Re: [Freeipa-devel] [PATCH] 0189 Remove option to use custom SSL certificates from ipa-server-install
On 03/05/2013 11:32 AM, Jan Cholasta wrote:
Hi,
On 26.2.2013 15:50, Petr Viktorin wrote:
This removes the --{dirsrv,http,pkinit}-{pkcs12,pin} options. https://fedorahosted.org/freeipa/ticket/3151

The same options are in ipa-replica-prepare. I think we should leave those be, so people with existing servers with custom certs can install replicas. Should we keep them visible, or should we make them hidden and remove them from documentation?

Honza

They have their own section in --help, with an explanation:

SSL certificate options: Only used if the server was installed using custom SSL certificates

I think that's enough.

-- 
Petr³

___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 376-377 Use tkey-gssapi-keytab in named.conf
Remove obsolete BIND GSSAPI configuration options tkey-gssapi-credential and tkey-domain and replace them with tkey-gssapi-keytab which avoids unnecessary Kerberos checks on BIND startup and can cause issues when KDC is not available. Both new and current IPA installations are updated. https://fedorahosted.org/freeipa/ticket/3429 From 323856232e40f9678a599a5392eb4826aca8954d Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Tue, 5 Mar 2013 12:02:58 +0100 Subject: [PATCH 1/2] Update named.conf parser Refactor the named.conf parsing and editing functions in bindinstance so that both dynamic-db and options sections of named.conf can be read and updated https://fedorahosted.org/freeipa/ticket/3429 --- ipaserver/install/bindinstance.py | 60 --- 1 file changed, 43 insertions(+), 17 deletions(-) diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index dff661dd600dfd7933d8094326209fb55884fd5b..057b73f88ba1984a9a82da0bf0fc63dbcf7d1cc9 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -43,8 +43,12 @@ from ipalib.util import (validate_zonemgr, normalize_zonemgr, NAMED_CONF = '/etc/named.conf' RESOLV_CONF = '/etc/resolv.conf' +named_conf_ipa_start = 'dynamic-db ipa' +named_conf_options_start = 'options {' named_conf_ipa_re = re.compile(r'(?Pindent\s*)arg\s+(?Pname\S+)\s(?Pvalue[^]+);') +named_conf_options_re = re.compile(r'(?Pindent\s*)(?Pname\S+)\s+(?Pvalue[^]+)\s*;') named_conf_ipa_template = %(indent)sarg \%(name)s %(value)s\;\n +named_conf_options_template = %(indent)s%(name)s \%(value)s\;\n def check_inst(unattended): has_bind = True 
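Review bot: in the regex/template hunk, `named_conf_options_re` accepts a directive only when its value is written in double quotes (the form `named_conf_options_template` emits), so `named_conf_get_directive(name, NAMED_SECTION_OPTIONS)` returns None for an unquoted `options` directive such as `recursion yes;` even though it is present. That is enough for `tkey-gssapi-keytab`, whose value is a quoted path, but a comment beside the regex should say the helper handles quoted values only, since nothing in its name suggests that limit.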
@@ -86,26 +90,36 @@ def named_conf_exists(): return True return False -def named_conf_get_directive(name): +NAMED_SECTION_OPTIONS = options +NAMED_SECTION_IPA = ipa +def named_conf_get_directive(name, section=NAMED_SECTION_IPA): Get a configuration option in bind-dyndb-ldap section of named.conf +if section == NAMED_SECTION_IPA: +named_conf_start = named_conf_ipa_start +named_conf_re = named_conf_ipa_re +elif section == NAMED_SECTION_OPTIONS: +named_conf_start = named_conf_options_start +named_conf_re = named_conf_options_re +else: +raise NotImplementedError('Section %s is not supported' % section) with open(NAMED_CONF, 'r') as f: -ipa_section = False +target_section = False for line in f: -if line.startswith('dynamic-db ipa'): -ipa_section = True +if line.startswith(named_conf_start): +target_section = True continue if line.startswith('};'): -if ipa_section: +if target_section: break -if ipa_section: -match = named_conf_ipa_re.match(line) +if target_section: +match = named_conf_re.match(line) if match and name == match.group('name'): return match.group('value') -def named_conf_set_directive(name, value): +def named_conf_set_directive(name, value, section=NAMED_SECTION_IPA): Set configuration option in bind-dyndb-ldap section of named.conf. 
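Review bot: the docstring of `named_conf_get_directive` still reads "Get a configuration option in bind-dyndb-ldap section of named.conf" although the function now takes `section` and can read the `options` block; update it and mention the NotImplementedError raised for any other section. Also, the end-of-section test `if line.startswith('};')` stops at the first line that begins with `};`, and inside `options {` that can be the closing line of a nested block (a multi-line `listen-on { ... };`, for instance), after which any later directive in the section is never seen; either state that nested blocks are assumed to be single-line or count braces.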
@@ -117,25 +131,37 @@ def named_conf_set_directive(name, value): new_lines = [] +if section == NAMED_SECTION_IPA: +named_conf_start = named_conf_ipa_start +named_conf_re = named_conf_ipa_re +named_conf_template = named_conf_ipa_template +elif section == NAMED_SECTION_OPTIONS: +named_conf_start = named_conf_options_start +named_conf_re = named_conf_options_re +named_conf_template = named_conf_options_template +else: +raise NotImplementedError('Section %s is not supported' % section) + with open(NAMED_CONF, 'r') as f: -ipa_section = False +target_section = False matched = False last_indent = \t for line in f: -if line.startswith('dynamic-db ipa'): -ipa_section = True +if line.startswith(named_conf_start): +target_section = True if line.startswith('};'): -if ipa_section and not matched: +if target_section and not matched and \ +value is not None: # create a new conf -new_conf = named_conf_ipa_template \ +new_conf = named_conf_template \ % dict(indent=last_indent, name=name, value=value) new_lines.append(new_conf) -ipa_section = False +target_section = False -if ipa_section and not matched: -match = named_conf_ipa_re.match(line) +if target_section and
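Review bot: in the `named_conf_set_directive` hunk the new `value is not None` guard gives None the meaning "do not create the directive" (the rest of the hunk is cut off in the mail), but the docstring, still "Set configuration option in bind-dyndb-ldap section of named.conf", says neither that nor that `section` exists; document both. Separately, if no line starts with `named_conf_start` (an `options` block written as `options{`, or absent), `target_section` never becomes True and the file is rewritten unchanged with no error, so the upgrade of existing installations that the commit message promises would silently leave `tkey-gssapi-keytab` unset; log or raise when the section is not found.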
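As an added example (not code from the FreeIPA patch above), the following Python module shows the named.conf handling the patch is after, with the two points a reviewer would want covered: the section scanner counts braces so a nested block inside `options { }` does not end the scan early, and a missing section raises instead of silently writing the file back unchanged. The sample configuration, the `/etc/named.keytab` path and the helper names are constructed for the example.

```python
import re

# Constructed named.conf fragment for the example (not from a real install).
# The listen-on block closes on its own line on purpose: a scanner that ends
# a section at the first line starting with "};" would stop there and never
# see the tkey-* directives that follow it.
SAMPLE_NAMED_CONF = """\
options {
\tlisten-on port 53 {
\t\tany;
\t};
\tdirectory "/var/named";
\ttkey-gssapi-credential "DNS/ipa.example.test@EXAMPLE.TEST";
\ttkey-domain "EXAMPLE.TEST";
};

dynamic-db "ipa" {
\targ "library ldap.so";
\targ "uri ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket";
};
"""

# One 'name value;' directive; the value may or may not be quoted.
DIRECTIVE_RE = re.compile(
    r'^(?P<indent>\s*)(?P<name>[\w-]+)\s+"?(?P<value>[^";]+?)"?\s*;\s*$')


def _section_span(lines, header):
    """Return (first, end): index of the first body line of the block whose
    opening line starts with `header`, and index of its closing line.
    Returns None when the block is absent. Braces are counted so a nested
    block that closes on its own line does not end the scan early."""
    depth = 0
    first = None
    for i, line in enumerate(lines):
        if first is None:
            if line.lstrip().startswith(header):
                first = i + 1
                depth = line.count('{') - line.count('}')
            continue
        depth += line.count('{') - line.count('}')
        if depth <= 0:
            return first, i
    return None


def get_directive(conf, section_header, name):
    """Value of directive `name` inside the section, or None."""
    lines = conf.splitlines()
    span = _section_span(lines, section_header)
    if span is None:
        return None
    first, end = span
    for line in lines[first:end]:
        m = DIRECTIVE_RE.match(line)
        if m and m.group('name') == name:
            return m.group('value')
    return None


def set_directive(conf, section_header, name, value):
    """Set `name` to `value` in the section; value=None removes it.
    A missing section is an error, not a silent no-op."""
    lines = conf.splitlines()
    span = _section_span(lines, section_header)
    if span is None:
        raise ValueError('section %r not found in named.conf' % section_header)
    first, end = span
    out = lines[:first]
    matched = False
    indent = '\t'
    for line in lines[first:end]:
        m = DIRECTIVE_RE.match(line)
        if m and m.group('name') == name:
            matched = True
            if value is not None:
                out.append('%s%s "%s";' % (m.group('indent'), name, value))
            continue
        if m:
            indent = m.group('indent')  # reuse the section's indentation
        out.append(line)
    if not matched and value is not None:
        out.append('%s%s "%s";' % (indent, name, value))
    out.extend(lines[end:])
    return '\n'.join(out) + '\n'


def migrate_tkey_to_keytab(conf, keytab='/etc/named.keytab'):
    """The change from the thread: drop tkey-gssapi-credential and
    tkey-domain, point BIND at its keytab with tkey-gssapi-keytab."""
    conf = set_directive(conf, 'options {', 'tkey-gssapi-credential', None)
    conf = set_directive(conf, 'options {', 'tkey-domain', None)
    return set_directive(conf, 'options {', 'tkey-gssapi-keytab', keytab)


if __name__ == '__main__':
    print(migrate_tkey_to_keytab(SAMPLE_NAMED_CONF))
```

Running the module prints the migrated configuration; the `dynamic-db "ipa"` block is untouched because the scanner only edits the body of the block whose header it was asked for.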
[Freeipa-devel] [PATCH 0038] Perform secondary rid range overlap check for local ranges
Hi, Any of the following checks: - overlap between primary RID range and secondary RID range - overlap between secondary RID range and secondary RID range is performed now only if both of the ranges involved are local domain ranges. https://fedorahosted.org/freeipa/ticket/3391 Tomas From 1a18bc43b561a1bbcfa1f5da3c2f1d6482571d18 Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Tue, 5 Mar 2013 09:17:20 +0100 Subject: [PATCH] Perform secondary rid range overlap check for local ranges only Any of the following checks: - overlap between primary RID range and secondary RID range - overlap between secondary RID range and secondary RID range is performed now only if both of the ranges involved are local domain ranges. https://fedorahosted.org/freeipa/ticket/3391 --- .../ipa-range-check/ipa_range_check.c | 19 +-- 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c index 3a607636dc3ad9efc80ac7a2cef27eab524ad251..b7e0ea7af74e761dedd42d71d3b2ca7bc8aa3655 100644 --- a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c +++ b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c @@ -178,6 +178,11 @@ static int ranges_overlap(struct range_info *r1, struct range_info *r2) bool rid_ranges_set = (r1-base_rid != 0 || r1-secondary_base_rid != 0) (r2-base_rid != 0 || r2-secondary_base_rid != 0); +/** + * ipaNTTrustedDomainSID is not set for local ranges, use it to + * determine the type of the range **/ +bool local_ranges = r1-domain_id == NULL r2-domain_id == NULL; + bool ranges_from_same_domain = (r1-domain_id == NULL r2-domain_id == NULL) || (r1-domain_id != NULL r2-domain_id != NULL 
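Review bot: `local_ranges` in the `ranges_overlap` hunk is exactly the first disjunct of `ranges_from_same_domain` computed on the next line (`r1->domain_id == NULL && r2->domain_id == NULL`); compute it once and write `local_ranges || (...)` there rather than evaluating the same test twice. The new comment should also spell out the consequence of keying "local" on a missing ipaNTTrustedDomainSID: a trusted-domain range whose SID did not load would have `domain_id == NULL` and be compared as if it were local.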
@@ -185,8 +190,7 @@ static int ranges_overlap(struct range_info *r1, struct range_info *r2) /** * in case rid range is not set or ranges belong to different domains - * we can skip rid range tests as they are irrelevant - */ + * we can skip rid range tests as they are irrelevant **/ if (rid_ranges_set ranges_from_same_domain){ /* check if rid range overlaps with existing rid range */ @@ -194,19 +198,22 @@ static int ranges_overlap(struct range_info *r1, struct range_info *r2) r1-id_range_size, r2-id_range_size)) return 2; -/* check if secondary rid range overlaps with existing secondary rid range */ +/** + * The following 3 checks are relevant only if both ranges are local. + * Check if secondary rid range overlaps with existing secondary rid + * range. **/ if (intervals_overlap(r1-secondary_base_rid, r2-secondary_base_rid, -r1-id_range_size, r2-id_range_size)) +r1-id_range_size, r2-id_range_size) local_ranges) return 3; /* check if rid range overlaps with existing secondary rid range */ if (intervals_overlap(r1-base_rid, r2-secondary_base_rid, -r1-id_range_size, r2-id_range_size)) +r1-id_range_size, r2-id_range_size) local_ranges) return 4; /* check if secondary rid range overlaps with existing rid range */ if (intervals_overlap(r1-secondary_base_rid, r2-base_rid, -r1-id_range_size, r2-id_range_size)) +r1-id_range_size, r2-id_range_size) local_ranges) return 5; } -- 1.7.11.7 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
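Review bot: the hunk around line 185 only changes the comment terminator from `*/` to `**/`; the other comments in the function close with `*/` (`/* check if rid range overlaps with existing rid range */` a few lines down), so this is an unrelated style change and should be dropped to keep the diff to the functional change.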
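Review bot: in the hunk around line 194 each of the three secondary-RID checks ends with `&& local_ranges`, which evaluates `intervals_overlap()` first and then discards the result for non-local ranges; wrap the three checks in a single `if (local_ranges) { ... }` instead, which makes the new comment ("The following 3 checks are relevant only if both ranges are local") match the code structure and cannot be forgotten when another check is added.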
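The overlap rules the patch implements, as an added Python example that is not the plugin's code: a pure-Python mirror of `ranges_overlap()` that computes the local/trusted distinction once and applies the secondary-RID checks only to local ranges. `Range`, the result-code names and the sample ranges are constructed for the example; code 1 for a POSIX ID overlap is assumed, since that part of the C function is not quoted in the mail.

```python
from collections import namedtuple

# Stand-in for the plugin's struct range_info; the field names follow the C
# code quoted above, the values used below are constructed for the example.
# domain_id is the ipaNTTrustedDomainSID of the trusted domain the range
# belongs to, or None for a local range.
Range = namedtuple('Range', 'base_id size base_rid secondary_base_rid domain_id')

# Result codes: 2..5 follow the return values in the hunk; 1 (POSIX ID
# overlap) is assumed, that part of the C function is not shown in the mail.
NO_CONFLICT, ID_OVERLAP, RID_RID, SEC_SEC, RID_SEC, SEC_RID = range(6)


def intervals_overlap(start1, start2, size1, size2):
    """True when the half-open intervals [start, start + size) share a value."""
    return start1 < start2 + size2 and start2 < start1 + size1


def ranges_overlap(r1, r2):
    """Return NO_CONFLICT if r1 and r2 may coexist, otherwise the code
    naming the first conflicting pair of ranges."""
    if intervals_overlap(r1.base_id, r2.base_id, r1.size, r2.size):
        return ID_OVERLAP

    rid_ranges_set = ((r1.base_rid != 0 or r1.secondary_base_rid != 0) and
                      (r2.base_rid != 0 or r2.secondary_base_rid != 0))
    # ipaNTTrustedDomainSID is absent on local ranges, so "both unset" is
    # the local/local case; computed once and reused below.
    local_ranges = r1.domain_id is None and r2.domain_id is None
    ranges_from_same_domain = local_ranges or (
        r1.domain_id is not None and r1.domain_id == r2.domain_id)

    # RID tests are meaningless across domains or when no RID base is set.
    if not (rid_ranges_set and ranges_from_same_domain):
        return NO_CONFLICT
    if intervals_overlap(r1.base_rid, r2.base_rid, r1.size, r2.size):
        return RID_RID
    # As in the patch, the three checks involving a secondary RID range
    # apply only when both ranges are local.
    if local_ranges:
        if intervals_overlap(r1.secondary_base_rid, r2.secondary_base_rid,
                             r1.size, r2.size):
            return SEC_SEC
        if intervals_overlap(r1.base_rid, r2.secondary_base_rid,
                             r1.size, r2.size):
            return RID_SEC
        if intervals_overlap(r1.secondary_base_rid, r2.base_rid,
                             r1.size, r2.size):
            return SEC_RID
    return NO_CONFLICT


# Constructed sample ranges.
LOCAL_A = Range(base_id=100000, size=200000, base_rid=1000,
                secondary_base_rid=100000000, domain_id=None)
LOCAL_B = Range(300000, 200000, 1000, 100000000, None)        # same RID base
LOCAL_C = Range(300000, 200000, 5000000, 1500, None)          # secondary hits A's RID base
TRUST_SID = 'S-1-5-21-3623811015-3361044348-30300820'
TRUST_A = Range(1000000, 200000, 1000, 0, TRUST_SID)
TRUST_B = Range(1200000, 200000, 1000, 0, TRUST_SID)          # same RID base, same domain
TRUST_C = Range(1200000, 200000, 10000000, 1000, TRUST_SID)   # secondary hits A's RID base, but not local

if __name__ == '__main__':
    for name, pair in [('local RID/RID', (LOCAL_A, LOCAL_B)),
                       ('local RID/secondary', (LOCAL_A, LOCAL_C)),
                       ('trusted RID/RID', (TRUST_A, TRUST_B)),
                       ('trusted RID/secondary', (TRUST_A, TRUST_C))]:
        print('%-22s -> %d' % (name, ranges_overlap(*pair)))
```

The TRUST_A/TRUST_C pair is the case the patch changes: before it, the secondary-RID check would have flagged the two trusted-domain ranges; after it they are accepted, while the same layout on two local ranges is still rejected with code 4.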
Re: [Freeipa-devel] [PATCH] 378-380 Improved CNAME and DNAME validation
Hello, please see my comments in-line.

On 5.3.2013 12:23, Martin Kosek wrote:
These relatively straightforward patches depend on each other, so I am sending them in bulk. Details can be found in commit messages.

Martin

freeipa-mkosek-379-improve-cname-record-validation.patch

From 5afde12a1a3d46a89af340e060fd1c687c7f4948 Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Mon, 4 Mar 2013 15:05:49 +0100 Subject: [PATCH 2/3] Improve CNAME record validation

Refactor DNS RR conflict validator so that it is more extensible in the future. Also check that there is only one CNAME defined for a DNS record.

https://fedorahosted.org/freeipa/ticket/3450

--- ipalib/plugins/dns.py | 43 ++-- tests/test_xmlrpc/test_dns_plugin.py | 8 +++ 2 files changed, 35 insertions(+), 16 deletions(-) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index a23d1b8233eec14825ac6b43f509de51ad0ff1f7..a70d69fad181c90466467482a6ac604a166d728b 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py
@@ -2267,23 +2267,34 @@ class dnsrecord(LDAPObject): def check_record_type_collisions(self, old_entry, entry_attrs): # Test that only allowed combination of record types was created -attrs = set(attr for attr in entry_attrs.keys() if attr in _record_attributes -and entry_attrs[attr]) -attrs.update(attr for attr in old_entry.keys() if attr not in entry_attrs) +rrattrs = {} +if old_entry is not None: +old_rrattrs = dict((key, value) for key, value in old_entry.iteritems() +if key in self.params and +isinstance(self.params[key], DNSRecord)) +rrattrs.update(old_rrattrs) +new_rrattrs = dict((key, value) for key, value in entry_attrs.iteritems() +if key in self.params and +isinstance(self.params[key], DNSRecord)) +rrattrs.update(new_rrattrs) + +# CNAME record validation try: -attrs.remove('cnamerecord') +cnames = rrattrs['cnamerecord'] except KeyError: -rec_has_cname = False +pass else: -rec_has_cname = True -# CNAME and PTR record combination is allowed I remember some discussion about PTR and CNAMEs, but now I see that was silly. CNAME can't coexist with any other record (under same name). -attrs.discard('ptrrecord') -rec_has_other_types = True if attrs else False - -if rec_has_cname and rec_has_other_types: -raise errors.ValidationError(name='cnamerecord', - error=_('CNAME record is not allowed to coexist with any other ' - 'records except PTR')) +if cnames is not None: +if len(cnames) 1: +raise errors.ValidationError(name='cnamerecord', +error=_('only one CNAME record is allowed per name (RFC 6672)')) RFC 6672 defines DNAME, not CNAME. For CNAME please use RFC 2136 section 1.1.5. RFCs are huge, so section numbers are really handy! 
+if any(rrvalue is not None + and rrattr != 'cnamerecord' + and rrattr != 'ptrrecord' + for rrattr, rrvalue in rrattrs.iteritems()): +raise errors.ValidationError(name='cnamerecord', + error=_('CNAME record is not allowed to coexist with any other ' + 'records except PTR')) The same applies here - CNAME is not allowed to co-exist with any other type. api.register(dnsrecord) @@ -2433,7 +2444,7 @@ class dnsrecord_add(LDAPCreate): try: (dn_, old_entry) = ldap.get_entry(dn, _record_attributes) except errors.NotFound: -pass +old_entry = None else: for attr in entry_attrs.keys(): if attr not in _record_attributes: @@ -2446,7 +2457,7 @@ class dnsrecord_add(LDAPCreate): vals = list(entry_attrs[attr]) entry_attrs[attr] = list(set(old_entry.get(attr, []) + vals)) -self.obj.check_record_type_collisions(old_entry, entry_attrs) +self.obj.check_record_type_collisions(old_entry, entry_attrs) return dn def exc_callback(self, keys, options, exc, call_func, *call_args, **call_kwargs): diff --git a/tests/test_xmlrpc/test_dns_plugin.py b/tests/test_xmlrpc/test_dns_plugin.py index 1902484949aeb0c96a0f2cda294fd3e6ae6e086f..7b2e5731395a52d26603d1d8fb2f061b7b7e1f8a 100644 --- a/tests/test_xmlrpc/test_dns_plugin.py +++ b/tests/test_xmlrpc/test_dns_plugin.py @@ -785,6 +785,14 @@ class test_dns(Declarative): ), dict( +desc='Try to add multiple CNAME record %r using dnsrecord_add' %
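Review bot: in the `check_record_type_collisions` hunk the `any(rrvalue is not None ...)` test treats an empty list as a present record type, whereas the removed code (`... and entry_attrs[attr]`) ignored empty values, so a mod that sets another type to an empty list while a CNAME exists would now be rejected; test truthiness (`rrvalue`) or drop empty values when building `rrattrs`. The `rrattr != 'ptrrecord'` clause in the same expression and the "except PTR" wording of the message are the lines to remove for the point raised above that a CNAME may not share its name with any other type.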
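Review bot: in the `dnsrecord_add` hunks the `-`/`+` pair for `self.obj.check_record_type_collisions(old_entry, entry_attrs)` has identical text, so this is an indentation change that moves the call out of the `else:` branch; together with `old_entry = None` in the `except errors.NotFound:` branch it means the collision check now also runs for a name that does not exist yet, which the added test ("Try to add multiple CNAME record ... using dnsrecord_add") relies on and which the commit message should state.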
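Added example, not the plugin's code: a stand-alone version of the merged-record-set check that keeps the reviewer's two points (a CNAME shares its owner name with nothing else, at most one CNAME per name) and treats an empty list the way the pre-patch code did. The dict shape mirrors the `old_entry`/`entry_attrs` arguments above; treating DNAME as a one-per-name type is an assumption drawn from the thread's subject, and all record data is constructed.

```python
# Record sets are represented the way the plugin passes them around: a dict
# keyed by LDAP attribute name (arecord, cnamerecord, ...) whose values are
# lists of RR data. In the requested change, None or an empty list means
# "delete this type". All data below is constructed for the example.

RR_SUFFIX = 'record'
# Types allowed at most once per owner name: CNAME (RFC 2136 section 1.1.5);
# DNAME is listed on the assumption that the thread's DNAME validation
# applies the same one-per-name rule.
SINGLETON_TYPES = ('cnamerecord', 'dnamerecord')


class ValidationError(Exception):
    pass


def merge_rrattrs(old_entry, entry_attrs):
    """Overlay the requested change on the stored entry and return only the
    RR types that will exist after the write. Truthiness rather than
    'is not None' keeps an explicit empty list from counting as a type."""
    merged = {}
    for source in (old_entry or {}, entry_attrs):
        for key, value in source.items():
            if key.endswith(RR_SUFFIX):
                merged[key] = list(value) if value else []
    return {key: value for key, value in merged.items() if value}


def check_record_type_collisions(old_entry, entry_attrs):
    """Raise ValidationError on an illegal combination of record types;
    return the merged record set otherwise."""
    rrattrs = merge_rrattrs(old_entry, entry_attrs)
    for attr in SINGLETON_TYPES:
        if len(rrattrs.get(attr, ())) > 1:
            raise ValidationError('%s: only one %s record is allowed per name'
                                  % (attr, attr[:-len(RR_SUFFIX)].upper()))
    # A CNAME may not coexist with any other type, PTR included.
    if 'cnamerecord' in rrattrs and len(rrattrs) > 1:
        others = ', '.join(sorted(k for k in rrattrs if k != 'cnamerecord'))
        raise ValidationError('cnamerecord: CNAME record is not allowed to '
                              'coexist with any other records (found %s)' % others)
    return rrattrs


def rejects(old_entry, entry_attrs):
    """True when the change would be refused."""
    try:
        check_record_type_collisions(old_entry, entry_attrs)
    except ValidationError:
        return True
    return False


if __name__ == '__main__':
    stored = {'arecord': ['192.0.2.1']}
    print(rejects(stored, {'cnamerecord': ['www.example.test.']}))            # True
    print(rejects(stored, {'arecord': None,                                    # False: A is
                           'cnamerecord': ['www.example.test.']}))             # deleted first
```

The second call in the usage block is the case `dnsrecord_mod` has to get right: deleting the A record and adding the CNAME in the same request is legal, because the check looks at the record set as it will exist after the write, not at the stored entry alone.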
Re: [Freeipa-devel] [PATCH] 0189 Remove option to use custom SSL certificates from ipa-server-install
On 5.3.2013 11:55, Petr Viktorin wrote:
On 03/05/2013 11:32 AM, Jan Cholasta wrote:
Hi,
On 26.2.2013 15:50, Petr Viktorin wrote:
This removes the --{dirsrv,http,pkinit}-{pkcs12,pin} options. https://fedorahosted.org/freeipa/ticket/3151

The same options are in ipa-replica-prepare. I think we should leave those be, so people with existing servers with custom certs can install replicas. Should we keep them visible, or should we make them hidden and remove them from documentation?

Honza

They have their own section in --help, with an explanation:

SSL certificate options: Only used if the server was installed using custom SSL certificates

I think that's enough.

OK, makes sense. Please update ipa-server-install man page to reflect the changes.

I think you can remove the pkcs12_info argument of {Ds,Krb}Instance.create_instance, as the only place where it was used is ipa-server-install.

Honza

-- 
Jan Cholasta
Re: [Freeipa-devel] [PATCH 0116] Fix crash caused by invalid wildcard in update policy string
On 4.3.2013 15:15, Adam Tkac wrote:
On Mon, Feb 25, 2013 at 03:28:57PM +0100, Petr Spacek wrote:
Hello,

Fix crash caused by invalid wildcard in update policy string. https://fedorahosted.org/bind-dyndb-ldap/ticket/108

Question: What should we do if the update policy string contains an error? Should we disable all updates? Or leave the old policy in place?

I vote for disallowing all updates.

+1. In my opinion disallowing all updates is correct.

I will prepare a separate patch for this.

Ack for the patch.

Pushed to master and v2: 33bad9e66f346d40dc3510719898d03ccb79b2f4

-- 
Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0114] Log name of the zone if zone cannot be created
On 4.3.2013 15:00, Adam Tkac wrote:
On Wed, Feb 20, 2013 at 04:57:13PM +0100, Petr Spacek wrote:
Hello,

Log name of the zone if zone cannot be created.

Ack

Pushed to master and v2: 972108650e49f9070c39d7404acdfd9a8b43e263

-- 
Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0111] Automatically reload invalid zone after each change in zone data
On 4.3.2013 15:45, Adam Tkac wrote:
On Tue, Feb 12, 2013 at 12:57:44PM +0100, Petr Spacek wrote:
Hello,

Automatically reload invalid zone after each change in zone data. https://fedorahosted.org/bind-dyndb-ldap/ticket/102

Ack

Pushed to master and v2: 655f9b4afa4255c738a228038164215f3f1b91a5

-- 
Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0112] Make log messages related to Kerberos more verbose
On 4.3.2013 15:17, Adam Tkac wrote:
On Wed, Feb 27, 2013 at 04:21:16PM +0100, Petr Spacek wrote:
On 12.2.2013 13:58, Petr Spacek wrote:
Hello,

Make log messages related to Kerberos more verbose. This change should help people supporting bind-dyndb-ldap to figure out what is happening under covers.

Added explanatory error message for case where Kerberos context initialization failed.

Ack

Pushed to master and v2: 751587ea68c3b8e47a030746d11d42e497f2dfa7

-- 
Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0077] Refactor settings subsystem
On 4.3.2013 16:06, Adam Tkac wrote:
On Mon, Mar 04, 2013 at 03:46:39PM +0100, Petr Spacek wrote:
Hello,

amended patch is attached.

Ack

Pushed to master: c74cfdaa02ccb206f40a2dff8b8ec6246d19be18

-- 
Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0115] Add support for DNAME substitution
On 4.3.2013 15:14, Adam Tkac wrote:
On Thu, Feb 21, 2013 at 04:27:03PM +0100, Petr Spacek wrote:
On 21.2.2013 16:21, Petr Spacek wrote:
Hello,

Add support for DNAME substitution. https://fedorahosted.org/bind-dyndb-ldap/ticket/63

And now the patch :-)

Ack

Pushed to master: e1122fde894946d5cf4aa209df4c7060bb877d0a

-- 
Petr^2 Spacek
Re: [Freeipa-devel] [PATCH] 0190 Fix installing server with external CA
Hi,

On 4.3.2013 15:29, Petr Viktorin wrote:
I did not test the external CA case when we merged DS instances some time ago, so it ended up broken. Here is a fix.

Our DsInstance class could only be initialized properly by calling create_instance or create_replica. For step 2, when the DS is not being installed, I gathered the common setup code to init_info, and called that. Ideally this will one day end up in __init__, but that's for a bigger refactoring.

https://fedorahosted.org/freeipa/ticket/3459

I have tried installing IPA with external CA with your patch several times, and ipa-server-install always gets stuck while doing LDAP updates. I am not really sure how these two are connected. Can you please check if that happens to you on IPA from current master as well?

Honza

-- 
Jan Cholasta
Re: [Freeipa-devel] [PATCH] 105 Fix remove while iterating in suppress_netgroup_memberof
On 02/27/2013 02:55 PM, Jan Cholasta wrote:
Hi,

this patch fixes https://fedorahosted.org/freeipa/ticket/3464.

Honza

ACK, thanks.

-- 
Petr³
Re: [Freeipa-devel] [PATCHES] 94-99 Read and use per-service PAC type
On 03/04/2013 04:22 PM, Sumit Bose wrote:
On Fri, Mar 01, 2013 at 08:58:34AM -0500, Simo Sorce wrote:
On Fri, 2013-03-01 at 10:08 +0100, Martin Kosek wrote:
On 03/01/2013 09:20 AM, Sumit Bose wrote:
On Fri, Mar 01, 2013 at 08:33:51AM +0100, Martin Kosek wrote:
On 02/28/2013 03:28 PM, Simo Sorce wrote:
On Thu, 2013-02-28 at 13:02 +0100, Martin Kosek wrote:
On 02/28/2013 12:42 PM, Sumit Bose wrote:
On Thu, Feb 28, 2013 at 08:44:35AM +0100, Martin Kosek wrote:
On 02/27/2013 06:48 PM, Sumit Bose wrote:

Hi Sumit,

This looks like a good idea and would prevent the magic default PAC type, yes. Though I would not add this service-specific setting to global IPA config object. I would rather like to see that in the service tree, for example as a configuration option of the service root which could be controlled with serviceconfig-* commands (we already have dnsconfig, trustconfig), e.g:

# ipa serviceconfig-add-pacmap --service=nfs --pac-type=NONE
# ipa serviceconfig-add-pacmap --service=cifs --pac-type=PAD
# ipa serviceconfig-show
Default PAC Map: nfs:NONE, cifs:PAD

Are you thinking of having this in addition to the for-all-services default values in cn=ipaConfig,cn=etc or shall those be dropped? I don't like the first case because then three different objects need to be consulted to find out which is the right type. This wouldn't be an issue for the plugin, but I think it is hard for the user/admin to follow.

Hm, you are right.

If the current defaults shall be dropped I think this is a major change because it will require changes in the current CLI and WebUI which will be visible to the users. I'm not against this change, I'm just wondering if it is worth the effort for the next release? Maybe an argument to keep this in the global default is that the settings are used for the host/*.* services as well which are in a different sub-tree of the cn=accounts container. Additionally in future we might want to apply those settings to the user TGTs as well?

Yeah, that was actually my point. That we are mixing service-specific PAC rules into the global setting. Which may be shared with host/*.* principals and user principals. These automatic PAC rules may require some designing so that they are generally usable.

I think putting everything in the general config is more understandable and discoverable. These per-service defaults are basically exceptions to the general rule so it makes sense to keep everything together.

Simo.

Ok, if these are really just exceptions to the general rule (and there will not be too many of them), I think we can leave it in the config entry. But if we expect to have exceptions for other types of entries (hosts, users), I think we should rather use something like service:nfs:NONE to distinguish this exception.

Question is, do we want to implement the interface and processing for that in current Sumit's patches or do we use them as they are?

I would like to update the patches so that they can handle the service:TYPE style entry and replace the current update code with just adding nfs:NONE to the global options. I will update the design page accordingly, too.

Ok. If the update procedure shrinks just to adding service:nfs:NONE then it'd be great.

If we need to distinguish between service principals and user principals I would rather prefer to use a special keyword for upns; service: is redundant and I do not want here to be able to say upn:martin:NONE because per principal options are available on the principal object.

I actually really do not see the need for changing the default just for user principals.

If we are worried that one day we might want to really have upn:NONE, then let's use nfs/:NONE, host/:NONE etc... so one day we might add upn:NONE and the lack of / will tell us this is not a service named upn/foo.bar.baz but rather it means user principal names.

However I do not see us ever really needing upn:NONE

I would prefer if the enhancements needed for the CLI and WebUI can be covered by other/new tickets, but I'm happy to add the needed information to the design page too.

bye,
Sumit

I am OK with adding the interface for this special exception later. In that case, a ticket + note in the design as you mentioned would be enough.

Ack.

Simo.

Please find attached a new version of the patches. 0095 (updating) is renamed and much simpler now. I opened https://fedorahosted.org/freeipa/ticket/3484 to add the needed change for 'service:TYPE' to CLI and WebUI. For the time being I've added patch 0108 which simply allows 'nfs:NONE' as a type to make sure that it is not deleted accidentally when e.g. using the WebUI. If you do not like it it can simply be dropped, everything is working fine without it.

bye,
Sumit

Patch 0098:

If this part does not match (and it will not for all non-nfs service principals):

+if (service_type-length == (sep -
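To make the 'service:TYPE' lookup discussed above concrete, here is an added Python example (not Sumit's patch and not the KDB driver's code) that resolves the PAC types for a principal in the order the thread settles on: per-principal setting, then a service exception such as `nfs:NONE`, then the plain global entries. The precedence, the function names and the sample ipaKrbAuthzData list are assumptions for the example; the '/' test is what keeps a user named `nfs` from matching the service exception, which is the point Simo makes about `nfs/:NONE` versus `upn:NONE`.

```python
# Constructed example of the lookup order discussed in the thread. Assumed
# precedence: an explicit per-principal setting wins, then a 'service:TYPE'
# exception in the global ipaKrbAuthzData list whose service name matches
# the principal's, then the plain global entries.

# Constructed global list, as it would look after the proposed update.
GLOBAL_AUTHZ_DATA = ['MS-PAC', 'nfs:NONE']


def service_name(principal):
    """'nfs/fs.example.test@EXAMPLE.TEST' -> 'nfs'. A user principal has
    no '/', so it yields None and can never match a service exception,
    even if the user happens to be called 'nfs'."""
    local_part = principal.split('@', 1)[0]
    return local_part.split('/', 1)[0] if '/' in local_part else None


def split_authz_data(entries):
    """Separate plain PAC types from 'service:TYPE' exceptions."""
    defaults, exceptions = [], {}
    for entry in entries:
        service, sep, pac_type = entry.partition(':')
        if sep:
            exceptions.setdefault(service, []).append(pac_type)
        else:
            defaults.append(entry)
    return defaults, exceptions


def pac_types_for(principal, global_authz_data, principal_authz_data=None):
    """PAC types to put in tickets for `principal`; ['NONE'] means no PAC."""
    if principal_authz_data:                       # set on the principal itself
        return list(principal_authz_data)
    defaults, exceptions = split_authz_data(global_authz_data)
    service = service_name(principal)
    if service is not None and service in exceptions:
        return list(exceptions[service])
    return defaults


if __name__ == '__main__':
    for p in ('nfs/fs.example.test@EXAMPLE.TEST', 'cifs/fs.example.test@EXAMPLE.TEST',
              'host/fs.example.test@EXAMPLE.TEST', 'alice@EXAMPLE.TEST', 'nfs@EXAMPLE.TEST'):
        print('%-36s %s' % (p, pac_types_for(p, GLOBAL_AUTHZ_DATA)))
```

With the constructed list only `nfs/...` principals get `NONE`; `host/...`, `cifs/...` and user principals fall through to `MS-PAC`, and an explicit per-principal value overrides both.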
Re: [Freeipa-devel] [PATCH] 0190 Fix installing server with external CA
On 5.3.2013 16:12, Jan Cholasta wrote:
Hi,

On 4.3.2013 15:29, Petr Viktorin wrote:
I did not test the external CA case when we merged DS instances some time ago, so it ended up broken. Here is a fix.

Our DsInstance class could only be initialized properly by calling create_instance or create_replica. For step 2, when the DS is not being installed, I gathered the common setup code to init_info, and called that. Ideally this will one day end up in __init__, but that's for a bigger refactoring.

https://fedorahosted.org/freeipa/ticket/3459

I have tried installing IPA with external CA with your patch several times, and ipa-server-install always gets stuck while doing LDAP updates. I am not really sure how these two are connected. Can you please check if that happens to you on IPA from current master as well?

Honza

Turns out this was an error on my part. Sorry.

ACK.

Honza

-- 
Jan Cholasta
Re: [Freeipa-devel] [PATCH] 0189 Remove option to use custom SSL certificates from ipa-server-install
On 03/05/2013 02:40 PM, Jan Cholasta wrote:
On 5.3.2013 11:55, Petr Viktorin wrote:
On 03/05/2013 11:32 AM, Jan Cholasta wrote:
Hi,
On 26.2.2013 15:50, Petr Viktorin wrote:
This removes the --{dirsrv,http,pkinit}-{pkcs12,pin} options. https://fedorahosted.org/freeipa/ticket/3151

The same options are in ipa-replica-prepare. I think we should leave those be, so people with existing servers with custom certs can install replicas. Should we keep them visible, or should we make them hidden and remove them from documentation?

Honza

They have their own section in --help, with an explanation:

SSL certificate options: Only used if the server was installed using custom SSL certificates

I think that's enough.

OK, makes sense. Please update ipa-server-install man page to reflect the changes.

I think you can remove the pkcs12_info argument of {Ds,Krb}Instance.create_instance, as the only place where it was used is ipa-server-install.

Honza

We had a discussion about this feature on a meeting today and we decided to not retire this feature after all and fix it instead. This decision retires patch 189 and https://fedorahosted.org/freeipa/ticket/3151.

Martin
Re: [Freeipa-devel] [PATCH] 0007 Web UI: Realm Domains page
On 02/27/2013 05:10 PM, Petr Vobornik wrote:
On 02/27/2013 04:20 PM, Ana Krivokapic wrote:
Add support for Realm Domains to web UI. https://fedorahosted.org/freeipa/ticket/3407

The patch looks good, but there is an issue we don't have a precedent for. The mod command is doing a dns check for new domains. Currently we can't specify the --force option to bypass the check.

I see two possible implementations:
1) On update, when user adds or modifies the values, a dialog would pop up and ask user whether he wants to force it.
2) Another option is to disable edit on the list (deletion would be still allowed) and move the add operation to separate action in action list.

I prefer the former. Latter might have issues with two modifications (delete and add) at the same time at two different places (facet and add dialog).

Added force option to the error dialog. Updated patch is attached.

-- 
Regards,
Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

From fb6feb8a3a8639a495c5827f8a514f775aa4f7a6 Mon Sep 17 00:00:00 2001 From: Ana Krivokapic akriv...@redhat.com Date: Tue, 5 Mar 2013 16:40:50 +0100 Subject: [PATCH] Realm Domains page

Add support for Realm Domains to web UI.

https://fedorahosted.org/freeipa/ticket/3407

--- install/ui/src/freeipa/app.js | 1 + install/ui/src/freeipa/realmdomains.js | 102 install/ui/src/freeipa/webui.js | 3 +- install/ui/test/data/ipa_init.json | 3 + install/ui/test/data/ipa_init_objects.json | 42 install/ui/test/data/realmdomains_show.json | 24 +++ ipalib/plugins/internal.py | 3 + 7 files changed, 177 insertions(+), 1 deletion(-) create mode 100644 install/ui/src/freeipa/realmdomains.js create mode 100644 install/ui/test/data/realmdomains_show.json diff --git a/install/ui/src/freeipa/app.js b/install/ui/src/freeipa/app.js index 9d89c1aede857ddfc27ebffa306c41172ed56bca..3dcb10f493824923254636c06b715164e419cce5 100644 --- a/install/ui/src/freeipa/app.js +++ b/install/ui/src/freeipa/app.js
@@ -41,6 +41,7 @@ define([ './idrange', './netgroup', './policy', +'./realmdomains', './rule', './selinux', './serverconfig', diff --git a/install/ui/src/freeipa/realmdomains.js b/install/ui/src/freeipa/realmdomains.js new file mode 100644 index ..16ef491cd68422772063b3a9e4268e3b580bd8e9 --- /dev/null +++ b/install/ui/src/freeipa/realmdomains.js 
@@ -0,0 +1,102 @@ +/* Authors: + *Ana Krivokapic akriv...@redhat.com + * + * Copyright (C) 2013 Red Hat + * see file 'COPYING' for use and warranty information + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see http://www.gnu.org/licenses/. + */ + +define(['./ipa', './jquery', './details', './search', './association', +'./entity'], function (IPA, $) { + +IPA.realmdomains = {}; + +IPA.realmdomains.entity = function (spec) { + +var that = IPA.entity(spec); + +that.init = function () { +that.entity_init(); + +that.builder.details_facet({ +factory: IPA.realmdomains_details_facet, +title: IPA.metadata.objects.realmdomains.label, +sections: [ +{ +name: 'identity', +label: IPA.messages.objects.realmdomains.identity, +fields: [ +{ +name: 'associateddomain', +type: 'multivalued' +} +] +} +], +needs_update: true +}); +}; +return that; +}; + +IPA.realmdomains_details_facet = function (spec, no_init) { +spec = spec || {}; +var that = IPA.details_facet(spec, true); + +that.update = function (on_success, on_error) { +var command = that.create_update_command(); + +command.on_success = function (data, text_status, xhr) { +that.update_on_success(data, text_status, xhr); +if (on_success) on_success.call(this, data, text_status, xhr); +}; + +command.on_error = function (xhr, text_status, error_thrown) { +var dialog = IPA.error_dialog({ +
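Review bot: in `IPA.realmdomains_details_facet`, `command.on_error` replaces the default error handling for every failed realmdomains-mod and opens the custom dialog that, per the cover mail, offers a forced retry, so the user is offered `force` for failures unrelated to the DNS check the flag is meant to bypass (a permission error or a malformed domain name, for instance); inspect the returned error before building the dialog and offer the force button only for the DNS validation failure, falling back to the standard error handling otherwise. Also, the factory accepts `no_init` but ignores it (the call passes a literal `true` to `IPA.details_facet`); either pass it through or drop the parameter.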
Re: [Freeipa-devel] [WIP] Web UI Refactoring plugins effort - current state
On 03/05/2013 12:34 PM, Petr Vobornik wrote:
Hello,

Sending current state of $subj. Its main purpose is to get rough review and design comments. Attaching patches of work done.

The effort is documented at: http://pvoborni.fedorapeople.org/doc

Navigation refactoring
* http://pvoborni.fedorapeople.org/doc/navigation.html
* almost implemented

Plugin design
* http://pvoborni.fedorapeople.org/doc/plugins.html
* nothing implemented

Known problems
* http://pvoborni.fedorapeople.org/doc/known_problems.html

Others
As a part of the effort I change some Web UI internals. Some of them are documented on pages:
* http://pvoborni.fedorapeople.org/doc/phases.html
* http://pvoborni.fedorapeople.org/doc/facet_public_state.html
* http://pvoborni.fedorapeople.org/doc/registers.html

NOTE: all doc pages are written in asciidoc, change extension from .html to .txt to get the source. I use it because our wiki doesn't handle source codes well. I plan to gradually create complete documentation of Web UI.

Please at least create a reference wiki page that has all the pointers to those pages.

I will create a design page in our wiki later - it should be less verbose.

Update testing server with:
$ util/sync.sh --host r...@host.test -cC --dojo --misc --strings --restart
$ util/sync.sh --host r...@host.test -fc

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Re: [Freeipa-devel] [PATCH] 264-265 Web UI:Certificate pages
On 2/22/2013 10:43 AM, Petr Vobornik wrote:
Note: static json files for testing and such will be updated soon (there were several patches which change API). I rather want to do one mass regeneration than several minor ones in a short period of time.

1) [PATCH] Web UI:Certificate pages

Following pages were added to Web UI:
* certificate details
* certificate search

Certificate is not a regular object so it gets no metadata. Therefore artificial metadata were created for it to allow usage of search and details facet.

Search and details facet were modified to allow removing of add/remove/update/reset buttons - certificates have no mod operation and they are not added by standard means.

User can revoke and restore certificates in details facet.

https://fedorahosted.org/freeipa/ticket/3419

I have some comments. Some of these can be postponed for future enhancements.

1. As previously discussed, the cert-find is only available with Dogtag CA, so the Certificates page should be disabled with self-signed CA. But if self-signed CA is dropped, then it's not necessary to disable the Certificates page. We may need to keep the ticket open until this is resolved one way or another.

2. Right now the fields in the cert details page are editable although there is no Update button. If you change the value an Undo button will appear. If you try to leave the page it will show the Unsaved Changes dialog. Since there's no cert-mod operation these fields should not be editable.

3. In the cert details page if you revoke the cert it will work but an error will appear below the revocation reason field saying 'Must be an integer'.

4. I think showing an empty revocation reason field on a valid cert is kind of weird. It might be better to create a Status section with two fields: status and revocation reason. If status is valid the revocation reason will be empty or hidden. If revoked then the reason will appear below the status.

5. In host/service details page the View link can be changed to go to the cert details page instead of showing a dialog box.

6. It would be better to organize the fields in the cert details page like the cert view dialog in host/service details page.

7. Certificate can be added/revoked/restored via certificate pages and host/service details pages. We need to make sure that if you do an operation on one page, the other pages won't show outdated information.

2) [PATCH] Web UI:Choose different search option for cert-find

This extends certificate search page by search option select. Therefore the search is not restricted to 'subject'. It should be replaced by https://fedorahosted.org/freeipa/ticket/191 in a future.

https://fedorahosted.org/freeipa/ticket/3419

8. The revocation reason takes an integer. Probably the search field should change into a drop down list showing all available reasons.

9. The date options take a certain format (YYYY-MM-DD), so we should show the format probably as greyed text in the search field.

10. The current design only allows specifying one option at a time. Some of these options are meant to be used as a pair because they represent a range (min and max serial number). How about creating an Advanced Search dialog that shows all search options in separate fields so they can be combined? The basic search field can remain simple like the search field in other entities and it will search the cert subject only.

11. The list of search options is a drop down list, but it's surrounded by a rounded box like the text field next to it. This might be just a personal preference but I'm not sure if it's an appropriate look for a drop down list.

-- 
Endi S. Dewata