Re: [Freeipa-devel] [PATCH] Add a new user-add flag param to disable the creation of UPG.

2011-04-08 Thread Pavel Zuna

On 04/04/2011 03:47 PM, Simo Sorce wrote:

On Mon, 28 Mar 2011 15:27:46 -0700
Nathan Kinder  wrote:


On 03/28/2011 03:20 PM, Dmitri Pal wrote:

On 03/28/2011 04:38 PM, Pavel Zůna wrote:

This patch handles the issue in a kind of stupid way, but I
couldn't think of anything better.

It adds a new flag parameter to user-add (--noprivate). With this
flag, the command marks the private group about to be created for
deletion, and the group is deleted after the user is created. The only
exception is when there is a group that is named the same way as
the user but isn't a private group; then the group is left there.

Private groups are created automatically by the managed entry DS
plugin and I didn't find a way to disable its creation for a
specific user.


The idea that comes to mind is to define some magical attribute
that the DS plugin would recognize and skip the creation of the
managed entry as well as strip the entry of this magic
attribute/value. I remember that other plugins might take advantage
of the similar approach.

Is something like this possible?

You are probably thinking of the DNA plug-in and its use of a magic
value used to tell the plug-in to allocate a value from a range.  I
would not like to use this approach here, as it requires additional
coding and complexity that I don't think is needed.

I would prefer that we use the originFilter to deal with this.  We
could have an auxiliary objectclass that IPA usually adds when
creating an IPA user.  The originFilter can key off of this
objectclass to create managed groups.  When a user is added with the
--noprivate option, this objectclass is not included in the user
entry that is added.  Rob and I discussed this approach on IRC
earlier today.


Ack, this sounds like a better approach, although it doesn't
necessarily need to be an objectclass; it can also be an attribute with
a specific value that is checked in the filter as (!(attrib=value)).

Simo.



New patch with new approach attached.

It sets the checked filter to:
(&(objectclass=posixAccount)(!(description=__no_upg__)))

If a user entry is created with the description attribute equal to the string 
"__no_upg__", the DS plugin will not trigger and no UPG is going to be created.


After this patch, the user-add plugin adds this description attribute 
(NO_UPG_MAGIC = "__no_upg__") in the pre_callback and deletes it in the 
post_callback if necessary.


I think the description attribute is the best choice, because it's part of the 
posixAccount objectClass and we don't use it for anything on user entries.


Pavel
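
The filter check described in this message, as an added example that is not part of the original post and is not FreeIPA or 389-ds code: a small evaluator for the subset of LDAP filter syntax the new originFilter uses, run over constructed entries. It assumes case-insensitive matching of attribute names and values, which is what the standard matching rules for objectClass and description specify, and it does not handle escaped characters in values.

```python
# Added illustration. The entries below are constructed sample data.
ORIGIN_FILTER = "(&(objectclass=posixAccount)(!(description=__no_upg__)))"


def parse_filter(text):
    """Parse the RFC 4515 subset used above: &, |, ! and attr=value."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data at offset %d" % pos)
    return node


def _parse(s, i):
    if s[i:i + 1] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    op = s[i:i + 1]
    if op in ("&", "|"):
        i += 1
        kids = []
        while s[i:i + 1] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if not kids:
            raise ValueError("empty %s list" % op)
        node = (op, kids)
    elif op == "!":
        kid, i = _parse(s, i + 1)
        node = ("!", [kid])
    else:
        end = s.find(")", i)
        if end == -1:
            raise ValueError("unterminated filter item at offset %d" % i)
        attr, sep, value = s[i:end].partition("=")
        if not sep or not attr:
            raise ValueError("bad filter item at offset %d" % i)
        node = ("=", attr.lower(), value.lower())
        i = end
    if s[i:i + 1] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return node, i + 1


def matches(node, entry):
    """Evaluate a parsed filter against an entry given as {attr: [values]}."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, wanted = node
    have = [v.lower() for name, vals in entry.items()
            if name.lower() == attr for v in vals]
    return wanted in have


def upg_would_be_created(entry, origin_filter=ORIGIN_FILTER):
    """True if the entry matches the originFilter, i.e. the plugin fires."""
    return matches(parse_filter(origin_filter), entry)


SAMPLE_ENTRIES = {  # constructed
    "plain user": {"objectClass": ["top", "posixAccount"], "uid": ["alice"]},
    "magic value": {"objectClass": ["posixAccount"],
                    "description": ["__no_upg__"]},
    # description is matched case-insensitively, so this also opts out
    "magic value, upper case": {"objectClass": ["posixAccount"],
                                "description": ["__NO_UPG__"]},
    # one matching value among several is enough for the equality test
    "magic among other values": {"objectClass": ["posixAccount"],
                                 "description": ["Build account",
                                                 "__no_upg__"]},
    "ordinary description": {"objectClass": ["posixAccount"],
                             "description": ["Build account"]},
    "not a posixAccount": {"objectClass": ["top", "person"],
                           "cn": ["printer"]},
}


def demo():
    return {name: upg_would_be_created(entry)
            for name, entry in SAMPLE_ENTRIES.items()}


if __name__ == "__main__":
    for name, fires in demo().items():
        print("%-26s UPG created: %s" % (name, fires))
```
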
From 57f3b82bc4b3180a8b0a27733cc0632b813a7736 Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Mon, 28 Mar 2011 15:10:57 -0400
Subject: [PATCH] Add a new user-add flag param to disable the creation of UPG.

Ticket #1131
---
 install/share/user_private_groups.ldif |2 +-
 ipalib/plugins/user.py |   53 ---
 2 files changed, 42 insertions(+), 13 deletions(-)

diff --git a/install/share/user_private_groups.ldif b/install/share/user_private_groups.ldif
index 9df729a..41a78ba 100644
--- a/install/share/user_private_groups.ldif
+++ b/install/share/user_private_groups.ldif
@@ -15,7 +15,7 @@ changetype: add
 objectclass: extensibleObject
 cn: UPG Definition
 originScope: cn=users,cn=accounts,$SUFFIX
-originFilter: objectclass=posixAccount
+originFilter: (&(objectclass=posixAccount)(!(description=__no_upg__)))
 managedBase: cn=groups,cn=accounts,$SUFFIX
 managedTemplate: cn=UPG Template,cn=etc,$SUFFIX
 
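Review bot: the changed `originFilter:` line sits in an entry applied with `changetype: add`, and the diffstat touches only this template and ipalib/plugins/user.py, so a server that already has the UPG Definition entry would keep `objectclass=posixAccount` and `--noprivate` would have no effect there. Consider shipping an update for existing installs alongside this template change.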
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 9015144..9a658a9 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -63,6 +63,9 @@ from ipalib import _, ngettext
 from ipalib.request import context
 from time import gmtime, strftime
 
+
+NO_UPG_MAGIC = '__no_upg__'
+
 def validate_nsaccountlock(entry_attrs):
 if 'nsaccountlock' in entry_attrs:
 if not isinstance(entry_attrs['nsaccountlock'], basestring):
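Review bot: `NO_UPG_MAGIC` is added without a comment, while the same literal is hard-coded in the originFilter in install/share/user_private_groups.ldif. A short comment above the constant saying that it must match that filter, and that a user entry carrying this description value gets no private group, would keep the two from drifting apart.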
@@ -70,6 +73,7 @@ def validate_nsaccountlock(entry_attrs):
 if entry_attrs['nsaccountlock'].lower() not in ('true','false'):
 raise errors.ValidationError(name='nsaccountlock', error='must be TRUE or FALSE')
 
+
 class user(LDAPObject):
 """
 User object.
@@ -250,22 +254,35 @@ class user_add(LDAPCreate):
 """
 Add a new user.
 """
-
 msg_summary = _('Added user "%(value)s"')
 
+takes_options = LDAPCreate.takes_args + (
+Flag('noprivate',
+cli_name='noprivate',
+doc=_('don\'t create user private group'),
+),
+)
+
 def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
-try:
-# The Managed Entries plugin will allow a user 
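Review bot: `takes_options = LDAPCreate.takes_args + (` builds the option tuple from the parent's positional arguments rather than its options; presumably `LDAPCreate.takes_options + (` was intended, otherwise the options the base class defines are not carried over to user-add. As a style point, the `doc` string reads more cleanly as `_("don't create user private group")` than with the escaped quote.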

Re: [Freeipa-devel] [PATCH] Validate/Normalize user attributes if set using krbtpolicy set/add-attr.

2011-04-07 Thread Pavel Zuna

On 04/06/2011 05:08 PM, Pavel Zuna wrote:

Ticket #744

Pavel



New fixed version of patch attached.

Pavel
From c61c329c1fd4f806a64f4fa6b660b0baeea38377 Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Wed, 6 Apr 2011 09:08:03 -0400
Subject: [PATCH] Validate/Normalize user attributes if set using krbtpolicy set/add-attr.

Ticket #744
---
 ipalib/plugins/krbtpolicy.py |   20 
 ipalib/plugins/user.py   |1 +
 2 files changed, 21 insertions(+), 0 deletions(-)

diff --git a/ipalib/plugins/krbtpolicy.py b/ipalib/plugins/krbtpolicy.py
index c9d86ea..8cefc90 100644
--- a/ipalib/plugins/krbtpolicy.py
+++ b/ipalib/plugins/krbtpolicy.py
@@ -83,6 +83,10 @@ class krbtpolicy(LDAPObject):
 label=_('User name'),
 doc=_('Manage ticket policy for specific user'),
 primary_key=True,
+pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$',
+pattern_errmsg='may only include letters, numbers, _, -, . and $',
+maxlength=255,
+normalizer=lambda value: value.lower(),
 ),
 Int('krbmaxticketlife?',
 cli_name='maxlife',
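Review bot: the `pattern` added to the user name parameter accepts at most 254 characters (one leading character, up to 252 in the middle, one optional trailing character), so `maxlength=255` can never be the limit that triggers; the two should agree. `pattern_errmsg` also leaves out the positional rules the pattern enforces (no leading `-` or `$`, `$` only as the last character), so a rejected name such as `-foo` gets a message that lists `-` as allowed.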
@@ -96,6 +100,14 @@ class krbtpolicy(LDAPObject):
 doc=_('Maximum renewable age (seconds)'),
 minvalue=1,
 ),
+Int('uidnumber?',
+minvalue=1,
+flags=['no_create', 'no_update', 'no_search'],
+),
+Int('gidnumber?',
+minvalue=1,
+flags=['no_create', 'no_update', 'no_search'],
+),
 )
 
 def get_dn(self, *keys, **kwargs):
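Review bot: the new `uidnumber?` and `gidnumber?` parameters have no `label` or `doc`, and nothing explains why a ticket policy object declares POSIX ID attributes. Since all of `no_create`, `no_update` and `no_search` are set, a comment stating that they exist only so that values passed through set/add-attr are validated would help the next reader.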
@@ -115,6 +127,14 @@ class krbtpolicy_mod(LDAPUpdate):
 #  ticket policies are attached to objects with unrelated attributes
 if options.get('all'):
 options['all'] = False
+if keys[-1] is not None:
+# we're modifying an user entry and it's possible to change its
+# attribute unrelated to ticket policy using --{set,add}-attr
+# we need to validate/normalize them here:
+if 'mail' in entry_attrs:
+entry_attrs['mail'] = self.api.Object['user']._normalize_email(
+entry_attrs['mail']
+)
 return dn
 
 api.register(krbtpolicy_mod)
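Review bot: in the `keys[-1] is not None` branch only `mail` is normalized, although the comment says any user attribute unrelated to ticket policy can be changed through --{set,add}-attr; either cover the other user attributes that have normalizers or narrow the comment to say that mail is the only one handled. The call also reaches into the private `_normalize_email` of the user object from another plugin, so exposing it under a public name would make the dependency explicit. Nit: "an user" in the comment should be "a user".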
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index e71c21b..d18ba18 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -176,6 +176,7 @@ class user(LDAPObject):
 label=_('GID'),
 doc=_('Group ID Number'),
 default_from=lambda uid: uid,
+minvalue=1,
 ),
 Str('street?',
 cli_name='street',
-- 
1.7.4

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] Validate/Normalize user attributes if set using krbtpolicy set/add-attr.

2011-04-06 Thread Pavel Zuna

Ticket #744

Pavel


freeipa-pzuna-89-validatekrbt.patch
Description: application/mbox

[Freeipa-devel] [PATCH] Fix gidnumber option of user-add command.

2011-03-28 Thread Pavel Zuna
With this patch, the gidNumber is set automatically only if it wasn't specified 
explicitly by the user.


Ticket #1127

Pavel


freeipa-pzuna-87-fixgidnumber.patch
Description: application/mbox

Re: [Freeipa-devel] [PATCH] 752 fix SELinux AVCs

2011-03-15 Thread Pavel Zuna

On 03/14/2011 09:33 PM, Rob Crittenden wrote:

Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance.

This fixes 2 AVCS:

* One because we are enabling port 7390 because an SSL port must be
defined to use TLS on 7389.
* We were symlinking to the main IPA 389-ds NSS certificate database.
Instead generate a separate NSS database and certificate and have
certmonger track it separately

I also noticed some variable inconsistency in cainstance.py. Everywhere
else we use self.fqdn and that was using self.host_name. I found it
confusing so I fixed it.

ticket 1085



ACK!!

Pavel



Re: [Freeipa-devel] [PATCH] 039 Wait for Directory Server ports to open

2011-03-15 Thread Pavel Zuna

On 03/14/2011 06:03 PM, Martin Kosek wrote:

I know this is a 2.1 ticket, but the patch is probably also a solution
of #1047 - a 2.0.5 bucket critical bug.


When Directory Server operation is run right after the server restart
the listening ports may not be opened yet. This makes the installation
fail.

This patch fixes this issue by waiting for both secure and insecure
Directory Server ports to open after every restart.

https://fedorahosted.org/freeipa/ticket/1076



ACK.

Seems to also fix #1047, as I couldn't reproduce after this patch was applied.

Pavel



Re: [Freeipa-devel] [PATCH] Fix error in user plugin email normalizer for empty --setattr=mail=.

2011-03-03 Thread Pavel Zuna

On 03/03/2011 04:23 PM, Pavel Zuna wrote:

An exception was raised when you tried to reset user email addresses and
setting new ones using:

ipa user-add SOMEUSER --setattr=mail= --addattr=mail=someu...@redhat.com

Pavel




Just a correction: The example above should read 'ipa user-mod ...' ofc.

Pavel



[Freeipa-devel] [PATCH] Fix error in user plugin email normalizer for empty --setattr=mail=.

2011-03-03 Thread Pavel Zuna
An exception was raised when you tried to reset user email addresses and setting 
new ones using:


ipa user-add SOMEUSER --setattr=mail= --addattr=mail=someu...@redhat.com

Pavel


freeipa-pzuna-85-fixemailnorm.patch
Description: application/mbox

Re: [Freeipa-devel] [PATCH] 065 Replace only if old and new have nothing in common

2011-03-03 Thread Pavel Zuna

On 03/02/2011 08:50 PM, Jakub Hrozek wrote:

On Wed, Feb 23, 2011 at 12:36:06PM -0500, Rob Crittenden wrote:

Jakub Hrozek wrote:


On 02/23/2011 04:47 PM, Rob Crittenden wrote:

Jakub Hrozek wrote:

Replace only if old and new have nothing in common



This has problems when removing the last member. There are no adds, rems
has a single value (the member being removed). The intersection is 0 so
force_replace gets set to True and nothing ends up getting done.

I added a len(v) > 0 to this conditional and it seems to work. I also
added a small test case based on Endi's initial report. I'm getting a
100% test pass rate.

rob


I hit one more problem with the patch, although I'm not entirely sure
how is that possible - when a user is renamed, his memberof becomes
indirect memberof:

# ipa user-mod --rename test2 test
- 
Modified user "test"
- 
   User login: test2
   First name: Test
   Last name: User
   Home directory: /home/test
   Login shell: /bin/sh
   Account disabled: False
   Indirect Member of group: ipausers


I think this is another timing issue with 389-ds postop plugins,
this time the referential integrity plugin. I don't think this is
related to this change.

We start with:

dn: uid=test, ...
uid: test
memberOf: ipausers

dn: cn=ipausers, ...
cn: ipausers
member: uid=test,...

When we do the rename we immediately end up with:

dn: uid=test2, ..
uid: test2
memberOf: ipausers

dn: cn=ipausers, ...
cn: ipausers
member: uid=test, ...

We determine indirect membership by comparing the user's memberOf
with the results of a query for member=uid=test2

If the refint plugin hasn't updated the ipausers group by the time
we do the query the user will appear to be an indirect member.

rob


OK, you're probably right, I can't reproduce the issue anymore.

This patch has an ACK from me. Since this is a very low-level change
at a late stage, I have asked Martin to take a second look.

 Jakub



Tested a few corner cases and it seems to be cool. ACK from me too.

Pavel



Re: [Freeipa-devel] Localization patches.

2011-02-28 Thread Pavel Zuna

On 02/23/2011 07:09 PM, Pavel Zůna wrote:

On 2011-02-22 20:16, Rob Crittenden wrote:

Pavel Zůna wrote:

On 2011-02-17 22:52, Rob Crittenden wrote:

Pavel Zůna wrote:

On 2011-02-17 05:09, Rob Crittenden wrote:

Pavel Zůna wrote:

My efforts in fixing localization all around the framework and
preparing it for localizing docstrings have resulted in a lot of
patches. Because I understand they have become a bit hard to track, I
decided to post them all together in this thread to make review easier.

After this is committed, there will be one more patch that switches
xgettext for pygettext. Then hopefully, we'll be pretty much set when it
comes to i18n.

Pavel


Patch 81 isn't applying for me.

Help is not working for me either, this is due to patch 80.

$ ipa help user
ipa: ERROR: NameError: global name '_' is not defined
Traceback (most recent call last):
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1087, in run
    api.finalize()
  File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 619, in finalize
    plugin_iter(base, (magic[k] for k in magic))
  File "/home/rcrit/redhat/freeipa-version/ipalib/base.py", line 397, in __init__
    sorted(members, key=lambda m: getattr(m, name_attr))
  File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 608, in plugin_iter
    plugins[klass] = PluginInstance(klass)
  File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 585, in __init__
    self.instance = klass()
  File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 184, in __init__
    self.doc = _(inspect.getdoc(cls))
NameError: global name '_' is not defined
ipa: ERROR: an internal error has occurred

Patches 69, 71 and 73 are still working fine.

What is switching from xgettext to pygettext going to do?


This was answered by John Dennis: xgettext doesn't parse python docstrings.



rob


Rebased version of 81 attached. It should also fix the traceback you're
getting.

Pavel


Something is still not working. I'm having a hard time reproducing how I
got this but with LANG=es_US.UTF-8 for a while I was getting this with
every ipa user-* request:

ipa: ERROR: UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in position 20: ordinal not in range(128)
Traceback (most recent call last):
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1090, in run
    sys.exit(api.Backend.cli.run(argv))
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 917, in run
    rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, **options)
  File "/home/rcrit/redhat/freeipa-version/ipalib/frontend.py", line 953, in output_for_cli
    textui.print_entries(result, order, labels, flags, print_all)
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 346, in print_entries
    self.print_entry(entry, order, labels, flags, print_all, format, indent)
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 378, in print_entry
    label, value, format, indent, one_value_per_line
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 309, in print_attribute
    self.print_indented(format % (attr, text[0]), indent)
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 232, in print_indented
    print (CLI_TAB * indent + text)
UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in position 20: ordinal not in range(128)
ipa: ERROR: ha ocurrido un error interno

I think it is blowing up on this user:

User login: jose
First name: Jose
Last name: contraseñas
Home directory: /home/jose
Login shell: /bin/sh
Account disabled: TRUE
Member of groups: ipausers

Then all of a sudden things started working fine, so I'm not sure what's
going on.

Is this traceback meaningful to you?

rob


This looks like a bug in the textui backend.

You get this error when you do something like this:

>>> a = u'\xf1'
>>> a.decode('utf-8')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.6/encodings/utf_8.py", line 16, in decode
    return codecs.utf_8_decode(input, errors, True)
UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in position 0: ordinal not in range(128)

It means we're not handling encoding/decoding from/to the CLI right
somewhere.

The character \xf1 corresponds to the small N with tilde in Jose's last
name.

I'm going to look into it, but I don't think it's related to the
localization patches.

Pavel


I'm seeing 2 test failures:


==
FAIL: Test the `ipalib.plugable.Plugin.__init__` method.
--
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/nose/case.py", line 186, in
runTest
self.test(*self.arg)
File
"/home/rcrit/redhat/freeipa-tests/tests/test_ipalib/test_plugable.py",
line 237, in test_init
assert o.summary == 'Do sub-classy things.'
AssertionError

==
FAIL: Test gettext translation
---

Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.

2011-02-25 Thread Pavel Zuna

On 02/23/2011 11:53 PM, Simo Sorce wrote:

On Wed, 23 Feb 2011 23:41:33 +0100
Pavel Zůna  wrote:


On 2011-02-15 16:36, JR Aquino wrote:

On 2/15/11 6:52 AM, "Simo Sorce"   wrote:


On Tue, 15 Feb 2011 15:19:50 +0100
Pavel Zuna   wrote:


I can't reproduce this. :-/

For me it goes fine:

[root@ipadev tools]# ./ipa-nis-manage enable
Directory Manager password:

Enabling plugin
This setting will not take effect until you restart Directory
Server. The rpcbind service may need to be started.



Pavel,
Jr has set the minimum ssf to a non default value to test a
configuration in which all communications are required to be
encrypted. That's why you can't reproduce with the vanilla
configuration.

We want to support that mode although it won't be the default, so
we need to fix any issue that causes that configuration to break
(ie all non-encrypted/non-ldapi connections).

Simo.

--
Simo Sorce * Red Hat, Inc * New York



The best way to do this is:

-=-
service ipa stop
Edit /etc/dirsrv/slapd-DOMAIN/dse.ldif

Change:
nsslapd-minssf: 0

To:
nsslapd-minssf: 56 <- 56 is chosen because SASL communicates a 56bit
handshake even though we utilize a much stronger cipher... (It is a
known bug/feature)

service ipa start



I tried to use the LDAPUpdate class (ipaserver/install/ldapupdate.py)
with ldapi=True, but it raises a NotFound exception when trying to
call IPAdmin.do_external_bind() (ipaserver/ipaldap.py). This
exception originates in IPAdmin.__lateinit() when trying to retrieve
this

cn=config,cn=ldbm database,cn=plugins,cn=config

For some reason it looks like this entry is inaccessible when doing a
SASL EXTERNAL bind as root.

I can retrieve the entry as "cn=directory manager":



[root@vm-090 freeipa]# ldapsearch -D "cn=directory manager" -W -H ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b "cn=config,cn=ldbm database,cn=plugins,cn=config" -s one
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base  with scope oneLevel
# filter: (objectclass=*)
# requesting: ALL
#

# default indexes, config, ldbm database, plugins, config
dn: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: default indexes

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1




but not as root:



[root@vm-090 freeipa]# ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b "cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# SNMP, config
dn: cn=SNMP,cn=config
objectClass: top
objectClass: nsSNMP
cn: SNMP
nsSNMPEnabled: on

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 2.16.840.1.113730.3.4.9
cn: VLV Request Control

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2


I'm not sure what the problem is, I tried setting different SASL
security properties, but nothing helped. :( Next step is to analyze
DS logs, but before I do that, I wanted to ask if anyone has any tips
on what the solution might be.


We have very strict ACIs when using EXTERNAL SASL as root.
Is there any reason you need to operate as root?
You can also authenticate with SIMPLE (Dir Mgr credentials), or
SASL/GSSAPI if you have credentials.

If you need to run unattended as root then we may need to make
root+SASL/EXTERNAL more powerful but I'd like to understand exactly why
you need that and can't use regular authentication with DirMgr or
GSSAPI credentials.

Simo.



Thanks for advice! New version of the patch attached.

Pavel


freeipa-pzuna-78-4-toolsldapi.patch
Description: application/mbox

Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.

2011-02-24 Thread Pavel Zuna

On 02/23/2011 11:53 PM, Simo Sorce wrote:

On Wed, 23 Feb 2011 23:41:33 +0100
Pavel Zůna  wrote:


On 2011-02-15 16:36, JR Aquino wrote:

On 2/15/11 6:52 AM, "Simo Sorce"   wrote:


On Tue, 15 Feb 2011 15:19:50 +0100
Pavel Zuna   wrote:


I can't reproduce this. :-/

For me it goes fine:

[root@ipadev tools]# ./ipa-nis-manage enable
Directory Manager password:

Enabling plugin
This setting will not take effect until you restart Directory
Server. The rpcbind service may need to be started.



Pavel,
Jr has set the minimum ssf to a non default value to test a
configuration in which all communications are required to be
encrypted. That's why you can't reproduce with the vanilla
configuration.

We want to support that mode although it won't be the default, so
we need to fix any issue that causes that configuration to break
(ie all non-encrypted/non-ldapi connections).

Simo.

--
Simo Sorce * Red Hat, Inc * New York



The best way to do this is:

-=-
service ipa stop
Edit /etc/dirsrv/slapd-DOMAIN/dse.ldif

Change:
nsslapd-minssf: 0

To:
nsslapd-minssf: 56 <- 56 is chosen because SASL communicates a 56bit
handshake even though we utilize a much stronger cipher... (It is a
known bug/feature)

service ipa start



I tried to use the LDAPUpdate class (ipaserver/install/ldapupdate.py)
with ldapi=True, but it raises a NotFound exception when trying to
call IPAdmin.do_external_bind() (ipaserver/ipaldap.py). This
exception originates in IPAdmin.__lateinit() when trying to retrieve
this

cn=config,cn=ldbm database,cn=plugins,cn=config

For some reason it looks like this entry is inaccessible when doing a
SASL EXTERNAL bind as root.

I can retrieve the entry as "cn=directory manager":



[root@vm-090 freeipa]# ldapsearch -D "cn=directory manager" -W -H ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b "cn=config,cn=ldbm database,cn=plugins,cn=config" -s one
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base  with scope oneLevel
# filter: (objectclass=*)
# requesting: ALL
#

# default indexes, config, ldbm database, plugins, config
dn: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: default indexes

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1




but not as root:



[root@vm-090 freeipa]# ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b "cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# SNMP, config
dn: cn=SNMP,cn=config
objectClass: top
objectClass: nsSNMP
cn: SNMP
nsSNMPEnabled: on

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 2.16.840.1.113730.3.4.9
cn: VLV Request Control

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2


I'm not sure what the problem is, I tried setting different SASL
security properties, but nothing helped. :( Next step is to analyze
DS logs, but before I do that, I wanted to ask if anyone has any tips
on what the solution might be.


We have very strict ACIs when using EXTERNAL SASL as root.
Is there any reason you need to operate as root?
You can also authenticate with SIMPLE (Dir Mgr credentials), or
SASL/GSSAPI if you have credentials.

If you need to run unattended as root then we may need to make
root+SASL/EXTERNAL more powerful but I'd like to understand exactly why
you need that and can't use regular authentication with DirMgr or
GSSAPI credentials.

Simo.



I need it for IPA tools like ipa-nis-manage. SIMPLE bind is probably not good 
enough because of the SSF requirements and I'm not sure if it's OK to require a 
Kerberos ticket to run them.


Pavel


[Freeipa-devel] [PATCH] Fix setattr mail bug in user plugin.

2011-02-15 Thread Pavel Zuna
The email normalizer expects a list or tuple, but when using setattr it gets a
string and iterates on it as if it was a list/tuple.


Before patch:

[root@ipadev freeipa]# ./ipa user-mod testuser --setattr 
mail=testu...@example.com

Modified user "testuser"

  User login: testuser
  First name: f
  Last name: l
  Home directory: /home/testuser
  Login shell: /bin/sh
  Email address: c@pzuna, @, x@pzuna, o@pzuna, .@pzuna, t@pzuna, e@pzuna, 
s@pzuna, r@pzuna, a@pzuna, m@pzuna, p@pzuna, u@pzuna, l@pzuna

  Account disabled: False
  Member of groups: ipausers


Pavel


freeipa-pzuna-79-normemail.patch
Description: application/mbox
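
The failure described in this message, and the empty `--setattr=mail=` case from the 2011-03-03 thread above, as an added example that is not part of the original posts and is not FreeIPA's code. The function names and the default domain are hypothetical; the first function reproduces the per-character behaviour shown in the "Before patch" output, the second accepts a scalar, a list or an empty value.

```python
# Added illustration; names and DEFAULT_DOMAIN are hypothetical.
DEFAULT_DOMAIN = "example.test"


def _qualify(value, default_domain):
    """Append the default domain to a value that has no '@'."""
    return value if "@" in value else value + "@" + default_domain


def normalize_email_unsafe(mail, default_domain=DEFAULT_DOMAIN):
    """Assumes `mail` is a list or tuple of addresses.

    A bare string also satisfies the for loop, so every character is
    treated as a separate address and gets the domain appended.
    """
    return [_qualify(m, default_domain) for m in mail]


def normalize_email(mail, default_domain=DEFAULT_DOMAIN):
    """Accept None, one string, or a list/tuple; return a list of addresses."""
    if mail is None:
        return []
    if isinstance(mail, (str, bytes)):
        mail = [mail]                  # setattr delivers a single scalar
    result = []
    for m in mail:
        if isinstance(m, bytes):
            m = m.decode("utf-8")
        if not isinstance(m, str):
            raise TypeError("mail values must be strings, got %r" % type(m))
        m = m.strip()
        if not m:                      # "mail=" with no value clears it
            continue
        if m.count("@") > 1 or m.startswith("@") or m.endswith("@"):
            raise ValueError("malformed address: %r" % m)
        result.append(_qualify(m, default_domain))
    return result


def demo():
    scalar = "testuser@corp.example"   # constructed setattr value
    return {
        "unsafe, scalar": sorted(set(normalize_email_unsafe(scalar))),
        "safe, scalar": normalize_email(scalar),
        "safe, list": normalize_email(["alice", "bob@corp.example"]),
        "safe, empty": normalize_email(""),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```
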

Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.

2011-02-15 Thread Pavel Zuna

On 02/14/2011 04:56 PM, JR Aquino wrote:

On 2/10/11 2:42 AM, "Pavel Zuna"  wrote:


On 02/08/2011 01:06 PM, Pavel Zuna wrote:

The patch also corrects exception handling in some of the tools.

Fix #874

Pavel



Updated patch attached. Forgot to rename an identifier in exception
handling.

Pavel


NACK

It looks like LDAPUpdate calls may want to include ldapi=True?

-=-
# ipa-nis-manage enable
Directory Manager password:

Enabling plugin
Traceback (most recent call last):
  File "/usr/sbin/ipa-nis-manage", line 211, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-nis-manage", line 151, in main
    ld = LDAPUpdate(dm_password=dirman_password, sub_dict={})
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 101, in __init__
    conn.do_simple_bind(bindpw=self.dm_password)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 350, in do_simple_bind
    self.simple_bind_s(binddn, bindpw)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
    return f(*args, **kargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 207, in simple_bind_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 181, in inner
    objtype, data = f(*args, **kargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 436, in result
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
    return f(*args, **kargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 440, in result2
    res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
    return f(*args, **kargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 446, in result3
    ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
    return f(*args, **kargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
ldap.UNWILLING_TO_PERFORM: {'info': 'Minimum SSF not met.', 'desc': 'Server is unwilling to perform'}



I can't reproduce this. :-/

For me it goes fine:

[root@ipadev tools]# ./ipa-nis-manage enable
Directory Manager password:

Enabling plugin
This setting will not take effect until you restart Directory Server.
The rpcbind service may need to be started.


Pavel



Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.

2011-02-15 Thread Pavel Zuna

On 02/14/2011 04:53 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

On 02/08/2011 01:06 PM, Pavel Zuna wrote:

The patch also corrects exception handling in some of the tools.

Fix #874

Pavel



Updated patch attached. Forgot to rename an identifier in exception
handling.

Pavel


This isn't applying cleanly to master, can you rebase it?

rob


Rebased patch attached.

Pavel


freeipa-pzuna-78-3-toolsldapi.patch
Description: application/mbox

Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.

2011-02-10 Thread Pavel Zuna

On 02/08/2011 01:06 PM, Pavel Zuna wrote:

The patch also corrects exception handling in some of the tools.

Fix #874

Pavel



Updated patch attached. Forgot to rename an identifier in exception handling.

Pavel


freeipa-pzuna-78-2-toolsldapi.patch
Description: application/mbox

Re: [Freeipa-devel] [PATCH] 050 Fix migration page

2011-02-09 Thread Pavel Zuna

On 02/09/2011 02:09 PM, Jakub Hrozek wrote:

During some UI rewrite, the password migration form completely lost the
action= field and defaulted to GET instead of POST.


ACK.

Pavel



Re: [Freeipa-devel] [PATCH] 73 Update config doc to reflect that 0 is not allowed for search time limit.

2011-02-08 Thread Pavel Zuna

On 02/08/2011 12:34 AM, David O'Brien wrote:

Pavel Zuna wrote:

Fix #837

Pavel


/me hesitantly asks...
Doesn't this mean that "1" is illegal?

doc=_('Max. amount of time (sec.) for a search (> 1 or -1 for unlimited)'),

Neither is there any mention of zero being illegal. It may be implicit
or self-evident, but I don't rely on that in doc. I'd be inclined to
change it to (> 0, or -1 for unlimited) but remember, I'm not a coder :)

cheers



You're right. :)

Fixed version attached.

Pavel


freeipa-pzuna-73-2-configdoc.patch
Description: application/mbox

[Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.

2011-02-08 Thread Pavel Zuna

The patch also corrects exception handling in some of the tools.

Fix #874

Pavel


freeipa-pzuna-78-toolsldapi.patch
Description: application/mbox

[Freeipa-devel] [PATCH] 77 Update krbtpolicy doc to inform that restarting krb5kdc might be needed.

2011-02-07 Thread Pavel Zuna
It seems that restarting krb5kdc is only needed when changes to the global 
policy are made. Per-user policies take effect immediately for newly requested 
tickets. Can someone please confirm?


Fix #844

Pavel


freeipa-pzuna-77-krbtpdoc.patch
Description: application/mbox

[Freeipa-devel] [PATCH] 76 Fallback to default locale (en_US) if env. setting is corrupt.

2011-02-07 Thread Pavel Zuna

This is a follow-up to my patches 69 and 71 (70 is garbage).

It prevents a crash when user misconfigures his locale settings.

Pavel


freeipa-pzuna-76-deflocale.patch
Description: application/mbox

Re: [Freeipa-devel] [PATCH] Enable custom list of attributes to retrieve effective rights.

2011-02-07 Thread Pavel Zuna

On 02/03/2011 08:04 PM, Simo Sorce wrote:

On Tue, 18 Jan 2011 13:25:28 +0100
Pavel Zuna  wrote:


On 01/07/2011 08:59 PM, Rob Crittenden wrote:

Pavel Zůna wrote:

LDAPObject sub-classes can define a custom list of attributes for
effective rights retrieval.

Fix #677

Pavel



Nack. --rights should only return data when --all is also included.

Otherwise it looks ok.

rob


Fixed version attached.

Pavel


Is this one still on the table ?
Or did some other patch supersede it ?

Simo.



We can throw this one away. The problem was somewhere else and the ticket is 
already closed.


Pavel


Re: [Freeipa-devel] [PATCH] 72 Set minimum for Kerberos policy max life and max renew

2011-02-07 Thread Pavel Zuna

On 02/07/2011 01:10 PM, Jakub Hrozek wrote:

On Mon, Feb 07, 2011 at 11:13:56AM +0100, Pavel Zuna wrote:

Fix #847

Pavel






Nack, please update API.txt



Forgot about that, sorry.

Version with updated API.txt attached.

Pavel


freeipa-pzuna-72-2-krbtpmin.patch
Description: application/mbox

[Freeipa-devel] [PATCH] 75 Display error messages for failed manageby in service-add/remove-host.

2011-02-07 Thread Pavel Zuna

Fix #830

Pavel


freeipa-pzuna-75-managedbyerr.patch
Description: application/mbox

[Freeipa-devel] [PATCH] 74 Fix crash in DNS installer.

2011-02-07 Thread Pavel Zuna

Fix #927

Pavel


freeipa-pzuna-74-dnsinstallcrash.patch
Description: application/mbox

[Freeipa-devel] [PATCH] 73 Update config doc to reflect that 0 is not allowed for search time limit.

2011-02-07 Thread Pavel Zuna

Fix #837

Pavel


freeipa-pzuna-73-configdoc.patch
Description: application/mbox

[Freeipa-devel] [PATCH] 72 Set minimum for Kerberos policy max life and max renew

2011-02-07 Thread Pavel Zuna

Fix #847

Pavel


freeipa-pzuna-72-krbtpmin.patch
Description: application/mbox

Re: [Freeipa-devel] [PATCH] Remove deprecated i18n code from ipalib.request and all references to it.

2011-02-04 Thread Pavel Zuna

On 02/04/2011 04:03 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

On 02/02/2011 09:36 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

This ticket effectively fixes the translation of exception messages.

Ticket #903

Pavel



On hold for now, see also patch 'Translate exception messages on the
client side.'

rob


This should get pushed for the translation in exceptions to work. It
only removes the defunct code and replaces it with something functional.

Pavel


If the server locale is not en_US.UTF-8 then messages are translated.

rob


I know, but it's not the purpose of this patch to do the right translation for 
the client. Its purpose is to fix the code to actually perform the translation.


There's another patch (71) to do the right thing and it depends on this one.

Pavel



Re: [Freeipa-devel] python i18n options

2011-02-04 Thread Pavel Zuna

On 02/03/2011 05:13 PM, John Dennis wrote:

On 02/03/2011 09:34 AM, Pavel Zuna wrote:

Python 2.6+ provides secure ways to encode and decode
literal types to/from strings.


I'm not sure what you mean by this, could you elaborate please?


http://docs.python.org/library/ast.html#ast.literal_eval

We could use it to send data about the exception and have the client translate 
it for itself. However I decided to drop this idea, because it would require 
changes in a lot of places where we construct exceptions and that's just not 
worth it.





Summary:

Unless we agree on a better way; I'm going to try the pygettext patch and see
how usable it is. If it's not then I'll try the solution with merging pygettext
and xgettext output. We also need to rethink the PublicError class and its
encoding/decoding in {JSON,XML}-RPC to have them translated on the client.


I think your proposal sounds fine if we expect the message catalog on
the client to be in sync with the server. I'm not sure that's a good
assumption. When they drift apart the effect will be that some messages
appear localized and others won't. That will be a poor user experience.
One way we could address this problem is by following the web model. The
client sends their language preference in each request. When the server
responds it performs the message translation prior to sending it back to
the client. We're already doing this for the web UI, any reason not to
follow the same model for other clients?


Yes, we're going to use the same model in the end. Already posted a patch on the 
list that does just that (71).



I can't comment on the quality of the upstream pygettext patch, but one
way to find out is to start using it :-)


That's exactly what I'm planning to do. :)

Pavel



[Freeipa-devel] [PATCH] Send Accept-Language header over XML-RPC and translate on server.

2011-02-04 Thread Pavel Zuna
This patch makes the ipa client send the Accept-Language header, so that the 
server can translate things like exceptions, that cannot be translated on the 
client.


It also fixes the language recognition for the webUI. The values in 
Accept-Language header are a bit different than what is accepted by the LANG 
variable as a valid locale - some additional parsing was needed.

For example:
>>> Accept-Language: es-es;q=1
needs to translate to
>>> es_ES
otherwise it won't be recognized by gettext

Fix #904
Fix #917

Pavel


freeipa-pzuna-71-acceptlang.patch
Description: application/mbox
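
The header-to-locale conversion described in this message, as an added example that is not the code from patch 71: it orders the ranges by q-value and accepts only plain `language[-REGION]` tags, because the resulting names are used to look up catalog directories. The function names, the `ipa` domain and the `en_US` default are assumptions.

```python
import gettext
import re

# One language range: a primary tag of 1-8 letters with an optional
# two-letter region. Ranges with script or variant subtags (zh-Hans-CN)
# are dropped by this narrow version.
_RANGE = re.compile(r"([A-Za-z]{1,8})(?:-([A-Za-z]{2}))?")


def parse_accept_language(header):
    """Return gettext-style locale names, best match first."""
    candidates = []
    for position, item in enumerate(header.split(",")):
        parts = [p.strip() for p in item.split(";")]
        match = _RANGE.fullmatch(parts[0])
        if match is None:
            # "*", empty items and anything that is not a plain tag
            # (for example "../../etc") never reach the catalog lookup.
            continue
        quality = 1.0
        for param in parts[1:]:
            key, _sep, value = param.partition("=")
            if key.strip().lower() == "q":
                try:
                    quality = float(value)
                except ValueError:
                    quality = 0.0
        if not 0.0 < quality <= 1.0:
            continue  # q=0 means "not acceptable"; out-of-range is ignored
        lang = match.group(1).lower()
        region = match.group(2)
        name = lang if region is None else "%s_%s" % (lang, region.upper())
        candidates.append((-quality, position, name))
    ordered = []
    for _quality, _position, name in sorted(candidates):
        if name not in ordered:
            ordered.append(name)
    return ordered


def translation_for(header, domain="ipa", localedir=None):
    """Pick a catalog for the request; fall back instead of failing."""
    languages = parse_accept_language(header) or ["en_US"]
    return gettext.translation(
        domain, localedir=localedir, languages=languages, fallback=True
    )
```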

Re: [Freeipa-devel] [PATCH] Remove deprecated i18n code from ipalib.request and all references to it.

2011-02-04 Thread Pavel Zuna

On 02/02/2011 09:36 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

This ticket effectively fixes the translation of exception messages.

Ticket #903

Pavel



On hold for now, see also patch 'Translate exception messages on the
client side.'

rob


This should get pushed for the translation in exceptions to work. It only 
removes the defunct code and replaces it with something functional.


Pavel



[Freeipa-devel] python i18n options

2011-02-03 Thread Pavel Zuna
I've been playing around with localizing python strings for a while and this is 
what I figured out:


Currently we use xgettext to get strings to be translated from python files. 
From within python we call the gettext library wrapped in ipalib/text.py 
classes to provide on request translation. We need on request translation, so 
that we can translate strings on the client.


Apart from the classes in ipalib/text.py, there are also localization functions 
in ipalib/request.py. These functions are old and deprecated. Despite this they 
are still used when translating exception messages. That's why exceptions aren't 
currently being localized. Rob posted a patch recently that fixes this, but it 
wasn't fixing the problem at its root. There's another patch by me (69: Remove 
deprecated i18n code...) that removes references to ipalib/request.py and 
replaces it with ipalib/text.py classes.


This patch should definitely be accepted. It doesn't change anything - it just 
removes code that shouldn't be there anyway.


There's another problem with exceptions. They are localized when they are first 
created on the server. When transmitting exceptions from server to client, the 
data is wrapped in a xmlrpclib.Fault class. This class can only contain an error 
code and string making it impossible to reconstruct on the client especially if 
it contains template strings (i.e. '%(reason)s').


I propose we change the way exceptions are created and encode information about 
them as Fault string data. We can then reconstruct them on the client and perform 
localization there. Python 2.6+ provides secure ways to encode and decode 
literal types to/from strings. This will require changes to the PublicError class.


Now there's the issue of localizing the built-in help system ('ipa help') which 
translates to localizing python docstrings. xgettext can't do that on its own. 
There's an alternative called pygettext. Unfortunately pygettext can't 
translate ngettext strings (meaning strings that have a singular and plural 
form). I found two solutions around this:


1) a) use both xgettext and pygettext
   b) merge the resulting .po files
   c) use msguniq utility to get unique translatable strings

2) there's a patch for pygettext to handle ngettext strings

Solution 1) will probably work fine, but it's not very effective. I would 
prefer the second solution, but I still have to determine how good the patch is 
since it was sent by some random guy on the python mailing list.


Links:
http://bugs.python.org/issue8502
http://bugs.python.org/file17639/pygettext.py.patch

Opinions?

Summary:

Unless we agree on a better way; I'm going to try the pygettext patch and see 
how usable it is. If it's not then I'll try the solution with merging pygettext 
and xgettext output. We also need to rethink the PublicError class and its 
encoding/decoding in {JSON,XML}-RPC to have them translated on the client.


Pavel
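
The proposal in this message, and in the follow-up further up the page that links to `ast.literal_eval`, sketched as an added example that is not code from the thread or from FreeIPA: the server packs the untranslated template and its arguments into the Fault string, and the client parses them as literals, checks their shape, and only then translates and interpolates. It is written for Python 3; the payload layout, the helper names and the length cap are assumptions.

```python
import ast
import re

MAX_FAULT_LEN = 4096  # assumed cap on what the client is willing to parse
_ALLOWED_VALUE = (str, int, float, bool, type(None))
# Only %(name)s and %% may appear in a template that gets interpolated,
# so a hostile template cannot ask for huge field widths.
_PLACEHOLDER = re.compile(r"%(?:\(\w+\)s|%)")


def encode_fault_string(fmt, kw):
    """Server side: pack the untranslated template and its arguments."""
    return repr({"format": fmt, "kw": dict(kw)})


def decode_fault_string(fault_string):
    """Client side: parse the payload without executing anything."""
    if len(fault_string) > MAX_FAULT_LEN:
        raise ValueError("fault string too long")
    try:
        payload = ast.literal_eval(fault_string)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        raise ValueError("fault string is not a literal payload") from None
    if not isinstance(payload, dict) or set(payload) != {"format", "kw"}:
        raise ValueError("unexpected payload shape")
    fmt, kw = payload["format"], payload["kw"]
    if not isinstance(fmt, str) or not isinstance(kw, dict):
        raise ValueError("unexpected payload types")
    for key, value in kw.items():
        if not isinstance(key, str) or not isinstance(value, _ALLOWED_VALUE):
            raise ValueError("unexpected argument type")
    return fmt, kw


def _plain_template(template):
    """True if the template contains nothing but %(name)s and %%."""
    return "%" not in _PLACEHOLDER.sub("", template)


def render_fault(fault_string, translate=lambda message: message):
    """Translate on the client; degrade to less translation, never crash."""
    try:
        fmt, kw = decode_fault_string(fault_string)
    except ValueError:
        return fault_string  # plain text, e.g. from an older server
    # Try the translated template first, then the untranslated one.
    for template in (translate(fmt), fmt):
        if _plain_template(template):
            try:
                return template % kw
            except (KeyError, TypeError, ValueError):
                continue
    return fmt
```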



[Freeipa-devel] [PATCH] Translate exception messages on the client side.

2011-02-02 Thread Pavel Zuna

Ticket #904

Pavel

From ee8e1db4c07d7d2d6e2bff6a80fc9643f46b4c6b Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Wed, 2 Feb 2011 16:23:25 -0500
Subject: [PATCH] Translate exception messages on the client side.

Ticket #904
---
 ipalib/cli.py |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/ipalib/cli.py b/ipalib/cli.py
index 9735d2e..606fe4d 100644
--- a/ipalib/cli.py
+++ b/ipalib/cli.py
@@ -1059,5 +1059,5 @@ def run(api):
 error = InternalError()
 if error is not None:
 assert isinstance(error, PublicError)
-api.log.error(error.strerror)
+api.log.error(_(error.format) % error.kw)
 sys.exit(error.rval)
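
Review bot: the new `api.log.error(_(error.format) % error.kw)` line interpolates into the translated template with no guard, so a catalog entry whose placeholders differ from the keys in `error.kw` raises KeyError inside the error path and the `sys.exit(error.rval)` below is never reached. It also assumes every PublicError that arrives here still carries `format` and `kw`, while the i18n discussion on this list points out that errors returned by the server travel as an xmlrpclib.Fault holding only a code and a string. Suggest falling back to `error.strerror` when `error.format` is unset or the interpolation fails.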
-- 
1.7.1.1


[Freeipa-devel] [PATCH] Remove deprecated i18n code from ipalib.request and all references to it.

2011-02-02 Thread Pavel Zuna

This ticket effectively fixes the translation of exception messages.

Ticket #903

Pavel

From b051be4d816f94ebab3fc932b3d2372d1cf0345a Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Wed, 2 Feb 2011 15:37:14 -0500
Subject: [PATCH] Remove deprecated i18n code from ipalib/request and all references to it.

Ticket #903
---
 ipalib/errors.py  |2 +-
 ipalib/parameters.py  |2 +-
 ipalib/request.py |   40 -
 tests/test_ipalib/test_request.py |  161 -
 4 files changed, 2 insertions(+), 203 deletions(-)
 delete mode 100644 tests/test_ipalib/test_request.py

diff --git a/ipalib/errors.py b/ipalib/errors.py
index 20cd52b..63648d2 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -101,7 +101,7 @@ current block assignments:
 """
 
 from inspect import isclass
-from request import ugettext, ungettext
+from text import _ as ugettext, ngettext as ungettext
 from constants import TYPE_ERROR
 
 
diff --git a/ipalib/parameters.py b/ipalib/parameters.py
index 22b0321..23177b3 100644
--- a/ipalib/parameters.py
+++ b/ipalib/parameters.py
@@ -102,7 +102,7 @@ a more detailed description for clarity.
 import re
 from types import NoneType
 from util import make_repr
-from request import ugettext
+from text import _ as ugettext
 from plugable import ReadOnly, lock, check_name
 from errors import ConversionError, RequirementError, ValidationError
 from errors import PasswordMismatch
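
Review bot: the changed import `from text import _ as ugettext` here, like `from text import _ as ugettext, ngettext as ungettext` in errors.py, keeps the names of the functions this patch deletes from request.py, so the call sites still read as if they used the old per-request API. Consider importing `_` and `ngettext` under their own names and renaming the call sites, in this patch or a follow-up, so a later reader does not go looking for `ugettext` in request.py.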
diff --git a/ipalib/request.py b/ipalib/request.py
index 9a11fb9..15b26f5 100644
--- a/ipalib/request.py
+++ b/ipalib/request.py
@@ -23,8 +23,6 @@ Per-request thread-local data.
 """
 
 import threading
-import locale
-import gettext
 from base import ReadOnly, lock
 from constants import OVERRIDE_ERROR, CALLABLE_ERROR
 
@@ -58,41 +56,3 @@ def destroy_context():
 value.disconnect()
 context.__dict__.clear()
 
-
-def ugettext(message):
-if hasattr(context, 'ugettext'):
-return context.ugettext(message)
-return message.decode('UTF-8')
-
-
-def ungettext(singular, plural, n):
-if hasattr(context, 'ungettext'):
-return context.ungettext(singular, plural, n)
-if n == 1:
-return singular.decode('UTF-8')
-return plural.decode('UTF-8')
-
-
-def set_languages(*languages):
-if hasattr(context, 'languages'):
-raise StandardError(OVERRIDE_ERROR %
-('context', 'languages', context.languages, languages)
-)
-if len(languages) == 0:
-languages = locale.getdefaultlocale()[:1]
-context.languages = languages
-assert type(context.languages) is tuple
-
-
-def create_translation(domain, localedir, *languages):
-if hasattr(context, 'ugettext') or hasattr(context, 'ungettext'):
-raise StandardError(
-'create_translation() already called in thread %r' %
-threading.currentThread().getName()
-)
-set_languages(*languages)
-translation = gettext.translation(domain,
-localedir=localedir, languages=context.languages, fallback=True
-)
-context.ugettext = translation.ugettext
-context.ungettext = translation.ungettext
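
Review bot: the removed `set_languages()` was the only visible user of `OVERRIDE_ERROR`, yet the first hunk leaves `from constants import OVERRIDE_ERROR, CALLABLE_ERROR` untouched while dropping `locale` and `gettext`. Check whether anything left in request.py still references `OVERRIDE_ERROR` and trim the import if not, so the module does not keep a dead dependency from the code being removed.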
diff --git a/tests/test_ipalib/test_request.py b/tests/test_ipalib/test_request.py
deleted file mode 100644
index 548156d..000
--- a/tests/test_ipalib/test_request.py
+++ /dev/null
@@ -1,161 +0,0 @@
-# Authors:
-#   Jason Gerard DeRose 
-#
-# Copyright (C) 2008  Red Hat
-# see file 'COPYING' for use and warranty contextrmation
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-"""
-Test the `ipalib.request` module.
-"""
-
-import threading
-import locale
-from tests.util import raises, assert_equal
-from tests.util import TempDir, dummy_ugettext, dummy_ungettext
-from ipalib.constants import OVERRIDE_ERROR
-from ipalib import request
-
-
-def test_ugettext():
-"""
-Test the `ipalib.request.ugettext` function.
-"""
-f = request.ugettext
-context = request.context
-message = 'Hello, world!'
-
-# Test with no context.ugettext:
-assert not hasattr(context, 'ugettext')
-assert_equal(f(message), u'Hello, world!')
-
-  
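
Review bot: deleting tests/test_ipalib/test_request.py outright removes the whole test module, not only the cases for the removed `ugettext`, `ungettext`, `set_languages` and `create_translation`. request.py keeps `context` and `destroy_context()` (see the hunk header in the request.py diff), so any tests in this file that cover those should stay; the part of the file visible here shows only `test_ugettext`, so please confirm the rest is i18n-only, or trim the module instead of deleting it.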

Re: [Freeipa-devel] [PATCH] 698 Translate exception messages

2011-02-02 Thread Pavel Zuna

On 02/01/2011 11:36 PM, Rob Crittenden wrote:

Pavel mentioned this morning that translations didn't seem to be
working. I remembered that I did some things on the cli so I re-tested.
Turned out that exceptions aren't being translated.

I'm not at all sure this patch does the right thing, so take it with a
grain of salt. What it does is translates the message before stuffing it
into the exception.

Note that this will also translate messages returned via XML-RPC so I
wonder if we need to force LANG to en_US.UTF-8 there.

In any case, this seems to fix the client side anyway. I'm open to
criticism on this one.

To test do something like:

$ kinit admin
$ export LANG=es_US.UTF-8
$ ipa user-add --first=Kermit --last=Frog kfrog
$ ipa user-add --first=Kermit --last=Frog kfrog

You should get a DuplicateEntry() response in Spanish.

rob



nack.

While this patch works, it doesn't solve the problem at its root.

After some investigation I figured out, that functions initializing translations 
in ipalib/request.py are not called from anywhere. All the translation code in 
ipalib/request.py is currently deprecated in favor of ipalib/text.py. I'm 
preparing a patch, that removes the unused code and replaces references to it.


Pavel



[Freeipa-devel] [PATCH] Fix minor bug in host-add logic.

2011-02-02 Thread Pavel Zuna

Fix #798

Pavel

From c5872d7d532429341c86cf1ba10a24709b510664 Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Wed, 2 Feb 2011 13:47:21 -0500
Subject: [PATCH] Fix minor bug in host-add logic.

Ticket #798
---
 ipalib/plugins/host.py |4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index d5c5174..e3f38fc 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -323,9 +323,9 @@ class host_add(LDAPCreate):
 entry_attrs['krbprincipalname'] = 'host/%s@%s' % (
 keys[-1], self.api.env.realm
 )
-if 'krbprincipalaux' not in entry_attrs:
+if 'krbprincipalaux' not in entry_attrs['objectclass']:
 entry_attrs['objectclass'].append('krbprincipalaux')
-if 'krbprincipal' not in entry_attrs:
+if 'krbprincipal' not in entry_attrs['objectclass']:
 entry_attrs['objectclass'].append('krbprincipal')
 else:
 if 'krbprincipalaux' in entry_attrs['objectclass']:
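
Review bot: the corrected checks `'krbprincipalaux' not in entry_attrs['objectclass']` and `'krbprincipal' not in entry_attrs['objectclass']` compare case-sensitively against lowercase literals, while LDAP object class names are case-insensitive. A caller that supplies `krbPrincipalAux` would still get a second, differently cased value appended. Suggest testing against a lowercased copy of the list; the same applies to the `in` test at the start of the else branch.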
-- 
1.7.1.1


[Freeipa-devel] [PATCH] Fix crash in ipa help for NO_CLI plugins.

2011-02-02 Thread Pavel Zuna

Fix #854

Pavel

From 6c9f25fa6c50034db4967e64590cc9d46bdf8e0b Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Wed, 2 Feb 2011 12:47:34 -0500
Subject: [PATCH] Fix crash in ipa help for NO_CLI plugins.

Fix #854
---
 ipalib/cli.py |   16 ++--
 1 files changed, 2 insertions(+), 14 deletions(-)

diff --git a/ipalib/cli.py b/ipalib/cli.py
index 5543301..9735d2e 100644
--- a/ipalib/cli.py
+++ b/ipalib/cli.py
@@ -730,19 +730,6 @@ class help(frontend.Local):
 for t in topics:
 topic = self._topics[t]
 print '  %s  %s' % (to_cli(t).ljust(self._mtl), topic[0])
-
-if False:
-topic_commands = self._topics[t][2]
-mod_list = [self._get_command_module(c.module) for c in topic_commands]
-mod_list = list(set(mod_list))
-
-for mod in mod_list:
-m = '%s.%s' % (self._PLUGIN_BASE_MODULE, mod)
-if 'topic' in dir(sys.modules[m]):
-doc = sys.modules[m].topic[1]
-else:
-doc = (sys.modules[m].__doc__ or '').strip().split('\n', 1)[0]
-print '  %s  %s' % (to_cli(t).ljust(self._mtl), doc)
 print ''
 print 'Try `ipa --help` for a list of global options.'
 
@@ -759,6 +746,7 @@ class help(frontend.Local):
 mcl = self._topics[topic][1]
 commands = self._topics[topic][2]
 else:
+commands = []
 for t in self._topics:
 if type(self._topics[t][2]) is not dict:
 continue
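
Review bot: the added `commands = []` fixes the unbound name in the else branch, but as far as this context shows `mcl` is still assigned only in the if branch above (`mcl = self._topics[topic][1]`) and is used later in `ljust(mcl)`. Initialise `mcl = 0` next to `commands = []` so both names are always bound, unless the loop that follows is guaranteed to set it.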
@@ -772,8 +760,8 @@ class help(frontend.Local):
 doc = (sys.modules[m].__doc__ or '').strip()
 
 print doc
-print ''
 if len(commands) > 1:
+print ''
 print 'Topic commands:'
 for c in commands:
 print '  %s  %s' % (to_cli(c.name).ljust(mcl), c.summary)
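
Review bot: with `print ''` moved under `if len(commands) > 1:`, a topic that has exactly one command prints neither the separator nor the 'Topic commands:' list, so that single command is never shown. If this is not intended, test `if commands:` instead; if it is, a one-line comment saying why a one-command topic is special would help.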
-- 
1.7.1.1


Re: [Freeipa-devel] [PATCH] Make 'ipa help' localizable.

2011-02-01 Thread Pavel Zuna

On 02/01/2011 03:08 PM, John Dennis wrote:

On 02/01/2011 08:16 AM, Pavel Zuna wrote:

For a long time, I was trying to find a way to localize python docstrings, that
we use to generate the built-in documentation system. Unfortunately, python
docstrings aren't meant to be localized and therefore I had to use a dirty
trick: setting the __doc__ variable manually to a gettext instance.

There is one major disadvantage: tools that generate developer documentation
(like epydoc) won't display docstrings set like this.

One solution would be to have docstrings twice in each module: once normally and
once set using __doc__, but that would be very ugly.

This patch doesn't update .po files, because it's already big as it is. They are
regenerated automatically anyway.

Ticket #179

Pavel


Hi Pavel:

I'm not sure this is the right approach. What we really want is to be
able to extract the docstrings and put them in a pot file. Normally
xgettext is used to "xtract" translatable strings but I don't think the
python parser in xgettext is docstring aware (we should probably confirm
that).

However pygettext in the python-tools package is docstring aware. From
its help text:

-D
--docstrings
Extract module, class, method, and function docstrings. These do
not need to be wrapped in _() markers, and in fact cannot be for
Python to consider them docstrings. (See also the -X option).

So rather than changing all the source code and making it non-standard I
think we're better off using a more appropriate tool when building the
pot file.

Use of pygettext is discussed and documented in this Python
documentation link:

http://docs.python.org/library/gettext.html#internationalizing-your-programs-and-modules


You can find an interesting discussion of the docstring extraction issue
in this thread:

http://mail.python.org/pipermail/i18n-sig/2001-August/001292.html

BTW, Barry Warsaw is the man behind Mailman and is one of the Python
community luminaries.




Thanks for the tips! I'll see what I can do.

Pavel



[Freeipa-devel] [PATCH] Make 'ipa help' localizable.

2011-02-01 Thread Pavel Zuna
For a long time, I was trying to find a way to localize python docstrings, that 
we use to generate the built-in documentation system. Unfortunately, python 
docstrings aren't meant to be localized and therefore I had to use a dirty 
trick: setting the __doc__ variable manually to a gettext instance.


There is one major disadvantage: tools that generate developer documentation 
(like epydoc) won't display docstrings set like this.


One solution would be to have docstrings twice in each module: once normally and 
once set using __doc__, but that would be very ugly.


This patch doesn't update .po files, because it's already big as it is. They are 
regenerated automatically anyway.


Ticket #179

Pavel

From 033d3480be0c4a48b0976ed719a2724330990aca Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Tue, 1 Feb 2011 13:07:50 -0500
Subject: [PATCH] Make 'ipa help' localizable.

---
 ipalib/cli.py  |   17 -
 ipalib/plugins/aci.py  |7 ---
 ipalib/plugins/automount.py|6 --
 ipalib/plugins/batch.py|5 ++---
 ipalib/plugins/cert.py |6 +++---
 ipalib/plugins/config.py   |7 ---
 ipalib/plugins/delegation.py   |8 +---
 ipalib/plugins/dns.py  |7 ---
 ipalib/plugins/group.py|7 ---
 ipalib/plugins/hbacrule.py |7 ---
 ipalib/plugins/hbacsvc.py  |8 +---
 ipalib/plugins/hbacsvcgroup.py |7 ---
 ipalib/plugins/host.py |7 ---
 ipalib/plugins/hostgroup.py|8 +---
 ipalib/plugins/krbtpolicy.py   |7 ---
 ipalib/plugins/migration.py|7 ---
 ipalib/plugins/netgroup.py |7 ---
 ipalib/plugins/passwd.py   |7 ---
 ipalib/plugins/permission.py   |8 +---
 ipalib/plugins/pkinit.py   |7 ---
 ipalib/plugins/privilege.py|8 +---
 ipalib/plugins/pwpolicy.py |7 ---
 ipalib/plugins/role.py |8 +---
 ipalib/plugins/selfservice.py  |8 +---
 ipalib/plugins/service.py  |8 +---
 ipalib/plugins/sudocmd.py  |7 ---
 ipalib/plugins/sudocmdgroup.py |7 ---
 ipalib/plugins/user.py |7 ---
 28 files changed, 125 insertions(+), 85 deletions(-)

diff --git a/ipalib/cli.py b/ipalib/cli.py
index 5543301..1fdcc30 100644
--- a/ipalib/cli.py
+++ b/ipalib/cli.py
@@ -663,12 +663,16 @@ class help(frontend.Local):
 self._topics[topic_name][2].append(c)
 else:
 m = '%s.%s' % (self._PLUGIN_BASE_MODULE, topic_name)
-doc = (sys.modules[m].__doc__ or '').strip().split('\n', 1)[0]
+doc = ''
+if sys.modules[m].__doc__:
+doc = unicode(sys.modules[m].__doc__).strip().split('\n', 1)[0]
 self._topics[topic_name] = [doc, 0, [c]]
 mcl = max((self._topics[topic_name][1], len(c.name)))
 self._topics[topic_name][1] = mcl
 else: # a module grouped in a topic
-doc = (sys.modules[c.module].__doc__ or '').strip().split('\n', 1)[0]
+doc = ''
+if sys.modules[c.module].__doc__:
+doc = unicode(sys.modules[c.module].__doc__).strip().split('\n', 1)[0]
 mod_name = c.module.rsplit('.',1)[1]
 if topic_name in self._topics:
 if mod_name in self._topics[topic_name][2]:
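
Review bot: `unicode(sys.modules[m].__doc__)`, and the same call on `sys.modules[c.module].__doc__`, decodes a plain byte-string docstring with the default ASCII codec, so a module whose docstring has not been converted to a gettext object and contains non-ASCII text now raises UnicodeDecodeError where the old `(sys.modules[m].__doc__ or '')` expression did not. The three-line pattern of `doc = ''`, the `__doc__` truth test and the `unicode()` call is also repeated in every hunk of this file; a small helper returning the first line of a module's docstring would keep the decoding rule in one place.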
@@ -738,10 +742,11 @@ class help(frontend.Local):
 
 for mod in mod_list:
 m = '%s.%s' % (self._PLUGIN_BASE_MODULE, mod)
+doc = ''
 if 'topic' in dir(sys.modules[m]):
 doc = sys.modules[m].topic[1]
-else:
-doc = (sys.modules[m].__doc__ or '').strip().split('\n', 1)[0]
+elif sys.modules[m].__doc__:
+doc = unicode(sys.modules[m].__doc__).strip().split('\n', 1)[0]
 print '  %s  %s' % (to_cli(t).ljust(self._mtl), doc)
 print ''
 print 'Try `ipa --help` for a list of global options.'
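
Review bot: the lines changed here sit inside the `if False:` block of `help`, which the 'Fix crash in ipa help for NO_CLI plugins' patch posted against the same cli.py blob (5543301) shows and deletes, so this hunk edits code that never runs. Drop the hunk, or remove the dead block first and rebase on that. The `topic[1]` branch is also left without the `unicode()` conversion that the `elif` branch gets.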
@@ -769,7 +774,9 @@ class help(frontend.Local):
 break
 
 m = '%s.%s' % (self._PLUGIN_BASE_MODULE, topic)
-doc = (sys.modules[m].__doc__ or '').strip()
+doc = ''
+if sys.modules[m].__doc__:
+doc = unicode(sys.modules[m].__doc__).strip()
 
 print doc
 print ''
diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py
index 4ddaf98..395bc21

[Freeipa-devel] [PATCH] Raise ValidationError when adding unallowed attribute to search fields.

2011-01-25 Thread Pavel Zuna

Depends on my previous patch number 64 (posted on the list 2 minutes ago).

Ticket #845

Pavel

From 275f22f718af14f3f3c5e29c1f03471ab152b386 Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Tue, 25 Jan 2011 15:25:52 -0500
Subject: [PATCH 2/2] Raise ValidationError when adding unallowed attribute to search fields.

Ticket #845
---
 ipalib/plugins/config.py |   16 
 1 files changed, 16 insertions(+), 0 deletions(-)

diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index ccd06ca..f779732 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -198,6 +198,22 @@ class config_mod(LDAPUpdate):
 api.Command['group_show'](group)
 except errors.NotFound:
 raise errors.NotFound(message=unicode("The group doesn't exist"))
+kw = {}
+if 'ipausersearchfields' in entry_attrs:
+kw['ipausersearchfields'] = 'ipauserobjectclasses'
+if 'ipagroupsearchfields' in entry_attrs:
+kw['ipagroupsearchfields']  = 'ipagroupobjectclasses'
+if kw:
+config = ldap.get_ipa_config(kw.values())
+for (k, v) in kw.iteritems():
+allowed_attrs = ldap.get_allowed_attributes(config[1][v])
+fields = entry_attrs[k].split(',')
+for a in fields:
+a = a.strip()
+if a not in allowed_attrs:
+raise errors.ValidationError(
+name=k, error='attribute "%s" not allowed' % a
+)
 return dn
 
 api.register(config_mod)
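
Review bot: in the new validation loop, `a = a.strip()` is compared against `allowed_attrs` without lowercasing, while `get_allowed_attributes()` from patch 1/2 returns lower-cased names, so a search field entered as `givenName` is rejected even though the schema allows it. Use `a.strip().lower()` for the comparison. The message in `error='attribute "%s" not allowed' % a` is not wrapped for translation, and `config[1][v]` raises KeyError if `get_ipa_config()` comes back without the object class attribute (patch 1/2 shows it falling back to `config_entry = {}` on NotFound).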
-- 
1.7.1.1


[Freeipa-devel] [PATCH] Add ldap2 method to retrieve allowed attributes for specified objectClasses.

2011-01-25 Thread Pavel Zuna

ldap2.get_allowed_attributes(['posixuser'])

returns a list of unicode all lower case attribute names allowed for the object 
class 'posixuser'


You can enter as many object classes as you want.

Pavel

From 044476963a96136f951ccf8232debc1b1c48513f Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Tue, 25 Jan 2011 15:24:03 -0500
Subject: [PATCH 1/2] Add ldap2 method to retrieve allowed attributes for specified objectClasses.

ldap2.get_allowed_attribute(['posixuser'])

returns a list of unicode all lower case attribute names allowed
for the object class 'posixuser'
---
 ipaserver/plugins/ldap2.py |   20 +---
 1 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 86ea3f8..7490dfb 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -266,6 +266,16 @@ class ldap2(CrudBackend, Encoder):
 else:
 return None
 
+def get_allowed_attributes(self, objectclasses):
+if not self.schema:
+return []
+allowed_attributes = []
+for oc in objectclasses:
+obj = self.schema.get_obj(_ldap.schema.ObjectClass, oc)
+if obj is not None:
+allowed_attributes += obj.must + obj.may
+return [unicode(a).lower() for a in list(set(allowed_attributes))]
+
 def get_single_value(self, attr):
 """
 Check the schema to see if the attribute is single-valued.
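
Review bot: `get_allowed_attributes()` collects only `obj.must + obj.may` for each named class, which in python-ldap are the attributes declared directly on that class; attributes inherited through `obj.sup` are missing unless the caller also lists every superior class. Either walk the `sup` chain here or state that requirement in a docstring, which the method currently lacks. Unknown class names are skipped silently by `if obj is not None`, so a typo shrinks the allowed set without any error, and the commit message spells the method `get_allowed_attribute`.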
@@ -597,15 +607,19 @@ class ldap2(CrudBackend, Encoder):
 Keyword arguments:
 attrs_list - list of attributes to return, all if None (default None)
 """
-return self.find_entries(None, attrs_list, dn, self.SCOPE_BASE, time_limit=time_limit, size_limit=size_limit, normalize=normalize)[0][0]
+return self.find_entries(
+None, attrs_list, dn, self.SCOPE_BASE, time_limit=time_limit,
+size_limit=size_limit, normalize=normalize
+)[0][0]
 
 config_defaults = {'ipasearchtimelimit': [2], 'ipasearchrecordslimit': [0]}
-def get_ipa_config(self):
+def get_ipa_config(self, attrs_list=None):
 """Returns the IPA configuration entry (dn, entry_attrs)."""
 cdn = "%s,%s" % (api.Object.config.get_dn(), api.env.basedn)
 try:
 (cdn, config_entry) = self.find_entries(
-base_dn=cdn, scope=self.SCOPE_BASE, time_limit=2, size_limit=10
+None, attrs_list, base_dn=cdn, scope=self.SCOPE_BASE,
+time_limit=2, size_limit=10
 )[0][0]
 except errors.NotFound:
 config_entry = {}
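
Review bot: the docstring of `get_ipa_config()` still describes only the return value and says nothing about the new `attrs_list` parameter or that `None` means all attributes. The call now also mixes two positional arguments (`None, attrs_list`) with keywords; passing them by name, as `base_dn` and `scope` already are, would make the call easier to check against `find_entries()`.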
-- 
1.7.1.1


Re: [Freeipa-devel] [PATCH] test speedup patch

2011-01-19 Thread Pavel Zuna

On 01/19/2011 04:17 AM, Rob Crittenden wrote:

Rob Crittenden wrote:

Rob Crittenden wrote:

Attached is a rough cut of a patch to try to speed up the cli a little
bit. Basically in production mode it will skip some things during
initialization.

My concept is that we develop in mode != production and release in mode
== production.

I managed to knock a second or so off time to do a user-show on average.

There may be some other things we can do to speed things up, I'm still
looking. Some feedback on the approach would be appreciated.

Note that I've completely ruled out SSL/Negotiate. I did my testing on
lite-server which doesn't use SSL or Negotiate and it was STILL taking
on average 3-4+ seconds per command. The server side was consistently
taking < 1 second to complete.

rob


oh, and the patch.


I ran a couple of moderate tests this evening that executed 42 separate
operations like add, delete, and managing group membership. I ran this
10 times each on 2 identical VMs, one with a bit older code and one with
this patch then averaged the times.

With the patch the average was 1.3 seconds per operation, without 2.6. A
50% improvement is more than I expected, I saw a 33% improvement on
individual runs. I'll keep at it but this seems promising. I was also a
bit surprised that the average time without the patch was so low, I was
expecting something over 3 seconds.

Specifically what this patch does is it avoids doing some
self-validation. There is some amount of risk that the framework could
blow up but in a deployed situation I think the risk is rather low.

A side-effect of the API tester makeapi is that it loads the framework.
We can force it to be run in production mode so the product shouldn't be
buildable if it has inconsistencies.

rob



I find it hard to believe this patch causes such a big improvement in 
performance. Especially the parts skipping asserts, that shouldn't be 
significantly slower than your average ifs. Instance locking shouldn't be a time 
consuming operation either.


Bypassing check routines for parameter namespaces might provide a performance 
boost as it is called for every single plugin we have (~250). On the other hand, 
it is only used for positional arguments and most plugins only have 1 or 2 of those.


Personally, I would do some more tests on a single machine, because there's no
guarantee that two VMs with an identical image have the same performance.


If it really provides a significant improvement, then it's awesome, because I
like the philosophy of this patch. It removes self-checking and instance
locking, that is completely useless in a production environment and kind of
limiting in non-production. I think there are more places like this in the framework.


Long story short:
It's improbable, but not impossible, for the changes introduced by this patch to 
cause such a big performance improvement. Even if it doesn't, the patch is still 
good.


Pavel



[Freeipa-devel] [PATCH] Fix password/random logic in host plugin.

2011-01-18 Thread Pavel Zuna

Fix #798

Pavel
From a013e19957b33ca84102efdc0be7448eb3a83423 Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Tue, 18 Jan 2011 15:43:07 -0500
Subject: [PATCH 2/2] Fix password/random logic in host plugin.

Fix #798
---
 ipalib/plugins/host.py |   15 +--
 1 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 0a40705..6947d90 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -319,16 +319,19 @@ class host_add(LDAPCreate):
 del entry_attrs['locality']
 entry_attrs['cn'] = keys[-1]
 entry_attrs['serverhostname'] = keys[-1].split('.', 1)[0]
-if 'userpassword' not in entry_attrs and \
-options.get('random', False) == False:
+if 'userpassword' not in entry_attrs and not options.get('random', False):
 entry_attrs['krbprincipalname'] = 'host/%s@%s' % (
 keys[-1], self.api.env.realm
 )
-if 'krbprincipalaux' not in entry_attrs['objectclass']:
-entry_attrs['objectclass'].append('krbprincipalaux')
+if 'krbprincipal' not in entry_attrs:
 entry_attrs['objectclass'].append('krbprincipal')
-elif 'krbprincipalaux' in entry_attrs['objectclass']:
-entry_attrs['objectclass'].remove('krbprincipalaux')
+if 'krbprincipal' not in entry_attrs:
+entry_attrs['objectclass'].append('krbprincipalaux')
+else:
+if 'krbprincipal' in entry_attrs['objectclass']:
+entry_attrs['objectclass'].remove('krbprincipal')
+if 'krbprincipalaux' in entry_attrs['objectclass']:
+entry_attrs['objectclass'].remove('krbprincipalaux')
 if 'random' in options:
 if options.get('random'):
 entry_attrs['userpassword'] = ipa_generate_password()
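Review bot: Both new membership tests written as `if 'krbprincipal' not in entry_attrs:` look at the keys of entry_attrs instead of entry_attrs['objectclass'], and the second one guards the append of 'krbprincipalaux' while still testing for 'krbprincipal'. As written, the objectclass values are appended whenever the entry has no attribute named krbprincipal, so repeated values are possible; test each name against entry_attrs['objectclass'], as the else branch already does.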
-- 
1.7.1.1


[Freeipa-devel] [PATCH] Fix updating of DNS records by the host plugin.

2011-01-18 Thread Pavel Zuna

Fix #799

Pavel
From e97aa6d78e0ec32b160bf17deb894b1ba091541c Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Tue, 18 Jan 2011 15:33:40 -0500
Subject: [PATCH 1/2] Fix updating of DNS records by the host plugin.

Fix #799
---
 ipalib/plugins/host.py |   10 +-
 1 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index d09f0eb..0a40705 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -345,9 +345,9 @@ class host_add(LDAPCreate):
 parts = keys[-1].split('.')
 domain = unicode('.'.join(parts[1:]))
 if ':' in options['ip_address']:
-addkw = { u'record' : options['ip_address'] }
+addkw = { 'record' : options['ip_address'] }
 else:
-addkw = { u'arecord' : options['ip_address'] }
+addkw = { 'arecord' : options['ip_address'] }
 try:
 api.Command['dnsrecord_add'](domain, parts[0], **addkw)
 except errors.EmptyModlist:
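Review bot: The branch taken when the address contains ':' still passes the key 'record' while the other branch passes 'arecord'; dropping the u prefix does not change that, so please confirm 'record' is a parameter dnsrecord_add accepts. A one-line comment saying that the keys must be plain str because the dict is expanded with **addkw would also explain a change that "Fix #799" alone does not.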
@@ -355,7 +355,7 @@ class host_add(LDAPCreate):
 pass
 revzone, revname = get_reverse_zone(options['ip_address'])
 try:
-addkw = { u'ptrrecord' : keys[-1]+'.' }
+addkw = { 'ptrrecord' : keys[-1]+'.' }
 api.Command['dnsrecord_add'](revzone, revname, **addkw)
 except errors.EmptyModlist:
 # the entry already exists and matches
@@ -443,12 +443,12 @@ class host_del(LDAPDelete):
 self.debug('deleting ipaddr %s' % ipaddr)
 revzone, revname = get_reverse_zone(ipaddr)
 try:
-delkw = { u'ptrrecord' : fqdn+'.' }
+delkw = { 'ptrrecord' : fqdn+'.' }
 api.Command['dnsrecord_del'](revzone, revname, **delkw)
 except errors.NotFound:
 pass
 try:
-delkw = { u'arecord' : ipaddr }
+delkw = { 'arecord' : ipaddr }
 api.Command['dnsrecord_del'](domain, parts[0], **delkw)
 except errors.NotFound:
 pass
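Review bot: host_del always removes the address with the 'arecord' key, while host_add above picks a different key when the address contains ':'; an address added through that branch would not be matched here. Apply the same ':' test before building delkw.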
-- 
1.7.1.1


[Freeipa-devel] [PATCH] Fix crash when building DN of host with name ending with period.

2011-01-18 Thread Pavel Zuna

Fix #797

Pavel
From 509a77949474b429bb4d4ee6fa871bdade446625 Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Tue, 18 Jan 2011 13:28:37 -0500
Subject: [PATCH 1/2] Fix crash when building DN of host with name ending with period.

Fix #797
---
 ipalib/plugins/host.py |9 +
 1 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 8639ce5..d09f0eb 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -240,15 +240,16 @@ class host(LDAPObject):
 )
 
 def get_dn(self, *keys, **options):
-if keys[-1].endswith('.'):
-keys[-1] = keys[-1][:-1]
-dn = super(host, self).get_dn(*keys, **options)
+hostname = keys[-1]
+if hostname.endswith('.'):
+hostname = hostname[:-1]
+dn = super(host, self).get_dn(hostname, **options)
 try:
 self.backend.get_entry(dn, [''])
 except errors.NotFound:
 try:
 (dn, entry_attrs) = self.backend.find_entry_by_attr(
-'serverhostname', keys[-1], self.object_class, [''],
+'serverhostname', hostname, self.object_class, [''],
 self.container_dn
 )
 except errors.NotFound:
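Review bot: The call to super(host, self).get_dn now receives only hostname, where the old code passed *keys, so any keys before the last one are no longer forwarded. If host can ever be called with more than one key, pass keys[:-1] together with hostname; if it cannot, a comment saying so would make the intent clear.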
-- 
1.7.1.1


[Freeipa-devel] [PATCH] Remove SOA maximum parameter from DNS zone.

2011-01-18 Thread Pavel Zuna
There's no such thing as "maximum" in SOA record RDATA format according to RFC 
1035 and there's also no such attribute in the schema.


Fix #788

https://bugzilla.redhat.com/show_bug.cgi?id=670343

Pavel
From ee65cb0fc69384f2777537d222a762a4f7be5bfe Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Tue, 18 Jan 2011 13:29:58 -0500
Subject: [PATCH 2/2] Remove SOA maximum parameters from DNS zone.

There's no such thing as "maximum" in SOA record RDATA format
according to RFC 1035 and there's also no such attribute in
the schema.

Fix #788
---
 ipalib/plugins/dns.py |5 -
 1 files changed, 0 insertions(+), 5 deletions(-)

diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index cf58098..a2d0b8b 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -198,11 +198,6 @@ class dnszone(LDAPObject):
 default=3600,
 autofill=True,
 ),
-Int('idnssoamaximum?',
-cli_name='maximum',
-label=_('SOA maximum'),
-doc=_('SOA record maximum value'),
-),
 Int('dnsttl?',
 cli_name='ttl',
 label=_('SOA time to live'),
-- 
1.7.1.1


Re: [Freeipa-devel] [PATCH] Fix import API_VERSION import error.

2011-01-18 Thread Pavel Zuna

On 01/18/2011 01:40 PM, Pavel Zuna wrote:

Fixes import errors in the framework caused by recent API version changes.

Fix #796

Pavel


self-NACK.

Ignore this patch, didn't realize the API_VERSION constant is auto-generated.

Pavel



[Freeipa-devel] [PATCH] Fix import API_VERSION import error.

2011-01-18 Thread Pavel Zuna

Fixes import errors in the framework caused by recent API version changes.

Fix #796

Pavel
From 3532c0f551edc79e63843ee112dee097dfb6aadf Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Tue, 18 Jan 2011 12:35:59 -0500
Subject: [PATCH] Fix import API_VERSION import error.

Fix #796
---
 ipalib/cli.py   |2 +-
 ipalib/frontend.py  |2 +-
 ipalib/plugins/batch.py |2 +-
 ipalib/plugins/ping.py  |2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/ipalib/cli.py b/ipalib/cli.py
index c634d49..54ab1c4 100644
--- a/ipalib/cli.py
+++ b/ipalib/cli.py
@@ -49,7 +49,7 @@ from errors import PublicError, CommandError, HelpError, InternalError, NoSuchNa
 from constants import CLI_TAB
 from parameters import Password, Bytes, File
 from text import _
-from ipapython.version import API_VERSION
+from ipapython.version import VERSION as API_VERSION
 
 
 def to_cli(name):
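Review bot: Importing VERSION under the name API_VERSION hides a missing constant rather than supplying it: every use of API_VERSION in this module then sees the package version. If API_VERSION is expected to come from ipapython.version, the fix belongs where that module is produced, not in each importer.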
diff --git a/ipalib/frontend.py b/ipalib/frontend.py
index eeed398..e514932 100644
--- a/ipalib/frontend.py
+++ b/ipalib/frontend.py
@@ -33,7 +33,7 @@ from text import _, ngettext
 from errors import ZeroArgumentError, MaxArgumentError, OverlapError, RequiresRoot, VersionError, RequirementError
 from errors import InvocationError
 from constants import TYPE_ERROR
-from ipapython.version import API_VERSION
+from ipapython.version import VERSION as API_VERSION
 from distutils import version
 
 
diff --git a/ipalib/plugins/batch.py b/ipalib/plugins/batch.py
index f6f662f..deaee5b 100644
--- a/ipalib/plugins/batch.py
+++ b/ipalib/plugins/batch.py
@@ -51,7 +51,7 @@ from ipalib import Str, List
 from ipalib.output import Output
 from ipalib import output
 from ipalib.text import _
-from ipapython.version import API_VERSION
+from ipapython.version import VERSION as API_VERSION
 
 class batch(Command):
 INTERNAL = True
diff --git a/ipalib/plugins/ping.py b/ipalib/plugins/ping.py
index c2f9b6b..db021b9 100644
--- a/ipalib/plugins/ping.py
+++ b/ipalib/plugins/ping.py
@@ -23,7 +23,7 @@ Ping the remote IPA server
 from ipalib import api
 from ipalib import Command
 from ipalib import output
-from ipapython.version import VERSION, API_VERSION
+from ipapython.version import VERSION as API_VERSION
 
 class ping(Command):
 """
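Review bot: The old import bound both VERSION and API_VERSION; after this change only API_VERSION is bound in ping.py, so any remaining reference to VERSION in the module raises NameError. Keep VERSION imported under its own name as well.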
-- 
1.7.1.1


Re: [Freeipa-devel] [PATCH] Enable custom list of attributes to retrieve effective rights.

2011-01-18 Thread Pavel Zuna

On 01/07/2011 08:59 PM, Rob Crittenden wrote:

Pavel Zůna wrote:

LDAPObject sub-classes can define a custom list of attributes for
effective rights retrieval.

Fix #677

Pavel



Nack. --rights should only return data when --all is also included.

Otherwise it looks ok.

rob


Fixed version attached.

Pavel
From abfe7eb176534b1d7cf0deae81f1bd2c2ebb7aef Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Thu, 30 Dec 2010 08:48:12 -0500
Subject: [PATCH] Enable custom list of attributes to retrieve effective rights.

Fix #677
---
 ipalib/plugins/baseldap.py |   34 ++
 ipalib/plugins/config.py   |4 
 2 files changed, 22 insertions(+), 16 deletions(-)

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index e7ccb77..27d5950 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -166,20 +166,6 @@ def get_attributes(attrs):
 return attrlist
 
 
-def get_effective_rights(ldap, dn, attrs=None):
-if attrs is None:
-attrs = ['*', 'nsaccountlock', 'cospriority']
-rights = ldap.get_effective_rights(dn, attrs)
-rdict = {}
-if 'attributelevelrights' in rights[1]:
-rights = rights[1]['attributelevelrights']
-rights = rights[0].split(', ')
-for r in rights:
-(k,v) = r.split(':')
-rdict[k.strip().lower()] = v
-
-return rdict
-
 def wait_for_memberof(keys, entry_start, completed, show_command, adding=True):
 """
 When adding or removing reverse members we are faking an update to
@@ -244,6 +230,7 @@ class LDAPObject(Object):
 search_attributes_config = None
 default_attributes = []
 hidden_attributes = ['objectclass', 'aci']
+rights_attributes = ['*', 'nsaccountlock', 'cospriority']
 # set rdn_attribute only if RDN attribute differs from primary key!
 rdn_attribute = ''
 uuid_attribute = ''
@@ -301,6 +288,19 @@ class LDAPObject(Object):
 pass
 return dn[len(self.primary_key.name) + 1:dn.find(',')]
 
+def get_effective_rights(self, dn, attrs=None):
+rdict = {}
+if attrs is None:
+attrs = self.rights_attributes
+rights = self.backend.get_effective_rights(dn, attrs)
+if 'attributelevelrights' in rights[1]:
+rights = rights[1]['attributelevelrights']
+rights = rights[0].split(', ')
+for r in rights:
+(k, v) = r.split(':')
+rdict[k.strip().lower()] = v
+return rdict
+
 def get_ancestor_primary_keys(self):
 if self.parent_object:
 parent_obj = self.api.Object[self.parent_object]
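Review bot: `(k, v) = r.split(':')` in the new get_effective_rights raises ValueError for any item that does not contain exactly one colon; use r.split(':', 1) and skip items without a colon. The method carries no docstring, and since rights_attributes is now the extension point for subclasses, this is the place to describe it.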
@@ -688,7 +688,8 @@ class LDAPRetrieve(LDAPQuery):
 self.obj.handle_not_found(*keys)
 
 if options.get('rights', False) and options.get('all', False):
-entry_attrs['attributelevelrights'] = get_effective_rights(ldap, dn)
+rights = self.obj.get_effective_rights(dn)
+entry_attrs['attributelevelrights'] = rights
 
 for callback in self.POST_CALLBACKS:
 if hasattr(callback, 'im_self'):
@@ -844,7 +845,8 @@ class LDAPUpdate(LDAPQuery, crud.Update):
 )
 
 if options.get('rights', False) and options.get('all', False):
-entry_attrs['attributelevelrights'] = get_effective_rights(ldap, dn)
+rights = self.obj.get_effective_rights(dn)
+entry_attrs['attributelevelrights'] = rights
 
 for callback in self.POST_CALLBACKS:
 if hasattr(callback, 'im_self'):
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index 438f663..ccd06ca 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -87,6 +87,9 @@ class config(LDAPObject):
 'ipasearchrecordslimit', 'ipausersearchfields', 'ipagroupsearchfields',
 'ipamigrationenabled', 'ipacertificatesubjectbase',
 ]
+rights_attributes = LDAPObject.rights_attributes + [
+'ipahomesrootdir', 'ipagroupsearchfields',
+]
 
 label = _('Configuration')
 
@@ -206,3 +209,4 @@ class config_show(LDAPRetrieve):
 """
 
 api.register(config_show)
+
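Review bot: The only change in this hunk is a blank line appended after api.register(config_show) at the end of the file; drop it.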
-- 
1.7.1.1


[Freeipa-devel] [PATCH] Retype (when cloning) Flag parameters to Bool for search commands.

2011-01-05 Thread Pavel Zuna
Flag parameters are always autofill by definition, causing unexpected search 
results. This patch retypes them to Bool for search commands, so that users have 
to/can enter the desired value manually.


A good example of the Flag parameters causing problems in search commands is 
`dnszone-find` (ticket #689).


Ticket #689
Ticket #701

Pavel
From 2206dd739dabf3e08555126b545a6cc62d6cd93c Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Wed, 5 Jan 2011 10:07:23 -0500
Subject: [PATCH] Retype (when cloning) Flag parameters to Bool for search commands.

Flag parameters are always autofill by definition, causing unexpected
search results. This patch retypes them to Bool for search commands,
so that users have to/can enter the desired value manually.

Ticket #689
Ticket #701
---
 ipalib/crud.py   |   12 +---
 ipalib/parameters.py |8 +++-
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/ipalib/crud.py b/ipalib/crud.py
index 86e1756..6df3c73 100644
--- a/ipalib/crud.py
+++ b/ipalib/crud.py
@@ -210,9 +210,15 @@ class Search(Method):
 for option in self.obj.params_minus(self.args):
 if 'no_search' in option.flags:
 continue
-yield option.clone(
-attribute=True, query=True, required=False, autofill=False
-)
+if isinstance(option, parameters.Flag):
+yield option.clone_retype(
+option.name, parameters.Bool,
+attribute=True, query=True, required=False, autofill=False
+)
+else:
+yield option.clone(
+attribute=True, query=True, required=False, autofill=False
+)
 if not self.extra_options_first:
 for option in super(Search, self).get_options():
 yield option
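Review bot: The keyword arguments attribute=True, query=True, required=False, autofill=False are now written out twice, once per branch, and can drift apart; build them once and choose only between clone and clone_retype. A comment at the isinstance test stating why Flag is retyped for searches (it is always autofill) would save the next reader a trip to the ticket.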
diff --git a/ipalib/parameters.py b/ipalib/parameters.py
index 5c386c3..128c8a4 100644
--- a/ipalib/parameters.py
+++ b/ipalib/parameters.py
@@ -585,9 +585,15 @@ class Param(ReadOnly):
 """
 Return a new `Param` instance similar to this one, but named differently
 """
+return self.clone_retype(name, self.__class__, **overrides)
+
+def clone_retype(self, name, klass, **overrides):
+"""
+Return a new `Param` instance similar to this one, but of a different type
+"""
 kw = dict(self.__clonekw)
 kw.update(overrides)
-return self.__class__(name, *self.rules, **kw)
+return klass(name, *self.rules, **kw)
 
 def normalize(self, value):
 """
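Review bot: clone_retype forwards self.rules and every saved keyword argument unchanged to klass, so it only works when the target type accepts all of them; the docstring should state that restriction, or the method should filter the arguments against what klass accepts. The docstring also does not mention that name is required.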
-- 
1.7.1.1


[Freeipa-devel] [PATCH] Make it impossible to add an object as a member of itself in webUI.

2011-01-05 Thread Pavel Zuna

Ticket #700

Pavel
From 793314369f6587fa1819a17bb0b196e09939c3f3 Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Wed, 5 Jan 2011 09:31:02 -0500
Subject: [PATCH] Make it impossible to add an object as a member of itself in webUI.

Ticket #700
---
 install/static/associate.js |5 -
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/install/static/associate.js b/install/static/associate.js
index 6517cca..60e7c09 100644
--- a/install/static/associate.js
+++ b/install/static/associate.js
@@ -164,9 +164,12 @@ function ipa_association_adder_dialog(spec) {
 var results = data.result;
 that.clear_available_values();
 
+var pkey_attr = IPA.metadata[that.entity_name].primary_key;
+
 for (var i=0; i___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] Improvements to enrollments in the webUI.

2011-01-04 Thread Pavel Zuna
The patch is a bit bigger and more complex, so I expect this to be the first 
shot at it.


There are some places where we need to handle localization better and be more 
generic when it comes to non-standard relationships like 'enrolledby' etc., but 
that can be done later. (I put a few TODOs in the code.)


Anyway, here's the changelog for this patch:

- Enrollment links in the action panel are now sorted by relationships.
- You can only enroll members.
  (The webUI made the impression you can enroll parents as well, but it was
   broken.)
- When enrolling new members, you can choose not to display already enrolled
  ones. (On by default.)
- Couple cosmetic changes.

IT DEPENDS ON MY PATCH NUMBER 54 (Improve filtering of enrollments search 
results.)


Pavel
From 830c2c5f2780b461f62509ae044c82da76607dc3 Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Tue, 4 Jan 2011 15:21:18 -0500
Subject: [PATCH 2/2] Improvements to enrollments in the webUI.

TAKE 1

- Enrollment links in the action panel are now sorted by relationships.
- You can only enroll members.
  (The webUI made the impression you can enroll parents as well, but it was
   broken.)
- When enrolling new members, you can choose not to display already enrolled
  ones. (On by default.)
- Couple cosmetic changes.
---
 install/static/associate.js |   72 +++
 install/static/entity.js|   45 --
 install/static/group.js |9 +-
 install/static/ipa.css  |   10 +-
 install/static/widget.js|   21 
 5 files changed, 124 insertions(+), 33 deletions(-)

diff --git a/install/static/associate.js b/install/static/associate.js
index 66db171..6517cca 100644
--- a/install/static/associate.js
+++ b/install/static/associate.js
@@ -140,6 +140,7 @@ function ipa_association_adder_dialog(spec) {
 that.entity_name = spec.entity_name;
 that.pkey = spec.pkey;
 that.other_entity = spec.other_entity;
+that.attribute_member = spec.attribute_member;
 
 that.init = function() {
 if (!that.columns.length) {
@@ -152,6 +153,9 @@ function ipa_association_adder_dialog(spec) {
 });
 }
 
+/* FIXME: event not firing? */
+$('input[name=hidememb]', that.container).click(that.search);
+
 that.adder_dialog_init();
 };
 
@@ -166,7 +170,31 @@ function ipa_association_adder_dialog(spec) {
 }
 }
 
-ipa_cmd('find', [that.get_filter()], {'all': true}, on_success, null, that.other_entity);
+var hide_checkbox = $('input[name=hidememb]', that.container);
+
+var options = {'all': true};
+if (hide_checkbox.attr('checked')) {
+var relationships = IPA.metadata[that.other_entity].relationships;
+
+/* TODO: better generic handling of different relationships! */
+var other_attribute_member = '';
+if (that.attribute_member == 'member')
+other_attribute_member = 'memberof';
+else if (that.attribute_member == 'memberuser')
+other_attribute_member = 'memberof';
+else if (that.attribute_member == 'memberhost')
+other_attribute_member = 'memberof';
+else if (that.attribute_member == 'memberof')
+other_attribute_member = 'member';
+
+var relationship = relationships[other_attribute_member];
+if (relationship) {
+var param_name = relationship[2] + that.entity_name;
+options[param_name] = that.pkey;
+}
+}
+
+ipa_cmd('find', [that.get_filter()], options, on_success, null, that.other_entity);
 };
 
 that.association_adder_dialog_init = that.init;
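Review bot: When that.attribute_member matches none of the four names in the if/else chain, other_attribute_member stays '' and relationships[''] is undefined, so the filter behind the hidememb checkbox is silently skipped. Three of the branches map to the same 'memberof'; a small lookup object with an explicit fallback would be shorter, and relationship[2] needs a comment saying which element of the relationship it is.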
@@ -234,6 +262,7 @@ function ipa_association_table_widget(spec) {
 var that = ipa_table_widget(spec);
 
 that.other_entity = spec.other_entity;
+that.attribute_member = spec.attribute_member;
 
 that.associator = spec.associator || bulk_associator;
 that.add_method = spec.add_method || 'add_member';
@@ -398,7 +427,8 @@ function ipa_association_table_widget(spec) {
 'title': title,
 'entity_name': that.entity_name,
 'pkey': pkey,
-'other_entity': that.other_entity
+'other_entity': that.other_entity,
+'attribute_member': that.attribute_member,
 });
 };
 
@@ -513,6 +543,8 @@ function ipa_association_facet(spec) {
 var that = ipa_facet(spec);
 
 that.other_entity = spec.other_entity;
+that.facet_group = spec.facet_group;
+that.attribute_member = spec.attribute_member;
 
 that.associator = spec.associator || bulk_associator;
 that.add_method = 

[Freeipa-devel] [PATCH] Improve filtering of enrollments search results.

2011-01-04 Thread Pavel Zuna

This is required for effective filtering of enrollments search
results in the webUI and also gives an edge to the CLI.

After this patch, each LDAPObject can define its relationships
to other LDAPObjects. For now, this is used only for filtering
search results by enrollments, but there are probably more
benefits to come.

You can do this for example:

# search for all users not enrolled in group admins
ipa user-find --not-in-groups=admins

# search for all groups not enrolled in group global with user Pavel
ipa group-find --users=Pavel --not-in-groups=global

# more examples:
ipa group-find --users=Pavel,Jakub --no-users=Honza
ipa hostgroup-find --hosts=webui.pzuna

Pavel
From 19975e5e2ceb3a3f9fd18be0f3fafe8f42aa626c Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Tue, 4 Jan 2011 15:15:54 -0500
Subject: [PATCH 1/2] Improve filtering of enrollments search results.

This is required for effective filtering of enrollments search
results in the webUI and also gives an edge to the CLI.

After this patch, each LDAPObject can define its relationships
to other LDAPObjects. For now, this is used only for filtering
search results by enrollments, but there are probably more
benefits to come.

You can do this for example:

# search for all users not enrolled in group admins
ipa user-find --not-in-groups=admins

# search for all groups not enrolled in group global with user Pavel
ipa group-find --users=Pavel --not-in-groups=global

# more examples:
ipa group-find --users=Pavel,Jakub --no-users=Honza
ipa hostgroup-find --hosts=webui.pzuna
---
 ipalib/plugins/baseldap.py  |   57 ---
 ipalib/plugins/group.py |2 +-
 ipalib/plugins/host.py  |7 -
 ipalib/plugins/hostgroup.py |2 +-
 ipalib/plugins/netgroup.py  |   11 +++-
 ipalib/plugins/user.py  |2 +
 6 files changed, 68 insertions(+), 13 deletions(-)

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 1cd181c..d38da89 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -234,6 +234,15 @@ class LDAPObject(Object):
 rdnattr = None
 # Can bind as this entry (has userPassword or krbPrincipalKey)
 bindable = False
+relationships = {
+# attribute: (label, inclusive param prefix, exclusive param prefix)
+'member': ('Member', '', 'no_'),
+'memberof': ('Parent', 'in_', 'not_in_'),
+'memberindirect': (
+'Indirect Member', None, 'no_indirect_'
+),
+}
+label = _('Entry')
 
 container_not_found_msg = _('container entry (%(container)s) not found')
 parent_not_found_msg = _('%(parent)s: %(oname)s not found')
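Review bot: The relationship labels 'Member', 'Parent' and 'Indirect Member' are plain strings while label = _('Entry') just below is wrapped for translation; wrap them in _() as well. The 'memberindirect' entry uses None as its inclusive prefix where the others use a string, so every consumer of this tuple has to special-case it, and the comment should say what None means.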
@@ -343,7 +352,7 @@ class LDAPObject(Object):
 'parent_object', 'container_dn', 'object_name', 'object_name_plural',
 'object_class', 'object_class_config', 'default_attributes', 'label',
 'hidden_attributes', 'uuid_attribute', 'attribute_members', 'name',
-'takes_params', 'rdn_attribute', 'bindable',
+'takes_params', 'rdn_attribute', 'bindable', 'relationships',
 )
 
 def __json__(self):
@@ -1195,7 +1204,8 @@ class LDAPSearch(CallbackInterface, crud.Search):
 Retrieve all LDAP entries matching the given criteria.
 """
 member_attributes = []
-member_param_doc = 'exclude %s with member %s (comma-separated list)'
+member_param_incl_doc = 'only %s with %s %s'
+member_param_excl_doc = 'only %s with no %s %s'
 
 takes_options = (
 Int('timelimit?',
@@ -1227,21 +1237,50 @@ class LDAPSearch(CallbackInterface, crud.Search):
 for attr in self.member_attributes:
 for ldap_obj_name in self.obj.attribute_members[attr]:
 ldap_obj = self.api.Object[ldap_obj_name]
-name = to_cli(ldap_obj_name)
-doc = self.member_param_doc % (
-self.obj.object_name_plural, ldap_obj.object_name_plural
+relationship = self.obj.relationships.get(
+attr, ['member', '', 'no_']
+)
+doc = self.member_param_incl_doc % (
+self.obj.object_name_plural, relationship[0].lower(),
+ldap_obj.object_name_plural
+)
+name = '%s%s' % (relationship[1], to_cli(ldap_obj_name))
+yield List(
+'%s?' % name, cli_name='%ss' % name, doc=doc,
+label=ldap_obj.object_name
+)
+doc = self.member_param_excl_d
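Review bot: name is built as '%s%s' % (relationship[1], to_cli(ldap_obj_name)) with no check on relationship[1], and the 'memberindirect' relationship defines that prefix as None, which would produce an option whose name starts with the text "None". Skip the inclusive option when the prefix is None. The fallback ['member', '', 'no_'] is also a list with a lowercase label where the class attribute uses tuples with capitalized labels.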

[Freeipa-devel] [PATCH] Fix webUI command parameters error on Fedora 14.

2010-12-22 Thread Pavel Zuna

Fixes the webUI on Fedora 14.

Pavel
From 219fda47a0ac0fc2edbd6c62f75ea43927913728 Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Wed, 22 Dec 2010 15:18:33 -0500
Subject: [PATCH] Fix webUI command parameters error on Fedora 14.

---
 ipalib/parameters.py |   10 +-
 1 files changed, 9 insertions(+), 1 deletions(-)

diff --git a/ipalib/parameters.py b/ipalib/parameters.py
index feccd7e..5c386c3 100644
--- a/ipalib/parameters.py
+++ b/ipalib/parameters.py
@@ -1014,7 +1014,7 @@ class Int(Number):
 """
 if type(value) in (int, long):
 return value
-if type(value) is unicode:
+if type(value) in (str, unicode):
 # permit floating point strings
 if value.find(u'.') >= 0:
 try:
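Review bot: Accepting str in the type test means value.find(u'.') now runs on byte strings; mixing a byte string with a unicode argument makes Python 2 decode the bytes as ASCII first, so a str with non-ASCII bytes raises UnicodeDecodeError instead of a ConversionError. Decode str input as UTF-8 before this test, the way the Str hunk in this patch does.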
@@ -1247,6 +1247,14 @@ class Str(Data):
 """
 if type(value) is self.type:
 return value
+if type(value) is str:
+try:
+return value.decode('utf-8')
+except UnicodeDecodeError:
+raise ConversionError(
+name=self.name, index=index,
+error=ugettext(self.scalar_error)
+)
 if type(value) in (int, float):
 return self.type(value)
 if type(value) in (tuple, list):
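Review bot: The new except branch calls ugettext(self.scalar_error), but nothing in the visible part of this method binds ugettext; confirm it is in scope here, otherwise the error path raises NameError instead of ConversionError. The commit message gives neither the failing input nor a ticket, which makes the str-versus-unicode cause hard to find later.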
-- 
1.7.3.3


[Freeipa-devel] [PATCH] Update built-in help for user (ipa help user) with info about username format.

2010-12-21 Thread Pavel Zuna
General talk about username format including username length and how to change 
it in ipa config.


Ticket #436

Pavel
From 6874f8d1ecc340832961b28b84b5140c65f6ca2b Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Tue, 21 Dec 2010 12:23:40 -0500
Subject: [PATCH 2/2] Update built-in help for user (ipa help user) with info about username format.

Ticket #436
---
 ipalib/plugins/user.py |6 ++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 6209754..e3228a1 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -22,6 +22,12 @@ Users
 
 Manage user entries. All users are POSIX users.
 
+IPA supports a wide range of username formats, but you need to be aware of any
+restrictions that may apply to your particular environment. For example,
+usernames that starts with a digit or usernames that exceed a certain length
+may cause problems for some UNIX systems.
+Use 'ipa config-mod' to change the username format allowed by IPA tools.
+
 Disabling a user account prevents that user from obtaining new Kerberos
 credentials. It does not invalidate any credentials that have already
 been issued.
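Review bot: "usernames that starts with a digit" should read "usernames that start with a digit". The text points to 'ipa config-mod' without naming the option that controls the username format; naming it would make the help actionable.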
-- 
1.7.1.1


[Freeipa-devel] [PATCH] Fix reporting of errors when validating parameters.

2010-12-21 Thread Pavel Zuna
Print the attribute CLI name instead of its 'real' name. The real name is 
usually the name of the corresponding LDAP attribute, which is confusing to the 
user.


 This way we get:

Invalid 'login': blablabla

instead of:

Invalid 'uid': blablabla


Another example:

Invalid 'hostname': blablabla

instead of:

Invalid 'fqdn': blablabla


Ticket #435

Pavel
From 8c6ef40f575399f3190ef077b26fd38ecb3a1c0e Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Tue, 21 Dec 2010 12:14:38 -0500
Subject: [PATCH 1/2] Fix reporting of errors when validating parameters.

Print the attribute CLI name instead of its 'real' name.
The real name is usually the name of the corresponding LDAP
attribute, which is confusing to the user.

This way we get:
Invalid 'login': blablabla
instead of:
Invalid 'uid': blablabla

Another example:
Invalid 'hostname': blablabla
instead of:
Invalid 'fqdn': blablabla

Ticket #435
---
 ipalib/parameters.py   |5 -
 ipalib/plugins/user.py |8 +++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/ipalib/parameters.py b/ipalib/parameters.py
index 955b979..feccd7e 100644
--- a/ipalib/parameters.py
+++ b/ipalib/parameters.py
@@ -748,8 +748,11 @@ class Param(ReadOnly):
 for rule in self.all_rules:
 error = rule(ugettext, value)
 if error is not None:
+name = self.cli_name
+if not name:
+name = self.name
 raise ValidationError(
-name=self.name,
+name=name,
 value=value,
 index=index,
 error=error,
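Review bot: This method now reports self.cli_name to every caller, not only the command line; clients that address parameters by their real name (the commit message's 'uid' and 'fqdn') receive a name they never sent. Consider doing the substitution where the CLI prints the error. The three added lines can also be written as name = self.cli_name or self.name.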
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index f76fbd6..6209754 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -227,7 +227,13 @@ class user_add(LDAPCreate):
 config = ldap.get_ipa_config()[1]
 if 'ipamaxusernamelength' in config:
 if len(keys[-1]) > int(config.get('ipamaxusernamelength')[0]):
-raise errors.ValidationError(name='uid', error=_('can be at most %(len)d characters' % dict(len = int(config.get('ipamaxusernamelength')[0]
+raise errors.ValidationError(
+name=self.obj.primary_key.cli_name, error=_(
+'can be at most %(len)d characters' % dict(
+len = int(config.get('ipamaxusernamelength')[0])
+)
+)
+)
 entry_attrs.setdefault('loginshell', config.get('ipadefaultloginshell'))
 # hack so we can request separate first and last name in CLI
 full_name = '%s %s' % (entry_attrs['givenname'], entry_attrs['sn'])
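Review bot: In the new ValidationError call the % interpolation still happens inside _(), so gettext is asked to look up the already formatted string (for example 'can be at most 32 characters') and no catalogue entry will match. Move the % dict(len=...) outside the _() call. Also, self.obj.primary_key.cli_name is used without the fallback to .name that the parameters.py hunk adds, so the two paths can report different names when cli_name is unset.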
-- 
1.7.1.1


[Freeipa-devel] [PATCH] Fix the mod operations.

2010-12-21 Thread Pavel Zuna

*-mod operations were not functioning properly after the recent 'rename' patch.

Pavel
>From 4f59a29a7f16a4dbdb8a39766968102a21fae1ed Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Tue, 21 Dec 2010 16:17:28 +0100
Subject: [PATCH] Fix the mod operations.

---
 ipalib/plugins/baseldap.py |1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index f8e5445..d91fd93 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -711,6 +711,7 @@ class LDAPUpdate(LDAPQuery, crud.Update):
 def _get_rename_option(self):
 rdnparam = getattr(self.obj.params, self.obj.rdnattr)
 return rdnparam.clone_rename('rename', cli_name='rename',
+required=False, label=_('Rename'),
 doc=_('Rename the %s object' % self.obj.object_name))
 
 def get_options(self):
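Review bot: The commit message has no body, so it is not recorded which failure required=False on the cloned rename option fixes; the mail only says that *-mod operations were not functioning properly. State what broke in the message and add a test that runs a *-mod command without the rename option. Separately, the doc= line just below the addition interpolates object_name inside _(), which prevents that string from being translated.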
-- 
1.7.3.3


[Freeipa-devel] [PATCH] Introduce new env variable, enable_dns=True, if IPA is managing DNS.

2010-12-09 Thread Pavel Zuna

if api.env.enable_dns:
    print "DNS is managed by IPA"



ipa env | grep "enable_dns: True" > /dev/null && echo "DNS is managed by IPA"



Ticket #600

Pavel
>From d6031a2bbb1bb5d4b0520d6d56fc4716c3ef2242 Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Thu, 9 Dec 2010 13:10:36 -0500
Subject: [PATCH] Introduce new env variable. enable_dns=True, if IPA is managing DNS.

Ticket #600
---
 install/tools/ipa-server-install |5 -
 ipalib/constants.py  |1 +
 2 files changed, 5 insertions(+), 1 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index bed9add..6785acd 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -488,7 +488,8 @@ def main():
 cfg = dict(
 context='installer',
 in_server=True,
-debug=options.debug
+debug=options.debug,
+enable_dns=options.setup_dns,
 )
 
 if options.uninstall:
@@ -677,6 +678,8 @@ def main():
 fd.write("enable_ra=True\n")
 if not options.selfsign:
 fd.write("ra_plugin=dogtag\n")
+if options.setup_dns:
+fd.write("enable_dns=True\n")
 fd.close()
 
 api.bootstrap(**cfg)
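Review bot: enable_dns=True is written to the config file only in this install path when options.setup_dns is set, and nothing in the patch updates or removes the line later, so the flag records what was requested at install time rather than whether DNS is currently managed. Document that meaning next to the DEFAULT_CONFIG entry, or set the flag from the step that actually configures DNS, so that code branching on api.env.enable_dns does not act on a stale value.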
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 32c6450..d0ab9fb 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -139,6 +139,7 @@ DEFAULT_CONFIG = (
 # Enable certain optional plugins:
 ('enable_ra', False),
 ('ra_plugin', 'selfsign'),
+('enable_dns', False),
 
 # 
 #  The remaining keys are never set from the values here!
-- 
1.7.1.1


Re: [Freeipa-devel] [PATCH] Enable filtering search results by member attributes.

2010-12-09 Thread Pavel Zuna

On 12/08/2010 08:30 PM, Rob Crittenden wrote:

Pavel Zůna wrote:

On 2010-11-30 04:06, Rob Crittenden wrote:

Pavel Zůna wrote:

LDAPSearch base class has now the ability to generate additional
options for objects with member attributes. These options are
used to filter search results - search only for objects without
the specified members.

Any class that extends LDAPSearch can benefit from this functionality.
This patch enables it for the following objects:
group, netgroup, rolegroup, hostgroup, taskgroup

Example:
ipa group-find --no-users=admin

Only direct members are taken into account, but if we need indirect
members as well - it's not a problem.

Ticket #288

Pavel


This works as advertised but I wonder what would happen if a huge list
of members was passed in to ignore. Is there a limit on the search
filter size (remember that the member will be translated into a full dn
so will quickly grow in size).

Should we impose a configurable limit on the # of members to be excluded?

Is there a max search filter size and should we check that we haven't
exceeded that before doing a search?

rob


I tried it out with more than 1000 users and was getting an unwilling
to perform error (search filter nested too deep).

After a little bit of investigation, I figured the filter was being
generated like this:

(&(&(!(a=v))(!(a2=v2

We were going deeper with each additional DN!

I updated the patch to generate the filter like this instead:

(!(|(a=v)(a2=v2)))

Tried it again with more than 1000 users (~55Kb) - it worked and wasn't
even slow.

Updated patch attached.

I also had to fix a bug in ldap2 filter generator, as a result this
patch depends on my patch number 43.

Pavel


You'll need to rebase this against master but otherwise ACK.

It might be a small optimization to de-dupe the no-users list but it
isn't a priority.

rob


Re-based patch attached.

Pavel
>From 871b9d2b52175a4209ba2d8bdb12fcc019d871e9 Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Thu, 2 Dec 2010 19:24:11 -0500
Subject: [PATCH] Enable filtering search results by member attributes.

LDAPSearch base class has now the ability to generate additional
options for objects with member attributes. These options are
used to filter search results - search only for objects without
the specified members.

Example:
ipa group-find --no-users=admin

Only direct members are taken into account.

Ticket #288
---
 ipalib/plugins/baseldap.py  |   34 +-
 ipalib/plugins/group.py |2 ++
 ipalib/plugins/hostgroup.py |2 +-
 ipalib/plugins/netgroup.py  |1 +
 4 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 6b7153b..9635f41 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -1124,6 +1124,9 @@ class LDAPSearch(CallbackInterface, crud.Search):
 """
 Retrieve all LDAP entries matching the given criteria.
 """
+member_attributes = []
+member_param_doc = 'exclude %s with member %s (comma-separated list)'
+
 takes_options = (
 Int('timelimit?',
 label=_('Time Limit'),
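Review bot: member_param_doc is a plain string, so the option help built from it in get_options will not be translated, while the neighbouring label strings go through _(). Mark it for translation and interpolate after the lookup. member_attributes = [] is also a mutable class attribute shared by every LDAPSearch subclass that does not override it; an empty tuple avoids accidental in-place edits.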
@@ -1151,6 +1154,33 @@ class LDAPSearch(CallbackInterface, crud.Search):
 def get_options(self):
 for option in super(LDAPSearch, self).get_options():
 yield option
+for attr in self.member_attributes:
+for ldap_obj_name in self.obj.attribute_members[attr]:
+ldap_obj = self.api.Object[ldap_obj_name]
+name = to_cli(ldap_obj_name)
+doc = self.member_param_doc % (
+self.obj.object_name_plural, ldap_obj.object_name_plural
+)
+yield List('no_%s?' % name, cli_name='no_%ss' % name, doc=doc,
+   label=ldap_obj.object_name)
+
+def get_member_filter(self, ldap, **options):
+filter = ''
+for attr in self.member_attributes:
+for ldap_obj_name in self.obj.attribute_members[attr]:
+param_name = 'no_%s' % to_cli(ldap_obj_name)
+if param_name in options:
+dns = []
+ldap_obj = self.api.Object[ldap_obj_name]
+for pkey in options[param_name]:
+dns.append(ldap_obj.get_dn(pkey))
+flt = ldap.make_filter_from_attr(
+attr, dns, ldap.MATCH_NONE
+)
+filter = ldap.combine_filters(
+(filter, flt), ldap.MATCH_ALL
+)
+return filter
 
 has_output_params = global_output_params
 
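Review bot: get_member_filter puts one DN into the filter for every value in options[param_name] with no upper bound and no de-duplication, so the size of the search filter is controlled entirely by the caller. The thread already showed the server refusing an over-nested filter with more than 1000 users; add a configurable cap on the number of excluded members and de-duplicate the list before calling make_filter_from_attr. The local name filter also shadows the builtin.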
@@ -1192,8 +1222,10 @@ class LDAPSearch(CallbackInterface, crud.Search):
 search_kw[a] = term
 term_filter = ldap.make_filter(search_kw, exact=False)
 
+

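The two filter shapes from Pavel's reply above, as an added example that is not part of the original mails or of FreeIPA's code: it builds both forms for the same member list and measures the nesting depth, which grows with every excluded DN in the first form and stays constant in the second. The function names, the max_values cap and the sample DNs are constructed for illustration.

```python
# Added example, not FreeIPA code: the two exclusion-filter shapes from the thread.

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_value(value):
    """Escape an assertion value so it cannot change the filter's structure."""
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def nested_exclusion(attr, values):
    """First shape in the thread: every value wraps the filter in another (&...)."""
    flt = ''
    for value in values:
        term = '(!(%s=%s))' % (attr, escape_value(value))
        flt = '(&%s%s)' % (flt, term) if flt else term
    return flt


def flat_exclusion(attr, values, max_values=2000):
    """Second shape: one (!(|...)) around all values, de-duplicated and capped.

    max_values is a hypothetical limit, standing in for the configurable
    cap asked about in the review.
    """
    unique = list(dict.fromkeys(values))  # drop duplicates, keep order
    if len(unique) > max_values:
        raise ValueError('too many excluded members: %d' % len(unique))
    if not unique:
        return ''
    terms = ''.join('(%s=%s)' % (attr, escape_value(v)) for v in unique)
    return '(!(|%s))' % terms


def nesting_depth(flt):
    """Deepest parenthesis level. Literal parentheses in values are escaped,
    so every '(' left in the string is structural."""
    depth = deepest = 0
    for ch in flt:
        if ch == '(':
            depth += 1
            deepest = max(deepest, depth)
        elif ch == ')':
            depth -= 1
    return deepest


def constructed_member_dns(count):
    """Constructed sample DNs; the suffix dc=example,dc=com is an assumption."""
    return ['uid=user%d,cn=users,cn=accounts,dc=example,dc=com' % i
            for i in range(count)]


if __name__ == '__main__':
    dns = constructed_member_dns(1200)
    for build in (nested_exclusion, flat_exclusion):
        flt = build('member', dns)
        print('%-17s depth=%-5d bytes=%d'
              % (build.__name__, nesting_depth(flt), len(flt)))
```
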
[Freeipa-devel] [PATCH] Fix default attributes in config plugin (ipadefaultemaildomain).

2010-12-07 Thread Pavel Zuna

Fixes an attribute name mismatch in the config plugin.

Ticket #573

Pavel
>From d98843a980331e9b8173a6eba228fa393b04e350 Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Sun, 5 Dec 2010 03:26:52 -0500
Subject: [PATCH] Fix default attributes in config plugin (ipadefaultemaildomain).

Ticket #573
---
 ipalib/plugins/config.py |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index 79db77e..a56b667 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -66,7 +66,7 @@ class config(LDAPObject):
 object_name = 'configuration options'
 default_attributes = [
 'ipamaxusernamelength', 'ipahomesrootdir', 'ipadefaultloginshell',
-'ipadefaultprimarygroup', 'ipadefaultdomain', 'ipasearchtimelimit',
+'ipadefaultprimarygroup', 'ipadefaultemaildomain', 'ipasearchtimelimit',
 'ipasearchrecordslimit', 'ipausersearchfields', 'ipagroupsearchfields',
 'ipamigrationenabled', 'ipacertificatesubjectbase',
 ]
-- 
1.7.1.1


Re: [Freeipa-devel] [PATCH] Error message handling in HBAC module

2010-11-29 Thread Pavel Zuna

On 11/29/2010 11:20 AM, Jan Zelený wrote:

This patch contains a part of my original 0008 patch. The rest of it is solved
differently (see my patch 0010).




ACK.

Pavel



[Freeipa-devel] [PATCH] Prompt correctly for required Password params.

2010-11-24 Thread Pavel Zuna
Required Password params were prompted for like any other non-Password params, 
resulting in the password being displayed on the command line and there was no 
confirmation.


Ticket #361

Pavel
>From f8451a7b94f226f3e5b4181f464de52e2dfbad2d Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Wed, 24 Nov 2010 08:01:31 -0500
Subject: [PATCH] Prompt correctly for required Password params.

Ticket #361
---
 ipalib/cli.py |   23 +--
 1 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/ipalib/cli.py b/ipalib/cli.py
index 41bee7a..3120e01 100644
--- a/ipalib/cli.py
+++ b/ipalib/cli.py
@@ -515,7 +515,7 @@ class textui(backend.Backend):
 try:
 if sys.stdin.isatty():
 while True:
-pw1 = getpass.getpass('%s: ' % label)
+pw1 = getpass.getpass(u'%s: ' % unicode(label))
 pw2 = getpass.getpass(
 unicode(_('Enter %(label)s again to verify: ') % dict(label=label))
 )
@@ -887,16 +887,15 @@ class cli(backend.Executioner):
 ``self.env.prompt_all`` is ``True``, this method will prompt for any
 params that have a missing values, even if the param is optional.
 """
-for param in cmd.params():
-if param.password and (
-kw.get(param.name, False) is True or param.name in cmd.args
-):
-kw[param.name] = \
-self.Backend.textui.prompt_password(param.cli_name)
-elif param.name not in kw:
-if param.autofill:
+for param in cmd.params(): 
+if (param.required and param.name not in kw) or self.env.prompt_all:
+if param.password:
+kw[param.name] = self.Backend.textui.prompt_password(
+param.label
+)
+elif param.autofill:
 kw[param.name] = param.get_default(**kw)
-elif param.required or self.env.prompt_all:
+else:
 default = param.get_default(**kw)
 error = None
 while True:
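Review bot: With the new condition (param.required and param.name not in kw) or self.env.prompt_all, setting prompt_all makes the branch run for params that are already in kw, so values given on the command line are prompted for again and overwritten; the old code only reached this point under elif param.name not in kw, and the docstring above speaks of missing values. The autofill branch has moved under the same condition, so optional autofill params that are not in kw no longer get their default here. Suggest guarding the whole block with param.name not in kw and keeping autofill independent of required.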
@@ -910,6 +909,10 @@ class cli(backend.Executioner):
 break
 except ValidationError, e:
 error = e.error
+elif param.password and kw.get(param.name, False) is True:
+kw[param.name] = self.Backend.textui.prompt_password(
+param.label
+)
 
 def load_files(self, cmd, kw):
 """
-- 
1.7.1.1


Re: [Freeipa-devel] [PATCH] Rename parent LDAPObject pkeys in child LDAPObject methods.

2010-11-24 Thread Pavel Zuna

On 11/19/2010 04:23 PM, Jakub Hrozek wrote:

On Tue, Nov 09, 2010 at 04:55:50AM +0100, Pavel Zůna wrote:

If the parent and child entries have the same attribute as primary
key (such as in the DNS schema), we need to rename the parent key
to prevent a param name conflict. It has no side effects, because
the primary key name is always taken from the LDAPObject params,
never from the method params.

Pavel


Would you mind rebasing the patch on top of Rob's 593 which is already
acked (not pushed yet as of now).

 Jakub



Rebased patch number 35 attached - required by the new DNS plugin.

Pavel
>From 6325523e8b01fe64ff24dbc1cd2fcb62038a56e3 Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Mon, 8 Nov 2010 22:36:04 -0500
Subject: [PATCH] Rename parent LDAPObject pkeys in child LDAPObject methods.

If the parent and child entries have the same attribute as primary
key (such as in the DNS schema), we need to rename the parent key
to prevent a param name conflict. It has no side effects, because
the primary key name is always taken from the LDAPObject params,
never from the method params.
---
 ipalib/plugins/baseldap.py |6 +-
 1 files changed, 5 insertions(+), 1 deletions(-)

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 8f723b9..7039f1c 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -232,7 +232,11 @@ class LDAPObject(Object):
 for key in parent_obj.get_ancestor_primary_keys():
 yield key
 if parent_obj.primary_key:
-yield parent_obj.primary_key.clone(query=True)
+pkey = parent_obj.primary_key
+yield pkey.__class__(
+parent_obj.name + pkey.name, required=True, query=True,
+cli_name=parent_obj.name, label=pkey.label
+)
 
 def has_objectclass(self, classes, objectclass):
 oc = map(lambda x:x.lower(),classes)
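Review bot: Building the parent key with pkey.__class__(...) passes only the name, required, query, cli_name and label, so anything else set on the parent's primary key (doc, normalizer, validation rules) is dropped, where the removed clone(query=True) carried it over. Parent key values given to child commands would then skip the parent's normalization and validation. Prefer a clone that overrides only the name and cli_name. The new name parent_obj.name + pkey.name also has no separator, which makes collisions with existing param names harder to rule out.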
-- 
1.7.1.1


Re: [Freeipa-devel] [PATCH] Add new version of DNS plugin: complete rework with baseldap + unit tests.

2010-11-24 Thread Pavel Zuna

On 11/24/2010 03:26 AM, Adam Young wrote:

On 11/23/2010 09:37 AM, Pavel Zuna wrote:

Finally managed to rewrite the DNS plugin again. Sorry, it took so
long, we had training in the office and I also had a nasty bug in
baseldap.py I couldn't find.

Anyway, this version has it all:
- changes we agreed on meeting, the "resource" abstraction is gone and
we now only have zones and records = adding new record automatically
updates an existing entry or creates it if it wasn't there and
deleting the last record deletes the whole entry - all of it
transparent to the user
- unit tests
- ipa help documentation

Fixes tickets:
#36
#450

I also closed bug #654412.

It has a new patch sequence number, because it depends on another
patch with a higher number and didn't want to create forward
dependencies.

Depends on my patches number:
35 (will repost if needed)
38 (posted a while ago on freeipa-devel)

Pavel




I keep getting an error when doing simple things like install and ipa help:
[ayo...@ipa freeipa]$ ./ipa help dns2
ipa: ERROR: AttributeError: cannot override NameSpace.idnsname value
Str('idnsname', cli_name='name', doc=Gettext('Zone name (FQDN)',
domain='ipa', localedir=None), label=Gettext('Zone name', domain='ipa',
localedir=None), multivalue=False, normalizer=,
primary_key=True, query=True, required=True) with Str('idnsname',
attribute=True, cli_name='name', doc=Gettext('Record name',
domain='ipa', localedir=None), label=Gettext('Record name',
domain='ipa', localedir=None), multivalue=False, primary_key=True,
query=True, required=True)
Traceback (most recent call last):
File "/home/ayoung/devel/freeipa/ipalib/cli.py", line 962, in run
api.finalize()
File "/home/ayoung/devel/freeipa/ipalib/plugable.py", line 615, in finalize
p.instance.finalize()
File "/home/ayoung/devel/freeipa/ipalib/frontend.py", line 724, in finalize
self._create_param_namespace('args')
File "/home/ayoung/devel/freeipa/ipalib/frontend.py", line 350, in
_create_param_namespace
sort=False
File "/home/ayoung/devel/freeipa/ipalib/base.py", line 407, in __init__
(self.__class__.__name__, name, self.__map[name], member)
AttributeError: cannot override NameSpace.idnsname value Str('idnsname',
cli_name='name', doc=Gettext('Zone name (FQDN)', domain='ipa',
localedir=None), label=Gettext('Zone name', domain='ipa',
localedir=None), multivalue=False, normalizer=,
primary_key=True, query=True, required=True) with Str('idnsname',
attribute=True, cli_name='name', doc=Gettext('Record name',
domain='ipa', localedir=None), label=Gettext('Record name',
domain='ipa', localedir=None), multivalue=False, primary_key=True,
query=True, required=True)
ipa: ERROR: an internal error has occurred



That's because you need my patch number 35 for it to work...

Pavel



Re: [Freeipa-devel] [PATCH] Change signature of LDAPSearch.pre_callback.

2010-11-23 Thread Pavel Zuna

On 11/23/2010 03:29 PM, Pavel Zuna wrote:

Add the opportunity to change base DN and scope in the callback.

This makes the callback a lot more powerful, because it enables the
plugin author to broaden or completely change the search location.

Pavel




Just noticed that this patch also fixes the "ipa plugins" command. Meant to be 
in a separate patch, but it ended up here by accident.


Pavel



[Freeipa-devel] [PATCH] Generate better DuplicateEntry error message in LDAPCreate.

2010-11-23 Thread Pavel Zuna

DuplicateEntry error messages generated by LDAPCreate are now detailed like 
this:
ipa: ERROR: user with name "testuser" already exists

Solves ticket #530.

It works for everything, not just the objects described in this ticket.

Pavel
>From 26c1ac1a4f05c7fd53e6ec48af42430195491277 Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Tue, 23 Nov 2010 09:14:03 -0500
Subject: [PATCH 3/3] Generate better DuplicateEntry error messages in LDAPCreate.

Ticket #530
---
 ipalib/plugins/baseldap.py |   19 +--
 1 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index d38131a..7039f1c 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -266,6 +266,16 @@ class LDAPObject(Object):
 }
 )
 
+def handle_duplicate_entry(self, *keys):
+pkey = ''
+if self.primary_key:
+pkey = keys[-1]
+raise errors.DuplicateEntry(
+message=self.already_exists_msg % {
+'pkey': pkey, 'oname': self.object_name,
+}
+)
+
 # list of attributes we want exported to JSON
 json_friendly_attributes = (
 'parent_object', 'container_dn', 'object_name', 'object_name_plural',
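Review bot: handle_duplicate_entry never handles anything, it always raises, so the name hides the control flow at both call sites; a name such as raise_duplicate_entry plus a one-line docstring would make that clear. When the object has no primary key, pkey stays '' and the message is formatted with an empty name, so already_exists_msg needs a variant for that case.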
@@ -412,12 +422,7 @@ class LDAPCreate(CallbackInterface, crud.Create):
 dn = self.obj.get_dn(*keys, **options)
 if self.obj.rdn_attribute:
 if not dn.startswith('%s=' % self.obj.primary_key.name):
-raise errors.DuplicateEntry(
-message=self.obj.already_exists_msg % {
-'oname': self.obj.object_name,
-'pkey': keys[-1],
-}
-)
+self.obj.handle_duplicate_entry(*keys)
 dn = ldap.make_dn(
 entry_attrs, self.obj.rdn_attribute, self.obj.container_dn
 )
@@ -463,6 +468,8 @@ class LDAPCreate(CallbackInterface, crud.Create):
 'container': self.obj.container_dn,
 }
 )
+except errors.DuplicateEntry:
+self.obj.handle_duplicate_entry(*keys)
 
 try:
 if self.obj.rdn_attribute:
-- 
1.7.1.1


[Freeipa-devel] [PATCH] Add new version of DNS plugin: complete rework with baseldap + unit tests.

2010-11-23 Thread Pavel Zuna
Finally managed to rewrite the DNS plugin again. Sorry, it took so long, we had 
training in the office and I also had a nasty bug in baseldap.py I couldn't find.


Anyway, this version has it all:
- changes we agreed on meeting, the "resource" abstraction is gone and we now 
only have zones and records = adding new record automatically updates an 
existing entry or creates it if it wasn't there and deleting the last record 
deletes the whole entry - all of it transparent to the user

- unit tests
- ipa help documentation

Fixes tickets:
#36
#450

I also closed bug #654412.

It has a new patch sequence number, because it depends on another patch with a 
higher number and didn't want to create forward dependencies.


Depends on my patches number:
35 (will repost if needed)
38 (posted a while ago on freeipa-devel)

Pavel
>From 9ff886618623abb7253956dc92e652361fe4076e Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Mon, 8 Nov 2010 22:34:14 -0500
Subject: [PATCH 2/3] Add new version of DNS plugin: complete rework with baseldap + unit tests.

Ticket #36
Ticket #450
---
 ipa.spec.in  |1 +
 ipalib/plugins/dns2.py   |  584 ++
 tests/test_xmlrpc/test_dns_plugin.py |  341 
 3 files changed, 926 insertions(+), 0 deletions(-)
 create mode 100644 ipalib/plugins/dns2.py
 create mode 100644 tests/test_xmlrpc/test_dns_plugin.py

diff --git a/ipa.spec.in b/ipa.spec.in
index 5a3ea2b..1225bb0 100644
--- a/ipa.spec.in
+++ b/ipa.spec.in
@@ -178,6 +178,7 @@ Requires: gnupg
 Requires: pyOpenSSL
 Requires: python-nss >= 0.9-8
 Requires: python-lxml
+Requires: python-netaddr
 
 %description python
 IPA is an integrated solution to provide centrally managed Identity (machine,
diff --git a/ipalib/plugins/dns2.py b/ipalib/plugins/dns2.py
new file mode 100644
index 000..2f72fec
--- /dev/null
+++ b/ipalib/plugins/dns2.py
@@ -0,0 +1,584 @@
+# Authors:
+#   Pavel Zuna 
+#
+# Copyright (C) 2010  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+"""
+Domain Name System (DNS)
+
+Manage DNS zone and resource records.
+
+EXAMPLES:
+
+ Add new zone:
+   ipa dnszone-add example.com --name_server nameserver.example.com
+   --admin_email ad...@example.com
+
+ edd second nameserver for example.com:
+   ipa dnsrecord-add example.com @ --ns-rec nameserver2.example.com
+
+ Delete previously added nameserver from example.com:
+   ipa dnsrecord-del example.com @ --ns-rec nameserver2.example.com
+
+ Add new A record for www.example.com: (random IP)
+   ipa dnsrecord-add example.com www --a-rec 80.142.15.2
+
+ Add new PTR record for www.example.com
+   ipa dnsrecord 15.142.80.in-addr.arpa 2 --ptr-rec www.example.com.
+
+ Show zone example.com:
+   ipa dnszone-show example.com
+
+ Find zone with "example" in it's domain name:
+   ipa dnszone-find example
+
+ Find records for resources with "www" in their name in zone example.com:
+   ipa dnsrecord-find example.com www
+
+ Find A records with value 10.10.0.1 in zone example.com
+   ipa dnsrecord-find example.com --a-rec 10.10.0.1
+
+ Show records for resource www in zone example.com
+   ipa dnsrecord-show example.com www
+
+ Delete zone example.com with all resource records:
+   ipa dnszone-del example.com
+
+ Resolve a host name to see if it exists (will add default IPA domain
+ if one is not included):
+   ipa dns-resolve www.example.com
+   ipa dns-resolve www
+
+"""
+
+import netaddr
+import time
+
+from ipalib import api, errors, output
+from ipalib import Command
+from ipalib import Flag, Int, List, Str, StrEnum
+from ipalib.plugins.baseldap import *
+from ipalib import _, ngettext
+from ipapython import dnsclient
+
+# supported resource record types
+_record_types = (
+u'A', u'', u'A6', u'AFSDB', u'APL', u'CERT', u'CNAME', u'DHCID', u'DLV',
+u'DNAME', u'DNSKEY', u'DS', u'HINFO', u'HIP', u'IPSECKEY', u'KEY', u'KX',
+u'LOC', u'MD', u'MINFO', u'MX', u'NAPTR', u'NS', u'
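Review bot: The module docstring is the text shown as help for the plugin, and its examples have errors: 'edd second nameserver' should read 'Add', the PTR example calls ipa dnsrecord without the -add suffix used in the other examples, and 'it's domain name' should be 'its'. Also, from ipalib.plugins.baseldap import * hides which names the plugin depends on; import them explicitly.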

[Freeipa-devel] [PATCH] Change signature of LDAPSearch.pre_callback.

2010-11-23 Thread Pavel Zuna

Add the opportunity to change base DN and scope in the callback.

This makes the callback a lot more powerful, because it enables the plugin 
author to broaden or completely change the search location.


Pavel
>From 22d9cc1184d410d89e5e51956a65b6fc0c862468 Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Tue, 23 Nov 2010 09:02:54 -0500
Subject: [PATCH 1/3] Change signature of LDAPSearch.pre_callback.

Add the opportunity to change base DN and scope in the callback.
---
 ipalib/plugins/baseldap.py |   19 ++-
 ipalib/plugins/group.py|4 ++--
 ipalib/plugins/host.py |4 ++--
 ipalib/plugins/misc.py |   10 ++
 ipalib/plugins/service.py  |7 ---
 ipalib/plugins/user.py |4 ++--
 6 files changed, 30 insertions(+), 18 deletions(-)

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 5dd8c9b..d38131a 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -1153,19 +1153,20 @@ class LDAPSearch(CallbackInterface, crud.Search):
 (term_filter, attr_filter), rules=ldap.MATCH_ALL
 )
 
+scope = ldap.SCOPE_ONELEVEL
 for callback in self.PRE_CALLBACKS:
 if hasattr(callback, 'im_self'):
-filter = callback(
-ldap, filter, attrs_list, base_dn, *args, **options
-)
+(filter, base_dn, scope) = callback(
+ldap, filter, attrs_list, base_dn, scope, *args, **options
+)
 else:
-filter = callback(
-self, ldap, filter, attrs_list, base_dn, *args, **options
+(filter, base_dn, scope) = callback(
+self, ldap, filter, attrs_list, base_dn, scope, *args, **options
 )
 
 try:
 (entries, truncated) = ldap.find_entries(
-filter, attrs_list, base_dn, scope=ldap.SCOPE_ONELEVEL,
+filter, attrs_list, base_dn, scope,
 time_limit=options.get('timelimit', None),
 size_limit=options.get('sizelimit', None)
 )
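Review bot: Every PRE_CALLBACK must now return a (filter, base_dn, scope) tuple, and the unpacking here will raise for any callback that still returns a bare filter string, so plugins not updated in this patch break at search time. Document the new return contract in the pre_callback docstring. Since a callback can now move the search to any base DN and widen the scope, the docstring should also say who is responsible for keeping the search inside the intended subtree.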
@@ -1173,7 +1174,7 @@ class LDAPSearch(CallbackInterface, crud.Search):
 try:
 (entries, truncated) = self._call_exc_callbacks(
 args, options, e, ldap.find_entries, filter, attrs_list,
-base_dn, scoope=ldap.SCOPE_ONELEVEL,
+base_dn, scope=ldap.SCOPE_ONELEVEL,
 normalize=self.obj.normalize_dn
 )
 except errors.NotFound:
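Review bot: The scoope typo is fixed, but this retry path still passes scope=ldap.SCOPE_ONELEVEL instead of the scope variable returned by the pre-callbacks, so a search whose callback widened the scope runs with a different scope when it is retried through _call_exc_callbacks. Pass scope=scope here.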
@@ -1199,8 +1200,8 @@ class LDAPSearch(CallbackInterface, crud.Search):
 truncated=truncated,
 )
 
-def pre_callback(self, ldap, filter, attrs_list, base_dn, *args, **options):
-return filter
+def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, **options):
+return (filter, base_dn, scope)
 
 def post_callback(self, ldap, entries, truncated, *args, **options):
 pass
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 5ecc72a..5db3c67 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -223,7 +223,7 @@ class group_find(LDAPSearch):
 ),
 )
 
-def pre_callback(self, ldap, filter, attrs_list, base_dn, *args, **options):
+def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, **options):
 # if looking for private groups, we need to create a new search filter,
 # because private groups have different object classes
 if options['private']:
@@ -243,7 +243,7 @@ class group_find(LDAPSearch):
 cflt = ldap.make_filter(search_kw, exact=False)
 
 filter = ldap.combine_filters((oflt, cflt), rules=ldap.MATCH_ALL)
-return filter
+return (filter, base_dn, scope)
 
 api.register(group_find)
 
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 2e77dd5..61ababe 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -437,11 +437,11 @@ class host_find(LDAPSearch):
 )
 member_attributes = ['managedby']
 
-def pre_callback(self, ldap, filter, attrs_list, base_dn, *args, **options):
+def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, **options):
 if 'locality' in attrs_list:
 attrs_list.remove('locality')
 attrs_list.append('l')
-return filter.replace('locality', 'l')
+return (filter.replace('locality', 'l'), base_dn, scope)
 
 def post_callback(self, ldap, entries, truncated, *args, **options):
 for entry in entries:
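Review bot: filter.replace('locality', 'l') rewrites every occurrence of the substring in the finished filter string, including inside search values, so a search term containing 'locality' is silently changed. Rename the attribute before the filter string is built, or match it only in attribute position.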
diff --git a/ipalib/plugins/misc.py b/ipalib/plugins/misc.py
index d66e696..d7529ca 100644
--- a/ipalib/plugins/misc.py
+++ b/ipalib/plugins/misc.py
@@ -109,6 +109,16 @@ class plugins(LocalOrRemote

Re: [Freeipa-devel] [PATCH] Add new version of DNS plugin: complete rework with baseldap + unit tests.

2010-11-10 Thread Pavel Zuna

On 11/09/2010 10:31 PM, Adam Young wrote:

On 11/08/2010 11:07 PM, Pavel Zůna wrote:

Finally, there it is. :)

I redesigned the whole thing to fit the baseldap model.

Here's some example on how it's used:

# create zone 'example.com'
# ipa dnszone-add example.com --name=ns.example.com
--admin=ad...@example.com

# create a resource in zone 'example.com' named 'machine1'
# (machine1.example.com) with A record 10.10.0.1
# ipa dnsres-add example.com machine1 --a-rec=10.10.0.1

# Add another A record to 'machine1' in 'example.com'
# ipa dnsres-add-record example.com machine1 --a-rec=10.10.0.2

# Remove one of the A records from 'machine1' in 'example.com'
# ipa dnsres-remove-record example.com machine1 --a-rec=10.10.0.1



The plugin is pretty complex and requires my patch number 35 to work.
There is a bunch of unit tests, so hopefully it won't be too much pain
to review.

You can use both dns and dns2 at the same time.

When dns2 is tested enough, it should replace the original dns plugin.

docstring (ipa help dns2) documentation will follow soon in a separate
patch.

Pavel




Note that it has the patch format issue where Thunderbird prepends a >
keeping git am from applying.  Also, patch name is reversed:  we had
standardized on freeipa_


Sorry about that, I'll make sure to use this convention for my future patches.




The lite server doesn't seem to want to respond to the new commands.  ipa
help dns2 brings up the right subset of helpstrings, but:


[ayo...@ipa freeipa]$ ./ipa  dnszone-find
ipa: ERROR: unknown command u'dnszone_find'

[ayo...@ipa freeipa]$ ./ipa  dnsres-find ayoung.boston.devel.redhat.com
ipa: ERROR: unknown command u'dnsres_find'




Just tested it on a clean clone of master and it works.

Check your configuration:
./ipa env | grep xmlrpc_uri

It should read: https://localhost:/ipa/xml

Otherwise you're not connecting to the lite-server, but to the installed server.

Pavel


Re: [Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.

2010-10-21 Thread Pavel Zuna

On 10/20/2010 11:42 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

On 10/14/2010 03:30 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

There was no default value set even though we were using config.get and
it was throwing exceptions if someone deleted one of the related config
values.

Pavel


Is this needed since get_ipa_config() will always return something for
time and search limits?

rob


Yes, because get_ipa_config will return defaults for time and search
limits only when the whole ipaConfig entry isn't found.

I reworked the patch, so that defaults are always returned by
get_ipa_config, but I left changes from the previous version, because it
doesn't hurt anything and is a (very little) bit safer.

New version attached.

Pavel


I see your point. One can do 'ipa config-mod --searchtimelimit=' and
blam, everything stops working. This still seems like a bit of a
cover-up fix for that. Should we prevent these attributes from being
removed?


We could do that, but it's always possible to delete the attribute using 
ldapmodify or some other tool.




rob


Pavel



Re: [Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.

2010-10-20 Thread Pavel Zuna

On 10/14/2010 03:30 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

There was no default value set even though we were using config.get and
it was throwing exceptions if someone deleted one of the related config
values.

Pavel


Is this needed since get_ipa_config() will always return something for
time and search limits?

rob


Yes, because get_ipa_config will return defaults for time and search limits only 
when the whole ipaConfig entry isn't found.


I reworked the patch, so that defaults are always returned by get_ipa_config, 
but I left changes from the previous version, because it doesn't hurt anything 
and is a (very little) bit safer.


New version attached.

Pavel


pzuna-freeipa-0033-2-limitdefaults.patch
Description: application/mbox

Re: [Freeipa-devel] [PATCH] Add flag to group-find to only search on private groups.

2010-10-20 Thread Pavel Zuna

On 10/14/2010 11:16 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

On 10/01/2010 02:47 PM, Pavel Zuna wrote:

Ticket #251

Pavel




New version of patch attached. This time it should work. :) I renamed
the flag from --privateonly to --private. Normal searches do not return
private groups at all, while searches with this flag only return private
groups.

Pavel


This works a lot better than the last patch. The code itself is fine,
I'd just ask that you add a test case for searching for private groups.
The test that is in this patch seems more geared for removing multiple
users at once (which is a good thing) but doesn't actually work without
this change:

--- a/tests/test_xmlrpc/test_user_plugin.py
+++ b/tests/test_xmlrpc/test_user_plugin.py
@@ -358,7 +358,7 @@ class test_user(Declarative):
loginshell=[u'/bin/sh'],
objectclass=objectclasses.user,
sn=[u'User2'],
- uid=[user1],
+ uid=[user2],
uidnumber=[fuzzy_digits],
ipauniqueid=[fuzzy_uuid],
dn=u'uid=tuser2,cn=users,cn=accounts,' + api.env.basedn,
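Review bot: the expected dn on the last context line still hardcodes `uid=tuser2` while the corrected line now uses the `user2` variable. Building the DN from `user2` (for example `u'uid=%s,cn=users,cn=accounts,%s' % (user2, api.env.basedn)`) keeps the two from drifting apart if the test login is ever renamed.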

So NACK for now but it's very close.

rob


Version 3 attached.

Added a test case for searching private groups and fixed user tests.

Pavel


pzuna-freeipa-0024-3-searchprvgroup.patch
Description: application/mbox

[Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.

2010-10-14 Thread Pavel Zuna
There was no default value set even though we were using config.get and it was 
throwing exceptions if someone deleted one of the related config values.


Pavel
>From 5dfda61f3995f4d5ae5813b7f70f2d2658a687f0 Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Thu, 14 Oct 2010 10:54:24 -0400
Subject: [PATCH 2/2] Add fail-safe defaults to time and size limits in ldap2 searches.

---
 ipaserver/plugins/ldap2.py |4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 096d3a3..1d18bbb 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -515,9 +515,9 @@ class ldap2(CrudBackend, Encoder):
 if time_limit is None or size_limit is None:
 (cdn, config) = self.get_ipa_config()
 if time_limit is None:
-time_limit = config.get('ipasearchtimelimit')[0]
+time_limit = config.get('ipasearchtimelimit', [-1])[0]
 if size_limit is None:
-size_limit = config.get('ipasearchrecordslimit')[0]
+size_limit = config.get('ipasearchrecordslimit', [0])[0]
 if not isinstance(size_limit, int):
 size_limit = int(size_limit)
 if not isinstance(time_limit, float):
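Review bot: the fallbacks on the two `+` lines, `[-1]` for `ipasearchtimelimit` and `[0]` for `ipasearchrecordslimit`, are the values that mean "no client-side limit" in python-ldap's search calls, so if they reach the search unchanged, a missing attribute makes every search that relies on the defaults run unbounded. That fails open: removing one config attribute lifts the limit instead of tripping an error. Consider falling back to conservative finite values and logging that the configured limit was missing, and add a test that deletes each attribute and checks the limits actually passed to the search.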
-- 
1.7.1.1


Re: [Freeipa-devel] [PATCH] Check if attribute is single-value before trying to add values to it.

2010-10-14 Thread Pavel Zuna

On 10/14/2010 12:01 AM, Rob Crittenden wrote:

Pavel Zuna wrote:

This patch adds a check in ldap2 for single-value attributes. DS doesn't
seem to care much about attributes being defined as SINGLE-VALUE except
for things like uidNumber and gidNumber (I suspect this is handled by
the DNA plugin).

Ticket #246

Pavel


This is similar to ticket 220 which I have a pending patch for (patch
552). I think both patches are valid but we should test them together to
be sure. Can you do that?

rob


I had to NACK your patch number 552, because the check was in the wrong place.

Both patches overlap in functionality, so I decided to merge them into a new 
version of my original patch.


I split the single-value check into two parts:

First part is in baseldap classes (LDAPCreate, LDAPUpdate) and it checks if 
we're not trying to add more values to a Param defined attribute, that is not 
flagged as multivalue.


Second part is in the ldap2 backend. It checks if we're not trying to add more 
values to an attribute, that is defined as SINGLE-VALUE in the schema. 
Unfortunately, it seems that python-ldap isn't capable of reporting the 
SINGLE-VALUE flag reliably and DS doesn't enforce it at all. In other words, 
this check is a bit weak, but still better than nothing.


I hope you don't mind I merged both patches, but it seemed simpler and we can 
knock out 2 tickets in one commit. :)


Ticket #230
Ticket #246

Pavel
>From adff41671b7f04f718085711401e7328390151ae Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Thu, 14 Oct 2010 13:05:43 -0400
Subject: [PATCH 1/2] Disallow RDN change and single-value bypass using setattr/addattr.

Merge of my original patch number 32 and Rob's patch number 552.

Ticket #230
Ticket #246
---
 ipalib/errors.py   |   33 -
 ipalib/frontend.py |2 +-
 ipalib/plugins/baseldap.py |   14 +-
 ipaserver/plugins/ldap2.py |   44 +++-
 4 files changed, 77 insertions(+), 16 deletions(-)

diff --git a/ipalib/errors.py b/ipalib/errors.py
index 42d43ce..db13a43 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -1162,7 +1162,7 @@ class DatabaseError(ExecutionError):
 """
 
 errno = 4203
-format = _('%(desc)s:%(info)s')
+format = _('%(desc)s: %(info)s')
 
 
 class LimitsExceeded(ExecutionError):
@@ -1195,6 +1195,37 @@ class ObjectclassViolation(ExecutionError):
 errno = 4205
 format = _('%(info)s')
 
+class NotAllowedOnRDN(ExecutionError):
+"""
+**4206** Raised when an RDN value is modified.
+
+For example:
+
+>>> raise NotAllowedOnRDN()
+Traceback (most recent call last):
+  ...
+NotAllowedOnRDN: modifying primary key is not allowed
+"""
+
+errno = 4206
+format = _('modifying primary key is not allowed')
+
+
+class OnlyOneValueAllowed(ExecutionError):
+"""
+**4207** Raised when trying to set more than one value to single-value attributes
+
+For example:
+
+>> raise OnlyOneValueAllowed(attr='ipasearchtimelimit')
+Traceback (most recent call last):
+  ...
+OnlyOneValueAllowed: ipasearchtimelimit: attribute is single-value
+"""
+
+errno = 4207
+format = _('%(attr)s: attribute is single-value')
+
 
 class CertificateError(ExecutionError):
 """
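Review bot: in the `OnlyOneValueAllowed` docstring the example starts with `>> raise OnlyOneValueAllowed(attr='ipasearchtimelimit')`, two angle brackets instead of the `>>>` prompt used in `NotAllowedOnRDN` just above, so doctest does not execute it and the documented message is never checked. Use `>>>`, and end the summary line ("... single-value attributes") with a period to match the `NotAllowedOnRDN` summary.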
diff --git a/ipalib/frontend.py b/ipalib/frontend.py
index c9c070d..96649d9 100644
--- a/ipalib/frontend.py
+++ b/ipalib/frontend.py
@@ -504,7 +504,7 @@ class Command(HasParam):
 a dictionary. The incoming attribute may be a string or
 a list.
 
-Any attribute found that is also a param is silently dropped.
+Any attribute found that is also a param is validated.
 
 append controls whether this returns a list of values or a single
 value.
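Review bot: the docstring now says an attribute that is also a param "is validated" instead of "silently dropped", but per the diffstat this one-line docstring edit is the only change to ipalib/frontend.py, so nothing visible here changes what the method does. Please confirm the method already validates such attributes (or include the code change in this patch), and add a test where setattr/addattr names an attribute that is also a param and carries an invalid value.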
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 2335a7a..caa616a 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -157,6 +157,14 @@ _attr_options = (
 ),
 )
 
+# addattr can cause parameters to have more than one value even if not defined
+# as multivalue, make sure this isn't the case
+def _check_single_value_attrs(params, entry_attrs):
+for (a, v) in entry_attrs.iteritems():
+if isinstance(v, (list, tuple)) and len(v) > 1:
+if a in params and not params[a].multivalue:
+raise errors.OnlyOneValueAllowed(attr=a)
+
 
 class CallbackInterface(Method):
 """
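Review bot: `_check_single_value_attrs` looks the attribute up with `a in params` using the key exactly as it appears in `entry_attrs`. LDAP attribute names are case-insensitive, so if a key can arrive with different capitalisation than the Param name, the lookup misses and the single-value check is skipped. Normalise the key (for example `a.lower()`) before the lookup and add a test that passes a mixed-case attribute name through addattr. The comment above the function would also read better as a docstring.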
@@ -277,6 +285,8 @@ class LDAPCreate(CallbackInterface, crud.Create):
 self, ldap, dn, entry_attrs, attrs_list, *keys, **options
 )
 
+_check_single_value_attrs(self.params, entry_attrs)
+
 try:
 ldap.add_entry(dn

Re: [Freeipa-devel] [PATCH] 552 handle setattr/addattr better

2010-10-14 Thread Pavel Zuna

On 09/29/2010 11:03 PM, Rob Crittenden wrote:

When doing an addattr check to see if we are creating a multi-value
attribute and see if that is allowed by the Param and/or the attribute
in the schema (SINGLE-VALUE).

Pavel, check my fix in the exception callback. It was passing attrs_list
but that isn't set until later. I decided to send an empty list instead.

Also catch RDN update exceptions and return an error about primary keys
(which this essentially means).

ticket 230

rob


NACK.

The patch isn't all bad, but the single-value check is in the wrong place. As a 
result, it only applies when someone tries to add a new value to attributes 
already present in the original entry. It won't fire when someone is trying to 
add more than one value if there was none before and it also won't fire when 
creating new entries.


I reworked your patch a bit and merged it with my patch number 32, because they 
overlap in functionality.


See freeipa-devel thread: [PATCH] Check if attribute is single-value before 
trying to add values to it.


Pavel
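
The gap described in the NACK above, shown as an added example that is not part of the original post and is not FreeIPA code: a check that only fires for attributes the old entry already holds misses the two cases named in the message, while a check over the values the entry would end up with catches all three. Every name here (`SINGLE_VALUED`, `check_existing_only`, `check_final_entry`, the sample entries) is hypothetical and constructed for the illustration.

```python
# Added illustration; not FreeIPA code. All names below are hypothetical.

# Constructed stand-in for schema knowledge: attributes declared SINGLE-VALUE.
SINGLE_VALUED = {"ipasearchtimelimit", "uidnumber"}


class OnlyOneValueAllowed(Exception):
    """Raised when a single-valued attribute would end up with several values."""

    def __init__(self, attr):
        super().__init__("%s: attribute is single-value" % attr)
        self.attr = attr


def as_list(value):
    """Normalise None, a scalar, or a list/tuple to a list of values."""
    if value is None:
        return []
    if isinstance(value, (list, tuple)):
        return list(value)
    return [value]


def normalise(entry):
    """Lower-case attribute names (LDAP attribute names are case-insensitive)."""
    out = {}
    for attr, values in entry.items():
        out.setdefault(attr.lower(), []).extend(as_list(values))
    return out


def merge_additions(old_entry, additions):
    """Return the entry as it would look after the addattr-style additions."""
    merged = normalise(old_entry)
    for attr, values in normalise(additions).items():
        merged.setdefault(attr, []).extend(values)
    return merged


def check_existing_only(old_entry, additions):
    """Misplaced check: fires only for attributes the old entry already holds."""
    old = normalise(old_entry)
    for attr, values in normalise(additions).items():
        if attr in SINGLE_VALUED and old.get(attr) and values:
            raise OnlyOneValueAllowed(attr)


def check_final_entry(old_entry, additions):
    """Check the values the entry would end up with, whatever their origin."""
    for attr, values in merge_additions(old_entry, additions).items():
        if attr in SINGLE_VALUED and len(values) > 1:
            raise OnlyOneValueAllowed(attr)


def rejected(check, old_entry, additions):
    """True if the given check refuses the change."""
    try:
        check(old_entry, additions)
    except OnlyOneValueAllowed:
        return True
    return False


# Constructed cases: (old entry, values being added).
CASES = {
    "add to existing value": ({"uidNumber": ["1000"]}, {"uidNumber": ["1001"]}),
    "two values, none before": ({"cn": ["tuser1"]}, {"uidNumber": ["1000", "1001"]}),
    "new entry": ({}, {"cn": ["tuser1"], "uidNumber": ["1000", "1001"]}),
    "one value, none before": ({"cn": ["tuser1"]}, {"uidNumber": "1000"}),
}


def compare():
    """Map each case to (rejected by misplaced check, rejected by final check)."""
    return {
        name: (rejected(check_existing_only, old, adds),
               rejected(check_final_entry, old, adds))
        for name, (old, adds) in CASES.items()
    }


if __name__ == "__main__":
    for name, outcome in compare().items():
        print("%-26s existing-only=%s final=%s" % ((name,) + outcome))
```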



Re: [Freeipa-devel] [PATCH] 570 enforce max username length

2010-10-13 Thread Pavel Zuna

On 10/13/2010 03:46 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

On 10/11/2010 05:19 PM, Rob Crittenden wrote:

Enforce the configurable max username length from cn=ipaconfig.

rob



This will raise an exception if the ipaMaxUsernameLength attribute isn't
present in the config entry. I know it's not very likely, but it would
be better to retrieve the attribute first and only do the length check
if it is set.

Pavel


Ok, new patch attached. get_ipa_config() always returns a dict (unless
things really go south in which case missing this attribute is the least
of our problems).

rob


ACK.

Pavel



Re: [Freeipa-devel] [PATCH] 572 fix usage help of ipa-replica-install

2010-10-13 Thread Pavel Zuna

On 10/11/2010 07:07 PM, Rob Crittenden wrote:

Include REPLICA_FILE in usage for ipa-replica-install

ticket 247

rob



ACK.

Pavel



Re: [Freeipa-devel] [PATCH] 571 return non-zero on *-find when nothing is found

2010-10-13 Thread Pavel Zuna

On 10/11/2010 06:58 PM, Rob Crittenden wrote:

Return non-zero when the number of entries from *-find returned is zero.

ticket 325

rob



ACK.

Pavel



Re: [Freeipa-devel] [PATCH] 569 detect when DNS is not configured

2010-10-13 Thread Pavel Zuna

On 10/11/2010 04:55 PM, Rob Crittenden wrote:

Detect when DNS is not configured and return an error message when using
the command-line.

It would be nicer if we disabled the command altogether but this would
require checking the server to see every time the ipa command is
executed (which would be bad). We can't store this in a configuration
file because it is possible to add a DNS post-install (and it would
require adding this to every single client install).

ticket 147

rob



ACK.

Pavel



Re: [Freeipa-devel] [PATCH] 570 enforce max username length

2010-10-13 Thread Pavel Zuna

On 10/11/2010 05:19 PM, Rob Crittenden wrote:

Enforce the configurable max username length from cn=ipaconfig.

rob



This will raise an exception if the ipaMaxUsernameLength attribute isn't present 
in the config entry. I know it's not very likely, but it would be better to 
retrieve the attribute first and only do the length check if it is set.


Pavel



[Freeipa-devel] [PATCH] Check if attribute is single-value before trying to add values to it.

2010-10-13 Thread Pavel Zuna
This patch adds a check in ldap2 for single-value attributes. DS doesn't seem to 
care much about attributes being defined as SINGLE-VALUE except for things like 
uidNumber and gidNumber (I suspect this is handled by the DNA plugin).


Ticket #246

Pavel
>From 94681f66292904979227bbe2fed058ba9b1a23a4 Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Wed, 13 Oct 2010 12:40:51 -0400
Subject: [PATCH] Check if attribute is single-value before trying to add values to it.

Ticket #246
---
 ipalib/errors.py   |2 +-
 ipaserver/plugins/ldap2.py |   16 +++-
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/ipalib/errors.py b/ipalib/errors.py
index 42d43ce..fd96e57 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -1162,7 +1162,7 @@ class DatabaseError(ExecutionError):
 """
 
 errno = 4203
-format = _('%(desc)s:%(info)s')
+format = _('%(desc)s: %(info)s')
 
 
 class LimitsExceeded(ExecutionError):
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 2213df0..1c5a84f 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -690,13 +690,19 @@ class ldap2(CrudBackend, Encoder):
 adds = list(v.difference(old_v))
 rems = list(old_v.difference(v))
 
+is_single_value = False
+if self.schema:
+obj = self.schema.get_obj(_ldap.schema.AttributeType, k)
+is_single_value = obj and obj.single_value
+
+if is_single_value and len(adds) > 1 or len(adds) > len(rems):
+raise errors.DatabaseError(
+info='attribute is single-value', desc=k
+)
+
 force_replace = False
-if k in self._FORCE_REPLACE_ON_UPDATE_ATTRS:
+if k in self._FORCE_REPLACE_ON_UPDATE_ATTRS or is_single_value:
 force_replace = True
-elif self.schema:
-obj = self.schema.get_obj(_ldap.schema.AttributeType, k)
-if obj and obj.single_value:
-force_replace = True
 elif len(adds) == 1 and len(rems) == 1:
 force_replace = True
 
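Review bot: the new condition `if is_single_value and len(adds) > 1 or len(adds) > len(rems):` parses as `(is_single_value and len(adds) > 1) or (len(adds) > len(rems))` because `and` binds tighter than `or`, so the second half applies to every attribute: any update that adds more values than it removes, including a plain addition to a multi-valued attribute, raises "attribute is single-value". Parenthesise it as `is_single_value and (len(adds) > 1 or len(adds) > len(rems))` and add a test that adds a value to a multi-valued attribute. Also, `is_single_value = obj and obj.single_value` can end up as None rather than a bool when the schema has no entry for `k`; wrapping it in `bool(...)` makes the intent explicit.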
-- 
1.7.1.1


Re: [Freeipa-devel] [PATCH] Add flag to group-find to only search on private groups.

2010-10-12 Thread Pavel Zuna

On 10/01/2010 02:47 PM, Pavel Zuna wrote:

Ticket #251

Pavel




New version of patch attached. This time it should work. :) I renamed the flag 
from --privateonly to --private. Normal searches do not return private groups at 
all, while searches with this flag only return private groups.


Pavel
>From cabfcab3d53b4b7d51d5f3646c9747272e2ca965 Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Tue, 21 Sep 2010 13:03:40 -0400
Subject: [PATCH] Add flag to group-find to only search on private groups.

ticket #251
---
 ipalib/plugins/group.py   |   31 +++-
 tests/test_xmlrpc/test_user_plugin.py |   65 +++--
 2 files changed, 91 insertions(+), 5 deletions(-)

diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 9beef00..ff1fc99 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -187,7 +187,6 @@ class group_mod(LDAPUpdate):
 """
 Modify a group.
 """
-
 msg_summary = _('Modified group "%(value)s"')
 
 takes_options = LDAPUpdate.takes_options + (
@@ -217,11 +216,39 @@ class group_find(LDAPSearch):
 """
 Search for groups.
 """
-
 msg_summary = ngettext(
 '%(count)d group matched', '%(count)d groups matched', 0
 )
 
+takes_options = LDAPSearch.takes_options + (
+Flag('private',
+cli_name='private',
+doc=_('search for private groups'),
+),
+)
+
+def pre_callback(self, ldap, filter, attrs_list, base_dn, *args, **options):
+# if looking for private groups, we need to create a new search filter,
+# because private groups have different object classes
+if options['private']:
+# filter based on options, oflt
+search_kw = self.args_options_2_entry(**options)
+search_kw['objectclass'] = ['posixGroup', 'mepManagedEntry']
+oflt = ldap.make_filter(search_kw, rules=ldap.MATCH_ALL)
+
+# filter based on 'criteria' argument
+search_kw = {}
+config = ldap.get_ipa_config()[1]
+attrs = config.get(self.obj.search_attributes_config, [])
+if len(attrs) == 1 and isinstance(attrs[0], basestring):
+search_attrs = attrs[0].split(',')
+for a in search_attrs:
+search_kw[a] = args[-1]
+cflt = ldap.make_filter(search_kw, exact=False)
+
+filter = ldap.combine_filters((oflt, cflt), rules=ldap.MATCH_ALL)
+return filter
+
 api.register(group_find)
 
 
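Review bot: in `pre_callback`, `search_attrs` is assigned only inside `if len(attrs) == 1 and isinstance(attrs[0], basestring):`, but the `for a in search_attrs:` loop runs regardless, so when the config entry has no value for the search attributes (the `config.get(..., [])` fallback) or holds more than one, a `--private` search fails with a NameError. Initialise `search_attrs = []` before the `if` (or move the loop under it) and decide what the filter should be when no search attributes are available. Please also check what `args[-1]` holds when the search is run without a criteria argument, and add a test for that case.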
diff --git a/tests/test_xmlrpc/test_user_plugin.py b/tests/test_xmlrpc/test_user_plugin.py
index c6770b7..7d77131 100644
--- a/tests/test_xmlrpc/test_user_plugin.py
+++ b/tests/test_xmlrpc/test_user_plugin.py
@@ -30,6 +30,7 @@ from xmlrpc_test import Declarative, fuzzy_digits, fuzzy_uuid
 
 user_memberof = (u'cn=ipausers,cn=groups,cn=accounts,%s' % api.env.basedn,)
 user1=u'tuser1'
+user2=u'tuser2'
 
 invaliduser1=u'+tuser1'
 invaliduser2=u'tuser1234567890123456789012345678901234567890'
@@ -38,7 +39,7 @@ invaliduser2=u'tuser1234567890123456789012345678901234567890'
 class test_user(Declarative):
 
 cleanup_commands = [
-('user_del', [user1], {}),
+('user_del', [user1, user2], {}),
 ]
 
 tests = [
@@ -67,7 +68,7 @@ class test_user(Declarative):
 dict(
 desc='Create %r' % user1,
 command=(
-'user_add', [], dict(givenname=u'Test', sn=u'User1')
+'user_add', [user1], dict(givenname=u'Test', sn=u'User1')
 ),
 expected=dict(
 value=user1,
@@ -92,7 +93,7 @@ class test_user(Declarative):
 dict(
 desc='Try to create duplicate %r' % user1,
 command=(
-'user_add', [], dict(givenname=u'Test', sn=u'User1')
+'user_add', [user1], dict(givenname=u'Test', sn=u'User1')
 ),
 expected=errors.DuplicateEntry(),
 ),
@@ -318,6 +319,64 @@ class test_user(Declarative):
 
 
 dict(
+desc='Create %r' % user1,
+command=(
+'user_add', [user1], dict(givenname=u'Test', sn=u'User1')
+),
+expected=dict(
+value=user1,
+summary=u'Added user "tuser1"',
+result=dict(
+gecos=[user1],
+givenname=[u'Test'],
+homedirectory=[u'/home/tuser1'],
+ 

Re: [Freeipa-devel] [PATCH] 567 fix group deletion

2010-10-12 Thread Pavel Zuna

On 10/09/2010 04:47 AM, Rob Crittenden wrote:

Group deletion was failing with an error about too many values.

rob



ACK.

Pavel



[Freeipa-devel] [PATCH] Fix inconsistent error message when deleting groups that don't exist.

2010-10-06 Thread Pavel Zuna
The pre_callback in group_del was using a direct ldap2 call with no exception 
handling.


Ticket #292

Pavel
>From 60eb789c84f91c5911dec397c528fd8a2e21ef99 Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Wed, 6 Oct 2010 13:45:20 -0400
Subject: [PATCH] Fix inconsistent error message when deleting groups that don't exist.

Ticket #292
---
 ipalib/plugins/group.py |4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index fae6a28..9beef00 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -165,7 +165,9 @@ class group_del(LDAPDelete):
 def_primary_group_dn = group_dn = self.obj.get_dn(def_primary_group)
 if dn == def_primary_group_dn:
 raise errors.DefaultGroup()
-(group_dn, group_attrs) = ldap.get_entry(dn)
+(group_dn, group_attrs) = self.obj.methods.show(
+self.obj.get_primary_key_from_dn(dn)
+)
 if 'mepmanagedby' in group_attrs:
 raise errors.ManagedGroupError()
 return dn
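Review bot: the replacement still unpacks into `(group_dn, group_attrs)`, but `self.obj.methods.show(...)` is a command call rather than a backend call. The command results shown in the test hunks on this page are dicts with `result`, `value` and `summary` keys, and unpacking such a dict into two names either raises or binds key names instead of the entry, in which case the `'mepmanagedby' in group_attrs` guard that protects managed groups no longer inspects the entry. Please confirm what `show` returns here and read the attributes from its result, and add tests for deleting a nonexistent group and for deleting a managed (private) group.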
-- 
1.7.1.1


[Freeipa-devel] [PATCH] Fix attribute callbacks on details pages in the webUI.

2010-10-06 Thread Pavel Zuna

Fixes bug reported by Adam in internal discussion.

Ticket #326

Pavel
>From 4ca5f618913d780e018e37e03b159201bffb9996 Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Wed, 6 Oct 2010 12:01:02 -0400
Subject: [PATCH] Fix attribute callbacks on details pages in the webUI.

Ticket #326
---
 install/static/details.js |   20 
 1 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/install/static/details.js b/install/static/details.js
index f16dc36..99666b1 100644
--- a/install/static/details.js
+++ b/install/static/details.js
@@ -79,19 +79,23 @@ function ipa_generate_dl(jobj, id, name, dts)
 
 for (var i = 0; i < dts.length; ++i) {
 var label = '';
-if (dts[i][0].indexOf('call_') != 0) {
-var param_info = ipa_get_param_info(obj_name, dts[i][0]);
-if (param_info)
-label = param_info['label'];
-}
+var param_info = ipa_get_param_info(obj_name, dts[i][0]);
+if (param_info)
+label = param_info['label'];
 if ((!label) && (dts[i].length > 1))
 label = dts[i][1];
+
+var title = dts[i][0];
+if (typeof dts[i][2] == 'function')
+title = 'call_' + dts[i][2].name;
 dl.append(
-$('',{
-title:dts[i][0],
-html:label+":"})
+$('', {
+title: title,
+html: label + ':',
+})
 );
 }
+
 parent.append(dl);
 parent.append('');
 }
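Review bot: `title = 'call_' + dts[i][2].name` depends on the function's `name` property, which is empty for anonymous function expressions and is not available in every browser, so the title can come out as just `call_` or `call_undefined` and any code that later keys off the `call_` title will not find the callback. Pass the callback's name explicitly in `dts` (or keep a map from attribute to function) instead of deriving it from `.name`. The trailing comma after `html: label + ':',` also breaks object-literal parsing in older Internet Explorer, and since `label` is inserted through `html:`, use `text:` unless markup in labels is intended.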
-- 
1.7.1.1


Re: [Freeipa-devel] [PATCH] Add 'continuous' mode to LDAPDelete. Fix *-del unit tests.

2010-10-06 Thread Pavel Zuna

On 10/06/2010 03:37 AM, Rob Crittenden wrote:

Pavel Zuna wrote:

All LDAPMultiQuery sub-classes (currently only LDAPDelete) now have the
--continuous flag (off by default). The flag should indicate that the
command shouldn't stop on errors and continue operation with the next
primary key on the arguments lists.

This effectively fixes *-del unit tests, because continuous mode is off
by default. (It was on before this patch and there was no option to turn
it off.)

Ticket #321

Pavel


The migration plugin and pending automount plugin patch already define
an attribute for continuous operation though it is named continue
instead. We should pick one and be consistent. I like continue because
it's easier to type.

rob


Fixed version attached.

Pavel
>From d8bc23e86458e91616b7ab2ed9cd26983cecc24c Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Tue, 5 Oct 2010 14:34:47 -0400
Subject: [PATCH 2/3] Add 'continuous' mode to LDAPDelete. Fix *-del unit tests.

Ticket #321
---
 ipalib/plugins/baseldap.py |9 +
 1 files changed, 9 insertions(+), 0 deletions(-)

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 42d9017..2335a7a 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -353,6 +353,13 @@ class LDAPMultiQuery(LDAPQuery):
 """
 Base class for commands that need to retrieve one or more existing entries.
 """
+takes_options = (
+Flag('continue',
+cli_name='continue',
+doc=_('Continuous mode: Don\'t stop on errors.'),
+),
+)
+
 def get_args(self):
 for key in self.obj.get_ancestor_primary_keys():
 yield key
@@ -594,6 +601,8 @@ class LDAPDelete(LDAPMultiQuery):
 if not delete_entry(pkey):
 result = False
 except errors.ExecutionError:
+if not options.get('continuous', False):
+raise
 failed.append(pkey)
 else:
 deleted.append(pkey)
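Review bot: the flag is declared as `Flag('continue', ...)` in the first hunk, but this handler reads `options.get('continuous', False)`. That key is never set, so the lookup always returns False and the error is always re-raised, which makes `--continue` a no-op. Read `options.get('continue', False)` instead, and add a test that deletes one existing and one nonexistent key with the flag set and checks the `failed` list.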
-- 
1.7.1.1


Re: [Freeipa-devel] [PATCH] Generate additional positional arguments for baseldap commands from takes_args.

2010-10-06 Thread Pavel Zuna

On 10/06/2010 03:35 AM, Rob Crittenden wrote:

Pavel Zuna wrote:

takes_args defined in a baseldap subclass is now transformed into
positional arguments that go after primary keys. Before this patch,
takes_args in crud subclasses were ignored.

example:

--- snip ---

class user_something(LDAPRetrieve):
    takes_args = (
        Str('randomarg'),
    )

--- snip ---

# ipa help something
Usage: ipa [global-options] user-something LOGIN RANDOMARG


Pavel


Nack, this breaks the pwpolicy plugin tests (though I'm not 100% sure
why). pwpolicy-del defines its own get_args(). I'm guessing it is
failing because the local get_args returns a string and the multivalue
stuff is expecting a list so pulling the string apart one character at a
time. If you run pwpolicy-del testpolicy it will fail with a not found
on 't' policy.

I think simply removing the get_args() from pwpolicy will fix it:

rob


Fixed version attached.

Pavel
>From dca00ce6a586ee91a0518e3473c49223f8e7cdf3 Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Tue, 5 Oct 2010 14:33:27 -0400
Subject: [PATCH 1/3] Generate additional positional arguments for baseldap commands from takes_args.

---
 ipalib/plugins/baseldap.py |8 
 ipalib/plugins/pwpolicy.py |4 +++-
 2 files changed, 11 insertions(+), 1 deletions(-)

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index f6b98e2..42d9017 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -240,6 +240,8 @@ class LDAPCreate(CallbackInterface, crud.Create):
 yield key
 if self.obj.primary_key:
 yield self.obj.primary_key.clone(attribute=True)
+for arg in super(crud.Create, self).get_args():
+yield arg
 
 def execute(self, *keys, **options):
 ldap = self.obj.backend
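Review bot: `super(crud.Create, self).get_args()` starts the lookup after `crud.Create` in the MRO and so skips `crud.Create.get_args`, which is easy to misread as a typo for `super(LDAPCreate, self)`. Add a comment saying the skip is intentional and why (presumably so the primary key is not yielded a second time; that is an assumption, please state the real reason), and add a test with a subclass that defines `takes_args`, like the `user_something` example in the message, asserting the order of the generated arguments.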
@@ -343,6 +345,8 @@ class LDAPQuery(CallbackInterface, crud.PKQuery):
 yield key
 if self.obj.primary_key:
 yield self.obj.primary_key.clone(attribute=True, query=True)
+for arg in super(crud.PKQuery, self).get_args():
+yield arg
 
 
 class LDAPMultiQuery(LDAPQuery):
@@ -356,6 +360,8 @@ class LDAPMultiQuery(LDAPQuery):
 yield self.obj.primary_key.clone(
 attribute=True, query=True, multivalue=True
 )
+for arg in super(crud.PKQuery, self).get_args():
+yield arg
 
 
 class LDAPRetrieve(LDAPQuery):
@@ -881,6 +887,8 @@ class LDAPSearch(CallbackInterface, crud.Search):
 for key in self.obj.get_ancestor_primary_keys():
 yield key
 yield Str('criteria?')
+for arg in super(crud.Search, self).get_args():
+yield arg
 
 def get_options(self):
 for option in super(LDAPSearch, self).get_options():
diff --git a/ipalib/plugins/pwpolicy.py b/ipalib/plugins/pwpolicy.py
index dbbb471..cbfbf80 100644
--- a/ipalib/plugins/pwpolicy.py
+++ b/ipalib/plugins/pwpolicy.py
@@ -300,7 +300,9 @@ class pwpolicy_del(LDAPDelete):
 Delete a group password policy.
 """
 def get_args(self):
-yield self.obj.primary_key.clone(attribute=True, required=True)
+yield self.obj.primary_key.clone(
+attribute=True, required=True, multivalue=True
+)
 
 def post_callback(self, ldap, dn, *keys, **options):
 try:
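Review bot: `pwpolicy_del.get_args` stays as an override and only gains `multivalue=True`, so unlike the `get_args` implementations changed in baseldap.py it does not yield any `takes_args`, and it now repeats most of what `LDAPMultiQuery.get_args` builds, differing in `required=True` and the absent `query=True`. The review suggested dropping the override; if it has to stay, add a comment saying why and yield the `super(...)` arguments as the other hunks do, plus a regression test for `pwpolicy-del testpolicy`.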
-- 
1.7.1.1


Re: [Freeipa-devel] [PATCH] Rename user-lock and user-unlock to user-enable user-disable.

2010-10-06 Thread Pavel Zuna

On 10/05/2010 06:07 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

Also fixes related unit tests and therefore depends on my patch number
28.

Ticket #165

Pavel


This looks ok but you need to update the examples in the top help block
too:

Lock a user account:
ipa user-lock tuser1

Unlock a user account:
ipa user-unlock tuser1

Fix those and you have an ack.

rob


Fixed version attached.

Pavel
>From 013384a8804859be9f56e9494dee953cc020fbb7 Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Tue, 5 Oct 2010 15:37:37 -0400
Subject: [PATCH 3/3] Rename user-lock and user-unlock to user-enable user-disable.

Ticket #165
---
 ipalib/plugins/user.py|   24 
 tests/test_xmlrpc/test_user_plugin.py |   12 ++--
 2 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 0746553..a6e6b5d 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -37,11 +37,11 @@ EXAMPLES:
  Find all users with "Tim" as the first name:
ipa user-find --first=Tim
 
- Lock a user account:
-   ipa user-lock tuser1
+ Disable a user account:
+   ipa user-disable tuser1
 
- Unlock a user account:
-   ipa user-unlock tuser1
+ Enable a user account:
+   ipa user-enable tuser1
 
  Delete a user:
ipa user-del tuser1
@@ -274,13 +274,13 @@ class user_show(LDAPRetrieve):
 api.register(user_show)
 
 
-class user_lock(LDAPQuery):
+class user_disable(LDAPQuery):
 """
-Lock a user account.
+Disable user account.
 """
 
 has_output = output.standard_value
-msg_summary = _('Locked user "%(value)s"')
+msg_summary = _('Disabled user account "%(value)s"')
 
 def execute(self, *keys, **options):
 ldap = self.obj.backend
@@ -297,16 +297,16 @@ class user_lock(LDAPQuery):
 value=keys[0],
 )
 
-api.register(user_lock)
+api.register(user_disable)
 
 
-class user_unlock(LDAPQuery):
+class user_enable(LDAPQuery):
 """
-Unlock a user account.
+Enable user account.
 """
 
 has_output = output.standard_value
-msg_summary = _('Unlocked user "%(value)s"')
+msg_summary = _('Enabled user account "%(value)s"')
 
 def execute(self, *keys, **options):
 ldap = self.obj.backend
@@ -323,4 +323,4 @@ class user_unlock(LDAPQuery):
 value=keys[0],
 )
 
-api.register(user_unlock)
+api.register(user_enable)
diff --git a/tests/test_xmlrpc/test_user_plugin.py b/tests/test_xmlrpc/test_user_plugin.py
index 1850dc1..7d77131 100644
--- a/tests/test_xmlrpc/test_user_plugin.py
+++ b/tests/test_xmlrpc/test_user_plugin.py
@@ -235,27 +235,27 @@ class test_user(Declarative):
 
 
 dict(
-desc='Lock %r' % user1,
+desc='Disable %r' % user1,
 command=(
-'user_lock', [user1], {}
+'user_disable', [user1], {}
 ),
 expected=dict(
 result=True,
 value=user1,
-summary=u'Locked user "tuser1"',
+summary=u'Disabled user account "tuser1"',
 ),
 ),
 
 
 dict(
-desc='Unlock %r'  % user1,
+desc='Enable %r'  % user1,
 command=(
-'user_unlock', [user1], {}
+'user_enable', [user1], {}
 ),
 expected=dict(
 result=True,
 value=user1,
-summary=u'Unlocked user "tuser1"',
+summary=u'Enabled user account "tuser1"',
 ),
 ),
 
-- 
1.7.1.1


Re: [Freeipa-devel] [PATCH] Add 'continuous' mode to LDAPDelete. Fix *-del unit tests.

2010-10-05 Thread Pavel Zuna

On 10/05/2010 04:47 PM, Pavel Zuna wrote:

All LDAPMultiQuery sub-classes (currently only LDAPDelete) now have the
--continuous flag (off by default). The flag should indicate that the
command shouldn't stop on errors and continue operation with the next
primary key on the arguments lists.

This effectively fixes *-del unit tests, because continuous mode is off
by default. (It was on before this patch and there was no option to turn
it off.)

Ticket #321

Pavel


I forgot to mention that this depends on my patch number 27, because they modify 
the same file (baseldap.py).


Pavel



[Freeipa-devel] [PATCH] Rename user-lock and user-unlock to user-enable user-disable.

2010-10-05 Thread Pavel Zuna

Also fixes related unit tests and therefore depends on my patch number 28.

Ticket #165

Pavel
>From 9ead34195c3ef1b3be9f9c57ba54fd2849215ab0 Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Tue, 5 Oct 2010 15:37:37 -0400
Subject: [PATCH] Rename user-lock and user-unlock to user-enable user-disable.

Ticket #165
---
 ipalib/plugins/user.py|   16 
 tests/test_xmlrpc/test_user_plugin.py |   12 ++--
 2 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 0746553..daa5cc4 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -274,13 +274,13 @@ class user_show(LDAPRetrieve):
 api.register(user_show)
 
 
-class user_lock(LDAPQuery):
+class user_disable(LDAPQuery):
 """
-Lock a user account.
+Disable user account.
 """
 
 has_output = output.standard_value
-msg_summary = _('Locked user "%(value)s"')
+msg_summary = _('Disabled user account "%(value)s"')
 
 def execute(self, *keys, **options):
 ldap = self.obj.backend
@@ -297,16 +297,16 @@ class user_lock(LDAPQuery):
 value=keys[0],
 )
 
-api.register(user_lock)
+api.register(user_disable)
 
 
-class user_unlock(LDAPQuery):
+class user_enable(LDAPQuery):
 """
-Unlock a user account.
+Enable user account.
 """
 
 has_output = output.standard_value
-msg_summary = _('Unlocked user "%(value)s"')
+msg_summary = _('Enabled user account "%(value)s"')
 
 def execute(self, *keys, **options):
 ldap = self.obj.backend
@@ -323,4 +323,4 @@ class user_unlock(LDAPQuery):
 value=keys[0],
 )
 
-api.register(user_unlock)
+api.register(user_enable)
diff --git a/tests/test_xmlrpc/test_user_plugin.py b/tests/test_xmlrpc/test_user_plugin.py
index 1850dc1..7d77131 100644
--- a/tests/test_xmlrpc/test_user_plugin.py
+++ b/tests/test_xmlrpc/test_user_plugin.py
@@ -235,27 +235,27 @@ class test_user(Declarative):
 
 
 dict(
-desc='Lock %r' % user1,
+desc='Disable %r' % user1,
 command=(
-'user_lock', [user1], {}
+'user_disable', [user1], {}
 ),
 expected=dict(
 result=True,
 value=user1,
-summary=u'Locked user "tuser1"',
+summary=u'Disabled user account "tuser1"',
 ),
 ),
 
 
 dict(
-desc='Unlock %r'  % user1,
+desc='Enable %r'  % user1,
 command=(
-'user_unlock', [user1], {}
+'user_enable', [user1], {}
 ),
 expected=dict(
 result=True,
 value=user1,
-summary=u'Unlocked user "tuser1"',
+summary=u'Enabled user account "tuser1"',
 ),
 ),
 
-- 
1.7.1.1


[Freeipa-devel] [PATCH] Add 'continuous' mode to LDAPDelete. Fix *-del unit tests.

2010-10-05 Thread Pavel Zuna
All LDAPMultiQuery sub-classes (currently only LDAPDelete) now have the 
--continuous flag (off by default). The flag should indicate that the command 
shouldn't stop on errors and continue operation with the next primary key on the 
arguments lists.


This effectively fixes *-del unit tests, because continuous mode is off by 
default. (It was on before this patch and there was no option to turn it off.)


Ticket #321

Pavel
>From 3c6ad32fd6da79207184c6fbc1fca2126e20f7bd Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Tue, 5 Oct 2010 14:34:47 -0400
Subject: [PATCH 2/2] Add 'continuous' mode to LDAPDelete. Fix *-del unit tests.

Ticket #321
---
 ipalib/plugins/baseldap.py |9 +
 1 files changed, 9 insertions(+), 0 deletions(-)

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 42d9017..a4dff46 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -353,6 +353,13 @@ class LDAPMultiQuery(LDAPQuery):
 """
 Base class for commands that need to retrieve one or more existing entries.
 """
+takes_options = (
+Flag('continuous',
+cli_name='continuous',
+doc=_('Continuous mode: Don\'t stop on errors.'),
+),
+)
+
 def get_args(self):
 for key in self.obj.get_ancestor_primary_keys():
 yield key
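Review bot: `takes_options` on LDAPMultiQuery is assigned a fresh tuple instead of extending what the parent declares, so a subclass that sets its own `takes_options` without concatenating `LDAPMultiQuery.takes_options` silently loses the `continuous` flag, and because LDAPDelete reads it with `options.get('continuous', False)` nothing will complain. Build the tuple as `LDAPQuery.takes_options + (...)` and document that subclasses must extend it the same way. Style: `_("Continuous mode: Don't stop on errors.")` avoids the escaped apostrophe.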
@@ -594,6 +601,8 @@ class LDAPDelete(LDAPMultiQuery):
 if not delete_entry(pkey):
 result = False
 except errors.ExecutionError:
+if not options.get('continuous', False):
+raise
 failed.append(pkey)
 else:
 deleted.append(pkey)
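Review bot: the bare `raise` added under `except errors.ExecutionError` aborts the loop after earlier keys may already have been appended to `deleted`, so in the default (non-continuous) mode the caller gets an exception with no record of which entries were removed before the failure. Either document that a failed multi-key delete can be partial, or log or attach the `deleted` list before re-raising so an administrator can tell what state the directory is in. A unit test that deletes one existing and one missing key in both modes would pin the behaviour down.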
-- 
1.7.1.1


[Freeipa-devel] [PATCH] Generate additional positional arguments for baseldap commands from takes_args.

2010-10-05 Thread Pavel Zuna
takes_args defined in a baseldap subclass is now transformed into positional 
arguments that go after primary keys. Before this patch, takes_args in crud 
subclasses were ignored.


example:

--- snip ---

class user_something(LDAPRetrieve):
    takes_args = (
        Str('randomarg'),
    )

--- snip ---

# ipa help something
Usage: ipa [global-options] user-something LOGIN RANDOMARG


Pavel
>From b67b9f355a31278656285fb2082696b008cf41ef Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Tue, 5 Oct 2010 14:33:27 -0400
Subject: [PATCH 1/2] Generate additional positional arguments for baseldap commands from takes_args.

---
 ipalib/plugins/baseldap.py |8 
 1 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index f6b98e2..42d9017 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -240,6 +240,8 @@ class LDAPCreate(CallbackInterface, crud.Create):
 yield key
 if self.obj.primary_key:
 yield self.obj.primary_key.clone(attribute=True)
+for arg in super(crud.Create, self).get_args():
+yield arg
 
 def execute(self, *keys, **options):
 ldap = self.obj.backend
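Review bot: `super(crud.Create, self).get_args()` names crud.Create rather than LDAPCreate as the starting class, which skips crud.Create's own get_args in the MRO. That looks deliberate, since the primary key is already yielded two lines above, but it reads like a typo; add a comment explaining why the lookup starts past crud.Create. The diffstat lists only baseldap.py, so the new behaviour has no test; a small command with a `takes_args` tuple and an assertion on its argument order would cover all four hunks.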
@@ -343,6 +345,8 @@ class LDAPQuery(CallbackInterface, crud.PKQuery):
 yield key
 if self.obj.primary_key:
 yield self.obj.primary_key.clone(attribute=True, query=True)
+for arg in super(crud.PKQuery, self).get_args():
+yield arg
 
 
 class LDAPMultiQuery(LDAPQuery):
@@ -356,6 +360,8 @@ class LDAPMultiQuery(LDAPQuery):
 yield self.obj.primary_key.clone(
 attribute=True, query=True, multivalue=True
 )
+for arg in super(crud.PKQuery, self).get_args():
+yield arg
 
 
 class LDAPRetrieve(LDAPQuery):
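Review bot: in LDAPMultiQuery.get_args the new loop yields the extra positionals after a primary key cloned with `multivalue=True`, so on the command line there is no way to tell where the list of keys ends and the first takes_args value begins. Either reject takes_args on LDAPMultiQuery subclasses or state in the docstring how the two are meant to be separated.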
@@ -881,6 +887,8 @@ class LDAPSearch(CallbackInterface, crud.Search):
 for key in self.obj.get_ancestor_primary_keys():
 yield key
 yield Str('criteria?')
+for arg in super(crud.Search, self).get_args():
+yield arg
 
 def get_options(self):
 for option in super(LDAPSearch, self).get_options():
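Review bot: in LDAPSearch.get_args the takes_args values are yielded after `Str('criteria?')`, which is an optional positional, so a required argument coming from takes_args would follow an optional one and a single value on the command line becomes ambiguous between the criteria and the new argument. Yield the takes_args entries before `criteria?`, or require that takes_args on a search command are themselves optional.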
-- 
1.7.1.1


[Freeipa-devel] [PATCH] Add flag to group-find to only search on private groups.

2010-10-01 Thread Pavel Zuna

Ticket #251

Pavel
>From 1bb54788dca503a7b6e25e2fc13a8852174a3827 Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Tue, 21 Sep 2010 13:03:40 -0400
Subject: [PATCH 1/3] Add flag to group-find to only search on private groups.

Ticket #251
---
 ipalib/plugins/group.py |   16 ++--
 1 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 616eff2..b3b6747 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -184,7 +184,6 @@ class group_mod(LDAPUpdate):
 """
 Modify a group.
 """
-
 msg_summary = _('Modified group "%(value)s"')
 
 takes_options = LDAPUpdate.takes_options + (
@@ -214,11 +213,24 @@ class group_find(LDAPSearch):
 """
 Search for groups.
 """
-
 msg_summary = ngettext(
 '%(count)d group matched', '%(count)d groups matched', 0
 )
 
+takes_options = LDAPSearch.takes_options + (
+Flag('privateonly',
+cli_name='privateonly',
+doc=_('search for private groups only'),
+),
+)
+
+def pre_callback(self, ldap, filter, attrs_list, base_dn, *args, **options):
+if options['privateonly']:
+objclass = ['posixGroup', 'mepManagedEntry']
+flt = ldap.make_filter_from_attr('objectclass', objclass)
+filter = ldap.combine_filters([filter, flt], ldap.MATCH_ALL)
+return filter
+
 api.register(group_find)
 
 
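Review bot: `ldap.make_filter_from_attr('objectclass', objclass)` in pre_callback is called with a two-element list and no match rule, while the next line passes `ldap.MATCH_ALL` to combine_filters explicitly. Please confirm that the two object classes are ANDed; if the list is ORed by default, the posixGroup term alone matches every POSIX group and --privateonly filters nothing. Stating the match rule explicitly for the object class filter would settle it. Also, `options['privateonly']` raises KeyError when the key is absent; `options.get('privateonly', False)` is safer for callers that go through the API directly. No test is included for the new flag.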
-- 
1.7.1.1


[Freeipa-devel] [PATCH] Add Delete capabilities to Search facet in the WebUI.

2010-10-01 Thread Pavel Zuna
This depends on my patch number 25! It should apply without it, but deleting 
entries won't work properly.


Ticket #206

Pavel
>From 1b99aa86c0faddfa8253c97745a090410313269b Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Fri, 1 Oct 2010 12:40:30 -0400
Subject: [PATCH 3/3] Add Delete capabilities to Search facet in the WebUI.

Ticket #206
---
 install/static/search.js   |  103 +++-
 ipalib/plugins/internal.py |8 +++-
 2 files changed, 107 insertions(+), 4 deletions(-)

diff --git a/install/static/search.js b/install/static/search.js
index 59caf71..e97632b 100644
--- a/install/static/search.js
+++ b/install/static/search.js
@@ -34,6 +34,52 @@ function search_create(obj_name, scl, container)
 $.bbq.pushState(state);
 };
 
+function delete_on_click() {
+var delete_list = [];
+var delete_dialog = $('', {
+title: ipa_messages.button.delete,
+'class': 'search-dialog-delete',
+});
+
+function delete_on_click() {
+ipa_cmd('del', delete_list, {}, delete_on_win, null, obj_name);
+delete_dialog.dialog('close');
+};
+
+function delete_on_win() {
+for (var i = 0; i < delete_list.length; ++i) {
+var chk = container.find(
+'.search-selector[title=' + delete_list[i] + ']'
+);
+if (chk)
+chk.closest('tr').remove();
+}
+};
+
+function cancel_on_click() {
+delete_dialog.dialog('close');
+};
+
+container.find('.search-selector').each(function () {
+var jobj = $(this);
+if (jobj.attr('checked'))
+delete_list.push(jobj.attr('title'));
+});
+
+if (delete_list.length == 0)
+return;
+
+delete_dialog.text(ipa_messages.search.delete_confirm);
+
+delete_dialog.dialog({
+modal: true,
+buttons: {
+'Delete': delete_on_click,
+'Cancel': cancel_on_click,
+},
+});
+};
+
 if (!container) {
 alert('ERROR: search_create: Second argument "container" missing!');
 return;
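Review bot: in delete_on_win the selector `'.search-selector[title=' + delete_list[i] + ']'` is built by concatenating the primary key value unquoted and unescaped, so a key containing a space, quote or bracket produces an invalid or wrong selector and the row is not removed, or a different row is. Compare values instead of building a selector, for example by filtering the `.search-selector` checkboxes on `$(this).attr('title') === delete_list[i]`. In the same function `if (chk)` is always true because a jQuery object is truthy even when it matches nothing; test `chk.length`. The inner `delete_on_click` also shadows the outer function of the same name, and the 'Delete' and 'Cancel' button labels are hardcoded while the dialog title and text come from ipa_messages.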
@@ -50,6 +96,8 @@ function search_create(obj_name, scl, container)
 jobj.children().last().attr('name', 'search-' + obj_name + '-filter')
 jobj.append('');
 jobj.children().last().click(find_on_click);
+jobj.append('');
+jobj.children().last().click(delete_on_click);
 div.append('');
 
 var search_results = $('', {
@@ -65,12 +113,45 @@ function search_create(obj_name, scl, container)
 search_table.append('');
 
 var tr = search_table.find('tr');
+search_insert_checkbox_th(tr);
 for (var i = 0; i < scl.length; ++i) {
 var c = scl[i];
 search_insert_th(tr, obj_name, c[0], c[1], c[2]);
 }
 }
 
+function search_insert_checkbox_th(jobj)
+{
+function select_all_on_click() {
+var jobj = $(this);
+
+var checked = null;
+if (jobj.attr('checked')) {
+checked = true;
+jobj.attr('title', 'Unselect All');
+} else {
+checked = false;
+jobj.attr('title', 'Select All');
+}
+jobj.attr('checked', checked);
+
+var chks = jobj.closest('.search-container').find('.search-selector');
+for (var i = 0; i < chks.length; ++i)
+chks[i].checked = checked;
+};
+
+var checkbox = $('', {
+type: 'checkbox',
+title: 'Select All',
+});
+checkbox.click(select_all_on_click);
+
+var th = $('');
+th.append(checkbox);
+
+jobj.append(th);
+}
+
 var _search_th_template = 'N';
 
 function search_insert_th(jobj, obj_name, attr, name, render_call)
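Review bot: the 'Select All' and 'Unselect All' titles in search_insert_checkbox_th are hardcoded English strings, while the delete dialog added earlier in this patch takes its text from ipa_messages; route these through ipa_messages as well so they can be translated. In select_all_on_click, `jobj.attr('checked', checked)` writes back the value that was just read from the same attribute and can be dropped.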
@@ -119,11 +200,16 @@ function search_load(jobj, criteria, on_win, on_fail)
 
 function search_generate_tr(thead, tbody, entry_attrs)
 {
+var obj_name = tbody.closest('.search-container').attr('title');
+var pkey = ipa_objs[obj_name].primary_key;
+var pkey_value = entry_attrs[pkey];
+
 tbody.append('');
 var tr = tbody.children().last();
+search_generate_checkbox_td(tr, pkey_value);
 
 var ths = thead.find('th');
-for (var i = 0; i < ths.length; ++i) {
+for (var i = 1; i < ths.length; ++i) {
 var jobj = $(ths[i]);
 var attr = jobj.attr('abbr');
 var value = entry_attrs[attr];
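Review bot: starting the loop at `i = 1` in search_generate_tr hard-codes the assumption that the first th is always the checkbox column added by search_insert_checkbox_th, so any later change to the header order silently shifts every cell. Skip header cells that have no `abbr` attribute instead of relying on the index. `pkey_value = entry_attrs[pkey]` is also passed on without a check; if the entry lacks the primary key attribute the checkbox gets an undefined title and the row can never be selected for deletion.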
@@ -137,7 +223,6 @@ function search_generate_tr(thead, tbody, entry

[Freeipa-devel] [PATCH] Add LDAPMultiQuery base class and make it the base of LDAPDelete

2010-10-01 Thread Pavel Zuna
In other words: make *-del commands accept 1 or more primary keys of entries to 
be deleted. We can now delete more entries at a time with a single command.


Ticket #20

Pavel
>From 1aabeb75114ef01ec23044031664f82ed0364825 Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Fri, 1 Oct 2010 12:35:27 -0400
Subject: [PATCH 2/3] Add LDAPMultiQuery base class and make it the base of LDAPDelete.

In other words: make *-del commands accept 1 or more primary keys
of entries to be deleted.

Ticket #20
---
 ipalib/plugins/baseldap.py |   98 +---
 1 files changed, 65 insertions(+), 33 deletions(-)

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 1757a45..f6b98e2 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -345,6 +345,19 @@ class LDAPQuery(CallbackInterface, crud.PKQuery):
 yield self.obj.primary_key.clone(attribute=True, query=True)
 
 
+class LDAPMultiQuery(LDAPQuery):
+"""
+Base class for commands that need to retrieve one or more existing entries.
+"""
+def get_args(self):
+for key in self.obj.get_ancestor_primary_keys():
+yield key
+if self.obj.primary_key:
+yield self.obj.primary_key.clone(
+attribute=True, query=True, multivalue=True
+)
+
+
 class LDAPRetrieve(LDAPQuery):
 """
 Retrieve an LDAP entry.
@@ -512,7 +525,7 @@ class LDAPUpdate(LDAPQuery, crud.Update):
 raise exc
 
 
-class LDAPDelete(LDAPQuery):
+class LDAPDelete(LDAPMultiQuery):
 """
 Delete an LDAP entry and all of its direct subentries.
 """
@@ -521,47 +534,66 @@ class LDAPDelete(LDAPQuery):
 def execute(self, *keys, **options):
 ldap = self.obj.backend
 
-dn = self.obj.get_dn(*keys, **options)
+def delete_entry(pkey):
+nkeys = keys[:-1] + (pkey, )
+dn = self.obj.get_dn(*nkeys, **options)
 
-for callback in self.PRE_CALLBACKS:
-if hasattr(callback, 'im_self'):
-dn = callback(ldap, dn, *keys, **options)
-else:
-dn = callback(self, ldap, dn, *keys, **options)
+for callback in self.PRE_CALLBACKS:
+if hasattr(callback, 'im_self'):
+dn = callback(ldap, dn, *nkeys, **options)
+else:
+dn = callback(self, ldap, dn, *nkeys, **options)
 
-def delete_subtree(base_dn):
-truncated = True
-while truncated:
+def delete_subtree(base_dn):
+truncated = True
+while truncated:
+try:
+(subentries, truncated) = ldap.find_entries(
+None, [''], base_dn, ldap.SCOPE_ONELEVEL
+)
+except errors.NotFound:
+break
+else:
+for (dn_, entry_attrs) in subentries:
+delete_subtree(dn_)
 try:
-(subentries, truncated) = ldap.find_entries(
-None, [''], base_dn, ldap.SCOPE_ONELEVEL
-)
-except errors.NotFound:
-break
+ldap.delete_entry(base_dn, normalize=self.obj.normalize_dn)
+except errors.ExecutionError, e:
+try:
+self._call_exc_callbacks(
+nkeys, options, e, ldap.delete_entry, base_dn,
+normalize=self.obj.normalize_dn
+)
+except errors.NotFound:
+self.obj.handle_not_found(*nkeys)
+
+delete_subtree(dn)
+
+for callback in self.POST_CALLBACKS:
+if hasattr(callback, 'im_self'):
+result = callback(ldap, dn, *nkeys, **options)
 else:
-for (dn_, entry_attrs) in subentries:
-delete_subtree(dn_)
-try:
-ldap.delete_entry(base_dn, normalize=self.obj.normalize_dn)
-except errors.ExecutionError, e:
-try:
-self._call_exc_callbacks(
-keys, options, e, ldap.delete_entry, base_dn,
-normalize=self.obj.normalize_dn
-)
-except errors.NotFound:
-self.obj.handle_not_found(*keys)
+result = callback(self, ldap, dn, *nkeys, **options)
 
-delete_subtree(dn)
+return result
 
-for callback in self.POST_CALLBACKS:
-if hasattr(callback, 'im_self'):
-result = callback(ldap, dn, *
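Review bot: inside the new delete_entry, as far as the flattened indentation shows, `result` is assigned only in the `for callback in self.POST_CALLBACKS` loop, so `return result` fails with an unbound local when no post callback is registered; initialise `result = True` before the loop. `nkeys = keys[:-1] + (pkey, )` also assumes the multivalue primary key is always the last positional argument, which deserves a comment because only get_args guarantees it. Separately, `self.obj.handle_not_found(*nkeys)` inside delete_subtree is reached for subentries too, so a missing child would be reported under the parent's key.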

Re: [Freeipa-devel] [PATCH] Modal dialog for enrollment

2010-09-23 Thread Pavel Zuna

On 09/23/2010 01:04 AM, Endi Sukma Dewata wrote:

Hi,

Please review the attached patch. Thanks!

The enroll facet has been converted into a dialog box. This dialog
box will appear when the user clicks the enroll button above the
association list. When the user clicks the enroll button in the
dialog box, the new associations will be created, then the list will
be refreshed to show the changes.

The SerialAssociator and BulkAssociator have been modified to accept
an on_success function which will be called when the whole operation
is completed successfully. This is used to refresh the list and close
the dialog box appropriately.

Some other changes were also made to improve code clarity.

--
Endi S. Dewata



ACK.

Pavel



Re: [Freeipa-devel] [PATCH] admiyo-freeipa-0036-links-and-facet-icons.patch

2010-09-20 Thread Pavel Zuna

On 09/18/2010 02:36 AM, Adam Young wrote:

This patch makes use of the previous patch to put the icons in the
facets and quick links



It looks OK, but I can't test it because the required patch 30 doesn't apply 
for me.

Pavel



Re: [Freeipa-devel] [PATCH] admiyo-freeipa-0030-moved-images-up.patch

2010-09-20 Thread Pavel Zuna

On 09/17/2010 04:38 PM, Adam Young wrote:

moved images up
Adding an 'images' subdir was proliferating changes throughout the build
system
this seemed easier

Submitted as a separate patch to signify where we are departing from
what is generated by theme-roller



Doesn't apply for me. Missing some image files and doesn't apply on 
jquery-ui.css.

I applied all your patches I could find before this one, but I can't find number 
28 on the list. Maybe that's the reason.


Pavel



Re: [Freeipa-devel] [PATCH] Icons

2010-09-20 Thread Pavel Zuna

On 09/18/2010 02:35 AM, Adam Young wrote:

These are just place holder icons until we get the official ones from
UXD.  They look roughly like the finished product, but have some rough
points. They will be used by the next patch to generate the quick links
and facets.

This is a huge patch, but it is all binary files.



ACK.

Pavel



Re: [Freeipa-devel] [PATCH] admiyo-freeipa-0033-pointer-cursor-for-facets.patch

2010-09-20 Thread Pavel Zuna

On 09/17/2010 04:43 PM, Adam Young wrote:

Changes the mouse icon for facets to the pointer, signifying clickability




ACK.

Pavel


