Re: [Freeipa-devel] [PATCHES] 98-101 Preserve case of LDAP attribute names
On 19.2.2013 17:30, Rob Crittenden wrote:
I think dropping raw=True in patch 99.3 is going to break a check later
where we look at the managedby attribute. Without raw this will be
managedby_host.
Fixed, thanks for the catch.
I have also made 2 changes to patch 100 (made sure the entry returned by
ldap2.get_ipa_config is using the correct IPASimpleLDAPObject and
changed LDAPEntry.clone to be less fragile).
Updated (and rebased) patches attached.
Honza
--
Jan Cholasta
From 78d3da5cc8837ae2f3be9783df6d19af2683f8fe Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Thu, 31 Jan 2013 11:19:13 +0100
Subject: [PATCH 1/4] Use the dn attribute of LDAPEntry to set/get DNs of
entries.
Convert all code that uses the 'dn' key of LDAPEntry for this to use the dn
attribute instead.
---
install/tools/ipa-compliance | 10 +++
install/tools/ipa-replica-install | 2 +-
ipalib/plugins/automember.py | 9 --
ipalib/plugins/baseldap.py| 58 +++
ipalib/plugins/krbtpolicy.py | 6 ++--
ipalib/plugins/permission.py | 6 ++--
ipalib/plugins/sudorule.py| 8 --
ipalib/plugins/trust.py | 2 +-
ipalib/plugins/user.py| 9 ++
ipaserver/ipaldap.py | 4 +--
ipaserver/plugins/ldap2.py| 2 --
11 files changed, 73 insertions(+), 43 deletions(-)
diff --git a/install/tools/ipa-compliance b/install/tools/ipa-compliance
index c82e415..9b34350 100644
--- a/install/tools/ipa-compliance
+++ b/install/tools/ipa-compliance
@@ -116,7 +116,7 @@ def check_compliance(tmpdir, debug=False):
hostcount = 0
# Get the hosts first
try:
-(entries, truncated) = conn.find_entries('(krblastpwdchange=*)', ['dn'],
+(entries, truncated) = conn.find_entries('(krblastpwdchange=*)', [],
DN(api.env.container_host, api.env.basedn),
conn.SCOPE_ONELEVEL,
size_limit = -1)
@@ -136,10 +136,10 @@ def check_compliance(tmpdir, debug=False):
available = 0
try:
(entries, truncated) = conn.find_entries('(objectclass=ipaentitlement)',
-['dn', 'userCertificate'],
-DN(api.env.container_entitlements, api.env.basedn),
-conn.SCOPE_ONELEVEL,
-size_limit = -1)
+['userCertificate'],
+DN(api.env.container_entitlements, api.env.basedn),
+conn.SCOPE_ONELEVEL,
+size_limit = -1)
for entry in entries:
(dn, attrs) = entry
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 13c3260..846122d 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -572,7 +572,7 @@ def main():
config.dirman_password)
found = False
try:
-entry = conn.find_entries(u'fqdn=%s' % host, ['dn', 'fqdn'], DN(api.env.container_host, api.env.basedn))
+entry = conn.find_entries(u'fqdn=%s' % host, ['fqdn'], DN(api.env.container_host, api.env.basedn))
print The host %s already exists on the master server.\nYou should remove it before proceeding: % host
print %% ipa host-del %s % host
found = True
diff --git a/ipalib/plugins/automember.py b/ipalib/plugins/automember.py
index af39f6a..520f8a0 100644
--- a/ipalib/plugins/automember.py
+++ b/ipalib/plugins/automember.py
@@ -316,10 +316,12 @@ class automember_add_condition(LDAPUpdate):
except errors.NotFound:
failed['failed'][attr].append(regex)
+entry_attrs = entry_to_dict(entry_attrs, **options)
+
# Set failed and completed to they can be harvested in the execute super
setattr(context, 'failed', failed)
setattr(context, 'completed', completed)
-setattr(context, 'entry_attrs', dict(entry_attrs))
+setattr(context, 'entry_attrs', entry_attrs)
# Make sure to returned the failed results if there is nothing to remove
if completed == 0:
@@ -406,10 +408,13 @@ class automember_remove_condition(LDAPUpdate):
else:
failed['failed'][attr].append(regex)
entry_attrs[attr] = old_entry
+
+entry_attrs = entry_to_dict(entry_attrs, **options)
+
# Set failed and completed to they can be harvested in the execute super
setattr(context, 'failed', failed)
setattr(context, 'completed', completed)
-setattr(context, 'entry_attrs', dict(entry_attrs))
+setattr(context, 'entry_attrs', entry_attrs)
# Make sure to returned the failed results if there is nothing to remove
if completed == 0:
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 44751e1..74e2384 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -229,6 +229,12 @@ def entry_from_entry(entry, newentry):
for e in
Re: [Freeipa-devel] [PATCH 0035] Use default.conf as flag of IPA client being installed
On 02/20/2013 10:31 AM, Tomas Babej wrote: Hi, When installing / uninstalling IPA client, the checks that determine whether IPA client is installed now take the existence of /etc/ipa/default.conf into consideration. The client will not uninstall unless either something is backed up or /etc/ipa/default.conf file does exist. The client will not install if something is backed up or default.conf file does exist (unless it's installation on master). https://fedorahosted.org/freeipa/ticket/3331 Tomas Can we create a function testing if ipa client is installed to avoid duplication of the decision logic? Something like is_ipa_configured present in ipaserver/install/installutils.py. Keep in mind that we cannot use ipaserver package as it may not be present on client. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 240-252 AMD modules and Web UI build
