Re: [Freeipa-devel] [PATCHES] 172-196 Refactor certificate renewal code
On 03/19/2014 02:33 PM, Jan Cholasta wrote: On 13.3.2014 13:41, Jan Cholasta wrote: On 12.3.2014 19:59, Petr Viktorin wrote: Certmonger is not configured/started in CA-less installs. That's expected. I tested fresh installs and upgrades; renewals work fine for me. 161-184 look OK 185: one more nitpick: cert = entry['usercertificate'][0] Shouldn't that use entry.single_value? I did not feel like changing this, because this is used in the original code and the userCertificate LDAP attribute is multi-value. Could you add a comment saying we don't care which of the certificates is returned? For me `entry[...][0]` is a red flag, since the order usually stays the same but it's not guaranteed, so it can change in the worst moment. If nothing else we shouldn't be leaving it in the code as an example of ipaldap usage. 186-189 look OK 190: Is fqdn = entries[0].dn[1].value return api.env.host == fqdn safe? Can they differ in case, for example? I guess so, will fix. 191-196 look OK Note that patches 178 179 were already pushed. Also, patch 190 was changed to store information about which CA instance is master in LDAP. Updated patches attached. Note that I changed the path for CSR export to /var/lib/ipa/ca.csr to make it more SELinux-friendly (not in the policy yet, see https://bugzilla.redhat.com/show_bug.cgi?id=1077689). -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH]Extending user plugin with employeenumber field
On Fri, 21 Feb 2014 16:06:27 +0100
Petr Vobornik pvobo...@redhat.com wrote:
On 21.2.2014 15:45, Adam Misnyovszki wrote:
Hi,
According to http://tools.ietf.org/html/rfc2798 ipa client and web
ui extended with employeenumber field.
https://fedorahosted.org/freeipa/ticket/4165
Question is, that should we extend user with other fields which are
in the RFC, (carLicense, departmentNumber, employeeType, etc) if we
already touched this code?
Thanks
Adam
+Int('employeenumber?',
+label=_('Employee ID'),
+minvalue=1,
+),
Why Int and different label? IMO it should be Str and 'Employee
Number'
2.4. Employee Number
Numeric or alphanumeric identifier assigned to a person, typically
based on order of hire or association with an organization.
Single valued.
( 2.16.840.1.113730.3.1.3
NAME 'employeeNumber'
DESC 'numerically identifies an employee within an
organization' EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )
Hi,
fixed, also some other fields added. Note, that according to the rfc,
licence plate field should be multivalue, should I cange that(it is an
existing field). Also, should I write test cases(especially for
preferredlanguage)?
Greets
AdamFrom 097fe5e9460806431bdd759a9e77538d5ed26d15 Mon Sep 17 00:00:00 2001
From: Adam Misnyovszki amisn...@redhat.com
Date: Fri, 21 Mar 2014 09:59:01 +0100
Subject: [PATCH] Extending user plugin with inetOrgPerson fields
According to http://tools.ietf.org/html/rfc2798 ipa client
and web ui extended with inetOrgPerson fields:
- employeenumber
- employeetype
- preferredlanguage
- departmentnumber
https://fedorahosted.org/freeipa/ticket/4165
---
API.txt| 18 +++---
install/ui/src/freeipa/user.js | 6 +-
ipalib/plugins/user.py | 15 +++
3 files changed, 35 insertions(+), 4 deletions(-)
diff --git a/API.txt b/API.txt
index 8e1f7713ade2b3dc046e9db82fdd6be2d85eec56..16b72963302d39a79a4f961635750ff66412b690 100644
--- a/API.txt
+++ b/API.txt
@@ -3791,13 +3791,16 @@ output: Entry('result', type 'dict', Gettext('A dictionary representing an LDA
output: Output('summary', (type 'unicode', type 'NoneType'), None)
output: Output('value', type 'unicode', None)
command: user_add
-args: 1,39,3
+args: 1,43,3
arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True)
option: Str('addattr*', cli_name='addattr', exclude='webui')
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('carlicense', attribute=True, cli_name='carlicense', multivalue=False, required=False)
option: Str('cn', attribute=True, autofill=True, cli_name='cn', multivalue=False, required=True)
+option: Str('departmentnumber', attribute=True, cli_name='departmentnumber', multivalue=False, required=False)
option: Str('displayname', attribute=True, autofill=True, cli_name='displayname', multivalue=False, required=False)
+option: Str('employeenumber', attribute=True, cli_name='employeenumber', multivalue=False, required=False)
+option: Str('employeetype', attribute=True, cli_name='employeetype', multivalue=False, required=False)
option: Str('facsimiletelephonenumber', attribute=True, cli_name='fax', multivalue=True, required=False)
option: Str('gecos', attribute=True, autofill=True, cli_name='gecos', multivalue=False, required=False)
option: Int('gidnumber', attribute=True, cli_name='gidnumber', minvalue=1, multivalue=False, required=False)
@@ -3820,6 +3823,7 @@ option: Bool('nsaccountlock', attribute=True, cli_name='nsaccountlock', multival
option: Str('ou', attribute=True, cli_name='orgunit', multivalue=False, required=False)
option: Str('pager', attribute=True, cli_name='pager', multivalue=True, required=False)
option: Str('postalcode', attribute=True, cli_name='postalcode', multivalue=False, required=False)
+option: Str('preferredlanguage', attribute=True, cli_name='preferredlanguage', multivalue=False, pattern='^[a-zA-Z]{1,8}[-[a-zA-Z]{1,8}]?$', required=False)
option: Flag('random', attribute=False, autofill=True, cli_name='random', default=False, multivalue=False, required=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Str('setattr*', cli_name='setattr', exclude='webui')
@@ -3858,12 +3862,15 @@ output: Output('result', type 'bool', None)
output: Output('summary', (type 'unicode', type 'NoneType'), None)
output: Output('value', type 'unicode', None)
command: user_find
-args: 1,49,4
+args: 1,53,4
arg: Str('criteria?', noextrawhitespace=False)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('carlicense', attribute=True, autofill=False, cli_name='carlicense', multivalue=False,
Re: [Freeipa-devel] [PATCH] typo in migrate-ds
On Tue, 18 Mar 2014 19:31:31 -0600 Gabe Alford redhatri...@gmail.com wrote: All, It looks like the only typos exist in the uk and fr .po files for this ticket https://fedorahosted.org/freeipa/ticket/2546 Point me in the right direction if I am wrong. Thanks, Gabe ACK, thanks for the patch! Greets Adam ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH][RFC] 7 automember rebuild nowait feature added
