Re: [Freeipa-devel] [PATCHES] 172-196 Refactor certificate renewal code
On 03/19/2014 02:33 PM, Jan Cholasta wrote: On 13.3.2014 13:41, Jan Cholasta wrote: On 12.3.2014 19:59, Petr Viktorin wrote: Certmonger is not configured/started in CA-less installs. That's expected. I tested fresh installs and upgrades; renewals work fine for me. 161-184 look OK 185: one more nitpick: cert = entry['usercertificate'][0] Shouldn't that use entry.single_value? I did not feel like changing this, because this is used in the original code and the userCertificate LDAP attribute is multi-value. Could you add a comment saying we don't care which of the certificates is returned? For me `entry[...][0]` is a red flag, since the order usually stays the same but it's not guaranteed, so it can change in the worst moment. If nothing else we shouldn't be leaving it in the code as an example of ipaldap usage. 186-189 look OK 190: Is fqdn = entries[0].dn[1].value return api.env.host == fqdn safe? Can they differ in case, for example? I guess so, will fix. 191-196 look OK Note that patches 178 179 were already pushed. Also, patch 190 was changed to store information about which CA instance is master in LDAP. Updated patches attached. Note that I changed the path for CSR export to /var/lib/ipa/ca.csr to make it more SELinux-friendly (not in the policy yet, see https://bugzilla.redhat.com/show_bug.cgi?id=1077689). -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH]Extending user plugin with employeenumber field
On Fri, 21 Feb 2014 16:06:27 +0100 Petr Vobornik pvobo...@redhat.com wrote: On 21.2.2014 15:45, Adam Misnyovszki wrote: Hi, According to http://tools.ietf.org/html/rfc2798 ipa client and web ui extended with employeenumber field. https://fedorahosted.org/freeipa/ticket/4165 Question is, that should we extend user with other fields which are in the RFC, (carLicense, departmentNumber, employeeType, etc) if we already touched this code? Thanks Adam +Int('employeenumber?', +label=_('Employee ID'), +minvalue=1, +), Why Int and different label? IMO it should be Str and 'Employee Number' 2.4. Employee Number Numeric or alphanumeric identifier assigned to a person, typically based on order of hire or association with an organization. Single valued. ( 2.16.840.1.113730.3.1.3 NAME 'employeeNumber' DESC 'numerically identifies an employee within an organization' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) Hi, fixed, also some other fields added. Note, that according to the rfc, licence plate field should be multivalue, should I cange that(it is an existing field). Also, should I write test cases(especially for preferredlanguage)? Greets AdamFrom 097fe5e9460806431bdd759a9e77538d5ed26d15 Mon Sep 17 00:00:00 2001 From: Adam Misnyovszki amisn...@redhat.com Date: Fri, 21 Mar 2014 09:59:01 +0100 Subject: [PATCH] Extending user plugin with inetOrgPerson fields According to http://tools.ietf.org/html/rfc2798 ipa client and web ui extended with inetOrgPerson fields: - employeenumber - employeetype - preferredlanguage - departmentnumber https://fedorahosted.org/freeipa/ticket/4165 --- API.txt| 18 +++--- install/ui/src/freeipa/user.js | 6 +- ipalib/plugins/user.py | 15 +++ 3 files changed, 35 insertions(+), 4 deletions(-) diff --git a/API.txt b/API.txt index 8e1f7713ade2b3dc046e9db82fdd6be2d85eec56..16b72963302d39a79a4f961635750ff66412b690 100644 --- a/API.txt +++ b/API.txt @@ -3791,13 +3791,16 @@ output: Entry('result', type 'dict', Gettext('A dictionary representing an LDA output: Output('summary', (type 'unicode', type 'NoneType'), None) output: Output('value', type 'unicode', None) command: user_add -args: 1,39,3 +args: 1,43,3 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('carlicense', attribute=True, cli_name='carlicense', multivalue=False, required=False) option: Str('cn', attribute=True, autofill=True, cli_name='cn', multivalue=False, required=True) +option: Str('departmentnumber', attribute=True, cli_name='departmentnumber', multivalue=False, required=False) option: Str('displayname', attribute=True, autofill=True, cli_name='displayname', multivalue=False, required=False) +option: Str('employeenumber', attribute=True, cli_name='employeenumber', multivalue=False, required=False) +option: Str('employeetype', attribute=True, cli_name='employeetype', multivalue=False, required=False) option: Str('facsimiletelephonenumber', attribute=True, cli_name='fax', multivalue=True, required=False) option: Str('gecos', attribute=True, autofill=True, cli_name='gecos', multivalue=False, required=False) option: Int('gidnumber', attribute=True, cli_name='gidnumber', minvalue=1, multivalue=False, required=False) @@ -3820,6 +3823,7 @@ option: Bool('nsaccountlock', attribute=True, cli_name='nsaccountlock', multival option: Str('ou', attribute=True, cli_name='orgunit', multivalue=False, required=False) option: Str('pager', attribute=True, cli_name='pager', multivalue=True, required=False) option: Str('postalcode', attribute=True, cli_name='postalcode', multivalue=False, required=False) +option: Str('preferredlanguage', attribute=True, cli_name='preferredlanguage', multivalue=False, pattern='^[a-zA-Z]{1,8}[-[a-zA-Z]{1,8}]?$', required=False) option: Flag('random', attribute=False, autofill=True, cli_name='random', default=False, multivalue=False, required=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('setattr*', cli_name='setattr', exclude='webui') @@ -3858,12 +3862,15 @@ output: Output('result', type 'bool', None) output: Output('summary', (type 'unicode', type 'NoneType'), None) output: Output('value', type 'unicode', None) command: user_find -args: 1,49,4 +args: 1,53,4 arg: Str('criteria?', noextrawhitespace=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('carlicense', attribute=True, autofill=False, cli_name='carlicense', multivalue=False,
Re: [Freeipa-devel] [PATCH] typo in migrate-ds