On 01/18/2013 03:16 PM, Petr Vobornik wrote: On 01/18/2013 03:11 AM, Endi Sukma Dewata wrote: On 1/17/2013 8:01 PM, Petr Vobornik wrote: On 01/17/2013 04:24 AM, Endi Sukma Dewata wrote: Nice work! They seem to be working fine so it's ACKed. I found a little error - there is a jsl problem in dojo.profile:86 - comma at the end of a list. Updated patch 243 attached. ACK. Pushed to master. Pushed to ipa-3-1 -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 228-237 Confirmation of dialogs by keyboard, better password dialogs
On 01/07/2013 12:53 PM, Petr Vobornik wrote: On 11/27/2012 04:50 PM, Endi Sukma Dewata wrote: On 11/20/2012 6:54 AM, Petr Vobornik wrote: New design page: http://www.freeipa.org/page/V3/WebUI_keyboard_confirmation Link to design page was added to tickets #3200 and #2910. In the ticket list of previous mail is a mistake. This effort is related to tickets #3200, #2910 and #2884. Probably commit messages should be amended. ACK. Pushed to master. Pushed to ipa-3-1 -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] Web UI: ipa-3-1 and master are equal
I pushed Web UI patches which were in master but not in ipa-3-1 branch to ipa-3-1 branch. 2808a5ac01483275a75c0c0cbf9836a7e21a2041 Fix BuildRequires: rhino replaced with java-1.7.0-openjdk 95a191e98177d56bee32d5844f34241d5b987663 Change tests to use AMD loader aec35465fed1771e45f9755c80781bf478087fa9 Updated makefiles to build FreeIPA Web UI layer 591041d54d22703153ff2d7793d2a45a634152ff Change Web UI sources to simple AMD modules e472a3419e60cda05978994db3915962a241a86f AMD config file 193d0ac9d23b0a8873846e2797e001fe83e1d2f3 Update JavaScript Lint configuration file 5ae3f90500cac3bbe26210635a1fbd304def474c Move of core Web UI files to AMD directory 27d9348139ef7b603bc515cf5bbbac78f1e416a2 Move of Web UI non AMD dep. libs to libs subdirectory 16f9038b3e105d9ac6099be25404c3e6cf31d89c Web UI Sync development utility 146f3a73b00cbbafc734578c767b932030bc1aec Web UI development environment directory structure and configuration 2ae4e649a72838cbbfa68818c183d20fcf11151c Minimal Dojo layer 4a4cbdecc2c1fec377fe6839a1897d2c6dd3 Config files for builder of FreeIPA UI layer e8db24fdb989e6cb68f7a6eb8cdbca1b77c35721 Dojo Builder d7b25b0bd34568d28f74a3dfc27f520bc7f094b9 Use Uglify.js for JS optimization 69cbbd10a11736754e5137e394b3f87291cb0fd2 Enable mod_deflate 06a6ef87d81a0300c716dac47a998dcbc38fbcc2 Focus first input element after 'Add and Add another' 8e3b09310e615036570ab29fb7c2d1f3009aa2b2 Standardize login password reset, user reset password and host set OTP dialogs d68dd2138d546673c1dae90e6dfc977ed0b82cd4 Confirm association dialogs by enter b1632ffa52b2a2f30f3d83aaabc958e4a9928c0e Focus last dialog when some is closed 69185978eb8b9b206fda13af49e9885cc4a150b7 Confirm error dialog by enter 40a5d90cfe2077d847841ce46a859ca9ade97a61 Confirm adder dialog by enter c3de70c77bae2b184b52b6029c4146b8312be784 Confirm mixin c66c8202919f10a65fddf3b97355a87c39b8ba2b Make confirm_dialog a base class for message_dialog 92aa635be56fe6e991e902ece369a7bbf57a018d Make confirm_dialog a base class for deleter dialog 9806eae286764e35a218d9e3f832a6c85a7ca929 Make confirm_dialog a base class of revoke and restore certificate dialogs b238fc13ef98afb0bae4c479be1fc2c7fa94468d Avoid internal error when user is not Trust admin -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0035] Use default.conf as flag of IPA client being installed
On 02/21/2013 01:29 PM, Tomas Babej wrote:
On 02/21/2013 12:47 PM, Martin Kosek wrote:
On 02/20/2013 10:31 AM, Tomas Babej wrote:
Hi,
When installing / uninstalling IPA client, the checks that
determine whether IPA client is installed now take the existence
of /etc/ipa/default.conf into consideration.
The client will not uninstall unless either something is backed
up or /etc/ipa/default.conf file does exist.
The client will not install if something is backed up or
default.conf file does exist (unless it's installation on master).
https://fedorahosted.org/freeipa/ticket/3331
Tomas
Can we create a function testing if ipa client is installed to avoid
duplication of the decision logic? Something like is_ipa_configured present
in
ipaserver/install/installutils.py.
Keep in mind that we cannot use ipaserver package as it may not be present on
client.
Martin
Moved to is_ipa_client_installed function to ipautils.py
Updated patch attached.
Tomas
You just created a nice import loop:
# make rpms
...
if [ != yes ]; then \
./makeapi --validate; \
fi
Traceback (most recent call last):
File ./makeapi, line 457, in module
sys.exit(main())
File ./makeapi, line 428, in main
api.finalize()
File /root/freeipa-master/ipalib/plugable.py, line 674, in finalize
self.__do_if_not_done('load_plugins')
File /root/freeipa-master/ipalib/plugable.py, line 454, in __do_if_not_done
getattr(self, name)()
File /root/freeipa-master/ipalib/plugable.py, line 613, in load_plugins
self.import_plugins('ipalib')
File /root/freeipa-master/ipalib/plugable.py, line 655, in import_plugins
__import__(fullname)
File /root/freeipa-master/ipalib/plugins/cert.py, line 30, in module
from ipalib import pkcs10
File /root/freeipa-master/ipalib/pkcs10.py, line 24, in module
from ipapython import ipautil
File /root/freeipa-master/ipapython/ipautil.py, line 52, in module
from ipapython import sysrestore
File /root/freeipa-master/ipapython/sysrestore.py, line 34, in module
from ipapython import ipautil
ImportError: cannot import name ipautil
make: *** [version-update] Error 1
Martin
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 0182 Fix permission validation and normalization in aci.py
This patch fixes an internal error in the permission plugin that would
become more noticeable when CSV is dropped.
https://fedorahosted.org/freeipa/ticket/3420
--
Petr³
From c9928467ea776d444208d329cd03bff3eac3b597 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Thu, 14 Feb 2013 07:23:06 -0500
Subject: [PATCH] Fix permission validation and normalization in aci.py
The code split the permission string on commas, essentially doing
poor man's CSV parsing. So if a permission contained a
comma-separated list of valid permissions, validation would pass
but we'd get errors later.
https://fedorahosted.org/freeipa/ticket/3420
---
ipalib/plugins/aci.py | 23 ++-
1 files changed, 10 insertions(+), 13 deletions(-)
diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py
index 7c4e8a549797a9893d6343d0c7126e0754dbf561..2860ac8b1d33664139ec5b64583c9078c8c1b0ad 100644
--- a/ipalib/plugins/aci.py
+++ b/ipalib/plugins/aci.py
@@ -392,21 +392,18 @@ def _find_aci_by_name(acis, aciprefix, aciname):
return a
raise errors.NotFound(reason=_('ACI with name %s not found') % aciname)
-def validate_permissions(ugettext, permissions):
-valid_permissions = []
-permissions = permissions.split(',')
-for p in permissions:
-p = p.strip().lower()
-if not p in _valid_permissions_values:
- return '%s is not a valid permission' % p
-def _normalize_permissions(permissions):
+def validate_permissions(ugettext, perm):
+perm = perm.strip().lower()
+if perm not in _valid_permissions_values:
+return '%s is not a valid permission' % perm
+
+
+def _normalize_permissions(perm):
valid_permissions = []
-permissions = permissions.split(',')
-for p in permissions:
-p = p.strip().lower()
-if p not in valid_permissions:
-valid_permissions.append(p)
+perm = perm.strip().lower()
+if perm not in valid_permissions:
+valid_permissions.append(perm)
return ','.join(valid_permissions)
_prefix_option = StrEnum('aciprefix',
--
1.7.7.6
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 0104-0106 Provide means of displaying warning and informational messages on clients
On 02/21/2013 12:50 PM, Petr Viktorin wrote:
On 02/20/2013 05:17 PM, Martin Kosek wrote:
On 02/19/2013 12:15 PM, Petr Viktorin wrote:
On 02/13/2013 11:18 AM, Petr Viktorin wrote:
On 01/29/2013 05:06 PM, Petr Viktorin wrote:
On 01/04/2013 07:20 PM, Petr Viktorin wrote:
On 12/14/2012 09:04 AM, Jan Cholasta wrote:
On 13.12.2012 18:09, Petr Viktorin wrote:
On 12/13/2012 04:43 PM, Martin Kosek wrote:
On 12/13/2012 10:59 AM, Petr Viktorin wrote:
It's time to give this to another set of eyes :)
Design document: http://freeipa.org/page/V3/Messages
Ticket: https://fedorahosted.org/freeipa/ticket/2732
More info is in commit messages.
Because of https://fedorahosted.org/freeipa/ticket/3294, I needed to
change the
design document: when the client doesn't send the API version, it is
assumed
it's at a version before capabilities were introduced (i.e. 2.47).
The client still gets a warning if the version is missing. Except
for
those
commands where IPA didn't send a version -- ping, cert-show, etc. --
the
warning wouldn't pass validation on old clients. (I'm assuming that
our client
is so far the only one that validates so strictly.)
I did a basic test of this patch and also quickly read through the
patches and
besides nitpicks (like unused inspect module in
tests/test_ipalib/test_messages.py in patch 0105) I did not find any
obvious
errors in the Python code.
Noted, will fix in future versions of the patch.
However, this patch breaks WebUI badly, I did not even get to a
log in
screen.
Cooperation with Petr Vobornik will be needed. In my case, I got
blank
screen
and Javascript error:
TypeError: IPA.messages.dialogs is undefined
https://vm-037.idm.lab.bos.redhat.com/ipa/ui/ipa.js
Line 1460
I assume this is related to the Internal Error that was returned in
the JSON call
{
error: null,
id: null,
principal: ad...@idm.lab.bos.redhat.com,
result: {
count: 5,
results: [
{
error: an internal error has occurred,
error_code: 903,
error_name: InternalError
},
{
...
This can be reproduced with:
# curl -v -H Content-Type:application/json -H
referer:https://`hostname`/ipa; -H Accept:applicaton/json
--negotiate -u :
--cacert /etc/ipa/ca.crt -d
'{method:i18n_messages,params:[[],{}],id:0}' -X POST
https://`hostname`/ipa/json
Good catch! The i18n_messages plugin already defines a messages
output. When I renamed this from warnings to messages I forgot to
check for clashes.
Since i18n_messages is an internal command only used by the Web UI, we
can rename its output to texts without breaking compatibility.
I'm attaching a preliminary fix (for both backend and UI), but
hopefully
it won't be necessary, see below.
I am also not sure I like the requirement of a specific version
option
to be
always passed. I would prefer that missing version option would mean
I use the
most recent version of API instead - it would make the custom
JSONRPC/XMLRPC
calls easier to use.
