[Freeipa-devel] 389-DS ACI improvement to control MODDN

2014-02-25 Thread thierry bordaz
Hello, Ticket https://fedorahosted.org/389/ticket/47553 is a 389-ds enhancement to allow a finer access control during a MODDN (new superior) operation. The use case being to allow/deny a bound user to move an entry from one specified part of the DIT to another part. This

[Freeipa-devel] [389-devel] Design review (second): Access control on entries specified in MODDN operation (ticket 47553)

2014-02-27 Thread thierry bordaz
Hello, Thanks for all your feedback; it helped me a lot and raised a severe limitation in the original design. I updated the design following the aci syntax proposed during the discussion. On the implementation side, it is a bit more complex but less than I expected. I have not yet

Re: [Freeipa-devel] [389-devel] Design review (second): Access control on entries specified in MODDN operation (ticket 47553)

2014-02-28 Thread thierry bordaz
to older versions of ds, but this is for n1, how about the new design? Ludwig On 02/27/2014 04:46 PM, thierry bordaz wrote: Hello, Thanks for all your feedback; it helped me a lot and raised a severe limitation in the original design. I updated the design following the aci syntax proposed during

Re: [Freeipa-devel] [PATCH] 0543 - dns: Add idnsSecInlineSigning attribute, add --dnssec option to zone

2014-04-30 Thread thierry bordaz
On 04/29/2014 10:07 PM, Martin Kosek wrote: On 04/29/2014 08:17 PM, Simo Sorce wrote: On Tue, 2014-04-29 at 20:00 +0200, Petr Viktorin wrote: This adds the idnsSecInlineSigning attribute and related option. https://fedorahosted.org/freeipa/ticket/3801 Simo, is adding a MAY attribute to an

[Freeipa-devel] Asking for help to add new options

2014-05-14 Thread thierry bordaz
Hello, Quite beginner in freeipa land, I am trying to add options to 'user-add' sub-command but desperately failing to make it work. I did the following modification: diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 9b21200..0c36e35 100644 ---

Re: [Freeipa-devel] Asking for help to add new options

2014-05-14 Thread thierry bordaz
On 05/14/2014 12:32 PM, Petr Viktorin wrote: On 05/14/2014 12:27 PM, thierry bordaz wrote: On 05/14/2014 12:01 PM, Petr Viktorin wrote: On 05/14/2014 11:21 AM, thierry bordaz wrote: Hello, Quite beginner in freeipa land, I am trying to add options to 'user-add' sub-command

Re: [Freeipa-devel] Status/Question about User life cycle

2014-05-19 Thread thierry bordaz
wrote: On 05/19/2014 08:24 AM, Martin Kosek wrote: On 05/16/2014 04:48 PM, thierry bordaz wrote: Hello Martin, I am getting familiar with the freeipa CLI code and started implementing '--to-stage' and '--from-stage'. This is really an impressive set of code :-) Great! :-) I

Re: [Freeipa-devel] Status/Question about User life cycle

2014-05-19 Thread thierry bordaz
On 05/19/2014 04:22 PM, Jan Cholasta wrote: On 19.5.2014 16:03, thierry bordaz wrote: On 05/19/2014 03:54 PM, Jan Cholasta wrote: On 19.5.2014 15:19, Petr Viktorin wrote: Hello list, Here's a conversation that started internally. I'm making it public. On 05/19/2014 01:00 PM, Martin Kosek

Re: [Freeipa-devel] Status/Question about User life cycle

2014-05-19 Thread thierry bordaz
On 05/19/2014 04:44 PM, Jan Cholasta wrote: On 19.5.2014 16:34, thierry bordaz wrote: On 05/19/2014 04:22 PM, Jan Cholasta wrote: On 19.5.2014 16:03, thierry bordaz wrote: On 05/19/2014 03:54 PM, Jan Cholasta wrote: On 19.5.2014 15:19, Petr Viktorin wrote: Hello list, Here's a conversation

Re: [Freeipa-devel] User life cycle: question regarding the design

2014-05-21 Thread thierry bordaz
On 05/20/2014 10:30 PM, Martin Kosek wrote: I am sharing the question below with the list as I think the information is useful and relevant for everyone interested in this feature. See answers in the text. On 05/20/2014 06:26 PM, thierry bordaz wrote: Hello Martin, Petr, I implemented

Re: [Freeipa-devel] User life cycle: question regarding the design

2014-05-22 Thread thierry bordaz
On 05/21/2014 09:06 PM, Martin Kosek wrote: On 05/21/2014 08:14 PM, Simo Sorce wrote: On Wed, 2014-05-21 at 16:01 +0200, thierry bordaz wrote: Hello, Thanks for all these detailed descriptions. Just to be sure to be on the same page, here is my understanding

[Freeipa-devel] User life cycle: plugins scope for staged users

2014-05-22 Thread thierry bordaz
Hello, In order to provision staged users (account inactivated) with their initial values: /usr/bin/ipa user-add tb20 --to-stage --first=tb20 --last=tb20 - Added user tb20 - User login: tb20 First name: tb20

Re: [Freeipa-devel] Status/Question about User life cycle

2014-05-22 Thread thierry bordaz
On 05/22/2014 04:38 PM, Martin Kosek wrote: On 05/22/2014 10:47 AM, Petr Viktorin wrote: On 05/21/2014 10:00 PM, Dmitri Pal wrote: On 05/19/2014 10:45 AM, thierry bordaz wrote: On 05/19/2014 04:44 PM, Jan Cholasta wrote: On 19.5.2014 16:34, thierry bordaz wrote: On 05/19/2014 04:22 PM, Jan

