Re: [Freeipa-devel] Sudoers schema

2010-08-03 Thread JR Aquino
That was the original design, however I was told that this is not something people will be interested in. Thanks for you data point but to change it we probably need couple more data points and comments. I would be very interested as to why there was resistance or a thought that people would

Re: [Freeipa-devel] Sudoers schema

2010-08-04 Thread JR Aquino
One was performance, memberOf isn't free. The second was complexity. Lets say you define command R and assign it to command groups A, B and C. The admin of group B needs to tweak the command a bit so he modifies R. This could have a negative impact on command groups A and C. So for

Re: [Freeipa-devel] [PATCH] 2 Addressing issues found in SUDO schema

2010-09-24 Thread JR Aquino
Looks like there was a typo in the hostMask. The others were correct. -attributeTypes: (2.16.840.1.113730.3.8.7.11 NAME 'hostMask' DESC 'IP mask to identify a subnet.' EQUALITY caseIgnoreIA5Match ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15

[Freeipa-devel] Sudo Schema Bug

2010-09-29 Thread JR Aquino
also added to a 'deny' command group, the compat layer should prepend the ! for us. Please let me know if anyone has any objections or observations. ~ Jr Aquino, GCIH | Information Security Specialist Citrix Online | 6500 Hollister Avenue | Goleta, CA 93117 T

Re: [Freeipa-devel] Sudo Schema Bug

2010-09-29 Thread JR Aquino
objectClass: sudoRole objectClass: top cn: role1 sudoUser: johnny sudoHost: ALL sudoCommand: ALL sudoCommand: !/bin/sh =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Jr Aquino | Information Security Specialist Citrix Online Division May be I misunderstood how things

Re: [Freeipa-devel] Sudo Schema Bug

2010-09-30 Thread JR Aquino
...@citrixonline.com so spake JR Aquino (JR.Aquino): Todd, if you have a moment, could you weigh in on this? We are trying to clarify as to whether Sudo is a first match and stop, or if it will search the whole directory for rules that match and then make a calcu lated decision. When using /etc

Re: [Freeipa-devel] Sudo Schema Bug/Feature

2010-09-30 Thread JR Aquino
a system that is only functional if our user base subscribes to ALL of our software components. ~ Jr Aquino, GCIH | Information Security Specialist Citrix Online | 6500 Hollister Avenue | Goleta, CA 93117 T: +1 805.690.3478 jr.aqu

Re: [Freeipa-devel] Sudo Schema Bug/Feature

2010-09-30 Thread JR Aquino
On Sep 30, 2010, at 9:37 AM, Sumit Bose wrote: I agree, I only made the suggestion about the IPA server, because I think that this feature is a bug in the current sudo code base, an annoying bug at best and a serious security issue at worst. It is both a bug and a security concern... one that

Re: [Freeipa-devel] Sudo Schema Bug/Feature

2010-09-30 Thread JR Aquino
btw. I cannot reproduce your issue where a command is denied where only user and host is matching, can you give an example where this is happening? Thanks I retract my previous statement and stand corrected: I have run a test and verified on Redhat Enterprise 5.5 that Sudo is behaving as we

Re: [Freeipa-devel] Sudo Schema Bug/Feature

2010-10-04 Thread JR Aquino
On Oct 4, 2010, at 2:02 PM, Rob Crittenden wrote: Dmitri Pal wrote: Dmitri Pal wrote: Dmitri Pal wrote: How do we adjust FreeIPA such that it ensures Deny-IPASudoRules precede any Allow-IPASudoRules ? So it looks like current schema would not fly well with SUDO due to SUDO

Re: [Freeipa-devel] Sudo Schema Bug/Feature

2010-10-04 Thread JR Aquino
On Oct 4, 2010, at 2:02 PM, Rob Crittenden wrote: Dmitri Pal wrote: Dmitri Pal wrote: Dmitri Pal wrote: How do we adjust FreeIPA such that it ensures Deny-IPASudoRules precede any Allow-IPASudoRules ? So it looks like current schema would not fly well with SUDO due to SUDO

[Freeipa-devel] [ PATCH ] lite-server.py failing due to cli.py dependency: import default_encoding_utf8

2010-11-01 Thread JR Aquino
./lite-server.py -d ipa: DEBUG: importing all plugin modules in '/usr/src/freeipa/ipalib/plugins'... ipa: DEBUG: importing plugin module '/usr/src/freeipa/ipalib/plugins/aci.py' ipa: DEBUG: importing plugin module '/usr/src/freeipa/ipalib/plugins/automount.py' ipa: ERROR: could not load plugin

[Freeipa-devel] [ Patch ] sudo plugins updated to reflect sudocmd attribute change

2010-11-02 Thread JR Aquino
Patches for sudocmd attribute change and support for sudorule cmdCategory. 0001-Added-fixes-to-adjust-for-sudocmd-attribute-for-sudo.patch Description: 0001-Added-fixes-to-adjust-for-sudocmd-attribute-for-sudo.patch ___ Freeipa-devel mailing list

[Freeipa-devel] [ PATCH ] lite-server.py failing due to cli.py dependency: import default_encoding_utf8