But since the version option was not being sent for some commands, we
may not
have a choice anyway if we do not want to break old clients in
case we
add some
capabilities to these commands.
I see three other options, all worse:
- Do not use capabilities for the affected commands, meaning no new
functionality can be added to them (and by extension, no new
functionality common to all commands can be added).
- Treat a missing version as the current version
- Break backwards compatibility
And one possibly better (thanks to Petr¹ and Martin for opening my
eyes
off-list!):
- Deprecate XML-RPC. All XML-RPC requests would be pinned to current
version (2.47). Capabilities/messages would only apply to JSON-RPC.
This would also allow us to solve the above name-clashing problem
elegantly. Here is a reminder of what a JSON response looks like:
{
error: null,
id: 0,
principal: ad...@idm.lab.bos.redhat.com,
result: {
summary: IPA server version 3.1.0GIT2e4bd02. API version
2.47
},
version: 3.1.0GIT2e4bd02
}
A XML-RPC response only contains the result part of that.
So with JSON, we can put the messages in the top level, which is much
better design.
Custom info in the top level seems to be a violation of the JSON-RPC
spec. I'd rather not do more of those, so I'm withdrawing this idea.
XML-RPC sucks in other ways too. We already have a workaround for its
inability to attach extra info to errors (commit
88262a75ffe7a25640333dcc4da2100830cae821, Add instructions support to
PublicError).
I've opened a RFC here: https://fedorahosted.org/freeipa/ticket/3299.
+1, XML-RPC sucks. This should have been done a long time ago.
Honza
Here are new patches.
XML-RPC requests with missing version are assumed to be old (the version
before capabilities are introduced, 2.47). This
Re: [Freeipa-devel] [PATCH] 256-258 Web UI: removed build dependency errors
On 02/19/2013 04:12 AM, Endi Sukma Dewata wrote: ACK. Pushed to master, ipa-3-1 -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 372 Use fixed test domain in realmdomains test
Fixes test unit broken on some systems. Pushed as a one-liner.
Martin
From c0c07f1f6afc6ddc497545474ec2144f69382a30 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Thu, 21 Feb 2013 13:40:20 +0100
Subject: [PATCH] Use fixed test domain in realmdomains test
Random domain name may bring undererministic behavior. It also breaks
the test on some systems as string.lowercase is locale dependent and
can return non-ASCII letters and thus later break the unicode encoding
and raise UnicodeDecodeError.
Use a fixed domain in test TLD instead. This domain is guaranteed to
be not existent.
---
tests/test_xmlrpc/test_realmdomains_plugin.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/test_xmlrpc/test_realmdomains_plugin.py b/tests/test_xmlrpc/test_realmdomains_plugin.py
index 11231638251abd793596f054787c500bdce80b9e..539643b0dab7b8fd25a177d3d17f45f4ab63b748 100644
--- a/tests/test_xmlrpc/test_realmdomains_plugin.py
+++ b/tests/test_xmlrpc/test_realmdomains_plugin.py
@@ -32,7 +32,7 @@ dn = DN(('cn', cn), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
our_domain = api.env.domain
new_domain_1 = u'example1.com'
new_domain_2 = u'example2.com'
-bad_domain = u'this-domain-does-not-exist-%s.com' % ''.join(random.choice(string.lowercase) for x in range(10))
+bad_domain = u'doesnotexist.test'
class test_realmdomains(Declarative):
--
1.8.1.2
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES 0024-0025] Improvements to idrange.py
On 02/20/2013 03:19 PM, Tomas Babej wrote:
On Wed 20 Feb 2013 02:24:03 PM CET, Alexander Bokovoy wrote:
On Wed, 20 Feb 2013, Tomas Babej wrote:
On 12/21/2012 12:15 PM, Tomas Babej wrote:
Hi,
Sending updated and rebased versions of patches 0024 and 0025.
Tomas
Sending rebased version, these got quite rotten.
Thanks for updating them.
@@ -504,25 +515,37 @@ class idrange_mod(LDAPUpdate):
'not be found. Please specify the SID
directly '
'using dom-sid option.'))
-try:
-(old_dn, old_attrs) = ldap.get_entry(dn,
-['ipabaseid',
-'ipaidrangesize',
-'ipabaserid',
-'ipasecondarybaserid'])
-except errors.NotFound:
-self.obj.handle_not_found(*keys)
+if in_updated_attrs('ipanttrusteddomainsid'):
+if in_updated_attrs('ipasecondarybaserid'):
+raise errors.ValidationError(name='ID Range setup',
+error=_('Options dom_sid and secondary_rid_base
cannot '
+'be used together'))
Since we agreed to refer to options by their CLI name (--dom-sid and
--secondary-rid-base) in the other patch, it makes sense to use it
here too.
-if is_set('ipanttrusteddomainsid'):
-# Validate SID as the one of trusted domains
-
self.obj.validate_trusted_domain_sid(entry_attrs['ipanttrusteddomainsid'])
+if not in_updated_attrs('ipabaserid'):
+raise errors.ValidationError(name='ID Range setup',
+error=_('Options dom_sid and rid_base must '
+'be used together'))
Same here.
+# secondary base rid must be set if and only if base rid
is set
+if in_updated_attrs('ipasecondarybaserid') !=\
+in_updated_attrs('ipabaserid'):
+raise errors.ValidationError(name='ID Range setup',
+error=_('Options secondary_rid_base and rid_base
must '
+'be used together'))
Same here.
+dict(
+desc='Try to modify ID range %r so it has only primary
rid range set' % (testrange8),
+command=('idrange_mod', [testrange8],
+ dict(ipabaserid=testrange8_base_rid)),
+expected=errors.ValidationError(
+name='ID Range setup', error='Options
secondary_rid_base and rid_base must be used together'),
+),
And synchronize error message here too.