Re: [Freeipa-devel] Status/Question about User life cycle

2014-05-23 Thread thierry bordaz
On 05/23/2014 08:29 AM, Martin Kosek wrote: On 05/22/2014 05:52 PM, thierry bordaz wrote: On 05/22/2014 04:38 PM, Martin Kosek wrote: On 05/22/2014 10:47 AM, Petr Viktorin wrote: On 05/21/2014 10:00 PM, Dmitri Pal wrote: On 05/19/2014 10:45 AM, thierry bordaz wrote: On 05/19/2014 04:44 PM

Re: [Freeipa-devel] Status/Question about User life cycle

2014-05-23 Thread thierry bordaz
On 05/23/2014 10:04 AM, Martin Kosek wrote: On 05/23/2014 09:34 AM, thierry bordaz wrote: On 05/23/2014 08:29 AM, Martin Kosek wrote: On 05/22/2014 05:52 PM, thierry bordaz wrote: On 05/22/2014 04:38 PM, Martin Kosek wrote: On 05/22/2014 10:47 AM, Petr Viktorin wrote: On 05/21/2014 10:00 PM

Re: [Freeipa-devel] Status/Question about User life cycle

2014-05-23 Thread thierry bordaz
On 05/23/2014 10:55 AM, Martin Kosek wrote: On 05/23/2014 10:22 AM, thierry bordaz wrote: On 05/23/2014 10:04 AM, Martin Kosek wrote: On 05/23/2014 09:34 AM, thierry bordaz wrote: ... 3) inactivate the user (active to inactive) ipa user-inactivate# (after the command

Re: [Freeipa-devel] User life cycle: question regarding the design

2014-05-23 Thread thierry bordaz
, Martin Kosek wrote: On 05/21/2014 08:14 PM, Simo Sorce wrote: On Wed, 2014-05-21 at 16:01 +0200, thierry bordaz wrote: Hello, Thanks for all these detailed descriptions. Just to be sure to be on the same page, here is my understanding of the provisioning templates

Re: [Freeipa-devel] User life cycle: question regarding the design

2014-05-26 Thread thierry bordaz
On 05/26/2014 07:49 AM, Martin Kosek wrote: On 05/23/2014 04:55 PM, Simo Sorce wrote: On Fri, 2014-05-23 at 10:13 -0400, Rob Crittenden wrote: This, I believe, has already been covered, but I'm concerned with the (over)use of active/inactive in this discussion. I think use of inactive and

Re: [Freeipa-devel] User life cycle: question regarding the design

2014-05-26 Thread thierry bordaz
On 05/26/2014 10:18 AM, Martin Kosek wrote: On 05/26/2014 09:33 AM, Jan Cholasta wrote: On 26.5.2014 07:49, Martin Kosek wrote: ... 5) modifying (in active) ipa user-mod tuser ... Ok. (in stage)ipa user-mod tuser --staged ... Simo did not like this command, I would

[Freeipa-devel] Supported Staged entries

2014-05-27 Thread thierry bordaz
Hello, Me again!!! Thanks to all your inputs, the discussion about User_life_cycle clarified a lot of the workflow/command verbs. Now I have a doubt about what would be an entry in staging (objectclass/attribute). Also I wonder if ipa CLI (ipa user-add --stage) would be the only

Re: [Freeipa-devel] Supported Staged entries

2014-05-27 Thread thierry bordaz
11:14, thierry bordaz wrote: Hello, Me again!!! Thanks to all your inputs, the discussion about User_life_cycle clarified a lot of the workflow/command verbs. Now I have a doubt about what would be an entry in staging (objectclass/attribute). Also I wonder if ipa CLI (ipa

Re: [Freeipa-devel] Supported Staged entries

2014-05-27 Thread thierry bordaz
On 05/27/2014 02:19 PM, Martin Kosek wrote: On 05/27/2014 02:16 PM, Simo Sorce wrote: On Tue, 2014-05-27 at 13:01 +0200, Martin Kosek wrote: On 05/27/2014 11:53 AM, Jan Cholasta wrote: On 27.5.2014 11:14, thierry bordaz wrote: Hello, Me again!!! Thanks to all your inputs

Re: [Freeipa-devel] Supported Staged entries

2014-05-27 Thread thierry bordaz
On 05/27/2014 03:10 PM, Simo Sorce wrote: On Tue, 2014-05-27 at 14:59 +0200, thierry bordaz wrote: Now if an entry was not created by the FreeIPA CLI ('ipa user-add --stage') it could be impossible to update/unstage the entry with the FreeIPA CLI. For example with those two entries. 'ipa user-mod

Re: [Freeipa-devel] Supported Staged entries

2014-05-27 Thread thierry bordaz
On 05/27/2014 03:08 PM, Simo Sorce wrote: On Tue, 2014-05-27 at 14:40 +0200, thierry bordaz wrote: On 05/27/2014 02:32 PM, Jan Cholasta wrote: On 27.5.2014 14:22, Simo Sorce wrote: On Tue, 2014-05-27 at 14:19 +0200, Martin Kosek wrote: On 05/27/2014 02:16 PM, Simo Sorce wrote: On Tue, 2014

Re: [Freeipa-devel] Supported Staged entries

2014-05-27 Thread thierry bordaz
On 05/27/2014 04:35 PM, Martin Kosek wrote: On 05/27/2014 04:27 PM, Simo Sorce wrote: On Tue, 2014-05-27 at 15:21 +0200, Martin Kosek wrote: This topic was already discussed in the past, see following part of the design:

Re: [Freeipa-devel] Supported Staged entries

2014-05-27 Thread thierry bordaz
On 05/27/2014 06:06 PM, Simo Sorce wrote: On Tue, 2014-05-27 at 17:55 +0200, thierry bordaz wrote: On 05/27/2014 04:35 PM, Martin Kosek wrote: On 05/27/2014 04:27 PM, Simo Sorce wrote: On Tue, 2014-05-27 at 15:21 +0200, Martin Kosek wrote: This topic was already discussed in the past, see

