Re: [Freeipa-devel] [PATCH] 0025 Respect UID and GID soft static allocation.
On 03/11/14 10:28, David Kupka wrote: On 10/30/2014 10:42 AM, Martin Basti wrote: On 29/10/14 17:23, David Kupka wrote: On 10/29/2014 02:34 PM, David Kupka wrote: On 10/24/2014 03:05 PM, David Kupka wrote: On 10/24/2014 01:06 PM, David Kupka wrote: On 10/24/2014 10:43 AM, Martin Basti wrote: On 24/10/14 09:51, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4585 NACK 1) Why is there a line with 'DS System User'? The comment should depend on service. +args = [ +paths.USERADD, +'-g', group, +'-c', 'DS System User', +'-d', homedir, +'-s', shell, +'-M', '-r', name, +] This was part of the original code and I didn't notice it. Nice catch, thanks. 2) code create_system_user is duplicated between base and redhat tasks with platform dependent changes. IMO it would be better to have one method to create user, with keyword arguments. And then platform dependent method which will call method to create user with appropriate arguments (or with default arguments) You're right it was ugly. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel I shouldn't break SOLID principles. Using super is probably better than explicit naming of parent class. Let user (developer) override UID/GID and hope that he knows why ... In your former patch you had pki homedir path VAR_LIB_PKI_DIR : +if name == 'pkiuser': +uid = 17 +gid = 17 +homedir = paths.VAR_LIB_PKI_DIR +shell = paths.NOLOGIN +comment = 'CA System User' in the last patch you changed it back to: homedir=paths.VAR_LIB, so what is the correct path? The setup package (soft static allocation) claims that pkiuser should use '/usr/share/pki' as home directory.
Since pkiuser has /sbin/nologin set as a login shell it's unable to login and doesn't need a home directory at all. We could use the '--system' option of the useradd utility to skip home directory creation, or change to the proposed value, or just leave the old value; all will result in no change in behavior. I'm not sure if the '--system' option is available universally. IIRC it used to be a Red Hat-like-systems specific extension. If there is no reason to change homedir, don't do it. I will continue with reviewing then. Martin^2 -- Martin Basti
Re: [Freeipa-devel] Question how memberof plugin works
On 31/10/14 18:05, Ludwig Krispenz wrote: On 10/31/2014 05:31 PM, Petr Vobornik wrote: On 31.10.2014 16:54, Martin Basti wrote: Hello list, I ran upgrade (related steps listed in order): ipa-ldap-updater --upgrade - applying update files (including 55-pbacmemberof.update) - updating ACI (new permissions created, added to existing privilege) ipa-upgradeconfig - setting up new service (which uses privilege with new permission) At the end I was expecting the privilege would be missing the new permission (memberOf attribute), but I tested it in lab, and membership was OK. How does the memberof plugin work? I know of http://directory.fedoraproject.org/docs/389ds/design/memberof-plugin.html If there is other source, I would like to see it as well. I don't know of another doc, but the mechanism of memberof is quite simple: In the plugin config you define one or more groupattr and a memberofattr, eg memberofgroupattr: member memberofgroupattr: uniqueMember memberofattr: memberOf then for any occurrence of the groupattr a value for the memberofattr in the referenced entry will be created, eg: dn: cn=group,dc=example member: cn=user,dc=example will trigger the addition of the memberofattr to the referenced entry cn=users dn: cn=user,dc=example objectclass: inetUser memberOf: cn=group,dc=example This happens for any add/delete of a memberofgroupattr or when the memberof fixup task is run. You have to make sure that the entry which you expect the memberof has an objectclass allowing the memberof attribute. We had similar issue with new DNS installation, where memberOf attributes were missing, if DNS was installed later. But I can't reproduce this behavior during upgrade. (Fix was use 55-pbacmemberof.update as last step of bind service installation) Was fixed by a fixup task call in: https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=895f350ebf5f002a8ba5aff3d521640b12aa3cde PS: we had a case where user had broken DNS privileges and 55-pbacmemberof.update helps.
But he had multiple errors and it could be cascade effect. Thank you for the explanation, Ludwig. -- Martin Basti
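To make the mechanism Ludwig describes concrete, here is an added example (not code from 389-ds or FreeIPA) that models the plugin's memberOf propagation over an in-memory directory, including the objectclass caveat and the after-upgrade check of which entries lack the memberOf values they should carry; it also follows nested membership (a permission inside a privilege inside a role), which the thread's example does not show. All function names, the sample entries and the set of memberOf-capable object classes are constructed for this illustration.

```python
"""Toy model of the 389-ds memberOf plugin mechanism described in the thread.

Added example, not code from 389-ds or FreeIPA. A directory is a dict
mapping DN -> entry, where an entry maps attribute name -> list of values.
"""
from collections import deque

# Plugin configuration values named in the thread.
MEMBEROF_GROUP_ATTRS = ("member", "uniqueMember")
MEMBEROF_ATTR = "memberOf"
# Constructed assumption: object classes whose schema permits memberOf
# (inetUser is the one the thread uses; real schema allows more).
CLASSES_ALLOWING_MEMBEROF = {"inetUser"}


def entry_allows_memberof(entry):
    """The caveat from the thread: the target's objectclass must allow memberOf."""
    return any(oc in CLASSES_ALLOWING_MEMBEROF for oc in entry.get("objectclass", []))


def direct_groups(directory):
    """Map each referenced DN to the groups that list it in a group attribute."""
    referenced = {}
    for group_dn, group in directory.items():
        for attr in MEMBEROF_GROUP_ATTRS:
            for target_dn in group.get(attr, []):
                referenced.setdefault(target_dn, []).append(group_dn)
    return referenced


def compute_memberof(directory):
    """Return ({dn: sorted group DNs expected in memberOf}, [dns that cannot hold it]).

    Nested membership is followed (a member of a group that is itself a member of
    another group is memberOf both); the thread shows only the direct case.
    """
    referenced = direct_groups(directory)
    expected, not_allowed = {}, []
    for dn, entry in directory.items():
        if dn not in referenced:
            continue
        if not entry_allows_memberof(entry):
            not_allowed.append(dn)  # referenced, but schema forbids memberOf
            continue
        seen, queue = set(), deque(referenced[dn])
        while queue:
            group_dn = queue.popleft()
            if group_dn in seen:
                continue  # guards against membership cycles
            seen.add(group_dn)
            queue.extend(referenced.get(group_dn, []))
        expected[dn] = sorted(seen)
    return expected, not_allowed


def find_missing_memberof(directory):
    """The post-upgrade check from the thread: which entries lack memberOf
    values the plugin should have produced? Returns {dn: [missing group DNs]}."""
    expected, _ = compute_memberof(directory)
    missing = {}
    for dn, groups in expected.items():
        present = set(directory[dn].get(MEMBEROF_ATTR, []))
        lacking = [g for g in groups if g not in present]
        if lacking:
            missing[dn] = lacking
    return missing


def run_fixup(directory):
    """Rewrite memberOf on every eligible entry, like the memberof fixup task.
    Returns the DNs skipped because their objectclass forbids the attribute."""
    expected, not_allowed = compute_memberof(directory)
    for entry in directory.values():
        entry.pop(MEMBEROF_ATTR, None)  # drop stale values first
    for dn, groups in expected.items():
        directory[dn][MEMBEROF_ATTR] = list(groups)
    return not_allowed


# Constructed sample: the thread's group/user pair plus a nested
# role -> privilege -> permission chain; object classes are illustrative.
SAMPLE = {
    "cn=group,dc=example": {"objectclass": ["groupOfNames"],
                            "member": ["cn=user,dc=example", "cn=orphan,dc=example"]},
    "cn=user,dc=example": {"objectclass": ["inetUser"]},
    "cn=role,dc=example": {"objectclass": ["groupOfNames"],
                           "member": ["cn=privilege,dc=example"]},
    "cn=privilege,dc=example": {"objectclass": ["inetUser"],
                                "member": ["cn=permission,dc=example"]},
    "cn=permission,dc=example": {"objectclass": ["inetUser"]},
    # Referenced by a group, but its objectclass does not allow memberOf.
    "cn=orphan,dc=example": {"objectclass": ["top"]},
}

if __name__ == "__main__":
    print("missing before fixup:", find_missing_memberof(SAMPLE))
    print("skipped by fixup:", run_fixup(SAMPLE))
    print("missing after fixup:", find_missing_memberof(SAMPLE))
```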
Re: [Freeipa-devel] [PATCH 0249-0250] Propagate DNS updates changes from LDAP to signed version of the zone
On 23.4.2014 18:16, Petr Spacek wrote: Hello, this patch set enables DNS updates to secure zones and also propagates changes made in LDAP to secure zones. NSEC3 doesn't work for some reason so don't waste time messing with NSEC3PARAM :-) This is delayed push notice: 170d38dd1b27a5f78eb96fe8c80141f6dd56ec97 98d3deac7b75dfe71f6b0e1306c4c52e38e27f3f -- Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0246-0248] Follow query/transfer/update policies for secure zones
On 7.5.2014 15:22, Petr Spacek wrote: On 23.4.2014 18:14, Petr Spacek wrote: This patch set configures secure zones according to policies in LDAP. Patch 246 v2 fixes incorrect ATTR_NONNULLS usage which causes segfaults when compiled with -O0. Patch 246 v2 obsoletes patch 253. This is delayed push notice: b002846b94826d89e7577ad2ed3d852e5296e9d5 748602ed229d3925cc838a9baf2c9888aef7fb3c 0cee0a351c03522aea8ae643644776ed34b5c01f -- Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0273-0274] Bump NVR to 5.0; Update README and NEWS: DNSSEC and changes in forwarding semantics
On 24.6.2014 17:06, Petr Spacek wrote: Hello, it's release time! Bump NVR to 5.0 and update README and NEWS to describe DNSSEC support and changes in forwarding semantics. This is delayed push notice: d093af67072e44ce65be04c7267c4dbaa6cadf08 c12f72dd3edf34c943a108f90c9fd0dac82a716b -- Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0239-0243] Refactor ldap_parse_master_zoneentry()
On 3.6.2014 10:41, Petr Spacek wrote: On 6.5.2014 22:11, Lukas Slebodnik wrote: On (06/05/14 17:15), Petr Spacek wrote: On 6.5.2014 14:41, Tomas Hozza wrote: - Original Message - Hello, This patch set attempts to move ldap_parse_master_zoneentry() a little bit closer to sane code. It is preparation for https://fedorahosted.org/bind-dyndb-ldap/ticket/56 -- Petr^2 Spacek Patches look good. ACK. ACKing of version 2 of the patch 242 will follow. The patch 243 introduced new compilation warning that Peter is aware of. Unfortunately we are unable to find the root cause of it, so leaving it as is for now... I managed to fix one problem (see new version of the patch 243) but GCC still complains. ../../src/ldap_helper.c: In function 'update_zone': ../../src/ldap_helper.c:2334:34: error: 'data_changed' may be used uninitialized in this function [-Werror=maybe-uninitialized] if (sync_state == sync_finished && data_changed == ISC_TRUE) ^ ../../src/ldap_helper.c:2218:16: note: 'data_changed' was declared here isc_boolean_t data_changed; On my machine with gcc-4.8.2-7.fc20.x86_64 this happens only with -O2. The same problem with -O1, -Os, -O2 or -O3. I doubt it is a false positive, because I could reproduce it even with gcc-4.9.0-1.fc21.x86_64 I'm not able to reproduce this with clang-3.4-6.fc20.x86_64 but it is not so surprising - Clang didn't catch even the first case (fixed by patch version 2). Any hint what is wrong or how to refactor code will be appreciated! ;-) I think it can be some kind of optimization in function zone_sync_apex. You can try to debug this function with plugin -O2-build :-) The warning can be suppressed with initialising the variable before the 1st CHECK. It will not work if you try to initialize later. Yesterday I discussed this with jkratoch. We weren't able to find a case where initialization in ldap_parse_master_zoneentry() would cause any problem so I have added initialization there.
This is delayed push notice: 1aff693f77ef3f2e7f059b52becb5b178eb7b194 04fa577e67543a0b07db329e1ad7fb86c48896ff 2e45aa1d7b83bc33e31b87e919651530944553fb 4fcbaaabf94d9bf2f6942f2ebbc40fed9d2c41a6 f06a0a7375e97d7d275290d8331172fea73be6a4 -- Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0270-0271] Add TLSA and DLV RR types to LDAP schema
On 25.6.2014 14:29, Martin Basti wrote: On Tue, 2014-06-24 at 17:04 +0200, Petr Spacek wrote: Hello, Add TLSA and DLV RR types to LDAP schema. Those RR types will be handy for DNSSEC users. Patch 270 LGTM Patch 271 NACK: You have to add the 'TLSARecord' attribute to idnsRecord objectclass This is delayed push notice: eae0035df2a510512844f602acc70c096fcde2b4 174190a582825478a555c722e9e0314770b895a5 -- Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0261-0262] Support run-time changes in idnsSecInlineSigning attribute
On 17.6.2014 16:41, Tomas Hozza wrote: - Original Message - Hello, This patch set allows you to change DNSSEC zone configuration at run-time. -- Petr^2 Spacek Looks good. ACK. This is delayed push notice: 5cede8e6f666aeec48aa47ba18a143f2037216f8 -- Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0251-0256] Add support for NSEC3
On 21.5.2014 13:56, Tomas Hozza wrote: On 05/21/2014 11:33 AM, Petr Spacek wrote: On 7.5.2014 15:27, Petr Spacek wrote: On 29.4.2014 23:34, Petr Spacek wrote: This patch set adds support for NSEC3. See commit messages for details. Patch 253 was obsoleted by patches 244v2 and 246v2. You can download latest greatest version from dnssec branch on github: https://github.com/spacekpe/bind-dyndb-ldap/tree/dnssec Patch 256v2 removes dead code from zone_master_reconfigure_nsec3param() function. You can download latest greatest version from dnssec branch on github. This doesn't solve a race condition somewhere in start-up sequence, I'm looking into it. Hi. I tested and reviewed patches 244-256 (all latest versions) and tested the https://github.com/spacekpe/bind-dyndb-ldap/tree/dnssec HEAD. Everything works as expected in constraints described in commit messages. There is still a race condition with signing that Petr is aware of and is working on it. (The zone is sometimes not signed if started using systemd). So I'm ACKing the patch-set 244-256 This is delayed push notice: c125ae548b77fffc5af9fc9c5e0f5b3c0b83bfbb 3b120f9a1536b56616f0c2da946039bcdb548025 f72976d1f73470fbbd00791d2cb8f823d9053f61 9ae956c448b0b60123e2d26eb60b37eab08b4393 b26e562c7dc19cca9cfcd51907ecbdeb0d8856f6 Patch 253 was obsoleted by patches 244v2 and 246v2. -- Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0258] Fix run-time zone addition for secure zones
On 17.6.2014 10:36, Tomas Hozza wrote: - Original Message - Subject: Re: [Freeipa-devel] [PATCH 0258] Fix run-time zone addition for secure zones Date: Wed, 04 Jun 2014 17:34:29 +0200 From: Petr Spacekpspa...@redhat.com Organization: Red Hat To: freeipa-devel@redhat.com On 3.6.2014 10:53, Petr Spacek wrote: Hello, Fix run-time zone addition for secure zones. Here comes fix for the fix ... We really need a test-suite for bind-dyndb-ldap. https://fedorahosted.org/bind-dyndb-ldap/ticket/56 -- Petr^2 Spacek ACK. This is delayed push notice: 7589888b70f23c10b0a215cf73d9444677df04d6 -- Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0263-0265] Support root master zone in LDAP Follow BIND semantics for forwarders
On 17.6.2014 16:41, Tomas Hozza wrote: - Original Message - Hello, This patch set contains necessary changes for supporting root master zone in LDAP. I had to remove one hack so now we follow BIND semantics for forwarders. Please see commit messages. https://fedorahosted.org/bind-dyndb-ldap/ticket/122 -- Petr^2 Spacek Looks good. ACK. This is delayed push notice: 1c9b7ec800b0cbdba6032ec4fd1d41cff6ce5e6d bff6d68ac200ea1ab543b090ab2763e2437a48ce 6c212c81f1297bef844cf4c6d6f36fc8231e4a45 -- Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0260] Add wrappers for isc_task_*exclusive()
On 17.6.2014 16:41, Tomas Hozza wrote: - Original Message - Hello, Add wrappers for isc_task_*exclusive(). This patch replaces scattered isc_task_* calls and associated locking to one place. It helps with debugging sometimes. -- Petr^2 Spacek Looks good. ACK. This is delayed push notice: d97e3905fd73839e8abcde8e7ddfb99eefeb22fe -- Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0269] Silence GCC warning about uninitialized ldap_writeback
On 24.6.2014 17:53, Lukas Slebodnik wrote: On (24/06/14 16:46), Petr Spacek wrote: Hello, Silence GCC warning about uninitialized ldap_writeback. It seems like a false positive, I can't imagine how ldap_writeback could be used without prior initialization. -- Petr^2 Spacek From eb253b58d6214b3f94d22c3ec2dcf62d0103ad46 Mon Sep 17 00:00:00 2001 From: Petr Spacekpspa...@redhat.com Date: Mon, 23 Jun 2014 17:02:08 +0200 Subject: [PATCH] Silence GCC warning about uninitialized ldap_writeback. Signed-off-by: Petr Spacekpspa...@redhat.com --- src/ldap_helper.c | 4 1 file changed, 4 insertions(+) diff --git a/src/ldap_helper.c b/src/ldap_helper.c index 43bacf779f44a709b0cefd638826633b9d2d8891..a7a782fdfc5ae4d28b50155c9614d66a427dc3e0 100644 --- a/src/ldap_helper.c +++ b/src/ldap_helper.c @@ -2130,7 +2130,11 @@ zone_sync_apex(const ldap_instance_t * const inst, isc_boolean_t soa_tuple_alloc = ISC_FALSE; isc_uint32_t curr_serial; + REQUIRE(ldap_writeback != NULL); + INIT_LIST(rdatalist); + *ldap_writeback = ISC_FALSE; /* GCC */ + CHECK(setting_get_str(fake_mname, inst-local_settings, fake_mname)); CHECK(ldap_parse_rrentry(inst-mctx, entry, name, fake_mname, -- 1.9.3 ACK This is delayed push notice: eb253b58d6214b3f94d22c3ec2dcf62d0103ad46 -- Petr^2 Spacek
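Review bot: the `*ldap_writeback = ISC_FALSE; /* GCC */` line in the zone_sync_apex hunk is load-bearing, not just a warning silencer: it sits before the first CHECK(...) calls, so any early exit those checks take leaves the caller's flag defined rather than indeterminate, and the new `REQUIRE(ldap_writeback != NULL)` makes the precondition for that dereference explicit. Suggest replacing the `/* GCC */` comment with one stating that the value must be set before any CHECK can bail out, so a later refactor does not move it below them; the hunk does not show whether `INIT_LIST(rdatalist)` replaces an initialization elsewhere in the function, so confirm rdatalist is not initialized twice.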
Re: [Freeipa-devel] [PATCH 0259] Fix run-time zone addition for invalid secure zones
On 17.6.2014 16:40, Tomas Hozza wrote: - Original Message - Hello, Fix run-time zone addition for invalid secure zones. It is important *not* to delete invalid zones to prevent ldap_parse_master_zoneentry() from entering infinite cycle. Zone addition in ldap_parse_master_zoneentry() enforces serial write-back to LDAP. This write generates LDAP modify event which again triggers ldap_parse_master_zoneentry() and so on. https://fedorahosted.org/bind-dyndb-ldap/ticket/56 -- Petr^2 Spacek Looks good. ACK. This is delayed push notice: 8fe1300f4e512a62cf9e5c3038538d52c176fa29 -- Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0033] Remove trivial path constants
On 4.10.2014 01:58, Gabe Alford wrote: Thanks Petr. Updated patch attached. Petr^3, is it okay now? Petr^2 Spacek On Tue, Sep 30, 2014 at 10:59 AM, Petr Viktorin pvikt...@redhat.com wrote: On 09/30/2014 05:13 AM, Gabe Alford wrote: Updated patch to fix merge conflicts from recent changes. On Wed, Sep 24, 2014 at 8:34 PM, Gabe Alford redhatri...@gmail.com wrote: Hello, Patch for https://fedorahosted.org/freeipa/ticket/4399. Let me know if I missed any. Thanks, Gabe Thanks for the patch, and sorry for the delay! ipaserver/tools/ipa-upgradeconfig: The `filename` and `ca_file` aren't module-level constants; I think in this case they improve readability. The ticket calls for removing module-level lines like: NSSWITCH_CONF = paths.NSSWITCH_CONF which are just silly, but assigning a name locally to a global constant is a valid thing to do -- even if the local name just says the file we're working on now. -ca_file = paths.ALIAS_CACERT_ASC -if os.path.exists(ca_file): +if os.path.exists(paths.SYSCONFIG_HTTPD): Whoops! install/wsgi/plugins.py: -PLUGINS_DIR = paths.IPA_JS_PLUGINS_DIR - [...] -if not os.path.isdir(PLUGINS_DIR): +if not os.path.isdir(paths.IPA_CA_CSR): Whoops too! ipaplatform/fedora/tasks.py: ipa-client/ipa-install/ipa-client-install: ipaserver/install/dsinstance.py: ipaserver/install/httpinstance.py: Again, I'd not change the target_fname, filepath. ipapython/sysrestore.py: Again, `SYSRESTORE_PATH` describes better what we do with `paths.TMP`, so I'd prefer keeping it. ipaserver/install/adtrustinstance.py: I don't think we want to convert the self.* to constants. ipaserver/install/certs.py: I'd leave NSS_DIR as it is, rather than lose the comment. ipapython/ipautil.py: ipaserver/install/ldapupdate.py: ipalib/session.py: ipaserver/install/bindinstance.py: SHARE_DIR, UPDATES_DIR, and krbccache_dir, NAMED_CONF (respectively) need to stay, unless you also replace them in everything that uses them.
Be sure to run make-lint after doing these changes. I've rebased, and I made some of the changes as I went along the review. You can base another revision on the attached patch.
Re: [Freeipa-devel] [PATCH 0274] Add TLSARecord to idnsRecord object class
On 27.6.2014 09:34, Petr Spacek wrote: Hello, Add TLSARecord to idnsRecord object class. This is delayed push notice: 2d358ccbc323ea6d4339f22b16d419195054e017 -- Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0257] Fix race condition during zone loading
On 17.6.2014 09:33, Tomas Hozza wrote: - Original Message - On 28.5.2014 13:26, Tomas Hozza wrote: On 05/27/2014 03:59 PM, Petr Spacek wrote: On 27.5.2014 15:54, Petr Spacek wrote: Fix race condition during zone loading. DNS zone has to be added to DNS view before dns_zone_load() is called. It is necessary to prevent dns_zone_load() from racing with dns_zone_setview(). This race condition sometimes prevents zone from being signed. Now the unsigned zone is visible until signing process is complete. This mimics BIND behavior for in-line signed zones. https://fedorahosted.org/bind-dyndb-ldap/ticket/56 And here is the patch... Hi. When I use bind-dyndb-ldap plugin with this patch, named does not start due to: rbt.c:1379: REQUIRE(name->buffer != ((void *)0)) failed, back trace (gdb) bt #0 0x7f3963924c39 in raise () from /lib64/libc.so.6 #1 0x7f3963926348 in abort () from /lib64/libc.so.6 #2 0x7f3966979aee in assertion_failed () #3 0x7f3964b6917a in isc_assertion_failed () from /lib64/libisc.so.95 #4 0x7f39661ca9da in dns_rbt_fullnamefromnode () from /lib64/libdns.so.100 #5 0x7f396011824b in rbt_iter_getnodename (iter=<optimized out>, nodename=nodename@entry=0x7f39625f8bf0) at rbt_helper.c:46 #6 0x7f396011839b in rbt_iter_next (iterp=iterp@entry=0x7f39625f8b90, nodename=nodename@entry=0x7f39625f8bf0) at rbt_helper.c:144 #7 0x7f3960112d32 in activate_zones (task=task@entry=0x7f39668f5790, inst=0x7f39668e4160) at ldap_helper.c:1164 #8 0x7f396011a20d in barrier_decrement (task=0x7f39668f5790, event=0x7f396005b010) at syncrepl.c:138 #9 0x7f3964b8b836 in run () from /lib64/libisc.so.95 #10 0x7f396473ff33 in start_thread () from /lib64/libpthread.so.0 #11 0x7f39639e3ded in clone () from /lib64/libc.so.6 It looks like you should use INIT_BUFFERED_NAME(name); used in the original code instead of dns_name_init(name, NULL). The macro initializes the buffer in name, which is missing in the new code.
Oh yes, it didn't happen on my machine because I had only a single zone defined in LDAP at the time of testing. Thank you for catching this! I'm attaching fixed patch. dns_name_reset() is good enough in this case. -- Petr^2 Spacek Now it works. ACK This is delayed push notice: 129e54db4fb9ccbb85f2445db81d9f0c89722887 -- Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0266] (aka 257.5) Fix zone reloading for in-line signed zones
On 17.6.2014 10:35, Tomas Hozza wrote: - Original Message - Hello, I forgot to send one patch between no. 257 and 258, so here it is :-) Fix zone reloading for in-line signed zones. An invalid secure zone (e.g. without NS records) is now automatically reloaded when data inside the zone are changed. https://fedorahosted.org/bind-dyndb-ldap/ticket/56 -- Petr^2 Spacek ACK. This is delayed push notice: f0bedf45b7ed56717d5dc5566cbbf34938eba0ee -- Petr^2 Spacek
Re: [Freeipa-devel] [PATCHES 0114-0115, 0120-0121] DNS: allow to add root zone '.'
On 16.9.2014 10:36, Martin Kosek wrote: On 09/16/2014 10:30 AM, Martin Basti wrote: On 16/09/14 10:29, Petr Spacek wrote: On 16.9.2014 10:09, Martin Kosek wrote: On 09/16/2014 09:57 AM, Martin Basti wrote: On 16/09/14 09:32, Martin Basti wrote: On 15/09/14 20:31, Martin Kosek wrote: On 09/15/2014 05:16 PM, Martin Basti wrote: On 15/09/14 17:10, Petr Spacek wrote: On 12.9.2014 15:19, Martin Basti wrote: On 03/09/14 12:45, Martin Basti wrote: On 03/09/14 12:27, Martin Kosek wrote: On 09/02/2014 05:46 PM, Petr Spacek wrote: On 25.8.2014 14:52, Martin Basti wrote: Patches attached. Ticket: https://fedorahosted.org/freeipa/ticket/4149 There is a bug in bind-dyndb-ldap (or worse in dirsrv), which causes the named service to stop after deleting zone. Bug ticket: https://fedorahosted.org/bind-dyndb-ldap/ticket/138 Functional ACK, it works for me. It can be pushed if Python gurus are okay with the code. Is it safe to commit the change given that bind-dyndb-ldap still crashes when . is removed? Wouldn't it break our CI tests? Maybe we should wait until fixed bind-dyndb-ldap is released. Hopefully it would be soon. Martin It will break tests, don't push it until bind-dyndb-ldap is fixed. Currently I'm testing bind-dyndb-ldap related patch. Added patches 120 and 121, which are required by DNS to work correctly. Patches 120 and 121 add all DNS replicas to zone apex as NS, --name-server option doesn't add NS record, only changes the SOA MNAME attribute Original and new patches attached. NACK, unfortunately it doesn't work for me: # ipa dnszone-add tri.test. --name-server=ns.test. Administrator e-mail address [hostmaster.tri.test.]: ipa: WARNING: '--name-server' is used only for setting up the SOA MNAME record. To edit NS record(s) in zone apex, use command 'dnsrecord-mod [zone] @ --ns-rec=nameserver'. Zone name: tri.test.
Active zone: TRUE Authoritative nameserver: ns.test. Administrator e-mail address: hostmaster.tri.test. SOA serial: 1410793406 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 BIND update policy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE krb5-self * AAAA; grant IPA.EXAMPLE krb5-self * SSHFP; Dynamic update: FALSE Allow query: any; Allow transfer: none; [root@vm-035 rpms]# ipa dnszone-show tri.test. --all --raw dn: idnsname=tri.test.,cn=dns,dc=ipa,dc=example idnsname: tri.test. idnszoneactive: TRUE idnssoamname: ns.test. idnssoarname: hostmaster.tri.test. idnssoaserial: 1410793408 idnssoarefresh: 3600 idnssoaretry: 900 idnssoaexpire: 1209600 idnssoaminimum: 3600 idnsallowquery: any; idnsallowtransfer: none; idnsAllowDynUpdate: FALSE idnsUpdatePolicy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE krb5-self * AAAA; grant IPA.EXAMPLE krb5-self * SSHFP; nsrecord: vm-035.idm.lab.eng.brq.redhat.com. objectClass: idnszone objectClass: top objectClass: idnsrecord [root@vm-035 rpms]# ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname). ipa: ERROR: tri.test.: DNS resource record not found NACKing NACK ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname). you switched the order of zone and record, it should be ipa dnsrecord-mod tri.test. @ --ns-rec=$(hostname). BTW, since we are so nicely breaking the dnszone-add interface, can we also get rid of always asking for Administrator e-mail address? # ipa dnszone-add tri.test. --name-server=ns.test. Administrator e-mail address [hostmaster.tri.test.]: ... Is there any risk in filling that with default as any other attribute? IMO it would simplify adding zones for one more redundant step. CCing Rob in case he knows some historical reasons why this is requested every time. Martin There is no risk, because ipa-replica-prepare does that with default values Then let us do this, as we are already simplifying the dnszone-add command.
However, this will not work with root zone ., and I'm not sure how often an admin email is used. I think whois is a better utility to get a contact email. Also RIPE-203 [1] recommends using the 'hostmaster' alias. [1] http://www.ripe.net/ripe/docs/ripe-203 This will likely generate tons of invalid e-mail addresses which is somehow unfortunate. Please keep in mind that: 1) E-mail hostmaster@ipa.domain.example. will be useful only if ipa.domain.example. has MX record or at least A/AAAA record (which is usually not the case for domains). 2) WHOIS is not useful for internal domains which is the main deployment scenario for IPA, right? DNS zone . is quite an exception, you are not adding that zone every day. So I would not keep asking for admin mail just for this one. You can add an interactive prompt callback to ask in this case and otherwise just use the default - up to you. As for the mail alias, this can
Re: [Freeipa-devel] [PATCH] Coverity fixes for slapi-nis
On 16.9.2013 09:58, Petr Spacek wrote: On 2.9.2013 15:58, Alexander Bokovoy wrote: Hi Nalin, attached please find two patches that fix minor Coverity issues. The first patch is for issue 11937 which is a false positive but caught up wrong use of the helper method -- the method map_data_set_entry() passes key and value length arguments through to map_data_save_list() which expects them to be arrays but we pass pointer to the variable. Luckily, in our case map_data_save_list() never goes beyond element 0 of the array so the fix is mostly cosmetic. The second fix is in PAM wrapper in the tests and minor too -- we would leak memory if PAM wrapper wasn't called under wrapping condition. The same patches are in my Fedora people slapi-nis tree, branch 'coverity': http://fedorapeople.org/cgit/abbra/public_git/slapi-nis.git/log/?h=coverity ACK This is late push notice: 41b540bc76068355e076ba95e60780bd95905d77 929a68b13defe46c0f8913440ba28f0476dcbdab -- Petr^2 Spacek
Re: [Freeipa-devel] [PATCH] 0025 Respect UID and GID soft static allocation.
On 03/11/14 10:28, David Kupka wrote: On 10/30/2014 10:42 AM, Martin Basti wrote: On 29/10/14 17:23, David Kupka wrote: On 10/29/2014 02:34 PM, David Kupka wrote: On 10/24/2014 03:05 PM, David Kupka wrote: On 10/24/2014 01:06 PM, David Kupka wrote: On 10/24/2014 10:43 AM, Martin Basti wrote: On 24/10/14 09:51, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4585 NACK 1) Why is there a line with 'DS System User'? The comment should depend on service. +args = [ +paths.USERADD, +'-g', group, +'-c', 'DS System User', +'-d', homedir, +'-s', shell, +'-M', '-r', name, +] This was part of the original code and I didn't notice it. Nice catch, thanks. 2) code create_system_user is duplicated between base and redhat tasks with platform dependent changes. IMO it would be better to have one method to create user, with keyword arguments. And then platform dependent method which will call method to create user with appropriate arguments (or with default arguments) You're right it was ugly. I shouldn't break SOLID principles. Using super is probably better than explicit naming of parent class. Let user (developer) override UID/GID and hope that he knows why ... In your former patch you had pki homedir path VAR_LIB_PKI_DIR : +if name == 'pkiuser': +uid = 17 +gid = 17 +homedir = paths.VAR_LIB_PKI_DIR +shell = paths.NOLOGIN +comment = 'CA System User' in the last patch you changed it back to: homedir=paths.VAR_LIB, so what is the correct path? The setup package (soft static allocation) claims that pkiuser should use '/usr/share/pki' as home directory.
Since pkiuser has /sbin/nologin set as a login shell it's unable to login and doesn't need a home directory at all. We could use the '--system' option of the useradd utility to skip home directory creation, or change to the proposed value, or just leave the old value; all will result in no change in behavior. I'm not sure if the '--system' option is available universally. IIRC it used to be a Red Hat-like-systems specific extension. ACK -- Martin Basti
Re: [Freeipa-devel] [PATCH 0034] Missing requires on python-dns
On 8.10.2014 09:46, Petr Spacek wrote: Hello, this is going to be a little bit more interesting. RHEL/CentOS version of FreeIPA depends on python-dns >= 1.11.1-2 but Fedora version should depend on >= 1.12.0. RHEL contains Git snapshot which is newer than 1.11.1 but is still not complete 1.12.0. Fedora contains 'proper' 1.11.1 version which is unfortunately too old. Fedora bug for rebase to 1.12.0: https://bugzilla.redhat.com/show_bug.cgi?id=1150396 For now I have copied the necessary method to DNSSEC daemon directly so FreeIPA release is not blocked by necessity of having latest python-dns in Fedora. This thread should be resurrected when Fedora has new-enough python-dns so we can drop our copy of the code from FreeIPA source tree. Petr^2 Spacek On 7.10.2014 19:34, Gabe Alford wrote: Done. Update patch to use python-dns >= 1.11.1 On Tue, Oct 7, 2014 at 11:26 AM, Martin Basti mba...@redhat.com wrote: On 07/10/14 15:58, Gabe Alford wrote: Forgot to add patch. On Tue, Oct 7, 2014 at 7:58 AM, Gabe Alford redhatri...@gmail.com wrote: Hello, Fix for https://fedorahosted.org/freeipa/ticket/4613 Thanks, Gabe Thank you! I prefer to use python-dns >= 1.11.1, there are some DNSSEC fixes which we may use in tests. Could you send updated patch please? -- Petr^2 Spacek
Re: [Freeipa-devel] [PATCH] 335 Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage
On 10/15/2014 04:43 PM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4629. It depends on my patches 333 and 334, which are also attached. (The original patch was posted at http://www.redhat.com/archives/freeipa-devel/2014-September/msg00454.html.) How to test: 1. install server 2. kinit as admin 3. run ipa-cacert-manage renew --external-ca, it will produce a CSR 4. sign the CSR with some external CA to get new IPA CA certificate 5. run while true; do ldapdelete -H ldap://$HOSTNAME -Y GSSAPI 'cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,<suffix>'; done in background 6. run ipa-cacert-manage renew --external-cert-file=<path to new IPA CA certificate> --external-cert-file=<path to external CA certificate chain> 7. stop the loop from step 5 8. run getcert list -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca', the request should be in MONITORING state, there should be no ca-error Honza Works for me, ACK. Please push only the patch freeipa-jcholast-335. Patches freeipa-jcholast-333 and freeipa-jcholast-334 were pushed earlier. -- David Kupka
Re: [Freeipa-devel] [PATCH] 355 Added vault access control.
On 10/28/2014 5:35 PM, Endi Sukma Dewata wrote:
On 10/22/2014 3:04 PM, Endi Sukma Dewata wrote:

New LDAP ACIs have been added to allow users to create their own private vault container, to allow owners to manage vaults and containers, and to allow members to use the vaults. New CLIs have been added to manage the owner and member list. For archive and retrieve operations the access control has to be enforced by the plugins because those operations only affect the KRA. The LDAP schema has been updated as well. Ticket #3872. This patch depends on #353-2.

New patch attached to fix the ticket URL. It depends on #353-3.

New patch attached for some cleanups.

-- Endi S. Dewata

From a9714d34d180ce26c3d484fe313c991fa101ccfb Mon Sep 17 00:00:00 2001 From: Endi S. Dewata edew...@redhat.com Date: Fri, 17 Oct 2014 12:05:34 -0400 Subject: [PATCH] Added vault access control. New LDAP ACIs have been added to allow users to create their own private vault container, to allow owners to manage vaults and containers, and to allow members to use the vaults. New CLIs have been added to manage the owner and member list. For archive and retrieve operations the access control has to be enforced by the plugins because the operations only affects KRA. The LDAP schema has been updated as well. https://fedorahosted.org/freeipa/ticket/3872 --- API.txt | 134 +++--- VERSION | 4 +- install/share/60basev4.ldif | 4 +- install/updates/40-vault.update | 7 ++ ipalib/plugins/vault.py | 177 +++- 5 files changed, 310 insertions(+), 16 deletions(-) diff --git a/API.txt b/API.txt index b73da0af55a3c514de73ae4e1b2a4d13c01c903d..ee33af74eb2870fcdf1ab7e6781797b348243a8f 100644 --- a/API.txt +++ b/API.txt
@@ -4476,12 +4476,13 @@ output: Output('result', type 'bool', None) output: Output('summary', (type 'unicode', type 'NoneType'), None) output: PrimaryKey('value', None, None) command: vault_add -args: 1,10,3 +args: 1,11,3 arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Bytes('data?', cli_name='data') option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=False) option: Str('in?', cli_name='in') +option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Str('parent', attribute=False, cli_name='parent', multivalue=False, required=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Flag('rights', autofill=True, default=False) 
@@ -4491,13 +4492,40 @@ option: Str('version?', exclude='webui') output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (type 'unicode', type 'NoneType'), None) output: PrimaryKey('value', None, None) +command: vault_add_member +args: 1,7,3 +arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Str('parent?', cli_name='parent') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', type 'int', None) +output: Output('failed', type 'dict', None) +output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: vault_add_owner +args: 1,7,3 +arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Str('parent?', cli_name='parent') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', type 'int', None) +output: Output('failed', type 'dict', None) 
+output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) command: vault_archive -args: 1,11,3 +args: 1,12,3 arg:
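Review bot: in the vault_add hunk (`-args: 1,10,3` / `+args: 1,11,3`, `+option: Flag('no_members', autofill=True, default=False, exclude='webui')`) the only visible change is the no_members flag, while the commit message says owners manage vaults and members use them; nothing in the hunk shows who becomes the owner of a vault created by vault_add. Please confirm that the creating principal is recorded as the owner (otherwise a user who creates a vault in their own private container cannot manage it afterwards) and state that in the vault_add docstring.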
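Review bot: the `+command: vault_add_member` and `+command: vault_add_owner` hunks only declare the API surface, and vault_archive changes here only by the no_members flag (`-args: 1,11,3` / `+args: 1,12,3`), yet the commit message says that for archive and retrieve the access control has to be enforced by the plugins because those operations only touch the KRA. That enforcement is the security-relevant part of this patch and lives in ipalib/plugins/vault.py, which is not covered by these hunks; please add tests that a kinit'ed user who is neither owner nor member of a vault is refused by vault_archive and vault_retrieve, since the new LDAP ACIs cannot protect data that is stored in the KRA, and document the owner/member permission model in the plugin docstring.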
Re: [Freeipa-devel] [PATCH] 356 Added command to retrieve vault transport certificate.
On 10/28/2014 6:26 PM, Endi Sukma Dewata wrote:
On 10/23/2014 6:18 AM, Jan Cholasta wrote:

Hi,

On 22.10.2014 at 22:06, Endi Sukma Dewata wrote:
A new command has been added to retrieve the vault transport certificate and optionally save it into a file. The vault archive and retrieve commands have been modified to retrieve the transport certificate and store it locally for subsequent usage. This way it's no longer necessary to manually import the transport certificate into the client's NSS database.

As part of the CA certificate renewal feature in 4.1, I have added an LDAP certificate store to IPA, see http://www.freeipa.org/page/V4/CA_certificate_renewal. Currently it supports only CA certificates, but it can be extended to support end entity certificates rather easily. If you use it for the vault transport certificate, it can be added to the client NSS database automatically on install.

Honza

I'm attaching a new patch that's identical to the previous one with the ticket URL updated. I'm thinking we should check this patch in first because it's already done, and then investigate the use of the CA cert management utility as a separate enhancement since it seems to need to be generalized before it can be used to manage the KRA transport cert. I'll also need to investigate the KRA transport cert replacement process to make sure it can be accommodated via IPA's cert management utility.

Revised the patch to always download the transport certificate (no local caching). Further optimization can be done later.

-- Endi S. Dewata

From ef9af13e577343d3ff2564e81b9b6dc895a03b09 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com Date: Wed, 22 Oct 2014 10:02:25 -0400 Subject: [PATCH] Added command to retrieve vault transport certificate. A new command has been added to retrieve the vault transport certificate and optionally save it into a file. The vault archive and retrieve command has been modified to retrieve the transport certificate and store it locally for subsequent usage. This way it's no longer necessary to manually import the transport certificate into the client's NSS database. https://fedorahosted.org/freeipa/ticket/3872 --- API.txt | 5 VERSION | 4 +-- ipalib/plugins/vault.py | 80 +++-- 3 files changed, 84 insertions(+), 5 deletions(-) diff --git a/API.txt b/API.txt index ee33af74eb2870fcdf1ab7e6781797b348243a8f..7668e8ceebb1a2b6e6ebcd6d70c9209f5a874627 100644 --- a/API.txt +++ b/API.txt @@ -4633,6 +4633,11 @@ option: Str('version?', exclude='webui') output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (type 'unicode', type 'NoneType'), None) output: PrimaryKey('value', None, None) +command: vault_transport_cert +args: 0,2,1 +option: Str('out?', cli_name='out') +option: Str('version?', exclude='webui') +output: Output('result', None, None) command: vaultcontainer_add args: 1,9,3 arg: Str('cn', attribute=True, cli_name='container_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True) diff --git a/VERSION b/VERSION index c471ed80af6a2c26be7fc89281ae60fac6c68577..d0ada131b700e93faa8c4946b811db36d76341a9 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412 # # IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=110 -# Last change: edewata - added vault access control +IPA_API_VERSION_MINOR=111 +# Last change: edewata - added vault transport certificate 
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py index 20948b267e2c585bd59e801d02f9e0b752399609..00a7a3471d79eee741a1986224c3ad534ec5ff3d 100644 --- a/ipalib/plugins/vault.py +++ b/ipalib/plugins/vault.py @@ -24,6 +24,8 @@ import shutil import string import tempfile +import nss.nss as nss + import pki import pki.account import pki.crypto @@ -109,7 +111,6 @@ EXAMPLES: ) register = Registry() -transport_cert_nickname = KRA Transport Certificate @register() class vaultcontainer(LDAPObject): @@ -693,6 +694,63 @@ class vault_show(LDAPRetrieve): @register() +class vault_transport_cert(Command): +__doc__ = _('Retrieve vault transport certificate.') + + +# list of attributes we want exported to JSON +json_friendly_attributes = ( +'takes_args', +) + +takes_options = ( +Str('out?', +cli_name='out', +doc=_('Output file to store the transport certificate'), +), +) + +has_output_params = ( +Str('certificate', +label=_('Certificate'), +), +) + +def __json__(self): +json_dict = dict( +(a, getattr(self, a)) for a in self.json_friendly_attributes +) +
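Review bot: the commit message still says the transport certificate is retrieved and stored locally for subsequent usage, but the cover note says the patch was revised to always download it with no local caching; please update the commit message so the recorded behaviour matches the code. In the vault.py hunk, the `json_friendly_attributes = ('takes_args',)` tuple and the copied `__json__` method look like they were lifted from the base Command class in ipalib/frontend.py (the "# list of attributes we want exported to JSON" comment included); if the base tuple also carries 'name', this override silently drops it from the metadata exported to the Web UI, so inherit instead of copying. Finally, since a client now fetches the transport certificate on every archive and retrieve, everything it later wraps with that certificate is only as trustworthy as the API call that returned it; verify that the returned certificate chains to the IPA CA before using it (or deliver it through the LDAP certificate store as suggested earlier in the thread) rather than trusting whatever bytes `vault_transport_cert` hands back.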
[Freeipa-devel] [PATCH] 357 Added symmetric and asymmetric vaults.
The IPA vault has been modified to support symmetric and asymmetric vaults to allow clients to pre-encrypt the data. Due to the status of the crypto library the actual encryption will be added separately later. New LDAP attribute types have been added to store the vault type, salt and public key. https://fedorahosted.org/freeipa/ticket/3872

-- Endi S. Dewata

From 062d86c4bf4f58eadb863cbcd01bd39ef30691d8 Mon Sep 17 00:00:00 2001 From: Endi S. Dewata edew...@redhat.com Date: Fri, 24 Oct 2014 19:53:16 -0400 Subject: [PATCH] Added symmetric and asymmetric vaults. The IPA vault has been modified to support symmetric and asymmetric vaults to allow client to pre-encrypt the data. Due to the status of the crypto library the actual encryption will be added separately later. New LDAP attribute types have been added to store vault type, salt and public key. https://fedorahosted.org/freeipa/ticket/3872 --- API.txt | 27 +++- VERSION | 4 +- install/share/60basev4.ldif | 7 +- ipalib/plugins/vault.py | 332 +++- 4 files changed, 358 insertions(+), 12 deletions(-) diff --git a/API.txt b/API.txt index 7668e8ceebb1a2b6e6ebcd6d70c9209f5a874627..7c4a87dcab4a523977cc63341801120816088db1 100644 --- a/API.txt +++ b/API.txt
@@ -4476,14 +4476,20 @@ output: Output('result', type 'bool', None) output: Output('summary', (type 'unicode', type 'NoneType'), None) output: PrimaryKey('value', None, None) command: vault_add -args: 1,11,3 +args: 1,17,3 arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Bytes('data?', cli_name='data') option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=False) option: Str('in?', cli_name='in') +option: Bytes('ipavaultpublickey', attribute=True, cli_name='public_key', multivalue=False, required=False) +option: Bytes('ipavaultsalt', attribute=True, cli_name='salt', multivalue=False, required=False) +option: Str('ipavaulttype', attribute=True, autofill=True, cli_name='type', default=u'standard', multivalue=False, required=False) option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Str('parent', attribute=False, cli_name='parent', multivalue=False, required=False) +option: Str('password?', cli_name='password') +option: Str('password_file?', cli_name='password_file') +option: Str('public_key_file?', cli_name='public_key_file') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Flag('rights', autofill=True, default=False) option: Str('text?', cli_name='text') 
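Review bot: `+option: Str('password?', cli_name='password')` takes the vault password as a plain command-line string, so it lands in shell history and in the process list visible to every local user; use the `Password` parameter type (which prompts and can confirm) and keep `password_file` for non-interactive callers. The declared options also do not tie `password`/`password_file` to `ipavaulttype=symmetric` or `public_key_file`/`ipavaultpublickey` to `asymmetric`: the plugin should reject inconsistent combinations (a password on a standard vault, a public key on a symmetric one) instead of silently ignoring them. And since `+option: Bytes('ipavaultsalt', ...)` lets the caller supply the salt, document whether the client or the server generates it and refuse an empty or too-short value.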
@@ -4519,7 +4525,7 @@ output: Output('completed', type 'int', None) output: Output('failed', type 'dict', None) output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) command: vault_archive -args: 1,12,3 +args: 1,14,3 arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Bytes('data?', cli_name='data') @@ -4528,6 +4534,8 @@ option: Str('in?', cli_name='in') option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Bytes('nonce?', cli_name='nonce') option: Str('parent?', cli_name='parent') +option: Str('password?', cli_name='password') +option: Str('password_file?', cli_name='password_file') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Flag('rights', autofill=True, default=False) option: Str('text?', cli_name='text') 
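Review bot: vault_archive now accepts `+option: Str('password?', cli_name='password')` and `+option: Str('password_file?', cli_name='password_file')`, but the commit message says the actual encryption will be added separately later, so until then data passed with a password to a symmetric vault goes to the KRA without the client-side encryption the option implies. Either refuse archive on non-standard vault types with a clear error until the encryption lands, or say in the option docs that the data is not yet pre-encrypted; the same objection to a plain `Str` password on the command line as in vault_add applies here.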
@@ -4546,11 +4554,14 @@ output: Output('result', type 'dict', None) output: Output('summary', (type 'unicode', type 'NoneType'), None) output: ListOfPrimaryKeys('value', None, None) command: vault_find -args: 1,11,4 +args: 1,14,4 arg: Str('criteria?', noextrawhitespace=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('cn', attribute=True, autofill=False, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=False) option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False) +option: Bytes('ipavaultpublickey', attribute=True, autofill=False, cli_name='public_key', multivalue=False, query=True, required=False) +option: Bytes('ipavaultsalt', attribute=True, autofill=False, cli_name='salt', multivalue=False, query=True, required=False) +option: Str('ipavaulttype', attribute=True, autofill=False,
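Review bot: `+option: Bytes('ipavaultsalt', ... query=True ...)` and `+option: Bytes('ipavaultpublickey', ... query=True ...)` make the salt and the public key searchable in vault_find. There is no use case for looking vaults up by a per-vault random salt, and a binary search key on the command line is awkward at best; drop both from the find options and keep `ipavaulttype`, which is a sensible filter.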
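The commit message for this patch describes symmetric vaults (password plus a stored salt, `ipavaultsalt`) and asymmetric vaults (a stored public key) where the client pre-encrypts the data, and defers the encryption itself. The following Python block is an added example, not FreeIPA code and not the vault plugin: it shows the client-side steps the new options imply, reading the password from `--password` or `--password-file`, checking that the options given match the vault type, generating the salt and deriving a key from password and salt with PBKDF2-HMAC-SHA256. The type names 'symmetric' and 'asymmetric' (only 'standard' appears in the hunk, as the default), the 16-byte salt length, the iteration count and all function names are assumptions made for the example.

```python
"""Client-side option validation and key derivation for symmetric vaults.
Added example; the vault type names other than 'standard', the salt length
and the PBKDF2 parameters are assumptions, not values from the patch."""
import hashlib
import os

# Assumed type names; the hunk only shows 'standard' as the default.
VAULT_TYPES = ("standard", "symmetric", "asymmetric")
SALT_LEN = 16             # assumption: 128-bit random salt
PBKDF2_ITERATIONS = 100000  # assumption: PBKDF2 work factor
KEY_LEN = 32              # 256-bit key for a symmetric cipher


class VaultOptionError(ValueError):
    """Raised when the given options do not fit the vault type."""


def read_password(password=None, password_file=None):
    """Mirror --password / --password-file: exactly one source may be given.
    A password file is read as bytes and one trailing newline is stripped."""
    if password is not None and password_file is not None:
        raise VaultOptionError("give either password or password_file, not both")
    if password_file is not None:
        with open(password_file, "rb") as f:
            data = f.read()
        return data.rstrip(b"\r\n").decode("utf-8")
    if password is None:
        raise VaultOptionError("a password is required")
    return password


def validate_vault_options(vault_type="standard", password=None,
                           password_file=None, public_key=None,
                           public_key_file=None, salt=None):
    """Reject option combinations that do not match the vault type, so a
    password on a standard vault or a public key on a symmetric vault is an
    error rather than something silently ignored."""
    if vault_type not in VAULT_TYPES:
        raise VaultOptionError("unknown vault type %r" % vault_type)
    has_password = password is not None or password_file is not None
    has_pubkey = public_key is not None or public_key_file is not None
    if vault_type == "standard" and (has_password or has_pubkey or salt is not None):
        raise VaultOptionError("standard vault takes no password, public key or salt")
    if vault_type == "symmetric":
        if not has_password:
            raise VaultOptionError("symmetric vault requires a password")
        if has_pubkey:
            raise VaultOptionError("symmetric vault does not take a public key")
    if vault_type == "asymmetric":
        if not has_pubkey:
            raise VaultOptionError("asymmetric vault requires a public key")
        if has_password or salt is not None:
            raise VaultOptionError("asymmetric vault does not take a password or salt")
    if salt is not None and len(salt) < SALT_LEN:
        raise VaultOptionError("salt must be at least %d bytes" % SALT_LEN)
    return True


def new_salt():
    """Fresh random salt; this is what would be stored in ipavaultsalt."""
    return os.urandom(SALT_LEN)


def derive_key(password, salt, iterations=PBKDF2_ITERATIONS, length=KEY_LEN):
    """PBKDF2-HMAC-SHA256 over the vault password and the stored salt."""
    if len(salt) < SALT_LEN:
        raise VaultOptionError("salt too short")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, length)


def prepare_symmetric_vault(password=None, password_file=None, salt=None):
    """Return (salt, key): a new salt for vault_add, or the stored salt when
    archiving to or retrieving from an existing symmetric vault."""
    validate_vault_options("symmetric", password=password,
                           password_file=password_file, salt=salt)
    pw = read_password(password, password_file)
    if salt is None:
        salt = new_salt()
    return salt, derive_key(pw, salt)
```

The salt is stored next to the vault and is not secret; what the design relies on is that the derived key never leaves the client, so the retrieve path has to re-derive it from the stored salt and the password the user supplies, and a wrong password shows up as a different key rather than as a server-side error.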