorahosted.org/freeipa/ticket/2071 (Add final debug > >> message in installers). > >> > >> I submitted an earlier version of t

Re: [Freeipa-devel] [PATCH] 1019 require policycoreutils if SELinux is enabled

2012-05-29 Thread Martin Kosek
On Fri, 2012-05-18 at 11:53 -0400, Rob Crittenden wrote: > We don't have an explicit requires on the policycoreutils package in the > client because SELinux is not required (just recommended). > > SELinux can be enabled without this package so check for that condition > and don't allow installat

Re: [Freeipa-devel] [PATCH] 0053 Disallow setattr on no_update/no_create params

2012-05-29 Thread Martin Kosek
On Mon, 2012-05-21 at 13:58 +0200, Petr Viktorin wrote: > Only use no_create/no_update for things we really don't want the user to > change (even through setattr). This is stuff like ipacertificatesubjectbase. > Make --{set,add,del}attr refuse to modify these params. > > For things we just don't