[Freeipa-devel] [PATCH] Disable renaming to empty string

2011-01-24 Thread Jan Zelený
So far it was possible to rename any object using LDAPUpdate to a name with empty primary key. Since this can cause nasty problems, this patch disables empty string in --rename argument. https://fedorahosted.org/freeipa/ticket/827 Jan From 5d2eb85af1df7c20049e7fdc05e6a529a2b2839b Mon Sep 17

Re: [Freeipa-devel] [PATCH] Disable renaming to empty string

2011-01-24 Thread Simo Sorce
On Mon, 24 Jan 2011 09:38:45 +0100 Jan Zelený jzel...@redhat.com wrote: So far it was possible to rename any object using LDAPUpdate to a name with empty primary key. Since this can cause nasty problems, this patch disables empty string in --rename argument.

Re: [Freeipa-devel] [PATCH] 039 Delete the whole DNS record with no parameters

2011-01-24 Thread Jakub Hrozek
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/22/2011 02:28 AM, Adam Young wrote: Does any of this imply that we should change the WebUI handling of Zone or Record deletes? Sorry, I don't know enough about the WebUI to give an authoritative answer. I'll try to summarize the changes I

Re: [Freeipa-devel] [PATCH] Make ipa permission-add ask for optional attributes

2011-01-24 Thread Rob Crittenden
Jan Zelený wrote: Rob Crittenden rcrit...@redhat.com wrote: Jan Zeleny wrote: Either one of type, filter, subtree, targetgroup, attrs or memberof is required. https://fedorahosted.org/freeipa/ticket/819 Jan Do you think the prompt should be annotated somehow to indicate that the optional

Re: [Freeipa-devel] [PATCH] 039 Delete the whole DNS record with no parameters

2011-01-24 Thread Adam Young
On 01/24/2011 09:51 AM, Jakub Hrozek wrote: Sorry, I don't know enough about the WebUI to give an authoritative answer. I'll try to summarize the changes I did, if it doesn't answer your question, please catch me on IRC:-) The only change to the API is a new option del_all that specifies that

[Freeipa-devel] OpenSSL CA complains that CSR from --external-ca missing mandatory Country field.

2011-01-24 Thread Jeff B
I'm not sure if this is a user error or a bug. I didn't see a way to tell OpenSSL to not require that Country be in the CSR. Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows organizationName :PRINTABLE:'MYREALM.COM' commonName

Re: [Freeipa-devel] OpenSSL CA complains that CSR from --external-ca missing mandatory Country field.

2011-01-24 Thread Rob Crittenden
Jeff B wrote: I'm not sure if this is a user error or a bug. I didn't see a way to tell OpenSSL to not require that Country be in the CSR. Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows organizationName :PRINTABLE:'MYREALM.COM'

Re: [Freeipa-devel] OpenSSL CA complains that CSR from --external-ca missing mandatory Country field.

2011-01-24 Thread Jeff B
On Mon, Jan 24, 2011 at 10:38 AM, Jeff B jeffb.l...@gmail.com wrote: You are right. I changed: [ policy_match ] countryName             = match stateOrProvinceName     = match organizationName        = match organizationalUnitName  = optional commonName              = supplied

[Freeipa-devel] [PATCH] fix doctest

2011-01-24 Thread Rob Crittenden
I pushed this under the 1-liner rule, it fixes a doctest failure. rob From 76cbd48896bc8953fdd7abf4afd797ffb6cbfc92 Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Mon, 24 Jan 2011 10:41:20 -0500 Subject: [PATCH] Fix exception doctest failure --- ipalib/errors.py |4

[Freeipa-devel] [PATCH] 688 fix some unit tests

2011-01-24 Thread Rob Crittenden
It looks like python 2.7 changed the API of time.utcoffset(), this should fix the tests. We have recently relaxed what input a Str will take, the tests need to be updated to accommodate. rob From 459b204be01bd57ba2420a269b3a9702dfc22a3c Mon Sep 17 00:00:00 2001 From: Rob Crittenden