Re: [Freeipa-devel] Supported Staged entries

2014-05-27 Thread thierry bordaz
On 05/27/2014 06:56 PM, Simo Sorce wrote: On Tue, 2014-05-27 at 18:39 +0200, thierry bordaz wrote: On 05/27/2014 06:06 PM, Simo Sorce wrote: We just need to care about the 'uid' attribute in the staged entry, and pick that to generate the RDN of the user in the active tree

Re: [Freeipa-devel] Supported Staged entries

2014-05-28 Thread thierry bordaz
On 05/28/2014 08:22 AM, Martin Kosek wrote: On 05/27/2014 08:18 PM, Simo Sorce wrote: On Tue, 2014-05-27 at 21:14 +0300, Alexander Bokovoy wrote: On Tue, 27 May 2014, Simo Sorce wrote: On Tue, 2014-05-27 at 19:59 +0200, thierry bordaz wrote: On 05/27/2014 06:56 PM, Simo Sorce wrote: On Tue

Re: [Freeipa-devel] Supported Staged entries

2014-05-28 Thread thierry bordaz
On 05/28/2014 02:55 PM, Rob Crittenden wrote: Simo Sorce wrote: On Wed, 2014-05-28 at 09:38 +0200, thierry bordaz wrote: On 05/28/2014 08:22 AM, Martin Kosek wrote: On 05/27/2014 08:18 PM, Simo Sorce wrote: On Tue, 2014-05-27 at 21:14 +0300, Alexander Bokovoy wrote: On Tue, 27 May 2014

Re: [Freeipa-devel] User life cycle: plugins scope for staged users

2014-06-02 Thread thierry bordaz
On 05/29/2014 08:17 AM, Martin Kosek wrote: On 05/29/2014 04:09 AM, Dmitri Pal wrote: On 05/22/2014 10:33 AM, thierry bordaz wrote: Hello, In order to provision staged users (account inactivated) with their initial values: /usr/bin/ipa user-add tb20 --to-stage --first=tb20

Re: [Freeipa-devel] User life cycle: question regarding the design

2014-06-02 Thread thierry bordaz
On 05/30/2014 03:32 PM, Jan Cholasta wrote: On 30.5.2014 15:24, Petr Viktorin wrote: On 05/30/2014 08:37 AM, Martin Kosek wrote: On 05/29/2014 08:14 PM, Dmitri Pal wrote: On 05/29/2014 08:39 AM, Simo Sorce wrote: On Thu, 2014-05-29 at 09:43 +0200, Martin Kosek wrote: On 05/29/2014 05:31 AM,

Re: [Freeipa-devel] Move replication topology to the shared tree

2014-06-02 Thread thierry bordaz
On 06/02/2014 10:46 AM, Ludwig Krispenz wrote: Ticket 4302 is a request for an enhancement: Move replication topology to the shared tree There has been some discussion in comments in the ticket, but I'd like to open the discussion to a wider audience to get an agreement on what should be

Re: [Freeipa-devel] Move replication topology to the shared tree

2014-06-04 Thread thierry bordaz
On 06/02/2014 10:46 AM, Ludwig Krispenz wrote: Ticket 4302 is a request for an enhancement: Move replication topology to the shared tree There has been some discussion in comments in the ticket, but I'd like to open the discussion to a wider audience to get an agreement on what should be

[Freeipa-devel] User life Cycle: referential integrity

2014-06-04 Thread thierry bordaz
Hello, I am looking at the appropriate way to configure DS referential integrity and I am hitting some issues about its scoping and which attributes need to be preserved. Users A and B are both Active. User A refers to user B, for example 'owner: DN user B in Active container'.

Re: [Freeipa-devel] Move replication topology to the shared tree

2014-06-04 Thread thierry bordaz
On 06/04/2014 05:41 PM, Simo Sorce wrote: On Wed, 2014-06-04 at 13:46 +0200, Ludwig Krispenz wrote: On 06/04/2014 10:43 AM, thierry bordaz wrote: So my proposal would contain the following components 1] Store replication configuration in the shared tree in a combination of server

Re: [Freeipa-devel] User life Cycle: referential integrity

2014-06-04 Thread thierry bordaz
On 06/04/2014 06:02 PM, Simo Sorce wrote: On Wed, 2014-06-04 at 17:46 +0200, thierry bordaz wrote: Hello, I am looking at the appropriate way to configure DS referential integrity and I am hitting some issues about its scoping and which attributes need

Re: [Freeipa-devel] User life Cycle: referential integrity

2014-06-05 Thread thierry bordaz
On 06/04/2014 07:04 PM, Simo Sorce wrote: On Wed, 2014-06-04 at 18:46 +0200, thierry bordaz wrote: On 06/04/2014 06:02 PM, Simo Sorce wrote: On Wed, 2014-06-04 at 17:46 +0200, thierry bordaz wrote: Hello, I am looking at the appropriate way to configure DS referential

[Freeipa-devel] [PATCH] 0001 - User Life Cycle (stageuser workflow)

2014-06-11 Thread thierry bordaz
f9f7cd6e64a181c4925b30e73bd013de75d45720 Mon Sep 17 00:00:00 2001 From: Thierry bordaz (tbordaz) tbor...@redhat.com Date: Wed, 11 Jun 2014 17:19:18 +0200 Subject: [PATCH] Ticket 3813 - User Life Cycle: introduction of stageuser plugin Bug Description: User Life Cycle is designed http://www.freeipa.org/page/V4/User_Life

[Freeipa-devel] User Life Cycle: enforce ipaUniqueID generation by the server

2014-06-16 Thread thierry bordaz
Hello, When a stage user is activated (ipa stageuse-activate), the UUID plugin (DS) checks that the ipaUniqueID value of the new active user is 'autogenerate'. This is useful to prevent provisioning systems from creating Active users with an invalid ipaUniqueID. Now one of the workflow

Re: [Freeipa-devel] User Life Cycle: enforce ipaUniqueID generation by the server

2014-06-17 Thread thierry bordaz
On 06/16/2014 03:04 PM, Rob Crittenden wrote: thierry bordaz wrote: Hello, When a stage user is activated (ipa stageuse-activate), the UUID plugin (DS) checks that the ipaUniqueID value of the new active user is 'autogenerate'. This is useful to prevent provisioning systems

Re: [Freeipa-devel] User Life Cycle: enforce ipaUniqueID generation by the server

2014-06-17 Thread thierry bordaz
On 06/17/2014 07:35 PM, Rob Crittenden wrote: thierry bordaz wrote: On 06/16/2014 03:04 PM, Rob Crittenden wrote: thierry bordaz wrote: Hello, When a stage user is activated (ipa stageuse-activate), the UUID plugin (DS) checks that the ipaUniqueID value of the new active user

Re: [Freeipa-devel] User Life Cycle: enforce ipaUniqueID generation by the server

2014-06-17 Thread thierry bordaz
On 06/17/2014 08:39 PM, Simo Sorce wrote: On Tue, 2014-06-17 at 17:59 +0200, thierry bordaz wrote: * ipa stageuser-add login --from-delete It moves a deleted entry to staging container where uidNumber: unchanged, so it is preserved from

Re: [Freeipa-devel] User Life Cycle: enforce ipaUniqueID generation by the server

2014-06-17 Thread thierry bordaz
On 06/17/2014 09:29 PM, Simo Sorce wrote: On Tue, 2014-06-17 at 15:23 -0400, Rob Crittenden wrote: Simo Sorce wrote: On Tue, 2014-06-17 at 17:59 +0200, thierry bordaz wrote: * ipa stageuser-add login --from-delete It moves a deleted entry to staging container where

Re: [Freeipa-devel] User Life Cycle: enforce ipaUniqueID generation by the server

2014-06-18 Thread thierry bordaz
On 06/17/2014 09:42 PM, Simo Sorce wrote: On Tue, 2014-06-17 at 21:36 +0200, thierry bordaz wrote: On 06/17/2014 09:29 PM, Simo Sorce wrote: On Tue, 2014-06-17 at 15:23 -0400, Rob Crittenden wrote: Simo Sorce wrote: On Tue, 2014-06-17 at 17:59 +0200, thierry bordaz wrote: * ipa

Re: [Freeipa-devel] User life-cycle: nsAccountLock

2014-06-18 Thread thierry bordaz
On 06/18/2014 12:47 PM, Martin Kosek wrote: On 06/17/2014 05:59 PM, thierry bordaz wrote: On 06/16/2014 03:04 PM, Rob Crittenden wrote: ... Thanks for your precise feedback and sorry for my late answer. So if I try to consolidate my understandings, the workflow would be: 1

Re: [Freeipa-devel] User life-cycle: nsAccountLock

2014-06-18 Thread thierry bordaz
On 06/18/2014 03:40 PM, Simo Sorce wrote: On Wed, 2014-06-18 at 15:22 +0200, thierry bordaz wrote: On 06/18/2014 12:47 PM, Martin Kosek wrote: On 06/17/2014 05:59 PM, thierry bordaz wrote: On 06/16/2014 03:04 PM, Rob Crittenden wrote: ... Thanks for your precise feedback and sorry

Re: [Freeipa-devel] User life-cycle: nsAccountLock

2014-06-18 Thread thierry bordaz
On 06/18/2014 03:31 PM, Simo Sorce wrote: On Wed, 2014-06-18 at 12:47 +0200, Martin Kosek wrote: On 06/17/2014 05:59 PM, thierry bordaz wrote: On 06/16/2014 03:04 PM, Rob Crittenden wrote: ... Thanks for your precise feedback and sorry for my late answer. So if I try to consolidate

Re: [Freeipa-devel] User life-cycle: nsAccountLock

2014-06-18 Thread thierry bordaz
On 06/18/2014 04:45 PM, Simo Sorce wrote: On Wed, 2014-06-18 at 16:20 +0200, thierry bordaz wrote: On 06/18/2014 03:31 PM, Simo Sorce wrote: On Wed, 2014-06-18 at 12:47 +0200, Martin Kosek wrote: On 06/17/2014 05:59 PM, thierry bordaz wrote: On 06/16/2014 03:04 PM, Rob Crittenden wrote

Re: [Freeipa-devel] User life-cycle: nsAccountLock

2014-06-19 Thread thierry bordaz
On 06/19/2014 09:06 AM, Martin Kosek wrote: On 06/18/2014 06:09 PM, Simo Sorce wrote: On Wed, 2014-06-18 at 17:49 +0200, thierry bordaz wrote: On 06/18/2014 04:45 PM, Simo Sorce wrote: On Wed, 2014-06-18 at 16:20 +0200, thierry bordaz wrote: On 06/18/2014 03:31 PM, Simo Sorce wrote: On Wed

Re: [Freeipa-devel] User life-cycle: nsAccountLock

2014-06-19 Thread thierry bordaz
On 06/19/2014 02:33 PM, Simo Sorce wrote: On Thu, 2014-06-19 at 09:06 +0200, Martin Kosek wrote: On 06/18/2014 06:09 PM, Simo Sorce wrote: On Wed, 2014-06-18 at 17:49 +0200, thierry bordaz wrote: On 06/18/2014 04:45 PM, Simo Sorce wrote: On Wed, 2014-06-18 at 16:20 +0200, thierry bordaz

[Freeipa-devel] User life cycle: authentication and preserved attributes

2014-06-19 Thread thierry bordaz
Hello, Thanks for all your feedback and help about which attributes to preserve and how to limit authentication (simple and krb) to Active accounts, here are my understandings: 1. Staging (container: cn=staged users,cn=accounts,cn=provisioning,SUFFIX) plugins scoping

Re: [Freeipa-devel] User life cycle: authentication and preserved attributes

2014-06-19 Thread thierry bordaz
On 06/19/2014 03:41 PM, Simo Sorce wrote: On Thu, 2014-06-19 at 15:32 +0200, thierry bordaz wrote: (those values must be active DN entries) userPassword/krb keys: copied from source entry if they exists Uhmm this may actually fail, as we

Re: [Freeipa-devel] [PATCH 0019] Clarify LDAPClient docstrings about get_entry, get_entries and find_entrie

2014-06-20 Thread thierry bordaz
On 06/20/2014 11:06 AM, Martin Basti wrote: On Wed, 2014-06-18 at 17:36 +0200, Petr Spacek wrote: Hello, Clarify LDAPClient docstrings about get_entry, get_entries and find_entries. BTW what is the purpose of size_limit in LDAPClient.get_entry()? def get_entry(self, dn, attrs_list=None,

[Freeipa-devel] User Life Cycle: scoping of referential integrity, memberof, IPA UUID plugins

2014-06-24 Thread thierry bordaz
Hello, User life cycle assigns a status to user entries depending on where they are in the DIT. 'Active' users will be under 'cn=accounts,SUFFIX' while 'Stage' and 'Delete' users are somewhere under 'cn=provisioning,SUFFIX'. Only 'Active' users have valid membership attributes: A

Re: [Freeipa-devel] User Life Cycle: scoping of referential integrity, memberof, IPA UUID plugins

2014-06-25 Thread thierry bordaz
On 06/25/2014 10:52 AM, Martin Kosek wrote: On 06/24/2014 06:31 PM, thierry bordaz wrote: Hello, User life cycle assigns a status to user entries depending on where they are in the DIT. 'Active' users will be under 'cn=accounts,SUFFIX' while 'Stage' and 'Delete' users are somewhere

[Freeipa-devel] [PATCH] 0002 - User Life Cycle (create containers and scoping DS plugins)

2014-06-30 Thread thierry bordaz
all backends with https://fedorahosted.org/389/ticket/47823 * ipa UUID will exclude Stage/Delete container with a change in ipa-uuid (patch 0003) Thanks thierry From 63241abc1dbb291745ad18c73ae5da415661d022 Mon Sep 17 00:00:00 2001 From: Thierry bordaz (tbordaz) tbor

[Freeipa-devel] [PATCH] 0003 - User Life Cycle (prevent ipaUniqueID generation in provisioning)

2014-06-30 Thread thierry bordaz
This fix prevents the IPA UUID DS plugin from generating an ipaUniqueID for users in the provisioning container (Stage/Delete). thanks thierry From c06af590b11a3692dcd1afc4a52e724aab59173d Mon Sep 17 00:00:00 2001 From: Thierry bordaz (tbordaz) tbor...@redhat.com Date: Wed, 25 Jun 2014 12:49:45 +0200

[Freeipa-devel] [PATCH] 0003 User life cycle: new stageuser plugin with add verb

2014-08-08 Thread thierry bordaz
..924e1b8e83ad11c86f2c86404ca43ecd30d0b8d5 --- /dev/null +++ b/ipalib/plugins/stageuser.py @@ -0,0 +1,848 @@ +# Authors: +# Thierry Bordaz tbor...@redhat.com +# +# Copyright (C) 2014 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can

Re: [Freeipa-devel] [PATCH] 0001 User Life Cycle: create containers and scoping DS plugins

2014-08-13 Thread thierry bordaz
On 08/13/2014 04:48 PM, Petr Viktorin wrote: On 08/08/2014 09:24 AM, thierry bordaz wrote: Hi, The attached patch is a first patch related to 'User Life Cycle' (https://fedorahosted.org/freeipa/ticket/3813) It creates 'Stage' and 'Delete' containers and configure DS plugin to scope only

[Freeipa-devel] [Patch] 0001-2 User Life Cycle: create containers and scoping DS plugins

2014-08-14 Thread thierry bordaz
Hello, Following Petr's remarks from the previous review, I modified the original fix to move it only in '.update' files. Thanks thierry From d45e78dfeb7761348c464b3bb3956656bb115ce0 Mon Sep 17 00:00:00 2001 From: Thierry bordaz (tbordaz) tbor...@redhat.com Date: Thu, 7 Aug 2014 16

Re: [Freeipa-devel] [Patch] 0001-2 User Life Cycle: create containers and scoping DS plugins

2014-08-18 Thread thierry bordaz
On 08/18/2014 04:06 PM, Petr Viktorin wrote: On 08/14/2014 07:18 PM, thierry bordaz wrote: Hello, Following Petr's remarks from the previous review, I modified the original fix to move it only in '.update' files. Thanks thierry Looks better, thanks! I've tested install

Re: [Freeipa-devel] [Patch] 0001-2 User Life Cycle: create containers and scoping DS plugins

2014-08-18 Thread thierry bordaz
On 08/18/2014 05:10 PM, Petr Viktorin wrote: On 08/18/2014 05:03 PM, thierry bordaz wrote: On 08/18/2014 04:06 PM, Petr Viktorin wrote: On 08/14/2014 07:18 PM, thierry bordaz wrote: Hello, Following Petr's remarks from the previous review, I modified the original fix to move it only

Re: [Freeipa-devel] [Patch] 0001-2 User Life Cycle: create containers and scoping DS plugins

2014-08-19 Thread thierry bordaz
On 08/19/2014 09:38 AM, Martin Kosek wrote: On 08/18/2014 05:17 PM, thierry bordaz wrote: On 08/18/2014 05:10 PM, Petr Viktorin wrote: On 08/18/2014 05:03 PM, thierry bordaz wrote: ... Simply reply to this mail with the revised patch attached. As for attaching patches to the tickets, I've

Re: [Freeipa-devel] [PATCH 0061] Ensure ipaUserAuthTypeClass when needed on user creation

2014-08-20 Thread thierry bordaz
On 08/19/2014 10:46 PM, Nathaniel McCallum wrote: Also, remove the attempt to load the objectClasses when absent. This never makes sense during an add operation. https://fedorahosted.org/freeipa/ticket/4455 ___ Freeipa-devel mailing list

Re: [Freeipa-devel] [PATCH 0061] Ensure ipaUserAuthTypeClass when needed on user creation

2014-08-20 Thread thierry bordaz
On 08/20/2014 03:48 PM, Nathaniel McCallum wrote: On Wed, 2014-08-20 at 14:35 +0200, thierry bordaz wrote: On 08/19/2014 10:46 PM, Nathaniel McCallum wrote: Also, remove the attempt to load the objectClasses when absent. This never makes sense during an add operation. https

Re: [Freeipa-devel] [Patch] 0001-2 User Life Cycle: create containers and scoping DS plugins

2014-08-28 Thread thierry bordaz
On 08/28/2014 06:51 PM, Sumit Bose wrote: On Thu, Aug 14, 2014 at 07:18:40PM +0200, thierry bordaz wrote: Hello, Following Petr's remarks from the previous review, I modified the original fix to move it only in '.update' files. Thanks thierry From

Re: [Freeipa-devel] [Patch] 0001-2 User Life Cycle: create containers and scoping DS plugins

2014-08-28 Thread thierry bordaz
On 08/28/2014 08:30 PM, Sumit Bose wrote: On Thu, Aug 28, 2014 at 07:26:51PM +0200, thierry bordaz wrote: On 08/28/2014 06:51 PM, Sumit Bose wrote: On Thu, Aug 14, 2014 at 07:18:40PM +0200, thierry bordaz wrote: Hello, Following Petr's remarks from the previous review, I modified

Re: [Freeipa-devel] [Patch] 0001-2 User Life Cycle: create containers and scoping DS plugins

2014-08-29 Thread thierry bordaz
On 08/28/2014 08:58 PM, Sumit Bose wrote: On Thu, Aug 28, 2014 at 08:41:57PM +0200, thierry bordaz wrote: On 08/28/2014 08:30 PM, Sumit Bose wrote: On Thu, Aug 28, 2014 at 07:26:51PM +0200, thierry bordaz wrote: On 08/28/2014 06:51 PM, Sumit Bose wrote: On Thu, Aug 14, 2014 at 07:18:40PM

Re: [Freeipa-devel] [Patch] 0001-2 User Life Cycle: create containers and scoping DS plugins

2014-08-29 Thread thierry bordaz
for this catch. The new patch reverts the change in dna update. thierry On 08/28/2014 08:58 PM, Sumit Bose wrote: On Thu, Aug 28, 2014 at 08:41:57PM +0200, thierry bordaz wrote: On 08/28/2014 08:30 PM, Sumit Bose wrote: On Thu, Aug 28, 2014 at 07:26:51PM +0200, thierry bordaz wrote: On 08/28/2014 06

Re: [Freeipa-devel] [PATCH] 0003 User life cycle: new stageuser plugin with add verb

2014-09-02 Thread thierry bordaz
On 09/01/2014 01:08 PM, Petr Viktorin wrote: On 08/08/2014 03:54 PM, thierry bordaz wrote: Hi, The attached patch is related to 'User Life Cycle' (https://fedorahosted.org/freeipa/ticket/3813) It creates a stageuser plugin with a first function stageuser-add. Stage user entries

Re: [Freeipa-devel] FreeIPA 4.0.3?

2014-09-11 Thread thierry bordaz
On 09/11/2014 04:46 PM, Martin Kosek wrote: On 09/11/2014 04:43 PM, Nathaniel McCallum wrote: On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote: On 09/11/2014 04:38 PM, Ludwig Krispenz wrote: On 09/11/2014 04:31 PM, Petr Viktorin wrote: On 09/11/2014 04:26 PM, Martin Kosek wrote: ...

Re: [Freeipa-devel] #4534: SSSD deref processing fail when entryusn can be read and objectclass doesn't

2014-09-12 Thread thierry bordaz
On 09/11/2014 10:24 PM, Martin Kosek wrote: On 09/11/2014 08:49 PM, Simo Sorce wrote: On Thu, 2014-09-11 at 20:28 +0200, Martin Kosek wrote: On 09/11/2014 05:37 PM, Simo Sorce wrote: On Thu, 2014-09-11 at 17:03 +0200, Martin Kosek wrote: Hello, We have another important issue to resolve.

Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-09-16 Thread thierry bordaz
On 09/15/2014 09:05 PM, Nathaniel McCallum wrote: This plugin ensures that all counter/watermark operations are atomic and never decrement. Also, deletion is not permitted. https://fedorahosted.org/freeipa/ticket/4494

Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-09-16 Thread thierry bordaz
On 09/16/2014 07:25 PM, Nathaniel McCallum wrote: On Tue, 2014-09-16 at 19:24 +0200, thierry bordaz wrote: On 09/15/2014 09:05 PM, Nathaniel McCallum wrote: This plugin ensures that all counter/watermark operations are atomic and never decrement. Also, deletion is not permitted. https

Re: [Freeipa-devel] [PATCH] 0003-2 User life cycle: new stageuser plugin with add verb

2014-09-17 Thread thierry bordaz
On 09/01/2014 01:08 PM, Petr Viktorin wrote: On 08/08/2014 03:54 PM, thierry bordaz wrote: Hi, The attached patch is related to 'User Life Cycle' (https://fedorahosted.org/freeipa/ticket/3813) It creates a stageuser plugin with a first function stageuser-add. Stage user entries

Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-09-17 Thread thierry bordaz
On 09/15/2014 09:05 PM, Nathaniel McCallum wrote: This plugin ensures that all counter/watermark operations are atomic and never decrement. Also, deletion is not permitted. https://fedorahosted.org/freeipa/ticket/4494

Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-09-19 Thread thierry bordaz
all of these issues. It should also be more performant and use less memory. Nathaniel On Wed, 2014-09-17 at 15:33 +0200, thierry bordaz wrote: On 09/15/2014 09:05 PM, Nathaniel McCallum wrote: This plugin ensures that all counter/watermark operations are atomic and never decrement. Also

Re: [Freeipa-devel] [PATCH 0069] Adds 389DS plugin to enforce UUID token IDs

2014-09-22 Thread thierry bordaz
Hello Nathaniel, Just a remark, in is_token if the entry is objectclass=ipaToken it returns without freeing the 'objectclass' char array. thanks thierry On 09/21/2014 09:07 PM, Nathaniel McCallum wrote: Users that can rename the token (such as admins) can also create non-UUID

Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-09-22 Thread thierry bordaz
On 09/20/2014 09:39 PM, Nathaniel McCallum wrote: On Sat, 2014-09-20 at 00:25 +0200, thierry bordaz wrote: Hello Nathaniel, sanitize_input translates MOD/REPLACE into MOD/DEL+MOD/ADD. It looks good but it is difficult to think of all possible cases. I think

Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-09-22 Thread thierry bordaz
of these issues. It should also be more performant and use less memory. Nathaniel On Wed, 2014-09-17 at 15:33 +0200, thierry bordaz wrote: On 09/15/2014 09:05 PM, Nathaniel McCallum wrote: This plugin ensures that all counter/watermark operations are atomic and never decrement. Also, deletion

Re: [Freeipa-devel] [PATCH 0065] Don't allow users to create tokens with a specified ID

2014-09-22 Thread thierry bordaz
On 09/22/2014 05:37 PM, Martin Kosek wrote: On 09/20/2014 10:22 PM, Nathaniel McCallum wrote: On Wed, 2014-09-17 at 12:31 +0200, Martin Kosek wrote: On 09/17/2014 08:51 AM, Jan Cholasta wrote: Hi, Dne 16.9.2014 v 19:32 Nathaniel McCallum napsal(a): We perform this enforcement at the API

Re: [Freeipa-devel] [PATCH 0069] Adds 389DS plugin to enforce UUID token IDs

2014-09-23 Thread thierry bordaz
: On Mon, 22 Sep 2014 10:34:54 +0200 Martin Kosek mko...@redhat.com wrote: On 09/22/2014 09:33 AM, thierry bordaz wrote: Hello Nathaniel, Just a remark, in is_token if the entry is objectclass=ipaToken it returns without freeing the 'objectclass' char array. thanks thierry

Re: [Freeipa-devel] [PATCHES] 0633-0634 Move setting SELinux booleans to platform code; Set SELinux booleans when restoring

2014-09-24 Thread thierry bordaz
On 08/15/2014 10:40 PM, Petr Viktorin wrote: A fix for https://fedorahosted.org/freeipa/ticket/4157 This depends on my patches 0631-0632 (for backup/restore integration tests). Our setsebool code was repeated a few times. Instead of adding another copy, I refactored what we have into a

Re: [Freeipa-devel] [PATCHES] 0633-0634 Move setting SELinux booleans to platform code; Set SELinux booleans when restoring

2014-09-25 Thread thierry bordaz
On 09/25/2014 10:58 AM, Petr Viktorin wrote: On 09/24/2014 06:02 PM, thierry bordaz wrote: On 08/15/2014 10:40 PM, Petr Viktorin wrote: A fix for https://fedorahosted.org/freeipa/ticket/4157 This depends on my patches 0631-0632 (for backup/restore integration tests). Our setsebool code

Re: [Freeipa-devel] [PATCH 0067] Use stack allocation when writing values during otp auth

2014-09-25 Thread thierry bordaz
On 09/19/2014 07:49 PM, Nathaniel McCallum wrote: This is an optimization from patch 0062 (rescinded) which I think is worth keeping. There is no ticket for this. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com

Re: [Freeipa-devel] [PATCH 0068] Move OTP synchronization step to after counter writeback

2014-09-25 Thread thierry bordaz
On 09/19/2014 07:53 PM, Nathaniel McCallum wrote: This prevents synchronization when an authentication collision occurs. https://fedorahosted.org/freeipa/ticket/4493 NOTE: this patch is related to the above ticket, but does not solve it. For the solution, please see patch 0064. This behavior

Re: [Freeipa-devel] [PATCHES] 0633-0634 Move setting SELinux booleans to platform code; Set SELinux booleans when restoring

2014-09-26 Thread thierry bordaz
On 09/26/2014 11:23 AM, Martin Kosek wrote: On 09/25/2014 11:34 AM, thierry bordaz wrote: On 09/25/2014 10:58 AM, Petr Viktorin wrote: On 09/24/2014 06:02 PM, thierry bordaz wrote: On 08/15/2014 10:40 PM, Petr Viktorin wrote: A fix for https://fedorahosted.org/freeipa/ticket/4157

