Re: [Freeipa-devel] [PATCH] Add a new user-add flag param to disable the creation of UPG.
On 04/04/2011 03:47 PM, Simo Sorce wrote:
> On Mon, 28 Mar 2011 15:27:46 -0700 Nathan Kinder nkin...@redhat.com wrote:
>> On 03/28/2011 03:20 PM, Dmitri Pal wrote:
>>> On 03/28/2011 04:38 PM, Pavel Zůna wrote:
>>>> This patch handles the issue in a kind of stupid way, but I couldn't think of anything better. It adds a new flag parameter to user-add (--noprivate). With this flag, the command marks the private group about to be created for deletion and it is deleted after the user is created. The only exception is when there is a group that is named the same way as the user but isn't a private group - then the group is left there.
>>>>
>>>> Private groups are created automatically by the managed entry DS plugin and I didn't find a way to disable its creation for a specific user.
>>>
>>> The idea that comes to mind is to define some magical attribute that the DS plugin would recognize and skip the creation of the managed entry as well as strip the entry of this magic attribute/value. I remember that other plugins might take advantage of a similar approach. Is something like this possible?
>>
>> You are probably thinking of the DNA plug-in and its use of a magic value used to tell the plug-in to allocate a value from a range. I would not like to use this approach here, as it requires additional coding and complexity that I don't think is needed.
>>
>> I would prefer that we use the originFilter to deal with this. We could have an auxiliary objectclass that IPA usually adds when creating an IPA user. The originFilter can key off of this objectclass to create managed groups. When a user is added with the --noprivate option, this objectclass is not included in the user entry that is added. Rob and I discussed this approach on IRC earlier today.
>
> Ack, this sounds like a better approach, although it doesn't necessarily need to be an objectclass; it can also be an attribute with a specific value that is checked in the filter as (!(attrib=value))
>
> Simo.

New patch with new approach attached.
It sets the checked filter to: ((objectclass=posixAccount)(!(description=__no_upg__))) If a user entry is created with the description attribute equal to the string __no_upg__, the DS plugin will not trigger and no UPG is going to be created. After this patch, the user-add plugin adds this description attribute (NO_UPG_MAGIC = __no_upg__) in the pre_callback and deletes it in the post_callback if necessary. I think the description attribute is the best choice, because it's part of the posixAccount objectClass and we don't use it for anything on user entries. Pavel From 57f3b82bc4b3180a8b0a27733cc0632b813a7736 Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Mon, 28 Mar 2011 15:10:57 -0400 Subject: [PATCH] Add a new user-add flag param to disable the creation of UPG. Ticket #1131 --- install/share/user_private_groups.ldif |2 +- ipalib/plugins/user.py | 53 --- 2 files changed, 42 insertions(+), 13 deletions(-) diff --git a/install/share/user_private_groups.ldif b/install/share/user_private_groups.ldif index 9df729a..41a78ba 100644 --- a/install/share/user_private_groups.ldif +++ b/install/share/user_private_groups.ldif @@ -15,7 +15,7 @@ changetype: add objectclass: extensibleObject cn: UPG Definition originScope: cn=users,cn=accounts,$SUFFIX -originFilter: objectclass=posixAccount +originFilter: ((objectclass=posixAccount)(!(description=__no_upg__))) managedBase: cn=groups,cn=accounts,$SUFFIX managedTemplate: cn=UPG Template,cn=etc,$SUFFIX diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 9015144..9a658a9 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -63,6 +63,9 @@ from ipalib import _, ngettext from ipalib.request import context from time import gmtime, strftime + +NO_UPG_MAGIC = '__no_upg__' + def validate_nsaccountlock(entry_attrs): if 'nsaccountlock' in entry_attrs: if not isinstance(entry_attrs['nsaccountlock'], basestring): 
@@ -70,6 +73,7 @@ def validate_nsaccountlock(entry_attrs): if entry_attrs['nsaccountlock'].lower() not in ('true','false'): raise errors.ValidationError(name='nsaccountlock', error='must be TRUE or FALSE') + class user(LDAPObject): User object. @@ -250,22 +254,35 @@ class user_add(LDAPCreate): Add a new user. - msg_summary = _('Added user %(value)s') +takes_options = LDAPCreate.takes_args + ( +Flag('noprivate', +cli_name='noprivate', +doc=_('don\'t create user private group'), +), +) + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): -try: -# The Managed Entries plugin will allow a user to be created -# even if a group has a duplicate name. This would leave a user -# without a private group. Check for both the group and the user. -self.api.Command['group_show'](keys[-1
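Review bot: the originFilter in the user_private_groups.ldif hunk reads ((objectclass=posixAccount)(!(description=__no_upg__))) with no conjunction operator in front of the two sub-filters; as shown it is not a valid LDAP filter, so confirm the committed ldif carries the leading `&` (the same filter appears the same way in the message text, so this may be an archive rendering artifact, but it is worth checking on the real file). Two things the commit message should state: any entry added with description=__no_upg__, by any client and not only by user-add --noprivate, will skip UPG creation, and if user-add's post_callback fails to strip the marker the string stays visible in the entry's description.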
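Review bot: in the user_add hunk, `takes_options = LDAPCreate.takes_args + (Flag('noprivate', ...),)` builds the option list from the base class's positional arguments rather than its options; it should read `LDAPCreate.takes_options + (...)`, otherwise the inherited options are lost and the base arguments are exposed as options. The hunk is cut off at `self.api.Command['group_show'](keys[-1` in this archive copy, so the pre_callback logic past that point (where the NO_UPG_MAGIC description is supposed to be added) could not be reviewed here.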
Re: [Freeipa-devel] [PATCH] Validate/Normalize user attributes if set using krbtpolicy set/add-attr.
On 04/06/2011 05:08 PM, Pavel Zuna wrote: Ticket #744 Pavel New fixed version of patch attached. Pavel From c61c329c1fd4f806a64f4fa6b660b0baeea38377 Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Wed, 6 Apr 2011 09:08:03 -0400 Subject: [PATCH] Validate/Normalize user attributes if set using krbtpolicy set/add-attr. Ticket #744 --- ipalib/plugins/krbtpolicy.py | 20 ipalib/plugins/user.py |1 + 2 files changed, 21 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/krbtpolicy.py b/ipalib/plugins/krbtpolicy.py index c9d86ea..8cefc90 100644 --- a/ipalib/plugins/krbtpolicy.py +++ b/ipalib/plugins/krbtpolicy.py @@ -83,6 +83,10 @@ class krbtpolicy(LDAPObject): label=_('User name'), doc=_('Manage ticket policy for specific user'), primary_key=True, +pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', +pattern_errmsg='may only include letters, numbers, _, -, . and $', +maxlength=255, +normalizer=lambda value: value.lower(), ), Int('krbmaxticketlife?', cli_name='maxlife', @@ -96,6 +100,14 @@ class krbtpolicy(LDAPObject): doc=_('Maximum renewable age (seconds)'), minvalue=1, ), +Int('uidnumber?', +minvalue=1, +flags=['no_create', 'no_update', 'no_search'], +), +Int('gidnumber?', +minvalue=1, +flags=['no_create', 'no_update', 'no_search'], +), ) def get_dn(self, *keys, **kwargs): @@ -115,6 +127,14 @@ class krbtpolicy_mod(LDAPUpdate): # ticket policies are attached to objects with unrelated attributes if options.get('all'): options['all'] = False +if keys[-1] is not None: +# we're modifying an user entry and it's possible to change its +# attribute unrelated to ticket policy using --{set,add}-attr +# we need to validate/normalize them here: +if 'mail' in entry_attrs: +entry_attrs['mail'] = self.api.Object['user']._normalize_email( +entry_attrs['mail'] +) return dn api.register(krbtpolicy_mod) diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index e71c21b..d18ba18 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py 
@@ -176,6 +176,7 @@ class user(LDAPObject): label=_('GID'), doc=_('Group ID Number'), default_from=lambda uid: uid, +minvalue=1, ), Str('street?', cli_name='street', -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
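Review bot: the pattern, pattern_errmsg, maxlength and normalizer added to krbtpolicy's Str('uid') copy the user plugin's login-name rules inline; when the user plugin's rules change, the two definitions will drift apart silently. Consider sharing the definition with the user object instead of duplicating the regex here.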
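Review bot: in the krbtpolicy_mod pre_callback hunk only `mail` is normalized, by reaching into another plugin's leading-underscore helper `self.api.Object['user']._normalize_email`, while the commit message promises validation/normalization of user attributes in general. Either narrow the commit message to what the hunk does or expose a public normalization hook on the user object so the cross-plugin call does not depend on a private method. Patch 85 earlier in this thread fixed that normalizer raising on an empty `--setattr=mail=`; a test that runs krbtpolicy-mod with the same empty value would show the empty-value path is covered through this command too.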
[Freeipa-devel] [PATCH] Validate/Normalize user attributes if set using krbtpolicy set/add-attr.
Ticket #744

Pavel

freeipa-pzuna-89-validatekrbt.patch (attached)
[Freeipa-devel] [PATCH] Fix gidnumber option of user-add command.
With this patch, the gidNumber is set automatically only if it wasn't specified explicitly by the user.

Ticket #1127

Pavel

freeipa-pzuna-87-fixgidnumber.patch (attached)
Re: [Freeipa-devel] [PATCH] 039 Wait for Directory Server ports to open
On 03/14/2011 06:03 PM, Martin Kosek wrote:
> I know this is a 2.1 ticket, but the patch is probably also a solution of #1047 - a 2.0.5 bucket critical bug.
>
> When a Directory Server operation is run right after the server restart, the listening ports may not be opened yet. This makes the installation fail.
>
> This patch fixes this issue by waiting for both secure and insecure Directory Server ports to open after every restart.
>
> https://fedorahosted.org/freeipa/ticket/1076

ACK. Seems to also fix #1047, as I couldn't reproduce after this patch was applied.

Pavel
Re: [Freeipa-devel] [PATCH] 752 fix SELinux AVCs
On 03/14/2011 09:33 PM, Rob Crittenden wrote:
> Fix SELinux errors caused by enabling TLS on the dogtag 389-ds instance.
>
> This fixes 2 AVCs:
> * One because we are enabling port 7390 because an SSL port must be defined to use TLS on 7389.
> * We were symlinking to the main IPA 389-ds NSS certificate database. Instead generate a separate NSS database and certificate and have certmonger track it separately.
>
> I also noticed some variable inconsistency in cainstance.py. Everywhere else we use self.fqdn and that was using self.host_name. I found it confusing so I fixed it.
>
> ticket 1085

ACK!!

Pavel
[Freeipa-devel] [PATCH] Fix error in user plugin email normalizer for empty --setattr=mail=.
An exception was raised when you tried to reset user email addresses and set new ones using:

ipa user-add SOMEUSER --setattr=mail= --addattr=mail=someu...@redhat.com

Pavel

freeipa-pzuna-85-fixemailnorm.patch (attached)
Re: [Freeipa-devel] [PATCH] Fix error in user plugin email normalizer for empty --setattr=mail=.
On 03/03/2011 04:23 PM, Pavel Zuna wrote:
> An exception was raised when you tried to reset user email addresses and set new ones using:
>
> ipa user-add SOMEUSER --setattr=mail= --addattr=mail=someu...@redhat.com
>
> Pavel

Just a correction: the example above should read 'ipa user-mod ...' ofc.

Pavel
Re: [Freeipa-devel] Localization patches.
On 02/23/2011 07:09 PM, Pavel Zůna wrote:
> On 2011-02-22 20:16, Rob Crittenden wrote:
>> Pavel Zůna wrote:
>>> On 2011-02-17 22:52, Rob Crittenden wrote:
>>>> Pavel Zůna wrote:
>>>>> On 2011-02-17 05:09, Rob Crittenden wrote:
>>>>>> Pavel Zůna wrote:
>>>>>>> My efforts in fixing localization all around the framework and preparing it for localizing docstrings have resulted in a lot of patches. Because I understand they have become a bit hard to track, I decided to post them all together in this thread to make review easier.
>>>>>>>
>>>>>>> After this is committed, there will be one more patch that switches xgettext for pygettext. Then hopefully, we'll be pretty much set when it comes to i18n.
>>>>>>>
>>>>>>> Pavel
>>>>>>
>>>>>> Patch 81 isn't applying for me.
>>>>>>
>>>>>> Help is not working for me either, this is due to patch 80.
>>>>>>
>>>>>> $ ipa help user
>>>>>> ipa: ERROR: NameError: global name '_' is not defined
>>>>>> Traceback (most recent call last):
>>>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1087, in run
>>>>>>     api.finalize()
>>>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 619, in finalize
>>>>>>     plugin_iter(base, (magic[k] for k in magic))
>>>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/base.py", line 397, in __init__
>>>>>>     sorted(members, key=lambda m: getattr(m, name_attr))
>>>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 608, in plugin_iter
>>>>>>     plugins[klass] = PluginInstance(klass)
>>>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 585, in __init__
>>>>>>     self.instance = klass()
>>>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 184, in __init__
>>>>>>     self.doc = _(inspect.getdoc(cls))
>>>>>> NameError: global name '_' is not defined
>>>>>> ipa: ERROR: an internal error has occurred
>>>>>>
>>>>>> Patches 69, 71 and 73 are still working fine.
>>>>>>
>>>>>> What is switching from xgettext to pygettext going to do?
>>>>>
>>>>> This was answered by John Dennis: xgettext doesn't parse python docstrings.
>>>>>
>>>>>> rob
>>>>>
>>>>> Rebased version of 81 attached. It should also fix the traceback you're getting.
>>>>>
>>>>> Pavel
>>>>
>>>> Something is still not working.
>>>>
>>>> I'm having a hard time reproducing how I got this but with LANG=es_US.UTF-8 for a while I was getting this with every ipa user-* request:
>>>>
>>>> ipa: ERROR: UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in position 20: ordinal not in range(128)
>>>> Traceback (most recent call last):
>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1090, in run
>>>>     sys.exit(api.Backend.cli.run(argv))
>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 917, in run
>>>>     rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, **options)
>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/frontend.py", line 953, in output_for_cli
>>>>     textui.print_entries(result, order, labels, flags, print_all)
>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 346, in print_entries
>>>>     self.print_entry(entry, order, labels, flags, print_all, format, indent)
>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 378, in print_entry
>>>>     label, value, format, indent, one_value_per_line
>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 309, in print_attribute
>>>>     self.print_indented(format % (attr, text[0]), indent)
>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 232, in print_indented
>>>>     print (CLI_TAB * indent + text)
>>>> UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in position 20: ordinal not in range(128)
>>>> ipa: ERROR: ha ocurrido un error interno
>>>>
>>>> I think it is blowing up on this user:
>>>>
>>>>   User login: jose
>>>>   First name: Jose
>>>>   Last name: contraseñas
>>>>   Home directory: /home/jose
>>>>   Login shell: /bin/sh
>>>>   Account disabled: TRUE
>>>>   Member of groups: ipausers
>>>>
>>>> Then all of a sudden things started working fine, so I'm not sure what's going on.
>>>>
>>>> Is this traceback meaningful to you?
>>>>
>>>> rob
>>>
>>> This looks like a bug in the textui backend.
>>>
>>> You get this error when you do something like this:
>>>
>>> a = u'\xf1'
>>> a.decode('utf-8')
>>> Traceback (most recent call last):
>>>   File "<stdin>", line 1, in <module>
>>>   File "/usr/lib/python2.6/encodings/utf_8.py", line 16, in decode
>>>     return codecs.utf_8_decode(input, errors, True)
>>> UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in position 0: ordinal not in range(128)
>>>
>>> It means we're not handling encoding/decoding from/to the CLI right somewhere. The character \xf1 corresponds to the small N with tilde in Jose's last name.
>>>
>>> I'm going to look into it, but I don't think it's related to the localization patches.
>>>
>>> Pavel
>>
>> I'm seeing 2 test failures:
>>
>> ==
>> FAIL: Test the `ipalib.plugable.Plugin.__init__` method.
>> --
>> Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/nose/case.py", line 186, in runTest
>>     self.test(*self.arg)
>>   File "/home/rcrit/redhat/freeipa-tests/tests/test_ipalib/test_plugable.py", line 237, in test_init
>>     assert o.summary == 'Do sub-classy things.'
>> AssertionError
>>
>> ==
>> FAIL: Test gettext translation
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
On 02/23/2011 11:53 PM, Simo Sorce wrote:
> On Wed, 23 Feb 2011 23:41:33 +0100 Pavel Zůna pz...@redhat.com wrote:
>> On 2011-02-15 16:36, JR Aquino wrote:
>>> On 2/15/11 6:52 AM, Simo Sorce sso...@redhat.com wrote:
>>>> On Tue, 15 Feb 2011 15:19:50 +0100 Pavel Zuna pz...@redhat.com wrote:
>>>>> I can't reproduce this. :-/ For me it goes fine:
>>>>>
>>>>> [root@ipadev tools]# ./ipa-nis-manage enable
>>>>> Directory Manager password:
>>>>> Enabling plugin
>>>>> This setting will not take effect until you restart Directory Server.
>>>>> The rpcbind service may need to be started.
>>>>
>>>> Pavel, Jr has set the minimum ssf to a non-default value to test a configuration in which all communications are required to be encrypted. That's why you can't reproduce with the vanilla configuration.
>>>>
>>>> We want to support that mode although it won't be the default, so we need to fix any issue that causes that configuration to break (ie all non-encrypted/non-ldapi connections).
>>>>
>>>> Simo.
>>>>
>>>> --
>>>> Simo Sorce * Red Hat, Inc * New York
>>>
>>> The best way to do this is:
>>> -=-
>>> service ipa stop
>>> Edit /etc/dirsrv/slapd-DOMAIN/dse.ldif
>>> Change:
>>> nsslapd-minssf: 0
>>> To:
>>> nsslapd-minssf: 56
>>> - 56 is chosen because SASL communicates a 56bit handshake even though we utilize a much stronger cipher... (It is a known bug/feature)
>>> service ipa start
>>
>> I tried to use the LDAPUpdate class (ipaserver/install/ldapupdate.py) with ldapi=True, but it raises a NotFound exception when trying to call IPAdmin.do_external_bind() (ipaserver/ipaldap.py). This exception originates in IPAdmin.__lateinit() when trying to retrieve this:
>>
>> cn=config,cn=ldbm database,cn=plugins,cn=config
>>
>> For some reason it looks like this entry is inaccessible when doing a SASL EXTERNAL bind as root.
>>
>> I can retrieve the entry as cn=directory manager:
>>
>> [root@vm-090 freeipa]# ldapsearch -D "cn=directory manager" -W -H ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b "cn=config,cn=ldbm database,cn=plugins,cn=config" -s one
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=config,cn=ldbm database,cn=plugins,cn=config> with scope oneLevel
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # default indexes, config, ldbm database, plugins, config
>> dn: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
>> objectClass: top
>> objectClass: extensibleObject
>> cn: default indexes
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> but not as root:
>>
>> [root@vm-090 freeipa]# ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b cn=config
>> SASL/EXTERNAL authentication started
>> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>> SASL SSF: 0
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=config> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # SNMP, config
>> dn: cn=SNMP,cn=config
>> objectClass: top
>> objectClass: nsSNMP
>> cn: SNMP
>> nsSNMPEnabled: on
>>
>> # 2.16.840.1.113730.3.4.9, features, config
>> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
>> objectClass: top
>> objectClass: directoryServerFeature
>> oid: 2.16.840.1.113730.3.4.9
>> cn: VLV Request Control
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 3
>> # numEntries: 2
>>
>> I'm not sure what the problem is, I tried setting different SASL security properties, but nothing helped. :(
>>
>> Next step is to analyze DS logs, but before I do that, I wanted to ask if anyone has any tips on what the solution might be.
>
> We have very strict ACIs when using EXTERNAL SASL as root.
>
> Is there any reason you need to operate as root? You can also authenticate with SIMPLE (Dir MGr credentials), or SASL/GSSAPI if you have credentials.
>
> If you need to run unattended as root then we may need to make root+SASL/EXTERNAL more powerful but I'd like to understand exactly why you need that and can't use regular authentication with DirMgr or GSSAPI credentials.
>
> Simo.

Thanks for advice! New version of the patch attached.

Pavel

freeipa-pzuna-78-4-toolsldapi.patch (attached)
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
On 02/14/2011 04:53 PM, Rob Crittenden wrote:
> Pavel Zuna wrote:
>> On 02/08/2011 01:06 PM, Pavel Zuna wrote:
>>> The patch also corrects exception handling in some of the tools.
>>>
>>> Fix #874
>>>
>>> Pavel
>>
>> Updated patch attached. Forgot to rename an identifier in exception handling.
>>
>> Pavel
>
> This isn't applying cleanly to master, can you rebase it?
>
> rob

Rebased patch attached.

Pavel

freeipa-pzuna-78-3-toolsldapi.patch (attached)
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
On 02/14/2011 04:56 PM, JR Aquino wrote:
> On 2/10/11 2:42 AM, Pavel Zuna pz...@redhat.com wrote:
>> On 02/08/2011 01:06 PM, Pavel Zuna wrote:
>>> The patch also corrects exception handling in some of the tools.
>>>
>>> Fix #874
>>>
>>> Pavel
>>
>> Updated patch attached. Forgot to rename an identifier in exception handling.
>>
>> Pavel
>
> NACK
>
> It looks like LDAPUpdate calls may want to include ldapi=True?
> -=-
> # ipa-nis-manage enable
> Directory Manager password:
> Enabling plugin
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-nis-manage", line 211, in <module>
>     sys.exit(main())
>   File "/usr/sbin/ipa-nis-manage", line 151, in main
>     ld = LDAPUpdate(dm_password=dirman_password, sub_dict={})
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 101, in __init__
>     conn.do_simple_bind(bindpw=self.dm_password)
>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 350, in do_simple_bind
>     self.simple_bind_s(binddn, bindpw)
>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
>     return f(*args, **kargs)
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 207, in simple_bind_s
>     return self.result(msgid,all=1,timeout=self.timeout)
>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 181, in inner
>     objtype, data = f(*args, **kargs)
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 436, in result
>     res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
>     return f(*args, **kargs)
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 440, in result2
>     res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
>     return f(*args, **kargs)
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 446, in result3
>     ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
>     return f(*args, **kargs)
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 96, in _ldap_call
>     result = func(*args,**kwargs)
> ldap.UNWILLING_TO_PERFORM: {'info': 'Minimum SSF not met.', 'desc': 'Server is unwilling to perform'}

I can't reproduce this. :-/ For me it goes fine:

[root@ipadev tools]# ./ipa-nis-manage enable
Directory Manager password:
Enabling plugin
This setting will not take effect until you restart Directory Server.
The rpcbind service may need to be started.

Pavel
Re: [Freeipa-devel] [PATCH] 050 Fix migration page
On 02/09/2011 02:09 PM, Jakub Hrozek wrote:
> During some UI rewrite, the password migration form completely lost the action= field and defaulted to GET instead of POST.

ACK.

Pavel
[Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
The patch also corrects exception handling in some of the tools.

Fix #874

Pavel

freeipa-pzuna-78-toolsldapi.patch (attached)
Re: [Freeipa-devel] [PATCH] 73 Update config doc to reflect that 0 is not allowed for search time limit.
On 02/08/2011 12:34 AM, David O'Brien wrote:
> Pavel Zuna wrote:
>> Fix #837
>>
>> Pavel
>
> /me hesitantly asks...
>
> Doesn't this mean that 1 is illegal?
>
> doc=_('Max. amount of time (sec.) for a search (> 1 or -1 for unlimited)'),
>
> Neither is there any mention of zero being illegal. It may be implicit or self-evident, but I don't rely on that in doc.
>
> I'd be inclined to change it to (> 0, or -1 for unlimited) but remember, I'm not a coder :)
>
> cheers

You're right. :)

Fixed version attached.

Pavel

freeipa-pzuna-73-2-configdoc.patch (attached)
[Freeipa-devel] [PATCH] 72 Set minimum for Kerberos policy max life and max renew
Fix #847

Pavel

freeipa-pzuna-72-krbtpmin.patch (attached)
[Freeipa-devel] [PATCH] 73 Update config doc to reflect that 0 is not allowed for search time limit.
Fix #837

Pavel

freeipa-pzuna-73-configdoc.patch (attached)
[Freeipa-devel] [PATCH] 76 Fallback to default locale (en_US) if env. setting is corrupt.
This is a follow-up to my patches 69 and 71 (70 is garbage). It prevents a crash when a user misconfigures his locale settings.

Pavel

freeipa-pzuna-76-deflocale.patch (attached)
[Freeipa-devel] [PATCH] 77 Update krbtpolicy doc to inform that restarting krb5kdc might be needed.
It seems that restarting krb5kdc is only needed when changes to the global policy are made. Per-user policies take effect immediately for newly requested tickets. Can someone please confirm?

Fix #844

Pavel

freeipa-pzuna-77-krbtpdoc.patch (attached)
Re: [Freeipa-devel] [PATCH] Remove deprecated i18n code from ipalib.request and all references to it.
On 02/02/2011 09:36 PM, Rob Crittenden wrote:
> Pavel Zuna wrote:
>> This ticket effectively fixes the translation of exception messages.
>>
>> Ticket #903
>>
>> Pavel
>
> On hold for now, see also patch 'Translate exception messages on the client side.'
>
> rob

This should get pushed for the translation in exceptions to work. It only removes the defunct code and replaces it with something functional.

Pavel
[Freeipa-devel] [PATCH] Send Accept-Language header over XML-RPC and translate on server.
This patch makes the ipa client send the Accept-Language header, so that the server can translate things like exceptions that cannot be translated on the client.

It also fixes the language recognition for the webUI. The values in the Accept-Language header are a bit different than what is accepted by the LANG variable as a valid locale - some additional parsing was needed. For example:

Accept-Language: es-es;q=1

needs to translate to es_ES, otherwise it won't be recognized by gettext.

Fix #904
Fix #917

Pavel

freeipa-pzuna-71-acceptlang.patch (attached)
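The Accept-Language to gettext-locale conversion described above, as an added Python 3 example that is not FreeIPA's own code: it goes beyond the single es-es case in the post by honouring q-values and client order, it drops tags that are not plain language tags (gettext.find() builds catalog file paths from the names it is given, so a header value should never reach it unchecked), and it always ends with a default locale in the spirit of patch 76. The names accept_language_to_locales, DEFAULT_LOCALE and the helpers are assumptions.

```python
"""Turn an Accept-Language header into gettext locale candidates.

Added example, not FreeIPA code. Function and constant names are assumptions.
"""
import re

DEFAULT_LOCALE = "en_US"  # fallback in the spirit of patch 76 (assumption)

# Language tag: 1-8 letters, then optional "-subtag" pieces of 1-8 alphanumerics.
# Anything else (e.g. "../../etc") is refused so it never reaches gettext.find().
_TAG_RE = re.compile(r"^[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*$")


def _parse_qvalue(params):
    """Return the q-value of one entry; a malformed q counts as 0 (drop it)."""
    q = 1.0  # RFC default when no q parameter is present
    for param in params:
        name, _, value = param.strip().partition("=")
        if name.strip().lower() == "q":
            try:
                q = float(value.strip())
            except ValueError:
                return 0.0
    return max(0.0, min(q, 1.0))


def _tag_to_locale(tag):
    """Map "es-es" -> "es_ES", "fr" -> "fr"; None for tags we refuse."""
    if not _TAG_RE.match(tag):
        return None
    parts = tag.split("-")
    lang = parts[0].lower()
    # First 2-letter alphabetic subtag is treated as the region (ES, GB, ...).
    region = next((p.upper() for p in parts[1:] if len(p) == 2 and p.isalpha()), None)
    return f"{lang}_{region}" if region else lang


def accept_language_to_locales(header, default=DEFAULT_LOCALE):
    """Return locale names, best first, always ending with `default`.

    Entries with q=0 are explicitly refused by the client and are skipped,
    "*" carries no usable language, duplicates are collapsed, and ties on q
    keep the client's own order.
    """
    ranked = []
    for index, entry in enumerate((header or "").split(",")):
        pieces = entry.split(";")
        tag = pieces[0].strip()
        if not tag or tag == "*":
            continue
        q = _parse_qvalue(pieces[1:])
        if q <= 0:
            continue
        locale_name = _tag_to_locale(tag)
        if locale_name is not None:
            ranked.append((-q, index, locale_name))  # sort: high q first, then order
    result = []
    for _, _, locale_name in sorted(ranked):
        if locale_name not in result:
            result.append(locale_name)
    if default not in result:
        result.append(default)
    return result


if __name__ == "__main__":
    # Constructed header values for demonstration.
    print(accept_language_to_locales("es-es;q=1"))
    print(accept_language_to_locales("fr-CH, fr;q=0.9, en;q=0.8, de;q=0.7, *;q=0.5"))
```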
Re: [Freeipa-devel] python i18n options
On 02/03/2011 05:13 PM, John Dennis wrote:
> On 02/03/2011 09:34 AM, Pavel Zuna wrote:
>> Python 2.6+ provides secure ways to encode and decode literal types to/from strings.
>
> I'm not sure what you mean by this, could you elaborate please?

http://docs.python.org/library/ast.html#ast.literal_eval

We could use it to send data about the exception and have the client translate it for itself. However I decided to drop this idea, because it would require changes in a lot of places where we construct exceptions and that's just not worth it.

>> Summary: Unless we agree on a better way, I'm going to try the pygettext patch and see how usable it is. If it's not then I'll try the solution with merging pygettext and xgettext output. We also need to rethink the PublicError class and its encoding/decoding in {JSON,XML}-RPC to have them translated on the client.
>
> I think your proposal sounds fine if we expect the message catalog on the client to be in sync with the server. I'm not sure that's a good assumption. When they drift apart the effect will be that some messages appear localized and others won't. That will be a poor user experience.
>
> One way we could address this problem is by following the web model. The client sends their language preference in each request. When the server responds it performs the message translation prior to sending it back to the client. We're already doing this for the web UI, any reason not to follow the same model for other clients?

Yes, we're going to use the same model in the end. Already posted a patch on the list that does just that (71).

> I can't comment on the quality of the upstream pygettext patch, but one way to find out is to start using it :-)

That's exactly what I'm planning to do. :)

Pavel
[Freeipa-devel] python i18n options
I've been playing around with localizing python strings for a while and this is what I figured out:

Currently we use xgettext to get strings to be translated from python files. From within python we call the gettext library wrapped in ipalib/text.py classes to provide on-request translation. We need on-request translation, so that we can translate strings on the client.

Apart from the classes in ipalib/text.py, there are also localization functions in ipalib/request.py. These functions are old and deprecated. Despite this they are still used when translating exception messages. That's why exceptions aren't currently being localized. Rob posted a patch recently that fixes this, but it wasn't fixing the problem at its root. There's another patch by me (69: Remove deprecated i18n code...) that removes references to ipalib/request.py and replaces it with ipalib/text.py classes. This patch should definitely be accepted. It doesn't change anything - it just removes code that shouldn't be there anyway.

There's another problem with exceptions. They are localized when they are first created on the server. When transmitting exceptions from server to client, the data is wrapped in a xmlrpclib.Fault class. This class can only contain an error code and string, making it impossible to reconstruct on the client, especially if it contains template strings (i.e. '%(reason)s'). I propose we change the way exceptions are created and encode information about them as Fault string data. We can then reconstruct them on the client and perform localization there. Python 2.6+ provides secure ways to encode and decode literal types to/from strings. This will require changes to the PublicError class.

Now there's the issue of localizing the built-in help system ('ipa help'), which translates to localizing python docstrings. xgettext can't do that on its own. There's an alternative called pygettext.

Unfortunately pygettext can't translate ngettext strings (meaning strings that have a singular and plural form). I found two solutions around this:

1) a) use both xgettext and pygettext
   b) merge the resulting .po files
   c) use the msguniq utility to get unique translatable strings
2) there's a patch for pygettext to handle ngettext strings

Solution 1) will probably work fine, but it's not very effective. I would prefer the second solution, but I still have to determine how good the patch is, since it was sent by some random guy on the python mailing list.

Links:
http://bugs.python.org/issue8502
http://bugs.python.org/file17639/pygettext.py.patch

Opinions?

Summary: Unless we agree on a better way, I'm going to try the pygettext patch and see how usable it is. If it's not then I'll try the solution with merging pygettext and xgettext output. We also need to rethink the PublicError class and its encoding/decoding in {JSON,XML}-RPC to have them translated on the client.

Pavel
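The Fault-string proposal above (encode the exception's untranslated template and parameters as Python literal data, rebuild it on the client with ast.literal_eval rather than eval, then translate there), as an added Python 3 example that is not FreeIPA's code; the reply earlier on this page records that the idea was dropped in favour of server-side translation, but it shows why literal_eval is the safe decoder for data received over RPC. The helper names, the fault code 4002 and the two-entry catalog are assumptions.

```python
"""Carry an error across an XML-RPC Fault as literal data and localize on the client.

Added example, not FreeIPA code. Helper names, fault code and catalog are assumptions.
"""
import ast
import xmlrpc.client

# Constructed stand-in for a message catalog: untranslated template -> translation.
CATALOG = {
    "es": {
        "entry with name %(name)s already exists":
            "ya existe una entrada con el nombre %(name)s",
    },
}


def encode_fault(error_name, template, kw):
    """Server side: pack the untranslated template and its parameters into a Fault.

    repr() of str/int/float/bool/None/list/dict values is a literal that
    ast.literal_eval can read back; other value types must be converted first.
    """
    payload = {"error": error_name, "template": template, "kw": dict(kw)}
    return xmlrpc.client.Fault(4002, repr(payload))  # 4002: assumed code


def decode_fault(fault_string):
    """Client side: rebuild the payload without eval(); None if it is not ours.

    literal_eval only accepts literals, so a fault string such as
    "__import__('os').system('id')" raises instead of running.
    """
    try:
        payload = ast.literal_eval(fault_string)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        return None
    if not isinstance(payload, dict):
        return None
    if not all(k in payload for k in ("error", "template", "kw")):
        return None
    if not isinstance(payload["template"], str) or not isinstance(payload["kw"], dict):
        return None
    return payload


def localize(payload, lang):
    """Translate the template from the client's catalog, then fill in parameters.

    An unknown language or template falls back to the untranslated text, and a
    template whose parameters do not match is returned unfilled rather than raising.
    """
    template = CATALOG.get(lang, {}).get(payload["template"], payload["template"])
    try:
        return template % payload["kw"]
    except (KeyError, TypeError, ValueError):
        return payload["template"]


def roundtrip(error_name, template, kw, lang):
    """Server encodes, client decodes and localizes; returns text or None."""
    fault = encode_fault(error_name, template, kw)
    payload = decode_fault(fault.faultString)
    return None if payload is None else localize(payload, lang)


if __name__ == "__main__":
    # The DuplicateEntry case from the thread, with a constructed user name.
    print(roundtrip("DuplicateEntry", "entry with name %(name)s already exists",
                    {"name": "kfrog"}, "es"))
```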
[Freeipa-devel] [PATCH] Fix crash in ipa help for NO_CLI plugins.
Fix #854 Pavel From 6c9f25fa6c50034db4967e64590cc9d46bdf8e0b Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Wed, 2 Feb 2011 12:47:34 -0500 Subject: [PATCH] Fix crash in ipa help for NO_CLI plugins. Fix #854 --- ipalib/cli.py | 16 ++-- 1 files changed, 2 insertions(+), 14 deletions(-) diff --git a/ipalib/cli.py b/ipalib/cli.py index 5543301..9735d2e 100644 --- a/ipalib/cli.py +++ b/ipalib/cli.py @@ -730,19 +730,6 @@ class help(frontend.Local): for t in topics: topic = self._topics[t] print ' %s %s' % (to_cli(t).ljust(self._mtl), topic[0]) - -if False: -topic_commands = self._topics[t][2] -mod_list = [self._get_command_module(c.module) for c in topic_commands] -mod_list = list(set(mod_list)) - -for mod in mod_list: -m = '%s.%s' % (self._PLUGIN_BASE_MODULE, mod) -if 'topic' in dir(sys.modules[m]): -doc = sys.modules[m].topic[1] -else: -doc = (sys.modules[m].__doc__ or '').strip().split('\n', 1)[0] -print ' %s %s' % (to_cli(t).ljust(self._mtl), doc) print '' print 'Try `ipa --help` for a list of global options.' @@ -759,6 +746,7 @@ class help(frontend.Local): mcl = self._topics[topic][1] commands = self._topics[topic][2] else: +commands = [] for t in self._topics: if type(self._topics[t][2]) is not dict: continue @@ -772,8 +760,8 @@ class help(frontend.Local): doc = (sys.modules[m].__doc__ or '').strip() print doc -print '' if len(commands) 1: +print '' print 'Topic commands:' for c in commands: print ' %s %s' % (to_cli(c.name).ljust(mcl), c.summary) -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
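Review bot: the `commands = []` added in the else branch of the topic lookup is the right fix for the crash, but in the visible lines `mcl` is assigned only in the if branch while the later `to_cli(c.name).ljust(mcl)` depends on it; confirm the loop over self._topics assigns `mcl` on the else path as well, otherwise a topic with no commands trades the old crash for an UnboundLocalError. In the last hunk the comparison operator between `len(commands)` and `1` did not survive the archive rendering, so check the committed line as well. Removing the whole `if False:` block is good; dead code that references sys.modules is exactly the kind of thing that confuses the pygettext work discussed elsewhere in this thread.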
[Freeipa-devel] [PATCH] Fix minor bug in host-add logic.
Fix #798 Pavel From c5872d7d532429341c86cf1ba10a24709b510664 Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Wed, 2 Feb 2011 13:47:21 -0500 Subject: [PATCH] Fix minor bug in host-add logic. Ticket #798 --- ipalib/plugins/host.py |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index d5c5174..e3f38fc 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -323,9 +323,9 @@ class host_add(LDAPCreate): entry_attrs['krbprincipalname'] = 'host/%s@%s' % ( keys[-1], self.api.env.realm ) -if 'krbprincipalaux' not in entry_attrs: +if 'krbprincipalaux' not in entry_attrs['objectclass']: entry_attrs['objectclass'].append('krbprincipalaux') -if 'krbprincipal' not in entry_attrs: +if 'krbprincipal' not in entry_attrs['objectclass']: entry_attrs['objectclass'].append('krbprincipal') else: if 'krbprincipalaux' in entry_attrs['objectclass']: -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
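Review bot: `'krbprincipalaux' not in entry_attrs['objectclass']` (and the `krbprincipal` check below it) compares object class names case-sensitively, while LDAP treats objectClass values case-insensitively; if a caller or an earlier callback put `krbPrincipalAux` in the list, the check misses it and a duplicate value is appended. Normalising once before the two checks, e.g. `ocs = [oc.lower() for oc in entry_attrs['objectclass']]`, and testing against `ocs` makes both branches robust, including the `in entry_attrs['objectclass']` test in the `else` branch.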
Re: [Freeipa-devel] [PATCH] 698 Translate exception messages
On 02/01/2011 11:36 PM, Rob Crittenden wrote: Pavel mentioned this morning that translations didn't seem to be working. I remembered that I did some things on the cli so I re-tested. Turned out that exceptions aren't being translated. I'm not at all sure this patch does the right thing, so take it with a grain of salt. What it does is translate the message before stuffing it into the exception. Note that this will also translate messages returned via XML-RPC so I wonder if we need to force LANG to en_US.UTF-8 there. In any case, this seems to fix the client side anyway. I'm open to criticism on this one. To test do something like: $ kinit admin $ export LANG=es_US.UTF-8 $ ipa user-add --first=Kermit --last=Frog kfrog $ ipa user-add --first=Kermit --last=Frog kfrog You should get a DuplicateEntry() response in Spanish. rob

nack. While this patch works, it doesn't solve the problem at its root. After some investigation I figured out that the functions initializing translations in ipalib/request.py are not called from anywhere. All the translation code in ipalib/request.py is currently deprecated in favor of ipalib/text.py. I'm preparing a patch that removes the unused code and replaces references to it. Pavel
[Freeipa-devel] [PATCH] Remove deprecated i18n code from ipalib.request and all references to it.
This ticket effectively fixes the translation of exception messages. Ticket #903 Pavel From b051be4d816f94ebab3fc932b3d2372d1cf0345a Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Wed, 2 Feb 2011 15:37:14 -0500 Subject: [PATCH] Remove deprecated i18n code from ipalib/request and all references to it. Ticket #903 --- ipalib/errors.py |2 +- ipalib/parameters.py |2 +- ipalib/request.py | 40 - tests/test_ipalib/test_request.py | 161 - 4 files changed, 2 insertions(+), 203 deletions(-) delete mode 100644 tests/test_ipalib/test_request.py diff --git a/ipalib/errors.py b/ipalib/errors.py index 20cd52b..63648d2 100644 --- a/ipalib/errors.py +++ b/ipalib/errors.py @@ -101,7 +101,7 @@ current block assignments: from inspect import isclass -from request import ugettext, ungettext +from text import _ as ugettext, ngettext as ungettext from constants import TYPE_ERROR diff --git a/ipalib/parameters.py b/ipalib/parameters.py index 22b0321..23177b3 100644 --- a/ipalib/parameters.py +++ b/ipalib/parameters.py @@ -102,7 +102,7 @@ a more detailed description for clarity. import re from types import NoneType from util import make_repr -from request import ugettext +from text import _ as ugettext from plugable import ReadOnly, lock, check_name from errors import ConversionError, RequirementError, ValidationError from errors import PasswordMismatch diff --git a/ipalib/request.py b/ipalib/request.py index 9a11fb9..15b26f5 100644 --- a/ipalib/request.py +++ b/ipalib/request.py @@ -23,8 +23,6 @@ Per-request thread-local data. import threading -import locale -import gettext from base import ReadOnly, lock from constants import OVERRIDE_ERROR, CALLABLE_ERROR 
@@ -58,41 +56,3 @@ def destroy_context(): value.disconnect() context.__dict__.clear() - -def ugettext(message): -if hasattr(context, 'ugettext'): -return context.ugettext(message) -return message.decode('UTF-8') - - -def ungettext(singular, plural, n): -if hasattr(context, 'ungettext'): -return context.ungettext(singular, plural, n) -if n == 1: -return singular.decode('UTF-8') -return plural.decode('UTF-8') - - -def set_languages(*languages): -if hasattr(context, 'languages'): -raise StandardError(OVERRIDE_ERROR % -('context', 'languages', context.languages, languages) -) -if len(languages) == 0: -languages = locale.getdefaultlocale()[:1] -context.languages = languages -assert type(context.languages) is tuple - - -def create_translation(domain, localedir, *languages): -if hasattr(context, 'ugettext') or hasattr(context, 'ungettext'): -raise StandardError( -'create_translation() already called in thread %r' % -threading.currentThread().getName() -) -set_languages(*languages) -translation = gettext.translation(domain, -localedir=localedir, languages=context.languages, fallback=True -) -context.ugettext = translation.ugettext -context.ungettext = translation.ungettext diff --git a/tests/test_ipalib/test_request.py b/tests/test_ipalib/test_request.py deleted file mode 100644 index 548156d..000 --- a/tests/test_ipalib/test_request.py +++ /dev/null 
@@ -1,161 +0,0 @@ -# Authors: -# Jason Gerard DeRose jder...@redhat.com -# -# Copyright (C) 2008 Red Hat -# see file 'COPYING' for use and warranty contextrmation -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see http://www.gnu.org/licenses/. - - -Test the `ipalib.request` module. - - -import threading -import locale -from tests.util import raises, assert_equal -from tests.util import TempDir, dummy_ugettext, dummy_ungettext -from ipalib.constants import OVERRIDE_ERROR -from ipalib import request - - -def test_ugettext(): - -Test the `ipalib.request.ugettext` function. - -f = request.ugettext -context = request.context -message = 'Hello, world!' - -# Test with no context.ugettext: -assert not hasattr(context, 'ugettext') -assert_equal(f(message), u'Hello, world!') - -# Test with dummy context.ugettext: -assert not hasattr(context, 'ugettext') -dummy = dummy_ugettext() -context.ugettext = dummy -assert f(message) is dummy.translation -assert dummy.message is message
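Review bot: the errors.py hunk swaps `request.ugettext` (which returned a plain unicode string, `message.decode('UTF-8')`) for `text._`; if `text._` returns a lazy translation object rather than unicode, any code in errors.py that concatenates or `.decode()`s the result will see a different type. A test that `unicode()` of each PublicError subclass still renders, with and without a catalogue installed, would catch that before the client does.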
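Review bot: in the request.py hunk `OVERRIDE_ERROR` is still imported (`from constants import OVERRIDE_ERROR, CALLABLE_ERROR` in the context lines) although its only user, the deleted `set_languages()`, is gone; drop it from the import if nothing else in the module references it.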
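Review bot: deleting tests/test_ipalib/test_request.py removes the only tests shown here for the fallback behaviour (untranslated message returned when no catalogue is set, singular/plural selection on `n == 1`); please make sure the test module for ipalib/text covers the same cases for `_` and `ngettext`, since errors.py and parameters.py now depend on them.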
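The point of Pavel's nack above is that the translation must happen where the message is displayed, not where the exception is raised, otherwise an XML-RPC client gets the server's locale. The following is an added illustration of that deferred-translation pattern, written for this page and not taken from ipalib/text.py: the catalogue, the `set_language()` helper and the `PublicError` classes are constructed stand-ins, and the Spanish strings are a constructed in-memory catalogue rather than a real .mo file.

```python
"""Deferred (lazy) translation: the exception stores an untranslated template
and formats it in the language of whoever finally renders it."""
import threading

# Per-thread request context, standing in for ipalib's thread-local context.
_context = threading.local()

# Constructed catalogues: a tiny in-memory "translation" per language.
_CATALOGUES = {
    "es": {
        "entry already exists": "la entrada ya existe",
        "%(count)d entry": "%(count)d entrada",
        "%(count)d entries": "%(count)d entradas",
    },
}


def set_language(lang):
    """Select the catalogue used when lazy messages are rendered in this thread."""
    _context.lang = lang


def _current_catalogue():
    return _CATALOGUES.get(getattr(_context, "lang", "en"), {})


class LazyText(object):
    """A gettext lookup performed when the text is rendered, not when it is built."""

    def __init__(self, msgid, plural=None, n=None):
        self.msgid, self.plural, self.n = msgid, plural, n

    def __str__(self):
        cat = _current_catalogue()
        if self.plural is None:
            key = self.msgid
        else:
            key = self.msgid if self.n == 1 else self.plural
        return cat.get(key, key)          # fall back to the msgid itself

    def __mod__(self, kw):
        return str(self) % kw


def _(msgid):
    return LazyText(msgid)


def ngettext(singular, plural, n):
    return LazyText(singular, plural, n)


class PublicError(Exception):
    """Error whose message is translated only when str() is called on it."""
    format = _("internal error")

    def __init__(self, **kw):
        Exception.__init__(self)
        self.kw = kw                      # template arguments, kept untranslated

    def __str__(self):
        return str(self.format) % self.kw


class DuplicateEntry(PublicError):
    format = _("entry already exists")


class LimitsExceeded(PublicError):
    format = _("limit of %(limit)d entries exceeded")


def render_in(lang, err):
    """Render the same exception object as a client with locale `lang` would see it."""
    set_language(lang)
    try:
        return str(err)
    finally:
        set_language("en")


def count_message(lang, n):
    """Plural handling: the singular/plural choice is also deferred to render time."""
    set_language(lang)
    try:
        return ngettext("%(count)d entry", "%(count)d entries", n) % {"count": n}
    finally:
        set_language("en")
```

Because `DuplicateEntry()` never calls the catalogue in its constructor, the server can raise it under any locale and still ship the template plus `kw` over XML-RPC; the client renders with its own `set_language()`. That is the alternative to forcing `LANG=en_US.UTF-8` on the server that Rob's message wonders about.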
Re: [Freeipa-devel] [PATCH] Make 'ipa help' localizable.
On 02/01/2011 03:08 PM, John Dennis wrote: On 02/01/2011 08:16 AM, Pavel Zuna wrote: For a long time, I was trying to find a way to localize python docstrings, that we use to generate the built-in documentation system. Unfortunately, python docstrings aren't meant to be localized and therefore I had to use a dirty trick: setting the __doc__ variable manually to a gettext instance. There is one major disadvantage: tools that generate developer documentation (like epydoc) won't display docstrings set like this. One solution would be to have docstrings twice in each module: once normally and once set using __doc__, but that would be very ugly. This patch doesn't update .po files, because it's already big as it is. They are regenerated automatically anyway. Ticket #179 Pavel

Hi Pavel: I'm not sure this is the right approach. What we really want is to be able to extract the docstrings and put them in a pot file. Normally xgettext is used to extract translatable strings but I don't think the python parser in xgettext is docstring aware (we should probably confirm that). However pygettext in the python-tools package is docstring aware. From its help text: -D --docstrings Extract module, class, method, and function docstrings. These do not need to be wrapped in _() markers, and in fact cannot be for Python to consider them docstrings. (See also the -X option). So rather than changing all the source code and making it non-standard I think we're better off using a more appropriate tool when building the pot file. Use of pygettext is discussed and documented in this Python documentation link: http://docs.python.org/library/gettext.html#internationalizing-your-programs-and-modules You can find an interesting discussion of the docstring extraction issue in this thread: http://mail.python.org/pipermail/i18n-sig/2001-August/001292.html BTW, Barry Warsaw is the man behind Mailman and is one of the Python community luminaries.

Thanks for the tips! I'll see what I can do.
Pavel
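The two threads above circle the same gap: pygettext extracts docstrings (`-D`) but not `ngettext()` pairs, while xgettext does the reverse. The following added example, written for this page and not part of FreeIPA or of the pygettext patch under discussion, shows how a single `ast` based pass can collect all three (`_()`/`ugettext()` singulars, `ngettext()`/`ungettext()` singular+plural pairs, and module/class/function docstrings) and emit a de-duplicated `.pot` fragment, which is what the msguniq step in solution 1) was for. `SAMPLE` is a constructed source snippet; the function names recognised are the ones the threads mention plus `gettext` as an assumption.

```python
"""Extract translatable strings from Python source: _() singulars,
ngettext() singular/plural pairs and docstrings, in one AST walk."""
import ast

SINGULAR_FUNCS = {"_", "ugettext", "gettext"}
PLURAL_FUNCS = {"ngettext", "ungettext"}


def _call_name(node):
    """Bare function name of a Call node (`_`, `text.ngettext`, ...), or None."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def _string(node):
    """Literal string value of a node, or None if it is not a string literal."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def extract_messages(source, docstrings=True):
    """Return entries {'msgid', 'msgid_plural' (None for singulars), 'line'}."""
    tree = ast.parse(source)
    entries = []
    if docstrings:
        # What pygettext -D does: docstrings need no _() marker.
        for node in ast.walk(tree):
            if isinstance(node, (ast.Module, ast.ClassDef,
                                 ast.FunctionDef, ast.AsyncFunctionDef)):
                doc = ast.get_docstring(node, clean=False)
                if doc:
                    entries.append({"msgid": doc, "msgid_plural": None,
                                    "line": getattr(node, "lineno", 1)})
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in SINGULAR_FUNCS and node.args:
            msgid = _string(node.args[0])
            if msgid is not None:
                entries.append({"msgid": msgid, "msgid_plural": None,
                                "line": node.lineno})
        elif name in PLURAL_FUNCS and len(node.args) >= 2:
            # The case pygettext misses: both forms become one entry.
            sing, plur = _string(node.args[0]), _string(node.args[1])
            if sing is not None and plur is not None:
                entries.append({"msgid": sing, "msgid_plural": plur,
                                "line": node.lineno})
    return entries


def _po_quote(text):
    escaped = text.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")
    return '"%s"' % escaped


def to_pot(entries):
    """Render entries as .pot text, dropping duplicates the way msguniq would."""
    seen = set()
    out = []
    for e in sorted(entries, key=lambda e: e["line"]):
        key = (e["msgid"], e["msgid_plural"])
        if key in seen:
            continue
        seen.add(key)
        out.append("#: line %d" % e["line"])
        out.append("msgid %s" % _po_quote(e["msgid"]))
        if e["msgid_plural"] is None:
            out.append('msgstr ""')
        else:
            out.append("msgid_plural %s" % _po_quote(e["msgid_plural"]))
            out.append('msgstr[0] ""')
            out.append('msgstr[1] ""')
        out.append("")
    return "\n".join(out)


# Constructed sample module in the style of an ipalib plugin.
SAMPLE = '''"""Manage users."""
from ipalib.text import _, ngettext

class user_add(object):
    """Add a new user."""
    def summary(self, n):
        msg = ngettext('%d user added', '%d users added', n) % n
        return _('Done: ') + msg
'''
```

Running `to_pot(extract_messages(SAMPLE))` yields one entry per docstring, one for the `_()` call and one `msgid`/`msgid_plural` pair for the `ngettext()` call; feeding the same source twice produces no duplicate entries.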
[Freeipa-devel] [PATCH] Add ldap2 method to retrieve allowed attributes for specified objectClasses.
ldap2.get_allowed_attributes(['posixuser']) returns a list of unicode all lower case attribute names allowed for the object class 'posixuser' You can enter as many object classes as you want. Pavel From 044476963a96136f951ccf8232debc1b1c48513f Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Tue, 25 Jan 2011 15:24:03 -0500 Subject: [PATCH 1/2] Add ldap2 method to retrieve allowed attributes for specified objectClasses. ldap2.get_allowed_attribute(['posixuser']) returns a list of unicode all lower case attribute names allowed for the object class 'posixuser' --- ipaserver/plugins/ldap2.py | 20 +--- 1 files changed, 17 insertions(+), 3 deletions(-) diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index 86ea3f8..7490dfb 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -266,6 +266,16 @@ class ldap2(CrudBackend, Encoder): else: return None +def get_allowed_attributes(self, objectclasses): +if not self.schema: +return [] +allowed_attributes = [] +for oc in objectclasses: +obj = self.schema.get_obj(_ldap.schema.ObjectClass, oc) +if obj is not None: +allowed_attributes += obj.must + obj.may +return [unicode(a).lower() for a in list(set(allowed_attributes))] + def get_single_value(self, attr): Check the schema to see if the attribute is single-valued. 
@@ -597,15 +607,19 @@ class ldap2(CrudBackend, Encoder): Keyword arguments: attrs_list - list of attributes to return, all if None (default None) -return self.find_entries(None, attrs_list, dn, self.SCOPE_BASE, time_limit=time_limit, size_limit=size_limit, normalize=normalize)[0][0] +return self.find_entries( +None, attrs_list, dn, self.SCOPE_BASE, time_limit=time_limit, +size_limit=size_limit, normalize=normalize +)[0][0] config_defaults = {'ipasearchtimelimit': [2], 'ipasearchrecordslimit': [0]} -def get_ipa_config(self): +def get_ipa_config(self, attrs_list=None): Returns the IPA configuration entry (dn, entry_attrs). cdn = %s,%s % (api.Object.config.get_dn(), api.env.basedn) try: (cdn, config_entry) = self.find_entries( -base_dn=cdn, scope=self.SCOPE_BASE, time_limit=2, size_limit=10 +None, attrs_list, base_dn=cdn, scope=self.SCOPE_BASE, +time_limit=2, size_limit=10 )[0][0] except errors.NotFound: config_entry = {} -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
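Review bot: `get_allowed_attributes()` collects `obj.must + obj.may` of each class named but does not follow the class's superior (`SUP`) chain, so attributes inherited from a parent class (e.g. `cn`/`sn` reaching `inetOrgPerson` via `person`) are only reported if the caller lists every ancestor class explicitly; walking `obj.sup` recursively would remove that dependency. Separately, `if not self.schema: return []` silently reports that nothing is allowed, which makes every caller reject every attribute with a misleading error; raising, or logging that the schema is unavailable, is safer.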
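Review bot: `get_ipa_config()` gains an `attrs_list=None` parameter but its docstring (`Returns the IPA configuration entry (dn, entry_attrs).`) is not updated to say what the list restricts; please document it the way the `get_entry` docstring above does (`attrs_list - list of attributes to return, all if None`).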
[Freeipa-devel] [PATCH] Raise ValidationError when adding unallowed attribute to search fields.
Depends on my previous patch number 64 (posted on the list 2 minutes ago). Ticket #845 Pavel From 275f22f718af14f3f3c5e29c1f03471ab152b386 Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Tue, 25 Jan 2011 15:25:52 -0500 Subject: [PATCH 2/2] Raise ValidationError when adding unallowed attribute to search fields. Ticket #845 --- ipalib/plugins/config.py | 16 1 files changed, 16 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py index ccd06ca..f779732 100644 --- a/ipalib/plugins/config.py +++ b/ipalib/plugins/config.py @@ -198,6 +198,22 @@ class config_mod(LDAPUpdate): api.Command['group_show'](group) except errors.NotFound: raise errors.NotFound(message=unicode(The group doesn't exist)) +kw = {} +if 'ipausersearchfields' in entry_attrs: +kw['ipausersearchfields'] = 'ipauserobjectclasses' +if 'ipagroupsearchfields' in entry_attrs: +kw['ipagroupsearchfields'] = 'ipagroupobjectclasses' +if kw: +config = ldap.get_ipa_config(kw.values()) +for (k, v) in kw.iteritems(): +allowed_attrs = ldap.get_allowed_attributes(config[1][v]) +fields = entry_attrs[k].split(',') +for a in fields: +a = a.strip() +if a not in allowed_attrs: +raise errors.ValidationError( +name=k, error='attribute %s not allowed' % a +) return dn api.register(config_mod) -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
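Review bot: `if a not in allowed_attrs` compares the user's field name as typed against the lower-cased list returned by `get_allowed_attributes()`, so `--usersearch=CN` is rejected even though LDAP attribute names are case-insensitive; lower-case `a` before the membership test. The error string `'attribute %s not allowed' % a` is also not wrapped in `_()`, while the neighbouring ValidationErrors in this plugin are.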
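The two patches above (the `get_allowed_attributes()` backend method and the `config_mod` validation that uses it) are shown below as one added, self-contained example written for this page; it is not FreeIPA's code and does not use python-ldap. The schema parser is a small regex stand-in for `ldap.schema` that handles `NAME`, `SUP`, `MUST` and `MAY` only; the object class definitions in `SCHEMA` are constructed (simplified copies of the standard classes) and `ValidationError` is a local stand-in for `ipalib.errors.ValidationError`. It goes beyond the patch in two ways: it follows `SUP` inheritance and it compares attribute names case-insensitively.

```python
"""Validate configured search fields against the attributes the object
classes actually allow, following SUP inheritance in the schema."""
import re

# Constructed, simplified RFC 4512 style object class definitions.
SCHEMA = [
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) "
    "MAY ( userPassword $ telephoneNumber ) )",
    "( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL MAY ( title $ ou ) )",
    "( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson "
    "STRUCTURAL MAY ( uid $ mail $ givenName $ displayName ) )",
    "( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY "
    "MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( loginShell $ gecos ) )",
]

_NAME = re.compile(r"NAME\s+'([^']+)'")
# Each keyword is followed by either a parenthesised "$"-separated list or one name.
_SUP = re.compile(r"SUP\s+(?:\(\s*([^)]*?)\s*\)|(\S+))")
_MUST = re.compile(r"MUST\s+(?:\(\s*([^)]*?)\s*\)|(\S+))")
_MAY = re.compile(r"MAY\s+(?:\(\s*([^)]*?)\s*\)|(\S+))")


def _names(match):
    """Lower-cased names from a SUP/MUST/MAY match, or [] when absent."""
    if match is None:
        return []
    group = match.group(1) if match.group(1) is not None else match.group(2)
    return [n.strip().lower() for n in group.split("$") if n.strip()]


def parse_schema(defs):
    """Map lower-cased class name -> {'sup': [...], 'must': [...], 'may': [...]}."""
    classes = {}
    for d in defs:
        name = _NAME.search(d).group(1).lower()
        classes[name] = {"sup": _names(_SUP.search(d)),
                         "must": _names(_MUST.search(d)),
                         "may": _names(_MAY.search(d))}
    return classes


def get_allowed_attributes(classes, objectclasses):
    """Sorted lower-cased attributes allowed by the classes, ancestors included."""
    allowed, seen = set(), set()
    todo = [oc.lower() for oc in objectclasses]
    while todo:
        oc = todo.pop()
        if oc in seen or oc not in classes:   # unknown class: contributes nothing
            continue
        seen.add(oc)
        allowed.update(classes[oc]["must"], classes[oc]["may"])
        todo.extend(classes[oc]["sup"])       # follow the SUP chain
    return sorted(allowed)


class ValidationError(ValueError):
    """Stand-in for ipalib.errors.ValidationError (name + error)."""

    def __init__(self, name, error):
        ValueError.__init__(self, "invalid '%s': %s" % (name, error))
        self.name, self.error = name, error


def validate_search_fields(classes, objectclasses, fields):
    """Check a comma-separated search-field list; return the normalised fields."""
    allowed = set(get_allowed_attributes(classes, objectclasses))
    if not allowed:
        # Fail loudly instead of rejecting every field with a misleading message.
        raise ValidationError("objectclasses",
                              "no schema information for %s" % list(objectclasses))
    normalised = []
    for field in fields.split(","):
        field = field.strip()
        if not field:
            continue
        if field.lower() not in allowed:      # case-insensitive, as LDAP is
            raise ValidationError("searchfields", "attribute %s not allowed" % field)
        normalised.append(field.lower())
    return normalised
```

With the constructed schema, `validate_search_fields(classes, ["inetOrgPerson", "posixAccount"], "uid, givenName, Mail")` accepts all three fields even though `uid` and `mail` come from different classes and `givenName` is typed in mixed case, while an attribute no listed class (or ancestor) allows raises `ValidationError` naming the offending field.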
Re: [Freeipa-devel] [PATCH] test speedup patch
On 01/19/2011 04:17 AM, Rob Crittenden wrote: Rob Crittenden wrote: Rob Crittenden wrote: Attached is a rough cut of a patch to try to speed up the cli a little bit. Basically in production mode it will skip some things during initialization. My concept is that we develop in mode != production and release in mode == production. I managed to knock a second or so off time to do a user-show on average. There may be some other things we can do to speed things up, I'm still looking. Some feedback on the approach would be appreciated. Note that I've completely ruled out SSL/Negotiate. I did my testing on lite-server which doesn't use SSL or Negotiate and it was STILL taking on average 3-4+ seconds per command. The server side was consistently taking 1 second to complete. rob oh, and the patch. I ran a couple of moderate tests this evening that executed 42 separate operations like add, delete, and managing group membership. I ran this 10 times each on 2 identical VMs, one with a bit older code and one with this patch then averaged the times. With the patch the average was 1.3 seconds per operation, without 2.6. A 50% improvement is more than I expected, I saw a 33% improvement on individual runs. I'll keep at it but this seems promising. I was also a bit surprised that the average time without the patch was so low, I was expecting something over 3 seconds. Specifically what this patch does is it avoids doing some self-validation. There is some amount of risk that the framework could blow up but in a deployed situation I think the risk is rather low. A side-effect of the API tester makeapi is that it loads the framework. We can force it to be run in production mode so the product shouldn't be buildable if it has inconsistencies. rob

I find it hard to believe this patch causes such a big improvement in performance. Especially the parts skipping asserts, that shouldn't be significantly slower than your average ifs.
Instance locking shouldn't be a time consuming operation either. Bypassing check routines for parameter namespaces might provide a performance boost as it is called for every single plugin we have (~250). On the other hand, it is only used for positional arguments and most plugins only have 1 or 2 of those. Personally, I would do some more tests on a single machine, because there's no guarantee that two VMs with an identical image have the same performance. If it really provides a significant improvement, then it's awesome, because I like the philosophy of this patch. It removes self-checking and instance locking, that is completely useless in a production environment and kind of limiting in non-production. I think there are more places like this in the framework. Long story short: It's improbable, but not impossible, for the changes introduced by this patch to cause such a big performance improvement. Even if it doesn't, the patch is still good. Pavel
Re: [Freeipa-devel] [PATCH] Enable custom list of attributes to retrieve effective rights.
On 01/07/2011 08:59 PM, Rob Crittenden wrote: Pavel Zůna wrote: LDAPObject sub-classes can define a custom list of attributes for effective rights retrieval. Fix #677 Pavel Nack. --rights should only return data when --all is also included. Otherwise it looks ok. rob Fixed version attached. Pavel From abfe7eb176534b1d7cf0deae81f1bd2c2ebb7aef Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Thu, 30 Dec 2010 08:48:12 -0500 Subject: [PATCH] Enable custom list of attributes to retrieve effective rights. Fix #677 --- ipalib/plugins/baseldap.py | 34 ++ ipalib/plugins/config.py |4 2 files changed, 22 insertions(+), 16 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index e7ccb77..27d5950 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -166,20 +166,6 @@ def get_attributes(attrs): return attrlist -def get_effective_rights(ldap, dn, attrs=None): -if attrs is None: -attrs = ['*', 'nsaccountlock', 'cospriority'] -rights = ldap.get_effective_rights(dn, attrs) -rdict = {} -if 'attributelevelrights' in rights[1]: -rights = rights[1]['attributelevelrights'] -rights = rights[0].split(', ') -for r in rights: -(k,v) = r.split(':') -rdict[k.strip().lower()] = v - -return rdict - def wait_for_memberof(keys, entry_start, completed, show_command, adding=True): When adding or removing reverse members we are faking an update to @@ -244,6 +230,7 @@ class LDAPObject(Object): search_attributes_config = None default_attributes = [] hidden_attributes = ['objectclass', 'aci'] +rights_attributes = ['*', 'nsaccountlock', 'cospriority'] # set rdn_attribute only if RDN attribute differs from primary key! rdn_attribute = '' uuid_attribute = '' 
@@ -301,6 +288,19 @@ class LDAPObject(Object): pass return dn[len(self.primary_key.name) + 1:dn.find(',')] +def get_effective_rights(self, dn, attrs=None): +rdict = {} +if attrs is None: +attrs = self.rights_attributes +rights = self.backend.get_effective_rights(dn, attrs) +if 'attributelevelrights' in rights[1]: +rights = rights[1]['attributelevelrights'] +rights = rights[0].split(', ') +for r in rights: +(k, v) = r.split(':') +rdict[k.strip().lower()] = v +return rdict + def get_ancestor_primary_keys(self): if self.parent_object: parent_obj = self.api.Object[self.parent_object] @@ -688,7 +688,8 @@ class LDAPRetrieve(LDAPQuery): self.obj.handle_not_found(*keys) if options.get('rights', False) and options.get('all', False): -entry_attrs['attributelevelrights'] = get_effective_rights(ldap, dn) +rights = self.obj.get_effective_rights(dn) +entry_attrs['attributelevelrights'] = rights for callback in self.POST_CALLBACKS: if hasattr(callback, 'im_self'): @@ -844,7 +845,8 @@ class LDAPUpdate(LDAPQuery, crud.Update): ) if options.get('rights', False) and options.get('all', False): -entry_attrs['attributelevelrights'] = get_effective_rights(ldap, dn) +rights = self.obj.get_effective_rights(dn) +entry_attrs['attributelevelrights'] = rights for callback in self.POST_CALLBACKS: if hasattr(callback, 'im_self'): diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py index 438f663..ccd06ca 100644 --- a/ipalib/plugins/config.py +++ b/ipalib/plugins/config.py @@ -87,6 +87,9 @@ class config(LDAPObject): 'ipasearchrecordslimit', 'ipausersearchfields', 'ipagroupsearchfields', 'ipamigrationenabled', 'ipacertificatesubjectbase', ] +rights_attributes = LDAPObject.rights_attributes + [ +'ipahomesrootdir', 'ipagroupsearchfields', +] label = _('Configuration') @@ -206,3 +209,4 @@ class config_show(LDAPRetrieve): api.register(config_show) + -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
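Review bot: in the new `LDAPObject.get_effective_rights()` the line `(k, v) = r.split(':')` raises `ValueError` on any item that does not contain exactly one colon, which turns a malformed or unexpected rights value into an uncaught exception on a plain `*-show --all --rights`; `k, _, v = r.partition(':')` (or `split(':', 1)`) keeps the parser tolerant. Also, the method reads `rights[1]` before checking anything about the tuple, so a backend returning no entry would fail with an index error rather than an empty dict.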
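Review bot: the config.py hunk extends `rights_attributes` with `ipahomesrootdir` and `ipagroupsearchfields` only; since the `default_attributes` context right above also lists `ipausersearchfields`, `ipasearchtimelimit` and `ipasearchrecordslimit`, a short comment on why these two in particular need explicit listing beyond `'*'` would help the next reader (and `ipausersearchfields` looks like it should get the same treatment as `ipagroupsearchfields`).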
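Review bot: the last hunk adds a blank line after `api.register(config_show)`, i.e. a stray trailing newline at end of file; please drop it, it is unrelated whitespace noise.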
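The `attributelevelrights` value the patch parses is the server's answer to the GetEffectiveRights request; what a UI or CLI wants from it is a yes/no on "may this caller change attribute X". The following added example, written for this page and not FreeIPA's code, parses both the entry-level and attribute-level values into a structure and answers that question; `SAMPLE_RIGHTS` is a constructed reply in the `attr:letters, attr:letters` shape the patch splits on, and, unlike the patch, a malformed item without a colon is tolerated rather than raising.

```python
"""Parse GetEffectiveRights results into something a client can query."""

# Constructed sample of the two values a caller of get_effective_rights() sees.
SAMPLE_RIGHTS = {
    "entrylevelrights": ["vadn"],
    "attributelevelrights": [
        "cn:rscwo, sn:rscwo, uid:rsc, userPassword:wo, nsaccountlock:rsc, broken"
    ],
}

# Letter meanings used by 389 DS for entry and attribute level rights.
ENTRY_RIGHTS = {"v": "view", "a": "add", "d": "delete", "n": "rename"}
ATTR_RIGHTS = {"r": "read", "s": "search", "c": "compare", "w": "write",
               "o": "obliterate"}


def parse_effective_rights(entry_attrs, attrs=None):
    """Return {'entry': letters, 'attributes': {lower_name: letters}}.

    `attrs`, if given, restricts the result to those attribute names (the
    per-object rights_attributes idea from the patch).
    """
    wanted = None if attrs is None else {a.lower() for a in attrs}
    result = {"entry": "", "attributes": {}}
    if "entrylevelrights" in entry_attrs:
        result["entry"] = entry_attrs["entrylevelrights"][0].strip()
    for raw in entry_attrs.get("attributelevelrights", []):
        for item in raw.split(","):
            item = item.strip()
            if not item:
                continue
            # partition() never raises, so a malformed item becomes name -> ''
            name, _sep, letters = item.partition(":")
            name = name.strip().lower()
            if wanted is not None and name not in wanted:
                continue
            result["attributes"][name] = letters.strip()
    return result


def can_write(parsed, attr):
    """True if the attribute-level rights include write."""
    return "w" in parsed["attributes"].get(attr.lower(), "")


def can_delete_entry(parsed):
    return "d" in parsed["entry"]


def describe(parsed, attr):
    """Human-readable list of rights on an attribute, unknown letters ignored."""
    letters = parsed["attributes"].get(attr.lower(), "")
    return [ATTR_RIGHTS[c] for c in letters if c in ATTR_RIGHTS]
```

A web UI can use `can_write()` to decide whether to render a field as editable instead of letting the user discover a permission error on submit, and `attrs=` reproduces the patch's per-object attribute list without a second round-trip.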
[Freeipa-devel] [PATCH] Fix import API_VERSION import error.
Fixes import errors in the framework cause by recent API version changes. Fix #796 Pavel From 3532c0f551edc79e63843ee112dee097dfb6aadf Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Tue, 18 Jan 2011 12:35:59 -0500 Subject: [PATCH] Fix import API_VERSION import error. Fix #796 --- ipalib/cli.py |2 +- ipalib/frontend.py |2 +- ipalib/plugins/batch.py |2 +- ipalib/plugins/ping.py |2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/ipalib/cli.py b/ipalib/cli.py index c634d49..54ab1c4 100644 --- a/ipalib/cli.py +++ b/ipalib/cli.py @@ -49,7 +49,7 @@ from errors import PublicError, CommandError, HelpError, InternalError, NoSuchNa from constants import CLI_TAB from parameters import Password, Bytes, File from text import _ -from ipapython.version import API_VERSION +from ipapython.version import VERSION as API_VERSION def to_cli(name): diff --git a/ipalib/frontend.py b/ipalib/frontend.py index eeed398..e514932 100644 --- a/ipalib/frontend.py +++ b/ipalib/frontend.py @@ -33,7 +33,7 @@ from text import _, ngettext from errors import ZeroArgumentError, MaxArgumentError, OverlapError, RequiresRoot, VersionError, RequirementError from errors import InvocationError from constants import TYPE_ERROR -from ipapython.version import API_VERSION +from ipapython.version import VERSION as API_VERSION from distutils import version diff --git a/ipalib/plugins/batch.py b/ipalib/plugins/batch.py index f6f662f..deaee5b 100644 --- a/ipalib/plugins/batch.py +++ b/ipalib/plugins/batch.py @@ -51,7 +51,7 @@ from ipalib import Str, List from ipalib.output import Output from ipalib import output from ipalib.text import _ -from ipapython.version import API_VERSION +from ipapython.version import VERSION as API_VERSION class batch(Command): INTERNAL = True diff --git a/ipalib/plugins/ping.py b/ipalib/plugins/ping.py index c2f9b6b..db021b9 100644 --- a/ipalib/plugins/ping.py +++ b/ipalib/plugins/ping.py 
@@ -23,7 +23,7 @@ Ping the remote IPA server from ipalib import api from ipalib import Command from ipalib import output -from ipapython.version import VERSION, API_VERSION +from ipapython.version import VERSION as API_VERSION class ping(Command): -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
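Review bot: every hunk replaces `API_VERSION` with `VERSION as API_VERSION`, which silently makes the API version equal to the product version; those are two different values (the ping.py hunk imported both separately), so version negotiation in frontend.py (`from distutils import version` in the context) would compare against the wrong number. The self-NACK later in the thread confirms `API_VERSION` is generated, so the right fix is in the generation step, not the imports.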
Re: [Freeipa-devel] [PATCH] Fix import API_VERSION import error.
On 01/18/2011 01:40 PM, Pavel Zuna wrote: Fixes import errors in the framework caused by recent API version changes. Fix #796 Pavel self-NACK. Ignore this patch, didn't realize the API_VERSION constant is auto-generated. Pavel
[Freeipa-devel] [PATCH] Remove SOA maximum parameter from DNS zone.
There's no such thing as maximum in SOA record RDATA format according to RFC 1035 and there's also no such attribute in the schema. Fix #788 https://bugzilla.redhat.com/show_bug.cgi?id=670343 Pavel From ee65cb0fc69384f2777537d222a762a4f7be5bfe Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Tue, 18 Jan 2011 13:29:58 -0500 Subject: [PATCH 2/2] Remove SOA maximum parameters from DNS zone. There's no such thing as maximum in SOA record RDATA format according to RFC 1035 and there's also no such attribute in the schema. Fix #788 --- ipalib/plugins/dns.py |5 - 1 files changed, 0 insertions(+), 5 deletions(-) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index cf58098..a2d0b8b 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py @@ -198,11 +198,6 @@ class dnszone(LDAPObject): default=3600, autofill=True, ), -Int('idnssoamaximum?', -cli_name='maximum', -label=_('SOA maximum'), -doc=_('SOA record maximum value'), -), Int('dnsttl?', cli_name='ttl', label=_('SOA time to live'), -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
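Review bot: removing the `idnssoamaximum?` parameter (CLI option `--maximum`) is a user-visible API change to `dnszone`; since the API tester `makeapi` mentioned elsewhere in this list loads the framework, please make sure the recorded API definition is regenerated in the same commit so the build does not flag the removed option, and mention the dropped CLI option in the commit message.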
[Freeipa-devel] [PATCH] Fix crash when building DN of host with name ending with period.
Fix #797 Pavel From 509a77949474b429bb4d4ee6fa871bdade446625 Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Tue, 18 Jan 2011 13:28:37 -0500 Subject: [PATCH 1/2] Fix crash when building DN of host with name ending with period. Fix #797 --- ipalib/plugins/host.py |9 + 1 files changed, 5 insertions(+), 4 deletions(-) diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index 8639ce5..d09f0eb 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -240,15 +240,16 @@ class host(LDAPObject): ) def get_dn(self, *keys, **options): -if keys[-1].endswith('.'): -keys[-1] = keys[-1][:-1] -dn = super(host, self).get_dn(*keys, **options) +hostname = keys[-1] +if hostname.endswith('.'): +hostname = hostname[:-1] +dn = super(host, self).get_dn(hostname, **options) try: self.backend.get_entry(dn, ['']) except errors.NotFound: try: (dn, entry_attrs) = self.backend.find_entry_by_attr( -'serverhostname', keys[-1], self.object_class, [''], +'serverhostname', hostname, self.object_class, [''], self.container_dn ) except errors.NotFound: -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
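Review bot: `super(host, self).get_dn(hostname, **options)` passes only the last key, whereas the replaced line passed `*keys`; that is fine while `host` has no parent object, but it silently drops any ancestor primary keys if one is ever added. Passing `*(keys[:-1] + (hostname,))` keeps the original contract, and it also explains the crash being fixed: `keys` is a tuple, so the old `keys[-1] = keys[-1][:-1]` raised `TypeError`.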
[Freeipa-devel] [PATCH] Fix updating of DNS records by the host plugin.
Fix #799 Pavel From e97aa6d78e0ec32b160bf17deb894b1ba091541c Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Tue, 18 Jan 2011 15:33:40 -0500 Subject: [PATCH 1/2] Fix updating of DNS records by the host plugin. Fix #799 --- ipalib/plugins/host.py | 10 +- 1 files changed, 5 insertions(+), 5 deletions(-) diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index d09f0eb..0a40705 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -345,9 +345,9 @@ class host_add(LDAPCreate): parts = keys[-1].split('.') domain = unicode('.'.join(parts[1:])) if ':' in options['ip_address']: -addkw = { u'record' : options['ip_address'] } +addkw = { 'record' : options['ip_address'] } else: -addkw = { u'arecord' : options['ip_address'] } +addkw = { 'arecord' : options['ip_address'] } try: api.Command['dnsrecord_add'](domain, parts[0], **addkw) except errors.EmptyModlist: @@ -355,7 +355,7 @@ class host_add(LDAPCreate): pass revzone, revname = get_reverse_zone(options['ip_address']) try: -addkw = { u'ptrrecord' : keys[-1]+'.' } +addkw = { 'ptrrecord' : keys[-1]+'.' } api.Command['dnsrecord_add'](revzone, revname, **addkw) except errors.EmptyModlist: # the entry already exists and matches @@ -443,12 +443,12 @@ class host_del(LDAPDelete): self.debug('deleting ipaddr %s' % ipaddr) revzone, revname = get_reverse_zone(ipaddr) try: -delkw = { u'ptrrecord' : fqdn+'.' } +delkw = { 'ptrrecord' : fqdn+'.' } api.Command['dnsrecord_del'](revzone, revname, **delkw) except errors.NotFound: pass try: -delkw = { u'arecord' : ipaddr } +delkw = { 'arecord' : ipaddr } api.Command['dnsrecord_del'](domain, parts[0], **delkw) except errors.NotFound: pass -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
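Review bot: in the first hunk the IPv6 branch (`if ':' in options['ip_address']`) builds `{ 'record' : ... }` while the IPv4 branch uses `'arecord'` and the reverse branch `'ptrrecord'`; `'record'` does not name a record type the way the other two keys do, so please confirm it is the parameter name `dnsrecord_add` actually accepts for an IPv6 address.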
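Review bot: the host_del hunk, like the others, only changes `u'...'` dictionary keys to `'...'`; the commit message ("Fix updating of DNS records") does not say why. The keys are expanded with `**delkw` into keyword arguments, and older Python 2 interpreters reject unicode keyword names there; stating that in the message (and that `dnsrecord_del` was never reached) will save the next reader from reverting it as a cosmetic change.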
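The hunks above rely on a `get_reverse_zone()` helper that turns an address into a `(revzone, revname)` pair and on the PTR data being the FQDN with a trailing dot. The following is an added example for this page of that derivation, not the host plugin's helper: it uses the standard `ipaddress` module and assumes /24 reverse zones for IPv4 and /64 for IPv6 unless told otherwise, which are labelled assumptions; the IPv6 case is included because the patch branches on `':' in ip_address`.

```python
"""Derive the reverse zone and PTR owner name for an address."""
import ipaddress


def get_reverse_zone(ip_address, v4_prefix=24, v6_prefix=64):
    """Return (zone, name) such that name + '.' + zone is the full PTR owner.

    v4_prefix / v6_prefix are assumptions about where the reverse zone is cut;
    IPv4 zones must cut on octet boundaries, IPv6 zones on nibble boundaries.
    """
    addr = ipaddress.ip_address(ip_address)
    # reverse_pointer gives e.g. '10.2.0.192.in-addr.arpa'; split into labels.
    labels = addr.reverse_pointer.split(".")
    if addr.version == 4:
        if v4_prefix % 8:
            raise ValueError("IPv4 reverse zones must be on octet boundaries")
        host_labels = (32 - v4_prefix) // 8
    else:
        if v6_prefix % 4:
            raise ValueError("IPv6 reverse zones must be on nibble boundaries")
        host_labels = (128 - v6_prefix) // 4
    name = ".".join(labels[:host_labels])
    zone = ".".join(labels[host_labels:])
    return zone, name


def ptr_target(fqdn):
    """PTR data must be fully qualified: the patch appends '.' to keys[-1]."""
    return fqdn.rstrip(".") + "."


def reverse_record(fqdn, ip_address):
    """The (zone, name, data) triple the host plugin adds and deletes."""
    zone, name = get_reverse_zone(ip_address)
    return zone, name, ptr_target(fqdn)
```

Keeping the forward and reverse names derived from one function, as here, is what lets `host_del` remove exactly the PTR that `host_add` created; the addresses in the tests are documentation ranges.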
[Freeipa-devel] [PATCH] Fix password/random logic in host plugin.
Fix #798 Pavel From a013e19957b33ca84102efdc0be7448eb3a83423 Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Tue, 18 Jan 2011 15:43:07 -0500 Subject: [PATCH 2/2] Fix password/random logic in host plugin. Fix #798 --- ipalib/plugins/host.py | 15 +-- 1 files changed, 9 insertions(+), 6 deletions(-) diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index 0a40705..6947d90 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -319,16 +319,19 @@ class host_add(LDAPCreate): del entry_attrs['locality'] entry_attrs['cn'] = keys[-1] entry_attrs['serverhostname'] = keys[-1].split('.', 1)[0] -if 'userpassword' not in entry_attrs and \ -options.get('random', False) == False: +if 'userpassword' not in entry_attrs and not options.get('random', False): entry_attrs['krbprincipalname'] = 'host/%s@%s' % ( keys[-1], self.api.env.realm ) -if 'krbprincipalaux' not in entry_attrs['objectclass']: -entry_attrs['objectclass'].append('krbprincipalaux') +if 'krbprincipal' not in entry_attrs: entry_attrs['objectclass'].append('krbprincipal') -elif 'krbprincipalaux' in entry_attrs['objectclass']: -entry_attrs['objectclass'].remove('krbprincipalaux') +if 'krbprincipal' not in entry_attrs: +entry_attrs['objectclass'].append('krbprincipalaux') +else: +if 'krbprincipal' in entry_attrs['objectclass']: +entry_attrs['objectclass'].remove('krbprincipal') +if 'krbprincipalaux' in entry_attrs['objectclass']: +entry_attrs['objectclass'].remove('krbprincipalaux') if 'random' in options: if options.get('random'): entry_attrs['userpassword'] = ipa_generate_password() -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
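Review bot: the two added checks `if 'krbprincipal' not in entry_attrs:` test the dictionary's keys, not `entry_attrs['objectclass']`, so they are true whenever there is no attribute literally named `krbprincipal` and both `krbprincipal` and `krbprincipalaux` get appended unconditionally (duplicating values on a second pass); the second check also tests `'krbprincipal'` although it appends `'krbprincipalaux'`. Both should read `if 'krbprincipalaux' not in entry_attrs['objectclass']` / `if 'krbprincipal' not in entry_attrs['objectclass']`, which is what the later "Fix minor bug in host-add logic" patch in this list does.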
[Freeipa-devel] [PATCH] Make it impossible to add an object as a member of itself in webUI.
Ticket #700 Pavel From 793314369f6587fa1819a17bb0b196e09939c3f3 Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Wed, 5 Jan 2011 09:31:02 -0500 Subject: [PATCH] Make it impossible to add an object as a member of itself in webUI. Ticket #700 --- install/static/associate.js |5 - 1 files changed, 4 insertions(+), 1 deletions(-) diff --git a/install/static/associate.js b/install/static/associate.js index 6517cca..60e7c09 100644 --- a/install/static/associate.js +++ b/install/static/associate.js @@ -164,9 +164,12 @@ function ipa_association_adder_dialog(spec) { var results = data.result; that.clear_available_values(); +var pkey_attr = IPA.metadata[that.entity_name].primary_key; + for (var i=0; iresults.count; i++){ var result = results.result[i]; -that.add_available_value(result); +if (result[pkey_attr] != spec.pkey) +that.add_available_value(result); } } -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
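Review bot: `if (result[pkey_attr] != spec.pkey)` uses loose inequality and compares the raw result value against `spec.pkey`; primary keys arrive from the JSON-RPC response as arrays for multi-valued attributes, so an array-to-string coercion is being relied on here. Comparing the normalised string (`String(result[pkey_attr]) !== String(spec.pkey)`) avoids surprises. Also note this only hides the entry in the adder dialog; the server-side membership commands still need to refuse adding an object to itself, since a direct API call bypasses this filter.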
[Freeipa-devel] [PATCH] Retype (when cloning) Flag parameters to Bool for search commands.
Flag parameters are always autofill by definition, causing unexpected search results. This patch retypes them to Bool for search commands, so that users have to/can enter the desired value manually. A good example of the Flag parameters causing problems in search commands is `dnszone-find` (ticket #689). Ticket #689 Ticket #701 Pavel From 2206dd739dabf3e08555126b545a6cc62d6cd93c Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Wed, 5 Jan 2011 10:07:23 -0500 Subject: [PATCH] Retype (when cloning) Flag parameters to Bool for search commands. Flag parameters are always autofill by definition, causing unexpected search results. This patch retypes them to Bool for search commands, so that users have to/can enter the desired value manually. Ticket #689 Ticket #701 --- ipalib/crud.py | 12 +--- ipalib/parameters.py |8 +++- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/ipalib/crud.py b/ipalib/crud.py index 86e1756..6df3c73 100644 --- a/ipalib/crud.py +++ b/ipalib/crud.py @@ -210,9 +210,15 @@ class Search(Method): for option in self.obj.params_minus(self.args): if 'no_search' in option.flags: continue -yield option.clone( -attribute=True, query=True, required=False, autofill=False -) +if isinstance(option, parameters.Flag): +yield option.clone_retype( +option.name, parameters.Bool, +attribute=True, query=True, required=False, autofill=False +) +else: +yield option.clone( +attribute=True, query=True, required=False, autofill=False +) if not self.extra_options_first: for option in super(Search, self).get_options(): yield option diff --git a/ipalib/parameters.py b/ipalib/parameters.py index 5c386c3..128c8a4 100644 --- a/ipalib/parameters.py +++ b/ipalib/parameters.py 
@@ -585,9 +585,15 @@ class Param(ReadOnly): Return a new `Param` instance similar to this one, but named differently +return self.clone_retype(name, self.__class__, **overrides) + +def clone_retype(self, name, klass, **overrides): + +Return a new `Param` instance similar to this one, but of a different type + kw = dict(self.__clonekw) kw.update(overrides) -return self.__class__(name, *self.rules, **kw) +return klass(name, *self.rules, **kw) def normalize(self, value): -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
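Review bot: in the `Search.get_options` hunk of crud.py, `parameters.Flag` and `parameters.Bool` are referenced but the diff adds no import of `parameters`; confirm crud.py already imports it, otherwise option generation for every search command fails at the `isinstance` check. The `clone` and `clone_retype` branches also repeat the same four overrides (`attribute=True, query=True, required=False, autofill=False`); build one keyword dict and pass it to both so the two branches cannot drift apart.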
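Review bot: `clone_retype` in the parameters.py hunk hands the stored `__clonekw` and `*self.rules` straight to `klass`, which is only valid when `klass` accepts the same keyword arguments and rule signatures as the source class; that holds for Flag to Bool (Flag is built on Bool) but not for arbitrary pairs. The new docstring should state that restriction, and `clone_rename` should keep a docstring of its own rather than silently becoming a thin wrapper, since its one-line description ("named differently") now sits above a call that can also change the type.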
[Freeipa-devel] [PATCH] Improve filtering of enrollments search results.
This is required for effective filtering of enrollments search results in the webUI and also gives an edge to the CLI. After this patch, each LDAPObject can define its relationships to other LDAPObjects. For now, this is used only for filtering search results by enrollments, but there are probably more benefits to come. You can do this for example: # search for all users not enrolled in group admins ipa user-find --not-in-groups=admins # search for all groups not enrolled in group global with user Pavel ipa group-find --users=Pavel --not-in-groups=global # more examples: ipa group-find --users=Pavel,Jakub --no-users=Honza ipa hostgroup-find --hosts=webui.pzuna Pavel From 19975e5e2ceb3a3f9fd18be0f3fafe8f42aa626c Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Tue, 4 Jan 2011 15:15:54 -0500 Subject: [PATCH 1/2] Improve filtering of enrollments search results. This is required for effective filtering of enrollments search results in the webUI and also gives an edge to the CLI. After this patch, each LDAPObject can define its relationships to other LDAPObjects. For now, this is used only for filtering search results by enrollments, but there are probably more benefits to come. You can do this for example: # search for all users not enrolled in group admins ipa user-find --not-in-groups=admins # search for all groups not enrolled in group global with user Pavel ipa group-find --users=Pavel --not-in-groups=global # more examples: ipa group-find --users=Pavel,Jakub --no-users=Honza ipa hostgroup-find --hosts=webui.pzuna --- ipalib/plugins/baseldap.py | 57 --- ipalib/plugins/group.py |2 +- ipalib/plugins/host.py |7 - ipalib/plugins/hostgroup.py |2 +- ipalib/plugins/netgroup.py | 11 +++- ipalib/plugins/user.py |2 + 6 files changed, 68 insertions(+), 13 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 1cd181c..d38da89 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py 
@@ -234,6 +234,15 @@ class LDAPObject(Object): rdnattr = None # Can bind as this entry (has userPassword or krbPrincipalKey) bindable = False +relationships = { +# attribute: (label, inclusive param prefix, exclusive param prefix) +'member': ('Member', '', 'no_'), +'memberof': ('Parent', 'in_', 'not_in_'), +'memberindirect': ( +'Indirect Member', None, 'no_indirect_' +), +} +label = _('Entry') container_not_found_msg = _('container entry (%(container)s) not found') parent_not_found_msg = _('%(parent)s: %(oname)s not found') @@ -343,7 +352,7 @@ class LDAPObject(Object): 'parent_object', 'container_dn', 'object_name', 'object_name_plural', 'object_class', 'object_class_config', 'default_attributes', 'label', 'hidden_attributes', 'uuid_attribute', 'attribute_members', 'name', -'takes_params', 'rdn_attribute', 'bindable', +'takes_params', 'rdn_attribute', 'bindable', 'relationships', ) def __json__(self): @@ -1195,7 +1204,8 @@ class LDAPSearch(CallbackInterface, crud.Search): Retrieve all LDAP entries matching the given criteria. member_attributes = [] -member_param_doc = 'exclude %s with member %s (comma-separated list)' +member_param_incl_doc = 'only %s with %s %s' +member_param_excl_doc = 'only %s with no %s %s' takes_options = ( Int('timelimit?', 
@@ -1227,21 +1237,50 @@ class LDAPSearch(CallbackInterface, crud.Search): for attr in self.member_attributes: for ldap_obj_name in self.obj.attribute_members[attr]: ldap_obj = self.api.Object[ldap_obj_name] -name = to_cli(ldap_obj_name) -doc = self.member_param_doc % ( -self.obj.object_name_plural, ldap_obj.object_name_plural +relationship = self.obj.relationships.get( +attr, ['member', '', 'no_'] +) +doc = self.member_param_incl_doc % ( +self.obj.object_name_plural, relationship[0].lower(), +ldap_obj.object_name_plural +) +name = '%s%s' % (relationship[1], to_cli(ldap_obj_name)) +yield List( +'%s?' % name, cli_name='%ss' % name, doc=doc, +label=ldap_obj.object_name +) +doc = self.member_param_excl_doc % ( +self.obj.object_name_plural, relationship[0].lower(), +ldap_obj.object_name_plural +) +name = '%s%s' % (relationship[2], to_cli(ldap_obj_name)) +yield List( +'%s?' % name, cli_name='%ss' % name, doc=doc, +label=ldap_obj.object_name ) -yield List('no_%s?' % name
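Review bot: in the `LDAPSearch.get_options` hunk, `name = '%s%s' % (relationship[1], to_cli(ldap_obj_name))` is evaluated unconditionally, but the `relationships` table in the `LDAPObject` hunk sets the inclusive prefix of `memberindirect` to `None`; for that attribute the code yields an option literally named `Noneuser?` (cli name `Noneusers`). Skip the inclusive `List` when `relationship[1]` is `None`, and do the same for `relationship[2]` so a future entry can disable the exclusive form.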
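Review bot: the comment on `relationships` in the `LDAPObject` hunk names the tuple positions but not what a `None` prefix means; since the intent is "do not generate this option", say so in the comment so plugins overriding `relationships` know the contract. Adding `'relationships'` to the `__json__` attribute list is what exposes the table to the web UI (the companion enrollments patch reads `IPA.metadata[...].relationships`), which is fine, but it means the tuple layout is now part of the JSON metadata and should be documented as such.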
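The option-generation rule the patch introduces, written out as an added example (not FreeIPA code) so the naming can be checked without a server: the `relationships` table is copied in shape from the `LDAPObject` hunk, `to_cli` is a stand-in for ipalib's helper, and `member_search_options`, `cli_flags` and the sample object tables are constructed for this example. It also handles the `None` prefix case, which the hunk does not.

```python
# Added example: not FreeIPA code. Mirrors how the relationships table in the
# patch above turns member attributes into inclusive/exclusive search options,
# with the None-prefix case handled. member_search_options, cli_flags, to_cli
# (a stand-in for ipalib's helper) and the sample tables are constructed.

# attribute -> (label, inclusive param prefix, exclusive param prefix),
# same shape as the LDAPObject.relationships hunk
RELATIONSHIPS = {
    'member': ('Member', '', 'no_'),
    'memberof': ('Parent', 'in_', 'not_in_'),
    'memberindirect': ('Indirect Member', None, 'no_indirect_'),
}

INCL_DOC = 'only %s with %s %s'      # member_param_incl_doc in the patch
EXCL_DOC = 'only %s with no %s %s'   # member_param_excl_doc in the patch


def to_cli(name):
    """Stand-in for ipalib's to_cli(): underscores become dashes."""
    return name.replace('_', '-')


def member_search_options(attribute_members, object_name_plural,
                          object_name_plurals, relationships=RELATIONSHIPS):
    """Yield (param_name, cli_name, doc) for each generated search option.

    attribute_members maps a member attribute to the object types it may
    hold, e.g. {'member': ['user', 'group']}. A prefix of None means
    'no option for this direction'; without this check the get_options()
    hunk produces a parameter called 'None<object>'.
    """
    for attr, obj_names in attribute_members.items():
        label, incl, excl = relationships.get(attr, ('member', '', 'no_'))
        for obj in obj_names:
            plural = object_name_plurals[obj]
            for prefix, template in ((incl, INCL_DOC), (excl, EXCL_DOC)):
                if prefix is None:
                    continue
                name = '%s%s' % (prefix, to_cli(obj))
                doc = template % (object_name_plural, label.lower(), plural)
                # '?' marks the param optional; the plural 's' form is the
                # CLI name, exactly as the hunk builds them
                yield ('%s?' % name, '%ss' % name, doc)


def cli_flags(options):
    """Render the CLI spellings (--not-in-groups etc.) the way ipa shows them."""
    return ['--' + cli_name.replace('_', '-') for _, cli_name, _ in options]
```

With `group` as the searched object the generated flags are `--users`, `--no-users`, `--in-groups`, `--not-in-groups` and `--no-indirect-users`, which matches the `ipa group-find` invocations in the message above.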
[Freeipa-devel] [PATCH] Improvements to enrollments in the webUI.
The patch is a bit bigger and more complex, so I expect this to be the first shot at it. There are some places where we need to handle localization better and be more generic when it comes to non-standard relationships like 'enrolledby' etc., but that can be done later. (I put a few TODOs in the code.) Anyway, here's the changelog for this patch:
- Enrollment links in the action panel are now sorted by relationships.
- You can only enroll members. (The webUI made the impression you can enroll parents as well, but it was broken.)
- When enrolling new members, you can choose not to display already enrolled ones. (On by default.)
- Couple cosmetic changes.
IT DEPENDS ON MY PATCH NUMBER 54 (Improve filtering of enrollments search results.)
Pavel
From 830c2c5f2780b461f62509ae044c82da76607dc3 Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Tue, 4 Jan 2011 15:21:18 -0500 Subject: [PATCH 2/2] Improvements to enrollments in the webUI. TAKE 1 - Enrollment links in the action panel are now sorted by relationships. - You can only enroll members. (The webUI made the impression you can enroll parents as well, but it was broken.) - When enrolling new members, you can choose not to display already enrolled ones. (On by default.) - Couple cosmetic changes. --- install/static/associate.js | 72 +++ install/static/entity.js| 45 -- install/static/group.js |9 +- install/static/ipa.css | 10 +- install/static/widget.js| 21 5 files changed, 124 insertions(+), 33 deletions(-) diff --git a/install/static/associate.js b/install/static/associate.js index 66db171..6517cca 100644 --- a/install/static/associate.js +++ b/install/static/associate.js @@ -140,6 +140,7 @@ function ipa_association_adder_dialog(spec) { that.entity_name = spec.entity_name; that.pkey = spec.pkey; that.other_entity = spec.other_entity; +that.attribute_member = spec.attribute_member; that.init = function() { if (!that.columns.length) { 
@@ -152,6 +153,9 @@ function ipa_association_adder_dialog(spec) { }); } +/* FIXME: event not firing? */ +$('input[name=hidememb]', that.container).click(that.search); + that.adder_dialog_init(); }; @@ -166,7 +170,31 @@ function ipa_association_adder_dialog(spec) { } } -ipa_cmd('find', [that.get_filter()], {'all': true}, on_success, null, that.other_entity); +var hide_checkbox = $('input[name=hidememb]', that.container); + +var options = {'all': true}; +if (hide_checkbox.attr('checked')) { +var relationships = IPA.metadata[that.other_entity].relationships; + +/* TODO: better generic handling of different relationships! */ +var other_attribute_member = ''; +if (that.attribute_member == 'member') +other_attribute_member = 'memberof'; +else if (that.attribute_member == 'memberuser') +other_attribute_member = 'memberof'; +else if (that.attribute_member == 'memberhost') +other_attribute_member = 'memberof'; +else if (that.attribute_member == 'memberof') +other_attribute_member = 'member'; + +var relationship = relationships[other_attribute_member]; +if (relationship) { +var param_name = relationship[2] + that.entity_name; +options[param_name] = that.pkey; +} +} + +ipa_cmd('find', [that.get_filter()], options, on_success, null, that.other_entity); }; that.association_adder_dialog_init = that.init; @@ -234,6 +262,7 @@ function ipa_association_table_widget(spec) { var that = ipa_table_widget(spec); that.other_entity = spec.other_entity; +that.attribute_member = spec.attribute_member; that.associator = spec.associator || bulk_associator; that.add_method = spec.add_method || 'add_member'; @@ -398,7 +427,8 @@ function ipa_association_table_widget(spec) { 'title': title, 'entity_name': that.entity_name, 'pkey': pkey, -'other_entity': that.other_entity +'other_entity': that.other_entity, +'attribute_member': that.attribute_member, }); }; 
@@ -513,6 +543,8 @@ function ipa_association_facet(spec) { var that = ipa_facet(spec); that.other_entity = spec.other_entity; +that.facet_group = spec.facet_group; +that.attribute_member = spec.attribute_member; that.associator = spec.associator || bulk_associator; that.add_method = spec.add_method || 'add_member'; @@ -636,9 +668,20 @@ function ipa_association_facet(spec) { that.pkey = $.bbq.getState(that.entity_name + '-pkey', true) || ''; -//TODO I18N -var header_message
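Review bot: the `/* FIXME: event not firing? */` in the `init` hunk of associate.js: `$('input[name=hidememb]', that.container).click(that.search)` runs inside `that.init`, so if the checkbox is only appended to `that.container` when the dialog is opened the selector matches nothing at bind time and no handler is attached. Bind where the checkbox element is created, or delegate the click on `that.container`, and drop the FIXME once it fires.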
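Review bot: in the search hunk of `ipa_association_adder_dialog`, `hide_checkbox.attr('checked')` reads the attribute rather than the live checked state and behaves differently across jQuery versions; use `hide_checkbox.is(':checked')`. The `if/else if` ladder maps `member`, `memberuser` and `memberhost` all to `'memberof'` and leaves `other_attribute_member` as `''` for anything else, so `relationships['']` is undefined and the "hide already enrolled" filter is silently dropped for unknown attributes; at least log that case, and the TODO should say the ladder is meant to be replaced by the server's `relationships` metadata rather than extended.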
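Review bot: the object literal passed to the dialog in the `ipa_association_table_widget` hunk now ends with a trailing comma (`'attribute_member': that.attribute_member,` immediately followed by `});`); older Internet Explorer versions treat that as a syntax error, so drop the comma.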
[Freeipa-devel] [PATCH] Fix the mod operations.
*-mod operations were not functioning properly after the recent 'rename' patch. Pavel From 4f59a29a7f16a4dbdb8a39766968102a21fae1ed Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Tue, 21 Dec 2010 16:17:28 +0100 Subject: [PATCH] Fix the mod operations. --- ipalib/plugins/baseldap.py |1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index f8e5445..d91fd93 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -711,6 +711,7 @@ class LDAPUpdate(LDAPQuery, crud.Update): def _get_rename_option(self): rdnparam = getattr(self.obj.params, self.obj.rdnattr) return rdnparam.clone_rename('rename', cli_name='rename', +required=False, label=_('Rename'), doc=_('Rename the %s object' % self.obj.object_name)) def get_options(self): -- 1.7.3.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
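Review bot: `required=False` in the `_get_rename_option` hunk is the right fix, but the commit message ("were not functioning properly") leaves out the cause: the `rename` option is cloned from the RDN parameter, which is required, so every *-mod inherited a mandatory `--rename`. Put that in the message and add a test that runs a *-mod without `--rename`, so the regression cannot come back with the next clone change.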
[Freeipa-devel] [PATCH] Fix reporting of errors when validating parameters.
Print the attribute CLI name instead of its 'real' name. The real name is usually the name of the corresponding LDAP attribute, which is confusing to the user. This way we get: Invalid 'login': blablabla instead of: Invalid 'uid': blablabla Another example: Invalid 'hostname': blablabla instead of: Invalid 'fqdn': blablabla Ticket #435 Pavel From 8c6ef40f575399f3190ef077b26fd38ecb3a1c0e Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Tue, 21 Dec 2010 12:14:38 -0500 Subject: [PATCH 1/2] Fix reporting of errors when validating parameters. Print the attribute CLI name instead of its 'real' name. The real name is usually the name of the corresponding LDAP attribute, which is confusing to the user. This way we get: Invalid 'login': blablabla instead of: Invalid 'uid': blablabla Another example: Invalid 'hostname': blablabla instead of: Invalid 'fqdn': blablabla Ticket #435 --- ipalib/parameters.py |5 - ipalib/plugins/user.py |8 +++- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/ipalib/parameters.py b/ipalib/parameters.py index 955b979..feccd7e 100644 --- a/ipalib/parameters.py +++ b/ipalib/parameters.py @@ -748,8 +748,11 @@ class Param(ReadOnly): for rule in self.all_rules: error = rule(ugettext, value) if error is not None: +name = self.cli_name +if not name: +name = self.name raise ValidationError( -name=self.name, +name=name, value=value, index=index, error=error, diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index f76fbd6..6209754 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py 
@@ -227,7 +227,13 @@ class user_add(LDAPCreate): config = ldap.get_ipa_config()[1] if 'ipamaxusernamelength' in config: if len(keys[-1]) int(config.get('ipamaxusernamelength')[0]): -raise errors.ValidationError(name='uid', error=_('can be at most %(len)d characters' % dict(len = int(config.get('ipamaxusernamelength')[0] +raise errors.ValidationError( +name=self.obj.primary_key.cli_name, error=_( +'can be at most %(len)d characters' % dict( +len = int(config.get('ipamaxusernamelength')[0]) +) +) +) entry_attrs.setdefault('loginshell', config.get('ipadefaultloginshell')) # hack so we can request separate first and last name in CLI full_name = '%s %s' % (entry_attrs['givenname'], entry_attrs['sn']) -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
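Review bot: the `Param` hunk in parameters.py makes `ValidationError.name` carry `cli_name` whenever one is set; any consumer that maps `error.name` back to a parameter by its API name (web UI form fields, JSON-RPC clients) will now miss exactly the params this patch targets (`uid`/`login`, `fqdn`/`hostname`). Either keep the API name in the error and substitute the CLI name only when the CLI formats the message, or audit the consumers of `name` before merging.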
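Review bot: in the `user_add` hunk the `%` substitution happens inside the `_()` call, `_('can be at most %(len)d characters' % dict(...))`, so the catalog lookup is done on an already-substituted string and the message can never match its translation entry; move the substitution outside, `_('can be at most %(len)d characters') % dict(len=...)`. The hunk also evaluates `int(config.get('ipamaxusernamelength')[0])` twice (once in the comparison, once in the message); bind it to a local once.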
[Freeipa-devel] [PATCH] Update built-in help for user (ipa help user) with info about username format.
General talk about username format including username length and how to change it in ipa config. Ticket #436 Pavel From 6874f8d1ecc340832961b28b84b5140c65f6ca2b Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Tue, 21 Dec 2010 12:23:40 -0500 Subject: [PATCH 2/2] Update built-in help for user (ipa help user) with info about username format. Ticket #436 --- ipalib/plugins/user.py |6 ++ 1 files changed, 6 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 6209754..e3228a1 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -22,6 +22,12 @@ Users Manage user entries. All users are POSIX users. +IPA supports a wide range of username formats, but you need to be aware of any +restrictions that may apply to your particular environment. For example, +usernames that starts with a digit or usernames that exceed a certain length +may cause problems for some UNIX systems. +Use 'ipa config-mod' to change the username format allowed by IPA tools. + Disabling a user account prevents that user from obtaining new Kerberos credentials. It does not invalidate any credentials that have already been issued. -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
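Review bot: the help text in the `user.py` hunk has a grammar slip, "usernames that starts with a digit" should be "usernames that start with a digit". It would also help to say what `ipa config-mod` actually changes: the limit the plugin enforces is the `ipamaxusernamelength` config attribute (the `user_add` check reads it), so naming it tells the admin what to look for.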
Re: [Freeipa-devel] [PATCH] Enable filtering search results by member attributes.
On 12/08/2010 08:30 PM, Rob Crittenden wrote: Pavel Zůna wrote: On 2010-11-30 04:06, Rob Crittenden wrote: Pavel Zůna wrote:

LDAPSearch base class has now the ability to generate additional options for objects with member attributes. These options are used to filter search results - search only for objects without the specified members. Any class that extends LDAPSearch can benefit from this functionality. This patch enables it for the following objects: group, netgroup, rolegroup, hostgroup, taskgroup Example: ipa group-find --no-users=admin Only direct members are taken into account, but if we need indirect members as well - it's not a problem. Ticket #288 Pavel

This works as advertised but I wonder what would happen if a huge list of members was passed in to ignore. Is there a limit on the search filter size (remember that the member will be translated into a full dn so will quickly grow in size). Should we impose a configurable limit on the # of members to be excluded? Is there a max search filter size and should we check that we haven't exceeded that before doing a search? rob

I tried it out with more than a 1000 users and was getting an unwilling to perform error (search filter nested too deep). After a little bit of investigation, I figured the filter was being generated like this: (((!(a=v))(!(a2=v2 We were going deeper with each additional DN! I updated the patch to generate the filter like this instead: (!(|(a=v)(a2=v2))) Tried it again with more than 1000 users (~55Kb) - it worked and wasn't even slow. Updated patch attached. I also had to fix a bug in ldap2 filter generator, as a result this patch depends on my patch number 43. Pavel

You'll need to rebase this against master but otherwise ACK. It might be a small optimization to de-dupe the no-users list but it isn't a priority. rob

Re-based patch attached. Pavel
From 871b9d2b52175a4209ba2d8bdb12fcc019d871e9 Mon Sep 17 00:00:00 2001 
From: Pavel Zuna pz...@redhat.com Date: Thu, 2 Dec 2010 19:24:11 -0500 Subject: [PATCH] Enable filtering search results by member attributes. LDAPSearch base class has now the ability to generate additional options for objects with member attributes. These options are used to filter search results - search only for objects without the specified members. Example: ipa group-find --no-users=admin Only direct members are taken into account. Ticket #288 --- ipalib/plugins/baseldap.py | 34 +- ipalib/plugins/group.py |2 ++ ipalib/plugins/hostgroup.py |2 +- ipalib/plugins/netgroup.py |1 + 4 files changed, 37 insertions(+), 2 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 6b7153b..9635f41 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -1124,6 +1124,9 @@ class LDAPSearch(CallbackInterface, crud.Search): Retrieve all LDAP entries matching the given criteria. +member_attributes = [] +member_param_doc = 'exclude %s with member %s (comma-separated list)' + takes_options = ( Int('timelimit?', label=_('Time Limit'), 
@@ -1151,6 +1154,33 @@ class LDAPSearch(CallbackInterface, crud.Search): def get_options(self): for option in super(LDAPSearch, self).get_options(): yield option +for attr in self.member_attributes: +for ldap_obj_name in self.obj.attribute_members[attr]: +ldap_obj = self.api.Object[ldap_obj_name] +name = to_cli(ldap_obj_name) +doc = self.member_param_doc % ( +self.obj.object_name_plural, ldap_obj.object_name_plural +) +yield List('no_%s?' % name, cli_name='no_%ss' % name, doc=doc, + label=ldap_obj.object_name) + +def get_member_filter(self, ldap, **options): +filter = '' +for attr in self.member_attributes: +for ldap_obj_name in self.obj.attribute_members[attr]: +param_name = 'no_%s' % to_cli(ldap_obj_name) +if param_name in options: +dns = [] +ldap_obj = self.api.Object[ldap_obj_name] +for pkey in options[param_name]: +dns.append(ldap_obj.get_dn(pkey)) +flt = ldap.make_filter_from_attr( +attr, dns, ldap.MATCH_NONE +) +filter = ldap.combine_filters( +(filter, flt), ldap.MATCH_ALL +) +return filter has_output_params = global_output_params @@ -1192,8 +1222,10 @@ class LDAPSearch(CallbackInterface, crud.Search): search_kw[a] = term term_filter = ldap.make_filter(search_kw, exact=False) +member_filter = self.get_member_filter(ldap, **options) + filter = ldap.combine_filters( -(term_filter
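Review bot: `get_member_filter` in the `LDAPSearch` hunk shadows the `filter` builtin and starts from `filter = ''`, so the first `combine_filters((filter, flt), ldap.MATCH_ALL)` depends on the ldap2 combiner dropping empty components (the patch 43 dependency mentioned in the thread); a comment there would save the next reader the archaeology. The DNs handed to `make_filter_from_attr` are built from user-supplied primary keys, so RFC 4515 escaping of the values (`*`, `(`, `)`, `\`) has to happen inside that helper; a test with a key containing `)` or `*` would pin that down. De-duplicating `options[param_name]` before building `dns` would also keep the filter short, as suggested in the review.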
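The two filter shapes the thread compares, the chained NOT form that hit "search filter nested too deep" and the flat `(!(|(a=v)(a2=v2)))` form, as an added example that is not FreeIPA's ldap2 code. Function names follow the calls in the patch (`make_filter_from_attr`, `combine_filters`), but the implementations, the RFC 4515 escaping, `nesting_depth`, `chained_not_filter`, `member_exclusion_filter`, `search_filter`, `user_dn` and the sample DNs are constructed for this example.

```python
# Added example, not FreeIPA's ldap2 backend: the nested NOT chain whose
# depth grows with each DN versus the flat (!(|(a=v1)(a=v2)...)) form, plus
# the value escaping a filter built from user-supplied keys needs. Names
# mirror the patch's calls; the bodies and sample DNs are constructed.

MATCH_ALL, MATCH_ANY, MATCH_NONE = '&', '|', '!'


def escape_filter_value(value):
    """RFC 4515 escaping: a user-supplied key cannot inject filter syntax."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch
                   for ch in value)


def make_filter_from_attr(attr, values, match):
    """Assert attr against each value, joined with match.

    MATCH_NONE is rendered as one NOT around one OR, so the nesting depth
    does not depend on the number of values.
    """
    assertions = ''.join('(%s=%s)' % (attr, escape_filter_value(v))
                         for v in values)
    if match == MATCH_NONE:
        inner = assertions if len(values) == 1 else '(|%s)' % assertions
        return '(!%s)' % inner
    if len(values) == 1:
        return assertions
    return '(%s%s)' % (match, assertions)


def combine_filters(filters, match):
    """Join filters with match, dropping empty components (the ldap2 fix the
    thread refers to as patch 43; without it the initial '' ends up inside
    the parentheses)."""
    parts = [f for f in filters if f]
    if not parts:
        return ''
    if len(parts) == 1:
        return parts[0]
    return '(%s%s)' % (match, ''.join(parts))


def nesting_depth(flt):
    """Maximum parenthesis depth, the quantity the server put a limit on."""
    depth = deepest = 0
    for ch in flt:
        if ch == '(':
            depth += 1
            deepest = max(deepest, depth)
        elif ch == ')':
            depth -= 1
    return deepest


def chained_not_filter(attr, dns):
    """The original shape: AND the previous filter with each new NOT."""
    flt = ''
    for dn in dns:
        flt = combine_filters(
            (flt, make_filter_from_attr(attr, [dn], MATCH_NONE)), MATCH_ALL)
    return flt


def member_exclusion_filter(attr, dns):
    """The patched shape: de-duplicate, then one NOT over one OR."""
    unique = list(dict.fromkeys(dns))
    return make_filter_from_attr(attr, unique, MATCH_NONE)


def search_filter(term_filter, member_filter):
    """What the LDAPSearch execute path does with the two partial filters."""
    return combine_filters((term_filter, member_filter), MATCH_ALL)


def user_dn(uid):
    """Constructed DN shape for the sample, with the uid escaped."""
    return 'uid=%s,cn=users,dc=example,dc=com' % uid
```

With 1000 sample DNs the chained form reaches a depth of 1001 while the flat form stays at 3 regardless of count, which is the difference the server's "nested too deep" refusal was reacting to; the escaping step is what keeps a key such as `a)(uid=*` from closing the assertion early.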
[Freeipa-devel] [PATCH] Introduce new env variable, enable_dns=True, if IPA is managing DNS.
    if api.env.enable_dns:
        print "DNS is managed by IPA"

    ipa env | grep "enable_dns: True" > /dev/null && echo "DNS is managed by IPA"

Ticket #600 Pavel From d6031a2bbb1bb5d4b0520d6d56fc4716c3ef2242 Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Thu, 9 Dec 2010 13:10:36 -0500 Subject: [PATCH] Introduce new env variable. enable_dns=True, if IPA is managing DNS. Ticket #600 --- install/tools/ipa-server-install |5 - ipalib/constants.py |1 + 2 files changed, 5 insertions(+), 1 deletions(-) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index bed9add..6785acd 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -488,7 +488,8 @@ def main(): cfg = dict( context='installer', in_server=True, -debug=options.debug +debug=options.debug, +enable_dns=options.setup_dns, ) if options.uninstall: @@ -677,6 +678,8 @@ def main(): fd.write(enable_ra=True\n) if not options.selfsign: fd.write(ra_plugin=dogtag\n) +if options.setup_dns: +fd.write(enable_dns=True\n) fd.close() api.bootstrap(**cfg) diff --git a/ipalib/constants.py b/ipalib/constants.py index 32c6450..d0ab9fb 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -139,6 +139,7 @@ DEFAULT_CONFIG = ( # Enable certain optional plugins: ('enable_ra', False), ('ra_plugin', 'selfsign'), +('enable_dns', False), # # The remaining keys are never set from the values here! -- 1.7.1.1
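Review bot: the second `ipa-server-install` hunk writes `enable_dns=True` to the config file only when `options.setup_dns` is set, and the `constants.py` hunk defaults the key to `False`; any later path that turns DNS on for an already-installed server therefore has to write the key as well, or `api.env.enable_dns` keeps reporting `False`. Worth stating in the commit message. The first hunk also puts `enable_dns=options.setup_dns` into the runtime `cfg` on every invocation, including `--uninstall`; harmless, but a one-line comment would stop someone "fixing" it later.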
[Freeipa-devel] [PATCH] Fix default attributes in config plugin (ipadefaultemaildomain).
Fixes an attribute name mismatch in the config plugin. Ticket #573 Pavel From d98843a980331e9b8173a6eba228fa393b04e350 Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Sun, 5 Dec 2010 03:26:52 -0500 Subject: [PATCH] Fix default attributes in config plugin (ipadefaultemaildomain). Ticket #573 --- ipalib/plugins/config.py |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py index 79db77e..a56b667 100644 --- a/ipalib/plugins/config.py +++ b/ipalib/plugins/config.py @@ -66,7 +66,7 @@ class config(LDAPObject): object_name = 'configuration options' default_attributes = [ 'ipamaxusernamelength', 'ipahomesrootdir', 'ipadefaultloginshell', -'ipadefaultprimarygroup', 'ipadefaultdomain', 'ipasearchtimelimit', +'ipadefaultprimarygroup', 'ipadefaultemaildomain', 'ipasearchtimelimit', 'ipasearchrecordslimit', 'ipausersearchfields', 'ipagroupsearchfields', 'ipamigrationenabled', 'ipacertificatesubjectbase', ] -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
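Review bot: the `default_attributes` hunk swaps `ipadefaultdomain` for `ipadefaultemaildomain`; since the mismatch was against the LDAP attribute name, check the rest of the config plugin for remaining references to the old spelling and add a `config-show` test asserting the attribute is returned, so the next rename is caught by the suite rather than by a user.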
Re: [Freeipa-devel] [PATCH] Error message handling in HBAC module
On 11/29/2010 11:20 AM, Jan Zelený wrote: This patch contains a part of my original 0008 patch. The rest of it is solved differently (see my patch 0010). ACK. Pavel
[Freeipa-devel] [PATCH] Prompt correctly for required Password params.
Required Password params were prompted for like any other non-Password params, resulting in the password being displayed on the command line and there was no confirmation. Ticket #361 Pavel From f8451a7b94f226f3e5b4181f464de52e2dfbad2d Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Wed, 24 Nov 2010 08:01:31 -0500 Subject: [PATCH] Prompt correctly for required Password params. Ticket #361 --- ipalib/cli.py | 23 +-- 1 files changed, 13 insertions(+), 10 deletions(-) diff --git a/ipalib/cli.py b/ipalib/cli.py index 41bee7a..3120e01 100644 --- a/ipalib/cli.py +++ b/ipalib/cli.py @@ -515,7 +515,7 @@ class textui(backend.Backend): try: if sys.stdin.isatty(): while True: -pw1 = getpass.getpass('%s: ' % label) +pw1 = getpass.getpass(u'%s: ' % unicode(label)) pw2 = getpass.getpass( unicode(_('Enter %(label)s again to verify: ') % dict(label=label)) ) @@ -887,16 +887,15 @@ class cli(backend.Executioner): ``self.env.prompt_all`` is ``True``, this method will prompt for any params that have a missing values, even if the param is optional. -for param in cmd.params(): -if param.password and ( -kw.get(param.name, False) is True or param.name in cmd.args -): -kw[param.name] = \ -self.Backend.textui.prompt_password(param.cli_name) -elif param.name not in kw: -if param.autofill: +for param in cmd.params(): +if (param.required and param.name not in kw) or self.env.prompt_all: +if param.password: +kw[param.name] = self.Backend.textui.prompt_password( +param.label +) +elif param.autofill: kw[param.name] = param.get_default(**kw) -elif param.required or self.env.prompt_all: +else: default = param.get_default(**kw) error = None while True: 
@@ -910,6 +909,10 @@ class cli(backend.Executioner): break except ValidationError, e: error = e.error +elif param.password and kw.get(param.name, False) is True: +kw[param.name] = self.Backend.textui.prompt_password( +param.label +) def load_files(self, cmd, kw): -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
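Review bot: in the first `cli` hunk the condition `if (param.required and param.name not in kw) or self.env.prompt_all:` re-prompts for every parameter when `prompt_all` is set, including password params the caller already passed on the command line, and overwrites them; use `param.name not in kw and (param.required or self.env.prompt_all)`. The rework also changes two other behaviours worth calling out in the message: optional `autofill` params missing from `kw` are no longer filled at the CLI layer (the old `elif param.name not in kw: if param.autofill:` branch filled every missing one), and the old `param.name in cmd.args` case for positional password arguments is gone, which is only safe if such arguments are always `required`.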
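Review bot: the `elif param.password and kw.get(param.name, False) is True:` branch in the second hunk relies on a bare `--password` flag being stored as the literal `True`; if the option parser ever stores anything else for a valueless flag the branch is skipped and the placeholder value reaches the backend as the password. A comment stating that convention, and a test that a bare flag triggers `prompt_password`, would protect it.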
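The prompting rule the patch is aiming for, as an added example that is not ipalib/cli.py: passwords are read only through a non-echoing, confirmed prompt, nothing already supplied is re-asked even with `prompt_all`, and the bare `--password` convention (value `True`) means "ask me". `Param` is a constructed stand-in for ipalib's parameter objects, and `fill_params`, `prompt_password_tty` and the sample parameter list are constructed for this example; the prompt functions are injected so the logic can be exercised without a tty.

```python
# Added example, not ipalib/cli.py: the prompting rule the patch is after,
# with prompts injected so it runs without a terminal. Param is a constructed
# stand-in for ipalib's Param; fill_params and prompt_password_tty are
# hypothetical names.
import getpass
from collections import namedtuple

Param = namedtuple('Param', 'name label required password autofill default')


def prompt_password_tty(label):
    """Read a password twice without echo; retry until both entries match."""
    while True:
        pw1 = getpass.getpass('%s: ' % label)
        pw2 = getpass.getpass('Enter %s again to verify: ' % label)
        if pw1 == pw2:
            return pw1
        print('Passwords do not match!')


def fill_params(params, kw, prompt_password, prompt_value, prompt_all=False):
    """Fill missing parameters in kw (in place) and return it.

    Rules, in order:
    - a password param whose value is the literal True (bare --password
      flag) is read through prompt_password, never echoed;
    - a param already present in kw is left alone, even with prompt_all,
      so a supplied value is never overwritten by a re-prompt;
    - a missing password param is prompted only if required (or prompt_all),
      and always through prompt_password, never prompt_value;
    - a missing autofill param silently takes its default;
    - any other missing param is prompted only if required (or prompt_all).
    """
    for p in params:
        if p.password and kw.get(p.name) is True:
            kw[p.name] = prompt_password(p.label)
        elif p.name not in kw:
            if p.password:
                if p.required or prompt_all:
                    kw[p.name] = prompt_password(p.label)
            elif p.autofill:
                kw[p.name] = p.default
            elif p.required or prompt_all:
                kw[p.name] = prompt_value(p.label, p.default)
    return kw


# Constructed sample parameter list in the shape of a user-add command.
SAMPLE_PARAMS = [
    Param('uid', 'User login', True, False, False, None),
    Param('userpassword', 'Password', True, True, False, None),
    Param('loginshell', 'Login shell', False, False, True, '/bin/sh'),
    Param('title', 'Job title', False, False, False, None),
]


def run_with_recording(kw, prompt_all=False):
    """Run fill_params with recording prompts; returns (kw, list of prompts)."""
    calls = []

    def fake_password(label):
        calls.append(('password', label))
        return 'Secret123'

    def fake_value(label, default):
        calls.append(('value', label))
        return 'typed'

    return fill_params(SAMPLE_PARAMS, dict(kw), fake_password, fake_value,
                       prompt_all), calls


if __name__ == '__main__':
    # Interactive use: the real getpass prompt, plain input() for the rest.
    print(fill_params(SAMPLE_PARAMS, {'uid': 'pavel'}, prompt_password_tty,
                      lambda label, default: input('%s: ' % label)))
```

`run_with_recording` shows the three cases from the review: a missing required password goes through the password prompt only, `prompt_all` prompts for the optional `title` but leaves a supplied password untouched, and a literal `True` triggers the password prompt.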
[Freeipa-devel] [PATCH] Add new version of DNS plugin: complete rework with baseldap + unit tests.
Finally managed to rewrite the DNS plugin again. Sorry, it took so long, we had training in the office and I also had a nasty bug in baseldap.py I couldn't find. Anyway, this version has it all:
- changes we agreed on meeting, the resource abstraction is gone and we now only have zones and records = adding a new record automatically updates an existing entry or creates it if it wasn't there and deleting the last record deletes the whole entry - all of it transparent to the user
- unit tests
- ipa help documentation
Fixes tickets: #36 #450 I also closed bug #654412. It has a new patch sequence number, because it depends on another patch with a higher number and I didn't want to create forward dependencies. Depends on my patches number: 35 (will repost if needed) 38 (posted a while ago on freeipa-devel)
Pavel
From 9ff886618623abb7253956dc92e652361fe4076e Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Mon, 8 Nov 2010 22:34:14 -0500 Subject: [PATCH 2/3] Add new version of DNS plugin: complete rework with baseldap + unit tests. Ticket #36 Ticket #450 --- ipa.spec.in |1 + ipalib/plugins/dns2.py | 584 ++ tests/test_xmlrpc/test_dns_plugin.py | 341 3 files changed, 926 insertions(+), 0 deletions(-) create mode 100644 ipalib/plugins/dns2.py create mode 100644 tests/test_xmlrpc/test_dns_plugin.py diff --git a/ipa.spec.in b/ipa.spec.in index 5a3ea2b..1225bb0 100644 --- a/ipa.spec.in +++ b/ipa.spec.in @@ -178,6 +178,7 @@ Requires: gnupg Requires: pyOpenSSL Requires: python-nss = 0.9-8 Requires: python-lxml +Requires: python-netaddr %description python IPA is an integrated solution to provide centrally managed Identity (machine, diff --git a/ipalib/plugins/dns2.py b/ipalib/plugins/dns2.py new file mode 100644 index 000..2f72fec --- /dev/null +++ b/ipalib/plugins/dns2.py 
@@ -0,0 +1,584 @@ +# Authors: +# Pavel Zuna pz...@redhat.com +# +# Copyright (C) 2010 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +Domain Name System (DNS) + +Manage DNS zone and resource records. + +EXAMPLES: + + Add new zone: + ipa dnszone-add example.com --name_server nameserver.example.com + --admin_email ad...@example.com + + edd second nameserver for example.com: + ipa dnsrecord-add example.com @ --ns-rec nameserver2.example.com + + Delete previously added nameserver from example.com: + ipa dnsrecord-del example.com @ --ns-rec nameserver2.example.com + + Add new A record for www.example.com: (random IP) + ipa dnsrecord-add example.com www --a-rec 80.142.15.2 + + Add new PTR record for www.example.com + ipa dnsrecord 15.142.80.in-addr.arpa 2 --ptr-rec www.example.com. 
+ + Show zone example.com: + ipa dnszone-show example.com + + Find zone with example in it's domain name: + ipa dnszone-find example + + Find records for resources with www in their name in zone example.com: + ipa dnsrecord-find example.com www + + Find A records with value 10.10.0.1 in zone example.com + ipa dnsrecord-find example.com --a-rec 10.10.0.1 + + Show records for resource www in zone example.com + ipa dnsrecord-show example.com www + + Delete zone example.com with all resource records: + ipa dnszone-del example.com + + Resolve a host name to see if it exists (will add default IPA domain + if one is not included): + ipa dns-resolve www.example.com + ipa dns-resolve www + + + +import netaddr +import time + +from ipalib import api, errors, output +from ipalib import Command +from ipalib import Flag, Int, List, Str, StrEnum +from ipalib.plugins.baseldap import * +from ipalib import _, ngettext +from ipapython import dnsclient + +# supported resource record types +_record_types = ( +u'A', u'', u'A6', u'AFSDB', u'APL', u'CERT', u'CNAME', u'DHCID', u'DLV', +u'DNAME', u'DNSKEY', u'DS', u'HINFO', u'HIP', u'IPSECKEY', u'KEY', u'KX', +u'LOC', u'MD', u'MINFO', u'MX', u'NAPTR', u'NS', u'NSEC', u'NSEC3', +u'NSEC3PARAM', u'NXT', u'PTR', u'RRSIG', u'RP', u'SIG', u'SPF', u'SRV', +u'SSHFP', u'TA', u'TKEY', u'TSIG', u'TXT', +) + +# attributes derived from record types +_record_attributes = [str('%srecord' % t.lower()) for t in _record_types] + +# supported DNS classes, IN = internet, rest is almost never
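Review bot: several slips in the new `dns2.py` hunk. In the module docstring, "edd second nameserver" should be "Add second nameserver", the PTR example `ipa dnsrecord 15.142.80.in-addr.arpa 2 --ptr-rec www.example.com.` is missing the `-add` subcommand, and "in it's domain name" should be "its"; the "random IP" `80.142.15.2` in the A-record example is a routable public address, so use a documentation range (RFC 5737, e.g. `192.0.2.0/24`) in help text. In the code, `_record_types` contains an empty entry (`u'A', u'', u'A6', ...`), and `_record_attributes` derives names with `'%srecord' % t.lower()`, so that entry becomes a bare attribute called `record`; the slot is alphabetically where `AAAA` belongs, so it looks like a lost value, but either way the empty string must not reach the attribute list. The `from ipalib.plugins.baseldap import *` star import also hides which names the module depends on; an explicit import list is easier to review.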
Re: [Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.
On 10/20/2010 11:42 PM, Rob Crittenden wrote: Pavel Zuna wrote: On 10/14/2010 03:30 PM, Rob Crittenden wrote: Pavel Zuna wrote:

There was no default value set even though we were using config.get and it was throwing exceptions if someone deleted one of the related config values. Pavel

Is this needed since get_ipa_config() will always return something for time and search limits? rob

Yes, because get_ipa_config will return defaults for time and search limits only when the whole ipaConfig entry isn't found. I reworked the patch, so that defaults are always returned by get_ipa_config, but I left changes from the previous version, because it doesn't hurt anything and is a (very little) bit safer. New version attached. Pavel

I see your point. One can do 'ipa config-mod --searchtimelimit=` and blam, everything stops working. This still seems like a bit of a cover-up fix for that. Should we prevent these attributes from being removed?

We could do that, but it's always possible to delete the attribute using ldapmodify or some other tool.

rob

Pavel
Re: [Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.
On 10/14/2010 03:30 PM, Rob Crittenden wrote: Pavel Zuna wrote:

There was no default value set even though we were using config.get and it was throwing exceptions if someone deleted one of the related config values. Pavel

Is this needed since get_ipa_config() will always return something for time and search limits? rob

Yes, because get_ipa_config will return defaults for time and search limits only when the whole ipaConfig entry isn't found. I reworked the patch, so that defaults are always returned by get_ipa_config, but I left changes from the previous version, because it doesn't hurt anything and is a (very little) bit safer. New version attached. Pavel

pzuna-freeipa-0033-2-limitdefaults.patch
Re: [Freeipa-devel] [PATCH] 552 handle setattr/addattr better
On 09/29/2010 11:03 PM, Rob Crittenden wrote:

When doing an addattr check to see if we are creating a multi-value attribute and see if that is allowed by the Param and/or the attribute in the schema (SINGLE-VALUE). Pavel, check my fix in the exception callback. It was passing attrs_list but that isn't set until later. I decided to send an empty list instead. Also catch RDN update exceptions and return an error about primary keys (which this essentially means). ticket 230 rob

NACK. The patch isn't all bad, but the single-value check is in the wrong place. As a result, it only applies when someone tries to add a new value to attributes already present in the original entry. It won't fire when someone is trying to add more than one value if there was none before and it also won't fire when creating new entries. I reworked your patch a bit and merged it with my patch number 32, because they overlap in functionality. See freeipa-devel thread: [PATCH] Check if attribute is single-value before trying to add values to it. Pavel
Re: [Freeipa-devel] [PATCH] Check if attribute is single-value before trying to add values to it.
On 10/14/2010 12:01 AM, Rob Crittenden wrote: Pavel Zuna wrote: This patch adds a check in ldap2 for single-value attributes. DS doesn't seem to care much about attributes being defined as SINGLE-VALUE except for things like uidNumber and gidNumber (I suspect this is handled by the DNA plugin). Ticket #246 Pavel This is similar to ticket 220 which I have a pending patch for (patch 552). I think both patches are valid but we should test them together to be sure. Can you do that? rob I had to NACK your patch number 552, because the check was in the wrong place. Both patches overlap in functionality, so I decided to merge them into a new version of my original patch. I split the single-value check into two parts: First part is in baseldap classes (LDAPCreate, LDAPUpdate) and it checks if we're not trying to add more values to a Param defined attribute, that is not flagged as multivalue. Second part is in the ldap2 backend. It checks if we're not trying to add more values to an attribute, that is defined as SINGLE-VALUE in the schema. Unfortunately, it seems that python-ldap isn't capable of reporting the SINGLE-VALUE flag reliably and DS doesn't enforce it at all. In other words, this check is a bit weak, but still better than nothing. I hope you don't mind I merged both patches, but it seemed simpler and we can knock out 2 tickets in one commit. :) Ticket #230 Ticket #246 Pavel From adff41671b7f04f718085711401e7328390151ae Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Thu, 14 Oct 2010 13:05:43 -0400 Subject: [PATCH 1/2] Disallow RDN change and single-value bypass using setattr/addattr. Merge of my original patch number 32 and Rob's patch number 552. Ticket #230 Ticket #246 --- ipalib/errors.py | 33 - ipalib/frontend.py |2 +- ipalib/plugins/baseldap.py | 14 +- ipaserver/plugins/ldap2.py | 44 +++- 4 files changed, 77 insertions(+), 16 deletions(-) diff --git a/ipalib/errors.py b/ipalib/errors.py index 42d43ce..db13a43 100644 --- a/ipalib/errors.py 
+++ b/ipalib/errors.py @@ -1162,7 +1162,7 @@ class DatabaseError(ExecutionError): errno = 4203 -format = _('%(desc)s:%(info)s') +format = _('%(desc)s: %(info)s') class LimitsExceeded(ExecutionError): @@ -1195,6 +1195,37 @@ class ObjectclassViolation(ExecutionError): errno = 4205 format = _('%(info)s') +class NotAllowedOnRDN(ExecutionError): + +**4206** Raised when an RDN value is modified. + +For example: + + raise NotAllowedOnRDN() +Traceback (most recent call last): + ... +NotAllowedOnRDN: modifying primary key is not allowed + + +errno = 4206 +format = _('modifying primary key is not allowed') + + +class OnlyOneValueAllowed(ExecutionError): + +**4207** Raised when trying to set more than one value to single-value attributes + +For example: + + raise OnlyOneValueAllowed(attr='ipasearchtimelimit') +Traceback (most recent call last): + ... +OnlyOneValueAllowed: ipasearchtimelimit: attribute is single-value + + +errno = 4207 +format = _('%(attr)s: attribute is single-value') + class CertificateError(ExecutionError): diff --git a/ipalib/frontend.py b/ipalib/frontend.py index c9c070d..96649d9 100644 --- a/ipalib/frontend.py +++ b/ipalib/frontend.py @@ -504,7 +504,7 @@ class Command(HasParam): a dictionary. The incoming attribute may be a string or a list. -Any attribute found that is also a param is silently dropped. +Any attribute found that is also a param is validated. append controls whether this returns a list of values or a single value. diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 2335a7a..caa616a 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py 
@@ -157,6 +157,14 @@ _attr_options = ( ), ) +# addattr can cause parameters to have more than one value even if not defined +# as multivalue, make sure this isn't the case +def _check_single_value_attrs(params, entry_attrs): +for (a, v) in entry_attrs.iteritems(): +if isinstance(v, (list, tuple)) and len(v) 1: +if a in params and not params[a].multivalue: +raise errors.OnlyOneValueAllowed(attr=a) + class CallbackInterface(Method): @@ -277,6 +285,8 @@ class LDAPCreate(CallbackInterface, crud.Create): self, ldap, dn, entry_attrs, attrs_list, *keys, **options ) +_check_single_value_attrs(self.params, entry_attrs) + try: ldap.add_entry(dn, entry_attrs, normalize=self.obj.normalize_dn) except errors.ExecutionError, e: @@ -464,7 +474,7 @@ class LDAPUpdate(LDAPQuery, crud.Update): except errors.ExecutionError, e: try: (dn, old_entry
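Review bot: per the diffstat (`ipalib/frontend.py | 2 +-`), the frontend.py hunk changes only this one docstring line, so "validated" describes behaviour that this patch implements elsewhere (the new baseldap helper and the ldap2 check) rather than in this function; either say so in the docstring ("is validated by the calling command") or point at where the validation happens, so a reader of this function does not look for a check that is not there.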
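Review bot: `_check_single_value_attrs` in the baseldap hunk only counts the values present in entry_attrs and is only visibly called from LDAPCreate; the LDAPUpdate hunk is cut off after `(dn, old_entry`, so it cannot be verified here that the update path also accounts for a value the entry already holds (the --addattr-onto-an-existing-value case that motivated this patch), and that case is otherwise left to the ldap2 schema check which the cover note itself describes as weak. Please post the full hunk or add a unit test that uses addattr on an already-populated single-valued param. Note also that `len(v) 1` has lost its `>` in this archive copy and must read `len(v) > 1`.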
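A self-contained sketch of the two-part check this thread describes (Param multivalue flag first, schema SINGLE-VALUE flag as fallback), written for this page and not taken from the patch; the PARAMS and SCHEMA_SINGLE_VALUE tables are constructed stand-ins for IPA's Param definitions and python-ldap's schema, and the example also covers the --addattr-onto-an-existing-value case that a check on the new values alone cannot see:

```python
# Added example for this thread, not code from the FreeIPA patch: a single-value
# check that consults both the Param definition and the schema and also handles
# the --addattr-onto-an-existing-value case discussed in the review.
# PARAMS and SCHEMA_SINGLE_VALUE are constructed stand-ins (assumptions).


class OnlyOneValueAllowed(Exception):
    """Stand-in for the error the patch adds (errno 4207)."""

    def __init__(self, attr):
        super().__init__('%s: attribute is single-value' % attr)
        self.attr = attr


# Hypothetical Param table: attribute name -> multivalue flag, as an IPA
# object's takes_params would declare it.
PARAMS = {
    'uid': False,
    'gidnumber': False,
    'description': False,
    'mail': True,
}

# Hypothetical schema table: what AttributeType.single_value would report
# if python-ldap reported it reliably.  Covers attributes with no Param.
SCHEMA_SINGLE_VALUE = {
    'uidnumber': True,
    'gidnumber': True,
    'mail': False,
}


def _as_list(value):
    """Normalise a scalar, None, or a list/tuple/set into a list of values."""
    if value is None:
        return []
    if isinstance(value, (list, tuple, set, frozenset)):
        return list(value)
    return [value]


def is_single_valued(attr, params=PARAMS, schema=SCHEMA_SINGLE_VALUE):
    """Part one of the check uses the Param's multivalue flag; part two falls
    back to the schema for attributes the API does not define as Params."""
    attr = attr.lower()
    if attr in params:
        return not params[attr]
    return schema.get(attr, False)


def resulting_values(attr, new_value, old_entry=None, op='replace'):
    """Values the attribute would hold after the write.

    op='replace' mirrors a create or --setattr: the new values replace what is
    stored.  op='add' mirrors --addattr: the new values join the stored ones,
    which is the case a check on the new values alone cannot see.
    """
    current = set(_as_list((old_entry or {}).get(attr.lower())))
    new = set(_as_list(new_value))
    return new | current if op == 'add' else new


def check_single_value_attrs(entry_attrs, old_entry=None, op='replace'):
    """Raise OnlyOneValueAllowed if any single-valued attribute would end up
    holding more than one value; return True when the write is acceptable.
    Run this before the entry is sent to the directory, so a bad request fails
    on the client side instead of relying on the server to enforce SINGLE-VALUE."""
    for attr, value in entry_attrs.items():
        if not is_single_valued(attr):
            continue
        if len(resulting_values(attr, value, old_entry, op)) > 1:
            raise OnlyOneValueAllowed(attr)
    return True


if __name__ == '__main__':
    # Create: one uid, two mail values -> fine, mail is multivalue.
    check_single_value_attrs({'uid': ['tuser1'],
                              'mail': ['a@example.test', 'b@example.test']})
    # Create: two uidNumbers -> rejected via the schema table.
    try:
        check_single_value_attrs({'uidnumber': ['1000', '1001']})
    except OnlyOneValueAllowed as e:
        print(e)
    # Update with --addattr onto an existing description -> rejected, because
    # the stored value and the new one would coexist.
    stored = {'description': ['first']}
    try:
        check_single_value_attrs({'description': ['second']}, stored, op='add')
    except OnlyOneValueAllowed as e:
        print(e)
    # Update with --setattr -> fine, the value is replaced.
    check_single_value_attrs({'description': ['second']}, stored, op='replace')
```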
[Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.
There was no default value set even though we were using config.get and it was throwing exceptions if someone deleted one of the related config values. Pavel From 5dfda61f3995f4d5ae5813b7f70f2d2658a687f0 Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Thu, 14 Oct 2010 10:54:24 -0400 Subject: [PATCH 2/2] Add fail-safe defaults to time and size limits in ldap2 searches. --- ipaserver/plugins/ldap2.py |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index 096d3a3..1d18bbb 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -515,9 +515,9 @@ class ldap2(CrudBackend, Encoder): if time_limit is None or size_limit is None: (cdn, config) = self.get_ipa_config() if time_limit is None: -time_limit = config.get('ipasearchtimelimit')[0] +time_limit = config.get('ipasearchtimelimit', [-1])[0] if size_limit is None: -size_limit = config.get('ipasearchrecordslimit')[0] +size_limit = config.get('ipasearchrecordslimit', [0])[0] if not isinstance(size_limit, int): size_limit = int(size_limit) if not isinstance(time_limit, float): -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
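Review bot: the fallbacks `[-1]` and `[0]` on the two changed lines mean "no time limit" and "no size limit" in python-ldap terms, so when the config attributes are missing the search runs unbounded; a missing configuration value should fail safe rather than open, so use conservative bounded defaults (the values get_ipa_config() returns when the whole ipaConfig entry is absent would be the natural choice) instead of lifting the limits entirely.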
[Freeipa-devel] [PATCH] Check if attribute is single-value before trying to add values to it.
This patch adds a check in ldap2 for single-value attributes. DS doesn't seem to care much about attributes being defined as SINGLE-VALUE except for things like uidNumber and gidNumber (I suspect this is handled by the DNA plugin). Ticket #246 Pavel From 94681f66292904979227bbe2fed058ba9b1a23a4 Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Wed, 13 Oct 2010 12:40:51 -0400 Subject: [PATCH] Check if attribute is single-value before trying to add values to it. Ticket #246 --- ipalib/errors.py |2 +- ipaserver/plugins/ldap2.py | 16 +++- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/ipalib/errors.py b/ipalib/errors.py index 42d43ce..fd96e57 100644 --- a/ipalib/errors.py +++ b/ipalib/errors.py @@ -1162,7 +1162,7 @@ class DatabaseError(ExecutionError): errno = 4203 -format = _('%(desc)s:%(info)s') +format = _('%(desc)s: %(info)s') class LimitsExceeded(ExecutionError): diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index 2213df0..1c5a84f 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -690,13 +690,19 @@ class ldap2(CrudBackend, Encoder): adds = list(v.difference(old_v)) rems = list(old_v.difference(v)) +is_single_value = False +if self.schema: +obj = self.schema.get_obj(_ldap.schema.AttributeType, k) +is_single_value = obj and obj.single_value + +if is_single_value and len(adds) 1 or len(adds) len(rems): +raise errors.DatabaseError( +info='attribute is single-value', desc=k +) + force_replace = False -if k in self._FORCE_REPLACE_ON_UPDATE_ATTRS: +if k in self._FORCE_REPLACE_ON_UPDATE_ATTRS or is_single_value: force_replace = True -elif self.schema: -obj = self.schema.get_obj(_ldap.schema.AttributeType, k) -if obj and obj.single_value: -force_replace = True elif len(adds) == 1 and len(rems) == 1: force_replace = True -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
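Review bot: the condition `if is_single_value and len(adds) 1 or len(adds) len(rems):` (the comparison operators have been lost in this archive copy) mixes `and` and `or` without parentheses, so the right-hand comparison is evaluated for every attribute, single-valued or not, and an ordinary multi-valued update that adds more values than it removes will be rejected with "attribute is single-value"; group it as `is_single_value and (...)`, and rather than comparing adds against removes, check the number of values the attribute would hold after the change, which also handles a single-valued attribute being set for the first time (one add, zero removes). Raising DatabaseError with `desc=k` also overloads a generic error for a validation failure; a dedicated error class, as the merged version of this patch later introduces, is clearer for callers.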
Re: [Freeipa-devel] [PATCH] 570 enforce max username length
On 10/11/2010 05:19 PM, Rob Crittenden wrote: Enforce the configurable max username length from cn=ipaconfig. rob This will raise an exception if the ipaMaxUsernameLength attribute isn't present in the config entry. I know it's not very likely, but it would be better to retrieve the attribute first and only do the length check if it is set. Pavel
Re: [Freeipa-devel] [PATCH] 569 detect when DNS is not configured
On 10/11/2010 04:55 PM, Rob Crittenden wrote: Detect when DNS is not configured and return an error message when using the command-line. It would be nicer if we disabled the command altogether but this would require checking the server to see every time the ipa command is executed (which would be bad). We can't store this in a configuration file because it is possible to add a DNS post-install (and it would require adding this to every single client install). ticket 147 rob ACK. Pavel
Re: [Freeipa-devel] [PATCH] 571 return non-zero on *-find when nothing is found
On 10/11/2010 06:58 PM, Rob Crittenden wrote: Return non-zero when the number of entries from *-find returned is zero. ticket 325 rob ACK. Pavel
Re: [Freeipa-devel] [PATCH] 570 enforce max username length
On 10/13/2010 03:46 PM, Rob Crittenden wrote: Pavel Zuna wrote: On 10/11/2010 05:19 PM, Rob Crittenden wrote: Enforce the configurable max username length from cn=ipaconfig. rob This will raise an exception if the ipaMaxUsernameLength attribute isn't present in the config entry. I know it's not very likely, but it would be better to retrieve the attribute first and only do the length check if it is set. Pavel Ok, new patch attached. get_ipa_config() always returns a dict (unless things really go south in which case missing this attribute is the least of our problems). rob ACK. Pavel
[Freeipa-devel] [PATCH] Fix attribute callbacks on details pages in the webUI.
Fixes bug reported by Adam in internal discussion. Ticket #326 Pavel From 4ca5f618913d780e018e37e03b159201bffb9996 Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Wed, 6 Oct 2010 12:01:02 -0400 Subject: [PATCH] Fix attribute callbacks on details pages in the webUI. Ticket #326 --- install/static/details.js | 20 1 files changed, 12 insertions(+), 8 deletions(-) diff --git a/install/static/details.js b/install/static/details.js index f16dc36..99666b1 100644 --- a/install/static/details.js +++ b/install/static/details.js @@ -79,19 +79,23 @@ function ipa_generate_dl(jobj, id, name, dts) for (var i = 0; i dts.length; ++i) { var label = ''; -if (dts[i][0].indexOf('call_') != 0) { -var param_info = ipa_get_param_info(obj_name, dts[i][0]); -if (param_info) -label = param_info['label']; -} +var param_info = ipa_get_param_info(obj_name, dts[i][0]); +if (param_info) +label = param_info['label']; if ((!label) (dts[i].length 1)) label = dts[i][1]; + +var title = dts[i][0]; +if (typeof dts[i][2] == 'function') +title = 'call_' + dts[i][2].name; dl.append( -$('dt/',{ -title:dts[i][0], -html:label+:}) +$('dt/dt', { +title: title, +html: label + ':', +}) ); } + parent.append(dl); parent.append('hr/'); } -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
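Review bot: `title = 'call_' + dts[i][2].name` relies on Function.prototype.name, which is empty for anonymous functions and unsupported in Internet Explorer before version 9, so the dt title silently degrades to 'call_'; carry an explicit callback name in the dts entry instead. Two smaller points on the same hunk: the label is inserted with `html: label + ':'`, and since labels come from the server-side meta-data (or the dts table), `text:` is the safer choice so that any markup in a label is rendered literally; and the trailing comma after `html: label + ':',` in the object literal is a syntax error in older Internet Explorer releases.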
[Freeipa-devel] [PATCH] Fix inconsistent error message when deleting groups that don't exist.
The pre_callback in group_del was using a direct ldap2 call with no exception handling. Ticket #292 Pavel From 60eb789c84f91c5911dec397c528fd8a2e21ef99 Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Wed, 6 Oct 2010 13:45:20 -0400 Subject: [PATCH] Fix inconsistent error message when deleting groups that don't exist. Ticket #292 --- ipalib/plugins/group.py |4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py index fae6a28..9beef00 100644 --- a/ipalib/plugins/group.py +++ b/ipalib/plugins/group.py @@ -165,7 +165,9 @@ class group_del(LDAPDelete): def_primary_group_dn = group_dn = self.obj.get_dn(def_primary_group) if dn == def_primary_group_dn: raise errors.DefaultGroup() -(group_dn, group_attrs) = ldap.get_entry(dn) +(group_dn, group_attrs) = self.obj.methods.show( +self.obj.get_primary_key_from_dn(dn) +) if 'mepmanagedby' in group_attrs: raise errors.ManagedGroupError() return dn -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
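Review bot: `self.obj.methods.show(...)` returns the command's output dict (result, value, ...), not the `(dn, entry_attrs)` pair that `ldap.get_entry()` returned, so the tuple unpacking on the changed lines and the following `'mepmanagedby' in group_attrs` test no longer look at the entry's attributes and the managed-group guard would never fire; take the entry from the output, e.g. `group_attrs = self.obj.methods.show(self.obj.get_primary_key_from_dn(dn))['result']`, and add a test that deleting a private (managed) group still raises ManagedGroupError.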
[Freeipa-devel] [PATCH] Rename user-lock and user-unlock to user-enable user-disable.
Also fixes related unit tests and therefore depends on my patch number 28. Ticket #165 Pavel From 9ead34195c3ef1b3be9f9c57ba54fd2849215ab0 Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Tue, 5 Oct 2010 15:37:37 -0400 Subject: [PATCH] Rename user-lock and user-unlock to user-enable user-disable. Ticket #165 --- ipalib/plugins/user.py| 16 tests/test_xmlrpc/test_user_plugin.py | 12 ++-- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 0746553..daa5cc4 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -274,13 +274,13 @@ class user_show(LDAPRetrieve): api.register(user_show) -class user_lock(LDAPQuery): +class user_disable(LDAPQuery): -Lock a user account. +Disable user account. has_output = output.standard_value -msg_summary = _('Locked user %(value)s') +msg_summary = _('Disabled user account %(value)s') def execute(self, *keys, **options): ldap = self.obj.backend @@ -297,16 +297,16 @@ class user_lock(LDAPQuery): value=keys[0], ) -api.register(user_lock) +api.register(user_disable) -class user_unlock(LDAPQuery): +class user_enable(LDAPQuery): -Unlock a user account. +Enable user account. has_output = output.standard_value -msg_summary = _('Unlocked user %(value)s') +msg_summary = _('Enabled user account %(value)s') def execute(self, *keys, **options): ldap = self.obj.backend @@ -323,4 +323,4 @@ class user_unlock(LDAPQuery): value=keys[0], ) -api.register(user_unlock) +api.register(user_enable) diff --git a/tests/test_xmlrpc/test_user_plugin.py b/tests/test_xmlrpc/test_user_plugin.py index 1850dc1..7d77131 100644 --- a/tests/test_xmlrpc/test_user_plugin.py +++ b/tests/test_xmlrpc/test_user_plugin.py 
@@ -235,27 +235,27 @@ class test_user(Declarative): dict( -desc='Lock %r' % user1, +desc='Disable %r' % user1, command=( -'user_lock', [user1], {} +'user_disable', [user1], {} ), expected=dict( result=True, value=user1, -summary=u'Locked user tuser1', +summary=u'Disabled user account tuser1', ), ), dict( -desc='Unlock %r' % user1, +desc='Enable %r' % user1, command=( -'user_unlock', [user1], {} +'user_enable', [user1], {} ), expected=dict( result=True, value=user1, -summary=u'Unlocked user tuser1', +summary=u'Enabled user account tuser1', ), ), -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
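Review bot: the user.py hunks remove user_lock and user_unlock outright with no deprecated aliases, so any existing script or client that calls user_lock/user_unlock breaks at upgrade; consider registering the old names as thin wrappers around user_disable/user_enable for one release, and restore the article in the new docstrings ("Disable a user account.", "Enable a user account.") to match the wording of the commands they replace.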
Re: [Freeipa-devel] [PATCH] Add 'continuous' mode to LDAPDelete. Fix *-del unit tests.
On 10/05/2010 04:47 PM, Pavel Zuna wrote: All LDAPMultiQuery sub-classes (currently only LDAPDelete) now have the --continuous flag (off by default). The flag should indicate that the command shouldn't stop on errors and continue operation with the next primary key on the arguments lists. This effectively fixes *-del unit tests, because continuous mode is off by default. (It was on before this patch and there was no option to turn it off.) Ticket #321 Pavel I forgot to mention that this depends on my patch number 27, because they modify the same file (baseldap.py). Pavel
[Freeipa-devel] [PATCH] Add flag to group-find to only search on private groups.
Ticket #251 Pavel From 1bb54788dca503a7b6e25e2fc13a8852174a3827 Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Tue, 21 Sep 2010 13:03:40 -0400 Subject: [PATCH 1/3] Add flag to group-find to only search on private groups. Ticket #251 --- ipalib/plugins/group.py | 16 ++-- 1 files changed, 14 insertions(+), 2 deletions(-) diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py index 616eff2..b3b6747 100644 --- a/ipalib/plugins/group.py +++ b/ipalib/plugins/group.py @@ -184,7 +184,6 @@ class group_mod(LDAPUpdate): Modify a group. - msg_summary = _('Modified group %(value)s') takes_options = LDAPUpdate.takes_options + ( @@ -214,11 +213,24 @@ class group_find(LDAPSearch): Search for groups. - msg_summary = ngettext( '%(count)d group matched', '%(count)d groups matched', 0 ) +takes_options = LDAPSearch.takes_options + ( +Flag('privateonly', +cli_name='privateonly', +doc=_('search for private groups only'), +), +) + +def pre_callback(self, ldap, filter, attrs_list, base_dn, *args, **options): +if options['privateonly']: +objclass = ['posixGroup', 'mepManagedEntry'] +flt = ldap.make_filter_from_attr('objectclass', objclass) +filter = ldap.combine_filters([filter, flt], ldap.MATCH_ALL) +return filter + api.register(group_find) -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
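Review bot: `ldap.make_filter_from_attr('objectclass', objclass)` in the group_find hunk is called with a list of two values and no explicit combining rule; if its default rule is MATCH_ANY, the resulting filter is (|(objectclass=posixGroup)(objectclass=mepManagedEntry)) and --privateonly matches every posixGroup rather than only managed private groups, which carry both classes. Pass `ldap.MATCH_ALL` explicitly (as the combine_filters call on the next line already does) and add a unit test with a non-private posixGroup to pin the behaviour.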
Re: [Freeipa-devel] [PATCH] Modal dialog for enrollment
On 09/23/2010 01:04 AM, Endi Sukma Dewata wrote: Hi, Please review the attached patch. Thanks! The enroll facet has been converted into a dialog box. This dialog box will appear when the user clicks the enroll button above the association list. When the user clicks the enroll button in the dialog box, the new associations will be created, then the list will be refreshed to show the changes. The SerialAssociator and BulkAssociator have been modified to accept an on_success function which will be called when the whole operation is completed successfully. This is used to refresh the list and close the dialog box appropriately. Some other changes were also made to improve code clarity. -- Endi S. Dewata ACK. Pavel
Re: [Freeipa-devel] [PATCH] admiyo-freeipa-0026-fixed-formatting-of-search-table.patch
On 09/17/2010 04:33 PM, Adam Young wrote: admiyo-freeipa-0026-fixed-formatting-of-search-table.patch ACK. Pavel
Re: [Freeipa-devel] [PATCH] admiyo-freeipa-0027-fix-sampledata.patch
On 09/17/2010 04:34 PM, Adam Young wrote: URL needs to be relative, not absolute in order for in tree development ACK. Pavel
Re: [Freeipa-devel] [PATCH] admiyo-freeipa-0031-unbroke-the-facets-link.patch
On 09/17/2010 04:41 PM, Adam Young wrote: This has a fix for a previous patch which turned the facets into a horizontal list, but broke the clickability. ACK. Pavel
Re: [Freeipa-devel] [PATCH] admiyo-freeipa-0032-css-cleanup.patch
On 09/17/2010 04:42 PM, Adam Young wrote: Fixes many of the CSS issues introduced by jquery.ui.tabs. Not all, but it looks a lot better. ACK. Pavel
Re: [Freeipa-devel] [PATCH] admiyo-freeipa-0033-pointer-cursor-for-facets.patch
On 09/17/2010 04:43 PM, Adam Young wrote: Changes the mouse icon for facets to the pointer, signifying clickability. ACK. Pavel
Re: [Freeipa-devel] [PATCH] Icons
On 09/18/2010 02:35 AM, Adam Young wrote: These are just placeholder icons until we get the official ones from UXD. They look roughly like the finished product, but have some rough points. They will be used by the next patch to generate the quick links and facets. This is a huge patch, but it is all binary files. ACK. Pavel
Re: [Freeipa-devel] [PATCH] admiyo-freeipa-0030-moved-images-up.patch
On 09/17/2010 04:38 PM, Adam Young wrote: moved images up. Adding an 'images' subdir was proliferating changes throughout the build system; this seemed easier. Submitted as a separate patch to signify where we are departing from what is generated by theme-roller. Doesn't apply for me. Missing some image files and doesn't apply on jquery-ui.css. I applied all your patches I could find before this one, but I can't find number 28 on the list. Maybe that's the reason. Pavel
Re: [Freeipa-devel] [PATCH] admiyo-freeipa-0036-links-and-facet-icons.patch
On 09/18/2010 02:36 AM, Adam Young wrote: This patch makes use of the previous patch to put the icons in the facets and quick links. It looks OK, but I can't test it because the required patch 30 doesn't apply for me. Pavel
Re: [Freeipa-devel] [PATCH] admiyo-freeipa-0019-associations.patch
On 09/04/2010 04:29 AM, Adam Young wrote: You are right. The 'this' pointer always gets overridden, so it has to be assigned to another variable name in order to get used in a closure. Here's an updated patch. On 09/03/2010 05:20 PM, Endi Sukma Dewata wrote: Hi Adam, Thanks for the update. I found a problem, the this.pkey in the callback function below is undefined so it won't load the values back in the details page. diff --git a/install/static/associate.js b/install/static/associate.js index dabc76c..ae1f4af 100644 --- a/install/static/associate.js +++ b/install/static/associate.js @@ -90,10 +90,10 @@ function BulkAssociator(form, pkey, manyObjPkeys){ function(response){ var qs = ipa_parse_qs(); if (response.error){ - alert(error adding memeber); + alert(error adding member); }else{ location.hash=tab= +form.oneObj - +facet=detailspkey=+this.pkey; + +facet=detailspkey=+pkey; } }, function(response){ Attached is the service tab I've been working on. Sometimes the enrollment page doesn't work quite right. When I click Find it will show the available hosts, but sometimes it would replace the list immediately with the list of available users. Probably the previous click handler still got called somehow. -- Endi S. Dewata - Adam Youngayo...@redhat.com wrote: Updated version that provides the means to overload the method called. This was requested by edewata to support services. I also simplified some of the internal code. https://fedorahosted.org/freeipa/attachment/ticket/104/admiyo-freeipa-0019-2-associations.patch Let's get this in. ACK. There are some white-space warnings, remove them before pushing. Pavel
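Review bot: the success branch of the quoted hunk still builds location.hash by concatenating form.oneObj and pkey without URL-encoding them, so a primary key containing '&', '#' or '=' corrupts the hash params that ipa_parse_qs() later reads back; serialize the pair with encodeURIComponent (or a proper param serializer) rather than string concatenation. The error branch also discards response.error entirely; surfacing its message in the alert would make failed enrollments diagnosable.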
Re: [Freeipa-devel] [PATCH] 514 make ldap2 class work with clients
On 08/19/2010 01:08 AM, Rob Crittenden wrote: Make ldap2 class work as a client library as well. Move the user-private group caching code out of the global config and determine the value the first time it is needed. Renamed global_init() back to get_schema() and make it take an optional connection. This solves the problem of being able to do all operations with a simple bind instead of GSSAPI. Moved the global get_syntax() into a class method so that a schema can be passed in. If a schema wasn't loaded during the module import then it is loaded when the connection is created (so we have the credentials needed for binding). ticket 63 rob Sorry it took me so long to review this patch. ACK! Pavel
Re: [Freeipa-devel] BA-BBQ
On 08/23/2010 04:12 AM, Adam Young wrote: Pavel, Thoughts of jquery.ba-bbq have been marinating in the back of my brain. I know that the Back button doesn't work so well with hash params, and that BBQ purports to fix this, but I had some sort of mental shift I had to make. I think I have it now. BBQ, and in fact the whole AJAX approach, works off of client side code, which means the whole hash params approach. What I didn't get was that the best approach to dealing with this was to drive the site off of the event that happens when the URL hash changes. We need to do this. Basically, navigation.js registers: $(window).bind( 'hashchange', function(e) { ... } This function gets called each time the URL hash changes, which happens on either a tab click or on a back button (let's start with those two, there will be more). So basically, this function is our dispatch. Instead of having to register the onclick functions for each of the tabs, we know that they will all end up in this function, and then we let it parse the params for us. BBQ has the concept of a stack, where we can push and pop state. This might be useful for pushing a query, going to the details page, and then popping the query afterwards. I'm still mulling this over. Note, we will want to replace the custom hash param work we are doing with JQuery.deparam and JQuery.param calls, as they are much more mature, and it is less code we have to debug. Sure, from what I've read in jQuery docs, it looks more powerful than what we currently have. The thing I have to figure out now is what this will do to navigation on the details, add and groups pages. I don't think it will be a problem. Functional links (such as Reset, Update, Add, Remove) are only used to run javascript functions - the URL, query string or hash doesn't change. Most of these actions are also one way only. We don't want the user to be able to go Back after he updated an entry. (Going back in this case should probably bring him back to the search page). Pavel
Re: [Freeipa-devel] Extending Details, user and otherwise
On 08/17/2010 08:12 PM, Adam Young wrote: The structure of our details code is basically [categoryId, categoryDisplay, attributes] and attributes are [attributeId, attributeDisplay, I've inlined the user details at the bottom as an example. In order to make these configurable by the end user, here is a strawman proposal: Create a dir under /var/lib/ipa/details with code that will, at run time, get validated and then appended to the web code. This code, unlike the resources approach, will not be autogenerated. The code for the user details gets pre-populated there from a static copy somewhere under /usr/share/ipa. The end user can then customize it to add or remove fields. If they so desire, they can add in custom javascript code that will provide more advanced UI. An example might be an interactive map for showing seat and parking assignments. IPA server install and uninstall will be aware of these files, and treat them gently. Doing an install will not overwrite the files if they are present, but will instead rename and back them up. Same with uninstall, unless an additional option is given (for example --ultraclean) that is responsible for removing all vestiges of IPA from a system. The details pages will be named collection-details.js: user-details.js, group-details.js and so forth. As I said, this is a strawman. Please poke holes in it, and make better suggestions. That's one possible way. I was thinking of something a little bit different, but similar from the user perspective. We could have the insert-object-name-here-details.js files under (for example) /etc/ipa/webui/ and /usr/share/ipa/static would have symlinks to them. It's basically the same thing Adam proposed, but in this case, we don't have to monitor, generate or append anything. We only need to make sure not to overwrite these files after installation. Take it as just another proposal, because I'm not sure if it's 100% compatible with the Linux file system philosophy. There might also be some security risks using symlinks to /etc/*, although I'm not aware of any. Pavel
[Freeipa-devel] [PATCH] Add link to json2.js to index.xhtml.
Applies after Adam's 0008 patch (Hash params). Pavel From 4be347d0cdf5f65d9360e8483d09076b45163d5b Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Wed, 18 Aug 2010 12:39:09 -0400 Subject: [PATCH] Add link to json2.js to index.xhtml. --- install/static/index.xhtml |1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/install/static/index.xhtml b/install/static/index.xhtml index 8cde161..69c1b99 100644 --- a/install/static/index.xhtml +++ b/install/static/index.xhtml @@ -5,6 +5,7 @@ titleIPA: Identity Policy Audit/title link href=ipa.css rel=stylesheet type=text/css / +script type=text/javascript src=json2.js/script script type=text/javascript src=jquery.js/script script type=text/javascript src=jquery.cookie.js/script -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] Improve serialization to JSON.
- Make it recursive.
- Make Param classes serializable.
- Take python native data types into account.
Pavel pzuna-freeipa-0010-json.patch
[Freeipa-devel] [PATCH] Add a new INTERNAL plugin that exports plugin meta-data into JSON.
This is required for the webUI, since we're dropping Genshi. *ehm* :) You can't use this command on the CLI. It takes one optional argument: the name of an IPA object. If not specified, meta-data for all objects are returned. Note: If you want to try it out on the CLI, just comment out the INTERNAL = True line. Pavel pzuna-freeipa-0011-export.patch
[Freeipa-devel] [PATCH] Clean ipa.js and make it load plugin meta-data over JSON-RPC.
What does it mean? Well, first I removed some development control variables from ipa.js. Namely useSampleData and sizelimit. I moved useSampleData to the top of index.xhtml. This way we won't forget about it when we don't need it anymore. sizelimit has nothing to do in ipa.js and shouldn't be hardcoded for ALL commands! Some don't have this parameter and could fail. Since ipa_init now loads meta-data over JSON-RPC, we need to wait for it to finish its job. That's why I put a second parameter to ipa_init: on_win. ipa_init will call on_win when all data is loaded properly and we can start building the page. Pavel pzuna-freeipa-0012-cleanipajs.patch
[Freeipa-devel] [PATCH] Clean details.js.
What does it mean? I removed duplicate code that was pasted here from the user details page. ipa_details_init doesn't call ipa_init anymore. ipa_details_create takes a second optional parameter that can be set to a container element if we want to place the definition lists into a specific element instead of body. In our case, we place stuff in <div id="content">. Pavel pzuna-freeipa-0013-cleandetailsjs.patch
[Freeipa-devel] [PATCH] Stretch content div and make Reset/Update buttons stick to right.
I know that the user details page still doesn't look exactly like the mockups, but it's getting there and it's mostly just a matter of moving elements around - easy.

Pavel

[Attachment: pzuna-freeipa-0015-detailscss.patch]
Re: [Freeipa-devel] [PATCH] 506 correct ipa-server-install man page
On 08/10/2010 07:20 PM, Rob Crittenden wrote:
> The ipa-server-install man page still referred to the deprecated --ca option to configure a dogtag instance. Drop that and include information on the --selfsign option.
>
> rob

ack.

Pavel
Re: [Freeipa-devel] [PATCH] 481 add has_output_params support to Method class
On 07/12/2010 10:47 PM, Rob Crittenden wrote:
> When figuring out what to display, has_output_params was being ignored by descendants of the Method class.
>
> rob

ACK.

Pavel
Re: [Freeipa-devel] [PATCH] 483 disable service/host
On 07/12/2010 11:48 PM, Rob Crittenden wrote:
> This patch supersedes patch 479 which is now defunct. It relies on patch 481.
>
> Add API to delete a service principal key, service-disable and host-disable. This is so an admin can essentially revoke a service principal without deleting it (a host stores its own host service principal).
>
> I pulled usercertificate out of the global params and put it into each appropriate function because it makes no sense for service-disable.
>
> This also adds a new output parameter, has_keytab. It is a boolean that indicates whether the entry has a Kerberos principal key (or at least our best guess at it).
>
> rob

ACK.

Pavel
Re: [Freeipa-devel] [PATCH] 476 fix bad API call in selfsign
On 06/25/2010 03:46 PM, Rob Crittenden wrote:
> Use newer API in selfsign plugin. Fix missing import when running in the in-tree lite-server.
>
> rob

Maybe we should remove the comment as well, if it's not valid anymore. Other than that: ACK.

Pavel
Re: [Freeipa-devel] [PATCH] 460 an enrollment role
On 06/02/2010 08:34 PM, Rob Crittenden wrote:
> Add a new role specifically for delegating enrollment. Previously you had to delegate two tasks, this simplifies things.
>
> rob

ack.

Pavel
Re: [Freeipa-devel] [PATCH] 461 ignore no_* options in Virtual class
On 06/02/2010 08:35 PM, Rob Crittenden wrote:
> The Virtual base class is used for doing non-LDAP operations, right now just for certificate commands. It wasn't honoring the no_* option flags. Add support for that.
>
> rob

NACK.

I think I do understand what this patch is trying to do and it works, but I also think it builds over the misuse of the 'no_*' option flags. These flags were added so that we can specify a common list of Params in Object.takes_params and mark those that are inappropriate for Add/Update/Search methods. It doesn't make sense to use these flags in cert.py commands, because they aren't linked to any Object. If you want to add Params just for output purposes, use Command.has_output_params.

EXAMPLE: WRONG:

    class cert_status(VirtualCommand):
        takes_args = (
            Str('request_id',
                label=_('Request id'),
                # pzuna: the next line has no effect
                flags=['no_create', 'no_update', 'no_search'],
            ),
        )
        # pzuna: ipa cert-status doesn't TAKE the cert-request-status option
        takes_options = (
            Str('cert_request_status?',
                label=_('Request status'),
                flags=['no_create', 'no_update', 'no_search'],
            ),
        )

EXAMPLE: RIGHT:

    class cert_status(VirtualCommand):
        takes_args = (
            Str('request_id',
                label=_('Request id'),
            ),
        )
        has_output_params = (
            Str('cert_request_status?',
                label=_('Request status'),
            ),
        )

Pavel
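The distinction Pavel draws above is easy to see in a small model. The following is an added example, not ipalib or FreeIPA code: Param, Object, Method, VirtualCommand and the user/cert_status classes below are simplified stand-ins written for this illustration (the real classes are richer and the flag handling lives elsewhere). It shows that the no_create/no_update/no_search flags are consumed only when a Method derives its option list from its Object's takes_params, so putting them on a VirtualCommand's own takes_options leaves the option accepted as input, whereas has_output_params makes the value an output-only field.

```python
# Added example: toy model of the Object/Method parameter-flag pattern.
# Not ipalib. Class and attribute names mirror the discussion, but every
# definition here is a constructed stand-in.

class Param(object):
    """Declarative parameter: name, label and a set of flags.
    A trailing '?' in the name marks the parameter optional, as in ipalib."""
    def __init__(self, name, label=None, flags=()):
        self.required = not name.endswith('?')
        self.name = name.rstrip('?')
        self.label = label or self.name
        self.flags = frozenset(flags)

    def __repr__(self):
        return 'Param(%r)' % self.name


class Command(object):
    """Base command: explicit args/options plus output-only params."""
    takes_args = ()
    takes_options = ()
    has_output_params = ()

    def get_options(self):
        return list(self.takes_options)

    def get_output_params(self):
        return list(self.has_output_params)

    def describe(self):
        """Names of the args, accepted options and output fields."""
        return {
            'args': [p.name for p in self.takes_args],
            'options': [p.name for p in self.get_options()],
            'output': [p.name for p in self.get_output_params()],
        }


class Object(object):
    """An LDAP-backed object type sharing one Param list across its methods."""
    takes_params = ()


class Method(Command):
    """A Command bound to an Object. It inherits the Object's params and is
    the ONLY place the no_<kind> flags are consulted."""
    obj = None
    kind = None          # 'create', 'update' or 'search'

    def get_options(self):
        skip = 'no_' + self.kind
        inherited = [p for p in self.obj.takes_params if skip not in p.flags]
        return inherited + list(self.takes_options)

    def get_output_params(self):
        # anything on the object may come back, plus declared extras
        return list(self.obj.takes_params) + list(self.has_output_params)


class VirtualCommand(Command):
    """Non-LDAP command (the certificate commands): no Object, nothing to inherit,
    so the flag filter in Method.get_options never runs for it."""


# The case the flags were designed for: one shared Param list, several methods.
class user(Object):
    takes_params = (
        Param('uid', label='User login'),
        Param('userpassword?', label='Password', flags=['no_search']),
        Param('memberof_group?', label='Member of groups',
              flags=['no_create', 'no_update', 'no_search']),
    )

class user_add(Method):
    obj, kind = user, 'create'

class user_find(Method):
    obj, kind = user, 'search'


# The WRONG form from the review: flags on a VirtualCommand option are inert,
# so cert_request_status is still accepted as input.
class cert_status_wrong(VirtualCommand):
    takes_args = (Param('request_id', label='Request id'),)
    takes_options = (Param('cert_request_status?', label='Request status',
                           flags=['no_create', 'no_update', 'no_search']),)

# The RIGHT form: output-only via has_output_params.
class cert_status(VirtualCommand):
    takes_args = (Param('request_id', label='Request id'),)
    has_output_params = (Param('cert_request_status?', label='Request status'),)


def demo():
    """Describe every command so the effect of flags vs has_output_params is visible."""
    return dict((c.__name__, c().describe())
                for c in (user_add, user_find, cert_status_wrong, cert_status))
```

Running demo() shows user_find dropping both no_search params while user_add keeps userpassword, and cert_status_wrong still listing cert_request_status under options despite its flags.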
Re: [Freeipa-devel] [PATCH] 462 add per-command documentation
On 06/02/2010 08:36 PM, Rob Crittenden wrote:
> First pass at adding per-command documentation for each plugin.
>
> rob

ack.

Pavel
Re: [Freeipa-devel] [PATCH] 462 add per-command documentation
On 06/15/2010 03:08 AM, David O'Brien wrote:
> Rob Crittenden wrote:
>> First pass at adding per-command documentation for each plugin.
>>
>> rob
>
> Rob,
> How would you like edits to this? I _could_ edit the patch, or I could wait until you commit what you have and then run ipa help <topic> and send edited files for each topic. This was posted almost two weeks ago; what's the status?
>
> cheers

I think the best approach would be for you to send edited files. It's better if you see it in action than in a patch and it's less prone to mistakes.

Pavel
Re: [Freeipa-devel] [PATCH] 458 catch no CA preop.pin
On 05/28/2010 05:22 PM, Rob Crittenden wrote:
> The preop.pin is used to authenticate the admin when doing CA enrollment. We were assuming it would be available and things blow up badly if not (we end up passing None as an argument to exec). If there isn't a preop pin there is no need to do anything, so raise an error.
>
> rob

It looks like the patch message is missing a part, it ends with:

    To remove an existing instance run:

and then nothing, but that's just a detail :)

ack.

Pavel
Re: [Freeipa-devel] [PATCH] 456 replica creation
On 05/27/2010 11:51 PM, Rob Crittenden wrote:
> If a host is already enrolled (either as a client or a former replica) then ipa-replica-install will fail spectacularly with an error about a missing keytab. This is because some entries already exist and it totally confuses things. We need to start this host from scratch, so catch this condition and give the admin some hints on how to fix it.
>
> rob

It seems to work, but this:

    except Exception, e:
        pass

is a very bad practice, because it catches everything (even the KeyboardInterrupt exception) and makes code very hard to debug if something really unexpected happens. I've already replaced a few things like this in the installer, but there are probably more left. Catch errors.ExecutionError instead, or in this case errors.NotFound.

auto-ack when this is fixed.

Pavel
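To make the review point concrete, here is an added example (not FreeIPA or ipalib code) contrasting the broad "except Exception: pass" with catching only NotFound for the already-enrolled check. PublicError, ExecutionError and NotFound are the ipalib.errors names Pavel refers to, but the minimal class definitions, the in-memory FakeDirectory and the AlreadyEnrolled/require_fresh_host helpers are all constructed for this illustration. The point it demonstrates is the security-relevant one: a broad catch turns an unrelated bug or outage into "not enrolled", so the installer proceeds on a host it should have refused, while the narrow catch lets that failure surface.

```python
# Added example, not FreeIPA code. Error classes are minimal stand-ins for
# ipalib.errors; FakeDirectory is a constructed in-memory LDAP substitute.

class PublicError(Exception):
    """Root of the error hierarchy (stand-in for ipalib.errors.PublicError)."""

class ExecutionError(PublicError):
    """Something went wrong while executing a command."""

class NotFound(ExecutionError):
    """The requested entry does not exist."""

class AlreadyEnrolled(ExecutionError):
    """Constructed for this example: refuse an install on a host that has entries."""


class FakeDirectory(object):
    """Constructed stand-in for looking up host entries in the directory."""
    def __init__(self, hosts, fault=None):
        self.hosts = set(hosts)
        self.fault = fault        # exception to raise, simulating a bug or outage

    def lookup(self, fqdn):
        if self.fault is not None:
            raise self.fault
        if fqdn not in self.hosts:
            raise NotFound('host not found: %s' % fqdn)
        return {'fqdn': fqdn}


def is_enrolled_broad(directory, fqdn):
    """The pattern under review: every failure, expected or not, becomes False."""
    try:
        directory.lookup(fqdn)
        return True
    except Exception:
        pass                       # TypeError, connection failure, ... all vanish here
    return False


def is_enrolled(directory, fqdn):
    """Handle only the outcome that means 'not enrolled'; let anything else propagate."""
    try:
        directory.lookup(fqdn)
    except NotFound:
        return False
    return True


def require_fresh_host(directory, fqdn):
    """Replica-install precondition: stop early with a clear message instead of
    failing later with a confusing missing-keytab error."""
    if is_enrolled(directory, fqdn):
        raise AlreadyEnrolled(
            'host %s already has entries; remove the existing client or replica '
            'configuration before running the replica install' % fqdn)
    return True


def install_would_proceed(directory, fqdn):
    """True if the precondition passes, False if AlreadyEnrolled stops it."""
    try:
        require_fresh_host(directory, fqdn)
    except AlreadyEnrolled:
        return False
    return True


def demo():
    """Compare both checks against a directory whose lookup is itself broken."""
    broken = FakeDirectory([], fault=TypeError('unexpected None argument'))
    results = {'broad': is_enrolled_broad(broken, 'replica.example.test')}
    try:
        is_enrolled(broken, 'replica.example.test')
        results['narrow'] = 'no error'
    except TypeError as e:
        results['narrow'] = 'TypeError: %s' % e
    return results
```

With the broken directory, the broad version silently reports "not enrolled" and the install would carry on; the narrow version raises the TypeError, which is exactly the "something really unexpected" the review wants to see rather than hide.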
Re: [Freeipa-devel] [PATCH] 446 fix clone from a clone
On 05/19/2010 07:28 PM, Rob Crittenden wrote:
> Include -clone_uri argument to pkisilent setting the clone URI. This makes creating a clone from a clone work as expected.
>
> Note that this depends on some fixes in the pki-ca, pki-common and pki-silent packages. I tested this against pre-release versions.
>
> This means you can do something like this:
>
> Install IPA on server A
> Prepare a replica file on server A for server B
> Install the IPA replica on server B
> Prepare a replica file for server C on server B
> Install the IPA replica on server C
>
> The replication topology looks like: A - B - C
>
> This isn't really recommended but it at least frees us from having a single point of failure regarding the CA. The CAs are now independent, though they replicate over a different channel than IPA user data.
>
> rob

ack.

Pavel
Re: [Freeipa-devel] [PATCH] 447 load dogtag selinux rules in spec
On 05/20/2010 05:56 PM, Rob Crittenden wrote:
> Move the dogtag SELinux rules loading into the spec file
>
> I couldn't put the dogtag rules into the spec file until we required dogtag as a component. If it wasn't pre-loaded then the rules loading would fail because types would be missing.
>
> rob

This doesn't apply after your 446 patch, because it includes it. So either drop 446 or remove the CAInstance part from 447 and apply both.

Pavel
Re: [Freeipa-devel] [PATCH] 448 fix default hbac rule, add default services
On 05/20/2010 07:54 PM, Rob Crittenden wrote:
> Add the 'all' serviceCategory to the default allow_all HBAC rule and add some standard services: ftp, login, sshd, su, sudo.
>
> rob

ack.

Pavel
Re: [Freeipa-devel] [PATCH] 451 fix i18n test
On 05/21/2010 11:35 PM, Rob Crittenden wrote:
> Fix this test to work from source tree root
>
> It would work if you ran the test from its location in tests/test_ipalib but this isn't the most common method. If you want to run it individually you can do:
>
> $ ./make-test tests/test_ipalib/test_text.py
>
> rob

Maybe I'm doing something wrong, but I'm still getting this one error:

    ==
    ERROR: Test gettext translation
    --
    Traceback (most recent call last):
      File "/usr/lib/python2.6/site-packages/nose/case.py", line 183, in runTest
        self.test(*self.arg)
      File "/root/freeipa/tests/test_ipalib/test_text.py", line 89, in test_gettext
        msgid = get_msgid(test_file)
      File "/root/freeipa/tests/test_ipalib/test_text.py", line 43, in get_msgid
        f = open(po_file)
    IOError: [Errno 2] No such file or directory: 'install/po/test.po'

Pavel
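The traceback above is the classic symptom of a test opening a fixture by a path relative to the current working directory ('install/po/test.po'), so it only passes when run from one particular directory. The following is an added example (not the FreeIPA test-suite code) showing the check a practitioner would want instead: resolve the fixture from the test module's own location by walking up to the tree root, so the result is the same whether the runner starts in the tree root, in tests/test_ipalib, or somewhere else entirely. The helper names and the temporary source tree that demo() builds are constructed for this example.

```python
# Added example, not FreeIPA code: locate install/po/test.po relative to the
# test module rather than to os.getcwd(). The temporary tree in demo() is
# constructed to stand in for a checkout of the source tree.

import os
import tempfile


def find_tree_root(start_dir, marker=os.path.join('install', 'po')):
    """Walk upward from start_dir until a directory containing `marker` is found."""
    current = os.path.abspath(start_dir)
    while True:
        if os.path.isdir(os.path.join(current, marker)):
            return current
        parent = os.path.dirname(current)
        if parent == current:            # reached the filesystem root without a hit
            raise IOError('no directory containing %r above %s' % (marker, start_dir))
        current = parent


def po_file_path(test_module_dir, name='test.po'):
    """Absolute path of install/po/<name>, independent of the working directory.
    In a real test module, pass os.path.dirname(__file__)."""
    return os.path.join(find_tree_root(test_module_dir), 'install', 'po', name)


def demo():
    """Build a constructed tree in a temp dir, chdir somewhere unrelated, and
    compare the cwd-relative open with the module-relative resolution."""
    root = tempfile.mkdtemp(prefix='ipa-tree-')
    test_dir = os.path.join(root, 'tests', 'test_ipalib')
    po_dir = os.path.join(root, 'install', 'po')
    os.makedirs(test_dir)
    os.makedirs(po_dir)
    with open(os.path.join(po_dir, 'test.po'), 'w') as f:
        f.write('msgid "hello"\nmsgstr "hello"\n')       # constructed fixture content

    elsewhere = tempfile.mkdtemp(prefix='somewhere-else-')
    old_cwd = os.getcwd()
    os.chdir(elsewhere)
    try:
        # what the failing test does: a path relative to wherever we happen to be
        relative_exists = os.path.exists(os.path.join('install', 'po', 'test.po'))
        # the fix: derive the path from the test module's directory
        resolved = po_file_path(test_dir)
        resolved_exists = os.path.exists(resolved)
    finally:
        os.chdir(old_cwd)
    return {'relative_exists': relative_exists,
            'resolved_exists': resolved_exists,
            'resolved_under_root': resolved.startswith(root)}
```

demo() returns relative_exists False and resolved_exists True: the cwd-relative path fails from the foreign directory exactly as in the traceback, while the module-relative path finds the fixture.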
Re: [Freeipa-devel] [PATCH] 452 add missing hbac update file
On 05/26/2010 03:50 PM, Rob Crittenden wrote:
> I moved these contents into an update so that each entry could get its own UUID. The templater for ldif files is a little less robust and can only assign a single UUID per file. If this is ever an issue we can address it then but it isn't a problem for now.
>
> This is needed for patch 450 to work properly.
>
> rob

ack.

Pavel