2010-11-03 Thread JR Aquino
./lite-server.py -d ipa: DEBUG: importing all plugin modules in '/usr/src/freeipa/ipalib/plugins'... ipa: DEBUG: importing plugin module '/usr/src/freeipa/ipalib/plugins/aci.py' ipa: DEBUG: importing plugin module '/usr/src/freeipa/ipalib/plugins/automount.py' ipa: ERROR: could not load plugin

Re: [Freeipa-devel] [ PATCH ] lite-server.py failing due to cli.py dependency: import default_encoding_utf8

2010-11-03 Thread JR Aquino
This issue is resolved. A full uninstall and reinstall properly fixed the dependency issue. On 11/3/10 8:33 AM, Dmitri Pal d...@redhat.com wrote: JR Aquino wrote: ./lite-server.py -d ipa: DEBUG: importing all plugin modules in '/usr/src/freeipa/ipalib/plugins'... ipa: DEBUG: importing plugin

[Freeipa-devel] Where we are with SUDO?

2010-11-18 Thread JR Aquino
On 11/18/10 8:16 AM, Nalin Dahyabhai na...@redhat.com wrote: snipit ToDo's: * Get sudo compat to translate usergroup/posix group's such that it can prepend a %groupname - notice that it is not fully qualified dn. If memberUser can point to either a user or a group, and we read a

Re: [Freeipa-devel] Where we are with SUDO?

2010-11-24 Thread JR Aquino
Progress! Ok, here is the latest data from the lab. The compat translation is almost there!!! * The sudoers container has correctly been moved out to the top of the tree. I think it only needs 1 small final edit, the sudo ldap default is to look for: ou=sudoers, rather than what is currently

Re: [Freeipa-devel] Host groups and netgroups

2010-11-24 Thread JR Aquino
If this proposal looks reasonable I will open a ticket. JR will you be able to provide a patch that does all of this since this is not exactly what we originally planned? Your premise makes a lot of sense. This is very promising news Dmitri. Let me consider how I would accommodate the patch,

Re: [Freeipa-devel] Host groups and netgroups

2010-11-29 Thread JR Aquino
On 11/24/10 11:19 AM, Dmitri Pal d...@redhat.com wrote: Hello, It is well known that with IPA we want to try to move people from the netgroups to host groups but many companies currently use netgroups as hostgroups. To simplify migration I suggest that we by default always create a managed

[Freeipa-devel] [PATCH] Hostgroups - Netgroups Managed Entries

2010-12-06 Thread JR Aquino
Hello, Please review the attached patch. It is meant to address: https://fedorahosted.org/freeipa/ticket/543 This patch adds support for the default behavior of adding/deleting/modifing an ipaNetgroup anytime an ipaHostgroup is added/deleted/modified. As requested by the ticket, the cli does

[Freeipa-devel] [PATCH 2] Adding user/host category and ipaenabledflag

2010-12-07 Thread JR Aquino
This patch is for ticket: https://fedorahosted.org/freeipa/ticket/570 This patch Addresses items: 1. The UI needs a rule status with values active inactive. The CLI doesn't have this attribute. HBAC has ipaenabledflag attribute which can be managed using hbac-enable/disable operations. 2.

Re: [Freeipa-devel] [PATCH 3] Adding CLI Enable/Disable Operations for SudoRules

2010-12-08 Thread JR Aquino
PM, JR Aquino wrote: This patch Addresses items: 1. The UI needs a rule status with values active inactive. The CLI doesn't have this attribute. HBAC has ipaenabledflag attribute which can be managed using hbac-enable/disable operations. 2. The UI needs a user category for the Who section

Re: [Freeipa-devel] [PATCH] sudo and netgroup schema compat updates

2010-12-08 Thread JR Aquino
I just had a chance to revisit this. It appears that the host piece still doesn't work quite right. This time, I am missing the sudoHost translation entirely. dn: ipaUniqueID=e52c8e06-0315-11e0-b2dd-8a3d259cb0b9,cn=sudorules,dc=example,dc =com objectClass: ipaassociation objectClass:

[Freeipa-devel] [PATCH 4] dbe instead of lde (ipa-compat-manage/ipa-nis-manage)

2010-12-08 Thread JR Aquino
The error handling refers to lde as a typo... When the exception occurs due to a database error, it gets captured as: dbe. This is a One line bug fix for compat and nis tools freeipa-jaquino-0004-dbe-instead-of-lde.patch Description: freeipa-jaquino-0004-dbe-instead-of-lde.patch

Re: [Freeipa-devel] [PATCH] sudo and netgroup schema compat updates

2010-12-08 Thread JR Aquino
This is what I see when I manually add the ipaSudoRule entry to my test server: dn: cn=devel,cn=sudoers,dc=example,dc=com objectClass: sudoRole sudoUser: %ops sudoHost: auth4.ops.expertcity.com sudoCommand: /usr/bin/less cn: devel That's assuming the group and host entries you're using

Re: [Freeipa-devel] [PATCH] sudo and netgroup schema compat updates

2010-12-09 Thread JR Aquino
On 12/9/10 10:03 AM, Dmitri Pal d...@redhat.com wrote: Nalin Dahyabhai wrote: On Wed, Dec 08, 2010 at 11:12:34PM +, JR Aquino wrote: I guess the piece that is still missing then is: Instead of: sudoHost: hostname.com It should be: sudoHost: +production - which is the group