Thanks!
Sending the updated patch 0024.
Tomas
In patch 0024 your intention is OK, but the checking functions are not:
is_set = lambda x: (x in entry_attrs) and (x is not None)
+in_updated_attrs = lambda x: any((x in attrs and x is not None)
+ for attrs in (entry_attrs, old_attrs))
They return True even when the attribute is None because they check if *x* is
None and not if *attrs[x]* is None. Example:
# ipa idrange-add --base-id=120 --range-size=20 --rid-base=1000
--secondary-rid-base=100 local_range
Added ID range local_range
Range name: local_range
First Posix ID of the range: 120
Number of IDs in the range: 20
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100
Range type: local domain range
This command should be NOOP, but is not:
# ipa idrange-mod local_range --dom-sid=
ipa: ERROR: invalid 'ID Range setup': Options dom-sid and secondary-rid-base
cannot be used together
Martin
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] patch for trac 2575
Thanks Brian. I still see few issues though:
1) The patch adds a whitespace error:
$ git apply ~/freeipa-bcook-0001-Add-DNS-Setup-Prompt-to-Install.patch
/home/mkosek/freeipa-bcook-0001-Add-DNS-Setup-Prompt-to-Install.patch:41:
trailing whitespace.
warning: 1 line adds whitespace errors
2) It does unrelated and unnecessary changes to the main function:
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -560,10 +560,16 @@ def set_subject_in_config(realm_name, dm_password,
suffix, subject_base):
conn.disconnect()
def main():
+
+
+
+:return:
+
global ds
global pw_name
global uninstalling
global installation_cleanup
+
ds = None
safe_options, options = parse_options()
3) In the question, I would replace bind with BIND as this is how the
project should be spelled. I see that few lines above we also refer to BIND
with bind (it may have caused the confusion), I think this can be fixed too.
Martin
On 02/15/2013 03:07 AM, Brian Cook wrote:
Thanks Martin and Dmitri. I have attached a patch that I -think- is formatted
correctly... I removed the new variable and added check for --unattended.
Thanks,
Brian
---
*From: *Martin Kosek mko...@redhat.com
*To: *d...@redhat.com
*Cc: *freeipa-devel@redhat.com
*Sent: *Wednesday, February 13, 2013 11:16:51 PM
*Subject: *Re: [Freeipa-devel] patch for trac 2575
On 02/14/2013 03:49 AM, Dmitri Pal wrote:
On 02/13/2013 05:20 PM, Brian Cook wrote:
Please disregard the first patch as it still asked the user if they want to
install DNS even if --setup-dns was passed, this one is fixed.
Brian
Brian,
Thanks for the patch.
Can you please format it following these guidelines:
https://fedorahosted.org/freeipa/wiki/PatchFormat
Thanks
Dmitri
Hello Brian,
Thanks for the patch! Also few technical notes:
1) There is no need to invent the new variable, you can ask and set
options.setup_dns to True. We already to this in other parts incode
2) This patch would --unattended mode when no --setup-dns is passed
Martin
diff --git a/install/tools/ipa-server-install
b/install/tools/ipa-server-install
index 1559107..96ef802 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -564,6 +564,7 @@ def main():
global pw_name
global uninstalling
global installation_cleanup
+
ds = None
safe_options, options = parse_options()
@@ -740,8 +741,18 @@ def main():
admin_password =
reverse_zone = None
-# check bind packages are installed
+# Setup a variable to use instead of options.setup_dns to enable
interactive DNS selection
+setup_dns=False
if options.setup_dns:
+setup_dns=True
+else:
+# Ask user if they want to install DNS
+if ipautil.user_input(Do you want to configure integrated DNS
(bind)?, False):
+setup_dns=True
+
+
+# check bind packages are installed
+if setup_dns:
if not bindinstance.check_inst(options.unattended):
sys.exit(Aborting installation)
@@ -827,7 +838,7 @@ def main():
else:
admin_password = options.admin_password
-if options.setup_dns:
+if setup_dns:
if options.no_forwarders:
dns_forwarders = ()
elif options.forwarders:
@@ -858,7 +869,7 @@ def main():
print Realm name:%s % realm_name
print
-if options.setup_dns:
+if setup_dns:
print BIND DNS server will be configured to serve IPA domain
with:
print Forwarders:%s % (No forwarders if not dns_forwarders
\
else , .join([str(ip) for ip in dns_forwarders]))
@@ -1102,7 +1113,7 @@ def main():
persistent_search=options.persistent_search,
serial_autoincrement=options.serial_autoincrement,
ca_configured=not options.selfsign)
-if options.setup_dns:
+if setup_dns:
api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
bind_pw=dm_password)
bind.create_instance()
@@ -1147,11 +1158,11 @@ def main():
print \t\t * 80, 443: HTTP/HTTPS
print \t\t * 389, 636: LDAP/LDAPS
print \t\t * 88, 464: kerberos
-if options.setup_dns:
+if setup_dns:
print \t\t * 53: bind
print \t\tUDP Ports:
print \t\t * 88, 464: kerberos
-if options.setup_dns:
+if setup_dns:
print \t\t * 53: bind
if options.conf_ntp:
print \t\t * 123: ntp
Message: 8
Date: Wed, 13 Feb 2013 13:39:32 -0800
From: Brian Cook bc...@redhat.com
To: freeipa-devel@redhat.com freeipa-devel@redhat.com
Subject: [Freeipa-devel] patch for trac 2575
Message-ID: 9dd1d1bb-6b86-4ea1-b61b-b208e6bc7...@redhat.com
Content-Type: text/plain; charset=windows-1252
This is a patch
Re: [Freeipa-devel] [PATCH 0035] Use default.conf as flag of IPA client being installed
On 02/21/2013 01:50 PM, Martin Kosek wrote:
On 02/21/2013 01:29 PM, Tomas Babej wrote:
On 02/21/2013 12:47 PM, Martin Kosek wrote:
On 02/20/2013 10:31 AM, Tomas Babej wrote:
Hi,
When installing / uninstalling IPA client, the checks that
determine whether IPA client is installed now take the existence
of /etc/ipa/default.conf into consideration.