[Freeipa-devel] [PATCH] 689 make deepcopy of objectclasses

2011-01-24 Thread Rob Crittenden
In the host plugin we modify the default set of objectclasses depending on what kind of host we're creating. This was actually updating the objectclass of the object itself so that the objectclass variable was storing duplicate objectclasses (because we sometimes append values). Make a

Re: [Freeipa-devel] [PATCH] 689 make deepcopy of objectclasses

2011-01-24 Thread Jakub Hrozek
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/24/2011 04:50 PM, Rob Crittenden wrote: In the host plugin we modify the default set of objectclasses depending on what kind of host we're creating. This was actually updating the objectclass of the object itself so that the objectclass

Re: [Freeipa-devel] [PATCH] 689 make deepcopy of objectclasses

2011-01-24 Thread Rob Crittenden
Jakub Hrozek wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/24/2011 04:50 PM, Rob Crittenden wrote: In the host plugin we modify the default set of objectclasses depending on what kind of host we're creating. This was actually updating the objectclass of the object itself so that

Re: [Freeipa-devel] [PATCH] 688 fix some unit tests

2011-01-24 Thread Jakub Hrozek
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/24/2011 04:46 PM, Rob Crittenden wrote: It looks like python 2.7 changed the API of time.utcoffset(), this should fix the tests. We have recently relaxed what input a Str will take, the tests need to be updated to accommodate. rob Ack

Re: [Freeipa-devel] [PATCH] 689 make deepcopy of objectclasses

2011-01-24 Thread Jakub Hrozek
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/24/2011 04:58 PM, Rob Crittenden wrote: Jakub Hrozek wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/24/2011 04:50 PM, Rob Crittenden wrote: In the host plugin we modify the default set of objectclasses depending on what kind

[Freeipa-devel] Results of some testing

2011-01-24 Thread Dmitri Pal
Hello, Here are some issues that I came across during my testing of the latest IPA version on Friday. Please take a look and file tickets as appropriate. 1) Can't bail out from the install Start IPA install without any command line parameters. At any prompt try to stop installation by pressing

[Freeipa-devel] Problem trying to install --external_cert_file. says system is already configured.

2011-01-24 Thread Jeff B
I'm trying to do an ipa-server-install with an --external-ca but after it generates the .csr and I sign a .crt I can't run the followup ipa-server-install to import the certificate. I don't think I'm supposed to run an --uninstall between the --external-ca and the --external_cert_file

[Freeipa-devel] [PATCH] 0070 Create DNS entries early on

2011-01-24 Thread Simo Sorce
See ticket #833 for a detailed explanation. Simo. -- Simo Sorce * Red Hat, Inc * New York From f74f30aa01a7b3cc669ebf0275ad7e3768ede787 Mon Sep 17 00:00:00 2001 From: Simo Sorce sso...@redhat.com Date: Mon, 24 Jan 2011 11:42:53 -0500 Subject: [PATCH] Create DNS records as early as possible

Re: [Freeipa-devel] Results of some testing

2011-01-24 Thread Rob Crittenden
Dmitri Pal wrote: Hello, Here are some issues that I came across during my testing of the latest IPA version on Friday. Please take a look and file tickets as appropriate. 1) Can't bail out from the install Start IPA install without any command line parameters. At any prompt try to stop

Re: [Freeipa-devel] [PATCH] Modified description of nsaccountlock attribute

2011-01-24 Thread Jan Zeleny
Jan Zelený jzel...@redhat.com wrote: The original one was misleading, giving the value exactly opposite meaning than it actually was. https://fedorahosted.org/freeipa/ticket/741 Jan Just a reminder that this patch still needs a review. Jan ___

Re: [Freeipa-devel] [PATCH] Modified description of nsaccountlock attribute

2011-01-24 Thread Jan Zeleny
Jan Zeleny jzel...@redhat.com wrote: Jan Zelený jzel...@redhat.com wrote: The original one was misleading, giving the value exactly opposite meaning than it actually was. https://fedorahosted.org/freeipa/ticket/741 Jan Just a reminder that this patch still needs a review. Jan

Re: [Freeipa-devel] [PATCH] Changed dns permission types

2011-01-24 Thread Jan Zeleny
Jan Zelený jzel...@redhat.com wrote: Rob Crittenden rcrit...@redhat.com wrote: Jan Zelený wrote: Recent change of DNS module to version caused that dns object type was replaced by dnszone and dnsrecord. This patch corrects dns types in permissions class.

