Re: [Freeipa-devel] [PATCH] 242 new method to identify CAs to trust

2009-07-23 Thread Jason Gerard DeRose
On Thu, 2009-07-23 at 17:57 -0400, Rob Crittenden wrote: A new way to identify the CAs to trust when importing a PKCS#12 file (like during replica installation). We used to use certutil -O but Fedora 11 changed certutil so it doesn't show untrusted CAs (the whole point of running the

Re: [Freeipa-devel] [PATCH] 253 fix BaseException.message deprecation warning

2009-08-20 Thread Jason Gerard DeRose
On Thu, 2009-08-20 at 10:17 -0400, Rob Crittenden wrote: Fix a Python 2.6 deprecation warning in the master branch. rob ack. pushed to master. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com

Re: [Freeipa-devel] [PATCH] jderose 011 Fleshed out krb plugin and added example of scripting against Python API

2009-08-31 Thread Jason Gerard DeRose
Attached is an update to this patch that now correctly applies. On Tue, 2009-07-07 at 07:07 +, Jason Gerard DeRose wrote: This patch adds the first example of scripting against the IPA Python API in doc/examples/python-api.py. It also finally fleshes out the ipalib.plugins.kerberos.krb

Re: [Freeipa-devel] [PATCH] jderose 011 Fleshed out krb plugin and added example of scripting against Python API

2009-08-31 Thread Jason Gerard DeRose
On Mon, 2009-08-31 at 17:56 -0400, Rob Crittenden wrote: Jason Gerard DeRose wrote: Attached is an update to this patch that now correctly applies. ack pushed to master.

Re: [Freeipa-devel] [PATCH] Make ldap2.add_entry proof to None values, because python-ldap hates'em.

2009-08-31 Thread Jason Gerard DeRose
On Mon, 2009-08-31 at 12:03 +0200, Pavel Zuna wrote: Rob Crittenden wrote: Pavel Zuna wrote: python-ldap seems to hate None values when adding an entry and raises an exception instead of ignoring them, so we need to filter them ourselves. Pavel Couldn't updates contain None as well?

[Freeipa-devel] [PATCH] jderose 016 Fixed undefined `dns_forwarders` in ipa-server-install

2009-09-08 Thread Jason Gerard DeRose
In ipa-server-install, if options.setup_dns is False, the `dns_forwarders` variable doesn't get defined, and so things crap out when bind.setup() is called in line 649. From 0001ead23abfca6bd419e06ca6ab134367672e63 Mon Sep 17 00:00:00 2001 From: Jason Gerard DeRose jder...@redhat.com Date: Tue

Re: [Freeipa-devel] [PATCH] jderose 017 Giant WebUI patch part 1

2009-09-14 Thread Jason Gerard DeRose
On Tue, 2009-09-08 at 17:43 -0400, Dmitri Pal wrote: Rob Crittenden wrote: Jason Gerard DeRose wrote: This is a big patch to get everyone synced up with what I'm doing on the webUI. The Engine is currently *very* dumb because I need to tear through a bunch of plugin metadata, make

Re: [Freeipa-devel] Re: [Freeipa-users] IPA license

2009-09-15 Thread Jason Gerard DeRose
On Tue, 2009-09-15 at 18:09 -0400, Dmitri Pal wrote: Andrea Modesto Rossi wrote: On Mar, 15 Settembre 2009 9:55 pm, Dmitri Pal wrote: We are considering to release freeIPA v2 under a less restrictive license than we used in IPA v1. It was GPLv2 only in v1.x and we think about GPLv2

[Freeipa-devel] Annoucing assets 0.1.0

2009-09-21 Thread Jason Gerard DeRose
The widget library previously had a `wehjit.assets` module for managing JavaScript and CSS assets. This module automatically named the assets using a content hash (sha1sum), while allowing the application to retrieve the current filename using a human readable key. But this module also was using

[Freeipa-devel] Announcing wehjit 0.1.0

2009-09-23 Thread Jason Gerard DeRose
Between my informal 0.0.1 release and this formal 0.1.0 release, I added a short tutorial and fleshed out the documentation, expanded the unit test coverage, and improved many areas where the API was either awkward or had limitations. There are also a number of new features, the most notable

Re: [Freeipa-devel] [PATCH] 273 join a host to an IPA domain

2009-09-24 Thread Jason Gerard DeRose
From e2ecf02822867170e3b4f19f5ba749d3c94d899c Mon Sep 17 00:00:00 2001 From: Jason Gerard DeRose jder...@redhat.com Date: Thu, 24 Sep 2009 17:49:16 -0600 Subject: [PATCH] Added

Re: [Freeipa-devel] [PATCH] 280 add option to not normalize on adds/updates

2009-10-05 Thread Jason Gerard DeRose
ack. pushed to master. On Fri, 2009-10-02 at 16:02 +0200, Pavel Zuna wrote: Rob Crittenden wrote: Add an option to not run the normalizer against the DN on adds/updates. The MIT ldap plugin is extremely picky about the format of DNs it adds and it does not like the way we normalize

Re: [Freeipa-devel] [PATCH] 272 Add delete option to LDAP updater, unit tests

2009-10-05 Thread Jason Gerard DeRose
ack. pushed to master. On Mon, 2009-10-05 at 15:19 -0400, Rob Crittenden wrote: This gives the updater the ability to delete entries and adds some unit test cases. rob