On 03/20/2014 04:22 PM, Misnyovszki Adam wrote: On Thu, 20 Mar 2014 14:19:51 +0100 Misnyovszki Adam amisn...@redhat.com wrote: On Fri, 14 Mar 2014 13:26:15 -0400 Rob Crittenden rcrit...@redhat.com wrote: Misnyovszki Adam wrote: Hi, automember-rebuild uses asynchronous 389 task, and returned success even if the task didn't run. This patch fixes this issue adding a --nowait parameter to 'ipa automember-rebuild', defaulting to False, thus when the script runs without it, it waits for the 'nstaskexitcode' attribute, which means the task has finished, according to http://directory.fedoraproject.org/wiki/Task_Invocation_Via_LDAP#Implementation. Old usage can be enabled using --nowait. https://fedorahosted.org/freeipa/ticket/4239 Request for comments: - Should I add a parameter to specify the polling time? (now 1ms) - Should I add a parameter to specify the maximum polling number? Now if something fails about creating the task, it polls forever. - Obviously, if these parameters should be added, there should be a reasonable default for them (~ Required=False, Default=X). I don't think you need a polling time, esp since this is hidden from the user, but I think that is probably too short and you may end up hammering the LDAP server. I also wonder if there should be some maximum wait time. I don't like loops that can never exit. I'm at a loss for what that time should be though. And we'd need to spell out that we gave up waiting, not that the task necessarily failed. So rather than having a polling time option, rename nowait into wait_for=20, so wait for 20 seconds. Or something like that. I'd suggest using get_entry since you already know the full DN and there is only ever one. It would make this much more readable. I wonder if some top-level documentation should be added to flesh this out some more. This does, for example, return False in one case. The meaning for that should be spelled out. rob Hi, personally I would keep --no-wait, with a delay of 1 seconds, and a maximum waiting time for 60 seconds. Questions is, do we need to parameterize with other parameters(wait-for to the maximum time, and/or poll-delay for the delay time, both not required), or it is not a case which worth to develop? Greets Adam Hi, here are the corrections Petr asked, also the other patch conatins the plugin registration refactor. Thanks! You forgot an alternate summary for the --no-wait case. (Make sure to output the DN in this case, so it's possible to poll for it.) Instead of `task['nstaskexitcode'][0]` please use `task.single_value['nstaskexitcode']`. Here: raise errors.DatabaseError( desc=_(Automember rebuild membership task failed), info=_(nstaskexitcode = '%s' % str(task['nstaskexitcode'][0]))) there's no need to call str() on %'s argument. Also, use natural language (like Task exit code: %s), otherwise there's no need to mark the message for translation. -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH][RFC] 7 automember rebuild nowait feature added
On 03/21/2014 10:29 AM, Petr Viktorin wrote: On 03/20/2014 04:22 PM, Misnyovszki Adam wrote: On Thu, 20 Mar 2014 14:19:51 +0100 Misnyovszki Adam amisn...@redhat.com wrote: On Fri, 14 Mar 2014 13:26:15 -0400 Rob Crittenden rcrit...@redhat.com wrote: Misnyovszki Adam wrote: Hi, automember-rebuild uses asynchronous 389 task, and returned success even if the task didn't run. This patch fixes this issue adding a --nowait parameter to 'ipa automember-rebuild', defaulting to False, thus when the script runs without it, it waits for the 'nstaskexitcode' attribute, which means the task has finished, according to http://directory.fedoraproject.org/wiki/Task_Invocation_Via_LDAP#Implementation. Old usage can be enabled using --nowait. https://fedorahosted.org/freeipa/ticket/4239 Request for comments: - Should I add a parameter to specify the polling time? (now 1ms) - Should I add a parameter to specify the maximum polling number? Now if something fails about creating the task, it polls forever. - Obviously, if these parameters should be added, there should be a reasonable default for them (~ Required=False, Default=X). I don't think you need a polling time, esp since this is hidden from the user, but I think that is probably too short and you may end up hammering the LDAP server. I also wonder if there should be some maximum wait time. I don't like loops that can never exit. I'm at a loss for what that time should be though. And we'd need to spell out that we gave up waiting, not that the task necessarily failed. So rather than having a polling time option, rename nowait into wait_for=20, so wait for 20 seconds. Or something like that. I'd suggest using get_entry since you already know the full DN and there is only ever one. It would make this much more readable. I wonder if some top-level documentation should be added to flesh this out some more. This does, for example, return False in one case. The meaning for that should be spelled out. rob Hi, personally I would keep --no-wait, with a delay of 1 seconds, and a maximum waiting time for 60 seconds. Questions is, do we need to parameterize with other parameters(wait-for to the maximum time, and/or poll-delay for the delay time, both not required), or it is not a case which worth to develop? Greets Adam Hi, here are the corrections Petr asked, also the other patch conatins the plugin registration refactor. Thanks! You forgot an alternate summary for the --no-wait case. (Make sure to output the DN in this case, so it's possible to poll for it.) Instead of `task['nstaskexitcode'][0]` please use `task.single_value['nstaskexitcode']`. Here: raise errors.DatabaseError( desc=_(Automember rebuild membership task failed), info=_(nstaskexitcode = '%s' % str(task['nstaskexitcode'][0]))) there's no need to call str() on %'s argument. Also, use natural language (like Task exit code: %s), otherwise there's no need to mark the message for translation. And one more thing: Please bump the minor version in the VERSION file when API.txt changes. -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH]Extending user plugin with employeenumber field
On Fri, 21 Mar 2014 10:13:55 +0100
Misnyovszki Adam amisn...@redhat.com wrote:
On Fri, 21 Feb 2014 16:06:27 +0100
Petr Vobornik pvobo...@redhat.com wrote:
On 21.2.2014 15:45, Adam Misnyovszki wrote:
Hi,
According to http://tools.ietf.org/html/rfc2798 ipa client and web
ui extended with employeenumber field.
https://fedorahosted.org/freeipa/ticket/4165
Question is, that should we extend user with other fields which
are in the RFC, (carLicense, departmentNumber, employeeType, etc)
if we already touched this code?