Re: [Freeipa-devel] [PATCH] Check field's validity before executing add

2011-01-24 Thread Adam Young
On 01/22/2011 07:49 PM, Endi Sukma Dewata wrote: This should fix this bug: https://fedorahosted.org/freeipa/ticket/660 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel NACK: Too many

Re: [Freeipa-devel] [PATCH] Added scrollable panel for delete dialog box.

2011-01-24 Thread Adam Young
On 01/22/2011 07:46 PM, Endi Sukma Dewata wrote: This is required by the latest spec. May need further revision. ACK. As follow on, we

Re: [Freeipa-devel] [PATCH] Added spaces around radio buttons.

2011-01-24 Thread Adam Young
On 01/22/2011 07:45 PM, Endi Sukma Dewata wrote: This is required by the latest spec. ACK

Re: [Freeipa-devel] [PATCH] Removed 'name' from 'Sudo Command Group name'

2011-01-24 Thread Adam Young
On 01/22/2011 07:46 PM, Endi Sukma Dewata wrote: This is required by the latest spec. ACK

Re: [Freeipa-devel] [PATCH] Added scrollable panel for delete dialog box.

2011-01-24 Thread Adam Young
On 01/24/2011 01:29 PM, Adam Young wrote: On 01/22/2011 07:46 PM, Endi Sukma Dewata wrote: This is required by the latest spec. May need further revision.

Re: [Freeipa-devel] [PATCH] Added spaces around radio buttons.

2011-01-24 Thread Adam Young
On 01/24/2011 01:29 PM, Adam Young wrote: On 01/22/2011 07:45 PM, Endi Sukma Dewata wrote: This is required by the latest spec. ACK

Re: [Freeipa-devel] [PATCH] Removed 'name' from 'Sudo Command Group name'

2011-01-24 Thread Adam Young
On 01/24/2011 01:31 PM, Adam Young wrote: On 01/22/2011 07:46 PM, Endi Sukma Dewata wrote: This is required by the latest spec. ACK

Re: [Freeipa-devel] Problem trying to install --external_cert_file. says system is already configured.

2011-01-24 Thread Rob Crittenden
Jeff B wrote: I'm trying to do an ipa-server-install with an --external-ca but after it generates the .csr and I sign a .crt I can't run the followup ipa-server-install to import the certificate. I don't think I'm supposed to run an --uninstall between the --external-ca and the

Re: [Freeipa-devel] Results of some testing

2011-01-24 Thread Dmitri Pal
Rob Crittenden wrote: Dmitri Pal wrote: Hello, Here are some issues that I came across during my testing of the latest IPA version on Friday. Please take a look and file tickets as appropriate. 1) Can't bail out from the install Start IPA install without any command line parameters. It

Re: [Freeipa-devel] Results of some testing

2011-01-24 Thread Rob Crittenden
Dmitri Pal wrote: Rob Crittenden wrote: Dmitri Pal wrote: Hello, Here are some issues that I came across during my testing of the latest IPA version on Friday. Please take a look and file tickets as appropriate. 1) Can't bail out from the install Start IPA install without any command line

Re: [Freeipa-devel] [PATCH] 683 block anonymous access to hbac info

2011-01-24 Thread Rob Crittenden
JR Aquino wrote: On 1/20/11 10:05 AM, Rob Crittenden rcrit...@redhat.com wrote: Simo Sorce wrote: On Wed, 19 Jan 2011 17:51:56 -0500 Rob Crittenden rcrit...@redhat.com wrote: +aci: (targetattr = member || memberOf || memberHost || memberUser)(version 3.0; acl No anonymous access to member