On Tue, 18 Mar 2014 19:31:31 -0600 Gabe Alford redhatri...@gmail.com wrote: All, It looks like the only typos exist in the uk and fr .po files for this ticket https://fedorahosted.org/freeipa/ticket/2546 Point me in the right direction if I am wrong. Thanks, Gabe ACK, thanks for the patch! Greets Adam ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH][RFC] 7 automember rebuild nowait feature added
On 03/20/2014 04:22 PM, Misnyovszki Adam wrote: On Thu, 20 Mar 2014 14:19:51 +0100 Misnyovszki Adam amisn...@redhat.com wrote: On Fri, 14 Mar 2014 13:26:15 -0400 Rob Crittenden rcrit...@redhat.com wrote: Misnyovszki Adam wrote: Hi, automember-rebuild uses asynchronous 389 task, and returned success even if the task didn't run. This patch fixes this issue adding a --nowait parameter to 'ipa automember-rebuild', defaulting to False, thus when the script runs without it, it waits for the 'nstaskexitcode' attribute, which means the task has finished, according to http://directory.fedoraproject.org/wiki/Task_Invocation_Via_LDAP#Implementation. Old usage can be enabled using --nowait. https://fedorahosted.org/freeipa/ticket/4239 Request for comments: - Should I add a parameter to specify the polling time? (now 1ms) - Should I add a parameter to specify the maximum polling number? Now if something fails about creating the task, it polls forever. - Obviously, if these parameters should be added, there should be a reasonable default for them (~ Required=False, Default=X). I don't think you need a polling time, esp since this is hidden from the user, but I think that is probably too short and you may end up hammering the LDAP server. I also wonder if there should be some maximum wait time. I don't like loops that can never exit. I'm at a loss for what that time should be though. And we'd need to spell out that we gave up waiting, not that the task necessarily failed. So rather than having a polling time option, rename nowait into wait_for=20, so wait for 20 seconds. Or something like that. I'd suggest using get_entry since you already know the full DN and there is only ever one. It would make this much more readable. I wonder if some top-level documentation should be added to flesh this out some more. This does, for example, return False in one case. The meaning for that should be spelled out. rob Hi, personally I would keep --no-wait, with a delay of 1 seconds, and a maximum waiting time for 60 seconds. Questions is, do we need to parameterize with other parameters(wait-for to the maximum time, and/or poll-delay for the delay time, both not required), or it is not a case which worth to develop? Greets Adam Hi, here are the corrections Petr asked, also the other patch conatins the plugin registration refactor. Thanks! You forgot an alternate summary for the --no-wait case. (Make sure to output the DN in this case, so it's possible to poll for it.) Instead of `task['nstaskexitcode'][0]` please use `task.single_value['nstaskexitcode']`. Here: raise errors.DatabaseError( desc=_(Automember rebuild membership task failed), info=_(nstaskexitcode = '%s' % str(task['nstaskexitcode'][0]))) there's no need to call str() on %'s argument. Also, use natural language (like Task exit code: %s), otherwise there's no need to mark the message for translation. -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH][RFC] 7 automember rebuild nowait feature added
On 03/21/2014 10:29 AM, Petr Viktorin wrote: On 03/20/2014 04:22 PM, Misnyovszki Adam wrote: On Thu, 20 Mar 2014 14:19:51 +0100 Misnyovszki Adam amisn...@redhat.com wrote: On Fri, 14 Mar 2014 13:26:15 -0400 Rob Crittenden rcrit...@redhat.com wrote: Misnyovszki Adam wrote: Hi, automember-rebuild uses asynchronous 389 task, and returned success even if the task didn't run. This patch fixes this issue adding a --nowait parameter to 'ipa automember-rebuild', defaulting to False, thus when the script runs without it, it waits for the 'nstaskexitcode' attribute, which means the task has finished, according to http://directory.fedoraproject.org/wiki/Task_Invocation_Via_LDAP#Implementation. Old usage can be enabled using --nowait. https://fedorahosted.org/freeipa/ticket/4239 Request for comments: - Should I add a parameter to specify the polling time? (now 1ms) - Should I add a parameter to specify the maximum polling number? Now if something fails about creating the task, it polls forever. - Obviously, if these parameters should be added, there should be a reasonable default for them (~ Required=False, Default=X). I don't think you need a polling time, esp since this is hidden from the user, but I think that is probably too short and you may end up hammering the LDAP server. I also wonder if there should be some maximum wait time. I don't like loops that can never exit. I'm at a loss for what that time should be though. And we'd need to spell out that we gave up waiting, not that the task necessarily failed. So rather than having a polling time option, rename nowait into wait_for=20, so wait for 20 seconds. Or something like that. I'd suggest using get_entry since you already know the full DN and there is only ever one. It would make this much more readable. I wonder if some top-level documentation should be added to flesh this out some more. This does, for example, return False in one case. The meaning for that should be spelled out. rob Hi, personally I would keep --no-wait, with a delay of 1 seconds, and a maximum waiting time for 60 seconds. Questions is, do we need to parameterize with other parameters(wait-for to the maximum time, and/or poll-delay for the delay time, both not required), or it is not a case which worth to develop? Greets Adam Hi, here are the corrections Petr asked, also the other patch conatins the plugin registration refactor. Thanks! You forgot an alternate summary for the --no-wait case. (Make sure to output the DN in this case, so it's possible to poll for it.) Instead of `task['nstaskexitcode'][0]` please use `task.single_value['nstaskexitcode']`. Here: raise errors.DatabaseError( desc=_(Automember rebuild membership task failed), info=_(nstaskexitcode = '%s' % str(task['nstaskexitcode'][0]))) there's no need to call str() on %'s argument. Also, use natural language (like Task exit code: %s), otherwise there's no need to mark the message for translation. And one more thing: Please bump the minor version in the VERSION file when API.txt changes. -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH]Extending user plugin with employeenumber field