Thanks
Adam
+Int('employeenumber?',
+label=_('Employee ID'),
+minvalue=1,
+),
Why Int and different label? IMO it should be Str and 'Employee
Number'
2.4. Employee Number
Numeric or alphanumeric identifier assigned to a person,
typically based on order of hire or association with an
organization. Single valued.
( 2.16.840.1.113730.3.1.3
NAME 'employeeNumber'
DESC 'numerically identifies an employee within an
organization' EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )
Hi,
fixed, also some other fields added. Note, that according to the rfc,
licence plate field should be multivalue, should I cange that(it is an
existing field). Also, should I write test cases(especially for
preferredlanguage)?
Greets
Adam
self NACK,
VERSION bump because API change
Greets
Adam
From 5b657e13580635a0c7862d22de76841c4c9a13a2 Mon Sep 17 00:00:00 2001
From: Adam Misnyovszki amisn...@redhat.com
Date: Fri, 21 Mar 2014 10:59:26 +0100
Subject: [PATCH] Extending user plugin with inetOrgPerson fields
According to http://tools.ietf.org/html/rfc2798 ipa client
and web ui extended with inetOrgPerson fields:
- employeenumber
- employeetype
- preferredlanguage
- departmentnumber
https://fedorahosted.org/freeipa/ticket/4165
---
API.txt| 18 +++---
VERSION| 4 ++--
install/ui/src/freeipa/user.js | 6 +-
ipalib/plugins/user.py | 15 +++
4 files changed, 37 insertions(+), 6 deletions(-)
diff --git a/API.txt b/API.txt
index 8e1f7713ade2b3dc046e9db82fdd6be2d85eec56..16b72963302d39a79a4f961635750ff66412b690 100644
--- a/API.txt
+++ b/API.txt
@@ -3791,13 +3791,16 @@ output: Entry('result', type 'dict', Gettext('A dictionary representing an LDA
output: Output('summary', (type 'unicode', type 'NoneType'), None)
output: Output('value', type 'unicode', None)
command: user_add
-args: 1,39,3
+args: 1,43,3
arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True)
option: Str('addattr*', cli_name='addattr', exclude='webui')
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('carlicense', attribute=True, cli_name='carlicense', multivalue=False, required=False)
option: Str('cn', attribute=True, autofill=True, cli_name='cn', multivalue=False, required=True)
+option: Str('departmentnumber', attribute=True, cli_name='departmentnumber', multivalue=False, required=False)
option: Str('displayname', attribute=True, autofill=True, cli_name='displayname', multivalue=False, required=False)
+option: Str('employeenumber', attribute=True, cli_name='employeenumber', multivalue=False, required=False)
+option: Str('employeetype', attribute=True, cli_name='employeetype', multivalue=False, required=False)
option: Str('facsimiletelephonenumber', attribute=True, cli_name='fax', multivalue=True, required=False)
option: Str('gecos', attribute=True, autofill=True, cli_name='gecos', multivalue=False, required=False)
option: Int('gidnumber', attribute=True, cli_name='gidnumber', minvalue=1, multivalue=False, required=False)
@@ -3820,6 +3823,7 @@ option: Bool('nsaccountlock', attribute=True, cli_name='nsaccountlock', multival
option: Str('ou', attribute=True, cli_name='orgunit', multivalue=False, required=False)
option: Str('pager', attribute=True, cli_name='pager', multivalue=True, required=False)
option: Str('postalcode', attribute=True, cli_name='postalcode', multivalue=False, required=False)
+option: Str('preferredlanguage', attribute=True, cli_name='preferredlanguage', multivalue=False, pattern='^[a-zA-Z]{1,8}[-[a-zA-Z]{1,8}]?$', required=False)
option: Flag('random', attribute=False, autofill=True, cli_name='random', default=False, multivalue=False, required=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Str('setattr*', cli_name='setattr', exclude='webui')
@@ -3858,12 +3862,15 @@ output: Output('result', type 'bool', None)
output: Output('summary', (type 'unicode', type 'NoneType'), None)
output: Output('value', type 'unicode', None)
command: user_find
-args: 1,49,4
+args: 1,53,4
arg:
Re: [Freeipa-devel] [PATCHES] 0499-0502 permission CLI: rename --permissions to --right
On 03/20/2014 07:20 PM, Misnyovszki Adam wrote:
On Tue, 18 Mar 2014 12:02:06 +0100
Petr Viktorin pvikt...@redhat.com wrote:
Hello,
This renames --permissions to --right. The old name is kept as a
deprecated alias.
FreeIPA didn't have a mechanism for doing this, so I added one.
Also, while I was digging around in this part, I made the new IntEnum
(and all future Enums) act like StrEnum in --help output.
https://fedorahosted.org/freeipa/ticket/4231
499 ACK
500 ACK
501 ACK
- although should it allow mixing deprecated and current aliases(eg
--permission=read --right=write)?
You're right, this is a strange edge case, but detecting this would need
need a much more complicated approach than sharing the option's `dest`.
I don't think it's worth it.
- works fine with cli / webui also
- help displays nicely
502
- tested with more than one deprecated alias - API.txt validation
doesn't match, although it has the same output:
Got StrEnum('ipapermright', attribute=True, cli_name='right',
deprecated_cli_aliases=set(['testalias', 'permissions']),
multivalue=True, required=False, values=(u'read', u'search',
u'compare', u'write', u'add', u'delete', u'all'))
Expected StrEnum('ipapermright', attribute=True, cli_name='right',
deprecated_cli_aliases=set(['testalias','permissions']),
multivalue=True, required=False, values=(u'read', u'search',
u'compare', u'write', u'add', u'delete', u'all'))
API.txt:
option: StrEnum('ipapermright', attribute=True,
cli_name='right',
deprecated_cli_aliases=set(['testalias','permissions']),
multivalue=True, required=False, values=(u'read', u'search',
u'compare', u'write', u'add', u'delete', u'all'))
ipalib/plugins/permission.py:
StrEnum(
'ipapermright*',
cli_name='right',
deprecated_cli_aliases={'permissions','testalias'},
label=_('Granted
rights'),
doc=_('Rights to grant
'
'(read, search, compare, write, add, delete,
all)'),
values=(u'read', u'search',
u'compare',
u'write', u'add', u'delete',
u'all'),
),
don't know if it is a problem anyways
- other tests(cli, webui) works fine for me
- unit tests related to this ran as expected
so besides the multiple deprecated_cli_aliases issue, it's an ACK
It looks like you've edited API.txt by hand and forgot a space after the
comma in ['testalias','permissions']. Does it work if you use makeapi to
regenerate API.txt?
--
Petr³
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH][RFC] 7 automember rebuild nowait feature added
On Fri, 21 Mar 2014 10:33:00 +0100
Petr Viktorin pvikt...@redhat.com wrote:
On 03/21/2014 10:29 AM, Petr Viktorin wrote:
On 03/20/2014 04:22 PM, Misnyovszki Adam wrote:
On Thu, 20 Mar 2014 14:19:51 +0100
Misnyovszki Adam amisn...@redhat.com wrote:
On Fri, 14 Mar 2014 13:26:15 -0400
Rob Crittenden rcrit...@redhat.com wrote:
Misnyovszki Adam wrote:
Hi,
automember-rebuild uses asynchronous 389 task, and returned
success even if the task didn't run. This patch fixes this issue
adding a --nowait parameter to 'ipa automember-rebuild',
defaulting to False, thus when the script runs without it, it
waits for the 'nstaskexitcode' attribute, which means the task
has finished, according to
http://directory.fedoraproject.org/wiki/Task_Invocation_Via_LDAP#Implementation.
Old usage can be enabled using --nowait.
https://fedorahosted.org/freeipa/ticket/4239
Request for comments:
- Should I add a parameter to specify the polling time? (now
1ms)
- Should I add a parameter to specify the maximum polling
number? Now if something fails about creating the task, it
polls forever.
- Obviously, if these parameters should be added, there should
be a reasonable default for them (~ Required=False, Default=X).
I don't think you need a polling time, esp since this is hidden
from the user, but I think that is probably too short and you
may end up hammering the LDAP server.
I also wonder if there should be some maximum wait time. I don't
like loops that can never exit. I'm at a loss for what that time
should be though. And we'd need to spell out that we gave up
waiting, not that the task necessarily failed. So rather than
having a polling time option, rename nowait into wait_for=20, so
wait for 20 seconds. Or something like that.
I'd suggest using get_entry since you already know the full DN
and there is only ever one. It would make this much more
readable.
I wonder if some top-level documentation should be added to flesh
this out some more. This does, for example, return False in one
case. The meaning for that should be spelled out.
rob
Hi,
personally I would keep --no-wait, with a delay of 1 seconds, and
a maximum waiting time for 60 seconds. Questions is, do we need to
parameterize with other parameters(wait-for to the maximum time,
and/or poll-delay for the delay time, both not required), or it is
not a case which worth to develop?
Greets
Adam
Hi,
here are the corrections Petr asked, also the other patch conatins
the plugin registration refactor.
Thanks!
You forgot an alternate summary for the --no-wait case. (Make sure
to output the DN in this case, so it's possible to poll for it.)
Instead of `task['nstaskexitcode'][0]` please use
`task.single_value['nstaskexitcode']`.
Here:
raise errors.DatabaseError(
desc=_(Automember rebuild membership task failed),
info=_(nstaskexitcode = '%s' %
str(task['nstaskexitcode'][0])))
there's no need to call str() on %'s argument.
Also, use natural language (like Task exit code: %s), otherwise
there's no need to mark the message for translation.
And one more thing: Please bump the minor version in the VERSION file
when API.txt changes.
Hi,
everything is corrected!
Greets
Adam
From 049a163583e18d63716a8419849b5f1880cb567f Mon Sep 17 00:00:00 2001
From: Adam Misnyovszki amisn...@redhat.com
Date: Fri, 21 Mar 2014 11:58:44 +0100
Subject: [PATCH] automember rebuild nowait feature added
automember-rebuild uses asynchronous 389 task, and returned
success even if the task didn't run. this patch fixes this
issue adding a --nowait parameter to 'ipa automember-rebuild',
defaulting to False, thus when the script runs without it,
it waits for the 'nstaskexitcode' attribute, which means
the task has finished. Old usage can be enabled using --nowait,
and returns the DN of the task for further polling.
https://fedorahosted.org/freeipa/ticket/4239
---
API.txt | 3 ++-
VERSION | 4 ++--
ipalib/plugins/automember.py | 56
3 files changed, 50 insertions(+), 13 deletions(-)
diff --git a/API.txt b/API.txt
index 8e1f7713ade2b3dc046e9db82fdd6be2d85eec56..fa28a88f78270dd5858d97b88ee22ae7cdd8b13c 100644
--- a/API.txt
+++ b/API.txt
@@ -201,8 +201,9 @@ output: Entry('result', type 'dict', Gettext('A dictionary representing an LDA
output: Output('summary', (type 'unicode', type 'NoneType'), None)
output: Output('value', type 'unicode', None)
command: automember_rebuild
-args: 0,4,3
+args: 0,5,3
option: Str('hosts*')
+option: Flag('no_wait?', autofill=True, default=False)
option: StrEnum('type', cli_name='type', multivalue=False, required=False, values=(u'group', u'hostgroup'))
option: Str('users*')
option: Str('version?', exclude='webui')
diff --git a/VERSION b/VERSION
index
Re: [Freeipa-devel] [PATCHES] 0499-0502 permission CLI: rename --permissions to --right
On Fri, 21 Mar 2014 11:14:43 +0100
Petr Viktorin pvikt...@redhat.com wrote:
On 03/20/2014 07:20 PM, Misnyovszki Adam wrote:
On Tue, 18 Mar 2014 12:02:06 +0100
Petr Viktorin pvikt...@redhat.com wrote:
Hello,
This renames --permissions to --right. The old name is kept as a
deprecated alias.
FreeIPA didn't have a mechanism for doing this, so I added one.
Also, while I was digging around in this part, I made the new
IntEnum (and all future Enums) act like StrEnum in --help output.
https://fedorahosted.org/freeipa/ticket/4231
499 ACK
500 ACK
501 ACK
- although should it allow mixing deprecated and current
aliases(eg --permission=read --right=write)?
You're right, this is a strange edge case, but detecting this would
need need a much more complicated approach than sharing the option's
`dest`. I don't think it's worth it.
- works fine with cli / webui also
- help displays nicely
502
- tested with more than one deprecated alias - API.txt validation
doesn't match, although it has the same output:
Got StrEnum('ipapermright', attribute=True, cli_name='right',
deprecated_cli_aliases=set(['testalias', 'permissions']),
multivalue=True, required=False, values=(u'read', u'search',
u'compare', u'write', u'add', u'delete', u'all'))
Expected StrEnum('ipapermright', attribute=True, cli_name='right',
deprecated_cli_aliases=set(['testalias','permissions']),
multivalue=True, required=False, values=(u'read', u'search',
u'compare', u'write', u'add', u'delete', u'all'))
API.txt:
option: StrEnum('ipapermright', attribute=True,
cli_name='right',
deprecated_cli_aliases=set(['testalias','permissions']),
multivalue=True, required=False, values=(u'read', u'search',
u'compare', u'write', u'add', u'delete', u'all'))
ipalib/plugins/permission.py:
StrEnum(
'ipapermright*',
cli_name='right',
deprecated_cli_aliases={'permissions','testalias'},
label=_('Granted
rights'),
doc=_('Rights to grant
'
'(read, search, compare, write, add, delete,
all)'),
values=(u'read', u'search',
u'compare',
u'write', u'add', u'delete',
u'all'),
),
don't know if it is a problem anyways
- other tests(cli, webui) works fine for me
- unit tests related to this ran as expected
so besides the multiple deprecated_cli_aliases issue, it's an ACK
It looks like you've edited API.txt by hand and forgot a space after
the comma in ['testalias','permissions']. Does it work if you use
makeapi to regenerate API.txt?
You are right, my mistake, with ./makeapi, it works, even when the CLI
got this for parameters:
--right=read --permission=search --testparam=write
ACK
Greets
Adam
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH][RFC] 7 automember rebuild nowait feature added
On 03/21/2014 12:00 PM, Misnyovszki Adam wrote:
On Fri, 21 Mar 2014 10:33:00 +0100
Petr Viktorin pvikt...@redhat.com wrote:
On 03/21/2014 10:29 AM, Petr Viktorin wrote:
On 03/20/2014 04:22 PM, Misnyovszki Adam wrote:
On Thu, 20 Mar 2014 14:19:51 +0100
Misnyovszki Adam amisn...@redhat.com wrote:
On Fri, 14 Mar 2014 13:26:15 -0400
Rob Crittenden rcrit...@redhat.com wrote:
Misnyovszki Adam wrote:
Hi,
automember-rebuild uses asynchronous 389 task, and returned
success even if the task didn't run. This patch fixes this issue
adding a --nowait parameter to 'ipa automember-rebuild',
defaulting to False, thus when the script runs without it, it
waits for the 'nstaskexitcode' attribute, which means the task
has finished, according to
http://directory.fedoraproject.org/wiki/Task_Invocation_Via_LDAP#Implementation.
Old usage can be enabled using --nowait.
https://fedorahosted.org/freeipa/ticket/4239
Request for comments:
- Should I add a parameter to specify the polling time? (now
1ms)
- Should I add a parameter to specify the maximum polling
number? Now if something fails about creating the task, it
polls forever.
- Obviously, if these parameters should be added, there should
be a reasonable default for them (~ Required=False, Default=X).
I don't think you need a polling time, esp since this is hidden
from the user, but I think that is probably too short and you
may end up hammering the LDAP server.
I also wonder if there should be some maximum wait time. I don't
like loops that can never exit. I'm at a loss for what that time
should be though. And we'd need to spell out that we gave up
waiting, not that the task necessarily failed. So rather than
having a polling time option, rename nowait into wait_for=20, so
wait for 20 seconds. Or something like that.
I'd suggest using get_entry since you already know the full DN
and there is only ever one. It would make this much more
readable.
I wonder if some top-level documentation should be added to flesh
this out some more. This does, for example, return False in one
case. The meaning for that should be spelled out.
rob
Hi,
personally I would keep --no-wait, with a delay of 1 seconds, and
a maximum waiting time for 60 seconds. Questions is, do we need to
parameterize with other parameters(wait-for to the maximum time,
and/or poll-delay for the delay time, both not required), or it is
not a case which worth to develop?
Greets
Adam
Hi,
here are the corrections Petr asked, also the other patch conatins
the plugin registration refactor.
Thanks!
You forgot an alternate summary for the --no-wait case. (Make sure
to output the DN in this case, so it's possible to poll for it.)
Instead of `task['nstaskexitcode'][0]` please use
`task.single_value['nstaskexitcode']`.
There's one more `task['nstaskexitcode'][0]`. (Perhaps putting it in a
variable would be better?)
Here:
raise errors.DatabaseError(
desc=_(Automember rebuild membership task failed),
info=_(nstaskexitcode = '%s' %
str(task['nstaskexitcode'][0])))
there's no need to call str() on %'s argument.
Also, use natural language (like Task exit code: %s), otherwise
there's no need to mark the message for translation.
And one more thing: Please bump the minor version in the VERSION file
when API.txt changes.
Hi,
everything is corrected!
Greets
Adam
Sorry for dragging this so long, but:
The DN should not be a part of the summary, because that makes it hard
to parse when using the API. It should be returned as a part of the result.
To do that, you'd need to change the output type:
has_output = output.standard_entry
has_output_params = (
DNParam(
'dn',
label=_('Task automember'),
doc=_('DN of the started task'),
),
)
and provide a dict in result, instead of True. (And with --no-wait, add
the dn to that dict.)
--
Petr³
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 0499-0502 permission CLI: rename --permissions to --right
On 03/21/2014 12:10 PM, Misnyovszki Adam wrote:
On Fri, 21 Mar 2014 11:14:43 +0100
Petr Viktorin pvikt...@redhat.com wrote:
On 03/20/2014 07:20 PM, Misnyovszki Adam wrote:
On Tue, 18 Mar 2014 12:02:06 +0100
Petr Viktorin pvikt...@redhat.com wrote:
Hello,
This renames --permissions to --right. The old name is kept as a
deprecated alias.