Re: [Freeipa-devel] [PATCH] 281 minor fix for updater

2009-10-05 Thread Jason Gerard DeRose
ack too. pushed to master. On Fri, 2009-10-02 at 16:02 +0200, Pavel Zuna wrote: Rob Crittenden wrote: Robustness fix for ipa-ldap-updater to not blow up if no updates are set yet. rob ack. Pavel

Re: [Freeipa-devel] [PATCH] 282 update the KDC aci

2009-10-05 Thread Jason Gerard DeRose
On Fri, 2009-10-02 at 09:37 -0400, Rob Crittenden wrote: The API protecting the kerberos master key was a bit broad, also preventing adds and deletes to its subtree. I've relaxed that so I can add password policy entries which must be stored under the realm entry. I also changed the

Re: [Freeipa-devel] [PATCH] 283 allow no primary key in crud classes

2009-10-05 Thread Jason Gerard DeRose
On Fri, 2009-10-02 at 16:04 +0200, Pavel Zuna wrote: Rob Crittenden wrote: The crud classes required a primary key to be set in order to work. I've relaxed that as the pwpolicy plugin has no primary key but I still want to take advantage of other aspects of it. rob ack. LDAP*

Re: [Freeipa-devel] [PATCH] 284 per-group password policy

2009-10-05 Thread Jason Gerard DeRose
On Fri, 2009-10-02 at 16:07 +0200, Pavel Zuna wrote: Rob Crittenden wrote: Add support for per-group kerberos password policy. This uses a Class of Service based on group membership to determine which policy should apply. The design doc called for non-overlapping groups but we can

Re: [Freeipa-devel] Re: [PATCH] Fix bug in HBAC and netgroup plugin get_primary_key_from_dn methods.

2009-10-12 Thread Jason Gerard DeRose
On Mon, 2009-10-12 at 10:22 -0400, Rob Crittenden wrote: Pavel Zuna wrote: Rob Crittenden wrote: Pavel Zuna wrote: The method was returning tuples instead of strings in both plugins causing a mess in other plugins, when displaying netgroup/HBAC information. Pavel Assuming that

Re: [Freeipa-devel] [PATCH] jderose 017-2 Giant webui patch take 2

2009-10-13 Thread Jason Gerard DeRose
On Tue, 2009-10-13 at 15:21 -0400, Rob Crittenden wrote: Jason Gerard DeRose wrote: Okay, finally here is the revised webui patch. Since the last version, I: * Ported to various API changes between wehjit 0.0.1 and 0.1.0 * Removed the session.py stuff, which will be in a separate

Re: [Freeipa-devel] add_global_options() vs. build_global_parser()

2009-10-13 Thread Jason Gerard DeRose
On Tue, 2009-10-13 at 17:58 -0400, John Dennis wrote: ipalib.util defines the function add_global_options() which is never called but seems nearly identical to API.build_global_parser(). Why? Should API.build_global_parser() be calling util.add_global_options() or should

[Freeipa-devel] [PATCH] jderose 019 remove some cruft

2009-10-13 Thread Jason Gerard DeRose
This removes the util.add_global_options() function and the frontend.Application class, neither of which are now needed.

Re: [Freeipa-devel] [PATCH] jderose 019 remove some cruft

2009-10-13 Thread Jason Gerard DeRose
On Tue, 2009-10-13 at 22:45 -0600, Jason Gerard DeRose wrote: This removes the util.add_global_options() function and the frontend.Application class, neither of which are now needed. And *this* actually attaches the patch. ;) From c88f87dc36aed3b5e13450c0c3361c3f3469c2a5 Mon Sep 17 00:00:00

[Freeipa-devel] [PATCH] jderose 020 Make plugin browser show plugin parent class

2009-10-14 Thread Jason Gerard DeRose
It's very helpful if the plugin browser shows the parent class (or classes) that a plugin subclasses from. This small patch adds this feature. From 8dc21d6f30d1466f07b38e0d015de39a8c0d29d2 Mon Sep 17 00:00:00 2001 From: Jason Gerard DeRose jder...@redhat.com Date: Wed, 14 Oct 2009 15:08:30 -0600

Re: [Freeipa-devel] [PATCH] jderose 019 remove some cruft

2009-10-15 Thread Jason Gerard DeRose
On Wed, 2009-10-14 at 17:21 -0400, Rob Crittenden wrote: Jason Gerard DeRose wrote: On Tue, 2009-10-13 at 22:45 -0600, Jason Gerard DeRose wrote: This removes the util.add_global_options() function and the frontend.Application class, neither of which are now needed. And *this* actually

[Freeipa-devel] [PATCH] jderose 021 Fixed try/except/finally for Python 2.4 compatability

2009-10-15 Thread Jason Gerard DeRose
This should fix the build failure in the daily build. From 5fad455ff41c7ab8acb8b41ea1c9c752830ce1ea Mon Sep 17 00:00:00 2001 From: Jason Gerard DeRose jder...@redhat.com Date: Thu, 15 Oct 2009 15:00:57 -0600 Subject: [PATCH] Fixed try/except/finally for Python 2.4 compatability --- ipaserver