The client will not uninstall unless either something is backed
up or /etc/ipa/default.conf file does exist.
The client will not install if something is backed up or
default.conf file does exist (unless it's installation on master).
https://fedorahosted.org/freeipa/ticket/3331
Tomas
Can we create a function testing if ipa client is installed to avoid
duplication of the decision logic? Something like is_ipa_configured present in
ipaserver/install/installutils.py.
Keep in mind that we cannot use ipaserver package as it may not be present on
client.
Martin
Moved to is_ipa_client_installed function to ipautils.py
Updated patch attached.
Tomas
You just created a nice import loop:
...
I made the function part of ipa-client-install script then.
We probably will not need to check whether client is installed anywhere
else.
Tomas
From 9351410b0dc3958a7dcd67ef404568f839f22bfe Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Tue, 19 Feb 2013 17:59:50 +0100
Subject: [PATCH] Use default.conf as flag of IPA client being installed
When installing / uninstalling IPA client, the checks that
determine whether IPA client is installed now take the existence
of /etc/ipa/default.conf into consideration.
The client will not uninstall unless either something is backed
up or /etc/ipa/default.conf file does exist.
The client will not install if something is backed up or
default.conf file does exist (unless it's installation on master).
https://fedorahosted.org/freeipa/ticket/3331
---
ipa-client/ipa-install/ipa-client-install | 21 ++---
1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 2d32e28ece72c1058152787058c83ae5b06df64c..308c3f8d0ec39e1e7f048d37a34738bf6a4853e2 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -36,7 +36,9 @@ try:
from ipaclient.ipadiscovery import CACERT
import ipaclient.ipachangeconf
import ipaclient.ntpconf
-from ipapython.ipautil import run, user_input, CalledProcessError, file_exists, realm_to_suffix, convert_ldap_error
+from ipapython.ipautil import run, user_input, CalledProcessError,\
+ file_exists, realm_to_suffix,\
+ convert_ldap_error
import ipapython.services as ipaservices
from ipapython import ipautil
from ipapython import sysrestore
@@ -281,9 +283,22 @@ def delete_ipa_domain():
root_logger.warning(IPA domain could not be deleted.
No access to the /etc/sssd/sssd.conf file.)
+def is_ipa_client_installed(on_master=False):
+
+Consider IPA client not installed if nothing is backed up
+and default.conf file does not exist. If on_master is set to True,
+the existence of default.conf file is not taken into consideration,
+since it has been already created by ipa-server-install.
+
+
+installed = fstore.has_files() or \
+ (not on_master and os.path.exists('/etc/ipa/default.conf'))
+
+return installed
+
def uninstall(options, env):
-if not fstore.has_files():
+if not is_ipa_client_installed():
root_logger.error(IPA client is not configured on this system.)
return CLIENT_NOT_CONFIGURED
@@ -2326,7 +2341,7 @@ def main():
if options.uninstall:
return uninstall(options, env)
-if fstore.has_files():
+if is_ipa_client_installed(on_master=options.on_master):
root_logger.error(IPA client is already configured on this system.)
root_logger.info(
If you want to reinstall the IPA client, uninstall it first +
--
1.7.11.7
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0115] Add support for DNAME substitution
On 21.2.2013 16:21, Petr Spacek wrote:
Hello,
Add support for DNAME substitution.
https://fedorahosted.org/bind-dyndb-ldap/ticket/63
And now the patch :-)
--
Petr^2 Spacek
From dc1215e8a82d3993f69436b4de9ff91ea16f4369 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Thu, 21 Feb 2013 13:34:52 +0100
Subject: [PATCH] Add support for DNAME substitution.