FreeIPA didn't have a mechanism for doing this, so I added one.
Also, while I was digging around in this part, I made the new
IntEnum (and all future Enums) act like StrEnum in --help output.
https://fedorahosted.org/freeipa/ticket/4231
499 ACK
500 ACK
501 ACK
- although should it allow mixing deprecated and current
aliases(eg --permission=read --right=write)?
You're right, this is a strange edge case, but detecting this would
need need a much more complicated approach than sharing the option's
`dest`. I don't think it's worth it.
- works fine with cli / webui also
- help displays nicely
502
- tested with more than one deprecated alias - API.txt validation
doesn't match, although it has the same output:
Got StrEnum('ipapermright', attribute=True, cli_name='right',
deprecated_cli_aliases=set(['testalias', 'permissions']),
multivalue=True, required=False, values=(u'read', u'search',
u'compare', u'write', u'add', u'delete', u'all'))
Expected StrEnum('ipapermright', attribute=True, cli_name='right',
deprecated_cli_aliases=set(['testalias','permissions']),
multivalue=True, required=False, values=(u'read', u'search',
u'compare', u'write', u'add', u'delete', u'all'))
API.txt:
option: StrEnum('ipapermright', attribute=True,
cli_name='right',
deprecated_cli_aliases=set(['testalias','permissions']),
multivalue=True, required=False, values=(u'read', u'search',
u'compare', u'write', u'add', u'delete', u'all'))
ipalib/plugins/permission.py:
StrEnum(
'ipapermright*',
cli_name='right',
deprecated_cli_aliases={'permissions','testalias'},
label=_('Granted
rights'),
doc=_('Rights to grant
'
'(read, search, compare, write, add, delete,
all)'),
values=(u'read', u'search',
u'compare',
u'write', u'add', u'delete',
u'all'),
),
don't know if it is a problem anyways
- other tests(cli, webui) works fine for me
- unit tests related to this ran as expected
so besides the multiple deprecated_cli_aliases issue, it's an ACK
It looks like you've edited API.txt by hand and forgot a space after
the comma in ['testalias','permissions']. Does it work if you use
makeapi to regenerate API.txt?
You are right, my mistake, with ./makeapi, it works, even when the CLI
got this for parameters:
--right=read --permission=search --testparam=write
ACK
Thanks for the review!
Greets
Adam
Adam commented in person that I should bump VERSION; I did that as an
additional one-liner change.
Pushed to master: 801b2fd4588b8b40b74140f26b12eb190306d260
--
Petr³
From fb0ace5ad34cf702f240de64664da2935d4accd2 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Tue, 18 Mar 2014 10:15:55 +0100
Subject: [PATCH] permission CLI: rename --permissions to --right
The old name is kept as a deprecated alias.
https://fedorahosted.org/freeipa/ticket/4231
---
API.txt | 6 +++---
VERSION | 4 ++--
ipalib/plugins/permission.py | 5 +++--
3 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/API.txt b/API.txt
index 8e1f7713ade2b3dc046e9db82fdd6be2d85eec56..ca9a73e510e6426309ac6c47dab3be763a0d0490 100644
--- a/API.txt
+++ b/API.txt
@@ -2333,7 +2333,7 @@ command: permission_add
option: Str('filter', attribute=False, cli_name='filter', multivalue=True, required=False)
option: StrEnum('ipapermbindruletype', attribute=True, autofill=True, cli_name='bindtype', default=u'permission', multivalue=False, required=True, values=(u'permission', u'all', u'anonymous'))
option: DNOrURL('ipapermlocation', alwaysask=True, attribute=True, autofill=False, cli_name='subtree', multivalue=False, query=False, required=False)
-option: StrEnum('ipapermright', attribute=True, cli_name='permissions', multivalue=True, required=False, values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all'))
+option: StrEnum('ipapermright', attribute=True, cli_name='right', deprecated_cli_aliases=set(['permissions']), multivalue=True, required=False, values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all'))
option: DNParam('ipapermtarget', attribute=True, cli_name='target', multivalue=False, required=False)
option: Str('ipapermtargetfilter', attribute=True, cli_name='rawfilter', multivalue=True, required=False)
option: Str('memberof', alwaysask=True, attribute=False, autofill=False, cli_name='memberof', multivalue=True, query=False, required=False)
@@ -2392,7 +2392,7 @@ command: permission_find
option: Str('ipapermexcludedattr', attribute=True, autofill=False,
Re: [Freeipa-devel] [PATCH] typo in migrate-ds
On 03/21/2014 10:29 AM, Misnyovszki Adam wrote: On Tue, 18 Mar 2014 19:31:31 -0600 Gabe Alford redhatri...@gmail.com wrote: All, It looks like the only typos exist in the uk and fr .po files for this ticket https://fedorahosted.org/freeipa/ticket/2546 Point me in the right direction if I am wrong. Thanks, Gabe ACK, thanks for the patch! Greets Adam I am personally not sure this is the right solution. Shouldn't this be rather re-generated from Transifex instead editing .po files directly? CCing Petr. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH][RFC] 7 automember rebuild nowait feature added
On 03/21/2014 12:38 PM, Petr Viktorin wrote:
On 03/21/2014 12:00 PM, Misnyovszki Adam wrote:
On Fri, 21 Mar 2014 10:33:00 +0100
Petr Viktorin pvikt...@redhat.com wrote:
On 03/21/2014 10:29 AM, Petr Viktorin wrote:
On 03/20/2014 04:22 PM, Misnyovszki Adam wrote:
On Thu, 20 Mar 2014 14:19:51 +0100
Misnyovszki Adam amisn...@redhat.com wrote:
On Fri, 14 Mar 2014 13:26:15 -0400
Rob Crittenden rcrit...@redhat.com wrote:
Misnyovszki Adam wrote:
Hi,
automember-rebuild uses asynchronous 389 task, and returned
success even if the task didn't run. This patch fixes this issue
adding a --nowait parameter to 'ipa automember-rebuild',
defaulting to False, thus when the script runs without it, it
waits for the 'nstaskexitcode' attribute, which means the task
has finished, according to
http://directory.fedoraproject.org/wiki/Task_Invocation_Via_LDAP#Implementation.