[Freeipa-devel] [PATCH] jderose 023 Fixed 'import json' for simplejson compatability

2009-10-16 Thread Jason Gerard DeRose
This fixes `import json` for Python 2.6. I'm just using the same compat.py from wehjit. From 292530a1e245657bc80d4a0a9f23e82144ca2e17 Mon Sep 17 00:00:00 2001 From: Jason Gerard DeRose jder...@redhat.com Date: Fri, 16 Oct 2009 11:58:28 -0600 Subject: [PATCH] Fixed 'import json' for simplejson

[Freeipa-devel] [PATCH] jderose 022 Change Password param

2009-10-16 Thread Jason Gerard DeRose
This patch allows you to provide a Password as a two item tuple or list (the password plus the password confirmation). This is the most natural way for this to work through the UI. From 8ecb97ca00600f05643f6844ab5c317d79857626 Mon Sep 17 00:00:00 2001 From: Jason Gerard DeRose jder...@redhat.com

Re: [Freeipa-devel] [PATCH] 297 use proper template string

2009-10-17 Thread Jason Gerard DeRose
On Fri, 2009-10-16 at 16:21 -0400, Rob Crittenden wrote: I goofed and didn't replace my test domain with a template string for some virtual operations. rob ack. pushed to master.

Re: [Freeipa-devel] [PATCH] 289 fix host admin acis

2009-10-17 Thread Jason Gerard DeRose
On Mon, 2009-10-12 at 15:05 +0200, Pavel Zuna wrote: Rob Crittenden wrote: It appears I missed a couple of ACI's when we changed the DN format of hosts. rob ack. Pavel ack. pushed to master.

Re: [Freeipa-devel] [PATCH] 295 client Makefile target

2009-10-17 Thread Jason Gerard DeRose
On Mon, 2009-10-12 at 16:01 -0400, Rob Crittenden wrote: This adds a few new targets to the top-level Makefile, most notably client and client-rpms. Using this you can more easily build just the client pieces of IPA. rob ack. pushed to master. Did you mean to leave the `ipa` script out

Re: [Freeipa-devel] [PATCH] jderose 022 Change Password param

2009-10-19 Thread Jason Gerard DeRose
On Mon, 2009-10-19 at 15:14 +0200, Pavel Zuna wrote: Jason Gerard DeRose wrote: This patch allows you to provide a Password as a two item tuple or list (the password plus the password confirmation). This is the most natural way for this to work through the UI. ack. Pavel pushed

Re: [Freeipa-devel] Integer parameters

2009-10-19 Thread Jason Gerard DeRose
On Mon, 2009-10-19 at 10:24 -0400, John Dennis wrote: On 10/19/2009 09:12 AM, Pavel Zuna wrote: John Dennis wrote: I wanted to assure myself if a command was expecting an integer value, it could be input in whatever radix the user desires and be correctly converted. If I understand

Re: [Freeipa-devel] [PATCH] 298 more GER helpers

2009-10-21 Thread Jason Gerard DeRose
On Tue, 2009-10-20 at 11:58 -0400, Rob Crittenden wrote: Add 2 new Get Effective Rights helpers for adding and deleting entries. These will be useful in the UI for determining what things a user can do. rob ack. pushed to master.

Re: [Freeipa-devel] [PATCH] 299 request certs for other hosts

2009-10-21 Thread Jason Gerard DeRose
On Tue, 2009-10-20 at 12:02 -0400, Rob Crittenden wrote: First pass at enforcing certificates be requested from same host We want to only allow a machine to request a certificate for itself, not for other machines. I've added a new taskgroup which will allow this. The requesting IP is

Re: [Freeipa-devel] [PATCH] 300 fix hostname in dns lookup

2009-10-21 Thread Jason Gerard DeRose
On Tue, 2009-10-20 at 22:24 -0400, Rob Crittenden wrote: When looking up the hostname for doing cert comparisons I wasn't removing the trailing dot (so nothing matched). rob ack. pushed to master.

Re: [Freeipa-devel] [PATCH] 301 require host before service

2009-10-21 Thread Jason Gerard DeRose
On Tue, 2009-10-20 at 22:24 -0400, Rob Crittenden wrote: Require that a host exist before trying to add a service for it. rob ack. pushed to master.

[Freeipa-devel] [PATCH] jderose 025 Add mod_python adapter and some UI tuning

2009-10-22 Thread Jason Gerard DeRose
This patch fixes the depreciated mod_proxy config (was used for TurboGears) and lays a bit of related ground work for my turning patch, which I still have a few days of work on. From cc63a119a629eb88982a3df93f5f16f875690d2d Mon Sep 17 00:00:00 2001 From: Jason Gerard DeRose jder...@redhat.com Date

Re: [Freeipa-devel] validating return values in XML-RPC

2009-10-22 Thread Jason Gerard DeRose
So I've been thinking about this as I've been doing the UI tuning (extending meta-data and making the engine smarter). I agree with John that we need to describe the return values programmatically. We can also kill two birds with one stone here because the description of the return values is a

Re: [Freeipa-devel] Fedora12: Looping detected inside krb5_get_in_tkt

2009-10-25 Thread Jason Gerard DeRose
On Thu, 2009-10-22 at 19:57 -0400, Nalin Dahyabhai wrote: On Mon, Oct 12, 2009 at 10:17:21PM -0600, Jason Gerard DeRose wrote: To help ensure that my new UI patch won't break our daily builds, I've tried building it under Fedora 12 as it has python-assets and python-wehjit. It builds fine

Re: [Freeipa-devel] [PATCH] 302 clean up join plugin

2009-10-25 Thread Jason Gerard DeRose
On Fri, 2009-10-23 at 18:40 +0200, Pavel Zůna wrote: Rob Crittenden wrote: Remove a bunch of unused imports, add some docstrings, etc. rob ack. Pavel ack. pushed to master.

