Re: [Freeipa-devel] [PATCH] 1030 Fedora 18 compatibility
On 06/29/2012 05:07 PM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On 06/27/2012 07:46 PM, Rob Crittenden wrote:
>>> I found a few minor issues when building and installing the master
>>> branch on Fedora 18. This patch should address it.
>>>
>>> rob
>>
>> 1) This will fail on F17-F18 upgrades, we need to bump VERSION in
>> ipa-rewrite.conf. Besides that, ipa-upgradeconfig needs to be fixed,
>> otherwise it will crash during ipa-rewrite.conf upgrade - ${AUTOREDIR}
>> variable is not set. However, this variable will need to be figured out
>> from current ipa-rewrite.conf contents as it depends on whether the IPA
>> server was installed with --no-ui-redirect or not.
>>
>> 2) Shouldn't we bump tomcat6 version as well since we depend on the
>> tomcat6 fixed in BZ 831464?
>>
>> 3) %changelog entry is missing
>>
>> Martin
>
> This should do it
>
> rob

This looks like the way to go, but this one won't fly yet - the server FQDN
is hard-coded in the find_autoredirect function.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
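Martin's point 1 above (ipa-upgradeconfig has to bump VERSION and recover ${AUTOREDIR} from the installed ipa-rewrite.conf rather than from the installer option, and must not hard-code the FQDN) as an added example. This is not FreeIPA's find_autoredirect and not part of the patch: the `# VERSION N - DO NOT REMOVE THIS LINE` header is the format the patch later on this page changes from 2 to 3, while the exact shape of the redirect rule, and the assumption that --no-ui-redirect is expressed by commenting that rule out with a leading `#`, are mine.

```python
import re

# Constructed sample of an already-installed ipa-rewrite.conf.  The
# "# VERSION N - DO NOT REMOVE THIS LINE" header is the format the patch in
# this thread bumps from 2 to 3; the shape of the redirect rule below is an
# assumption about the template, not text taken from FreeIPA.
SAMPLE_REDIRECT_ON = """\
# VERSION 2 - DO NOT REMOVE THIS LINE

RewriteEngine on

RewriteLog /var/log/httpd/rewrite.log
RewriteLogLevel 0

# By default forward all requests to /ipa. If you don't want IPA
# to be the default on your web server comment this line out.
RewriteRule ^/$ https://ipa.example.test/ipa/ui [L,NC,R=301]
"""

# The same file on a server installed with --no-ui-redirect.  Assumption: the
# installer expands ${AUTOREDIR} to "#" in that case, commenting the rule out.
SAMPLE_REDIRECT_OFF = SAMPLE_REDIRECT_ON.replace(
    "RewriteRule ^/$", "#RewriteRule ^/$")

VERSION_RE = re.compile(
    r"^#\s*VERSION\s+(\d+)\s+-\s+DO NOT REMOVE THIS LINE\s*$", re.M)
# Match the root redirect whether or not it is commented out, and capture the
# host it redirects to so the upgrade never hard-codes the server FQDN.
AUTOREDIR_RE = re.compile(
    r"^(?P<comment>#?)\s*RewriteRule\s+\^/\$\s+https://(?P<host>[^/\s]+)/ipa/ui\b",
    re.M)


def conf_version(conf_text):
    """VERSION from the header, or 0 when the header is missing."""
    m = VERSION_RE.search(conf_text)
    return int(m.group(1)) if m else 0


def detect_autoredirect(conf_text):
    """Recover the ${AUTOREDIR} substitution from an existing config.

    Returns (autoredir, host): '' when the root redirect is active, '#' when
    the admin had it commented out.  Raises ValueError when the rule is not
    found at all, so an upgrade stops instead of silently flipping the
    redirect one way or the other.
    """
    m = AUTOREDIR_RE.search(conf_text)
    if m is None:
        raise ValueError("root redirect rule not found in ipa-rewrite.conf")
    return ("#" if m.group("comment") else ""), m.group("host")


def needs_upgrade(conf_text, template_version):
    """True when the installed file is older than the shipped template."""
    return conf_version(conf_text) < template_version


def upgrade_substitutions(conf_text, template_version):
    """Substitutions a template renderer needs to rewrite this file while
    preserving the admin's redirect choice; None when there is nothing to do."""
    if not needs_upgrade(conf_text, template_version):
        return None
    autoredir, host = detect_autoredirect(conf_text)
    return {"AUTOREDIR": autoredir, "FQDN": host}


if __name__ == "__main__":
    print(upgrade_substitutions(SAMPLE_REDIRECT_ON, 3))
    print(upgrade_substitutions(SAMPLE_REDIRECT_OFF, 3))
```

The detection runs on the file as it exists before the upgrade touches it; once the template is rewritten with VERSION 3 the old choice is gone, which is why the ValueError path refuses to guess.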
Re: [Freeipa-devel] [PATCH] 0067 Explicitly filter options that permission-{add, mod} passes to aci-{add, mod}
On 06/29/2012 02:57 PM, Alexander Bokovoy wrote:
> On Fri, 29 Jun 2012, Petr Viktorin wrote:
>> The permission commands were not filtering their options properly
>> before passing them to the underlying ACI commands. This upset the new
>> input validation when --addattr/--setattr was used.
>>
>> This patch adds a filter that only lets options listed in
>> aci_attributes through to the ACI commands.
>>
>> https://fedorahosted.org/freeipa/ticket/2885
>
> ACK.

Pushed to master.

Martin
Re: [Freeipa-devel] [PATCH] [WIP] 281 Enable SOA serial autoincrement
On 06/29/2012 09:00 PM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> This patch enables currently developed SOA serial autoincrement feature
>> in bind-dyndb-ldap. The patch may be updated if any assumptions about
>> this feature are changed (or somebody finds a bug).
>>
>> ---
>>
>> SOA serial autoincrement is a requirement for major DNS features, e.g.
>> zone transfers or DNSSEC. Enable it by default in named.conf both for
>> new and upgraded installations. Name of the bind-dyndb-ldap option is
>> serial_autoincrement.
>>
>> From now on, idnsSOAserial attribute also has to be put to replication
>> agreement exclude list as serial will be incremented on each DNS server
>> separately and won't be shared. Exclude list has to be updated both for
>> new replication agreements and the current ones.
>>
>> https://fedorahosted.org/freeipa/ticket/2554
>
> What version of bind/bind-dyndb-ldap is needed for serial_autoincrement?
>
> rob

Such a version is not ready yet, there is only a semi-working patch from
Petr Spacek on the freeipa-devel list. When a working version of the
bind-dyndb-ldap package with the serial_autoincrement feature is available,
it should be enough to simply bump the package version in bind-dyndb-ldap
(that's why I tagged this patch as [WIP]).

But otherwise, this patch is reviewable, it should prepare our install
tools for the new feature, turn it on in named.conf on upgrades and also
update replication agreements to not replicate SOA serial from now on.

Martin
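Martin's note that idnsSOAserial must go into the replication agreement exclude list, for existing agreements as well as new ones, is the kind of update that has to be idempotent on every master it runs on. The following is an added example and not FreeIPA's replication code: it computes the modification for one agreement entry. The attribute name nsDS5ReplicatedAttributeList and the `(filter) $ EXCLUDE attr ...` value syntax are 389 Directory Server's fractional replication format, which I know from that server and which is not shown on this page; the agreement entry is constructed.

```python
import re

# 389 Directory Server fractional replication attribute (assumption about the
# server, not text from this page):
#   nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE attr1 attr2 ...
EXCLUDE_RE = re.compile(
    r"^\s*(?P<filter>\(.*?\))\s*\$\s*EXCLUDE\b(?P<attrs>.*)$", re.I)


def parse_exclude_list(value):
    """Split an nsDS5ReplicatedAttributeList value into (filter, [attrs])."""
    m = EXCLUDE_RE.match(value)
    if m is None:
        raise ValueError("unexpected replicated attribute list: %r" % value)
    return m.group("filter"), m.group("attrs").split()


def add_excluded_attrs(value, new_attrs):
    """Return the value with new_attrs appended, idempotently.

    LDAP attribute names are case-insensitive, so an existing 'idnssoaserial'
    already covers 'idnsSOAserial'; existing order and spelling are kept so
    that a second run produces the identical string.
    """
    flt, attrs = parse_exclude_list(value)
    present = set(a.lower() for a in attrs)
    for attr in new_attrs:
        if attr.lower() not in present:
            attrs.append(attr)
            present.add(attr.lower())
    return "%s $ EXCLUDE %s" % (flt, " ".join(attrs))


def agreement_mods(entry, new_attrs, attr_name="nsDS5ReplicatedAttributeList"):
    """Modification for one agreement entry (a dict of lists of strings).

    Returns None when nothing changes, so the caller skips the LDAP modify
    for agreements that are already correct, and (attribute, [new value])
    otherwise.  An agreement without a fractional list replicates every
    attribute, so one is started for it.
    """
    values = entry.get(attr_name, [])
    current = values[0] if values else "(objectclass=*) $ EXCLUDE"
    new_value = add_excluded_attrs(current, new_attrs)
    if values and new_value == values[0]:
        return None
    return (attr_name, [new_value])


# Constructed agreement entry, as it would be read from
# cn=<agreement>,cn=replica,cn=<suffix>,cn=mapping tree,cn=config.
SAMPLE_AGREEMENT = {
    "cn": ["meToipa2.example.test"],
    "nsDS5ReplicatedAttributeList": [
        "(objectclass=*) $ EXCLUDE memberof entryusn krblastsuccessfulauth"
    ],
}

if __name__ == "__main__":
    print(agreement_mods(SAMPLE_AGREEMENT, ["idnsSOAserial"]))
```

Because each master increments its own serial, replicating idnsSOAserial would turn every increment into a replication conflict between masters; excluding it on both sides of every agreement is what keeps the per-server serials independent.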
Re: [Freeipa-devel] [PATCH] 165 Display loginas information only after login
On 06/28/2012 10:47 PM, Endi Sukma Dewata wrote: On 6/28/2012 9:07 AM, Petr Vobornik wrote: Message 'Logged in as: u...@freeipa.org' was displayed before user was logged in. It was wrong. Now 'Logged in as: XXX' is displayed only when user XXX is logged in. So no more u...@freeipa.org :) . https://fedorahosted.org/freeipa/ticket/2882 It might be better to use visibility instead of display to reserve the space. Right now the password expiration warning will initially appear on the right, then shift to the left when the Logged in as appears. Seems like better approach. Updated patch attached. Another improvement might be: display password expiration warning at the same time as login information. What do you think? Does it matter? -- Petr Vobornik From a87d176badc51af248e00dd8548b06be2cce7608 Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Thu, 28 Jun 2012 14:42:29 +0200 Subject: [PATCH] Display loginas information only after login Message 'Logged in as: u...@freeipa.org' was displayed before user was logged in. It was wrong. Now 'Logged in as: XXX' is displayed only when user XXX is logged in. So no more u...@freeipa.org :) . https://fedorahosted.org/freeipa/ticket/2882 --- install/ui/index.html |4 ++-- install/ui/webui.js |2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/install/ui/index.html b/install/ui/index.html index 33c0923c197d53824d79591488b18dda2ea90ad2..83d628bc440b7218444d9c9431ce8fc296148389 100644 --- a/install/ui/index.html +++ b/install/ui/index.html 
@@ -71,10 +71,10 @@ /span span class=header-right span class=header-passwordexpires/span -span id=loggedinas class=header-loggedinas +span id=loggedinas class=header-loggedinas style=visibility:hidden; a href=#span id=login_headerLogged in as/span: strongu...@freeipa.org/strong/a /span -span class=header-loggedinas +span class=header-loggedinas style=visibility:hidden; | a href=#logout id=logoutLogout/a /span span id=header-network-activity-indicator class=network-activity-indicator diff --git a/install/ui/webui.js b/install/ui/webui.js index 9b7c31be4c4f5edd2f3bd4bfab3559a5cb2aef4c..989d796ebc74da900c082079bdaabe2efc295d1a 100644 --- a/install/ui/webui.js +++ b/install/ui/webui.js @@ -176,6 +176,8 @@ $(function() { return false; }).text(IPA.messages.login.logout); +$('.header-loggedinas').css('visibility','visible'); + IPA.nav = create_navigation(); IPA.nav.create(); IPA.nav.update(); -- 1.7.7.6 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
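Review bot: in the index.html hunk the placeholder identity inside the first span (the `strong` element whose address is elided in this archive) stays in the shipped markup and is only hidden with an inline `style=visibility:hidden;`; since webui.js replaces that text on login, ship the `strong` element empty so no example account name can ever appear if the script fails, and put the initial hidden state into the `header-loggedinas` CSS class once instead of repeating the inline style on both spans.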
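Review bot: in the webui.js hunk `$('.header-loggedinas').css('visibility','visible')` is the only place the header's visibility is changed, and nothing sets it back to hidden; if the logout handler built just above it (the one whose text is `IPA.messages.login.logout`) does not reload the page, 'Logged in as' keeps showing the previous user after logout. Suggest hiding the spans again in that handler.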
Re: [Freeipa-devel] [PATCHES] 22-24 Add initial support for ID ranges
On 06/30/2012 12:01 AM, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Alexander Bokovoy wrote:
>>>> On Fri, 29 Jun 2012, Sumit Bose wrote:
>>>>> On Wed, Jun 27, 2012 at 09:19:36PM +0200, Sumit Bose wrote:
>>>>>> On Tue, Jun 26, 2012 at 12:30:14PM +0200, Sumit Bose wrote:
>>>>>>> On Sun, Jun 17, 2012 at 09:47:20PM +0200, Sumit Bose wrote:
>>>>>>>> On Thu, Jun 14, 2012 at 02:25:01PM +0200, Sumit Bose wrote:
>>>>>>>>> On Thu, Jun 14, 2012 at 07:54:40AM -0400, Simo Sorce wrote:
>>>>>>>>>> On Thu, 2012-06-14 at 12:35 +0200, Sumit Bose wrote:
>>>>>>>>>>> On Wed, Jun 13, 2012 at 08:38:23PM -0400, Simo Sorce wrote:
>>>>>>>>>>>> On Wed, 2012-06-13 at 21:17 +0200, Sumit Bose wrote:
>>>>>>>>>>>>> to keep track of the different ranges we use for UIDs/GIDs
>>>>>>>>>>>>> for local users/groups and users from trusted domains new
>>>>>>>>>>>>> range objects are introduced which are stored below
>>>>>>>>>>>>> cn=range,cn=etc,$SUFFIX.
>>>>>>>>>>>>>
>>>>>>>>>>>>> 0022: LDAP schema update
>>>>>>>>>>>>
>>>>>>>>>>>> ack
>>>>>>>>>>>>
>>>>>>>>>>>>> 0023: Create a range object during installation for the
>>>>>>>>>>>>> local ID range
>>>>>>>>>>>>
>>>>>>>>>>>> nack, I think we need to find a way to handle adding at least
>>>>>>>>>>>> the base range on update. Otherwise an updated server won't
>>>>>>>>>>>> be able to have IDs for most of its users.
>>>>>>>>>>>
>>>>>>>>>>> I fully agree, but since we said that we concentrate on update
>>>>>>>>>>> issues in beta2 I wanted to send the version for the fresh
>>>>>>>>>>> install first to allow testing.
>>>>>>>>>>
>>>>>>>>>> The reason I'd like updates is that this patchset can be
>>>>>>>>>> installed on top of existing servers for testing w/o having to
>>>>>>>>>> reinstall from scratch or manually creating the
>>>>>>>>>> ipaDomainIDRange object :):)
>>>>>>>>>
>>>>>>>>> ok, will do. Do you otherwise agree with the patches or is there
>>>>>>>>> something I should change while adding the updates?
>>>>>>>>>
>>>>>>>>> bye,
>>>>>>>>> Sumit
>>>>>>>>>
>>>>>>>>>>>>> 0024: add primary and secondary RID base to the local range
>>>>>>>>>>>>> object during ipa-adtrust-install
>>>>>>>>>>>>
>>>>>>>>>>>> Not sure if setting the range belongs in the previous patch
>>>>>>>>>>>> or this one.
>>>>>>>>>>>
>>>>>>>>>>> I think it is right here, because a plain IPA server does not
>>>>>>>>>>> need the RID related attributes.
>>>>>>>>>>>
>>>>>>>>>>>> We might decide to ask questions during ipa-adtrust-install
>>>>>>>>>>>> if the range is not available, maybe presenting a set of
>>>>>>>>>>>> pre-canned choices if we can detect them.
>>>>>>>>>>>
>>>>>>>>>>> I agree here, too. But as above I would like to handle update
>>>>>>>>>>> issues in a second round.
>>>>>>>>>>>
>>>>>>>>>>>> Finally I think we need to do a search with uid/gidNumber
>>>>>>>>>>>> base and uid/gidNumber max and prompt/warn the user if we
>>>>>>>>>>>> detect any ID that falls outside the configured range (either
>>>>>>>>>>>> because we failed to detect ranges on upgrade and the user
>>>>>>>>>>>> botched the question or because the admin added arbitrary
>>>>>>>>>>>> IDs). If a warning we should warn that missing a range that
>>>>>>>>>>>> suitably covers these IDs, those users/groups will not be
>>>>>>>>>>>> available for the trust.
>>>>>>>>>>>>
>>>>>>>>>>>> Maybe we should also have a simple ipa command that can list
>>>>>>>>>>>> all users/groups that fall outside the ranges as well.
>>>>>>>>>>>
>>>>>>>>>>> I'm working on the ranges cli plugin to allow 'ipa range-add',
>>>>>>>>>>> 'ipa range-find' etc. I can add it there.
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> this new series of patches adds the cli plugin to create the ID
>>>>>>>> ranges manually. I'm still working on a detection of the locally
>>>>>>>> used id range of an upgrade domain in ipa-adtrust-install and a
>>>>>>>> plugin which rejects new ranges which overlap with existing ones.
>>>>>>>>
>>>>>>>> bye,
>>>>>>>> Sumit
>>>>>>>
>>>>>>> the attached patch adds a preop plugin which checks for overlaps
>>>>>>> with existing ranges.
>>>>>>>
>>>>>>> bye,
>>>>>>> Sumit
>>>>>>
>>>>>> Finally I added a method to guess and create the initial ID range,
>>>>>> if none is present, e.g. when updating from an older version of
>>>>>> freeIPA.
>>>>>>
>>>>>> A full series of patches is attached.
>>>>>>
>>>>>> bye,
>>>>>> Sumit
>>>>>
>>>>> This version of patches fixes review comments by Alexander and also
>>>>> adds some tests for the range CLI plugin which were kindly provided
>>>>> by Alexander.
>>>>
>>>> ACK
>>>
>>> These patches aren't applying for me.
>>>
>>> rob
>>
>> Hmm. Pulled a fresh tree and they imported fine.
>>
>> pushed to master
>>
>> rob
>
> I had only pushed 22-24 before, pushed 25 and 29 as well.
>
> rob

I examined the latest changes and found several rather serious issues which
will break this functionality on upgraded servers:

https://fedorahosted.org/freeipa/ticket/2891

Martin
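Two checks the discussion above asks for, as an added example that is neither Sumit's preop plugin nor the range CLI: rejecting a new range that overlaps an existing one, and listing the users/groups whose IDs fall outside every configured range (Simo's suggestion). ipaBaseID and ipaIDRangeSize are the range attributes from the schema in this thread; that a range covers [ipaBaseID, ipaBaseID + ipaIDRangeSize) is my reading of them, and the entries and accounts are constructed.

```python
# Range attributes as defined by the 62-ranges.update schema on this page.  A
# range is taken to cover the half-open interval
# [ipaBaseID, ipaBaseID + ipaIDRangeSize).  Entries and accounts below are
# constructed for the example.

class IDRange(object):
    def __init__(self, cn, base_id, size):
        if size <= 0:
            raise ValueError("ipaIDRangeSize must be positive in %s" % cn)
        self.cn = cn
        self.base_id = base_id
        self.size = size

    @property
    def end(self):
        """First ID after the range (exclusive bound)."""
        return self.base_id + self.size

    def covers(self, posix_id):
        return self.base_id <= posix_id < self.end

    def __repr__(self):
        return "%s [%d, %d)" % (self.cn, self.base_id, self.end)


def range_from_entry(entry):
    """Build an IDRange from an LDAP entry dict (attribute -> list of str)."""
    return IDRange(entry["cn"][0],
                   int(entry["ipaBaseID"][0]),
                   int(entry["ipaIDRangeSize"][0]))


def overlaps(a, b):
    """Half-open intervals overlap iff each starts before the other ends."""
    return a.base_id < b.end and b.base_id < a.end


def check_new_range(existing, new):
    """What a pre-operation check on range add/modify has to enforce.

    The entry being modified is excluded by cn so that shrinking or growing
    a range does not collide with its own stored copy.
    """
    for r in existing:
        if r.cn != new.cn and overlaps(r, new):
            raise ValueError("%r overlaps existing range %r" % (new, r))
    return True


def ids_outside_ranges(ranges, accounts):
    """Accounts whose uidNumber/gidNumber no configured range covers.

    accounts: iterable of (name, attribute, numeric id).  These are the
    entries that stay unusable for a trust until a covering range exists.
    """
    return [(name, attr, value)
            for name, attr, value in accounts
            if not any(r.covers(value) for r in ranges)]


SAMPLE_RANGE_ENTRIES = [
    {"cn": ["EXAMPLE.TEST_id_range"],
     "ipaBaseID": ["1210000000"], "ipaIDRangeSize": ["200000"]},
]

SAMPLE_ACCOUNTS = [
    ("admin", "uidNumber", 1210000000),
    ("alice", "uidNumber", 1210001234),
    ("legacy", "uidNumber", 5000),          # created by hand before ranges existed
    ("editors", "gidNumber", 1210200000),   # one past the end of the range
]

if __name__ == "__main__":
    ranges = [range_from_entry(e) for e in SAMPLE_RANGE_ENTRIES]
    print(ids_outside_ranges(ranges, SAMPLE_ACCOUNTS))
    # An adjacent range is accepted; a range inside the existing one is not.
    print(check_new_range(ranges, IDRange("AD_range", 1210200000, 200000)))
    try:
        check_new_range(ranges, IDRange("bad", 1210100000, 10))
    except ValueError as e:
        print("rejected:", e)
```

Note that the overlap check sees only the ranges present on the server that receives the add; in a replicated topology two masters can each accept a range that overlaps the other's, so the check guards against operator error rather than guaranteeing global consistency.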
Re: [Freeipa-devel] [PATCHES] 22-24 Add initial support for ID ranges
hi all,

when I tried to install FreeIPA 2.99.0 on Fedora 17 I got the following error:

[root@linux yum.repos.d]# cat ipa-devel.repo
[ipa-devel]
name=IPA development $releasever - $basearch
baseurl=http://jdennis.fedorapeople.org/ipa-devel/fedora/$releasever/$basearch/os/
enabled=1
gpgcheck=0

new yum update ..

[root@linux yum.repos.d]# uname -a
Linux linux.fritz.box 3.4.4-3.fc17.x86_64 #1 SMP Tue Jun 26 20:54:56 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

freeipa-server-2.99.0-0.20120630T2358Zgit50ebd1a.fc17.x86_64..

ipa-server-install -a ###t --hostname=linux.fritz.box -r fritz.box -p ## -n fritz.box -U

  [21/36]: adding default layout
Unexpected error - see /var/log/ipaserver-install.log for details:
KeyError: 'REALM_id_range'

log ..

2012-07-02T10:07:32Z DEBUG   [21/36]: adding default layout
2012-07-02T10:07:32Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 696, in run_script
    return_value = main_function()

  File "/sbin/ipa-server-install", line 958, in main
    hbac_allow=not options.hbac_allow)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 249, in create_instance
    self.start_creation("Configuring directory server", 60)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 259, in start_creation
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 569, in __add_default_layout
    self._ldap_mod("bootstrap-template.ldif", self.sub_dict)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 98, in _ldap_mod
    txt = ipautil.template_file(path, sub_dict)

  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 218, in template_file
    return template_str(txt, vars)

  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 206, in template_str
    val = string.Template(txt).substitute(vars)

  File "/usr/lib64/python2.7/string.py", line 172, in substitute
    return self.pattern.sub(convert, self.template)

  File "/usr/lib64/python2.7/string.py", line 162, in convert
    val = mapping[named]

2012-07-02T10:07:32Z INFO The ipa-server-install command failed, exception: KeyError: 'REALM_id_range'

thx
klaus

Best Regards,

Klaus Eckel, UNIX Consultant
HPC (AIX,Linux) GPFS, BIA, SAP
ITS/STG (SSIS)
Server, Storage Data Infrastructure Services

IBM Deutschland GmbH
Laatzener str, 1
30539 Hannover
Germany
Email: kec...@de.ibm.com
Phone: +49-(0)52319489906
Mobile: +49 (0)170 6323416

Visit the IBM Deutschland ITS Pages.

IBM Deutschland GmbH / Chairman of the Supervisory Board: Erich Clementi
Management: Martin Jetter (Chairman), Reinhard Reschke, Dieter Scholz, Klaus Lintelmann, Michael Diemer, Martina Koederitz
Registered office: Ehningen / Register court: Amtsgericht Stuttgart, HRB 14562
WEEE-Reg.-Nr. DE 99369940

freeipa-devel-boun...@redhat.com wrote on 07/02/2012 09:55:36 AM:

> From: Martin Kosek mko...@redhat.com
> To: Rob Crittenden rcrit...@redhat.com,
> Cc: freeipa-devel@redhat.com
> Date: 07/02/2012 09:57 AM
> Subject: Re: [Freeipa-devel] [PATCHES] 22-24 Add initial support for ID ranges
> Sent by: freeipa-devel-boun...@redhat.com
>
> On 06/30/2012 12:01 AM, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Rob Crittenden wrote:
>>>> Alexander Bokovoy wrote:
>>>>> On Fri, 29 Jun 2012, Sumit Bose wrote:
>>>>>> On Wed, Jun 27, 2012 at 09:19:36PM +0200, Sumit Bose wrote:
>>>>>>> On Tue, Jun 26, 2012 at 12:30:14PM +0200, Sumit Bose wrote:
>>>>>>>> On Sun, Jun 17, 2012 at 09:47:20PM +0200, Sumit Bose wrote:
>>>>>>>>> On Thu, Jun 14, 2012 at 02:25:01PM +0200, Sumit Bose wrote:
>>>>>>>>>> On Thu, Jun 14, 2012 at 07:54:40AM -0400, Simo Sorce wrote:
>>>>>>>>>>> On Thu, 2012-06-14 at 12:35 +0200, Sumit Bose wrote:
>>>>>>>>>>>> On Wed, Jun 13, 2012 at 08:38:23PM -0400, Simo Sorce wrote:
>>>>>>>>>>>>> On Wed, 2012-06-13 at 21:17 +0200, Sumit Bose wrote:
>>>>>>>>>>>>>> to keep track of the different ranges we use for UIDs/GIDs
>>>>>>>>>>>>>> for local users/groups and users from trusted domains new
>>>>>>>>>>>>>> range objects are introduced which are stored below
>>>>>>>>>>>>>> cn=range,cn=etc,$SUFFIX.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 0022: LDAP schema update
>>>>>>>>>>>>>
>>>>>>>>>>>>> ack
>>>>>>>>>>>>>
>>>>>>>>>>>>>> 0023: Create a range object during installation for the
>>>>>>>>>>>>>> local ID range
>>>>>>>>>>>>>
>>>>>>>>>>>>> nack, I think we need to find a way to handle adding at
>>>>>>>>>>>>> least the base range on update. Otherwise an updated server
>>>>>>>>>>>>> won't be able to have IDs for most of its users.
>>>>>>>>>>>>
>>>>>>>>>>>> I fully agree, but since we said that we concentrate on
>>>>>>>>>>>> update issues in beta2 I wanted to send the version for the
>>>>>>>>>>>> fresh install first to allow testing.
>>>>>>>>>>>
>>>>>>>>>>> The reason I'd like updates is that this patchset can be
>>>>>>>>>>> installed on top of existing servers for testing w/o having
>>>>>>>>>>> to reinstall from scratch or manually creating the
>>>>>>>>>>> ipaDomainIDRange object :):)
>>>>>>>>>>
>>>>>>>>>> ok, will do. Do you otherwise agree with the patches or is there
Re: [Freeipa-devel] [PATCHES] 22-24 Add initial support for ID ranges
On 07/02/2012 12:16 PM, Klaus Eckel wrote:
> hi all,
>
> when I tried to install FreeIPA 2.99.0 on Fedora 17 I got the following
> error:
>
> [root@linux yum.repos.d]# cat ipa-devel.repo
> [ipa-devel]
> name=IPA development $releasever - $basearch
> baseurl=http://jdennis.fedorapeople.org/ipa-devel/fedora/$releasever/$basearch/os/
> enabled=1
> gpgcheck=0
>
> new yum update ..
>
> [root@linux yum.repos.d]# uname -a
> Linux linux.fritz.box 3.4.4-3.fc17.x86_64 #1 SMP Tue Jun 26 20:54:56 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
>
> freeipa-server-2.99.0-0.20120630T2358Zgit50ebd1a.fc17.x86_64..
>
> ipa-server-install -a ###t --hostname=linux.fritz.box -r fritz.box -p ## -n fritz.box -U
>
>   [21/36]: adding default layout
> Unexpected error - see /var/log/ipaserver-install.log for details:
> KeyError: 'REALM_id_range'
>
> log ..
>
> 2012-07-02T10:07:32Z DEBUG   [21/36]: adding default layout
> 2012-07-02T10:07:32Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 696, in run_script
>     return_value = main_function()
>
>   File "/sbin/ipa-server-install", line 958, in main
>     hbac_allow=not options.hbac_allow)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 249, in create_instance
>     self.start_creation("Configuring directory server", 60)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 259, in start_creation
>     method()
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 569, in __add_default_layout
>     self._ldap_mod("bootstrap-template.ldif", self.sub_dict)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 98, in _ldap_mod
>     txt = ipautil.template_file(path, sub_dict)
>
>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 218, in template_file
>     return template_str(txt, vars)
>
>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 206, in template_str
>     val = string.Template(txt).substitute(vars)
>
>   File "/usr/lib64/python2.7/string.py", line 172, in substitute
>     return self.pattern.sub(convert, self.template)
>
>   File "/usr/lib64/python2.7/string.py", line 162, in convert
>     val = mapping[named]
>
> 2012-07-02T10:07:32Z INFO The ipa-server-install command failed, exception: KeyError: 'REALM_id_range'
>
> thx
> klaus
>
> Best Regards,
>
> Klaus Eckel, UNIX Consultant
> HPC (AIX,Linux) GPFS, BIA, SAP
> ITS/STG (SSIS)
> Server, Storage Data Infrastructure Services
>
> IBM Deutschland GmbH
> Laatzener str, 1
> 30539 Hannover
> Germany
> Email: kec...@de.ibm.com
> Phone: +49-(0)52319489906
> Mobile: +49 (0)170 6323416
>
> Visit the IBM Deutschland ITS Pages.
>
> IBM Deutschland GmbH / Chairman of the Supervisory Board: Erich Clementi
> Management: Martin Jetter (Chairman), Reinhard Reschke, Dieter Scholz, Klaus Lintelmann, Michael Diemer, Martina Koederitz
> Registered office: Ehningen / Register court: Amtsgericht Stuttgart, HRB 14562
> WEEE-Reg.-Nr. DE 99369940
>
> freeipa-devel-boun...@redhat.com wrote on 07/02/2012 09:55:36 AM:
>
>> From: Martin Kosek mko...@redhat.com
>> To: Rob Crittenden rcrit...@redhat.com,
>> Cc: freeipa-devel@redhat.com
>> Date: 07/02/2012 09:57 AM
>> Subject: Re: [Freeipa-devel] [PATCHES] 22-24 Add initial support for ID ranges
>> Sent by: freeipa-devel-boun...@redhat.com
>>
>> On 06/30/2012 12:01 AM, Rob Crittenden wrote:
>>> Rob Crittenden wrote:
>>>> Rob Crittenden wrote:
>>>>> Alexander Bokovoy wrote:
>>>>>> On Fri, 29 Jun 2012, Sumit Bose wrote:
>>>>>>> On Wed, Jun 27, 2012 at 09:19:36PM +0200, Sumit Bose wrote:
>>>>>>>> On Tue, Jun 26, 2012 at 12:30:14PM +0200, Sumit Bose wrote:
>>>>>>>>> On Sun, Jun 17, 2012 at 09:47:20PM +0200, Sumit Bose wrote:
>>>>>>>>>> On Thu, Jun 14, 2012 at 02:25:01PM +0200, Sumit Bose wrote:
>>>>>>>>>>> On Thu, Jun 14, 2012 at 07:54:40AM -0400, Simo Sorce wrote:
>>>>>>>>>>>> On Thu, 2012-06-14 at 12:35 +0200, Sumit Bose wrote:
>>>>>>>>>>>>> On Wed, Jun 13, 2012 at 08:38:23PM -0400, Simo Sorce wrote:
>>>>>>>>>>>>>> On Wed, 2012-06-13 at 21:17 +0200, Sumit Bose wrote:
>>>>>>>>>>>>>>> to keep track of the different ranges we use for
>>>>>>>>>>>>>>> UIDs/GIDs for local users/groups and users from trusted
>>>>>>>>>>>>>>> domains new range objects are introduced which are
>>>>>>>>>>>>>>> stored below cn=range,cn=etc,$SUFFIX.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 0022: LDAP schema update
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ack
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 0023: Create a range object during installation for the
>>>>>>>>>>>>>>> local ID range
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> nack, I think we need to find a way to handle adding at
>>>>>>>>>>>>>> least the base range on update. Otherwise an updated
>>>>>>>>>>>>>> server won't be able to have IDs for most of its users.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I fully agree, but since we said that we concentrate on
>>>>>>>>>>>>> update issues in beta2 I wanted to send the version for
>>>>>>>>>>>>> the fresh install first to allow testing.
>>>>>>>>>>>>
>>>>>>>>>>>> The reason I'd
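The KeyError in the log above comes from string.Template's tokenizer: an identifier is `[_a-z][_a-z0-9]*`, so in `$REALM_id_range` the whole of `REALM_id_range` is consumed as one name and looked up as such; the fix in patch 282 on this page is `${REALM}_id_range`. The following added example, not FreeIPA's template code, uses Template's own pattern to list the names a template needs and refuses to render when any is missing, so a slip like this fails with a message naming the variable before any LDIF is applied. The template fragment and substitution dictionary are constructed to match the traceback.

```python
import string

# Constructed fragment modelled on the bootstrap-template.ldif entry named in
# the traceback; the attribute names are the ones used in this thread.
BROKEN_TEMPLATE = """\
dn: cn=$REALM_id_range,cn=ranges,cn=etc,$SUFFIX
changetype: add
objectClass: top
objectClass: ipaIDrange
objectClass: ipaDomainIDRange
cn: $REALM_id_range
ipaBaseID: $IDSTART
ipaIDRangeSize: $IDRANGE_SIZE
"""

# The corrected spelling: the braces end the identifier before "_id_range".
FIXED_TEMPLATE = BROKEN_TEMPLATE.replace("$REALM_id_range", "${REALM}_id_range")

# Constructed stand-in for the installer's substitution dictionary.
SUB_DICT = {
    "REALM": "EXAMPLE.TEST",
    "SUFFIX": "dc=example,dc=test",
    "IDSTART": "1210000000",
    "IDRANGE_SIZE": "200000",
}


def placeholders(template_text):
    """Identifiers string.Template.substitute() will look up.

    Uses Template's own tokenizer (string.Template.pattern), so the result is
    exactly what substitute() would try to resolve: "$REALM_id_range" yields
    the single name REALM_id_range, "${REALM}_id_range" yields REALM, and the
    "$$" escape used in schema lines such as "uidNumber $$ gidNumber" is
    skipped.  A lone "$" is reported, as substitute() would.
    """
    names = set()
    for m in string.Template.pattern.finditer(template_text):
        name = m.group("named") or m.group("braced")
        if name is not None:
            names.add(name)
        elif m.group("invalid") is not None:
            raise ValueError("lone '$' at offset %d" % m.start())
    return names


def unresolved_placeholders(template_text, sub_dict):
    """Sorted names the template needs but the dictionary does not provide."""
    return sorted(placeholders(template_text) - set(sub_dict))


def render(template_text, sub_dict):
    """Render a template, refusing up front if any name is unresolved.

    Checking first gives one error that names every missing variable, before
    any LDIF is handed to the directory server, instead of the bare KeyError
    seen in the installer log.
    """
    missing = unresolved_placeholders(template_text, sub_dict)
    if missing:
        raise KeyError("unresolved template variables: " + ", ".join(missing))
    return string.Template(template_text).substitute(sub_dict)


if __name__ == "__main__":
    print(unresolved_placeholders(BROKEN_TEMPLATE, SUB_DICT))  # ['REALM_id_range']
    print(render(FIXED_TEMPLATE, SUB_DICT))
```

Running `unresolved_placeholders` over every shipped template with the real sub_dict is cheap enough to be a unit test, which is how the next variable-followed-by-underscore slip gets caught before it reaches an install.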
Re: [Freeipa-devel] [PATCH][WIP] LDAP encoding redone
On 29.6.2012 21:07, Rob Crittenden wrote:
> Jan Cholasta wrote:
>> Hi,
>>
>> this is the next patch in the input validation handling series
>> https://fedorahosted.org/freeipa/ticket/2357. It changes the way
>> entries are encoded and decoded in the LDAP backend.
>>
>> The patch consists of several changes:
>>
>> * Refactored the Encoder class to be more universally usable. It uses
>> a polymorphic interface, which hopefully makes the encoding code more
>> readable.
>>
>> * Attribute values now use Python data types matching the syntax of
>> the attribute. This removes the need to decode/encode the values
>> from/to raw LDAP values in the CallbackInterface callbacks as well as
>> other parts of IPA.
>>
>> * On command output, attribute values are converted to strings so that
>> the resulting entry is the same as it is without the patch. I don't
>> like this code and I'd like to get rid of at least some parts of it,
>> but I'm not sure how that would affect API compatibility. Removing the
>> special case for boolean values would fix
>> https://fedorahosted.org/freeipa/ticket/2025.
>>
>> * Entries are more strictly checked when they are encoded and decoded.
>> Values of multi-value attributes must be lists (not tuples!) of
>> objects of the appropriate python type, values of single-value
>> attributes must be objects of the appropriate python type. This helps
>> detecting data type errors that would previously go unnoticed.
>>
>> * Some parameters use a data type that doesn't match the syntax of the
>> according attribute, or are single-value even when the according
>> attribute is multi-value. Values of such parameters wouldn't pass the
>> new strict checking if they were used in attributes without
>> modifications. To remedy this, added a new parameter option
>> attr_convertor, which allows specifying a custom function for
>> converting parameter values to attribute values.
>>
>> Note that this is work in progress, some things may be (and certainly
>> are) broken, there is some low-quality code and docstrings, comments
>> and tests are TBD.
>>
>> Suggestions and comments are welcome.
>>
>> Honza
>
> I haven't tried this yet, but this change jumped out at me:
>
> if attr not in ('aciname', 'group', 'memberof', 'nsaccountlock',
> 'subtree', 'targetgroup', 'type') and self.obj is not None and attr in
> self.obj.params and 'virtual_attribute' not in
> self.obj.params[attr].flags:
>
> Why exclude this subset of attributes?

Generally, attributes are returned in the form returned by python-ldap,
that is lists of strings. This rule does not apply to the attributes in
the subset (most of them are single strings, nsaccountlock is a single
boolean), so they must be excluded from the conversion.

> Is the big block of code adding to __call__ meant to maintain
> backwards compatibility?

Yes. Like I said above, I'm not sure how much of this is really
necessary and what can be safely removed. We can skip the whole thing
for new clients and return entries without converting them first, but
that would require modifications on the client side as well.

If the excluded attribute subset stays, it would be better to introduce
a new parameter flag that inhibits the conversion, instead of having a
hardcoded list of attributes.

> This seems to make lists out of a lot of things that weren't
> previously lists. Is that to satisfy the schema?

Exactly.

> I am concerned about how much we can depend on the schema to be what
> we expect it to be. I know that an attribute value might not match the
> syntax of that attribute because of replication
> (https://fedorahosted.org/freeipa/ticket/2131).

It is probably also possible for a single-value attribute to have more
than one value this way. But what if someone changes the schema so that
an attribute that was previously single-value becomes multi-value? Do
we allow that? The code in my patch wouldn't cope with such a situation
very well. Maybe it would be better to require all (including
single-value) attributes to be represented by lists in IPA...?

> rob

Honza

-- 
Jan Cholasta
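A compact model of the decoding rules Honza describes above (Python types matching the attribute syntax, scalars for single-valued attributes, lists and not tuples for multi-valued ones, strict checks on both directions) together with the failure mode Rob raises: a single-valued attribute that replication has left with two values. This is an added example and not the patch's Encoder class; the schema table and the entries are constructed.

```python
class SchemaError(ValueError):
    """Raised when an entry does not match the schema table."""

# Constructed mini-schema: attribute (lower-cased) -> (python type, single-valued).
# It stands in for what the backend would read from the server's schema.
SCHEMA = {
    "cn": (str, False),
    "uidnumber": (int, True),
    "nsaccountlock": (bool, True),
    "memberof": (str, False),
    "ipabaseid": (int, True),
}

def _is_of(value, kind):
    # bool is a subclass of int, so the two must be told apart explicitly.
    if kind is int:
        return isinstance(value, int) and not isinstance(value, bool)
    return isinstance(value, kind)

def decode_value(kind, raw):
    """One python-ldap string -> python value for the attribute's syntax."""
    if kind is bool:
        if raw.upper() == "TRUE":
            return True
        if raw.upper() == "FALSE":
            return False
        raise SchemaError("not a boolean: %r" % raw)
    if kind is int:
        try:
            return int(raw)
        except ValueError:
            raise SchemaError("not an integer: %r" % raw)
    return raw

def decode_entry(raw_entry, strict_single=True):
    """{attr: [str, ...]} as python-ldap returns it -> typed values.

    Single-valued attributes become scalars, multi-valued ones lists.  A
    single-valued attribute carrying several values (which replication
    conflicts can produce) is reported rather than silently reduced to one;
    with strict_single=False the list is kept so the caller can inspect it.
    """
    entry = {}
    for attr, values in raw_entry.items():
        key = attr.lower()
        if key not in SCHEMA:
            entry[attr] = list(values)      # unknown attribute: leave raw
            continue
        kind, single = SCHEMA[key]
        decoded = [decode_value(kind, v) for v in values]
        if not single:
            entry[attr] = decoded
        elif len(decoded) == 1:
            entry[attr] = decoded[0]
        elif strict_single:
            raise SchemaError("%s is single-valued but has %d values"
                              % (attr, len(decoded)))
        else:
            entry[attr] = decoded
    return entry

def encode_value(value):
    if isinstance(value, bool):
        return "TRUE" if value else "FALSE"
    return str(value)

def encode_entry(entry):
    """Typed entry -> {attr: [str, ...]}, checking shape and type first.
    Multi-valued attributes must be lists (a tuple is rejected, as in the
    patch); single-valued ones must be a scalar of the right type."""
    raw = {}
    for attr, value in entry.items():
        kind, single = SCHEMA.get(attr.lower(), (str, False))
        if single:
            if isinstance(value, (list, tuple)):
                raise SchemaError("%s is single-valued, got %s"
                                  % (attr, type(value).__name__))
            values = [value]
        else:
            if not isinstance(value, list):
                raise SchemaError("%s must be a list, got %s"
                                  % (attr, type(value).__name__))
            values = value
        for v in values:
            if not _is_of(v, kind):
                raise SchemaError("%s: expected %s, got %r"
                                  % (attr, kind.__name__, v))
        raw[attr] = [encode_value(v) for v in values]
    return raw

# Constructed entry in python-ldap form, plus the replication-conflict case.
SAMPLE_RAW = {
    "cn": ["alice"],
    "uidNumber": ["1210001234"],
    "nsAccountLock": ["TRUE"],
    "memberOf": ["cn=editors,cn=groups,cn=accounts,dc=example,dc=test"],
}
CONFLICT_RAW = dict(SAMPLE_RAW, uidNumber=["1210001234", "1210001235"])
```

The strict_single switch is the design decision Rob's question turns on: a backend that always returns lists never has to decide what a second uidNumber means, while one that returns scalars has to either raise, as here by default, or pick one value and hide the conflict.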
[Freeipa-devel] [PATCH] 282 Create default range entry after upgrade
Create default range both on new install and on upgrades. Also make sure that all range object classes are present for upgraded machines. Default range LDIF entry for new install was fixed so that new installation does not crash. https://fedorahosted.org/freeipa/ticket/2891 -- Martin Kosek Red Hat Software Engineer Brno, Czech Republic From d10abd3f513d2b8bf3d352567f0f10f6ce6c931c Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Mon, 2 Jul 2012 14:07:01 +0200 Subject: [PATCH] Create default range entry after upgrade Create default range both on new install and on upgrades. Also make sure that all range object classes are present for upgraded machines. Default range LDIF entry for new install was fixed so that new installation does not crash. https://fedorahosted.org/freeipa/ticket/2891 --- install/share/bootstrap-template.ldif |4 +- install/updates/62-ranges.update | 20 - ipaserver/install/plugins/adtrust.py | 74 + 3 files changed, 95 insertions(+), 3 deletions(-) create mode 100644 ipaserver/install/plugins/adtrust.py diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index ece48f80fef7e6162d723c93407895202dabfad9..23510c953817e48767199378cee2e62009c39742 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif @@ -415,11 +415,11 @@ objectClass: top objectClass: nsContainer cn: ranges -dn: cn=$REALM_id_range,cn=ranges,cn=etc,$SUFFIX +dn: cn=${REALM}_id_range,cn=ranges,cn=etc,$SUFFIX changetype: add objectClass: top objectClass: ipaIDrange objectClass: ipaDomainIDRange -cn: $REALM_id_range +cn: ${REALM}_id_range ipaBaseID: $IDSTART ipaIDRangeSize: $IDRANGE_SIZE diff --git a/install/updates/62-ranges.update b/install/updates/62-ranges.update index 42c1e2a98b8b64164ae9ae0292aa7b91beac2b26..9ba47421312c68cd64000866b3f4866a76bfe586 100644 --- a/install/updates/62-ranges.update +++ b/install/updates/62-ranges.update 
@@ -3,11 +3,29 @@ add:attributeTypes: (2.16.840.1.113730.3.8.11.33 NAME 'ipaBaseID' DESC 'First va add:attributeTypes: (2.16.840.1.113730.3.8.11.34 NAME 'ipaIDRangeSize' DESC 'Size of a Posix ID range' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) add:attributeTypes: (2.16.840.1.113730.3.8.11.35 NAME 'ipaBaseRID' DESC 'First value of a RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) add:attributeTypes: (2.16.840.1.113730.3.8.11.36 NAME 'ipaSecondaryBaseRID' DESC 'First value of a secondary RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +add:objectClasses: (2.16.840.1.113730.3.8.12.14 NAME 'ipaIDobject' SUP top AUXILIARY MAY ( uidNumber $$ gidNumber $$ ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' ) add:objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $$ ipaBaseID $$ ipaIDRangeSize ) X-ORIGIN 'IPA v3' ) add:objectClasses: (2.16.840.1.113730.3.8.12.16 NAME 'ipaDomainIDRange' SUP ipaIDrange STRUCTURAL MAY ( ipaBaseRID $$ ipaSecondaryBaseRID ) X-ORIGIN 'IPA v3' ) add:objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID $$ ipaNTTrustedDomainSID ) X-ORIGIN 'IPA v3' ) dn: cn=ranges,cn=etc,$SUFFIX -default: obectClass: top +default: objectClass: top default: objectClass: nsContainer default: cn: ranges + +dn: cn=IPA Range-Check,cn=plugins,cn=config +default: changetype: add +default: objectclass: top +default: objectclass: nsSlapdPlugin +default: objectclass: extensibleObject +default: cn: IPA Range-Check +default: nsslapd-pluginpath: libipa_range_check +default: nsslapd-plugininitfunc: ipa_range_check_init +default: nsslapd-plugintype: preoperation +default: nsslapd-pluginenabled: on +default: nsslapd-pluginid: ipa_range_check_version +default: 
nsslapd-pluginversion: 1.0 +default: nsslapd-pluginvendor: Red Hat, Inc. +default: nsslapd-plugindescription: IPA Range-Check plugin +default: nsslapd-plugin-depends-on-type: database +default: nsslapd-basedn: $SUFFIX diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py new file mode 100644 index ..abd676a2bcbec57f59eb6710560281d945cf0cea --- /dev/null +++ b/ipaserver/install/plugins/adtrust.py @@ -0,0 +1,74 @@ +# Authors: +# Martin Kosek mko...@redhat.com +# +# Copyright (C) 2012 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without
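Review bot: the bootstrap-template.ldif hunk fixes the right thing: `string.Template` treats `_` as an identifier character, so `$REALM_id_range` is looked up as the single variable `REALM_id_range`, which is exactly the KeyError in Klaus's install log, and `${REALM}_id_range` ends the name at the brace. The same slip is easy to repeat in any template line where a variable is directly followed by a letter, digit or underscore; a test that renders every shipped template against the installer's sub_dict would catch the next one before it reaches ipa-server-install.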
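Review bot: in the 62-ranges.update hunk the `cn=IPA Range-Check,cn=plugins,cn=config` entry is written entirely with `default:` lines, so it is created once and left alone on later runs, which is the right idempotent behaviour; two limits deserve a comment next to it, though: a newly added directory server plugin enforces nothing until the server is restarted, and a pre-operation check only sees the ranges already present on the master that receives the add, so two masters can each accept a range that overlaps the other's until replication brings them together. The `obectClass` to `objectClass` correction for the cn=ranges container is good to see.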
[Freeipa-devel] [PATCH] 31 Use DN objects instead of strings in adtrustinstance
Hi, as pointed out by John adtrustinstance.py does not use the DN objects but strings to define LDAP DNs. This patch fixes it. bye, Sumit From e91540c323791f06791c973754e7773eaccaf08e Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Mon, 2 Jul 2012 12:20:23 +0200 Subject: [PATCH] Use DN objects instead of strings in adtrustinstance --- ipaserver/install/adtrustinstance.py | 41 +- 1 Datei geändert, 25 Zeilen hinzugefügt(+), 16 Zeilen entfernt(-) diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index 9646f7e7b1dc7e9954b681550d3ffa7a54a6f139..20feec4df309b5793aa1c29fdf18bc5bfe180943 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -29,6 +29,7 @@ from ipaserver.install.dsinstance import realm_to_serverid from ipaserver.install.bindinstance import get_rr, add_rr, del_rr, \ dns_zone_exists from ipalib import errors, api +from ipalib.dn import DN from ipapython import sysrestore from ipapython import ipautil from ipapython.ipa_log_manager import * @@ -129,8 +130,10 @@ class ADTRUSTInstance(service.Service): return S-1-5-21-%d-%d-%d % (sub_ids[0], sub_ids[1], sub_ids[2]) def __add_admin_sids(self): -admin_dn = uid=admin,cn=users,cn=accounts,%s % self.suffix -admin_group_dn = cn=admins,cn=groups,cn=accounts,%s % self.suffix +admin_dn = str(DN(('uid', 'admin'), api.env.container_user, + self.suffix)) +admin_group_dn = str(DN(('cn', 'admins'), api.env.container_group, +self.suffix)) try: dom_entry = self.admin_conn.getEntry(self.smb_dom_dn, \ @@ -184,7 +187,8 @@ class ADTRUSTInstance(service.Service): try: -res = self.admin_conn.search_s(cn=ranges,cn=etc,+self.suffix, +res = self.admin_conn.search_s(str(DN(api.env.container_ranges, + self.suffix)), ldap.SCOPE_ONELEVEL, (objectclass=ipaDomainIDRange)) if len(res) != 1: 
@@ -227,8 +231,8 @@ class ADTRUSTInstance(service.Service): pass for new_dn in (self.trust_dn, \ - cn=ad,+self.trust_dn, \ - cn=ad,cn=etc,+self.suffix): + str(DN(('cn', 'ad'), self.trust_dn)), \ + str(DN(api.env.container_cifsdomains, self.suffix))): try: self.admin_conn.getEntry(new_dn, ldap.SCOPE_BASE) except errors.NotFound: @@ -469,14 +473,16 @@ class ADTRUSTInstance(service.Service): self.smb_conf = /etc/samba/smb.conf -self.smb_dn = cn=adtrust agents,cn=sysaccounts,cn=etc,%s % self.suffix +self.smb_dn = str(DN(('cn', 'adtrust agents'), ('cn', 'sysaccounts'), + ('cn', 'etc'), self.suffix)) -self.trust_dn = cn=trusts,%s % self.suffix -self.smb_dom_dn = cn=%s,cn=ad,cn=etc,%s % (self.domain_name, \ - self.suffix) +self.trust_dn = str(DN(api.env.container_trusts, self.suffix)) +self.smb_dom_dn = str(DN(('cn', self.domain_name), + api.env.container_cifsdomains, self.suffix)) self.cifs_principal = cifs/ + self.fqdn + @ + self.realm_name -self.cifs_agent = krbprincipalname=%s,cn=services,cn=accounts,%s % \ - (self.cifs_principal.lower(), self.suffix) +self.cifs_agent = str(DN(('krbprincipalname', self.cifs_principal.lower()), + api.env.container_service, + self.suffix)) self.selinux_booleans = [samba_portmapper] self.__setup_sub_dict() @@ -484,14 +490,16 @@ class ADTRUSTInstance(service.Service): def find_local_id_range(self): self.ldap_connect() -if self.admin_conn.search_s(cn=ranges,cn=etc, + self.suffix, +if self.admin_conn.search_s(str(DN(api.env.container_ranges, + self.suffix)), ldap.SCOPE_ONELEVEL, objectclass=ipaDomainIDRange): return try: -entry = self.admin_conn.getEntry(cn=admins,cn=groups,cn=accounts, \ - + self.suffix, +entry = self.admin_conn.getEntry(str(DN(('cn', 'admins'), +api.env.container_group, +self.suffix)), ldap.SCOPE_BASE) except errors.NotFound: raise ValueError(No local ID range and no
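Review bot: the hunk at line 184 keeps `if len(res) != 1:` after the one-level search for `(objectclass=ipaDomainIDRange)` under the ranges container; once the range CLI from the 22-24 series lets an administrator add a second local range this branch fires although a usable range exists. Select the range by content (for instance the one covering the admins group that `find_local_id_range` already looks up) rather than by count.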
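Review bot: in the hunk at line 469 `self.smb_dn` spells the path out as `('cn', 'adtrust agents'), ('cn', 'sysaccounts'), ('cn', 'etc')` while every neighbouring DN is built from an `api.env.container_*` value; if a container setting for sysaccounts exists it should be used, otherwise a short comment saying why this one is literal stops the next reader from "fixing" it. Separately, each DN is converted back with `str(...)` immediately because `search_s`/`getEntry` take strings; that is fine for this patch, but any comparison of these strings against search results stays a string comparison, so the escaping and normalisation benefit of DN objects reaches the wire, not the logic.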
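Review bot: in the `find_local_id_range` hunk the early `return` as soon as any `ipaDomainIDRange` entry is found skips the check Simo asked for in the 22-24 thread: nothing confirms that the range actually covers the local uidNumber/gidNumber values, so an upgraded server with a stale or wrongly sized range passes silently. At least log which range was found, and warn about accounts outside it.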
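Why building DNs by string formatting, which this patch removes, is more than a style issue, shown as an added example that is not FreeIPA's ipalib.dn: a trusted domain name, or any other value, that contains `,` or `=` changes the structure of a formatted DN, while a DN built from (attribute, value) pairs escapes the value per RFC 4514 and keeps it inside one RDN. The suffix and the hostile name are constructed.

```python
# Minimal DN builder with RFC 4514 escaping.  Illustration code, not FreeIPA's
# ipalib.dn; the suffix and domain names below are constructed.

# RFC 4514 section 2.4: these need a backslash anywhere in a value; '#' needs
# one at the start, a space at the start or end, NUL becomes \00.  '=' does
# not have to be escaped but may be; escaping it keeps "attr=value" unambiguous.
_ALWAYS_ESCAPE = set(',+"\\<>;=')


def escape_rdn_value(value):
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _ALWAYS_ESCAPE:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


class DN(object):
    """Ordered list of (attribute, value) RDNs; str() renders it escaped."""

    def __init__(self, *parts):
        self.rdns = []
        for part in parts:
            if isinstance(part, DN):
                self.rdns.extend(part.rdns)
            else:
                attr, value = part
                self.rdns.append((attr, value))

    def __str__(self):
        return ",".join("%s=%s" % (a, escape_rdn_value(v)) for a, v in self.rdns)

    def __eq__(self, other):
        if not isinstance(other, DN):
            return NotImplemented
        # Attribute types are case-insensitive.  Values are compared as-is
        # here; a full implementation applies the attribute's matching rule.
        return ([(a.lower(), v) for a, v in self.rdns]
                == [(a.lower(), v) for a, v in other.rdns])

    def __ne__(self, other):
        return not self == other

    def __len__(self):
        return len(self.rdns)


def split_rdns(dn_string):
    """Split a rendered DN on unescaped commas, as a server would parse it."""
    rdns, cur, i = [], [], 0
    while i < len(dn_string):
        ch = dn_string[i]
        if ch == "\\" and i + 1 < len(dn_string):
            cur.append(dn_string[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    return rdns


def naive_dn(domain_name, suffix):
    """The string-formatting style the patch replaces."""
    return "cn=%s,cn=ad,cn=etc,%s" % (domain_name, suffix)


SUFFIX = DN(("dc", "example"), ("dc", "test"))
HOSTILE_NAME = "corp,cn=etc"   # a value that happens to contain DN separators

if __name__ == "__main__":
    print(naive_dn(HOSTILE_NAME, SUFFIX))
    print(DN(("cn", HOSTILE_NAME), ("cn", "ad"), ("cn", "etc"), SUFFIX))
```

With the formatted version the server sees six RDNs and the entry lands one level deeper than intended, or the operation fails on a missing parent; with the escaped version it sees five and the domain name stays a single value, which is what makes the DN class the safer default whenever a value comes from outside the installer.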
Re: [Freeipa-devel] [PATCH] 1030 Fedora 18 compatibility
Martin Kosek wrote: On 06/29/2012 05:07 PM, Rob Crittenden wrote: Martin Kosek wrote: On 06/27/2012 07:46 PM, Rob Crittenden wrote: I found a few minor issues when building and installing the master branch on Fedora 18. This patch should address it. rob 1) This will fail on F17-F18 upgrades, we need to bump VERSION in ipa-rewrite.conf. Besides that, ipa-upgradeconfig needs to be fixed, otherwise it will crash during ipa-rewrite.conf upgrade - ${AUTOREDIR} variable is not set. However, this variable will need to be figured out from current ipa-rewrite.conf contents as it depends on whether the IPA server was installed with --no-ui-redirect or not. 2) Shouldn't we bump tomcat6 version as well since we depend on the tomcat6 fixed in BZ 831464? 3) %changelog entry is missing Martin This should do it rob This looks like the way to go, but this one won't fly yet - the server FQDN is hard-coded in the find_autoredirect function. Martin Updated. rob From 0582531451b3fa5505aa116f51e5c45fa83b46d5 Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Wed, 20 Jun 2012 14:09:55 -0400 Subject: [PATCH] Fix compatibility with Fedora 18. We need a Requires on openssl, the mod_rewrite syntax has changed so we can dump some unused configuration and we need a newer version of mod_auth_kerb to pick up the new location of delegated ccache. https://fedorahosted.org/freeipa/ticket/2839 --- freeipa.spec.in | 13 + install/conf/ipa-rewrite.conf |5 + install/tools/ipa-upgradeconfig | 23 ++- 3 files changed, 36 insertions(+), 5 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index f7b115202bc8086ba26b25fbe1848fb4ad1fec2a..52878e0f7b272fc9b64cca679a3f334141723781 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
@@ -112,7 +112,11 @@ Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp Requires: httpd Requires: mod_wsgi +%if 0%{?fedora} = 18 +Requires: mod_auth_kerb = 5.4-16 +%else Requires: mod_auth_kerb = 5.4-8 +%endif Requires: mod_nss = 1.0.8-10 Requires: python-ldap Requires: python-krbV @@ -145,10 +149,14 @@ Requires: pki-silent = 9.0.18 Requires: pki-setup = 9.0.18 Requires: dogtag-pki-common-theme Requires: dogtag-pki-ca-theme +%if 0%{?fedora} = 18 +Requires: tomcat6 = 6.0.35-4 +%else %if 0%{?fedora} = 16 # Only tomcat6 greater than this version provides proper systemd support Requires: tomcat6 = 6.0.32-17 %endif +%endif %if 0%{?rhel} Requires: subscription-manager %endif @@ -733,6 +741,11 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt %changelog +* Fri Jun 29 2012 Rob Crittenden rcrit...@redhat.com - 2.99.0-37 +- Add Requires on openssl +- Set minimum tomcat6 to 6.0.35-4 in F-18 +- Set minimum mod_auth_kerb to 5.4-16 in F-18 + * Fri Jun 21 2012 Sumit Bose sb...@redhat.com - 2.99.0-36 - Add extdom extop plugin diff --git a/install/conf/ipa-rewrite.conf b/install/conf/ipa-rewrite.conf index 5385f9db027c88fac6e7b0762c60f9a8dc2e1c3c..8da210d0aef95aa8179c00de89850df1f89f140a 100644 --- a/install/conf/ipa-rewrite.conf +++ b/install/conf/ipa-rewrite.conf @@ -1,9 +1,6 @@ -# VERSION 2 - DO NOT REMOVE THIS LINE +# VERSION 3 - DO NOT REMOVE THIS LINE RewriteEngine on -RewriteLog /var/log/httpd/rewrite.log -RewriteLogLevel 0 - # By default forward all requests to /ipa. If you don't want IPA # to be the default on your web server comment this line out. diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index bc8e6a249d96c9998e91c6037321aaa9c53ff00c..248232ac6e8048b6091c56a7824025f39a275fba 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig 
@@ -125,6 +125,26 @@ def find_hostname(): raise RuntimeError(Unable to determine the fully qualified hostname from %s % filename) +def find_autoredirect(fqdn): + +When upgrading ipa-rewrite.conf we need to see if the automatic redirect +was disabled during install time (or afterward). So sift through the +configuration file and see if we can determine the status. + +Returns True if autoredirect is enabled, False otherwise + +filename = '/etc/httpd/conf.d/ipa-rewrite.conf' +if os.path.exists(filename): +pattern = ^RewriteRule \^/\$ https://%s/ipa/ui \[L,NC,R=301\] % fqdn +p = re.compile(pattern) +for line in fileinput.input(filename): +if p.search(line): +fileinput.close() +return True +fileinput.close() +return False +return True + def find_version(filename): Find the version of a configuration file if os.path.exists(filename): @@ -386,7 +406,8 @@ def main(): check_certs() -sub_dict = { REALM : krbctx.default_realm, FQDN: fqdn } +auto_redirect = find_autoredirect(fqdn) +sub_dict = { REALM : krbctx.default_realm, FQDN: fqdn, AUTOREDIR: '' if auto_redirect else '#'} upgrade(sub_dict,
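Review bot: the commit message and the new %changelog entry both say a Requires on openssl is added, but none of the three freeipa.spec.in hunks adds a `Requires: openssl` line; the 13 insertions in the diffstat are fully accounted for by the two new %if blocks (4 lines each) and the 5 changelog lines. Either the Requires line was lost in the rebase or the message and changelog should be corrected before this is pushed. In the tomcat6 hunk, the F-16 branch carries a comment explaining its minimum version while the new F-18 branch does not; a comment pointing at the BZ 831464 fix would help whoever bumps 6.0.35-4 next.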
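Review bot: in the find_autoredirect hunk, fqdn is interpolated into the regular expression unescaped; use re.escape(fqdn) so that the dots in the host name match only dots and the test is exact rather than accidental. The pattern also requires exactly one space between the RewriteRule tokens, so an administrator who re-indented that line would have the redirect commented out on upgrade (the function returns False and AUTOREDIR becomes '#'); matching the separators with `\s+` is safer. The hunk does not add imports, so check that `re` and `fileinput` are already imported at the top of ipa-upgradeconfig; a plain `open()` in a `with` block would also remove the need for the two fileinput.close() calls. Returning True when ipa-rewrite.conf is absent is the right default for a fresh file, but the docstring should say so.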
Re: [Freeipa-devel] [PATCH] 1030 Fedora 18 compatibility
On 07/02/2012 02:47 PM, Rob Crittenden wrote: Martin Kosek wrote: On 06/29/2012 05:07 PM, Rob Crittenden wrote: Martin Kosek wrote: On 06/27/2012 07:46 PM, Rob Crittenden wrote: I found a few minor issues when building and installing the master branch on Fedora 18. This patch should address it. rob 1) This will fail on F17-F18 upgrades, we need to bump VERSION in ipa-rewrite.conf. Besides that, ipa-upgradeconfig needs to be fixed, otherwise it will crash during ipa-rewrite.conf upgrade - ${AUTOREDIR} variable is not set. However, this variable will need to be figured out from current ipa-rewrite.conf contents as it depends on whether the IPA server was installed with --no-ui-redirect or not. 2) Shouldn't we bump tomcat6 version as well since we depend on the tomcat6 fixed in BZ 831464? 3) %changelog entry is missing Martin This should do it rob This looks like the way to go, but this one won't fly yet - the server FQDN is hard-coded in the find_autoredirect function. Martin Updated. rob ACK. Pushed to master. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 1014 configurable service timeout
On 06/29/2012 07:52 PM, Rob Crittenden wrote: Martin Kosek wrote: On 05/29/2012 04:31 PM, Rob Crittenden wrote: Martin Kosek wrote: On Thu, 2012-05-24 at 11:38 -0400, Rob Crittenden wrote: Petr Viktorin wrote: On 05/18/2012 10:03 PM, Rob Crittenden wrote: Rob Crittenden wrote: A hardcoded timeout was used in ipactl for service restarts, set rather low. A separate timeout was hardcoded into the installer. I centralized them into a single timeout, configurable in the standard way in /etc/ipa/*.conf. On install it will always default to 120 seconds and remain there unless changed in default.conf (not replicated either). I tested this on systemd systems and sysV systems and it works ok for me. You'll also want to double-check that this works when other 389-ds instances are installed. Getting the naming of instances right was a bit tricky. Noticed a problem on upgrades and fixed that. Updated patch attached. rob Please rebase the patch onto current master. Done This is a good start. I just found a few places where the remaining wait function calls seem redundant: 1) install/tools/ipactl: if lurl.urlscheme == 'ldapi': -wait_for_open_socket(lurl.hostport, timeout=6) +wait_for_open_socket(lurl.hostport, timeout=api.env.startup_timeout) else: (host,port) = lurl.hostport.split(':') -wait_for_open_ports(host, [int(port)], timeout=6) +wait_for_open_ports(host, [int(port)], timeout=api.env.startup_timeout) Aren't these calls redundant? We already wait for ports when dirsrv is started (dirsrv.start()) or restarted (dirsrv.restart()). It is redundant in some cases but there are some calls we make where this is used to determine the availability of the service. This call is needed. 2) ipaserver/install/replication.py: -installutils.wait_for_open_ports('localhost', [389, 636], 300) +ipautil.wait_for_open_ports('localhost', [389, 636], 300) Isn't this now redundant? Port check should be done in service restart. Yes, looks like this call can go. 
3) ipaserver/install/plugins/updateclient.py: -installutils.wait_for_open_socket(socket_name) +wait_for_open_socket(socket_name) Also seems redundant, dirsrv should be already up as it was restarted via our Service framework. Though we only check for ports in the Service framework, I wonder if this is enough and we can be sure that when ports are up, the LDAPI socket is also up. No, sockets and ports are separate, particularly when updating. In fact, we disable the ports so a wait_for_port() will always fail which is why I added the wait flag. This may be a case I missed with upgrades. Let me test upgrades again... rob I think we want to either send a revised patch to this ticket to get it to Beta 1 or to defer it to some future version... Martin Here is a rebased patch. rob This rather looks like a SELinux user map test patch... Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
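The point Rob makes above, that an open TCP port says nothing about the LDAPI Unix socket, is easy to show with the two kinds of wait loop the patch centralizes. The code below is an added example and not ipapython code: the function names wait_for_open_ports and wait_for_open_socket are taken from the thread but the bodies are written fresh here, and the simulated server (a listener that opens its port after a delay and its socket later or never) is constructed for the demonstration. It assumes a POSIX host with AF_UNIX sockets and Python 3.

```python
# Added example, not ipapython code: the two readiness checks discussed
# above, a TCP port wait and a Unix-socket (LDAPI-style) wait, plus a
# simulated server constructed to show that an open port does not imply
# an open socket. Function names follow the thread; bodies are new.
import os
import socket
import tempfile
import threading
import time


def wait_for_open_ports(host, ports, timeout):
    """Return True once every port accepts a TCP connection, else False."""
    deadline = time.monotonic() + timeout
    pending = list(ports)
    while pending:
        try:
            socket.create_connection((host, pending[0]), timeout=1).close()
            pending.pop(0)                      # this one is up, next port
        except OSError:
            if time.monotonic() >= deadline:
                return False
            time.sleep(0.1)
    return True


def wait_for_open_socket(path, timeout):
    """Return True once a Unix-domain socket at path accepts a connection."""
    deadline = time.monotonic() + timeout
    while True:
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            sock.connect(path)                  # ENOENT/ECONNREFUSED until ready
            return True
        except OSError:
            if time.monotonic() >= deadline:
                return False
            time.sleep(0.1)
        finally:
            sock.close()


def simulate_startup(port_delay, socket_delay, timeout):
    """Constructed server: the TCP port starts listening after port_delay
    seconds, the Unix socket socket_delay seconds after that (None = never,
    as when LDAPI is disabled). Returns (ports_ok, socket_ok)."""
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind(('127.0.0.1', 0))                  # bound but not yet listening
    port = tcp.getsockname()[1]
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, 'ldapi')
    unix = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)

    def bring_up():
        time.sleep(port_delay)
        tcp.listen(1)
        if socket_delay is not None:
            time.sleep(socket_delay)
            unix.bind(path)
            unix.listen(1)

    worker = threading.Thread(target=bring_up)
    worker.start()
    try:
        ports_ok = wait_for_open_ports('127.0.0.1', [port], timeout)
        socket_ok = wait_for_open_socket(path, timeout)
    finally:
        worker.join()
        tcp.close()
        unix.close()
        if os.path.exists(path):
            os.unlink(path)
        os.rmdir(tmpdir)
    return ports_ok, socket_ok


if __name__ == '__main__':
    # Port comes up, socket never does: a port-only check would report ready.
    print(simulate_startup(0.2, None, 1.0))     # (True, False)
    # Both come up inside the deadline.
    print(simulate_startup(0.2, 0.2, 2.0))      # (True, True)
```

The first run is the upgrade case from the thread: the port check passes while the socket check times out, which is why a caller that is about to talk over LDAPI has to wait on the socket itself and not on the ports the Service framework watched.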
Re: [Freeipa-devel] [PATCH] 1014 configurable service timeout
Martin Kosek wrote: On 06/29/2012 07:52 PM, Rob Crittenden wrote: Martin Kosek wrote: On 05/29/2012 04:31 PM, Rob Crittenden wrote: Martin Kosek wrote: On Thu, 2012-05-24 at 11:38 -0400, Rob Crittenden wrote: Petr Viktorin wrote: On 05/18/2012 10:03 PM, Rob Crittenden wrote: Rob Crittenden wrote: A hardcoded timeout was used in ipactl for service restarts, set rather low. A separate timeout was hardcoded into the installer. I centralized them into a single timeout, configurable in the standard way in /etc/ipa/*.conf. On install it will always default to 120 seconds and remain there unless changed in default.conf (not replicated either). I tested this on systemd systems and sysV systems and it works ok for me. You'll also want to double-check that this works when other 389-ds instances are installed. Getting the naming of instances right was a bit tricky. Noticed a problem on upgrades and fixed that. Updated patch attached. rob Please rebase the patch onto current master. Done This is a good start. I just found a few places where the remaining wait function calls seem redundant: 1) install/tools/ipactl: if lurl.urlscheme == 'ldapi': -wait_for_open_socket(lurl.hostport, timeout=6) +wait_for_open_socket(lurl.hostport, timeout=api.env.startup_timeout) else: (host,port) = lurl.hostport.split(':') -wait_for_open_ports(host, [int(port)], timeout=6) +wait_for_open_ports(host, [int(port)], timeout=api.env.startup_timeout) Aren't these calls redundant? We already wait for ports when dirsrv is started (dirsrv.start()) or restarted (dirsrv.restart()). It is redundant in some cases but there are some calls we make where this is used to determine the availability of the service. This call is needed. 2) ipaserver/install/replication.py: -installutils.wait_for_open_ports('localhost', [389, 636], 300) +ipautil.wait_for_open_ports('localhost', [389, 636], 300) Isn't this now redundant? Port check should be done in service restart. Yes, looks like this call can go. 
3) ipaserver/install/plugins/updateclient.py: -installutils.wait_for_open_socket(socket_name) +wait_for_open_socket(socket_name) Also seems redundant, dirsrv should be already up as it was restarted via our Service framework. Though we only check for ports in the Service framework, I wonder if this is enough and we can be sure that when ports are up, the LDAPI socket is also up. No, sockets and ports are separate, particularly when updating. In fact, we disable the ports so a wait_for_port() will always fail which is why I added the wait flag. This may be a case I missed with upgrades. Let me test upgrades again... rob I think we want to either send a revised patch to this ticket to get it to Beta 1 or to defer it to some future version... Martin Here is a rebased patch. rob This rather looks like a SELinux user map test patch... Martin Ouch, off-by-one error. This is the right one. rob From 8a5035ff3e02d97a5ea6b96789bb52d6c7d34416 Mon Sep 17 00:00:00 2001 
From: Rob Crittenden rcrit...@redhat.com Date: Thu, 24 May 2012 11:23:36 -0400 Subject: [PATCH] Centralize timeout for waiting for servers to start. All service start/restart currently go through ipapython/platform so move the wait for service to start code there as well. A dictionary of known services and ports to wait on is defined in base.py This is referenced by the platforms by instance name to determine what to wait for. For the case of dirsrv if we get that as a plain name (no specific instance) it is assumed to be the main IPA service. https://fedorahosted.org/freeipa/ticket/2375 --- install/tools/ipactl | 28 --- ipalib/constants.py |2 ++ ipapython/ipautil.py | 54 ipapython/platform/base.py| 56 ++--- ipapython/platform/fedora16.py|4 +-- ipapython/platform/redhat.py | 22 ++-- ipapython/platform/systemd.py | 23 ++-- ipaserver/install/cainstance.py |1 - ipaserver/install/dsinstance.py |3 +- ipaserver/install/installutils.py | 52 --- ipaserver/install/plugins/baseupdate.py |8 + ipaserver/install/plugins/updateclient.py |4 +-- ipaserver/install/replication.py |2 -- ipaserver/install/service.py | 10 +++--- ipaserver/install/upgradeinstance.py |5 +++ ipaserver/ipaldap.py |7 ++-- 16 files changed, 176 insertions(+), 105 deletions(-) diff --git a/install/tools/ipactl b/install/tools/ipactl index c4d26b8df150119e0bc84abac020f8989a2a8ad2..22a4f6e03030e9874a533dd9978823dd3505658d 100755 --- a/install/tools/ipactl +++ b/install/tools/ipactl @@ -24,7 +24,8
Re: [Freeipa-devel] [PATCH] 282 Create default range entry after upgrade
Martin Kosek wrote: Create default range both on new install and on upgrades. Also make sure that all range object classes are present for upgraded machines. Default range LDIF entry for new install was fixed so that new installation does not crash. https://fedorahosted.org/freeipa/ticket/2891 ACK ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 282 Create default range entry after upgrade
On 07/02/2012 04:20 PM, Rob Crittenden wrote: Martin Kosek wrote: Create default range both on new install and on upgrades. Also make sure that all range object classes are present for upgraded machines. Default range LDIF entry for new install was fixed so that new installation does not crash. https://fedorahosted.org/freeipa/ticket/2891 ACK Pushed to master. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 31 Use DN objects instead of strings in adtrustinstance
Sumit Bose wrote: Hi, as pointed out by John adtrustinstance.py does not use the DN objects but strings to define LDAP DNs. This patch fixes it. bye, Sumit ACK, pushed to master rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
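Why it matters that adtrustinstance now builds DNs from components rather than with % formatting: an attribute value that contains a comma or an equals sign changes the shape of a string-formatted DN, while a DN object escapes it per RFC 4514 and the DN keeps the shape the code intended. The code below is an added example and is not ipalib.dn or any FreeIPA code; the minimal DN class, its parser, the CONTAINER_USER constant standing in for api.env.container_user and the sample suffix dc=example,dc=test are all constructed here only to show the difference (ipalib's DN has a much richer API).

```python
# Added example (not ipalib.dn and not FreeIPA code): building DNs from
# typed components instead of by string formatting. Escaping follows
# RFC 4514 section 2.4; the sample suffix and user names are constructed.
import re

# Characters that must be backslash-escaped anywhere inside a DN value.
_SPECIALS = ',+"\\<>;='


def escape_dn_value(value):
    """Escape one attribute value so it is safe inside a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIALS:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        elif ch == '#' and i == 0:          # a leading '#' would start a hex string
            out.append('\\#')
        elif ch == ' ' and i in (0, last):  # leading/trailing spaces
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)


def _split_unescaped(text, sep):
    """Split text on sep, skipping occurrences preceded by a backslash."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == '\\' and i + 1 < len(text):
            cur.append(text[i:i + 2])       # keep the escape pair intact
            i += 2
            continue
        if text[i] == sep:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(text[i])
        i += 1
    parts.append(''.join(cur))
    return parts


def _unescape(raw):
    """Reverse escape_dn_value, including \\XX hex escapes."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == '\\' and i + 1 < len(raw):
            if re.match(r'[0-9A-Fa-f]{2}', raw[i + 1:i + 3]):
                out.append(chr(int(raw[i + 1:i + 3], 16)))
                i += 3
            else:
                out.append(raw[i + 1])
                i += 2
            continue
        out.append(raw[i])
        i += 1
    return ''.join(out)


class DN(object):
    """Minimal DN: an ordered list of (attribute, value) RDNs. Parts may be
    (attr, value) tuples, DN objects or DN strings, the calling convention
    the patch uses. Multi-valued RDNs ('+') are not modelled here."""

    def __init__(self, *parts):
        self.rdns = []
        for part in parts:
            if isinstance(part, DN):
                self.rdns.extend(part.rdns)
            elif isinstance(part, tuple):
                attr, value = part
                self.rdns.append((attr.lower(), value))
            else:
                self.rdns.extend(DN.parse(part).rdns)

    @classmethod
    def parse(cls, text):
        dn = cls()
        for rdn in _split_unescaped(text, ','):
            attr, _, raw = rdn.partition('=')
            dn.rdns.append((attr.strip().lower(), _unescape(raw)))
        return dn

    def __str__(self):
        return ','.join('%s=%s' % (a, escape_dn_value(v)) for a, v in self.rdns)


CONTAINER_USER = 'cn=users,cn=accounts'   # stands in for api.env.container_user
SUFFIX = 'dc=example,dc=test'             # constructed sample suffix


def unsafe_user_dn(uid, suffix=SUFFIX):
    """The pattern the patch removes: '%' formatting, no escaping."""
    return 'uid=%s,%s,%s' % (uid, CONTAINER_USER, suffix)


def safe_user_dn(uid, suffix=SUFFIX):
    """The pattern the patch introduces: typed components, escaped on str()."""
    return str(DN(('uid', uid), CONTAINER_USER, suffix))


def rdn_count(dn_text):
    """How many RDNs a DN string actually has once parsed."""
    return len(DN.parse(dn_text).rdns)


if __name__ == '__main__':
    hostile = 'admin,cn=groups'             # constructed value with DN specials
    for build in (unsafe_user_dn, safe_user_dn):
        dn = build(hostile)
        print('%-14s %d RDNs  %s' % (build.__name__, rdn_count(dn), dn))
```

With the constructed value admin,cn=groups the formatted string has six RDNs and names an entry under a different container than the code meant, while the DN-built string keeps five RDNs and parses back to a uid value of exactly admin,cn=groups. That is the property the str(DN(...)) calls in the patch buy for every value that comes from the environment or from LDAP, such as the domain name used in smb_dom_dn.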
Re: [Freeipa-devel] [PATCH] 165 Display loginas information only after login
ACK. Some more comments below. Feel free to fix before push or later separately. On 7/2/2012 2:55 AM, Petr Vobornik wrote: On 06/28/2012 10:47 PM, Endi Sukma Dewata wrote: On 6/28/2012 9:07 AM, Petr Vobornik wrote: Message 'Logged in as: u...@freeipa.org' was displayed before the user was logged in. It was wrong. Now 'Logged in as: XXX' is displayed only when user XXX is logged in. So no more u...@freeipa.org :). It might be better to use visibility instead of display to reserve the space. Right now the password expiration warning will initially appear on the right, then shift to the left when the Logged in as appears. Seems like a better approach. Updated patch attached. The message still shifts, but this time from left to right, probably because the loggedinas element doesn't have a fixed width. Another improvement might be: display password expiration warning at the same time as login information. What do you think? Does it matter? Yes, I was thinking about that too. It doesn't really matter much but I agree it would look better if they appear at the same time. The u...@freeipa.org in the HTML code is never visible anymore, so feel free to remove it. You can also replace the strong element with a span and then define the style in CSS. A separate issue, under IPA Server tab, the Trusts menu comes after Configuration. Would it make more sense to show Configuration last because Configuration is really like Other Settings? -- Endi S. Dewata ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] Announcing FreeIPA v3.0.0 beta 1 Release
The FreeIPA team is proud to announce version FreeIPA v3.0.0 beta 1. It can be downloaded from http://www.freeipa.org/page/Downloads. A build is available in the Fedora rawhide repositories or for Fedora 17 via the freeipa-devel repo on www.freeipa.org: http://freeipa.org/downloads/freeipa-devel.repo . To install in Fedora 17 the updates-repo repository needs to be enabled as well. For additional information see the AD Trust design page http://freeipa.org/page/IPAv3_AD_trust and the AD Trust testing page http://freeipa.org/page/IPAv3_testing_AD_trust.

== Highlights in 3.0.0 ==

* Support for AD Trust
* Per-domain DNS permissions
* DNS persistent search enabled by default, new zones are seen immediately
* New DNS resolver library
* Migration improvements
* The last administrator cannot be removed
* Forms-based password reset
* Redesigned action panels in UI
* Sessions for command-line users
* Tool to configure automount client, ipa-client-automount

== Upgrading ==

An IPA server can be upgraded simply by installing updated rpms. The server does not need to be shut down in advance. If you have multiple servers you may upgrade them one at a time. It is expected that all servers will be upgraded in a relatively short period (days or weeks not months). They should be able to co-exist peacefully but new features will not be available on old servers and enrolling a new client against an old server will result in the SSH keys not being uploaded. Downgrading a server once upgraded is not supported.

Upgrading from 2.2.0 should work but has not been fully tested. Proceed with caution.

An enrolled client does not need the new packages installed unless you want to re-enroll it. SSH keys for already installed clients are not uploaded, you will have to re-enroll the client or manually upload the keys.

== Feedback ==

Please provide comments, bugs and other feedback via the freeipa-devel mailing list: http://www.redhat.com/mailman/listinfo/freeipa-devel

== Detailed changelog including 2.2.0 ==

The development of 3.0 occurred simultaneously with 2.2.0 so there is some overlap.

Adam Young (10):
* enable proxy for dogtag
* split metadata call
* Make mod_nss renegotiation configuration a public function
* Execute pki proxy setup when server is upgraded if needed
* Force the upgrade of pki-setup when upgrading the RPMS
* Fix dynamic display of UI tabs based on rights
* remove enrolled column
* Add priority to pwpolicy list
* Remove delegation from browser config
* ignore generated services file.

Alexander Bokovoy (61):
* Propagate environment when it is required.
* Incorrect name in examples of ipa help hbactest
* Unroll groups when testing HBAC rules
* Convert server install code to platform-independent access to system services
* Convert client-side tools to platform-independent access to system services
* Convert installation tools to platform-independent access to system services
* Cleanup whitespace
* Introduce platform-specific adaptation for services used by FreeIPA.
* When external host is specified in HBAC rule, allow its use in simulation
* Unroll StrEnum values when displaying help
* Configure pam_krb5 on the client only if sssd is not configured
* Setup and restore ntp configuration on the client side properly
* Fix 'referenced before assignment' warning
* Before kinit, try to sync time with the NTP servers of the domain we are joining
* Increase number of 'getent passwd attempts' to 10
* Force kerberos realm to be a string
* Include indirect membership and canonicalize hosts during HBAC rules testing
* Refactor backup_and_replace_hostname() into a flexible config modification tool
* Write KRB5REALM to /etc/sysconfig/krb5kdc and make use of common backup_config_and_replace_variables() tool
* Refactor authconfig use in ipa-client-install
* Document --preserve-sssd option of ipa-client-install
* Use set class instead of dictview class as set is wider supported
* hbactest fails while you have svcgroup in hbacrule
* Add support for systemd environments and use it to support Fedora 16
* Spin for connection success also when socket is not (yet) available
* Update spec file to use systemd on Fedora 16 and above
* Quote multiple workers option
* Check for Python.h during build of py_default_encoding extension
* Add configure check for libintl.h
* Create directories for client install
* Add Extending FreeIPA developer guide
* Small fix to the guide CSS: enable vertical scroll bar
* Rename included snippets to avoid problems with pylint
* Fix dependency for samba4-devel package
* Merge branch 'master' of git+ssh://git.fedorahosted.org/git/freeipa
* Check through all LDAP servers in the domain during IPA discovery
* Validate sudo RunAsUser/RunAsGroup arguments
* Allow hbactest to work with HBAC rules exceeding default IPA limits
* Add management of inifiles to allow manipulation of systemd units
* Handle upgrade issues with
Re: [Freeipa-devel] Announcing FreeIPA v3.0.0 beta 1 Release
2012/7/2 Rob Crittenden rcrit...@redhat.com The FreeIPA team is proud to announce version FreeIPA v3.0.0 beta 1. It can be downloaded from http://www.freeipa.org/page/Downloads . A build is available in the Fedora rawhide repositories or for Fedora 17 via the freeipa-devel repo on www.freeipa.org: http://freeipa.org/downloads/freeipa-devel.repo . To install in Fedora 17 the updates-repo repository needs to be enabled as well. For additional information see the AD Trust design page http://freeipa.org/page/IPAv3_AD_trust and the AD Trust testing page http://freeipa.org/page/IPAv3_testing_AD_trust . Wow! Dmitri told me last week in Boston that something was cooking, but I'm impressed at the changelog. Congrats to the team! Did you update transifex with the new strings for 3.0 for localization? Regards, J. -- Jérôme Fenal - jfenal AT gmail.com - http://fenal.org/ Paris.pm - http://paris.mongueurs.net/ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel