[Freeipa-devel] [PATCH] 240 Better cert nickname handling

2009-07-23 Thread Rob Crittenden
-signed CA awareness so I'm not sure how I'm going to tackle that yet but I suspect that I'll simply make it the default if no CA is found (along with a log entry saying so). rob From 7c97c6c1e5201c9fc483d4713d5e21c0e2ca0201 Mon Sep 17 00:00:00 2001 From: Rob Crittenden rc...@thor.greyoak.com Date

Re: [Freeipa-devel] [PATCH] Fix SELinux compilation on Fedora 11

2009-07-23 Thread Rob Crittenden
Simo Sorce wrote: On Wed, 2009-07-01 at 15:52 -0400, Rob Crittenden wrote: Fedora 11 replaced a SELinux macro which was causing the build to fail. Dan Walsh provided a patch to fix it and this patch integrates it into the tree. I've added a conditional so that the same policy file should

[Freeipa-devel] [PATCH] 242 new method to identify CAs to trust

2009-07-23 Thread Rob Crittenden
A new way to identify the CAs to trust when importing a PKCS#12 file (like during replica installation). We used to use certutil -O but Fedora 11 changed certutil so it doesn't show untrusted CAs (the whole point of running the command). Instead parse the output of pk12util -l to find the

Re: [Freeipa-devel] [PATCH] 243 clean up v1.2 LDAP module

2009-07-30 Thread Rob Crittenden
Martin Nagy wrote: On Wed, 29 Jul 2009 10:12:51 -0400, Rob Crittenden rcrit...@redhat.com wrote: The 1.2 LDAP module was throwing a deprecation warning for using popen2 and pychecker found a slew of other issues as well. This patch removes a bunch of unused imports, renames some variables

Re: [Freeipa-devel] [PATCHES] All-around improvements to baseldap.py classes.

2009-07-31 Thread Rob Crittenden
Pavel Zůna wrote: 0001: Enable attribute re-mapping and ordering when printing entries. Also print multiple values on one line separated by commas. Ok, though we'll have to see what that looks like on very large values. One thing I'm thinking is memberOf. In v1 when showing a user you'd also

Re: [Freeipa-devel] [PATCH] Replace TYPE_ERROR by ValidationError

2009-07-31 Thread Rob Crittenden
Pavel Zůna wrote: No more tracebacks when an INT parameter is beyond the type limit. Fix bug: 5107333 There will probably be more patches similar to this one in the future. TYPE_ERROR is used in several places where a better suited exception is available. ack smime.p7s Description:

Re: [Freeipa-devel] [PATCH] Fix typo bug in aci.py

2009-07-31 Thread Rob Crittenden
Pavel Zůna wrote: Pavel ack smime.p7s Description: S/MIME Cryptographic Signature ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] Re: [PATCH] Add option in baseldap classes to display unaltered LDAP entries.

2009-08-05 Thread Rob Crittenden
Pavel Zuna wrote: The option in question is '--raw'. In the future all plugins (extending classes in baseldap) will have 2 types of output - one human-readable and one raw (as stored in LDAP). It's going to look something like this: # ./ipa user-show pzuna --all -- user-show:

[Freeipa-devel] [PATCH] 253 fix BaseException.message deprecation warning

2009-08-20 Thread Rob Crittenden
Fix a Python 2.6 deprecation warning in the master branch. rob freeipa-253-warning.patch Description: application/mbox

[Freeipa-devel] [PATCH] 255 publish CRLs

2009-08-24 Thread Rob Crittenden
This patch configures the CA to publish CRLs and makes that directory available via Apache so one can retrieve them. The URI will be /ipa/crl/ I made that directory indexable so one can pull delta CRLs or older ones if desired. There is always a symbolic link to the latest named

[Freeipa-devel] [PATCH] 258 Enable ldapi in kerberos backend

2009-08-27 Thread Rob Crittenden
This enables ldapi in the kerberos backend. rob freeipa-258-ldapi.patch Description: application/mbox

Re: [Freeipa-devel] [PATCH] 256 allow uid/gid starting number to be set

2009-08-27 Thread Rob Crittenden
Martin Nagy wrote: On Wed, 2009-08-26 at 11:20 -0400, Rob Crittenden wrote: Ok, I think I've addressed all the issues raised. I've included Martin's cleaner lambda-based evaluator and the default uid/gid is now a random value between 1,000,000 and (2^31 - 1,000,000). rob

Re: [Freeipa-devel] [PATCH] 257 Enable ldapi in the management framework

2009-08-28 Thread Rob Crittenden
Loris Santamaria wrote: El jue, 27-08-2009 a las 21:31 -0400, Rob Crittenden escribió: Loris Santamaria wrote: El mié, 26-08-2009 a las 14:13 -0400, Rob Crittenden escribió: This enables an ldapi listening socket in the LDAP server and configures the management framework to use it instead

Re: [Freeipa-devel] [PATCH] Introduce a list of attributes for which only MOD_REPLACE operations are generated.

2009-08-28 Thread Rob Crittenden
Pavel Zuna wrote: Fixes bug 519481. Pavel ack, pushed to master rob

[Freeipa-devel] [PATCH] 260 allow a CA to be regenerated

2009-08-28 Thread Rob Crittenden
Add an option so we can generate a new cert for a CA. This is so we can ultimately fix the missing CA basic constraint but it will also allow the CA to be renewed. This also fixes a small bug when generating the CA basic constraint. It wasn't getting set as Critical because somehow I had it

[Freeipa-devel] [QUASI-PATCH] issue new CA certificate

2009-08-28 Thread Rob Crittenden
distribution since it only applies to existing installs. I'd appreciate any thoughts on that as well. rob #! /usr/bin/python -E # Authors: Rob Crittenden rcrit...@redhat.com # # Copyright (C) 2009 Red Hat # see file 'COPYING' for use and warranty information # # This program is free software; you can

[Freeipa-devel] [PATCH] 261 Many SELinux fixes

2009-08-28 Thread Rob Crittenden
The ldapi code I committed yesterday didn't work with SELinux enabled. This patch addresses that. On Python 2.5+ systems the mgmt framework didn't work with SELinux enabled because of the ctypes module. It does all sorts of crazy stuff which makes SELinux absolutely freak out (it tries to

Re: [Freeipa-devel] [PATCH] jderose 011 Fleshed out krb plugin and added example of scripting against Python API

2009-08-31 Thread Rob Crittenden
Jason Gerard DeRose wrote: Attached is an update to this patch that now correctly applies. ack

Re: [Freeipa-devel] [PATCH 2/3] Remove old --setup-bind option

2009-09-02 Thread Rob Crittenden
Martin Nagy wrote: Since we are changing the behaviour of the --setup-dns option substantially, we might as well remove the old --setup-bind option. Martin ack

[Freeipa-devel] [PATCH] 264 own IPA httpd conf files

2009-09-02 Thread Rob Crittenden
For IPA 1-2 Have our spec file own the Apache configuration files we create. rob freeipa-264-spec.patch Description: application/mbox

Re: [Freeipa-devel] [PATCH] 263 Tighten up upgrade detection

2009-09-04 Thread Rob Crittenden
Simo Sorce wrote: On Wed, 2009-09-02 at 18:03 -0400, Rob Crittenden wrote: We have an upgrade script that runs in rpm %post to see if an existing installation needs to be updated. This sometimes printed spurious error messages that were confusing. This patch attempts to tighten things up

Re: [Freeipa-devel] [PATCH] 264 own IPA httpd conf files

2009-09-04 Thread Rob Crittenden
Simo Sorce wrote: On Wed, 2009-09-02 at 18:04 -0400, Rob Crittenden wrote: For IPA 1-2 Have our spec file own the Apache configuration files we create. ACK Simo. pushed to ipa-1-2

[Freeipa-devel] Re: [PATCHES] Improve ipalib.plugins.baseldap classes.

2009-09-08 Thread Rob Crittenden
Pavel Zůna wrote: - remove obsolete code related to PluginProxy - remove parent_key attribute, for the purpose of nested objects the parent's primary key is retrieved automatically - added support for auto-generating UUIDs - make use of the improved attribute printing in CLI !!! depends on

Re: [Freeipa-devel] [PATCH] Fix bug in dns_find - execute() returned different value than expected.

2009-09-08 Thread Rob Crittenden
Pavel Zůna wrote: dns_find.execute() wasn't returning the truncated (truncated search results) flag. It threw an exception when invoked. ack, pushed to master

[Freeipa-devel] [PATCH] 265 fix dnaMaxValue

2009-09-08 Thread Rob Crittenden
Ensure that dnaMaxValue is higher than dnaNextValue at install time. If you don't specify a specific uid/gid start value then a random one gets set. We need to be sure that the max value is more than this. I picked a 10 range to ensure that there is some headroom for replicas. rob

[Freeipa-devel] Re: [PATCHES] Improve ipalib.plugins.baseldap classes.

2009-09-09 Thread Rob Crittenden
Pavel Zuna wrote: Rob Crittenden wrote: Pavel Zůna wrote: - remove obsolete code related to PluginProxy - remove parent_key attribute, for the purpose of nested objects the parent's primary key is retrieved automatically - added support for auto-generating UUIDs - make use of the improved

[Freeipa-devel] Re: [PATCHES] Add support for different automount maps per location.

2009-09-09 Thread Rob Crittenden
Pavel Zůna wrote: 0007: Add support for different automount maps per location. This patch enabled us to have a different set of automount maps per location and to manage those locations via command plugins. To add a new location: ipa automountlocation-add Brno To add a map to this

Re: [Freeipa-devel] Re: [PATCHES] Add support for different automount maps per location.

2009-09-09 Thread Rob Crittenden
Rob Crittenden wrote: Pavel Zůna wrote: 0007: Add support for different automount maps per location. This patch enabled us to have a different set of automount maps per location and to manage those locations via command plugins. To add a new location: ipa automountlocation-add Brno To add

Re: [Freeipa-devel] [PATCH] 265 fix dnaMaxValue

2009-09-09 Thread Rob Crittenden
Martin Nagy wrote: Rob Crittenden wrote: Ensure that dnaMaxValue is higher than dnaNextValue at install time. If you don't specify a specific uid/gid start value then a random one gets set. We need to be sure that the max value is more than this. I picked a 10 range to ensure

[Freeipa-devel] Re: [PATCH] Fix typos and minor bugs in baseldap. Add --all to LDAPUpdate.

2009-09-10 Thread Rob Crittenden
Pavel Zůna wrote: Fixes some minor things in baseldap. It also adds the --all option (to display all attributes) to LDAPUpdate. Pavel Why are you not returning failed anymore with post_callback? rob

[Freeipa-devel] Re: [PATCH] Automatically generate an auto.master map for new automount location.

2009-09-10 Thread Rob Crittenden
Pavel Zůna wrote: I thought that it might be a good idea to automatically generate the auto.master map for new locations. It depends on my previous automount patch. Pavel Question: do we need a method to return all maps? Jason might need this in the UI. ack and pushed to master

Re: [Freeipa-devel] [PATCH] 259 Fix selinux issue with ldapi

2009-09-10 Thread Rob Crittenden
Rob Crittenden wrote: The management framework wasn't working with SELinux over ldapi because it lacked permission to access the unix socket. This patch grants permission. Probably easier to review with the patch attached. rob freeipa-259-selinux.patch Description: application/mbox

Re: [Freeipa-devel] [PATCH] 259 Fix selinux issue with ldapi

2009-09-10 Thread Rob Crittenden
Simo Sorce wrote: On Fri, 2009-08-28 at 13:12 -0400, Rob Crittenden wrote: The management framework wasn't working with SELinux over ldapi because it lacked permission to access the unix socket. This patch grants permission. The patch itself looks good anyway, so it's an ACK for me. Simo

[Freeipa-devel] Re: [PATCH] Automatically generate an auto.master map for new automount location.

2009-09-10 Thread Rob Crittenden
Pavel Zuna wrote: Rob Crittenden wrote: Pavel Zůna wrote: I thought that it might be a good idea to automatically generate the auto.master map for new locations. It depends on my previous automount patch. Pavel Question: do we need a method to return all maps? Jason might need

[Freeipa-devel] [PATCH] 266 remove deprecated comment

2009-09-10 Thread Rob Crittenden
Remove comment about plugin naming conventions. We've dumped this convention. rob freeipa-266-deprecated.patch Description: application/mbox

[Freeipa-devel] [PATCH] 267 fix virtual plugin

2009-09-10 Thread Rob Crittenden
Fix the virtual access plugin to work with the new backend. Also do a more explicit objectviolation catch. We will switch this to use GER when that is completed. rob freeipa-267-virtual.patch Description: application/mbox

[Freeipa-devel] [PATCH] 268 explicitly set verbose to false in RPC client

2009-09-10 Thread Rob Crittenden
I've needed to set verbose to True in the rpc client and every time I have to do this I hunt around trying to figure out where to put it. This will make it easier to find next time :-) rob freeipa-268-rpc.patch Description: application/mbox

[Freeipa-devel] Re: [PATCH] Fix incorrect imports in ipa-server-certinstall. [Was: consistent use of --help on CLI?]

2009-09-11 Thread Rob Crittenden
Pavel Zuna wrote: Fixed. Pavel Zuna wrote: Dmitri Pal wrote: Pavel, Rob, What do the CLI utils do when someone uses --help parameter? Is there a consistent behavior about this? Ack, pushed to master

[Freeipa-devel] Re: [PATCH] Fix typos and minor bugs in baseldap. Add --all to LDAPUpdate.

2009-09-11 Thread Rob Crittenden
Pavel Zuna wrote: Rob Crittenden wrote: Pavel Zůna wrote: Fixes some minor things in baseldap. It also adds the --all option (to display all attributes) to LDAPUpdate. Pavel Why are you not returning failed anymore with post_callback? Because that was a mistake, I meant to return dn

[Freeipa-devel] [PATCH] 270 handle all exceptions in XML-RPC server

2009-09-11 Thread Rob Crittenden
Add a fail-safe exception handler to ensure that we destroy the request context and don't return dirty laundry to a client. If we don't do this then this process/thread will blow up the next time it handles a request because a context already exists. rob freeipa-270-exception.patch

[Freeipa-devel] [PATCH] 271 handle certificate decode errors in service

2009-09-11 Thread Rob Crittenden
In the service plugin we will attempt to revoke a server cert when a service is deleted. Add some error handling around that effort. This fixes the self-tests. rob freeipa-271-service.patch Description: application/mbox

[Freeipa-devel] IPA v1.2.2 in Fedora updates-testing

2009-09-11 Thread Rob Crittenden
IPA v1.2.2 has been released into the Fedora updates-testing repository (not quite pushed to all the mirrors yet). I'm putting it into testing so we can get some feedback on it before pushing it out to the masses. It primarily addresses the following bugs: * Fix group deletion in the web UI.

[Freeipa-devel] Re: [PATCHES] Make plugins use baseldap classes.

2009-09-11 Thread Rob Crittenden
Pavel Zůna wrote: This is a series of patches that depends on patches: - Improve attribute printing in the CLI. - Improve ipalib.plugins.baseldap classes. All plugins are converted to extend baseldap classes. This makes things more consistent, fixes some general bugs (with return values for

Re: [Freeipa-devel] [PATCH] 266 remove deprecated comment

2009-09-14 Thread Rob Crittenden
Pavel Zůna wrote: Rob Crittenden wrote: Remove comment about plugin naming conventions. We've dumped this convention. rob ack Pavel pushed to master

Re: [Freeipa-devel] [PATCH] 267 fix virtual plugin

2009-09-14 Thread Rob Crittenden
Pavel Zůna wrote: Rob Crittenden wrote: Fix the virtual access plugin to work with the new backend. Also do a more explicit objectviolation catch. We will switch this to use GER when that is completed. rob ack Pavel Pushed to master

Re: [Freeipa-devel] [PATCH] 268 explicitly set verbose to false in RPC client

2009-09-14 Thread Rob Crittenden
Pavel Zůna wrote: Rob Crittenden wrote: I've needed to set verbose to True in the rpc client and every time I have to do this I hunt around trying to figure out where to put it. This will make it easier to find next time :-) rob ack Pavel Push to master

[Freeipa-devel] [PATCH] 271 Enhance updater, add tests

2009-09-14 Thread Rob Crittenden
This patch lets the updater delete entire entries and adds a basic unit test harness. To have these tests run you need to have IPA installed locally and put the DM password into ~/.ipa/.dmpw. rob freeipa-272-updater.patch Description: application/mbox

[Freeipa-devel] Re: [PATCHES] Make plugins use baseldap classes.

2009-09-15 Thread Rob Crittenden
Pavel Zuna wrote: Rob Crittenden wrote: Pavel Zůna wrote: This is a series of patches that depends on patches: - Improve attribute printing in the CLI. - Improve ipalib.plugins.baseldap classes. All plugins are converted to extend baseldap classes. This makes things more consistent, fixes

Re: [Freeipa-devel] [PATCH] 269 external CA signing, abstract RA

2009-09-15 Thread Rob Crittenden
Pavel Zuna wrote: Rob Crittenden wrote: The RA plugin originally only supported dogtag. At some point I want to be able to do on-line replica creation and this means we need to be able to do remote cert requests. To support this I've abstracted the RA plugin and added basic self-signed CA

Re: [Freeipa-devel] [PATCH] 271 handle certificate decode errors in service

2009-09-15 Thread Rob Crittenden
Pavel Zuna wrote: Rob Crittenden wrote: In the service plugin we will attempt to revoke a server cert when a service is deleted. Add some error handling around that effort. This fixes the self-tests. rob nack. Your 269 external CA signing, abstract RA already handles them inside

[Freeipa-devel] FreeIPA v1.2.2 released

2009-09-15 Thread Rob Crittenden
The FreeIPA Project (http://freeipa.org) is proud to present FreeIPA version 1.22. FreeIPA is an integrated security information management solution combining Linux (Fedora), Fedora Directory Server, MIT Kerberos and NTP. FreeIPA binds together a number of technologies and adds a web interface

Re: [Freeipa-devel] Re: [PATCHES] Make plugins use baseldap classes.

2009-09-15 Thread Rob Crittenden
Rob Crittenden wrote: Pavel Zuna wrote: Rob Crittenden wrote: Pavel Zůna wrote: This is a series of patches that depends on patches: - Improve attribute printing in the CLI. - Improve ipalib.plugins.baseldap classes. All plugins are converted to extend baseldap classes. This makes things

[Freeipa-devel] [PATCH] 274 detect whether to uninstall the CA or not

2009-09-15 Thread Rob Crittenden
You had to pass --ca when uninstalling if you wanted the CA uninstalled. This was nuts, auto-detect it. rob freeipa-274-uninstall.patch Description: application/mbox

Re: [Freeipa-devel] [PATCH] 263 Tighten up upgrade detection

2009-09-15 Thread Rob Crittenden
Rob Crittenden wrote: Simo Sorce wrote: On Wed, 2009-09-02 at 18:03 -0400, Rob Crittenden wrote: We have an upgrade script that runs in rpm %post to see if an existing installation needs to be updated. This sometimes printed spurious error messages that were confusing. This patch attempts

[Freeipa-devel] [PATCH] 275 Fix deprecation warning

2009-09-16 Thread Rob Crittenden
This warning was logged in the Apache error log: /usr/lib/python2.6/site-packages/mod_python/importer.py:32: DeprecationWarning: the md5 module is deprecated; use hashlib instead Try to import hashlib for md5 and if it fails, fall back to the deprecated version. Tested on Python 2.4 and 2.6.

[Freeipa-devel] [PATCH] 277 properly own Apache config files

2009-09-16 Thread Rob Crittenden
I goofed on the paths in the original patch I sent on this a while back. This corrects it. I know it looks like we're creating 0-length files here but with the %ghost directive it won't create the files, just own them. rob freeipa-277-spec.patch Description: application/mbox

Re: [Freeipa-devel] [PATCH] 277 properly own Apache config files

2009-09-17 Thread Rob Crittenden
Martin Nagy wrote: On Wed, 2009-09-16 at 13:05 -0400, Rob Crittenden wrote: I goofed on the paths in the original patch I sent on this a while back. This corrects it. I know it looks like we're creating 0-length files here but with the %ghost directive it won't create the files, just own

Re: [Freeipa-devel] [PATCH] 277 properly own Apache config files

2009-09-17 Thread Rob Crittenden
Simo Sorce wrote: On Thu, 2009-09-17 at 09:06 -0400, Rob Crittenden wrote: Martin Nagy wrote: On Wed, 2009-09-16 at 13:05 -0400, Rob Crittenden wrote: I goofed on the paths in the original patch I sent on this a while back. This corrects it. I know it looks like we're creating 0-length

[Freeipa-devel] [PATCH] 278 Only initialize API once in the installer

2009-09-25 Thread Rob Crittenden
Two patches crossed in the night, both added a call to initialize the API. There can be only one. Also need to make the ldap2 plugin more flexible and not require the schema to be loaded at startup so we can initialize the API before IPA has been installed. Addresses bug 525303. rob

[Freeipa-devel] [PATCH] 279 Fix/enhance the aci plugin

2009-09-25 Thread Rob Crittenden
The aci plugin didn't quite work with the new ldap2 backend, fix that. We already walk through the target part of the ACI syntax so skip that in the regex altogether. This now lets us handle all current ACIs in IPA (some used to be ignored/skipped). Add support for user groups so one can do

Re: [Freeipa-devel] [PATCH] 279 Fix/enhance the aci plugin

2009-09-25 Thread Rob Crittenden
Rob Crittenden wrote: The aci plugin didn't quite work with the new ldap2 backend, fix that. We already walk through the target part of the ACI syntax so skip that in the regex altogether. This now lets us handle all current ACIs in IPA (some used to be ignored/skipped). Add support for user

[Freeipa-devel] [PATCH] 272 Add delete option to LDAP updater, unit tests

2009-10-05 Thread Rob Crittenden
This gives the updater the ability to delete entries and adds some unit test cases. rob freeipa-272-updater.patch Description: application/mbox

Re: [Freeipa-devel] Re: [PATCHES] Make plugins use baseldap classes.

2009-10-05 Thread Rob Crittenden
Pavel Zuna wrote: Pavel Zuna wrote: Pavel Zůna wrote: Rob Crittenden wrote: Rob Crittenden wrote: Pavel Zuna wrote: Rob Crittenden wrote: Pavel Zůna wrote: This is a series of patches that depends on patches: - Improve attribute printing in the CLI. - Improve ipalib.plugins.baseldap

[Freeipa-devel] Re: check your patches

2009-10-07 Thread Rob Crittenden
Pavel Zuna wrote: Rob Crittenden wrote: Pavel, I pushed a slew of your patches today but there were so many patches flying around that e-mail thread I may have missed something (and the tests patch doesn't apply). Can you check your patches to make sure I've applied everything? git has

[Freeipa-devel] Re: [PATCH] Fix bug in HBAC and netgroup plugin get_primary_key_from_dn methods.

2009-10-07 Thread Rob Crittenden
Pavel Zuna wrote: The method was returning tuples instead of strings in both plugins causing a mess in other plugins, when displaying netgroup/HBAC information. Pavel Assuming that the primary key doesn't exist, what meaning does returning '' have? For these 2 plugins shouldn't it always

[Freeipa-devel] [PATCH] 287 improve ipa-join

2009-10-07 Thread Rob Crittenden
I ran ipa-join on some not properly-configured clients and found a bunch of corner cases that are fixed here. This improves debugging and standard output considerably. rob freeipa-287-join.patch Description: application/mbox

[Freeipa-devel] Re: [PATCH] Fix bug in group plugin. Was using wrong variable for attributes.

2009-10-08 Thread Rob Crittenden
Pavel Zuna wrote: Fixes bug #527537: https://bugzilla.redhat.com/show_bug.cgi?id=527537 Pavel ack, pushed to master

[Freeipa-devel] Re: [PATCH] Fix bug in HBAC and netgroup plugin get_primary_key_from_dn methods.

2009-10-08 Thread Rob Crittenden
Pavel Zuna wrote: Rob Crittenden wrote: Pavel Zuna wrote: The method was returning tuples instead of strings in both plugins causing a mess in other plugins, when displaying netgroup/HBAC information. Pavel Assuming that the primary key doesn't exist, what meaning does returning '' have

[Freeipa-devel] [PATCH] 289 fix host admin acis

2009-10-08 Thread Rob Crittenden
It appears I missed a couple of ACI's when we changed the DN format of hosts. rob freeipa-289-aci.patch Description: application/mbox

Re: [Freeipa-devel] [PATCH] 290 set cert_t context on some files for selfsign plugin

2009-10-08 Thread Rob Crittenden
John Dennis wrote: On 10/08/2009 05:11 PM, Rob Crittenden wrote: I missed this file when I did the last CA patch :-( This sets the cert_t context on some files needed for the selfsign plugin to work. It needs to let httpd write the serial number file and open the NSS database. Thanks Rob

Re: [Freeipa-devel] [PATCH] 290 set cert_t context on some files for selfsign plugin

2009-10-09 Thread Rob Crittenden
Jenny Galipeau wrote: John Dennis wrote: On 10/08/2009 05:22 PM, Rob Crittenden wrote: John Dennis wrote: Thanks Rob. BTW, I was going to add a try/except block around that code in selfsign and return a non-zero status if it fails. Do we have predefined status codes I should be using? I'm

[Freeipa-devel] [PATCH] 291 use DS memberof plugin

2009-10-09 Thread Rob Crittenden
Use the DS memberof plugin instead of the one contained in the IPA source. I'm not removing that source yet, simply not building or configuring it. rob freeipa-291-memberof.patch Description: application/mbox

[Freeipa-devel] [PATCH] 292 use proper objectclass for rolegroups

2009-10-09 Thread Rob Crittenden
I was using groupofnames for rolegroups but trying to add memberof to it (bad). Use nestedgroup instead. rob freeipa-292-rolegroups.patch Description: application/mbox

Re: [Freeipa-devel] [PATCH] 286 cache installer questions

2009-10-12 Thread Rob Crittenden
Martin Nagy wrote: Hi Rob, On Wed, 2009-10-07 at 10:57 -0400, Rob Crittenden wrote: Installing a CA that is signed by another CA is a 2-step process. The first step is to generate a CSR for the CA and the second step is to install the certificate issued by the external CA. To avoid asking

Re: [Freeipa-devel] [PATCH] 288 man page for ipa-join

2009-10-12 Thread Rob Crittenden
Martin Nagy wrote: On Thu, 2009-10-08 at 11:11 -0400, Rob Crittenden wrote: Add a man page for the new ipa-join command. rob +ipa\-join [ \fB\-h\fR hostname ] [ \fB\-k\fR keytab\-file ] [ \fB\-w\fR bulk bind password ] [ \fB\-d\fR ] [ \fB\-q\fR ] Can you use something like bulk-bind
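Review bot: In the synopsis line, the `-w` placeholder is written as three space-separated words (`bulk bind password`), which reads as three separate arguments; use a single token such as `bulk\-bind\-password`, matching the way `-k` uses `keytab\-file`. Because `-w` takes a password as a command-line argument, the man page should also state that the value is visible to other local users in the process list while the command runs.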

Re: [Freeipa-devel] [PATCH] 291 use DS memberof plugin

2009-10-12 Thread Rob Crittenden
Martin Nagy wrote: On Fri, 2009-10-09 at 17:29 -0400, Rob Crittenden wrote: Use the DS memberof plugin instead of the one contained in the IPA source. I'm not removing that source yet, simply not building or configuring it. rob Looks good to me. Ack. Martin pushed to master

[Freeipa-devel] Re: [PATCH] Fix bug in HBAC and netgroup plugin get_primary_key_from_dn methods.

2009-10-12 Thread Rob Crittenden
Pavel Zuna wrote: Rob Crittenden wrote: Pavel Zuna wrote: The method was returning tuples instead of strings in both plugins causing a mess in other plugins, when displaying netgroup/HBAC information. Pavel Assuming that the primary key doesn't exist, what meaning does returning '' have

[Freeipa-devel] [PATCH] 293 use fqdn

2009-10-12 Thread Rob Crittenden
Use getfqdn() instead of the gethostname(). self.ca_host could end up as the same value as self.host and if this isn't fully-qualified then SSL client requests won't work (we query the CA over SSL). rob freeipa-293-fqdn.patch Description: application/mbox

[Freeipa-devel] [PATCH] 294 sleep before doing a task

2009-10-12 Thread Rob Crittenden
One of the last steps of an install is to run through any updates. This change adds a sleep() prior to calling tasks to ensure postop writes are done. We were seeing a rare deadlock of DS when creating the memberOf task because one thread was adding memberOf in a postop while another was

[Freeipa-devel] [PATCH] 295 client Makefile target

2009-10-12 Thread Rob Crittenden
This adds a few new targets to the top-level Makefile, most notably client and client-rpms. Using this you can more easily build just the client pieces of IPA. rob freeipa-295-client.patch Description: application/mbox

Re: [Freeipa-devel] why doesn't ipapython.ipautil.run() log what it's running?

2009-10-13 Thread Rob Crittenden
John Dennis wrote: Is there a reason why the run command (ipapython.ipautil.run()) does not log what command it's running? It logs the stdout and stderr output of the command (but without indicating what the log output is, so a lot of time it just shows up as a blank line if there was no

Re: [Freeipa-devel] [PATCH] jderose 017-2 Giant webui patch take 2

2009-10-13 Thread Rob Crittenden
Dmitri Pal wrote: Jason Gerard DeRose wrote: Okay, finally here is the revised webui patch. Since the last version, I: * Ported to various API changes between wehjit 0.0.1 and 0.1.0 * Removed the session.py stuff, which will be in a separate patch * Added the plugin browser to help

Re: [Freeipa-devel] why doesn't ipapython.ipautil.run() log what it's running?

2009-10-13 Thread Rob Crittenden
John Dennis wrote: On 10/13/2009 02:25 PM, Rob Crittenden wrote: John Dennis wrote: Is there a reason why the run command (ipapython.ipautil.run()) does not log what command it's running? It logs the stdout and stderr output of the command (but without indicating what the log output is, so

Re: [Freeipa-devel] [PATCH] jderose 017-2 Giant webui patch take 2

2009-10-13 Thread Rob Crittenden
Jason Gerard DeRose wrote: Okay, finally here is the revised webui patch. Since the last version, I: * Ported to various API changes between wehjit 0.0.1 and 0.1.0 * Removed the session.py stuff, which will be in a separate patch * Added the plugin browser to help developers inspect the

[Freeipa-devel] [PATCH] 296 work with newer schema layout of 389-DS

2009-10-14 Thread Rob Crittenden
The HEAD branch of upstream of 389-DS has lots of new schema stuff. We have to work around some incompatibilities with the DNS schema in 05rfc2247.ldif but this isn't required in the HEAD, so don't fail if we can't replace this file. It isn't needed in newer versions of DS. rob

Re: [Freeipa-devel] [PATCH] jderose 020 Make plugin browser show plugin parent class

2009-10-14 Thread Rob Crittenden
Jason Gerard DeRose wrote: It's very helpful if the plugin browser shows the parent class (or classes) that a plugin subclasses from. This small patch adds this feature. ack smime.p7s Description: S/MIME Cryptographic Signature ___ Freeipa-devel

Re: [Freeipa-devel] [PATCH] 294 sleep before doing a task

2009-10-16 Thread Rob Crittenden
Simo Sorce wrote: On Thu, 2009-10-15 at 15:28 +0200, Pavel Zuna wrote: Rob Crittenden wrote: One of the last steps of an install is to run through any updates. This change adds a sleep() prior to calling tasks to ensure postop writes are done. We were seeing a rare deadlock of DS when

Re: [Freeipa-devel] [PATCH] 294 sleep before doing a task

2009-10-16 Thread Rob Crittenden
Pavel Zuna wrote: Rob Crittenden wrote: One of the last steps of an install is to run through any updates. This change adds a sleep() prior to calling tasks to ensure postop writes are done. We were seeing a rare deadlock of DS when creating the memberOf task because one thread was adding

[Freeipa-devel] [PATCH] 297 use proper template string

2009-10-16 Thread Rob Crittenden
I goofed and didn't replace my test domain with a template string for some virtual operations. rob freeipa-297-template.patch Description: application/mbox

Re: [Freeipa-devel] [PATCH] jderose 024 Fixed compatability break in rpcserver.py

2009-10-17 Thread Rob Crittenden
Jason Gerard DeRose wrote: This fixes an oops I missed that broke the IPA server when running under Apache. ack

[Freeipa-devel] [PATCH] 298 more GER helpers

2009-10-20 Thread Rob Crittenden
Add 2 new Get Effective Rights helpers for adding and deleting entries. These will be useful in the UI for determining what things a user can do. rob freeipa-298-ger.patch Description: application/mbox

[Freeipa-devel] access control for cert generation

2009-10-20 Thread Rob Crittenden
I touched on this a little in IRC, figured I'd move it to the list for a fuller conversation. I'm in the process of adding access controls to machines requesting certificates for themselves. Let me first show what happens when a certificate request occurs: - Some authenticated entity

Re: [Freeipa-devel] access control for cert generation

2009-10-20 Thread Rob Crittenden
Dmitri Pal wrote: Rob Crittenden wrote: I touched on this a little in IRC, figured I'd move it to the list for a fuller conversation. I'm in the process of adding access controls to machines requesting certificates for themselves. Let me first show what happens when a certificate request

[Freeipa-devel] [PATCH] 301 require host before service

2009-10-20 Thread Rob Crittenden
Require that a host exist before trying to add a service for it. rob freeipa-301-service.patch Description: application/mbox

[Freeipa-devel] Re: [PATCH] Display membership attributes (member, memberOf) by default in show/find.

2009-10-21 Thread Rob Crittenden
Pavel Zůna wrote: Rob Crittenden wrote: The 10% failure is really just 1 test failing: ++ '[' 0 '!=' 0 ']' ++ ssh r...@iparhel5-64vmb.dsdev.sjc.redhat.com 'ipa group-find testgroup1 | grep testusr1' ++ '[' 1 '!=' 0 ']' ++ echo 'ERROR - ipa testusr1 not found in testgroup1 failed on iparhel5

Re: [Freeipa-devel] [PATCH] 274 detect whether to uninstall the CA or not

2009-10-21 Thread Rob Crittenden
Pavel Zuna wrote: Rob Crittenden wrote: You had to pass --ca when uninstalling if you wanted the CA uninstalled. This was nuts, auto-detect it. rob ack. Pavel pushed rebased patch to master rob

Re: [Freeipa-devel] [PATCH] 274 detect whether to uninstall the CA or not

2009-10-22 Thread Rob Crittenden
David O'Brien wrote: Rob Crittenden wrote: Pavel Zuna wrote: Rob Crittenden wrote: You had to pass --ca when uninstalling if you wanted the CA uninstalled. This was nuts, auto-detect it. rob ack. Pavel pushed rebased patch to master rob do you mean when uninstalling ipa-server you

Re: [Freeipa-devel] validating return values in XML-RPC

2009-10-22 Thread Rob Crittenden
John Dennis wrote: On 10/22/2009 10:45 AM, Jason Gerard DeRose wrote: So I've been thinking about this as I've been doing the UI tuning (extending meta-data and making the engine smarter). I agree with John that we need to describe the return values programmatically. We can also kill two birds

[Freeipa-devel] [PATCH] 302 clean up join plugin

2009-10-23 Thread Rob Crittenden
Remove a bunch of unused imports, add some docstrings, etc. rob freeipa-302-cleanup.patch Description: application/mbox

Re: [Freeipa-devel] [PATCH] Fix bug in print_attribute.

2009-10-23 Thread Rob Crittenden
Pavel Zůna wrote: When a multi-value attribute had no values, an exception was generated while trying to word-wrap it. Pavel ack, pushed to master rob