Re: [Freeipa-devel] [PATCH] jderose 025 Add mod_python adapter and some UI tuning

2009-10-26 Thread Jason Gerard DeRose
On Fri, 2009-10-23 at 14:36 -0400, Rob Crittenden wrote: Jason Gerard DeRose wrote: This patch fixes the depreciated mod_proxy config (was used for TurboGears) and lays a bit of related ground work for my turning patch, which I still have a few days of work on. The ipa-rewrite stuff

Re: [Freeipa-devel] [PATCH] jderose 025 Add mod_python adapter and some UI tuning

2009-10-27 Thread Jason Gerard DeRose
On Tue, 2009-10-27 at 17:17 -0400, Rob Crittenden wrote: Jason Gerard DeRose wrote: On Fri, 2009-10-23 at 14:36 -0400, Rob Crittenden wrote: Jason Gerard DeRose wrote: This patch fixes the depreciated mod_proxy config (was used for TurboGears) and lays a bit of related ground work for my

Re: [Freeipa-devel] [PATCH] 303 proper syntax for fqdn

2009-10-28 Thread Jason Gerard DeRose
On Tue, 2009-10-27 at 21:56 -0400, Rob Crittenden wrote: The schema defined the syntax for the fqdn attribute as using DN syntax. It should use Directory String syntax. rob ack from me. simple patch, doesn't break anything as far as I can tell. but maybe we should also get an ack from

[Freeipa-devel] [PATCH] jderose 026 ipa-server-install now renders UI assets

2009-11-02 Thread Jason Gerard DeRose
they won't break anything. For more info on the approach I'm taking for asset management and use of the Expires header, see: http://jderose.fedorapeople.org/assets/current/apidoc/ From e20083bf71c8ca70625306ff8e12d49fe92c5529 Mon Sep 17 00:00:00 2001 From: Jason Gerard DeRose jder

Re: [Freeipa-devel] [PATCH] 304 hosts requesting certificates

2009-11-03 Thread Jason Gerard DeRose
On Wed, 2009-10-28 at 17:41 -0400, Rob Crittenden wrote: I had originally implemented allowing a host to request certificates for other hosts using the requesting IP address. That was a pretty lousy way to do it. This patch uses the DS ACI system instead. We came up with a clever ACI

Re: [Freeipa-devel] [PATCH] 304 hosts requesting certificates

2009-11-03 Thread Jason Gerard DeRose
On Tue, 2009-11-03 at 09:37 -0500, Rob Crittenden wrote: Jason Gerard DeRose wrote: On Wed, 2009-10-28 at 17:41 -0400, Rob Crittenden wrote: I had originally implemented allowing a host to request certificates for other hosts using the requesting IP address. That was a pretty lousy way

Re: [Freeipa-devel] [PATCH] 305 remove a principal from a keytab

2009-11-03 Thread Jason Gerard DeRose
On Fri, 2009-10-30 at 16:30 -0400, Rob Crittenden wrote: I wasn't able to find a command-line program to remove principals from a keytab so I wrote my own. ktutil can do it but it doesn't take command-line arguments. Java ships a utility named ktab but adding a huge dependency for one app

Re: [Freeipa-devel] [PATCH] 306 selinux policy for assets

2009-11-04 Thread Jason Gerard DeRose
On Tue, 2009-11-03 at 15:29 -0500, Rob Crittenden wrote: This adds some SELinux policy for /var/cache/ipa/assets and /var/cache/ipa/sessions. I've also disabled Indexing on /ipa-assets and removed the deprecated IPADebug option. This effectively removes ipa_webgui too. I've left the

Re: [Freeipa-devel] [PATCH] Add 'File' parameter type.

2009-11-09 Thread Jason Gerard DeRose
On Fri, 2009-11-06 at 11:46 +0100, Pavel Zuna wrote: Accepts filenames and loads file contents as parameter value. In CLI, the 'stdin_if_missing' kwarg can be used to read the file from stdin if no filename has been entered. Pavel ack. pushed to master.

Re: [Freeipa-devel] [PATCH] Use File parameter for CSR in cert_request command plugin.

2009-11-09 Thread Jason Gerard DeRose
On Fri, 2009-11-06 at 11:47 +0100, Pavel Zuna wrote: Makes use of the new File parameter introduced in my previous patch. Pavel ack. pushed to master.

