Re: [Freeipa-devel] [PATCH] Add a new user-add flag param to disable the creation of UPG.

2011-04-08 Thread Pavel Zuna

On 04/04/2011 03:47 PM, Simo Sorce wrote:

On Mon, 28 Mar 2011 15:27:46 -0700
Nathan Kinder <nkin...@redhat.com> wrote:


On 03/28/2011 03:20 PM, Dmitri Pal wrote:

On 03/28/2011 04:38 PM, Pavel Zůna wrote:

This patch handles the issue in a kind of stupid way, but I
couldn't think of anything better.

It adds a new flag parameter to user-add (--noprivate). With this
flag, the command marks the private group about to be created for
deletion and is deleted after the user is created. The only
exception is when there is a group, that is named the same way as
the user, but isn't a private group - then the group is left there.

Private groups are created automatically by the managed entry DS
plugin and I didn't find a way to disable its creation for a
specific user.


The idea that comes to mind is to define some magical attribute
that the DS plugin would recognize and skip the creation of the
managed entry as well as strip the entry of this magic
attribute/value. I remember that other plugins might take advantage
of the similar approach.

Is something like this possible?

You are probably thinking of the DNA plug-in and its use of a magic
value used to tell the plug-in to allocate a value from a range.  I
would not like to use this approach here, as it requires additional
coding and complexity that I don't think is needed.

I would prefer that we use the originFilter to deal with this.  We
could have an auxiliary objectclass that IPA usually adds when
creating an IPA user.  The originFilter can key off of this
objectclass to create managed groups.  When a user is added with the
--noprivate option, this objectclass is not included in the user
entry that is added.  Rob and I discussed this approach on IRC
earlier today.


Ack, this sounds like a better approach, although it doesn't
necessarily need to be an objectclass it can also be an attribute with
a specific value that is checked in the filter as (!(attrib=value))

Simo.



New patch with new approach attached.

It sets the checked filter to:
((objectclass=posixAccount)(!(description=__no_upg__)))

If a user entry is created with the description attribute equal to the string 
__no_upg__, the DS plugin will not trigger and no UPG is going to be created.


After this patch, the user-add plugin adds this description attribute 
(NO_UPG_MAGIC = __no_upg__) in the pre_callback and deletes it in the 
post_callback if necessary.


I think the description attribute is the best choice, because it's part of the 
posixAccount objectClass and we don't use it for anything on user entries.


Pavel
From 57f3b82bc4b3180a8b0a27733cc0632b813a7736 Mon Sep 17 00:00:00 2001
From: Pavel Zuna <pz...@redhat.com>
Date: Mon, 28 Mar 2011 15:10:57 -0400
Subject: [PATCH] Add a new user-add flag param to disable the creation of UPG.

Ticket #1131
---
 install/share/user_private_groups.ldif |2 +-
 ipalib/plugins/user.py |   53 ---
 2 files changed, 42 insertions(+), 13 deletions(-)

diff --git a/install/share/user_private_groups.ldif b/install/share/user_private_groups.ldif
index 9df729a..41a78ba 100644
--- a/install/share/user_private_groups.ldif
+++ b/install/share/user_private_groups.ldif
@@ -15,7 +15,7 @@ changetype: add
 objectclass: extensibleObject
 cn: UPG Definition
 originScope: cn=users,cn=accounts,$SUFFIX
-originFilter: objectclass=posixAccount
+originFilter: ((objectclass=posixAccount)(!(description=__no_upg__)))
 managedBase: cn=groups,cn=accounts,$SUFFIX
 managedTemplate: cn=UPG Template,cn=etc,$SUFFIX
 
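Review bot: the new originFilter on the `+` line, `((objectclass=posixAccount)(!(description=__no_upg__)))`, has no `&` in front of its two sub-filters and is not a well-formed LDAP filter; unless the `&` was simply lost in the mail, it has to read `(&(objectclass=posixAccount)(!(description=__no_upg__)))` or the Managed Entries plugin will not evaluate it as intended. It is also worth a comment next to the definition that `description` is an ordinary writable attribute: any posixAccount that arrives with `description: __no_upg__` by some other path (a direct LDAP add, `--setattr`) will skip UPG creation too, so the marker value is effectively reserved.
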
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 9015144..9a658a9 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -63,6 +63,9 @@ from ipalib import _, ngettext
 from ipalib.request import context
 from time import gmtime, strftime
 
+
+NO_UPG_MAGIC = '__no_upg__'
+
 def validate_nsaccountlock(entry_attrs):
 if 'nsaccountlock' in entry_attrs:
 if not isinstance(entry_attrs['nsaccountlock'], basestring):
@@ -70,6 +73,7 @@ def validate_nsaccountlock(entry_attrs):
 if entry_attrs['nsaccountlock'].lower() not in ('true','false'):
 raise errors.ValidationError(name='nsaccountlock', error='must be TRUE or FALSE')
 
+
 class user(LDAPObject):
 
 User object.
@@ -250,22 +254,35 @@ class user_add(LDAPCreate):
 
 Add a new user.
 
-
 msg_summary = _('Added user %(value)s')
 
+takes_options = LDAPCreate.takes_args + (
+Flag('noprivate',
+cli_name='noprivate',
+doc=_('don\'t create user private group'),
+),
+)
+
 def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
-try:
-# The Managed Entries plugin will allow a user to be created
-# even if a group has a duplicate name. This would leave a user
-# without a private group. Check for both the group and the user.
-self.api.Command['group_show'](keys[-1
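
Review bot: `takes_options = LDAPCreate.takes_args + (Flag('noprivate', ...),)` extends the wrong tuple; it should build on `LDAPCreate.takes_options`, otherwise whatever LDAPCreate declares as positional arguments is re-registered as options and any options the base class declares are lost. The `pre_callback` change is cut off here right after the removed `group_show` lookup, so the marker handling described in the mail (set in pre_callback, removed in post_callback) cannot be checked from this excerpt; the removed comment explained why the duplicate-group check existed, and the replacement should keep that rationale in a comment.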

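The originFilter approach above, as an added example that is not part of the patch or of FreeIPA: a small evaluator for the RFC 4515 subset involved (`&`, `|`, `!` and equality, so it covers a little more than the one filter in the patch), run against constructed entries to show which ones a Managed Entries definition would act on with the old and the new originFilter, and that the filter exactly as it appears in the mail, without the leading `&`, does not parse. The entries, and the case-insensitive comparison for every attribute, are assumptions made here.

```python
import re

# Filters taken from the patch and the mail above. The third is the filter as
# it appears in the mail (no '&'); it is kept to show that it does not parse.
OLD_ORIGIN_FILTER = '(objectclass=posixAccount)'
NEW_ORIGIN_FILTER = '(&(objectclass=posixAccount)(!(description=__no_upg__)))'
FILTER_AS_SHOWN_IN_MAIL = '((objectclass=posixAccount)(!(description=__no_upg__)))'
NO_UPG_MAGIC = '__no_upg__'

_ITEM = re.compile(r'^([A-Za-z][A-Za-z0-9.;-]*)=(.*)$', re.S)


def parse_filter(text):
    """Parse the RFC 4515 subset used here ('&', '|', '!' and simple
    equality) into a nested tuple tree; raise ValueError on malformed input."""

    def parse(i):
        if i >= len(text) or text[i] != '(':
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        if i < len(text) and text[i] in '&|':
            op, i, kids = text[i], i + 1, []
            while i < len(text) and text[i] == '(':
                node, i = parse(i)
                kids.append(node)
            if not kids or i >= len(text) or text[i] != ')':
                raise ValueError("bad '%s' list at offset %d" % (op, i))
            return (op, kids), i + 1
        if i < len(text) and text[i] == '!':
            node, i = parse(i + 1)
            if i >= len(text) or text[i] != ')':
                raise ValueError("unterminated '!' at offset %d" % i)
            return ('!', [node]), i + 1
        end = text.find(')', i)
        if end < 0:
            raise ValueError("unterminated item at offset %d" % i)
        m = _ITEM.match(text[i:end])
        if m is None:
            raise ValueError("bad filter item %r" % text[i:end])
        return ('=', m.group(1).lower(), m.group(2)), end + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError('trailing data after filter')
    return node


def matches(node, entry):
    """Evaluate a parsed filter against an entry given as {attr: [values]}
    with lower-case attribute names. Values are compared case-insensitively,
    as 389-ds does for description (caseIgnoreMatch) and objectclass
    (objectIdentifierMatch); other attributes are assumed to behave the same."""
    op = node[0]
    if op == '&':
        return all(matches(child, entry) for child in node[1])
    if op == '|':
        return any(matches(child, entry) for child in node[1])
    if op == '!':
        return not matches(node[1][0], entry)
    attr, wanted = node[1], node[2]
    values = entry.get(attr, [])
    if wanted == '*':
        return bool(values)
    return any(v.lower() == wanted.lower() for v in values)


def filter_parses(origin_filter):
    try:
        parse_filter(origin_filter)
        return True
    except ValueError:
        return False


def upg_would_be_created(origin_filter, entry):
    """True if a Managed Entries definition with this originFilter would act on
    the entry when it is added (originScope is ignored here)."""
    lowered = {k.lower(): v for k, v in entry.items()}
    return matches(parse_filter(origin_filter), lowered)


# Constructed sample entries, not taken from the page.
NORMAL_USER = {'objectClass': ['top', 'person', 'posixAccount'], 'uid': ['alice']}
MARKED_USER = {'objectClass': ['top', 'person', 'posixAccount'], 'uid': ['bob'],
               'description': [NO_UPG_MAGIC]}
MARKED_UPPER = {'objectClass': ['top', 'person', 'posixAccount'], 'uid': ['carol'],
                'description': ['__NO_UPG__']}
NON_POSIX = {'objectClass': ['top', 'person'], 'uid': ['svc']}
```

With the old filter every posixAccount gets a private group; with the new one the marked entry is skipped, and because `description` is compared case-insensitively `__NO_UPG__` skips it as well, which is why the marker has to be treated as reserved rather than as just another description.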
Re: [Freeipa-devel] [PATCH] Validate/Normalize user attributes if set using krbtpolicy set/add-attr.

2011-04-07 Thread Pavel Zuna

On 04/06/2011 05:08 PM, Pavel Zuna wrote:

Ticket #744

Pavel



New fixed version of patch attached.

Pavel
From c61c329c1fd4f806a64f4fa6b660b0baeea38377 Mon Sep 17 00:00:00 2001
From: Pavel Zuna <pz...@redhat.com>
Date: Wed, 6 Apr 2011 09:08:03 -0400
Subject: [PATCH] Validate/Normalize user attributes if set using krbtpolicy set/add-attr.

Ticket #744
---
 ipalib/plugins/krbtpolicy.py |   20 
 ipalib/plugins/user.py   |1 +
 2 files changed, 21 insertions(+), 0 deletions(-)

diff --git a/ipalib/plugins/krbtpolicy.py b/ipalib/plugins/krbtpolicy.py
index c9d86ea..8cefc90 100644
--- a/ipalib/plugins/krbtpolicy.py
+++ b/ipalib/plugins/krbtpolicy.py
@@ -83,6 +83,10 @@ class krbtpolicy(LDAPObject):
 label=_('User name'),
 doc=_('Manage ticket policy for specific user'),
 primary_key=True,
+pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$',
+pattern_errmsg='may only include letters, numbers, _, -, . and $',
+maxlength=255,
+normalizer=lambda value: value.lower(),
 ),
 Int('krbmaxticketlife?',
 cli_name='maxlife',
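Review bot: the `pattern` accepts at most 1 + 252 + 1 = 254 characters, so `maxlength=255` can never be the binding limit; drop it or make the two agree. If this regex and `pattern_errmsg` are copied from the `uid` param of the user plugin, reference one shared definition so the two cannot drift, since a login accepted by user-add but rejected here would have no reachable ticket policy. Note also that the pattern as written accepts `.` and `..` as a complete login; fine if user-add refuses them elsewhere, otherwise worth a guard.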
@@ -96,6 +100,14 @@ class krbtpolicy(LDAPObject):
 doc=_('Maximum renewable age (seconds)'),
 minvalue=1,
 ),
+Int('uidnumber?',
+minvalue=1,
+flags=['no_create', 'no_update', 'no_search'],
+),
+Int('gidnumber?',
+minvalue=1,
+flags=['no_create', 'no_update', 'no_search'],
+),
 )
 
 def get_dn(self, *keys, **kwargs):
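Review bot: `Int('uidnumber?')` and `Int('gidnumber?')` carry `no_create`, `no_update` and `no_search` but no `label` or `doc`; if they exist only so that values supplied via `--setattr`/`--addattr` are type-checked and bounded, say so in a comment, and verify that param validation actually runs for values that arrive that way: the `mail` case in the next hunk is handled by hand in `pre_callback`, which suggests declaring the param is not enough on its own.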
@@ -115,6 +127,14 @@ class krbtpolicy_mod(LDAPUpdate):
 #  ticket policies are attached to objects with unrelated attributes
 if options.get('all'):
 options['all'] = False
+if keys[-1] is not None:
+# we're modifying an user entry and it's possible to change its
+# attribute unrelated to ticket policy using --{set,add}-attr
+# we need to validate/normalize them here:
+if 'mail' in entry_attrs:
+entry_attrs['mail'] = self.api.Object['user']._normalize_email(
+entry_attrs['mail']
+)
 return dn
 
 api.register(krbtpolicy_mod)
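Review bot: `self.api.Object['user']._normalize_email(...)` reaches into a private method of another plugin object; expose it as a public helper on the user object (or move the normalization into the param) so this plugin does not break silently when user.py changes. The `keys[-1] is not None` test encodes the convention that the global policy is addressed with a `None` key, which deserves a one-line comment. Only `mail` is normalized here; the other user attributes reachable through `--setattr` get range checks at most, which is fine if that is all that is needed, but the comment above the block should say so.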
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index e71c21b..d18ba18 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -176,6 +176,7 @@ class user(LDAPObject):
 label=_('GID'),
 doc=_('Group ID Number'),
 default_from=lambda uid: uid,
+minvalue=1,
 ),
 Str('street?',
 cli_name='street',
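Review bot: `minvalue=1` on `gidnumber` rejects 0, the root group, but this hunk leaves `uidnumber` in the same class untouched; check that it carries the same lower bound, since krbtpolicy now enforces `minvalue=1` for both and the two plugins should agree on what a valid ID is.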
-- 
1.7.4

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

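The login validation and normalization from the patch above, as an added example that is not part of the patch or of FreeIPA: the same `pattern`, `maxlength` and lower-casing normalizer applied in plain Python, plus two checks a reviewer would ask about. The pattern accepts at most 254 characters, so `maxlength=255` never binds; and with `re.match`, Python's `$` also matches before a trailing newline, so `fullmatch` is used for the real check. The refusal of `.` and `..` is an addition made here, not something the patch does.

```python
import re

# Constraints copied from the Str('uid') param added in the patch above.
UID_PATTERN = re.compile(r'^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$')
UID_PATTERN_ERRMSG = 'may only include letters, numbers, _, -, . and $'
UID_MAXLENGTH = 255


def normalize_uid(value):
    """The patch's normalizer: lower-case the login before it is used as a key."""
    return value.lower()


def pattern_accepts(value):
    """What the bare pattern does under re.match. Python's '$' also matches just
    before a trailing newline, so 'alice\\n' is accepted here."""
    return UID_PATTERN.match(value) is not None


def validate_uid(value):
    """Normalize, then validate the way the param would, and return the value
    that should reach LDAP. Two additions beyond the patch (assumptions made
    here): fullmatch() closes the trailing-newline loophole, and '.' / '..' are
    refused because the pattern accepts them although a login that doubles as
    a home directory name must not be either of them."""
    if not isinstance(value, str):
        raise ValueError('uid must be a string')
    value = normalize_uid(value)
    if len(value) > UID_MAXLENGTH:
        raise ValueError('uid longer than %d characters' % UID_MAXLENGTH)
    if UID_PATTERN.fullmatch(value) is None:
        raise ValueError('uid ' + UID_PATTERN_ERRMSG)
    if value in ('.', '..'):
        raise ValueError('uid must not be "." or ".."')
    return value


def rejects(value):
    """True if validate_uid refuses the value."""
    try:
        validate_uid(value)
    except ValueError:
        return True
    return False


def longest_accepted_length():
    """Longest all-letter login the pattern accepts; compare with UID_MAXLENGTH."""
    longest = 0
    for n in range(1, UID_MAXLENGTH + 2):
        if pattern_accepts('a' * n):
            longest = n
    return longest
```

A trailing `$` is accepted only as the last character (machine-account style logins such as `ws01$`), a leading `-` is refused by the first character class, and the longest login the pattern lets through is 254 characters, one short of `maxlength`.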
[Freeipa-devel] [PATCH] Validate/Normalize user attributes if set using krbtpolicy set/add-attr.

2011-04-06 Thread Pavel Zuna

Ticket #744

Pavel


freeipa-pzuna-89-validatekrbt.patch
Description: application/mbox

[Freeipa-devel] [PATCH] Fix gidnumber option of user-add command.

2011-03-28 Thread Pavel Zuna
With this patch, the gidNumber is set automatically only if it wasn't specified 
explicitly by the user.


Ticket #1127

Pavel


freeipa-pzuna-87-fixgidnumber.patch
Description: application/mbox

Re: [Freeipa-devel] [PATCH] 039 Wait for Directory Server ports to open

2011-03-15 Thread Pavel Zuna

On 03/14/2011 06:03 PM, Martin Kosek wrote:

I know this is a 2.1 ticket, but the patch is probably also a solution
of #1047 - a 2.0.5 bucket critical bug.


When Directory Server operation is run right after the server restart
the listening ports may not be opened yet. This makes the installation
fail.

This patch fixes this issue by waiting for both secure and insecure
Directory Server ports to open after every restart.

https://fedorahosted.org/freeipa/ticket/1076



ACK.

Seems to also fix #1047, as I couldn't reproduce after this patch was applied.

Pavel



Re: [Freeipa-devel] [PATCH] 752 fix SELinux AVCs

2011-03-15 Thread Pavel Zuna

On 03/14/2011 09:33 PM, Rob Crittenden wrote:

Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance.

This fixes 2 AVCS:

* One because we are enabling port 7390 because an SSL port must be
defined to use TLS on 7389.
* We were symlinking to the main IPA 389-ds NSS certificate database.
Instead generate a separate NSS database and certificate and have
certmonger track it separately

I also noticed some variable inconsistency in cainstance.py. Everywhere
else we use self.fqdn and that was using self.host_name. I found it
confusing so I fixed it.

ticket 1085



ACK!!

Pavel



[Freeipa-devel] [PATCH] Fix error in user plugin email normalizer for empty --setattr=mail=.

2011-03-03 Thread Pavel Zuna
An exception was raised when you tried to reset user email addresses and set 
new ones using:


ipa user-add SOMEUSER --setattr=mail= --addattr=mail=someu...@redhat.com

Pavel


freeipa-pzuna-85-fixemailnorm.patch
Description: application/mbox

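The failure mode reported above, as an added example that is not the user plugin's own `_normalize_email` and not part of FreeIPA: a normalizer for the `mail` attribute that treats the empty value delivered by `--setattr=mail=` as "clear the attribute" instead of raising, appends a default domain to bare local parts, and refuses anything that still is not an address. The default domain and the address check are assumptions made here (IPA reads its domain from configuration).

```python
import re

# Assumed default domain; IPA reads its own from the ipadefaultemaildomain
# config entry rather than from a constant.
DEFAULT_EMAIL_DOMAIN = 'example.com'
_ADDRESS = re.compile(r'^[^@\s]+@[^@\s]+\.[^@\s]+$')


def normalize_email(value, default_domain=DEFAULT_EMAIL_DOMAIN):
    """Normalize the value(s) of the mail attribute before they reach LDAP.

    - None, '' or a list of empty strings (what --setattr=mail= delivers)
      clears the attribute and yields [] instead of raising
    - a single string is treated as a one-element list
    - a bare local part gets '@' + default_domain appended
    - anything that still does not look like local@host.tld raises ValueError
    """
    if value is None:
        raw = []
    elif isinstance(value, str):
        raw = [value]
    else:
        raw = list(value)
    normalized = []
    for item in raw:
        if item is None:
            continue
        item = item.strip()
        if not item:
            continue  # the empty value that used to raise: just drop it
        if '@' not in item:
            item = '%s@%s' % (item, default_domain)
        if _ADDRESS.match(item) is None:
            raise ValueError('invalid e-mail address: %r' % item)
        if item not in normalized:  # keep the value list duplicate-free
            normalized.append(item)
    return normalized


def attrs_after_setattr_addattr(setattr_values, addattr_values):
    """Model how the two options combine for one attribute: --setattr replaces
    the current values, --addattr appends; the merged list is then normalized."""
    return normalize_email(list(setattr_values) + list(addattr_values))


def is_valid_email_input(value):
    try:
        normalize_email(value)
        return True
    except ValueError:
        return False
```

The combination from the report, `--setattr=mail=` followed by `--addattr=mail=someu...@redhat.com`, therefore ends up as a one-element list holding only the new address.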
Re: [Freeipa-devel] [PATCH] Fix error in user plugin email normalizer for empty --setattr=mail=.

2011-03-03 Thread Pavel Zuna

On 03/03/2011 04:23 PM, Pavel Zuna wrote:

An exception was raised when you tried to reset user email addresses and
set new ones using:

ipa user-add SOMEUSER --setattr=mail= --addattr=mail=someu...@redhat.com

Pavel




Just a correction: The example above should read 'ipa user-mod ...' ofc.

Pavel



Re: [Freeipa-devel] Localization patches.

2011-02-28 Thread Pavel Zuna

On 02/23/2011 07:09 PM, Pavel Zůna wrote:

On 2011-02-22 20:16, Rob Crittenden wrote:

Pavel Zůna wrote:

On 2011-02-17 22:52, Rob Crittenden wrote:

Pavel Zůna wrote:

On 2011-02-17 05:09, Rob Crittenden wrote:

Pavel Zůna wrote:

My efforts in fixing localization all around the framework and
preparing
it for localizing docstrings have resulted in a lot of patches.
Because
I understand they have become a bit hard to track, I decided to post
them all together in this thread to make review easier.

After this is committed, there will be one more patch that switches
xgettext for pygettext. Then hopefully, we'll be pretty much set
when it
comes to i18n.

Pavel


Patch 81 isn't applying for me.

Help is not working for me either, this is due to patch 80.

$ ipa help user
ipa: ERROR: NameError: global name '_' is not defined
Traceback (most recent call last):
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1087, in run
    api.finalize()
  File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 619, in finalize
    plugin_iter(base, (magic[k] for k in magic))
  File "/home/rcrit/redhat/freeipa-version/ipalib/base.py", line 397, in __init__
    sorted(members, key=lambda m: getattr(m, name_attr))
  File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 608, in plugin_iter
    plugins[klass] = PluginInstance(klass)
  File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 585, in __init__
    self.instance = klass()
  File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 184, in __init__
    self.doc = _(inspect.getdoc(cls))
NameError: global name '_' is not defined
ipa: ERROR: an internal error has occurred

Patches 69, 71 and 73 are still working fine.

What is switching from xgettext to pygettext going to do?


This was answered by John Dennis: xgettext doesn't parse python
docstrings.



rob


Rebased version of 81 attached. It should also fix the traceback
you're
getting.

Pavel


Something is still not working. I'm having a hard time reproducing
how I
got this but with LANG=es_US.UTF-8 for a while I was getting this with
every ipa user-* request:

ipa: ERROR: UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in position 20: ordinal not in range(128)
Traceback (most recent call last):
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1090, in run
    sys.exit(api.Backend.cli.run(argv))
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 917, in run
    rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, **options)
  File "/home/rcrit/redhat/freeipa-version/ipalib/frontend.py", line 953, in output_for_cli
    textui.print_entries(result, order, labels, flags, print_all)
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 346, in print_entries
    self.print_entry(entry, order, labels, flags, print_all, format, indent)
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 378, in print_entry
    label, value, format, indent, one_value_per_line
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 309, in print_attribute
    self.print_indented(format % (attr, text[0]), indent)
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 232, in print_indented
    print (CLI_TAB * indent + text)
UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in position 20: ordinal not in range(128)
ipa: ERROR: ha ocurrido un error interno

I think it is blowing up on this user:

User login: jose
First name: Jose
Last name: contraseñas
Home directory: /home/jose
Login shell: /bin/sh
Account disabled: TRUE
Member of groups: ipausers

Then all of a sudden things started working fine, so I'm not sure
what's
going on.

Is this traceback meaningful to you?

rob


This looks like a bug in the textui backend.

You get this error when you do something like this:

>>> a = u'\xf1'
>>> a.decode('utf-8')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.6/encodings/utf_8.py", line 16, in decode
    return codecs.utf_8_decode(input, errors, True)
UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in position 0: ordinal not in range(128)

It means we're not handling encoding/decoding from/to the CLI right
somewhere.

The character \xf1 corresponds to the small N with tilde in Jose's last
name.

I'm going to look into it, but I don't think it's related to the
localization patches.

Pavel


I'm seeing 2 test failures:


==
FAIL: Test the `ipalib.plugable.Plugin.__init__` method.
--
Traceback (most recent call last):
File /usr/lib/python2.7/site-packages/nose/case.py, line 186, in
runTest
self.test(*self.arg)
File
/home/rcrit/redhat/freeipa-tests/tests/test_ipalib/test_plugable.py,
line 237, in test_init
assert o.summary == 'Do sub-classy things.'
AssertionError

==
FAIL: Test gettext translation

Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.

2011-02-25 Thread Pavel Zuna

On 02/23/2011 11:53 PM, Simo Sorce wrote:

On Wed, 23 Feb 2011 23:41:33 +0100
Pavel Zůna <pz...@redhat.com> wrote:


On 2011-02-15 16:36, JR Aquino wrote:

On 2/15/11 6:52 AM, Simo Sorce <sso...@redhat.com> wrote:


On Tue, 15 Feb 2011 15:19:50 +0100
Pavel Zuna <pz...@redhat.com> wrote:


I can't reproduce this. :-/

For me it goes fine:

[root@ipadev tools]# ./ipa-nis-manage enable
Directory Manager password:

Enabling plugin
This setting will not take effect until you restart Directory
Server. The rpcbind service may need to be started.



Pavel,
Jr has set the minimum ssf to a non default value to test a
configuration in which all communications are required to be
encrypted. That's why you can't reproduce with the vanilla
configuration.

We want to support that mode although it won't be the default, so
we need to fix any issue that causes that configuration to break
(ie all non-encrypted/non-ldapi connections).

Simo.

--
Simo Sorce * Red Hat, Inc * New York



The best way to do this is:

-=-
service ipa stop
Edit /etc/dirsrv/slapd-DOMAIN/dse.ldif

Change:
nsslapd-minssf: 0

To:
nsslapd-minssf: 56   <- 56 is chosen because SASL communicates a 56-bit
handshake even though we utilize a much stronger cipher... (It is a
known bug/feature)

service ipa start



I tried to use the LDAPUpdate class (ipaserver/install/ldapupdate.py)
with ldapi=True, but it raises a NotFound exception when trying to
call IPAdmin.do_external_bind() (ipaserver/ipaldap.py). This
exception originates in IPAdmin.__lateinit() when trying to retrieve
this

cn=config,cn=ldbm database,cn=plugins,cn=config

For some reason it looks like this entry is inaccessible when doing a
SASL EXTERNAL bind as root.

I can retrieve the entry as cn=directory manager:



[root@vm-090 freeipa]# ldapsearch -D "cn=directory manager" -W -H ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b "cn=config,cn=ldbm database,cn=plugins,cn=config" -s one
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config,cn=ldbm database,cn=plugins,cn=config> with scope oneLevel
# filter: (objectclass=*)
# requesting: ALL
#

# default indexes, config, ldbm database, plugins, config
dn: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: default indexes

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1




but not as root:



[root@vm-090 freeipa]# ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b cn=config
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# SNMP, config
dn: cn=SNMP,cn=config
objectClass: top
objectClass: nsSNMP
cn: SNMP
nsSNMPEnabled: on

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 2.16.840.1.113730.3.4.9
cn: VLV Request Control

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2


I'm not sure what the problem is, I tried setting different SASL
security properties, but nothing helped. :( Next step is to analyze
DS logs, but before I do that, I wanted to ask if anyone has any tips
on what the solution might be.


We have very strict ACIs when using EXTERNAL SASL as root.
Is there any reason you need to operate as root ?
you can also authenticate with SIMPLE (Dir MGr credentials), or
SASL/GSSAPI if you have credentials.

If you need to run unattended as root then we may need to make
root+SASL/EXTERNAL more powerful but I'd like to understand exactly why
you need that and can't use regular authentication with DirMgr or
GSSAPI credentials.

Simo.



Thanks for advice! New version of the patch attached.

Pavel


freeipa-pzuna-78-4-toolsldapi.patch
Description: application/mbox

Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.

2011-02-15 Thread Pavel Zuna

On 02/14/2011 04:53 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

On 02/08/2011 01:06 PM, Pavel Zuna wrote:

The patch also corrects exception handling in some of the tools.

Fix #874

Pavel



Updated patch attached. Forgot to rename an identifier in exception
handling.

Pavel


This isn't applying cleanly to master, can you rebase it?

rob


Rebased patch attached.

Pavel


freeipa-pzuna-78-3-toolsldapi.patch
Description: application/mbox

Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.

2011-02-15 Thread Pavel Zuna

On 02/14/2011 04:56 PM, JR Aquino wrote:

On 2/10/11 2:42 AM, Pavel Zuna <pz...@redhat.com> wrote:


On 02/08/2011 01:06 PM, Pavel Zuna wrote:

The patch also corrects exception handling in some of the tools.

Fix #874

Pavel



Updated patch attached. Forgot to rename an identifier in exception
handling.

Pavel


NACK

It looks like LDAPUpdate calls may want to include ldapi=True?

-=-
# ipa-nis-manage enable
Directory Manager password:

Enabling plugin
Traceback (most recent call last):
  File "/usr/sbin/ipa-nis-manage", line 211, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-nis-manage", line 151, in main
    ld = LDAPUpdate(dm_password=dirman_password, sub_dict={})
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 101, in __init__
    conn.do_simple_bind(bindpw=self.dm_password)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 350, in do_simple_bind
    self.simple_bind_s(binddn, bindpw)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
    return f(*args, **kargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 207, in simple_bind_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 181, in inner
    objtype, data = f(*args, **kargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 436, in result
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
    return f(*args, **kargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 440, in result2
    res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
    return f(*args, **kargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 446, in result3
    ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
    return f(*args, **kargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
ldap.UNWILLING_TO_PERFORM: {'info': 'Minimum SSF not met.', 'desc': 'Server is unwilling to perform'}



I can't reproduce this. :-/

For me it goes fine:

[root@ipadev tools]# ./ipa-nis-manage enable
Directory Manager password:

Enabling plugin
This setting will not take effect until you restart Directory Server.
The rpcbind service may need to be started.


Pavel



Re: [Freeipa-devel] [PATCH] 050 Fix migration page

2011-02-09 Thread Pavel Zuna

On 02/09/2011 02:09 PM, Jakub Hrozek wrote:

During some UI rewrite, the password migration form completely lost the
action= field and defaulted to GET instead of POST.


ACK.

Pavel



[Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.

2011-02-08 Thread Pavel Zuna

The patch also corrects exception handling in some of the tools.

Fix #874

Pavel


freeipa-pzuna-78-toolsldapi.patch
Description: application/mbox

Re: [Freeipa-devel] [PATCH] 73 Update config doc to reflect that 0 is not allowed for search time limit.

2011-02-08 Thread Pavel Zuna

On 02/08/2011 12:34 AM, David O'Brien wrote:

Pavel Zuna wrote:

Fix #837

Pavel


/me hesitantly asks...
Doesn't this mean that 1 is illegal?

doc=_('Max. amount of time (sec.) for a search (> 1 or -1 for unlimited)'),

Neither is there any mention of zero being illegal. It may be implicit
or self-evident, but I don't rely on that in doc. I'd be inclined to
change it to (> 0, or -1 for unlimited) but remember, I'm not a coder :)

cheers



You're right. :)

Fixed version attached.

Pavel


freeipa-pzuna-73-2-configdoc.patch
Description: application/mbox

[Freeipa-devel] [PATCH] 72 Set minimum for Kerberos policy max life and max renew

2011-02-07 Thread Pavel Zuna

Fix #847

Pavel


freeipa-pzuna-72-krbtpmin.patch
Description: application/mbox

[Freeipa-devel] [PATCH] 73 Update config doc to reflect that 0 is not allowed for search time limit.

2011-02-07 Thread Pavel Zuna

Fix #837

Pavel


freeipa-pzuna-73-configdoc.patch
Description: application/mbox

[Freeipa-devel] [PATCH] 76 Fallback to default locale (en_US) if env. setting is corrupt.

2011-02-07 Thread Pavel Zuna

This is a follow-up to my patches 69 and 71 (70 is garbage).

It prevents a crash when user misconfigures his locale settings.

Pavel


freeipa-pzuna-76-deflocale.patch
Description: application/mbox

[Freeipa-devel] [PATCH] 77 Update krbtpolicy doc to inform that restarting krb5kdc might be needed.

2011-02-07 Thread Pavel Zuna
It seems that restarting krb5kdc is only needed when changes to the global 
policy are made. Per-user policies take effect immediately for newly requested 
tickets. Can someone please confirm?


Fix #844

Pavel


freeipa-pzuna-77-krbtpdoc.patch
Description: application/mbox

Re: [Freeipa-devel] [PATCH] Remove deprecated i18n code from ipalib.request and all references to it.

2011-02-04 Thread Pavel Zuna

On 02/02/2011 09:36 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

This ticket effectively fixes the translation of exception messages.

Ticket #903

Pavel



On hold for now, see also patch 'Translate exception messages on the
client side.'

rob


This should get pushed for the translation in exceptions to work. It only 
removes the defunct code and replaces it with something functional.


Pavel



[Freeipa-devel] [PATCH] Send Accept-Language header over XML-RPC and translate on server.

2011-02-04 Thread Pavel Zuna
This patch makes the ipa client send the Accept-Language header, so that the 
server can translate things like exceptions, that cannot be translated on the 
client.


It also fixes the language recognition for the webUI. The values in the 
Accept-Language header are a bit different from what the LANG variable accepts 
as a valid locale, so some additional parsing was needed.

For example:
 Accept-Language: es-es;q=1
needs to translate to
 es_ES
otherwise it won't be recognized by gettext

Fix #904
Fix #917

Pavel


freeipa-pzuna-71-acceptlang.patch
Description: application/mbox

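The Accept-Language parsing described above, as an added example that is not the patch's own code and not part of FreeIPA: a parser that ranks the header's entries by their q-value, rewrites each tag into the form gettext expects (`es-es` becomes `es_ES`), drops anything that is not a syntactically valid tag, and picks the best catalogue out of those available. The tag grammar is deliberately narrow: `gettext.find()` builds a filesystem path from each language name it is given, so only clean tags should ever reach it from an untrusted request header. The locale lists used are constructed here.

```python
import re

_SUBTAG = re.compile(r'^[A-Za-z0-9]{1,8}$')


def _to_gettext_locale(tag):
    """'es-es' -> 'es_ES', 'en' -> 'en', 'zh-Hant-TW' -> 'zh_TW'.
    Returns None for anything that is not a plain language tag, which keeps
    path-like garbage out of gettext's catalogue lookup."""
    parts = tag.split('-')
    if not all(_SUBTAG.match(p) for p in parts) or not parts[0].isalpha():
        return None
    lang = parts[0].lower()
    region = next((p.upper() for p in parts[1:] if len(p) == 2 and p.isalpha()), None)
    return lang + '_' + region if region else lang


def parse_accept_language(header):
    """Parse an Accept-Language value into [(gettext_locale, q), ...], highest
    q first, ties in header order; malformed tags and q<=0 entries are dropped."""
    ranked = []
    for position, item in enumerate(header.split(',')):
        fields = [f.strip() for f in item.split(';')]
        tag, q = fields[0], 1.0
        if not tag:
            continue
        for f in fields[1:]:
            if f.lower().startswith('q='):
                try:
                    q = float(f[2:])
                except ValueError:
                    q = 0.0
        q = min(max(q, 0.0), 1.0)
        if q <= 0:
            continue
        locale = '*' if tag == '*' else _to_gettext_locale(tag)
        if locale is None:
            continue
        ranked.append((locale, q, position))
    ranked.sort(key=lambda t: (-t[1], t[2]))
    return [(locale, q) for locale, q, _ in ranked]


def choose_locale(header, available, default='en_US'):
    """Pick the best available catalogue: an exact match first, otherwise one
    with the same language; '*' or no usable entry falls back to the default."""
    for locale, _q in parse_accept_language(header):
        if locale == '*':
            return default
        if locale in available:
            return locale
        lang = locale.split('_')[0]
        for candidate in available:
            if candidate.split('_')[0] == lang:
                return candidate
    return default
```

`es-es;q=1` from the mail comes out as `es_ES`, a `fr-CA` request is served from an `fr_FR` catalogue when that is all that exists, and a tag such as `../../etc` never reaches the catalogue lookup at all.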
Re: [Freeipa-devel] python i18n options

2011-02-04 Thread Pavel Zuna

On 02/03/2011 05:13 PM, John Dennis wrote:

On 02/03/2011 09:34 AM, Pavel Zuna wrote:

Python 2.6+ provides secure ways to encode and decode
literal types to/from strings.


I'm not sure what you mean by this, could you elaborate please?


http://docs.python.org/library/ast.html#ast.literal_eval

We could use it to send data about the exception and have the client translate 
it for itself. However I decided to drop this idea, because it would require 
changes in a lot of places where we construct exceptions and that's just not 
worth it.





Summary:

Unless we agree on a better way; I'm going to try the pygettext patch
and see
how usable it is. If it's not then I'll try the solution with merging
pygettext
and xgettext output. We also need to rethink the PublicError class and
its
encoding/decoding in {JSON,XML}-RPC to have them translated on the
client.


I think your proposal sounds fine if we expect the message catalog on
the client to be in sync with the server. I'm not sure that's a good
assumption. When they drift apart the effect will be that some messages
appear localized and others won't. That will be a poor user experience.
One way we could address this problem is by following the web model. The
client sends their language preference in each request. When the server
responds it performs the message translation prior to sending it back to
the client. We're already doing this for the web UI, any reason not to
follow the same model for other clients?


Yes, we're going to use the same model in the end. Already posted a patch on the 
list that does just that (71).



I can't comment on the quality of the upstream pygettext patch, but one
way to find out is to start using it :-)


That's exactly what I'm planning to do. :)

Pavel



[Freeipa-devel] python i18n options

2011-02-03 Thread Pavel Zuna
I've been playing around with localizing python strings for a while and this is 
what I figured out:


Currently we use xgettext to get strings to be translated from python files. 
From within Python we call the gettext library wrapped in ipalib/text.py 
classes to provide on-request translation. We need on-request translation, so 
that we can translate strings on the client.


Apart from the classes in ipalib/text.py, there are also localization functions 
in ipalib/request.py. These functions are old and deprecated. Despite this they 
are still used when translating exception messages. That's why exceptions aren't 
currently being localized. Rob posted a patch recently that fixes this, but it 
wasn't fixing the problem at its root. There's another patch by me (69: Remove 
deprecated i18n code...) that removes references to ipalib/request.py and 
replaces them with ipalib/text.py classes.


This patch should definitely be accepted. It doesn't change anything - it just 
removes code that shouldn't be there anyway.


There's another problem with exceptions. They are localized when they are first 
created on the server. When transmitting exceptions from server to client, the 
data is wrapped in a xmlrpclib.Fault class. This class can only contain an error 
code and string making it impossible to reconstruct on the client especially if 
it contains template strings (i.e. '%(reason)s').


I propose we change the way exceptions are created and encode information about 
them as Fault string data. We can then reconstruct them on the client and perform 
localization there. Python 2.6+ provides secure ways to encode and decode 
literal types to/from strings. This will require changes to the PublicError class.


Now there's the issue of localizing the built-in help system ('ipa help'), which 
translates to localizing python docstrings. xgettext can't do that on its own. 
There's an alternative called pygettext. Unfortunately pygettext can't handle 
ngettext strings (meaning strings that have a singular and plural 
form). I found two solutions around this:


1) a) use both xgettext and pygettext
   b) merge the resulting .po files
   c) use msguniq utility to get unique translatable strings

2) there's a patch for pygettext to handle ngettext strings

Solution 1) will probably work fine, but it's not very effective. I would 
prefer the second solution, but I still have to determine how good the patch is 
since it was sent by some random guy on the python mailing list.


Links:
http://bugs.python.org/issue8502
http://bugs.python.org/file17639/pygettext.py.patch

Opinions?

Summary:

Unless we agree on a better way, I'm going to try the pygettext patch and see 
how usable it is. If it's not then I'll try the solution with merging pygettext 
and xgettext output. We also need to rethink the PublicError class and its 
encoding/decoding in {JSON,XML}-RPC to have them translated on the client.


Pavel

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
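The proposal in Pavel's message above, carrying the error's data through the Fault string and rebuilding and translating it on the client, as an added example that is not FreeIPA code. `PublicError`, `DuplicateEntry`, `to_fault`, `from_fault` and `CATALOG` are hypothetical names; the catalog is a constructed stand-in for a gettext translation, and Python 3's `xmlrpc.client.Fault` stands in for the `xmlrpclib.Fault` the message refers to. The "secure way to decode literal types" is `ast.literal_eval`, which accepts only Python literals, so a Fault string that is an expression or a call is rejected instead of being executed.

```python
"""Round-trip a localizable error through an XML-RPC Fault (added example)."""
import ast
from xmlrpc.client import Fault

# Constructed stand-in for gettext: language -> {msgid: translation}.
CATALOG = {
    'es': {
        'Entry %(name)s already exists': 'La entrada %(name)s ya existe',
    },
}


class PublicError(Exception):
    """Error that keeps its untranslated template and substitution values.

    `format` is the gettext msgid; `kw` holds the %(name)s values. Translation
    is deferred until a client with a known locale renders the message.
    """
    errno = 900
    format = 'Internal error'

    def __init__(self, **kw):
        self.kw = kw
        super().__init__(self.format % kw)

    def localize(self, lang):
        """Render the message in `lang`, falling back to the msgid."""
        template = CATALOG.get(lang, {}).get(self.format, self.format)
        return template % self.kw


class DuplicateEntry(PublicError):
    errno = 4002
    format = 'Entry %(name)s already exists'


# Hypothetical registry so the client can map a fault code back to a class.
ERRORS_BY_CODE = {cls.errno: cls for cls in (PublicError, DuplicateEntry)}


def to_fault(err):
    """Server side: pack the error into the two fields a Fault can carry."""
    # repr() of a dict of literals is itself a Python literal, which the
    # client can parse back without evaluating arbitrary code.
    return Fault(err.errno, repr(err.kw))


def from_fault(fault):
    """Client side: rebuild the PublicError instance from a received Fault."""
    cls = ERRORS_BY_CODE.get(fault.faultCode, PublicError)
    try:
        # literal_eval only builds str/int/float/dict/list/tuple/None/bool;
        # a string such as "__import__('os').system('id')" raises ValueError.
        kw = ast.literal_eval(fault.faultString)
    except (ValueError, SyntaxError) as e:
        raise ValueError('fault payload is not a Python literal: %s' % e)
    if not isinstance(kw, dict) or not all(isinstance(k, str) for k in kw):
        raise ValueError('fault payload must be a dict with string keys')
    return cls(**kw)


def localized_roundtrip(err, lang):
    """Server raises `err`; the client receives the Fault and renders it."""
    return from_fault(to_fault(err)).localize(lang)


def rejects_payload(payload):
    """True when from_fault refuses a Fault string that is not a dict literal."""
    try:
        from_fault(Fault(4002, payload))
    except ValueError:
        return True
    return False


if __name__ == '__main__':
    print(localized_roundtrip(DuplicateEntry(name='kfrog'), 'es'))
    print(rejects_payload("__import__('os').system('id')"))
```

The server never translates, so the `LANG` of the server process is irrelevant; the client picks the catalog. Keeping `repr`/`literal_eval` as the only codec also means the client's trust in the server is limited to the values of the substitution dictionary, never to code.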


[Freeipa-devel] [PATCH] Fix crash in ipa help for NO_CLI plugins.

2011-02-02 Thread Pavel Zuna

Fix #854

Pavel
From 6c9f25fa6c50034db4967e64590cc9d46bdf8e0b Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Wed, 2 Feb 2011 12:47:34 -0500
Subject: [PATCH] Fix crash in ipa help for NO_CLI plugins.

Fix #854
---
 ipalib/cli.py |   16 ++--
 1 files changed, 2 insertions(+), 14 deletions(-)

diff --git a/ipalib/cli.py b/ipalib/cli.py
index 5543301..9735d2e 100644
--- a/ipalib/cli.py
+++ b/ipalib/cli.py
@@ -730,19 +730,6 @@ class help(frontend.Local):
 for t in topics:
 topic = self._topics[t]
 print '  %s  %s' % (to_cli(t).ljust(self._mtl), topic[0])
-
-if False:
-topic_commands = self._topics[t][2]
-mod_list = [self._get_command_module(c.module) for c in topic_commands]
-mod_list = list(set(mod_list))
-
-for mod in mod_list:
-m = '%s.%s' % (self._PLUGIN_BASE_MODULE, mod)
-if 'topic' in dir(sys.modules[m]):
-doc = sys.modules[m].topic[1]
-else:
-doc = (sys.modules[m].__doc__ or '').strip().split('\n', 1)[0]
-print '  %s  %s' % (to_cli(t).ljust(self._mtl), doc)
 print ''
 print 'Try `ipa --help` for a list of global options.'
 
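Review bot: this hunk only deletes the `if False:` block, which was already unreachable, so it is cleanup rather than part of the crash fix the subject line describes; say so in the commit message, and check whether `sys` (used only inside the deleted block in what is visible here) is still referenced elsewhere in cli.py before keeping its import.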
@@ -759,6 +746,7 @@ class help(frontend.Local):
 mcl = self._topics[topic][1]
 commands = self._topics[topic][2]
 else:
+commands = []
 for t in self._topics:
 if type(self._topics[t][2]) is not dict:
 continue
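Review bot: `commands = []` is the real fix for #854: without it, when the topic is not in `self._topics` and the loop below never assigns `commands`, the `len(commands)` check further down raises UnboundLocalError. A regression test that runs `ipa help` on a topic whose plugins are all NO_CLI would keep this from coming back.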
@@ -772,8 +760,8 @@ class help(frontend.Local):
 doc = (sys.modules[m].__doc__ or '').strip()
 
 print doc
-print ''
 if len(commands)  1:
+print ''
 print 'Topic commands:'
 for c in commands:
 print '  %s  %s' % (to_cli(c.name).ljust(mcl), c.summary)
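Review bot: the comparison operator in `if len(commands)  1:` has been lost in the archived rendering; if it is `> 1`, a topic with exactly one command prints neither the blank line nor the "Topic commands:" header and that command is never listed, so `if commands:` (or `>= 1`) looks like the intended condition. Moving `print ''` inside the branch is right, since the blank line only separates the command list from the doc.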
-- 
1.7.1.1


[Freeipa-devel] [PATCH] Fix minor bug in host-add logic.

2011-02-02 Thread Pavel Zuna

Fix #798

Pavel
From c5872d7d532429341c86cf1ba10a24709b510664 Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Wed, 2 Feb 2011 13:47:21 -0500
Subject: [PATCH] Fix minor bug in host-add logic.

Ticket #798
---
 ipalib/plugins/host.py |4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index d5c5174..e3f38fc 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -323,9 +323,9 @@ class host_add(LDAPCreate):
 entry_attrs['krbprincipalname'] = 'host/%s@%s' % (
 keys[-1], self.api.env.realm
 )
-if 'krbprincipalaux' not in entry_attrs:
+if 'krbprincipalaux' not in entry_attrs['objectclass']:
 entry_attrs['objectclass'].append('krbprincipalaux')
-if 'krbprincipal' not in entry_attrs:
+if 'krbprincipal' not in entry_attrs['objectclass']:
 entry_attrs['objectclass'].append('krbprincipal')
 else:
 if 'krbprincipalaux' in entry_attrs['objectclass']:
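Review bot: the fix makes the `if` branch test `entry_attrs['objectclass']` like the `else` branch already does, so the two object classes are no longer appended unconditionally. Object class names are case-insensitive in LDAP, though, so a pre-existing `krbPrincipalAux` would not match `'krbprincipalaux'` and would be added a second time; either normalise the list to lower case before the membership test or document that `entry_attrs['objectclass']` is always lower-cased by the time this runs.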
-- 
1.7.1.1


Re: [Freeipa-devel] [PATCH] 698 Translate exception messages

2011-02-02 Thread Pavel Zuna

On 02/01/2011 11:36 PM, Rob Crittenden wrote:

Pavel mentioned this morning that translations didn't seem to be
working. I remembered that I did some things on the cli so I re-tested.
Turned out that exceptions aren't being translated.

I'm not at all sure this patch does the right thing, so take it with a
grain of salt. What it does is translate the message before stuffing it
into the exception.

Note that this will also translate messages returned via XML-RPC so I
wonder if we need to force LANG to en_US.UTF-8 there.

In any case, this seems to fix the client side anyway. I'm open to
criticism on this one.

To test do something like:

$ kinit admin
$ export LANG=es_US.UTF-8
$ ipa user-add --first=Kermit --last=Frog kfrog
$ ipa user-add --first=Kermit --last=Frog kfrog

You should get a DuplicateEntry() response in Spanish.

rob



nack.

While this patch works, it doesn't solve the problem at its root.

After some investigation I figured out that functions initializing translations 
in ipalib/request.py are not called from anywhere. All the translation code in 
ipalib/request.py is currently deprecated in favor of ipalib/text.py. I'm 
preparing a patch that removes the unused code and replaces references to it.


Pavel



[Freeipa-devel] [PATCH] Remove deprecated i18n code from ipalib.request and all references to it.

2011-02-02 Thread Pavel Zuna

This ticket effectively fixes the translation of exception messages.

Ticket #903

Pavel
From b051be4d816f94ebab3fc932b3d2372d1cf0345a Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Wed, 2 Feb 2011 15:37:14 -0500
Subject: [PATCH] Remove deprecated i18n code from ipalib/request and all references to it.

Ticket #903
---
 ipalib/errors.py  |2 +-
 ipalib/parameters.py  |2 +-
 ipalib/request.py |   40 -
 tests/test_ipalib/test_request.py |  161 -
 4 files changed, 2 insertions(+), 203 deletions(-)
 delete mode 100644 tests/test_ipalib/test_request.py

diff --git a/ipalib/errors.py b/ipalib/errors.py
index 20cd52b..63648d2 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -101,7 +101,7 @@ current block assignments:
 
 
 from inspect import isclass
-from request import ugettext, ungettext
+from text import _ as ugettext, ngettext as ungettext
 from constants import TYPE_ERROR
 
 
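Review bot: aliasing `text._` and `text.ngettext` to the old names `ugettext`/`ungettext` keeps the call sites in errors.py unchanged, but the semantics differ: the removed request.ugettext returned a decoded unicode string immediately, while text.py provides the on-request (deferred) translation Pavel describes earlier in the thread. Any code in errors.py that concatenates or `%`-formats the result right away should be checked against the deferred object, or the import should name `_` directly so readers see the change.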
diff --git a/ipalib/parameters.py b/ipalib/parameters.py
index 22b0321..23177b3 100644
--- a/ipalib/parameters.py
+++ b/ipalib/parameters.py
@@ -102,7 +102,7 @@ a more detailed description for clarity.
 import re
 from types import NoneType
 from util import make_repr
-from request import ugettext
+from text import _ as ugettext
 from plugable import ReadOnly, lock, check_name
 from errors import ConversionError, RequirementError, ValidationError
 from errors import PasswordMismatch
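Review bot: same aliasing as in errors.py; cli.py in this series already does `from text import _`, so importing `_` under its own name here (and renaming the few callers) would be more consistent than keeping the deprecated `ugettext` name alive as an alias.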
diff --git a/ipalib/request.py b/ipalib/request.py
index 9a11fb9..15b26f5 100644
--- a/ipalib/request.py
+++ b/ipalib/request.py
@@ -23,8 +23,6 @@ Per-request thread-local data.
 
 
 import threading
-import locale
-import gettext
 from base import ReadOnly, lock
 from constants import OVERRIDE_ERROR, CALLABLE_ERROR
 
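Review bot: `import threading` stays, presumably because `context` is a `threading.local`, but `OVERRIDE_ERROR` on the line below was used only by the `set_languages` function removed in the next hunk; if nothing else in request.py references it, drop it from the `constants` import as well.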
@@ -58,41 +56,3 @@ def destroy_context():
 value.disconnect()
 context.__dict__.clear()
 
-
-def ugettext(message):
-if hasattr(context, 'ugettext'):
-return context.ugettext(message)
-return message.decode('UTF-8')
-
-
-def ungettext(singular, plural, n):
-if hasattr(context, 'ungettext'):
-return context.ungettext(singular, plural, n)
-if n == 1:
-return singular.decode('UTF-8')
-return plural.decode('UTF-8')
-
-
-def set_languages(*languages):
-if hasattr(context, 'languages'):
-raise StandardError(OVERRIDE_ERROR %
-('context', 'languages', context.languages, languages)
-)
-if len(languages) == 0:
-languages = locale.getdefaultlocale()[:1]
-context.languages = languages
-assert type(context.languages) is tuple
-
-
-def create_translation(domain, localedir, *languages):
-if hasattr(context, 'ugettext') or hasattr(context, 'ungettext'):
-raise StandardError(
-'create_translation() already called in thread %r' %
-threading.currentThread().getName()
-)
-set_languages(*languages)
-translation = gettext.translation(domain,
-localedir=localedir, languages=context.languages, fallback=True
-)
-context.ugettext = translation.ugettext
-context.ungettext = translation.ungettext
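Review bot: the diffstat lists only errors.py and parameters.py as callers being repointed, so confirm with a grep that no other module (ipaserver, tests) still calls `request.ugettext`, `request.ungettext`, `set_languages` or `create_translation` before removing them. Worth noting in the commit message: `set_languages` defaulted to `locale.getdefaultlocale()`, i.e. the server process locale, so its removal also removes the last place where server-side translation was tied to the server's LANG.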
diff --git a/tests/test_ipalib/test_request.py b/tests/test_ipalib/test_request.py
deleted file mode 100644
index 548156d..000
--- a/tests/test_ipalib/test_request.py
+++ /dev/null
@@ -1,161 +0,0 @@
-# Authors:
-#   Jason Gerard DeRose jder...@redhat.com
-#
-# Copyright (C) 2008  Red Hat
-# see file 'COPYING' for use and warranty contextrmation
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see http://www.gnu.org/licenses/.
-
-
-Test the `ipalib.request` module.
-
-
-import threading
-import locale
-from tests.util import raises, assert_equal
-from tests.util import TempDir, dummy_ugettext, dummy_ungettext
-from ipalib.constants import OVERRIDE_ERROR
-from ipalib import request
-
-
-def test_ugettext():
-
-Test the `ipalib.request.ugettext` function.
-
-f = request.ugettext
-context = request.context
-message = 'Hello, world!'
-
-# Test with no context.ugettext:
-assert not hasattr(context, 'ugettext')
-assert_equal(f(message), u'Hello, world!')
-
-# Test with dummy context.ugettext:
-assert not hasattr(context, 'ugettext')
-dummy = dummy_ugettext()
-context.ugettext = dummy
-assert f(message) is dummy.translation
-assert dummy.message is message
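Review bot: deleting tests/test_ipalib/test_request.py removes the only visible tests for the fallback behaviour (plain `str` decoded to unicode, singular/plural selection by `n`); if test_text does not already cover the equivalent paths through `text._` and `text.ngettext`, port those assertions there in the same patch so the replacement is not left untested.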

Re: [Freeipa-devel] [PATCH] Make 'ipa help' localizable.

2011-02-01 Thread Pavel Zuna

On 02/01/2011 03:08 PM, John Dennis wrote:

On 02/01/2011 08:16 AM, Pavel Zuna wrote:

For a long time, I was trying to find a way to localize python docstrings that
we use to generate the built-in documentation system. Unfortunately, python
docstrings aren't meant to be localized and therefore I had to use a dirty
trick: setting the __doc__ variable manually to a gettext instance.

There is one major disadvantage: tools that generate developer documentation
(like epydoc) won't display docstrings set like this.

One solution would be to have docstrings twice in each module: once normally and
once set using __doc__, but that would be very ugly.

This patch doesn't update .po files, because it's already big as it is. They are
regenerated automatically anyway.

Ticket #179

Pavel


Hi Pavel:

I'm not sure this is the right approach. What we really want is to be
able to extract the docstrings and put them in a pot file. Normally
xgettext is used to extract translatable strings but I don't think the
python parser in xgettext is docstring aware (we should probably confirm
that).

However pygettext in the python-tools package is docstring aware. From
its help text:

-D
--docstrings
Extract module, class, method, and function docstrings. These do
not need to be wrapped in _() markers, and in fact cannot be for
Python to consider them docstrings. (See also the -X option).

So rather than changing all the source code and making it non-standard I
think we're better off using a more appropriate tool when building the
pot file.

Use of pygettext is discussed and documented in this Python
documentation link:

http://docs.python.org/library/gettext.html#internationalizing-your-programs-and-modules


You can find an interesting discussion of the docstring extraction issue
in this thread:

http://mail.python.org/pipermail/i18n-sig/2001-August/001292.html

BTW, Barry Warsaw is the man behind Mailman and is one of the Python
community luminaries.




Thanks for the tips! I'll see what I can do.

Pavel



[Freeipa-devel] [PATCH] Add ldap2 method to retrieve allowed attributes for specified objectClasses.

2011-01-25 Thread Pavel Zuna

ldap2.get_allowed_attributes(['posixuser'])

returns a list of unicode all lower case attribute names allowed for the object 
class 'posixuser'


You can enter as many object classes as you want.

Pavel
From 044476963a96136f951ccf8232debc1b1c48513f Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Tue, 25 Jan 2011 15:24:03 -0500
Subject: [PATCH 1/2] Add ldap2 method to retrieve allowed attributes for specified objectClasses.

ldap2.get_allowed_attribute(['posixuser'])

returns a list of unicode all lower case attribute names allowed
for the object class 'posixuser'
---
 ipaserver/plugins/ldap2.py |   20 +---
 1 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 86ea3f8..7490dfb 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -266,6 +266,16 @@ class ldap2(CrudBackend, Encoder):
 else:
 return None
 
+def get_allowed_attributes(self, objectclasses):
+if not self.schema:
+return []
+allowed_attributes = []
+for oc in objectclasses:
+obj = self.schema.get_obj(_ldap.schema.ObjectClass, oc)
+if obj is not None:
+allowed_attributes += obj.must + obj.may
+return [unicode(a).lower() for a in list(set(allowed_attributes))]
+
 def get_single_value(self, attr):
 
 Check the schema to see if the attribute is single-valued.
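Review bot: `obj.must + obj.may` collects only the attributes declared directly on each object class; attributes inherited through the class's SUP chain are not included, so a caller validating against this list (as config_mod does in the follow-up patch) will reject attributes that the schema actually allows unless every superior class is passed as well. Walk `obj.sup` recursively through `self.schema.get_obj`, or document that callers must list the full class hierarchy.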
@@ -597,15 +607,19 @@ class ldap2(CrudBackend, Encoder):
 Keyword arguments:
 attrs_list - list of attributes to return, all if None (default None)
 
-return self.find_entries(None, attrs_list, dn, self.SCOPE_BASE, time_limit=time_limit, size_limit=size_limit, normalize=normalize)[0][0]
+return self.find_entries(
+None, attrs_list, dn, self.SCOPE_BASE, time_limit=time_limit,
+size_limit=size_limit, normalize=normalize
+)[0][0]
 
 config_defaults = {'ipasearchtimelimit': [2], 'ipasearchrecordslimit': [0]}
-def get_ipa_config(self):
+def get_ipa_config(self, attrs_list=None):
 Returns the IPA configuration entry (dn, entry_attrs).
 cdn = %s,%s % (api.Object.config.get_dn(), api.env.basedn)
 try:
 (cdn, config_entry) = self.find_entries(
-base_dn=cdn, scope=self.SCOPE_BASE, time_limit=2, size_limit=10
+None, attrs_list, base_dn=cdn, scope=self.SCOPE_BASE,
+time_limit=2, size_limit=10
 )[0][0]
 except errors.NotFound:
 config_entry = {}
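Review bot: `None, attrs_list` are now passed positionally while `base_dn=`, `scope=` on the same call are keywords; use `attrs_list=attrs_list` so the call does not depend on find_entries' positional order. The whitespace-only reflow of get_entry's `return` above is unrelated to the new method and would be cleaner as a separate commit.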
-- 
1.7.1.1


[Freeipa-devel] [PATCH] Raise ValidationError when adding unallowed attribute to search fields.

2011-01-25 Thread Pavel Zuna

Depends on my previous patch number 64 (posted on the list 2 minutes ago).

Ticket #845

Pavel
From 275f22f718af14f3f3c5e29c1f03471ab152b386 Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Tue, 25 Jan 2011 15:25:52 -0500
Subject: [PATCH 2/2] Raise ValidationError when adding unallowed attribute to search fields.

Ticket #845
---
 ipalib/plugins/config.py |   16 
 1 files changed, 16 insertions(+), 0 deletions(-)

diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index ccd06ca..f779732 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -198,6 +198,22 @@ class config_mod(LDAPUpdate):
 api.Command['group_show'](group)
 except errors.NotFound:
 raise errors.NotFound(message=unicode(The group doesn't exist))
+kw = {}
+if 'ipausersearchfields' in entry_attrs:
+kw['ipausersearchfields'] = 'ipauserobjectclasses'
+if 'ipagroupsearchfields' in entry_attrs:
+kw['ipagroupsearchfields']  = 'ipagroupobjectclasses'
+if kw:
+config = ldap.get_ipa_config(kw.values())
+for (k, v) in kw.iteritems():
+allowed_attrs = ldap.get_allowed_attributes(config[1][v])
+fields = entry_attrs[k].split(',')
+for a in fields:
+a = a.strip()
+if a not in allowed_attrs:
+raise errors.ValidationError(
+name=k, error='attribute %s not allowed' % a
+)
 return dn
 
 api.register(config_mod)
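Review bot: the membership test is case-sensitive on the user's side only: get_allowed_attributes lower-cases its result, but `a = a.strip()` leaves the submitted name as typed, so `--usersearch=uid,givenName` is rejected even though `givenname` is allowed; use `a.strip().lower()`. Also, `config[1][v]` raises KeyError when get_ipa_config fell back to `{}` (its NotFound branch in the previous patch) or when the objectclasses attribute is absent, which would surface as an internal error rather than a ValidationError; guard with `.get(v, [])`.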
-- 
1.7.1.1


Re: [Freeipa-devel] [PATCH] test speedup patch

2011-01-19 Thread Pavel Zuna

On 01/19/2011 04:17 AM, Rob Crittenden wrote:

Rob Crittenden wrote:

Rob Crittenden wrote:

Attached is a rough cut of a patch to try to speed up the cli a little
bit. Basically in production mode it will skip some things during
initialization.

My concept is that we develop in mode != production and release in mode
== production.

I managed to knock a second or so off time to do a user-show on average.

There may be some other things we can do to speed things up, I'm still
looking. Some feedback on the approach would be appreciated.

Note that I've completely ruled out SSL/Negotiate. I did my testing on
lite-server which doesn't use SSL or Negotiate and it was STILL taking
on average 3-4+ seconds per command. The server side was consistently
taking  1 second to complete.

rob


oh, and the patch.


I ran a couple of moderate tests this evening that executed 42 separate
operations like add, delete, and managing group membership. I ran this
10 times each on 2 identical VMs, one with a bit older code and one with
this patch then averaged the times.

With the patch the average was 1.3 seconds per operation, without 2.6. A
50% improvement is more than I expected, I saw a 33% improvement on
individual runs. I'll keep at it but this seems promising. I was also a
bit surprised that the average time without the patch was so low, I was
expecting something over 3 seconds.

Specifically what this patch does is it avoids doing some
self-validation. There is some amount of risk that the framework could
blow up but in a deployed situation I think the risk is rather low.

A side-effect of the API tester makeapi is that it loads the framework.
We can force it to be run in production mode so the product shouldn't be
buildable if it has inconsistencies.

rob



I find it hard to believe this patch causes such a big improvement in 
performance, especially the parts skipping asserts; those shouldn't be 
significantly slower than your average ifs. Instance locking shouldn't be a time 
consuming operation either.


Bypassing check routines for parameter namespaces might provide a performance 
boost as it is called for every single plugin we have (~250). On the other hand, 
it is only used for positional arguments and most plugins only have 1 or 2 of those.


Personally, I would do some more tests on a single machine, because there's no 
guarantee that two VMs with an identical image have the same performance.


If it really provides a significant improvement, then it's awesome, because I 
like the philosophy of this patch. It removes self-checking and instance 
locking, which is completely useless in a production environment and kind of 
limiting in non-production. I think there are more places like this in the framework.


Long story short:
It's improbable, but not impossible, for the changes introduced by this patch to 
cause such a big performance improvement. Even if it doesn't, the patch is still 
good.


Pavel



Re: [Freeipa-devel] [PATCH] Enable custom list of attributes to retrieve effective rights.

2011-01-18 Thread Pavel Zuna

On 01/07/2011 08:59 PM, Rob Crittenden wrote:

Pavel Zůna wrote:

LDAPObject sub-classes can define a custom list of attributes for
effective rights retrieval.

Fix #677

Pavel



Nack. --rights should only return data when --all is also included.

Otherwise it looks ok.

rob


Fixed version attached.

Pavel
From abfe7eb176534b1d7cf0deae81f1bd2c2ebb7aef Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Thu, 30 Dec 2010 08:48:12 -0500
Subject: [PATCH] Enable custom list of attributes to retrieve effective rights.

Fix #677
---
 ipalib/plugins/baseldap.py |   34 ++
 ipalib/plugins/config.py   |4 
 2 files changed, 22 insertions(+), 16 deletions(-)

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index e7ccb77..27d5950 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -166,20 +166,6 @@ def get_attributes(attrs):
 return attrlist
 
 
-def get_effective_rights(ldap, dn, attrs=None):
-if attrs is None:
-attrs = ['*', 'nsaccountlock', 'cospriority']
-rights = ldap.get_effective_rights(dn, attrs)
-rdict = {}
-if 'attributelevelrights' in rights[1]:
-rights = rights[1]['attributelevelrights']
-rights = rights[0].split(', ')
-for r in rights:
-(k,v) = r.split(':')
-rdict[k.strip().lower()] = v
-
-return rdict
-
 def wait_for_memberof(keys, entry_start, completed, show_command, adding=True):
 
 When adding or removing reverse members we are faking an update to
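Review bot: removing the module-level `get_effective_rights` breaks any importer outside baseldap.py; the diffstat touches only baseldap.py and config.py, so a grep over ipalib/plugins for the old name should be mentioned in the commit message as having been done.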
@@ -244,6 +230,7 @@ class LDAPObject(Object):
 search_attributes_config = None
 default_attributes = []
 hidden_attributes = ['objectclass', 'aci']
+rights_attributes = ['*', 'nsaccountlock', 'cospriority']
 # set rdn_attribute only if RDN attribute differs from primary key!
 rdn_attribute = ''
 uuid_attribute = ''
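Review bot: `rights_attributes` is a mutable class-level list shared by every LDAPObject subclass; config in this patch extends it by concatenation, which is the safe pattern, but a one-line comment like the one above `rdn_attribute` saying subclasses must rebind rather than `.append()` would stop a later plugin from mutating the shared default.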
@@ -301,6 +288,19 @@ class LDAPObject(Object):
 pass
 return dn[len(self.primary_key.name) + 1:dn.find(',')]
 
+def get_effective_rights(self, dn, attrs=None):
+rdict = {}
+if attrs is None:
+attrs = self.rights_attributes
+rights = self.backend.get_effective_rights(dn, attrs)
+if 'attributelevelrights' in rights[1]:
+rights = rights[1]['attributelevelrights']
+rights = rights[0].split(', ')
+for r in rights:
+(k, v) = r.split(':')
+rdict[k.strip().lower()] = v
+return rdict
+
 def get_ancestor_primary_keys(self):
 if self.parent_object:
 parent_obj = self.api.Object[self.parent_object]
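Review bot: `(k, v) = r.split(':')` raises ValueError if an entry in attributelevelrights ever contains a second colon, and `rights[0]` assumes the attribute is single-valued; `r.split(':', 1)` and iterating over all values are cheap hardening. When the attribute is missing the method returns an empty dict, which the caller stores as the entry's rights and presents as "no rights" rather than "server did not return rights"; consider logging that case.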
@@ -688,7 +688,8 @@ class LDAPRetrieve(LDAPQuery):
 self.obj.handle_not_found(*keys)
 
 if options.get('rights', False) and options.get('all', False):
-entry_attrs['attributelevelrights'] = get_effective_rights(ldap, dn)
+rights = self.obj.get_effective_rights(dn)
+entry_attrs['attributelevelrights'] = rights
 
 for callback in self.POST_CALLBACKS:
 if hasattr(callback, 'im_self'):
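Review bot: the gating on both `rights` and `all` addresses Rob's nack. The two-line block introduced here is repeated verbatim in LDAPUpdate below; a small helper on LDAPQuery (or on LDAPObject, returning the rights already keyed for `entry_attrs`) would keep the two call sites from drifting.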
@@ -844,7 +845,8 @@ class LDAPUpdate(LDAPQuery, crud.Update):
 )
 
 if options.get('rights', False) and options.get('all', False):
-entry_attrs['attributelevelrights'] = get_effective_rights(ldap, dn)
+rights = self.obj.get_effective_rights(dn)
+entry_attrs['attributelevelrights'] = rights
 
 for callback in self.POST_CALLBACKS:
 if hasattr(callback, 'im_self'):
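Review bot: same duplicated block as in LDAPRetrieve; see the note there about factoring it into one helper.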
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index 438f663..ccd06ca 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -87,6 +87,9 @@ class config(LDAPObject):
 'ipasearchrecordslimit', 'ipausersearchfields', 'ipagroupsearchfields',
 'ipamigrationenabled', 'ipacertificatesubjectbase',
 ]
+rights_attributes = LDAPObject.rights_attributes + [
+'ipahomesrootdir', 'ipagroupsearchfields',
+]
 
 label = _('Configuration')
 
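Review bot: the base list already contains `'*'`, which asks for all user attributes, so the explicit `'ipahomesrootdir'` and `'ipagroupsearchfields'` entries only matter if the server does not report them under `'*'` for this entry; confirm that is the case (or state why in a comment), otherwise this override is redundant.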
@@ -206,3 +209,4 @@ class config_show(LDAPRetrieve):
 
 
 api.register(config_show)
+
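Review bot: this hunk only adds a trailing blank line at end of file, unrelated to the change; drop it so the patch does not introduce whitespace noise.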
-- 
1.7.1.1


[Freeipa-devel] [PATCH] Fix import API_VERSION import error.

2011-01-18 Thread Pavel Zuna

Fixes import errors in the framework caused by recent API version changes.

Fix #796

Pavel
From 3532c0f551edc79e63843ee112dee097dfb6aadf Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Tue, 18 Jan 2011 12:35:59 -0500
Subject: [PATCH] Fix import API_VERSION import error.

Fix #796
---
 ipalib/cli.py   |2 +-
 ipalib/frontend.py  |2 +-
 ipalib/plugins/batch.py |2 +-
 ipalib/plugins/ping.py  |2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/ipalib/cli.py b/ipalib/cli.py
index c634d49..54ab1c4 100644
--- a/ipalib/cli.py
+++ b/ipalib/cli.py
@@ -49,7 +49,7 @@ from errors import PublicError, CommandError, HelpError, InternalError, NoSuchNa
 from constants import CLI_TAB
 from parameters import Password, Bytes, File
 from text import _
-from ipapython.version import API_VERSION
+from ipapython.version import VERSION as API_VERSION
 
 
 def to_cli(name):
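Review bot: aliasing `VERSION as API_VERSION` makes the package version stand in for the API version, which is a different thing; as the later self-NACK in this thread says, `API_VERSION` is auto-generated, so the right fix is to regenerate ipapython/version.py rather than repoint the four imports. The same applies to the frontend.py and batch.py hunks below.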
diff --git a/ipalib/frontend.py b/ipalib/frontend.py
index eeed398..e514932 100644
--- a/ipalib/frontend.py
+++ b/ipalib/frontend.py
@@ -33,7 +33,7 @@ from text import _, ngettext
 from errors import ZeroArgumentError, MaxArgumentError, OverlapError, RequiresRoot, VersionError, RequirementError
 from errors import InvocationError
 from constants import TYPE_ERROR
-from ipapython.version import API_VERSION
+from ipapython.version import VERSION as API_VERSION
 from distutils import version
 
 
diff --git a/ipalib/plugins/batch.py b/ipalib/plugins/batch.py
index f6f662f..deaee5b 100644
--- a/ipalib/plugins/batch.py
+++ b/ipalib/plugins/batch.py
@@ -51,7 +51,7 @@ from ipalib import Str, List
 from ipalib.output import Output
 from ipalib import output
 from ipalib.text import _
-from ipapython.version import API_VERSION
+from ipapython.version import VERSION as API_VERSION
 
 class batch(Command):
 INTERNAL = True
diff --git a/ipalib/plugins/ping.py b/ipalib/plugins/ping.py
index c2f9b6b..db021b9 100644
--- a/ipalib/plugins/ping.py
+++ b/ipalib/plugins/ping.py
@@ -23,7 +23,7 @@ Ping the remote IPA server
 from ipalib import api
 from ipalib import Command
 from ipalib import output
-from ipapython.version import VERSION, API_VERSION
+from ipapython.version import VERSION as API_VERSION
 
 class ping(Command):
 
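Review bot: this hunk also drops the plain `VERSION` import, so if ping.py still reports `VERSION` anywhere, the name is now undefined; unlike the other three files, this one needs both names, not an alias.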
-- 
1.7.1.1


Re: [Freeipa-devel] [PATCH] Fix import API_VERSION import error.

2011-01-18 Thread Pavel Zuna

On 01/18/2011 01:40 PM, Pavel Zuna wrote:

Fixes import errors in the framework caused by recent API version changes.

Fix #796

Pavel


self-NACK.

Ignore this patch; I didn't realize the API_VERSION constant is auto-generated.

Pavel



[Freeipa-devel] [PATCH] Remove SOA maximum parameter from DNS zone.

2011-01-18 Thread Pavel Zuna
There's no such thing as maximum in SOA record RDATA format according to RFC 
1035 and there's also no such attribute in the schema.


Fix #788

https://bugzilla.redhat.com/show_bug.cgi?id=670343

Pavel
From ee65cb0fc69384f2777537d222a762a4f7be5bfe Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Tue, 18 Jan 2011 13:29:58 -0500
Subject: [PATCH 2/2] Remove SOA maximum parameters from DNS zone.

There's no such thing as maximum in SOA record RDATA format
according to RFC 1035 and there's also no such attribute in
the schema.

Fix #788
---
 ipalib/plugins/dns.py |5 -
 1 files changed, 0 insertions(+), 5 deletions(-)

diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index cf58098..a2d0b8b 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -198,11 +198,6 @@ class dnszone(LDAPObject):
 default=3600,
 autofill=True,
 ),
-Int('idnssoamaximum?',
-cli_name='maximum',
-label=_('SOA maximum'),
-doc=_('SOA record maximum value'),
-),
 Int('dnsttl?',
 cli_name='ttl',
 label=_('SOA time to live'),
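Review bot: removing a parameter changes the dnszone command signature, so the makeapi record mentioned elsewhere in this thread needs regenerating in the same commit; since the message says no `idnssoamaximum` attribute exists in the schema, there is no stored data to migrate, which is worth stating in the commit message.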
-- 
1.7.1.1


[Freeipa-devel] [PATCH] Fix crash when building DN of host with name ending with period.

2011-01-18 Thread Pavel Zuna

Fix #797

Pavel
From 509a77949474b429bb4d4ee6fa871bdade446625 Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Tue, 18 Jan 2011 13:28:37 -0500
Subject: [PATCH 1/2] Fix crash when building DN of host with name ending with period.

Fix #797
---
 ipalib/plugins/host.py |9 +
 1 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 8639ce5..d09f0eb 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -240,15 +240,16 @@ class host(LDAPObject):
 )
 
 def get_dn(self, *keys, **options):
-if keys[-1].endswith('.'):
-keys[-1] = keys[-1][:-1]
-dn = super(host, self).get_dn(*keys, **options)
+hostname = keys[-1]
+if hostname.endswith('.'):
+hostname = hostname[:-1]
+dn = super(host, self).get_dn(hostname, **options)
 try:
 self.backend.get_entry(dn, [''])
 except errors.NotFound:
 try:
 (dn, entry_attrs) = self.backend.find_entry_by_attr(
-'serverhostname', keys[-1], self.object_class, [''],
+'serverhostname', hostname, self.object_class, [''],
 self.container_dn
 )
 except errors.NotFound:
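Review bot: the old code assigned to `keys[-1]`, and `keys` arrives as a tuple, which is the TypeError behind #797; using a local `hostname` fixes that. Note though that `super(host, self).get_dn(hostname, **options)` now forwards only the last key instead of `*keys`, so if host ever gains a parent object the ancestor keys would be silently dropped; passing `*(keys[:-1] + (hostname,))` keeps the original contract.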
-- 
1.7.1.1


[Freeipa-devel] [PATCH] Fix updating of DNS records by the host plugin.

2011-01-18 Thread Pavel Zuna

Fix #799

Pavel
From e97aa6d78e0ec32b160bf17deb894b1ba091541c Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Tue, 18 Jan 2011 15:33:40 -0500
Subject: [PATCH 1/2] Fix updating of DNS records by the host plugin.

Fix #799
---
 ipalib/plugins/host.py |   10 +-
 1 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index d09f0eb..0a40705 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -345,9 +345,9 @@ class host_add(LDAPCreate):
 parts = keys[-1].split('.')
 domain = unicode('.'.join(parts[1:]))
 if ':' in options['ip_address']:
-addkw = { u'record' : options['ip_address'] }
+addkw = { 'record' : options['ip_address'] }
 else:
-addkw = { u'arecord' : options['ip_address'] }
+addkw = { 'arecord' : options['ip_address'] }
 try:
 api.Command['dnsrecord_add'](domain, parts[0], **addkw)
 except errors.EmptyModlist:
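Review bot: the change drops the `u''` prefix from the keyword names, which matters because keyword argument names must be `str` in the interpreter in use; add a one-line comment saying so, or the prefix will be re-added by the next reader. Also, in the archived text the IPv6 branch's key reads `'record'` while the IPv4 branch reads `'arecord'`; confirm the IPv6 branch names the AAAA record attribute.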
@@ -355,7 +355,7 @@ class host_add(LDAPCreate):
 pass
 revzone, revname = get_reverse_zone(options['ip_address'])
 try:
-addkw = { u'ptrrecord' : keys[-1]+'.' }
+addkw = { 'ptrrecord' : keys[-1]+'.' }
 api.Command['dnsrecord_add'](revzone, revname, **addkw)
 except errors.EmptyModlist:
 # the entry already exists and matches
@@ -443,12 +443,12 @@ class host_del(LDAPDelete):
 self.debug('deleting ipaddr %s' % ipaddr)
 revzone, revname = get_reverse_zone(ipaddr)
 try:
-delkw = { u'ptrrecord' : fqdn+'.' }
+delkw = { 'ptrrecord' : fqdn+'.' }
 api.Command['dnsrecord_del'](revzone, revname, **delkw)
 except errors.NotFound:
 pass
 try:
-delkw = { u'arecord' : ipaddr }
+delkw = { 'arecord' : ipaddr }
 api.Command['dnsrecord_del'](domain, parts[0], **delkw)
 except errors.NotFound:
 pass
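Review bot: both `except errors.NotFound: pass` branches swallow the miss silently while the line above logs the deletion with `self.debug`; logging the NotFound at debug level as well makes a host-del whose DNS records were already gone diagnosable.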
-- 
1.7.1.1


[Freeipa-devel] [PATCH] Fix password/random logic in host plugin.

2011-01-18 Thread Pavel Zuna

Fix #798

Pavel
From a013e19957b33ca84102efdc0be7448eb3a83423 Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Tue, 18 Jan 2011 15:43:07 -0500
Subject: [PATCH 2/2] Fix password/random logic in host plugin.

Fix #798
---
 ipalib/plugins/host.py |   15 +--
 1 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 0a40705..6947d90 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -319,16 +319,19 @@ class host_add(LDAPCreate):
 del entry_attrs['locality']
 entry_attrs['cn'] = keys[-1]
 entry_attrs['serverhostname'] = keys[-1].split('.', 1)[0]
-if 'userpassword' not in entry_attrs and \
-options.get('random', False) == False:
+if 'userpassword' not in entry_attrs and not options.get('random', False):
 entry_attrs['krbprincipalname'] = 'host/%s@%s' % (
 keys[-1], self.api.env.realm
 )
-if 'krbprincipalaux' not in entry_attrs['objectclass']:
-entry_attrs['objectclass'].append('krbprincipalaux')
+if 'krbprincipal' not in entry_attrs:
 entry_attrs['objectclass'].append('krbprincipal')
-elif 'krbprincipalaux' in entry_attrs['objectclass']:
-entry_attrs['objectclass'].remove('krbprincipalaux')
+if 'krbprincipal' not in entry_attrs:
+entry_attrs['objectclass'].append('krbprincipalaux')
+else:
+if 'krbprincipal' in entry_attrs['objectclass']:
+entry_attrs['objectclass'].remove('krbprincipal')
+if 'krbprincipalaux' in entry_attrs['objectclass']:
+entry_attrs['objectclass'].remove('krbprincipalaux')
 if 'random' in options:
 if options.get('random'):
 entry_attrs['userpassword'] = ipa_generate_password()
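Review bot: the two new checks `if 'krbprincipal' not in entry_attrs:` test the entry_attrs dict rather than entry_attrs['objectclass'], so they are true whenever no attribute is literally named krbprincipal and both object classes get appended even when already present; the removed lines and the new else branch check entry_attrs['objectclass'] and these should too, e.g. `if 'krbprincipal' not in entry_attrs['objectclass']:` and `if 'krbprincipalaux' not in entry_attrs['objectclass']:` (the second check also tests the wrong name for the aux class it appends).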
-- 
1.7.1.1


[Freeipa-devel] [PATCH] Make it impossible to add an object as a member of itself in webUI.

2011-01-05 Thread Pavel Zuna

Ticket #700

Pavel
From 793314369f6587fa1819a17bb0b196e09939c3f3 Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Wed, 5 Jan 2011 09:31:02 -0500
Subject: [PATCH] Make it impossible to add an object as a member of itself in webUI.

Ticket #700
---
 install/static/associate.js |5 -
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/install/static/associate.js b/install/static/associate.js
index 6517cca..60e7c09 100644
--- a/install/static/associate.js
+++ b/install/static/associate.js
@@ -164,9 +164,12 @@ function ipa_association_adder_dialog(spec) {
 var results = data.result;
 that.clear_available_values();
 
+var pkey_attr = IPA.metadata[that.entity_name].primary_key;
+
 for (var i=0; iresults.count; i++){
 var result = results.result[i];
-that.add_available_value(result);
+if (result[pkey_attr] != spec.pkey)
+that.add_available_value(result);
 }
 }
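Review bot: `result[pkey_attr] != spec.pkey` relies on loose inequality; IPA JSON-RPC output returns LDAP attribute values as lists, so the comparison only works through array-to-string coercion on a single-valued key. Compare the first value explicitly (`result[pkey_attr][0] !== spec.pkey`) or normalize the result before the check.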
 
-- 
1.7.1.1


[Freeipa-devel] [PATCH] Retype (when cloning) Flag parameters to Bool for search commands.

2011-01-05 Thread Pavel Zuna
Flag parameters are always autofill by definition, causing unexpected search 
results. This patch retypes them to Bool for search commands, so that users have 
to/can enter the desired value manually.


A good example of the Flag parameters causing problems in search commands is 
`dnszone-find` (ticket #689).


Ticket #689
Ticket #701

Pavel
From 2206dd739dabf3e08555126b545a6cc62d6cd93c Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Wed, 5 Jan 2011 10:07:23 -0500
Subject: [PATCH] Retype (when cloning) Flag parameters to Bool for search commands.

Flag parameters are always autofill by definition, causing unexpected
search results. This patch retypes them to Bool for search commands,
so that users have to/can enter the desired value manually.

Ticket #689
Ticket #701
---
 ipalib/crud.py   |   12 +---
 ipalib/parameters.py |8 +++-
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/ipalib/crud.py b/ipalib/crud.py
index 86e1756..6df3c73 100644
--- a/ipalib/crud.py
+++ b/ipalib/crud.py
@@ -210,9 +210,15 @@ class Search(Method):
 for option in self.obj.params_minus(self.args):
 if 'no_search' in option.flags:
 continue
-yield option.clone(
-attribute=True, query=True, required=False, autofill=False
-)
+if isinstance(option, parameters.Flag):
+yield option.clone_retype(
+option.name, parameters.Bool,
+attribute=True, query=True, required=False, autofill=False
+)
+else:
+yield option.clone(
+attribute=True, query=True, required=False, autofill=False
+)
 if not self.extra_options_first:
 for option in super(Search, self).get_options():
 yield option
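Review bot: the two clone calls differ only in the target class, so the branch can collapse to choosing the class first, `klass = parameters.Bool if isinstance(option, parameters.Flag) else option.__class__`, followed by one `option.clone_retype(option.name, klass, attribute=True, query=True, required=False, autofill=False)`; that also keeps the kwarg list in a single place when it changes.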
diff --git a/ipalib/parameters.py b/ipalib/parameters.py
index 5c386c3..128c8a4 100644
--- a/ipalib/parameters.py
+++ b/ipalib/parameters.py
@@ -585,9 +585,15 @@ class Param(ReadOnly):
 
 Return a new `Param` instance similar to this one, but named differently
 
+return self.clone_retype(name, self.__class__, **overrides)
+
+def clone_retype(self, name, klass, **overrides):
+
+Return a new `Param` instance similar to this one, but of a different type
+
 kw = dict(self.__clonekw)
 kw.update(overrides)
-return self.__class__(name, *self.rules, **kw)
+return klass(name, *self.rules, **kw)
 
 def normalize(self, value):
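Review bot: clone_retype passes this Param's rules and clone kwargs unchanged to `klass`, so it only works when the new class accepts every keyword the old one was built with (true for Flag to Bool, since Flag subclasses Bool); the docstring should state that requirement, and a guard such as `if not issubclass(klass, Param): raise TypeError(...)` would catch the obvious misuse.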
 
-- 
1.7.1.1


[Freeipa-devel] [PATCH] Improve filtering of enrollments search results.

2011-01-04 Thread Pavel Zuna

This is required for effective filtering of enrollments search
results in the webUI and also gives an edge to the CLI.

After this patch, each LDAPObject can define its relationships
to other LDAPObjects. For now, this is used only for filtering
search results by enrollments, but there are probably more
benefits to come.

You can do this for example:

# search for all users not enrolled in group admins
ipa user-find --not-in-groups=admins

# search for all groups not enrolled in group global with user Pavel
ipa group-find --users=Pavel --not-in-groups=global

# more examples:
ipa group-find --users=Pavel,Jakub --no-users=Honza
ipa hostgroup-find --hosts=webui.pzuna

Pavel
From 19975e5e2ceb3a3f9fd18be0f3fafe8f42aa626c Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Tue, 4 Jan 2011 15:15:54 -0500
Subject: [PATCH 1/2] Improve filtering of enrollments search results.

This is required for effective filtering of enrollments search
results in the webUI and also gives an edge to the CLI.

After this patch, each LDAPObject can define its relationships
to other LDAPObjects. For now, this is used only for filtering
search results by enrollments, but there are probably more
benefits to come.

You can do this for example:

# search for all users not enrolled in group admins
ipa user-find --not-in-groups=admins

# search for all groups not enrolled in group global with user Pavel
ipa group-find --users=Pavel --not-in-groups=global

# more examples:
ipa group-find --users=Pavel,Jakub --no-users=Honza
ipa hostgroup-find --hosts=webui.pzuna
---
 ipalib/plugins/baseldap.py  |   57 ---
 ipalib/plugins/group.py |2 +-
 ipalib/plugins/host.py  |7 -
 ipalib/plugins/hostgroup.py |2 +-
 ipalib/plugins/netgroup.py  |   11 +++-
 ipalib/plugins/user.py  |2 +
 6 files changed, 68 insertions(+), 13 deletions(-)

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 1cd181c..d38da89 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -234,6 +234,15 @@ class LDAPObject(Object):
 rdnattr = None
 # Can bind as this entry (has userPassword or krbPrincipalKey)
 bindable = False
+relationships = {
+# attribute: (label, inclusive param prefix, exclusive param prefix)
+'member': ('Member', '', 'no_'),
+'memberof': ('Parent', 'in_', 'not_in_'),
+'memberindirect': (
+'Indirect Member', None, 'no_indirect_'
+),
+}
+label = _('Entry')
 
 container_not_found_msg = _('container entry (%(container)s) not found')
 parent_not_found_msg = _('%(parent)s: %(oname)s not found')
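Review bot: the inline comment documents the tuple layout but not what None means as the inclusive prefix of 'memberindirect'; say explicitly that None disables the inclusive option, because get_options further down has to special-case it and currently does not.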
@@ -343,7 +352,7 @@ class LDAPObject(Object):
 'parent_object', 'container_dn', 'object_name', 'object_name_plural',
 'object_class', 'object_class_config', 'default_attributes', 'label',
 'hidden_attributes', 'uuid_attribute', 'attribute_members', 'name',
-'takes_params', 'rdn_attribute', 'bindable',
+'takes_params', 'rdn_attribute', 'bindable', 'relationships',
 )
 
 def __json__(self):
@@ -1195,7 +1204,8 @@ class LDAPSearch(CallbackInterface, crud.Search):
 Retrieve all LDAP entries matching the given criteria.
 
 member_attributes = []
-member_param_doc = 'exclude %s with member %s (comma-separated list)'
+member_param_incl_doc = 'only %s with %s %s'
+member_param_excl_doc = 'only %s with no %s %s'
 
 takes_options = (
 Int('timelimit?',
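Review bot: the new doc templates drop the '(comma-separated list)' hint the replaced string carried, and the user no longer learns that several values can be given; keep the hint, e.g. `'only %s with %s %s (comma-separated list)'`.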
@@ -1227,21 +1237,50 @@ class LDAPSearch(CallbackInterface, crud.Search):
 for attr in self.member_attributes:
 for ldap_obj_name in self.obj.attribute_members[attr]:
 ldap_obj = self.api.Object[ldap_obj_name]
-name = to_cli(ldap_obj_name)
-doc = self.member_param_doc % (
-self.obj.object_name_plural, ldap_obj.object_name_plural
+relationship = self.obj.relationships.get(
+attr, ['member', '', 'no_']
+)
+doc = self.member_param_incl_doc % (
+self.obj.object_name_plural, relationship[0].lower(),
+ldap_obj.object_name_plural
+)
+name = '%s%s' % (relationship[1], to_cli(ldap_obj_name))
+yield List(
+'%s?' % name, cli_name='%ss' % name, doc=doc,
+label=ldap_obj.object_name
+)
+doc = self.member_param_excl_doc % (
+self.obj.object_name_plural, relationship[0].lower(),
+ldap_obj.object_name_plural
+)
+name = '%s%s' % (relationship[2], to_cli(ldap_obj_name))
+yield List(
+'%s?' % name, cli_name='%ss' % name, doc=doc,
+label=ldap_obj.object_name
 )
-yield List('no_%s?' % name

[Freeipa-devel] [PATCH] Improvements to enrollments in the webUI.

2011-01-04 Thread Pavel Zuna
The patch is a bit bigger and more complex, so I expect this to be the first 
shot at it.


There are some places where we need to handle localization better and be more 
generic when it comes to non-standard relationships like 'enrolledby' etc., but 
that can be done later. (I put a few TODOs in the code.)


Anyway, here's the changelog for this patch:

- Enrollment links in the action panel are now sorted by relationships.
- You can only enroll members.
  (The webUI gave the impression you can enroll parents as well, but it was
   broken.)
- When enrolling new members, you can choose not to display already enrolled
  ones. (On by default.)
- A couple of cosmetic changes.

IT DEPENDS ON MY PATCH NUMBER 54 (Improve filtering of enrollments search 
results.)


Pavel
From 830c2c5f2780b461f62509ae044c82da76607dc3 Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Tue, 4 Jan 2011 15:21:18 -0500
Subject: [PATCH 2/2] Improvements to enrollments in the webUI.

TAKE 1

- Enrollment links in the action panel are now sorted by relationships.
- You can only enroll members.
  (The webUI gave the impression you can enroll parents as well, but it was
   broken.)
- When enrolling new members, you can choose not to display already enrolled
  ones. (On by default.)
- A couple of cosmetic changes.
---
 install/static/associate.js |   72 +++
 install/static/entity.js|   45 --
 install/static/group.js |9 +-
 install/static/ipa.css  |   10 +-
 install/static/widget.js|   21 
 5 files changed, 124 insertions(+), 33 deletions(-)

diff --git a/install/static/associate.js b/install/static/associate.js
index 66db171..6517cca 100644
--- a/install/static/associate.js
+++ b/install/static/associate.js
@@ -140,6 +140,7 @@ function ipa_association_adder_dialog(spec) {
 that.entity_name = spec.entity_name;
 that.pkey = spec.pkey;
 that.other_entity = spec.other_entity;
+that.attribute_member = spec.attribute_member;
 
 that.init = function() {
 if (!that.columns.length) {
@@ -152,6 +153,9 @@ function ipa_association_adder_dialog(spec) {
 });
 }
 
+/* FIXME: event not firing? */
+$('input[name=hidememb]', that.container).click(that.search);
+
 that.adder_dialog_init();
 };
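Review bot: the FIXME about the click handler not firing is most likely because `that.container` does not yet contain the hidememb checkbox when init runs, so the selector matches nothing and no handler is bound; bind it where the dialog content is created (after the checkbox is appended) or delegate from the container (`that.container.delegate('input[name=hidememb]', 'click', that.search)`), and remove the FIXME once confirmed.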
 
@@ -166,7 +170,31 @@ function ipa_association_adder_dialog(spec) {
 }
 }
 
-ipa_cmd('find', [that.get_filter()], {'all': true}, on_success, null, that.other_entity);
+var hide_checkbox = $('input[name=hidememb]', that.container);
+
+var options = {'all': true};
+if (hide_checkbox.attr('checked')) {
+var relationships = IPA.metadata[that.other_entity].relationships;
+
+/* TODO: better generic handling of different relationships! */
+var other_attribute_member = '';
+if (that.attribute_member == 'member')
+other_attribute_member = 'memberof';
+else if (that.attribute_member == 'memberuser')
+other_attribute_member = 'memberof';
+else if (that.attribute_member == 'memberhost')
+other_attribute_member = 'memberof';
+else if (that.attribute_member == 'memberof')
+other_attribute_member = 'member';
+
+var relationship = relationships[other_attribute_member];
+if (relationship) {
+var param_name = relationship[2] + that.entity_name;
+options[param_name] = that.pkey;
+}
+}
+
+ipa_cmd('find', [that.get_filter()], options, on_success, null, that.other_entity);
 };
 
 that.association_adder_dialog_init = that.init;
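Review bot: `hide_checkbox.attr('checked')` reads the attribute, whose return value differs between jQuery versions and does not reliably follow user toggling; use `hide_checkbox.is(':checked')`. The if/else ladder mapping attribute_member to other_attribute_member (three branches all yielding 'memberof') reads better as a lookup object, which also makes the TODO easier to close: `var reverse = {member: 'memberof', memberuser: 'memberof', memberhost: 'memberof', memberof: 'member'};`.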
@@ -234,6 +262,7 @@ function ipa_association_table_widget(spec) {
 var that = ipa_table_widget(spec);
 
 that.other_entity = spec.other_entity;
+that.attribute_member = spec.attribute_member;
 
 that.associator = spec.associator || bulk_associator;
 that.add_method = spec.add_method || 'add_member';
@@ -398,7 +427,8 @@ function ipa_association_table_widget(spec) {
 'title': title,
 'entity_name': that.entity_name,
 'pkey': pkey,
-'other_entity': that.other_entity
+'other_entity': that.other_entity,
+'attribute_member': that.attribute_member,
 });
 };
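Review bot: `'attribute_member': that.attribute_member,` leaves a trailing comma before the closing brace of the object literal; Internet Explorer 7 and 8 reject that with a syntax error, so drop the comma.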
 
@@ -513,6 +543,8 @@ function ipa_association_facet(spec) {
 var that = ipa_facet(spec);
 
 that.other_entity = spec.other_entity;
+that.facet_group = spec.facet_group;
+that.attribute_member = spec.attribute_member;
 
 that.associator = spec.associator || bulk_associator;
 that.add_method = spec.add_method || 'add_member';
@@ -636,9 +668,20 @@ function ipa_association_facet(spec) {
 
 that.pkey = $.bbq.getState(that.entity_name + '-pkey', true) || '';
 
-//TODO I18N
-var header_message

[Freeipa-devel] [PATCH] Fix the mod operations.

2010-12-21 Thread Pavel Zuna

*-mod operations were not functioning properly after the recent 'rename' patch.

Pavel
From 4f59a29a7f16a4dbdb8a39766968102a21fae1ed Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Tue, 21 Dec 2010 16:17:28 +0100
Subject: [PATCH] Fix the mod operations.

---
 ipalib/plugins/baseldap.py |1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index f8e5445..d91fd93 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -711,6 +711,7 @@ class LDAPUpdate(LDAPQuery, crud.Update):
 def _get_rename_option(self):
 rdnparam = getattr(self.obj.params, self.obj.rdnattr)
 return rdnparam.clone_rename('rename', cli_name='rename',
+required=False, label=_('Rename'),
 doc=_('Rename the %s object' % self.obj.object_name))
 
 def get_options(self):
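Review bot: on the unchanged line just below the added one, `_('Rename the %s object' % self.obj.object_name)` interpolates before translating, so gettext is asked for a string that differs per object type and never matches the catalog; since this hunk touches the call anyway, make it `_('Rename the %s object') % self.obj.object_name`.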
-- 
1.7.3.3


[Freeipa-devel] [PATCH] Fix reporting of errors when validating parameters.

2010-12-21 Thread Pavel Zuna
Print the attribute CLI name instead of its 'real' name. The real name is 
usually the name of the corresponding LDAP attribute, which is confusing to the 
user.


 This way we get:

Invalid 'login': blablabla

instead of:

Invalid 'uid': blablabla


Another example:

Invalid 'hostname': blablabla

instead of:

Invalid 'fqdn': blablabla


Ticket #435

Pavel
From 8c6ef40f575399f3190ef077b26fd38ecb3a1c0e Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Tue, 21 Dec 2010 12:14:38 -0500
Subject: [PATCH 1/2] Fix reporting of errors when validating parameters.

Print the attribute CLI name instead of its 'real' name.
The real name is usually the name of the corresponding LDAP
attribute, which is confusing to the user.

This way we get:
Invalid 'login': blablabla
instead of:
Invalid 'uid': blablabla

Another example:
Invalid 'hostname': blablabla
instead of:
Invalid 'fqdn': blablabla

Ticket #435
---
 ipalib/parameters.py   |5 -
 ipalib/plugins/user.py |8 +++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/ipalib/parameters.py b/ipalib/parameters.py
index 955b979..feccd7e 100644
--- a/ipalib/parameters.py
+++ b/ipalib/parameters.py
@@ -748,8 +748,11 @@ class Param(ReadOnly):
 for rule in self.all_rules:
 error = rule(ugettext, value)
 if error is not None:
+name = self.cli_name
+if not name:
+name = self.name
 raise ValidationError(
-name=self.name,
+name=name,
 value=value,
 index=index,
 error=error,
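Review bot: the three-line fallback can be `name = self.cli_name or self.name`. More importantly, ValidationError now carries the CLI name instead of the attribute name, so anything that matched on the old name in the error (web UI, tests) needs updating; worth a sentence in the commit message.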
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index f76fbd6..6209754 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -227,7 +227,13 @@ class user_add(LDAPCreate):
 config = ldap.get_ipa_config()[1]
 if 'ipamaxusernamelength' in config:
 if len(keys[-1])  int(config.get('ipamaxusernamelength')[0]):
-raise errors.ValidationError(name='uid', error=_('can be at most %(len)d characters' % dict(len = int(config.get('ipamaxusernamelength')[0]
+raise errors.ValidationError(
+name=self.obj.primary_key.cli_name, error=_(
+'can be at most %(len)d characters' % dict(
+len = int(config.get('ipamaxusernamelength')[0])
+)
+)
+)
 entry_attrs.setdefault('loginshell', config.get('ipadefaultloginshell'))
 # hack so we can request separate first and last name in CLI
 full_name = '%s %s' % (entry_attrs['givenname'], entry_attrs['sn'])
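Review bot: `_('can be at most %(len)d characters' % dict(...))` translates after interpolation, so the string handed to gettext contains the number and never matches the catalog; use `_('can be at most %(len)d characters') % dict(len=maxlen)` with `maxlen = int(config.get('ipamaxusernamelength')[0])` computed once instead of twice in the same condition.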
-- 
1.7.1.1


[Freeipa-devel] [PATCH] Update built-in help for user (ipa help user) with info about username format.

2010-12-21 Thread Pavel Zuna
General talk about username format, including username length and how to change 
it in ipa config.


Ticket #436

Pavel
From 6874f8d1ecc340832961b28b84b5140c65f6ca2b Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Tue, 21 Dec 2010 12:23:40 -0500
Subject: [PATCH 2/2] Update built-in help for user (ipa help user) with info about username format.

Ticket #436
---
 ipalib/plugins/user.py |6 ++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 6209754..e3228a1 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -22,6 +22,12 @@ Users
 
 Manage user entries. All users are POSIX users.
 
+IPA supports a wide range of username formats, but you need to be aware of any
+restrictions that may apply to your particular environment. For example,
+usernames that starts with a digit or usernames that exceed a certain length
+may cause problems for some UNIX systems.
+Use 'ipa config-mod' to change the username format allowed by IPA tools.
+
 Disabling a user account prevents that user from obtaining new Kerberos
 credentials. It does not invalidate any credentials that have already
 been issued.
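Review bot: the added help has a subject-verb mismatch ('usernames that starts with a digit' should be 'start'), and 'change the username format allowed by IPA tools' promises more than the plugin enforces; the only check visible in user_add is against ipamaxusernamelength, so say 'maximum username length' here so users know which config-mod option to look for.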
-- 
1.7.1.1


Re: [Freeipa-devel] [PATCH] Enable filtering search results by member attributes.

2010-12-09 Thread Pavel Zuna

On 12/08/2010 08:30 PM, Rob Crittenden wrote:

Pavel Zůna wrote:

On 2010-11-30 04:06, Rob Crittenden wrote:

Pavel Zůna wrote:

LDAPSearch base class has now the ability to generate additional
options for objects with member attributes. These options are
used to filter search results - search only for objects without
the specified members.

Any class that extends LDAPSearch can benefit from this functionality.
This patch enables it for the following objects:
group, netgroup, rolegroup, hostgroup, taskgroup

Example:
ipa group-find --no-users=admin

Only direct members are taken into account, but if we need indirect
members as well - it's not a problem.

Ticket #288

Pavel


This works as advertised but I wonder what would happen if a huge list
of members was passed in to ignore. Is there a limit on the search
filter size (remember that the member will be translated into a full dn
so will quickly grow in size).

Should we impose a configurable limit on the # of members to be excluded?

Is there a max search filter size and should we check that we haven't
exceeded that before doing a search?

rob


I tried it out with more than 1000 users and was getting an unwilling
to perform error (search filter nested too deep).

After a little bit of investigation, I figured the filter was being
generated like this:

(((!(a=v))(!(a2=v2

We were going deeper with each additional DN!

I updated the patch to generate the filter like this instead:

(!(|(a=v)(a2=v2)))

Tried it again with more than 1000 users (~55Kb) - it worked and wasn't
even slow.

Updated patch attached.

I also had to fix a bug in ldap2 filter generator, as a result this
patch depends on my patch number 43.

Pavel


You'll need to rebase this against master but otherwise ACK.

It might be a small optimization to de-dupe the no-users list but it
isn't a priority.

rob


Re-based patch attached.

Pavel
From 871b9d2b52175a4209ba2d8bdb12fcc019d871e9 Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Thu, 2 Dec 2010 19:24:11 -0500
Subject: [PATCH] Enable filtering search results by member attributes.

LDAPSearch base class has now the ability to generate additional
options for objects with member attributes. These options are
used to filter search results - search only for objects without
the specified members.

Example:
ipa group-find --no-users=admin

Only direct members are taken into account.

Ticket #288
---
 ipalib/plugins/baseldap.py  |   34 +-
 ipalib/plugins/group.py |2 ++
 ipalib/plugins/hostgroup.py |2 +-
 ipalib/plugins/netgroup.py  |1 +
 4 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 6b7153b..9635f41 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -1124,6 +1124,9 @@ class LDAPSearch(CallbackInterface, crud.Search):
 
 Retrieve all LDAP entries matching the given criteria.
 
+member_attributes = []
+member_param_doc = 'exclude %s with member %s (comma-separated list)'
+
 takes_options = (
 Int('timelimit?',
 label=_('Time Limit'),
@@ -1151,6 +1154,33 @@ class LDAPSearch(CallbackInterface, crud.Search):
 def get_options(self):
 for option in super(LDAPSearch, self).get_options():
 yield option
+for attr in self.member_attributes:
+for ldap_obj_name in self.obj.attribute_members[attr]:
+ldap_obj = self.api.Object[ldap_obj_name]
+name = to_cli(ldap_obj_name)
+doc = self.member_param_doc % (
+self.obj.object_name_plural, ldap_obj.object_name_plural
+)
+yield List('no_%s?' % name, cli_name='no_%ss' % name, doc=doc,
+   label=ldap_obj.object_name)
+
+def get_member_filter(self, ldap, **options):
+filter = ''
+for attr in self.member_attributes:
+for ldap_obj_name in self.obj.attribute_members[attr]:
+param_name = 'no_%s' % to_cli(ldap_obj_name)
+if param_name in options:
+dns = []
+ldap_obj = self.api.Object[ldap_obj_name]
+for pkey in options[param_name]:
+dns.append(ldap_obj.get_dn(pkey))
+flt = ldap.make_filter_from_attr(
+attr, dns, ldap.MATCH_NONE
+)
+filter = ldap.combine_filters(
+(filter, flt), ldap.MATCH_ALL
+)
+return filter
 
 has_output_params = global_output_params
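Review bot: `dns` is built without de-duplicating, so `--no-users=admin,admin` emits the same clause twice; as Rob suggested, drop duplicates (a seen-set if order matters, otherwise `list(set(...))`). `filter` shadows the Python builtin and is easy to confuse with `make_filter`; `member_filter` reads better. Also, `ldap_obj.get_dn(pkey)` constructs a DN for whatever string the user passes without checking the entry exists, which is fine for a NOT filter but deserves a comment so nobody later expects a NotFound here.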
 
@@ -1192,8 +1222,10 @@ class LDAPSearch(CallbackInterface, crud.Search):
 search_kw[a] = term
 term_filter = ldap.make_filter(search_kw, exact=False)
 
+member_filter = self.get_member_filter(ldap, **options)
+
 filter = ldap.combine_filters(
-(term_filter
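
The two filter shapes Pavel compares above, as an added example (not code from FreeIPA or from this patch): it builds the member exclusion filter the nested way and the flat way for a list of member DNs, escapes values as RFC 4515 requires, and measures parenthesis nesting, which is what the "search filter nested too deep" rejection is about. It also drops duplicate DNs, as Rob suggested. The attribute name 'member' and the user DNs are constructed for the example.

```python
# Added example for the thread above; not FreeIPA code. The attribute name
# 'member' and the sample DNs below are constructed for illustration.


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515, 3)."""
    escaped = []
    for ch in value:
        if ch in '*()\\\x00':
            escaped.append('\\%02x' % ord(ch))
        else:
            escaped.append(ch)
    return ''.join(escaped)


def nested_exclusion_filter(attr, values):
    """The shape the thread says was generated before the fix: each new
    value wraps the filter built so far in one more AND, so nesting depth
    grows by one per DN. Kept only to show the problem."""
    flt = ''
    for value in values:
        clause = '(!(%s=%s))' % (attr, escape_filter_value(value))
        flt = clause if not flt else '(&%s%s)' % (flt, clause)
    return flt


def flat_exclusion_filter(attr, values):
    """The corrected shape: one NOT around one OR, so depth stays constant
    however many DNs are excluded. Duplicates are dropped, first-seen order
    is preserved."""
    seen = set()
    unique = []
    for value in values:
        if value not in seen:
            seen.add(value)
            unique.append(value)
    if not unique:
        return ''
    inner = ''.join('(%s=%s)' % (attr, escape_filter_value(v)) for v in unique)
    return '(!(|%s))' % inner


def nesting_depth(flt):
    """Maximum parenthesis nesting of a filter string; raises if the
    parentheses are unbalanced, which also catches a truncated filter."""
    depth = deepest = 0
    for ch in flt:
        if ch == '(':
            depth += 1
            deepest = max(deepest, depth)
        elif ch == ')':
            depth -= 1
            if depth < 0:
                raise ValueError('unbalanced parentheses in filter')
    if depth != 0:
        raise ValueError('unbalanced parentheses in filter')
    return deepest


def sample_user_dns(count):
    """Constructed user DNs in the container layout IPA uses for users."""
    return ['uid=user%d,cn=users,cn=accounts,dc=example,dc=com' % i
            for i in range(count)]


if __name__ == '__main__':
    dns = sample_user_dns(1000)
    nested = nested_exclusion_filter('member', dns)
    flat = flat_exclusion_filter('member', dns)
    print('nested: depth %d, %d bytes' % (nesting_depth(nested), len(nested)))
    print('flat:   depth %d, %d bytes' % (nesting_depth(flat), len(flat)))
```

With 1000 DNs the nested form reaches depth 1001 while the flat form stays at depth 3; the byte size is nearly identical in both cases, so the server limit that bit here is nesting, not filter length.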

[Freeipa-devel] [PATCH] Introduce new env variable, enable_dns=True, if IPA is managing DNS.

2010-12-09 Thread Pavel Zuna

if api.env.enable_dns:
    print "DNS is managed by IPA"

ipa env | grep "enable_dns: True" > /dev/null && echo "DNS is managed by IPA"



Ticket #600

Pavel
From d6031a2bbb1bb5d4b0520d6d56fc4716c3ef2242 Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Thu, 9 Dec 2010 13:10:36 -0500
Subject: [PATCH] Introduce new env variable. enable_dns=True, if IPA is managing DNS.

Ticket #600
---
 install/tools/ipa-server-install |5 -
 ipalib/constants.py  |1 +
 2 files changed, 5 insertions(+), 1 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index bed9add..6785acd 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -488,7 +488,8 @@ def main():
 cfg = dict(
 context='installer',
 in_server=True,
-debug=options.debug
+debug=options.debug,
+enable_dns=options.setup_dns,
 )
 
 if options.uninstall:
@@ -677,6 +678,8 @@ def main():
 fd.write(enable_ra=True\n)
 if not options.selfsign:
 fd.write(ra_plugin=dogtag\n)
+if options.setup_dns:
+fd.write(enable_dns=True\n)
 fd.close()
 
 api.bootstrap(**cfg)
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 32c6450..d0ab9fb 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -139,6 +139,7 @@ DEFAULT_CONFIG = (
 # Enable certain optional plugins:
 ('enable_ra', False),
 ('ra_plugin', 'selfsign'),
+('enable_dns', False),
 
 # 
 #  The remaining keys are never set from the values here!
-- 
1.7.1.1


[Freeipa-devel] [PATCH] Fix default attributes in config plugin (ipadefaultemaildomain).

2010-12-07 Thread Pavel Zuna

Fixes an attribute name mismatch in the config plugin.

Ticket #573

Pavel
From d98843a980331e9b8173a6eba228fa393b04e350 Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Sun, 5 Dec 2010 03:26:52 -0500
Subject: [PATCH] Fix default attributes in config plugin (ipadefaultemaildomain).

Ticket #573
---
 ipalib/plugins/config.py |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index 79db77e..a56b667 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -66,7 +66,7 @@ class config(LDAPObject):
 object_name = 'configuration options'
 default_attributes = [
 'ipamaxusernamelength', 'ipahomesrootdir', 'ipadefaultloginshell',
-'ipadefaultprimarygroup', 'ipadefaultdomain', 'ipasearchtimelimit',
+'ipadefaultprimarygroup', 'ipadefaultemaildomain', 'ipasearchtimelimit',
 'ipasearchrecordslimit', 'ipausersearchfields', 'ipagroupsearchfields',
 'ipamigrationenabled', 'ipacertificatesubjectbase',
 ]
-- 
1.7.1.1


Re: [Freeipa-devel] [PATCH] Error message handling in HBAC module

2010-11-29 Thread Pavel Zuna

On 11/29/2010 11:20 AM, Jan Zelený wrote:

This patch contains a part of my original 0008 patch. The rest of it is solved
differently (see my patch 0010).




ACK.

Pavel



[Freeipa-devel] [PATCH] Prompt correctly for required Password params.

2010-11-24 Thread Pavel Zuna
Required Password params were prompted for like any other non-Password params, 
resulting in the password being displayed on the command line, with no 
confirmation.


Ticket #361

Pavel
From f8451a7b94f226f3e5b4181f464de52e2dfbad2d Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Wed, 24 Nov 2010 08:01:31 -0500
Subject: [PATCH] Prompt correctly for required Password params.

Ticket #361
---
 ipalib/cli.py |   23 +--
 1 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/ipalib/cli.py b/ipalib/cli.py
index 41bee7a..3120e01 100644
--- a/ipalib/cli.py
+++ b/ipalib/cli.py
@@ -515,7 +515,7 @@ class textui(backend.Backend):
 try:
 if sys.stdin.isatty():
 while True:
-pw1 = getpass.getpass('%s: ' % label)
+pw1 = getpass.getpass(u'%s: ' % unicode(label))
 pw2 = getpass.getpass(
 unicode(_('Enter %(label)s again to verify: ') % dict(label=label))
 )
@@ -887,16 +887,15 @@ class cli(backend.Executioner):
 ``self.env.prompt_all`` is ``True``, this method will prompt for any
 params that have a missing values, even if the param is optional.
 
-for param in cmd.params():
-if param.password and (
-kw.get(param.name, False) is True or param.name in cmd.args
-):
-kw[param.name] = \
-self.Backend.textui.prompt_password(param.cli_name)
-elif param.name not in kw:
-if param.autofill:
+for param in cmd.params(): 
+if (param.required and param.name not in kw) or self.env.prompt_all:
+if param.password:
+kw[param.name] = self.Backend.textui.prompt_password(
+param.label
+)
+elif param.autofill:
 kw[param.name] = param.get_default(**kw)
-elif param.required or self.env.prompt_all:
+else:
 default = param.get_default(**kw)
 error = None
 while True:
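Review bot: `(param.required and param.name not in kw) or self.env.prompt_all` lets prompt_all win even when the parameter was supplied on the command line, so every parameter is prompted for again (or autofilled) and the supplied value is overwritten; the replaced code only entered this branch when `param.name not in kw`. Use `param.name not in kw and (param.required or self.env.prompt_all)`. There is also trailing whitespace on the `for param in cmd.params():` line.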
@@ -910,6 +909,10 @@ class cli(backend.Executioner):
 break
 except ValidationError, e:
 error = e.error
+elif param.password and kw.get(param.name, False) is True:
+kw[param.name] = self.Backend.textui.prompt_password(
+param.label
+)
 
 def load_files(self, cmd, kw):
 
-- 
1.7.1.1


[Freeipa-devel] [PATCH] Add new version of DNS plugin: complete rework with baseldap + unit tests.

2010-11-23 Thread Pavel Zuna
Finally managed to rewrite the DNS plugin again. Sorry it took so long; we had 
training in the office and I also had a nasty bug in baseldap.py I couldn't find.


Anyway, this version has it all:
- changes we agreed on at the meeting: the resource abstraction is gone and we now 
only have zones and records, so adding a new record automatically updates an 
existing entry or creates it if it wasn't there, and deleting the last record 
deletes the whole entry, all of it transparent to the user

- unit tests
- ipa help documentation

Fixes tickets:
#36
#450

I also closed bug #654412.

It has a new patch sequence number, because it depends on another patch with a 
higher number and I didn't want to create forward dependencies.


Depends on my patches number:
35 (will repost if needed)
38 (posted a while ago on freeipa-devel)

Pavel
From 9ff886618623abb7253956dc92e652361fe4076e Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Mon, 8 Nov 2010 22:34:14 -0500
Subject: [PATCH 2/3] Add new version of DNS plugin: complete rework with baseldap + unit tests.

Ticket #36
Ticket #450
---
 ipa.spec.in  |1 +
 ipalib/plugins/dns2.py   |  584 ++
 tests/test_xmlrpc/test_dns_plugin.py |  341 
 3 files changed, 926 insertions(+), 0 deletions(-)
 create mode 100644 ipalib/plugins/dns2.py
 create mode 100644 tests/test_xmlrpc/test_dns_plugin.py

diff --git a/ipa.spec.in b/ipa.spec.in
index 5a3ea2b..1225bb0 100644
--- a/ipa.spec.in
+++ b/ipa.spec.in
@@ -178,6 +178,7 @@ Requires: gnupg
 Requires: pyOpenSSL
 Requires: python-nss = 0.9-8
 Requires: python-lxml
+Requires: python-netaddr
 
 %description python
 IPA is an integrated solution to provide centrally managed Identity (machine,
diff --git a/ipalib/plugins/dns2.py b/ipalib/plugins/dns2.py
new file mode 100644
index 000..2f72fec
--- /dev/null
+++ b/ipalib/plugins/dns2.py
@@ -0,0 +1,584 @@
+# Authors:
+#   Pavel Zuna pz...@redhat.com
+#
+# Copyright (C) 2010  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+Domain Name System (DNS)
+
+Manage DNS zone and resource records.
+
+EXAMPLES:
+
+ Add new zone:
+   ipa dnszone-add example.com --name_server nameserver.example.com
+   --admin_email ad...@example.com
+
+ edd second nameserver for example.com:
+   ipa dnsrecord-add example.com @ --ns-rec nameserver2.example.com
+
+ Delete previously added nameserver from example.com:
+   ipa dnsrecord-del example.com @ --ns-rec nameserver2.example.com
+
+ Add new A record for www.example.com: (random IP)
+   ipa dnsrecord-add example.com www --a-rec 80.142.15.2
+
+ Add new PTR record for www.example.com
+   ipa dnsrecord 15.142.80.in-addr.arpa 2 --ptr-rec www.example.com.
+
+ Show zone example.com:
+   ipa dnszone-show example.com
+
+ Find zone with example in it's domain name:
+   ipa dnszone-find example
+
+ Find records for resources with www in their name in zone example.com:
+   ipa dnsrecord-find example.com www
+
+ Find A records with value 10.10.0.1 in zone example.com
+   ipa dnsrecord-find example.com --a-rec 10.10.0.1
+
+ Show records for resource www in zone example.com
+   ipa dnsrecord-show example.com www
+
+ Delete zone example.com with all resource records:
+   ipa dnszone-del example.com
+
+ Resolve a host name to see if it exists (will add default IPA domain
+ if one is not included):
+   ipa dns-resolve www.example.com
+   ipa dns-resolve www
+
+
+
+import netaddr
+import time
+
+from ipalib import api, errors, output
+from ipalib import Command
+from ipalib import Flag, Int, List, Str, StrEnum
+from ipalib.plugins.baseldap import *
+from ipalib import _, ngettext
+from ipapython import dnsclient
+
+# supported resource record types
+_record_types = (
+u'A', u'', u'A6', u'AFSDB', u'APL', u'CERT', u'CNAME', u'DHCID', u'DLV',
+u'DNAME', u'DNSKEY', u'DS', u'HINFO', u'HIP', u'IPSECKEY', u'KEY', u'KX',
+u'LOC', u'MD', u'MINFO', u'MX', u'NAPTR', u'NS', u'NSEC', u'NSEC3',
+u'NSEC3PARAM', u'NXT', u'PTR', u'RRSIG', u'RP', u'SIG', u'SPF', u'SRV',
+u'SSHFP', u'TA', u'TKEY', u'TSIG', u'TXT',
+)
+
+# attributes derived from record types
+_record_attributes = [str('%srecord' % t.lower()) for t in _record_types]
+
+# supported DNS classes, IN = internet, rest is almost never
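Review bot: the docstring examples in this hunk contain mistakes that users will copy verbatim: the PTR example `ipa dnsrecord 15.142.80.in-addr.arpa 2 --ptr-rec www.example.com.` is missing the `-add` suffix, and "edd second nameserver" / "it's domain name" should read "Add second nameserver" / "its domain name". Separately, `_record_types` has an empty entry `u''` between `u'A'` and `u'A6'`, which `_record_attributes` turns into an attribute literally named `record`; if that slot was meant to be the AAAA type, restore it, otherwise drop the entry. The wildcard `from ipalib.plugins.baseldap import *` also pulls every baseldap name into this module; importing the classes the plugin actually uses by name makes shadowing easier to spot.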

Re: [Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.

2010-10-21 Thread Pavel Zuna

On 10/20/2010 11:42 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

On 10/14/2010 03:30 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

There was no default value set even though we were using config.get and
it was throwing exceptions if someone deleted one of the related config
values.

Pavel


Is this needed since get_ipa_config() will always return something for
time and search limits?

rob


Yes, because get_ipa_config will return defaults for time and search
limits only when the whole ipaConfig entry isn't found.

I reworked the patch, so that defaults are always returned by
get_ipa_config, but I left changes from the previous version, because it
doesn't hurt anything and is a (very little) bit safer.

New version attached.

Pavel


I see your point. One can do 'ipa config-mod --searchtimelimit=' and
blam, everything stops working. This still seems like a bit of a
cover-up fix for that. Should we prevent these attributes from being
removed?


We could do that, but it's always possible to delete the attribute using 
ldapmodify or some other tool.




rob


Pavel

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.

2010-10-20 Thread Pavel Zuna

On 10/14/2010 03:30 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

There was no default value set even though we were using config.get and
it was throwing exceptions if someone deleted one of the related config
values.

Pavel


Is this needed since get_ipa_config() will always return something for
time and search limits?

rob


Yes, because get_ipa_config will return defaults for time and search limits only 
when the whole ipaConfig entry isn't found.


I reworked the patch, so that defaults are always returned by get_ipa_config, 
but I left changes from the previous version, because it doesn't hurt anything 
and is a (very little) bit safer.


New version attached.

Pavel


pzuna-freeipa-0033-2-limitdefaults.patch
Description: application/mbox

Re: [Freeipa-devel] [PATCH] 552 handle setattr/addattr better

2010-10-14 Thread Pavel Zuna

On 09/29/2010 11:03 PM, Rob Crittenden wrote:

When doing an addattr check to see if we are creating a multi-value
attribute and see if that is allowed by the Param and/or the attribute
in the schema (SINGLE-VALUE).

Pavel, check my fix in the exception callback. It was passing attrs_list
but that isn't set until later. I decided to send an empty list instead.

Also catch RDN update exceptions and return an error about primary keys
(which this essentially means).

ticket 230

rob


NACK.

The patch isn't all bad, but the single-value check is in the wrong place. As a 
result, it only applies when someone tries to add a new value to attributes 
already present in the original entry. It won't fire when someone is trying to 
add more than one value if there was none before and it also won't fire when 
creating new entries.


I reworked your patch a bit and merged it with my patch number 32, because they 
overlap in functionality.


See freeipa-devel thread: [PATCH] Check if attribute is single-value before 
trying to add values to it.


Pavel



Re: [Freeipa-devel] [PATCH] Check if attribute is single-value before trying to add values to it.

2010-10-14 Thread Pavel Zuna

On 10/14/2010 12:01 AM, Rob Crittenden wrote:

Pavel Zuna wrote:

This patch adds a check in ldap2 for single-value attributes. DS doesn't
seem to care much about attributes being defined as SINGLE-VALUE except
for things like uidNumber and gidNumber (I suspect this is handled by
the DNA plugin).

Ticket #246

Pavel


This is similar to ticket 220 which I have a pending patch for (patch
552). I think both patches are valid but we should test them together to
be sure. Can you do that?

rob


I had to NACK your patch number 552, because the check was in the wrong place.

Both patches overlap in functionality, so I decided to merge them into a new 
version of my original patch.


I split the single-value check into two parts:

First part is in baseldap classes (LDAPCreate, LDAPUpdate) and it checks that 
we're not trying to add more values to a Param-defined attribute that is not 
flagged as multivalue.


Second part is in the ldap2 backend. It checks that we're not trying to add more 
values to an attribute that is defined as SINGLE-VALUE in the schema. 
Unfortunately, it seems that python-ldap isn't capable of reporting the 
SINGLE-VALUE flag reliably and DS doesn't enforce it at all. In other words, 
this check is a bit weak, but still better than nothing.


I hope you don't mind I merged both patches, but it seemed simpler and we can 
knock out 2 tickets in one commit. :)


Ticket #230
Ticket #246

Pavel
From adff41671b7f04f718085711401e7328390151ae Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Thu, 14 Oct 2010 13:05:43 -0400
Subject: [PATCH 1/2] Disallow RDN change and single-value bypass using setattr/addattr.

Merge of my original patch number 32 and Rob's patch number 552.

Ticket #230
Ticket #246
---
 ipalib/errors.py   |   33 -
 ipalib/frontend.py |2 +-
 ipalib/plugins/baseldap.py |   14 +-
 ipaserver/plugins/ldap2.py |   44 +++-
 4 files changed, 77 insertions(+), 16 deletions(-)

diff --git a/ipalib/errors.py b/ipalib/errors.py
index 42d43ce..db13a43 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -1162,7 +1162,7 @@ class DatabaseError(ExecutionError):
 
 
 errno = 4203
-format = _('%(desc)s:%(info)s')
+format = _('%(desc)s: %(info)s')
 
 
 class LimitsExceeded(ExecutionError):
@@ -1195,6 +1195,37 @@ class ObjectclassViolation(ExecutionError):
 errno = 4205
 format = _('%(info)s')
 
+class NotAllowedOnRDN(ExecutionError):
+
+**4206** Raised when an RDN value is modified.
+
+For example:
+
+ raise NotAllowedOnRDN()
+Traceback (most recent call last):
+  ...
+NotAllowedOnRDN: modifying primary key is not allowed
+
+
+errno = 4206
+format = _('modifying primary key is not allowed')
+
+
+class OnlyOneValueAllowed(ExecutionError):
+
+**4207** Raised when trying to set more than one value to single-value attributes
+
+For example:
+
+ raise OnlyOneValueAllowed(attr='ipasearchtimelimit')
+Traceback (most recent call last):
+  ...
+OnlyOneValueAllowed: ipasearchtimelimit: attribute is single-value
+
+
+errno = 4207
+format = _('%(attr)s: attribute is single-value')
+
 
 class CertificateError(ExecutionError):
 
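Review bot: `NotAllowedOnRDN` reports only "modifying primary key is not allowed", while the sibling `OnlyOneValueAllowed` names the offending attribute through `%(attr)s`; since both are reached from `--setattr`/`--addattr` processing, give `NotAllowedOnRDN` an `attr` field as well (`format = _('%(attr)s: modifying primary key is not allowed')`) so the user can see which attribute was rejected.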
diff --git a/ipalib/frontend.py b/ipalib/frontend.py
index c9c070d..96649d9 100644
--- a/ipalib/frontend.py
+++ b/ipalib/frontend.py
@@ -504,7 +504,7 @@ class Command(HasParam):
 a dictionary. The incoming attribute may be a string or
 a list.
 
-Any attribute found that is also a param is silently dropped.
+Any attribute found that is also a param is validated.
 
 append controls whether this returns a list of values or a single
 value.
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 2335a7a..caa616a 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -157,6 +157,14 @@ _attr_options = (
 ),
 )
 
+# addattr can cause parameters to have more than one value even if not defined
+# as multivalue, make sure this isn't the case
+def _check_single_value_attrs(params, entry_attrs):
+for (a, v) in entry_attrs.iteritems():
+if isinstance(v, (list, tuple)) and len(v)  1:
+if a in params and not params[a].multivalue:
+raise errors.OnlyOneValueAllowed(attr=a)
+
 
 class CallbackInterface(Method):
 
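Review bot: the condition in `_check_single_value_attrs` reads `if isinstance(v, (list, tuple)) and len(v)  1:` with no comparison operator between `len(v)` and `1` in the listing as posted, which is a syntax error as shown; confirm the intended `>` is present in the patch file before pushing. The lookup `a in params` also assumes every key in `entry_attrs` is spelled exactly like its Param name; an attribute whose Param has a different name, or that has no Param at all, is silently skipped here. That is fine as long as the schema-level check in ldap2 is the fallback, but a comment saying so would help the next reader.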
@@ -277,6 +285,8 @@ class LDAPCreate(CallbackInterface, crud.Create):
 self, ldap, dn, entry_attrs, attrs_list, *keys, **options
 )
 
+_check_single_value_attrs(self.params, entry_attrs)
+
 try:
 ldap.add_entry(dn, entry_attrs, normalize=self.obj.normalize_dn)
 except errors.ExecutionError, e:
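Review bot: calling `_check_single_value_attrs` after `self.pre_callback(...)` is the right place, since callbacks may add values themselves, but the `LDAPUpdate` hunk is cut off in this listing so I cannot see the matching call on the update path; it must run there too, otherwise `--addattr` on a `*-mod` command still bypasses the Param's `multivalue` flag, which is exactly the case this patch is meant to close.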
@@ -464,7 +474,7 @@ class LDAPUpdate(LDAPQuery, crud.Update):
 except errors.ExecutionError, e:
 try:
 (dn, old_entry
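The two-level check described in the message above, as an added stand-alone example (this is not ipalib code): `check_param_multivalue` mirrors the baseldap side, rejecting more than one value for a Param not flagged `multivalue`, and `plan_attribute_update` mirrors the ldap2 side, computing adds and removals against the stored entry and rejecting more than one resulting value for an attribute whose schema entry is SINGLE-VALUE. `Param`, `PARAMS` and `SCHEMA_SINGLE_VALUE` are constructed stand-ins for the real Param objects and server schema.

```python
from dataclasses import dataclass


class OnlyOneValueAllowed(Exception):
    """Raised when more than one value would end up in a single-value attribute."""

    def __init__(self, attr):
        super().__init__('%s: attribute is single-value' % attr)
        self.attr = attr


@dataclass(frozen=True)
class Param:
    """Constructed stand-in for an ipalib Param; only the multivalue flag matters here."""
    name: str
    multivalue: bool = False


def _as_list(value):
    return list(value) if isinstance(value, (list, tuple, set)) else [value]


def check_param_multivalue(params, entry_attrs):
    """baseldap-level check: --addattr must not push a single-valued Param past one value.
    Attributes without a Param are skipped; the schema check below covers them."""
    for attr, value in entry_attrs.items():
        if len(_as_list(value)) > 1 and attr in params and not params[attr].multivalue:
            raise OnlyOneValueAllowed(attr)


def plan_attribute_update(schema_single_value, old_entry, new_entry):
    """ldap2-level check: compute adds/removals per attribute against the stored entry
    and decide whether to replace or add/delete. schema_single_value maps an attribute
    name to its SINGLE-VALUE flag (a constructed stand-in for the server schema)."""
    plan = {}
    for attr, value in new_entry.items():
        new_v = set(_as_list(value))
        old_v = set(_as_list(old_entry.get(attr, [])))
        adds = new_v - old_v
        rems = old_v - new_v
        if not adds and not rems:
            continue
        is_single = schema_single_value.get(attr.lower(), False)
        # The resulting value set is what matters, not adds versus removals: giving a
        # single-value attribute its first value is one add and zero removals.
        if is_single and len(new_v) > 1:
            raise OnlyOneValueAllowed(attr)
        if is_single or (len(adds) == 1 and len(rems) == 1):
            plan[attr] = ('replace', sorted(new_v))
        else:
            plan[attr] = ('modify', sorted(adds), sorted(rems))
    return plan


def violation(fn, *args):
    """Return the offending attribute name if fn(*args) raises OnlyOneValueAllowed, else None."""
    try:
        fn(*args)
    except OnlyOneValueAllowed as e:
        return e.attr
    return None


# Constructed Params and schema flags, modelled on attributes discussed in the thread.
PARAMS = {
    'uid': Param('uid'),
    'mail': Param('mail', multivalue=True),
    'ipasearchtimelimit': Param('ipasearchtimelimit'),
}
SCHEMA_SINGLE_VALUE = {'uid': True, 'uidnumber': True, 'ipasearchtimelimit': True, 'mail': False}


if __name__ == '__main__':
    # Two values for a single-valued Param are caught before the entry reaches LDAP.
    print(violation(check_param_multivalue, PARAMS, {'ipasearchtimelimit': ['2', '5']}))
    # Adding a second mail address is a plain add on a multi-valued attribute.
    print(plan_attribute_update(SCHEMA_SINGLE_VALUE, {'mail': ['a@example.test']},
                                {'mail': ['a@example.test', 'b@example.test']}))
```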

[Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.

2010-10-14 Thread Pavel Zuna
There was no default value set even though we were using config.get and it was 
throwing exceptions if someone deleted one of the related config values.


Pavel
From 5dfda61f3995f4d5ae5813b7f70f2d2658a687f0 Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Thu, 14 Oct 2010 10:54:24 -0400
Subject: [PATCH 2/2] Add fail-safe defaults to time and size limits in ldap2 searches.

---
 ipaserver/plugins/ldap2.py |4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 096d3a3..1d18bbb 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -515,9 +515,9 @@ class ldap2(CrudBackend, Encoder):
 if time_limit is None or size_limit is None:
 (cdn, config) = self.get_ipa_config()
 if time_limit is None:
-time_limit = config.get('ipasearchtimelimit')[0]
+time_limit = config.get('ipasearchtimelimit', [-1])[0]
 if size_limit is None:
-size_limit = config.get('ipasearchrecordslimit')[0]
+size_limit = config.get('ipasearchrecordslimit', [0])[0]
 if not isinstance(size_limit, int):
 size_limit = int(size_limit)
 if not isinstance(time_limit, float):
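Review bot: the fallbacks chosen here, `[-1]` for `ipasearchtimelimit` and `[0]` for `ipasearchrecordslimit`, are the values that mean "no limit" for an LDAP search (a timeout of -1 and a size limit of 0 disable the respective limit), so deleting either attribute from cn=ipaconfig now silently switches off the protection against long or very large searches instead of raising an exception. A safer fail-safe is the value the installer writes into the config entry, so that a missing attribute degrades to the normal limit rather than to unlimited.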
-- 
1.7.1.1


[Freeipa-devel] [PATCH] Check if attribute is single-value before trying to add values to it.

2010-10-13 Thread Pavel Zuna
This patch adds a check in ldap2 for single-value attributes. DS doesn't seem to 
care much about attributes being defined as SINGLE-VALUE except for things like 
uidNumber and gidNumber (I suspect this is handled by the DNA plugin).


Ticket #246

Pavel
From 94681f66292904979227bbe2fed058ba9b1a23a4 Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Wed, 13 Oct 2010 12:40:51 -0400
Subject: [PATCH] Check if attribute is single-value before trying to add values to it.

Ticket #246
---
 ipalib/errors.py   |2 +-
 ipaserver/plugins/ldap2.py |   16 +++-
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/ipalib/errors.py b/ipalib/errors.py
index 42d43ce..fd96e57 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -1162,7 +1162,7 @@ class DatabaseError(ExecutionError):
 
 
 errno = 4203
-format = _('%(desc)s:%(info)s')
+format = _('%(desc)s: %(info)s')
 
 
 class LimitsExceeded(ExecutionError):
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 2213df0..1c5a84f 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -690,13 +690,19 @@ class ldap2(CrudBackend, Encoder):
 adds = list(v.difference(old_v))
 rems = list(old_v.difference(v))
 
+is_single_value = False
+if self.schema:
+obj = self.schema.get_obj(_ldap.schema.AttributeType, k)
+is_single_value = obj and obj.single_value
+
+if is_single_value and len(adds)  1 or len(adds)  len(rems):
+raise errors.DatabaseError(
+info='attribute is single-value', desc=k
+)
+
 force_replace = False
-if k in self._FORCE_REPLACE_ON_UPDATE_ATTRS:
+if k in self._FORCE_REPLACE_ON_UPDATE_ATTRS or is_single_value:
 force_replace = True
-elif self.schema:
-obj = self.schema.get_obj(_ldap.schema.AttributeType, k)
-if obj and obj.single_value:
-force_replace = True
 elif len(adds) == 1 and len(rems) == 1:
 force_replace = True
 
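Review bot: the comparison operators in `if is_single_value and len(adds)  1 or len(adds)  len(rems):` did not survive the mail rendering, but whatever they are, `and` binds tighter than `or`, so the second comparison applies to every attribute, not only single-value ones: a multi-valued attribute given two new values and no removals satisfies `len(adds) > len(rems)` and the update is rejected as "attribute is single-value". Even parenthesized, `len(adds) > len(rems)` is also true when a single-value attribute that had no value gets its first one (one add, zero removals). Since single-value attributes are force-replaced below, the check that matches the replace semantics is on the resulting value set: `is_single_value and len(v) > 1`. Raising a generic `DatabaseError` with `desc=k` also presents this to the user as a database failure; a dedicated error class is clearer.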
-- 
1.7.1.1


Re: [Freeipa-devel] [PATCH] 570 enforce max username length

2010-10-13 Thread Pavel Zuna

On 10/11/2010 05:19 PM, Rob Crittenden wrote:

Enforce the configurable max username length from cn=ipaconfig.

rob



This will raise an exception if the ipaMaxUsernameLength attribute isn't present 
in the config entry. I know it's not very likely, but it would be better to 
retrieve the attribute first and only do the length check if it is set.


Pavel



Re: [Freeipa-devel] [PATCH] 569 detect when DNS is not configured

2010-10-13 Thread Pavel Zuna

On 10/11/2010 04:55 PM, Rob Crittenden wrote:

Detect when DNS is not configured and return an error message when using
the command-line.

It would be nicer if we disabled the command altogether but this would
require checking the server to see every time the ipa command is
executed (which would be bad). We can't store this in a configuration
file because it is possible to add a DNS post-install (and it would
require adding this to every single client install).

ticket 147

rob



ACK.

Pavel



Re: [Freeipa-devel] [PATCH] 571 return non-zero on *-find when nothing is found

2010-10-13 Thread Pavel Zuna

On 10/11/2010 06:58 PM, Rob Crittenden wrote:

Return non-zero when the number of entries from *-find returned is zero.

ticket 325

rob



ACK.

Pavel



Re: [Freeipa-devel] [PATCH] 570 enforce max username length

2010-10-13 Thread Pavel Zuna

On 10/13/2010 03:46 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

On 10/11/2010 05:19 PM, Rob Crittenden wrote:

Enforce the configurable max username length from cn=ipaconfig.

rob



This will raise an exception if the ipaMaxUsernameLength attribute isn't
present in the config entry. I know it's not very likely, but it would
be better to retrieve the attribute first and only do the length check
if it is set.

Pavel


Ok, new patch attached. get_ipa_config() always returns a dict (unless
things really go south in which case missing this attribute is the least
of our problems).

rob


ACK.

Pavel



[Freeipa-devel] [PATCH] Fix attribute callbacks on details pages in the webUI.

2010-10-06 Thread Pavel Zuna

Fixes bug reported by Adam in internal discussion.

Ticket #326

Pavel
From 4ca5f618913d780e018e37e03b159201bffb9996 Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Wed, 6 Oct 2010 12:01:02 -0400
Subject: [PATCH] Fix attribute callbacks on details pages in the webUI.

Ticket #326
---
 install/static/details.js |   20 
 1 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/install/static/details.js b/install/static/details.js
index f16dc36..99666b1 100644
--- a/install/static/details.js
+++ b/install/static/details.js
@@ -79,19 +79,23 @@ function ipa_generate_dl(jobj, id, name, dts)
 
 for (var i = 0; i  dts.length; ++i) {
 var label = '';
-if (dts[i][0].indexOf('call_') != 0) {
-var param_info = ipa_get_param_info(obj_name, dts[i][0]);
-if (param_info)
-label = param_info['label'];
-}
+var param_info = ipa_get_param_info(obj_name, dts[i][0]);
+if (param_info)
+label = param_info['label'];
 if ((!label)  (dts[i].length  1))
 label = dts[i][1];
+
+var title = dts[i][0];
+if (typeof dts[i][2] == 'function')
+title = 'call_' + dts[i][2].name;
 dl.append(
-$('dt/',{
-title:dts[i][0],
-html:label+:})
+$('dt/dt', {
+title: title,
+html: label + ':',
+})
 );
 }
+
 parent.append(dl);
 parent.append('hr/');
 }
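Review bot: `title = 'call_' + dts[i][2].name` relies on `Function.name`, which is an empty string for anonymous functions (and not available in the Internet Explorer versions of this era), so every callback passed as an anonymous function gets the same title `call_`. Either pass the name explicitly in the `dts` tuple or fall back to `dts[i][0]` when `.name` is empty. The trailing comma after `html: label + ':',` in the object literal is also a syntax error in IE8 and earlier; drop it.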
-- 
1.7.1.1


[Freeipa-devel] [PATCH] Fix inconsistent error message when deleting groups that don't exist.

2010-10-06 Thread Pavel Zuna
The pre_callback in group_del was using a direct ldap2 call with no exception 
handling.


Ticket #292

Pavel
From 60eb789c84f91c5911dec397c528fd8a2e21ef99 Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Wed, 6 Oct 2010 13:45:20 -0400
Subject: [PATCH] Fix inconsistent error message when deleting groups that don't exist.

Ticket #292
---
 ipalib/plugins/group.py |4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index fae6a28..9beef00 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -165,7 +165,9 @@ class group_del(LDAPDelete):
 def_primary_group_dn = group_dn = self.obj.get_dn(def_primary_group)
 if dn == def_primary_group_dn:
 raise errors.DefaultGroup()
-(group_dn, group_attrs) = ldap.get_entry(dn)
+(group_dn, group_attrs) = self.obj.methods.show(
+self.obj.get_primary_key_from_dn(dn)
+)
 if 'mepmanagedby' in group_attrs:
 raise errors.ManagedGroupError()
 return dn
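Review bot: `self.obj.methods.show(...)` is the `group_show` command, and calling a command returns its output dict (`result`, `value`, `summary`), not the `(dn, entry_attrs)` pair that `ldap.get_entry` returned, so unpacking it into `(group_dn, group_attrs)` does not yield the attribute dict and the `'mepmanagedby' in group_attrs` test below is evaluated against the wrong object. Use `group_attrs = self.obj.methods.show(self.obj.get_primary_key_from_dn(dn))['result']` and drop `group_dn`, which is assigned on the line above as well and never used.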
-- 
1.7.1.1


[Freeipa-devel] [PATCH] Rename user-lock and user-unlock to user-enable user-disable.

2010-10-05 Thread Pavel Zuna

Also fixes related unit tests and therefore depends on my patch number 28.

Ticket #165

Pavel
From 9ead34195c3ef1b3be9f9c57ba54fd2849215ab0 Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Tue, 5 Oct 2010 15:37:37 -0400
Subject: [PATCH] Rename user-lock and user-unlock to user-enable user-disable.

Ticket #165
---
 ipalib/plugins/user.py|   16 
 tests/test_xmlrpc/test_user_plugin.py |   12 ++--
 2 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 0746553..daa5cc4 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -274,13 +274,13 @@ class user_show(LDAPRetrieve):
 api.register(user_show)
 
 
-class user_lock(LDAPQuery):
+class user_disable(LDAPQuery):
 
-Lock a user account.
+Disable user account.
 
 
 has_output = output.standard_value
-msg_summary = _('Locked user %(value)s')
+msg_summary = _('Disabled user account %(value)s')
 
 def execute(self, *keys, **options):
 ldap = self.obj.backend
@@ -297,16 +297,16 @@ class user_lock(LDAPQuery):
 value=keys[0],
 )
 
-api.register(user_lock)
+api.register(user_disable)
 
 
-class user_unlock(LDAPQuery):
+class user_enable(LDAPQuery):
 
-Unlock a user account.
+Enable user account.
 
 
 has_output = output.standard_value
-msg_summary = _('Unlocked user %(value)s')
+msg_summary = _('Enabled user account %(value)s')
 
 def execute(self, *keys, **options):
 ldap = self.obj.backend
@@ -323,4 +323,4 @@ class user_unlock(LDAPQuery):
 value=keys[0],
 )
 
-api.register(user_unlock)
+api.register(user_enable)
diff --git a/tests/test_xmlrpc/test_user_plugin.py b/tests/test_xmlrpc/test_user_plugin.py
index 1850dc1..7d77131 100644
--- a/tests/test_xmlrpc/test_user_plugin.py
+++ b/tests/test_xmlrpc/test_user_plugin.py
@@ -235,27 +235,27 @@ class test_user(Declarative):
 
 
 dict(
-desc='Lock %r' % user1,
+desc='Disable %r' % user1,
 command=(
-'user_lock', [user1], {}
+'user_disable', [user1], {}
 ),
 expected=dict(
 result=True,
 value=user1,
-summary=u'Locked user tuser1',
+summary=u'Disabled user account tuser1',
 ),
 ),
 
 
 dict(
-desc='Unlock %r'  % user1,
+desc='Enable %r'  % user1,
 command=(
-'user_unlock', [user1], {}
+'user_enable', [user1], {}
 ),
 expected=dict(
 result=True,
 value=user1,
-summary=u'Unlocked user tuser1',
+summary=u'Enabled user account tuser1',
 ),
 ),
 
-- 
1.7.1.1


Re: [Freeipa-devel] [PATCH] Add 'continuous' mode to LDAPDelete. Fix *-del unit tests.

2010-10-05 Thread Pavel Zuna

On 10/05/2010 04:47 PM, Pavel Zuna wrote:

All LDAPMultiQuery sub-classes (currently only LDAPDelete) now have the
--continuous flag (off by default). The flag should indicate that the
command shouldn't stop on errors and continue operation with the next
primary key on the arguments lists.

This effectively fixes *-del unit tests, because continuous mode is off
by default. (It was on before this patch and there was no option to turn
it off.)

Ticket #321

Pavel


I forgot to mention that this depends on my patch number 27, because they modify 
the same file (baseldap.py).


Pavel



[Freeipa-devel] [PATCH] Add flag to group-find to only search on private groups.

2010-10-01 Thread Pavel Zuna

Ticket #251

Pavel
From 1bb54788dca503a7b6e25e2fc13a8852174a3827 Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Tue, 21 Sep 2010 13:03:40 -0400
Subject: [PATCH 1/3] Add flag to group-find to only search on private groups.

Ticket #251
---
 ipalib/plugins/group.py |   16 ++--
 1 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 616eff2..b3b6747 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -184,7 +184,6 @@ class group_mod(LDAPUpdate):
 
 Modify a group.
 
-
 msg_summary = _('Modified group %(value)s')
 
 takes_options = LDAPUpdate.takes_options + (
@@ -214,11 +213,24 @@ class group_find(LDAPSearch):
 
 Search for groups.
 
-
 msg_summary = ngettext(
 '%(count)d group matched', '%(count)d groups matched', 0
 )
 
+takes_options = LDAPSearch.takes_options + (
+Flag('privateonly',
+cli_name='privateonly',
+doc=_('search for private groups only'),
+),
+)
+
+def pre_callback(self, ldap, filter, attrs_list, base_dn, *args, **options):
+if options['privateonly']:
+objclass = ['posixGroup', 'mepManagedEntry']
+flt = ldap.make_filter_from_attr('objectclass', objclass)
+filter = ldap.combine_filters([filter, flt], ldap.MATCH_ALL)
+return filter
+
 api.register(group_find)
 
 
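Review bot: `ldap.make_filter_from_attr('objectclass', objclass)` with a list value builds an OR filter if `make_filter_from_attr` keeps its default rule, i.e. `(|(objectclass=posixGroup)(objectclass=mepManagedEntry))`, which matches every POSIX group, so `--privateonly` would not narrow the search at all. Pass `ldap.MATCH_ALL` as the rule (or filter on `mepManagedEntry` alone, since a private group is a managed entry by construction) so the combined filter requires both object classes. `options['privateonly']` would also be safer as `options.get('privateonly', False)` for callers that do not pass the flag.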
-- 
1.7.1.1


Re: [Freeipa-devel] [PATCH] Modal dialog for enrollment

2010-09-23 Thread Pavel Zuna

On 09/23/2010 01:04 AM, Endi Sukma Dewata wrote:

Hi,

Please review the attached patch. Thanks!

The enroll facet has been converted into a dialog box. This dialog
box will appear when the user clicks the enroll button above the
association list. When the user clicks the enroll button in the
dialog box, the new associations will be created, then the list will
be refreshed to show the changes.

The SerialAssociator and BulkAssociator have been modified to accept
an on_success function which will be called when the whole operation
is completed successfully. This is used to refresh the list and close
the dialog box appropriately.

Some other changes were also made to improve code clarity.

--
Endi S. Dewata



ACK.

Pavel



Re: [Freeipa-devel] [PATCH] admiyo-freeipa-0026-fixed-formatting-of-search-table.patch

2010-09-20 Thread Pavel Zuna

On 09/17/2010 04:33 PM, Adam Young wrote:

admiyo-freeipa-0026-fixed-formatting-of-search-table.patch




ACK.

Pavel



Re: [Freeipa-devel] [PATCH] admiyo-freeipa-0027-fix-sampledata.patch

2010-09-20 Thread Pavel Zuna

On 09/17/2010 04:34 PM, Adam Young wrote:

URL needs to be relative, not absolute in order for in tree development




ACK.

Pavel



Re: [Freeipa-devel] [PATCH] admiyo-freeipa-0031-unbroke-the-facets-link.patch

2010-09-20 Thread Pavel Zuna

On 09/17/2010 04:41 PM, Adam Young wrote:

This has a fix for a previous patch which turned the facets into a
horizontal list, but broke the clickability.




ACK.

Pavel



Re: [Freeipa-devel] [PATCH] admiyo-freeipa-0032-css-cleanup.patch

2010-09-20 Thread Pavel Zuna

On 09/17/2010 04:42 PM, Adam Young wrote:

Fixes many of the CSS issues introduced by jquery.ui.tabs.  Not all, but
it looks a lot better




ACK.

Pavel



Re: [Freeipa-devel] [PATCH] admiyo-freeipa-0033-pointer-cursor-for-facets.patch

2010-09-20 Thread Pavel Zuna

On 09/17/2010 04:43 PM, Adam Young wrote:

Changes the mouse icon for facets to the pointer, signifying clickability




ACK.

Pavel



Re: [Freeipa-devel] [PATCH] Icons

2010-09-20 Thread Pavel Zuna

On 09/18/2010 02:35 AM, Adam Young wrote:

These are just place holder icons until we get the official ones from
UXD.  They look roughly like the finished product, but have some rough
points. They will be used by the next patch to Generate the quick links
and facets.

This is a huge patch, but it is all binary files.



ACK.

Pavel



Re: [Freeipa-devel] [PATCH] admiyo-freeipa-0030-moved-images-up.patch

2010-09-20 Thread Pavel Zuna

On 09/17/2010 04:38 PM, Adam Young wrote:

moved images up
Adding an 'images' subdir was proliferating changes throughout the build
system
this seemed easier

Submitted as a separate patch to signify where we are departing from
what is generated by theme-roller



Doesn't apply for me. Missing some image files and doesn't apply on 
jquery-ui.css.

I applied all your patches I could find before this one, but I can't find number 
28 on the list. Maybe that's the reason.


Pavel



Re: [Freeipa-devel] [PATCH] admiyo-freeipa-0036-links-and-facet-icons.patch

2010-09-20 Thread Pavel Zuna

On 09/18/2010 02:36 AM, Adam Young wrote:

This patch makes use of the previous patch to put the icons in the
facets and quick links



It looks OK, but I can't test it because the required patch 30 doesn't apply 
for me.

Pavel



Re: [Freeipa-devel] [PATCH] admiyo-freeipa-0019-associations.patch

2010-09-07 Thread Pavel Zuna

On 09/04/2010 04:29 AM, Adam Young wrote:

You are right.  the 'this' pointer always gets overridden, so it has to
be assigned to another variable name in order to get used in a closure.

Here's an updated patch



On 09/03/2010 05:20 PM, Endi Sukma Dewata wrote:

Hi Adam,

Thanks for the update. I found a problem, the this.pkey in the
callback function below is undefined so it won't load the values back
in the details page.

diff --git a/install/static/associate.js b/install/static/associate.js
index dabc76c..ae1f4af 100644
--- a/install/static/associate.js
+++ b/install/static/associate.js
@@ -90,10 +90,10 @@ function BulkAssociator(form, pkey, manyObjPkeys){
function(response){
var qs = ipa_parse_qs();
if (response.error){
- alert(error adding memeber);
+ alert(error adding member);
}else{
location.hash=tab= +form.oneObj
- +facet=detailspkey=+this.pkey;
+ +facet=detailspkey=+pkey;
}
},
function(response){

Attached is the service tab I've been working on. Sometimes the
enrollment page doesn't work quite right. When I click Find it
will show the available hosts, but sometimes it would replace the
list immediately with the list of available users. Probably the
previous click handler still got called somehow.

--
Endi S. Dewata

- Adam Youngayo...@redhat.com wrote:


Updated version that provides the means to overload the method called.

This was requested by edewata to support services. I also simplified

some of the internal code .

https://fedorahosted.org/freeipa/attachment/ticket/104/admiyo-freeipa-0019-2-associations.patch




Let's get this in. ACK.

There are some white-space warnings, remove them before pushing.

Pavel



Re: [Freeipa-devel] [PATCH] 514 make ldap2 class work with clients

2010-09-07 Thread Pavel Zuna

On 08/19/2010 01:08 AM, Rob Crittenden wrote:

Make ldap2 class work as a client library as well.

Move the user-private group caching code out of the global config and
determine the value the first time it is needed.

Renamed global_init() back to get_schema() and make it take an optional
connection. This solves the problem of being able to do all operations
with a simple bind instead of GSSAPI.

Moved the global get_syntax() into a class method so that a schema can
be passed in.

If a schema wasn't loaded during the module import then it is loaded
when the connection is created (so we have the credentials needed for
binding).

ticket 63

rob



Sorry it took me so long to review this patch. ACK!

Pavel



Re: [Freeipa-devel] BA-BBQ

2010-08-23 Thread Pavel Zuna

On 08/23/2010 04:12 AM, Adam Young wrote:

Pavel,


Thoughts of jquery.ba-bbq have been marinating in the back of my brain.
I know that the Back button doesn't work so well with hash params, and
that BBQ purports to fix this, but I had some sort of mental shift I had
to make. I think I have it now.

BBQ, and in fact the whole AJAX approach works off of client side code,
which means the whole hash params approach. What I didn't get was that
the best approach to dealing with this was to drive the site off of the
event that happens when the url hash changes. We need to do this.

Basically, navigation.js registers:

$(window).bind( 'hashchange', function(e) {
...
}

This function gets called each time the URL hash changes, which happens
on either a tab click or on a back button (let's start with those two,
there will be more)


So basically, this function is our dispatch. Instead of having to
register the onclick functions for each of the tabs, we know that they
will all end up in this function, and then we let it parse the params
for us.

BBQ has the concept of a stack, where we can push and pop state. This
might be useful for pushing a query, going to the details page, and then
popping the query afterwards. I'm still mulling this over.


Note, we will want to replace the custom hash param working we are doing
with JQuery.deparam and JQuery.param calls, as they are much more
mature, and it is less code we have to debug.

Sure, from what I've read in jQuery docs, it looks more powerful than what we 
currently have.



The thing I have to figure out now is what this will do to navigation on
the details, add and groups pages.

I don't think it will be a problem. Functional links (such as Reset, Update, 
Add, Remove) are only used to run javascript functions - the URL, query string 
or hash doesn't change. Most of these actions are also one way only. We don't 
want the user to be able to go Back after he updated an entry. (Going back in 
this case should probably bring him back to the search page).


Pavel
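As an added example, not code from this thread or from FreeIPA's navigation.js: a plain-JavaScript version of the hashchange dispatcher described above. It assumes a hypothetical TAB_HANDLERS table, parses the fragment the way jQuery.deparam would (percent-decoding, '+' as space), and dispatches only to tab names present in that table, because the fragment is attacker-controllable input (anyone can craft a link) and must not select code or DOM elements unchecked.

```javascript
// Added example, not FreeIPA's navigation.js: a hashchange dispatcher that
// parses the URL fragment into params and routes to a whitelisted tab handler.
// The fragment is user-controlled input (anyone can craft a link), so nothing
// taken from it is allowed to pick a handler or a DOM element unvalidated.

// Hypothetical handler table; each handler returns a string for testability.
const TAB_HANDLERS = {
  users: (p) => `users:search=${p.search || ''}`,
  groups: (p) => `groups:search=${p.search || ''}`,
  details: (p) => `details:pkey=${p.pkey || ''}`,
};

// Minimal jQuery.deparam-style parser for "#key=value&key2=value2" fragments.
function parseHashParams(hash) {
  const params = Object.create(null); // no prototype: '__proto__' etc. are inert
  const body = hash.startsWith('#') ? hash.slice(1) : hash;
  for (const pair of body.split('&')) {
    if (!pair) continue;
    const idx = pair.indexOf('=');
    const rawKey = idx === -1 ? pair : pair.slice(0, idx);
    const rawVal = idx === -1 ? '' : pair.slice(idx + 1);
    let key, val;
    try {
      key = decodeURIComponent(rawKey.replace(/\+/g, ' '));
      val = decodeURIComponent(rawVal.replace(/\+/g, ' '));
    } catch (e) {
      continue; // malformed percent-encoding: drop the pair rather than guess
    }
    if (!/^[A-Za-z0-9_-]{1,64}$/.test(key)) continue; // keys are identifiers only
    params[key] = val;
  }
  return params;
}

// Dispatch one fragment. Unknown or missing tab names fall back to a default
// instead of being interpolated into a selector, URL or HTML.
function dispatchHash(hash, handlers = TAB_HANDLERS, defaultTab = 'users') {
  const params = parseHashParams(hash);
  const tab = Object.prototype.hasOwnProperty.call(handlers, params.tab)
    ? params.tab
    : defaultTab;
  return handlers[tab](params);
}

// The jQuery.param side: build a fragment for a navigation action.
function buildHash(params) {
  return '#' + Object.keys(params)
    .map((k) => encodeURIComponent(k) + '=' + encodeURIComponent(params[k]))
    .join('&');
}

// In a browser, drive the whole page off hashchange, as the thread proposes,
// so tab clicks and the Back button go through the same dispatcher.
if (typeof window !== 'undefined') {
  window.addEventListener('hashchange', () => dispatchHash(window.location.hash));
}
```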



Re: [Freeipa-devel] Extending Details, user and otherwise

2010-08-23 Thread Pavel Zuna

On 08/17/2010 08:12 PM, Adam Young wrote:

The structure of our details code is basically

[categoryId, categoryDisplay, attributes]

and attributes are

[attributeId, attributeDisplay,


I've inlined the user details at the bottom as an example.


In order to make these configurable by the end user, here is a strawman
proposal:


Create a dir under /var/lib/ipa/details with code that will, at run
time, get validated and then appended to the web code. This code, unlike
the resources approach, will not be autogenerated.
The code for the user details gets pre-populated there from a static
copy somewhere under /usr/share/ipa. The end user can then customize it
to add or remove fields.
If they so desire, they can add in custom javascript code that will
provide more advanced UI. An example might be an interactive map for
showing seat and parking assignments.


IPA server install and uninstall will be aware of these files, and treat
them gently. Doing an install will not overwrite the files if they are
present, but will instead rename and back them up. Same with uninstall,
unless an additional option is given (for example --ultraclean) that is
responsible for removing all vestiges of IPA from a system.

The details pages will be named collection-details.js:
user-details.js, group-details.js and so forth.


As I said, this is a strawman. Please poke holes in it, and make better
suggestions.



That's one possible way. I was thinking of something a little bit different, but 
similar from the user perspective.


We could have the insert-object-name-here-details.js files under (for example) 
/etc/ipa/webui/ and /usr/share/ipa/static would have symlinks to them. It's 
basically the same thing Adam proposed, but in this case, we don't have to 
monitor, generate or append anything. We only need to make sure not to overwrite 
these files after installation.


Take it as just another proposal, because I'm not sure if it's 100% compatible 
with the Linux file system philosophy. There might also be some security risks 
using symlinks to /etc/*, although I'm not aware of any.


Pavel



[Freeipa-devel] [PATCH] Add link to json2.js to index.xhtml.

2010-08-18 Thread Pavel Zuna

Applies after Adam's 0008 patch (Hash params).

Pavel
From 4be347d0cdf5f65d9360e8483d09076b45163d5b Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Wed, 18 Aug 2010 12:39:09 -0400
Subject: [PATCH] Add link to json2.js to index.xhtml.

---
 install/static/index.xhtml |1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/install/static/index.xhtml b/install/static/index.xhtml
index 8cde161..69c1b99 100644
--- a/install/static/index.xhtml
+++ b/install/static/index.xhtml
@@ -5,6 +5,7 @@
 titleIPA: Identity Policy Audit/title
 link href=ipa.css  rel=stylesheet type=text/css /
 
+script type=text/javascript src=json2.js/script
 script type=text/javascript src=jquery.js/script
 script type=text/javascript src=jquery.cookie.js/script
 
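Review bot: the diffstat above lists only install/static/index.xhtml as changed, so this hunk makes the page request json2.js without that file being added to install/static or to whatever installs that directory; either ship json2.js in the same patch or state in the commit message which earlier patch provides it, so the page does not reference a missing script. Since it is third-party code loaded with the page's full privileges, the copy that lands in install/static should be a pinned, reviewed version rather than whatever is fetched at build time.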
-- 
1.7.1.1


[Freeipa-devel] [PATCH] Improve serialization to JSON.

2010-08-10 Thread Pavel Zuna

- Make it recursive.
- Make Param classes serializable.
- Take python native data types into account.

Pavel


pzuna-freeipa-0010-json.patch
Description: application/mbox

[Freeipa-devel] [PATCH] Add a new INTERNAL plugin that exports plugin meta-data into JSON.

2010-08-10 Thread Pavel Zuna

This is required for the webUI, since we're dropping Genshi. *ehm* :)

You can't use this command on the CLI. It takes one optional argument:
the name of an IPA object. If not specified, meta-data for all objects
are returned.

Note: If you want to try it out on the CLI, just comment out the INTERNAL = True 
line.


Pavel


pzuna-freeipa-0011-export.patch
Description: application/mbox

[Freeipa-devel] [PATCH] Clean ipa.js and make it load plugin meta-data over JSON-RPC.

2010-08-10 Thread Pavel Zuna

What does it mean?
Well, first I removed some development control variables from ipa.js.
Namely useSampleData and sizelimit. I moved useSampleData to the top
of index.xhtml. This way we won't forget about it when we don't need
it anymore. sizelimit has nothing to do in ipa.js and shouldn't be hardcoded
for ALL commands! Some don't have this parameter and could fail.

Since ipa_init now loads meta-data over JSON-RPC, we need to wait for
it to finish its job. That's why I put a second parameter to ipa_init:
on_win. ipa_init will call on_win when all data is loaded properly and
we can start building the page.

Pavel


pzuna-freeipa-0012-cleanipajs.patch
Description: application/mbox

[Freeipa-devel] [PATCH] Clean details.js.

2010-08-10 Thread Pavel Zuna

What does it mean?
I removed duplicate code, that was pasted here from the user details page.

ipa_details_init doesn't call ipa_init anymore.

ipa_details_create takes a second optional parameter, that can be set to
a container element if we want to place the definition lists into a specific
element instead of body. In our case, we place stuff in <div id="content">

Pavel


pzuna-freeipa-0013-cleandetailsjs.patch
Description: application/mbox

[Freeipa-devel] [PATCH] Stretch content div and make Reset/Update buttons stick to right.

2010-08-10 Thread Pavel Zuna
I know that the user details page still doesn't look exactly like the mockups, 
but it's getting there and it's mostly just a matter of moving elements around - 
easy.


Pavel


pzuna-freeipa-0015-detailscss.patch
Description: application/mbox

Re: [Freeipa-devel] [PATCH] 506 correct ipa-server-install man page

2010-08-10 Thread Pavel Zuna

On 08/10/2010 07:20 PM, Rob Crittenden wrote:

The ipa-server-install man page still referred to the deprecated --ca
option to configure a dogtag instance. Drop that and include information
on the --selfsign option.

rob



ack.

Pavel



Re: [Freeipa-devel] [PATCH] 481 add has_output_params support to Method class

2010-07-13 Thread Pavel Zuna

On 07/12/2010 10:47 PM, Rob Crittenden wrote:

When figuring out what to display has_output_params was being ignored by
descendants of the Method class.

rob


ACK.

Pavel



Re: [Freeipa-devel] [PATCH] 483 disable service/host

2010-07-13 Thread Pavel Zuna

On 07/12/2010 11:48 PM, Rob Crittenden wrote:

This patch supersedes patch 479 which is now defunct. It relies on patch
481.

Add API to delete a service principal key, service-disable and
host-disable. This is so an admin can essentially revoke a service
principal without deleting it (a host stores its own host service
principal).

I pulled usercertificate out of the global params and put into each
appropriate function because it makes no sense for service-disable.

This also adds a new output parameter, has_keytab. It is a boolean that
indicates whether the entry has a kerberos principal key (or at least
our best guess at it).

rob

ACK.

Pavel



Re: [Freeipa-devel] [PATCH] 476 fix bad API call in selfsign

2010-07-12 Thread Pavel Zuna

On 06/25/2010 03:46 PM, Rob Crittenden wrote:

Use newer API in selfsign plugin. Fix missing import when running in the
in-tree lite-server.

rob

Maybe we should remove the comment as well, if it's not valid anymore. Other 
than that:


ACK.

Pavel



Re: [Freeipa-devel] [PATCH] 460 an enrollment role

2010-06-22 Thread Pavel Zuna

On 06/02/2010 08:34 PM, Rob Crittenden wrote:

Add a new role specifically for delegating enrollment. Previously you
had to delegate two tasks, this simplifies things.

rob


ack.

Pavel



Re: [Freeipa-devel] [PATCH] 461 ignore no_* options in Virtual class

2010-06-22 Thread Pavel Zuna

On 06/02/2010 08:35 PM, Rob Crittenden wrote:

The Virtual base class is used for doing non-LDAP operations, right now
just for certificate commands. It wasn't honoring the no_* option flags.
Add support for that.

rob


NACK.

I think I do understand what this patch is trying to do and it works, but I also 
think it builds over the misuse of the 'no_*' option flags.


These flags were added, so that we can specify a common list of Params in 
Object.takes_params and mark those that are inappropriate for Add/Update/Search 
methods.


It doesn't make sense to use these flags in cert.py commands, because they 
aren't linked to any Object.


If you want to add Params just for output purpose, use 
Command.has_output_params.

EXAMPLE: WRONG:

# imports needed to run the example (not part of the original mail)
from ipalib import Str, _
from ipalib.plugins.virtual import VirtualCommand

class cert_status(VirtualCommand):
    takes_args = (
        Str('request_id',
            label=_('Request id'),
            # pzuna: the next line has no effect
            flags=['no_create', 'no_update', 'no_search'],
        ),
    )
    # pzuna: ipa cert-status doesn't TAKE the cert-request-status option
    takes_options = (
        Str('cert_request_status?',
            label=_('Request status'),
            flags=['no_create', 'no_update', 'no_search'],
        ),
    )


EXAMPLE: RIGHT:

class cert_status(VirtualCommand):
    takes_args = (
        Str('request_id',
            label=_('Request id'),
        ),
    )
    has_output_params = (
        Str('cert_request_status?',
            label=_('Request status'),
        ),
    )


Pavel



Re: [Freeipa-devel] [PATCH] 462 add per-command documentation

2010-06-22 Thread Pavel Zuna

On 06/02/2010 08:36 PM, Rob Crittenden wrote:

First pass at adding per-command documentation for each plugin.

rob


ack.

Pavel



Re: [Freeipa-devel] [PATCH] 462 add per-command documentation

2010-06-22 Thread Pavel Zuna

On 06/15/2010 03:08 AM, David O'Brien wrote:

Rob Crittenden wrote:

First pass at adding per-command documentation for each plugin.

rob

Rob,
How would you like edits to this?

I _could_ edit the patch, or I could wait until you commit what you have
and then run ipa help topic and send edited files for each topic. This
was posted almost two weeks ago; what's the status?

cheers

I think the best approach would be for you to send edited files. It's better if 
you see it in action than in a patch and it's less prone to mistakes.


Pavel



Re: [Freeipa-devel] [PATCH] 458 catch no CA preop.pin

2010-06-01 Thread Pavel Zuna

On 05/28/2010 05:22 PM, Rob Crittenden wrote:

The preop.pin is used to authenticate the admin when doing CA
enrollment. We were assuming it would be available and things blow up
badly if not (we end up passing None as an argument to exec). If there
isn't a preop pin there is no need to do anything, so raise an error.

rob


It looks like the patch message is missing a part, it ends with:
To remove an existing instance run: and then nothing, but that's just a 
detail :)

ack.

Pavel



Re: [Freeipa-devel] [PATCH] 456 replica creation

2010-06-01 Thread Pavel Zuna

On 05/27/2010 11:51 PM, Rob Crittenden wrote:

If a host is already enrolled (either as a client or a former replica)
then ipa-replica-install will fail spectacularly with an error about a
missing keytab. This is because some entries already exist and it
totally confuses things. We need to start this host from scratch, so
catch this condition and give the admin some hints on how to fix it.

rob


It seems to work, but this:

except Exception, e:
    pass

is a very bad practice, because it catches everything (even the 
KeyboardInterrupt exception) and makes code very hard to debug if something 
really unexpected happens. I've already replaced a few things like this in the 
installer, but there are probably more left. Catch errors.ExecutionError instead 
or in this case errors.NotFound.


auto-ack when this is fixed.

Pavel



Re: [Freeipa-devel] [PATCH] 446 fix clone from a clone

2010-05-27 Thread Pavel Zuna

On 05/19/2010 07:28 PM, Rob Crittenden wrote:

Include -clone_uri argument to pkisilent setting the clone URI.

This makes creating a clone from a clone work as expected.

Note that this depends on some fixes in the pki-ca, pki-common and
pki-silent packages. I tested this against pre-release versions.

This means you can do something like this:

Install IPA on server A
Prepare a replica file on server A for server B
Install the IPA replica on server B
Prepare a replica file for server C on server B
Install the IPA replica on server C

The replication topology looks like: A - B - C

This isn't really recommended but it at least frees us from having a
single point of failure regarding the CA. The CAs are now independent,
though they replicate over a different channel than IPA user data.

rob


ack.

Pavel



Re: [Freeipa-devel] [PATCH] 447 load dogtag selinux rules in spec

2010-05-27 Thread Pavel Zuna

On 05/20/2010 05:56 PM, Rob Crittenden wrote:

Move the dogtag SELinux rules loading into the spec file

I couldn't put the dogtag rules into the spec file until we required
dogtag as a component. If it wasn't pre-loaded them the rules loading
would fail because types would be missing.

rob

This doesn't apply after your 446 patch, because it includes it. So either drop 
446 or remove the CAInstance part from 447 and apply both.


Pavel



Re: [Freeipa-devel] [PATCH] 448 fix default hbac rule, add default services

2010-05-27 Thread Pavel Zuna

On 05/20/2010 07:54 PM, Rob Crittenden wrote:

Add the 'all' serviceCategory to the default allow_all HBAC rule and add
some standard services: ftp, login, sshd, su, sudo.

rob


ack.

Pavel



Re: [Freeipa-devel] [PATCH] 451 fix i18n test

2010-05-27 Thread Pavel Zuna

On 05/21/2010 11:35 PM, Rob Crittenden wrote:

Fix this test to work from source tree root

It would work if you ran the test from its location in tests/test_ipalib
but this isn't the most common method. If you want to run it individually
you can do:

$ ./make-test tests/test_ipalib/test_text.py

rob


Maybe I'm doing something wrong, but I'm still getting this one error:

==
ERROR: Test gettext translation
--
Traceback (most recent call last):
  File /usr/lib/python2.6/site-packages/nose/case.py, line 183, in runTest
self.test(*self.arg)
  File /root/freeipa/tests/test_ipalib/test_text.py, line 89, in test_gettext
msgid = get_msgid(test_file)
  File /root/freeipa/tests/test_ipalib/test_text.py, line 43, in get_msgid
f = open(po_file)
IOError: [Errno 2] No such file or directory: 'install/po/test.po'


Pavel



Re: [Freeipa-devel] [PATCH] 452 add missing hbac update file

2010-05-27 Thread Pavel Zuna

On 05/26/2010 03:50 PM, Rob Crittenden wrote:

I moved these contents into an update so that each entry could get its
own UUID. The templater for ldif files is a little less robust and can
only assign a single UUID per file. If this is ever an issue we can
address it then but it isn't a problem for now.

This is needed for patch 450 to work properly.

rob


ack.

Pavel


