Re: [Freeipa-devel] [PATCH 0011-0012][RFE] ipa-replica-manage: automatically clean dangling RUVs
Hi, Worked those comments into the code. Also added a bit different info message in clean_ruv with ca=True (ipa-replica-manage:430). Also adding steps to reproduce: 1. Create a master and some replica (3 replicas is a good solution - 1 with CA, 1 without, 1 to be dangling (with CA)) 2. Change domain level to 0 and ipactl restart 3. Remove the "dangling-to-be" replica from masters.ipa.etc and from both ipaca and domain subtrees in mapping tree.config 4. Try to remove the dangling ruvs with the command Cheers, Standa On 01/22/2016 01:22 PM, Martin Basti wrote: Hello, I have a few comments PATCH Automatically detect and remove dangling RUVs 1) +# get the Directory Manager password +if options.dirman_passwd: +dirman_passwd = options.dirman_passwd +else: +dirman_passwd = installutils.read_password('Directory Manager', +confirm=False, validate=False, retry=False) +if dirman_passwd is None: +sys.exit('Directory Manager password is required') + +options.dirman_passwd = dirman_passwd IMO you need only else branch here if not options.dirman_password: dirman_passwd = installutils.read_password('Directory Manager', confirm=False, validate=False, retry=False) if dirman_passwd is None: sys.exit('Directory Manager password is required') options.dirman_passwd = dirman_passwd 2) We should use new formatting in new code (more times in code) +sys.exit( +"Failed to get data from '%s' while trying to list replicas: %s" % +(host, e) +) sys.exit( "Failed to get data from '{host}' while trying to list replicas: {e}".format( host=host, e=e ) ) 3) +# get all masters +masters_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), +ipautil.realm_to_suffix(realm)) IMO you should use constants: masters_dn = DN(api.env.container_masters, api.env.basedn) 4) +# Get realm string for config tree +s = realm.split('.') +s = ['dc={dc},'.format(dc=x.lower()) for x in s] +realm_config = DN(('cn', ''.join(s)[0:-1])) Can be api.env.basedn used instead of this block of code? 
5) +masters = [x.single_value['cn'] for x in masters] +for master in masters: is there any reason why not iterate over the keys in info dict? for master_name, master_data/values/whatever in info.items(): master_data['online'] = True Looks better than: info[master]['online'] = True 6) I asked python gurus, for empty lists and dicts, please use [] and {} instead of list() and dict() It is preferred and faster. 7) +if(info[master]['ca']): +entry = conn.get_entry(csreplica_dn) +csruv = (master, entry.single_value.get('nsDS5ReplicaID')) +if csruv not in csruvs: +csruvs.append(csruv) I dont like too much adding tuples into list and then doing search there, but it is as designed However can you use set() instead of list when the purpose of variable is only testing existence? related to: csruvs ruvs offlines clean_list cleaned 8) conn in finally block may be undefined 9) unused local variables clean_list entry on line 570 10) optional, comment what keys means in info structure From a1421841c88ab233179f175f49000995b2db4acc Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Fri, 18 Dec 2015 10:30:44 +0100 Subject: [PATCH 1/2] Listing and cleaning RUV extended for CA suffix https://fedorahosted.org/freeipa/ticket/5411 --- install/tools/ipa-replica-manage | 44 ++-- ipaserver/install/replication.py | 2 +- 2 files changed, 30 insertions(+), 16 deletions(-) diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage index e4af7b2fd9a40482dfa75d275d528221a1bc22ad..d0a9598985a0c43a25c04ba9a0005eb231052fd1 100755 --- a/install/tools/ipa-replica-manage +++ b/install/tools/ipa-replica-manage @@ -345,7 +345,7 @@ def del_link(realm, replica1, replica2, dirman_passwd, force=False): return True -def get_ruv(realm, host, dirman_passwd, nolookup=False): +def get_ruv(realm, host, dirman_passwd, nolookup=False, ca=False): """ Return the RUV entries as a list of tuples: (hostname, rid) """ 
@@ -354,7 +354,10 @@ def get_ruv(realm, host, dirman_passwd, nolookup=False): enforce_host_existence(host) try: -thisrepl = replication.ReplicationManager(realm, host, dirman_passwd) +if ca: +thisrepl = replication.get_cs_replication_manager(realm, host, dirman_passwd) +else: +thisrepl = replication.ReplicationManager(realm, host, dirman_passwd) except Exception as e: print("Failed to connect to server %s: %s" % (host, e)) sys.exit(1) @@ -362,7 +365,7 @@ def get_ruv(realm, host, dirman_passwd, nolookup=False): search_filter = '(&(nsuniqueid=fff
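Review bot: In the `@@ -345,7 +345,7 @@` hunk, `get_ruv` gains a `ca=False` parameter but the docstring below it still only says "Return the RUV entries as a list of tuples: (hostname, rid)". Please extend the docstring to say what `ca=True` selects, so that callers listing or cleaning RUVs know which suffix the returned replica IDs belong to.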
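Review bot: In the `@@ -354,7 +354,10 @@` hunk, both branches sit under the same `except Exception as e` handler, so a failure inside `replication.get_cs_replication_manager(realm, host, dirman_passwd)` is reported with the unchanged message "Failed to connect to server %s: %s" and nothing tells the administrator that it was the CA replication manager that could not be set up. Consider mentioning the CA suffix in the message when `ca` is true.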
Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin
On 25.01.2016 15:12, Aleš Mareček wrote: Tested + several other dependent tests executed as well - PASS. The patch looks good, ACK. - Original Message - From: "Filip Skola" To: "Milan Kubík" Cc: freeipa-devel@redhat.com, "Aleš Mareček" Sent: Monday, January 25, 2016 11:55:35 AM Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin - Original Message - On 01/15/2016 03:41 PM, Filip Skola wrote: Hi, sending rebased patch on top of 58c42ddac0964a8cce7c1e1faa7516da53f028ad. Includes a "fix" for the rename-to-invalid-username issue for the new version. F. - Original Message - Hi, I don't know what is causing the \r\n issue. I use vim and than send each email with claws-mail. Didn't spot this issue when trying emailing the patch to my other address. I'm trying to send it from zimbra now, let me know if that helped pls. Fix for the stageuser plugin issues caused by this patch should have been included in the last update; I think the remaining issue is not caused by UserTracker changes. Please correct me, if I'm wrong. There is some issue with "test_rename_to_too_long_login" test. It fails but actually this is false positive because it is possible to create login upto 255 characters. I don't know why test mentions 32 characters without any other modified setup. NACK for now. - alich - This has been changed. This test still fails, though. Filip - Original Message - From: "Aleš Mareček" To: "Filip Škola" Cc: freeipa-devel@redhat.com, "Milan Kubík" Sent: Thursday, December 10, 2015 4:11:47 PM Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin Ah, sorry, haven't realized there had been devel list attached. Ok, there is some problem with \r\n in the patch. Filip, please take a look at it... Thanks... - alich - - Original Message - From: "Filip Škola" To: "Aleš Mareček" Cc: freeipa-devel@redhat.com, "Milan Kubík" Sent: Thursday, December 10, 2015 11:29:52 AM Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin Hi, this if fixed. 
Also issues with test_stageuser_plugin caused by UserTracker changes should be fixed here. Filip On Mon, 7 Dec 2015 09:29:31 -0500 (EST) Aleš Mareček wrote: NACK. $ ./make-lint * Module ipatests.test_xmlrpc.test_user_plugin ipatests/test_xmlrpc/test_user_plugin.py:42: [E0611(no-name-in-module), ] No name 'ldaptracker' in module 'ipatests.test_xmlrpc') $ grep ldaptracker ipatests/test_xmlrpc/test_user_plugin.py from ipatests.test_xmlrpc.ldaptracker import Tracker $ ls ipatests/test_xmlrpc/ldaptracker* ls: cannot access ipatests/test_xmlrpc/ldaptracker*: No such file or directory - Original Message - From: "Filip Škola" To: "Milan Kubík" Cc: freeipa-devel@redhat.com Sent: Thursday, December 3, 2015 5:38:43 PM Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin Hi, sending corrected version. F. On Thu, 12 Nov 2015 14:03:19 +0100 Milan Kubík wrote: On 11/10/2015 12:13 PM, Filip Škola wrote: Hi, fixed. F. On Tue, 10 Nov 2015 10:52:45 +0100 Milan Kubík wrote: On 11/09/2015 04:35 PM, Filip Škola wrote: Another patch was applied in the meantime. Attaching an updated version. F. On Mon, 9 Nov 2015 13:35:02 +0100 Milan Kubík wrote: On 11/06/2015 11:32 AM, Filip Škola wrote: Hi, the patch doesn't apply. Please fix this. ipatests/test_xmlrpc/test_user_plugin.py:1419: [E0602(undefined-variable), TestDeniedBindWithExpiredPrincipal.teardown_class] Undefined variable 'user1') Also, use the version numbers for your changed patches. Thanks for the patch. Several issues: 1. Use dict.items instead of dict.iteritems, for python3 compatibility 2. What is the purpose of TestPrepare class? The 'purge' methods do not call any ipa commands. Tracker.make_fixture should be used to make the Tracked resources clean themselves up when they're out of scope. 3. Why reference the resources by hardcoded name if they have a fixture representation? 4. Rewrite {create,delete}_test_group to a fixture. You may want to use different scope (or not). 5. 
In `def atest_rename_to_invalid_login(self, user):` - use pytest.skipif decorator and provide a reason if you must, do not obfuscate method name in order not to run it. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code NACK, there are errors occurring that do not appear in the respective test cases in the declarative test. In the original module the ` Test a login name that is too long` and `Try to rename to a username that is too long` do not use {add,set}attr. Why do you use them? I'm also postponing the review of your other patches as they depend on c
[Freeipa-devel] [PATCH] 0007 Refactor test_sudocmd_plugin
Hello, attaching refactored sudocmd_plugin. Filip From ad926d3a9bdf4fae2504c60e0facb26485f91941 Mon Sep 17 00:00:00 2001 From: Filip Skola Date: Mon, 18 Jan 2016 13:56:44 +0100 Subject: [PATCH] Refactor test_sudocmd_plugin --- ipatests/test_xmlrpc/test_sudocmd_plugin.py | 561 +--- 1 file changed, 262 insertions(+), 299 deletions(-) diff --git a/ipatests/test_xmlrpc/test_sudocmd_plugin.py b/ipatests/test_xmlrpc/test_sudocmd_plugin.py index 2056118ba763be45e78ddf6643059e32d7680af8..bf056a606248d001889af3ee8d9dcec7118be502 100644 --- a/ipatests/test_xmlrpc/test_sudocmd_plugin.py +++ b/ipatests/test_xmlrpc/test_sudocmd_plugin.py 
@@ -21,309 +21,272 @@ Test the `ipalib/plugins/sudocmd.py` module. """ -from ipalib import errors -from ipatests.test_xmlrpc.xmlrpc_test import (Declarative, fuzzy_sudocmddn, -fuzzy_uuid) +from ipalib import api, errors +from ipatests.util import assert_deepequal +from ipatests.test_xmlrpc.xmlrpc_test import (XMLRPC_test, fuzzy_sudocmddn, + fuzzy_uuid, raises_exact) from ipatests.test_xmlrpc import objectclasses +from nose.tools import raises import pytest -sudocmd1 = u'/usr/bin/sudotestcmd1' -sudocmd1_camelcase = u'/usr/bin/sudoTestCmd1' -sudorule1 = u'test_sudorule1' +sudocmd_nonexistent = u'testing_sudocmd' +sudocmd1_desc = u'Test sudo command 1' +sudocmd2_desc = u'Test sudo command 2' + + +def create_sudocmd(command, description): +""" Create sudocmd and check the result """ +result = api.Command['sudocmd_add']( +command, description=description +) +assert_deepequal(dict( +value=command, +summary=u'Added Sudo Command "%s"' % command, +result=dict( +dn=fuzzy_sudocmddn, +sudocmd=[command], +description=[description], +objectclass=objectclasses.sudocmd, +ipauniqueid=[fuzzy_uuid])), +result) + + +def delete_sudocmd(command): +""" Delete sudocmd and check the result """ +result = api.Command['sudocmd_del'](command) +assert_deepequal(dict( +value=[command], +summary=u'Deleted Sudo Command "%s"' % command, +result=dict(failed=[])), +result) + + +@pytest.fixture(scope='class') +def sudocmd1(request): +command = u'/usr/bin/sudotestcmd1' +description = sudocmd1_desc +create_sudocmd(command, description) + +def fin(): +delete_sudocmd(command) +request.addfinalizer(fin) +return command + + +@pytest.fixture(scope='class') +def sudocmd2(request): +command = u'/usr/bin/sudoTestCmd1' +description = sudocmd2_desc +create_sudocmd(command, description) + +def fin(): +delete_sudocmd(command) +request.addfinalizer(fin) +return command + + +@pytest.fixture(scope='class') +def sudorule1(request): +name = u'test_sudorule1' + +def fin(): +api.Command['sudorule_del'](name) 
+request.addfinalizer(fin) +return name + + +@pytest.mark.tier1 +class TestNonexistentSudoCmd(XMLRPC_test): +@raises(errors.NotFound) +def test_retrieve_nonexistent(self): +""" Try to retrieve non-existent sudocmd """ +api.Command['sudocmd_show'](sudocmd_nonexistent) + +@raises(errors.NotFound) +def test_update_nonexistent(self): +""" Try to update non-existent sudocmd """ +api.Command['sudocmd_mod'](sudocmd_nonexistent, description=u'Nope') + +@raises(errors.NotFound) +def test_delete_nonexistent(self): +""" Try to delete non-existent sudocmd """ +api.Command['sudocmd_del'](sudocmd_nonexistent) + + +@pytest.mark.tier1 +class TestSudoCmd(XMLRPC_test): +def test_create(self, sudocmd1, sudocmd2): +""" Create sudocmd and sudocmd with camelcase'd command """ +# sudocmds get created by the fixtures + +def test_create_duplicate(self, sudocmd1): +""" Try to create duplicate sudocmd """ +with raises_exact(errors.DuplicateEntry( +message=u'sudo command with name "%s" already exists' % sudocmd1)): +create_sudocmd(sudocmd1, '') + +def test_create_duplicate_camelcase(self, sudocmd2): +""" Try to create duplicate camelcase'd sudocmd """ +with raises_exact(errors.DuplicateEntry( +message=u'sudo command with name "%s" already exists' % sudocmd2)): +create_sudocmd(sudocmd2, '') + +def test_retrieve(self, sudocmd1): +""" Retrieve sudocmd """ +result = api.Command['sudocmd_show'](sudocmd1) +assert_deepequal(dict( +value=sudocmd1, +summary=None, +result=dict( +dn=fuzzy_sudocmddn, +sudocmd=[sudocmd1], +description=[sudocmd1_desc])), +result) + +def test_search(self, sudocmd1): +""" Search for sudocmd """ +result = api.Command['sudocmd_find'](sudocmd1) +assert_deepequal(dict( +count=
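Review bot: The `sudorule1` fixture never creates the rule, it only returns the name `u'test_sudorule1'`, yet its finalizer calls `api.Command['sudorule_del'](name)` unconditionally. If the test that is expected to add the rule fails or is not run, teardown will fail on the missing entry and obscure the real result. Either create the rule inside the fixture, as `sudocmd1` and `sudocmd2` do for their commands, or make `fin()` tolerate `errors.NotFound`. Separately, `create_sudocmd(sudocmd1, '')` and `create_sudocmd(sudocmd2, '')` pass a plain `''` description where the rest of the module uses `u''` literals.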
Re: [Freeipa-devel] [PATCH 0031] ipatests: fix the install of external ca
On 01/22/2016 02:22 PM, Martin Babinsky wrote: On 01/19/2016 05:56 PM, Milan Kubík wrote: On 01/19/2016 05:31 PM, Milan Kubík wrote: Patch attached. This actually has a ticket opened. Patch with fixed commit message. ;) -- Milan Kubik Hi Milan, for the step 1 installation I would rather reuse the tasks:install_master function which already does (nearly) all CLI option-related magic. You can extend its signature by adding a parameter to pass on additional options like this: --- a/ipatests/test_integration/tasks.py +++ b/ipatests/test_integration/tasks.py @@ -258,7 +258,7 @@ def enable_replication_debugging(host): stdin_text=logging_ldif) -def install_master(host, setup_dns=True, setup_kra=False): +def install_master(host, setup_dns=True, setup_kra=False, extra_args=()): host.collect_log(paths.IPASERVER_INSTALL_LOG) host.collect_log(paths.IPACLIENT_INSTALL_LOG) inst = host.domain.realm.replace('.', '-') @@ -284,6 +284,8 @@ def install_master(host, setup_dns=True, setup_kra=False): '--auto-reverse' ]) +args.extend(extra_args) + host.run_command(args) enable_replication_debugging(host) setup_sssd_debugging(host) Thanks for the suggestion. Though, this is not possible without larger changes to tasks.install_master. The external ca test needs to skip several steps that occur in the general install task. In this case, I'd remain with customized install in the test itself. -- Milan Kubik
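Review bot: In the suggested `install_master` change, `args.extend(extra_args)` accepts any iterable, so a caller who passes a single option as a string would have it appended one character per argument. The new `extra_args=()` parameter should be documented as a list or tuple of complete arguments, or the function should reject a `str` before extending `args`.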
Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin
Tested + several other dependent tests executed as well - PASS. The patch looks good, ACK. - Original Message - > From: "Filip Skola" > To: "Milan Kubík" > Cc: freeipa-devel@redhat.com, "Aleš Mareček" > Sent: Monday, January 25, 2016 11:55:35 AM > Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin > > > > - Original Message - > > On 01/15/2016 03:41 PM, Filip Skola wrote: > > > Hi, > > > > > > sending rebased patch on top of 58c42ddac0964a8cce7c1e1faa7516da53f028ad. > > > > > > Includes a "fix" for the rename-to-invalid-username issue for the new > > > version. > > > > > > F. > > > > > > - Original Message - > > >> Hi, > > >> > > >> I don't know what is causing the \r\n issue. I use vim and than send > > >> each > > >> email with claws-mail. Didn't spot this issue when trying emailing the > > >> patch > > >> to my other address. I'm trying to send it from zimbra now, let me know > > >> if > > >> that helped pls. > > >> > > >> Fix for the stageuser plugin issues caused by this patch should have > > >> been > > >> included in the last update; I think the remaining issue is not caused > > >> by > > >> UserTracker changes. Please correct me, if I'm wrong. > > >> > > >>> There is some issue with "test_rename_to_too_long_login" test. It fails > > >>> but > > >>> actually this is false positive because it is possible to create login > > >>> upto > > >>> 255 characters. I don't know why test mentions 32 characters without > > >>> any > > >>> other modified setup. > > >>> NACK for now. > > >>> - alich - > > >> This has been changed. This test still fails, though. > > >> > > >> Filip > > >> > > >>> > > >>> - Original Message - > > From: "Aleš Mareček" > > To: "Filip Škola" > > Cc: freeipa-devel@redhat.com, "Milan Kubík" > > Sent: Thursday, December 10, 2015 4:11:47 PM > > Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin > > > > Ah, sorry, haven't realized there had been devel list attached. 
> > Ok, there is some problem with \r\n in the patch. > > Filip, please take a look at it... > > Thanks... > > - alich - > > > > - Original Message - > > > From: "Filip Škola" > > > To: "Aleš Mareček" > > > Cc: freeipa-devel@redhat.com, "Milan Kubík" > > > Sent: Thursday, December 10, 2015 11:29:52 AM > > > Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin > > > > > > Hi, > > > > > > this if fixed. Also issues with test_stageuser_plugin caused by > > > UserTracker changes should be fixed here. > > > > > > Filip > > > > > > > > > On Mon, 7 Dec 2015 09:29:31 -0500 (EST) > > > Aleš Mareček wrote: > > > > > >> NACK. > > >> > > >> $ ./make-lint > > >> * Module ipatests.test_xmlrpc.test_user_plugin > > >> ipatests/test_xmlrpc/test_user_plugin.py:42: > > >> [E0611(no-name-in-module), ] No name 'ldaptracker' in module > > >> 'ipatests.test_xmlrpc') > > >> > > >> $ grep ldaptracker ipatests/test_xmlrpc/test_user_plugin.py > > >> from ipatests.test_xmlrpc.ldaptracker import Tracker > > >> $ ls ipatests/test_xmlrpc/ldaptracker* > > >> ls: cannot access ipatests/test_xmlrpc/ldaptracker*: No such file or > > >> directory > > >> > > >> > > >> - Original Message - > > >>> From: "Filip Škola" > > >>> To: "Milan Kubík" > > >>> Cc: freeipa-devel@redhat.com > > >>> Sent: Thursday, December 3, 2015 5:38:43 PM > > >>> Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin > > >>> > > >>> Hi, > > >>> > > >>> sending corrected version. > > >>> > > >>> F. > > >>> > > >>> On Thu, 12 Nov 2015 14:03:19 +0100 > > >>> Milan Kubík wrote: > > >>> > > On 11/10/2015 12:13 PM, Filip Škola wrote: > > > Hi, > > > > > > fixed. > > > > > > F. > > > > > > On Tue, 10 Nov 2015 10:52:45 +0100 > > > Milan Kubík wrote: > > > > > >> On 11/09/2015 04:35 PM, Filip Škola wrote: > > >>> Another patch was applied in the meantime. > > >>> > > >>> Attaching an updated version. > > >>> > > >>> F. 
> > >>> > > >>> On Mon, 9 Nov 2015 13:35:02 +0100 > > >>> Milan Kubík wrote: > > >>> > > On 11/06/2015 11:32 AM, Filip Škola wrote: > > Hi, > > the patch doesn't apply. > > > > >> Please fix this. > > >> > > >>ipatests/test_xmlrpc/test_user_plugin.py:1419: > > >> [E0602(undefined-variable), > > >> TestDeniedBindWithExpiredPrincipal.teardown_class] Undefined > > >> variable 'user1') > > >> > > >> Also, use the version numbers for your changed patches. > > >> > > > > > Thanks for the patc
[Freeipa-devel] [PATCH] 0002 Add support for user parameter for /ipa/ui/reset_password.html
Hello again, another patch is ready for reviewing. Now it is the patch which adds support for user parameter for /ipa/ui/reset_password.html page. That means that you can prefill username field by using url parameter 'user'. Here is the ticket link: https://fedorahosted.org/freeipa/ticket/5001 . Pavel Vomacka Intern From 1ee0ea7aad2ccb39a070e3a5dc4a8732a2ff08cc Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Mon, 25 Jan 2016 14:44:51 +0100 Subject: [PATCH] Add support for the 'user' url parameter for the reset_password.html The /ipa/ui/reset_password.html page is now able to use url parameter 'user'. The value of this parameter is used for pre-filling the username field. https://fedorahosted.org/freeipa/ticket/5001 --- install/ui/reset_password.js | 4 1 file changed, 4 insertions(+) diff --git a/install/ui/reset_password.js b/install/ui/reset_password.js index 2e0db7db8049aa3edc9bccbfe87b7224d3a68878..8dcdefdd03295450a715405a2cf8d66f9bbc44ac 100644 --- a/install/ui/reset_password.js +++ b/install/ui/reset_password.js @@ -207,6 +207,10 @@ RP.redir_count_down = function() { RP.init = function() { +var opts = RP.parse_uri(); +if (opts['user']) { +$("#user").val(opts['user']); +} $('#reset_password').submit(function() { RP.on_submit(); -- 2.5.0
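Review bot: In `RP.init`, `opts['user']` is taken from the page URL and written into the form with no check on its type or length, and the hunk does not show what `RP.parse_uri()` returns when `user` is missing, empty or repeated. Assigning it through `$("#user").val(...)` is the right sink, since it sets the field value without parsing it as HTML, and that should stay the only place the parameter is used. Please add a guard that the value is a string of reasonable length before the assignment, and a comment noting that the value is untrusted input from the link. `opts.user` would also be the more idiomatic spelling than `opts['user']`.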
Re: [Freeipa-devel] [PATCH] 948 stop installer when setup-ds.pl fail
On 22.01.2016 10:17, Martin Babinsky wrote: On 01/21/2016 07:28 PM, Petr Vobornik wrote: Petr Vobornik ACK. Pushed to: master: b0894a84932c3b02c495f29b7c110dd072da745f ipa-4-3: 0b2961e87c1978dc49395aba6df50269ef359ba4
Re: [Freeipa-devel] [PATCH] 0760 - Split ipa-client/ into ipaclient/ and client/
On 14.1.2016 17:49, Petr Viktorin wrote: On 01/14/2016 11:09 AM, Jan Cholasta wrote: On 14.1.2016 10:48, Petr Viktorin wrote: On 01/14/2016 07:55 AM, Jan Cholasta wrote: Hi, On 13.1.2016 13:03, Martin Babinsky wrote: On 01/13/2016 11:34 AM, Petr Viktorin wrote: Hello, I'm planning to port the ipa-client to Python 3, and I'm likely to end up shaking out some dusty corners of the codebase, rather than doing the minimal amount of work :) So I'd like to get your opinions before I commit significant time to this. Here's a patch for review. (I'm sending the full diff for applying; the result is nicer to look at with `git show -C`) [...] client-tools/ - man/* - *.c - *.h - all the automake stuff - current contents of ipa-install (Python scripts that go in /usr/sbin) I would rather s/client-tools/client/, as this stuff goes into the freeipa-*client* subpackage. OK. It's just that there's no admintools/ or server/ either. Putting the scripts into install/tools/ (or install/client/) is another possibility. Right. I guess we have to decide whether we want a directory layout based on the component/subpackage or not. install/tools/ works for me equally well. I put the scripts in client/. IPA supports building just the client bits, and that's easier if the server and client scripts are separate. I'm not sure if this is what you are suggesting or not, but I would like the man page files to be in the same directory as the corresponding source code files. Do you mean not having the man/ subdirectory? Yes. (I don't insist though.) Even if you did insist, I think it would be better to ditch install/tools/man/ and ipatests/man/ at the same time as client/man/, so I'm leaving this for a potential future patch. It could be done gradually (there already is /ipa.1 for /ipa), but OK. The patch needs a rebase on top of master and ipa-4-3. Otherwise ACK. 
-- Jan Cholasta
[Freeipa-devel] New tool tips for Refresh, Revert, Undo and Undo All buttons
Hello everyone, I just made a patch for the https://fedorahosted.org/freeipa/ticket/5428 ticket. The patch adds tool tips to the buttons in detail views. The text of new tool tips is written in the comment of the ticket. Pavel Vomacka Intern From 8e291c698b0bb6275ce4cb220815ba54446f62fe Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Mon, 25 Jan 2016 13:23:20 +0100 Subject: [PATCH] Add tool tips for Revert, Refresh, Undo, and Undo All Add tool tips for buttons in detail view. New tooltips: Reload - Reload current settings from the server. Revert - Undo all unsaved changes. Undo - Undo this change. Undo all - Undo all changes in this field. https://fedorahosted.org/freeipa/ticket/5428 --- install/ui/src/freeipa/details.js | 2 ++ install/ui/src/freeipa/widget.js | 2 ++ install/ui/test/data/ipa_init.json | 4 ipalib/plugins/internal.py | 6 -- 4 files changed, 12 insertions(+), 2 deletions(-) diff --git a/install/ui/src/freeipa/details.js b/install/ui/src/freeipa/details.js index c708a878b7d6d29815535b7508da0c4cc30a3b5c..bb3e3ec2170029fcce780939127fa4426fe81d99 100644 --- a/install/ui/src/freeipa/details.js +++ b/install/ui/src/freeipa/details.js @@ -482,6 +482,7 @@ exp.details_facet_pre_op = function(spec, context) { spec.control_buttons.unshift( { name: 'revert', +title: '@i18n:buttons.revert_title', label: '@i18n:buttons.revert', icon: 'fa-undo' }, @@ -494,6 +495,7 @@ exp.details_facet_pre_op = function(spec, context) { spec.control_buttons.unshift( { name: 'refresh', +title: '@i18n:buttons.refresh_title', label: '@i18n:buttons.refresh', icon: 'fa-refresh' }); diff --git a/install/ui/src/freeipa/widget.js b/install/ui/src/freeipa/widget.js index 434a4b1bbe2ce1e71914f8543410de9212b389fe..41d75fe0cd80024f6bb44405456bedc5f3fbca47 100644 --- a/install/ui/src/freeipa/widget.js +++ b/install/ui/src/freeipa/widget.js 
@@ -486,6 +486,7 @@ IPA.input_widget = function(spec) { name: 'undo', style: 'display: none;', 'class': 'undo', +title: text.get('@i18n:widget.undo_title'), label: text.get('@i18n:widget.undo') }).appendTo(container); @@ -1234,6 +1235,7 @@ IPA.multivalued_widget = function(spec) { name: 'undo_all', style: 'display: none;', 'class': 'undo', +title: text.get('@i18n:widget.undo_all_title'), label: text.get('@i18n:widget.undo_all'), click: function() { that.undo_clicked.notify([], that); diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json index 310eef1055a19dd40f8221c2967b09773595b80b..b25fa9357d264ef5d82d24205cb6be9ec094bed7 100644 --- a/install/ui/test/data/ipa_init.json +++ b/install/ui/test/data/ipa_init.json @@ -77,12 +77,14 @@ "issue": "Issue", "ok": "OK", "refresh": "Refresh", +"refresh_title": "Reload current settings from the server.", "remove": "Delete", "reset": "Reset", "reset_password_and_login": "Reset Password and Login", "restore": "Restore", "retry": "Retry", "revert": "Revert", +"revert_title": "Undo all unsaved changes.", "revoke": "Revoke", "save": "Save", "set": "Set", @@ -684,7 +686,9 @@ "page": "Page", "prev": "Prev", "undo": "Undo", +"undo_title": "Undo this change.", "undo_all": "Undo All", +"undo_all_title": "Undo all changes.", "validation": { "error": "Text does not match field pattern", "datetime": "Must be an UTC date/time value (e.g., \"2014-01-20 17:58:01Z\")", diff --git a/ipalib/plugins/internal.py b/ipalib/plugins/internal.py index a75772673ae198165e4666271eaa57147e58ab31..7156d4f47004dd702d3896ca736cc1f42227a321 100644 --- a/ipalib/plugins/internal.py +++ b/ipalib/plugins/internal.py 
@@ -220,12 +220,14 @@ class i18n_messages(Command): "issue": _("Issue"), "ok": _("OK"), "refresh": _("Refresh"), +"refresh_title": _("Reload current settings from the server."), "remove": _("Delete"), "reset": _("Reset"), "reset_password_and_login": _("Reset Password and Login"), "restore": _("Restore"), "retry": _("Retry"), "revert": _("Revert"), +"revert_title": ("Undo all unsav
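Review bot: In the `ipa_init.json` hunk at `@@ -684,7 +686,9 @@`, `"undo_all_title"` is set to "Undo all changes." while the commit message specifies "Undo all changes in this field." for the Undo All button. The shorter text reads the same as the Revert tool tip ("Undo all unsaved changes.") and loses the distinction between the two buttons. Please make the string match the commit message and the ticket.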
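Review bot: In the `ipalib/plugins/internal.py` hunk, the new `"revert_title"` entry opens with a bare `(` where the neighbouring `"refresh_title": _("Reload current settings from the server.")` uses the `_()` translation marker. Without `_` the string will not be picked up for translation and the tool tip will stay in English. Please write it as `_(...)` like the other entries in `i18n_messages`.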
Re: [Freeipa-devel] [PATCH 0408] CI DNSSEC: add missing glue record
On 23.01.2016 10:34, Petr Spacek wrote: On 22.1.2016 17:47, Martin Basti wrote: -# make BIND happy, and delegate zone which contains A record of master +# make BIND happy: add the glue record and delegate zone +args = [ +"ipa", "dnsrecord-add", root_zone, self.master.domain.name, +"--a-rec=" + self.master.ip +] +self.master.run_command(args) +time.sleep(10) # sleep a bit until data are provided by bind-dyndb-ldap + LGTM, ACK. In the worst case it will not fix the test :-) Pushed to: ipa-4-3: 47422b0f3913e352cd28cac24128afed178701e8 master: cdf08a0a869f83a6111d9560b69c582d2c04f89c
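Review bot: The fixed `time.sleep(10)` after the `dnsrecord-add` call makes the test depend on bind-dyndb-ldap serving the new glue record within ten seconds, so it can still fail intermittently on a slow host and always costs ten seconds on a fast one. Polling until the A record for `self.master.domain.name` resolves, with an upper time bound, would make the step deterministic.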
Re: [Freeipa-devel] [PATCH] 0751 spec: Split out python-ipap11helper and, python-default_encoding_utf8
On 22.01.2016 16:24, Petr Viktorin wrote: On 01/21/2016 01:14 PM, Jan Cholasta wrote: We got rid of both default_encoding_utf8 and _ipap11helper, so python-ipalib can be packaged as noarch. See the attached patch. The patch looks good to me, so ACK (though an ACK for me probably doesn't count). ACK Pushed to: master: 6896035af2c5ba7468fdab183a385c4a88a1ab77 ipa-4-3: 385693a30862bf370e32e1d66e5efa2f5a641ebb
Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin
- Original Message -
> On 01/15/2016 03:41 PM, Filip Skola wrote:
> > Hi,
> >
> > sending rebased patch on top of 58c42ddac0964a8cce7c1e1faa7516da53f028ad.
> >
> > Includes a "fix" for the rename-to-invalid-username issue for the new
> > version.
> >
> > F.
> >
> > - Original Message -
> >> Hi,
> >>
> >> I don't know what is causing the \r\n issue. I use vim and then send each
> >> email with claws-mail. Didn't spot this issue when trying emailing the
> >> patch to my other address. I'm trying to send it from zimbra now, let me know if
> >> that helped pls.
> >>
> >> Fix for the stageuser plugin issues caused by this patch should have been
> >> included in the last update; I think the remaining issue is not caused by
> >> UserTracker changes. Please correct me, if I'm wrong.
> >>
> >>> There is some issue with "test_rename_to_too_long_login" test. It fails
> >>> but actually this is false positive because it is possible to create login
> >>> up to 255 characters. I don't know why test mentions 32 characters without any
> >>> other modified setup.
> >>> NACK for now.
> >>> - alich -
> >> This has been changed. This test still fails, though.
> >>
> >> Filip
> >>
> >>>
> >>> - Original Message -
> From: "Aleš Mareček"
> To: "Filip Škola"
> Cc: freeipa-devel@redhat.com, "Milan Kubík"
> Sent: Thursday, December 10, 2015 4:11:47 PM
> Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin
>
> Ah, sorry, haven't realized there had been devel list attached.
> Ok, there is some problem with \r\n in the patch.
> Filip, please take a look at it...
> Thanks...
> - alich -
>
> - Original Message -
> > From: "Filip Škola"
> > To: "Aleš Mareček"
> > Cc: freeipa-devel@redhat.com, "Milan Kubík"
> > Sent: Thursday, December 10, 2015 11:29:52 AM
> > Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin
> >
> > Hi,
> >
> > this is fixed. Also issues with test_stageuser_plugin caused by
> > UserTracker changes should be fixed here.
> >
> > Filip
> >
> >
> > On Mon, 7 Dec 2015 09:29:31 -0500 (EST)
> > Aleš Mareček wrote:
> >
> >> NACK.
> >>
> >> $ ./make-lint
> >> * Module ipatests.test_xmlrpc.test_user_plugin
> >> ipatests/test_xmlrpc/test_user_plugin.py:42:
> >> [E0611(no-name-in-module), ] No name 'ldaptracker' in module
> >> 'ipatests.test_xmlrpc')
> >>
> >> $ grep ldaptracker ipatests/test_xmlrpc/test_user_plugin.py
> >> from ipatests.test_xmlrpc.ldaptracker import Tracker
> >> $ ls ipatests/test_xmlrpc/ldaptracker*
> >> ls: cannot access ipatests/test_xmlrpc/ldaptracker*: No such file or
> >> directory
> >>
> >>
> >> - Original Message -
> >>> From: "Filip Škola"
> >>> To: "Milan Kubík"
> >>> Cc: freeipa-devel@redhat.com
> >>> Sent: Thursday, December 3, 2015 5:38:43 PM
> >>> Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin
> >>>
> >>> Hi,
> >>>
> >>> sending corrected version.
> >>>
> >>> F.
> >>>
> >>> On Thu, 12 Nov 2015 14:03:19 +0100
> >>> Milan Kubík wrote:
> >>>
> On 11/10/2015 12:13 PM, Filip Škola wrote:
> > Hi,
> >
> > fixed.
> >
> > F.
> >
> > On Tue, 10 Nov 2015 10:52:45 +0100
> > Milan Kubík wrote:
> >
> >> On 11/09/2015 04:35 PM, Filip Škola wrote:
> >>> Another patch was applied in the meantime.
> >>>
> >>> Attaching an updated version.
> >>>
> >>> F.
> >>>
> >>> On Mon, 9 Nov 2015 13:35:02 +0100
> >>> Milan Kubík wrote:
> >>>
> On 11/06/2015 11:32 AM, Filip Škola wrote:
> Hi,
> the patch doesn't apply.
>
> >> Please fix this.
> >>
> >> ipatests/test_xmlrpc/test_user_plugin.py:1419:
> >> [E0602(undefined-variable),
> >> TestDeniedBindWithExpiredPrincipal.teardown_class] Undefined
> >> variable 'user1')
> >>
> >> Also, use the version numbers for your changed patches.
> >>
> >
> Thanks for the patch. Several issues:
>
> 1. Use dict.items instead of dict.iteritems, for python3
> compatibility
>
> 2. What is the purpose of TestPrepare class? The 'purge' methods
> do not call any ipa commands.
> Tracker.make_fixture should be used to make the Tracked resources
> clean themselves up when they're out of scope.
>
> 3. Why reference the resources by hardcoded name if they have a
> fixture representation?
>
> 4. Rewrite {create,delete}_test_group to a fixture. You may want
> to use different scope (or not).
>
Re: [Freeipa-devel] [PATCH 0002] Refactor test_group_plugin
- Original Message -
> On 01/15/2016 03:38 PM, Filip Skola wrote:
> > Hi,
> >
> > sending rebased patch.
> >
> > F.
> >
> > - Original Message -
> >> Hello,
> >>
> >> sorry for delays. The patch no longer applies to master. Rebase it,
> >> please.
> >>
> >> Milan
> >>
> >> - Original Message -
> >> From: "Filip Škola"
> >> To: "Milan Kubík"
> >> Cc: freeipa-devel@redhat.com
> >> Sent: Wednesday, 9 December, 2015 7:01:02 PM
> >> Subject: Re: [Freeipa-devel] [PATCH 0002] Refactor test_group_plugin
> >>
> >> On Mon, 7 Dec 2015 17:49:18 +0100
> >> Milan Kubík wrote:
> >>
> >>> On 12/03/2015 08:15 PM, Filip Škola wrote:
> On Mon, 30 Nov 2015 17:18:30 +0100
> Milan Kubík wrote:
>
> > On 11/23/2015 04:42 PM, Filip Škola wrote:
> >> Sending updated patch.
> >>
> >> F.
> >>
> >> On Mon, 23 Nov 2015 14:59:34 +0100
> >> Filip Škola wrote:
> >>
> >>> Found couple of issues (broke some dependencies).
> >>>
> >>> NACK
> >>>
> >>> F.
> >>>
> >>> On Fri, 20 Nov 2015 13:56:36 +0100
> >>> Filip Škola wrote:
> >>>
> Another one.
>
> F.
> > Hi, the tests look good. Few remarks, though.
> >
> > 1. Please, use the shortest copyright notice in new modules.
> >
> > #
> > # Copyright (C) 2015 FreeIPA Contributors see COPYING for license
> > #
> >
> > 2. The tests `test_group_remove_group_from_protected_group` and
> > `test_group_full_set_of_objectclass_not_available_post_detach`
> > were not ported. Please, include them in the patch.
> >
> > Also, for less hassle, please rebase your patches on top of
> > freeipa-mkubik-0025-3-Separated-Tracker-implementations-into-standalone-pa.patch
> > Which changes the location of tracker implementations and prevents
> > circular imports.
> >
> > Thanks.
> >
>
> Hi,
>
> these cases are there, in corresponding classes. They are marked
> with the original comments. (However I can move them to separate
> class if desirable.)
>
> The copyright notice is changed. Also included a few changes in the
> test with user without private group.
>
> Filip
> >>> NACK
> >>>
> >>> linter:
> >>> * Module tracker.group_plugin
> >>> ipatests/test_xmlrpc/tracker/group_plugin.py:257:
> >>> [E0102(function-redefined), GroupTracker.check_remove_member] method
> >>> already defined line 253)
> >>>
> >>> Probably a leftover after the rebase made on top of my patch. Please
> >>> fix it. You can check your changes by make-lint script before
> >>> sending them.
> >>>
> >>> Thanks
> >>>
> >>
> >> Hi,
> >>
> >> I learned to use make-lint!
> >>
> >> Thanks,
> >> F.
> >>
> Hello,
>
> NACK, pylint doesn't seem to like the way the fixtures are imported
> (pytest does a lot of runtime magic) [1].
> One possible solution would be [2]. Though, I don't think this would be
> a good idea in our environment. I suggest to create the fixtures on per
> module basis.
>
>
> [1]: http://fpaste.org/311949/53118942/
> [2]:
> https://pytest.org/latest/fixture.html#using-fixtures-from-classes-modules-or-projects
>
> --
> Milan Kubik
>
>

Hi, the fixtures were copied into corresponding module. Please note that this patch has a dependence on my patch 0001 (user plugin).

Filip

From d0f1815a2df4a98354cdd73360fe8e861368c0f3 Mon Sep 17 00:00:00 2001 From: Filip Skola Date: Mon, 9 Nov 2015 16:48:55 +0100 Subject: [PATCH] Refactor test_group_plugin, use GroupTracker for tests --- ipatests/test_xmlrpc/test_group_plugin.py | 1758 + ipatests/test_xmlrpc/test_stageuser_plugin.py |4 +- ipatests/test_xmlrpc/tracker/group_plugin.py | 146 +- 3 files changed, 755 insertions(+), 1153 deletions(-) diff --git a/ipatests/test_xmlrpc/test_group_plugin.py b/ipatests/test_xmlrpc/test_group_plugin.py index 6eb57c12f18d125de04beefa056f53b4caff1d64..41d28f1cfdbc3d47ea9c47292394637770222ac2 100644 --- a/ipatests/test_xmlrpc/test_group_plugin.py +++ b/ipatests/test_xmlrpc/test_group_plugin.py @@ -1,6 +1,7 @@ # Authors: # Rob Crittenden # Pavel Zuna +# Filip Skola # # Copyright (C) 2008 Red Hat # see file 'COPYING' for use and warranty information 
@@ -23,1141 +24,666 @@ Test the `ipalib/plugins/group.py` module. import pytest -from ipalib import api, errors +from ipalib import errors from ipatests.test_xmlrpc import objectclasses from ipatests.test_xmlrpc.xmlrpc_test import ( -Declarative, -fuzzy_digits, -fuzzy_uuid, -fuzzy_set_ci, -add_sid, -add_oc) -from ipapython.dn import DN -from ipatests.test_xmlrpc.test_user_plugin import get_user_result +fuzzy_digits, fuzzy_uuid, fuzzy_set_ci, add_oc, +XMLRPC_test, raises_exact +) +from ipatests.test_xmlrpc.tracker.group_plugin import GroupTracker +from ipatests.test_xmlrpc.tracker.user_plugin import UserTracker +from ipatests.util impor
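Review bot: In the import hunk of ipatests/test_xmlrpc/test_group_plugin.py (@@ -23,1141 +24,666 @@), the names `api`, `Declarative`, `add_sid`, `DN` and `get_user_result` are dropped from the imports while the module body shrinks from 1141 to 666 lines, so please confirm with make-lint that no remaining test still references any of them; an undefined name of this kind only shows up at lint or run time. The same hunk adds an import of `UserTracker` from `ipatests.test_xmlrpc.tracker.user_plugin`, and the cover message says the patch depends on patch 0001 (user plugin), so the commit message should state that dependency as well.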
Re: [Freeipa-devel] Fwd: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists
Hi Martin,

this is what the guy on freeipa-users said he did:

>>>
I can now confirm that this is a 100% reproducible bug, and a pretty severe one at that. You should be able to reproduce this issue at will if you follow these steps. It may actually be possible with less servers and less steps, but here is what I did in a test lab today:

1. Create a brand new FreeIPA domain in CentOS 7.2 / FreeIPA 4.2.0 with 3 servers, dc1, dc2, dc3, replicating any way you want.
3. Use ipa-replica-manage del dc2.ipatestdomain.net, and then delete the server / vm / whatever you have it running on
3. Install Fedora 23 on the same IP address and hostname (dc2.ipatestdomain.net). Install FreeIPA server 4.2.3 from replica file created on CA master (dc1).

Check aci on dc2. You will notice it's now missing a bunch of stuff.

So basically, all it takes to lose that ACL is to create a Fedora FreeIPA server and join it to a CentOS domain. After I had upgraded all 3 to Fedora, that ACLS was lost permanently as it no longer existed on any server because there were no CentOS servers left.
<<<

If you have more questions on the test case, could you ask directly on the user list, thanks

On 01/25/2016 10:09 AM, Martin Basti wrote:
> On 25.01.2016 09:30, Ludwig Krispenz wrote:
> > Hi,
> >
> > this is from a discussion on the user-list, there is a difference in acis on 4.2.0 and 4.2.3
> >
> > this is the aci which is present in 4.2.0 and is missing in 4.2.3:
> >
> > aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5replicahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5replicalastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> >
> > does anybody know if and why this was changed ?
>
> This ACI is created by ipaserver/install/plugins/update_managed_permissions.py
> It hasn't been touched for a while, did upgrade/install work well?
> Maybe re-run ipa-server-upgrade should recreate this entry.
>
> > On 01/24/2016 03:22 AM, Nathan Peters wrote:
> >> # config
> >> dn: cn=config
> >> aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
> >> aci: (target ="ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership Task";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> >> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || objectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> >> aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers Configuration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> >> aci: (targetattr = "cn || createtimestamp ||
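A check for the missing ACI discussed in this thread, as an added example that is not part of the original messages or of FreeIPA: it unfolds two LDIF dumps of `cn=config` and lists the ACIs the reference server has that the other server lacks or carries in a different form. The sample dumps are constructed and shortened, and the function names are hypothetical.

```python
import base64
import re

# Name inside (version 3.0; acl "NAME"; ...). The dumps quoted in this thread
# use both "acl" and "aci" as the keyword in that position.
ACI_NAME = re.compile(r'\(\s*version\s+3\.0\s*;\s*ac[il]\s+"([^"]*)"', re.I)

# Constructed sample input: shortened ACIs modelled on the dumps in the thread,
# folded at different columns the way two separate ldapsearch runs might be.
REFERENCE_LDIF = """\
# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r
 ead, search, compare) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
aci: (targetattr = "cn || nsds50ruv || nsds5replicaid")(targetfilter = "(objec
 tclass=nsds5replicationagreement)")(version 3.0;acl "permission:System: R
 ead Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn
 =System: Read Replication Agreements,cn=permissions,cn=pbac,dc=example,dc=tes
 t";)
"""
CANDIDATE_LDIF = """\
# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read acc
 ess"; allow (read, search, compare) userdn ="ldap:///uid=pkidbuser,ou=peopl
 e,o=ipaca";;)
"""


def unfold(ldif):
    """Undo LDIF folding: a newline followed by one space continues a value."""
    return re.sub(r"\r?\n ", "", ldif)


def named_acis(ldif):
    """Return {aci name: whitespace-normalised aci value} for one LDIF entry."""
    acis = {}
    for line in unfold(ldif).splitlines():
        attr, sep, value = line.partition(":")
        if not sep or attr.strip().lower() != "aci":
            continue
        if value.startswith(":"):  # "aci:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        value = " ".join(value.split())
        match = ACI_NAME.search(value)
        name = match.group(1) if match else value  # unnamed: key by full text
        acis[name] = value
    return acis


def compare_acis(reference_ldif, candidate_ldif):
    """List ACIs missing from, or different in, the candidate server's entry."""
    ref, cand = named_acis(reference_ldif), named_acis(candidate_ldif)
    missing = sorted(set(ref) - set(cand))
    changed = sorted(n for n in set(ref) & set(cand) if ref[n] != cand[n])
    return missing, changed


if __name__ == "__main__":
    missing, changed = compare_acis(REFERENCE_LDIF, CANDIDATE_LDIF)
    print("missing on candidate:", missing)
    print("present but different:", changed)
```

Comparing the unfolded values rather than the raw lines keeps differences in fold position from being reported as changed ACIs.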