https://fedorahosted.org/bind-dyndb-ldap/ticket/63
Signed-off-by: Petr Spacek pspa...@redhat.com
---
src/ldap_driver.c | 22 +++---
1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/src/ldap_driver.c b/src/ldap_driver.c
index cde09ee8aa3c9332f3766a031030a95b0cff3229..9cae66b3950323221d3319649fc7b86ef25a5d68 100644
--- a/src/ldap_driver.c
+++ b/src/ldap_driver.c
@@ -457,7 +457,6 @@ cleanup:
return result;
}
-/* XXX add support for DNAME redirection */
static isc_result_t
find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
@@ -469,6 +468,7 @@ find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
ldapdb_node_t *node = NULL;
dns_rdatalist_t *rdlist = NULL;
isc_boolean_t is_cname = ISC_FALSE;
+ isc_boolean_t is_dname = ISC_FALSE;
isc_boolean_t is_delegation = ISC_FALSE;
ldapdb_rdatalist_t rdatalist;
unsigned int labels, qlabels;
@@ -515,7 +515,20 @@ find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
continue;
}
- /* TODO: We should check for DNAME records right here */
+ /* RFC 6672 section 2.3.:
+ Unlike a CNAME RR, a DNAME RR redirects DNS names
+ subordinate to its owner name; the owner name of a DNAME
+ is not redirected itself. */
+ if (qlabels dns_name_countlabels(traversename)) {
+ rdlist = NULL;
+ result = ldapdb_rdatalist_findrdatatype(rdatalist,
+dns_rdatatype_dname,
+rdlist);
+ if (result == ISC_R_SUCCESS) {
+is_dname = ISC_TRUE;
+goto skipfind;
+ }
+ }
/*
* Check if there is at least one NS RR. If yes and this is not NS
@@ -527,6 +540,7 @@ find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
if (dns_name_countlabels(db-origin)
dns_name_countlabels(traversename)
(options DNS_DBFIND_GLUEOK) == 0) {
+ rdlist = NULL;
result = ldapdb_rdatalist_findrdatatype(rdatalist,
dns_rdatatype_ns,
rdlist);
@@ -582,7 +596,7 @@ found:
skipfind:
CHECK(dns_name_copy(traversename, foundname, NULL));
- if (rdataset != NULL type != dns_rdatatype_any) {
+ if (rdataset != NULL (type != dns_rdatatype_any || is_dname)) {
/* dns_rdatalist_tordataset returns success only */
CHECK(clone_rdatalist_to_rdataset(ldapdb-common.mctx, rdlist,
rdataset));
@@ -600,6 +614,8 @@ skipfind:
return DNS_R_DELEGATION;
else if (is_cname)
return DNS_R_CNAME;
+ else if (is_dname)
+ return DNS_R_DNAME;
else
return ISC_R_SUCCESS;
--
1.7.11.7
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH 0115] Add support for DNAME substitution
Hello, Add support for DNAME substitution. https://fedorahosted.org/bind-dyndb-ldap/ticket/63 -- Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 0104-0106 Provide means of displaying warning and informational messages on clients
On 02/21/2013 03:09 PM, Petr Viktorin wrote:
On 02/21/2013 02:06 PM, Martin Kosek wrote:
On 02/21/2013 12:50 PM, Petr Viktorin wrote:
On 02/20/2013 05:17 PM, Martin Kosek wrote:
On 02/19/2013 12:15 PM, Petr Viktorin wrote:
On 02/13/2013 11:18 AM, Petr Viktorin wrote:
On 01/29/2013 05:06 PM, Petr Viktorin wrote:
On 01/04/2013 07:20 PM, Petr Viktorin wrote:
On 12/14/2012 09:04 AM, Jan Cholasta wrote:
On 13.12.2012 18:09, Petr Viktorin wrote:
On 12/13/2012 04:43 PM, Martin Kosek wrote:
On 12/13/2012 10:59 AM, Petr Viktorin wrote:
It's time to give this to another set of eyes :)
Design document: http://freeipa.org/page/V3/Messages
Ticket: https://fedorahosted.org/freeipa/ticket/2732
More info is in commit messages.
Because of https://fedorahosted.org/freeipa/ticket/3294, I needed
to
change the
design document: when the client doesn't send the API version, it
is
assumed
it's at a version before capabilities were introduced (i.e. 2.47).
The client still gets a warning if the version is missing. Except
for
those
commands where IPA didn't send a version -- ping, cert-show, etc.
--
the
warning wouldn't pass validation on old clients. (I'm assuming that
our client
is so far the only one that validates so strictly.)
I did a basic test of this patch and also quickly read through the
patches and
besides nitpicks (like unused inspect module in
tests/test_ipalib/test_messages.py in patch 0105) I did not find any
obvious
errors in the Python code.
Noted, will fix in future versions of the patch.
However, this patch breaks WebUI badly, I did not even get to a
log in
screen.
Cooperation with Petr Vobornik will be needed. In my case, I got
blank
screen
and Javascript error:
TypeError: IPA.messages.dialogs is undefined
https://vm-037.idm.lab.bos.redhat.com/ipa/ui/ipa.js
Line 1460
I assume this is related to the Internal Error that was returned in
the JSON call
{
error: null,
id: null,
principal: ad...@idm.lab.bos.redhat.com,
result: {
count: 5,
results: [
{
error: an internal error has occurred,
error_code: 903,
error_name: InternalError
},
{
...
This can be reproduced with:
# curl -v -H Content-Type:application/json -H
referer:https://`hostname`/ipa; -H Accept:applicaton/json
--negotiate -u :
--cacert /etc/ipa/ca.crt -d
'{method:i18n_messages,params:[[],{}],id:0}' -X POST
https://`hostname`/ipa/json
Good catch! The i18n_messages plugin already defines a messages
output. When I renamed this from warnings to messages I forgot to
check for clashes.
Since i18n_messages is an internal command only used by the Web UI,
we
can rename its output to texts without breaking compatibility.
I'm attaching a preliminary fix (for both backend and UI), but
hopefully
it won't be necessary, see below.
I am also not sure I like the requirement of a specific version
option
to be
always passed. I would prefer that missing version option would mean
I use the
most recent version of API instead - it would make the custom
JSONRPC/XMLRPC
calls easier to use.
But since the version option was not being sent for some commands,
we
may not
have a choice anyway if we do not want to break old clients in
case we
add some
capabilities to these commands.
I see three other options, all worse:
- Do not use capabilities for the affected commands, meaning no new
functionality can be added to them (and by extension, no new
functionality common to all commands can be added).
- Treat a missing version as the current version
- Break backwards compatibility
And one possibly better (thanks to Petr¹ and Martin for opening my
eyes
off-list!):
- Deprecate XML-RPC. All XML-RPC requests would be pinned to current
version (2.47). Capabilities/messages would only apply to JSON-RPC.
This would also allow us to solve the above name-clashing problem
elegantly. Here is a reminder of what a JSON response looks like:
{
error: null,
id: 0,
principal: ad...@idm.lab.bos.redhat.com,
result: {
summary: IPA server version 3.1.0GIT2e4bd02. API
version
2.47
},
version: 3.1.0GIT2e4bd02
}
A XML-RPC response only contains the result part of that.