Re: [Freeipa-devel] [PATCH] 0001 Refactor selinuxenabled check

2014-09-26 Thread thierry bordaz
On 09/26/2014 03:35 PM, Francesco Marella wrote: ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Hello, I think that if we want to keep the same previous behaviour, then if

Re: [Freeipa-devel] [PATCH] 0001 Refactor selinuxenabled check

2014-09-26 Thread thierry bordaz
Hello, When called from set_selinux_booleans, if not selinux_enabled, you may want to 'return False' rather than 'return'. Now it looks like callers of set_selinux_booleans do not check the returned value :-) thanks thierry On 09/26/2014 05:26 PM, Francesco Marella wrote:

Re: [Freeipa-devel] [PATCH] 0001 Refactor selinuxenabled check

2014-09-26 Thread thierry bordaz
On 09/26/2014 05:53 PM, Francesco Marella wrote: On 26/09/2014 17:43, thierry bordaz wrote: Hello, When called from set_selinux_booleans, if not selinux_enabled, you may want to 'return False' rather than 'return'. Now it looks like callers of set_selinux_booleans do not check

Re: [Freeipa-devel] [PATCH 0067] Use stack allocation when writing values during otp auth

2014-09-29 Thread thierry bordaz
On 09/29/2014 05:45 PM, Nathaniel McCallum wrote: On Thu, 2014-09-25 at 13:45 +0200, thierry bordaz wrote: On 09/19/2014 07:49 PM, Nathaniel McCallum wrote: This is an optimization from patch 0062 (rescinded) which I think is worth keeping. There is no ticket

Re: [Freeipa-devel] [PATCH 0068] Move OTP synchronization step to after counter writeback

2014-09-30 Thread thierry bordaz
On 09/29/2014 08:38 PM, Nathaniel McCallum wrote: On Thu, 2014-09-25 at 15:15 +0200, thierry bordaz wrote: On 09/19/2014 07:53 PM, Nathaniel McCallum wrote: This prevents synchronization when an authentication collision occurs. https://fedorahosted.org/freeipa/ticket/4493 NOTE: this patch

Re: [Freeipa-devel] [PATCH 0068] Move OTP synchronization step to after counter writeback

2014-09-30 Thread thierry bordaz
On 09/30/2014 02:41 PM, Nathaniel McCallum wrote: On Tue, 2014-09-30 at 13:42 +0200, thierry bordaz wrote: On 09/29/2014 08:38 PM, Nathaniel McCallum wrote: On Thu, 2014-09-25 at 15:15 +0200, thierry bordaz wrote: On 09/19/2014 07:53 PM, Nathaniel McCallum wrote: This prevents

Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-09-30 Thread thierry bordaz
On 09/29/2014 08:30 PM, Nathaniel McCallum wrote: On Mon, 2014-09-22 at 09:32 -0400, Simo Sorce wrote: On Sun, 21 Sep 2014 22:33:47 -0400 Nathaniel McCallum npmccal...@redhat.com wrote: Comments inline. + +#define ch_malloc(type) \ +(type*) slapi_ch_malloc(sizeof(type)) +#define

Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-10-01 Thread thierry bordaz
On 09/30/2014 10:49 PM, Nathaniel McCallum wrote: On Tue, 2014-09-30 at 18:30 +0200, thierry bordaz wrote: On 09/29/2014 08:30 PM, Nathaniel McCallum wrote: On Mon, 2014-09-22 at 09:32 -0400, Simo Sorce wrote: On Sun, 21 Sep 2014 22:33:47 -0400 Nathaniel McCallum npmccal...@redhat.com wrote

Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-10-03 Thread thierry bordaz
Hello Nathaniel, An additional comment about the patch. When the new value is detected to be invalid, it is fixed by a repair operation (trigger_replication). I did test it and it is fine to update, with an internal operation, the same entry that is currently updated. Now if

Re: [Freeipa-devel] [PATCH] 0159-0160 Support ID views in compat tree

2014-10-07 Thread thierry bordaz
On 10/01/2014 06:16 PM, Alexander Bokovoy wrote: Hi! Attached are patches to add support of FreeIPA ID views to Schema compatibility plugin (slapi-nis). There are two patches for FreeIPA and a separate patch for slapi-nis. Patches can be applied independently; if old slapi-nis is installed, it

Re: [Freeipa-devel] [PATCH] 0159-0160 Support ID views in compat tree

2014-10-07 Thread thierry bordaz
On 10/07/2014 11:43 AM, Alexander Bokovoy wrote: On Tue, 07 Oct 2014, thierry bordaz wrote: A question about backend_search_filter_has_cn_uid. It checks if a filter component contains (uid|uidNumber|gidNumber|memberUid) and in this case returns SLAPI_FILTER_SCAN_STOP. This value

Re: [Freeipa-devel] [PATCH] 0159-0160 Support ID views in compat tree

2014-10-07 Thread thierry bordaz
On 10/01/2014 06:16 PM, Alexander Bokovoy wrote: Hi! Attached are patches to add support of FreeIPA ID views to Schema compatibility plugin (slapi-nis). There are two patches for FreeIPA and a separate patch for slapi-nis. Patches can be applied independently; if old slapi-nis is installed, it

Re: [Freeipa-devel] [PATCH] 0159-0160 Support ID views in compat tree

2014-10-07 Thread thierry bordaz
On 10/07/2014 05:00 PM, Alexander Bokovoy wrote: On Tue, 07 Oct 2014, thierry bordaz wrote: On 10/01/2014 06:16 PM, Alexander Bokovoy wrote: Hi! Attached are patches to add support of FreeIPA ID views to Schema compatibility plugin (slapi-nis). There are two patches for FreeIPA and a separate
