Re: [Freeipa-devel] [PATCH 0238] ipaldap: Override conversion of nsds5replicalastupdatestart

2014-07-02 Thread Jan Cholasta

On 1.7.2014 16:45, Tomas Babej wrote:

Hi,

The replication related attributes nsds5replicalastupdatestart and
nsds5replicalastupdateend have special behaviour implemented in 389,
as follows:

In case they are explicitly requested for and not set, 0 is returned.

However, 0 is not a valid value for LDAP Generalized time. Thus
we need to add these attributes to the _SYNTAX_OVERRIDE dictionary,
overriding their conversion to datetime and converting them to
string instead, which preserves the old behaviour expected by the
replication codebase.

https://fedorahosted.org/freeipa/ticket/4350

Note: This makes patch 236 obsolete.
Note II: This is a short-term fix from my point of view. A ticket to
resolve the underlying issue has been filed against 389:

https://fedorahosted.org/389/ticket/47836


It should be unicode, not str, if you want old behavior.

--
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 692 webui: capitalize labels of undo and undo all buttons

2014-07-02 Thread Martin Kosek
On 07/02/2014 07:11 AM, Fraser Tweedale wrote:
 On Mon, Jun 30, 2014 at 10:54:28AM +0200, Petr Vobornik wrote:
 On 30.6.2014 09:13, Fraser Tweedale wrote:
 On Fri, Jun 27, 2014 at 02:11:47PM +0200, Petr Vobornik wrote:
 Make the label of these buttons consistent with other buttons which have
 capital first letters.
 --
 Petr Vobornik

 From 7214242fb0c5accc45b6af476a8ff7e7b1a7883f Mon Sep 17 00:00:00 2001
 From: Petr Vobornik pvobo...@redhat.com
 Date: Fri, 27 Jun 2014 13:59:11 +0200
 Subject: [PATCH] webui: capitalize labels of undo and undo all buttons

 Make the label of these buttons consistent with other buttons which have
 capital first letters.
 ---
  install/ui/test/data/ipa_init.json | 4 ++--
  ipalib/plugins/internal.py | 4 ++--
  2 files changed, 4 insertions(+), 4 deletions(-)

 diff --git a/install/ui/test/data/ipa_init.json 
 b/install/ui/test/data/ipa_init.json
 index 
 0c32395ee7d68440aea0271359b0ac88fed86c42..20a462fff3b664d2320946765d1dac21ac2b1929
  100644
 --- a/install/ui/test/data/ipa_init.json
 +++ b/install/ui/test/data/ipa_init.json
 @@ -563,8 +563,8 @@
  next: Next,
  page: Page,
  prev: Prev,
 -undo: undo,
 -undo_all: undo all,
 +undo: Undo,
 +undo_all: Undo All,
  validation: {
  error: Text does not match field pattern,
  datetime: Must be an UTC date/time value 
 (e.g., \2014-01-20 17:58:01Z\),
 diff --git a/ipalib/plugins/internal.py b/ipalib/plugins/internal.py
 index 
 f9ae831dc665b1282ded798023856dacec480e3b..cda9fdc7ba5237bc5bcfddbce20f47abbc210a40
  100644
 --- a/ipalib/plugins/internal.py
 +++ b/ipalib/plugins/internal.py
 @@ -708,8 +708,8 @@ class i18n_messages(Command):
  next: _(Next),
  page: _(Page),
  prev: _(Prev),
 -undo: _(undo),
 -undo_all: _(undo all),
 +undo: _(Undo),
 +undo_all: _(Undo All),
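Review bot: changing the msgids `undo` and `undo all` to `Undo` and `Undo All` in `i18n_messages` silently discards the existing translations of both strings, because gettext looks them up by exact msgid; the `install/ui/test/data/ipa_init.json` hunk above is consistent with the change, but the patch should either land before the next translation pull or wait for the next release, as the thread goes on to discuss.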

 Does this affect translations?  The msgid undo all is present in
 the PO files.

 Yes

 
 Translations are lost as a result of this change, due to case
 sensitive translation lookup by msgid.  I guess our translation
 workflow takes care of this - in which case, ACK.
 
 Speaking of which, I couldn't find anything on the wiki about how we
 do our translations (i.e., how or when stuff gets pulled into/out of
 transifex, who's responsible for that part of the process).  Would
 be good to find out more about it :)

Petr Viktorin takes care of pulling the translations before the release.
However, I must admit we do not have a firm translation workflow defined yet;
we try not to mess with translations close to the release, but we do not
announce an official string freeze.

Martin



Re: [Freeipa-devel] [PATCHES 0084-0086] NSEC3PARAM DNS record should be in DNS zone settings

2014-07-02 Thread Petr Viktorin

On 07/01/2014 03:15 PM, Martin Basti wrote:

On Tue, 2014-07-01 at 14:24 +0200, Martin Basti wrote:

Ticket: https://fedorahosted.org/freeipa/ticket/4413
Patches attached




Rebased patches attached




0084:
in dns.py, you'll also want to remove NSEC3PARAMRecord from
_dns_records. Otherwise I still see it in API.txt for dnsrecord_add &
friends.


0085:
_nsec3param_errmsg will not get picked up by xgettext, so it won't be 
translated. The argument to _() must be a literal string, not a variable.




--
Petr³



Re: [Freeipa-devel] [PATCH 0087] Fix: missing tlsarecord in 40-dns.update

2014-07-02 Thread Petr Spacek

On 1.7.2014 17:28, Martin Basti wrote:

Patch attached


I'm not able to apply it on top of current master 
(21e1e4ac3bd62c20c6331ea3dc09793e3a869c22).


--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH] 692 webui: capitalize labels of undo and undo all buttons

2014-07-02 Thread Petr Viktorin

On 07/02/2014 08:52 AM, Martin Kosek wrote:

On 07/02/2014 07:11 AM, Fraser Tweedale wrote:

On Mon, Jun 30, 2014 at 10:54:28AM +0200, Petr Vobornik wrote:

On 30.6.2014 09:13, Fraser Tweedale wrote:

On Fri, Jun 27, 2014 at 02:11:47PM +0200, Petr Vobornik wrote:

Make the label of these buttons consistent with other buttons which have
capital first letters.
--
Petr Vobornik



 From 7214242fb0c5accc45b6af476a8ff7e7b1a7883f Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Fri, 27 Jun 2014 13:59:11 +0200
Subject: [PATCH] webui: capitalize labels of undo and undo all buttons

Make the label of these buttons consistent with other buttons which have
capital first letters.
---
  install/ui/test/data/ipa_init.json | 4 ++--
  ipalib/plugins/internal.py | 4 ++--
  2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/install/ui/test/data/ipa_init.json 
b/install/ui/test/data/ipa_init.json
index 
0c32395ee7d68440aea0271359b0ac88fed86c42..20a462fff3b664d2320946765d1dac21ac2b1929
 100644
--- a/install/ui/test/data/ipa_init.json
+++ b/install/ui/test/data/ipa_init.json
@@ -563,8 +563,8 @@
  next: Next,
  page: Page,
  prev: Prev,
-undo: undo,
-undo_all: undo all,
+undo: Undo,
+undo_all: Undo All,
  validation: {
  error: Text does not match field pattern,
  datetime: Must be an UTC date/time value (e.g., 
\2014-01-20 17:58:01Z\),
diff --git a/ipalib/plugins/internal.py b/ipalib/plugins/internal.py
index 
f9ae831dc665b1282ded798023856dacec480e3b..cda9fdc7ba5237bc5bcfddbce20f47abbc210a40
 100644
--- a/ipalib/plugins/internal.py
+++ b/ipalib/plugins/internal.py
@@ -708,8 +708,8 @@ class i18n_messages(Command):
  next: _(Next),
  page: _(Page),
  prev: _(Prev),
-undo: _(undo),
-undo_all: _(undo all),
+undo: _(Undo),
+undo_all: _(Undo All),


Does this affect translations?  The msgid undo all is present in
the PO files.


Yes



Translations are lost as a result of this change, due to case
sensitive translation lookup by msgid.  I guess our translation
workflow takes care of this - in which case, ACK.

Speaking of which, I couldn't find anything on the wiki about how we
do our translations (i.e., how or when stuff gets pulled into/out of
transifex, who's responsible for that part of the process).  Would
be good to find out more about it :)


Petr Viktorin takes care of pulling the translations before the release.
However, I must admit we do not have a firm translation workflow defined yet;
we try not to mess with translations close to the release, but we do not
announce an official string freeze.

Martin



Hi,
I'd rather delay pushing this until 4.0.1, as with all non-essential 
changes.
Due to patches coming in late in the release cycle we can't release with 
translations for all the new features. I guess that's acceptable, but we 
don't need to break the string Undo.


--
Petr³



Re: [Freeipa-devel] [PATCH 0087] Fix: missing tlsarecord in 40-dns.update

2014-07-02 Thread Martin Basti
On Wed, 2014-07-02 at 09:40 +0200, Petr Spacek wrote:
 On 1.7.2014 17:28, Martin Basti wrote:
  Patch attached
 
 I'm not able to apply it on top of current master 
 (21e1e4ac3bd62c20c6331ea3dc09793e3a869c22).
 
Sorry, I lost myself in ACIs; it depends on the patches mbasti-0084-2 and
0085-2.

-- 
Martin^2 Basti



Re: [Freeipa-devel] [PATCH 0087] Fix: missing tlsarecord in 40-dns.update

2014-07-02 Thread Petr Spacek

On 2.7.2014 10:23, Martin Basti wrote:

On Wed, 2014-07-02 at 09:40 +0200, Petr Spacek wrote:

On 1.7.2014 17:28, Martin Basti wrote:

Patch attached


I'm not able to apply it on top of current master
(21e1e4ac3bd62c20c6331ea3dc09793e3a869c22).


Sorry, I lost myself in ACIs; it depends on the patches mbasti-0084-2 and
0085-2.


Okay, I will test it when you send new versions of 0084 and 0085.

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCHES 0084-0086] NSEC3PARAM DNS record should be in DNS zone settings

2014-07-02 Thread Petr Vobornik

On 1.7.2014 15:15, Martin Basti wrote:

On Tue, 2014-07-01 at 14:24 +0200, Martin Basti wrote:

Ticket: https://fedorahosted.org/freeipa/ticket/4413
Patches attached


Rebased patches attached



Besides #1, mostly minor stuff.

1. The regex r'^\d+ \d+ \d+ ([0-9a-fA-F]+|-)$' should be extended to 
validate even number of hex chars, e.g.:

^\d+ \d+ \d+ ((([0-9a-fA-F]{2})+)|-)$

Should be then also reflected in _nsec3param_errmsg

This change will make Web UI more usable.

2. The abbreviation 'alg' in 'hash_alg' is not as common as, for example,
'arg'. The full 'hash_algorithm' is clearer; there is enough space.


+doc=_('NSEC3PARAM record for zone in format: hash_alg flags 
iterations salt'),



3. I think we should rather catch TypeError

+try:
+binascii.a2b_hex(salt)
+except Exception, e:
+return _('salt value: %(err)s') % {'err': e}

4. Extra empty line

+pattern_errmsg=_nsec3param_errmsg,
+
+),


Unrelated:

5. IMO framework should be extended to support translations in 
`pattern_errmsg`


--
Petr Vobornik
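The validator that points 1 and 3 of the review ask for, as an added example that is not part of the submitted patches: it keeps both regexes from the thread so the difference is visible, and goes beyond the review by also checking the RFC 5155 field widths (hash algorithm and flags one octet, iterations two octets, salt at most 255 octets). It is written for Python 3, where `binascii.a2b_hex()` raises `binascii.Error` rather than the `TypeError` Python 2 raised; `NSEC3PARAM_ERRMSG`, `parse_nsec3param` and `nsec3param_error` are names of my own, not FreeIPA's.

```python
import binascii
import re

# Regex from the submitted patch: any run of hex digits passes, so an
# odd-length salt such as 'abc' reaches the hex decoder and fails there.
LOOSE_NSEC3PARAM_RE = re.compile(r'^\d+ \d+ \d+ ([0-9a-fA-F]+|-)$')
# Regex suggested in the review: the salt is '-' (no salt) or whole octets.
STRICT_NSEC3PARAM_RE = re.compile(r'^\d+ \d+ \d+ ((([0-9a-fA-F]{2})+)|-)$')

# Hypothetical error text standing in for _nsec3param_errmsg.
NSEC3PARAM_ERRMSG = ("NSEC3PARAM record format is: hash_algorithm flags "
                     "iterations salt, where salt is '-' or an even number "
                     "of hexadecimal digits")


def parse_nsec3param(value, pattern=STRICT_NSEC3PARAM_RE):
    """Parse 'hash_algorithm flags iterations salt' rdata into a dict.

    Raises ValueError with a user-facing message on any defect.
    """
    if not pattern.match(value):
        raise ValueError(NSEC3PARAM_ERRMSG)
    hash_algorithm, flags, iterations, salt = value.split(' ')
    fields = {
        'hash_algorithm': int(hash_algorithm),
        'flags': int(flags),
        'iterations': int(iterations),
    }
    # RFC 5155 section 4.1 wire format: 8-bit algorithm, 8-bit flags,
    # 16-bit iterations, 8-bit salt length.
    limits = {'hash_algorithm': 255, 'flags': 255, 'iterations': 65535}
    for name, maximum in limits.items():
        if fields[name] > maximum:
            raise ValueError('%s value: must be between 0 and %d'
                             % (name, maximum))
    if salt == '-':
        fields['salt'] = b''
    else:
        try:
            fields['salt'] = binascii.a2b_hex(salt)
        except binascii.Error as e:  # Python 2 raised TypeError here
            raise ValueError('salt value: %s' % e)
        if len(fields['salt']) > 255:
            raise ValueError('salt value: must be at most 255 octets')
    return fields


def nsec3param_error(value, pattern=STRICT_NSEC3PARAM_RE):
    """Validator in the style of the patch: None when valid, else the message."""
    try:
        parse_nsec3param(value, pattern)
    except ValueError as e:
        return str(e)
    return None


if __name__ == '__main__':
    for rdata in ('1 0 10 abcd', '1 0 10 abc', '1 0 70000 abcd', '1 1 0 -'):
        print(repr(rdata), '->', nsec3param_error(rdata))
    # With the loose regex the odd-length salt is only caught by a2b_hex:
    print(nsec3param_error('1 0 10 abc', LOOSE_NSEC3PARAM_RE))
```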



Re: [Freeipa-devel] [PATCH 0238] ipaldap: Override conversion of nsds5replicalastupdatestart

2014-07-02 Thread Petr Viktorin

On 07/02/2014 08:14 AM, Jan Cholasta wrote:

On 1.7.2014 16:45, Tomas Babej wrote:

Hi,

The replication related attributes nsds5replicalastupdatestart and
nsds5replicalastupdateend have special behaviour implemented in 389,
as follows:

In case they are explicitly requested for and not set, 0 is returned.

However, 0 is not a valid value for LDAP Generalized time. Thus
we need to add these attributes to the _SYNTAX_OVERRIDE dictionary,
overriding their conversion to datetime and converting them to
string instead, which preserves the old behaviour expected by the
replication codebase.

https://fedorahosted.org/freeipa/ticket/4350

Note: This makes patch 236 obsolete.
Note II: This is a short-term fix from my point of view. A ticket to
resolve the underlying issue has been filed against 389:

https://fedorahosted.org/389/ticket/47836


It should be unicode, not str, if you want old behavior.



Since Tomáš is on vacation now, I made the change and tested it.

As Rob noted in the other patch thread, this problem also appears in 
`ipa-replica-manage list -v host`, where it's not benign as in the 
install case (the command aborts).
The ipa-replica-manage list case will also fail on 
nsds5replicalastinit{start,end} conversion (note init instead of 
update).


Updated patch attached.

--
Petr³

From bc47e379bd50f4fef117b411d20b1c6c1c3da51c Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Tue, 1 Jul 2014 13:29:13 +0200
Subject: [PATCH] ipaldap: Override conversion of
 nsds5replicalast{update,init}{start,end}

The replication related attributes with generalized time syntax have
special behaviour implemented in 389, as follows:

In case they are explicitly requested for and not set, 0 is returned.

However, 0 is not a valid value for LDAP Generalized time. Thus
we need to add these attributes to the _SYNTAX_OVERRIDE dictionary,
overriding their conversion to datetime and converting them to
string instead, which preserves the old behaviour expected by the
replication codebase.

https://fedorahosted.org/freeipa/ticket/4350
---
 ipapython/ipaldap.py | 4 
 1 file changed, 4 insertions(+)

diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 21706cff08a0d8be07db8a1b5fdb0367c10ad53d..44918c39a131b1c19338dd198a2275539624 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -263,6 +263,10 @@ class IPASimpleLDAPObject(object):
 'idnssoamname':DNSName,
 'idnssoarname':DNSName,
 'dnszoneidnsname': DNSName,
+'nsds5replicalastupdatestart': unicode,
+'nsds5replicalastupdateend': unicode,
+'nsds5replicalastinitstart': unicode,
+'nsds5replicalastinitend': unicode,
 })
 _SINGLE_VALUE_OVERRIDE = CIDict({
 'nsslapd-ssl-check-hostname': True,
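Review bot: the four new `_SYNTAX_OVERRIDE` entries carry no comment, so a later reader will see generalized-time attributes mapped to `unicode` and be tempted to turn them back into `datetime`; add a one-line comment next to them stating that 389 returns the literal `0` for these attributes when they are unset, which is not a valid GeneralizedTime, and cite https://fedorahosted.org/freeipa/ticket/4350 and https://fedorahosted.org/389/ticket/47836. The commit message should also say why the two `nsds5replicalastinit*` attributes were added, since the original cover mail only names the `lastupdate` pair.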
-- 
1.9.3
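The conversion problem described in this thread, as an added example that is not FreeIPA's own `ipaldap` code: a small RFC 4517 GeneralizedTime decoder, a per-attribute override table in the spirit of `_SYNTAX_OVERRIDE` (Python 3 `str` stands in for the patch's `unicode`), and a constructed replication-agreement entry showing which attributes fail without the override. `decode_generalized_time`, `decode_entry` and `SAMPLE_AGREEMENT` are my own names, and the example assumes every attribute in the sample uses GeneralizedTime syntax.

```python
import re
from datetime import datetime, timedelta, timezone

# Attributes that 389-ds returns as the literal string '0' when they have
# never been set.  Mapping them to str keeps the raw value, which is what the
# replication code expects (unicode on Python 2, as in the patch).  The four
# names are the ones the patch adds.
_SYNTAX_OVERRIDE = {
    'nsds5replicalastupdatestart': str,
    'nsds5replicalastupdateend': str,
    'nsds5replicalastinitstart': str,
    'nsds5replicalastinitend': str,
}

# RFC 4517 GeneralizedTime: YYYYMMDDHH[MM[SS]][.fraction] then Z or +-HH[MM].
_GENTIME_RE = re.compile(
    r'^(?P<y>\d{4})(?P<mo>\d{2})(?P<d>\d{2})(?P<h>\d{2})'
    r'(?P<mi>\d{2})?(?P<s>\d{2})?(?:[.,](?P<frac>\d+))?'
    r'(?P<tz>Z|[+-]\d{2}(?:\d{2})?)$')


def decode_generalized_time(value):
    """Convert an LDAP GeneralizedTime string to a timezone-aware datetime.

    Anything else, including the '0' sentinel, raises ValueError; that is the
    exception which aborts ipa-replica-manage when no override is in place.
    The fraction is applied to seconds only, the form 389-ds actually emits.
    """
    m = _GENTIME_RE.match(value)
    if m is None:
        raise ValueError('not an LDAP GeneralizedTime: %r' % (value,))
    minute = int(m.group('mi') or 0)
    second = int(m.group('s') or 0)
    microsecond = int((m.group('frac') or '0').ljust(6, '0')[:6])
    tz = m.group('tz')
    if tz == 'Z':
        tzinfo = timezone.utc
    else:
        sign = 1 if tz[0] == '+' else -1
        offset = timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5] or 0))
        tzinfo = timezone(sign * offset)
    return datetime(int(m.group('y')), int(m.group('mo')), int(m.group('d')),
                    int(m.group('h')), minute, second, microsecond,
                    tzinfo=tzinfo)


def decode_entry(entry, overrides=_SYNTAX_OVERRIDE):
    """Decode every value of an entry whose attributes all use GeneralizedTime.

    Returns (decoded, failures); failures lists the attributes whose values the
    converter rejected.  Attribute names match case-insensitively, like the
    CIDict used in ipaldap.
    """
    decoded, failures = {}, []
    for attr, values in entry.items():
        convert = overrides.get(attr.lower(), decode_generalized_time)
        try:
            decoded[attr] = [convert(v) for v in values]
        except ValueError as e:
            failures.append((attr, str(e)))
    return decoded, failures


# Constructed sample of a replication agreement's time attributes, as 389-ds
# returns them for an agreement whose update has never run (not a capture).
SAMPLE_AGREEMENT = {
    'nsds5replicaLastUpdateStart': ['0'],
    'nsds5replicaLastUpdateEnd': ['0'],
    'nsds5replicaLastInitStart': ['20140701112913Z'],
    'nsds5replicaLastInitEnd': ['0'],
    'createTimestamp': ['20140701112913Z'],
}

if __name__ == '__main__':
    _, failures = decode_entry(SAMPLE_AGREEMENT)
    print('with override:', failures)                     # []
    _, failures = decode_entry(SAMPLE_AGREEMENT, overrides={})
    print('without override:', [a for a, _ in failures])  # the three '0' values
```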


[Freeipa-devel] [PATCH 0088] Use documentation addresses in dns help

2014-07-02 Thread Martin Basti
Patch attached.
(Forward zones help preparation)
-- 
Martin^2 Basti
From c27017724dcce01d3ba901dc81c129c699952a44 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Wed, 2 Jul 2014 12:52:14 +0200
Subject: [PATCH] Use documentation addresses in dns help

---
 ipalib/plugins/dns.py | 30 +++---
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index 35bcaed1fd5f3f5561587eb419b84239c59478a8..35fcc246e46f338a5f316ff424e2d3b0a1112a2e 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -83,7 +83,7 @@ EXAMPLES:
  Add new zone:
ipa dnszone-add example.com --name-server=ns \\
--admin-email=ad...@example.com \\
-   --ip-address=10.0.0.1
+   --ip-address=192.0.2.1
 
  Add system permission that can be used for per-zone privilege delegation:
ipa dnszone-add-permission example.com
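Review bot: the commit message is a bare subject line; record that the replacement addresses come from the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24), that the previous examples used routable addresses, and that the change invalidates the existing translations of this docstring, so the reason for touching translated help text this close to the release is documented with the change.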
@@ -96,10 +96,10 @@ EXAMPLES:
   --update-policy=grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * ; grant EXAMPLE.COM krb5-self * SSHFP;
 
  Modify the zone to allow zone transfers for local network only:
-   ipa dnszone-mod example.com --allow-transfer=10.0.0.0/8
+   ipa dnszone-mod example.com --allow-transfer=192.0.2.0/24
 
  Add new reverse zone specified by network IP address:
-   ipa dnszone-add --name-from-ip=80.142.15.0/24 \\
+   ipa dnszone-add --name-from-ip=192.0.2.0/24 \\
--name-server=ns.example.com.
 
  Add second nameserver for example.com:
@@ -132,11 +132,11 @@ EXAMPLES:
 
  Add new A record for www.example.com. Create a reverse record in appropriate
  reverse zone as well. In this case a PTR record 2 pointing to www.example.com
- will be created in zone 15.142.80.in-addr.arpa.
-   ipa dnsrecord-add example.com www --a-rec=80.142.15.2 --a-create-reverse
+ will be created in zone 2.0.192.in-addr.arpa.
+   ipa dnsrecord-add example.com www --a-rec=192.0.2.2 --a-create-reverse
 
  Add new PTR record for www.example.com
-   ipa dnsrecord-add 15.142.80.in-addr.arpa. 2 --ptr-rec=www.example.com.
+   ipa dnsrecord-add 2.0.192.in-addr.arpa. 2 --ptr-rec=www.example.com.
 
  Add new SRV records for LDAP servers. Three quarters of the requests
  should go to fast.example.com, one quarter to slow.example.com. If neither
@@ -171,12 +171,12 @@ EXAMPLES:
Delete all? Yes/No (default No): (do not delete all records)
Current DNS record contents:
 
-   A record: 1.2.3.4, 11.22.33.44
+   A record: 192.0.2.2, 192.0.2.3
 
-   Delete A record '1.2.3.4'? Yes/No (default No):
-   Delete A record '11.22.33.44'? Yes/No (default No): y
+   Delete A record '192.0.2.2'? Yes/No (default No):
+   Delete A record '192.0.2.3'? Yes/No (default No): y
  Record name: www
- A record: 1.2.3.4  (A record 11.22.33.44 has been deleted)
+ A record: 192.0.2.2   (A record 192.0.2.3 has been deleted)
 
  Show zone example.com:
ipa dnszone-show example.com
@@ -187,14 +187,14 @@ EXAMPLES:
  Find records for resources with www in their name in zone example.com:
ipa dnsrecord-find example.com www
 
- Find A records with value 10.10.0.1 in zone example.com
-   ipa dnsrecord-find example.com --a-rec=10.10.0.1
+ Find A records with value 192.0.2.2 in zone example.com
+   ipa dnsrecord-find example.com --a-rec=192.0.2.2
 
  Show records for resource www in zone example.com
ipa dnsrecord-show example.com www
 
  Delegate zone sub.example to another nameserver:
-   ipa dnsrecord-add example.com ns.sub --a-rec=10.0.100.5
+   ipa dnsrecord-add example.com ns.sub --a-rec=203.0.113.1
ipa dnsrecord-add example.com sub --ns-rec=ns.sub.example.com.
 
  If global forwarder is configured, all requests to sub.example.com will be
@@ -207,7 +207,7 @@ EXAMPLES:
  a first policy (it will send the queries to the selected forwarder and if
  not answered it will use global resolvers):
ipa dnszone-add external.com
-   ipa dnszone-mod external.com --forwarder=10.20.0.1 \\
+   ipa dnszone-mod external.com --forwarder=203.0.113.1 \\
 --forward-policy=first
 
  Delete zone example.com with all resource records:
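Review bot: `203.0.113.1` now serves both as the address of `ns.sub` in the delegation example (hunk `@@ -187`) and as the forwarder for `external.com` here; give the forwarder a different documentation address, e.g. `203.0.113.2`, so the two examples do not read as the same host.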
@@ -230,7 +230,7 @@ server:
ipa dnsconfig-show
 
  Modify global DNS configuration and set a list of global forwarders:
-   ipa dnsconfig-mod --forwarder=10.0.0.1
+   ipa dnsconfig-mod --forwarder=203.0.113.113
 )
 
 register = Registry()
-- 
1.8.3.1


Re: [Freeipa-devel] [PATCH 0088] Use documentation addresses in dns help

2014-07-02 Thread Petr Viktorin

On 07/02/2014 01:02 PM, Martin Basti wrote:

Patch attached.
(Forward zones help preparation)



/me sighs

This will invalidate all translations of the DNS plugin help.
Is it really necessary for 4.0?


--
Petr³



Re: [Freeipa-devel] [PATCHES 0084-0086] NSEC3PARAM DNS record should be in DNS zone settings

2014-07-02 Thread Martin Basti
On Wed, 2014-07-02 at 09:39 +0200, Petr Viktorin wrote:
 On 07/01/2014 03:15 PM, Martin Basti wrote:
  On Tue, 2014-07-01 at 14:24 +0200, Martin Basti wrote:
  Ticket: https://fedorahosted.org/freeipa/ticket/4413
  Patches attached
 
 
  Rebased patches attached
 
 
 
 0084:
 in dns.py, you'll also want to remove NSEC3PARAMRecord from
 _dns_records. Otherwise I still see it in API.txt for dnsrecord_add &
 friends.
If I remove it, it breaks dns.py. I haven't added NSEC3PARAMRecord into _dns_records
in the original patch.

 0085:
 _nsec3param_errmsg will not get picked up by xgettext, so it won't be 
 translated. The argument to _() must be a literal string, not a variable.
 
 
 


-- 
Martin^2 Basti



Re: [Freeipa-devel] [PATCH 0088] Use documentation addresses in dns help

2014-07-02 Thread Martin Basti
On Wed, 2014-07-02 at 13:09 +0200, Petr Viktorin wrote:
 On 07/02/2014 01:02 PM, Martin Basti wrote:
  Patch attached.
  (Forward zones help preparation)
 
 
 /me sighs
 
 This will invalidate all translations of the DNS plugin help.
 Is it really necessary for 4.0?

Ask petr2, but I have a ticket where I need to add some description about
forward zones to the help.


-- 
Martin^2 Basti



Re: [Freeipa-devel] [PATCH 0088] Use documentation addresses in dns help

2014-07-02 Thread Petr Viktorin

On 07/02/2014 01:43 PM, Martin Basti wrote:

On Wed, 2014-07-02 at 13:09 +0200, Petr Viktorin wrote:

On 07/02/2014 01:02 PM, Martin Basti wrote:

Patch attached.
(Forward zones help preparation)



/me sighs

This will invalidate all translations of the DNS plugin help.
Is it really necessary for 4.0?


Ask petr2, but I have a ticket where I need to add some description about
forward zones to the help.




If it's really absolutely unavoidable to change the strings at the last 
minute, please do it as fast as possible so translators can get a bit of 
time to retranslate.


Whenever you touch a long docstring, please split up the text according 
to 
http://www.freeipa.org/page/Coding_Best_Practices#Split_long_translatable_strings

(preferably in a separate patch).

--
Petr³


Re: [Freeipa-devel] [PATCHES 0084-0086] NSEC3PARAM DNS record should be in DNS zone settings

2014-07-02 Thread Martin Basti
On Wed, 2014-07-02 at 13:17 +0200, Martin Basti wrote:
 On Wed, 2014-07-02 at 09:39 +0200, Petr Viktorin wrote:
  On 07/01/2014 03:15 PM, Martin Basti wrote:
   On Tue, 2014-07-01 at 14:24 +0200, Martin Basti wrote:
   Ticket: https://fedorahosted.org/freeipa/ticket/4413
   Patches attached
  
  
   Rebased patches attached
  
  
  
  0084:
  in dns.py, you'll also want to remove NSEC3PARAMRecord from
  _dns_records. Otherwise I still see it in API.txt for dnsrecord_add &
  friends.
 If I remove it, it breaks dns.py. I haven't added NSEC3PARAMRecord into
 _dns_records in the original patch.
 
  0085:
  _nsec3param_errmsg will not get picked up by xgettext, so it won't be 
  translated. The argument to _() must be a literal string, not a variable.
  
  
  
 
 
Updated patch attached (API.txt updated)

-- 
Martin^2 Basti
From e5e567aae2e7fb8641fdfb8d59e361c533b6c0a5 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Mon, 30 Jun 2014 18:29:40 +0200
Subject: [PATCH 2/3] Add NSEC3PARAM to zone settings

Ticket: https://fedorahosted.org/freeipa/ticket/4413
---
 ACI.txt   |  4 ++--
 API.txt   |  9 +---
 VERSION   |  4 ++--
 install/share/60ipadns.ldif   |  2 +-
 install/ui/src/freeipa/dns.js |  3 ++-
 install/updates/40-dns.update |  2 +-
 ipalib/plugins/dns.py | 50 ---
 7 files changed, 61 insertions(+), 13 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index b8dfb56a2abea937823cdaed08322dea3dc0c0ef..8e73c5c8541154e73c201994de828aa43c3777b1 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -39,11 +39,11 @@ aci: (targetattr = idnsallowsyncptr || idnsforwarders || idnsforwardpolicy || i
 dn: cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (target = ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl permission:System: Add DNS Entries;allow (add) groupdn = ldap:///cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = a6record || record || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord)(target = ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl permission:System: Read DNS Entries;allow (compare,read,search) groupdn = ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example;)
+aci: (targetattr = a6record || record || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord)(target = ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl permission:System: Read DNS Entries;allow (compare,read,search) groupdn = ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (target = ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl permission:System: Remove DNS Entries;allow (delete) groupdn = ldap:///cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = a6record || record || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord 
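Review bot: the `System: Read DNS Entries` ACI gains `nsec3paramrecord`, but the `+aci:` line for `System: Update DNS Entries` is cut off in this archive after its `-aci:` line; confirm the replacement adds `nsec3paramrecord` to the Update targetattr list as well, otherwise the new zone setting is readable but not writable through the delegated permission.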

Re: [Freeipa-devel] [PATCHES 0084-0086] NSEC3PARAM DNS record should be in DNS zone settings

2014-07-02 Thread Petr Vobornik

On 2.7.2014 14:27, Martin Basti wrote:

On Wed, 2014-07-02 at 13:17 +0200, Martin Basti wrote:

On Wed, 2014-07-02 at 09:39 +0200, Petr Viktorin wrote:

On 07/01/2014 03:15 PM, Martin Basti wrote:

On Tue, 2014-07-01 at 14:24 +0200, Martin Basti wrote:

Ticket: https://fedorahosted.org/freeipa/ticket/4413
Patches attached




Rebased patches attached




0084:
in dns.py, you'll also want to remove NSEC3PARAMRecord from
_dns_records. Otherwise I still see it in API.txt for dnsrecord_add &
friends.

If I remove it, it breaks dns.py. I haven't added NSEC3PARAMRecord into _dns_records
in the original patch.


0085:
_nsec3param_errmsg will not get picked up by xgettext, so it won't be
translated. The argument to _() must be a literal string, not a variable.







Updated patch attached (API.txt updated)



ACK

pushed to master:
* ff7b44e3b09b2e94fde66f918a6d1fb6db043d80 Remove NSEC3PARAM record
* 30551a8aa30dcd39b3ae4c2fe97a163620773730 Add NSEC3PARAM to zone settings
* 01b95805ab1428e10c79abf70c9bc9e2baf9de21 NSEC3PARAM tests

--
Petr Vobornik



Re: [Freeipa-devel] [PATCH 0083] Add DNSSEC experimental support warning message

2014-07-02 Thread Martin Basti
On Tue, 2014-07-01 at 12:23 +0200, Petr Spacek wrote:
 On 1.7.2014 12:20, Martin Kosek wrote:
  On 07/01/2014 10:55 AM, Petr Spacek wrote:
  On 1.7.2014 10:49, Petr Viktorin wrote:
  On 07/01/2014 10:43 AM, Petr Spacek wrote:
  On 30.6.2014 17:10, Martin Basti wrote:
  On Mon, 2014-06-30 at 16:57 +0200, Petr Spacek wrote:
  On 30.6.2014 14:33, Martin Basti wrote:
  On Mon, 2014-06-30 at 12:49 +0200, Martin Basti wrote:
  Patch attached.
 
  It works for me.
 
  Please change the string a little bit; I have realized that we should
  ensure that file permissions are correct:
 
  chown named: *
  chmod u= *
 
  (the chmod part new)
 
  Thanks!
 
 
  Updated patch attached
 
  I'm really sorry, I had to change the message once again :-)
 
  None of us noticed that chmod command was completely incorrect. I'm
  attaching fixed patch as an apology.
 
  It works for me when applied to master
  (50c30c8401c21d43414404bd5caa157196449e4c).
 
  Functional self-ACK :-)
 
  IMHO it can be pushed if Python-review is okay.
 
  Once again, please define new message classes in messages.py instead of 
  just
  using PublicMessage with a custom string.
 
  Also, these messages will work for console output, but I'm not sure
  pre-wrapped text would look good in web UI.
  I'm not sold on the idea of giving instructions in warning messages. 
  Would a
  link to some documentation be better?
 
  Well, the idea was to provide copypaste instructions directly in the 
  console,
  not speaking about problems with URLs downstream.
 
  If you insist on URL ... here it is:
  http://www.freeipa.org/page/Releases/4.0.0#Experimental_DNSSEC_Support
 
 
  Please use something more stable, like
 
  http://www.freeipa.org/page/DNSSEC
 
  which we would use as a gathering place for information about FreeIPA and 
  DNSSEC.
 
 IMHO this particular warning should point to version-specific information.
 
 I'm not opposed to the /page/DNSSEC idea in general, but this warning should
 point to very specific steps which will be valid only for a very specific
 version of FreeIPA.
 

Updated patch attached
-- 
Martin^2 Basti
From 5a13587cf7b4a4887a9e1cc97abc26964a63ef86 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Mon, 30 Jun 2014 12:32:31 +0200
Subject: [PATCH] Add DNSSEC experimental support warning message

Ticket: https://fedorahosted.org/freeipa/ticket/4408
---
 ipalib/messages.py| 10 ++
 ipalib/plugins/dns.py | 19 +++
 2 files changed, 29 insertions(+)

diff --git a/ipalib/messages.py b/ipalib/messages.py
index 3087cf7c921c8211fe32f68d4a4c5240f3f32e51..f637e5b17de816f3a88645c65f4a01179d97552c 100644
--- a/ipalib/messages.py
+++ b/ipalib/messages.py
@@ -147,6 +147,16 @@ class ForwardersWarning(PublicMessage):
 uYou may want to use forward zones (dnsforwardzone-*) instead.\n
 uFor more details read the docs.)
 
+
+class DNSSECWarning(PublicMessage):
+
+**13003** Used when user change DNSSEC settings
+
+
+errno = 13003
+type = warning
+format = _(DNSSEC support is experimental.\n%(additional_info)s)
+
 def iter_messages(variables, base):
 Return a tuple with all subclasses
 
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index b8e3c135a4d78e46530bfd8e07d7729f14ff33b6..b0df60ef1413330c9b7830cb34380b71cbe061c5 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -2212,6 +2212,23 @@ class dnszone(DNSZoneBase):
 messages.add_message(options.get('version', VERSION_WITHOUT_CAPABILITIES),
  result, messages.ForwardersWarning())
 
+def _warning_dnssec_experimental(self, result, *keys, **options):
+# add warning when user use option --dnssec
+if 'idnssecinlinesigning' in options:
+if options['idnssecinlinesigning'] is True:
+messages.add_message(options['version'], result,
+messages.DNSSECWarning(
+additional_info=_(Manual configuration needed, please 
+visit 'http://www.freeipa.org/page/Releases/4.0.0#;
+Experimental_DNSSEC_Support')
+))
+else:
+messages.add_message(options['version'], result,
+messages.DNSSECWarning(
+additional_info=_(If you encounter any problems please 
+report them and restart 'named' service on affected IPA 
+server.)
+))
 
 
 @register()
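Review bot: `_warning_dnssec_experimental` indexes `options['version']` directly, whereas `_warning_forwarding` just above uses `options.get('version', VERSION_WITHOUT_CAPABILITIES)`; a client that omits `version` would raise KeyError in the new code, so use the same lookup. Note also that the `else` branch emits the warning for any explicit `idnssecinlinesigning` value other than True (i.e. when inline signing is being switched off), which may be intended, and that the wiki URL is embedded in a translatable `_()` string and will therefore be copied into every PO file, so the thread's request for a stable link applies here.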
@@ -2303,6 +2320,7 @@ class dnszone_add(DNSZoneBase_add):
 def execute(self, *keys, **options):
 result = super(dnszone_add, self).execute(*keys, **options)
 self.obj._warning_forwarding(result, **options)
+self.obj._warning_dnssec_experimental(result, *keys, **options)
 return result
 
 def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
@@ -2385,6 +2403,7 @@ class dnszone_mod(DNSZoneBase_mod):
 def execute(self, 

[Freeipa-devel] [PATCH 0089] Add help about forward zones

2014-07-02 Thread Martin Basti
Required patch: mbasti-0088

Patch attached
I will split the docstring after ACK
-- 
Martin^2 Basti
From 52af35570fad39941a69952163b9a2d9e724746d Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Wed, 2 Jul 2014 12:16:48 +0200
Subject: [PATCH] Help for forward zones

Ticket: https://fedorahosted.org/freeipa/ticket/3210
---
 ipalib/plugins/dns.py | 60 ++-
 1 file changed, 50 insertions(+), 10 deletions(-)

diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index d06f5e0bbdd2c14754d26f6d0abd90e7bd7e7467..d410726fc0678635a8ef5ce87accd562f08c01ab 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -51,6 +51,11 @@ Domain Name System (DNS)
 
 Manage DNS zone and resource records.
 
+SUPPORTED ZONE TYPES
+
+ * Master zone (dnszone-*), contains authoritative data.
+ * Forward zone (dnsforwardzone-*), forwards queries to configured forwarders
+ (a set of DNS servers).
 
 USING STRUCTURED PER-TYPE OPTIONS
 
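Review bot: both bullets under SUPPORTED ZONE TYPES have a comma splice (`Master zone (dnszone-*), contains authoritative data.`); drop the commas so each bullet reads as one sentence, e.g. ` * Master zone (dnszone-*) contains authoritative data.`, as in the original proposal.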
@@ -197,18 +202,53 @@ EXAMPLES:
ipa dnsrecord-add example.com ns.sub --a-rec=203.0.113.1
ipa dnsrecord-add example.com sub --ns-rec=ns.sub.example.com.
 
- If global forwarder is configured, all requests to sub.example.com will be
- routed through the global forwarder. To change the behavior for example.com
- zone only and forward the request directly to ns.sub.example.com., global
- forwarding may be disabled per-zone:
+ If a global forwarder is configured, all queries for which this server is not
+ authoritative (e.g. sub.example.com) will be routed to the global forwarder.
+ Global forwarding configuration can be overriden per-zone. To change behavior
+ for a particular zone you can specify forwarders and forward-policy per zone.
+
+ Semantics of forwarding in IPA matches BIND sematics and depends on type
+ of the zone:
+   * Master zone: local BIND replies authoritatively to queries for data in
+   the given zone (including authoritative NXDOMAIN answers) and forwarding
+   affects only queries for names bellow zone cuts (NS records) of locally
+   served zones.
+
+   * Forward zone: forward zone contains no authoritative data. BIND forwards
+   queries, which cannot be answered from its local cache, to configured
+   forwarders.
+
+ Semantics of the --forwarder-policy option:
+   * none - disable forwarding for the given zone.
+   * first - forward all queries to configured forwarders. If they  fail,
+   do resolution using DNS root servers.
+   * only - forward all queries to configured forwarders and if they fail,
+   return failure.
+
+ Disable global forwarding for given sub-tree:
ipa dnszone-mod example.com --forward-policy=none
 
- Forward all requests for the zone external.com to another nameserver using
- a first policy (it will send the queries to the selected forwarder and if
- not answered it will use global resolvers):
-   ipa dnszone-add external.com
-   ipa dnszone-mod external.com --forwarder=203.0.113.1 \\
---forward-policy=first
+ This configuration forwards all queries for names outside the example.com
+ sub-tree to global forwarders. Normal recursive resolution process is used
+ for names inside the example.com sub-tree (i.e. NS records are followed etc.).
+
+ Forward all requests for the zone external.example.com to another nameserver
+ using a first policy (it will send the queries to the selected forwarder
+ and if not answered it will use global resolvers):
+   ipa dnsforwardzone-add external.example.com --forward-policy=first \\
+   --forwarder=203.0.113.1
+
+ Change forward-policy for external.example.com:
+   ipa dnsforwardzone-mod external.example.com --forward-policy=only
+
+ Show forward zone external.example.com:
+   ipa dnsforwardzone-show external.example.com
+
+ List all forward zones:
+   ipa dnsforwardzone-find
+
+ Delelete forward zone external.example.com:
+   ipa dnsforwardzone-del external.example.com
 
  Delete zone example.com with all resource records:
ipa dnszone-del example.com
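Review bot: `Semantics of the --forwarder-policy option:` names an option the examples never use; every example in this hunk passes `--forward-policy`, so the heading should say `--forward-policy` as well. Spelling in the same block: `overriden` (overridden), `sematics` (semantics), `bellow zone cuts` (below), `Delelete forward zone` (Delete), and a doubled space in `If they  fail`. Because `Delete zone example.com with all resource records` is left as trailing context, it now closes the forward-zone examples; either move the new forward-zone block below it or move that master-zone example up with the other dnszone-* commands.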
-- 
1.8.3.1

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0083] Add DNSSEC experimental support warning message

2014-07-02 Thread Petr Spacek

On 2.7.2014 14:57, Martin Basti wrote:

On Tue, 2014-07-01 at 12:23 +0200, Petr Spacek wrote:

On 1.7.2014 12:20, Martin Kosek wrote:

On 07/01/2014 10:55 AM, Petr Spacek wrote:

On 1.7.2014 10:49, Petr Viktorin wrote:

On 07/01/2014 10:43 AM, Petr Spacek wrote:

On 30.6.2014 17:10, Martin Basti wrote:

On Mon, 2014-06-30 at 16:57 +0200, Petr Spacek wrote:

On 30.6.2014 14:33, Martin Basti wrote:

On Mon, 2014-06-30 at 12:49 +0200, Martin Basti wrote:

Patch attached.


It works for me.

Please change the string a little bit; I have realized that we should ensure
that file permissions are correct:

chown named: *
chmod u= *

(the chmod part new)

Thanks!



Updated patch attached


I'm really sorry, I had to change the message once again :-)

None of us noticed that chmod command was completely incorrect. I'm
attaching fixed patch as an apology.

It works for me when applied to master
(50c30c8401c21d43414404bd5caa157196449e4c).

Functional self-ACK :-)

IMHO it can be pushed if Python-review is okay.


Once again, please define new message classes in messages.py instead of just
using PublicMessage with a custom string.

Also, these messages will work for console output, but I'm not sure
pre-wrapped text would look good in web UI.
I'm not sold on the idea of giving instructions in warning messages. Would a
link to some documentation be better?


Well, the idea was to provide copy-paste instructions directly in the console,
not speaking about problems with URLs downstream.

If you insist on URL ... here it is:
http://www.freeipa.org/page/Releases/4.0.0#Experimental_DNSSEC_Support



Please use something more stable, like

http://www.freeipa.org/page/DNSSEC

which we would use as a gathering place for information about FreeIPA and 
DNSSEC.


IMHO this particular warning should point to version-specific information.

I'm not opposed to the /page/DNSSEC idea in general, but this warning should point
to very specific steps which will be valid only for a very specific version of
FreeIPA.



Updated patch attached


I have bad news for you: Patch
freeipa-mbasti-0083-4-DNSSEC-experimental-support-warning-message.patch

cannot be applied on top of:

current master (01b95805ab1428e10c79abf70c9bc9e2baf9de21)
freeipa-mbasti-0080-Allow-to-add-non-string-values-to-named-conf.patch
freeipa-mbasti-0081-DNSSEC-Add-experimental-support-for-DNSSEC.patch
freeipa-mbasti-0082-Add-warning-about-semantic-change-for-zones.patch

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0083] Add DNSSEC experimental support warning message

2014-07-02 Thread Martin Basti
On Wed, 2014-07-02 at 15:21 +0200, Petr Spacek wrote:
 On 2.7.2014 14:57, Martin Basti wrote:
  On Tue, 2014-07-01 at 12:23 +0200, Petr Spacek wrote:
  On 1.7.2014 12:20, Martin Kosek wrote:
  On 07/01/2014 10:55 AM, Petr Spacek wrote:
  On 1.7.2014 10:49, Petr Viktorin wrote:
  On 07/01/2014 10:43 AM, Petr Spacek wrote:
  On 30.6.2014 17:10, Martin Basti wrote:
  On Mon, 2014-06-30 at 16:57 +0200, Petr Spacek wrote:
  On 30.6.2014 14:33, Martin Basti wrote:
  On Mon, 2014-06-30 at 12:49 +0200, Martin Basti wrote:
  Patch attached.
 
  It works for me.
 
  Please change the string a little bit; I have realized that we should ensure
  that file permissions are correct:
 
  chown named: *
  chmod u= *
 
  (the chmod part new)
 
  Thanks!
 
 
  Updated patch attached
 
  I'm really sorry, I had to change the message once again :-)
 
  None of us noticed that chmod command was completely incorrect. I'm
  attaching fixed patch as an apology.
 
  It works for me when applied to master
  (50c30c8401c21d43414404bd5caa157196449e4c).
 
  Functional self-ACK :-)
 
  IMHO it can be pushed if Python-review is okay.
 
  Once again, please define new message classes in messages.py instead of 
  just
  using PublicMessage with a custom string.
 
  Also, these messages will work for console output, but I'm not sure
  pre-wrapped text would look good in web UI.
  I'm not sold on the idea of giving instructions in warning messages. 
  Would a
  link to some documentation be better?
 
  Well, the idea was to provide copy-paste instructions directly in the
  console, not speaking about problems with URLs downstream.
 
  If you insist on URL ... here it is:
  http://www.freeipa.org/page/Releases/4.0.0#Experimental_DNSSEC_Support
 
 
  Please use something more stable, like
 
  http://www.freeipa.org/page/DNSSEC
 
  which we would use as a gathering place for information about FreeIPA and 
  DNSSEC.
 
  IMHO this particular warning should point to version-specific information.
 
  I'm not opposed to the /page/DNSSEC idea in general, but this warning should
  point to very specific steps which will be valid only for a very specific
  version of FreeIPA.
 
 
  Updated patch attached
 
 I have bad news for you: Patch
 freeipa-mbasti-0083-4-DNSSEC-experimental-support-warning-message.patch
 
 cannot be applied on top of:
 
 current master (01b95805ab1428e10c79abf70c9bc9e2baf9de21)
 freeipa-mbasti-0080-Allow-to-add-non-string-values-to-named-conf.patch
 freeipa-mbasti-0081-DNSSEC-Add-experimental-support-for-DNSSEC.patch
 freeipa-mbasti-0082-Add-warning-about-semantic-change-for-zones.patch
 

You need 0082-2
-- 
Martin^2 Basti



Re: [Freeipa-devel] [PATCH 0089] Add help about forward zones

2014-07-02 Thread Petr Spacek

I have only a few nitpicks I didn't notice in the first round:

The original proposal contained also this header:
SUPPORTED ZONE TYPES
 * Master zone (dnszone-*) contains authoritative data.
 * Forward zone (dnsforwardzone-*) forwards queries to configured forwarders 
(a set of DNS servers).


I can't see it in the patch.

The rest of the nitpicks are in-line:

On 2.7.2014 15:17, Martin Basti wrote:

- If global forwarder is configured, all requests to sub.example.com will be
- routed through the global forwarder. To change the behavior for example.com
- zone only and forward the request directly to ns.sub.example.com., global
- forwarding may be disabled per-zone:
+ If a global forwarder is configured, all queries for which this server is not
+ authoritative (e.g. sub.example.com) will be routed to the global forwarder.
+ Global forwarding configuration can be overriden per-zone. To change behavior
+ for a particular zone you can specify forwarders and forward-policy per zone.


overriden = overridden (according to my spell checker :-)

Sentence To change behavior for a particular zone you can specify forwarders 
and forward-policy per zone. seems redundant to me.



+ Semantics of forwarding in IPA matches BIND sematics and depends on type
+ of the zone:
+   * Master zone: local BIND replies authoritatively to queries for data in
+   the given zone (including authoritative NXDOMAIN answers) and forwarding
+   affects only queries for names bellow zone cuts (NS records) of locally
+   served zones.
+
+   * Forward zone: forward zone contains no authoritative data. BIND forwards
+   queries, which cannot be answered from its local cache, to configured
+   forwarders.
+
+ Semantics of the --forwarder-policy option:
+   * none - disable forwarding for the given zone.
+   * first - forward all queries to configured forwarders. If they  fail,

The double space in "they  fail" should be replaced by a single space.


+   do resolution using DNS root servers.
+   * only - forward all queries to configured forwarders and if they fail,
+   return failure.
+
+ Disable global forwarding for given sub-tree:
 ipa dnszone-mod example.com --forward-policy=none

- Forward all requests for the zone external.com to another nameserver using
- a first policy (it will send the queries to the selected forwarder and if
- not answered it will use global resolvers):
-   ipa dnszone-add external.com
-   ipa dnszone-mod external.com --forwarder=203.0.113.1 \\
---forward-policy=first
+ This configuration forwards all queries for names outside the example.com
+ sub-tree to global forwarders. Normal recursive resolution process is used
+ for names inside the example.com sub-tree (i.e. NS records are followed etc.).
+
+ Forward all requests for the zone external.example.com to another nameserver

nameserver = forwarder (to keep terminology consistent)


+ using a first policy (it will send the queries to the selected forwarder
+ and if not answered it will use global resolvers):

resolvers = root servers


+   ipa dnsforwardzone-add external.example.com --forward-policy=first \\
+   --forwarder=203.0.113.1
+
+ Change forward-policy for external.example.com:
+   ipa dnsforwardzone-mod external.example.com --forward-policy=only
+
+ Show forward zone external.example.com:
+   ipa dnsforwardzone-show external.example.com
+
+ List all forward zones:
+   ipa dnsforwardzone-find
+
+ Delelete forward zone external.example.com:

Delelete = Delete (nice typo! :-))


+   ipa dnsforwardzone-del external.example.com

   Delete zone example.com with all resource records:
 ipa dnszone-del example.com
Is there a section with examples for master zones? Please move it there if the
answer is yes, otherwise it can stay here.


--
Petr^2 Spacek



[Freeipa-devel] [PATCH] 0153 ipa-ldap-updater does not work with hardened LDAP configuration

2014-07-02 Thread Alexander Bokovoy

When nsslapd-minssf is greater than 0, running as root
 ipa-ldap-updater [-l]
will fail even if we force use of autobind for root over LDAPI.

The reason for this is that the schema updater doesn't get the ldapi flag passed
and attempts to connect to the LDAP port instead; for hardened configurations,
using simple bind over LDAP is not enough.

Additionally, properly report previously unhandled LDAP exceptions.
https://fedorahosted.org/freeipa/ticket/3468

Note that the ticket is in 'Future releases' but we have this bug in 3.3
and in my view it is serious enough to fix it.
--
/ Alexander Bokovoy
From 03c9f67bf7855a9507a9ccf219a3bfeb9bb3ad1f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Wed, 2 Jul 2014 16:30:18 +0300
Subject: [PATCH] ipa-ldap-updater: make it possible to use LDAPI with autobind in
 case of hardened LDAP configuration

When nsslapd-minssf is greater than 0, running as root
  ipa-ldap-updater [-l]
will fail even if we force use of autobind for root over LDAPI.

The reason for this is that the schema updater doesn't get the ldapi flag passed
and attempts to connect to the LDAP port instead; for hardened configurations,
using simple bind over LDAP is not enough.

Additionally, properly report previously unhandled LDAP exceptions.
https://fedorahosted.org/freeipa/ticket/3468
---
 ipapython/ipaldap.py  | 4 
 ipaserver/install/ipa_ldap_updater.py | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 21706cf..c5bd08b 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -1200,6 +1200,10 @@ class LDAPClient(object):
 pass
 except ldap.CONNECT_ERROR:
 raise errors.DatabaseError(desc=desc, info=info)
+except ldap.UNWILLING_TO_PERFORM:
+raise errors.DatabaseError(desc=desc, info=info)
+except ldap.AUTH_UNKNOWN:
+raise errors.ACIError(info='%s (%s)' % (info,desc))
 except ldap.LDAPError, e:
 if 'NOT_ALLOWED_TO_DELEGATE' in info:
 raise errors.ACIError(
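Review bot: `except ldap.AUTH_UNKNOWN` is mapped to `errors.ACIError`, but AUTH_UNKNOWN means the server does not support the requested authentication method, which is a connection or configuration problem rather than an access-control decision, so callers will report it as insufficient access. `errors.DatabaseError(desc=desc, info=info)`, as used for UNWILLING_TO_PERFORM two lines above, fits better; `(info,desc)` also wants a space after the comma.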
diff --git a/ipaserver/install/ipa_ldap_updater.py 
b/ipaserver/install/ipa_ldap_updater.py
index fbbef14..18970ce 100644
--- a/ipaserver/install/ipa_ldap_updater.py
+++ b/ipaserver/install/ipa_ldap_updater.py
@@ -204,7 +204,8 @@ class LDAPUpdater_NonUpgrade(LDAPUpdater):
 modified = schemaupdate.update_schema(
 options.schema_files,
 dm_password=self.dirman_password,
-live_run=not options.test) or modified
+live_run=not options.test,
+ldapi=options.ldapi) or modified
 
 if not self.files:
 self.files = ld.get_all_files(UPDATES_DIR)
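Review bot: this hunk passes `ldapi=options.ldapi` into `schemaupdate.update_schema`, but the diffstat lists only ipapython/ipaldap.py and ipa_ldap_updater.py, so the patch relies on `update_schema` already accepting an `ldapi` keyword; please confirm that, otherwise this is a TypeError on the first non-upgrade run. If `update_schema` is also reached from another updater path in this file, it needs the same flag for the hardened-server case the commit message describes.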
-- 
1.9.3


Re: [Freeipa-devel] [PATCH 0238] ipaldap: Override conversion of nsds5replicalastupdatestart

2014-07-02 Thread Martin Kosek
On 07/02/2014 08:14 AM, Jan Cholasta wrote:
 On 1.7.2014 16:45, Tomas Babej wrote:
 Hi,

 The replication related attributes nsds5replicalastupdatestart and
 nsds5replicalastupdateend have special behaviour implemented in 389,
 as follows:

 In case they are explicitly requested for and not set, 0 is returned.

 However, 0 is not a valid value for LDAP Generalized time. Thus
 we need to add these attributes to the _SYNTAX_OVERRIDE dictionary,
 overriding their conversion to datetime and converting them to
 string instead, which preserves the old behaviour expected by the
 replication codebase.

 https://fedorahosted.org/freeipa/ticket/4350

 Note: This makes patch 236 obsolete.
 Note II: This is a short-term fix from my point of view. Ticket to
 resolve the underlying issue has been filed to 389:

 https://fedorahosted.org/389/ticket/47836
 
 It should be unicode, not str, if you want old behavior.
 

Given that Tomas is away and we want this in 4.0, I revisited the patch and
fixed the conversion + added 2 more date attributes which would cause issues
with ipa-replica-manage HOST -v. Now it works:

# ipa-replica-manage list server.example.com -v
vm-086.idm.lab.bos.redhat.com: replica
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update 
started
  last update ended: None

# ipa-replica-manage list -v replica.example.com
vm-111.idm.lab.bos.redhat.com: replica
  last init status: 0 Total update succeeded
  last init ended: 2014-07-02 13:42:12+00:00
  last update status: 0 Replica acquired successfully: Incremental update 
succeeded
  last update ended: 2014-07-02 14:02:03+00:00

Martin
From e4e6ce3dd760b6bb66cd444527fe0010263dfb7b Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Wed, 2 Jul 2014 16:04:34 +0200
Subject: [PATCH] ipaldap: Override conversion of replication agreement values

The replication related date attributes have special behaviour
implemented in 389, as follows:

In case they are explicitly requested for and not set, 0 is returned.

However, 0 is not a valid value for LDAP Generalized time. Thus
the attributes need to be added to the _SYNTAX_OVERRIDE dictionary,
overriding their conversion to datetime and converting them to
string instead, which preserves the old behaviour expected by the
replication codebase.

Based on a patch by Tomas Babej tba...@redhat.com.

https://fedorahosted.org/freeipa/ticket/4350
---
 ipapython/ipaldap.py | 4 
 1 file changed, 4 insertions(+)

diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 21706cff08a0d8be07db8a1b5fdb0367c10ad53d..44918c39a131b1c19338dd198a2275539624 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -263,6 +263,10 @@ class IPASimpleLDAPObject(object):
 'idnssoamname':DNSName,
 'idnssoarname':DNSName,
 'dnszoneidnsname': DNSName,
+'nsds5replicalastupdatestart': unicode,
+'nsds5replicalastupdateend': unicode,
+'nsds5replicalastinitstart': unicode,
+'nsds5replicalastinitend': unicode,
 })
 _SINGLE_VALUE_OVERRIDE = CIDict({
 'nsslapd-ssl-check-hostname': True,
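Review bot: the four `unicode` entries work, but nothing at the point of use records why GeneralizedTime decoding is bypassed for them; a one-line comment (389 returns the literal `0` for these when the agreement has never run, which is not a valid GeneralizedTime) would stop a later cleanup from removing them. The commit body still says the values are converted to `string`; since the override is `unicode`, as requested in review, say unicode there.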
-- 
1.9.3

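The `0` sentinel the patch works around deserves explicit handling on the consumer side as well, because a bare pass-through leaves every caller to recognise it. The following is an added example, not FreeIPA code: a decoder for the GeneralizedTime forms 389-ds actually writes that treats the `0` sentinel as "unset" (None) instead of an error, next to a pass-through table in the spirit of the `_SYNTAX_OVERRIDE` entries above. The names `RAW_PASSTHROUGH`, `decode_generalized_time`, `convert_attribute` and `GeneralizedTimeError` are assumptions, and the timestamps are constructed from the values in the ipa-replica-manage output quoted earlier in this message.

```python
import re
from datetime import datetime, timedelta, timezone

# Attributes that 389-ds answers with the literal '0' when the replication
# agreement has never run.  The attribute names come from the patch; the
# set and its name are this example's own.
RAW_PASSTHROUGH = frozenset([
    'nsds5replicalastupdatestart',
    'nsds5replicalastupdateend',
    'nsds5replicalastinitstart',
    'nsds5replicalastinitend',
])

# GeneralizedTime as the server writes it: YYYYMMDDHHMMSS, an optional
# fraction, then 'Z' or a +hhmm/-hhmm offset.  RFC 4517 also permits
# dropping the seconds or minutes; the server does not emit those forms
# and this decoder rejects them.
_GT_RE = re.compile(r'^(\d{14})(?:[.,](\d{1,6}))?(Z|[+-]\d{4})$')


class GeneralizedTimeError(ValueError):
    """The value is neither a GeneralizedTime nor the '0' sentinel."""


def decode_generalized_time(value):
    """Return an aware datetime, or None for the 389-ds '0' sentinel.

    Anything else that is not a GeneralizedTime raises, so a caller can
    tell 'never happened' (None) from 'the directory returned something
    malformed' (exception) instead of silently getting a string back.
    """
    if value == '0':
        return None
    match = _GT_RE.match(value)
    if match is None:
        raise GeneralizedTimeError('not a GeneralizedTime: %r' % (value,))
    base, fraction, tz = match.groups()
    stamp = datetime.strptime(base, '%Y%m%d%H%M%S')
    if fraction:
        # Right-pad to microseconds: '5' means .5 s, '123' means .123 s.
        stamp = stamp.replace(microsecond=int(fraction.ljust(6, '0')))
    if tz == 'Z':
        return stamp.replace(tzinfo=timezone.utc)
    sign = 1 if tz[0] == '+' else -1
    offset = timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5]))
    return stamp.replace(tzinfo=timezone(sign * offset))


def convert_attribute(name, raw):
    """Mirror the patch: listed attributes stay raw text, others are decoded."""
    if name.lower() in RAW_PASSTHROUGH:
        return raw
    return decode_generalized_time(raw)


if __name__ == '__main__':
    # Constructed values matching the ipa-replica-manage output above.
    samples = [('nsds5replicaLastInitEnd', '0'),
               ('nsds5replicaLastUpdateEnd', '20140702140203Z'),
               ('createTimestamp', '20140702134212Z')]
    for attr, raw in samples:
        print(attr, 'raw ->', repr(convert_attribute(attr, raw)),
              '| decoded ->', decode_generalized_time(raw))
```

Keeping the pass-through table makes callers that expect the old raw string behave exactly as with the patch, while the decoder gives new code a typed value and a clear failure mode; the sentinel becomes None only because it is an explicit, known server convention, not because '0' happens to be unparsable.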

[Freeipa-devel] [PATCH] 694 webui: new navigation structure

2014-07-02 Thread Petr Vobornik

https://fedorahosted.org/freeipa/ticket/4418

according to the latest proposal:
http://www.redhat.com/archives/freeipa-devel/2014-June/msg00839.html

--
Petr Vobornik
From 97cc94163e8ae57058b07741c7d70e44697c113f Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Wed, 2 Jul 2014 15:09:22 +0200
Subject: [PATCH] webui: new navigation structure

https://fedorahosted.org/freeipa/ticket/4418
---
 install/ui/src/freeipa/certificate.js  |   2 +-
 install/ui/src/freeipa/dns.js  |   2 +-
 install/ui/src/freeipa/navigation/menu_spec.js | 195 +++--
 install/ui/test/data/ipa_init.json |   2 +
 ipalib/plugins/internal.py |   2 +
 ipatests/test_webui/test_navigation.py |  62 +---
 ipatests/test_webui/ui_driver.py   |   2 +-
 7 files changed, 160 insertions(+), 107 deletions(-)

diff --git a/install/ui/src/freeipa/certificate.js b/install/ui/src/freeipa/certificate.js
index 01dfee2b64c14f487b66b91d449f63b6415dea69..6a11d959398517db6f720a36ff2a323e1d0c74a7 100755
--- a/install/ui/src/freeipa/certificate.js
+++ b/install/ui/src/freeipa/certificate.js
@@ -1293,7 +1293,7 @@ IPA.cert.cert_update_policy = function(spec) {
 
 exp.remove_menu_item = function() {
 if (!IPA.cert.is_enabled()) {
-menu.remove_item('identity/cert');
+menu.remove_item('authentication/cert');
 }
 };
 
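Review bot: `menu.remove_item('authentication/cert')` is a hand-maintained path string that has to stay in step with the `name` values in menu_spec.js (the same goes for `network_services/dns` in dns.js); a later rename of the tab would not be caught at load time and the Certificates entry would stay visible on a server without a CA. Consider deriving the path from the entity (or exporting these paths from menu_spec.js) and adding a test_navigation case for the CA-disabled layout.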
diff --git a/install/ui/src/freeipa/dns.js b/install/ui/src/freeipa/dns.js
index c7143ca91fef9bbc372654080fe899be1ae8367f..a566ccf61adcf4f688ac803bf5e3658b4f3a0253 100644
--- a/install/ui/src/freeipa/dns.js
+++ b/install/ui/src/freeipa/dns.js
@@ -2543,7 +2543,7 @@ IPA.network_validator = function(spec) {
 
 exp.remove_menu_item = function() {
 if (!IPA.dns_enabled) {
-menu.remove_item('identity/dns');
+menu.remove_item('network_services/dns');
 }
 };
 
diff --git a/install/ui/src/freeipa/navigation/menu_spec.js b/install/ui/src/freeipa/navigation/menu_spec.js
index 01738cbe60b10bc0f1671093fc1616980780bac1..9182d11bf56c73e1fce724d438fe2211105b75ad 100644
--- a/install/ui/src/freeipa/navigation/menu_spec.js
+++ b/install/ui/src/freeipa/navigation/menu_spec.js
@@ -43,101 +43,134 @@ var nav = {};
 { entity: 'netgroup' },
 { entity: 'service' },
 {
+name: 'automember',
+label: '@i18n:tabs.automember',
+children: [
+{
+name: 'amgroup',
+entity: 'automember',
+facet: 'searchgroup',
+label: '@i18n:objects.automember.usergrouprules',
+children: [
+{
+entity: 'automember',
+facet: 'usergrouprule',
+hidden: true
+}
+]
+},
+{
+name: 'amhostgroup',
+entity: 'automember',
+facet: 'searchhostgroup',
+label: '@i18n:objects.automember.hostgrouprules',
+children: [
+{
+entity: 'automember',
+facet: 'hostgrouprule',
+hidden: true
+}
+]
+}
+]
+}
+]
+},
+{
+name: 'policy',
+label: '@i18n:tabs.policy',
+children: [
+{
+name: 'hbac',
+label: '@i18n:tabs.hbac',
+children: [
+{ entity: 'hbacrule' },
+{ entity: 'hbacsvc' },
+{ entity: 'hbacsvcgroup' },
+{ entity: 'hbactest' }
+]
+},
+{
+name: 'sudo',
+label: '@i18n:tabs.sudo',
+children: [
+{ entity: 'sudorule' },
+{ entity: 'sudocmd' },
+{ entity: 'sudocmdgroup' }
+]
+},
+{ entity: 'selinuxusermap' },
+{ entity: 'pwpolicy' },
+{ entity: 'krbtpolicy' }
+]
+},
+{
+name: 'authentication',
+label: '@i18n:tabs.authentication',
+children: [
+{ entity: 'cert', label: '@i18n:tabs.cert' },
+{ entity: 'otptoken' },
+{ entity: 'radiusproxy' }
+]
+},
+  

Re: [Freeipa-devel] [PATCH 0238] ipaldap: Override conversion of nsds5replicalastupdatestart

2014-07-02 Thread Martin Kosek
On 07/02/2014 12:49 PM, Petr Viktorin wrote:
 On 07/02/2014 08:14 AM, Jan Cholasta wrote:
 On 1.7.2014 16:45, Tomas Babej wrote:
 Hi,

 The replication related attributes nsds5replicalastupdatestart and
 nsds5replicalastupdateend have special behaviour implemented in 389,
 as follows:

 In case they are explicitly requested for and not set, 0 is returned.

 However, 0 is not a valid value for LDAP Generalized time. Thus
 we need to add these attributes to the _SYNTAX_OVERRIDE dictionary,
 overriding their conversion to datetime and converting them to
 string instead, which preserves the old behaviour expected by the
 replication codebase.

 https://fedorahosted.org/freeipa/ticket/4350

 Note: This makes patch 236 obsolete.
 Note II: This is a short-term fix from my point of view. Ticket to
 resolve the underlying issue has been filed to 389:

 https://fedorahosted.org/389/ticket/47836

 It should be unicode, not str, if you want old behavior.

 
 Since Tomáš is on vacation now, I made the change and tested it.
 
 As Rob noted in the other patch thread, this problem also appears in
 `ipa-replica-manage list -v host`, where it's not benign as in the install
 case (the command aborts).
 The ipa-replica-manage list case will also fail on
 nsds5replicalastinit{start,end} conversion (note init instead of update).
 
 Updated patch attached.

Ah, I see you sent the same patch as I did :-) In that case, it is an ACK,
obviously.

Pushed to master: a5bb758978ffdccc5a985487d57856290428abf1

Martin



[Freeipa-devel] [PATCH 0090] Split dns.py doctring

2014-07-02 Thread Martin Basti
Required patches: mbasti-0088, mbasti-0089-2

Patch attached 
-- 
Martin^2 Basti
From f2b31bb820f6995d2b285f1f487afa4aca5139af Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Wed, 2 Jul 2014 15:56:29 +0200
Subject: [PATCH] Split dns docstring

---
 ipalib/plugins/dns.py | 94 +--
 1 file changed, 47 insertions(+), 47 deletions(-)

diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index 97d8dc168101d7f8b94c111c13f1d701a465d4ee..e8e4e33a17c935f81c66cb029af6bfdfd0a5a8e1 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -48,23 +48,23 @@ from ipapython.dnsutil import DNSName
 
 __doc__ = _(
 Domain Name System (DNS)
-
+) + _(
 Manage DNS zone and resource records.
-
+) + _(
 SUPPORTED ZONE TYPES
 
  * Master zone (dnszone-*), contains authoritative data.
  * Forward zone (dnsforwardzone-*), forwards queries to configured forwarders
  (a set of DNS servers).
-
+) + _(
 USING STRUCTURED PER-TYPE OPTIONS
-
+) + _(
 There are many structured DNS RR types where DNS data stored in LDAP server
 is not just a scalar value, for example an IP address or a domain name, but
 a data structure which may be often complex. A good example is a LOC record
 [RFC1876] which consists of many mandatory and optional parts (degrees,
 minutes, seconds of latitude and longitude, altitude or precision).
-
+) + _(
 It may be difficult to manipulate such DNS records without making a mistake
 and entering an invalid value. DNS module provides an abstraction over these
 raw records and allows to manipulate each RR type with specific options. For
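Review bot: every `) + _(` in this hunk stands where a blank line used to be, so whether `ipa help dns` still shows paragraph breaks depends on each segment both ending and beginning with a newline; please compare the rendered help before and after the patch. Also confirm that the lazy `_()` text objects support `+` and that the result still renders in the client's language at request time, since `__doc__` is now a sum of translatable pieces rather than a single one.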
@@ -72,7 +72,7 @@ each supported RR type, DNS module provides a standard option to manipulate
 a raw records with format --rrtype-rec, e.g. --mx-rec, and special options
 for every part of the RR structure with format --rrtype-partname, e.g.
 --mx-preference and --mx-exchanger.
-
+) + _(
 When adding a record, either RR specific options or standard option for a raw
 value can be used, they just should not be combined in one add operation. When
 modifying an existing entry, new RR specific options can be used to change
@@ -81,41 +81,41 @@ to specify the modified value. The following example demonstrates
 a modification of MX record preference from 0 to 1 in a record without
 modifying the exchanger:
 ipa dnsrecord-mod --mx-rec=0 mx.example.com. --mx-preference=1
-
+) + _(
 
 EXAMPLES:
-
+) + _(
  Add new zone:
ipa dnszone-add example.com --name-server=ns \\
--admin-email=ad...@example.com \\
--ip-address=192.0.2.1
-
+) + _(
  Add system permission that can be used for per-zone privilege delegation:
ipa dnszone-add-permission example.com
-
+) + _(
  Modify the zone to allow dynamic updates for hosts own records in realm EXAMPLE.COM:
ipa dnszone-mod example.com --dynamic-update=TRUE
-
+) + _(
This is the equivalent of:
  ipa dnszone-mod example.com --dynamic-update=TRUE \\
   --update-policy=grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * ; grant EXAMPLE.COM krb5-self * SSHFP;
-
+) + _(
  Modify the zone to allow zone transfers for local network only:
ipa dnszone-mod example.com --allow-transfer=192.0.2.0/24
-
+) + _(
  Add new reverse zone specified by network IP address:
ipa dnszone-add --name-from-ip=192.0.2.0/24 \\
--name-server=ns.example.com.
-
+) + _(
  Add second nameserver for example.com:
ipa dnsrecord-add example.com @ --ns-rec=nameserver2.example.com
-
+) + _(
  Add a mail server for example.com:
ipa dnsrecord-add example.com @ --mx-rec=10 mail1
-
+) + _(
  Add another record using MX record specific options:
   ipa dnsrecord-add example.com @ --mx-preference=20 --mx-exchanger=mail2
-
+) + _(
  Add another record using interactive mode (started when dnsrecord-add, dnsrecord-mod,
  or dnsrecord-del are executed with no options):
   ipa dnsrecord-add example.com @
@@ -128,28 +128,28 @@ EXAMPLES:
 Record name: example.com
 MX record: 10 mail1, 20 mail2, 30 mail3
 NS record: nameserver.example.com., nameserver2.example.com.
-
+) + _(
  Delete previously added nameserver from example.com:
ipa dnsrecord-del example.com @ --ns-rec=nameserver2.example.com.
-
+) + _(
  Add LOC record for example.com:
ipa dnsrecord-add example.com @ --loc-rec=49 11 42.4 N 16 36 29.6 E 227.64m
-
+) + _(
  Add new A record for www.example.com. Create a reverse record in appropriate
  reverse zone as well. In this case a PTR record 2 pointing to www.example.com
  will be created in zone 2.0.192.in-addr.arpa.
ipa dnsrecord-add example.com www --a-rec=192.0.2.2 --a-create-reverse
-
+) + _(
  Add new PTR record for www.example.com
ipa dnsrecord-add 2.0.192.in-addr.arpa. 2 --ptr-rec=www.example.com.
-
+) + _(
  Add new SRV records for LDAP servers. Three quarters of the requests
  should go to fast.example.com, one quarter to slow.example.com. If neither
  is 

Re: [Freeipa-devel] [PATCH 0089] Add help about forward zones

2014-07-02 Thread Martin Basti
On Wed, 2014-07-02 at 15:46 +0200, Petr Spacek wrote:
 I have only a few nitpicks I didn't notice in the first round:
 
 The original proposal contained also this header:
 SUPPORTED ZONE TYPES
   * Master zone (dnszone-*) contains authoritative data.
   * Forward zone (dnsforwardzone-*) forwards queries to configured forwarders 
 (a set of DNS servers).
 
 I can't see it in the patch.
 
It is there

 Delete zone example.com with all resource records:
   ipa dnszone-del example.com
 Is there a section with examples for master zones? Please move it there if the
 answer is yes, otherwise it can stay here.
 
Moved

Updated patch attached
-- 
Martin^2 Basti
From 75a5abf2a372ccc8773b8e43a15e37e645c026c7 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Wed, 2 Jul 2014 12:16:48 +0200
Subject: [PATCH] Help for forward zones

Ticket: https://fedorahosted.org/freeipa/ticket/3210
---
 ipalib/plugins/dns.py | 65 ---
 1 file changed, 52 insertions(+), 13 deletions(-)

diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index d06f5e0bbdd2c14754d26f6d0abd90e7bd7e7467..97d8dc168101d7f8b94c111c13f1d701a465d4ee 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -51,6 +51,11 @@ Domain Name System (DNS)
 
 Manage DNS zone and resource records.
 
+SUPPORTED ZONE TYPES
+
+ * Master zone (dnszone-*), contains authoritative data.
+ * Forward zone (dnsforwardzone-*), forwards queries to configured forwarders
+ (a set of DNS servers).
 
 USING STRUCTURED PER-TYPE OPTIONS
 
@@ -197,22 +202,56 @@ EXAMPLES:
ipa dnsrecord-add example.com ns.sub --a-rec=203.0.113.1
ipa dnsrecord-add example.com sub --ns-rec=ns.sub.example.com.
 
- If global forwarder is configured, all requests to sub.example.com will be
- routed through the global forwarder. To change the behavior for example.com
- zone only and forward the request directly to ns.sub.example.com., global
- forwarding may be disabled per-zone:
-   ipa dnszone-mod example.com --forward-policy=none
-
- Forward all requests for the zone external.com to another nameserver using
- a first policy (it will send the queries to the selected forwarder and if
- not answered it will use global resolvers):
-   ipa dnszone-add external.com
-   ipa dnszone-mod external.com --forwarder=203.0.113.1 \\
---forward-policy=first
-
  Delete zone example.com with all resource records:
ipa dnszone-del example.com
 
+ If a global forwarder is configured, all queries for which this server is not
+ authoritative (e.g. sub.example.com) will be routed to the global forwarder.
+ Global forwarding configuration can be overridden per-zone.
+
+ Semantics of forwarding in IPA matches BIND sematics and depends on type
+ of the zone:
+   * Master zone: local BIND replies authoritatively to queries for data in
+   the given zone (including authoritative NXDOMAIN answers) and forwarding
+   affects only queries for names bellow zone cuts (NS records) of locally
+   served zones.
+
+   * Forward zone: forward zone contains no authoritative data. BIND forwards
+   queries, which cannot be answered from its local cache, to configured
+   forwarders.
+
+ Semantics of the --forwarder-policy option:
+   * none - disable forwarding for the given zone.
+   * first - forward all queries to configured forwarders. If they fail,
+   do resolution using DNS root servers.
+   * only - forward all queries to configured forwarders and if they fail,
+   return failure.
+
+ Disable global forwarding for given sub-tree:
+   ipa dnszone-mod example.com --forward-policy=none
+
+ This configuration forwards all queries for names outside the example.com
+ sub-tree to global forwarders. Normal recursive resolution process is used
+ for names inside the example.com sub-tree (i.e. NS records are followed etc.).
+
+ Forward all requests for the zone external.example.com to another forwarder
+ using a first policy (it will send the queries to the selected forwarder
+ and if not answered it will use global root servers):
+   ipa dnsforwardzone-add external.example.com --forward-policy=first \\
+   --forwarder=203.0.113.1
+
+ Change forward-policy for external.example.com:
+   ipa dnsforwardzone-mod external.example.com --forward-policy=only
+
+ Show forward zone external.example.com:
+   ipa dnsforwardzone-show external.example.com
+
+ List all forward zones:
+   ipa dnsforwardzone-find
+
+ Delete forward zone external.example.com:
+   ipa dnsforwardzone-del external.example.com
+
  Resolve a host name to see if it exists (will add default IPA domain
  if one is not included):
ipa dns-resolve www.example.com
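Review bot: the option name in the heading "Semantics of the --forwarder-policy option:" does not match the option actually used in every example below it (--forward-policy=none/first/only); fix the heading, otherwise users will copy a non-existent option. Two typos in the same block: "BIND sematics" should be "BIND semantics" and "names bellow zone cuts" should be "names below zone cuts". Finally, the "first" policy is described once as falling back to "DNS root servers" and once as "global root servers"; pick one wording so the two descriptions agree.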
-- 
1.8.3.1


Re: [Freeipa-devel] [PATCH] 0589 Do not fail if there are multiple nsDS5ReplicaId values in cn=replication, cn=etc

2014-07-02 Thread Martin Kosek
On 06/18/2014 01:21 PM, Petr Viktorin wrote:
 https://fedorahosted.org/freeipa/ticket/4375

Yup, works like a charm, ACK.

Pushed to master: 8c98561c209d0ccaa692a335e3e9a10aec23ee0e

Martin



Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

2014-07-02 Thread Jan Cholasta

On 28.6.2014 00:19, Rob Crittenden wrote:


I'm going to consolidate all reviews for 241 - 303 here. I'm not doing
this in any particular order.


OK, I will send further patches only in this thread.





Missing man page for ipa-certupdate


I did not want to delay the patch, so I have sent it without a man page. 
Will fix.






Not a very nice error from ipa-cacert-manage install when loading a bad
cert:

# ipa-cacert-manage install /etc/group
Installing CA certificate, please wait
(SEC_ERROR_INVALID_ARGS) security library: invalid arguments.


Right. Fixed.



The ipa-cacert-manage makes no mention of changing the cert chaining. It
just adds the options, not what they do. Here is what happened when I
tried it:

# ipa-cacert-manage renew --external-ca
Exporting CA certificate signing request, please wait
The next step is to get /var/lib/ipa/ca.csr signed by your CA and re-run
ipa-cacert-manage as:
ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate
--external-ca-file=/path/to/external_ca_certificate
The ipa-cacert-manage command was successful
[ go off and sign it ]
# ipa-cacert-manage renew --external-cert-file=/home/rcrit/ca_db/ipa.crt
--external-ca-file=/home/rcrit/ca_db/ca.crt
Importing the renewed CA certificate, please wait
Resubmitting certmonger request '20140627134654' timed out, please check
the request manually

The request was actually in MONITORING, so ok.

But the CA is now not working

# ipa cert-request --principal test/`hostname` csr
ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (Internal Server Error)

# ipa cert-show 1
ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (Internal Server Error)

The CA database doesn't have my external CA

# certutil -Ld /etc/pki/pki-tomcat/alias/

Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                       u,u,u
auditSigningCert cert-pki-ca                  u,u,Pu
caSigningCert cert-pki-ca                     CTu,Cu,Cu
ocspSigningCert cert-pki-ca                   u,u,u
subsystemCert cert-pki-ca                     u,u,u

Not sure if this is related:
# pki cert-find
PKIException: Internal Server Error


The problem is not in the missing external CA cert (the CA always worked 
fine without it for me, so I never bothered adding it). The problem is 
that Dogtag can't connect to DS, because it does not like its server 
certificate. Which is weird, because when I try doing the same using 
ldapsearch everything seems to work fine:


# LDAPTLS_CACERTDIR=/etc/pki/pki-tomcat/alias 
LDAPTLS_CERT='subsystemCert cert-pki-ca' ldapsearch -H ldaps://$HOSTNAME 
-Y EXTERNAL -b o=ipaca -s base
Please enter pin, password, or pass phrase for security token 
'ldap(0)':

SASL/EXTERNAL authentication started
SASL username: cn=CA Subsystem,o=EXAMPLE.COM
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base o=ipaca with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# ipaca
dn: o=ipaca
objectClass: top
objectClass: organization
o: ipaca

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

Adding the old CA cert back to /etc/pki/pki-tomcat/alias does not fix 
this, although the error is different (ipa cert-show fails with internal 
error caused by XMLSyntaxError: None, pki cert-find fails with 
PKIException: Error searching certs in CertService.searchCerts!). 
Adding the external CA cert does not fix this either.


I'm pretty sure chaining change from self-signed to signed by external 
CA worked for me the last time I have tested it, but it has been some 
time. Maybe something changed in Dogtag? I don't know. Any ideas?






Note that I tried again with a fresh external install, this time without
the --external-ca flag and it basically went through the same steps but
this time it was successful.


Good.





I did a re-install and tried a renewal (with just ipa-server-install). I
moved time forward and saw this:

Request ID '20140627150913':
 status: MONITORING
 ca-error: Server at
https://sif.greyoak.com:8443/ca/agent/ca/profileProcess; replied: 1:
Invalid Credential.
 stuck: no
 key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='323234924210'
 certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
 CA: dogtag-ipa-ca-renew-agent
 issuer: CN=Certificate Authority,O=GREYOAK.COM
 subject: CN=CA Audit,O=GREYOAK.COM
 expires: 2016-06-16 15:08:34 UTC
 key usage: digitalSignature,nonRepudiation
 pre-save command: 

[Freeipa-devel] [PATCH] test_ipaserver: Add OTP token test data to ipatests package

2014-07-02 Thread Petr Viktorin

Hello,

Some data is not put in the ipatests package. This prevents OTP token 
import tests from passing when run out of tree.


Fix included.

--
Petr³
From 51b894668d4c940deca006d069335f8e446a954e Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Wed, 2 Jul 2014 16:35:27 +0200
Subject: [PATCH] test_ipaserver: Add OTP token test data to ipatests package

The missing files caused test failures when running tests out of tree.
---
 freeipa.spec.in  | 1 +
 ipatests/setup.py.in | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 50df60280cfee34c301bdb23083e2b448b413803..774cd8fd18d3e6574164718a101124ec38990e8b 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -836,6 +836,7 @@ fi
 %dir %{python_sitelib}/ipatests/test_ipapython
 %dir %{python_sitelib}/ipatests/test_ipaserver
 %dir %{python_sitelib}/ipatests/test_ipaserver/test_install
+%dir %{python_sitelib}/ipatests/test_ipaserver/data
 %dir %{python_sitelib}/ipatests/test_pkcs10
 %dir %{python_sitelib}/ipatests/test_webui
 %dir %{python_sitelib}/ipatests/test_xmlrpc
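Review bot: the new `%dir %{python_sitelib}/ipatests/test_ipaserver/data` entry only claims ownership of the directory itself; please confirm that the files inside it are matched by an existing glob in this %files section, otherwise the data files are still left out of the package and the out-of-tree test failure this patch addresses remains.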
diff --git a/ipatests/setup.py.in b/ipatests/setup.py.in
index b50cb6026cb5ba68af33207dcdfc13a59d309b38..7f041465c132b6a5ab941ba253c2fb6e011b458e 100644
--- a/ipatests/setup.py.in
+++ b/ipatests/setup.py.in
@@ -80,7 +80,9 @@ def setup_package():
 package_data = {
 'ipatests.test_install': ['*.update'],
 'ipatests.test_integration': ['scripts/*'],
-'ipatests.test_pkcs10': ['*.csr']}
+'ipatests.test_pkcs10': ['*.csr'],
+ipatests.test_ipaserver: ['data/*'],
+}
 )
 finally:
 del sys.path[0]
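Review bot: the new key on the line `ipatests.test_ipaserver: ['data/*'],` is shown without quotes, while the surrounding keys (`'ipatests.test_pkcs10'`, `'ipatests.test_integration'`) are single-quoted; as displayed this would be a NameError at import time. If the mail transport stripped double quotes, please use single quotes to stay consistent with the rest of the dictionary.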
-- 
1.9.3


Re: [Freeipa-devel] [PATCHES 0080-0081] DNSSEC: Add experimental support for DNSSEC

2014-07-02 Thread Petr Spacek

On 27.6.2014 17:11, Martin Basti wrote:

Ticket: https://fedorahosted.org/freeipa/ticket/4408
Patches attached.


Both patches work for me. I have tested a clean installation and an upgrade from 
3.3.5.


--
Petr^2 Spacek



[Freeipa-devel] [PATCH] 0614 test_ipagetkeytab: Fix expected error message

2014-07-02 Thread Petr Viktorin
It looks like the ipa-getkeytab error message for a non-existent service 
changed.


Simo, is this expected?
Is the new message final, or should we just check for the "PrincipalName 
not found." substring?


--
Petr³
From f4c2b789efcdc5c9c9f33de89040b042bfe2898d Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Wed, 2 Jul 2014 18:25:45 +0200
Subject: [PATCH] test_ipagetkeytab: Fix expected error message

---
 ipatests/test_cmdline/test_ipagetkeytab.py | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ipatests/test_cmdline/test_ipagetkeytab.py b/ipatests/test_cmdline/test_ipagetkeytab.py
index ee2fdecf041c2af14c435db0f93493cd49a3999b..5d8708241ad6a8941f5c340769c1097ee322a5cf 100644
--- a/ipatests/test_cmdline/test_ipagetkeytab.py
+++ b/ipatests/test_cmdline/test_ipagetkeytab.py
@@ -86,7 +86,10 @@ def test_1_run(self):
 -k, self.keytabname,
]
 (out, err, rc) = ipautil.run(new_args, stdin=None, raiseonerr=False)
-assert err == 'Operation failed! PrincipalName not found.\n\n'
+assert err == (
+'Failed to parse result! PrincipalName not found.\n\n'
+'Failed to get keytab\n'
+), err
 
 def test_2_run(self):
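Review bot: the replacement assertion still compares the whole stderr text byte for byte, which is what broke the test when the wording changed; unless the exact text is contractual, a substring check such as `assert 'PrincipalName not found.' in err, err` would survive the next rewording of the surrounding "Failed to parse result!" / "Failed to get keytab" lines while still proving the right failure was reported. Keeping `, err` as the assertion message is good, since it shows the actual output on failure.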
 
-- 
1.9.3


Re: [Freeipa-devel] [PATCHES 0080-0081] DNSSEC: Add experimental support for DNSSEC

2014-07-02 Thread Petr Viktorin

On 07/02/2014 06:25 PM, Petr Spacek wrote:

On 27.6.2014 17:11, Martin Basti wrote:

Ticket: https://fedorahosted.org/freeipa/ticket/4408
Patches attached.


Both patches work for me. I have tested a clean installation and an upgrade
from 3.3.5.



Code looks okay, pushed to master: 3b310d6b4f8063149d1abe823b64bc9796a97ab2

Is this all for the ticket? Can we close it?

--
Petr³



Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

2014-07-02 Thread Rob Crittenden
Jan Cholasta wrote:
 On 28.6.2014 00:19, Rob Crittenden wrote:

 I'm going to consolidate all reviews for 241 - 303 here. I'm not doing
 this in any particular order.

Trimming to respond to your questions.
 Not sure if this is related:
 # pki cert-find
 PKIException: Internal Server Error

I'm pretty sure the cert-find error is related to the fact that I had a
test build of dogtag installed, so that can be ignored.

 ipa-client-install still fails for me in RHEL-5 with an external CA:

 2014-06-27 14:04:31,202 DEBUG trying to retrieve CA cert via LDAP from
 ldap://sif.greyoak.com
 2014-06-27 14:04:32,312 INFO Successfully retrieved CA cert
  Subject: /O=GREYOAK.COM/CN=Certificate Authority
  Issuer:  /CN=External Authority

 2014-06-27 14:04:32,467 DEBUG args=/usr/sbin/ipa-join -s sif.greyoak.com
 -b dc=greyoak,dc=com
 2014-06-27 14:04:32,467 DEBUG stdout=
 2014-06-27 14:04:32,467 DEBUG stderr=libcurl failed to execute the HTTP
 POST transaction.  SSL certificate problem, verify that the CA cert is
 OK. Details:
 error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
 verify failed

 This is the query that is being done:

 [27/Jun/2014:14:04:31 -0400] conn=18 op=3 SRCH
 base=CN=CAcert,CN=ipa,CN=etc,dc=greyoak,dc=com scope=0
 filter=(objectClass=pkiCA) attrs=cacertificate;binary

 It returns a single object, the dogtag-issued CA certificate, not the
 entire chain, hence the failure.
 
 I doubt this ever worked, as there can be only one certificate in
 cn=CAcert. Can't do much about this, unless you want to fix it in RHEL 5.

Ok, as it is not a regression I won't let that block these patches.

 Similarly /etc/ipa/ca.crt on the master contains only the IPA CA while
 /usr/share/ipa/html/ca.crt contains the full chain.
 
 Right, will fix.
 

 This works:
 # wget -O /tmp/ca.crt http://sif.greyoak.com/ipa/config/ca.crt
 # ipa-client-install --server=sif.greyoak.com --domain=greyoak.com -p
 admin -w password -U --ca-cert-file=/tmp/ca.crt

 

 Enrollment on RHEL-6 also puts a single CA in /etc/ipa/ca.crt but
 enrollment succeeds.
 
 That's expected, it also uses cn=CAcert. Any idea why it works on RHEL 6
 but not on RHEL 5?

I'd guess it has something to do with OpenSSL vs NSS.

 Patch 303.

 Is the context as cli_installer a cut-n-paste or a conscious choice?
 
 It is indeed copy-paste. Is it wrong?

The context is completely arbitrary and rarely used. But it is used in a
few places, though IIRC mostly on the server side. It probably doesn't
matter much but being client-specific is good future-proofing.


rob

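The failure Rob describes above comes down to a CA bundle that holds only the IPA CA certificate and not the external CA that signed it, so a client trusting the bundle cannot build a chain. The following is an added example, not FreeIPA code, of a small POSIX shell check for exactly that condition: it splits a PEM bundle into its certificates with the openssl command line tool, compares every issuer name against the subject names present in the bundle, and requires that the chain end in a self-signed root. The function name pem_chain_complete and the temporary-directory handling are my own choices; the check is name based only (it does not verify signatures), so it complements rather than replaces `openssl verify -CAfile`.

```shell
#!/bin/sh
# Added example (not FreeIPA code): report whether a PEM bundle such as
# /etc/ipa/ca.crt carries a complete CA chain. Needs the openssl CLI.
#
# Exit status: 0 = every issuer is present and a self-signed root exists,
#              1 = an issuer is missing or there is no self-signed root,
#              2 = the file contains no certificate at all.
pem_chain_complete() {
    bundle=$1
    tmp=$(mktemp -d) || return 2

    # Split the bundle into cert1.pem, cert2.pem, ... (one certificate each).
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                       n { print > (dir "/cert" n ".pem") }' "$bundle"
    if [ ! -e "$tmp/cert1.pem" ]; then
        rm -rf "$tmp"
        return 2
    fi

    # First pass: collect every subject, one per line, in RFC 2253 form so
    # that subject and issuer strings can be compared byte for byte.
    subjects=""
    for f in "$tmp"/cert*.pem; do
        s=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        subjects="${subjects}${s}
"
    done

    # Second pass: every non-self-signed certificate must have its issuer
    # among the collected subjects, and at least one root must be present.
    status=0
    root_found=0
    for f in "$tmp"/cert*.pem; do
        s=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        i=$(openssl x509 -in "$f" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//')
        if [ "$s" = "$i" ]; then
            root_found=1
        elif ! printf '%s' "$subjects" | grep -qxF -- "$i"; then
            echo "issuer not in bundle: $i (needed by: $s)" >&2
            status=1
        fi
    done
    if [ "$root_found" -eq 0 ]; then
        echo "no self-signed root in bundle" >&2
        status=1
    fi

    rm -rf "$tmp"
    return "$status"
}

# Usage: pem_chain_complete /etc/ipa/ca.crt
if [ $# -gt 0 ]; then
    pem_chain_complete "$1" && echo "$1: chain complete"
fi
```

Run against /etc/ipa/ca.crt on a master whose CA was signed by an external CA, this prints the missing issuer name, while /usr/share/ipa/html/ca.crt (which carries the full chain) passes; the names are compared in RFC 2253 form, which is why the same -nameopt is used for both subject and issuer.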


Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

2014-07-02 Thread Jan Cholasta

On 2.7.2014 19:08, Rob Crittenden wrote:

Trimming to respond to your questions.

Not sure if this is related:
# pki cert-find
PKIException: Internal Server Error


I'm pretty sure the cert-find error is related to the fact that I had a
test build of dogtag installed, so that can be ignored.


It does not work for me either, with the current F20 dogtag packages, 
but, like I said, it worked some time ago.



Patch 303.

Is the context as cli_installer a cut-n-paste or a conscious choice?


It is indeed copy-paste. Is it wrong?


The context is completely arbitrary and rarely used. But it is used in a
few places, though IIRC mostly on the server side. It probably doesn't
matter much but being client-specific is good future-proofing.


OK, thought this was something more serious :-) I copied the context 
from ipa-client-automount, since ipa-certupdate is also a client-side 
installer-like command.





rob




--
Jan Cholasta