So with JSON, we can put the messages in the top level, which is much
better design.
Custom info in the top level seems to be a violation of the JSON-RPC
spec. I'd rather not do more of those, so I'm withdrawing this idea.
XML-RPC sucks in other ways too. We already have a workaround for its
inability to attach extra info to errors (commit
88262a75ffe7a25640333dcc4da2100830cae821, Add instructions support to
PublicError).
I've opened a RFC here: https://fedorahosted.org/freeipa/ticket/3299.
+1, XML-RPC sucks. This should have been done a long time ago.
Honza
Here are new patches.
[Freeipa-devel] [PATCHES] 0183-0185 Drop CSV support
These patches remove CSV parsing from the client.
Ticket: https://fedorahosted.org/freeipa/ticket/3352
Design: http://freeipa.org/page/V3/Drop_CSV
The design page also talks about adding a warning for the user when they
seem to use CSV, but this will need the JSON transport so it's not
included in these patches.
The csv flag is left on parameters so when that warning is added, we
know for which params to show it.
--
Petr³
From ff0945e5246b06f3ea9a3be2c3b38ab098e42fae Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Thu, 14 Feb 2013 11:34:16 -0500
Subject: [PATCH] Remove csv_separator and csv_skipspace Param arguments
These were never set to anything but the defaults.
Part of work for https://fedorahosted.org/freeipa/ticket/3352
---
ipalib/parameters.py | 14 +++---
make-lint|2 +-
tests/test_ipalib/test_parameters.py | 31 ---
3 files changed, 4 insertions(+), 43 deletions(-)
diff --git a/ipalib/parameters.py b/ipalib/parameters.py
index 2e26923ddc1bd14fbb04b0a4f28d79368f37552a..9fed0fd5dc29b5a86cc681e07ba4e1dfc1311a86 100644
--- a/ipalib/parameters.py
+++ b/ipalib/parameters.py
@@ -356,10 +356,6 @@ class Param(ReadOnly):
- sortorder: used to sort a list of parameters for Command. See
`Command.finalize()` for further information
- csv: this multivalue attribute is given in CSV format
- - csv_separator: character that separates values in CSV (comma by
-default)
- - csv_skipspace: if true, leading whitespace will be ignored in
-individual CSV values
# This is a dummy type so that most of the functionality of Param can be
@@ -393,8 +389,6 @@ class Param(ReadOnly):
('alwaysask', bool, False),
('sortorder', int, 2), # see finalize()
('csv', bool, False),
-('csv_separator', str, ','),
-('csv_skipspace', bool, True),
('option_group', unicode, None),
# The 'default' kwarg gets appended in Param.__init__():
@@ -690,9 +684,8 @@ class Param(ReadOnly):
def __unicode_csv_reader(self, unicode_csv_data, dialect=csv.excel, **kwargs):
# csv.py doesn't do Unicode; encode temporarily as UTF-8:
csv_reader = csv.reader(self.__utf_8_encoder(unicode_csv_data),
-dialect=dialect,
-delimiter=self.csv_separator, quotechar='',
-skipinitialspace=self.csv_skipspace,
+dialect=dialect, delimiter=',', quotechar='',
+skipinitialspace=True,
**kwargs)
try:
for row in csv_reader:
@@ -967,8 +960,7 @@ class Param(ReadOnly):
json_exclude_attrs = (
'alwaysask', 'autofill', 'cli_name', 'cli_short_name', 'csv',
-'csv_separator', 'csv_skipspace', 'sortorder', 'falsehoods', 'truths',
-'version',
+'sortorder', 'falsehoods', 'truths', 'version',
)
def __json__(self):
diff --git a/make-lint b/make-lint
index 1b274b17376765c87e13e27e4c682be6445a36c8..7c5ec924508a9bf410a41d6a039bda616511d981 100755
--- a/make-lint
+++ b/make-lint
@@ -67,7 +67,7 @@ class IPATypeChecker(TypeChecker):
'default', 'doc', 'required', 'multivalue', 'primary_key',
'normalizer', 'default_from', 'autofill', 'query', 'attribute',
'include', 'exclude', 'flags', 'hint', 'alwaysask', 'sortorder',
-'csv', 'csv_separator', 'csv_skipspace', 'option_group'],
+'csv', 'option_group'],
'ipalib.parameters.Bool': ['truths', 'falsehoods'],
'ipalib.parameters.Data': ['minlength', 'maxlength', 'length',
'pattern', 'pattern_errmsg'],
diff --git a/tests/test_ipalib/test_parameters.py b/tests/test_ipalib/test_parameters.py
index 12270a94f391e4ce410d8b08e70a6e0948f18c3f..47c5de1fccec1915d4c3d61db3bcd4ecec3505d2 100644
--- a/tests/test_ipalib/test_parameters.py
+++ b/tests/test_ipalib/test_parameters.py
@@ -203,8 +203,6 @@ class test_Param(ClassChecker):
assert o.flags == frozenset()
assert o.sortorder == 2
assert o.csv is False
-assert o.csv_separator == ','
-assert o.csv_skipspace is True
# Test that doc defaults from label:
o = self.cls('my_param', doc=_('Hello world'))
@@ -635,35 +633,6 @@ class test_Param(ClassChecker):
assert e.name == 'my_list'
assert e.error == u'Improperly formatted CSV value (newline inside string)'
-def test_split_csv_separator(self):
-
-Test the `ipalib.parameters.Param.split_csv` method with csv and a separator.
-
-o = self.cls('my_list+', csv=True, csv_separator='|')
-
-n = o.split_csv('a')
-assert type(n) is tuple
-assert len(n) is 1
-
-n = o.split_csv('a|b')
-assert type(n) is tuple
-