Re: [Freeipa-devel] [PATCH] sudo and netgroup schema compat updates

2010-12-09 Thread JR Aquino
On 12/9/10 11:59 AM, Dmitri Pal d...@redhat.com wrote: http://www.freeipa.org/page/SUDO_Schema_Design#Why_we_must_support_netgrou ps_in_the_SUDO_rules.3F Last paragraph of the section. Also see last open question and answer to it on the page :-) However... read further... Ah Ha! I just talked

[Freeipa-devel] [PATCH 5] managed entry hostgroup netgroup support

2010-12-09 Thread JR Aquino
These 2 patches address all of the items within (https://fedorahosted.org/freeipa/ticket/543) Included are: * ldif for the hostgroup -to- netgroup Managed Entry Plugin * dsinstance modifications to correctly install the ldif * management script (ipa-host-net-manage) * man page for documentation

Re: [Freeipa-devel] [PATCH 5] managed entry hostgroup netgroup support

2010-12-10 Thread JR Aquino
) Thank you. On 12/9/10 4:11 PM, JR Aquino jr.aqu...@citrix.com wrote: These 2 patches address all of the items within (https://fedorahosted.org/freeipa/ticket/543) Included are: * ldif for the hostgroup -to- netgroup Managed Entry Plugin * dsinstance modifications to correctly install the ldif

Re: [Freeipa-devel] [PATCH] managed entry hostgroup netgroup support

2010-12-10 Thread JR Aquino
On 12/10/10 12:49 PM, Rob Crittenden rcrit...@redhat.com wrote: nack, found a couple of minor issues: - The patch doesn't apply against the master branch (probably from Simo's recent changes there) - looks like you copied the man page from ipa-ldap-updater, needs a few more updates (though kudos

[Freeipa-devel] [Patch] sudo run as user or group AND tests

2010-12-13 Thread JR Aquino
Attached are patches to address: (https://fedorahosted.org/freeipa/ticket/570) 5) -The UI needs separate run-as-user and run-as-group categories for the As Whom section. The UI also needs a way to manage the list of users/groups for the run-as-user, and the list of groups for the run-as-group.

[Freeipa-devel] [PATCH] SUDO plugin support for external hosts and users

2010-12-15 Thread JR Aquino
Attached is the patch to provide cli support for external hosts and users. This is accomplished similarly to the netgroup plugin. If the plugin is input with a hostname/user that does not exist in the directory, the plugin will then assume that the User had intended for these objects to be

[Freeipa-devel] [PATCH] Fix to man page for ipa-compat-manage (one liner)

2010-12-15 Thread JR Aquino
There was a typo for the manpage, this is a one liner to fix. -.\ A man page for ipa-ldap-updater +.\ A man page for ipa-compat-manage freeipa-jraquino-0010-Fix-to-man-page-for-ipa-compat-manage.patch Description: freeipa-jraquino-0010-Fix-to-man-page-for-ipa-compat-manage.patch

Re: [Freeipa-devel] [PATCH] sudo and netgroup schema compat updates

2010-12-15 Thread JR Aquino
Thanks! Testing now. On 12/15/10 2:49 PM, Nalin Dahyabhai na...@redhat.com wrote: On Wed, Dec 15, 2010 at 09:29:53PM +, JR Aquino wrote: Thank you very much Nalin, at first glance these patches appear to solve what we are after. However, it looks like the master has drifted a little

Re: [Freeipa-devel] [PATCH] sudo and netgroup schema compat updates

2010-12-15 Thread JR Aquino
Perfect! All tests check out clean! One final piece I think needs a quick one liner: From: http://www.gratisoft.us/sudo/sudoers.ldap.man.html --The sudoers configuration is contained in the ou=SUDOers LDAP container.-- Currently the plugin creates 'cn=sudoers' as opposed to 'ou=sudoers'.

Re: [Freeipa-devel] [PATCH] sudo and netgroup schema compat updates

2010-12-16 Thread JR Aquino
Attached are both patches with one modification to 0001: -add:schema-compat-container-group: 'cn=SUDOers, $SUFFIX' +add:schema-compat-container-group: 'ou=SUDOers, $SUFFIX' Please ack and push to master. On 12/15/10 8:16 PM, JR Aquino jr.aqu...@citrix.com wrote: Perfect! All tests check out

[Freeipa-devel] [PATCH] netgroups created by hostgroups lacked info

2010-12-22 Thread JR Aquino
Fix for ticket #653 https://fedorahosted.org/freeipa/ticket/653 The managed netgroup was missing the ipaObject objectclass and the nisDomain attribute when created from a hostgroup. Please review and ack. binqcaDq7V9XM.bin Description:

Re: [Freeipa-devel] [Freeipa-users] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release

2011-01-04 Thread JR Aquino
. All tools are best used by their intended design. If the only tool you have is a Hammer, you may approach all of your problems as if they are nails. ~~ Jr Aquino Information Security Specialist Citrix Online GCIH, CCNA

[Freeipa-devel] [PATCH] fixed typo for description usage example

2011-01-06 Thread JR Aquino
There was a typo in the example for cli usage of sudocmd This is a 1 liner patch to correct the usage syntax and addresses ticket #704: https://fedorahosted.org/freeipa/ticket/704 -JR freeipa-jraquino-0012-fixed-typo-for-description-usage.patch Description:

[Freeipa-devel] [PATCH] Fix SudoRule RunAs users/groups

2011-01-07 Thread JR Aquino
Attached is the patch to fix the following: (Per ticket 570: https://fedorahosted.org/freeipa/ticket/570 Issue #5) * Runas users to support groups * Runas users to support external users * runasgroup to support external groups * compat fix to account for the runas users to support %groups *

[Freeipa-devel] [PATCH 14] Bugfix for sudo compat cmdcat and deny commands

2011-01-10 Thread JR Aquino
Attached is a patch to fix the sudo compat plugin. Ticket# 742: https://fedorahosted.org/freeipa/ticket/742 The sudo compat plugin should allow for the presence of: Command Category: ALL AND sudoCommand: !/usr/bin/less Currently the plugin is set to overwrite any other sudoCommand attribute in

Re: [Freeipa-devel] [PATCH] 14-2 Bugfix for sudo compat cmdcat and deny commands

2011-01-11 Thread JR Aquino
Correction to patch. The previous patch inherited a line for patch #13 This has been corrected in the attached patch. On 1/10/11 3:11 PM, JR Aquino jr.aqu...@citrix.com wrote: Attached is a patch to fix the sudo compat plugin. Ticket# 742: https://fedorahosted.org/freeipa/ticket/742 The sudo

Re: [Freeipa-devel] [PATCH] 0055 Consolidate sudo data in one subtree

2011-01-17 Thread JR Aquino
ACK. Please push. On 1/14/11 3:03 PM, Simo Sorce sso...@redhat.com wrote: On Fri, 14 Jan 2011 17:33:31 -0500 Dmitri Pal d...@redhat.com wrote: Simo Sorce wrote: Put all sudo data except the legacy ou=SUDOers into the cn=sudo subtree. Ticket: #773 Simo. Does it include the

Re: [Freeipa-devel] [PATCH] test speedup patch

2011-01-19 Thread JR Aquino
Just tested. I do see a performance increase of ~30% Without the Patch time ipa user-find -- 1 user matched -- User login: admin Last name: Administrator Home directory: /home/admin Login shell: /bin/bash Account activation status: False Member of groups:

Re: [Freeipa-devel] [PATCH] 0061 Use authenticated binds in init scripts

2011-01-19 Thread JR Aquino
On 1/18/11 4:02 PM, Simo Sorce sso...@redhat.com wrote: We need to use authenticated lda binds in init scripts as otherwise starting components fails when the option to restrict anonymous access to ldap is set. In order to do that we need to also start the KDC unconditionally, so it has been

Re: [Freeipa-devel] [PATCH] 683 block anonymous access to hbac info

2011-01-20 Thread JR Aquino
I think it is safe to give up member. It is necessary for nss_ldap and nis. If we remove member and add the role container I think that should cover the low hanging fruit that discloses authorization data. On 1/19/11 3:28 PM, Simo Sorce sso...@redhat.com wrote: On Wed, 19 Jan 2011 17:51:56

Re: [Freeipa-devel] [PATCH] 0064 Fix authentication for init scripts

2011-01-20 Thread JR Aquino
On 1/19/11 3:31 PM, Simo Sorce sso...@redhat.com wrote: In order for ipactl to function even when anonymous access is disabled we need to authenticate. Use sASL/EXTERNAL to let root get access as a very low privileged special user. Ticket #795 This patch is a replacement of 0061 where I was

Re: [Freeipa-devel] [PATCH] 0065 Use ldapi with krb5kdc

2011-01-20 Thread JR Aquino
NACK. Please retest this... I'm not sure how it is related, but I receive an error during the make rpm process: Traceback (most recent call last): File ./makeapi, line 27, in module from ipalib import * File /usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279/ipalib/__init__.py ,

Re: [Freeipa-devel] [PATCH] 0065 Use ldapi with krb5kdc

2011-01-20 Thread JR Aquino
On 1/20/11 10:11 AM, Rob Crittenden rcrit...@redhat.com wrote: JR Aquino wrote: NACK. Please retest this... I'm not sure how it is related, but I receive an error during the make rpm process: Traceback (most recent call last): File ./makeapi, line 27, inmodule from ipalib import

Re: [Freeipa-devel] [PATCH] 683 block anonymous access to hbac info

2011-01-20 Thread JR Aquino
On 1/20/11 10:05 AM, Rob Crittenden rcrit...@redhat.com wrote: Simo Sorce wrote: On Wed, 19 Jan 2011 17:51:56 -0500 Rob Crittendenrcrit...@redhat.com wrote: +aci: (targetattr = member || memberOf || memberHost || memberUser)(version 3.0; acl No anonymous access to member information; deny

[Freeipa-devel] [PATCH] 0015 block anonymous access to sudo info

2011-01-27 Thread JR Aquino
Aci patch to block anonymous access to sudo info https://fedorahosted.org/freeipa/ticket/865 freeipa-jraquino-0015-block-anonymous-access-to-sudo-info.patch Description: freeipa-jraquino-0015-block-anonymous-access-to-sudo-info.patch ___ Freeipa-devel

[Freeipa-devel] FreeIPA Logging (Not Auditing... yet)

2011-01-27 Thread JR Aquino
I have been working with the project for a while now and it has dawned on me that the FreeIPA ipalib plugins, don't really have a syslog library that they output with. So far I've really just been troubleshooting and getting around with: /var/log/httpd/access_log /var/log/httpd/error_log

Re: [Freeipa-devel] FreeIPA Logging (Not Auditing... yet)

2011-01-28 Thread JR Aquino
On 1/28/11 10:43 AM, Dmitri Pal d...@redhat.com wrote JR, Thank you for bringing it up. I think it would be beneficial to have something for logging. I agree as it is a PCI Requirement. I am not sure that this is exactly it. You are correct. More discussion is necessary to capture the minimum

Re: [Freeipa-devel] SUDO community changed SUDO schema!!!