[Freeipa-devel] Return values, CRUD, webUI

2009-11-16 Thread Jason Gerard DeRose
The vast majority of our Command plugins subclass from one of the CRUD base classes, so in terms of return value consistency and API style, we need to focus most on them (and then adapt their style to the few non-CRUD commands). While hooking up the webUI there have been many, many small problems

Re: [Freeipa-devel] [PATCH] 307 enforce scalar

2009-11-17 Thread Jason Gerard DeRose
On Wed, 2009-11-04 at 09:46 -0500, Rob Crittenden wrote: _convert_scalar() should not handle tuples/lists (by definition). A parameter may be multivalued but even then _convert_scalar() gets the values one at a time. rob ack. pushed to master.

Re: [Freeipa-devel] [PATCH] 308 manage arbitrary attributes

2009-11-17 Thread Jason Gerard DeRose
On Tue, 2009-11-10 at 12:28 -0500, Rob Crittenden wrote: Jason Gerard DeRose wrote: Oops, was this missing the attachment? ;) Bah, here it is. rob ack. pushed to master. On Wed, 2009-11-04 at 16:04 -0500, Rob Crittenden wrote: This adds 2 new parameters, --setattr and --addattr

Re: [Freeipa-devel] [PATCH] 309 make exception from ipautil.run() optional

2009-11-17 Thread Jason Gerard DeRose
On Wed, 2009-11-11 at 11:41 -0500, Rob Crittenden wrote: Rob Crittenden wrote: There are probably occasions where a caller will want more control over what happens when running a command fails. I've added an optional argument to run where it will not raise an exception on errors.

Re: [Freeipa-devel] Return values, CRUD, webUI

2009-11-19 Thread Jason Gerard DeRose
On Wed, 2009-11-18 at 15:15 +0100, Pavel Zuna wrote: Jason Gerard DeRose wrote: The vast majority of our Command plugins subclass from one of the CRUD base classes, so in terms of return value consistency and API style, we need to focus most on them (and then adapt their style to the few

Re: [Freeipa-devel] [PATCH] 310 clean up ipa-join return values

2009-11-19 Thread Jason Gerard DeRose
On Wed, 2009-11-11 at 11:36 -0500, Rob Crittenden wrote: ipa-join calls ipa-getkeytab and returns whatever return value it does so I want to be careful not to overlap the values and keep things unique or meaning the same thing in both. This patch cleans up a few places. rob ack.

Re: [Freeipa-devel] [PATCH] 311 more integrated client install

2009-11-19 Thread Jason Gerard DeRose
On Wed, 2009-11-11 at 11:39 -0500, Rob Crittenden wrote: This patch integrates ipa-join and ipa-rmkeytab into the client installer. This will join a machine to the IPA realm and fetch a host principal for /etc/krb5.keytab. On uninstall all principals for the realm will be removed from

Re: [Freeipa-devel] [PATCH] Print only one line of docstrings in command listings.

2009-11-24 Thread Jason Gerard DeRose
On Thu, 2009-11-19 at 15:57 +0100, Pavel Zuna wrote: Full docstring is shown on `ipa help COMMAND` Pavel nack. There is already a Plugin.summary attribute containing the first line of the docstring. See ipalib/plugable.py line 170.

Re: [Freeipa-devel] [PATCH] 315 tab completion for ipa command

2009-11-25 Thread Jason Gerard DeRose
On Mon, 2009-11-23 at 16:20 -0500, Rob Crittenden wrote: Rob Crittenden wrote: This adds bash tab completion for the ipa command. Note that this is sourced when you log in, so installing the package isn't enough to load this file. Alternatively you can do: % source

Re: [Freeipa-devel] [PATCH] 312 fix some ACI parsing bugs

2009-11-25 Thread Jason Gerard DeRose
On Thu, 2009-11-12 at 13:17 -0500, Rob Crittenden wrote: This fixes 2 bugs in the ACI parser: 1. When looking for the version section I wasn't specific enough. If the aci had the attribute nsosversion in it this was found instead. I switched it to look for version 3.0 instead. This removes

Re: [Freeipa-devel] [PATCH] 313 fix aci plugin host helper

2009-11-25 Thread Jason Gerard DeRose
On Thu, 2009-11-12 at 13:23 -0500, Rob Crittenden wrote: When creating an aci to cover host objects the wrong attribute is used in the DN. It should be using fqdn, not cn. rob ack. pushed to master.

Re: [Freeipa-devel] [PATCH] 317 fix location of CA

2009-11-25 Thread Jason Gerard DeRose
On Thu, 2009-11-19 at 11:40 -0500, Rob Crittenden wrote: The output of ipa-server-install pointed to the old location of the self-signed database, the 389-DS instance. It is now stored in the Apache NSS database. Also set a db password on the 389-DS NSS database. It was using a blank

Re: [Freeipa-devel] [PATCH] jderose 027 Extensible return values

2009-11-25 Thread Jason Gerard DeRose
On Wed, 2009-11-25 at 12:05 -0500, Rob Crittenden wrote: This is purely from reading the patch, I haven't applied and tested it yet. ipalib/output.py: +primary_key = Output('primary_key', unicode, +'The primary key of the deleted entry' +) This isn't only for deleted entries,

Re: [Freeipa-devel] [PATCH] 285 CRL publishing

2009-11-25 Thread Jason Gerard DeRose
On Wed, 2009-11-25 at 13:45 -0500, Rob Crittenden wrote: Jason Gerard DeRose wrote: On Tue, 2009-11-17 at 15:06 -0500, Rob Crittenden wrote: This enables CRL publishing by dogtag to a place where Apache can get the files. I have to do a couple of tricks here because dogtag