Old usage can be enabled using --nowait.
https://fedorahosted.org/freeipa/ticket/4239
Request for comments:
- Should I add a parameter to specify the polling time? (now
1ms)
- Should I add a parameter to specify the maximum polling
number? Now if something fails about creating the task, it
polls forever.
- Obviously, if these parameters should be added, there should
be a reasonable default for them (~ Required=False, Default=X).
I don't think you need a polling time, esp since this is hidden
from the user, but I think that is probably too short and you
may end up hammering the LDAP server.
I also wonder if there should be some maximum wait time. I don't
like loops that can never exit. I'm at a loss for what that time
should be though. And we'd need to spell out that we gave up
waiting, not that the task necessarily failed. So rather than
having a polling time option, rename nowait into wait_for=20, so
wait for 20 seconds. Or something like that.
I'd suggest using get_entry since you already know the full DN
and there is only ever one. It would make this much more
readable.
I wonder if some top-level documentation should be added to flesh
this out some more. This does, for example, return False in one
case. The meaning for that should be spelled out.
rob
Hi,
personally I would keep --no-wait, with a delay of 1 seconds, and
a maximum waiting time for 60 seconds. Questions is, do we need to
parameterize with other parameters(wait-for to the maximum time,
and/or poll-delay for the delay time, both not required), or it is
not a case which worth to develop?
Greets
Adam
Hi,
here are the corrections Petr asked, also the other patch conatins
the plugin registration refactor.
Thanks!
You forgot an alternate summary for the --no-wait case. (Make sure
to output the DN in this case, so it's possible to poll for it.)
Instead of `task['nstaskexitcode'][0]` please use
`task.single_value['nstaskexitcode']`.
There's one more `task['nstaskexitcode'][0]`. (Perhaps putting it in a
variable
would be better?)
Here:
raise errors.DatabaseError(
desc=_(Automember rebuild membership task failed),
info=_(nstaskexitcode = '%s' %
str(task['nstaskexitcode'][0])))
there's no need to call str() on %'s argument.
Also, use natural language (like Task exit code: %s), otherwise
there's no need to mark the message for translation.
And one more thing: Please bump the minor version in the VERSION file
when API.txt changes.
Hi,
everything is corrected!
Greets
Adam
Sorry for dragging this so long, but:
The DN should not be a part of the summary, because that makes it hard to
parse
when using the API. It should be returned as a part of the result.
To do that, you'd need to change the output type:
has_output = output.standard_entry
has_output_params = (
DNParam(
'dn',
label=_('Task automember'),
doc=_('DN of the started task'),
),
)
and provide a dict in result, instead of True. (And with --no-wait, add the dn
to that dict.)
Do really want to use 'dn' for the DNParam? dn is already used for standard
entry DN when --all is used, right? automembertaskdn may be better.
Also, Task automember label sounds strange to me, would Automember task DN
be better?
Martin
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] typo in migrate-ds
On 03/21/2014 12:55 PM, Martin Kosek wrote: On 03/21/2014 10:29 AM, Misnyovszki Adam wrote: On Tue, 18 Mar 2014 19:31:31 -0600 Gabe Alford redhatri...@gmail.com wrote: All, It looks like the only typos exist in the uk and fr .po files for this ticket https://fedorahosted.org/freeipa/ticket/2546 Point me in the right direction if I am wrong. Thanks, Gabe ACK, thanks for the patch! Greets Adam I am personally not sure this is the right solution. Shouldn't this be rather re-generated from Transifex instead editing .po files directly? CCing Petr. We generally prefer Transifex, but Git is perfectly fine in my book. Pushed to master: 20c716ec9a69a4a24ff4138471a0ce457cabf99c FWIW, Transifex is a closed-source no-cost-for-FOSS webapp, same model as Github. I'm not entirely sure how having that in our preferred workflow got past Simo -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] typo in migrate-ds
On Fri, 2014-03-21 at 13:09 +0100, Petr Viktorin wrote: On 03/21/2014 12:55 PM, Martin Kosek wrote: On 03/21/2014 10:29 AM, Misnyovszki Adam wrote: On Tue, 18 Mar 2014 19:31:31 -0600 Gabe Alford redhatri...@gmail.com wrote: All, It looks like the only typos exist in the uk and fr .po files for this ticket https://fedorahosted.org/freeipa/ticket/2546 Point me in the right direction if I am wrong. Thanks, Gabe ACK, thanks for the patch! Greets Adam I am personally not sure this is the right solution. Shouldn't this be rather re-generated from Transifex instead editing .po files directly? CCing Petr. We generally prefer Transifex, but Git is perfectly fine in my book. Pushed to master: 20c716ec9a69a4a24ff4138471a0ce457cabf99c FWIW, Transifex is a closed-source no-cost-for-FOSS webapp, same model as Github. I'm not entirely sure how having that in our preferred workflow got past Simo It wasn't like that when we started using it :-/ Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 564 webui-ci: fix test_rebuild_membership_hosts on server without DNS
Host adder dialog differs on installations with and without DNS.
Previous test used values for adding hosts which were suitable only for
IPA servers installed with DNS.
--
Petr Vobornik
From 9ca559347b4f233772b2179da725eb28bddbe4e2 Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Fri, 21 Mar 2014 15:01:24 +0100
Subject: [PATCH] webui-ci: fix test_rebuild_membership_hosts on server without
DNS
Host adder dialog differs on installations with and without DNS.
Previous test used values for adding hosts which were suitable only for IPA servers installed with DNS.
