Re: [Freeipa-devel] [PATCH] 735 configure krb5_realm in sssd ipa provider
Jakub Hrozek wrote:
> On Mon, Feb 21, 2011 at 10:27:26AM -0500, Rob Crittenden wrote:
>> Set krb5_realm in sssd.conf in the ipa provider.
>>
>> ticket 925
>>
>> rob
>
> This works fine, so Ack. One question, though, why don't we add the realm only if ipa_domain.upper() != krb5_realm? It would make the config file a little more readable for the 99% case where the two are the same.

Sure. We can't assume that the realm is always upper case so I'll do a case insensitive match (I did lower by reflex).

rob

freeipa-rcrit-735-2-sssd.patch
Description: application/mbox

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 736 hard limit for # of batch requests
Set a hard limit of 256 for the # of commands in a batch request we'll handle.

ticket 984

rob

freeipa-rcrit-736-limit.patch
Re: [Freeipa-devel] [PATCH] 064 Document --enable-dns-updates in ipa-client-install man page
Jakub Hrozek wrote:
> https://fedorahosted.org/freeipa/ticket/991

ack, pushed to master
[Freeipa-devel] [PATCH] 737 move BuildRequires
Move some BuildRequires so building with ONLY_CLIENT works. I tested with:

$ mock -r fedora-14-x86_64 --define='ONLY_CLIENT 1' ./dist/srpms/freeipa-2.0.0GIT055a668-0.fc14.src.rpm

rob

freeipa-rcrit-737-spec.patch
Re: [Freeipa-devel] [PATCH] 061 Validate NAPTR records
Jakub Hrozek wrote:
> I'm not sure about checking the flags - this might be a little too much validation.
>
> https://fedorahosted.org/freeipa/ticket/840

I think the flags length check needs to change. I would do this instead:

    flags = flags.replace('"','')

Otherwise someone might try to pass in the flags 'SAU' and all that would get set is A.

rob
Re: [Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install
JR Aquino wrote:
> On 2/17/11 9:46 AM, "Jan Zeleny" wrote:
>> JR Aquino wrote:
>>> Let's try now. Attached is the corrected patch. There were several spots in ipa-client-install where the server could be defined and it was getting missed. I have omitted any change to ipa-client-install and instead just focused on ipadiscovery.py
>>>
>>> ipadiscovery.py now performs its own fetch of the CACert just to be sure.
>>>
>>> Regarding TLS vs LDAPS. LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never standardized in any formal specification. This usage has been deprecated along with LDAPv2, which was officially retired in 2003. LDAPS is still supported, but considered deprecated in favor of TLS as defined in RFC2830.
>>>
>>> On 2/17/11 2:01 AM, "Jan Zelený" wrote:
>>>> JR Aquino wrote:
>>>>> This patch addresses the need to utilize TLS when using the ipa-client-install tool.
>>>>>
>>>>> It addresses ticket: https://fedorahosted.org/freeipa/ticket/974
>>>>
>>>> Nack, running ipa-client-install returned this error:
>>>>
>>>> # ipa-client-install
>>>> Retrieving CA from None failed.
>>>> Command '/usr/bin/wget -O /etc/ipa/ca.crt http://None/ipa/config/ca.crt' returned non-zero exit status 4
>>>>
>>>> One more question - shouldn't you use ldaps directly to connect to the server?
>>>>
>>>> Jan
>>
>> Sorry, I have to Nack it again, the patch seems incomplete, since it is only adding some cacert fetching code to IPADiscovery.
>>
>> Jan
>
> Please ignore previous patches for #18. Attached is the replacement all inclusive patch for this ticket.
>
> Per Rob: ipadiscovery should not attempt to create the /etc/ipa/ca.crt rather, it should populate a tempdir with the temp cert for the initial discovery bind.
>
> Attached is the full patch to provide both TLS and the safer wget of the ca.crt to a temporary directory created by tempfile.mkdtemp()
>
> Please verify that ipa-client-install from a separate machine functions as expected against a FreeIPA server who is set to "nsslapd-minssf: 56"

It looks ok except for the try/except around the tempfile. If it fails all heck is gonna break loose. We should raise a RuntimeError in that case.

rob
Re: [Freeipa-devel] [PATCH] Don't load the LDAP schema during startup
Jan Zelený wrote:
> Loading of the schema is now performed in the first request that requires it.
>
> https://fedorahosted.org/freeipa/ticket/583
>
> Jan

We still need to enforce that we get the schema, some low-level functions depend on it. Also, if the UI doesn't get its aciattrs (which are derived from the schema) then nothing will be editable.

I'm getting this backtrace if I force no schema by disabling get_schema:

[Mon Feb 21 13:57:33 2011] [error] ipa: ERROR: non-public: UnicodeDecodeError: 'utf8' codec can't decode byte 0xb3 in position 3: invalid start byte
[Mon Feb 21 13:57:33 2011] [error] Traceback (most recent call last):
[Mon Feb 21 13:57:33 2011] [error] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 211, in wsgi_execute
[Mon Feb 21 13:57:33 2011] [error] result = self.Command[name](*args, **options)
[Mon Feb 21 13:57:33 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 422, in __call__
[Mon Feb 21 13:57:33 2011] [error] ret = self.run(*args, **options)
[Mon Feb 21 13:57:33 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 728, in run
[Mon Feb 21 13:57:33 2011] [error] return self.execute(*args, **options)
[Mon Feb 21 13:57:33 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 720, in execute
[Mon Feb 21 13:57:33 2011] [error] dn, attrs_list, normalize=self.obj.normalize_dn
[Mon Feb 21 13:57:33 2011] [error] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 629, in get_entry
[Mon Feb 21 13:57:33 2011] [error] size_limit=size_limit, normalize=normalize
[Mon Feb 21 13:57:33 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 188, in new_f
[Mon Feb 21 13:57:33 2011] [error] return f(*new_args, **kwargs)
[Mon Feb 21 13:57:33 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 199, in new_f
[Mon Feb 21 13:57:33 2011] [error] return args[0].decode(f(*args, **kwargs))
[Mon Feb 21 13:57:33 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 139, in decode
[Mon Feb 21 13:57:33 2011] [error] return tuple(self.decode(m) for m in var)
[Mon Feb 21 13:57:33 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 139, in
[Mon Feb 21 13:57:33 2011] [error] return tuple(self.decode(m) for m in var)
[Mon Feb 21 13:57:33 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 137, in decode
[Mon Feb 21 13:57:33 2011] [error] return [self.decode(m) for m in var]
[Mon Feb 21 13:57:33 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 139, in decode
[Mon Feb 21 13:57:33 2011] [error] return tuple(self.decode(m) for m in var)
[Mon Feb 21 13:57:33 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 139, in
[Mon Feb 21 13:57:33 2011] [error] return tuple(self.decode(m) for m in var)
[Mon Feb 21 13:57:33 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 157, in decode
[Mon Feb 21 13:57:33 2011] [error] dct[k] = self._decode_dict_val(k, v)
[Mon Feb 21 13:57:33 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 64, in _decode_dict_val
[Mon Feb 21 13:57:33 2011] [error] return self.decode(val)
[Mon Feb 21 13:57:33 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 137, in decode
[Mon Feb 21 13:57:33 2011] [error] return [self.decode(m) for m in var]
[Mon Feb 21 13:57:33 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 132, in decode
[Mon Feb 21 13:57:33 2011] [error] var.decode(self.encoder_settings.decode_from)
[Mon Feb 21 13:57:33 2011] [error] File "/usr/lib64/python2.7/encodings/utf_8.py", line 16, in decode
[Mon Feb 21 13:57:33 2011] [error] return codecs.utf_8_decode(input, errors, True)
[Mon Feb 21 13:57:33 2011] [error] UnicodeDecodeError: 'utf8' codec can't decode byte 0xb3 in position 3: invalid start byte
[Mon Feb 21 13:57:33 2011] [error] ipa: INFO: ad...@greyoak.com: user_show(u'admin', rights=True, all=True, raw=False, version=u'2.0'): UnicodeDecodeError
Re: [Freeipa-devel] [PATCH] 049 Make nsslib IPv6 aware
Jakub Hrozek wrote:
> On Thu, Feb 17, 2011 at 08:25:37PM +0100, Jakub Hrozek wrote:
>> On Wed, Feb 09, 2011 at 10:23:27AM +0100, Jan Zelený wrote:
>>> Jakub Hrozek wrote:
>>>> On Thu, Feb 03, 2011 at 02:23:11PM +0100, Jan Zelený wrote:
>>>>> Jakub Hrozek wrote:
>>>>>> Hi,
>>>>>>
>>>>>> attached is a patch to nsslib.py that changes its semantics so it is able to work with different address families. It is the last piece of IPv6 support.
>>>>>>
>>>>>> Aside from the hunks in the patch, I still need to set Requires: in the patch (don't know the exact version yet). Also, the attached patch always tries IPv4 first and only falls back to IPv6. I think there should be a config option that tells IPA to prefer one of the address families or use it exclusively for performance reasons.
>>>>>>
>>>>>> Please note that the patch requires the latest changes to python-nss in order to work correctly. Since John is still working on python-nss packages, this patch should be treated as a preview and not pushed even if it is deemed OK. At this stage, I'd like to get at least the general approach and code reviewed so I can fix it tomorrow.
>>>>>>
>>>>>> Thank you,
>>>>>> Jakub
>>>>>
>>>>> The patch looks ok, all my questions answered off-list. Also tested with IPv4 (latest python-nss installed) and IPv6, both work fine.
>>>>>
>>>>> ACK
>>>>>
>>>>> Jan
>>>>
>>>> Thanks for the review. But attached is a new version of the patch that changes the semantics a little based on what's recommended by the new version of python-nss: don't construct the NetworkAddress object manually, but rather resolve the hostname using the AddrInfo object and then try connecting to the list of NetworkAddress object manually.
>>>
>>> Changes consulted off-list, the patch looks good. Will do some more testing on RHEL6. Unless I find some issues, this patch is ACKed.
>>>
>>> Jan
>>
>> One more change - bumped the minimum required version of python-nss to 0.11 which is in the nightly devel repo now.
>
> and now with the patch attached.

ack, pushed to master
Re: [Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install
JR Aquino wrote:
> On 2/21/11 11:18 AM, "JR Aquino" wrote:
>> On 2/21/11 10:46 AM, "Jan Zeleny" wrote:
>>> Rob Crittenden wrote:
>>>> JR Aquino wrote:
>>>>> On 2/17/11 9:46 AM, "Jan Zeleny" wrote:
>>>>>> JR Aquino wrote:
>>>>>>> Let's try now. Attached is the corrected patch. There were several spots in ipa-client-install where the server could be defined and it was getting missed. I have omitted any change to ipa-client-install and instead just focused on ipadiscovery.py
>>>>>>>
>>>>>>> ipadiscovery.py now performs its own fetch of the CACert just to be sure.
>>>>>>>
>>>>>>> Regarding TLS vs LDAPS. LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never standardized in any formal specification. This usage has been deprecated along with LDAPv2, which was officially retired in 2003. LDAPS is still supported, but considered deprecated in favor of TLS as defined in RFC2830.
>>>>>>>
>>>>>>> On 2/17/11 2:01 AM, "Jan Zelený" wrote:
>>>>>>>> JR Aquino wrote:
>>>>>>>>> This patch addresses the need to utilize TLS when using the ipa-client-install tool.
>>>>>>>>>
>>>>>>>>> It addresses ticket: https://fedorahosted.org/freeipa/ticket/974
>>>>>>>>
>>>>>>>> Nack, running ipa-client-install returned this error:
>>>>>>>>
>>>>>>>> # ipa-client-install
>>>>>>>> Retrieving CA from None failed.
>>>>>>>> Command '/usr/bin/wget -O /etc/ipa/ca.crt http://None/ipa/config/ca.crt' returned non-zero exit status 4
>>>>>>>>
>>>>>>>> One more question - shouldn't you use ldaps directly to connect to the server?
>>>>>>>>
>>>>>>>> Jan
>>>>>>
>>>>>> Sorry, I have to Nack it again, the patch seems incomplete, since it is only adding some cacert fetching code to IPADiscovery.
>>>>>>
>>>>>> Jan
>>>>>
>>>>> Please ignore previous patches for #18. Attached is the replacement all inclusive patch for this ticket.
>>>>>
>>>>> Per Rob: ipadiscovery should not attempt to create the /etc/ipa/ca.crt rather, it should populate a tempdir with the temp cert for the initial discovery bind.
>>>>>
>>>>> Attached is the full patch to provide both TLS and the safer wget of the ca.crt to a temporary directory created by tempfile.mkdtemp()
>>>>>
>>>>> Please verify that ipa-client-install from a separate machine functions as expected against a FreeIPA server who is set to "nsslapd-minssf: 56"
>>>>
>>>> It looks ok except for the try/except around the tempfile. If it fails all heck is gonna break loose. We should raise a RuntimeError in that case.
>>>>
>>>> rob
>>>
>>> Agreed, I had more or less the same comment prepared.
>>
>> Correction made, patch attached.
>>
>>     except OSError, e:
>>         raise RuntimeError("Creating temporary directory failed: %s" % str(e))
>>
>> In the spirit of consistency, I have corrected a section further down where sys.exit is called instead of raising the exception. I have also broken out the removal of the temp files in a finally clause.
>>
>> Please review, and confirm that it meets with your approval.

ack, pushed to master
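The corrected pattern from this exchange (mkdtemp wrapped so a failure raises RuntimeError instead of being swallowed, removal of the temp files in a finally clause), as an added example that is not code from JR's patch or from FreeIPA. fetch_cert and use_cert are hypothetical hooks standing in for the wget of ca.crt and the discovery bind; mkdtemp is injectable only so the failure path can be exercised.

```python
import os
import shutil
import tempfile


def with_temp_ca_cert(fetch_cert, use_cert, mkdtemp=tempfile.mkdtemp):
    """Fetch a CA cert into a private temporary directory, run use_cert on it,
    and always remove the directory afterwards.

    fetch_cert() returns the certificate bytes (stands in for the wget of
    /ipa/config/ca.crt); use_cert(path) does the work that needs the file
    (stands in for the TLS discovery bind). Both are hypothetical hooks.
    """
    try:
        # mkdtemp creates the directory with mode 0700, so no other local user
        # can read or swap the certificate while the discovery bind uses it.
        tmpdir = mkdtemp(prefix="ipa-discovery-")
    except OSError as e:
        # Swallowing this would let later code run against a path that does
        # not exist; surface it the way the thread settled on.
        raise RuntimeError("Creating temporary directory failed: %s" % e)
    try:
        ca_path = os.path.join(tmpdir, "ca.crt")
        with open(ca_path, "wb") as f:
            f.write(fetch_cert())
        return use_cert(ca_path)
    finally:
        # Runs whether use_cert returned, use_cert raised, or fetch_cert failed.
        shutil.rmtree(tmpdir, ignore_errors=True)


# Constructed placeholder body; not a real CA certificate.
SAMPLE_CERT = (b"-----BEGIN CERTIFICATE-----\n"
               b"constructed-placeholder-not-a-real-cert\n"
               b"-----END CERTIFICATE-----\n")


def demo_success():
    """Return (bytes seen by use_cert, whether the tempdir still exists)."""
    seen = {}

    def use_cert(path):
        seen["dir"] = os.path.dirname(path)
        with open(path, "rb") as f:
            return f.read()

    data = with_temp_ca_cert(lambda: SAMPLE_CERT, use_cert)
    return data, os.path.isdir(seen["dir"])


def demo_mkdtemp_failure():
    """Return (exception class name, message) when the tempdir cannot be made."""
    def failing_mkdtemp(prefix=None):
        raise OSError(28, "No space left on device")
    try:
        with_temp_ca_cert(lambda: SAMPLE_CERT, lambda p: None,
                          mkdtemp=failing_mkdtemp)
    except RuntimeError as e:
        return type(e).__name__, str(e)
    return None


def demo_use_cert_failure():
    """Return True if the tempdir was removed even though use_cert raised."""
    seen = {}

    def use_cert(path):
        seen["dir"] = os.path.dirname(path)
        raise ValueError("bind failed")

    try:
        with_temp_ca_cert(lambda: SAMPLE_CERT, use_cert)
    except ValueError:
        pass
    return not os.path.isdir(seen["dir"])
```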
[Freeipa-devel] [PATCH] 738 default.conf man page
Add a man page for the IPA configuration file default.conf.

ticket 969

rob

freeipa-rcrit-738-man.patch
Re: [Freeipa-devel] [PATCH] 049 Make nsslib IPv6 aware
Jakub Hrozek wrote:
> On Wed, Feb 09, 2011 at 10:23:27AM +0100, Jan Zelený wrote:
>> Jakub Hrozek wrote:
>>> On Thu, Feb 03, 2011 at 02:23:11PM +0100, Jan Zelený wrote:
>>>> Jakub Hrozek wrote:
>>>>> Hi,
>>>>>
>>>>> attached is a patch to nsslib.py that changes its semantics so it is able to work with different address families. It is the last piece of IPv6 support.
>>>>>
>>>>> Aside from the hunks in the patch, I still need to set Requires: in the patch (don't know the exact version yet). Also, the attached patch always tries IPv4 first and only falls back to IPv6. I think there should be a config option that tells IPA to prefer one of the address families or use it exclusively for performance reasons.
>>>>>
>>>>> Please note that the patch requires the latest changes to python-nss in order to work correctly. Since John is still working on python-nss packages, this patch should be treated as a preview and not pushed even if it is deemed OK. At this stage, I'd like to get at least the general approach and code reviewed so I can fix it tomorrow.
>>>>>
>>>>> Thank you,
>>>>> Jakub
>>>>
>>>> The patch looks ok, all my questions answered off-list. Also tested with IPv4 (latest python-nss installed) and IPv6, both work fine.
>>>>
>>>> ACK
>>>>
>>>> Jan
>>>
>>> Thanks for the review. But attached is a new version of the patch that changes the semantics a little based on what's recommended by the new version of python-nss: don't construct the NetworkAddress object manually, but rather resolve the hostname using the AddrInfo object and then try connecting to the list of NetworkAddress object manually.
>>
>> Changes consulted off-list, the patch looks good. Will do some more testing on RHEL6. Unless I find some issues, this patch is ACKed.
>>
>> Jan
>
> One more change - bumped the minimum required version of python-nss to 0.11 which is in the nightly devel repo now.

pushed to master
Re: [Freeipa-devel] [PATCH] 737 move BuildRequires
Jan Zelený wrote:
> Jakub Hrozek wrote:
>> On Tue, Feb 22, 2011 at 11:21:41AM +0100, Jakub Hrozek wrote:
>>> Note the %else.
>>
>> Sorry, %endif. That separates BRs for !ONLY_CLIENT from those that are needed in both cases.
>
> Yes I noticed that and I understand that part. I meant the part after the %endif - there is no need to move those dependencies. On the other hand it's definitely not a patch-blocker or something, so I give this patch ACK.
>
> Jan

pushed to master
Re: [Freeipa-devel] [PATCH] 735 configure krb5_realm in sssd ipa provider
Jakub Hrozek wrote:
> On Mon, Feb 21, 2011 at 11:30:04AM -0500, Rob Crittenden wrote:
>> Jakub Hrozek wrote:
>>> On Mon, Feb 21, 2011 at 10:27:26AM -0500, Rob Crittenden wrote:
>>>> Set krb5_realm in sssd.conf in the ipa provider.
>>>>
>>>> ticket 925
>>>>
>>>> rob
>>>
>>> This works fine, so Ack. One question, though, why don't we add the realm only if ipa_domain.upper() != krb5_realm? It would make the config file a little more readable for the 99% case where the two are the same.
>>
>> Sure. We can't assume that the realm is always upper case so I'll do a case insensitive match (I did lower by reflex).
>>
>> rob
>
> My sssd.conf is nice and minimal again, thank you :-)
>
> Ack

pushed to master
Re: [Freeipa-devel] [PATCH] 737 move BuildRequires
Jan Zeleny wrote:
> Rob Crittenden wrote:
>> Move some BuildRequires so building with ONLY_CLIENT works. I tested with:
>>
>> $ mock -r fedora-14-x86_64 --define='ONLY_CLIENT 1' ./dist/srpms/freeipa-2.0.0GIT055a668-0.fc14.src.rpm
>>
>> rob
>
> I'm a little confused. Some of the lines are only moved a couple lines above their original location (like python-ldap for instance). Does this really have an impact on building? The only three lines I understand are those first three.
>
> Thanks for explanation
> Jan

I had already done a similar change in another spec I maintain and pull them out one at a time until it built properly, thus I didn't maintain order. What this does is it pulls most of the requires out of the ! ONLY_CLIENT conditional.

rob
Re: [Freeipa-devel] [PATCH] 736 hard limit for # of batch requests
Martin Kosek wrote:
> On Mon, 2011-02-21 at 11:48 -0500, Rob Crittenden wrote:
>> Set a hard limit of 256 for the # of commands in a batch request we'll handle.
>>
>> ticket 984
>>
>> rob
>
> ACK. Works for me. Tested by custom JSON command via curl.
>
> Martin

pushed to master
Re: [Freeipa-devel] [PATCH] 061 Validate NAPTR records
Jakub Hrozek wrote:
> On Mon, Feb 21, 2011 at 01:18:07PM -0500, Rob Crittenden wrote:
>> Jakub Hrozek wrote:
>>> I'm not sure about checking the flags - this might be a little too much validation.
>>>
>>> https://fedorahosted.org/freeipa/ticket/840
>>
>> I think the flags length check needs to change. I would do this instead:
>>
>>     flags = flags.replace('"','')
>>
>> Otherwise someone might try to pass in the flags 'SAU' and all that would get set is A.
>>
>> rob
>
> OK, that's much better. New patch attached.

ack, pushed to master
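A NAPTR flags validator built around the quote stripping Rob suggests above, as an added example and not the code from Jakub's patch. It assumes the flag set of RFC 3403 (S, A, U, P) and a simplified rdata layout without escaped quotes inside the regexp field; the point it demonstrates is that stripping the quotes before the length check rejects 'SAU' outright instead of silently keeping one character.

```python
import re

# Flag characters defined by RFC 3403. Assumption: IPA's validator accepts the
# same set; the thread itself only shows the quote stripping.
NAPTR_FLAGS = frozenset("SAUP")

_NAPTR_RDATA = re.compile(
    r'^\s*(\d+)\s+(\d+)\s+("[^"]*")\s+("[^"]*")\s+("[^"]*")\s+(\S+)\s*$')


def validate_naptr_flags(flags):
    """Normalize one NAPTR flags field, raising ValueError if it is invalid.

    Quotes are removed first, as suggested in the thread, so the length check
    sees the real content: both 'SAU' and '"SAU"' are rejected rather than one
    character being picked out of the middle of the string.
    """
    flags = flags.replace('"', '').strip()
    if len(flags) > 1:
        raise ValueError(
            "NAPTR flags must be empty or a single character, got %r" % flags)
    if flags and flags.upper() not in NAPTR_FLAGS:
        raise ValueError("unknown NAPTR flag %r (expected one of %s)"
                         % (flags, ",".join(sorted(NAPTR_FLAGS))))
    return flags.upper()


def parse_naptr(rdata):
    """Parse 'order preference "flags" "service" "regexp" replacement'.

    Returns a dict of validated fields or raises ValueError.
    """
    m = _NAPTR_RDATA.match(rdata)
    if not m:
        raise ValueError("malformed NAPTR rdata: %r" % rdata)
    order, pref, flags, service, regexp, replacement = m.groups()
    order, pref = int(order), int(pref)
    if not (0 <= order <= 65535 and 0 <= pref <= 65535):
        raise ValueError("order and preference must fit in 16 bits")
    return {
        "order": order,
        "preference": pref,
        "flags": validate_naptr_flags(flags),
        "service": service.strip('"'),
        "regexp": regexp.strip('"'),
        "replacement": replacement,
    }


def check_flags(flags):
    """Return the normalized flag, or 'rejected: ...' for an invalid field."""
    try:
        return validate_naptr_flags(flags)
    except ValueError as e:
        return "rejected: %s" % e


if __name__ == "__main__":
    # Constructed inputs, including the 'SAU' case from the thread.
    for sample in ('"S"', 'SAU', '"SAU"', '"X"', ''):
        print(repr(sample), "->", check_flags(sample))
```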
Re: [Freeipa-devel] [PATCH] 738 default.conf man page
David O'Brien wrote:
> Rob Crittenden wrote:
>> Add a man page for the IPA configuration file default.conf.
>>
>> ticket 969
>>
>> rob
>
> NACK
>
> A few too many typos and other errors.
>
> "Spaces between the equals sign are ignored."
> Do you mean, "Spaces surrounding equals signs are ignored."?
>
> +Specifies the base DN to use when performan LDAP operations.
> performing
>
> +Specfies the secure CA agent port. The defauilt is 9443.
> Specifies default
>
> +Specifies the unsecure CA end user port. The default is 9190.
> insecure
>
> "For example. if you want to always perform client requests in verbose mode but do not want to have verbose enabled on the server add the verbose option to \fI/etc/ipa/cli.conf\fR."
> comma after "example", not a period. add a comma after "enabled on the server"
>
> +Specifies whether the CA is acting is an RA agent,
> as an RA agent
>
> "+Specifies the name of the CA backend to use. The current options are \fBselfsign\fR and \fBdogtag\fR. This is a server\-side setting. Changing this value is not recommended as the CA backend is only set up during ininitial installation."
> s/backend/back end/
> s/selfsign/self-sign/
> s/ininitial/initial/
>
> +Specifies the kerberos realm.
> Kerberos
>
> "...and show the server(s) the client contacts."
> s/server(s)/servers/
>
> +user IPA configurationf ile
> configuration file
>
> "+Optional configuration files used in a particular context are. The value of mode is used to attempt to load these files, if they exist:"
> I'm not sure what this means

Fixes applied.

rob

freeipa-rcrit-738-2-man.patch
Re: [Freeipa-devel] [PATCH] 728 default roles
Martin Kosek wrote:
> On Tue, 2011-02-22 at 13:14 +0100, Jan Zelený wrote:
>> Rob Crittenden wrote:
>>> Jakub Hrozek wrote:
>>>> On Mon, Feb 21, 2011 at 10:11:38AM -0500, Rob Crittenden wrote:
>>>>> Rob Crittenden wrote:
>>>>>> Jakub Hrozek wrote:
>>>>>>> On 02/17/2011 04:35 AM, Rob Crittenden wrote:
>>>>>>>> Add default roles and permissions for HBAC, SUDO and pw policy
>>>>>>>>
>>>>>>>> Created some default roles as examples. In doing so I realized that we were completely missing default rules for HBAC, SUDO and password policy so I added those as well.
>>>>>>>>
>>>>>>>> I ran into a problem when the updater has a default record and an add at the same time, it should handle it better now.
>>>>>>>>
>>>>>>>> ticket 585
>>>>>>>>
>>>>>>>> rob
>>>>>>>
>>>>>>> I'm not sure about the HBAC rules ACIs. They are specified as:
>>>>>>> 'target = "ldap:///cn=*,cn=hbac,$SUFFIX";'
>>>>>>> while HBAC rules' DN is:
>>>>>>> 'ipauniqueid=*,cn=hbac,$SUFFIX'.
>>>>>>> But HBAC rules do have a cn: attribute, so maybe the ACIs would work?
>>>>>>
>>>>>> No, you're right, this is wrong. I'll fix it up and resubmit.
>>>>>>
>>>>>>> The patch also needs rebasing on top of recent changes to install/updates/Makefile.am
>>>>>>>
>>>>>>> Other than that, looks OK to me.
>>>>>>>
>>>>>>> btw when I was reviewing this patch, I noticed we add a "DNS Administrators" privilege in dns.ldif. Would it make sense to add DNS administration to "Security Architect" (replication management) and "IT Specialist" (hosts management)?
>>>>>>
>>>>>> The DNS stuff is added only if DNS is enabled on the server so I can't add them by default.
>>>>>>
>>>>>> rob
>>>>>
>>>>> Updated patch.
>>>>>
>>>>> rob
>>>>
>>>> Interdiff looks fine, but I'm not able to apply the patch (not even 3-way merge), can you rebase?
>>>
>>> done
>>
>> The patch now applies ok (just one whitespace warning), ack
>>
>> Jan
>
> I have to NACK this. I have found some issues in the new LDAP records:
>
> 1) A wrong groupdn for the following ACI in 40-delegation.update:
>
> add:aci: '(target = "ldap:///cn=*,cn=sudorules,cn=sudo,$SUFFIX";)(version 3.0;acl "permission:Add SUDO rule";allow (add) groupdn = "ldap:///cn=Add SUDOrule,cn=permissions,cn=pbac,$SUFFIX";)'
>
> It should be ldap:///cn=Add SUDO rule,cn=permissions,cn=pbac,$SUFFIX
>
> 2) Another wrong target for few ACIs:
> ldap:///cn=*,cn=sudorules,cn=sudo,$SUFFIX
> is used instead of
> ldap:///ipaUniqueID=*,cn=sudorules,cn=sudo,$SUFFIX
>
> 3) Missing Description for the following new privileges:
> Write IPA Configuration
> Modify Users and Reset passwords
> Modify Group membership
>
> Remainder looks good.
>
> Martin

Thanks for the careful review. Updated patch attached.

rob

freeipa-rcrit-728-4-roles.patch
Re: [Freeipa-devel] [PATCH] 728 default roles
Martin Kosek wrote:
> On Tue, 2011-02-22 at 09:22 -0500, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Tue, 2011-02-22 at 13:14 +0100, Jan Zelený wrote:
>>>> Rob Crittenden wrote:
>>>>> Jakub Hrozek wrote:
>>>>>> On Mon, Feb 21, 2011 at 10:11:38AM -0500, Rob Crittenden wrote:
>>>>>>> Rob Crittenden wrote:
>>>>>>>> Jakub Hrozek wrote:
>>>>>>>>> On 02/17/2011 04:35 AM, Rob Crittenden wrote:
>>>>>>>>>> Add default roles and permissions for HBAC, SUDO and pw policy
>>>>>>>>>>
>>>>>>>>>> Created some default roles as examples. In doing so I realized that we were completely missing default rules for HBAC, SUDO and password policy so I added those as well.
>>>>>>>>>>
>>>>>>>>>> I ran into a problem when the updater has a default record and an add at the same time, it should handle it better now.
>>>>>>>>>>
>>>>>>>>>> ticket 585
>>>>>>>>>>
>>>>>>>>>> rob
>>>>>>>>>
>>>>>>>>> I'm not sure about the HBAC rules ACIs. They are specified as:
>>>>>>>>> 'target = "ldap:///cn=*,cn=hbac,$SUFFIX";'
>>>>>>>>> while HBAC rules' DN is:
>>>>>>>>> 'ipauniqueid=*,cn=hbac,$SUFFIX'.
>>>>>>>>> But HBAC rules do have a cn: attribute, so maybe the ACIs would work?
>>>>>>>>
>>>>>>>> No, you're right, this is wrong. I'll fix it up and resubmit.
>>>>>>>>
>>>>>>>>> The patch also needs rebasing on top of recent changes to install/updates/Makefile.am
>>>>>>>>>
>>>>>>>>> Other than that, looks OK to me.
>>>>>>>>>
>>>>>>>>> btw when I was reviewing this patch, I noticed we add a "DNS Administrators" privilege in dns.ldif. Would it make sense to add DNS administration to "Security Architect" (replication management) and "IT Specialist" (hosts management)?
>>>>>>>>
>>>>>>>> The DNS stuff is added only if DNS is enabled on the server so I can't add them by default.
>>>>>>>>
>>>>>>>> rob
>>>>>>>
>>>>>>> Updated patch.
>>>>>>>
>>>>>>> rob
>>>>>>
>>>>>> Interdiff looks fine, but I'm not able to apply the patch (not even 3-way merge), can you rebase?
>>>>>
>>>>> done
>>>>
>>>> The patch now applies ok (just one whitespace warning), ack
>>>>
>>>> Jan
>>>
>>> I have to NACK this. I have found some issues in the new LDAP records:
>>>
>>> 1) A wrong groupdn for the following ACI in 40-delegation.update:
>>>
>>> add:aci: '(target = "ldap:///cn=*,cn=sudorules,cn=sudo,$SUFFIX";)(version 3.0;acl "permission:Add SUDO rule";allow (add) groupdn = "ldap:///cn=Add SUDOrule,cn=permissions,cn=pbac,$SUFFIX";)'
>>>
>>> It should be ldap:///cn=Add SUDO rule,cn=permissions,cn=pbac,$SUFFIX
>>>
>>> 2) Another wrong target for few ACIs:
>>> ldap:///cn=*,cn=sudorules,cn=sudo,$SUFFIX
>>> is used instead of
>>> ldap:///ipaUniqueID=*,cn=sudorules,cn=sudo,$SUFFIX
>>>
>>> 3) Missing Description for the following new privileges:
>>> Write IPA Configuration
>>> Modify Users and Reset passwords
>>> Modify Group membership
>>>
>>> Remainder looks good.
>>>
>>> Martin
>>
>> Thanks for the careful review. Updated patch attached.
>>
>> rob
>
> Good job! It's OK now.
>
> ACK
>
> Martin

pushed to master
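A checker for the two ACI mistakes Martin and Jakub point out in this thread (a target that names rule entries by cn where the container names them by ipaUniqueID, and a groupdn whose cn does not match the permission named in the acl string), as an added example and not code from FreeIPA's updater or its Permission plugin. The table of containers and the .update-line format are assumptions based only on the DNs quoted in the thread; $SUFFIX is left unexpanded, as in the update files.

```python
import re

# Containers whose rule entries are named by ipaUniqueID rather than cn, the
# point raised in the review above. Constructed table; extend per deployment.
NAMING_ATTRIBUTE = {
    "cn=hbac,$SUFFIX": "ipauniqueid",
    "cn=sudorules,cn=sudo,$SUFFIX": "ipauniqueid",
}
PERMISSIONS_CONTAINER = "cn=permissions,cn=pbac,$SUFFIX"

_TARGET = re.compile(r'target\s*=\s*"ldap:///([^"]+)"')
_ACL = re.compile(r'acl\s+"([^"]+)"')
_GROUPDN = re.compile(r'groupdn\s*=\s*"ldap:///([^"]+)"')


def split_dn(dn):
    """Return (attribute, value, parent) for the leftmost RDN of a DN."""
    rdn, _, parent = dn.partition(",")
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), value.strip(), parent.strip()


def check_permission_aci(aci):
    """Return the list of problems found in one permission-style ACI."""
    problems = []
    target, acl, groupdn = (_TARGET.search(aci), _ACL.search(aci),
                            _GROUPDN.search(aci))
    if not (target and acl and groupdn):
        return ["ACI is missing its target, acl name or groupdn"]

    # Problem 2) in the review: the target must name entries the way the
    # container really names them, or the ACI never matches a real rule.
    attr, _, parent = split_dn(target.group(1))
    expected = NAMING_ATTRIBUTE.get(parent)
    if expected and attr != expected:
        problems.append("target uses %s=* under %s but entries there are "
                        "named by %s" % (attr, parent, expected))

    # Problem 1) in the review: the groupdn must be the permission entry the
    # acl string names, else the grant is bound to a group that does not exist.
    acl_name = acl.group(1)
    if not acl_name.startswith("permission:"):
        problems.append("acl name %r lacks the permission: prefix" % acl_name)
    perm_name = acl_name.partition(":")[2]
    gattr, gvalue, gparent = split_dn(groupdn.group(1))
    if gattr != "cn" or gparent != PERMISSIONS_CONTAINER:
        problems.append("groupdn %s is not a permission entry under %s"
                        % (groupdn.group(1), PERMISSIONS_CONTAINER))
    elif gvalue != perm_name:
        problems.append("groupdn cn=%s does not match acl name %r"
                        % (gvalue, perm_name))
    return problems


def check_update_lines(text):
    """Check every add:aci: line of an .update fragment; return {line_no: problems}."""
    findings = {}
    for no, line in enumerate(text.splitlines(), 1):
        if line.startswith("add:aci:"):
            problems = check_permission_aci(line)
            if problems:
                findings[no] = problems
    return findings


# The ACI quoted in the review (with both mistakes) and its corrected form.
BAD_ACI = ('(target = "ldap:///cn=*,cn=sudorules,cn=sudo,$SUFFIX";)(version 3.0;'
           'acl "permission:Add SUDO rule";allow (add) groupdn = '
           '"ldap:///cn=Add SUDOrule,cn=permissions,cn=pbac,$SUFFIX";)')
GOOD_ACI = ('(target = "ldap:///ipaUniqueID=*,cn=sudorules,cn=sudo,$SUFFIX";)'
            '(version 3.0;acl "permission:Add SUDO rule";allow (add) groupdn = '
            '"ldap:///cn=Add SUDO rule,cn=permissions,cn=pbac,$SUFFIX";)')

if __name__ == "__main__":
    for name, aci in (("bad", BAD_ACI), ("good", GOOD_ACI)):
        print(name, check_permission_aci(aci) or "ok")
```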
Re: [Freeipa-devel] [PATCH] 034 Entitlements ACIs not visible to Permission plugin
Martin Kosek wrote:
> This patch fixes Entitlements privileges and ACIs. There were missing descriptions or the ACIs could not be processed by Permission plugin because of missing prefix.
>
> https://fedorahosted.org/freeipa/ticket/997

ack, pushed to master
[Freeipa-devel] [PATCH] 739 update permission help text
Based on feedback from David here is a hopefully clearer description of permissions.

ticket 996

rob

freeipa-rcrit-739-permission.patch
Re: [Freeipa-devel] Localization patches.
Pavel Zůna wrote:
> On 2011-02-17 22:52, Rob Crittenden wrote:
>> Pavel Zůna wrote:
>>> On 2011-02-17 05:09, Rob Crittenden wrote:
>>>> Pavel Zůna wrote:
>>>>> My efforts in fixing localization all around the framework and preparing it for localizing docstrings have resulted in a lot of patches. Because I understand they have become a bit hard to track, I decided to post them all together in this thread to make review easier.
>>>>>
>>>>> After this is committed, there will be one more patch that switches xgettext for pygettext. Then hopefully, we'll be pretty much set when it comes to i18n.
>>>>>
>>>>> Pavel
>>>>
>>>> Patch 81 isn't applying for me.
>>>>
>>>> Help is not working for me either, this is due to patch 80.
>>>>
>>>> $ ipa help user
>>>> ipa: ERROR: NameError: global name '_' is not defined
>>>> Traceback (most recent call last):
>>>> File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1087, in run
>>>> api.finalize()
>>>> File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 619, in finalize
>>>> plugin_iter(base, (magic[k] for k in magic))
>>>> File "/home/rcrit/redhat/freeipa-version/ipalib/base.py", line 397, in __init__
>>>> sorted(members, key=lambda m: getattr(m, name_attr))
>>>> File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 608, in plugin_iter
>>>> plugins[klass] = PluginInstance(klass)
>>>> File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 585, in __init__
>>>> self.instance = klass()
>>>> File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 184, in __init__
>>>> self.doc = _(inspect.getdoc(cls))
>>>> NameError: global name '_' is not defined
>>>> ipa: ERROR: an internal error has occurred
>>>>
>>>> Patches 69, 71 and 73 are still working fine.
>>>>
>>>> What is switching from xgettext to pygettext going to do? This was answered by John Dennis: xgettext doesn't parse python docstrings.
>>>>
>>>> rob
>>>
>>> Rebased version of 81 attached. It should also fix the traceback you're getting.
>>>
>>> Pavel
>>
>> Something is still not working. I'm having a hard time reproducing how I got this but with LANG=es_US.UTF-8 for a while I was getting this with every ipa user-* request:
>>
>> ipa: ERROR: UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in position 20: ordinal not in range(128)
>> Traceback (most recent call last):
>> File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1090, in run
>> sys.exit(api.Backend.cli.run(argv))
>> File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 917, in run
>> rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, **options)
>> File "/home/rcrit/redhat/freeipa-version/ipalib/frontend.py", line 953, in output_for_cli
>> textui.print_entries(result, order, labels, flags, print_all)
>> File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 346, in print_entries
>> self.print_entry(entry, order, labels, flags, print_all, format, indent)
>> File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 378, in print_entry
>> label, value, format, indent, one_value_per_line
>> File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 309, in print_attribute
>> self.print_indented(format % (attr, text[0]), indent)
>> File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 232, in print_indented
>> print (CLI_TAB * indent + text)
>> UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in position 20: ordinal not in range(128)
>> ipa: ERROR: ha ocurrido un error interno
>>
>> I think it is blowing up on this user:
>>
>> User login: jose
>> First name: Jose
>> Last name: contraseñas
>> Home directory: /home/jose
>> Login shell: /bin/sh
>> Account disabled: TRUE
>> Member of groups: ipausers
>>
>> Then all of a sudden things started working fine, so I'm not sure what's going on. Is this traceback meaningful to you?
>>
>> rob
>
> This looks like a bug in the textui backend. You get this error when you do something like this:
>
> >>> a = u'\xf1'
> >>> a.decode('utf-8')
> Traceback (most recent call last):
> File "", line 1, in
> File "/usr/lib/python2.6/encodings/utf_8.py", line 16, in decode
> return codecs.utf_8_decode(input, errors, True)
> UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in position 0: ordinal not in range(128)
>
> It means we're not handling encoding/decoding from/to the CLI right somewhere. The character \xf1 corresponds to the small N with tilde in Jose's last name.
>
> I'm going to look into it, but I don't think it's related to the localization patches.
>
> Pavel

I'm seeing 2 test failures:

==
FAIL: Test the `ipalib.plugable.Plugin.__init__` method.
--
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/nose/case.py", line 186, in runTest
self.test(*se
Re: [Freeipa-devel] [PATCH] Don't load the LDAP schema during startup
Jan Zelený wrote:
> Rob Crittenden wrote:
>> Jan Zelený wrote:
>>> Loading of the schema is now performed in the first request that requires it.
>>>
>>> https://fedorahosted.org/freeipa/ticket/583
>>>
>>> Jan
>>
>> We still need to enforce that we get the schema, some low-level functions depend on it. Also, if the UI doesn't get its aciattrs (which are derived from the schema) then nothing will be editable.
>>
>> I'm getting this backtrace if I force no schema by disabling get_schema:
>
> Ok, I'm sending new version, it should handle these exceptions better and the operation should fail if it needs the schema and the schema is not available for some reason.

This breaks the XML-RPC server. I fixed one problem:

--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -253,9 +253,10 @@ class ldap2(CrudBackend, Encoder):
def get_syntax(self, attr, value):
if not self.schema:
-self.schema = get_schema(self.ldap_uri, self.conn)
-if not self.schema:
+schema = get_schema(self.ldap_uri, self.conn)
+if not schema:
return None
+object.__setattr__(self, 'schema', schema)
obj = self.schema.get_obj(_ldap.schema.AttributeType, attr)
if obj is not None:
return obj.syntax

But simply things like get_entry() return an InternalError now. I'm not sure where you were going by adding this.

rob
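Review bot: the switch from plain assignment to object.__setattr__(self, 'schema', schema) in get_syntax needs a one-line comment saying why direct assignment is not possible on the instance (the removed line shows it was the obvious thing to write, and the next reader will write it again); and the early "return None" when get_schema() comes back empty leaves self.schema unset, so every later get_syntax() call repeats the schema fetch against the server and a caller cannot tell "schema unavailable" from "attribute not in schema". Suggest raising a clear error at that point instead of returning None, consistent with the goal stated above that an operation should fail when it needs the schema and cannot get it, or at least caching the failure.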
Re: [Freeipa-devel] [PATCH] 739 update permission help text
Jakub Hrozek wrote: On Tue, Feb 22, 2011 at 01:38:11PM -0500, Rob Crittenden wrote: Based on feedback from David here is a hopefully clearer description of permissions. ticket 996 rob I think you sent a wrong patch, this is the default.conf manpage one. D'oh, here you go. rob freeipa-rcrit-739-permission.patch Description: application/mbox ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 739 update permission help text
Jakub Hrozek wrote: On Tue, Feb 22, 2011 at 03:24:01PM -0500, Rob Crittenden wrote: Jakub Hrozek wrote: On Tue, Feb 22, 2011 at 01:38:11PM -0500, Rob Crittenden wrote: Based on feedback from David here is a hopefully clearer description of permissions. ticket 996 rob I think you sent a wrong patch, this is the default.conf manpage one. D'oh, here you go. rob I agree with the changes, but now I realized that davido mentioned "privilege" not "permission". The privilege docstring contains the same errors as permission, can you also copy the changes into ipalib/plugins/privilege.py ? Good idea, updated patch attached. rob freeipa-rcrit-739-2-permission.patch Description: application/mbox ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 065 Replace only if old and new have nothing in common
Jakub Hrozek wrote:
Replace only if old and new have nothing in common

This has problems when removing the last member. There is no adds, rems has a single value (the member being removed). The intersection is 0 so force_replace gets set to True and nothing ends up getting done. I added a len(v) > 0 to this conditional and it seems to work.

I also added a small test case based on Endi's initial report. I'm getting a 100% test pass rate.
rob
freeipa-rcrit-740-replace.patch Description: application/mbox
___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 739 update permission help text
David O'Brien wrote: Rob Crittenden wrote: Jakub Hrozek wrote: On Tue, Feb 22, 2011 at 03:24:01PM -0500, Rob Crittenden wrote: Jakub Hrozek wrote: On Tue, Feb 22, 2011 at 01:38:11PM -0500, Rob Crittenden wrote: Based on feedback from David here is a hopefully clearer description of permissions. ticket 996 rob I think you sent a wrong patch, this is the default.conf manpage one. D'oh, here you go. rob I agree with the changes, but now I realized that davido mentioned "privilege" not "permission". The privilege docstring contains the same errors as permission, can you also copy the changes into ipalib/plugins/privilege.py ? Good idea, updated patch attached. rob This is heaps better. ACK pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 738 default.conf man page
David O'Brien wrote:
Rob Crittenden wrote:
David O'Brien wrote:
Rob Crittenden wrote:
Add a man page for the IPA configuration file default.conf.
ticket 969
rob

NACK
A few too many typos and other errors.

"Spaces between the equals sign are ignored."
Do you mean, "Spaces surrounding equals signs are ignored."?

+Specifies the base DN to use when performan LDAP operations.
performing

+Specfies the secure CA agent port. The defauilt is 9443.
Specifies
default

+Specifies the unsecure CA end user port. The default is 9190.
insecure

"For example. if you want to always perform client requests in verbose mode but do not want to have verbose enabled on the server add the verbose option to \fI/etc/ipa/cli.conf\fR."
comma after "example", not a period.
add a comma after "enabled on the server"

+Specifies whether the CA is acting is an RA agent,
as an RA agent

"+Specifies the name of the CA backend to use. The current options are \fBselfsign\fR and \fBdogtag\fR. This is a server\-side setting. Changing this value is not recommended as the CA backend is only set up during ininitial installation."
s/backend/back end/
s/selfsign/self-sign/
s/ininitial/initial/

+Specifies the kerberos realm.
Kerberos

"...and show the server(s) the client contacts."
s/server(s)/servers/

+user IPA configurationf ile
configuration file

"+Optional configuration files used in a particular context are. The value of mode is used to attempt to load these files, if they exist:"
I'm not sure what this means

Fixes applied.
rob

+Specfies the secure CA agent port. The default is 9443.
Specifies

"Changing this value is not recommended as the CA backend is only set up during initial installation."
s/backend/back end/

"+Optional configuration files used in a particular context are. The value of the context setting (\fBcli\fR or \fBserver\fR) is used to attempt to load these files, if they exist:"
I still don't understand this.

Bear in mind that I'm reading the raw patch; I haven't applied it or tried to format this as a man page. Maybe that would help.

Everything else is fine. ACK with those couple of fixes.
/dob

Fixed, pushed to master. I added a bit more discussion about the context-specific files. I think it is clearer now.
rob
___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 065 Replace only if old and new have nothing in common
Jakub Hrozek wrote:
On 02/23/2011 04:47 PM, Rob Crittenden wrote:
Jakub Hrozek wrote:
Replace only if old and new have nothing in common

This has problems when removing the last member. There is no adds, rems has a single value (the member being removed). The intersection is 0 so force_replace gets set to True and nothing ends up getting done. I added a len(v) > 0 to this conditional and it seems to work. I also added a small test case based on Endi's initial report. I'm getting a 100% test pass rate.
rob

I hit one more problem with the patch, although I'm not entirely sure how that is possible - when a user is renamed, his memberof becomes indirect memberof:

# ipa user-mod --rename test2 test
-
Modified user "test"
-
User login: test2
First name: Test
Last name: User
Home directory: /home/test
Login shell: /bin/sh
Account disabled: False
Indirect Member of group: ipausers

I think this is another timing issue with 389-ds postop plugins, this time the referential integrity plugin. I don't think this is related to this change.

We start with:

dn: uid=test, ...
uid: test
memberOf: ipausers

dn: cn=ipausers, ...
cn: ipausers
member: uid=test,...

When we do the rename we immediately end up with:

dn: uid=test2, ..
uid: test2
memberOf: ipausers

dn: cn=ipausers, ...
cn: ipausers
member: uid=test, ...

We determine indirect membership by comparing the user's memberOf with the results of a query for member=uid=test2

If the refint plugin hasn't updated the ipausers group by the time we do the query the user will appear to be an indirect member.
rob
___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 20 Create default disabled sudo bind user
JR Aquino wrote:
On 2/22/11 7:45 PM, "JR Aquino" wrote:
This patch addresses ticket #998
It adds:
* ldif to create a default sudo bind user: dn: uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX
* modifications to dsinstance.py to add the ldif
* modifications to dsinstance.py to add a call to ipautil.ipa_generate_password() for a random password. It is added to the sub_dict as 'RANDOM_PASSWORD'
* addition to the Makefile.am in install/share to account for the new ldif file

Corrections / Additions:
* Correction to dsinstance.py to remove the unnecessary sha1 call and library
* Addition of docstring for the ipa help sudorule to explain usage of the sudo binddn

We need to make sure we don't log random passwords. Can you add this to your patch?

--- service.py 2011-02-14 20:18:23.0 -0500
+++ /tmp/service.py 2011-02-23 13:49:56.0 -0500
@@ -137,6 +137,8 @@
# do not log passwords
if sub_dict.has_key('PASSWORD'):
nologlist = sub_dict['PASSWORD'],
+if sub_dict.has_key('RANDOM_PASSWORD'):
+nologlist = sub_dict['RANDOM_PASSWORD'],
if self.dm_password:
[pw_fd, pw_name] = tempfile.mkstemp()
___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
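Review bot: in the service.py hunk, the added branch assigns `nologlist = sub_dict['RANDOM_PASSWORD'],` instead of extending the value set by the PASSWORD branch just above it, so a sub_dict that carries both keys loses the first secret from nologlist and that value is written to the log. Collect the secrets in a list and append each one, so that any further secret key added later is masked as well.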
Re: [Freeipa-devel] Localization patches.
Pavel Zůna wrote:
Rebased patch 81 and 83 (pygettext). Created a new patch to fix these latest test failures - it was easier than doing a complex rebase. All latest versions of localization patches are attached to this email for review. I tried to apply them on a clean master clone, built RPMs, installed them and ran all unit tests. So hopefully, we're finally going to get this in. :)
Pavel

I don't understand some of these (and past changes):
- Updated patch 83-2 just changes the commit message slightly
- Patch 84 comments out several lines in the tests. There isn't any explanation what these changes do and why they are needed. It seems to be disabling a confirmation that changing locale works.
- Patch 82 drops a bunch of the old ugettext code which is fine, but I think one of the purposes was to make sure that translation was occurring.
- Patch 82 in test_text.py changing the languages is removed. Are we really exercising this code?
rob
___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] one-liner for krbtpolicy
Pushed out this one-liner to fix a typo and add an example for when user ticket policy takes effect.

diff --git a/ipalib/plugins/krbtpolicy.py b/ipalib/plugins/krbtpolicy.py
index 22ef161..c9d86ea 100644
--- a/ipalib/plugins/krbtpolicy.py
+++ b/ipalib/plugins/krbtpolicy.py
@@ -30,8 +30,8 @@ is required, which can be achieved using:
service krb5kdc restart
-Changes to per-user policies take effect immediatly for newly requested
-tickets.
+Changes to per-user policies take effect immediately for newly requested
+tickets (e.g. when the user next runs kinit).
EXAMPLES:
___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 20 Create default disabled sudo bind user
JR Aquino wrote:
On 2/23/11 11:23 AM, "Simo Sorce" wrote:
On Wed, 23 Feb 2011 13:50:37 -0500 Rob Crittenden wrote:
JR Aquino wrote:
On 2/22/11 7:45 PM, "JR Aquino" wrote:
This patch addresses ticket #998
It adds:
* ldif to create a default sudo bind user: dn: uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX
* modifications to dsinstance.py to add the ldif
* modifications to dsinstance.py to add a call to ipautil.ipa_generate_password() for a random password. It is added to the sub_dict as 'RANDOM_PASSWORD'
* addition to the Makefile.am in install/share to account for the new ldif file

Corrections / Additions:
* Correction to dsinstance.py to remove the unnecessary sha1 call and library
* Addition of docstring for the ipa help sudorule to explain usage of the sudo binddn

We need to make sure we don't log random passwords. Can you add this to your patch?

--- service.py 2011-02-14 20:18:23.0 -0500
+++ /tmp/service.py 2011-02-23 13:49:56.0 -0500
@@ -137,6 +137,8 @@
# do not log passwords
if sub_dict.has_key('PASSWORD'):
nologlist = sub_dict['PASSWORD'],
+if sub_dict.has_key('RANDOM_PASSWORD'):
+nologlist = sub_dict['RANDOM_PASSWORD'],

Should you append to nologlist ? If I read this right otherwise you'll replace the previous one.
Simo.

New corrections posted for the full patch. Adding a correction to nologlist to initialize it as a dict rather than a tuple. Then correctly appending the various sub_dict objects to the list. Also corrected 2 trailing whitespace bugs that were present in the previous patch.

ack, pushed to master. I just added a bit more info to the commit message.
rob
___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
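The overwrite Simo points out, and the accumulate-then-mask pattern that fixes it, as an added example that is not FreeIPA's service.py code: the sub_dict keys PASSWORD and RANDOM_PASSWORD come from this thread, while the template text, the helper names, the masking marker and the sample entry are constructed for the illustration.

```python
"""Masking substituted secrets before a rendered template is logged.

Added example, not FreeIPA code. PASSWORD and RANDOM_PASSWORD are the
sub_dict keys discussed in the thread; everything else here is assumed.
"""
import re

# Keys whose substituted values must never reach a log (assumed list).
SECRET_KEYS = ('PASSWORD', 'RANDOM_PASSWORD')


def nolog_values_buggy(sub_dict):
    """Mirror of the first version of the hunk: each branch *assigns* a
    one-element tuple, so the second key silently discards the first."""
    nologlist = ()
    if 'PASSWORD' in sub_dict:
        nologlist = sub_dict['PASSWORD'],
    if 'RANDOM_PASSWORD' in sub_dict:
        nologlist = sub_dict['RANDOM_PASSWORD'],
    return nologlist


def nolog_values(sub_dict):
    """Corrected form: collect every secret that is present."""
    nologlist = []
    for key in SECRET_KEYS:
        if key in sub_dict:
            nologlist.append(sub_dict[key])
    return nologlist


def render(template, sub_dict):
    """Minimal $KEY substitution standing in for the real template engine."""
    return re.sub(r'\$([A-Z_]+)',
                  lambda m: sub_dict.get(m.group(1), m.group(0)),
                  template)


def mask(text, nologlist):
    """Replace each secret value with a fixed marker before logging."""
    for secret in nologlist:
        if secret:  # never call replace('' ...), which would corrupt the text
            text = text.replace(secret, 'XXXXXXXX')
    return text


def render_for_log(template, sub_dict, collector=nolog_values):
    """Render the template and return the version that is safe to log."""
    return mask(render(template, sub_dict), collector(sub_dict))


# Constructed sample: a sysaccount entry shaped like the sudo bind user
# in this thread, with a bind password line added for the illustration.
SAMPLE_TEMPLATE = (
    "dn: uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX\n"
    "userPassword: $RANDOM_PASSWORD\n"
    "# bind password used for this run: $PASSWORD\n"
)
SAMPLE_SUBS = {
    'SUFFIX': 'dc=example,dc=test',
    'PASSWORD': 'dm-secret-1',
    'RANDOM_PASSWORD': 'rnd-secret-2',
}

if __name__ == '__main__':
    # The buggy collector leaks dm-secret-1; the fixed one masks both.
    print(render_for_log(SAMPLE_TEMPLATE, SAMPLE_SUBS, nolog_values_buggy))
    print(render_for_log(SAMPLE_TEMPLATE, SAMPLE_SUBS))
```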
[Freeipa-devel] [PATCH] 741 fix sudocmd membership
We weren't searching the cn=sudo container so all members of a sudocmdgroup looked indirect. Add a label for sudo command groups. Update the tests to include verifying that membership is done properly. ticket 1003 rob freeipa-rcrit-741-sudocmd.patch Description: application/mbox ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 742 Sudo command groups are not supposed to allow nesting
It was a design decision to not allow nesting sudo command groups, remove it. ticket 1004 rob freeipa-rcrit-742-sudocmdgroup.patch Description: application/mbox ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 742 Sudo command groups are not supposed to allow nesting
Rob Crittenden wrote: It was a design decision to not allow nesting sudo command groups, remove it. ticket 1004 rob Updated patch attached. This is going to require an API change. rob freeipa-rcrit-742-2-sudocmdgroup.patch Description: application/mbox ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 743 add SuitespotGroup to ds install
We should have been doing this all along but with 389-ds-base-1.2.8.a3 we need to supply the SuitespotGroup directive in the installation template. The 389-ds instance installation will fail otherwise, being unable to write to /var/run/dirsrv. ticket 1010 rob freeipa-rcrit-743-dsgroup.patch Description: application/mbox ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0087 Fix winsync agreements setup
Simo Sorce wrote: Setting up a winsync agreement was broken. This patch fixes the code to allow setting up a winsync agreement that requires access to a non-IPA ldap server. Simo. This changes the side we initiate the replication startup on. I don't know a ton about the internals of 389-ds replication but is this necessary? It has been this way for years. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0087 Fix winsync agreements setup
Simo Sorce wrote:
On Mon, 28 Feb 2011 10:49:29 -0500 Rob Crittenden wrote:
Simo Sorce wrote:
Setting up a winsync agreement was broken. This patch fixes the code to allow setting up a winsync agreement that requires access to a non-IPA ldap server.
Simo.

This changes the side we initiate the replication startup on. I don't know a ton about the internals of 389-ds replication but is this necessary? It has been this way for years.

Sorry, I don't see that. Where am I doing that ?
Simo.

This is what I saw:

mod = [(ldap.MOD_ADD, 'nsds5BeginReplicaRefresh', 'start')]
-other_conn.modify_s(dn, mod)
+conn.modify_s(dn, mod)

It looks like you renamed the variable from other_conn to conn so this change is ok.
rob
___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 744 use Sudo rather than SUDO
Use Sudo instead of SUDO in labels, descriptions, etc. ticket 1005 rob freeipa-rcrit-744-sudo.patch Description: application/mbox ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] Announcing FreeIPA v2 Server Release Candidate 2 Release
To all freeipa-interest, freeipa-users and freeipa-devel list members,

The FreeIPA project team is pleased to announce the availability of the Release Candidate 2 release of freeIPA 2.0 server [1].
* Binaries are available for F-14 and F-15 [2].
* Please do not hesitate to share feedback, criticism or bugs with us on our mailing list: freeipa-us...@redhat.com

Main Highlights of the Release Candidate
This release consists primarily of bug fixes and polish across all areas of the project. Modifications include but are not limited to
* Make Indirect membership clearer.
* Input validation fixes.
* WebUI improvements.
* Created default Roles.
* IPv6 support
* Documentation updates

Focus of the Release Candidate Testing
* There was a Fedora test day for FreeIPA on Feb 15th [3]. These tests are still relevant and feedback would be appreciated.
* The following section outlines the areas that we are most interested in testing [4].

Significant Changes Since RC 1
To see all the tickets addressed since the beta 2 release see [6].

Repositories and Installation
* Use the following link to install the RC 2 packages [5].
* FreeIPA relies on the latest versions of the packages currently available from the updates-testing repository. Please make sure to enable this repository before you proceed with installation.

Known Issues:
* There are known issues that currently prevent FreeIPA from successfully installing with dogtag on F-15 [2]. We will send a separate message when this issue is resolved. The FreeIPA server is installable with the --selfsign option on F-15, or with dogtag on F-14.
* Server-generated error messages are not translated yet.
* The 'ipa help' command does not support localization.

We plan to address all the outstanding tickets before the final 2.0 release. For the complete list see [7].

Thank you,
The FreeIPA development team

[1] http://www.freeipa.org/page/Downloads
[2] dogtag is having issues with systemd: https://bugzilla.redhat.com/show_bug.cgi?id=676330
[3] https://fedoraproject.org/wiki/QA/Fedora_15_test_days
[4] https://fedoraproject.org/wiki/Features/FreeIPAv2#How_To_Test
[5] http://freeipa.org/downloads/freeipa-devel.repo
[6] https://fedorahosted.org/freeipa/query?status=closed&milestone=2.0.2+Bug+fixing+(RC2)
[7] https://fedorahosted.org/freeipa/milestone/2.0.3.%20Bug%20Fixing%20%28GA%29
___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0087 Fix winsync agreements setup
Simo Sorce wrote:
On Mon, 28 Feb 2011 11:18:45 -0500 Rob Crittenden wrote:
Simo Sorce wrote:
On Mon, 28 Feb 2011 10:49:29 -0500 Rob Crittenden wrote:
Simo Sorce wrote:
Setting up a winsync agreement was broken. This patch fixes the code to allow setting up a winsync agreement that requires access to a non-IPA ldap server.
Simo.

This changes the side we initiate the replication startup on. I don't know a ton about the internals of 389-ds replication but is this necessary? It has been this way for years.

Sorry, I don't see that. Where am I doing that ?
Simo.

This is what I saw:

mod = [(ldap.MOD_ADD, 'nsds5BeginReplicaRefresh', 'start')]
-other_conn.modify_s(dn, mod)
+conn.modify_s(dn, mod)

It looks like you renamed the variable from other_conn to conn so this change is ok.

Oh yes it is just a rename of the variable not an actual change.
Simo.

Works great, ack.
rob
___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0092 Fix replica management with krb credentials
Simo Sorce wrote: If no bind password is provided it is not possible to create the basic replication user. Creating this user is not necessary for winsync agreements or to create new replica connections that use gssapi auth so make it optional if krb credentials are used. Simo. ack ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0091 Make wrappers for sasl binds
Simo Sorce wrote: Sasl gssapi binds were done w/o a wrapper, this caused sasl binds to behave differently in some cases as __lateinit() was never called on them. Unify sasl binds in ipaldap.py This is needed in conjunction with patch 0092 to fix managing replicas with krb credentials Simo. ack ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0086 add loginShell to winsynced users
Rich Megginson wrote: On 02/18/2011 03:10 PM, Simo Sorce wrote: Fixes #266 I haven't been able to test this as the Windows machine we have available decided to not behave today. I may try again next week assuming I have time. ack Second ack. I tested the patch and it worked fine. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Localization patches.
Pavel Zuna wrote:
On 02/23/2011 07:09 PM, Pavel Zůna wrote:
On 2011-02-22 20:16, Rob Crittenden wrote:
Pavel Zůna wrote:
On 2011-02-17 22:52, Rob Crittenden wrote:
Pavel Zůna wrote:
On 2011-02-17 05:09, Rob Crittenden wrote:
Pavel Zůna wrote:
My efforts in fixing localization all around the framework and preparing it for localizing docstrings have resulted in a lot of patches. Because I understand they have become a bit hard to track, I decided to post them all together in this thread to make review easier. After this is committed, there will be one more patch that switches xgettext for pygettext. Then hopefully, we'll be pretty much set when it comes to i18n.
Pavel

Patch 81 isn't applying for me.
Help is not working for me either, this is due to patch 80.

$ ipa help user
ipa: ERROR: NameError: global name '_' is not defined
Traceback (most recent call last):
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1087, in run
    api.finalize()
  File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 619, in finalize
    plugin_iter(base, (magic[k] for k in magic))
  File "/home/rcrit/redhat/freeipa-version/ipalib/base.py", line 397, in __init__
    sorted(members, key=lambda m: getattr(m, name_attr))
  File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 608, in plugin_iter
    plugins[klass] = PluginInstance(klass)
  File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 585, in __init__
    self.instance = klass()
  File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 184, in __init__
    self.doc = _(inspect.getdoc(cls))
NameError: global name '_' is not defined
ipa: ERROR: an internal error has occurred

Patches 69, 71 and 73 are still working fine.
What is switching from xgettext to pygettext going to do?

This was answered by John Dennis: xgettext doesn't parse python docstrings.
rob

Rebased version of 81 attached. It should also fix the traceback you're getting.
Pavel

Something is still not working.

I'm having a hard time reproducing how I got this but with LANG=es_US.UTF-8 for a while I was getting this with every ipa user-* request:

ipa: ERROR: UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in position 20: ordinal not in range(128)
Traceback (most recent call last):
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1090, in run
    sys.exit(api.Backend.cli.run(argv))
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 917, in run
    rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, **options)
  File "/home/rcrit/redhat/freeipa-version/ipalib/frontend.py", line 953, in output_for_cli
    textui.print_entries(result, order, labels, flags, print_all)
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 346, in print_entries
    self.print_entry(entry, order, labels, flags, print_all, format, indent)
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 378, in print_entry
    label, value, format, indent, one_value_per_line
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 309, in print_attribute
    self.print_indented(format % (attr, text[0]), indent)
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 232, in print_indented
    print (CLI_TAB * indent + text)
UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in position 20: ordinal not in range(128)
ipa: ERROR: ha ocurrido un error interno

I think it is blowing up on this user:

User login: jose
First name: Jose
Last name: contraseñas
Home directory: /home/jose
Login shell: /bin/sh
Account disabled: TRUE
Member of groups: ipausers

Then all of a sudden things started working fine, so I'm not sure what's going on. Is this traceback meaningful to you?
rob

This looks like a bug in the textui backend.

You get this error when you do something like this:

>>> a = u'\xf1'
>>> a.decode('utf-8')
Traceback (most recent call last):
  File "", line 1, in
  File "/usr/lib/python2.6/encodings/utf_8.py", line 16, in decode
    return codecs.utf_8_decode(input, errors, True)
UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in position 0: ordinal not in range(128)

It means we're not handling encoding/decoding from/to the CLI right somewhere. The character \xf1 corresponds to the small N with tilde in Jose's last name. I'm going to look into it, but I don't think it's related to the localization patches.
Pavel

I'm seeing 2 test failures:

==
FAIL: Test the `ipalib.plugable.Plugin.__init__` method.
--
Traceback (most recent call las
Re: [Freeipa-devel] [PATCH] 744 use Sudo rather than SUDO
Adam Young wrote:
On 02/28/2011 03:28 PM, Endi Sukma Dewata wrote:
On 2/28/2011 12:51 PM, Endi Sukma Dewata wrote:
On 2/28/2011 10:47 AM, Rob Crittenden wrote:
Use Sudo instead of SUDO in labels, descriptions, etc.
ticket 1005
rob

This patch is ACKed. The capitalization is now consistent in the CLI. However, the UI capitalizes the labels in the action panel and the title of association facets, so we still see a mix of Sudo and SUDO in the UI. There are still some SUDO leftover in the UI test data, but that can be fixed in a separate patch.

The attached patch fixes the UI test data.

ACK pushed to master
___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 744 use Sudo rather than SUDO
Endi Sukma Dewata wrote: On 2/28/2011 10:47 AM, Rob Crittenden wrote: Use Sudo instead of SUDO in labels, descriptions, etc. ticket 1005 rob This patch is ACKed. The capitalization is now consistent in the CLI. However, the UI capitalizes the labels in the action panel and the title of association facets, so we still see a mix of Sudo and SUDO in the UI. There are still some SUDO leftover in the UI test data, but that can be fixed in a separate patch. pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Revert-Set-hard-limit-on-number-of-commands-in-batch
Adam Young wrote: I have not tested this, just ran: git revert 79d22f8341026450ba7ca564e24812c9351c7e70 Please test before ACKing. I will test as well now. ack ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0094 Make it possible to list also winsync replicas
Simo Sorce wrote: This patch registers winsync replica in the public tree with enough information to know which master is handling the agreement. Now when listing replicas, the type is also returned and winsync agreements are listed. When listing a specific server with --verbose, in case of a winsync peer the winsync peer status is shown by contacting the master that has the agreement. On winsync link removal, the public information about the agreement is also removed. Ticket 1007 Simo. Works great, good call on the update file. I updated my existing installation and it worked fine. ack rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0094 Make it possible to list also winsync replicas
Rob Crittenden wrote:
Simo Sorce wrote:
This patch registers a winsync replica in the public tree with enough information to know which master is handling the agreement. Now when listing replicas, the type is also returned and winsync agreements are listed. When listing a specific server with --verbose, in case of a winsync peer the winsync peer status is shown by contacting the master that has the agreement. On winsync link removal, the public information about the agreement is also removed. Ticket 1007 Simo.
Works great, good call on the update file. I updated my existing installation and it worked fine. ack rob
BTW, this needs a small rebase, it fails to apply the change to install/updates/Makefile.am rob
Re: [Freeipa-devel] [PATCH] 0092 Fix replica management with krb credentials
Rob Crittenden wrote:
Simo Sorce wrote:
If no bind password is provided it is not possible to create the basic replication user. Creating this user is not necessary for winsync agreements or to create new replica connections that use gssapi auth so make it optional if krb credentials are used. Simo.
ack
This has been pushed to master
Re: [Freeipa-devel] [PATCH] Use pygettext to generate translatable strings from plugin files.
Jakub Hrozek wrote:
On Mon, Feb 21, 2011 at 04:12:31PM +0100, Pavel Zůna wrote:
This goes on top of my other localization patches!
This patch replaces xgettext with a custom pygettext to generate translatable strings from plugin files in ipalib/plugins. pygettext was modified to handle plural forms (credit goes to Jan Hendrik Goellner) and had some bugs fixed by myself. We only use it for plugins, because it's the only place where we need to extract docstrings for the built-in help system. I also had to make some changes to the way the built-in documentation system gets docstrings from modules for this to work.
How to test?
1) First, apply all of the localization patches found in thread "Localization patches" on freeipa-devel. Then apply this patch.
2) Regenerate your install/po/Makefile:
- delete install/po/Makefile
- run `./configure` in install
3) Regenerate the pot and po files:
- run `make update-pot` in install/po
- run `make update-po` in install/po
I noticed that none of the .po files is regenerated when we run make dist. Is that intentional? I think that all the released tarballs should contain up-to-date translations.
4) Make a change to one of the translations:
- example: add translation to the ACI docstring
* find docstring for ACI in install/po/es.po
* change the corresponding msgstr "" to msgstr "\nBuenos dias, amigos!\n"
Note: if the translatable string begins with \n, the translation also needs to begin with \n. Same goes for ending.
5) Install the modified translations:
- run `make install` in install/po
Note: I had some problems with this and had to make rpms and install IPA from beginning for it to work. Looks like doing `make install` manually updates /usr/local/share/locale instead of /usr/share/locale, but maybe I just did something wrong.
./configure --datadir=/usr/share
My buildscript contains a variation of "rpm -E %configure".
This was pushed with the mass of i18n patches
[Freeipa-devel] [PATCH] 745 restart dogtag DS instance after install
The dogtag team tells me we should restart their LDAP backend right after installation. In some configurations not doing this can cause problems (using the CA as we do isn't one of the known cases but better safe than sorry). To do this we bring down dogtag, restart 389-ds, then bring dogtag back up. Ticket 1024 rob freeipa-rcrit-745-restart.patch
Re: [Freeipa-devel] [PATCH] 745 restart dogtag DS instance after install
Martin Kosek wrote:
On Wed, 2011-03-02 at 16:51 -0500, Rob Crittenden wrote:
The dogtag team tells me we should restart their LDAP backend right after installation. In some configurations not doing this can cause problems (using the CA as we do isn't one of the known cases but better safe than sorry). To do this we bring down dogtag, restart 389-ds, then bring dogtag back up. Ticket 1024 rob
The patch looks OK and it actually worked for me, but why is the dogtag restarted only for replicas (ipa-replica-install)?
This bug says it is only needed on clones: https://bugzilla.redhat.com/show_bug.cgi?id=680984 rob
Re: [Freeipa-devel] [PATCH] 035 IPA replica/server install does not check for a client
Martin Kosek wrote: When IPA replica or server is configured it does not check for possibly installed client. This will cause the installation to fail in the very end. This patch adds a check for already configured client and suggests removing it before server/replica installation. https://fedorahosted.org/freeipa/ticket/1002 ack, pushed to master
Re: [Freeipa-devel] [PATCH] 036 Inconsistent sysrestore file handling by IPA server installer
Martin Kosek wrote: IPA server/replica uninstallation may fail when it tries to restore a Directory server configuration file in sysrestore directory, which was already restored before. The problem is in Directory Server uninstaller which uses and modifies its own image of sysrestore directory state instead of using the common uninstaller image. https://fedorahosted.org/freeipa/ticket/1026 ack, pushed to master
Re: [Freeipa-devel] [PATCH] 065 Replace only if old and new have nothing in common
Pavel Zuna wrote:
On 03/02/2011 08:50 PM, Jakub Hrozek wrote:
On Wed, Feb 23, 2011 at 12:36:06PM -0500, Rob Crittenden wrote:
Jakub Hrozek wrote:
On 02/23/2011 04:47 PM, Rob Crittenden wrote:
Jakub Hrozek wrote:
Replace only if old and new have nothing in common
This has problems when removing the last member. There is no adds, rems has a single value (the member being removed). The intersection is 0 so force_replace gets set to True and nothing ends up getting done. I added a len(v) > 0 to this conditional and it seems to work. I also added a small test case based on Endi's initial report. I'm getting a 100% test pass rate. rob
I hit one more problem with the patch, although I'm not entirely sure how that is possible - when a user is renamed, his memberof becomes indirect memberof:
# ipa user-mod --rename test2 test
-
Modified user "test"
-
User login: test2
First name: Test
Last name: User
Home directory: /home/test
Login shell: /bin/sh
Account disabled: False
Indirect Member of group: ipausers
I think this is another timing issue with 389-ds postop plugins, this time the referential integrity plugin. I don't think this is related to this change. We start with:
dn: uid=test, ...
uid: test
memberOf: ipausers
dn: cn=ipausers, ...
cn: ipausers
member: uid=test,...
When we do the rename we immediately end up with:
dn: uid=test2, ..
uid: test2
memberOf: ipausers
dn: cn=ipausers, ...
cn: ipausers
member: uid=test, ...
We determine indirect membership by comparing the user's memberOf with the results of a query for member=uid=test2. If the refint plugin hasn't updated the ipausers group by the time we do the query the user will appear to be an indirect member. rob
OK, you're probably right, I can't reproduce the issue anymore. This patch has an ACK from me. Since this is a very low-level change at a late stage, I have asked Martin to take a second look. Jakub
Tested a few corner cases and it seems to be cool. ACK from me too. Pavel
pushed to master
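The direct-versus-indirect check and the rename race Rob describes, as an added example (not FreeIPA code, and not part of the thread): two dict-based entries stand in for the user and group, a (member=&lt;dn&gt;) search is simulated, and the rename is applied with and without the referential integrity post-op having run. The DN suffixes are constructed.

```python
"""Direct vs. indirect group membership and the rename race from the thread.

Added example for the discussion above; it is not FreeIPA code. It models
the two entries Rob describes with plain dicts and reproduces the check he
outlines: a group in the user's memberOf is a direct membership only if a
(member=<user dn>) search also returns it, otherwise it is reported as
indirect. The DN suffixes below are constructed.
"""

USERS_BASE = 'cn=users,cn=accounts,dc=example,dc=com'    # constructed suffix
GROUPS_BASE = 'cn=groups,cn=accounts,dc=example,dc=com'  # constructed suffix


def user_dn(uid):
    return 'uid=%s,%s' % (uid, USERS_BASE)


def group_dn(cn):
    return 'cn=%s,%s' % (cn, GROUPS_BASE)


def initial_directory():
    """The starting state from the thread: test is a direct member of ipausers."""
    return {
        user_dn('test'): {'uid': ['test'], 'memberOf': [group_dn('ipausers')]},
        group_dn('ipausers'): {'cn': ['ipausers'], 'member': [user_dn('test')]},
    }


def search_member(directory, dn):
    """Simulate an LDAP search with filter (member=<dn>): every group entry
    whose member attribute lists dn."""
    return sorted(g for g, attrs in directory.items() if dn in attrs.get('member', []))


def classify_membership(directory, dn):
    """Split the user's memberOf into (direct, indirect) as described in the thread."""
    member_of = directory[dn].get('memberOf', [])
    direct_groups = set(search_member(directory, dn))
    direct = sorted(g for g in member_of if g in direct_groups)
    indirect = sorted(g for g in member_of if g not in direct_groups)
    return direct, indirect


def rename_user(directory, old_uid, new_uid, refint_done):
    """Apply a modrdn of the user entry.

    The entry keeps its own memberOf values, but the groups' member values are
    rewritten only once the referential integrity post-op has run
    (refint_done=True). With refint_done=False the directory is in the
    transient state Rob shows, where member still names the old DN.
    """
    old, new = user_dn(old_uid), user_dn(new_uid)
    entry = directory.pop(old)
    entry['uid'] = [new_uid]
    directory[new] = entry
    if refint_done:
        for attrs in directory.values():
            if 'member' in attrs:
                attrs['member'] = [new if m == old else m for m in attrs['member']]
    return directory


if __name__ == '__main__':
    for refint_done in (False, True):
        d = rename_user(initial_directory(), 'test', 'test2', refint_done)
        print('refint ran: %-5s ->' % refint_done, classify_membership(d, user_dn('test2')))
```

Run stand-alone it prints the two outcomes: with the post-op still pending the user shows up only as an indirect member of ipausers, exactly the output in the thread; once refint has rewritten the member value the same check reports a direct membership.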
Re: [Freeipa-devel] [PATCH] 745 restart dogtag DS instance after install
Martin Kosek wrote:
On Thu, 2011-03-03 at 09:30 -0500, Rob Crittenden wrote:
Martin Kosek wrote:
On Wed, 2011-03-02 at 16:51 -0500, Rob Crittenden wrote:
The dogtag team tells me we should restart their LDAP backend right after installation. In some configurations not doing this can cause problems (using the CA as we do isn't one of the known cases but better safe than sorry). To do this we bring down dogtag, restart 389-ds, then bring dogtag back up. Ticket 1024 rob
The patch looks OK and it actually worked for me, but why is the dogtag restarted only for replicas (ipa-replica-install)?
This bug says it is only needed on clones: https://bugzilla.redhat.com/show_bug.cgi?id=680984 rob
ACK from me then. I was confused by the commit message - no info about clones here. Martin
Ok, amended commit entry and pushed to master. rob
Re: [Freeipa-devel] [PATCH] Fix error in user plugin email normalizer for empty --setattr=mail=.
Pavel Zuna wrote: ipa user-add SOMEUSER --setattr=mail= --addattr=mail=someu...@redhat.com
Ack, pushed to master
I created ticket 1048 for this problem and amended the git commit message. rob
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
Martin Kosek wrote:
On Thu, 2011-03-03 at 15:29 +0100, Martin Kosek wrote:
On Mon, 2011-02-28 at 18:15 +, JR Aquino wrote:
On 2/25/11 9:27 AM, "Pavel Zůna" wrote:
On 2011-02-25 18:12, JR Aquino wrote:
On 2/25/11 5:58 AM, "Pavel Zuna" wrote:
On 02/23/2011 11:53 PM, Simo Sorce wrote:
On Wed, 23 Feb 2011 23:41:33 +0100 Pavel Zůna wrote:
On 2011-02-15 16:36, JR Aquino wrote:
On 2/15/11 6:52 AM, "Simo Sorce" wrote:
On Tue, 15 Feb 2011 15:19:50 +0100 Pavel Zuna wrote:
I can't reproduce this. :-/ For me it goes fine:
[root@ipadev tools]# ./ipa-nis-manage enable
Directory Manager password:
Enabling plugin
This setting will not take effect until you restart Directory Server.
The rpcbind service may need to be started.
Pavel, Jr has set the minimum ssf to a non default value to test a configuration in which all communications are required to be encrypted. That's why you can't reproduce with the vanilla configuration. We want to support that mode although it won't be the default, so we need to fix any issue that causes that configuration to break (ie all non-encrypted/non-ldapi connections). Simo. -- Simo Sorce * Red Hat, Inc * New York
The best way to do this is:
-=-
service ipa stop
Edit /etc/dirsrv/slapd-DOMAIN/dse.ldif
Change: nsslapd-minssf: 0
To: nsslapd-minssf: 56 <- 56 is chosen because SASL communicates a 56bit handshake even though we utilize a much stronger cipher... (It is a known bug/feature)
service ipa start
I tried to use the LDAPUpdate class (ipaserver/install/ldapupdate.py) with ldapi=True, but it raises a NotFound exception when trying to call IPAdmin.do_external_bind() (ipaserver/ipaldap.py). This exception originates in IPAdmin.__lateinit() when trying to retrieve this cn=config,cn=ldbm database,cn=plugins,cn=config For some reason it looks like this entry is inaccessible when doing a SASL EXTERNAL bind as root.
I can retrieve the entry as "cn=directory manager":
[root@vm-090 freeipa]# ldapsearch -D "cn=directory manager" -W -H ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b "cn=config,cn=ldbm database,cn=plugins,cn=config" -s one
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config,cn=ldbm database,cn=plugins,cn=config> with scope oneLevel
# filter: (objectclass=*)
# requesting: ALL
#
# default indexes, config, ldbm database, plugins, config
dn: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: default indexes
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
but not as root:
[root@vm-090 freeipa]# ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b "cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# SNMP, config
dn: cn=SNMP,cn=config
objectClass: top
objectClass: nsSNMP
cn: SNMP
nsSNMPEnabled: on
# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 2.16.840.1.113730.3.4.9
cn: VLV Request Control
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
I'm not sure what the problem is, I tried setting different SASL security properties, but nothing helped. :( Next step is to analyze DS logs, but before I do that, I wanted to ask if anyone has any tips on what the solution might be.
We have very strict ACIs when using EXTERNAL SASL as root. Is there any reason you need to operate as root? You can also authenticate with SIMPLE (Dir Mgr credentials), or SASL/GSSAPI if you have credentials. If you need to run unattended as root then we may need to make root+SASL/EXTERNAL more powerful but I'd like to understand exactly why you need that and can't use regular authentication with DirMgr or GSSAPI credentials. Simo.
Thanks for advice! New version of the patch attached.
Sorry Pavel, I have to NACK again: It looks like some comment info got left in the patch perhaps.
[root@auth2 ~]# ipa-compat-manage status
File "/usr/sbin/ipa-compat-manage", line 169
<<< HEAD
[root@auth2 ~]# ipa-host-net-manage status
File "/usr/sbin/ipa-host-net-manage", line 195
<<< HEAD
^
That's cool, I just wonder how it got there. :) Fixed version attached. Pavel
I've verified the following:
install/migration/migration.py
install/tools/ipa-compat-manage
install/tools/ipa-compliance
install/tools/ipa-host-net-manage
install/tools/ipa-nis-manage
install/tools/ipa-replica-prepare
install/tools/ipa-server-install
ipaserver/install/ldapupdate.py
ACK for everything except: install/tools/ipa-server-certinstall
I'm not sur
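The nsslapd-minssf change JR describes (0 to 56 in dse.ldif) as an added audit-and-harden example, not FreeIPA code and not from the thread: it parses a constructed dse.ldif fragment, reports whether cn=config already enforces the 56 minimum, and produces the corrected file. Only the LDIF layout of dse.ldif and the threshold value from the thread are assumed.

```python
"""Audit and harden nsslapd-minssf in a 389-ds dse.ldif fragment.

Added example for the freeipa-devel thread above; it is not FreeIPA code.
It assumes only the dse.ldif layout (attribute: value lines, an entry per
blank-line-separated block, continuation lines starting with one space)
and the threshold of 56 that JR used to force encrypted connections.
"""

MIN_SSF_REQUIRED = 56  # from the thread: forces TLS/SASL-protected binds

# Constructed dse.ldif fragment with the permissive default (not a real server dump).
SAMPLE_DSE_LDIF = """\
dn: cn=config
objectClass: top
objectClass: extensibleObject
cn: config
nsslapd-minssf: 0
nsslapd-port: 389
nsslapd-ldapifilepath: /var/run/slapd-EXAMPLE-COM.socket

dn: cn=encryption,cn=config
objectClass: top
cn: encryption
nsSSL3: off
"""


def parse_ldif(text):
    """Return a list of (dn, {attr_lowercase: [values]}) from LDIF text.

    Folded lines (leading space) are joined to the previous value and
    comment lines are skipped. Base64 ('::') values are not decoded, which
    is fine for the plain config attributes this check looks at.
    """
    entries = []
    attrs = None
    last_attr = None
    for raw in text.splitlines():
        if raw.startswith('#'):
            continue
        if raw.startswith(' ') and last_attr is not None:
            attrs[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():
            if attrs is not None:
                entries.append((attrs['dn'][0], attrs))
            attrs, last_attr = None, None
            continue
        name, sep, value = raw.partition(':')
        if not sep:
            raise ValueError('malformed LDIF line: %r' % raw)
        if attrs is None:
            attrs = {}
        last_attr = name.strip().lower()
        attrs.setdefault(last_attr, []).append(value.strip())
    if attrs is not None:
        entries.append((attrs['dn'][0], attrs))
    return entries


def check_minssf(text, required=MIN_SSF_REQUIRED):
    """Return (current_minssf, is_compliant) for the cn=config entry.

    A missing nsslapd-minssf counts as 0, the server default.
    """
    for dn, attrs in parse_ldif(text):
        if dn.lower() == 'cn=config':
            current = int(attrs.get('nsslapd-minssf', ['0'])[0])
            return current, current >= required
    raise ValueError('no cn=config entry in LDIF')


def harden_minssf(text, required=MIN_SSF_REQUIRED):
    """Return the LDIF with nsslapd-minssf under cn=config raised to
    `required` (added if absent); a value already at or above it is kept
    and other entries are left untouched."""
    out = []
    in_config = False
    handled = False
    for line in text.splitlines():
        if line.startswith('dn:'):
            in_config = line.split(':', 1)[1].strip().lower() == 'cn=config'
            handled = False
        elif in_config and line.lower().startswith('nsslapd-minssf:'):
            if int(line.split(':', 1)[1]) < required:
                line = 'nsslapd-minssf: %d' % required
            handled = True
        elif in_config and not line.strip() and not handled:
            # entry ended without the attribute: add it before the separator
            out.append('nsslapd-minssf: %d' % required)
            handled = True
        out.append(line)
    if in_config and not handled:  # cn=config was the last entry, no blank line
        out.append('nsslapd-minssf: %d' % required)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    current, ok = check_minssf(SAMPLE_DSE_LDIF)
    print('nsslapd-minssf=%d compliant=%s' % (current, ok))
    print(harden_minssf(SAMPLE_DSE_LDIF))
```

As in the thread, the edit only makes sense with the directory server stopped (dse.ldif is rewritten by the running server), and it is exactly this setting that turns plain ldap: binds from the core tools into failures, which is why the thread moves them to ldapi:.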
[Freeipa-devel] [PATCH] 747 don't check DNS for sanity if we're installing DNS
Skip the DNS checks during installation if we're configuring IPA as a DNS server. ticket 1036 rob freeipa-rcrit-747-install.patch
Re: [Freeipa-devel] [PATCH] 747 don't check DNS for sanity if we're installing DNS
Simo Sorce wrote: On Thu, 03 Mar 2011 16:11:24 -0500 Rob Crittenden wrote: Skip the DNS checks during installation if we're configuring IPA as a DNS server. ticket 1036 ACK Simo. pushed to master
Re: [Freeipa-devel] [PATCH] 746 style and grammatical issues in help
David O'Brien wrote:
Rob Crittenden wrote:
Fix style and grammatical issues in built-in command help. There is a rather large API.txt change but it is only due to changes in the doc string in parameters. ticket 729 rob
Couple of picks:
--maxusername=INT Max. username length when creating/modifing a user (modifying)
doc=_('Extra hashes to generate in password plugin.'), (plug-in should be hyphenated)
doc=_('Force DNS zone creation even if name server not in DNS.'), (Sometimes we say "nameserver" and other times "name server". Our Style Guide prefers "nameserver", so "Force DNS zone creation even if the nameserver is not in the DNS.")
ACK with those couple of fixes.
Fixed, pushed to master
Re: [Freeipa-devel] [PATCH] 118 Fixed host enrollment time
Endi Sukma Dewata wrote: The month in krblastpwdchange (LDAP Generalized Time) is 1-based but the month in JavaScript Date.setUTCFullYear() is 0-based so it needs a conversion. Ticket 1053 ack, pushed to master
[Freeipa-devel] [PATCH] 748 always stop tracking cert on client uninstall
certmonger stop_tracking() is robust enough to do the right thing if no certificate exists so go ahead and always call it. If the certificate failed to be issued for some reason the request will still be in certmonger after uninstalling. This would cause problems when trying to reinstall the client. This will go ahead and always tell certmonger to stop tracking it. Testing instructions are in the ticket. ticket 1028 rob freeipa-rcrit-748-client.patch
[Freeipa-devel] [PATCH] fix API, broken build
When I applied some fixes to the help text as suggested by David for patch 746 I missed that it affected the API. It is just a doc string change, pushed under the one-liner rule. --- a/API.txt +++ b/API.txt @@ -708,7 +708,7 @@ option: Str('idnsupdatepolicy', attribute=True, cli_name='update_policy', label= option: Flag('idnsallowdynupdate', attribute=True, autofill=True, cli_name='allow_dynupdate', default=False, label=Gettext('Dynamic update', domain='ipa', localedir=None), multivalue=False, required=True) option: Str('addattr*', validate_add_attribute, cli_name='addattr', exclude='webui') option: Str('setattr*', validate_set_attribute, cli_name='setattr', exclude='webui') -option: Flag('force', autofill=True, default=False,lag('force', autofill=True, default=False, doc=Gettext('Force DNS zone creation even if name server not in DNS.', domain='ipa', localedir=None)) +option: Flag('force', autofill=True, default=False,lag('force', autofill=True, default=False, doc=Gettext('Force DNS zone creation even if nameserver not in DNS.', domain='ipa', localedir=None)) option: Str('ip_address?', _validate_ipaddr,tr('ip_address?', _validate_ipaddr, doc=Gettext('Add the nameserver to DNS with this IP address', domain='ipa', localedir=None)) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui', flags=['no_output']) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui', flags=['no_output']) -- 1.7.3.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
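Review bot: the changed `option: Flag('force', ...)` line carries a duplicated fragment in both its `-` and `+` form, `default=False,lag('force', autofill=True, default=False, doc=...`, and the unchanged `option: Str('ip_address?', _validate_ipaddr,tr('ip_address?', ...)` context line shows the same pattern; if that text is in the committed API.txt rather than a mail-transport artifact, the file no longer matches what the API generator emits and the next API check will flag every such line, not just this doc string. Suggest regenerating API.txt from the plugin source instead of editing the `doc=Gettext('Force DNS zone creation even if nameserver not in DNS.', ...)` string by hand, which also keeps it in sync with the `doc=_(...)` text in dnszone_add.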
[Freeipa-devel] [PATCH] 749 use hostname consistently in ipa-client-install
If a hostname was provided it wasn't used to configure either certmonger or sssd. This resulted in a non-working configuration. Additionally on un-enrollment the wrong hostname was unenrolled, it used the value of gethostname() rather than the one that was passed into the installer.
We have to modify the CA configuration of certmonger to make it use the right principal when requesting certificates. The filename is unpredictable but it will be in /var/lib/certmonger/cas. We need to hunt for ipa_submit and add -k to it, then undo that on uninstall. These files are created the first time the certmonger service starts, so start and stop it before messing with them.
ticket 1029
To test do something like:
# ipa-client-install --hostname some_other_host.example.com
# ipa-getcert list
# id admin
If id admin works it means sssd is set up properly, you can confirm by looking at ipa_hostname in /etc/sssd/sssd.conf. The certificate in ipa-getcert should be MONITORING.
Now on the IPA server look at the host entry for some_other_host.example.com and it should have Keytab: True
Now run: ipa-client-install --uninstall
The host entry on the server should have Keytab: False
ipa-getcert list should return nothing (you'll need to start the certmonger service to see it)
rob
freeipa-rcrit-749-hostname.patch
Re: [Freeipa-devel] [PATCH] 749 use hostname consistently in ipa-client-install
Nalin Dahyabhai wrote: On Fri, Mar 04, 2011 at 05:59:26PM -0500, Rob Crittenden wrote: If a hostname was provided it wasn't used to configure either certmonger or sssd. This resulted in a non-working configuration. [snip] @@ -241,6 +242,81 @@ def stop_tracking(secdir, request_id=None, nickname=None): return (stdout, stderr, returncode) +def _find_ipa_submit_ca(): +""" +Look through all the certmonger CA files to find the one that +defines ipa-submit as the ca_external_helper. + +We can use find_request_value because the ca files have the +same file format. +""" +fileList=os.listdir(CA_DIR) +for file in fileList: +value = find_request_value('%s/%s' % (CA_DIR, file), 'ca_external_helper') +if value is not None and value.startswith('/usr/libexec/certmonger/ipa-submit'): +return '%s/%s' % (CA_DIR, file) This should work, but could I get you to change the test here to look for "id=IPA" instead of "ca_external_helper=/usr/libexec/certmonger/ipa-submit"? The "ipa-getcert" command-line tool is hard-coded to ask certmonger to use the CA with an "id" of "IPA", and that's how certmonger figures out which file's settings to use. I can imagine having another CA configuration for certmonger on the system that told it to call its ipa-submit helper with a different set of arguments. In that setup, the one with "id=IPA" would still be the one that certmonger would use on behalf of ipa-getcert. (I don't have a good idea of _why_ someone would do that, but there you go.) Cheers, Nalin Good idea, switched to use id=IPA instead. rob freeipa-rcrit-749-2-hostname.patch Description: application/mbox ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
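Review bot: in `_find_ipa_submit_ca()` the selector `value.startswith('/usr/libexec/certmonger/ipa-submit')` keys on the helper path rather than on the CA's identity, so a second CA file that invokes the same helper with other arguments would match first depending on `os.listdir` order; matching on `id=IPA`, the CA that ipa-getcert asks for, is the safer test, as Nalin notes. Two smaller points in the same hunk: the loop variable `file` shadows the Python builtin and `'%s/%s' % (CA_DIR, file)` would read better as `os.path.join(CA_DIR, name)`; and the function falls through to an implicit `None` when nothing matches (or raises if `CA_DIR` does not exist yet because certmonger has never started), so the installer code that goes on to edit the file needs to handle both before opening it.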
Re: [Freeipa-devel] [PATCH 23/23] Add Transifex tx client configuration file
John Dennis wrote: ack, pushed to master
[Freeipa-devel] [PATCH] 750 chkconfig ipa off on uninstall
chkconfig the ipa service to off on uninstall ticket 1056 rob freeipa-rcrit-750-service.patch
Re: [Freeipa-devel] [PATCH] 037 Improve error handling and return status codes in ipactl
Martin Kosek wrote:
There are cases when ipactl returns success even when it fails. Plus, when the error really is detected the status codes are not LSB compliant. This may result in consequent issues. This patch improves error handling in ipactl and adds LSB compliant status codes. Namely:
0 program is running or service is OK
3 program is not running
4 program or service status is unknown
for "status" action. Status code 4 is issued when IPA is not configured to distinguish this state from not running IPA. For other actions, the following non-zero status codes are implemented:
1 generic or unspecified error
2 invalid or excess argument(s)
4 user had insufficient privilege
6 program is not configured
https://fedorahosted.org/freeipa/ticket/1055
Nice work, thanks for documenting this so well. Ack, pushed to master rob
Re: [Freeipa-devel] [PATCH] 748 always stop tracking cert on client uninstall
Martin Kosek wrote:
On Fri, 2011-03-04 at 13:14 -0500, Rob Crittenden wrote:
certmonger stop_tracking() is robust enough to do the right thing if no certificate exists so go ahead and always call it. If the certificate failed to be issued for some reason the request will still be in certmonger after uninstalling. This would cause problems when trying to reinstall the client. This will go ahead and always tell certmonger to stop tracking it. Testing instructions are in the ticket. ticket 1028 rob
ACK. Works fine (verified also with the test case in the ticket). Martin
pushed to master
Re: [Freeipa-devel] [PATCH] 749 use hostname consistently in ipa-client-install
Martin Kosek wrote: On Mon, 2011-03-07 at 11:52 -0500, Rob Crittenden wrote: Nalin Dahyabhai wrote: On Fri, Mar 04, 2011 at 05:59:26PM -0500, Rob Crittenden wrote: If a hostname was provided it wasn't used to configure either certmonger or sssd. This resulted in a non-working configuration. [snip] 
@@ -241,6 +242,81 @@ def stop_tracking(secdir, request_id=None, nickname=None): return (stdout, stderr, returncode) +def _find_ipa_submit_ca(): +""" +Look through all the certmonger CA files to find the one that +defines ipa-submit as the ca_external_helper. + +We can use find_request_value because the ca files have the +same file format. +""" +fileList=os.listdir(CA_DIR) +for file in fileList: +value = find_request_value('%s/%s' % (CA_DIR, file), 'ca_external_helper') +if value is not None and value.startswith('/usr/libexec/certmonger/ipa-submit'): +return '%s/%s' % (CA_DIR, file) This should work, but could I get you to change the test here to look for "id=IPA" instead of "ca_external_helper=/usr/libexec/certmonger/ipa-submit"? The "ipa-getcert" command-line tool is hard-coded to ask certmonger to use the CA with an "id" of "IPA", and that's how certmonger figures out which file's settings to use. I can imagine having another CA configuration for certmonger on the system that told it to call its ipa-submit helper with a different set of arguments. In that setup, the one with "id=IPA" would still be the one that certmonger would use on behalf of ipa-getcert. (I don't have a good idea of _why_ someone would do that, but there you go.) Cheers, Nalin Good idea, switched to use id=IPA instead. rob ACK, nice work. Tested with ticket 748. Everything worked with both --hostname set and without it, uninstallation was also correct. I just run into an issue (not patch related) when certmonger kept showing me CA_UNCONFIGURED certificate tracking status. As we found out, this was caused by SELinux. However, new SElinux policy selinux-policy-3.9.7-33.fc14 should fix it. Martin I need to do some further investigation to see how this affects other distros, we may need to update the low-bar for selinux policy in our spec file. I'll open a new ticket for that. 
pushed to master
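The certmonger CA-file lookup discussed in this thread, as an added example that is not the FreeIPA client-installer code: it compares the helper-path selector from the first version of the patch with the `id=IPA` selector the review settled on, over a constructed CA directory in a temporary location. Only what the thread states is assumed (one key=value file per CA, ipa-getcert asking for the CA with id IPA); the extra helper argument in the first sample file is a placeholder.

```python
"""Select the certmonger CA file for the IPA CA by its id.

Added example illustrating the review discussion above (match on id=IPA
rather than on the helper path); it is not the FreeIPA client-installer code.
It assumes only what the thread states: certmonger keeps one key=value file
per CA under its CA directory and ipa-getcert asks for the CA whose id is
IPA. The sample CA directory and its contents are constructed in a temporary
location; the extra helper argument in the first file is a placeholder.
"""
import os
import tempfile

IPA_SUBMIT_HELPER = '/usr/libexec/certmonger/ipa-submit'  # helper path from the thread


def read_kv_file(path):
    """Parse a certmonger-style key=value file into a dict (first key wins)."""
    values = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith('#') or '=' not in line:
                continue
            key, value = line.split('=', 1)
            values.setdefault(key.strip(), value.strip())
    return values


def find_ca_file(ca_dir, ca_id='IPA'):
    """Return the path of the CA file whose id is ca_id, or None.

    Keying on id means a second CA entry that happens to call the same
    helper is not picked up, and a missing directory is reported as
    'not found' instead of raising.
    """
    if not os.path.isdir(ca_dir):
        return None
    for name in sorted(os.listdir(ca_dir)):
        path = os.path.join(ca_dir, name)
        if os.path.isfile(path) and read_kv_file(path).get('id') == ca_id:
            return path
    return None


def find_by_helper(ca_dir, helper=IPA_SUBMIT_HELPER):
    """The selector from the first version of the patch, kept for comparison:
    the first file whose ca_external_helper starts with the helper path."""
    for name in sorted(os.listdir(ca_dir)):
        path = os.path.join(ca_dir, name)
        if read_kv_file(path).get('ca_external_helper', '').startswith(helper):
            return path
    return None


def build_sample_ca_dir():
    """Constructed sample: two CA files using the same helper, only one with id=IPA."""
    ca_dir = tempfile.mkdtemp(prefix='certmonger-cas-')
    files = {
        '20110304170000': 'id=Other-IPA-Helper\n'
                          'ca_external_helper=%s EXTRA_ARGS_PLACEHOLDER\n' % IPA_SUBMIT_HELPER,
        '20110304170100': 'id=IPA\n'
                          'ca_external_helper=%s\n' % IPA_SUBMIT_HELPER,
    }
    for name, body in files.items():
        with open(os.path.join(ca_dir, name), 'w') as fh:
            fh.write(body)
    return ca_dir


if __name__ == '__main__':
    sample = build_sample_ca_dir()
    print('by id=IPA :', find_ca_file(sample))
    print('by helper :', find_by_helper(sample))
```

On the sample directory the two selectors disagree: the helper-path match returns the first file it meets, the id match returns the one certmonger will actually use on behalf of ipa-getcert, which is the file the installer has to edit.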
Re: [Freeipa-devel] [PATCH] 750 chkconfig ipa off on uninstall
Martin Kosek wrote:
On Mon, 2011-03-07 at 16:30 -0500, Rob Crittenden wrote:
chkconfig the ipa service to off on uninstall ticket 1056 rob
ACK, works fine. Martin
pushed to master
Re: [Freeipa-devel] [PATCH] 038 ipa-dns-install script fails
Martin Kosek wrote: This patch fixes a typo in class Service, function __get_conn which causes ipa-dns-install script to fail every time. https://fedorahosted.org/freeipa/ticket/1065 Ack, pushed to master.
[Freeipa-devel] [PATCH] 751 dogtag replication
The replication between dogtag servers wasn't using TLS or SSL. This uses a new option to pkisilent to create replication agreements that use TLS. The SSL cert we will use is the same as the main 389-ds instance via symbolic link. I tested with --selfsign, with dogtag and with dogtag signed by an external CA. ticket 1060 rob freeipa-rcrit-751-replication.patch
Re: [Freeipa-devel] [PATCH] 751 dogtag replication
Martin Kosek wrote:
On Thu, 2011-03-10 at 00:10 -0500, Rob Crittenden wrote:
The replication between dogtag servers wasn't using TLS or SSL. This uses a new option to pkisilent to create replication agreements that use TLS. The SSL cert we will use is the same as the main 389-ds instance via symbolic link. I tested with --selfsign, with dogtag and with dogtag signed by an external CA. ticket 1060 rob
ACK. The patch looks OK. I tested the installation process on both F-14 and F-15 (IPA with dogtag + replica, self-signed IPA + replica, IPA with external CA + replica) and the replication was OK. There were some issues during the testing, but they were found irrelevant in our IRC discussion. I am opening a ticket right now to increase the stability of IPA installation (after the DS restart, wait until the ports are open - then do the ldapmodify commands). Martin
pushed to master
[Freeipa-devel] Announcing FreeIPA v2 Server Release Candidate 3 Release
To all freeipa-interest, freeipa-users and freeipa-devel list members,
The FreeIPA project team is pleased to announce the availability of the Release Candidate 3 release of freeIPA 2.0 server [1]. This should be the last release candidate, becoming the final release if no critical problems are found.
* Binaries are available for F-14 and F-15.
* Please do not hesitate to share feedback, criticism or bugs with us on our mailing list: freeipa-us...@redhat.com
Main Highlights of the Release Candidate
This release consists primarily of bug fixes and polish across all areas of the project. Modifications include but are not limited to
* i18n improvements
* Fixed the self-service page in the WebUI
* Use TLS for CA replication
* Setting up Winsync agreements has been fixed
Focus of the Release Candidate Testing
* There was a Fedora test day for FreeIPA on Feb 15th [2]. These tests are still relevant and feedback would be appreciated. We are particularly interested to know if there are any problems setting up replication.
* The following section outlines the areas that we are mostly interested to test [3].
Significant Changes Since RC 2
To see all the tickets addressed since the rc2 release see [5].
Repositories and Installation
* Use the following link to install the RC 3 packages [4].
* FreeIPA relies on the latest versions of the packages currently available from the updates-testing repository. Please make sure to enable this repository before you proceed with installation.
Known Issues:
* Installing IPA on Fedora-15 works but can take more time than Fedora 14 due to systemd. It is not recognizing some restarts as being successful so only continues after a 3-minute timeout. We are working on a solution.
Thank you,
The FreeIPA development team
[1] http://www.freeipa.org/page/Downloads
[2] https://fedoraproject.org/wiki/QA/Fedora_15_test_days
[3] https://fedoraproject.org/wiki/Features/FreeIPAv2#How_To_Test
[4] http://freeipa.org/downloads/freeipa-devel.repo
[5] https://fedorahosted.org/freeipa/milestone/2.0.3.%20Bug%20Fixing%20%28GA%29
Detailed Changelog
Adam Young (7):
* Revert "Set hard limit on number of commands in batch request to 256."
* update API.txt
* Use modified entity find commands for associations
* fix truncated message
* typo in truncation message
* type in default text
* Better truncated message
Endi S. Dewata (13):
* Removed association facets based on memberofindirect.
* Replaced SUDO with Sudo in UI test data.
* Fixed attribute for SUDO command group membership.
* Save changes before modifying association.
* Fixed host enrollment time
* Fixed memory leak caused by IPA.dialog.
* Fixed memory leak caused by is_dirty dialogs.
* Fixed memory leak caused by reset password dialog.
* Fixed memory leak caused by DNS record adder dialog.
* Fixed memory leak caused by DNS record deleter dialog.
* Fixed memory leak caused by IPA.error_dialog.
* Fixed memory leak caused by certificate dialogs.
* Fixed self service page.
John Dennis (1):
* Add Transifex tx client configuration file
Martin Kosek (4):
* IPA replica/server install does not check for a client
* Inconsistent sysrestore file handling by IPA server installer
* Improve error handling and return status codes in ipactl
* ipa-dns-install script fails
Pavel Zuna (10):
* Remove deprecated i18n code from ipalib/request and all references to it.
* Send Accept-Language header over XML-RPC and translate on server.
* Fallback to default locale (en_US) if env. setting is corrupt.
* Translate docstrings.
* Fix translatable strings in ipalib plugins.
* Fix i18n related failures in unit tests.
* Use pygettext to generate translatable strings from plugin files.
* Final i18n unit test fixes.
* Fix error in user plugin email normalizer for empty --setattr=email=.
* Use ldapi: instead of unsecured ldap: in ipa core tools.
Rob Crittenden (12):
* Set SuiteSpotGroup when setting up our 389-ds instances.
* Use Sudo rather than SUDO as a label.
* Replace only if old and new have nothing in common
* Need to restart the dogtag 389-ds instance before using it.
* Skip DNS validation checks if we're setting up DNS in ipa-server-install.
* Fix style and grammatical issues in built-in command help.
* Update API to reflect doc change in force parameter in dnszone_add
* Always try to stop tracking the server cert when uninstalling client.
* If --hostname is provided for ipa-client-install use it everywhere.
* chkconfig the ipa service off when it is uninstalled.
* Use TLS for dogtag replication agreements.
* Become IPA v2 RC 3 (2.0.0.rc3)
Simo Sorce (9):
* Set the loginShell attribute on winsynced entries if configured
* Fix winsync agreements setup
* Unbreak the ipa winsync plugin.
* Fix user synchronization.
* Make activated/inactivated groups optional
* Use wrapper for sasl gssapi binds so it behaves like other binds
* Fix replica setup using replication
Re: [Freeipa-devel] Wrong timeout parameter in ipapython
Sylvain Baubeau wrote:

Hi,

I was facing an error with ipapython that caused an NSPRError exception to be raised at line 159 of ipapython/nsslib.py:

    157         logging.debug("connecting: %s", net_addr)
    158         try:
    159             self.sock.connect(net_addr, family)
    160         except Exception, e:
    161             logging.debug("Could not connect socket to %s, error: %s, retrying..",
    162                           net_addr, str(e))

The error message was:

    [Errno -5990] (PR_IO_TIMEOUT_ERROR) I/O operation timed out.

It seems like the second argument to 'connect' is a timeout, not the socket family. I attached a patch that just removes the second argument. Or am I missing something?

Regards
Sylvain Baubeau

I'll do a full review tomorrow but it looks like you are correct, this is timeout not family. Under what conditions were you getting the timeout? Are you using IPv4 or IPv6 addresses?

thanks

rob

___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Some observations based on the adhock testing
Dmitri Pal wrote:

Hi,

1) I confirmed that capitalization in the host name makes things not work. I had a VM with a capital letter in the name. Everything installed fine but then "ipa" command did not work and the httpd error log was complaining that the host principal was not found. I uninstalled, changed the name and installed again - the server worked fine. I think we should fix the ticket or at least do it in release notes.

Yes, we'll need to scope it to see if we can fix it soon.

2) I noticed that the memberOf plugin use changed in IPA. It now lists only direct members and indirect members are stored in the other attribute. Is IPA back end of the SSSD aware of that?

It just appears that way in the framework. Internally they are all still memberOf.

3) Admin is not a part of the ipausers group is this intentional?

Yes, admin is a special user.

4) There is an argument to make a group a posix group: --posix but the group is already a posix group if created by ipa group-add. Questions: how to create a non-posix group? How to make a posix group non-posix?

It must be created as non-posix at creation time with the flag --nonposix. You can't go back. Once a group is posix the only option is to remove it and re-create it.

rob
[Freeipa-devel] [PATCH] 752 fix SELinux AVCs
Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance. This fixes 2 AVCs:

* One because we are enabling port 7390 because an SSL port must be defined to use TLS on 7389.
* We were symlinking to the main IPA 389-ds NSS certificate database. Instead generate a separate NSS database and certificate and have certmonger track it separately.

I also noticed some variable inconsistency in cainstance.py. Everywhere else we use self.fqdn and that was using self.host_name. I found it confusing so I fixed it.

ticket 1085

freeipa-rcrit-752-selinux.patch Description: application/mbox
Re: [Freeipa-devel] [PATCH] admiyo-0213-Domain-to-Realm
Adam Young wrote:

Even though my name is on the patch, Simo wrote it and is the author in the patch.

This looks good, I just have one question. Is it not safe to assume that the default kerberos realm is the realm? I think that is where any realm that would be passed into this would be determined as well.

rob
[Freeipa-devel] [PATCH] 753 honor domain and server flags in client install
We now use TLS for the LDAP connection so need to fetch the IPA CA remotely very early in the process. Because we weren't honoring the server flags when doing DNS discovery we didn't know where to fetch the CA from.

ticket 1090

rob

freeipa-rcrit-753-client.patch Description: application/mbox
Re: [Freeipa-devel] [PATCH] admiyo-0213-Domain-to-Realm
Adam Young wrote:

On 03/15/2011 05:26 AM, Martin Kosek wrote:

On Mon, 2011-03-14 at 15:28 -0400, Adam Young wrote:

Even though my name is on the patch, Simo wrote it and is the author in the patch.

Patch looks good. Installation and replication with a realm different to domain name works like a charm now.

Martin

Can I consider that 3 ACKs?

Yes, push it.

rob
Re: [Freeipa-devel] [PATCH] 752 fix SELinux AVCs
Pavel Zuna wrote:

On 03/14/2011 09:33 PM, Rob Crittenden wrote:

Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance. This fixes 2 AVCs:

* One because we are enabling port 7390 because an SSL port must be defined to use TLS on 7389.
* We were symlinking to the main IPA 389-ds NSS certificate database. Instead generate a separate NSS database and certificate and have certmonger track it separately.

I also noticed some variable inconsistency in cainstance.py. Everywhere else we use self.fqdn and that was using self.host_name. I found it confusing so I fixed it.

ticket 1085

ACK!!

Pavel

Thanks, pushed to master
[Freeipa-devel] [PATCH] 754 ensure hostnames are lower-case
If a hostname has mixed-case in /etc/hosts or a mixed-case name is passed into either the client or host installer we need to prevent installation. The hostname should be lower-case otherwise all sorts of odd problems will happen.

ticket 1080

rob

freeipa-rcrit-754-hostname.patch Description: application/mbox
Re: [Freeipa-devel] [PATCH] 754 ensure hostnames are lower-case
Martin Kosek wrote:

On Wed, 2011-03-16 at 18:05 -0400, Rob Crittenden wrote:

If a hostname has mixed-case in /etc/hosts or a mixed-case name is passed into either the client or host installer we need to prevent installation. The hostname should be lower-case otherwise all sorts of odd problems will happen.

ticket 1080

rob

Patch is OK, but I think that "Check /etc/hosts." part of the error message may be confusing. Hostname with mixed-case we are complaining about doesn't have to be read from /etc/hosts. It may be passed for example by --hostname parameter or set on a machine by `hostname` command.

Martin

Updated patch with the Check part removed.

rob

freeipa-rcrit-754-2-hostname.patch Description: application/mbox
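The check discussed in this thread, written out as an added example; this is not the patch itself nor any code from the freeipa tree. It validates a hostname that may come from any source (--hostname, the `hostname` command, or /etc/hosts) and separately parses /etc/hosts-style text to flag mixed-case names. The reason the check matters is that Kerberos principal names are case-sensitive: a host enrolled as IPA.Example.Test gets a host/ principal that a lookup for ipa.example.test never matches, which is the "host principal was not found" symptom reported earlier on this list. The function names, the label rules (lower-case letters, digits and hyphens, at most 63 characters per label) and the sample /etc/hosts content are all assumptions constructed for the example.

```python
import re

# Constructed sample /etc/hosts content for the example (not from the thread).
SAMPLE_HOSTS = """\
127.0.0.1   localhost localhost.localdomain
# a mixed-case entry of the kind the installer should refuse
192.0.2.10  IPA.Example.Test ipa
192.0.2.11  replica1.example.test
"""

# One DNS label: lower-case alphanumerics and hyphens, no leading/trailing
# hyphen, 1..63 characters. Upper-case is deliberately not accepted.
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def check_hostname(name):
    """Return None if `name` is an acceptable lower-case FQDN, else a reason string.

    The lower-case test comes first so the operator gets the actionable message
    rather than a generic "invalid label" for a name like IPA.Example.Test."""
    if name != name.lower():
        return "hostname must be lower-case"
    labels = name.rstrip(".").split(".")
    if len(labels) < 2:
        return "hostname must be fully qualified"
    for label in labels:
        if not LABEL_RE.match(label):
            return "invalid label %r" % label
    return None


def mixed_case_entries(hosts_text):
    """Parse /etc/hosts-style text; return (lineno, name) for every mixed-case name.

    Each non-comment line is: address, canonical name, optional aliases. Trailing
    comments are stripped before splitting."""
    bad = []
    for lineno, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:  # fields[0] is the address
            if name != name.lower():
                bad.append((lineno, name))
    return bad


def verify_install_hostname(name, hosts_text):
    """Combine both checks for an installer: return a list of problems (empty = OK).

    Only /etc/hosts entries that refer to this host (case-insensitively) are
    reported, so unrelated mixed-case aliases do not block an install."""
    problems = []
    reason = check_hostname(name)
    if reason:
        problems.append("%s: %s" % (name, reason))
    for lineno, entry in mixed_case_entries(hosts_text):
        if entry.lower() == name.lower():
            problems.append("/etc/hosts line %d: %s is not lower-case" % (lineno, entry))
    return problems


if __name__ == "__main__":
    for candidate in ("ipa.example.test", "IPA.Example.Test", "replica1.example.test"):
        print(candidate, "->", verify_install_hostname(candidate, SAMPLE_HOSTS) or "OK")
```

An installer would call verify_install_hostname() with the name it is about to use and the real /etc/hosts contents, and abort before touching Kerberos or LDAP if the list is non-empty; silently lower-casing the name instead would leave /etc/hosts and the system hostname disagreeing with the principal that gets created.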
[Freeipa-devel] [PATCH] 755 upgrade IPA on installation
Re-enable ldapi code in ipa-ldap-updater and remove the searchbase restriction when run in --upgrade mode. This allows us to autobind giving root Directory Manager powers.

This also:

* corrects the ipa-ldap-updater man page
* removes automatic --realm, --server, --domain options
* handles upgrade errors properly
* saves a copy of dse.ldif before we change it so it can be recovered
* fixes an error discovered by pylint

ticket 1087

rob

freeipa-rcrit-755-upgrade.patch Description: application/mbox
Re: [Freeipa-devel] [PATCH] 755 upgrade IPA on installation
Martin Kosek wrote:

On Thu, 2011-03-17 at 17:10 -0400, Rob Crittenden wrote:

Re-enable ldapi code in ipa-ldap-updater and remove the searchbase restriction when run in --upgrade mode. This allows us to autobind giving root Directory Manager powers.

This also:

* corrects the ipa-ldap-updater man page
* removes automatic --realm, --server, --domain options
* handles upgrade errors properly
* saves a copy of dse.ldif before we change it so it can be recovered
* fixes an error discovered by pylint

ticket 1087

rob

NACK.

Patch is promising, ipa-ldap-updater --upgrade works just fine. The upgrade was also correctly executed after I did the RPM upgrade. But I have hit two issues:

1) When ipa-ldap-updater is run as a regular user on a configured IPA server I get the following error:

    $ ipa-ldap-updater
    IPA is not configured on this system.

This is because regular user cannot access /var/lib/ipa/sysrestore/. I guess we should either use another method of detecting installed IPA or make the script root-only (as we do with other scripts taking advantage of fstore).

2) I get stacktrace when I run ipa-ldap-updater with --ldapi:

    $ sudo ipa-ldap-updater --ldapi
    Traceback (most recent call last):
      File "/usr/sbin/ipa-ldap-updater", line 125, in
        sys.exit(main())
      File "/usr/sbin/ipa-ldap-updater", line 111, in main
        ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, live_run=not options.test, ldapi=options.ldapi)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 125, in __init__
        conn.do_external_bind(self.pw_name)
      File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 360, in do_external_bind
        self.__lateinit()
      File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 260, in __lateinit
        [ 'nsslapd-directory' ])
      File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 378, in getEntry
        raise errors.NotFound(reason=notfound(args))
    ipalib.errors.NotFound: * not found

I know that --ldapi did not work before the patch either, it just crashed with another stacktrace. But it would be nice to fix this one.

Martin

Issues addressed. I'm going to do a best-possible check for IPA Installation when non-root but stick with the fstore when doing it as root. This is because it is more important because it may be done automatically in rpm.

rob

freeipa-rcrit-755-2-upgrade.patch Description: application/mbox
Re: [Freeipa-devel] [PATCH] 755 upgrade IPA on installation
Rob Crittenden wrote:

Issues addressed. I'm going to do a best-possible check for IPA Installation when non-root but stick with the fstore when doing it as root. This is because it is more important because it may be done automatically in rpm.

rob

fixed a couple more issues Martin discovered:

- catch errors if the GSSAPI connection fails
- do console logging when doing a password-based update as root

rob

freeipa-rcrit-755-3-upgrade.patch Description: application/mbox
Re: [Freeipa-devel] [PATCH] 754 ensure hostnames are lower-case
Martin Kosek wrote:

On Thu, 2011-03-17 at 10:24 -0400, Rob Crittenden wrote:

Martin Kosek wrote:

On Wed, 2011-03-16 at 18:05 -0400, Rob Crittenden wrote:

If a hostname has mixed-case in /etc/hosts or a mixed-case name is passed into either the client or host installer we need to prevent installation. The hostname should be lower-case otherwise all sorts of odd problems will happen.

ticket 1080

rob

Patch is OK, but I think that "Check /etc/hosts." part of the error message may be confusing. Hostname with mixed-case we are complaining about doesn't have to be read from /etc/hosts. It may be passed for example by --hostname parameter or set on a machine by `hostname` command.

Martin

Updated patch with the Check part removed.

rob

ACK.

Martin

pushed to master
Re: [Freeipa-devel] [PATCH] Update translation files (ipa.pot, *po).
John Dennis wrote:

On 03/14/2011 11:28 AM, Pavel Zuna wrote:

I created a new patch with only the ipa.pot file updated as you suggested.

I haven't seen a commit for this though.

Pushed to master
Re: [Freeipa-devel] Wrong timeout parameter in ipapython
Martin Kosek wrote:

On Fri, 2011-03-11 at 11:37 +0100, Jakub Hrozek wrote:

On 03/11/2011 11:20 AM, Sylvain Baubeau wrote:

Yes, I'm using IPv4. It's even worse as the constant 'io.PR_AF_INET' (whose value is 2) is used in this case :)

Right.. Thank you very much for your contribution. I'm guessing we never hit the exception because most of our testing is done on a low-latency network..

ACK from me too. I amended the patch to show the ticket number for better tracking in GIT - attached. Rest of the patch left unchanged.

Martin

pushed to master. I added Sylvain to Contributors.txt too.

rob
Re: [Freeipa-devel] [PATCH] 755 upgrade IPA on installation
Martin Kosek wrote:

On Fri, 2011-03-18 at 11:21 -0400, Rob Crittenden wrote:

fixed a couple more issues Martin discovered:

- catch errors if the GSSAPI connection fails
- do console logging when doing a password-based update as root

rob

ACK. Good job, everything works fine.

Martin

pushed to master
Re: [Freeipa-devel] [PATCH] 039 Wait for Directory Server ports to open
Martin Kosek wrote:

On Tue, 2011-03-15 at 18:25 +, JR Aquino wrote:

On Mar 15, 2011, at 11:05 AM, Pavel Zuna wrote:

On 03/14/2011 06:03 PM, Martin Kosek wrote:

I know this is a 2.1 ticket, but the patch is probably also a solution of #1047 - a 2.0.5 bucket critical bug.

When Directory Server operation is run right after the server restart the listening ports may not be opened yet. This makes the installation fail. This patch fixes this issue by waiting for both secure and insecure Directory Server ports to open after every restart.

https://fedorahosted.org/freeipa/ticket/1076

ACK. Seems to also fix #1047, as I couldn't reproduce after this patch was applied.

Pavel

RE: 1047, I still seem to have an issue with the patch applied, but let me do a fresh reinstall and report back regarding 1047.

That's a good idea. Even though this patch fixes #1076, I am now not sure if it fixes #1047 too. We need to know the real root cause of #1047 - if it is really caused by unopened ports 389,636 after the Directory Server restart. If you get some useful logs in your test on a fresh reinstall (different from the ones already attached in the Trac), please send them too.

Martin

pushed to master
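The wait-for-ports behaviour described above, as an added example that is not the patch and not code from the freeipa tree. The idea is that after restarting the directory server the installer must not issue LDAP operations until the listeners are actually accepting connections, and if they never come up it should fail with a precise message rather than with whatever the first LDAP call happens to throw. The helper polls each port with a short TCP connect; the demo scaffolding below it (a listener that comes up late, standing in for a restarting 389-ds) is constructed for the example. The function names, the 300-second default and the 0.5-second poll interval are assumptions.

```python
import socket
import threading
import time


def port_open(host, port, connect_timeout=1.0):
    """True if a TCP connect to host:port completes within connect_timeout seconds.
    Connection refused (nothing listening yet) and a timeout both count as closed."""
    try:
        with socket.create_connection((host, port), timeout=connect_timeout):
            return True
    except OSError:
        return False


def wait_for_ports(host, ports, timeout=300.0, interval=0.5):
    """Poll until every port in `ports` accepts connections or `timeout` seconds elapse.

    Returns the list of ports that are still closed; an empty list means all came up.
    For an IPA server the caller would pass [389, 636] (plain and TLS LDAP) after each
    directory server restart and abort the install step if anything is still pending."""
    deadline = time.monotonic() + timeout
    pending = list(ports)
    while pending:
        pending = [p for p in pending if not port_open(host, p)]
        if not pending or time.monotonic() >= deadline:
            break
        time.sleep(interval)
    return pending


# --- demo scaffolding (constructed for this example): a listener that starts late ---

def reserve_port():
    """Pick a currently free loopback port: bind to 0, read the port back, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def start_late_listener(port, delay):
    """Begin listening on 127.0.0.1:port after `delay` seconds, in a background thread.
    Returns a threading.Event; set it to shut the listener down."""
    stop = threading.Event()

    def run():
        time.sleep(delay)
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", port))
        srv.listen(128)          # large backlog: the probes connect but never get accept()ed
        stop.wait()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return stop


if __name__ == "__main__":
    port = reserve_port()
    print("before the listener starts, still closed:",
          wait_for_ports("127.0.0.1", [port], timeout=0.5, interval=0.1))
    stop = start_late_listener(port, delay=1.0)
    print("after it starts, still closed:",
          wait_for_ports("127.0.0.1", [port], timeout=10, interval=0.1))
    stop.set()
```

The probe only proves that the kernel is completing TCP handshakes on the port; it says nothing about whether the server has finished loading its backends, which is why the thread above is careful not to claim that this alone explains #1047. A stricter readiness check would follow the connect with a real LDAP operation (an anonymous search of the root DSE, for instance), which is beyond what this example does.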
Re: [Freeipa-devel] [PATCH] 040 Prevent stacktrace when DNS AAAA record is added
Martin Kosek wrote:

This patch fixes a stacktrace that is printed out when an IPv6 record with subnet prefix length (e.g. /64) is added. The same error message is now used as when an IPv4 record with subnet prefix length is used.

https://fedorahosted.org/freeipa/ticket/1115

ack, pushed to master
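An added example of the kind of input validation the patch above is about; it is not the patch and not code from the freeipa tree. A and AAAA record data must be a single host address, so a value carrying a subnet prefix length (192.0.2.0/24, 2001:db8::/64) is rejected up front with one message for both families, and every other failure also surfaces as a user-facing error rather than as a traceback from the address parser. The class and function names and the exact message wording are assumptions; the parsing uses the standard library ipaddress module.

```python
import ipaddress


class ValidationError(ValueError):
    """User-facing validation failure: the CLI prints str(e), never a traceback."""


def validate_address_record(value, rectype):
    """Validate the data of an A (IPv4) or AAAA (IPv6) DNS record.

    Returns the normalized address text (e.g. 2001:DB8::1 -> 2001:db8::1).
    Raises ValidationError, with the same wording for both families, when the
    value carries a subnet prefix length (network notation, not a host address),
    when it does not parse at all, or when it is of the wrong address family
    for the record type."""
    if rectype not in ("A", "AAAA"):
        raise ValueError("unsupported record type %r" % rectype)
    # Prefix check first: ipaddress.ip_address() would reject "x/64" with a
    # generic parse error, which is the stack trace the patch got rid of.
    if "/" in value:
        raise ValidationError(
            "%s record: IP address cannot contain a subnet prefix length" % rectype)
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        raise ValidationError(
            "%s record: %r is not a valid IP address" % (rectype, value)) from None
    expected = 4 if rectype == "A" else 6
    if addr.version != expected:
        raise ValidationError("%s record requires an IPv%d address, got IPv%d"
                              % (rectype, expected, addr.version))
    return str(addr)


def check_address_record(value, rectype):
    """Convenience wrapper: the error message, or None when the value is accepted."""
    try:
        validate_address_record(value, rectype)
    except ValidationError as e:
        return str(e)
    return None


if __name__ == "__main__":
    for value, rectype in (("192.0.2.1", "A"), ("192.0.2.0/24", "A"),
                           ("2001:DB8::1", "AAAA"), ("2001:db8::/64", "AAAA"),
                           ("192.0.2.1", "AAAA")):
        print("%-5s %-16s -> %s" % (rectype, value,
                                    check_address_record(value, rectype) or "OK"))
```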
Re: [Freeipa-devel] [PATCHES] Fix some of the issues found by coverity
Simo Sorce wrote:

One is a memory leak that can happen in some error paths. It is not highly probable to happen, so it can be deferred to post GA.

The other is an uninitialized variable that could cause a segfault in some cases (not seen in the wild, depends on an error path too).

Simo.

Ack on both. Only 0095 pushed to master so far, holding onto 0096 until post-GA.

rob
[Freeipa-devel] Announcing FreeIPA v2 Server
The FreeIPA Project (http://freeipa.org) is proud to present FreeIPA version 2.0.

FreeIPA is an integrated security information management solution combining Linux (Fedora), 389 Directory Server, MIT Kerberos and NTP. FreeIPA binds together a number of technologies and adds a web interface and command-line administration tools.

Features of FreeIPA v2.0 include:

* Centralized authentication via Kerberos or LDAP
* Identity management for users, groups, hosts and services
* Pluggable and extensible framework for UI/CLI
* Rich CLI
* Web-based User Interface
* Server X.509 v3 certificate provisioning capabilities
* Managing host identities including grouping hosts
* Defining host-based access control rules that will be enforced on the client side by the IPA back end for SSSD [1]
* Serving netgroups based on user and host objects stored in IPA
* Serving sets of automount maps to different clients
* Finer-grained management delegation
* Group-based password policies
* Centrally-managed SUDO
* Automatic management of private groups
* Compatibility with broad set of clients
* Painless password migration
* Optional integrated DNS server managed by IPA
* Optional integrated Certificate Authority to manage server certificates managed by IPA
* Can act as NIS server for legacy systems
* Supports multi-server deployment based on the multi-master replication
* User and group replication with MS Active Directory

We encourage users and developers to start testing and deploying FreeIPA in their environments. A very simple installation procedure is provided and is part of the effort of making these complex technologies simple to use and friendly to administrators.

We encourage people to experiment and evaluate the current release, we welcome feedback on the overall experience and bug reports [2]. We also would like to encourage interested users and developers to join our mailing list and discuss features and development directions [3].

The complete source code[4] is available for download here: http://www.freeipa.org/page/Downloads

See our git repository at http://git.fedorahosted.org/git/freeipa.git/ for a complete changelog.

FreeIPA 2.0 is available in Fedora 15, see Known Issues below. You will need to enable the updates-testing repository, e.g.

    # yum install freeipa-server --enablerepo=updates-testing

Have Fun!
The FreeIPA Project Team.

---
[1] https://fedorahosted.org/sssd/
[2] https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora (component is ipa)
[3] http://freeipa.org/page/Contribute

Known Issues

* The latest tomcat6 package has not been pushed to updates-testing. You need tomcat6-6-0.30-5 or higher. The packages can be retrieved from koji at http://koji.fedoraproject.org/koji/buildinfo?buildID=231410 . The installation will fail restarting the CA with the current tomcat6 package in Fedora 15.
* If the domain and realm do not match you may need to use the --force flag with ipa-client-install.
* Dogtag replication is done separately from IPA replication. The ipa-replica-manage tool does not currently operate on dogtag replication agreements.
* The OCSP URL encoded in dogtag certificates is by default the CA machine that issued the certificate.

Detailed Changelog since FreeIPA v2.0.0 rc3

Adam Young (1):
* pwpolicy priority
  Priority is now a required field in order to add a new password policy. Thus, not having the field present means we cannot create one.

Endi S. Dewata (1):
* Removed nested role from UI.

Martin Kosek (2):
* Wait for Directory Server ports to open
* Prevent stacktrace when DNS record is added

Pavel Zuna (1):
* Update translation file (ipa.pot).

Rob Crittenden (4):
* Always consider domain and server when doing DNS discovery in client.
* Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance.
* Ensure that the system hostname is lower-case.
* Automatically update IPA LDAP on rpm upgrades

Simo Sorce (1):
* Domain to Realm
  Explicitly use the realm specified on the command line. Many places were assuming that the domain and realm were the same.
* Fix uninitialized variable.