2011-01-29 Thread JR Aquino
From: Dmitri Pal d...@redhat.commailto:d...@redhat.com Organization: Red Hat Reply-To: d...@redhat.commailto:d...@redhat.com Date: Sat, 29 Jan 2011 11:25:17 -0500 To: freeipa-devel@redhat.commailto:freeipa-devel@redhat.com Subject: [Freeipa-devel] SUDO community changed SUDO schema!!!

Re: [Freeipa-devel] SUDO community changed SUDO schema!!!

2011-01-29 Thread JR Aquino
On 1/29/11 9:30 AM, JR Aquino jr.aqu...@citrix.com wrote: From: Dmitri Pal d...@redhat.commailto:d...@redhat.com Organization: Red Hat Reply-To: d...@redhat.commailto:d...@redhat.com Date: Sat, 29 Jan 2011 11:25:17 -0500 To: freeipa-devel@redhat.commailto:freeipa-devel@redhat.com Subject

Re: [Freeipa-devel] SUDO community changed SUDO schema!!!

2011-01-30 Thread JR Aquino
On 1/29/11 3:40 PM, Dmitri Pal d...@redhat.com wrote: On 01/29/2011 12:37 PM, JR Aquino wrote: On 1/29/11 9:30 AM, JR Aquino jr.aqu...@citrix.com wrote: From: Dmitri Pal d...@redhat.commailto:d...@redhat.com Organization: Red Hat Reply-To: d...@redhat.commailto:d...@redhat.com Date: Sat, 29

Re: [Freeipa-devel] SUDO community changed SUDO schema!!!

2011-01-31 Thread JR Aquino
On 1/30/11 8:53 PM, Dmitri Pal d...@redhat.com wrote: ... The main concern about the solution is the following scenario. 1) IPA releases as is without support of the order attribute. 2) Some time passes and new version of SUDO gets released into some distros we care about 3) Support for ordered

Re: [Freeipa-devel] [PATCH] 720 provide some logging by default

2011-02-13 Thread JR Aquino
On 2/11/11 2:26 PM, Rob Crittenden rcrit...@redhat.com wrote: If neither verbose nor debug were set (and they aren't by default) then we logged absolutely nothing about framework requests. This adds a default of who, what, result in the Apache error log. This is a first-step for ticket 873 just

[Freeipa-devel] [PATCH] 16 Bugfix for ipa-client-install echo's password in cleartext to stdout

2011-02-14 Thread JR Aquino
During the ipa-client-install, when prompted for the principal password, it is possible to start typing and have the password echoed back. This patch corrects this behavior and addresses bug #959 https://fedorahosted.org/freeipa/ticket/959 binegPaWpIOK0.bin Description:

Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.

2011-02-14 Thread JR Aquino
On 2/10/11 2:42 AM, Pavel Zuna pz...@redhat.com wrote: On 02/08/2011 01:06 PM, Pavel Zuna wrote: The patch also corrects exception handling in some of the tools. Fix #874 Pavel Updated patch attached. Forgot to rename an identifier in exception handling. Pavel

Re: [Freeipa-devel] [PATCH] 16-1 Bugfix for ipa-client-install echo's password in cleartext to stdout

2011-02-14 Thread JR Aquino
Patch 16-1 submitted to exit if no password is given. On 2/14/11 12:06 PM, Rob Crittenden rcrit...@redhat.com wrote: JR Aquino wrote: During the ipa-client-install, when prompted for the principal password, it is possible to start typing and have the password echoed back. This patch corrects

Re: [Freeipa-devel] [PATCH] 42 Add group members to default output of sudorule-show

2011-02-15 Thread JR Aquino
On 2/15/11 2:06 AM, Jan Zelený jzel...@redhat.com wrote: https://fedorahosted.org/freeipa/ticket/915 Jan ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ACK I don't know how I missed that!