On Fri, 21 Mar 2014 10:13:55 +0100 Misnyovszki Adam amisn...@redhat.com wrote: On Fri, 21 Feb 2014 16:06:27 +0100 Petr Vobornik pvobo...@redhat.com wrote: On 21.2.2014 15:45, Adam Misnyovszki wrote: Hi, According to http://tools.ietf.org/html/rfc2798 ipa client and web ui extended with employeenumber field. https://fedorahosted.org/freeipa/ticket/4165 Question is, that should we extend user with other fields which are in the RFC, (carLicense, departmentNumber, employeeType, etc) if we already touched this code? Thanks Adam +Int('employeenumber?', +label=_('Employee ID'), +minvalue=1, +), Why Int and different label? IMO it should be Str and 'Employee Number' 2.4. Employee Number Numeric or alphanumeric identifier assigned to a person, typically based on order of hire or association with an organization. Single valued. ( 2.16.840.1.113730.3.1.3 NAME 'employeeNumber' DESC 'numerically identifies an employee within an organization' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) Hi, fixed, also some other fields added. Note, that according to the rfc, licence plate field should be multivalue, should I cange that(it is an existing field). Also, should I write test cases(especially for preferredlanguage)? Greets Adam self NACK, VERSION bump because API change Greets Adam From 5b657e13580635a0c7862d22de76841c4c9a13a2 Mon Sep 17 00:00:00 2001 From: Adam Misnyovszki amisn...@redhat.com Date: Fri, 21 Mar 2014 10:59:26 +0100 Subject: [PATCH] Extending user plugin with inetOrgPerson fields According to http://tools.ietf.org/html/rfc2798 ipa client and web ui extended with inetOrgPerson fields: - employeenumber - employeetype - preferredlanguage - departmentnumber https://fedorahosted.org/freeipa/ticket/4165 --- API.txt| 18 +++--- VERSION| 4 ++-- install/ui/src/freeipa/user.js | 6 +- ipalib/plugins/user.py | 15 +++ 4 files changed, 37 insertions(+), 6 deletions(-) diff --git a/API.txt b/API.txt index 8e1f7713ade2b3dc046e9db82fdd6be2d85eec56..16b72963302d39a79a4f961635750ff66412b690 100644 --- a/API.txt +++ b/API.txt @@ -3791,13 +3791,16 @@ output: Entry('result', type 'dict', Gettext('A dictionary representing an LDA output: Output('summary', (type 'unicode', type 'NoneType'), None) output: Output('value', type 'unicode', None) command: user_add -args: 1,39,3 +args: 1,43,3 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('carlicense', attribute=True, cli_name='carlicense', multivalue=False, required=False) option: Str('cn', attribute=True, autofill=True, cli_name='cn', multivalue=False, required=True) +option: Str('departmentnumber', attribute=True, cli_name='departmentnumber', multivalue=False, required=False) option: Str('displayname', attribute=True, autofill=True, cli_name='displayname', multivalue=False, required=False) +option: Str('employeenumber', attribute=True, cli_name='employeenumber', multivalue=False, required=False) +option: Str('employeetype', attribute=True, cli_name='employeetype', multivalue=False, required=False) option: Str('facsimiletelephonenumber', attribute=True, cli_name='fax', multivalue=True, required=False) option: Str('gecos', attribute=True, autofill=True, cli_name='gecos', multivalue=False, required=False) option: Int('gidnumber', attribute=True, cli_name='gidnumber', minvalue=1, multivalue=False, required=False) @@ -3820,6 +3823,7 @@ option: Bool('nsaccountlock', attribute=True, cli_name='nsaccountlock', multival option: Str('ou', attribute=True, cli_name='orgunit', multivalue=False, required=False) option: Str('pager', attribute=True, cli_name='pager', multivalue=True, required=False) option: Str('postalcode', attribute=True, cli_name='postalcode', multivalue=False, required=False) +option: Str('preferredlanguage', attribute=True, cli_name='preferredlanguage', multivalue=False, pattern='^[a-zA-Z]{1,8}[-[a-zA-Z]{1,8}]?$', required=False) option: Flag('random', attribute=False, autofill=True, cli_name='random', default=False, multivalue=False, required=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('setattr*', cli_name='setattr', exclude='webui') @@ -3858,12 +3862,15 @@ output: Output('result', type 'bool', None) output: Output('summary', (type 'unicode', type 'NoneType'), None) output: Output('value', type 'unicode', None) command: user_find -args: 1,49,4 +args: 1,53,4 arg:
Re: [Freeipa-devel] [PATCHES] 0499-0502 permission CLI: rename --permissions to --right
On 03/20/2014 07:20 PM, Misnyovszki Adam wrote: On Tue, 18 Mar 2014 12:02:06 +0100 Petr Viktorin pvikt...@redhat.com wrote: Hello, This renames --permissions to --right. The old name is kept as a deprecated alias. FreeIPA didn't have a mechanism for doing this, so I added one. Also, while I was digging around in this part, I made the new IntEnum (and all future Enums) act like StrEnum in --help output. https://fedorahosted.org/freeipa/ticket/4231 499 ACK 500 ACK 501 ACK - although should it allow mixing deprecated and current aliases(eg --permission=read --right=write)? You're right, this is a strange edge case, but detecting this would need need a much more complicated approach than sharing the option's `dest`. I don't think it's worth it. - works fine with cli / webui also - help displays nicely 502 - tested with more than one deprecated alias - API.txt validation doesn't match, although it has the same output: Got StrEnum('ipapermright', attribute=True, cli_name='right', deprecated_cli_aliases=set(['testalias', 'permissions']), multivalue=True, required=False, values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all')) Expected StrEnum('ipapermright', attribute=True, cli_name='right', deprecated_cli_aliases=set(['testalias','permissions']), multivalue=True, required=False, values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all')) API.txt: option: StrEnum('ipapermright', attribute=True, cli_name='right', deprecated_cli_aliases=set(['testalias','permissions']), multivalue=True, required=False, values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all')) ipalib/plugins/permission.py: StrEnum( 'ipapermright*', cli_name='right', deprecated_cli_aliases={'permissions','testalias'}, label=_('Granted rights'), doc=_('Rights to grant ' '(read, search, compare, write, add, delete, all)'), values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all'), ), don't know if it is a problem anyways - other tests(cli, webui) works fine for me - unit tests related to this ran as expected so besides the multiple deprecated_cli_aliases issue, it's an ACK It looks like you've edited API.txt by hand and forgot a space after the comma in ['testalias','permissions']. Does it work if you use makeapi to regenerate API.txt? -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH][RFC] 7 automember rebuild nowait feature added
On Fri, 21 Mar 2014 10:33:00 +0100 Petr Viktorin pvikt...@redhat.com wrote: On 03/21/2014 10:29 AM, Petr Viktorin wrote: On 03/20/2014 04:22 PM, Misnyovszki Adam wrote: On Thu, 20 Mar 2014 14:19:51 +0100 Misnyovszki Adam amisn...@redhat.com wrote: On Fri, 14 Mar 2014 13:26:15 -0400 Rob Crittenden rcrit...@redhat.com wrote: Misnyovszki Adam wrote: Hi, automember-rebuild uses asynchronous 389 task, and returned success even if the task didn't run. This patch fixes this issue adding a --nowait parameter to 'ipa automember-rebuild', defaulting to False, thus when the script runs without it, it waits for the 'nstaskexitcode' attribute, which means the task has finished, according to http://directory.fedoraproject.org/wiki/Task_Invocation_Via_LDAP#Implementation. Old usage can be enabled using --nowait. https://fedorahosted.org/freeipa/ticket/4239 Request for comments: - Should I add a parameter to specify the polling time? (now 1ms) - Should I add a parameter to specify the maximum polling number? Now if something fails about creating the task, it polls forever. - Obviously, if these parameters should be added, there should be a reasonable default for them (~ Required=False, Default=X). I don't think you need a polling time, esp since this is hidden from the user, but I think that is probably too short and you may end up hammering the LDAP server. I also wonder if there should be some maximum wait time. I don't like loops that can never exit. I'm at a loss for what that time should be though. And we'd need to spell out that we gave up waiting, not that the task necessarily failed. So rather than having a polling time option, rename nowait into wait_for=20, so wait for 20 seconds. Or something like that. I'd suggest using get_entry since you already know the full DN and there is only ever one. It would make this much more readable. I wonder if some top-level documentation should be added to flesh this out some more. This does, for example, return False in one case. The meaning for that should be spelled out. rob Hi, personally I would keep --no-wait, with a delay of 1 seconds, and a maximum waiting time for 60 seconds. Questions is, do we need to parameterize with other parameters(wait-for to the maximum time, and/or poll-delay for the delay time, both not required), or it is not a case which worth to develop? Greets Adam Hi, here are the corrections Petr asked, also the other patch conatins the plugin registration refactor. Thanks! You forgot an alternate summary for the --no-wait case. (Make sure to output the DN in this case, so it's possible to poll for it.) Instead of `task['nstaskexitcode'][0]` please use `task.single_value['nstaskexitcode']`. Here: raise errors.DatabaseError( desc=_(Automember rebuild membership task failed), info=_(nstaskexitcode = '%s' % str(task['nstaskexitcode'][0]))) there's no need to call str() on %'s argument. Also, use natural language (like Task exit code: %s), otherwise there's no need to mark the message for translation. And one more thing: Please bump the minor version in the VERSION file when API.txt changes. Hi, everything is corrected! Greets Adam From 049a163583e18d63716a8419849b5f1880cb567f Mon Sep 17 00:00:00 2001 From: Adam Misnyovszki amisn...@redhat.com Date: Fri, 21 Mar 2014 11:58:44 +0100 Subject: [PATCH] automember rebuild nowait feature added automember-rebuild uses asynchronous 389 task, and returned success even if the task didn't run. this patch fixes this issue adding a --nowait parameter to 'ipa automember-rebuild', defaulting to False, thus when the script runs without it, it waits for the 'nstaskexitcode' attribute, which means the task has finished. Old usage can be enabled using --nowait, and returns the DN of the task for further polling. https://fedorahosted.org/freeipa/ticket/4239 --- API.txt | 3 ++- VERSION | 4 ++-- ipalib/plugins/automember.py | 56 3 files changed, 50 insertions(+), 13 deletions(-) diff --git a/API.txt b/API.txt index 8e1f7713ade2b3dc046e9db82fdd6be2d85eec56..fa28a88f78270dd5858d97b88ee22ae7cdd8b13c 100644 --- a/API.txt +++ b/API.txt @@ -201,8 +201,9 @@ output: Entry('result', type 'dict', Gettext('A dictionary representing an LDA output: Output('summary', (type 'unicode', type 'NoneType'), None) output: Output('value', type 'unicode', None) command: automember_rebuild -args: 0,4,3 +args: 0,5,3 option: Str('hosts*') +option: Flag('no_wait?', autofill=True, default=False) option: StrEnum('type', cli_name='type', multivalue=False, required=False, values=(u'group', u'hostgroup')) option: Str('users*') option: Str('version?', exclude='webui') diff --git a/VERSION b/VERSION index
Re: [Freeipa-devel] [PATCHES] 0499-0502 permission CLI: rename --permissions to --right