Re: [Freeipa-devel] [PATCH] 688 fix some unit tests

2011-01-24 Thread Rob Crittenden
Jakub Hrozek wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/24/2011 04:46 PM, Rob Crittenden wrote: It looks like python 2.7 changed the API of time.utcoffset(), this should fix the tests. We have recently relaxed what input a Str will take, the tests need to be updated to

Re: [Freeipa-devel] [PATCH] 689 make deepcopy of objectclasses

2011-01-24 Thread Rob Crittenden
Jakub Hrozek wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/24/2011 04:58 PM, Rob Crittenden wrote: Jakub Hrozek wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/24/2011 04:50 PM, Rob Crittenden wrote: In the host plugin we modify the default set of objectclasses

Re: [Freeipa-devel] Results of some testing

2011-01-24 Thread Dmitri Pal
Rob Crittenden wrote: Dmitri Pal wrote: Rob Crittenden wrote: Dmitri Pal wrote: Hello, Here are some issues that I came across during my testing of the latest IPA version on Friday. Please take a look and file tickets as appropriate. 1) Can't bail out from the install Start IPA install

Re: [Freeipa-devel] Problem trying to install --external_cert_file. says system is already configured.

2011-01-24 Thread Jeff B
I don't want to start filing tickets since I'm not that familiar with the project but here is another similar one where the checks aren't necessarily doing what they are intended to be doing. Steps: 1. ran install with --external-ca 2. tried running with --external_cert_file but hit error in #835

[Freeipa-devel] [PATCH] 0071 Make -u optional in unattended mode

2011-01-24 Thread Simo Sorce
We have a default user name, which is also the recommended one, it made no sense to force users to specify it at the command line for unattended installations. Just use the default if none is provided. Ticket #836 Simo. -- Simo Sorce * Red Hat, Inc * New York From

Re: [Freeipa-devel] [PATCH] 0071 Make -u optional in unattended mode

2011-01-24 Thread Jakub Hrozek
On 01/24/2011 09:27 PM, Simo Sorce wrote: We have a default user name, which is also the recommended one, it made no sense to force users to specify it at the command line for unattended installations. Just use the default if none is provided. Ticket #836 Simo. Ack

Re: [Freeipa-devel] [PATCH] 0066 remove binddn when using GSSAPI for replication

2011-01-24 Thread Jakub Hrozek
On 01/20/2011 01:43 AM, Simo Sorce wrote: See ticket #817 Simo. Ack

Re: [Freeipa-devel] [PATCH] 0071 Make -u optional in unattended mode

2011-01-24 Thread Simo Sorce
On Mon, 24 Jan 2011 22:00:37 +0100 Jakub Hrozek jhro...@redhat.com wrote: On 01/24/2011 09:27 PM, Simo Sorce wrote: We have a default user name, which is also the recommended one, it made no sense to force users to specify it at the command line for unattended installations. Just use the

Re: [Freeipa-devel] [PATCH] 0066 remove binddn when using GSSAPI for replication

2011-01-24 Thread Simo Sorce
On Mon, 24 Jan 2011 22:28:57 +0100 Jakub Hrozek jhro...@redhat.com wrote: On 01/20/2011 01:43 AM, Simo Sorce wrote: See ticket #817 Simo. Ack Pushed to master Simo. -- Simo Sorce * Red Hat, Inc * New York

[Freeipa-devel] [PATCH] 690 add brackets around optional prompts

2011-01-24 Thread Rob Crittenden
When prompting for arguments in the cli there is no way to tell what is optional and what is required. This sticks brackets around optional arguments. Ticket 832 rob From 493040768759d1d215c26456198e0af5354333fe Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Mon, 24

Re: [Freeipa-devel] [PATCH] 0069 Add/Remove DNS records for replicas

2011-01-24 Thread Jakub Hrozek
On 01/23/2011 02:09 AM, Simo Sorce wrote: Do it always when the dns tree is available, even if the replica being installed doesn't provide dns service itself. Ticket #824 Simo. I tried applying this on top of both origin/master and 068 but did not succeed. Can you rebase, please?

