Re: [Freeipa-devel] [PATCH] Add a new user-add flag param to disable the creation of UPG.
On 04/04/2011 03:47 PM, Simo Sorce wrote:
> On Mon, 28 Mar 2011 15:27:46 -0700 Nathan Kinder wrote:
>> On 03/28/2011 03:20 PM, Dmitri Pal wrote:
>>> On 03/28/2011 04:38 PM, Pavel Zůna wrote:
>>>> This patch handles the issue in a kind of stupid way, but I couldn't think of anything better. It adds a new flag parameter to user-add (--noprivate). With this flag, the command marks the private group about to be created for deletion and is deleted after the user is created. The only exception is when there is a group, that is named the same way as the user, but isn't a private group - then the group is left there.
>>>>
>>>> Private groups are created automatically by the managed entry DS plugin and I didn't find a way to disable its creation for a specific user.
>>>
>>> The idea that comes to mind is to define some magical attribute that the DS plugin would recognize and skip the creation of the managed entry as well as strip the entry of this magic attribute/value. I remember that other plugins might take advantage of the similar approach. Is something like this possible?
>>
>> You are probably thinking of the DNA plug-in and its use of a magic value used to tell the plug-in to allocate a value from a range. I would not like to use this approach here, as it requires additional coding and complexity that I don't think is needed.
>>
>> I would prefer that we use the originFilter to deal with this. We could have an auxiliary objectclass that IPA usually adds when creating an IPA user. The originFilter can key off of this objectclass to create managed groups. When a user is added with the --noprivate option, this objectclass is not included in the user entry that is added. Rob and I discussed this approach on IRC earlier today.
>
> Ack, this sounds like a better approach, although it doesn't necessarily need to be an objectclass it can also be an attribute with a specific value that is checked in the filter as (!(attrib=value))
>
> Simo.

New patch with new approach attached.
It sets the checked filter to: (&(objectclass=posixAccount)(!(description=__no_upg__))) If a user entry is created with the description attribute equal to the string "__no_upg__", the DS plugin will not trigger and no UPG is going to be created. After this patch, the user-add plugin adds this description attribute (NO_UPG_MAGIC = "__no_upg__") in the pre_callback and deletes it in the post_callback if necessary. I think the description attribute is the best choice, because it's part of the posixAccount objectClass and we don't use it for anything on user entries. Pavel >From 57f3b82bc4b3180a8b0a27733cc0632b813a7736 Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Mon, 28 Mar 2011 15:10:57 -0400 Subject: [PATCH] Add a new user-add flag param to disable the creation of UPG. Ticket #1131 --- install/share/user_private_groups.ldif |2 +- ipalib/plugins/user.py | 53 --- 2 files changed, 42 insertions(+), 13 deletions(-) diff --git a/install/share/user_private_groups.ldif b/install/share/user_private_groups.ldif index 9df729a..41a78ba 100644 --- a/install/share/user_private_groups.ldif +++ b/install/share/user_private_groups.ldif @@ -15,7 +15,7 @@ changetype: add objectclass: extensibleObject cn: UPG Definition originScope: cn=users,cn=accounts,$SUFFIX -originFilter: objectclass=posixAccount +originFilter: (&(objectclass=posixAccount)(!(description=__no_upg__))) managedBase: cn=groups,cn=accounts,$SUFFIX managedTemplate: cn=UPG Template,cn=etc,$SUFFIX diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 9015144..9a658a9 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -63,6 +63,9 @@ from ipalib import _, ngettext from ipalib.request import context from time import gmtime, strftime + +NO_UPG_MAGIC = '__no_upg__' + def validate_nsaccountlock(entry_attrs): if 'nsaccountlock' in entry_attrs: if not isinstance(entry_attrs['nsaccountlock'], basestring): 
@@ -70,6 +73,7 @@ def validate_nsaccountlock(entry_attrs): if entry_attrs['nsaccountlock'].lower() not in ('true','false'): raise errors.ValidationError(name='nsaccountlock', error='must be TRUE or FALSE') + class user(LDAPObject): """ User object. @@ -250,22 +254,35 @@ class user_add(LDAPCreate): """ Add a new user. """ - msg_summary = _('Added user "%(value)s"') +takes_options = LDAPCreate.takes_args + ( +Flag('noprivate', +cli_name='noprivate', +doc=_('don\'t create user private group'), +), +) + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): -try: -# The Managed Entries plugin will allow a user
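Review bot: In the install/share/user_private_groups.ldif hunk, the new originFilter hard-codes the literal __no_upg__ that ipalib/plugins/user.py defines separately as NO_UPG_MAGIC, so the two copies can drift apart without any error; a comment at each site naming the other would make the coupling visible. The filter keys on description, so any client that can add a posixAccount under cn=users with description set to that value suppresses the UPG, not only user-add --noprivate; the commit message should say whether that is intended. The diffstat also shows only the install-time LDIF being changed, so it is worth confirming how existing installs, which still carry originFilter: objectclass=posixAccount, pick up the new filter.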
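Review bot: In the user_add hunk of ipalib/plugins/user.py, takes_options is built from LDAPCreate.takes_args rather than LDAPCreate.takes_options, which looks like a typo: the positional arguments of the base class become options and its own options are dropped. Suggest takes_options = LDAPCreate.takes_options + ( ... ). The Flag's cli_name='noprivate' repeats the parameter name and can be omitted, and the doc string could mention that the flag works by setting and later removing a description value on the new entry.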
Re: [Freeipa-devel] [PATCH] Validate/Normalize user attributes if set using krbtpolicy set/add-attr.
On 04/06/2011 05:08 PM, Pavel Zuna wrote: Ticket #744 Pavel New fixed version of patch attached. Pavel >From c61c329c1fd4f806a64f4fa6b660b0baeea38377 Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Wed, 6 Apr 2011 09:08:03 -0400 Subject: [PATCH] Validate/Normalize user attributes if set using krbtpolicy set/add-attr. Ticket #744 --- ipalib/plugins/krbtpolicy.py | 20 ipalib/plugins/user.py |1 + 2 files changed, 21 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/krbtpolicy.py b/ipalib/plugins/krbtpolicy.py index c9d86ea..8cefc90 100644 --- a/ipalib/plugins/krbtpolicy.py +++ b/ipalib/plugins/krbtpolicy.py @@ -83,6 +83,10 @@ class krbtpolicy(LDAPObject): label=_('User name'), doc=_('Manage ticket policy for specific user'), primary_key=True, +pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', +pattern_errmsg='may only include letters, numbers, _, -, . and $', +maxlength=255, +normalizer=lambda value: value.lower(), ), Int('krbmaxticketlife?', cli_name='maxlife', @@ -96,6 +100,14 @@ class krbtpolicy(LDAPObject): doc=_('Maximum renewable age (seconds)'), minvalue=1, ), +Int('uidnumber?', +minvalue=1, +flags=['no_create', 'no_update', 'no_search'], +), +Int('gidnumber?', +minvalue=1, +flags=['no_create', 'no_update', 'no_search'], +), ) def get_dn(self, *keys, **kwargs): @@ -115,6 +127,14 @@ class krbtpolicy_mod(LDAPUpdate): # ticket policies are attached to objects with unrelated attributes if options.get('all'): options['all'] = False +if keys[-1] is not None: +# we're modifying an user entry and it's possible to change its +# attribute unrelated to ticket policy using --{set,add}-attr +# we need to validate/normalize them here: +if 'mail' in entry_attrs: +entry_attrs['mail'] = self.api.Object['user']._normalize_email( +entry_attrs['mail'] +) return dn api.register(krbtpolicy_mod) diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index e71c21b..d18ba18 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py 
@@ -176,6 +176,7 @@ class user(LDAPObject): label=_('GID'), doc=_('Group ID Number'), default_from=lambda uid: uid, +minvalue=1, ), Str('street?', cli_name='street', -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
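Review bot: In the krbtpolicy_mod hunk, the added comment says any user attribute can be changed through --{set,add}-attr, but the code only normalizes mail; every other user attribute set this way still bypasses the user plugin's validators and normalizers. Either run the entry through the user object's parameters generically or reject attributes that are not part of the ticket policy. The block also calls the private _normalize_email of the user object from another plugin and indexes keys[-1] without checking that keys is non-empty.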
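Review bot: In the krbtpolicy parameter hunks, the new Int('uidnumber?') and Int('gidnumber?') entries carry no label, doc or comment explaining why a ticket-policy object declares them; a one-line comment that they exist only so setattr/addattr values get minvalue=1 validation would help the next reader. On the user name parameter, the pattern admits at most 254 characters (1 + 252 + 1), so maxlength=255 is never the effective limit, and the pattern accepts upper-case input that the normalizer then lowercases; if the pattern is copied from the user plugin, sharing one constant would keep the two from diverging.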
[Freeipa-devel] [PATCH] Validate/Normalize user attributes if set using krbtpolicy set/add-attr.
Ticket #744

Pavel

freeipa-pzuna-89-validatekrbt.patch
Description: application/mbox
[Freeipa-devel] [PATCH] Fix gidnumber option of user-add command.
With this patch, the gidNumber is set automatically only if it wasn't specified explicitly by the user.

Ticket #1127

Pavel

freeipa-pzuna-87-fixgidnumber.patch
Description: application/mbox
Re: [Freeipa-devel] [PATCH] 752 fix SELinux AVCs
On 03/14/2011 09:33 PM, Rob Crittenden wrote:
> Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance.
>
> This fixes 2 AVCS:
>
> * One because we are enabling port 7390 because an SSL port must be defined to use TLS On 7389.
> * We were symlinking to the main IPA 389-ds NSS certificate database. Instead generate a separate NSS database and certificate and have certmonger track it separately
>
> I also noticed some variable inconsistency in cainstance.py. Everywhere else we use self.fqdn and that was using self.host_name. I found it confusing so I fixed it.
>
> ticket 1085

ACK!!

Pavel
Re: [Freeipa-devel] [PATCH] 039 Wait for Directory Server ports to open
On 03/14/2011 06:03 PM, Martin Kosek wrote:
> I know this is a 2.1 ticket, but the patch is probably also a solution of #1047 - a 2.0.5 bucket critical bug.
>
> When Directory Server operation is run right after the server restart the listening ports may not be opened yet. This makes the installation fail.
>
> This patch fixes this issue by waiting for both secure and insecure Directory Server ports to open after every restart.
>
> https://fedorahosted.org/freeipa/ticket/1076

ACK. Seems to also fix #1047, as I couldn't reproduce after this patch was applied.

Pavel
Re: [Freeipa-devel] [PATCH] Fix error in user plugin email normalizer for empty --setattr=mail=.
On 03/03/2011 04:23 PM, Pavel Zuna wrote:
> An exception was raised when you tried to reset user email addresses and setting new ones using:
>
> ipa user-add SOMEUSER --setattr=mail= --addattr=mail=someu...@redhat.com
>
> Pavel

Just a correction: The example above should read 'ipa user-mod ...' ofc.

Pavel
[Freeipa-devel] [PATCH] Fix error in user plugin email normalizer for empty --setattr=mail=.
An exception was raised when you tried to reset user email addresses and setting new ones using:

ipa user-add SOMEUSER --setattr=mail= --addattr=mail=someu...@redhat.com

Pavel

freeipa-pzuna-85-fixemailnorm.patch
Description: application/mbox
Re: [Freeipa-devel] [PATCH] 065 Replace only if old and new have nothing in common
On 03/02/2011 08:50 PM, Jakub Hrozek wrote:
> On Wed, Feb 23, 2011 at 12:36:06PM -0500, Rob Crittenden wrote:
>> Jakub Hrozek wrote:
>>> On 02/23/2011 04:47 PM, Rob Crittenden wrote:
>>>> Jakub Hrozek wrote:
>>>>> Replace only if old and new have nothing in common
>>>>
>>>> This has problems when removing the last member. There is no adds, rems has a single value (the member being removed). The intersection is 0 so force_replace gets set to True and nothing ends up getting done.
>>>>
>>>> I added a len(v) > 0 to this conditional and it seems to work.
>>>>
>>>> I also added a small test case based on Endi's initial report. I'm getting a 100% test pass rate.
>>>>
>>>> rob
>>>
>>> I hit one more problem with the patch, although I'm not entirely sure how is that possible - when a user is renamed, his memberof becomes indirect memberof:
>>>
>>> # ipa user-mod --rename test2 test
>>> -
>>> Modified user "test"
>>> -
>>> User login: test2
>>> First name: Test
>>> Last name: User
>>> Home directory: /home/test
>>> Login shell: /bin/sh
>>> Account disabled: False
>>> Indirect Member of group: ipausers
>>
>> I think this is another timing issue with 389-ds postop plugins, this time the referential integrity plugin. I don't think this is related to this change.
>>
>> We start with:
>>
>> dn: uid=test, ...
>> uid: test
>> memberOf: ipausers
>>
>> dn: cn=ipausers, ...
>> cn: ipausers
>> member: uid=test,...
>>
>> When we do the rename we immediately end up with:
>>
>> dn: uid=test2, ..
>> uid: test2
>> memberOf: ipausers
>>
>> dn: cn=ipausers, ...
>> cn: ipausers
>> member: uid=test, ...
>>
>> We determine indirect membership by comparing the user's memberOf with the results of a query for member=uid=test2
>>
>> If the refint plugin hasn't updated the ipausers group by the time we do the query the user will appear to be an indirect member.
>>
>> rob
>
> OK, you're probably right, I can't reproduce the issue anymore. This patch has an ACK from me.
>
> Since this is a very low-level change at a late stage, I have asked Martin to take a second look.
>
> Jakub

Tested a few corner cases and it seems to be cool. ACK from me too.

Pavel
Re: [Freeipa-devel] Localization patches.
On 02/23/2011 07:09 PM, Pavel Zůna wrote:
> On 2011-02-22 20:16, Rob Crittenden wrote:
>> Pavel Zůna wrote:
>>> On 2011-02-17 22:52, Rob Crittenden wrote:
>>>> Pavel Zůna wrote:
>>>>> On 2011-02-17 05:09, Rob Crittenden wrote:
>>>>>> Pavel Zůna wrote:
>>>>>>> My efforts in fixing localization all around the framework and preparing it for localizing docstrings have resulted in a lot of patches. Because I understand they have become a bit hard to track, I decided to post them all together in this thread to make review easier.
>>>>>>>
>>>>>>> After this is committed, there will be one more patch that switches xgettext for pygettext. Then hopefully, we'll be pretty much set when it comes to i18n.
>>>>>>>
>>>>>>> Pavel
>>>>>>
>>>>>> Patch 81 isn't applying for me.
>>>>>>
>>>>>> Help is not working for me either, this is due to patch 80.
>>>>>>
>>>>>> $ ipa help user
>>>>>> ipa: ERROR: NameError: global name '_' is not defined
>>>>>> Traceback (most recent call last):
>>>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1087, in run
>>>>>>     api.finalize()
>>>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 619, in finalize
>>>>>>     plugin_iter(base, (magic[k] for k in magic))
>>>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/base.py", line 397, in __init__
>>>>>>     sorted(members, key=lambda m: getattr(m, name_attr))
>>>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 608, in plugin_iter
>>>>>>     plugins[klass] = PluginInstance(klass)
>>>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 585, in __init__
>>>>>>     self.instance = klass()
>>>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 184, in __init__
>>>>>>     self.doc = _(inspect.getdoc(cls))
>>>>>> NameError: global name '_' is not defined
>>>>>> ipa: ERROR: an internal error has occurred
>>>>>>
>>>>>> Patches 69, 71 and 73 are still working fine.
>>>>>>
>>>>>> What is switching from xgettext to pygettext going to do?
>>>>>
>>>>> This was answered by John Dennis: xgettext doesn't parse python docstrings.
>>>>>
>>>>>> rob
>>>>>
>>>>> Rebased version of 81 attached. It should also fix the traceback you're getting.
>>>>>
>>>>> Pavel
>>>>
>>>> Something is still not working. I'm having a hard time reproducing how I got this but with LANG=es_US.UTF-8 for a while I was getting this with every ipa user-* request:
>>>>
>>>> ipa: ERROR: UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in position 20: ordinal not in range(128)
>>>> Traceback (most recent call last):
>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1090, in run
>>>>     sys.exit(api.Backend.cli.run(argv))
>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 917, in run
>>>>     rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, **options)
>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/frontend.py", line 953, in output_for_cli
>>>>     textui.print_entries(result, order, labels, flags, print_all)
>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 346, in print_entries
>>>>     self.print_entry(entry, order, labels, flags, print_all, format, indent)
>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 378, in print_entry
>>>>     label, value, format, indent, one_value_per_line
>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 309, in print_attribute
>>>>     self.print_indented(format % (attr, text[0]), indent)
>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 232, in print_indented
>>>>     print (CLI_TAB * indent + text)
>>>> UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in position 20: ordinal not in range(128)
>>>> ipa: ERROR: ha ocurrido un error interno
>>>>
>>>> I think it is blowing up on this user:
>>>>
>>>> User login: jose
>>>> First name: Jose
>>>> Last name: contraseñas
>>>> Home directory: /home/jose
>>>> Login shell: /bin/sh
>>>> Account disabled: TRUE
>>>> Member of groups: ipausers
>>>>
>>>> Then all of a sudden things started working fine, so I'm not sure what's going on. Is this traceback meaningful to you?
>>>>
>>>> rob
>>>
>>> This looks like a bug in the textui backend. You get this error when you do something like this:
>>>
>>> >>> a = u'\xf1'
>>> >>> a.decode('utf-8')
>>> Traceback (most recent call last):
>>>   File "<stdin>", line 1, in <module>
>>>   File "/usr/lib/python2.6/encodings/utf_8.py", line 16, in decode
>>>     return codecs.utf_8_decode(input, errors, True)
>>> UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in position 0: ordinal not in range(128)
>>>
>>> It means we're not handling encoding/decoding from/to the CLI right somewhere. The character \xf1 corresponds to the small N with tilde in Jose's last name.
>>>
>>> I'm going to look into it, but I don't think it's related to the localization patches.
>>>
>>> Pavel
>>
>> I'm seeing 2 test failures:
>>
>> ==
>> FAIL: Test the `ipalib.plugable.Plugin.__init__` method.
>> --
>> Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/nose/case.py", line 186, in runTest
>>     self.test(*self.arg)
>>   File "/home/rcrit/redhat/freeipa-tests/tests/test_ipalib/test_plugable.py", line 237, in test_init
>>     assert o.summary == 'Do sub-classy things.'
>> AssertionError
>>
>> ==
>> FAIL: Test gettext translation
>> ---
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
On 02/23/2011 11:53 PM, Simo Sorce wrote:
> On Wed, 23 Feb 2011 23:41:33 +0100 Pavel Zůna wrote:
>> On 2011-02-15 16:36, JR Aquino wrote:
>>> On 2/15/11 6:52 AM, "Simo Sorce" wrote:
>>>> On Tue, 15 Feb 2011 15:19:50 +0100 Pavel Zuna wrote:
>>>>> I can't reproduce this. :-/
>>>>>
>>>>> For me it goes fine:
>>>>>
>>>>> [root@ipadev tools]# ./ipa-nis-manage enable
>>>>> Directory Manager password:
>>>>>
>>>>> Enabling plugin
>>>>> This setting will not take effect until you restart Directory Server.
>>>>> The rpcbind service may need to be started.
>>>>
>>>> Pavel, Jr has set the minimum ssf to a non default value to test a configuration in which all communications are required to be encrypted. That's why you can't reproduce with the vanilla configuration.
>>>>
>>>> We want to support that mode although it won't be the default, so we need to fix any issue that causes that configuration to break (ie all non-encrypted/non-ldapi connections).
>>>>
>>>> Simo.
>>>>
>>>> --
>>>> Simo Sorce * Red Hat, Inc * New York
>>>
>>> The best way to do this is:
>>>
>>> -=-
>>> service ipa stop
>>> Edit /etc/dirsrv/slapd-DOMAIN/dse.ldif
>>> Change:
>>> nsslapd-minssf: 0
>>> To:
>>> nsslapd-minssf: 56 <- 56 is chosen because SASL communicates a 56bit handshake even though we utilize a much stronger cipher... (It is a known bug/feature)
>>> service ipa start
>>
>> I tried to use the LDAPUpdate class (ipaserver/install/ldapupdate.py) with ldapi=True, but it raises a NotFound exception when trying to call IPAdmin.do_external_bind() (ipaserver/ipaldap.py). This exception originates in IPAdmin.__lateinit() when trying to retrieve this
>>
>> cn=config,cn=ldbm database,cn=plugins,cn=config
>>
>> For some reason it looks like this entry is inaccessible when doing a SASL EXTERNAL bind as root.
>>
>> I can retrieve the entry as "cn=directory manager":
>>
>> [root@vm-090 freeipa]# ldapsearch -D "cn=directory manager" -W -H ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b "cn=config,cn=ldbm database,cn=plugins,cn=config" -s one
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base with scope oneLevel
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # default indexes, config, ldbm database, plugins, config
>> dn: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
>> objectClass: top
>> objectClass: extensibleObject
>> cn: default indexes
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> but not as root:
>>
>> [root@vm-090 freeipa]# ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b "cn=config"
>> SASL/EXTERNAL authentication started
>> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>> SASL SSF: 0
>> # extended LDIF
>> #
>> # LDAPv3
>> # base with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # SNMP, config
>> dn: cn=SNMP,cn=config
>> objectClass: top
>> objectClass: nsSNMP
>> cn: SNMP
>> nsSNMPEnabled: on
>>
>> # 2.16.840.1.113730.3.4.9, features, config
>> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
>> objectClass: top
>> objectClass: directoryServerFeature
>> oid: 2.16.840.1.113730.3.4.9
>> cn: VLV Request Control
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 3
>> # numEntries: 2
>>
>> I'm not sure what the problem is, I tried setting different SASL security properties, but nothing helped. :( Next step is to analyze DS logs, but before I do that, I wanted to ask if anyone has any tips on what the solution might be.
>
> We have very strict ACIs when using EXTERNAL SASL as root.
>
> Is there any reason you need to operate as root ? you can also authenticate with SIMPLE (Dir MGr credentials), or SASL/GSSAPI if you have credentials.
>
> If you need to run unattended as root then we may need to make root+SASL/EXTERNAL more powerful but I'd like to understand exactly why you need that and can't use regular authentication with DirMgr or GSSAPI credentials.
>
> Simo.

Thanks for advice! New version of the patch attached.

Pavel

freeipa-pzuna-78-4-toolsldapi.patch
Description: application/mbox
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
On 02/23/2011 11:53 PM, Simo Sorce wrote:
> On Wed, 23 Feb 2011 23:41:33 +0100 Pavel Zůna wrote:
>> On 2011-02-15 16:36, JR Aquino wrote:
>>> On 2/15/11 6:52 AM, "Simo Sorce" wrote:
>>>> On Tue, 15 Feb 2011 15:19:50 +0100 Pavel Zuna wrote:
>>>>> I can't reproduce this. :-/
>>>>>
>>>>> For me it goes fine:
>>>>>
>>>>> [root@ipadev tools]# ./ipa-nis-manage enable
>>>>> Directory Manager password:
>>>>>
>>>>> Enabling plugin
>>>>> This setting will not take effect until you restart Directory Server.
>>>>> The rpcbind service may need to be started.
>>>>
>>>> Pavel, Jr has set the minimum ssf to a non default value to test a configuration in which all communications are required to be encrypted. That's why you can't reproduce with the vanilla configuration.
>>>>
>>>> We want to support that mode although it won't be the default, so we need to fix any issue that causes that configuration to break (ie all non-encrypted/non-ldapi connections).
>>>>
>>>> Simo.
>>>>
>>>> --
>>>> Simo Sorce * Red Hat, Inc * New York
>>>
>>> The best way to do this is:
>>>
>>> -=-
>>> service ipa stop
>>> Edit /etc/dirsrv/slapd-DOMAIN/dse.ldif
>>> Change:
>>> nsslapd-minssf: 0
>>> To:
>>> nsslapd-minssf: 56 <- 56 is chosen because SASL communicates a 56bit handshake even though we utilize a much stronger cipher... (It is a known bug/feature)
>>> service ipa start
>>
>> I tried to use the LDAPUpdate class (ipaserver/install/ldapupdate.py) with ldapi=True, but it raises a NotFound exception when trying to call IPAdmin.do_external_bind() (ipaserver/ipaldap.py). This exception originates in IPAdmin.__lateinit() when trying to retrieve this
>>
>> cn=config,cn=ldbm database,cn=plugins,cn=config
>>
>> For some reason it looks like this entry is inaccessible when doing a SASL EXTERNAL bind as root.
>>
>> I can retrieve the entry as "cn=directory manager":
>>
>> [root@vm-090 freeipa]# ldapsearch -D "cn=directory manager" -W -H ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b "cn=config,cn=ldbm database,cn=plugins,cn=config" -s one
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base with scope oneLevel
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # default indexes, config, ldbm database, plugins, config
>> dn: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
>> objectClass: top
>> objectClass: extensibleObject
>> cn: default indexes
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> but not as root:
>>
>> [root@vm-090 freeipa]# ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b "cn=config"
>> SASL/EXTERNAL authentication started
>> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>> SASL SSF: 0
>> # extended LDIF
>> #
>> # LDAPv3
>> # base with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # SNMP, config
>> dn: cn=SNMP,cn=config
>> objectClass: top
>> objectClass: nsSNMP
>> cn: SNMP
>> nsSNMPEnabled: on
>>
>> # 2.16.840.1.113730.3.4.9, features, config
>> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
>> objectClass: top
>> objectClass: directoryServerFeature
>> oid: 2.16.840.1.113730.3.4.9
>> cn: VLV Request Control
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 3
>> # numEntries: 2
>>
>> I'm not sure what the problem is, I tried setting different SASL security properties, but nothing helped. :( Next step is to analyze DS logs, but before I do that, I wanted to ask if anyone has any tips on what the solution might be.
>
> We have very strict ACIs when using EXTERNAL SASL as root.
>
> Is there any reason you need to operate as root ? you can also authenticate with SIMPLE (Dir MGr credentials), or SASL/GSSAPI if you have credentials.
>
> If you need to run unattended as root then we may need to make root+SASL/EXTERNAL more powerful but I'd like to understand exactly why you need that and can't use regular authentication with DirMgr or GSSAPI credentials.
>
> Simo.

I need it for IPA tools like ipa-nis-manage. SIMPLE bind is probably not good enough because of the SSF requirements and I'm not sure if it's OK to require a Kerberos ticket to run them.

Pavel
[Freeipa-devel] [PATCH] Fix setattr mail bug in user plugin.
The email normalizer expects a list or tuple, but when using setattr it gets a string and iterates on it as if it was a list/tuple.

Before patch:

[root@ipadev freeipa]# ./ipa user-mod testuser --setattr mail=testu...@example.com
Modified user "testuser"
User login: testuser
First name: f
Last name: l
Home directory: /home/testuser
Login shell: /bin/sh
Email address: c@pzuna, @, x@pzuna, o@pzuna, .@pzuna, t@pzuna, e@pzuna, s@pzuna, r@pzuna, a@pzuna, m@pzuna, p@pzuna, u@pzuna, l@pzuna
Account disabled: False
Member of groups: ipausers

Pavel

freeipa-pzuna-79-normemail.patch
Description: application/mbox
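The failure mode reported above (a normalizer written for a list or tuple receiving the bare string that --setattr supplies), together with the empty `--setattr=mail=` case from the earlier thread, as an added example that is not FreeIPA's code. The function names, the simplified option handling, the constructed address `testuser@example.com` and the use of `pzuna` as default domain (taken from the output above) are assumptions.

```python
# Added illustration, not FreeIPA source. All names here are hypothetical.
DEFAULT_DOMAIN = "pzuna"  # default domain as it appears in the post's output


def normalize_email_buggy(value, domain=DEFAULT_DOMAIN):
    """Normalizer that assumes `value` is always a list or tuple.

    A str is iterable too, so a bare string is processed one character
    at a time instead of being rejected.
    """
    normalized = []
    for addr in value:
        if "@" not in addr and domain:
            addr = "%s@%s" % (addr, domain)
        normalized.append(addr)
    return tuple(normalized)


def normalize_email(value, domain=DEFAULT_DOMAIN):
    """Hardened form: accepts None, one string, or a list/tuple of strings.

    Returns a tuple of addresses, or None when the attribute is cleared.
    """
    if value is None:
        return None
    if isinstance(value, str):
        value = (value,)          # wrap the scalar before iterating
    elif not isinstance(value, (list, tuple)):
        raise TypeError("mail must be a string or a list/tuple of strings")

    normalized = []
    for addr in value:
        if not isinstance(addr, str):
            raise TypeError("mail values must be strings, got %r" % (addr,))
        addr = addr.strip()
        if not addr:
            continue              # empty value, e.g. from --setattr=mail=
        if "@" not in addr:
            if not domain:
                raise ValueError("no default domain to qualify %r" % addr)
            addr = "%s@%s" % (addr, domain)
        normalized.append(addr)
    return tuple(normalized) or None


def parse_attr_options(setattr_opts, addattr_opts, attr="mail"):
    """Simplified model (an assumption) of --setattr/--addattr handling.

    --setattr replaces the values, --addattr appends. A single resulting
    value is passed on as a bare string, which is what exposes the bug.
    """
    values = []
    for opts, replace in ((setattr_opts, True), (addattr_opts, False)):
        for opt in opts:
            name, sep, val = opt.partition("=")
            if not sep:
                raise ValueError("expected attr=value, got %r" % opt)
            if name.lower() != attr:
                continue
            if replace:
                values = [val]
            else:
                values.append(val)
    return values[0] if len(values) == 1 else values


if __name__ == "__main__":
    raw = parse_attr_options(["mail=testuser@example.com"], [])
    print("buggy :", sorted(set(normalize_email_buggy(raw))))
    print("fixed :", normalize_email(raw))
    raw = parse_attr_options(["mail="], ["mail=new@example.com"])
    print("reset+add:", normalize_email(raw))
```

The set of values the first normalizer produces for the constructed address is the same set of one-character addresses listed under "Email address" in the post.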
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
On 02/14/2011 04:56 PM, JR Aquino wrote:
> On 2/10/11 2:42 AM, "Pavel Zuna" wrote:
>> On 02/08/2011 01:06 PM, Pavel Zuna wrote:
>>> The patch also corrects exception handling in some of the tools.
>>>
>>> Fix #874
>>>
>>> Pavel
>>
>> Updated patch attached. Forgot to rename an identifier in exception handling.
>>
>> Pavel
>
> NACK
>
> It looks like LDAPUpdate calls may want to include ldapi=True?
>
> -=-
> # ipa-nis-manage enable
> Directory Manager password:
>
> Enabling plugin
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-nis-manage", line 211, in <module>
>     sys.exit(main())
>   File "/usr/sbin/ipa-nis-manage", line 151, in main
>     ld = LDAPUpdate(dm_password=dirman_password, sub_dict={})
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 101, in __init__
>     conn.do_simple_bind(bindpw=self.dm_password)
>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 350, in do_simple_bind
>     self.simple_bind_s(binddn, bindpw)
>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
>     return f(*args, **kargs)
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 207, in simple_bind_s
>     return self.result(msgid,all=1,timeout=self.timeout)
>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 181, in inner
>     objtype, data = f(*args, **kargs)
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 436, in result
>     res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
>     return f(*args, **kargs)
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 440, in result2
>     res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
>     return f(*args, **kargs)
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 446, in result3
>     ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
>     return f(*args, **kargs)
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 96, in _ldap_call
>     result = func(*args,**kwargs)
> ldap.UNWILLING_TO_PERFORM: {'info': 'Minimum SSF not met.', 'desc': 'Server is unwilling to perform'}

I can't reproduce this. :-/

For me it goes fine:

[root@ipadev tools]# ./ipa-nis-manage enable
Directory Manager password:

Enabling plugin
This setting will not take effect until you restart Directory Server.
The rpcbind service may need to be started.

Pavel
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
On 02/14/2011 04:53 PM, Rob Crittenden wrote:
> Pavel Zuna wrote:
>> On 02/08/2011 01:06 PM, Pavel Zuna wrote:
>>> The patch also corrects exception handling in some of the tools.
>>>
>>> Fix #874
>>>
>>> Pavel
>>
>> Updated patch attached. Forgot to rename an identifier in exception handling.
>>
>> Pavel
>
> This isn't applying cleanly to master, can you rebase it?
>
> rob

Rebased patch attached.

Pavel

freeipa-pzuna-78-3-toolsldapi.patch
Description: application/mbox
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
On 02/08/2011 01:06 PM, Pavel Zuna wrote:
> The patch also corrects exception handling in some of the tools.
>
> Fix #874
>
> Pavel

Updated patch attached. Forgot to rename an identifier in exception handling.

Pavel

freeipa-pzuna-78-2-toolsldapi.patch
Description: application/mbox
Re: [Freeipa-devel] [PATCH] 050 Fix migration page
On 02/09/2011 02:09 PM, Jakub Hrozek wrote:
> During some UI rewrite, the password migration form completely lost the action= field and defaulted to GET instead of POST.

ACK.

Pavel
Re: [Freeipa-devel] [PATCH] 73 Update config doc to reflect that 0 is not allowed for search time limit.
On 02/08/2011 12:34 AM, David O'Brien wrote:
> Pavel Zuna wrote:
>> Fix #837
>>
>> Pavel
>
> /me hesitantly asks...
>
> Doesn't this mean that "1" is illegal?
>
> doc=_('Max. amount of time (sec.) for a search (> 1 or -1 for unlimited)'),
>
> Neither is there any mention of zero being illegal. It may be implicit or self-evident, but I don't rely on that in doc.
>
> I'd be inclined to change it to (> 0, or -1 for unlimited)
>
> but remember, I'm not a coder :)
>
> cheers

You're right. :) Fixed version attached.

Pavel

freeipa-pzuna-73-2-configdoc.patch
Description: application/mbox
[Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
The patch also corrects exception handling in some of the tools.

Fix #874

Pavel

freeipa-pzuna-78-toolsldapi.patch
Description: application/mbox
[Freeipa-devel] [PATCH] 77 Update krbtpolicy doc to inform that restarting krb5kdc might be needed.
It seems that restarting krb5kdc is only needed when changes to the global policy are made. Per-user policies take effect immediately for newly requested tickets. Can someone please confirm?

Fix #844

Pavel

freeipa-pzuna-77-krbtpdoc.patch
Description: application/mbox
[Freeipa-devel] [PATCH] 76 Fallback to default locale (en_US) if env. setting is corrupt.
This is a follow-up to my patches 69 and 71 (70 is garbage). It prevents a crash when user misconfigures his locale settings.

Pavel

freeipa-pzuna-76-deflocale.patch
Description: application/mbox
Re: [Freeipa-devel] [PATCH] Enable custom list of attributes to retrieve effective rights.
On 02/03/2011 08:04 PM, Simo Sorce wrote:
> On Tue, 18 Jan 2011 13:25:28 +0100 Pavel Zuna wrote:
>> On 01/07/2011 08:59 PM, Rob Crittenden wrote:
>>> Pavel Zůna wrote:
>>>> LDAPObject sub-classes can define a custom list of attributes for effective rights retrieval.
>>>>
>>>> Fix #677
>>>>
>>>> Pavel
>>>
>>> Nack. --rights should only return data when --all is also included. Otherwise it looks ok.
>>>
>>> rob
>>
>> Fixed version attached.
>>
>> Pavel
>
> Is this one still on the table? Or did some other patch supersede it?
>
> Simo.

We can throw this one away. The problem was somewhere else and the ticket is already closed.

Pavel
Re: [Freeipa-devel] [PATCH] 72 Set minimum for Kerberos policy max life and max renew
On 02/07/2011 01:10 PM, Jakub Hrozek wrote:
> On Mon, Feb 07, 2011 at 11:13:56AM +0100, Pavel Zuna wrote:
>> Fix #847
>>
>> Pavel
>
> Nack, please update API.txt

Forgot about that, sorry. Version with updated API.txt attached.

Pavel

freeipa-pzuna-72-2-krbtpmin.patch Description: application/mbox
[Freeipa-devel] [PATCH] 75 Display error messages for failed manageby in service-add/remove-host.
Fix #830

Pavel

freeipa-pzuna-75-managedbyerr.patch Description: application/mbox
[Freeipa-devel] [PATCH] 74 Fix crash in DNS installer.
Fix #927

Pavel

freeipa-pzuna-74-dnsinstallcrash.patch Description: application/mbox
[Freeipa-devel] [PATCH] 73 Update config doc to reflect that 0 is not allowed for search time limit.
Fix #837

Pavel

freeipa-pzuna-73-configdoc.patch Description: application/mbox
[Freeipa-devel] [PATCH] 72 Set minimum for Kerberos policy max life and max renew
Fix #847

Pavel

freeipa-pzuna-72-krbtpmin.patch Description: application/mbox
Re: [Freeipa-devel] [PATCH] Remove deprecated i18n code from ipalib.request and all references to it.
On 02/04/2011 04:03 PM, Rob Crittenden wrote:
> Pavel Zuna wrote:
>> On 02/02/2011 09:36 PM, Rob Crittenden wrote:
>>> Pavel Zuna wrote:
>>>> This ticket effectively fixes the translation of exception messages.
>>>>
>>>> Ticket #903
>>>>
>>>> Pavel
>>>
>>> On hold for now, see also patch 'Translate exception messages on the client side.'
>>>
>>> rob
>>
>> This should get pushed for the translation in exceptions to work. It only removes the defunct code and replaces it with something functional.
>>
>> Pavel
>
> If the server locale is not en_US.UTF-8 then messages are translated.
>
> rob

I know, but it's not the purpose of this patch to do the right translation for the client. Its purpose is to fix the code to actually perform the translation. There's another patch (71) to do the right thing and it depends on this one.

Pavel
Re: [Freeipa-devel] python i18n options
On 02/03/2011 05:13 PM, John Dennis wrote:
> On 02/03/2011 09:34 AM, Pavel Zuna wrote:
>> Python 2.6+ provides secure ways to encode and decode literal types to/from strings.
>
> I'm not sure what you mean by this, could you elaborate please?

http://docs.python.org/library/ast.html#ast.literal_eval

We could use it to send data about the exception and have the client translate it for itself. However I decided to drop this idea, because it would require changes in a lot of places where we construct exceptions and that's just not worth it.

>> Summary: Unless we agree on a better way; I'm going to try the pygettext patch and see how usable it is. If it's not then I'll try the solution with merging pygettext and xgettext output. We also need to rethink the PublicError class and its encoding/decoding in {JSON,XML}-RPC to have them translated on the client.
>
> I think your proposal sounds fine if we expect the message catalog on the client to be in sync with the server. I'm not sure that's a good assumption. When they drift apart the effect will be that some messages appear localized and others won't. That will be a poor user experience.
>
> One way we could address this problem is by following the web model. The client sends their language preference in each request. When the server responds it performs the message translation prior to sending it back to the client. We're already doing this for the web UI, any reason not to follow the same model for other clients?

Yes, we're going to use the same model in the end. Already posted a patch on the list that does just that (71).

> I can't comment on the quality of the upstream pygettext patch, but one way to find out is to start using it :-)

That's exactly what I'm planning to do. :)

Pavel
[Freeipa-devel] [PATCH] Send Accept-Language header over XML-RPC and translate on server.
This patch makes the ipa client send the Accept-Language header, so that the server can translate things like exceptions, that cannot be translated on the client. It also fixes the language recognition for the webUI.

The values in Accept-Language header are a bit different than what is accepted by the LANG variable as a valid locale - some additional parsing was needed. For example:

>>> Accept-Language: es-es;q=1

needs to translate to

>>> es_ES

otherwise it won't be recognized by gettext

Fix #904
Fix #917

Pavel

freeipa-pzuna-71-acceptlang.patch Description: application/mbox
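The header-to-locale mapping described in this message, as an added Python 3 example that is not the patch attached to it: it turns an Accept-Language value into gettext locale names ordered by q-value and drops anything that is not a plain language or language-region tag, because the names are later used to locate catalogue files. The function names, the size limits and the `ipa` domain default are assumptions.

```python
import gettext
import re

MAX_HEADER_LEN = 512   # assumption: longer headers are ignored outright
MAX_RANGES = 16        # assumption: at most this many entries are examined

# Only "xx" or "xx-YY" is accepted. Script subtags, "*" and anything holding
# path characters are dropped: gettext uses each name to build the path
# <localedir>/<name>/LC_MESSAGES/<domain>.mo.
_TAG = re.compile(r'([A-Za-z]{2,3})(?:-([A-Za-z]{2}))?')
_QVALUE = re.compile(r'0(?:\.[0-9]{0,3})?|1(?:\.0{0,3})?')


def parse_accept_language(header):
    """Return gettext locale names, best first: 'es-es;q=1' -> ['es_ES']."""
    if not header or len(header) > MAX_HEADER_LEN:
        return []
    ranked = []
    for position, item in enumerate(header.split(',')[:MAX_RANGES]):
        fields = [f.strip() for f in item.split(';')]
        quality = 1.0
        well_formed = True
        for param in fields[1:]:
            key, _sep, value = param.partition('=')
            if key.strip().lower() != 'q':
                continue
            if not _QVALUE.fullmatch(value.strip()):
                well_formed = False
                break
            quality = float(value.strip())
        match = _TAG.fullmatch(fields[0])
        if not well_formed or quality == 0.0 or match is None:
            continue  # malformed weight, q=0 ("not acceptable"), or bad tag
        language, region = match.group(1).lower(), match.group(2)
        name = language if region is None else language + '_' + region.upper()
        ranked.append((-quality, position, name))
    ordered = []
    for _quality, _position, name in sorted(ranked):
        if name not in ordered:
            ordered.append(name)
    return ordered


def translation_for(header, domain='ipa', localedir=None):
    """Pick a catalogue for one request without consulting the server's LANG."""
    languages = parse_accept_language(header)
    # An explicit (possibly empty) list stops gettext from reading LANGUAGE,
    # LC_ALL, LC_MESSAGES and LANG from the server process environment.
    return gettext.translation(domain, localedir=localedir,
                               languages=languages, fallback=True)
```

With `fallback=True` an unknown or rejected language yields the untranslated message rather than an exception in the request path.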
Re: [Freeipa-devel] [PATCH] Remove deprecated i18n code from ipalib.request and all references to it.
On 02/02/2011 09:36 PM, Rob Crittenden wrote:
> Pavel Zuna wrote:
>> This ticket effectively fixes the translation of exception messages.
>>
>> Ticket #903
>>
>> Pavel
>
> On hold for now, see also patch 'Translate exception messages on the client side.'
>
> rob

This should get pushed for the translation in exceptions to work. It only removes the defunct code and replaces it with something functional.

Pavel
[Freeipa-devel] python i18n options
I've been playing around with localizing python strings for a while and this is what I figured out:

Currently we use xgettext to get strings to be translated from python files. From within python we call the gettext library wrapped in ipalib/text.py classes to provide on request translation. We need on request translation, so that we can translate strings on the client.

Apart from the classes in ipalib/text.py, there are also localization functions in ipalib/request.py. These functions are old and deprecated. Despite this they are still used when translating exception messages. That's why exceptions aren't currently being localized. Rob posted a patch recently that fixes this, but it wasn't fixing the problem at its root. There's another patch by me (69: Remove deprecated i18n code...) that removes references to ipalib/request.py and replaces it with ipalib/text.py classes. This patch should definitely be accepted. It doesn't change anything - it just removes code that shouldn't be there anyway.

There's another problem with exceptions. They are localized when they are first created on the server. When transmitting exceptions from server to client, the data is wrapped in a xmlrpclib.Fault class. This class can only contain an error code and string making it impossible to reconstruct on the client especially if it contains template strings (i.e. '%(reason)s'). I propose we change the way exceptions are created and encode information about them as Fault string data. We can then reconstruct them on the client and perform localization there. Python 2.6+ provides secure ways to encode and decode literal types to/from strings. This will require changes to the PublicError class.

Now there's the issue of localizing the built-in help system ('ipa help') which translates to localizing python docstrings. xgettext can't do that on its own. There's an alternative called pygettext. Unfortunately pygettext can't translate ngettext strings (meaning strings that have a singular and plural form). I found two solutions around this:

1) a) use both xgettext and pygettext
   b) merge the resulting .po files
   c) use msguniq utility to get unique translatable strings
2) there's a patch for pygettext to handle ngettext strings

Solution 1) will probably work fine, but it's not very effective. I would prefer the second solution, but I still have to determine how good the patch is since it was sent by some random guy on the python mailing list.

Links:
http://bugs.python.org/issue8502
http://bugs.python.org/file17639/pygettext.py.patch

Opinions?

Summary: Unless we agree on a better way; I'm going to try the pygettext patch and see how usable it is. If it's not then I'll try the solution with merging pygettext and xgettext output. We also need to rethink the PublicError class and its encoding/decoding in {JSON,XML}-RPC to have them translated on the client.

Pavel
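The idea sketched in this message (and the `ast.literal_eval` link given in the reply to it) of carrying exception arguments in the Fault string, as an added Python 3 example that is not FreeIPA code: the server serialises only scalar template arguments, and the client parses them without evaluating code and formats a template from its own table. The function names, the error-code table and the size cap are constructed for the example.

```python
import ast

MAX_FAULT_LEN = 4096   # assumption: cap on what the client agrees to parse
_SCALARS = (str, int, bool, type(None))

# Constructed client-side table: error code -> untranslated template.
# Templates never come from the wire, only their arguments do.
TEMPLATES = {
    3009: 'invalid %(name)s: %(error)s',
    4002: 'This entry already exists',
}
GENERIC = 'an internal error has occurred'


def encode_fault_kw(kw):
    """Server side: serialise template arguments as a Python literal."""
    for key, value in kw.items():
        if not isinstance(key, str) or not isinstance(value, _SCALARS):
            raise TypeError('only scalar template arguments are sent')
    return repr(dict(kw))


def decode_fault_kw(fault_string):
    """Client side: parse the literal; nothing in the string is executed."""
    if len(fault_string) > MAX_FAULT_LEN:
        raise ValueError('fault string too long')
    try:
        data = ast.literal_eval(fault_string)
    except (ValueError, SyntaxError, TypeError,
            MemoryError, RecursionError) as exc:
        raise ValueError('fault string is not a literal') from exc
    if not isinstance(data, dict):
        raise ValueError('fault string is not a mapping')
    for key, value in data.items():
        if not isinstance(key, str) or not isinstance(value, _SCALARS):
            raise ValueError('unexpected type in fault data')
    return data


def render_error(code, fault_string, translate=lambda text: text):
    """Translate the local template, then fill in the decoded arguments."""
    template = TEMPLATES.get(code)
    if template is None:
        return translate(GENERIC)
    try:
        return translate(template) % decode_fault_kw(fault_string)
    except (ValueError, KeyError, TypeError):
        # Undecodable data, a missing argument, or a broken translated
        # template must not turn error reporting into a second failure.
        return translate(GENERIC)
```

`translate` stands in for the client's gettext function; `%`-formatting with a mapping only substitutes values and does not reach into object attributes.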
[Freeipa-devel] [PATCH] Translate exception messages on the client side.
Ticket #904 Pavel >From ee8e1db4c07d7d2d6e2bff6a80fc9643f46b4c6b Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Wed, 2 Feb 2011 16:23:25 -0500 Subject: [PATCH] Translate exception messages on the client side. Ticket #904 --- ipalib/cli.py |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/ipalib/cli.py b/ipalib/cli.py index 9735d2e..606fe4d 100644 --- a/ipalib/cli.py +++ b/ipalib/cli.py @@ -1059,5 +1059,5 @@ def run(api): error = InternalError() if error is not None: assert isinstance(error, PublicError) -api.log.error(error.strerror) +api.log.error(_(error.format) % error.kw) sys.exit(error.rval) -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
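Review bot: the new `api.log.error(_(error.format) % error.kw)` line at the end of run() assumes every PublicError that reaches the client still carries the keyword arguments its template needs. An error rebuilt from an XML-RPC fault arrives as only a code and a string (as the i18n thread on this list points out), so `error.kw` can lack keys and the `%` would raise KeyError inside the error path, hiding the original failure. Wrap the formatting so it falls back to `error.strerror`, and say in the commit message how this behaves when the server has already translated the message.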
[Freeipa-devel] [PATCH] Remove deprecated i18n code from ipalib.request and all references to it.
This ticket effectively fixes the translation of exception messages. Ticket #903 Pavel >From b051be4d816f94ebab3fc932b3d2372d1cf0345a Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Wed, 2 Feb 2011 15:37:14 -0500 Subject: [PATCH] Remove deprecated i18n code from ipalib/request and all references to it. Ticket #903 --- ipalib/errors.py |2 +- ipalib/parameters.py |2 +- ipalib/request.py | 40 - tests/test_ipalib/test_request.py | 161 - 4 files changed, 2 insertions(+), 203 deletions(-) delete mode 100644 tests/test_ipalib/test_request.py diff --git a/ipalib/errors.py b/ipalib/errors.py index 20cd52b..63648d2 100644 --- a/ipalib/errors.py +++ b/ipalib/errors.py @@ -101,7 +101,7 @@ current block assignments: """ from inspect import isclass -from request import ugettext, ungettext +from text import _ as ugettext, ngettext as ungettext from constants import TYPE_ERROR diff --git a/ipalib/parameters.py b/ipalib/parameters.py index 22b0321..23177b3 100644 --- a/ipalib/parameters.py +++ b/ipalib/parameters.py @@ -102,7 +102,7 @@ a more detailed description for clarity. import re from types import NoneType from util import make_repr -from request import ugettext +from text import _ as ugettext from plugable import ReadOnly, lock, check_name from errors import ConversionError, RequirementError, ValidationError from errors import PasswordMismatch diff --git a/ipalib/request.py b/ipalib/request.py index 9a11fb9..15b26f5 100644 --- a/ipalib/request.py +++ b/ipalib/request.py @@ -23,8 +23,6 @@ Per-request thread-local data. """ import threading -import locale -import gettext from base import ReadOnly, lock from constants import OVERRIDE_ERROR, CALLABLE_ERROR 
@@ -58,41 +56,3 @@ def destroy_context(): value.disconnect() context.__dict__.clear() - -def ugettext(message): -if hasattr(context, 'ugettext'): -return context.ugettext(message) -return message.decode('UTF-8') - - -def ungettext(singular, plural, n): -if hasattr(context, 'ungettext'): -return context.ungettext(singular, plural, n) -if n == 1: -return singular.decode('UTF-8') -return plural.decode('UTF-8') - - -def set_languages(*languages): -if hasattr(context, 'languages'): -raise StandardError(OVERRIDE_ERROR % -('context', 'languages', context.languages, languages) -) -if len(languages) == 0: -languages = locale.getdefaultlocale()[:1] -context.languages = languages -assert type(context.languages) is tuple - - -def create_translation(domain, localedir, *languages): -if hasattr(context, 'ugettext') or hasattr(context, 'ungettext'): -raise StandardError( -'create_translation() already called in thread %r' % -threading.currentThread().getName() -) -set_languages(*languages) -translation = gettext.translation(domain, -localedir=localedir, languages=context.languages, fallback=True -) -context.ugettext = translation.ugettext -context.ungettext = translation.ungettext diff --git a/tests/test_ipalib/test_request.py b/tests/test_ipalib/test_request.py deleted file mode 100644 index 548156d..000 --- a/tests/test_ipalib/test_request.py +++ /dev/null 
@@ -1,161 +0,0 @@ -# Authors: -# Jason Gerard DeRose -# -# Copyright (C) 2008 Red Hat -# see file 'COPYING' for use and warranty contextrmation -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. - -""" -Test the `ipalib.request` module. -""" - -import threading -import locale -from tests.util import raises, assert_equal -from tests.util import TempDir, dummy_ugettext, dummy_ungettext -from ipalib.constants import OVERRIDE_ERROR -from ipalib import request - - -def test_ugettext(): -""" -Test the `ipalib.request.ugettext` function. -""" -f = request.ugettext -context = request.context -message = 'Hello, world!' - -# Test with no context.ugettext: -assert not hasattr(context, 'ugettext') -assert_equal(f(message), u'Hello, world!') - -
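Review bot: in ipalib/errors.py and ipalib/parameters.py the new imports alias `text._` and `text.ngettext` to the old names `ugettext`/`ungettext`, which hides a change in behaviour: the removed request.py functions returned a decoded unicode string at once, falling back to `message.decode('UTF-8')` when no translation was installed. Please confirm every caller copes with what the `text` functions return, and consider importing them under their real names. request.py still imports `OVERRIDE_ERROR`, whose only use in these hunks was the removed `set_languages()`, so check whether that import is now dead. tests/test_ipalib/test_request.py is deleted whole; if it held tests for the context code that stays in request.py, those should be kept.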
Re: [Freeipa-devel] [PATCH] 698 Translate exception messages
On 02/01/2011 11:36 PM, Rob Crittenden wrote:
> Pavel mentioned this morning that translations didn't seem to be working. I remembered that I did some things on the cli so I re-tested. Turned out that exceptions aren't being translated.
>
> I'm not at all sure this patch does the right thing, so take it with a grain of salt. What it does is translates the message before stuffing it into the exception. Note that this will also translate messages returned via XML-RPC so I wonder if we need to force LANG to en_US.UTF-8 there. In any case, this seems to fix the client side anyway. I'm open to criticism on this one.
>
> To test do something like:
>
> $ kinit admin
> $ export LANG=es_US.UTF-8
> $ ipa user-add --first=Kermit --last=Frog kfrog
> $ ipa user-add --first=Kermit --last=Frog kfrog
>
> You should get a DuplicateEntry() response in Spanish.
>
> rob

nack. While this patch works, it doesn't solve the problem at its root. After some investigation I figured out, that functions initializing translations in ipalib/request.py are not called from anywhere. All the translation code in ipalib/request.py is currently deprecated in favor of ipalib/text.py. I'm preparing a patch, that removes the unused code and replaces references to it.

Pavel
[Freeipa-devel] [PATCH] Fix minor bug in host-add logic.
Fix #798 Pavel >From c5872d7d532429341c86cf1ba10a24709b510664 Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Wed, 2 Feb 2011 13:47:21 -0500 Subject: [PATCH] Fix minor bug in host-add logic. Ticket #798 --- ipalib/plugins/host.py |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index d5c5174..e3f38fc 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -323,9 +323,9 @@ class host_add(LDAPCreate): entry_attrs['krbprincipalname'] = 'host/%s@%s' % ( keys[-1], self.api.env.realm ) -if 'krbprincipalaux' not in entry_attrs: +if 'krbprincipalaux' not in entry_attrs['objectclass']: entry_attrs['objectclass'].append('krbprincipalaux') -if 'krbprincipal' not in entry_attrs: +if 'krbprincipal' not in entry_attrs['objectclass']: entry_attrs['objectclass'].append('krbprincipal') else: if 'krbprincipalaux' in entry_attrs['objectclass']: -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
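Review bot: the two corrected checks in host_add now test membership in `entry_attrs['objectclass']`, but the comparison is an exact, case-sensitive string match while LDAP object class names are case-insensitive. If the list holds `krbPrincipalAux` in another casing, the class is appended a second time. Compare on lower-cased values, and add a case to the host plugin tests for a host added without a password, since the diffstat shows only ipalib/plugins/host.py changing.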
[Freeipa-devel] [PATCH] Fix crash in ipa help for NO_CLI plugins.
Fix #854 Pavel >From 6c9f25fa6c50034db4967e64590cc9d46bdf8e0b Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Wed, 2 Feb 2011 12:47:34 -0500 Subject: [PATCH] Fix crash in ipa help for NO_CLI plugins. Fix #854 --- ipalib/cli.py | 16 ++-- 1 files changed, 2 insertions(+), 14 deletions(-) diff --git a/ipalib/cli.py b/ipalib/cli.py index 5543301..9735d2e 100644 --- a/ipalib/cli.py +++ b/ipalib/cli.py @@ -730,19 +730,6 @@ class help(frontend.Local): for t in topics: topic = self._topics[t] print ' %s %s' % (to_cli(t).ljust(self._mtl), topic[0]) - -if False: -topic_commands = self._topics[t][2] -mod_list = [self._get_command_module(c.module) for c in topic_commands] -mod_list = list(set(mod_list)) - -for mod in mod_list: -m = '%s.%s' % (self._PLUGIN_BASE_MODULE, mod) -if 'topic' in dir(sys.modules[m]): -doc = sys.modules[m].topic[1] -else: -doc = (sys.modules[m].__doc__ or '').strip().split('\n', 1)[0] -print ' %s %s' % (to_cli(t).ljust(self._mtl), doc) print '' print 'Try `ipa --help` for a list of global options.' @@ -759,6 +746,7 @@ class help(frontend.Local): mcl = self._topics[topic][1] commands = self._topics[topic][2] else: +commands = [] for t in self._topics: if type(self._topics[t][2]) is not dict: continue @@ -772,8 +760,8 @@ class help(frontend.Local): doc = (sys.modules[m].__doc__ or '').strip() print doc -print '' if len(commands) > 1: +print '' print 'Topic commands:' for c in commands: print ' %s %s' % (to_cli(c.name).ljust(mcl), c.summary) -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
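Review bot: in the last hunk `print ''` moves under `if len(commands) > 1:`, so a topic with exactly one command now prints its doc with no blank line and no command list. Please confirm `> 1` is intended rather than `> 0`. The commit message should also say what crashed: from the second hunk it looks as if `commands` was never bound in the else branch, which the added `commands = []` addresses. If the loop in that branch can finish without assigning `mcl`, initialise it next to `commands` so the code does not depend on the length guard alone.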
Re: [Freeipa-devel] [PATCH] Make 'ipa help' localizable.
On 02/01/2011 03:08 PM, John Dennis wrote:
> On 02/01/2011 08:16 AM, Pavel Zuna wrote:
>> For a long time, I was trying to find a way to localize python docstrings, that we use to generate the built-in documentation system. Unfortunately, python docstrings aren't meant to be localized and therefore I had to use a dirty trick: setting the __doc__ variable manually to a gettext instance. There is one major disadvantage: tools that generate developer documentation (like epydoc) won't display docstrings set like this. One solution would be to have docstrings twice in each module: once normally and once set using __doc__, but that would be very ugly.
>>
>> This patch doesn't update .po files, because it's already big as it is. They are regenerated automatically anyway.
>>
>> Ticket #179
>>
>> Pavel
>
> Hi Pavel:
>
> I'm not sure this is the right approach. What we really want is to be able to extract the docstrings and put them in a pot file. Normally xgettext is used to "xtract" translatable strings but I don't think the python parser in xgettext is docstring aware (we should probably confirm that). However pygettext in the python-tools package is docstring aware. From its help text:
>
>     -D
>     --docstrings
>         Extract module, class, method, and function docstrings. These do not need to be wrapped in _() markers, and in fact cannot be for Python to consider them docstrings. (See also the -X option).
>
> So rather than changing all the source code and making it non-standard I think we're better off using a more appropriate tool when building the pot file.
>
> Use of pygettext is discussed and documented in this Python documentation link:
>
> http://docs.python.org/library/gettext.html#internationalizing-your-programs-and-modules
>
> You can find an interesting discussion of the docstring extraction issue in this thread:
>
> http://mail.python.org/pipermail/i18n-sig/2001-August/001292.html
>
> BTW, Barry Warsaw is the man behind Mailman and is one of the Python community luminaries.

Thanks for the tips! I'll see what I can do.

Pavel
[Freeipa-devel] [PATCH] Make 'ipa help' localizable.
For a long time, I was trying to find a way to localize python docstrings, that we use to generate the built-in documentation system. Unfortunately, python docstrings aren't meant to be localized and therefore I had to use a dirty trick: setting the __doc__ variable manually to a gettext instance. There is one major disadvantage: tools that generate developer documentation (like epydoc) won't display docstrings set like this. One solution would be to have docstrings twice in each module: once normally and once set using __doc__, but that would be very ugly. This patch doesn't update .po files, because it's already big as it is. They are regenerated automatically anyway. Ticket #179 Pavel >From 033d3480be0c4a48b0976ed719a2724330990aca Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Tue, 1 Feb 2011 13:07:50 -0500 Subject: [PATCH] Make 'ipa help' localizable. --- ipalib/cli.py | 17 - ipalib/plugins/aci.py |7 --- ipalib/plugins/automount.py|6 -- ipalib/plugins/batch.py|5 ++--- ipalib/plugins/cert.py |6 +++--- ipalib/plugins/config.py |7 --- ipalib/plugins/delegation.py |8 +--- ipalib/plugins/dns.py |7 --- ipalib/plugins/group.py|7 --- ipalib/plugins/hbacrule.py |7 --- ipalib/plugins/hbacsvc.py |8 +--- ipalib/plugins/hbacsvcgroup.py |7 --- ipalib/plugins/host.py |7 --- ipalib/plugins/hostgroup.py|8 +--- ipalib/plugins/krbtpolicy.py |7 --- ipalib/plugins/migration.py|7 --- ipalib/plugins/netgroup.py |7 --- ipalib/plugins/passwd.py |7 --- ipalib/plugins/permission.py |8 +--- ipalib/plugins/pkinit.py |7 --- ipalib/plugins/privilege.py|8 +--- ipalib/plugins/pwpolicy.py |7 --- ipalib/plugins/role.py |8 +--- ipalib/plugins/selfservice.py |8 +--- ipalib/plugins/service.py |8 +--- ipalib/plugins/sudocmd.py |7 --- ipalib/plugins/sudocmdgroup.py |7 --- ipalib/plugins/user.py |7 --- 28 files changed, 125 insertions(+), 85 deletions(-) diff --git a/ipalib/cli.py b/ipalib/cli.py index 5543301..1fdcc30 100644 --- a/ipalib/cli.py +++ b/ipalib/cli.py 
@@ -663,12 +663,16 @@ class help(frontend.Local): self._topics[topic_name][2].append(c) else: m = '%s.%s' % (self._PLUGIN_BASE_MODULE, topic_name) -doc = (sys.modules[m].__doc__ or '').strip().split('\n', 1)[0] +doc = '' +if sys.modules[m].__doc__: +doc = unicode(sys.modules[m].__doc__).strip().split('\n', 1)[0] self._topics[topic_name] = [doc, 0, [c]] mcl = max((self._topics[topic_name][1], len(c.name))) self._topics[topic_name][1] = mcl else: # a module grouped in a topic -doc = (sys.modules[c.module].__doc__ or '').strip().split('\n', 1)[0] +doc = '' +if sys.modules[c.module].__doc__: +doc = unicode(sys.modules[c.module].__doc__).strip().split('\n', 1)[0] mod_name = c.module.rsplit('.',1)[1] if topic_name in self._topics: if mod_name in self._topics[topic_name][2]: @@ -738,10 +742,11 @@ class help(frontend.Local): for mod in mod_list: m = '%s.%s' % (self._PLUGIN_BASE_MODULE, mod) +doc = '' if 'topic' in dir(sys.modules[m]): doc = sys.modules[m].topic[1] -else: -doc = (sys.modules[m].__doc__ or '').strip().split('\n', 1)[0] +elif sys.modules[m].__doc__: +doc = unicode(sys.modules[m].__doc__).strip().split('\n', 1)[0] print ' %s %s' % (to_cli(t).ljust(self._mtl), doc) print '' print 'Try `ipa --help` for a list of global options.' @@ -769,7 +774,9 @@ class help(frontend.Local): break m = '%s.%s' % (self._PLUGIN_BASE_MODULE, topic) -doc = (sys.modules[m].__doc__ or '').strip() +doc = '' +if sys.modules[m].__doc__: +doc = unicode(sys.modules[m].__doc__).strip() print doc print '' diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py index 4ddaf98..395bc21
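Review bot: each of the four rewritten spots in ipalib/cli.py calls `unicode(sys.modules[...].__doc__)` with no encoding, so a module whose docstring is still a plain byte string containing non-ASCII characters raises UnicodeDecodeError in the middle of `ipa help`. The same three lines (`doc = ''`, the `if ...__doc__:` test, the `unicode(...).strip()` call) are also repeated four times; move them into one helper that accepts both the lazy gettext object and a plain docstring, and document there why the plugins assign `__doc__` by hand.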
[Freeipa-devel] [PATCH] Raise ValidationError when adding unallowed attribute to search fields.
Depends on my previous patch number 64 (posted on the list 2 minutes ago). Ticket #845 Pavel >From 275f22f718af14f3f3c5e29c1f03471ab152b386 Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Tue, 25 Jan 2011 15:25:52 -0500 Subject: [PATCH 2/2] Raise ValidationError when adding unallowed attribute to search fields. Ticket #845 --- ipalib/plugins/config.py | 16 1 files changed, 16 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py index ccd06ca..f779732 100644 --- a/ipalib/plugins/config.py +++ b/ipalib/plugins/config.py @@ -198,6 +198,22 @@ class config_mod(LDAPUpdate): api.Command['group_show'](group) except errors.NotFound: raise errors.NotFound(message=unicode("The group doesn't exist")) +kw = {} +if 'ipausersearchfields' in entry_attrs: +kw['ipausersearchfields'] = 'ipauserobjectclasses' +if 'ipagroupsearchfields' in entry_attrs: +kw['ipagroupsearchfields'] = 'ipagroupobjectclasses' +if kw: +config = ldap.get_ipa_config(kw.values()) +for (k, v) in kw.iteritems(): +allowed_attrs = ldap.get_allowed_attributes(config[1][v]) +fields = entry_attrs[k].split(',') +for a in fields: +a = a.strip() +if a not in allowed_attrs: +raise errors.ValidationError( +name=k, error='attribute "%s" not allowed' % a +) return dn api.register(config_mod) -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
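Review bot: in config_mod the loop tests `if a not in allowed_attrs` after only `a.strip()`, while `get_allowed_attributes()` from patch 1/2 returns lower-cased names, so a valid field typed in mixed case (for example `givenName`) is rejected. Lower-case `a` before the test. In the same block `config[1][v]` raises KeyError when the config entry lacks the object class attribute (get_ipa_config falls back to an empty entry on NotFound), `entry_attrs[k].split(',')` assumes a single string value, and the error text is not wrapped in `_()` for translation.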
[Freeipa-devel] [PATCH] Add ldap2 method to retrieve allowed attributes for specified objectClasses.
ldap2.get_allowed_attributes(['posixuser']) returns a list of unicode all lower case attribute names allowed for the object class 'posixuser' You can enter as many object classes as you want. Pavel >From 044476963a96136f951ccf8232debc1b1c48513f Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Tue, 25 Jan 2011 15:24:03 -0500 Subject: [PATCH 1/2] Add ldap2 method to retrieve allowed attributes for specified objectClasses. ldap2.get_allowed_attribute(['posixuser']) returns a list of unicode all lower case attribute names allowed for the object class 'posixuser' --- ipaserver/plugins/ldap2.py | 20 +--- 1 files changed, 17 insertions(+), 3 deletions(-) diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index 86ea3f8..7490dfb 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -266,6 +266,16 @@ class ldap2(CrudBackend, Encoder): else: return None +def get_allowed_attributes(self, objectclasses): +if not self.schema: +return [] +allowed_attributes = [] +for oc in objectclasses: +obj = self.schema.get_obj(_ldap.schema.ObjectClass, oc) +if obj is not None: +allowed_attributes += obj.must + obj.may +return [unicode(a).lower() for a in list(set(allowed_attributes))] + def get_single_value(self, attr): """ Check the schema to see if the attribute is single-valued. 
@@ -597,15 +607,19 @@ class ldap2(CrudBackend, Encoder): Keyword arguments: attrs_list - list of attributes to return, all if None (default None) """ -return self.find_entries(None, attrs_list, dn, self.SCOPE_BASE, time_limit=time_limit, size_limit=size_limit, normalize=normalize)[0][0] +return self.find_entries( +None, attrs_list, dn, self.SCOPE_BASE, time_limit=time_limit, +size_limit=size_limit, normalize=normalize +)[0][0] config_defaults = {'ipasearchtimelimit': [2], 'ipasearchrecordslimit': [0]} -def get_ipa_config(self): +def get_ipa_config(self, attrs_list=None): """Returns the IPA configuration entry (dn, entry_attrs).""" cdn = "%s,%s" % (api.Object.config.get_dn(), api.env.basedn) try: (cdn, config_entry) = self.find_entries( -base_dn=cdn, scope=self.SCOPE_BASE, time_limit=2, size_limit=10 +None, attrs_list, base_dn=cdn, scope=self.SCOPE_BASE, +time_limit=2, size_limit=10 )[0][0] except errors.NotFound: config_entry = {} -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
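Review bot: `get_allowed_attributes()` collects only `obj.must + obj.may` of each named class and never follows that class's superior classes, so attributes inherited from a parent object class are reported as not allowed, and the search-fields check in patch 2/2 would then reject them. Walk the superior chain before building the list. The method also has no docstring, and the commit message calls it `get_allowed_attribute` while the code defines `get_allowed_attributes`.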
Re: [Freeipa-devel] [PATCH] test speedup patch
On 01/19/2011 04:17 AM, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Attached is a rough cut of a patch to try to speed up the cli a little bit. Basically in production mode it will skip some things during initialization. My concept is that we develop in mode != production and release in mode == production.
>>>
>>> I managed to knock a second or so off time to do a user-show on average. There may be some other things we can do to speed things up, I'm still looking. Some feedback on the approach would be appreciated.
>>>
>>> Note that I've completely ruled out SSL/Negotiate. I did my testing on lite-server which doesn't use SSL or Negotiate and it was STILL taking on average 3-4+ seconds per command. The server side was consistently taking < 1 second to complete.
>>>
>>> rob
>>
>> oh, and the patch.
>
> I ran a couple of moderate tests this evening that executed 42 separate operations like add, delete, and managing group membership. I ran this 10 times each on 2 identical VMs, one with a bit older code and one with this patch then averaged the times.
>
> With the patch the average was 1.3 seconds per operation, without 2.6. A 50% improvement is more than I expected, I saw a 33% improvement on individual runs. I'll keep at it but this seems promising.
>
> I was also a bit surprised that the average time without the patch was so low, I was expecting something over 3 seconds.
>
> Specifically what this patch does is it avoids doing some self-validation. There is some amount of risk that the framework could blow up but in a deployed situation I think the risk is rather low. A side-effect of the API tester makeapi is that it loads the framework. We can force it to be run in production mode so the product shouldn't be buildable if it has inconsistencies.
>
> rob

I find it hard to believe this patch causes such a big improvement in performance. Especially the parts skipping asserts, that shouldn't be significantly slower than your average ifs. Instance locking shouldn't be a time consuming operation either. Bypassing check routines for parameter namespaces might provide a performance boost as it is called for every single plugin we have (~250). On the other hand, it is only used for positional arguments and most plugins only have 1 or 2 of those.

Personally, I would do some more tests on a single machine, because there's no guarantee, that two VMs with an identical image have the same performance. If it really provides a significant improvement, then it's awesome, because I like the philosophy of this patch. It removes self-checking and instance locking, that is completely useless in a production environment and kind of limiting in non-production. I think there's more places like this in the framework.

Long story short: It's improbable, but not impossible, for the changes introduced by this patch to cause such a big performance improvement. Even if it doesn't, the patch is still good.

Pavel
[Freeipa-devel] [PATCH] Fix password/random logic in host plugin.
Fix #798 Pavel >From a013e19957b33ca84102efdc0be7448eb3a83423 Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Tue, 18 Jan 2011 15:43:07 -0500 Subject: [PATCH 2/2] Fix password/random logic in host plugin. Fix #798 --- ipalib/plugins/host.py | 15 +-- 1 files changed, 9 insertions(+), 6 deletions(-) diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index 0a40705..6947d90 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -319,16 +319,19 @@ class host_add(LDAPCreate): del entry_attrs['locality'] entry_attrs['cn'] = keys[-1] entry_attrs['serverhostname'] = keys[-1].split('.', 1)[0] -if 'userpassword' not in entry_attrs and \ -options.get('random', False) == False: +if 'userpassword' not in entry_attrs and not options.get('random', False): entry_attrs['krbprincipalname'] = 'host/%s@%s' % ( keys[-1], self.api.env.realm ) -if 'krbprincipalaux' not in entry_attrs['objectclass']: -entry_attrs['objectclass'].append('krbprincipalaux') +if 'krbprincipal' not in entry_attrs: entry_attrs['objectclass'].append('krbprincipal') -elif 'krbprincipalaux' in entry_attrs['objectclass']: -entry_attrs['objectclass'].remove('krbprincipalaux') +if 'krbprincipal' not in entry_attrs: +entry_attrs['objectclass'].append('krbprincipalaux') +else: +if 'krbprincipal' in entry_attrs['objectclass']: +entry_attrs['objectclass'].remove('krbprincipal') +if 'krbprincipalaux' in entry_attrs['objectclass']: +entry_attrs['objectclass'].remove('krbprincipalaux') if 'random' in options: if options.get('random'): entry_attrs['userpassword'] = ipa_generate_password() -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
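Review bot: in the host_add hunk the two new guards test `'krbprincipal' not in entry_attrs`, that is, the keys of the entry, while the new `else:` branch and the removed lines test `entry_attrs['objectclass']`. 'krbprincipal' is an objectclass value, so both guards look at the wrong container and the appends can add a value the list already holds; the second guard also checks 'krbprincipal' right before appending 'krbprincipalaux'. Suggest `if 'krbprincipal' not in entry_attrs['objectclass']:` and `if 'krbprincipalaux' not in entry_attrs['objectclass']:`. Because this block decides whether a host entry receives the Kerberos principal object classes, a test for each of the three cases (password given, random requested, neither) belongs with the fix.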
[Freeipa-devel] [PATCH] Fix updating of DNS records by the host plugin.
Fix #799 Pavel >From e97aa6d78e0ec32b160bf17deb894b1ba091541c Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Tue, 18 Jan 2011 15:33:40 -0500 Subject: [PATCH 1/2] Fix updating of DNS records by the host plugin. Fix #799 --- ipalib/plugins/host.py | 10 +- 1 files changed, 5 insertions(+), 5 deletions(-) diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index d09f0eb..0a40705 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -345,9 +345,9 @@ class host_add(LDAPCreate): parts = keys[-1].split('.') domain = unicode('.'.join(parts[1:])) if ':' in options['ip_address']: -addkw = { u'record' : options['ip_address'] } +addkw = { 'record' : options['ip_address'] } else: -addkw = { u'arecord' : options['ip_address'] } +addkw = { 'arecord' : options['ip_address'] } try: api.Command['dnsrecord_add'](domain, parts[0], **addkw) except errors.EmptyModlist: @@ -355,7 +355,7 @@ class host_add(LDAPCreate): pass revzone, revname = get_reverse_zone(options['ip_address']) try: -addkw = { u'ptrrecord' : keys[-1]+'.' } +addkw = { 'ptrrecord' : keys[-1]+'.' } api.Command['dnsrecord_add'](revzone, revname, **addkw) except errors.EmptyModlist: # the entry already exists and matches @@ -443,12 +443,12 @@ class host_del(LDAPDelete): self.debug('deleting ipaddr %s' % ipaddr) revzone, revname = get_reverse_zone(ipaddr) try: -delkw = { u'ptrrecord' : fqdn+'.' } +delkw = { 'ptrrecord' : fqdn+'.' } api.Command['dnsrecord_del'](revzone, revname, **delkw) except errors.NotFound: pass try: -delkw = { u'arecord' : ipaddr } +delkw = { 'arecord' : ipaddr } api.Command['dnsrecord_del'](domain, parts[0], **delkw) except errors.NotFound: pass -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
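Review bot: in the first host_add hunk the branch for addresses containing ':' builds `addkw = { 'record' : options['ip_address'] }`, while every other branch uses a type-specific key ('arecord', 'ptrrecord'); please confirm that dnsrecord_add accepts that key for such addresses. The visible part of the host_del hunk deletes with 'arecord' only, so a record added through the ':' branch has no matching delete here. The commit message should also say why the `u` prefix on the keyword names is dropped, since the diff alone does not show what failed.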
[Freeipa-devel] [PATCH] Fix crash when building DN of host with name ending with period.
Fix #797 Pavel >From 509a77949474b429bb4d4ee6fa871bdade446625 Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Tue, 18 Jan 2011 13:28:37 -0500 Subject: [PATCH 1/2] Fix crash when building DN of host with name ending with period. Fix #797 --- ipalib/plugins/host.py |9 + 1 files changed, 5 insertions(+), 4 deletions(-) diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index 8639ce5..d09f0eb 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -240,15 +240,16 @@ class host(LDAPObject): ) def get_dn(self, *keys, **options): -if keys[-1].endswith('.'): -keys[-1] = keys[-1][:-1] -dn = super(host, self).get_dn(*keys, **options) +hostname = keys[-1] +if hostname.endswith('.'): +hostname = hostname[:-1] +dn = super(host, self).get_dn(hostname, **options) try: self.backend.get_entry(dn, ['']) except errors.NotFound: try: (dn, entry_attrs) = self.backend.find_entry_by_attr( -'serverhostname', keys[-1], self.object_class, [''], +'serverhostname', hostname, self.object_class, [''], self.container_dn ) except errors.NotFound: -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
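Review bot: get_dn now calls `super(host, self).get_dn(hostname, **options)`, which forwards only the last key and silently drops `keys[:-1]`, where the removed line forwarded `*keys`. If host never has parent keys this is harmless, but `*(keys[:-1] + (hostname,))` keeps the old contract. Not assigning into the `keys` tuple is the right fix for the crash; a test with a hostname ending in '.' would pin it down, including the fallback lookup by 'serverhostname'.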
[Freeipa-devel] [PATCH] Remove SOA maximum parameter from DNS zone.
There's no such thing as "maximum" in SOA record RDATA format according to RFC 1035 and there's also no such attribute in the schema. Fix #788 https://bugzilla.redhat.com/show_bug.cgi?id=670343 Pavel >From ee65cb0fc69384f2777537d222a762a4f7be5bfe Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Tue, 18 Jan 2011 13:29:58 -0500 Subject: [PATCH 2/2] Remove SOA maximum parameters from DNS zone. There's no such thing as "maximum" in SOA record RDATA format according to RFC 1035 and there's also no such attribute in the schema. Fix #788 --- ipalib/plugins/dns.py |5 - 1 files changed, 0 insertions(+), 5 deletions(-) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index cf58098..a2d0b8b 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py @@ -198,11 +198,6 @@ class dnszone(LDAPObject): default=3600, autofill=True, ), -Int('idnssoamaximum?', -cli_name='maximum', -label=_('SOA maximum'), -doc=_('SOA record maximum value'), -), Int('dnsttl?', cli_name='ttl', label=_('SOA time to live'), -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
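Review bot: the hunk removes `Int('idnssoamaximum?', cli_name='maximum', ...)` from dnszone and the diffstat touches only ipalib/plugins/dns.py; please grep for remaining references to `idnssoamaximum` or the `maximum` option (tests, other plugins, the webUI) so that nothing still passes it. The subject in the mail says "parameter" and the commit subject says "parameters"; pick one.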
Re: [Freeipa-devel] [PATCH] Fix import API_VERSION import error.
On 01/18/2011 01:40 PM, Pavel Zuna wrote:
Fixes import errors in the framework caused by recent API version changes. Fix #796 Pavel

self-NACK. Ignore this patch, didn't realize the API_VERSION constant is auto-generated.
Pavel
[Freeipa-devel] [PATCH] Fix import API_VERSION import error.
Fixes import errors in the framework cause by recent API version changes. Fix #796 Pavel >From 3532c0f551edc79e63843ee112dee097dfb6aadf Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Tue, 18 Jan 2011 12:35:59 -0500 Subject: [PATCH] Fix import API_VERSION import error. Fix #796 --- ipalib/cli.py |2 +- ipalib/frontend.py |2 +- ipalib/plugins/batch.py |2 +- ipalib/plugins/ping.py |2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/ipalib/cli.py b/ipalib/cli.py index c634d49..54ab1c4 100644 --- a/ipalib/cli.py +++ b/ipalib/cli.py @@ -49,7 +49,7 @@ from errors import PublicError, CommandError, HelpError, InternalError, NoSuchNa from constants import CLI_TAB from parameters import Password, Bytes, File from text import _ -from ipapython.version import API_VERSION +from ipapython.version import VERSION as API_VERSION def to_cli(name): diff --git a/ipalib/frontend.py b/ipalib/frontend.py index eeed398..e514932 100644 --- a/ipalib/frontend.py +++ b/ipalib/frontend.py @@ -33,7 +33,7 @@ from text import _, ngettext from errors import ZeroArgumentError, MaxArgumentError, OverlapError, RequiresRoot, VersionError, RequirementError from errors import InvocationError from constants import TYPE_ERROR -from ipapython.version import API_VERSION +from ipapython.version import VERSION as API_VERSION from distutils import version diff --git a/ipalib/plugins/batch.py b/ipalib/plugins/batch.py index f6f662f..deaee5b 100644 --- a/ipalib/plugins/batch.py +++ b/ipalib/plugins/batch.py @@ -51,7 +51,7 @@ from ipalib import Str, List from ipalib.output import Output from ipalib import output from ipalib.text import _ -from ipapython.version import API_VERSION +from ipapython.version import VERSION as API_VERSION class batch(Command): INTERNAL = True diff --git a/ipalib/plugins/ping.py b/ipalib/plugins/ping.py index c2f9b6b..db021b9 100644 --- a/ipalib/plugins/ping.py +++ b/ipalib/plugins/ping.py 
@@ -23,7 +23,7 @@ Ping the remote IPA server from ipalib import api from ipalib import Command from ipalib import output -from ipapython.version import VERSION, API_VERSION +from ipapython.version import VERSION as API_VERSION class ping(Command): """ -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
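Review bot: in the ping.py hunk `from ipapython.version import VERSION, API_VERSION` becomes `from ipapython.version import VERSION as API_VERSION`, so the name `VERSION` is no longer bound in that module and any remaining use of it in ping.py would raise NameError. All four hunks also alias the product version to `API_VERSION`, so whatever compares against `API_VERSION` would compare against the release version instead of the API version; the import error is better addressed where `API_VERSION` is produced than by aliasing at each import site.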
Re: [Freeipa-devel] [PATCH] Enable custom list of attributes to retrieve effective rights.
On 01/07/2011 08:59 PM, Rob Crittenden wrote: Pavel Zůna wrote: LDAPObject sub-classes can define a custom list of attributes for effective rights retrieval. Fix #677 Pavel Nack. --rights should only return data when --all is also included. Otherwise it looks ok. rob Fixed version attached. Pavel >From abfe7eb176534b1d7cf0deae81f1bd2c2ebb7aef Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Thu, 30 Dec 2010 08:48:12 -0500 Subject: [PATCH] Enable custom list of attributes to retrieve effective rights. Fix #677 --- ipalib/plugins/baseldap.py | 34 ++ ipalib/plugins/config.py |4 2 files changed, 22 insertions(+), 16 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index e7ccb77..27d5950 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -166,20 +166,6 @@ def get_attributes(attrs): return attrlist -def get_effective_rights(ldap, dn, attrs=None): -if attrs is None: -attrs = ['*', 'nsaccountlock', 'cospriority'] -rights = ldap.get_effective_rights(dn, attrs) -rdict = {} -if 'attributelevelrights' in rights[1]: -rights = rights[1]['attributelevelrights'] -rights = rights[0].split(', ') -for r in rights: -(k,v) = r.split(':') -rdict[k.strip().lower()] = v - -return rdict - def wait_for_memberof(keys, entry_start, completed, show_command, adding=True): """ When adding or removing reverse members we are faking an update to @@ -244,6 +230,7 @@ class LDAPObject(Object): search_attributes_config = None default_attributes = [] hidden_attributes = ['objectclass', 'aci'] +rights_attributes = ['*', 'nsaccountlock', 'cospriority'] # set rdn_attribute only if RDN attribute differs from primary key! rdn_attribute = '' uuid_attribute = '' 
@@ -301,6 +288,19 @@ class LDAPObject(Object): pass return dn[len(self.primary_key.name) + 1:dn.find(',')] +def get_effective_rights(self, dn, attrs=None): +rdict = {} +if attrs is None: +attrs = self.rights_attributes +rights = self.backend.get_effective_rights(dn, attrs) +if 'attributelevelrights' in rights[1]: +rights = rights[1]['attributelevelrights'] +rights = rights[0].split(', ') +for r in rights: +(k, v) = r.split(':') +rdict[k.strip().lower()] = v +return rdict + def get_ancestor_primary_keys(self): if self.parent_object: parent_obj = self.api.Object[self.parent_object] @@ -688,7 +688,8 @@ class LDAPRetrieve(LDAPQuery): self.obj.handle_not_found(*keys) if options.get('rights', False) and options.get('all', False): -entry_attrs['attributelevelrights'] = get_effective_rights(ldap, dn) +rights = self.obj.get_effective_rights(dn) +entry_attrs['attributelevelrights'] = rights for callback in self.POST_CALLBACKS: if hasattr(callback, 'im_self'): @@ -844,7 +845,8 @@ class LDAPUpdate(LDAPQuery, crud.Update): ) if options.get('rights', False) and options.get('all', False): -entry_attrs['attributelevelrights'] = get_effective_rights(ldap, dn) +rights = self.obj.get_effective_rights(dn) +entry_attrs['attributelevelrights'] = rights for callback in self.POST_CALLBACKS: if hasattr(callback, 'im_self'): diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py index 438f663..ccd06ca 100644 --- a/ipalib/plugins/config.py +++ b/ipalib/plugins/config.py @@ -87,6 +87,9 @@ class config(LDAPObject): 'ipasearchrecordslimit', 'ipausersearchfields', 'ipagroupsearchfields', 'ipamigrationenabled', 'ipacertificatesubjectbase', ] +rights_attributes = LDAPObject.rights_attributes + [ +'ipahomesrootdir', 'ipagroupsearchfields', +] label = _('Configuration') @@ -206,3 +209,4 @@ class config_show(LDAPRetrieve): """ api.register(config_show) + -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
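Review bot: the new LDAPObject.get_effective_rights keeps `(k, v) = r.split(':')` from the removed function, which raises ValueError if a rights entry ever contains a second ':'; `r.split(':', 1)` is safer. `rights_attributes` is a class-level list; config extends it by building a new list with `+`, which is correct, and a one-line comment on the attribute saying subclasses must not append in place would prevent shared-state surprises. The last hunk in config.py only adds a blank line at the end of the file and can be dropped.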
[Freeipa-devel] [PATCH] Retype (when cloning) Flag parameters to Bool for search commands.
Flag parameters are always autofill by definition, causing unexpected search results. This patch retypes them to Bool for search commands, so that users have to/can enter the desired value manually. A good example of the Flag parameters causing problems in search commands is `dnszone-find` (ticket #689). Ticket #689 Ticket #701 Pavel >From 2206dd739dabf3e08555126b545a6cc62d6cd93c Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Wed, 5 Jan 2011 10:07:23 -0500 Subject: [PATCH] Retype (when cloning) Flag parameters to Bool for search commands. Flag parameters are always autofill by definition, causing unexpected search results. This patch retypes them to Bool for search commands, so that users have to/can enter the desired value manually. Ticket #689 Ticket #701 --- ipalib/crud.py | 12 +--- ipalib/parameters.py |8 +++- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/ipalib/crud.py b/ipalib/crud.py index 86e1756..6df3c73 100644 --- a/ipalib/crud.py +++ b/ipalib/crud.py @@ -210,9 +210,15 @@ class Search(Method): for option in self.obj.params_minus(self.args): if 'no_search' in option.flags: continue -yield option.clone( -attribute=True, query=True, required=False, autofill=False -) +if isinstance(option, parameters.Flag): +yield option.clone_retype( +option.name, parameters.Bool, +attribute=True, query=True, required=False, autofill=False +) +else: +yield option.clone( +attribute=True, query=True, required=False, autofill=False +) if not self.extra_options_first: for option in super(Search, self).get_options(): yield option diff --git a/ipalib/parameters.py b/ipalib/parameters.py index 5c386c3..128c8a4 100644 --- a/ipalib/parameters.py +++ b/ipalib/parameters.py 
@@ -585,9 +585,15 @@ class Param(ReadOnly): """ Return a new `Param` instance similar to this one, but named differently """ +return self.clone_retype(name, self.__class__, **overrides) + +def clone_retype(self, name, klass, **overrides): +""" +Return a new `Param` instance similar to this one, but of a different type +""" kw = dict(self.__clonekw) kw.update(overrides) -return self.__class__(name, *self.rules, **kw) +return klass(name, *self.rules, **kw) def normalize(self, value): """ -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
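Review bot: clone_retype passes every keyword the source parameter was created with (`dict(self.__clonekw)`) to `klass`, so it only works when the target class accepts the same keywords; the docstring should say so, and for the Flag to Bool case in crud.py it is worth checking that nothing carried over from the Flag still influences the search option beyond the explicit `autofill=False`. In the crud.py hunk both branches repeat the same four keyword arguments; building them once and then choosing between `clone` and `clone_retype` would be shorter. A test showing that a search command no longer filters on a Flag by default would cover the regression described in ticket #689.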
[Freeipa-devel] [PATCH] Make it impossible to add an object as a member of itself in webUI.
Ticket #700 Pavel >From 793314369f6587fa1819a17bb0b196e09939c3f3 Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Wed, 5 Jan 2011 09:31:02 -0500 Subject: [PATCH] Make it impossible to add an object as a member of itself in webUI. Ticket #700 --- install/static/associate.js |5 - 1 files changed, 4 insertions(+), 1 deletions(-) diff --git a/install/static/associate.js b/install/static/associate.js index 6517cca..60e7c09 100644 --- a/install/static/associate.js +++ b/install/static/associate.js @@ -164,9 +164,12 @@ function ipa_association_adder_dialog(spec) { var results = data.result; that.clear_available_values(); +var pkey_attr = IPA.metadata[that.entity_name].primary_key; + for (var i=0; i___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
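Review bot: the diffstat touches only install/static/associate.js, so the rule that an object cannot be added as a member of itself is enforced in the adder dialog only; the same association made through the CLI or directly against the server is not covered by this patch. If self-membership is invalid, the server-side command should reject it as well, with the dialog filter kept as a convenience. The added lookup `IPA.metadata[that.entity_name].primary_key` also assumes metadata for `that.entity_name` is always loaded at this point.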
[Freeipa-devel] [PATCH] Improvements to enrollments in the webUI.
The patch is a bit bigger and more complex, so I expect this to be the first shot at it. There are some places where we need to handle localization better and be more generic when it comes to non-standard relationships like 'enrolledby' etc., but that can be done later. (I put a few TODOs in the code.) Anyway, here's the changelog for this patch: - Enrollement links in the action panel are now sorted by relationships. - You can only enroll members. (The webUI made the impression you can enroll parents as well, but it was broken.) - When enrolling new members, you can choose not to display already enrolled ones. (On by default.) - Couple cosmetic changes. IT DEPENDS ON MY PATCH NUMBER 54 (Improve filtering of enrollments search results.) Pavel >From 830c2c5f2780b461f62509ae044c82da76607dc3 Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Tue, 4 Jan 2011 15:21:18 -0500 Subject: [PATCH 2/2] Improvements to enrollments in the webUI. TAKE 1 - Enrollement links in the action panel are now sorted by relationships. - You can only enroll members. (The webUI made the impression you can enroll parents as well, but it was broken.) - When enrolling new members, you can choose not to display already enrolled ones. (On by default.) - Couple cosmetic changes. --- install/static/associate.js | 72 +++ install/static/entity.js| 45 -- install/static/group.js |9 +- install/static/ipa.css | 10 +- install/static/widget.js| 21 5 files changed, 124 insertions(+), 33 deletions(-) diff --git a/install/static/associate.js b/install/static/associate.js index 66db171..6517cca 100644 --- a/install/static/associate.js +++ b/install/static/associate.js @@ -140,6 +140,7 @@ function ipa_association_adder_dialog(spec) { that.entity_name = spec.entity_name; that.pkey = spec.pkey; that.other_entity = spec.other_entity; +that.attribute_member = spec.attribute_member; that.init = function() { if (!that.columns.length) { 
@@ -152,6 +153,9 @@ function ipa_association_adder_dialog(spec) { }); } +/* FIXME: event not firing? */ +$('input[name=hidememb]', that.container).click(that.search); + that.adder_dialog_init(); }; @@ -166,7 +170,31 @@ function ipa_association_adder_dialog(spec) { } } -ipa_cmd('find', [that.get_filter()], {'all': true}, on_success, null, that.other_entity); +var hide_checkbox = $('input[name=hidememb]', that.container); + +var options = {'all': true}; +if (hide_checkbox.attr('checked')) { +var relationships = IPA.metadata[that.other_entity].relationships; + +/* TODO: better generic handling of different relationships! */ +var other_attribute_member = ''; +if (that.attribute_member == 'member') +other_attribute_member = 'memberof'; +else if (that.attribute_member == 'memberuser') +other_attribute_member = 'memberof'; +else if (that.attribute_member == 'memberhost') +other_attribute_member = 'memberof'; +else if (that.attribute_member == 'memberof') +other_attribute_member = 'member'; + +var relationship = relationships[other_attribute_member]; +if (relationship) { +var param_name = relationship[2] + that.entity_name; +options[param_name] = that.pkey; +} +} + +ipa_cmd('find', [that.get_filter()], options, on_success, null, that.other_entity); }; that.association_adder_dialog_init = that.init; @@ -234,6 +262,7 @@ function ipa_association_table_widget(spec) { var that = ipa_table_widget(spec); that.other_entity = spec.other_entity; +that.attribute_member = spec.attribute_member; that.associator = spec.associator || bulk_associator; that.add_method = spec.add_method || 'add_member'; @@ -398,7 +427,8 @@ function ipa_association_table_widget(spec) { 'title': title, 'entity_name': that.entity_name, 'pkey': pkey, -'other_entity': that.other_entity +'other_entity': that.other_entity, +'attribute_member': that.attribute_member, }); }; 
@@ -513,6 +543,8 @@ function ipa_association_facet(spec) { var that = ipa_facet(spec); that.other_entity = spec.other_entity; +that.facet_group = spec.facet_group; +that.attribute_member = spec.attribute_member; that.associator = spec.associator || bulk_associator; that.add_method =
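Review bot: in the `@@ -398,7 +427,8 @@` hunk the added line `'attribute_member': that.attribute_member,` leaves a trailing comma before the closing `}` of the object literal, which older Internet Explorer versions reject; drop the comma. The init hunk commits a click handler under `/* FIXME: event not firing? */`, so the checkbox may not re-run the search; that should be resolved before merging or the checkbox left out of this take. The if/else chain that maps `attribute_member` to `other_attribute_member` would read better as a lookup object, and it leaves `other_attribute_member` empty for any attribute not listed, which the `if (relationship)` guard then ignores without any indication.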
[Freeipa-devel] [PATCH] Improve filtering of enrollments search results.
This is required for effective filtering of enrollments search results in the webUI and also gives an edge to the CLI. After this patch, each LDAPObject can define its relationships to other LDAPObjects. For now, this is used only for filtering search results by enrollments, but there are probably more benefits to come. You can do this for example: # search for all users not enrolled in group admins ipa user-find --not-in-groups=admins # search for all groups not enrolled in group global with user Pavel ipa group-find --users=Pavel --not-in-groups=global # more examples: ipa group-find --users=Pavel,Jakub --no-users=Honza ipa hostgroup-find --hosts=webui.pzuna Pavel >From 19975e5e2ceb3a3f9fd18be0f3fafe8f42aa626c Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Tue, 4 Jan 2011 15:15:54 -0500 Subject: [PATCH 1/2] Improve filtering of enrollments search results. This is required for effective filtering of enrollments search results in the webUI and also gives an edge to the CLI. After this patch, each LDAPObject can define its relationships to other LDAPObjects. For now, this is used only for filtering search results by enrollments, but there are probably more benefits to come. You can do this for example: # search for all users not enrolled in group admins ipa user-find --not-in-groups=admins # search for all groups not enrolled in group global with user Pavel ipa group-find --users=Pavel --not-in-groups=global # more examples: ipa group-find --users=Pavel,Jakub --no-users=Honza ipa hostgroup-find --hosts=webui.pzuna --- ipalib/plugins/baseldap.py | 57 --- ipalib/plugins/group.py |2 +- ipalib/plugins/host.py |7 - ipalib/plugins/hostgroup.py |2 +- ipalib/plugins/netgroup.py | 11 +++- ipalib/plugins/user.py |2 + 6 files changed, 68 insertions(+), 13 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 1cd181c..d38da89 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py 
@@ -234,6 +234,15 @@ class LDAPObject(Object): rdnattr = None # Can bind as this entry (has userPassword or krbPrincipalKey) bindable = False +relationships = { +# attribute: (label, inclusive param prefix, exclusive param prefix) +'member': ('Member', '', 'no_'), +'memberof': ('Parent', 'in_', 'not_in_'), +'memberindirect': ( +'Indirect Member', None, 'no_indirect_' +), +} +label = _('Entry') container_not_found_msg = _('container entry (%(container)s) not found') parent_not_found_msg = _('%(parent)s: %(oname)s not found') @@ -343,7 +352,7 @@ class LDAPObject(Object): 'parent_object', 'container_dn', 'object_name', 'object_name_plural', 'object_class', 'object_class_config', 'default_attributes', 'label', 'hidden_attributes', 'uuid_attribute', 'attribute_members', 'name', -'takes_params', 'rdn_attribute', 'bindable', +'takes_params', 'rdn_attribute', 'bindable', 'relationships', ) def __json__(self): @@ -1195,7 +1204,8 @@ class LDAPSearch(CallbackInterface, crud.Search): Retrieve all LDAP entries matching the given criteria. """ member_attributes = [] -member_param_doc = 'exclude %s with member %s (comma-separated list)' +member_param_incl_doc = 'only %s with %s %s' +member_param_excl_doc = 'only %s with no %s %s' takes_options = ( Int('timelimit?', @@ -1227,21 +1237,50 @@ class LDAPSearch(CallbackInterface, crud.Search): for attr in self.member_attributes: for ldap_obj_name in self.obj.attribute_members[attr]: ldap_obj = self.api.Object[ldap_obj_name] -name = to_cli(ldap_obj_name) -doc = self.member_param_doc % ( -self.obj.object_name_plural, ldap_obj.object_name_plural +relationship = self.obj.relationships.get( +attr, ['member', '', 'no_'] +) +doc = self.member_param_incl_doc % ( +self.obj.object_name_plural, relationship[0].lower(), +ldap_obj.object_name_plural +) +name = '%s%s' % (relationship[1], to_cli(ldap_obj_name)) +yield List( +'%s?' % name, cli_name='%ss' % name, doc=doc, +label=ldap_obj.object_name +) +doc = self.member_param_excl_d
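Review bot: `'memberindirect': ('Indirect Member', None, 'no_indirect_')` has None as its inclusive prefix, but get_options builds the inclusive name with `'%s%s' % (relationship[1], to_cli(ldap_obj_name))`, which would produce an option whose name starts with 'None' if 'memberindirect' is ever listed in `member_attributes`; skip the inclusive option when the prefix is None. The fallback `['member', '', 'no_']` is a list with a lower-case label where the table uses tuples and 'Member'; reusing `LDAPObject.relationships['member']` avoids the drift. The labels in `relationships` are not wrapped in `_()`, unlike `label = _('Entry')` directly below them.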
[Freeipa-devel] [PATCH] Fix webUI command parameters error on Fedora 14.
Fixes the webUI on Fedora 14. Pavel >From 219fda47a0ac0fc2edbd6c62f75ea43927913728 Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Wed, 22 Dec 2010 15:18:33 -0500 Subject: [PATCH] Fix webUI command parameters error on Fedora 14. --- ipalib/parameters.py | 10 +- 1 files changed, 9 insertions(+), 1 deletions(-) diff --git a/ipalib/parameters.py b/ipalib/parameters.py index feccd7e..5c386c3 100644 --- a/ipalib/parameters.py +++ b/ipalib/parameters.py @@ -1014,7 +1014,7 @@ class Int(Number): """ if type(value) in (int, long): return value -if type(value) is unicode: +if type(value) in (str, unicode): # permit floating point strings if value.find(u'.') >= 0: try: @@ -1247,6 +1247,14 @@ class Str(Data): """ if type(value) is self.type: return value +if type(value) is str: +try: +return value.decode('utf-8') +except UnicodeDecodeError: +raise ConversionError( +name=self.name, index=index, +error=ugettext(self.scalar_error) +) if type(value) in (int, float): return self.type(value) if type(value) in (tuple, list): -- 1.7.3.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
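Review bot: the commit message only says the webUI is fixed on Fedora 14 and does not describe the failure or why `str` values now reach the Int and Str conversion; please record the root cause, because both hunks relax the accepted input type for every caller, not only for the webUI path. In the Str hunk a byte string that is not valid UTF-8 is reported with `self.scalar_error`, the same message the following `(tuple, list)` check belongs to; confirm that is the intended message for a decoding failure.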
[Freeipa-devel] [PATCH] Update built-in help for user (ipa help user) with info about username format.
General talk about username format including username length and how to change it in ipa config. Ticket #436 Pavel >From 6874f8d1ecc340832961b28b84b5140c65f6ca2b Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Tue, 21 Dec 2010 12:23:40 -0500 Subject: [PATCH 2/2] Update built-in help for user (ipa help user) with info about username format. Ticket #436 --- ipalib/plugins/user.py |6 ++ 1 files changed, 6 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 6209754..e3228a1 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -22,6 +22,12 @@ Users Manage user entries. All users are POSIX users. +IPA supports a wide range of username formats, but you need to be aware of any +restrictions that may apply to your particular environment. For example, +usernames that starts with a digit or usernames that exceed a certain length +may cause problems for some UNIX systems. +Use 'ipa config-mod' to change the username format allowed by IPA tools. + Disabling a user account prevents that user from obtaining new Kerberos credentials. It does not invalidate any credentials that have already been issued. -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
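Review bot: grammar in the added help text, `usernames that starts with a digit` should read `usernames that start with a digit`. The paragraph says 'ipa config-mod' changes the allowed username format but does not say which setting to change; naming it, or pointing at the config help topic, would make the hint actionable.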
[Freeipa-devel] [PATCH] Fix reporting of errors when validating parameters.
Print the attribute CLI name instead of its 'real' name. The real name is usually the name of the corresponding LDAP attribute, which is confusing to the user. This way we get: Invalid 'login': blablabla instead of: Invalid 'uid': blablabla Another example: Invalid 'hostname': blablabla instead of: Invalid 'fqdn': blablabla Ticket #435 Pavel >From 8c6ef40f575399f3190ef077b26fd38ecb3a1c0e Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Tue, 21 Dec 2010 12:14:38 -0500 Subject: [PATCH 1/2] Fix reporting of errors when validating parameters. Print the attribute CLI name instead of its 'real' name. The real name is usually the name of the corresponding LDAP attribute, which is confusing to the user. This way we get: Invalid 'login': blablabla instead of: Invalid 'uid': blablabla Another example: Invalid 'hostname': blablabla instead of: Invalid 'fqdn': blablabla Ticket #435 --- ipalib/parameters.py |5 - ipalib/plugins/user.py |8 +++- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/ipalib/parameters.py b/ipalib/parameters.py index 955b979..feccd7e 100644 --- a/ipalib/parameters.py +++ b/ipalib/parameters.py @@ -748,8 +748,11 @@ class Param(ReadOnly): for rule in self.all_rules: error = rule(ugettext, value) if error is not None: +name = self.cli_name +if not name: +name = self.name raise ValidationError( -name=self.name, +name=name, value=value, index=index, error=error, diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index f76fbd6..6209754 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py 
@@ -227,7 +227,13 @@ class user_add(LDAPCreate): config = ldap.get_ipa_config()[1] if 'ipamaxusernamelength' in config: if len(keys[-1]) > int(config.get('ipamaxusernamelength')[0]): -raise errors.ValidationError(name='uid', error=_('can be at most %(len)d characters' % dict(len = int(config.get('ipamaxusernamelength')[0] +raise errors.ValidationError( +name=self.obj.primary_key.cli_name, error=_( +'can be at most %(len)d characters' % dict( +len = int(config.get('ipamaxusernamelength')[0]) +) +) +) entry_attrs.setdefault('loginshell', config.get('ipadefaultloginshell')) # hack so we can request separate first and last name in CLI full_name = '%s %s' % (entry_attrs['givenname'], entry_attrs['sn']) -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
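Review bot: in the user.py hunk the message is formatted inside the translation call, `_('can be at most %(len)d characters' % dict(...))`, so the lookup runs on the already formatted text and will not match a catalog entry; apply the `%` to the value `_()` returns. `int(config.get('ipamaxusernamelength')[0])` is evaluated twice and could be held in a local. In parameters.py the three added lines can be written as `name = self.cli_name or self.name`.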
[Freeipa-devel] [PATCH] Fix the mod operations.
*-mod operations were not functioning properly after the recent 'rename' patch. Pavel >From 4f59a29a7f16a4dbdb8a39766968102a21fae1ed Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Tue, 21 Dec 2010 16:17:28 +0100 Subject: [PATCH] Fix the mod operations. --- ipalib/plugins/baseldap.py |1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index f8e5445..d91fd93 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -711,6 +711,7 @@ class LDAPUpdate(LDAPQuery, crud.Update): def _get_rename_option(self): rdnparam = getattr(self.obj.params, self.obj.rdnattr) return rdnparam.clone_rename('rename', cli_name='rename', +required=False, label=_('Rename'), doc=_('Rename the %s object' % self.obj.object_name)) def get_options(self): -- 1.7.3.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
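Review bot: the commit message "Fix the mod operations." does not say what was broken or why `required=False` fixes it; the hunk shows the 'rename' option being cloned from the RDN parameter with clone_rename, so if the option was inheriting `required` from that parameter, say so in the message. The context line `doc=_('Rename the %s object' % self.obj.object_name)` formats inside `_()`, which defeats the translation lookup and could be corrected in the same change.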
[Freeipa-devel] [PATCH] Introduce new env variable, enable_dns=True, if IPA is managing DNS.
if api.env.enable_dns: print "DNS is managed by IPA"
ipa env | grep "enable_dns: True" > /dev/null && echo "DNS is managed by IPA"
Ticket #600
Pavel
>From d6031a2bbb1bb5d4b0520d6d56fc4716c3ef2242 Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Thu, 9 Dec 2010 13:10:36 -0500 Subject: [PATCH] Introduce new env variable. enable_dns=True, if IPA is managing DNS. Ticket #600 --- install/tools/ipa-server-install |5 - ipalib/constants.py |1 + 2 files changed, 5 insertions(+), 1 deletions(-) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index bed9add..6785acd 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -488,7 +488,8 @@ def main(): cfg = dict( context='installer', in_server=True, -debug=options.debug +debug=options.debug, +enable_dns=options.setup_dns, ) if options.uninstall: @@ -677,6 +678,8 @@ def main(): fd.write("enable_ra=True\n") if not options.selfsign: fd.write("ra_plugin=dogtag\n") +if options.setup_dns: +fd.write("enable_dns=True\n") fd.close() api.bootstrap(**cfg) diff --git a/ipalib/constants.py b/ipalib/constants.py index 32c6450..d0ab9fb 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -139,6 +139,7 @@ DEFAULT_CONFIG = ( # Enable certain optional plugins: ('enable_ra', False), ('ra_plugin', 'selfsign'), +('enable_dns', False), # # The remaining keys are never set from the values here! -- 1.7.1.1
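Review bot: `enable_dns=True` is written to the config file only inside ipa-server-install's main(), under `if options.setup_dns:`, so the value reflects the choice made at install time; anything that sets up or removes DNS afterwards would leave it stale. Please document next to `('enable_dns', False)` in constants.py where the value is authoritative and who is expected to update it. The `cfg` dict also receives `enable_dns=options.setup_dns` before the `if options.uninstall:` branch, so the uninstall path bootstraps with whatever `--setup-dns` was passed; confirm that is intended.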
Re: [Freeipa-devel] [PATCH] Enable filtering search results by member attributes.
On 12/08/2010 08:30 PM, Rob Crittenden wrote:
Pavel Zůna wrote:
On 2010-11-30 04:06, Rob Crittenden wrote:
Pavel Zůna wrote:
LDAPSearch base class has now the ability to generate additional options for objects with member attributes. These options are used to filter search results - search only for objects without the specified members. Any class that extends LDAPSearch can benefit from this functionality. This patch enables it for the following objects: group, netgroup, rolegroup, hostgroup, taskgroup

Example: ipa group-find --no-users=admin

Only direct members are taken into account, but if we need indirect members as well - it's not a problem. Ticket #288
Pavel

This works as advertised but I wonder what would happen if a huge list of members was passed in to ignore. Is there a limit on the search filter size (remember that the member will be translated into a full dn so will quickly grow in size). Should we impose a configurable limit on the # of members to be excluded? Is there a max search filter size and should we check that we haven't exceeded that before doing a search?
rob

I tried it out with more than a 1000 users and was getting an unwilling to perform error (search filter nested too deep). After a little bit of investigation, I figured the filter was being generated like this: (&(&(!(a=v))(!(a2=v2 We were going deeper with each additional DN! I updated the patch to generate the filter like this instead: (!(|(a=v)(a2=v2))) Tried it again with more than 1000 users (~55Kb) - it worked and wasn't even slow. Updated patch attached. I also had to fix a bug in ldap2 filter generator, as a result this patch depends on my patch number 43.
Pavel

You'll need to rebase this against master but otherwise ACK. It might be a small optimization to de-dupe the no-users list but it isn't a priority.
rob

Re-based patch attached.
Pavel
>From 871b9d2b52175a4209ba2d8bdb12fcc019d871e9 Mon Sep 17 00:00:00 2001
From: Pavel Zuna Date: Thu, 2 Dec 2010 19:24:11 -0500 Subject: [PATCH] Enable filtering search results by member attributes. LDAPSearch base class has now the ability to generate additional options for objects with member attributes. These options are used to filter search results - search only for objects without the specified members. Example: ipa group-find --no-users=admin Only direct members are taken into account. Ticket #288 --- ipalib/plugins/baseldap.py | 34 +- ipalib/plugins/group.py |2 ++ ipalib/plugins/hostgroup.py |2 +- ipalib/plugins/netgroup.py |1 + 4 files changed, 37 insertions(+), 2 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 6b7153b..9635f41 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -1124,6 +1124,9 @@ class LDAPSearch(CallbackInterface, crud.Search): """ Retrieve all LDAP entries matching the given criteria. """ +member_attributes = [] +member_param_doc = 'exclude %s with member %s (comma-separated list)' + takes_options = ( Int('timelimit?', label=_('Time Limit'), 
@@ -1151,6 +1154,33 @@ class LDAPSearch(CallbackInterface, crud.Search): def get_options(self): for option in super(LDAPSearch, self).get_options(): yield option +for attr in self.member_attributes: +for ldap_obj_name in self.obj.attribute_members[attr]: +ldap_obj = self.api.Object[ldap_obj_name] +name = to_cli(ldap_obj_name) +doc = self.member_param_doc % ( +self.obj.object_name_plural, ldap_obj.object_name_plural +) +yield List('no_%s?' % name, cli_name='no_%ss' % name, doc=doc, + label=ldap_obj.object_name) + +def get_member_filter(self, ldap, **options): +filter = '' +for attr in self.member_attributes: +for ldap_obj_name in self.obj.attribute_members[attr]: +param_name = 'no_%s' % to_cli(ldap_obj_name) +if param_name in options: +dns = [] +ldap_obj = self.api.Object[ldap_obj_name] +for pkey in options[param_name]: +dns.append(ldap_obj.get_dn(pkey)) +flt = ldap.make_filter_from_attr( +attr, dns, ldap.MATCH_NONE +) +filter = ldap.combine_filters( +(filter, flt), ldap.MATCH_ALL +) +return filter has_output_params = global_output_params @@ -1192,8 +1222,10 @@ class LDAPSearch(CallbackInterface, crud.Search): search_kw[a] = term term_filter = ldap.make_filter(search_kw, exact=False) +
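Review bot: In get_member_filter, the loop `for pkey in options[param_name]` turns every caller-supplied value into a full DN with no upper bound and no de-duplication, so the caller alone decides how large the search filter sent to the directory server gets. Collapse repeated values and reject the request above a configured maximum before get_dn() is called. The guard `if param_name in options` also lets an option that is present but set to None reach the loop; test `options.get(param_name)` instead. The local name `filter` shadows the builtin; `member_filter` would read better.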
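The two filter shapes described in Pavel's reply earlier in this thread, as an added example that is not part of the thread or of FreeIPA's code: it builds both forms for a constructed list of member DNs, measures how deep each one nests, and applies a cap of the kind Rob asks about. The function names, the sample DNs and both limit values are assumptions.

```python
# Added illustration (not FreeIPA code). Function names, sample DNs and the
# two limits are assumptions made for this example.


class FilterTooLarge(ValueError):
    """Raised when an exclusion list would produce an oversized filter."""


MAX_EXCLUDED = 2000              # assumed cap on distinct excluded members
MAX_FILTER_BYTES = 128 * 1024    # assumed cap on the encoded filter size


def escape_filter_value(value):
    """Hex-escape the characters RFC 4515 reserves in an assertion value."""
    return ''.join(
        '\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value
    )


def dedupe(values):
    """Drop repeated values, keeping first-seen order.

    Comparing lower-cased strings is a simplification of DN matching rules.
    """
    seen, unique = set(), []
    for value in values:
        key = value.strip().lower()
        if key not in seen:
            seen.add(key)
            unique.append(value)
    return unique


def nested_exclusion(attr, values):
    """Pairwise AND of negations: one more nesting level per value."""
    flt = ''
    for value in values:
        term = '(!(%s=%s))' % (attr, escape_filter_value(value))
        flt = term if not flt else '(&%s%s)' % (flt, term)
    return flt


def flat_exclusion(attr, values):
    """One negated OR over all values: nesting depth stays constant."""
    if not values:
        return ''
    terms = ''.join(
        '(%s=%s)' % (attr, escape_filter_value(v)) for v in values
    )
    return '(!(|%s))' % terms


def filter_depth(flt):
    """Deepest parenthesis nesting of a filter built by the functions above.

    Counting raw parentheses is safe here because values are hex-escaped.
    """
    depth = deepest = 0
    for ch in flt:
        if ch == '(':
            depth += 1
            deepest = max(deepest, depth)
        elif ch == ')':
            depth -= 1
    return deepest


def build_member_exclusion(attr, dns, max_values=MAX_EXCLUDED,
                           max_bytes=MAX_FILTER_BYTES):
    """De-duplicate, enforce both caps, then return the flat filter."""
    unique = dedupe(dns)
    if len(unique) > max_values:
        raise FilterTooLarge(
            '%d excluded members, limit is %d' % (len(unique), max_values)
        )
    flt = flat_exclusion(attr, unique)
    size = len(flt.encode('utf-8'))
    if size > max_bytes:
        raise FilterTooLarge(
            'filter is %d bytes, limit is %d' % (size, max_bytes)
        )
    return flt


def sample_dns(count):
    """Constructed member DNs, not taken from any real directory."""
    template = 'uid=user%04d,cn=users,cn=accounts,dc=example,dc=com'
    return [template % i for i in range(count)]


if __name__ == '__main__':
    dns = sample_dns(1000)
    for n in (1, 3, 1000):
        print('%4d values: nested depth %4d, flat depth %d' % (
            n,
            filter_depth(nested_exclusion('member', dns[:n])),
            filter_depth(flat_exclusion('member', dns[:n])),
        ))
    # Ten repeated DNs are collapsed before the caps are checked.
    print(len(build_member_exclusion('member', dns + dns[:10])), 'bytes')
```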
[Freeipa-devel] [PATCH] Fix default attributes in config plugin (ipadefaultemaildomain).
Fixes an attribute name mismatch in the config plugin. Ticket #573 Pavel >From d98843a980331e9b8173a6eba228fa393b04e350 Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Sun, 5 Dec 2010 03:26:52 -0500 Subject: [PATCH] Fix default attributes in config plugin (ipadefaultemaildomain). Ticket #573 --- ipalib/plugins/config.py |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py index 79db77e..a56b667 100644 --- a/ipalib/plugins/config.py +++ b/ipalib/plugins/config.py @@ -66,7 +66,7 @@ class config(LDAPObject): object_name = 'configuration options' default_attributes = [ 'ipamaxusernamelength', 'ipahomesrootdir', 'ipadefaultloginshell', -'ipadefaultprimarygroup', 'ipadefaultdomain', 'ipasearchtimelimit', +'ipadefaultprimarygroup', 'ipadefaultemaildomain', 'ipasearchtimelimit', 'ipasearchrecordslimit', 'ipausersearchfields', 'ipagroupsearchfields', 'ipamigrationenabled', 'ipacertificatesubjectbase', ] -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Error message handling in HBAC module
On 11/29/2010 11:20 AM, Jan Zelený wrote:

This patch contains a part of my original 0008 patch. The rest of it is solved differently (see my patch 0010).

ACK.

Pavel
[Freeipa-devel] [PATCH] Prompt correctly for required Password params.
Required Password params were prompted for like any other non-Password params, resulting in the password being displayed on the command line and there was no confirmation. Ticket #361 Pavel >From f8451a7b94f226f3e5b4181f464de52e2dfbad2d Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Wed, 24 Nov 2010 08:01:31 -0500 Subject: [PATCH] Prompt correctly for required Password params. Ticket #361 --- ipalib/cli.py | 23 +-- 1 files changed, 13 insertions(+), 10 deletions(-) diff --git a/ipalib/cli.py b/ipalib/cli.py index 41bee7a..3120e01 100644 --- a/ipalib/cli.py +++ b/ipalib/cli.py @@ -515,7 +515,7 @@ class textui(backend.Backend): try: if sys.stdin.isatty(): while True: -pw1 = getpass.getpass('%s: ' % label) +pw1 = getpass.getpass(u'%s: ' % unicode(label)) pw2 = getpass.getpass( unicode(_('Enter %(label)s again to verify: ') % dict(label=label)) ) @@ -887,16 +887,15 @@ class cli(backend.Executioner): ``self.env.prompt_all`` is ``True``, this method will prompt for any params that have a missing values, even if the param is optional. """ -for param in cmd.params(): -if param.password and ( -kw.get(param.name, False) is True or param.name in cmd.args -): -kw[param.name] = \ -self.Backend.textui.prompt_password(param.cli_name) -elif param.name not in kw: -if param.autofill: +for param in cmd.params(): +if (param.required and param.name not in kw) or self.env.prompt_all: +if param.password: +kw[param.name] = self.Backend.textui.prompt_password( +param.label +) +elif param.autofill: kw[param.name] = param.get_default(**kw) -elif param.required or self.env.prompt_all: +else: default = param.get_default(**kw) error = None while True: 
@@ -910,6 +909,10 @@ class cli(backend.Executioner): break except ValidationError, e: error = e.error +elif param.password and kw.get(param.name, False) is True: +kw[param.name] = self.Backend.textui.prompt_password( +param.label +) def load_files(self, cmd, kw): """ -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
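Review bot: In the second hunk of ipalib/cli.py, the condition `(param.required and param.name not in kw) or self.env.prompt_all` drops the `param.name not in kw` test whenever prompt_all is set, so a value already supplied is prompted for again, and for an autofill param it is overwritten by `param.get_default(**kw)`. Suggest `param.name not in kw and (param.required or self.env.prompt_all)`. The same restructuring means an optional autofill param that is missing from kw no longer receives its default unless prompt_all is set, which the removed `elif param.name not in kw:` / `if param.autofill:` path did; if that change is intended, the commit message should say so.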
Re: [Freeipa-devel] [PATCH] Rename parent LDAPObject pkeys in child LDAPObject methods.
On 11/19/2010 04:23 PM, Jakub Hrozek wrote: On Tue, Nov 09, 2010 at 04:55:50AM +0100, Pavel Zůna wrote: If the parent and child entries have the same attribute as primary key (such as in the DNS schema), we need to rename the parent key to prevent a param name conflict. It has no side effects, because the primary key name is always taken from the LDAPObject params, never from the method params. Pavel Would you mind rebasing the patch on top of Rob's 593 which is already acked (not pushed yet as of now). Jakub Rebased patch number 35 attached - required by the new DNS plugin. Pavel >From 6325523e8b01fe64ff24dbc1cd2fcb62038a56e3 Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Mon, 8 Nov 2010 22:36:04 -0500 Subject: [PATCH] Rename parent LDAPObject pkeys in child LDAPObject methods. If the parent and child entries have the same attribute as primary key (such as in the DNS schema), we need to rename the parent key to prevent a param name conflict. It has no side effects, because the primary key name is always taken from the LDAPObject params, never from the method params. --- ipalib/plugins/baseldap.py |6 +- 1 files changed, 5 insertions(+), 1 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 8f723b9..7039f1c 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -232,7 +232,11 @@ class LDAPObject(Object): for key in parent_obj.get_ancestor_primary_keys(): yield key if parent_obj.primary_key: -yield parent_obj.primary_key.clone(query=True) +pkey = parent_obj.primary_key +yield pkey.__class__( +parent_obj.name + pkey.name, required=True, query=True, +cli_name=parent_obj.name, label=pkey.label +) def has_objectclass(self, classes, objectclass): oc = map(lambda x:x.lower(),classes) -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
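Review bot: In the LDAPObject hunk, building the renamed key with `pkey.__class__(...)` instead of `clone()` carries over only required, query, cli_name and label; anything else set on the parent's primary key, such as a normalizer, a doc string or validation rules, is dropped, so the parent key is no longer normalized or validated the same way when it reaches a child method. Copy the remaining keyword arguments across when constructing the renamed param. `parent_obj.name + pkey.name` also joins the two names with no separator; an underscore would keep the generated param name readable and less likely to collide with a real attribute name.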
Re: [Freeipa-devel] [PATCH] Add new version of DNS plugin: complete rework with baseldap + unit tests.
On 11/24/2010 03:26 AM, Adam Young wrote: On 11/23/2010 09:37 AM, Pavel Zuna wrote:

Finally managed to rewrite the DNS plugin again. Sorry, it took so long, we had training in the office and I also had a nasty bug in baseldap.py I couldn't find. Anyway, this version has it all:

- changes we agreed on meeting, the "resource" abstraction is gone and we now only have zones and records = adding new record automatically updates an existing entry or creates it if it wasn't there and deleting the last record deletes the whole entry - all of it transparent to the user
- unit tests
- ipa help documentation

Fixes tickets: #36 #450

I also closed bug #654412.

It has a new patch sequence number, because it depends on another patch with a higher number and didn't want to create forward dependencies.

Depends on my patches number: 35 (will repost if needed) 38 (posted a while ago on freeipa-devel)

Pavel

I keep getting an error when doing simple things like install and ipa help:

[ayo...@ipa freeipa]$ ./ipa help dns2
ipa: ERROR: AttributeError: cannot override NameSpace.idnsname value Str('idnsname', cli_name='name', doc=Gettext('Zone name (FQDN)', domain='ipa', localedir=None), label=Gettext('Zone name', domain='ipa', localedir=None), multivalue=False, normalizer=, primary_key=True, query=True, required=True) with Str('idnsname', attribute=True, cli_name='name', doc=Gettext('Record name', domain='ipa', localedir=None), label=Gettext('Record name', domain='ipa', localedir=None), multivalue=False, primary_key=True, query=True, required=True)
Traceback (most recent call last):
  File "/home/ayoung/devel/freeipa/ipalib/cli.py", line 962, in run
    api.finalize()
  File "/home/ayoung/devel/freeipa/ipalib/plugable.py", line 615, in finalize
    p.instance.finalize()
  File "/home/ayoung/devel/freeipa/ipalib/frontend.py", line 724, in finalize
    self._create_param_namespace('args')
  File "/home/ayoung/devel/freeipa/ipalib/frontend.py", line 350, in _create_param_namespace
    sort=False
  File "/home/ayoung/devel/freeipa/ipalib/base.py", line 407, in __init__
    (self.__class__.__name__, name, self.__map[name], member)
AttributeError: cannot override NameSpace.idnsname value Str('idnsname', cli_name='name', doc=Gettext('Zone name (FQDN)', domain='ipa', localedir=None), label=Gettext('Zone name', domain='ipa', localedir=None), multivalue=False, normalizer=, primary_key=True, query=True, required=True) with Str('idnsname', attribute=True, cli_name='name', doc=Gettext('Record name', domain='ipa', localedir=None), label=Gettext('Record name', domain='ipa', localedir=None), multivalue=False, primary_key=True, query=True, required=True)
ipa: ERROR: an internal error has occurred

That's because you need my patch number 35 for it to work...

Pavel
Re: [Freeipa-devel] [PATCH] Change signature of LDAPSearch.pre_callback.
On 11/23/2010 03:29 PM, Pavel Zuna wrote:

Add the opportunity to change base DN and scope in the callback. This makes the callback a lot more powerful, because it enables the plugin author to broaden or completely change the search location.

Pavel

Just noticed that this patch also fixes the "ipa plugins" command. Meant to be in a separate patch, but it ended up here by accident.

Pavel
[Freeipa-devel] [PATCH] Generate better DuplicateEntry error message in LDAPCreate.
DuplicateEntry error messages generated by LDAPCreate are now detailed like this: ipa: ERROR: user with name "testuser" already exists Solves ticket #530. It works for everything, not just the objects described in this ticket. Pavel >From 26c1ac1a4f05c7fd53e6ec48af42430195491277 Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Tue, 23 Nov 2010 09:14:03 -0500 Subject: [PATCH 3/3] Generate better DuplicateEntry error messages in LDAPCreate. Ticket #530 --- ipalib/plugins/baseldap.py | 19 +-- 1 files changed, 13 insertions(+), 6 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index d38131a..7039f1c 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -266,6 +266,16 @@ class LDAPObject(Object): } ) +def handle_duplicate_entry(self, *keys): +pkey = '' +if self.primary_key: +pkey = keys[-1] +raise errors.DuplicateEntry( +message=self.already_exists_msg % { +'pkey': pkey, 'oname': self.object_name, +} +) + # list of attributes we want exported to JSON json_friendly_attributes = ( 'parent_object', 'container_dn', 'object_name', 'object_name_plural', @@ -412,12 +422,7 @@ class LDAPCreate(CallbackInterface, crud.Create): dn = self.obj.get_dn(*keys, **options) if self.obj.rdn_attribute: if not dn.startswith('%s=' % self.obj.primary_key.name): -raise errors.DuplicateEntry( -message=self.obj.already_exists_msg % { -'oname': self.obj.object_name, -'pkey': keys[-1], -} -) +self.obj.handle_duplicate_entry(*keys) dn = ldap.make_dn( entry_attrs, self.obj.rdn_attribute, self.obj.container_dn ) @@ -463,6 +468,8 @@ class LDAPCreate(CallbackInterface, crud.Create): 'container': self.obj.container_dn, } ) +except errors.DuplicateEntry: +self.obj.handle_duplicate_entry(*keys) try: if self.obj.rdn_attribute: -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
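Review bot: In the new handle_duplicate_entry, `pkey = ''` is used when the object has no primary key, so the user is shown the already-exists message with an empty quoted name; give that case its own message instead of formatting an empty value. In the second LDAPCreate hunk, `except errors.DuplicateEntry:` replaces the original exception without recording it; log it before calling handle_duplicate_entry so the DN that actually collided is not lost. The new method also needs a docstring stating that it always raises.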
[Freeipa-devel] [PATCH] Add new version of DNS plugin: complete rework with baseldap + unit tests.
Finally managed to rewrite the DNS plugin again. Sorry, it took so long, we had training in the office and I also had a nasty bug in baseldap.py I couldn't find. Anyway, this version has it all: - changes we agreed on meeting, the "resource" abstraction is gone and we now only have zones and records = adding new record automatically updates and existing entry or creates it if it wasn't there and deleting the last record deletes the whole entry - all of it transparent to the user - unit tests - ipa help documentation Fixes tickets: #36 #450 I also closed bug #654412. It has a new patch sequence number, because it depends on another patch with a higher number and didn't want to create forward dependencies. Depends on my patches number: 35 (will repost if needed) 38 (posted a while ago on freeipa-devel) Pavel >From 9ff886618623abb7253956dc92e652361fe4076e Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Mon, 8 Nov 2010 22:34:14 -0500 Subject: [PATCH 2/3] Add new version of DNS plugin: complete rework with baseldap + unit tests. Ticket #36 Ticket #450 --- ipa.spec.in |1 + ipalib/plugins/dns2.py | 584 ++ tests/test_xmlrpc/test_dns_plugin.py | 341 3 files changed, 926 insertions(+), 0 deletions(-) create mode 100644 ipalib/plugins/dns2.py create mode 100644 tests/test_xmlrpc/test_dns_plugin.py diff --git a/ipa.spec.in b/ipa.spec.in index 5a3ea2b..1225bb0 100644 --- a/ipa.spec.in +++ b/ipa.spec.in @@ -178,6 +178,7 @@ Requires: gnupg Requires: pyOpenSSL Requires: python-nss >= 0.9-8 Requires: python-lxml +Requires: python-netaddr %description python IPA is an integrated solution to provide centrally managed Identity (machine, diff --git a/ipalib/plugins/dns2.py b/ipalib/plugins/dns2.py new file mode 100644 index 000..2f72fec --- /dev/null +++ b/ipalib/plugins/dns2.py 
@@ -0,0 +1,584 @@ +# Authors: +# Pavel Zuna +# +# Copyright (C) 2010 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +""" +Domain Name System (DNS) + +Manage DNS zone and resource records. + +EXAMPLES: + + Add new zone: + ipa dnszone-add example.com --name_server nameserver.example.com + --admin_email ad...@example.com + + edd second nameserver for example.com: + ipa dnsrecord-add example.com @ --ns-rec nameserver2.example.com + + Delete previously added nameserver from example.com: + ipa dnsrecord-del example.com @ --ns-rec nameserver2.example.com + + Add new A record for www.example.com: (random IP) + ipa dnsrecord-add example.com www --a-rec 80.142.15.2 + + Add new PTR record for www.example.com + ipa dnsrecord 15.142.80.in-addr.arpa 2 --ptr-rec www.example.com. 
+ + Show zone example.com: + ipa dnszone-show example.com + + Find zone with "example" in it's domain name: + ipa dnszone-find example + + Find records for resources with "www" in their name in zone example.com: + ipa dnsrecord-find example.com www + + Find A records with value 10.10.0.1 in zone example.com + ipa dnsrecord-find example.com --a-rec 10.10.0.1 + + Show records for resource www in zone example.com + ipa dnsrecord-show example.com www + + Delete zone example.com with all resource records: + ipa dnszone-del example.com + + Resolve a host name to see if it exists (will add default IPA domain + if one is not included): + ipa dns-resolve www.example.com + ipa dns-resolve www + +""" + +import netaddr +import time + +from ipalib import api, errors, output +from ipalib import Command +from ipalib import Flag, Int, List, Str, StrEnum +from ipalib.plugins.baseldap import * +from ipalib import _, ngettext +from ipapython import dnsclient + +# supported resource record types +_record_types = ( +u'A', u'', u'A6', u'AFSDB', u'APL', u'CERT', u'CNAME', u'DHCID', u'DLV', +u'DNAME', u'DNSKEY', u'DS', u'HINFO', u'HIP', u'IPSECKEY', u'KEY', u'KX', +u'LOC', u'MD', u'MINFO', u'MX', u'NAPTR', u'NS', u'
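Review bot: In the module docstring of dns2.py, the PTR example `ipa dnsrecord 15.142.80.in-addr.arpa 2 --ptr-rec www.example.com.` does not match the dnsrecord-add form used by the other examples and will mislead anyone copying it from `ipa help`; the line "edd second nameserver" should read "Add second nameserver". In `_record_types`, the second entry is an empty string as posted, and an empty record type should not appear in the list of supported types. `from ipalib.plugins.baseldap import *` hides which names the plugin depends on; import them explicitly.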
[Freeipa-devel] [PATCH] Change signature of LDAPSearch.pre_callback.
Add the opportunity to change base DN and scope in the callback. This makes the callback a lot more powerful, because it enables the plugin author to broaden or completely change the search location. Pavel >From 22d9cc1184d410d89e5e51956a65b6fc0c862468 Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Tue, 23 Nov 2010 09:02:54 -0500 Subject: [PATCH 1/3] Change signature of LDAPSearch.pre_callback. Add the opportunity to change base DN and scope in the callback. --- ipalib/plugins/baseldap.py | 19 ++- ipalib/plugins/group.py|4 ++-- ipalib/plugins/host.py |4 ++-- ipalib/plugins/misc.py | 10 ++ ipalib/plugins/service.py |7 --- ipalib/plugins/user.py |4 ++-- 6 files changed, 30 insertions(+), 18 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 5dd8c9b..d38131a 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -1153,19 +1153,20 @@ class LDAPSearch(CallbackInterface, crud.Search): (term_filter, attr_filter), rules=ldap.MATCH_ALL ) +scope = ldap.SCOPE_ONELEVEL for callback in self.PRE_CALLBACKS: if hasattr(callback, 'im_self'): -filter = callback( -ldap, filter, attrs_list, base_dn, *args, **options -) +(filter, base_dn, scope) = callback( +ldap, filter, attrs_list, base_dn, scope, *args, **options +) else: -filter = callback( -self, ldap, filter, attrs_list, base_dn, *args, **options +(filter, base_dn, scope) = callback( +self, ldap, filter, attrs_list, base_dn, scope, *args, **options ) try: (entries, truncated) = ldap.find_entries( -filter, attrs_list, base_dn, scope=ldap.SCOPE_ONELEVEL, +filter, attrs_list, base_dn, scope, time_limit=options.get('timelimit', None), size_limit=options.get('sizelimit', None) ) 
@@ -1173,7 +1174,7 @@ class LDAPSearch(CallbackInterface, crud.Search): try: (entries, truncated) = self._call_exc_callbacks( args, options, e, ldap.find_entries, filter, attrs_list, -base_dn, scoope=ldap.SCOPE_ONELEVEL, +base_dn, scope=ldap.SCOPE_ONELEVEL, normalize=self.obj.normalize_dn ) except errors.NotFound: @@ -1199,8 +1200,8 @@ class LDAPSearch(CallbackInterface, crud.Search): truncated=truncated, ) -def pre_callback(self, ldap, filter, attrs_list, base_dn, *args, **options): -return filter +def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, **options): +return (filter, base_dn, scope) def post_callback(self, ldap, entries, truncated, *args, **options): pass diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py index 5ecc72a..5db3c67 100644 --- a/ipalib/plugins/group.py +++ b/ipalib/plugins/group.py @@ -223,7 +223,7 @@ class group_find(LDAPSearch): ), ) -def pre_callback(self, ldap, filter, attrs_list, base_dn, *args, **options): +def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, **options): # if looking for private groups, we need to create a new search filter, # because private groups have different object classes if options['private']: @@ -243,7 +243,7 @@ class group_find(LDAPSearch): cflt = ldap.make_filter(search_kw, exact=False) filter = ldap.combine_filters((oflt, cflt), rules=ldap.MATCH_ALL) -return filter +return (filter, base_dn, scope) api.register(group_find) diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index 2e77dd5..61ababe 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py 
@@ -437,11 +437,11 @@ class host_find(LDAPSearch): ) member_attributes = ['managedby'] -def pre_callback(self, ldap, filter, attrs_list, base_dn, *args, **options): +def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, **options): if 'locality' in attrs_list: attrs_list.remove('locality') attrs_list.append('l') -return filter.replace('locality', 'l') +return (filter.replace('locality', 'l'), base_dn, scope) def post_callback(self, ldap, entries, truncated, *args, **options): for entry in entries: diff --git a/ipalib/plugins/misc.py b/ipalib/plugins/misc.py index d66e696..d7529ca 100644 --- a/ipalib/plugins/misc.py +++ b/ipalib/plugins/misc.py @@ -109,6 +109,16 @@ class plugins(LocalOrRemote
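Review bot: In the exception path of LDAPSearch (the baseldap.py hunk at -1173), the retry through _call_exc_callbacks still passes `scope=ldap.SCOPE_ONELEVEL`, while the main find_entries call now uses the `scope` returned by the pre-callbacks, so a callback that changed the scope gets a different search on retry. Pass `scope=scope` there so both paths search the same location.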
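Review bot: In the PRE_CALLBACKS loop of LDAPSearch (the baseldap.py hunk at -1153), `(filter, base_dn, scope) = callback(...)` changes the return contract for every existing pre_callback: a plugin that still returns only the filter string fails at unpacking, or unpacks without error if the string happens to be three characters long. Check that the callback returned a three-element tuple and raise a clear error otherwise. Because a callback can now move the search to any base DN and widen the scope, the pre_callback docstring should state that the returned base_dn and scope are used without further checks.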
Re: [Freeipa-devel] [PATCH] Add new version of DNS plugin: complete rework with baseldap + unit tests.
On 11/09/2010 10:31 PM, Adam Young wrote: On 11/08/2010 11:07 PM, Pavel Zůna wrote:

Finally, there it is. :) I redesigned the whole thing to fit the baseldap model. Here's some example on how it's used:

# create zone 'example.com'
# ipa dnszone-add example.com --name=ns.example.com --admin=ad...@example.com

# create a resource in zone 'example.com' named 'machine1'
# (machine1.example.com) with A record 10.10.0.1
# ipa dnsres-add example.com machine1 --a-rec=10.10.0.1

# Add another A record to 'machine1' in 'example.com'
# ipa dnsres-add-record example.com machine1 --a-rec=10.10.0.2

# Remove one of the A records from 'machine1' in 'example.com'
# ipa dnsres-remove-record example.com machine1 --a-rec=10.10.0.1

The plugin is pretty complex and requires my patch number 35 to work. There is a bunch of unit tests, so hopefully it won't be too much pain to review.

You can use both dns and dns2 at the same time. When dns2 is tested enough, it should replace the original dns plugin.

docstring (ipa help dns2) documentation will follow soon in a separate patch.

Pavel

Note that it has the patch format issue where Thunderbird prepends a > keeping git am from applying. Also, patch name is reversed: we had standardized on freeipa_

Sorry about that, I'll make sure to use this convention for my future patches.

The lite server doesn't seem to want to respond to the new commands. ipa help dns2 brings up the right subset of helpstrings, but:

[ayo...@ipa freeipa]$ ./ipa dnszone-find
ipa: ERROR: unknown command u'dnszone_find'
[ayo...@ipa freeipa]$ ./ipa dnsres-find ayoung.boston.devel.redhat.com
ipa: ERROR: unknown command u'dnsres_find'

Just tested it on a clean clone of master and it works. Check your configuration:

./ipa env | grep xmlrpc_uri

It should read: https://localhost:/ipa/xml

Otherwise you're not connecting to the lite-server, but to the installed server.

Pavel
Re: [Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.
On 10/20/2010 11:42 PM, Rob Crittenden wrote: Pavel Zuna wrote: On 10/14/2010 03:30 PM, Rob Crittenden wrote: Pavel Zuna wrote:

There was no default value set even though we were using config.get and it was throwing exceptions if someone deleted one of the related config values.

Pavel

Is this needed since get_ipa_config() will always return something for time and search limits?

rob

Yes, because get_ipa_config will return defaults for time and search limits only when the whole ipaConfig entry isn't found. I reworked the patch, so that defaults are always returned by get_ipa_config, but I left changes from the previous version, because it doesn't hurt anything and is a (very little) bit safer. New version attached.

Pavel

I see your point. One can do 'ipa config-mod --searchtimelimit=' and blam, everything stops working. This still seems like a bit of a cover-up fix for that. Should we prevent these attributes from being removed?

We could do that, but it's always possible to delete the attribute using ldapmodify or some other tool.

rob

Pavel
Re: [Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.
On 10/14/2010 03:30 PM, Rob Crittenden wrote: Pavel Zuna wrote:

There was no default value set even though we were using config.get and it was throwing exceptions if someone deleted one of the related config values.

Pavel

Is this needed since get_ipa_config() will always return something for time and search limits?

rob

Yes, because get_ipa_config will return defaults for time and search limits only when the whole ipaConfig entry isn't found. I reworked the patch, so that defaults are always returned by get_ipa_config, but I left changes from the previous version, because it doesn't hurt anything and is a (very little) bit safer. New version attached.

Pavel

pzuna-freeipa-0033-2-limitdefaults.patch Description: application/mbox
Re: [Freeipa-devel] [PATCH] Add flag to group-find to only search on private groups.
On 10/14/2010 11:16 PM, Rob Crittenden wrote: Pavel Zuna wrote: On 10/01/2010 02:47 PM, Pavel Zuna wrote:

Ticket #251

Pavel

New version of patch attached. This time it should work. :) I renamed the flag from --privateonly to --private. Normal searches do not return private groups at all, while searches with this flag only return private groups.

Pavel

This works a lot better than the last patch. The code itself is fine, I'd just ask that you add a test case for searching for private groups. The test that is in this patch seems more geared for removing multiple users at once (which is a good thing) but doesn't actually work without this change:

--- a/tests/test_xmlrpc/test_user_plugin.py +++ b/tests/test_xmlrpc/test_user_plugin.py @@ -358,7 +358,7 @@ class test_user(Declarative): loginshell=[u'/bin/sh'], objectclass=objectclasses.user, sn=[u'User2'], - uid=[user1], + uid=[user2], uidnumber=[fuzzy_digits], ipauniqueid=[fuzzy_uuid], dn=u'uid=tuser2,cn=users,cn=accounts,' + api.env.basedn,

So NACK for now but it's very close.

rob

Version 3 attached. Added a test case for searching private groups and fixed user tests.

Pavel

pzuna-freeipa-0024-3-searchprvgroup.patch Description: application/mbox
[Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.
There was no default value set even though we were using config.get and it was throwing exceptions if someone deleted one of the related config values. Pavel >From 5dfda61f3995f4d5ae5813b7f70f2d2658a687f0 Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Thu, 14 Oct 2010 10:54:24 -0400 Subject: [PATCH 2/2] Add fail-safe defaults to time and size limits in ldap2 searches. --- ipaserver/plugins/ldap2.py |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index 096d3a3..1d18bbb 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -515,9 +515,9 @@ class ldap2(CrudBackend, Encoder): if time_limit is None or size_limit is None: (cdn, config) = self.get_ipa_config() if time_limit is None: -time_limit = config.get('ipasearchtimelimit')[0] +time_limit = config.get('ipasearchtimelimit', [-1])[0] if size_limit is None: -size_limit = config.get('ipasearchrecordslimit')[0] +size_limit = config.get('ipasearchrecordslimit', [0])[0] if not isinstance(size_limit, int): size_limit = int(size_limit) if not isinstance(time_limit, float): -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
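Review bot: In the ldap2.py hunk, the fallbacks `[-1]` for ipasearchtimelimit and `[0]` for ipasearchrecordslimit are the values LDAP clients conventionally use for "no limit"; if they reach the search call unchanged, deleting either attribute from the config entry removes the cap instead of restoring a conservative one. Fall back to fixed finite defaults so a missing attribute cannot turn into an unbounded search. `config.get('ipasearchtimelimit', [-1])[0]` also still raises IndexError when the attribute is present with an empty value list.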
Re: [Freeipa-devel] [PATCH] Check if attribute is single-value before trying to add values to it.
On 10/14/2010 12:01 AM, Rob Crittenden wrote: Pavel Zuna wrote: This patch adds a check in ldap2 for single-value attributes. DS doesn't seem to care much about attributes being defined as SINGLE-VALUE except for things like uidNumber and gidNumber (I suspect this is handled by the DNA plugin). Ticket #246 Pavel This is similar to ticket 220 which I have a pending patch for (patch 552). I think both patches are valid but we should test them together to be sure. Can you do that? rob I had to NACK your patch number 552, because the check was in the wrong place. Both patches overlap in functionality, so I decided to merge them into a new version of my original patch. I split the single-value check into two parts: First part is in baseldap classes (LDAPCreate, LDAPUpdate) and it checks if we're not trying to add more values to a Param defined attribute, that is not flagged as multivalue. Second part is in the ldap2 backend. It checks if we're not trying to add more values to an attribute, that is defined as SINGLE-VALUE in the schema. Unfortunately, it seems that python-ldap isn't capable of reporting the SINGLE-VALUE flag reliably and DS doesn't enforce it at all. In other words, this check is a bit weak, but still better than nothing. I hope you don't mind I merged both patches, but it seemed simpler and we can knock out 2 tickets in one commit. :) Ticket #230 Ticket #246 Pavel >From adff41671b7f04f718085711401e7328390151ae Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Thu, 14 Oct 2010 13:05:43 -0400 Subject: [PATCH 1/2] Disallow RDN change and single-value bypass using setattr/addattr. Merge of my original patch number 32 and Rob's patch number 552. Ticket #230 Ticket #246 --- ipalib/errors.py | 33 - ipalib/frontend.py |2 +- ipalib/plugins/baseldap.py | 14 +- ipaserver/plugins/ldap2.py | 44 +++- 4 files changed, 77 insertions(+), 16 deletions(-) diff --git a/ipalib/errors.py b/ipalib/errors.py index 42d43ce..db13a43 100644 --- a/ipalib/errors.py 
+++ b/ipalib/errors.py @@ -1162,7 +1162,7 @@ class DatabaseError(ExecutionError): """ errno = 4203 -format = _('%(desc)s:%(info)s') +format = _('%(desc)s: %(info)s') class LimitsExceeded(ExecutionError): @@ -1195,6 +1195,37 @@ class ObjectclassViolation(ExecutionError): errno = 4205 format = _('%(info)s') +class NotAllowedOnRDN(ExecutionError): +""" +**4206** Raised when an RDN value is modified. + +For example: + +>>> raise NotAllowedOnRDN() +Traceback (most recent call last): + ... +NotAllowedOnRDN: modifying primary key is not allowed +""" + +errno = 4206 +format = _('modifying primary key is not allowed') + + +class OnlyOneValueAllowed(ExecutionError): +""" +**4207** Raised when trying to set more than one value to single-value attributes + +For example: + +>> raise OnlyOneValueAllowed(attr='ipasearchtimelimit') +Traceback (most recent call last): + ... +OnlyOneValueAllowed: ipasearchtimelimit: attribute is single-value +""" + +errno = 4207 +format = _('%(attr)s: attribute is single-value') + class CertificateError(ExecutionError): """ diff --git a/ipalib/frontend.py b/ipalib/frontend.py index c9c070d..96649d9 100644 --- a/ipalib/frontend.py +++ b/ipalib/frontend.py @@ -504,7 +504,7 @@ class Command(HasParam): a dictionary. The incoming attribute may be a string or a list. -Any attribute found that is also a param is silently dropped. +Any attribute found that is also a param is validated. append controls whether this returns a list of values or a single value. diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 2335a7a..caa616a 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py 
@@ -157,6 +157,14 @@ _attr_options = ( ), ) +# addattr can cause parameters to have more than one value even if not defined +# as multivalue, make sure this isn't the case +def _check_single_value_attrs(params, entry_attrs): +for (a, v) in entry_attrs.iteritems(): +if isinstance(v, (list, tuple)) and len(v) > 1: +if a in params and not params[a].multivalue: +raise errors.OnlyOneValueAllowed(attr=a) + class CallbackInterface(Method): """ @@ -277,6 +285,8 @@ class LDAPCreate(CallbackInterface, crud.Create): self, ldap, dn, entry_attrs, attrs_list, *keys, **options ) +_check_single_value_attrs(self.params, entry_attrs) + try: ldap.add_entry(dn
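Review bot: in the baseldap.py hunk, `_check_single_value_attrs` looks the attribute up with `if a in params and not params[a].multivalue`, a case-sensitive match on the key exactly as it arrives in entry_attrs. LDAP attribute names are case-insensitive, so unless setattr/addattr keys are lower-cased before this point, a differently cased spelling of the same attribute misses the Param and skips the check. Please confirm the keys are normalised upstream, or compare on a lower-cased name here.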
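Review bot: in the errors.py hunk, the OnlyOneValueAllowed docstring example begins with `>> raise OnlyOneValueAllowed(attr='ipasearchtimelimit')` (two angle brackets), while the NotAllowedOnRDN example just above uses `>>>`, so doctest will not pick the second example up. Make it `>>>`, and end the summary line with a period to match the 4206 entry.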
Re: [Freeipa-devel] [PATCH] 552 handle setattr/addattr better
On 09/29/2010 11:03 PM, Rob Crittenden wrote:
> When doing an addattr check to see if we are creating a multi-value attribute and see if that is allowed by the Param and/or the attribute in the schema (SINGLE-VALUE).
>
> Pavel, check my fix in the exception callback. It was passing attrs_list but that isn't set until later. I decided to send an empty list instead.
>
> Also catch RDN update exceptions and return an error about primary keys (which this essentially means).
>
> ticket 230
>
> rob

NACK.

The patch isn't all bad, but the single-value check is in the wrong place. As a result, it only applies when someone tries to add a new value to attributes already present in the original entry. It won't fire when someone is trying to add more than one value if there was none before and it also won't fire when creating new entries.

I reworked your patch a bit and merged it with my patch number 32, because they overlap in functionality. See freeipa-devel thread: [PATCH] Check if attribute is single-value before trying to add values to it.

Pavel
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
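The placement problem described in the NACK above, as an added example that is not part of the original message and is not FreeIPA code: a check that only looks at attributes already present in the entry is compared with one run on the merged entry. The schema table, the helper names and the lower-casing of attribute names are assumptions of this example.

```python
# Added illustration, not FreeIPA code. The schema table and all helper
# names are assumptions made for this example.


class OnlyOneValueAllowed(Exception):
    """Same name and message as the error proposed in the thread."""

    def __init__(self, attr):
        super().__init__('%s: attribute is single-value' % attr)
        self.attr = attr


# Constructed schema: lower-cased attribute name -> is it SINGLE-VALUE?
SINGLE_VALUE = {'ipasearchtimelimit': True, 'uidnumber': True, 'mail': False}


def _values(v):
    """Normalise a scalar or a sequence to a list of values."""
    if v is None:
        return []
    if isinstance(v, (list, tuple)):
        return list(v)
    return [v]


def merge_addattr(entry, addattr):
    """Return the entry as it would be written: old values plus addattr pairs."""
    merged = {name.lower(): _values(v) for name, v in entry.items()}
    for name, value in addattr:
        merged.setdefault(name.lower(), []).append(value)
    return merged


def check_existing_only(entry, addattr):
    """Placement criticised in the NACK: fires only for attributes that
    already hold a value in the original entry."""
    present = {name.lower(): _values(v) for name, v in entry.items()}
    for name, _value in addattr:
        key = name.lower()
        if present.get(key) and SINGLE_VALUE.get(key, False):
            raise OnlyOneValueAllowed(key)


def check_final_entry(entry, addattr):
    """Check the merged result, so new entries and first-time adds are covered."""
    for key, values in merge_addattr(entry, addattr).items():
        if SINGLE_VALUE.get(key, False) and len(values) > 1:
            raise OnlyOneValueAllowed(key)


def rejected(check, entry, addattr):
    """True if the given check refuses the operation."""
    try:
        check(entry, addattr)
    except OnlyOneValueAllowed:
        return True
    return False


# Constructed cases: (description, original entry, addattr pairs)
CASES = [
    ('add to existing value',
     {'ipasearchtimelimit': ['2']}, [('ipasearchtimelimit', '5')]),
    ('two values, none before',
     {'cn': ['ipaconfig']},
     [('ipasearchtimelimit', '2'), ('ipasearchtimelimit', '5')]),
    ('new entry',
     {}, [('uidNumber', '1000'), ('uidnumber', '1001')]),
    ('multi-valued attribute',
     {'mail': ['a@example.test']}, [('mail', 'b@example.test')]),
]


def run_cases():
    """Map each case to (existing-only rejected?, final-entry rejected?)."""
    return {
        desc: (rejected(check_existing_only, entry, addattr),
               rejected(check_final_entry, entry, addattr))
        for desc, entry, addattr in CASES
    }


if __name__ == '__main__':
    for desc, (weak, final) in run_cases().items():
        print('%-26s existing-only=%-5s final-entry=%s' % (desc, weak, final))
```
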
Re: [Freeipa-devel] [PATCH] 570 enforce max username length
On 10/13/2010 03:46 PM, Rob Crittenden wrote:
> Pavel Zuna wrote:
>> On 10/11/2010 05:19 PM, Rob Crittenden wrote:
>>> Enforce the configurable max username length from cn=ipaconfig.
>>>
>>> rob
>>
>> This will raise an exception if the ipaMaxUsernameLength attribute isn't present in the config entry. I know it's not very likely, but it would be better to retrieve the attribute first and only do the length check if it is set.
>>
>> Pavel
>
> Ok, new patch attached. get_ipa_config() always returns a dict (unless things really go south in which case missing this attribute is the least of our problems).
>
> rob

ACK.

Pavel
Re: [Freeipa-devel] [PATCH] 572 fix usage help of ipa-replica-install
On 10/11/2010 07:07 PM, Rob Crittenden wrote:
> Include REPLICA_FILE in usage for ipa-replica-install
>
> ticket 247
>
> rob

ACK.

Pavel
Re: [Freeipa-devel] [PATCH] 571 return non-zero on *-find when nothing is found
On 10/11/2010 06:58 PM, Rob Crittenden wrote:
> Return non-zero when the number of entries from *-find returned is zero.
>
> ticket 325
>
> rob

ACK.

Pavel
Re: [Freeipa-devel] [PATCH] 569 detect when DNS is not configured
On 10/11/2010 04:55 PM, Rob Crittenden wrote:
> Detect when DNS is not configured and return an error message when using the command-line.
>
> It would be nicer if we disabled the command altogether but this would require checking the server to see every time the ipa command is executed (which would be bad). We can't store this in a configuration file because it is possible to add a DNS post-install (and it would require adding this to every single client install).
>
> ticket 147
>
> rob

ACK.

Pavel
Re: [Freeipa-devel] [PATCH] 570 enforce max username length
On 10/11/2010 05:19 PM, Rob Crittenden wrote:
> Enforce the configurable max username length from cn=ipaconfig.
>
> rob

This will raise an exception if the ipaMaxUsernameLength attribute isn't present in the config entry. I know it's not very likely, but it would be better to retrieve the attribute first and only do the length check if it is set.

Pavel
[Freeipa-devel] [PATCH] Check if attribute is single-value before trying to add values to it.
This patch adds a check in ldap2 for single-value attributes. DS doesn't seem to care much about attributes being defined as SINGLE-VALUE except for things like uidNumber and gidNumber (I suspect this is handled by the DNA plugin). Ticket #246 Pavel >From 94681f66292904979227bbe2fed058ba9b1a23a4 Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Wed, 13 Oct 2010 12:40:51 -0400 Subject: [PATCH] Check if attribute is single-value before trying to add values to it. Ticket #246 --- ipalib/errors.py |2 +- ipaserver/plugins/ldap2.py | 16 +++- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/ipalib/errors.py b/ipalib/errors.py index 42d43ce..fd96e57 100644 --- a/ipalib/errors.py +++ b/ipalib/errors.py @@ -1162,7 +1162,7 @@ class DatabaseError(ExecutionError): """ errno = 4203 -format = _('%(desc)s:%(info)s') +format = _('%(desc)s: %(info)s') class LimitsExceeded(ExecutionError): diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index 2213df0..1c5a84f 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -690,13 +690,19 @@ class ldap2(CrudBackend, Encoder): adds = list(v.difference(old_v)) rems = list(old_v.difference(v)) +is_single_value = False +if self.schema: +obj = self.schema.get_obj(_ldap.schema.AttributeType, k) +is_single_value = obj and obj.single_value + +if is_single_value and len(adds) > 1 or len(adds) > len(rems): +raise errors.DatabaseError( +info='attribute is single-value', desc=k +) + force_replace = False -if k in self._FORCE_REPLACE_ON_UPDATE_ATTRS: +if k in self._FORCE_REPLACE_ON_UPDATE_ATTRS or is_single_value: force_replace = True -elif self.schema: -obj = self.schema.get_obj(_ldap.schema.AttributeType, k) -if obj and obj.single_value: -force_replace = True elif len(adds) == 1 and len(rems) == 1: force_replace = True -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
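Review bot: the new condition in the ldap2.py hunk, `if is_single_value and len(adds) > 1 or len(adds) > len(rems):`, parses as `(is_single_value and len(adds) > 1) or (len(adds) > len(rems))` because `and` binds tighter than `or`. As written, the second half applies to every attribute, so adding a value to a multi-valued attribute without removing one raises the "attribute is single-value" DatabaseError. Parenthesise the intended grouping, and check the case of setting the first value on an empty single-value attribute (one add, no removals), which `len(adds) > len(rems)` also rejects.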
Re: [Freeipa-devel] [PATCH] Add flag to group-find to only search on private groups.
On 10/01/2010 02:47 PM, Pavel Zuna wrote: Ticket #251 Pavel New version of patch attached. This time it should work. :) I renamed the flag from --privateonly to --private. Normal searches do not return private groups at all, while searches with this flag only return private groups. Pavel >From cabfcab3d53b4b7d51d5f3646c9747272e2ca965 Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Tue, 21 Sep 2010 13:03:40 -0400 Subject: [PATCH] Add flag to group-find to only search on private groups. ticket #251 --- ipalib/plugins/group.py | 31 +++- tests/test_xmlrpc/test_user_plugin.py | 65 +++-- 2 files changed, 91 insertions(+), 5 deletions(-) diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py index 9beef00..ff1fc99 100644 --- a/ipalib/plugins/group.py +++ b/ipalib/plugins/group.py @@ -187,7 +187,6 @@ class group_mod(LDAPUpdate): """ Modify a group. """ - msg_summary = _('Modified group "%(value)s"') takes_options = LDAPUpdate.takes_options + ( 
@@ -217,11 +216,39 @@ class group_find(LDAPSearch): """ Search for groups. """ - msg_summary = ngettext( '%(count)d group matched', '%(count)d groups matched', 0 ) +takes_options = LDAPSearch.takes_options + ( +Flag('private', +cli_name='private', +doc=_('search for private groups'), +), +) + +def pre_callback(self, ldap, filter, attrs_list, base_dn, *args, **options): +# if looking for private groups, we need to create a new search filter, +# because private groups have different object classes +if options['private']: +# filter based on options, oflt +search_kw = self.args_options_2_entry(**options) +search_kw['objectclass'] = ['posixGroup', 'mepManagedEntry'] +oflt = ldap.make_filter(search_kw, rules=ldap.MATCH_ALL) + +# filter based on 'criteria' argument +search_kw = {} +config = ldap.get_ipa_config()[1] +attrs = config.get(self.obj.search_attributes_config, []) +if len(attrs) == 1 and isinstance(attrs[0], basestring): +search_attrs = attrs[0].split(',') +for a in search_attrs: +search_kw[a] = args[-1] +cflt = ldap.make_filter(search_kw, exact=False) + +filter = ldap.combine_filters((oflt, cflt), rules=ldap.MATCH_ALL) +return filter + api.register(group_find) diff --git a/tests/test_xmlrpc/test_user_plugin.py b/tests/test_xmlrpc/test_user_plugin.py index c6770b7..7d77131 100644 --- a/tests/test_xmlrpc/test_user_plugin.py +++ b/tests/test_xmlrpc/test_user_plugin.py @@ -30,6 +30,7 @@ from xmlrpc_test import Declarative, fuzzy_digits, fuzzy_uuid user_memberof = (u'cn=ipausers,cn=groups,cn=accounts,%s' % api.env.basedn,) user1=u'tuser1' +user2=u'tuser2' invaliduser1=u'+tuser1' invaliduser2=u'tuser1234567890123456789012345678901234567890' @@ -38,7 +39,7 @@ invaliduser2=u'tuser1234567890123456789012345678901234567890' class test_user(Declarative): cleanup_commands = [ -('user_del', [user1], {}), +('user_del', [user1, user2], {}), ] tests = [ 
@@ -67,7 +68,7 @@ class test_user(Declarative): dict( desc='Create %r' % user1, command=( -'user_add', [], dict(givenname=u'Test', sn=u'User1') +'user_add', [user1], dict(givenname=u'Test', sn=u'User1') ), expected=dict( value=user1, @@ -92,7 +93,7 @@ class test_user(Declarative): dict( desc='Try to create duplicate %r' % user1, command=( -'user_add', [], dict(givenname=u'Test', sn=u'User1') +'user_add', [user1], dict(givenname=u'Test', sn=u'User1') ), expected=errors.DuplicateEntry(), ), @@ -318,6 +319,64 @@ class test_user(Declarative): dict( +desc='Create %r' % user1, +command=( +'user_add', [user1], dict(givenname=u'Test', sn=u'User1') +), +expected=dict( +value=user1, +summary=u'Added user "tuser1"', +result=dict( +gecos=[user1], +givenname=[u'Test'], +homedirectory=[u'/home/tuser1'], +
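Review bot: in the new group_find.pre_callback, `search_kw[a] = args[-1]` uses the criteria argument unconditionally, but the argument is declared optional elsewhere in this thread (`yield Str('criteria?')` in LDAPSearch), so a --private search with no criteria builds the criteria filter from None. Guard on args[-1] before building cflt and return oflt alone in that case. Also, search_attrs is assigned only under `if len(attrs) == 1 and isinstance(attrs[0], basestring):`; give it an empty-list default so the loop over it cannot hit an unbound name when that test fails.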
Re: [Freeipa-devel] [PATCH] 567 fix group deletion
On 10/09/2010 04:47 AM, Rob Crittenden wrote:
> Group deletion was failing with an error about too many values.
>
> rob

ACK.

Pavel
[Freeipa-devel] [PATCH] Fix inconsistent error message when deleting groups that don't exist.
The pre_callback in group_del was using a direct ldap2 call with no exception handling. Ticket #292 Pavel >From 60eb789c84f91c5911dec397c528fd8a2e21ef99 Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Wed, 6 Oct 2010 13:45:20 -0400 Subject: [PATCH] Fix inconsistent error message when deleting groups that don't exist. Ticket #292 --- ipalib/plugins/group.py |4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py index fae6a28..9beef00 100644 --- a/ipalib/plugins/group.py +++ b/ipalib/plugins/group.py @@ -165,7 +165,9 @@ class group_del(LDAPDelete): def_primary_group_dn = group_dn = self.obj.get_dn(def_primary_group) if dn == def_primary_group_dn: raise errors.DefaultGroup() -(group_dn, group_attrs) = ldap.get_entry(dn) +(group_dn, group_attrs) = self.obj.methods.show( +self.obj.get_primary_key_from_dn(dn) +) if 'mepmanagedby' in group_attrs: raise errors.ManagedGroupError() return dn -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
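Review bot: the replacement `(group_dn, group_attrs) = self.obj.methods.show(...)` unpacks the return value of a command as if it were the (dn, attrs) pair that ldap.get_entry returned. The command tests elsewhere in this thread expect a dict with result, value and summary keys, and unpacking a dict yields its keys, in which case `'mepmanagedby' in group_attrs` would be testing a key name and ManagedGroupError would never be raised for a managed group. Please confirm what show returns here and read the attributes from its result, and check that mepmanagedby is among the attributes show returns by default.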
[Freeipa-devel] [PATCH] Fix attribute callbacks on details pages in the webUI.
Fixes bug reported by Adam in internal discussion. Ticket #326 Pavel >From 4ca5f618913d780e018e37e03b159201bffb9996 Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Wed, 6 Oct 2010 12:01:02 -0400 Subject: [PATCH] Fix attribute callbacks on details pages in the webUI. Ticket #326 --- install/static/details.js | 20 1 files changed, 12 insertions(+), 8 deletions(-) diff --git a/install/static/details.js b/install/static/details.js index f16dc36..99666b1 100644 --- a/install/static/details.js +++ b/install/static/details.js @@ -79,19 +79,23 @@ function ipa_generate_dl(jobj, id, name, dts) for (var i = 0; i < dts.length; ++i) { var label = ''; -if (dts[i][0].indexOf('call_') != 0) { -var param_info = ipa_get_param_info(obj_name, dts[i][0]); -if (param_info) -label = param_info['label']; -} +var param_info = ipa_get_param_info(obj_name, dts[i][0]); +if (param_info) +label = param_info['label']; if ((!label) && (dts[i].length > 1)) label = dts[i][1]; + +var title = dts[i][0]; +if (typeof dts[i][2] == 'function') +title = 'call_' + dts[i][2].name; dl.append( -$('',{ -title:dts[i][0], -html:label+":"}) +$('', { +title: title, +html: label + ':', +}) ); } + parent.append(dl); parent.append(''); } -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
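Review bot: `title = 'call_' + dts[i][2].name` depends on the callback being a named function; for an anonymous function the name is empty, so every such row gets the same title 'call_'. Either require named callbacks and say so in a comment, or keep a reference to the callback itself instead of round-tripping its name through the title attribute. Two smaller points in the same hunk: the trailing comma after `html: label + ':',` is rejected by older Internet Explorer versions, and since label is inserted as html it should only ever come from trusted parameter metadata.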
Re: [Freeipa-devel] [PATCH] Add 'continuous' mode to LDAPDelete. Fix *-del unit tests.
On 10/06/2010 03:37 AM, Rob Crittenden wrote: Pavel Zuna wrote: All LDAPMultiQuery sub-classes (currently only LDAPDelete) now have the --continuous flag (off by default). The flag should indicate that the command shouldn't stop on errors and continue operation with the next primary key on the arguments lists. This effectively fixes *-del unit tests, because continuous mode is off by default. (It was on before this patch and there was no option to turn it off.) Ticket #321 Pavel The migration plugin and pending automount plugin patch already define an attribute for continuous operation though it is named continue instead. We should pick one and be consistent. I like continue because it's easier to type. rob Fixed version attached. Pavel >From d8bc23e86458e91616b7ab2ed9cd26983cecc24c Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Tue, 5 Oct 2010 14:34:47 -0400 Subject: [PATCH 2/3] Add 'continuous' mode to LDAPDelete. Fix *-del unit tests. Ticket #321 --- ipalib/plugins/baseldap.py |9 + 1 files changed, 9 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 42d9017..2335a7a 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -353,6 +353,13 @@ class LDAPMultiQuery(LDAPQuery): """ Base class for commands that need to retrieve one or more existing entries. """ +takes_options = ( +Flag('continue', +cli_name='continue', +doc=_('Continuous mode: Don\'t stop on errors.'), +), +) + def get_args(self): for key in self.obj.get_ancestor_primary_keys(): yield key @@ -594,6 +601,8 @@ class LDAPDelete(LDAPMultiQuery): if not delete_entry(pkey): result = False except errors.ExecutionError: +if not options.get('continuous', False): +raise failed.append(pkey) else: deleted.append(pkey) -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
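Review bot: the flag is now declared as `Flag('continue', ...)`, but the LDAPDelete hunk still reads `options.get('continuous', False)`, so the option can never be seen as set and the command always re-raises on the first error. Use the same key in both places. The subject line and the doc string still say "continuous"; align those with the option name while you are there.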
Re: [Freeipa-devel] [PATCH] Generate additional positional arguments for baseldap commands from takes_args.
On 10/06/2010 03:35 AM, Rob Crittenden wrote: Pavel Zuna wrote: takes_args defined in a baseldap subclass is now transformed into positional arguments that go after primary keys. Before this patch, takes_args in crud subclasses were ignored. example: --- snip --- class user_something(LDAPRetrieve): takes_args = ( Str('randomarg'), ) --- snip --- # ipa help something Usage: ipa [global-options] user-something LOGIN RANDOMARG Pavel Nack, this breaks the pwpolicy plugin tests (though I'm not 100% sure why). pwpolicy-del defines its own get_args(). I'm guessing it is failing because the local get_args returns a string and the multivalue stuff is expecting a list so pulling the string apart one character at a time. If you run pwpolicy-del testpolicy it will fail with a not found on 't' policy. I think simply removing the get_args() from pwpolicy will fix it: rob Fixed version attached. Pavel >From dca00ce6a586ee91a0518e3473c49223f8e7cdf3 Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Tue, 5 Oct 2010 14:33:27 -0400 Subject: [PATCH 1/3] Generate additional positional arguments for baseldap commands from takes_args. --- ipalib/plugins/baseldap.py |8 ipalib/plugins/pwpolicy.py |4 +++- 2 files changed, 11 insertions(+), 1 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index f6b98e2..42d9017 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -240,6 +240,8 @@ class LDAPCreate(CallbackInterface, crud.Create): yield key if self.obj.primary_key: yield self.obj.primary_key.clone(attribute=True) +for arg in super(crud.Create, self).get_args(): +yield arg def execute(self, *keys, **options): ldap = self.obj.backend @@ -343,6 +345,8 @@ class LDAPQuery(CallbackInterface, crud.PKQuery): yield key if self.obj.primary_key: yield self.obj.primary_key.clone(attribute=True, query=True) +for arg in super(crud.PKQuery, self).get_args(): +yield arg class LDAPMultiQuery(LDAPQuery): 
@@ -356,6 +360,8 @@ class LDAPMultiQuery(LDAPQuery): yield self.obj.primary_key.clone( attribute=True, query=True, multivalue=True ) +for arg in super(crud.PKQuery, self).get_args(): +yield arg class LDAPRetrieve(LDAPQuery): @@ -881,6 +887,8 @@ class LDAPSearch(CallbackInterface, crud.Search): for key in self.obj.get_ancestor_primary_keys(): yield key yield Str('criteria?') +for arg in super(crud.Search, self).get_args(): +yield arg def get_options(self): for option in super(LDAPSearch, self).get_options(): diff --git a/ipalib/plugins/pwpolicy.py b/ipalib/plugins/pwpolicy.py index dbbb471..cbfbf80 100644 --- a/ipalib/plugins/pwpolicy.py +++ b/ipalib/plugins/pwpolicy.py @@ -300,7 +300,9 @@ class pwpolicy_del(LDAPDelete): Delete a group password policy. """ def get_args(self): -yield self.obj.primary_key.clone(attribute=True, required=True) +yield self.obj.primary_key.clone( +attribute=True, required=True, multivalue=True +) def post_callback(self, ldap, dn, *keys, **options): try: -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
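Review bot: `for arg in super(crud.Create, self).get_args():` (and the crud.PKQuery and crud.Search equivalents) starts the lookup after the crud class rather than after the LDAP class that defines the method, which skips the crud class's own get_args. If that is deliberate, to avoid yielding the primary key twice, it needs a comment, because it reads like a mistake. In the pwpolicy.py hunk the overriding get_args yields only the multivalue primary key and does not chain to the base, so takes_args declared on pwpolicy_del would still be ignored.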
Re: [Freeipa-devel] [PATCH] Rename user-lock and user-unlock to user-enable user-disable.
On 10/05/2010 06:07 PM, Rob Crittenden wrote: Pavel Zuna wrote: Also fixes related unit tests and therefore depends on my patch number 28. Ticket #165 Pavel This looks ok but you need to update the examples in the top help block too: Lock a user account: ipa user-lock tuser1 Unlock a user account: ipa user-unlock tuser1 Fix those and you have an ack. rob Fixed version attached. Pavel >From 013384a8804859be9f56e9494dee953cc020fbb7 Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Tue, 5 Oct 2010 15:37:37 -0400 Subject: [PATCH 3/3] Rename user-lock and user-unlock to user-enable user-disable. Ticket #165 --- ipalib/plugins/user.py| 24 tests/test_xmlrpc/test_user_plugin.py | 12 ++-- 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 0746553..a6e6b5d 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -37,11 +37,11 @@ EXAMPLES: Find all users with "Tim" as the first name: ipa user-find --first=Tim - Lock a user account: - ipa user-lock tuser1 + Disable a user account: + ipa user-disable tuser1 - Unlock a user account: - ipa user-unlock tuser1 + Enable a user account: + ipa user-enable tuser1 Delete a user: ipa user-del tuser1 @@ -274,13 +274,13 @@ class user_show(LDAPRetrieve): api.register(user_show) -class user_lock(LDAPQuery): +class user_disable(LDAPQuery): """ -Lock a user account. +Disable user account. """ has_output = output.standard_value -msg_summary = _('Locked user "%(value)s"') +msg_summary = _('Disabled user account "%(value)s"') def execute(self, *keys, **options): ldap = self.obj.backend 
@@ -297,16 +297,16 @@ class user_lock(LDAPQuery): value=keys[0], ) -api.register(user_lock) +api.register(user_disable) -class user_unlock(LDAPQuery): +class user_enable(LDAPQuery): """ -Unlock a user account. +Enable user account. """ has_output = output.standard_value -msg_summary = _('Unlocked user "%(value)s"') +msg_summary = _('Enabled user account "%(value)s"') def execute(self, *keys, **options): ldap = self.obj.backend @@ -323,4 +323,4 @@ class user_unlock(LDAPQuery): value=keys[0], ) -api.register(user_unlock) +api.register(user_enable) diff --git a/tests/test_xmlrpc/test_user_plugin.py b/tests/test_xmlrpc/test_user_plugin.py index 1850dc1..7d77131 100644 --- a/tests/test_xmlrpc/test_user_plugin.py +++ b/tests/test_xmlrpc/test_user_plugin.py @@ -235,27 +235,27 @@ class test_user(Declarative): dict( -desc='Lock %r' % user1, +desc='Disable %r' % user1, command=( -'user_lock', [user1], {} +'user_disable', [user1], {} ), expected=dict( result=True, value=user1, -summary=u'Locked user "tuser1"', +summary=u'Disabled user account "tuser1"', ), ), dict( -desc='Unlock %r' % user1, +desc='Enable %r' % user1, command=( -'user_unlock', [user1], {} +'user_enable', [user1], {} ), expected=dict( result=True, value=user1, -summary=u'Unlocked user "tuser1"', +summary=u'Enabled user account "tuser1"', ), ), -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
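Review bot: the hunks at `-class user_lock(LDAPQuery):` and `-class user_unlock(LDAPQuery):` remove the old command names outright and register only user_disable and user_enable, so any script or client still calling user-lock or user-unlock fails after the upgrade. If the old names were ever shipped, consider keeping them registered as deprecated aliases for a release. The new docstrings read "Disable user account." and "Enable user account."; keeping the article would match the EXAMPLES text changed in the first hunk.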
Re: [Freeipa-devel] [PATCH] Add 'continuous' mode to LDAPDelete. Fix *-del unit tests.
On 10/05/2010 04:47 PM, Pavel Zuna wrote:
> All LDAPMultiQuery sub-classes (currently only LDAPDelete) now have the --continuous flag (off by default). The flag should indicate that the command shouldn't stop on errors and continue operation with the next primary key on the arguments lists.
>
> This effectively fixes *-del unit tests, because continuous mode is off by default. (It was on before this patch and there was no option to turn it off.)
>
> Ticket #321
>
> Pavel

I forgot to mention that this depends on my patch number 27, because they modify the same file (baseldap.py).

Pavel
[Freeipa-devel] [PATCH] Rename user-lock and user-unlock to user-enable user-disable.
Also fixes related unit tests and therefore depends on my patch number 28. Ticket #165 Pavel >From 9ead34195c3ef1b3be9f9c57ba54fd2849215ab0 Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Tue, 5 Oct 2010 15:37:37 -0400 Subject: [PATCH] Rename user-lock and user-unlock to user-enable user-disable. Ticket #165 --- ipalib/plugins/user.py| 16 tests/test_xmlrpc/test_user_plugin.py | 12 ++-- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 0746553..daa5cc4 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -274,13 +274,13 @@ class user_show(LDAPRetrieve): api.register(user_show) -class user_lock(LDAPQuery): +class user_disable(LDAPQuery): """ -Lock a user account. +Disable user account. """ has_output = output.standard_value -msg_summary = _('Locked user "%(value)s"') +msg_summary = _('Disabled user account "%(value)s"') def execute(self, *keys, **options): ldap = self.obj.backend @@ -297,16 +297,16 @@ class user_lock(LDAPQuery): value=keys[0], ) -api.register(user_lock) +api.register(user_disable) -class user_unlock(LDAPQuery): +class user_enable(LDAPQuery): """ -Unlock a user account. +Enable user account. """ has_output = output.standard_value -msg_summary = _('Unlocked user "%(value)s"') +msg_summary = _('Enabled user account "%(value)s"') def execute(self, *keys, **options): ldap = self.obj.backend @@ -323,4 +323,4 @@ class user_unlock(LDAPQuery): value=keys[0], ) -api.register(user_unlock) +api.register(user_enable) diff --git a/tests/test_xmlrpc/test_user_plugin.py b/tests/test_xmlrpc/test_user_plugin.py index 1850dc1..7d77131 100644 --- a/tests/test_xmlrpc/test_user_plugin.py +++ b/tests/test_xmlrpc/test_user_plugin.py 
@@ -235,27 +235,27 @@ class test_user(Declarative): dict( -desc='Lock %r' % user1, +desc='Disable %r' % user1, command=( -'user_lock', [user1], {} +'user_disable', [user1], {} ), expected=dict( result=True, value=user1, -summary=u'Locked user "tuser1"', +summary=u'Disabled user account "tuser1"', ), ), dict( -desc='Unlock %r' % user1, +desc='Enable %r' % user1, command=( -'user_unlock', [user1], {} +'user_enable', [user1], {} ), expected=dict( result=True, value=user1, -summary=u'Unlocked user "tuser1"', +summary=u'Enabled user account "tuser1"', ), ), -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
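Review bot: every user.py hunk in this version starts at line 274 or later, so any usage or help text earlier in the module that still names user-lock and user-unlock is left unchanged and will advertise commands that no longer exist. Update that text in the same commit as the rename.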
[Freeipa-devel] [PATCH] Add 'continuous' mode to LDAPDelete. Fix *-del unit tests.
All LDAPMultiQuery sub-classes (currently only LDAPDelete) now have the --continuous flag (off by default). The flag should indicate that the command shouldn't stop on errors and continue operation with the next primary key on the arguments lists. This effectively fixes *-del unit tests, because continuous mode is off by default. (It was on before this patch and there was no option to turn it off.) Ticket #321 Pavel >From 3c6ad32fd6da79207184c6fbc1fca2126e20f7bd Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Tue, 5 Oct 2010 14:34:47 -0400 Subject: [PATCH 2/2] Add 'continuous' mode to LDAPDelete. Fix *-del unit tests. Ticket #321 --- ipalib/plugins/baseldap.py |9 + 1 files changed, 9 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 42d9017..a4dff46 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -353,6 +353,13 @@ class LDAPMultiQuery(LDAPQuery): """ Base class for commands that need to retrieve one or more existing entries. """ +takes_options = ( +Flag('continuous', +cli_name='continuous', +doc=_('Continuous mode: Don\'t stop on errors.'), +), +) + def get_args(self): for key in self.obj.get_ancestor_primary_keys(): yield key @@ -594,6 +601,8 @@ class LDAPDelete(LDAPMultiQuery): if not delete_entry(pkey): result = False except errors.ExecutionError: +if not options.get('continuous', False): +raise failed.append(pkey) else: deleted.append(pkey) -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
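Review bot: in the LDAPDelete hunk, `if not options.get('continuous', False): raise` aborts on the first failing key after earlier keys in the same call have already been deleted, and the `deleted` list built so far is lost with the exception, so the caller cannot tell which entries are gone. Either report the keys deleted before the failure in the error, or document that a non-continuous multi-delete is not atomic. Declaring the flag with a bare `takes_options = (...)` on LDAPMultiQuery also means a subclass that sets its own takes_options without concatenating the base tuple silently drops it.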
[Freeipa-devel] [PATCH] Generate additional positional arguments for baseldap commands from takes_args.
takes_args defined in a baseldap subclass is now transformed into positional arguments that go after primary keys. Before this patch, takes_args in crud subclasses were ignored. example: --- snip --- class user_something(LDAPRetrieve): takes_args = ( Str('randomarg'), ) --- snip --- # ipa help something Usage: ipa [global-options] user-something LOGIN RANDOMARG Pavel >From b67b9f355a31278656285fb2082696b008cf41ef Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Tue, 5 Oct 2010 14:33:27 -0400 Subject: [PATCH 1/2] Generate additional positional arguments for baseldap commands from takes_args. --- ipalib/plugins/baseldap.py |8 1 files changed, 8 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index f6b98e2..42d9017 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -240,6 +240,8 @@ class LDAPCreate(CallbackInterface, crud.Create): yield key if self.obj.primary_key: yield self.obj.primary_key.clone(attribute=True) +for arg in super(crud.Create, self).get_args(): +yield arg def execute(self, *keys, **options): ldap = self.obj.backend @@ -343,6 +345,8 @@ class LDAPQuery(CallbackInterface, crud.PKQuery): yield key if self.obj.primary_key: yield self.obj.primary_key.clone(attribute=True, query=True) +for arg in super(crud.PKQuery, self).get_args(): +yield arg class LDAPMultiQuery(LDAPQuery): @@ -356,6 +360,8 @@ class LDAPMultiQuery(LDAPQuery): yield self.obj.primary_key.clone( attribute=True, query=True, multivalue=True ) +for arg in super(crud.PKQuery, self).get_args(): +yield arg class LDAPRetrieve(LDAPQuery): 
@@ -881,6 +887,8 @@ class LDAPSearch(CallbackInterface, crud.Search): for key in self.obj.get_ancestor_primary_keys(): yield key yield Str('criteria?') +for arg in super(crud.Search, self).get_args(): +yield arg def get_options(self): for option in super(LDAPSearch, self).get_options(): -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
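Review bot: the diffstat touches only baseldap.py, yet the patch changes the argument list of every command built on LDAPCreate, LDAPQuery, LDAPMultiQuery and LDAPSearch. Subclasses that override get_args themselves are not visited by these hunks and need to be checked against the new ordering, and the patch should come with a test that declares takes_args on a subclass and asserts the resulting positional order (primary keys first, then takes_args).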
[Freeipa-devel] [PATCH] Add flag to group-find to only search on private groups.
Ticket #251 Pavel >From 1bb54788dca503a7b6e25e2fc13a8852174a3827 Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Tue, 21 Sep 2010 13:03:40 -0400 Subject: [PATCH 1/3] Add flag to group-find to only search on private groups. Ticket #251 --- ipalib/plugins/group.py | 16 ++-- 1 files changed, 14 insertions(+), 2 deletions(-) diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py index 616eff2..b3b6747 100644 --- a/ipalib/plugins/group.py +++ b/ipalib/plugins/group.py @@ -184,7 +184,6 @@ class group_mod(LDAPUpdate): """ Modify a group. """ - msg_summary = _('Modified group "%(value)s"') takes_options = LDAPUpdate.takes_options + ( @@ -214,11 +213,24 @@ class group_find(LDAPSearch): """ Search for groups. """ - msg_summary = ngettext( '%(count)d group matched', '%(count)d groups matched', 0 ) +takes_options = LDAPSearch.takes_options + ( +Flag('privateonly', +cli_name='privateonly', +doc=_('search for private groups only'), +), +) + +def pre_callback(self, ldap, filter, attrs_list, base_dn, *args, **options): +if options['privateonly']: +objclass = ['posixGroup', 'mepManagedEntry'] +flt = ldap.make_filter_from_attr('objectclass', objclass) +filter = ldap.combine_filters([filter, flt], ldap.MATCH_ALL) +return filter + api.register(group_find) -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
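Review bot: `flt = ldap.make_filter_from_attr('objectclass', objclass)` is called without a rules argument, so whether the result requires both posixGroup and mepManagedEntry or either one depends on the helper's default. Pass ldap.MATCH_ALL explicitly, as the combine_filters call on the next line does. Also, `options['privateonly']` raises KeyError if the callback is ever reached without the option populated; options.get('privateonly', False) is safer.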
[Freeipa-devel] [PATCH] Add Delete capabilities to Search facet in the WebUI.
This depends on my patch number 25! It should apply without it, but deleting entries won't work properly. Ticket #206 Pavel >From 1b99aa86c0faddfa8253c97745a090410313269b Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Fri, 1 Oct 2010 12:40:30 -0400 Subject: [PATCH 3/3] Add Delete capabilities to Search facet in the WebUI. Ticket #206 --- install/static/search.js | 103 +++- ipalib/plugins/internal.py |8 +++- 2 files changed, 107 insertions(+), 4 deletions(-) diff --git a/install/static/search.js b/install/static/search.js index 59caf71..e97632b 100644 --- a/install/static/search.js +++ b/install/static/search.js @@ -34,6 +34,52 @@ function search_create(obj_name, scl, container) $.bbq.pushState(state); }; +function delete_on_click() { +var delete_list = []; +var delete_dialog = $('', { +title: ipa_messages.button.delete, +'class': 'search-dialog-delete', +}); + +function delete_on_click() { +ipa_cmd('del', delete_list, {}, delete_on_win, null, obj_name); +delete_dialog.dialog('close'); +}; + +function delete_on_win() { +for (var i = 0; i < delete_list.length; ++i) { +var chk = container.find( +'.search-selector[title=' + delete_list[i] + ']' +); +if (chk) +chk.closest('tr').remove(); +} +}; + +function cancel_on_click() { +delete_dialog.dialog('close'); +}; + +container.find('.search-selector').each(function () { +var jobj = $(this); +if (jobj.attr('checked')) +delete_list.push(jobj.attr('title')); +}); + +if (delete_list.length == 0) +return; + +delete_dialog.text(ipa_messages.search.delete_confirm); + +delete_dialog.dialog({ +modal: true, +buttons: { +'Delete': delete_on_click, +'Cancel': cancel_on_click, +}, +}); +}; + if (!container) { alert('ERROR: search_create: Second argument "container" missing!'); return; 
@@ -50,6 +96,8 @@ function search_create(obj_name, scl, container) jobj.children().last().attr('name', 'search-' + obj_name + '-filter') jobj.append(''); jobj.children().last().click(find_on_click); +jobj.append(''); +jobj.children().last().click(delete_on_click); div.append(''); var search_results = $('', { @@ -65,12 +113,45 @@ function search_create(obj_name, scl, container) search_table.append(''); var tr = search_table.find('tr'); +search_insert_checkbox_th(tr); for (var i = 0; i < scl.length; ++i) { var c = scl[i]; search_insert_th(tr, obj_name, c[0], c[1], c[2]); } } +function search_insert_checkbox_th(jobj) +{ +function select_all_on_click() { +var jobj = $(this); + +var checked = null; +if (jobj.attr('checked')) { +checked = true; +jobj.attr('title', 'Unselect All'); +} else { +checked = false; +jobj.attr('title', 'Select All'); +} +jobj.attr('checked', checked); + +var chks = jobj.closest('.search-container').find('.search-selector'); +for (var i = 0; i < chks.length; ++i) +chks[i].checked = checked; +}; + +var checkbox = $('', { +type: 'checkbox', +title: 'Select All', +}); +checkbox.click(select_all_on_click); + +var th = $(''); +th.append(checkbox); + +jobj.append(th); +} + var _search_th_template = 'N'; function search_insert_th(jobj, obj_name, attr, name, render_call) @@ -119,11 +200,16 @@ function search_load(jobj, criteria, on_win, on_fail) function search_generate_tr(thead, tbody, entry_attrs) { +var obj_name = tbody.closest('.search-container').attr('title'); +var pkey = ipa_objs[obj_name].primary_key; +var pkey_value = entry_attrs[pkey]; + tbody.append(''); var tr = tbody.children().last(); +search_generate_checkbox_td(tr, pkey_value); var ths = thead.find('th'); -for (var i = 0; i < ths.length; ++i) { +for (var i = 1; i < ths.length; ++i) { var jobj = $(ths[i]); var attr = jobj.attr('abbr'); var value = entry_attrs[attr]; @@ -137,7 +223,6 @@ function search_generate_tr(thead, tbody, entry
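Review bot: in delete_on_win the selector is built as `'.search-selector[title=' + delete_list[i] + ']'`, with the primary key concatenated unquoted into the attribute selector. A key containing a space, quote, bracket or other selector metacharacter makes the selector invalid or matches the wrong rows. Match on the attribute value instead, for example with a filter callback that compares `$(this).attr('title')` to the key. Two smaller points: the inner `function delete_on_click()` shadows the outer function of the same name, and ipa_cmd is called with null as the failure handler, so a failed delete is silent.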
[Freeipa-devel] [PATCH] Add LDAPMultiQuery base class and make it the base of LDAPDelete
In other words: make *-del commands accept 1 or more primary keys of entries to be deleted. We can now delete more entries at a time with a single command. Ticket #20 Pavel >From 1aabeb75114ef01ec23044031664f82ed0364825 Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Fri, 1 Oct 2010 12:35:27 -0400 Subject: [PATCH 2/3] Add LDAPMultiQuery base class and make it the base of LDAPDelete. In other words: make *-del commands accept 1 or more primary keys of entries to be deleted. Ticket #20 --- ipalib/plugins/baseldap.py | 98 +--- 1 files changed, 65 insertions(+), 33 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 1757a45..f6b98e2 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -345,6 +345,19 @@ class LDAPQuery(CallbackInterface, crud.PKQuery): yield self.obj.primary_key.clone(attribute=True, query=True) +class LDAPMultiQuery(LDAPQuery): +""" +Base class for commands that need to retrieve one or more existing entries. +""" +def get_args(self): +for key in self.obj.get_ancestor_primary_keys(): +yield key +if self.obj.primary_key: +yield self.obj.primary_key.clone( +attribute=True, query=True, multivalue=True +) + + class LDAPRetrieve(LDAPQuery): """ Retrieve an LDAP entry. @@ -512,7 +525,7 @@ class LDAPUpdate(LDAPQuery, crud.Update): raise exc -class LDAPDelete(LDAPQuery): +class LDAPDelete(LDAPMultiQuery): """ Delete an LDAP entry and all of its direct subentries. """ 
@@ -521,47 +534,66 @@ class LDAPDelete(LDAPQuery): def execute(self, *keys, **options): ldap = self.obj.backend -dn = self.obj.get_dn(*keys, **options) +def delete_entry(pkey): +nkeys = keys[:-1] + (pkey, ) +dn = self.obj.get_dn(*nkeys, **options) -for callback in self.PRE_CALLBACKS: -if hasattr(callback, 'im_self'): -dn = callback(ldap, dn, *keys, **options) -else: -dn = callback(self, ldap, dn, *keys, **options) +for callback in self.PRE_CALLBACKS: +if hasattr(callback, 'im_self'): +dn = callback(ldap, dn, *nkeys, **options) +else: +dn = callback(self, ldap, dn, *nkeys, **options) -def delete_subtree(base_dn): -truncated = True -while truncated: +def delete_subtree(base_dn): +truncated = True +while truncated: +try: +(subentries, truncated) = ldap.find_entries( +None, [''], base_dn, ldap.SCOPE_ONELEVEL +) +except errors.NotFound: +break +else: +for (dn_, entry_attrs) in subentries: +delete_subtree(dn_) try: -(subentries, truncated) = ldap.find_entries( -None, [''], base_dn, ldap.SCOPE_ONELEVEL -) -except errors.NotFound: -break +ldap.delete_entry(base_dn, normalize=self.obj.normalize_dn) +except errors.ExecutionError, e: +try: +self._call_exc_callbacks( +nkeys, options, e, ldap.delete_entry, base_dn, +normalize=self.obj.normalize_dn +) +except errors.NotFound: +self.obj.handle_not_found(*nkeys) + +delete_subtree(dn) + +for callback in self.POST_CALLBACKS: +if hasattr(callback, 'im_self'): +result = callback(ldap, dn, *nkeys, **options) else: -for (dn_, entry_attrs) in subentries: -delete_subtree(dn_) -try: -ldap.delete_entry(base_dn, normalize=self.obj.normalize_dn) -except errors.ExecutionError, e: -try: -self._call_exc_callbacks( -keys, options, e, ldap.delete_entry, base_dn, -normalize=self.obj.normalize_dn -) -except errors.NotFound: -self.obj.handle_not_found(*keys) +result = callback(self, ldap, dn, *nkeys, **options) -delete_subtree(dn) +return result -for callback in self.POST_CALLBACKS: -if hasattr(callback, 'im_self'): -result = callback(ldap, dn, *
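Review bot: In the @@ -512,7 +525,7 @@ hunk, LDAPDelete is rebased onto LDAPMultiQuery but its docstring still reads "Delete an LDAP entry and all of its direct subentries." Update it to say that the command accepts one or more primary keys, since that is now the user-visible contract of every *-del command.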
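Review bot: In the @@ -521,47 +534,66 @@ hunk, the new delete_entry() assigns result only inside the POST_CALLBACKS loop and then does "return result", so in the lines shown an empty callback list would raise UnboundLocalError; initialise result before the loop. Each callback also overwrites result, so only the last one's return value survives, which is worth a comment if intended. Because entries are now deleted one key at a time, a failure on a later key (for example the NotFound path through handle_not_found(*nkeys)) leaves the earlier entries already deleted; the return value or the raised error should make clear which keys were removed. A short comment on nkeys = keys[:-1] + (pkey, ) would help too, since it relies on the multivalue primary key always being the last positional argument.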
Re: [Freeipa-devel] [PATCH] Modal dialog for enrollment
On 09/23/2010 01:04 AM, Endi Sukma Dewata wrote:

Hi, Please review the attached patch. Thanks!

The enroll facet has been converted into a dialog box. This dialog box will appear when the user clicks the enroll button above the association list. When the user clicks the enroll button in the dialog box, the new associations will be created, then the list will be refreshed to show the changes.

The SerialAssociator and BulkAssociator have been modified to accept an on_success function which will be called when the whole operation is completed successfully. This is used to refresh the list and close the dialog box appropriately. Some other changes were also made to improve code clarity.

-- Endi S. Dewata

ACK.

Pavel

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] admiyo-freeipa-0036-links-and-facet-icons.patch
On 09/18/2010 02:36 AM, Adam Young wrote:

This patch makes use of the previous patch to put the icons in the facets and quick links.

It looks OK, but I can't test it because the required patch 30 doesn't apply for me.

Pavel
Re: [Freeipa-devel] [PATCH] admiyo-freeipa-0030-moved-images-up.patch
On 09/17/2010 04:38 PM, Adam Young wrote:

moved images up

Adding an 'images' subdir was proliferating changes throughout the build system; this seemed easier. Submitted as a separate patch to signify where we are departing from what is generated by theme-roller.

Doesn't apply for me. Missing some image files and doesn't apply on jquery-ui.css. I applied all your patches I could find before this one, but I can't find number 28 on the list. Maybe that's the reason.

Pavel
Re: [Freeipa-devel] [PATCH] Icons
On 09/18/2010 02:35 AM, Adam Young wrote:

These are just place holder icons until we get the official ones from UXD. They look roughly like the finished product, but have some rough points. They will be used by the next patch to generate the quick links and facets. This is a huge patch, but it is all binary files.

ACK.

Pavel
Re: [Freeipa-devel] [PATCH] admiyo-freeipa-0033-pointer-cursor-for-facets.patch
On 09/17/2010 04:43 PM, Adam Young wrote:

Changes the mouse icon for facets to the pointer, signifying clickability.

ACK.

Pavel