Re: [Freeipa-devel] [PATCH] 285 CRL publishing

2009-11-25 Thread Jason Gerard DeRose
On Wed, 2009-11-25 at 15:09 -0500, Rob Crittenden wrote: Jason Gerard DeRose wrote: On Wed, 2009-11-25 at 13:45 -0500, Rob Crittenden wrote: Jason Gerard DeRose wrote: On Tue, 2009-11-17 at 15:06 -0500, Rob Crittenden wrote: This enables CRL publishing by dogtag to a place where Apache

Re: [Freeipa-devel] [PATCH] 318 add PKCS#10 parser

2009-11-30 Thread Jason Gerard DeRose
On Tue, 2009-11-24 at 16:17 -0500, Rob Crittenden wrote: The pyOpenSSL PKCS#10 parser doesn't provide a way to get to attributes so we can't get the subject alt names (or other interesting bits). This pyasn1-based parser adds that support. I'm also switching to the pyasn1 X509v3 support

Re: [Freeipa-devel] [PATCH] 319 add -s option to ipa-join

2009-11-30 Thread Jason Gerard DeRose
On Wed, 2009-11-25 at 11:37 -0500, Rob Crittenden wrote: In ipa-client-install we do the ipa-join before creating any of the configuration files. I added a -s option to ipa-join to specify the IPA server since it won't be defined in /etc/ipa/default.conf yet. I discovered to my chagrin

Re: [Freeipa-devel] [PATCH] 320 remove /etc/ipa/ipa.conf

2009-11-30 Thread Jason Gerard DeRose
On Wed, 2009-11-25 at 17:43 -0500, Rob Crittenden wrote: The configuration file /etc/ipa/ipa.conf was used by the v1 clients and servers to manually set realm, domain and server(s). This has been renamed to /etc/ipa/default.conf in v2. Some old utilities still referenced this old file and

Re: [Freeipa-devel] [PATCH] 320 remove /etc/ipa/ipa.conf

2009-12-01 Thread Jason Gerard DeRose
On Tue, 2009-12-01 at 10:36 -0500, Rob Crittenden wrote: Jason Gerard DeRose wrote: On Wed, 2009-11-25 at 17:43 -0500, Rob Crittenden wrote: The configuration file /etc/ipa/ipa.conf was used by the v1 clients and servers to manually set realm, domain and server(s). This has been renamed

Re: [Freeipa-devel] [PATCH] 323 type argument for x509.load_certificate()

2009-12-01 Thread Jason Gerard DeRose
On Tue, 2009-12-01 at 17:20 -0500, Rob Crittenden wrote: Add a type argument (PEM or DER) for x509.load_certificate(). Certs are coming out of LDAP as binary so we need to be able to handle that too. Seems more sane to add an argument than to base64-encode it. rob ack. pushed to master.

Re: [Freeipa-devel] [PATCH] 324 add errors.NotImplementedError

2009-12-01 Thread Jason Gerard DeRose
On Tue, 2009-12-01 at 17:23 -0500, Rob Crittenden wrote: This deprecates a similar patch from John last month. The server-side baseclass rabase defines a framework for CA plugins. When I added this code I set it up to return errors.NotImplementedError but didn't actually include that error

[Freeipa-devel] [PATCH] jderose 028 Lossless datetime round-trip

2009-12-02 Thread Jason Gerard DeRose
92ce9fa408f4b2e05cb61e3e40498b56cb709960 Mon Sep 17 00:00:00 2001 From: Jason Gerard DeRose jder...@redhat.com Date: Wed, 2 Dec 2009 21:41:24 -0700 Subject: [PATCH] Allow lossless round-trip of datetime objects over XML-RPC --- ipalib/rpc.py |9 +++-- tests/test_ipalib/test_rpc.py | 28

Re: [Freeipa-devel] [PATCH] jderose 028 Lossless datetime round-trip

2009-12-03 Thread Jason Gerard DeRose
On Thu, 2009-12-03 at 11:56 -0500, Rob Crittenden wrote: Jason Gerard DeRose wrote: As per John's request, this patch allows lossless round-tripping of Python datetime.datetime objects. Unfortunately, the xmlrpclib dumps() and loads() functions use funny wrapper objects like

Re: [Freeipa-devel] [PATCH] 325 test for cert plugin

2009-12-03 Thread Jason Gerard DeRose
On Wed, 2009-12-02 at 13:11 -0500, Rob Crittenden wrote: John Dennis wrote: On 12/01/2009 11:19 PM, Rob Crittenden wrote: An extremely basic test for the cert plugin. Only tests the cert-request command but it's a start. I think the test should also check for the correct return type.

Re: [Freeipa-devel] [PATCH] 326 bump IPA install version

2009-12-03 Thread Jason Gerard DeRose
On Wed, 2009-12-02 at 16:26 -0500, Rob Crittenden wrote: We store a rough version of IPA at install time in the base object, bump this up to V2.0 rob ack. pushed to master.