[Freeipa-devel] [PATCH] 17 Managed netgroups should be invisible

2011-02-15 Thread JR Aquino
This patch provides ipa netgroup-find a default filter which prevents the displaying of mepManageEntry Netgroups by default. It also introduces a —private flag similar to the group.py to allow for displaying them if necessary. freeipa-jraquino-0017-Managed-netgroups-should-be-invisible.patch

[Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install

2011-02-16 Thread JR Aquino
This patch addresses the need to utilize TLS when using the ipa-client-install tool. It addresses ticket: https://fedorahosted.org/freeipa/ticket/974 binh94MJnFPEx.bin Description: freeipa-jraquino-0018-Use-TLS-for-ipadiscovery-during-ipa-client-install.patch

Re: [Freeipa-devel] [PATCH] 17-2 Managed netgroups should be invisible

2011-02-16 Thread JR Aquino
Removed whitespace from patch and added API.txt changes to reflect the --private option added to netgroup On 2/15/11 12:45 PM, JR Aquino jr.aqu...@citrix.com wrote: This patch provides ipa netgroup-find a default filter which prevents the displaying of mepManageEntry Netgroups by default

[Freeipa-devel] [PATCH] 19 prevent duplicate netgroup entries

2011-02-16 Thread JR Aquino
This patch fixes the netgroup plugin's behavior of adding duplicate entries when the managed entry plugin creates a netgroup with a mepManagedEntry This problem is documented in ticket: https://fedorahosted.org/freeipa/ticket/963 As noted by Endi for issue #3 in the History: 3. Just out of

Re: [Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install

2011-02-17 Thread JR Aquino
deprecated in favor of TLS as defined in RFC2830. On 2/17/11 2:01 AM, Jan Zelený jzel...@redhat.com wrote: JR Aquino jr.aqu...@citrix.com wrote: This patch addresses the need to utilize TLS when using the ipa-client-install tool. It addresses ticket: https://fedorahosted.org/freeipa/ticket/974 Nack

Re: [Freeipa-devel] [PATCH] 19 Cleanup for netgroup search

2011-02-17 Thread JR Aquino
On 2/17/11 3:23 AM, Jan Zelený jzel...@redhat.com wrote: JR Aquino jr.aqu...@citrix.com wrote: This patch fixes the netgroup plugin's behavior of adding duplicate entries when the managed entry plugin creates a netgroup with a mepManagedEntry This problem is documented in ticket: https

Re: [Freeipa-devel] [PATCH] 729 managed netgroups immutable

2011-02-17 Thread JR Aquino
On 2/17/11 11:02 AM, Rob Crittenden rcrit...@redhat.com wrote: Make managed netgroups (those created as a result of creating a hostgroup) should be immutable. This aci will deny writes to a managed netgroup. ticket 962 rob ___ Freeipa-devel mailing

Re: [Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install

2011-02-17 Thread JR Aquino
On 2/17/11 9:46 AM, Jan Zeleny jzel...@redhat.com wrote: JR Aquino jr.aqu...@citrix.com wrote: Lets try now. Attached is the corrected patch. There were several spots in ipa-client-install where the server could be defined and it was getting missed. I have omitted any change to ipa-client

Re: [Freeipa-devel] Scripting the SUDO setup for a client

2011-02-17 Thread JR Aquino
On Feb 17, 2011, at 8:38 PM, Adam Young ayo...@redhat.com wrote: I tried to follow the steps to setup Sudo on a client here: https://fedoraproject.org/wiki/QA:Testcase_freeipav2_sudo Of course, since my serve wasn't example.com, I had to modify the LDAP fitlers. I got something wrong.

Re: [Freeipa-devel] Scripting the SUDO setup for a client

2011-02-18 Thread JR Aquino
On Feb 18, 2011, at 5:01 AM, Simo Sorce sso...@redhat.com wrote: On Fri, 18 Feb 2011 05:06:34 + JR Aquino jr.aqu...@citrix.com wrote: On Feb 17, 2011, at 8:38 PM, Adam Young ayo...@redhat.com wrote: I tried to follow the steps to setup Sudo on a client here: https://fedoraproject.org

Re: [Freeipa-devel] Scripting the SUDO setup for a client

2011-02-18 Thread JR Aquino
On 2/18/11 5:49 AM, Simo Sorce sso...@redhat.com wrote: On Fri, 18 Feb 2011 13:18:36 + JR Aquino jr.aqu...@citrix.com wrote: I'm afraid not Simo. As you recall. Both /etc/sudoers and the 2 Sudo containers in FreeIPA are protected. There is a deliberate default aci which prevents

Re: [Freeipa-devel] [PATCH] 730 managed netgroups immutable

2011-02-18 Thread JR Aquino
On 2/17/11 2:20 PM, Rob Crittenden rcrit...@redhat.com wrote: JR Aquino wrote: On 2/17/11 11:02 AM, Rob Crittendenrcrit...@redhat.com wrote: Make managed netgroups (those created as a result of creating a hostgroup) should be immutable. This aci will deny writes to a managed netgroup

Re: [Freeipa-devel] ipa-client-sudo

2011-02-19 Thread JR Aquino
On 2/19/11 7:33 AM, Simo Sorce sso...@redhat.com wrote: On Fri, 18 Feb 2011 23:09:21 -0500 Adam Young ayo...@redhat.com wrote: Here's a rough hack. It follows the steps in the test script. I tested it out and it works. Truly a hack :) More specifically: The script looks like it will

Re: [Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install

2011-02-21 Thread JR Aquino
On 2/21/11 10:46 AM, Jan Zeleny jzel...@redhat.com wrote: Rob Crittenden rcrit...@redhat.com wrote: JR Aquino wrote: On 2/17/11 9:46 AM, Jan Zelenyjzel...@redhat.com wrote: JR Aquinojr.aqu...@citrix.com wrote: Lets try now. Attached is the corrected patch. There were several spots

Re: [Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install

2011-02-21 Thread JR Aquino
On 2/21/11 11:18 AM, JR Aquino jr.aqu...@citrix.com wrote: On 2/21/11 10:46 AM, Jan Zeleny jzel...@redhat.com wrote: Rob Crittenden rcrit...@redhat.com wrote: JR Aquino wrote: On 2/17/11 9:46 AM, Jan Zelenyjzel...@redhat.com wrote: JR Aquinojr.aqu...@citrix.com wrote: Lets try now

Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.