[Freeipa-devel] [PATCH] 691 add --hostname option to ipa-client-install

2011-01-24 Thread Rob Crittenden
Let the installer override the detected hostname value with the --hostname flag. This is likely to lead to a non-working installation so let the buyer beware. ticket 834 rob From 08b985fc9deae2f8f46e5b5acda9e12fc8ace578 Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date:

[Freeipa-devel] No luck using ds-migrate to import Apple Open Directory

2011-01-24 Thread Jeff B
Apple Open Directory is as follows: cn=users,dc=host,dc=domain,dc=tld cn=groups,dc=host,dc=domain,dc=tld User records have the following object classes: - person - top - organizationalPerson - extensibleObject - apple-user - shadowAccount - posixAccount - inetOrgPerson Group records have the

Re: [Freeipa-devel] [PATCH] 691 add --hostname option to ipa-client-install

2011-01-24 Thread Dmitri Pal
Rob Crittenden wrote: Let the installer override the detected hostname value with the --hostname flag. This is likely to lead to a non-working installation so let the buyer beware. ticket 834 I do not think this is enough. There is a part of the ipa-client-install other than ipa-join that

Re: [Freeipa-devel] [PATCH] 691 add --hostname option to ipa-client-install

2011-01-24 Thread Rob Crittenden
Dmitri Pal wrote: Rob Crittenden wrote: Let the installer override the detected hostname value with the --hostname flag. This is likely to lead to a non-working installation so let the buyer beware. ticket 834 I do not think this is enough. There is a part of the ipa-client-install other

Re: [Freeipa-devel] No luck using ds-migrate to import Apple Open Directory

2011-01-24 Thread Rob Crittenden
Jeff B wrote: Apple Open Directory is as follows: cn=users,dc=host,dc=domain,dc=tld cn=groups,dc=host,dc=domain,dc=tld User records have the following object classes: - person - top - organizationalPerson - extensibleObject - apple-user - shadowAccount - posixAccount - inetOrgPerson Group

[Freeipa-devel] [PATCH] admiyo-0156-remove-icons-from-association-buttons.

2011-01-24 Thread Adam Young
From b4313a5605bdd9de95d4bb245196d13aa54a7e46 Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Mon, 24 Jan 2011 22:00:38 -0500 Subject: [PATCH] remove icons from association buttons --- install/ui/widget.js |2 -- 1 files changed, 0 insertions(+), 2 deletions(-) diff

[Freeipa-devel] [PATCH] admiyo-0157-aci-attribute-table-two-columns.patc

2011-01-24 Thread Adam Young
From 9611600891b8e594f25cd04f8aa5b2f0c1ca79f9 Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Mon, 24 Jan 2011 22:21:31 -0500 Subject: [PATCH] aci attribute table two columns --- install/ui/aci.js | 31 +++ install/ui/ipa.css |9 + 2

Re: [Freeipa-devel] [PATCH] Changed dns permission types

2011-01-24 Thread Rob Crittenden
Jan Zelený wrote: Rob Crittenden rcrit...@redhat.com wrote: Jan Zelený wrote: Recent change of DNS module to version caused that dns object type was replaced by dnszone and dnsrecord. This patch corrects dns types in permissions class. https://fedorahosted.org/freeipa/ticket/646 Nack. These

[Freeipa-devel] [PATCH] admiyo-0158-action-buttons-for-dns

2011-01-24 Thread Adam Young
From 27660b175d90b1d7b96958aa537a96ff46b498b8 Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Mon, 24 Jan 2011 22:30:28 -0500 Subject: [PATCH] action buttons for dns --- install/ui/policy.js |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git