On Fri, 21 Mar 2014 11:14:43 +0100 Petr Viktorin pvikt...@redhat.com wrote: On 03/20/2014 07:20 PM, Misnyovszki Adam wrote: On Tue, 18 Mar 2014 12:02:06 +0100 Petr Viktorin pvikt...@redhat.com wrote: Hello, This renames --permissions to --right. The old name is kept as a deprecated alias. FreeIPA didn't have a mechanism for doing this, so I added one. Also, while I was digging around in this part, I made the new IntEnum (and all future Enums) act like StrEnum in --help output. https://fedorahosted.org/freeipa/ticket/4231 499 ACK 500 ACK 501 ACK - although should it allow mixing deprecated and current aliases(eg --permission=read --right=write)? You're right, this is a strange edge case, but detecting this would need need a much more complicated approach than sharing the option's `dest`. I don't think it's worth it. - works fine with cli / webui also - help displays nicely 502 - tested with more than one deprecated alias - API.txt validation doesn't match, although it has the same output: Got StrEnum('ipapermright', attribute=True, cli_name='right', deprecated_cli_aliases=set(['testalias', 'permissions']), multivalue=True, required=False, values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all')) Expected StrEnum('ipapermright', attribute=True, cli_name='right', deprecated_cli_aliases=set(['testalias','permissions']), multivalue=True, required=False, values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all')) API.txt: option: StrEnum('ipapermright', attribute=True, cli_name='right', deprecated_cli_aliases=set(['testalias','permissions']), multivalue=True, required=False, values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all')) ipalib/plugins/permission.py: StrEnum( 'ipapermright*', cli_name='right', deprecated_cli_aliases={'permissions','testalias'}, label=_('Granted rights'), doc=_('Rights to grant ' '(read, search, compare, write, add, delete, all)'), values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all'), ), don't know if it is a problem anyways - other tests(cli, webui) works fine for me - unit tests related to this ran as expected so besides the multiple deprecated_cli_aliases issue, it's an ACK It looks like you've edited API.txt by hand and forgot a space after the comma in ['testalias','permissions']. Does it work if you use makeapi to regenerate API.txt? You are right, my mistake, with ./makeapi, it works, even when the CLI got this for parameters: --right=read --permission=search --testparam=write ACK Greets Adam ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH][RFC] 7 automember rebuild nowait feature added
On 03/21/2014 12:00 PM, Misnyovszki Adam wrote: On Fri, 21 Mar 2014 10:33:00 +0100 Petr Viktorin pvikt...@redhat.com wrote: On 03/21/2014 10:29 AM, Petr Viktorin wrote: On 03/20/2014 04:22 PM, Misnyovszki Adam wrote: On Thu, 20 Mar 2014 14:19:51 +0100 Misnyovszki Adam amisn...@redhat.com wrote: On Fri, 14 Mar 2014 13:26:15 -0400 Rob Crittenden rcrit...@redhat.com wrote: Misnyovszki Adam wrote: Hi, automember-rebuild uses asynchronous 389 task, and returned success even if the task didn't run. This patch fixes this issue adding a --nowait parameter to 'ipa automember-rebuild', defaulting to False, thus when the script runs without it, it waits for the 'nstaskexitcode' attribute, which means the task has finished, according to http://directory.fedoraproject.org/wiki/Task_Invocation_Via_LDAP#Implementation. Old usage can be enabled using --nowait. https://fedorahosted.org/freeipa/ticket/4239 Request for comments: - Should I add a parameter to specify the polling time? (now 1ms) - Should I add a parameter to specify the maximum polling number? Now if something fails about creating the task, it polls forever. - Obviously, if these parameters should be added, there should be a reasonable default for them (~ Required=False, Default=X). I don't think you need a polling time, esp since this is hidden from the user, but I think that is probably too short and you may end up hammering the LDAP server. I also wonder if there should be some maximum wait time. I don't like loops that can never exit. I'm at a loss for what that time should be though. And we'd need to spell out that we gave up waiting, not that the task necessarily failed. So rather than having a polling time option, rename nowait into wait_for=20, so wait for 20 seconds. Or something like that. I'd suggest using get_entry since you already know the full DN and there is only ever one. It would make this much more readable. I wonder if some top-level documentation should be added to flesh this out some more. This does, for example, return False in one case. The meaning for that should be spelled out. rob Hi, personally I would keep --no-wait, with a delay of 1 seconds, and a maximum waiting time for 60 seconds. Questions is, do we need to parameterize with other parameters(wait-for to the maximum time, and/or poll-delay for the delay time, both not required), or it is not a case which worth to develop? Greets Adam Hi, here are the corrections Petr asked, also the other patch conatins the plugin registration refactor. Thanks! You forgot an alternate summary for the --no-wait case. (Make sure to output the DN in this case, so it's possible to poll for it.) Instead of `task['nstaskexitcode'][0]` please use `task.single_value['nstaskexitcode']`. There's one more `task['nstaskexitcode'][0]`. (Perhaps putting it in a variable would be better?) Here: raise errors.DatabaseError( desc=_(Automember rebuild membership task failed), info=_(nstaskexitcode = '%s' % str(task['nstaskexitcode'][0]))) there's no need to call str() on %'s argument. Also, use natural language (like Task exit code: %s), otherwise there's no need to mark the message for translation. And one more thing: Please bump the minor version in the VERSION file when API.txt changes. Hi, everything is corrected! Greets Adam Sorry for dragging this so long, but: The DN should not be a part of the summary, because that makes it hard to parse when using the API. It should be returned as a part of the result. To do that, you'd need to change the output type: has_output = output.standard_entry has_output_params = ( DNParam( 'dn', label=_('Task automember'), doc=_('DN of the started task'), ), ) and provide a dict in result, instead of True. (And with --no-wait, add the dn to that dict.) -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 0499-0502 permission CLI: rename --permissions to --right