2011-02-21 Thread JR Aquino
On 2/15/11 6:19 AM, Pavel Zuna pz...@redhat.com wrote: On 02/14/2011 04:56 PM, JR Aquino wrote: On 2/10/11 2:42 AM, Pavel Zunapz...@redhat.com wrote: On 02/08/2011 01:06 PM, Pavel Zuna wrote: The patch also corrects exception handling in some of the tools. Fix #874 Pavel Updated patch

[Freeipa-devel] [PATCH] 20 Create default disabled sudo bind user

2011-02-22 Thread JR Aquino
This patch addressees ticket #998 It adds: * ldif to create a default sudo bind user: dn: uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX * modifications to dsinstance.py to add the ldif * modifications to dsinstance.py to add a call to ipautil.ipa_generate_password() for an random password. It is

Re: [Freeipa-devel] [PATCH] 20 Create default disabled sudo bind user

2011-02-23 Thread JR Aquino
On 2/22/11 7:45 PM, JR Aquino jr.aqu...@citrix.com wrote: This patch addressees ticket #998 It adds: * ldif to create a default sudo bind user: dn: uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX * modifications to dsinstance.py to add the ldif * modifications to dsinstance.py to add a call

Re: [Freeipa-devel] [PATCH] 20 Create default disabled sudo bind user

2011-02-23 Thread JR Aquino
On 2/23/11 11:23 AM, Simo Sorce sso...@redhat.com wrote: On Wed, 23 Feb 2011 13:50:37 -0500 Rob Crittenden rcrit...@redhat.com wrote: JR Aquino wrote: On 2/22/11 7:45 PM, JR Aquinojr.aqu...@citrix.com wrote: This patch addressees ticket #998 It adds: * ldif to create a default

Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.

2011-02-25 Thread JR Aquino
On 2/25/11 5:58 AM, Pavel Zuna pz...@redhat.com wrote: On 02/23/2011 11:53 PM, Simo Sorce wrote: On Wed, 23 Feb 2011 23:41:33 +0100 Pavel Zůnapz...@redhat.com wrote: On 2011-02-15 16:36, JR Aquino wrote: On 2/15/11 6:52 AM, Simo Sorcesso...@redhat.com wrote: On Tue, 15 Feb 2011 15:19

Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.

2011-02-28 Thread JR Aquino
On 2/25/11 9:27 AM, Pavel Zůna pz...@redhat.com wrote: On 2011-02-25 18:12, JR Aquino wrote: On 2/25/11 5:58 AM, Pavel Zunapz...@redhat.com wrote: On 02/23/2011 11:53 PM, Simo Sorce wrote: On Wed, 23 Feb 2011 23:41:33 +0100 Pavel Zůnapz...@redhat.com wrote: On 2011-02-15 16:36, JR

Re: [Freeipa-devel] [PATCH] 039 Wait for Directory Server ports to open

2011-03-15 Thread JR Aquino
On Mar 15, 2011, at 11:05 AM, Pavel Zuna wrote: On 03/14/2011 06:03 PM, Martin Kosek wrote: I know this is a 2.1 ticket, but the patch is probably also a solution of #1047 - a 2.0.5 bucket critical bug. When Directory Server operation is run right after the server restart the

[Freeipa-devel] [PATCH] 21 Escape LDAP characters in member and memberof searches

2011-03-30 Thread JR Aquino
The FreeIPA framework performs unescaped searches to enumerate group membership. The following patch corrects this behavior. -JR binIXm2E6QDid.bin Description: freeipa-jraquino-0021-Escape-LDAP-characters-in-member-and-memberof-search.patch ___

Re: [Freeipa-devel] [PATCH] 21 Escape LDAP characters in member and memberof searches

2011-03-30 Thread JR Aquino
On Mar 30, 2011, at 12:05 PM, JR Aquino wrote: The FreeIPA framework performs unescaped searches to enumerate group membership. The following patch corrects this behavior. -JR freeipa-jraquino-0021-Escape-LDAP-characters-in-member-and-memberof

[Freeipa-devel] [PATCH] 22 Add memberHost and memberUser to default indexes

2011-03-30 Thread JR Aquino
The plugin architecture makes a great deal of calls to search for memberUser and memberHost. These attributes are missing from the index and are greatly slowing down the CLI and WebUI. They should be added as Equality Indexes, as the searches that are performed are meant for enumeration after

Re: [Freeipa-devel] [PATCH] 21 Escape LDAP characters in member and memberof searches

2011-03-30 Thread JR Aquino
On Mar 30, 2011, at 1:01 PM, Stephen Gallagher wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 03/30/2011 03:53 PM, JR Aquino wrote: On Mar 30, 2011, at 12:05 PM, JR Aquino wrote: The FreeIPA framework performs unescaped searches to enumerate group membership