[Freeipa-devel] Declarative tests

2009-12-04 Thread Jason Gerard DeRose
, and this is a fast, dirty, and fun way to get there. -Jason patch soon DeRose # Authors: # Rob Crittenden rcrit...@redhat.com # Pavel Zuna pz...@redhat.com # Jason Gerard DeRose jder...@redhat.com # # Copyright (C) 2008, 2009 Red Hat # see file 'COPYING

Re: [Freeipa-devel] [PATCH] jderose 027 Extensible return values

2009-12-10 Thread Jason Gerard DeRose
On Wed, 2009-12-09 at 23:08 -0500, Rob Crittenden wrote: Jason Gerard DeRose wrote: Okay, here's a revised patch. Significant additions/changes from the previous version are: 1. The return value dict now includes a 'summary' value, something like 'Added user jdoe'. This summary

Re: [Freeipa-devel] [PATCH] 328 force deletion of replica

2009-12-11 Thread Jason Gerard DeRose
On Mon, 2009-12-07 at 23:06 -0500, Rob Crittenden wrote: This adds an option to ipa-replica-manage, --force, that will let you force the deletion of a replication agreement. Before this both ends had to be up and running for this to work, so that the agreement could be removed on both

Re: [Freeipa-devel] [PATCH] 330 remove delegation patch

2009-12-11 Thread Jason Gerard DeRose
On Fri, 2009-12-11 at 17:39 -0500, Rob Crittenden wrote: The delegation patch was migrated from v1 and pretty much deprecated from the get-go. Let's finally put this thing down. It was replaced by the aci plugin. rob ack. pushed to master.

Re: [Freeipa-devel] [PATCH] 331 add more options to make-test

2009-12-11 Thread Jason Gerard DeRose
On Fri, 2009-12-11 at 17:41 -0500, Rob Crittenden wrote: I like using the --pdb and --pdb-failures options with make-test. Add these to the make-test script to be passed along to nosetests. rob Thanks for adding this, Rob. ack. pushed to master.

Re: [Freeipa-devel] [PATCH] 329 real services

2009-12-11 Thread Jason Gerard DeRose
On Mon, 2009-12-07 at 23:21 -0500, Rob Crittenden wrote: Make the IPA server host and its services real IPA entries We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of

Re: [Freeipa-devel] [PATCH] jderose 029 host and hostgroup messages, tests

2009-12-14 Thread Jason Gerard DeRose
I attached this again in case the incorrect .pach extension caused problems for anyone. On Mon, 2009-12-14 at 13:37 -0700, Jason Gerard DeRose wrote: This patch: * Adds correct translatable `msg_summary` attributes on the host and hostgroup plugins * Rewrites the host and hostgroup

Re: [Freeipa-devel] [PATCH] 332 aci return values

2009-12-14 Thread Jason Gerard DeRose
On Fri, 2009-12-11 at 17:42 -0500, Rob Crittenden wrote: Convert the aci plugin to understand the new return values system. I had to do some hacks here because the aci plugin returns a single unicode value back representing the aci, not a set of attributes. rob ack. pushed to master.

Re: [Freeipa-devel] [PATCH] 333 add some labels

2009-12-14 Thread Jason Gerard DeRose
On Fri, 2009-12-11 at 17:42 -0500, Rob Crittenden wrote: The hostgroup and netgroup plugins were missing some labels in their Params. rob ack. pushed to master.

Re: [Freeipa-devel] [PATCH] 334 add aci tests

2009-12-14 Thread Jason Gerard DeRose
On Fri, 2009-12-11 at 17:43 -0500, Rob Crittenden wrote: Add an extremely simple set of tests for the aci plugin. At this point something is better than nothing. rob ack. pushed to master.

Re: [Freeipa-devel] [PATCH] 338 make hosts more like IPA services

2009-12-16 Thread Jason Gerard DeRose
On Wed, 2009-12-16 at 16:16 -0500, Rob Crittenden wrote: Since the host entry contains the host/ principal it needs to look a bit more like a service in order to be able to store certificates in it. This should make IPA work better with certmonger. rob ack. pushed to master.

Re: [Freeipa-devel] [PATCH] 342 control the certificate subject in dogtag

2010-01-08 Thread Jason Gerard DeRose
On Fri, 2009-12-18 at 11:05 -0500, Rob Crittenden wrote: Use the caIPAserviceCert profile for issuing service certs. This profile enables subject validation and ensures that the subject that the CA issues is uniform. The client can only request a specific CN, the rest of the subject is

Re: [Freeipa-devel] [PATCH] Allow creation of new connections by unshared instances of backend.Connectible.

2010-01-08 Thread Jason Gerard DeRose
On Tue, 2010-01-05 at 14:10 +0100, Pavel Zuna wrote: The backend.Connectible base class was designed so that only one instance of each subclass is used at a time. Connectible generates a Connection object for each thread and stores it in thread-local storage (context). Subclasses access

[Freeipa-devel] [PATCH] jderose 033 Fix fuzzy digigits under Fedora12

2010-01-11 Thread Jason Gerard DeRose
Mon Sep 17 00:00:00 2001 From: Jason Gerard DeRose jder...@redhat.com Date: Sun, 10 Jan 2010 17:47:15 -0700 Subject: [PATCH] Fixed xmlrpc_test.fuzzy_digits for Fedora12 --- tests/test_xmlrpc/xmlrpc_test.py |2 +- tests/util.py|2 +- 2 files changed, 2 insertions(+), 2

Re: [Freeipa-devel] [PATCH] Improve modlist generation in ldap2. Some code cleanup as bonus.