On 03/21/2014 12:10 PM, Misnyovszki Adam wrote: On Fri, 21 Mar 2014 11:14:43 +0100 Petr Viktorin pvikt...@redhat.com wrote: On 03/20/2014 07:20 PM, Misnyovszki Adam wrote: On Tue, 18 Mar 2014 12:02:06 +0100 Petr Viktorin pvikt...@redhat.com wrote: Hello, This renames --permissions to --right. The old name is kept as a deprecated alias. FreeIPA didn't have a mechanism for doing this, so I added one. Also, while I was digging around in this part, I made the new IntEnum (and all future Enums) act like StrEnum in --help output. https://fedorahosted.org/freeipa/ticket/4231 499 ACK 500 ACK 501 ACK - although should it allow mixing deprecated and current aliases(eg --permission=read --right=write)? You're right, this is a strange edge case, but detecting this would need need a much more complicated approach than sharing the option's `dest`. I don't think it's worth it. - works fine with cli / webui also - help displays nicely 502 - tested with more than one deprecated alias - API.txt validation doesn't match, although it has the same output: Got StrEnum('ipapermright', attribute=True, cli_name='right', deprecated_cli_aliases=set(['testalias', 'permissions']), multivalue=True, required=False, values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all')) Expected StrEnum('ipapermright', attribute=True, cli_name='right', deprecated_cli_aliases=set(['testalias','permissions']), multivalue=True, required=False, values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all')) API.txt: option: StrEnum('ipapermright', attribute=True, cli_name='right', deprecated_cli_aliases=set(['testalias','permissions']), multivalue=True, required=False, values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all')) ipalib/plugins/permission.py: StrEnum( 'ipapermright*', cli_name='right', deprecated_cli_aliases={'permissions','testalias'}, label=_('Granted rights'), doc=_('Rights to grant ' '(read, search, compare, write, add, delete, all)'), values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all'), ), don't know if it is a problem anyways - other tests(cli, webui) works fine for me - unit tests related to this ran as expected so besides the multiple deprecated_cli_aliases issue, it's an ACK It looks like you've edited API.txt by hand and forgot a space after the comma in ['testalias','permissions']. Does it work if you use makeapi to regenerate API.txt? You are right, my mistake, with ./makeapi, it works, even when the CLI got this for parameters: --right=read --permission=search --testparam=write ACK Thanks for the review! Greets Adam Adam commented in person that I should bump VERSION; I did that as an additional one-liner change. Pushed to master: 801b2fd4588b8b40b74140f26b12eb190306d260 -- Petr³ From fb0ace5ad34cf702f240de64664da2935d4accd2 Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Tue, 18 Mar 2014 10:15:55 +0100 Subject: [PATCH] permission CLI: rename --permissions to --right The old name is kept as a deprecated alias. https://fedorahosted.org/freeipa/ticket/4231 --- API.txt | 6 +++--- VERSION | 4 ++-- ipalib/plugins/permission.py | 5 +++-- 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/API.txt b/API.txt index 8e1f7713ade2b3dc046e9db82fdd6be2d85eec56..ca9a73e510e6426309ac6c47dab3be763a0d0490 100644 --- a/API.txt +++ b/API.txt @@ -2333,7 +2333,7 @@ command: permission_add option: Str('filter', attribute=False, cli_name='filter', multivalue=True, required=False) option: StrEnum('ipapermbindruletype', attribute=True, autofill=True, cli_name='bindtype', default=u'permission', multivalue=False, required=True, values=(u'permission', u'all', u'anonymous')) option: DNOrURL('ipapermlocation', alwaysask=True, attribute=True, autofill=False, cli_name='subtree', multivalue=False, query=False, required=False) -option: StrEnum('ipapermright', attribute=True, cli_name='permissions', multivalue=True, required=False, values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all')) +option: StrEnum('ipapermright', attribute=True, cli_name='right', deprecated_cli_aliases=set(['permissions']), multivalue=True, required=False, values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all')) option: DNParam('ipapermtarget', attribute=True, cli_name='target', multivalue=False, required=False) option: Str('ipapermtargetfilter', attribute=True, cli_name='rawfilter', multivalue=True, required=False) option: Str('memberof', alwaysask=True, attribute=False, autofill=False, cli_name='memberof', multivalue=True, query=False, required=False) @@ -2392,7 +2392,7 @@ command: permission_find option: Str('ipapermexcludedattr', attribute=True, autofill=False,
Re: [Freeipa-devel] [PATCH] typo in migrate-ds
On 03/21/2014 10:29 AM, Misnyovszki Adam wrote: On Tue, 18 Mar 2014 19:31:31 -0600 Gabe Alford redhatri...@gmail.com wrote: All, It looks like the only typos exist in the uk and fr .po files for this ticket https://fedorahosted.org/freeipa/ticket/2546 Point me in the right direction if I am wrong. Thanks, Gabe ACK, thanks for the patch! Greets Adam I am personally not sure this is the right solution. Shouldn't this be rather re-generated from Transifex instead editing .po files directly? CCing Petr. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH][RFC] 7 automember rebuild nowait feature added