Re: [Freeipa-devel] [PATCH] 21 Escape LDAP characters in member and memberof searches

2011-03-30 Thread JR Aquino
On Mar 30, 2011, at 3:03 PM, Rob Crittenden wrote: JR Aquino wrote: On Mar 30, 2011, at 1:01 PM, Stephen Gallagher wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 03/30/2011 03:53 PM, JR Aquino wrote: On Mar 30, 2011, at 12:05 PM, JR Aquino wrote: The FreeIPA framework

Re: [Freeipa-devel] [PATCH] 23 Optimize and dynamically verify group membership

2011-03-31 Thread JR Aquino
Better formatting for the statistics: -=- Without patch ipa hostgroup-find ... - Number of entries returned 52 - real0m20.054s user0m0.934s sys 0m0.050s -=- With

Re: [Freeipa-devel] [PATCH] 23 Optimize and dynamically verify group membership

2011-03-31 Thread JR Aquino
On Mar 31, 2011, at 1:48 PM, Rob Crittenden wrote: JR Aquino wrote: The following patch Removes around 20 lines of code and provides a substantial increase in performance for FreeIPA member/memberof verification searches. The current code base blindly searches static containers

Re: [Freeipa-devel] [PATCH] 23 Optimize and dynamically verify group membership

2011-03-31 Thread JR Aquino
To clarify, the high delay times in these stats are due to buffered logging being turned off. The ratio of performance increase is ~the same with buffered logging turned on; e.g 1.9 seconds down to 1.5 On Mar 31, 2011, at 1:43 PM, JR Aquino jr.aqu...@citrix.com wrote: Better formatting

Re: [Freeipa-devel] [PATCH] 22 Add memberHost and memberUser to default indexes

2011-04-01 Thread JR Aquino
On Mar 30, 2011, at 1:16 PM, JR Aquino wrote: The plugin architecture makes a great deal of calls to search for memberUser and memberHost. These attributes are missing from the index and are greatly slowing down the CLI and WebUI. They should be added as Equality Indexes, as the searches

Re: [Freeipa-devel] [PATCH] 23 Optimize and dynamically verify group membership

2011-04-07 Thread JR Aquino
On Mar 31, 2011, at 2:16 PM, JR Aquino wrote: On Mar 31, 2011, at 1:48 PM, Rob Crittenden wrote: JR Aquino wrote: The following patch Removes around 20 lines of code and provides a substantial increase in performance for FreeIPA member/memberof verification searches. The current code

Re: [Freeipa-devel] [PATCH] 23 Optimize and dynamically verify group membership

2011-04-07 Thread JR Aquino
On Apr 7, 2011, at 3:42 PM, JR Aquino wrote: On Mar 31, 2011, at 2:16 PM, JR Aquino wrote: On Mar 31, 2011, at 1:48 PM, Rob Crittenden wrote: JR Aquino wrote: The following patch Removes around 20 lines of code and provides a substantial increase in performance for FreeIPA member

Re: [Freeipa-devel] [PATCH] 23 Optimize and dynamically verify group membership

2011-04-07 Thread JR Aquino
On Apr 7, 2011, at 4:04 PM, JR Aquino wrote: On Apr 7, 2011, at 3:42 PM, JR Aquino wrote: On Mar 31, 2011, at 2:16 PM, JR Aquino wrote: On Mar 31, 2011, at 1:48 PM, Rob Crittenden wrote: JR Aquino wrote: The following patch Removes around 20 lines of code and provides a substantial

Re: [Freeipa-devel] [PATCH] 767 fix ipa-nis-manage

2011-04-08 Thread JR Aquino
Does this imply the use of ldap with tls now or just standard ldap? There was a previous ticket that changed this and many other tools such that they used ldapi to accommodate FreeIPA with a minssf set. On Apr 8, 2011, at 7:24 AM, Rob Crittenden rcrit...@redhat.com wrote: ipa-nis-manage was

Re: [Freeipa-devel] [PATCH] 760 don't crash when calculating indirect

2011-04-08 Thread JR Aquino
On Apr 8, 2011, at 7:32 AM, Rob Crittenden wrote: Martin Kosek wrote: On Wed, 2011-03-30 at 10:46 -0400, Rob Crittenden wrote: Rob Crittenden wrote: This prevents an internal error when calculating direct vs indirect membership. ticket 1133 I accidentally included a change from another patch.

Re: [Freeipa-devel] [PATCH] 767 fix ipa-nis-manage

2011-04-08 Thread JR Aquino
as root since we start/stop and configure/unconfigure services. ticket 1157 rob freeipa-rcrit-767-nis.patch JR Aquino wrote: Does this imply the use of ldap with tls now or just standard ldap? There was a previous ticket that changed this and many other tools such that they used ldapi

Re: [Freeipa-devel] [PATCH] 767 fix ipa-nis-manage

2011-04-08 Thread JR Aquino
On Apr 8, 2011, at 8:53 AM, Rob Crittenden rcrit...@redhat.com wrote: JR Aquino wrote: On Apr 8, 2011, at 8:03 AM, Rob Crittenden wrote: On Apr 8, 2011, at 7:24 AM, Rob Crittendenrcrit...@redhat.com wrote: ipa-nis-manage was failing because root has very limited capabilities when

  1   2   3   >