2010-01-11 Thread Jason Gerard DeRose
On Tue, 2010-01-05 at 15:01 +0100, Pavel Zuna wrote: ldap2._generate_modlist now uses more sophisticated means to decide when to use MOD_ADD+MOD_DELETE instead of MOD_REPLACE. Before it did MOD_REPLACE only on attributes explicitly specified in ldap2._FORCE_REPLACE_ON_UPDATE_ATTRS. Now it

[Freeipa-devel] Announcing wehjit 0.2.0

2010-01-21 Thread Jason Gerard DeRose
Whats new = This release adds significant client-side functionality and several new widgets. The Python API remains mostly unchanged, with the exception of one major addition: you can now make any state variable available client-side by simply creating the state descriptor with a

Re: [Freeipa-devel] Announcing wehjit 0.2.0

2010-01-25 Thread Jason Gerard DeRose
FYI, wehjit 0.2.0 has landed in Fedora 12. Just `yum install python-wehjit`. On Thu, 2010-01-21 at 09:46 -0700, Jason Gerard DeRose wrote: Whats new = This release adds significant client-side functionality and several new widgets. The Python API remains mostly unchanged

[Freeipa-devel] [PATCH] jderose 034 Enable WebUI CRUDS using wehjit 0.2.0

2010-01-26 Thread Jason Gerard DeRose
some niceties that still need a bit more testing and tweaking. From 073cea91cca082ec0f8d4d0644ff9db1961bfba9 Mon Sep 17 00:00:00 2001 From: Jason Gerard DeRose jder...@redhat.com Date: Tue, 26 Jan 2010 06:39:00 -0700 Subject: [PATCH] Enabled CRUDS in webUI using wehjit 0.2.0 --- ipalib/plugable.py

Re: [Freeipa-devel] not ascii, not utf-8, what's a parser supposed to do?

2010-01-26 Thread Jason Gerard DeRose
On Tue, 2010-01-26 at 17:28 -0500, John Dennis wrote: I've run into a small problem with xgettext. By default xgettext expects all strings in an input file to be encoded in ascii. It will also allow you to override that by specifying the strings in the input file are utf-8. In

[Freeipa-devel] [PATCH] jderose 035 Update spec to require python-wehjit = 0.2.0

2010-01-27 Thread Jason Gerard DeRose
The webui now requires wehjit 0.2.0. From 6f7aa9f687de72c16ef9b0883a0f2de8b2089a3d Mon Sep 17 00:00:00 2001 From: Jason Gerard DeRose jder...@redhat.com Date: Wed, 27 Jan 2010 00:44:00 -0700 Subject: [PATCH] Update spec to require python-wehjit = 0.2.0 --- ipa.spec.in |5 - 1 files

Re: [Freeipa-devel] Why do we have so much duplicated code?

2010-01-27 Thread Jason Gerard DeRose
On Tue, 2010-01-26 at 18:55 -0500, John Dennis wrote: I constantly find identical code spread across multiple files. Is there a reason for this code duplication? (Perhaps trying to keep import name spaces isolated?) It seems to me code duplication is bad software practice for obvious

[Freeipa-devel] [PATCH] jderose 037 Fix broken unit tests

2010-01-27 Thread Jason Gerard DeRose
b7c5a456693cae3d6ecbb717114c5a6bbf205acd Mon Sep 17 00:00:00 2001 From: Jason Gerard DeRose jder...@redhat.com Date: Wed, 27 Jan 2010 07:16:06 -0700 Subject: [PATCH] Fix broken XML-RPC tests --- tests/test_xmlrpc/objectclasses.py |1 + tests/test_xmlrpc/test_group_plugin.py |6

Re: [Freeipa-devel] [PATCH] Fix File parameter validation when prompting.

2010-01-28 Thread Jason Gerard DeRose
On Wed, 2010-01-27 at 17:53 +0100, Pavel Zuna wrote: cli.prompt_interactively now loads files before validating the parameter value. It also populates a list of already loaded files, so that cli.load_files knows when a parameter already contains the file contents. Fix #557163 Pavel

Re: [Freeipa-devel] [PATCH] 355 allow named to use ldapi

2010-01-28 Thread Jason Gerard DeRose
On Wed, 2010-01-27 at 14:53 -0500, Rob Crittenden wrote: Add SELinux rules so named can communicate to the DS over ldapi. This should fix the installation error when --setup-dns is set and SELinux is enforcing. rob I'm trying to test this out, but I'm not sure what I need to enter for

Re: [Freeipa-devel] [PATCH] Remove (un)wrap_binary_data cruft from */ipautil.py

2010-02-03 Thread Jason Gerard DeRose
On Thu, 2010-01-28 at 12:35 -0500, John Dennis wrote: Remove SAFE_STRING_PATTERN, safe_string_re, needs_base64(), wrap_binary_data(), unwrap_binary_data() from both instances of ipautil.py. This code is no longer in use and the SAFE_STRING_PATTERN regular expression string was causing xgettext