On 03/21/2014 12:38 PM, Petr Viktorin wrote: On 03/21/2014 12:00 PM, Misnyovszki Adam wrote: On Fri, 21 Mar 2014 10:33:00 +0100 Petr Viktorin pvikt...@redhat.com wrote: On 03/21/2014 10:29 AM, Petr Viktorin wrote: On 03/20/2014 04:22 PM, Misnyovszki Adam wrote: On Thu, 20 Mar 2014 14:19:51 +0100 Misnyovszki Adam amisn...@redhat.com wrote: On Fri, 14 Mar 2014 13:26:15 -0400 Rob Crittenden rcrit...@redhat.com wrote: Misnyovszki Adam wrote: Hi, automember-rebuild uses asynchronous 389 task, and returned success even if the task didn't run. This patch fixes this issue adding a --nowait parameter to 'ipa automember-rebuild', defaulting to False, thus when the script runs without it, it waits for the 'nstaskexitcode' attribute, which means the task has finished, according to http://directory.fedoraproject.org/wiki/Task_Invocation_Via_LDAP#Implementation. Old usage can be enabled using --nowait. https://fedorahosted.org/freeipa/ticket/4239 Request for comments: - Should I add a parameter to specify the polling time? (now 1ms) - Should I add a parameter to specify the maximum polling number? Now if something fails about creating the task, it polls forever. - Obviously, if these parameters should be added, there should be a reasonable default for them (~ Required=False, Default=X). I don't think you need a polling time, esp since this is hidden from the user, but I think that is probably too short and you may end up hammering the LDAP server. I also wonder if there should be some maximum wait time. I don't like loops that can never exit. I'm at a loss for what that time should be though. And we'd need to spell out that we gave up waiting, not that the task necessarily failed. So rather than having a polling time option, rename nowait into wait_for=20, so wait for 20 seconds. Or something like that. I'd suggest using get_entry since you already know the full DN and there is only ever one. It would make this much more readable. I wonder if some top-level documentation should be added to flesh this out some more. This does, for example, return False in one case. The meaning for that should be spelled out. rob Hi, personally I would keep --no-wait, with a delay of 1 seconds, and a maximum waiting time for 60 seconds. Questions is, do we need to parameterize with other parameters(wait-for to the maximum time, and/or poll-delay for the delay time, both not required), or it is not a case which worth to develop? Greets Adam Hi, here are the corrections Petr asked, also the other patch conatins the plugin registration refactor. Thanks! You forgot an alternate summary for the --no-wait case. (Make sure to output the DN in this case, so it's possible to poll for it.) Instead of `task['nstaskexitcode'][0]` please use `task.single_value['nstaskexitcode']`. There's one more `task['nstaskexitcode'][0]`. (Perhaps putting it in a variable would be better?) Here: raise errors.DatabaseError( desc=_(Automember rebuild membership task failed), info=_(nstaskexitcode = '%s' % str(task['nstaskexitcode'][0]))) there's no need to call str() on %'s argument. Also, use natural language (like Task exit code: %s), otherwise there's no need to mark the message for translation. And one more thing: Please bump the minor version in the VERSION file when API.txt changes. Hi, everything is corrected! Greets Adam Sorry for dragging this so long, but: The DN should not be a part of the summary, because that makes it hard to parse when using the API. It should be returned as a part of the result. To do that, you'd need to change the output type: has_output = output.standard_entry has_output_params = ( DNParam( 'dn', label=_('Task automember'), doc=_('DN of the started task'), ), ) and provide a dict in result, instead of True. (And with --no-wait, add the dn to that dict.) Do really want to use 'dn' for the DNParam? dn is already used for standard entry DN when --all is used, right? automembertaskdn may be better. Also, Task automember label sounds strange to me, would Automember task DN be better? Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] typo in migrate-ds
On 03/21/2014 12:55 PM, Martin Kosek wrote: On 03/21/2014 10:29 AM, Misnyovszki Adam wrote: On Tue, 18 Mar 2014 19:31:31 -0600 Gabe Alford redhatri...@gmail.com wrote: All, It looks like the only typos exist in the uk and fr .po files for this ticket https://fedorahosted.org/freeipa/ticket/2546 Point me in the right direction if I am wrong. Thanks, Gabe ACK, thanks for the patch! Greets Adam I am personally not sure this is the right solution. Shouldn't this be rather re-generated from Transifex instead editing .po files directly? CCing Petr. We generally prefer Transifex, but Git is perfectly fine in my book. Pushed to master: 20c716ec9a69a4a24ff4138471a0ce457cabf99c FWIW, Transifex is a closed-source no-cost-for-FOSS webapp, same model as Github. I'm not entirely sure how having that in our preferred workflow got past Simo -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] typo in migrate-ds
On Fri, 2014-03-21 at 13:09 +0100, Petr Viktorin wrote: On 03/21/2014 12:55 PM, Martin Kosek wrote: On 03/21/2014 10:29 AM, Misnyovszki Adam wrote: On Tue, 18 Mar 2014 19:31:31 -0600 Gabe Alford redhatri...@gmail.com wrote: All, It looks like the only typos exist in the uk and fr .po files for this ticket https://fedorahosted.org/freeipa/ticket/2546 Point me in the right direction if I am wrong. Thanks, Gabe ACK, thanks for the patch! Greets Adam I am personally not sure this is the right solution. Shouldn't this be rather re-generated from Transifex instead editing .po files directly? CCing Petr. We generally prefer Transifex, but Git is perfectly fine in my book. Pushed to master: 20c716ec9a69a4a24ff4138471a0ce457cabf99c FWIW, Transifex is a closed-source no-cost-for-FOSS webapp, same model as Github. I'm not entirely sure how having that in our preferred workflow got past Simo It wasn't like that when we started using it :-/ Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 564 webui-ci: fix test_rebuild_membership_hosts on server without DNS
