Re: [Freeipa-devel] [PATCH] 262-265 Enable psearch by default

2012-06-08 Thread Martin Kosek
On Tue, 2012-06-05 at 09:32 +0200, Martin Kosek wrote:
 On Mon, 2012-06-04 at 23:49 -0400, Rob Crittenden wrote:
  Martin Kosek wrote:
   On Fri, 2012-05-25 at 17:14 +0200, Martin Kosek wrote:
   On Fri, 2012-05-25 at 09:25 -0400, Rob Crittenden wrote:
   Martin Kosek wrote:
   This set of patches handles enabling psearch both for new installations
   (patch 263) and upgraded IPA servers.
  
   For upgraded IPA servers I needed to make sure that psearch is not
   enabled for every IPA package update, but at most once, when a user
   updates to IPA with this patch for the first time (patch 264). This is
   enabled by a new State store located in /var/lib/ipa/sysupgrade (patch
   262).
  
   I also improved the way we handled SELinux sebool updates (patch 265),
   this can make ipa-upgradeconfig finish in 0.4 seconds instead of 150
   seconds as previously. Details are in the patches.
  
   Martin
  
   262:
   The sysupgrade directory isn't created by the RPM install:
  
   mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysupgrade
  
   Fixed.
  
  
   263:
  
   It looks like zone_refresh is simply disabled in bindinstance.py, why
   not remove it completely?
  
   zone_refresh is used by bindinstance.py. ipa-server-install or
   ipa-dns-install may be configured to use zone refresh instead of
   persistent search mechanism to update the zones (e.g. --zone-refresh
   30).
  
  
   264:
  
   Small nit, worth doing case-insensitive compare of psearch enabled 
   status?
  
   Petr2 told me that arg value for boolean configuration option is
   case-insensitive, so we can do that - fixed.
  
  
   We're updating named.conf in place so I don't know that we need to reset
   permissions. It at least shouldn't get modified by the write.
  
   Right, I was being too defensive. I removed the check.
  
   I made the upgrade more robust, now it won't crash for example when
   named.conf does not exist. I also made sure the upgrade script works
   correctly when the IPA is configured without DNS.
  
   Martin
  
   I rebased the patches for current master. I also slightly reworked patch
   265, the error message printed in case of an unsuccessful setsebool was
   not printed right.
  
   Martin
  
  Trailing whitespace in 264:
  
  # git am /tmp/freeipa-mkosek-264-3-enable-psearch-on-upgrades.patch
  Applying: Enable psearch on upgrades
  /home/rcrit/redhat/freeipa-nossh/.git/rebase-apply/patch:108: trailing 
  whitespace.
   root_logger.error('Cannot update connections in %s: 
  %s',
  warning: 1 line adds whitespace errors.
 
 Fixed.
 
  
  I don't think the DNS detection is adequate in 264, testing for 
  named.conf is not enough. What if someone is running a non-IPA DNS 
  server on the box?
 
 I assume you are referring to this line:
 +if not bindinstance.named_conf_exists():
 
 It checks both if the named.conf exists + if it has bind-dyndb-ldap
 configured for IPA:
 if line.startswith('dynamic-db ipa'):
 
  
  I know that I've recently done similar config changes but in 265 is 
  using line.startswith() going to be fragile?
 
 I assume you mean patch 264. This should be OK - user would need to mess
 with the configuration generated by our install scripts to break it. But
 in this case, other regex-es would fail too. I did not want to get too
 wild with regex-es to keep it simple and safe. The worst case scenario
 should be that named.conf is not updated and psearch is not turned on.
 
  
  In 266 I'd merge in the ipa-upgradeconfig change into 265 or some other 
  patch.
 
 I assume you mean patch 265. I had this change moved to 264 right after
 I sent the patches :-)
 
  
  In the 'for setting, state' loop should it be catching a 
  CalledProcessException rather than raw Exception? I think that is all 
  that should be raised there.
 
 Right, fixed.
 
  
  I did an upgrade and it seemed to work ok, ended up with these scary 
  messages in /var/log/messages:
  
  Jun  4 23:39:17 localhost named[18753]: LDAP error: Can't contact LDAP 
  server
  Jun  4 23:39:17 localhost named[18753]: connection to the LDAP server 
  was lost
  Jun  4 23:39:17 localhost named[18753]: bind to LDAP server failed: 
  Can't contact LDAP server
  Jun  4 23:39:17 localhost named[18753]: ldap_psearch_watcher failed to 
  handle LDAP connection error. Reconnection in 60s
  Jun  4 23:39:17 localhost named[18753]: LDAP error: Can't contact LDAP 
  server
  Jun  4 23:39:17 localhost named[18753]: connection to the LDAP server 
  was lost
  Jun  4 23:39:17 localhost named[18753]: bind to LDAP server failed: 
  Can't contact LDAP server
  Jun  4 23:39:17 localhost ns-slapd[18798]: [04/Jun/2012:23:39:17 -0400] 
  - Information: Non-Secure Port Disabled
  Jun  4 23:40:17 localhost named[18753]: handle_connection_error failed 
  to obtain ldap error code
  Jun  4 23:40:17 localhost named[18753]: connection to the LDAP server 
  was lost
  Jun  4 23:40:17 localhost named[18753]: bind to LDAP server failed: 
  

Re: [Freeipa-devel] [PATCH 0022] fix crash during zone unload when NS is not resolvable

2012-06-08 Thread Martin Kosek
On Thu, 2012-06-07 at 17:51 +0200, Adam Tkac wrote:
 On Thu, Jun 07, 2012 at 04:03:46PM +0200, Martin Kosek wrote:
  On Thu, 2012-06-07 at 15:33 +0200, Petr Spacek wrote:
   Hello,
   
   this patch fixes https://fedorahosted.org/bind-dyndb-ldap/ticket/77: 
   bind-dyndb-ldap crashes during zone unload when NS is not resolvable.
   
   During investigation I found two other suspicious places. This patch adds
   only a comment near them. Any changes (as necessary) will be in a separate
   patch.
   
   Petr^2 Spacek
  
  Thanks Petr for investigation and quick fix!
  
  Adam, if this passes your review, I think it would be great to have an F17
  build at least in koji so that we can switch psearch on by default so
  that other developers start testing it (with the new bind-dyndb-ldap
  build so that their unit tests do not crash named).
 
 The patch was ok and update has been submitted to bodhi. It should be in
 updates-testing very soon.
 
 Regards, Adam
 

Thanks a lot Adam! I tested the new bind-dyndb-ldap version and it fixed
the issue I found - karma++.

I sent a rebased patch to enable psearch in IPA by default - let's get it
grilled :-)

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


[Freeipa-devel] [PATCH] 0060 Clean keytabs before installing new keys into them

2012-06-08 Thread Petr Viktorin
This removes old principals for the newly installed realm from 
/etc/krb5.keytab before client installation.
The ticket also mentioned doing this for server/replica installs, but in 
that case the keytab is removed and created from scratch.


https://fedorahosted.org/freeipa/ticket/2698

--
Petr³
From 693d60a9b9601ee12dc185c38bf68550b10e5d43 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Wed, 6 Jun 2012 10:44:06 -0400
Subject: [PATCH] Clean keytabs before installing new keys into them

In ipa-client-install (which is also called from server/replica
installation), call `ipa-rmkeytab -k keytab -r $REALM` to be
sure that there aren't any remnants from a previous install of
IPA or another KDC altogether.

https://fedorahosted.org/freeipa/ticket/2698
---
 ipa-client/ipa-install/ipa-client-install |   15 +++
 1 file changed, 15 insertions(+)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index afc332a99757039679f9e4dfd1bdc63b376e6c6e..79df8972c14a94ca4380b433fa98bbc11476184a 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1206,6 +1206,21 @@ def install(options, env, fstore, statestore):
 if not options.unattended and not user_input(Continue to configure the system with these values?, False):
 return CLIENT_INSTALL_ERROR
 
+if not options.on_master:
+# Try removing old principals from the keytab
+try:
+ipautil.run(['/usr/sbin/ipa-rmkeytab',
+'-k', '/etc/krb5.keytab', '-r', cli_realm])
+except CalledProcessError, e:
+if e.returncode not in (3, 5):
+# 3 - Unable to open keytab
+# 5 - Principal name or realm not found in keytab
+root_logger.error(Error trying to clean keytab:  +
+/usr/sbin/ipa-rmkeytab returned %s % e.returncode)
+else:
+root_logger.info(Removed old keys for realm %s from %s % (
+cli_realm, '/etc/krb5.keytab'))
+
 if options.hostname and not options.on_master:
 # configure /etc/sysconfig/network to contain the hostname we set.
 # skip this step when run by ipa-server-install as it always configures
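Review bot: on any exit code other than 3 or 5 the except branch only logs an error and the install carries on, so the stated goal (no remnants of a previous realm in /etc/krb5.keytab) can silently fail; either abort on those codes or make the log entry actionable by including the tool's stderr rather than just `returned %s % e.returncode`. Two smaller points: the hunk references CalledProcessError without an import visible in this file, so confirm it is already imported, and '/etc/krb5.keytab' is spelled out twice in the hunk; a local name would keep the run() argument and the log message in step.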
-- 
1.7.10.2


Re: [Freeipa-devel] [PATCH] 0059 Fix update plugin order

2012-06-08 Thread Petr Viktorin

On 06/08/2012 04:39 AM, Rob Crittenden wrote:

Petr Viktorin wrote:

While messing with the ipa-ldap-updater, I found the order method was
using an algorithm that could give incorrect results. I'm submitting a
fix in an extra patch, as it's largely unrelated and shouldn't be so
controversial.


Can you open a ticket on this? We like to have a ticket for every commit
(minus a random one-liner here and there).

thanks

rob



Created a ticket, and added a link to the commit message.

https://fedorahosted.org/freeipa/ticket/2820

--
Petr³



Re: [Freeipa-devel] [PATCH] 0059 Fix update plugin order

2012-06-08 Thread Petr Viktorin

On 06/08/2012 12:31 PM, Petr Viktorin wrote:

On 06/08/2012 04:39 AM, Rob Crittenden wrote:

Petr Viktorin wrote:

While messing with the ipa-ldap-updater, I found the order method was
using an algorithm that could give incorrect results. I'm submitting a
fix in an extra patch, as it's largely unrelated and shouldn't be so
controversial.


Can you open a ticket on this? We like to have a ticket for every commit
(minus a random one-liner here and there).

thanks

rob



Created a ticket, and added a link to the commit message.

https://fedorahosted.org/freeipa/ticket/2820



... and forgot to attach the patch.

--
Petr³
From 5a632211bef20bf4d473d8877f6c7c784f8e8c2b Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Wed, 30 May 2012 08:03:49 -0400
Subject: [PATCH] Fix update plugin order

Sort a filtered list in the update plugin ordering method.

Unlike the previous algorithm, this always gives a correct order.
It should also be faster and more readable.

https://fedorahosted.org/freeipa/ticket/2820
---
 ipaserver/install/plugins/updateclient.py |   20 +---
 1 file changed, 5 insertions(+), 15 deletions(-)

diff --git a/ipaserver/install/plugins/updateclient.py b/ipaserver/install/plugins/updateclient.py
index a2a2ce2aa7f2411c97f2b4961423f4e952af6596..10d899abcad091a3396d4315d877b5656068775e 100644
--- a/ipaserver/install/plugins/updateclient.py
+++ b/ipaserver/install/plugins/updateclient.py
@@ -106,22 +106,12 @@ def create_context(self, dm_password):
 self.Backend.ldap2.connect(bind_dn='cn=Directory Manager', bind_pw=dm_password, autobind=autobind)
 
 def order(self, updatetype):
+Return plugins of the given updatetype in sorted order.
 
-Calculate rough order of plugins.
-
-order = []
-for plugin in api.Updater(): #pylint: disable=E1101
-if plugin.updatetype != updatetype:
-continue
-if plugin.order == FIRST:
-order.insert(0, plugin)
-elif plugin.order == MIDDLE:
-order.insert(len(order)/2, plugin)
-else:
-order.append(plugin)
-
-for o in order:
-yield o
+ordered = [plugin for plugin in api.Updater()  # pylint: disable=E1101
+   if plugin.updatetype == updatetype]
+ordered.sort(key=lambda p: p.order)
+return ordered
 
 def update(self, updatetype, dm_password, ldapi, live_run):
 
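Review bot: the new body sorts on plugin.order, so it relies on FIRST, MIDDLE and the default order being comparable values that sort in the intended sequence, whereas the removed code only tested them for equality; the docstring `Return plugins of the given updatetype in sorted order.` should say so, and should note that list.sort is stable, so plugins sharing an order value keep their registration order. order() also now returns a list instead of a generator; fine for iterating callers, but worth a line in the commit message.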
-- 
1.7.10.2
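The ordering defect the commit message refers to, made concrete as an added example (not FreeIPA's code): order_old() and order_new() reproduce the logic of the removed and the added body of order() over an in-memory plugin list, and a registration sequence is shown for which the insert-based version places a MIDDLE plugin ahead of a FIRST one. The Plugin record and the numeric FIRST/MIDDLE/LAST values are assumptions.

```python
"""Before/after of the update-plugin ordering on an in-memory list (added example)."""
from collections import namedtuple
from itertools import permutations

FIRST, MIDDLE, LAST = 0, 50, 100       # assumed values; any ascending ints work
Plugin = namedtuple('Plugin', 'name updatetype order')


def order_old(plugins, updatetype):
    """Insert-based ordering, as in the removed code."""
    order = []
    for plugin in plugins:
        if plugin.updatetype != updatetype:
            continue
        if plugin.order == FIRST:
            order.insert(0, plugin)
        elif plugin.order == MIDDLE:
            order.insert(len(order) // 2, plugin)
        else:
            order.append(plugin)
    return order


def order_new(plugins, updatetype):
    """Filter then sort, as in the added code. list.sort is stable, so
    plugins with the same order value keep their registration order."""
    ordered = [p for p in plugins if p.updatetype == updatetype]
    ordered.sort(key=lambda p: p.order)
    return ordered


def is_well_ordered(seq):
    """No plugin may come after one with a larger order value."""
    return all(a.order <= b.order for a, b in zip(seq, seq[1:]))


def counterexample():
    """Registration sequence for which the old algorithm puts a MIDDLE
    plugin ahead of a FIRST one; returns (old_names, new_names)."""
    plugins = [Plugin('f1', 'pre', FIRST), Plugin('f2', 'pre', FIRST),
               Plugin('l1', 'pre', LAST), Plugin('m1', 'pre', MIDDLE),
               Plugin('p1', 'post', FIRST)]    # other updatetype, filtered out
    return ([p.name for p in order_old(plugins, 'pre')],
            [p.name for p in order_new(plugins, 'pre')])


def failures_over_all_registrations():
    """Try every registration order of a small plugin set; returns how many
    of them the old and the new algorithm get wrong."""
    base = [Plugin('f1', 'pre', FIRST), Plugin('f2', 'pre', FIRST),
            Plugin('m1', 'pre', MIDDLE), Plugin('l1', 'pre', LAST)]
    old_bad = new_bad = 0
    for perm in permutations(base):
        old_bad += not is_well_ordered(order_old(perm, 'pre'))
        new_bad += not is_well_ordered(order_new(perm, 'pre'))
    return old_bad, new_bad


if __name__ == '__main__':
    print(counterexample())
    print(failures_over_all_registrations())
```

Walking the counterexample through order_old: f1 and f2 are each inserted at index 0, l1 is appended, and m1 then lands at len(order)//2 == 1, between f2 and f1. The sort-based version never depends on the registration sequence.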


Re: [Freeipa-devel] [PATCH] 262-265 Enable psearch by default

2012-06-08 Thread Rob Crittenden

Martin Kosek wrote:

On Tue, 2012-06-05 at 09:32 +0200, Martin Kosek wrote:

On Mon, 2012-06-04 at 23:49 -0400, Rob Crittenden wrote:

Martin Kosek wrote:

On Fri, 2012-05-25 at 17:14 +0200, Martin Kosek wrote:

On Fri, 2012-05-25 at 09:25 -0400, Rob Crittenden wrote:

Martin Kosek wrote:

This set of patches handles enabling psearch both for new installations
(patch 263) and upgraded IPA servers.

For upgraded IPA servers I needed to make sure that psearch is not
enabled for every IPA package update, but at most once, when a user
updates to IPA with this patch for the first time (patch 264). This is
enabled by a new State store located in /var/lib/ipa/sysupgrade (patch
262).

I also improved the way we handled SELinux sebool updates (patch 265),
this can make ipa-upgradeconfig finish in 0.4 seconds instead of 150
seconds as previously. Details are in the patches.

Martin


262:
The sysupgrade directory isn't created by the RPM install:

mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysupgrade


Fixed.



263:

It looks like zone_refresh is simply disabled in bindinstance.py, why
not remove it completely?


zone_refresh is used by bindinstance.py. ipa-server-install or
ipa-dns-install may be configured to use zone refresh instead of
persistent search mechanism to update the zones (e.g. --zone-refresh
30).



264:

Small nit, worth doing case-insensitive compare of psearch enabled status?


Petr2 told me that arg value for boolean configuration option is
case-insensitive, so we can do that - fixed.



We're updating named.conf in place so I don't know that we need to reset
permissions. It at least shouldn't get modified by the write.


Right, I was being too defensive. I removed the check.

I made the upgrade more robust, now it won't crash for example when
named.conf does not exist. I also made sure the upgrade script works
correctly when the IPA is configured without DNS.

Martin


I rebased the patches for current master. I also slightly reworked patch
265, the error message printed in case of an unsuccessful setsebool was
not printed right.

Martin


Trailing whitespace in 264:

# git am /tmp/freeipa-mkosek-264-3-enable-psearch-on-upgrades.patch
Applying: Enable psearch on upgrades
/home/rcrit/redhat/freeipa-nossh/.git/rebase-apply/patch:108: trailing
whitespace.
  root_logger.error('Cannot update connections in %s:
%s',
warning: 1 line adds whitespace errors.


Fixed.



I don't think the DNS detection is adequate in 264, testing for
named.conf is not enough. What if someone is running a non-IPA DNS
server on the box?


I assume you are referring to this line:
+if not bindinstance.named_conf_exists():

It checks both if the named.conf exists + if it has bind-dyndb-ldap
configured for IPA:
 if line.startswith('dynamic-db ipa'):



I know that I've recently done similar config changes but in 265 is
using line.startswith() going to be fragile?


I assume you mean patch 264. This should be OK - user would need to mess
with the configuration generated by our install scripts to break it. But
in this case, other regex-es would fail too. I did not want to get too
wild with regex-es to keep it simple and safe. The worst case scenario
should be that named.conf is not updated and psearch is not turned on.



In 266 I'd merge in the ipa-upgradeconfig change into 265 or some other
patch.


I assume you mean patch 265. I had this change moved to 264 right after
I sent the patches :-)



In the 'for setting, state' loop should it be catching a
CalledProcessException rather than raw Exception? I think that is all
that should be raised there.


Right, fixed.



I did an upgrade and it seemed to work ok, ended up with these scary
messages in /var/log/messages:

Jun  4 23:39:17 localhost named[18753]: LDAP error: Can't contact LDAP
server
Jun  4 23:39:17 localhost named[18753]: connection to the LDAP server
was lost
Jun  4 23:39:17 localhost named[18753]: bind to LDAP server failed:
Can't contact LDAP server
Jun  4 23:39:17 localhost named[18753]: ldap_psearch_watcher failed to
handle LDAP connection error. Reconnection in 60s
Jun  4 23:39:17 localhost named[18753]: LDAP error: Can't contact LDAP
server
Jun  4 23:39:17 localhost named[18753]: connection to the LDAP server
was lost
Jun  4 23:39:17 localhost named[18753]: bind to LDAP server failed:
Can't contact LDAP server
Jun  4 23:39:17 localhost ns-slapd[18798]: [04/Jun/2012:23:39:17 -0400]
- Information: Non-Secure Port Disabled
Jun  4 23:40:17 localhost named[18753]: handle_connection_error failed
to obtain ldap error code
Jun  4 23:40:17 localhost named[18753]: connection to the LDAP server
was lost
Jun  4 23:40:17 localhost named[18753]: bind to LDAP server failed:
Can't contact LDAP server
Jun  4 23:40:17 localhost named[18753]: ldap_psearch_watcher failed to
handle LDAP connection error. Reconnection in 60s
Jun  4 23:41:17 localhost named[18753]: handle_connection_error failed
to obtain ldap error code
Jun  4 23:41:17 

Re: [Freeipa-devel] [PATCH] 157 Added password reset capabilities to unauthorized dialog

2012-06-08 Thread Petr Vobornik

and now the patch...
On 06/08/2012 05:51 PM, Petr Vobornik wrote:

For those of you who are only interested in the user perspective I prepared a
set of screenshots to demonstrate the workflow of password reset:
http://pvoborni.fedorapeople.org/ux/reset_password_workflow.png

Patch depends on mkosek #274.

Web UI was missing a way to reset an expired password for a normal user.
A recent server patch added an API for such a task. This patch adds a reset
password form to the unauthorized dialog.

If a user tries to log in using form-based authentication and his password
is expired, the login form transforms into a reset password form. The username
and current password are populated with the values from the previous login
attempt. The user then has to enter the new password and its verification. Then
he can hit the Enter key on the keyboard or click the Reset button on the dialog
to perform the password reset. An error is displayed if some part of the password
reset fails. If it is successful, a new login with the values entered for the
password reset is performed. It should log the user in. In the password reset
form the user can click the Back button or hit Escape on the keyboard to go back
to the login form.

https://fedorahosted.org/freeipa/ticket/2755



--
Petr Vobornik
From f627eb2709ca2a4176c8c6de45e02ba270b7056d Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Fri, 8 Jun 2012 15:02:25 +0200
Subject: [PATCH] Added password reset capabilities to unauthorized dialog

Web UI was missing a way to reset an expired password for a normal user. A recent server patch added an API for such a task. This patch adds a reset password form to the unauthorized dialog.

If a user tries to log in using form-based authentication and his password is expired, the login form transforms into a reset password form. The username and current password are populated with the values from the previous login attempt. The user then has to enter the new password and its verification. Then he can hit the Enter key on the keyboard or click the Reset button on the dialog to perform the password reset. An error is displayed if some part of the password reset fails. If it is successful, a new login with the values entered for the password reset is performed. It should log the user in. In the password reset form the user can click the Back button or hit Escape on the keyboard to go back to the login form.

https://fedorahosted.org/freeipa/ticket/2755
---
 install/ui/ipa.js  |  349 ++--
 install/ui/test/data/ipa_init.json |2 +
 ipalib/plugins/internal.py |2 +
 3 files changed, 301 insertions(+), 52 deletions(-)

diff --git a/install/ui/ipa.js b/install/ui/ipa.js
index 648fcfc31e1f017aeecd597189b5d4a9789194ae..ffee6f5590620318f515b43d18418716fa9e9798 100644
--- a/install/ui/ipa.js
+++ b/install/ui/ipa.js
@@ -402,6 +402,62 @@ IPA.login_password = function(username, password) {
 return result;
 };
 
+IPA.reset_password = function(username, old_password, new_password) {
+
+//possible results: 'ok', 'invalid-password', 'policy-error'
+
+var status, result, reason, invalid, failure, data, request;
+
+status = 'invalid';
+result = {
+status: status,
+message: IPA.get_message('password.reset_failure',
+Password reset was not successful.)
+};
+
+function success_handler(data, text_status, xhr) {
+
+result.status = xhr.getResponseHeader(X-IPA-Pwchange-Result) || status;
+
+if (result.status === 'policy-error') {
+result.message = xhr.getResponseHeader(X-IPA-Pwchange-Policy-Error);
+} else if (result.status === 'invalid-password') {
+result.message = IPA.get_message('password.invalid_password',
+  The password or username you entered is incorrect.);
+}
+
+return result;
+}
+
+function error_handler(xhr, text_status, error_thrown) {
+return result;
+}
+
+data = {
+user: username,
+old_password: old_password,
+new_password: new_password
+};
+
+request = {
+url: '/ipa/session/change_password',
+data: data,
+contentType: 'application/x-www-form-urlencoded',
+processData: true,
+dataType: 'html',
+async: false,
+type: 'POST',
+success: success_handler,
+error: error_handler
+};
+
+IPA.display_activity_icon();
+$.ajax(request);
+IPA.hide_activity_icon();
+
+return result;
+};
+
 /**
  * Call an IPA command over JSON-RPC.
  *
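Review bot: `+function error_handler(xhr, text_status, error_thrown) {` discards its arguments, so a transport failure or a server error from /ipa/session/change_password yields the same generic 'Password reset was not successful.' as a rejected password and nothing is logged; inspect xhr.status there and give the user (and the console) a distinguishable message. Also, `async: false` blocks the UI thread for the whole round trip, so the activity icon shown around $.ajax(request) may never repaint while the call is in flight; an asynchronous call with a callback would avoid that. Falling back to the 'invalid' status when X-IPA-Pwchange-Result is absent is the right default.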
@@ -1386,6 +1442,8 @@ IPA.unauthorized_dialog = function(spec) {
 
 spec.sections = [
 {
+name: 'login',
+label: 'Login',
 fields: [
 {
 name: 'username',
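Review bot: `+label: 'Login',` is a hard-coded English string, while the field labels in this dialog go through IPA.get_message (the password field in the next hunk does); use the same lookup here so the section title is translatable.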
@@ -1399,6 +1457,35 @@ IPA.unauthorized_dialog = function(spec) {
 label: IPA.get_message('login.password', Password)
 }
 ]
+},
+{
+name: 'reset',
+label: 'Reset',
+fields: [
+{
+

[Freeipa-devel] [PATCH] 158 Separate reset password page

2012-06-08 Thread Petr Vobornik
This patch adds a separate reset password page. It is a complement to the 
separate login page. It differs from the reset password capabilities 
in the Web UI's unauthorized dialog by not performing a login. This is useful 
for users who want only to reset the password and not to use the Web UI, 
and also for users who are using the separate login page.


https://fedorahosted.org/freeipa/ticket/2755
--
Petr Vobornik
From 597c567114d9913acb3cad0924b1eeba6d367573 Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Fri, 8 Jun 2012 16:38:17 +0200
Subject: [PATCH] Separate reset password page

This patch adds a separate reset password page. It is a complement to the separate login page. It differs from the reset password capabilities in the Web UI's unauthorized dialog by not performing a login. This is useful for users who want only to reset the password and not to use the Web UI, and also for users who are using the separate login page.

https://fedorahosted.org/freeipa/ticket/2755
---
 freeipa.spec.in|4 +
 install/ui/Makefile.am |2 +
 install/ui/ipa.css |   11 ++-
 install/ui/jsl.conf|1 +
 install/ui/login.html  |3 +-
 install/ui/{login.html = reset_password.html} |   27 +++--
 install/ui/reset_password.js   |  136 
 7 files changed, 170 insertions(+), 14 deletions(-)
 copy install/ui/{login.html = reset_password.html} (56%)
 create mode 100644 install/ui/reset_password.js

diff --git a/freeipa.spec.in b/freeipa.spec.in
index de93aecb6142f73528e6aefe89d6bfcb48fc036f..ac61ce8464ddaae84ced189d5e6802a8d500fbb6 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -564,6 +564,7 @@ fi
 %{_usr}/share/ipa/ui/index.html
 %{_usr}/share/ipa/ui/login.html
 %{_usr}/share/ipa/ui/logout.html
+%{_usr}/share/ipa/ui/reset_password.html
 %{_usr}/share/ipa/ui/*.ico
 %{_usr}/share/ipa/ui/*.css
 %{_usr}/share/ipa/ui/*.js
@@ -684,6 +685,9 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
+* Fri Jun 8 2012 Petr Vobornik pvobo...@redhat.com - 2.99.0-30
+- Add Web UI reset password page
+
 * Fri May 11 2012 Martin Kosek mko...@redhat.com - 2.99.0-29
 - Replace used DNS client library (acutil) with python-dns
 
diff --git a/install/ui/Makefile.am b/install/ui/Makefile.am
index e4256de913b7d178c529390732075c183a14f247..ea3a2029535c4ca73318779de2579ee6034bca95 100644
--- a/install/ui/Makefile.am
+++ b/install/ui/Makefile.am
@@ -53,6 +53,8 @@ app_DATA =\
 	overpass_regular-web.ttf	\
 	overpass_regular-web.woff	\
 	policy.js			\
+	reset_password.js			\
+	reset_password.html			\
 	rule.js 			\
 	search.js 			\
 	selinux.js 			\
diff --git a/install/ui/ipa.css b/install/ui/ipa.css
index 5371070a1c875c0bab4d058eebc5a353df29a79f..1793e7f75616332417a0c4b1822b9dc75b51e862 100644
--- a/install/ui/ipa.css
+++ b/install/ui/ipa.css
@@ -1578,6 +1578,15 @@ span.sshkey-status, a.sshkey-set {
 padding: 1em 2em;
 }
 
+#success-box, .success-box {
+-moz-border-radius: 0.3em 0.3em 0.3em 0.3em;
+-webkit-border-radius: 0.3em 0.3em 0.3em 0.3em;
+background-color: #FFEB80;
+border: 1px solid #FFDE2E;
+margin: 0 2em 1em 2em;
+padding: 1em 2em;
+}
+
 #formwindow h2 {
 background-color: #F0F0F0;
 font-size: 1.6em;
@@ -1619,7 +1628,7 @@ span.sshkey-status, a.sshkey-set {
 box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.2);
 margin-left: 15px;
 padding: 2px 10px;
-width: 248px;
+width: 210px;
 }
 
 #login li label, #modal li label {
diff --git a/install/ui/jsl.conf b/install/ui/jsl.conf
index 3eebda4e8f6f6cb9ed9b3b502feec3558d723bc4..97789b2f08e96b06f94c4d212df7122fb7dff49d 100644
--- a/install/ui/jsl.conf
+++ b/install/ui/jsl.conf
@@ -159,3 +159,4 @@
 +process automember.js
 +process webui.js
 +process login.js
++process reset_password.js
diff --git a/install/ui/login.html b/install/ui/login.html
index 9902466a70b3deb7e4c7ec5168abc803935d0c32..69e3dea7f0f09906a7586c745e5df8c326803580 100644
--- a/install/ui/login.html
+++ b/install/ui/login.html
@@ -30,7 +30,7 @@
 
 div id=expired class=error-box style=display:none
 pstrongPassword expired/strong/p
-pPlease run kinit to reset the password and then try to login again./p
+pPlease a href=reset_password.htmlreset the password/a and then try to login again./p
 pIf the problem persists, contact your administrator./p
 /div
 
@@ -52,7 +52,6 @@
 /form
 /div
 /div
-
 /body
 
 /html
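Review bot: this hunk only deletes a blank line before the body end tag, an unrelated whitespace change; either drop it from this patch or mention the cleanup in the commit message so it does not read as an accidental edit.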
diff --git a/install/ui/login.html b/install/ui/reset_password.html
similarity index 56%
copy from install/ui/login.html
copy to install/ui/reset_password.html
index 9902466a70b3deb7e4c7ec5168abc803935d0c32..af191cc0780fec6ee023b8dd16626b5196bf1c5d 100644
--- a/install/ui/login.html
+++ b/install/ui/reset_password.html
@@ -8,7 +8,7 @@
 
 script 

Re: [Freeipa-devel] [PATCH] 19-21 Use exop instead of kadmin.local

2012-06-08 Thread Sumit Bose
On Thu, Jun 07, 2012 at 12:09:32PM +0200, Sumit Bose wrote:
 now with patches :-)
 On Thu, Jun 07, 2012 at 12:07:13PM +0200, Sumit Bose wrote:
  Hi,
  
  this patch fixes https://fedorahosted.org/freeipa/ticket/2513 and as a
  consequence makes https://fedorahosted.org/freeipa/ticket/2516 obsolete.
  
  This first patch is just a minor cleanup which is not related to the
  ticket. The second makes create_keys() a public function so that it can be
  called by the ipasam plugin as well. Finally, the third patch removes the
  kadmin.local call and calls the KEYTAB_SET_OID extended operation
  instead.
  
  bye,
  Sumit

Alexander asked to merge the ACI into the existing ACI for the adtrust
agents. New version attached.

bye,
Sumit
From 21fb092ec76e3241e2aeb5aeffa065bcc39c63ea Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Tue, 13 Mar 2012 14:06:02 +0100
Subject: [PATCH] Use exop instead of kadmin.local

---
 daemons/ipa-sam/Makefile.am  |6 +++
 daemons/ipa-sam/ipa_sam.c|  101 --
 install/updates/60-trusts.update |2 +-
 3 Dateien geändert, 81 Zeilen hinzugefügt(+), 28 Zeilen entfernt(-)

diff --git a/daemons/ipa-sam/Makefile.am b/daemons/ipa-sam/Makefile.am
index b5b9b0b75b276ac14b01ce35bae63af539e596fc..275cce629385b1719544a7832a00e9ee6664b739 100644
--- a/daemons/ipa-sam/Makefile.am
+++ b/daemons/ipa-sam/Makefile.am
@@ -7,6 +7,9 @@ SAMBA40EXTRA_LIBS = $(SAMBA40EXTRA_LIBPATH) \
-lsmbconf   \
$(NULL)
 
+KRB5_UTIL_DIR=../../util
+KRB5_UTIL_SRCS=$(KRB5_UTIL_DIR)/ipa_krb5.c
+
 INCLUDES = \
-I. \
-I$(srcdir) \
@@ -18,6 +21,7 @@ INCLUDES =\
-DDATADIR=\$(datadir)\  \
-DLDAPIDIR=\$(localstatedir)/run\   \
-DHAVE_LDAP \
+   -I $(KRB5_UTIL_DIR) \
$(AM_CFLAGS)\
$(LDAP_CFLAGS)  \
$(KRB5_CFLAGS)  \
@@ -34,6 +38,7 @@ plugin_LTLIBRARIES =  \
 
 ipasam_la_SOURCES =\
ipa_sam.c   \
+   $(KRB5_UTIL_SRCS)   \
$(NULL)
 
 ipasam_la_LDFLAGS =\
@@ -43,6 +48,7 @@ ipasam_la_LDFLAGS =   \
 
 ipasam_la_LIBADD = \
$(LDAP_LIBS)\
+   $(KRB5_LIBS)\
$(TALLOC_LIBS)  \
$(SAMBAUTIL_LIBS)   \
$(NDR_LIBS) \
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 2627025a8f2f757ca62c58b541c002f46e7c3be1..851df8c62f0ffb159610ce0ac311463233eea497 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -9,6 +9,7 @@
 #include pwd.h
 #include errno.h
 #include ldap.h
+#include krb5/krb5.h
 
 #include talloc.h
 
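Review bot: `+#include krb5/krb5.h` duplicates the krb5/krb5.h include that the next hunk's context shows is already present further down, next to sasl/sasl.h; keep only one of them.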
@@ -28,17 +29,7 @@
 
 #include sasl/sasl.h
 #include krb5/krb5.h
-#include time.h
-
-/* TODO: remove if smbrunsecret() is removed */
-typedef struct connection_structi {} connection_struct;
-struct current_user {
-   connection_struct *conn;
-   uint16_t vuid;
-   struct security_unix_token ut;
-   struct security_token *nt_user_token;
-};
-extern struct current_user current_user;
+#include ipa_krb5.h
 
 /* from drsblobs.h */
 struct AuthInfoNone {
@@ -104,7 +95,6 @@ char *sid_string_talloc(TALLOC_CTX *mem_ctx, const struct 
dom_sid *sid); /* avai
 char *sid_string_dbg(const struct dom_sid *sid); /* available in libsmbconf.so 
*/
 bool is_null_sid(const struct dom_sid *sid); /* available in libsecurity.so */
 bool strnequal(const char *s1,const char *s2,size_t n); /* available in 
libutil_str.so */
-int smbrunsecret(const char *cmd, const char *secret); /* available in 
libsmbconf.so */
 bool trim_char(char *s,char cfront,char cback); /* available in libutil_str.so 
*/
 bool sid_peek_check_rid(const struct dom_sid *exp_dom_sid, const struct 
dom_sid *sid, uint32_t *rid); /* available in libsecurity.so */
 char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in 
libsmbconf.so */
@@ -1382,6 +1372,76 @@ static bool search_krb_princ(struct ldapsam_privates 
*ldap_state,
return true;
 }
 
+static int set_cross_realm_pw(struct ldapsam_privates *ldap_state,
+ TALLOC_CTX *mem_ctx,
+ const char *princ, const char *pwd,
+ const char *base_dn)
+{
+   int ret;
+   krb5_error_code krberr;
+   krb5_context krbctx;
+   krb5_principal service_princ;
+   struct keys_container keys;
+   char *err_msg;
+   struct berval *reqdata = NULL;
+   struct berval *retdata = NULL;
+char *retoid;
+
+   krberr = krb5_init_context(krbctx);
+
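Review bot: in set_cross_realm_pw the call is shown as `krb5_init_context(krbctx);`, but krb5_init_context takes a krb5_context * and needs the address of krbctx; if the archive rendering merely dropped the ampersand, ignore this, otherwise it will not compile. Also `+char *retoid;` is indented differently from the surrounding declarations, and retoid, err_msg, keys and krbctx start uninitialised; since the hunk as shown ends before the cleanup path, make sure the error exits free only what was actually set.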