---
ipatests/test_webui/test_automember.py | 24 +---
1 file changed, 5 insertions(+), 19 deletions(-)
diff --git a/ipatests/test_webui/test_automember.py b/ipatests/test_webui/test_automember.py
index 93cebeb40301558b7237f5ed6524652825a12e57..57cc7c989f9a3e012a609030fc047e24fcf1c6c3 100644
--- a/ipatests/test_webui/test_automember.py
+++ b/ipatests/test_webui/test_automember.py
@@ -23,6 +23,7 @@ Automember tests
from ipatests.test_webui.ui_driver import UI_driver
import ipatests.test_webui.data_hostgroup as hostgroup
+from ipatests.test_webui.test_host import host_tasks
ENTITY = 'automember'
@@ -88,6 +89,7 @@ class test_automember(UI_driver):
self.init_app()
+host_util = host_tasks()
domain = self.config.get('ipa_domain')
host1 = 'web1.%s' % domain
host2 = 'web2.%s' % domain
@@ -101,25 +103,9 @@ class test_automember(UI_driver):
]
})
-# Add a host
-self.add_record('host', {
-'pkey': host1,
-'add': [
-('textbox', 'hostname', 'web1'),
-('combobox', 'dnszone', domain),
-('checkbox', 'force', 'checked'),
-]
-})
-
-# Add another host
-self.add_record('host', {
-'pkey': host2,
-'add': [
-('textbox', 'hostname', 'web2'),
-('combobox', 'dnszone', domain),
-('checkbox', 'force', 'checked'),
-]
-})
+# Add hosts
+self.add_record('host', host_util.get_data(web1, domain));
+self.add_record('host', host_util.get_data(web2, domain));
# Add an automember rule
self.add_record(
--
1.8.5.3
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Talking json/rpc with java client
On 03/20/2014 02:09 PM, Simo Sorce wrote:
On Thu, 2014-03-20 at 14:47 +0200, Alexander Bokovoy wrote:
On Thu, 20 Mar 2014, Rob Crittenden wrote:
Alexander Bokovoy wrote:
On Thu, 20 Mar 2014, Massimiliano Perrone (example.com) wrote:
On 03/18/2014 05:26 PM, Alexander Bokovoy wrote:
On Tue, 18 Mar 2014, Massimiliano Perrone (example.com) wrote:
The difference between the two calls is on the last TGS_REQ;
because the first one is on ldap/olmo.example@example.com and
it's OK whereas the second one is on
HTTP/olmo.example@example.com that returns a 401 (I suppose).
Where's the error?
Am I correct that you have a user connecting to HTTP/ebano.example.com
and then HTTP/ebano.example.com wants to talk to HTTP/olmo.example.com
using credentials of the user?
FreeIPA uses constraint delegation of the credentials, with the
help of
S4U2Proxy extension. You need to allow HTTP/ebano.example.com to
delegate
credentials to HTTP/olmo.example.com.
I have written an article how to do that:
https://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html
Hi Alexander, thanks for your reply.
I read carefully your interesting post and I follow it to delegate
HTTP/ebano.example.com credentials to HTTP/olmo.example.com.
Now, two questions:
1) How can I check that my configuration, now is ok? Because this
ldapsearch returns result: 0
ldapsearch -Y GSSAPI -H ldap://olmo.example.com -b
cn=s4u2proxy,cn=etc,dc=example,dc=com
cn=ipa-http-delegation-targets dn
You need to create these delegation entries yourself, like the article
says. Note that your app talks to IPA server's HTTP service, so create
dn: cn=ebano-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
cn: ebano-http-delegation
memberPrincipal: HTTP/ebano.example@example.com
ipaAllowedTarget:
cn=ebano-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
This entry says: HTTP/ebano.example.com is allowed to delegate users'
credentials to whatever Kerberos principal is a member of
cn=ebano-http-delegation-targets group
Now, this is the group:
dn:
cn=ebano-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
objectClass: groupOfPrincipals
objectClass: top
cn: ebano-http-delegation-targets
memberPrincipal: HTTP/olomo.example@example.com
With these two entries we would have HTTP/ebano.example.com allowed to
delegate users' credentials to HTTP/olomo.example.com
Hi Alexander, thanks for your patience.
I followed your suggestions but the result is always the same.
Trying with curl, of course, it works.
My doubt now is why curl generates this log on kerberos server
mar 20 10:22:20 olmo.example.com krb5kdc[5091](info): TGS_REQ (1
etypes {18}) 192.168.0.105: ISSUE: authtime 1395301975, etypes {rep=18
tkt=18 ses=18}, ad...@example.com for krbtgt/example@example.com
mar 20 10:22:21 olmo.example.com krb5kdc[5091](info): TGS_REQ (6
etypes {18 17 16 23 25 26}) 192.168.0.106: ISSUE: authtime 1395301975,
etypes {rep=18 tkt=18 ses=18}, ad...@example.com for
ldap/olmo.example@example.com
This is effect of S4U extension working correctly.
whereas java generates this other one
mar 20 10:24:09 olmo.example.com krb5kdc[5091](info): AS_REQ (4 etypes
{18 17 16 23}) 192.168.0.105: NEEDED_PREAUTH:
HTTP/ebano.example@example.com for krbtgt/example@example.com,
Additional pre-authentication required
mar 20 10:24:09 olmo.example.com krb5kdc[5091](info): AS_REQ (4 etypes
{18 17 16 23}) 192.168.0.105: ISSUE: authtime 1395307449, etypes
{rep=18 tkt=18 ses=18}, HTTP/ebano.example@example.com for
krbtgt/example@example.com
mar 20 10:24:09 olmo.example.com krb5kdc[5091](info): TGS_REQ (6
etypes {18 17 16 23 1 3}) 192.168.0.105: ISSUE: authtime 1395307449,
etypes {rep=18 tkt=18 ses=18}, HTTP/ebano.example@example.com for
HTTP/olmo.example@example.com
As you can see, the first one uses admin on ldap service, the second
one uses HTTP/ebano.example.com on HTTP service.
This means your Java application doesn't use S4U extension or doesn't
know about that.
Can I do the same call with Java?
At this point we need to set clear what Java are you using.
http://download.java.net/jdk8/docs/technotes/guides/security/jgss/jgss-features.html
tells that S4U extensions (we use S4U2Proxy here) was added in Java SE 8.
The client doesn't do the S4U2Proxy work though, so this shouldn't
matter, right?
My point is that the client will not do what he expects unless S4U2Proxy
is used in Java and that requires Java 8 platform, released on March
18th 2014.
I think you can use earlier Java versions but tell them to use the
native GSSAPI library (and perhaps sprinkle a little bit of GSS-Proxy in
the back for fun.
Here I'm again :)
I wrote a GSSClient [1] obtaining:
###
java.io.IOException: Server returned HTTP response code: 401 for URL:
https://olmo.example.com/ipa/json