Host adder dialog differs on installations with and without DNS. Previous test used values for adding hosts which were suitable only for IPA servers installed with DNS. -- Petr Vobornik From 9ca559347b4f233772b2179da725eb28bddbe4e2 Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Fri, 21 Mar 2014 15:01:24 +0100 Subject: [PATCH] webui-ci: fix test_rebuild_membership_hosts on server without DNS Host adder dialog differs on installations with and without DNS. Previous test used values for adding hosts which were suitable only for IPA servers installed with DNS. --- ipatests/test_webui/test_automember.py | 24 +--- 1 file changed, 5 insertions(+), 19 deletions(-) diff --git a/ipatests/test_webui/test_automember.py b/ipatests/test_webui/test_automember.py index 93cebeb40301558b7237f5ed6524652825a12e57..57cc7c989f9a3e012a609030fc047e24fcf1c6c3 100644 --- a/ipatests/test_webui/test_automember.py +++ b/ipatests/test_webui/test_automember.py @@ -23,6 +23,7 @@ Automember tests from ipatests.test_webui.ui_driver import UI_driver import ipatests.test_webui.data_hostgroup as hostgroup +from ipatests.test_webui.test_host import host_tasks ENTITY = 'automember' @@ -88,6 +89,7 @@ class test_automember(UI_driver): self.init_app() +host_util = host_tasks() domain = self.config.get('ipa_domain') host1 = 'web1.%s' % domain host2 = 'web2.%s' % domain @@ -101,25 +103,9 @@ class test_automember(UI_driver): ] }) -# Add a host -self.add_record('host', { -'pkey': host1, -'add': [ -('textbox', 'hostname', 'web1'), -('combobox', 'dnszone', domain), -('checkbox', 'force', 'checked'), -] -}) - -# Add another host -self.add_record('host', { -'pkey': host2, -'add': [ -('textbox', 'hostname', 'web2'), -('combobox', 'dnszone', domain), -('checkbox', 'force', 'checked'), -] -}) +# Add hosts +self.add_record('host', host_util.get_data(web1, domain)); +self.add_record('host', host_util.get_data(web2, domain)); # Add an automember rule self.add_record( -- 1.8.5.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Talking json/rpc with java client
On 03/20/2014 02:09 PM, Simo Sorce wrote: On Thu, 2014-03-20 at 14:47 +0200, Alexander Bokovoy wrote: On Thu, 20 Mar 2014, Rob Crittenden wrote: Alexander Bokovoy wrote: On Thu, 20 Mar 2014, Massimiliano Perrone (example.com) wrote: On 03/18/2014 05:26 PM, Alexander Bokovoy wrote: On Tue, 18 Mar 2014, Massimiliano Perrone (example.com) wrote: The difference between the two calls is on the last TGS_REQ; because the first one is on ldap/olmo.example@example.com and it's OK whereas the second one is on HTTP/olmo.example@example.com that returns a 401 (I suppose). Where's the error? Am I correct that you have a user connecting to HTTP/ebano.example.com and then HTTP/ebano.example.com wants to talk to HTTP/olmo.example.com using credentials of the user? FreeIPA uses constraint delegation of the credentials, with the help of S4U2Proxy extension. You need to allow HTTP/ebano.example.com to delegate credentials to HTTP/olmo.example.com. I have written an article how to do that: https://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html Hi Alexander, thanks for your reply. I read carefully your interesting post and I follow it to delegate HTTP/ebano.example.com credentials to HTTP/olmo.example.com. Now, two questions: 1) How can I check that my configuration, now is ok? Because this ldapsearch returns result: 0 ldapsearch -Y GSSAPI -H ldap://olmo.example.com -b cn=s4u2proxy,cn=etc,dc=example,dc=com cn=ipa-http-delegation-targets dn You need to create these delegation entries yourself, like the article says. Note that your app talks to IPA server's HTTP service, so create dn: cn=ebano-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com objectClass: ipaKrb5DelegationACL objectClass: groupOfPrincipals objectClass: top cn: ebano-http-delegation memberPrincipal: HTTP/ebano.example@example.com ipaAllowedTarget: cn=ebano-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com This entry says: HTTP/ebano.example.com is allowed to delegate users' credentials to whatever Kerberos principal is a member of cn=ebano-http-delegation-targets group Now, this is the group: dn: cn=ebano-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com objectClass: groupOfPrincipals objectClass: top cn: ebano-http-delegation-targets memberPrincipal: HTTP/olomo.example@example.com With these two entries we would have HTTP/ebano.example.com allowed to delegate users' credentials to HTTP/olomo.example.com Hi Alexander, thanks for your patience. I followed your suggestions but the result is always the same. Trying with curl, of course, it works. My doubt now is why curl generates this log on kerberos server mar 20 10:22:20 olmo.example.com krb5kdc[5091](info): TGS_REQ (1 etypes {18}) 192.168.0.105: ISSUE: authtime 1395301975, etypes {rep=18 tkt=18 ses=18}, ad...@example.com for krbtgt/example@example.com mar 20 10:22:21 olmo.example.com krb5kdc[5091](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.0.106: ISSUE: authtime 1395301975, etypes {rep=18 tkt=18 ses=18}, ad...@example.com for ldap/olmo.example@example.com This is effect of S4U extension working correctly. whereas java generates this other one mar 20 10:24:09 olmo.example.com krb5kdc[5091](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.105: NEEDED_PREAUTH: HTTP/ebano.example@example.com for krbtgt/example@example.com, Additional pre-authentication required mar 20 10:24:09 olmo.example.com krb5kdc[5091](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.105: ISSUE: authtime 1395307449, etypes {rep=18 tkt=18 ses=18}, HTTP/ebano.example@example.com for krbtgt/example@example.com mar 20 10:24:09 olmo.example.com krb5kdc[5091](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 192.168.0.105: ISSUE: authtime 1395307449, etypes {rep=18 tkt=18 ses=18}, HTTP/ebano.example@example.com for HTTP/olmo.example@example.com As you can see, the first one uses admin on ldap service, the second one uses HTTP/ebano.example.com on HTTP service. This means your Java application doesn't use S4U extension or doesn't know about that. Can I do the same call with Java? At this point we need to set clear what Java are you using. http://download.java.net/jdk8/docs/technotes/guides/security/jgss/jgss-features.html tells that S4U extensions (we use S4U2Proxy here) was added in Java SE 8. The client doesn't do the S4U2Proxy work though, so this shouldn't matter, right? My point is that the client will not do what he expects unless S4U2Proxy is used in Java and that requires Java 8 platform, released on March 18th 2014. I think you can use earlier Java versions but tell them to use the native GSSAPI library (and perhaps sprinkle a little bit of GSS-Proxy in the back for fun. Here I'm again :) I wrote a GSSClient [1] obtaining: ### java.io.IOException: Server returned HTTP response code: 401 for URL: https://olmo.example.com/ipa/json