Re: [Freeipa-devel] [PATCHES 529-530] ca install: use host credentials in domain level 1

2015-12-14 Thread Martin Basti

On 14.12.2015 10:15, Martin Basti wrote:

On 14.12.2015 07:53, Jan Cholasta wrote:

On 11.12.2015 17:24, Martin Basti wrote:

On 11.12.2015 15:00, Jan Cholasta wrote:

On 10.12.2015 09:51, Jan Cholasta wrote:

Hi,

the attached patches fix 
.


My patches 523-525 are required for this:
.

Honza


Rebased patches attached.


Patch works for me, but can you provide explanations (and update commit
message) why the ACI change is needed:

* why the three ACIs are moved from 'cn="$SUFFIX",cn=mapping
tree,cn=config' to 'cn=mapping tree,cn=config'


So that they apply to all replication agreements.

* why you removed completely 'dn: cn=o\3Dipaca,cn=mapping 
tree,cn=config'


I didn't, they were moved to cn=mapping tree,cn=config as well.

Updated patches attached.


ACK


Pushed to master: b248dfda3980244070f85a1968e76d37ad50de9c

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
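
To make the answer above concrete ("so that they apply to all replication agreements"), here is an added example that is not FreeIPA code and not the 389-ds ACI evaluator; it is a deliberately simplified model that only checks where an ACI is placed (an ACI covers its entry and the subtree below it) and which object classes its targetfilter names, ignoring targetattr, target and bind rules. It takes the three ACI values from replica-acis.ldif verbatim and reports which of them reach a domain agreement, a CA agreement, the CA replica entry and cn=mapping tree,cn=config itself, once with the pre-patch placement on cn="$SUFFIX",cn=mapping tree,cn=config and once with the post-patch placement on cn=mapping tree,cn=config. The suffix dc=example,dc=com, the host replica1.example.com and the entry object classes are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed example values (assumptions, not from the patch): the IPA domain suffix
# and the host name used in the agreement RDN.
SUFFIX = "dc=example,dc=com"
HOST = "replica1.example.com"

# The three mapping-tree entries the thread talks about.
DOMAIN_MT = 'cn="%s",cn=mapping tree,cn=config' % SUFFIX   # cn="$SUFFIX",cn=mapping tree,cn=config
CA_MT = 'cn=o\\3Dipaca,cn=mapping tree,cn=config'
MAPPING_TREE = 'cn=mapping tree,cn=config'

# The three ACI values from replica-acis.ldif, verbatim, with $SUFFIX substituted.
ACIS = [s.replace("$SUFFIX", SUFFIX) for s in (
    '(targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)',
    '(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)',
    '(targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)',
)]


@dataclass(frozen=True)
class Aci:
    name: str
    rights: frozenset
    objectclasses: frozenset   # object classes named in targetfilter; empty means no filter at all
    groupdn: str


def parse_aci(text):
    """Pull out the parts of a 389-ds ACI this model needs: acl name, rights, targetfilter, groupdn."""
    name = re.search(r'acl\s+"([^"]+)"', text).group(1)
    rights = frozenset(r.strip().lower() for r in re.search(r'allow\s*\(([^)]*)\)', text).group(1).split(","))
    filt = re.search(r'\(targetfilter="([^"]*)"\)', text)
    ocs = frozenset(oc.lower() for oc in re.findall(r'\(objectclass=([^)]+)\)', filt.group(1), re.I)) if filt else frozenset()
    groupdn = re.search(r'groupdn\s*=\s*"ldap:///([^"]+)"', text).group(1)
    return Aci(name, rights, ocs, groupdn)


def norm_dn(dn):
    # Good enough for the DNs used here: case-fold and drop whitespace around commas.
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def in_subtree(entry_dn, base_dn):
    """An ACI placed on base_dn covers base_dn itself and everything below it."""
    e, b = norm_dn(entry_dn), norm_dn(base_dn)
    return e == b or e.endswith("," + b)


def aci_applies(aci, placed_at, entry_dn, entry_ocs):
    if not in_subtree(entry_dn, placed_at):
        return False
    # A targetfilter made of objectclass terms matches when any term matches the entry.
    if aci.objectclasses and not (aci.objectclasses & {oc.lower() for oc in entry_ocs}):
        return False
    return True


def coverage(placements, entries):
    """For each entry label, the sorted names of ACIs that reach it.
    placements: [(dn the ACI sits on, ACI text)]; entries: {label: (dn, objectclasses)}."""
    parsed = [(base, parse_aci(text)) for base, text in placements]
    return {label: sorted({aci.name for base, aci in parsed if aci_applies(aci, base, dn, ocs)})
            for label, (dn, ocs) in entries.items()}


# Constructed entries standing in for what a replica install touches.
AGREEMENT_OCS = {"top", "nsds5replicationagreement"}
ENTRIES = {
    "domain agreement": ("cn=meTo%s,cn=replica,%s" % (HOST, DOMAIN_MT), AGREEMENT_OCS),
    "CA agreement": ("cn=meTo%s,cn=replica,%s" % (HOST, CA_MT), AGREEMENT_OCS),
    "CA replica": ("cn=replica,%s" % CA_MT, {"top", "nsds5replica"}),
    "mapping tree root": (MAPPING_TREE, {"top", "nscontainer"}),
}

# Before the patch the set sits on the domain suffix entry (the o=ipaca copy was only added by
# ca-topology.uldif, i.e. by the CA install itself); after it, one set sits on cn=mapping tree,cn=config.
BEFORE = [(DOMAIN_MT, a) for a in ACIS]
AFTER = [(MAPPING_TREE, a) for a in ACIS]

if __name__ == "__main__":
    for label, placements in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for entry, names in coverage(placements, ENTRIES).items():
            print("  %-18s %s" % (entry, ", ".join(names) or "(none)"))
```

With the "before" placement only the domain agreement is reached; with "after" the CA agreement and CA replica entry are reached as well, which is the behaviour the patch is after. The last row shows the price of the move: the Add ACI has no targetfilter, so at the new placement it also reaches cn=mapping tree,cn=config itself, while Modify and Remove stay limited to the replica and agreement object classes their filters name.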


Re: [Freeipa-devel] [PATCHES 529-530] ca install: use host credentials in domain level 1

2015-12-14 Thread Martin Basti

On 14.12.2015 07:53, Jan Cholasta wrote:

On 11.12.2015 17:24, Martin Basti wrote:

On 11.12.2015 15:00, Jan Cholasta wrote:

On 10.12.2015 09:51, Jan Cholasta wrote:

Hi,

the attached patches fix 
.


My patches 523-525 are required for this:
.

Honza


Rebased patches attached.


Patch works for me, but can you provide explanations (and update commit
message) why the ACI change is needed:

* why the three ACIs are moved from 'cn="$SUFFIX",cn=mapping
tree,cn=config' to 'cn=mapping tree,cn=config'


So that they apply to all replication agreements.

* why you removed completely 'dn: cn=o\3Dipaca,cn=mapping 
tree,cn=config'


I didn't, they were moved to cn=mapping tree,cn=config as well.

Updated patches attached.


ACK



Re: [Freeipa-devel] [PATCHES 529-530] ca install: use host credentials in domain level 1

2015-12-13 Thread Jan Cholasta

On 11.12.2015 17:24, Martin Basti wrote:

On 11.12.2015 15:00, Jan Cholasta wrote:

On 10.12.2015 09:51, Jan Cholasta wrote:

Hi,

the attached patches fix .

My patches 523-525 are required for this:
.

Honza


Rebased patches attached.


Patch works for me, but can you provide explanations (and update commit
message) why the ACI change is needed:

* why the three ACIs are moved from 'cn="$SUFFIX",cn=mapping
tree,cn=config' to 'cn=mapping tree,cn=config'


So that they apply to all replication agreements.


* why you removed completely 'dn: cn=o\3Dipaca,cn=mapping tree,cn=config'


I didn't, they were moved to cn=mapping tree,cn=config as well.

Updated patches attached.

--
Jan Cholasta
From 730b9c2f5693020272a7458b9540366bca56b430 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 9 Dec 2015 10:31:18 +0100
Subject: [PATCH 1/2] aci: merge domain and CA suffix replication agreement
 ACIs

Merge the two identical sets of replication agreement permission ACIs for
the domain and CA suffixes into a single set suitable for replication
agreements for both suffixes. This makes the replication agreement
permissions behave correctly during CA replica install, so that any
non-admin user with the proper permissions (such as members of the
ipaservers host group) can set up replication for the CA suffix.

https://fedorahosted.org/freeipa/ticket/5399
---
 install/share/ca-topology.uldif |  6 --
 install/share/replica-acis.ldif |  6 +++---
 install/updates/20-aci.update   | 10 ++
 3 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/install/share/ca-topology.uldif b/install/share/ca-topology.uldif
index 7ce3cb1..fea591b 100644
--- a/install/share/ca-topology.uldif
+++ b/install/share/ca-topology.uldif
@@ -10,11 +10,5 @@ default: objectclass: iparepltopoconf
 default: ipaReplTopoConfRoot: o=ipaca
 default: cn: ca
 
-# Update CA replication settings
-dn: cn=o\3Dipaca,cn=mapping tree,cn=config
-add: aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
-add: aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
-add: aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
-
 dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
 onlyifexist: nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,$SUFFIX
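
Review bot: with the three `add: aci:` lines dropped from `cn=o\3Dipaca,cn=mapping tree,cn=config`, a CA replica now depends entirely on the copies at `cn=mapping tree,cn=config` already being in place when the CA is set up, so please confirm the install order applies replica-acis.ldif (or its 20-aci.update counterpart) before ca-topology.uldif on every path, including a CA added later to an existing server. If this file is only processed at CA install time, the matching `remove:aci` for the values it used to add to the o=ipaca entry must live in 20-aci.update, otherwise upgraded servers keep the old per-suffix set next to the new one. Minor: the removed '# Update CA replication settings' comment was the only description of the `cn=replica,cn=o\3Dipaca` stanza that remains; a one-line comment above it would help.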
diff --git a/install/share/replica-acis.ldif b/install/share/replica-acis.ldif
index 8c0bc8e..6735130 100644
--- a/install/share/replica-acis.ldif
+++ b/install/share/replica-acis.ldif
@@ -1,16 +1,16 @@
 # Replica administration
 
-dn: cn="$SUFFIX",cn=mapping tree,cn=config
+dn: cn=mapping tree,cn=config
 changetype: modify
 add: aci
 aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
 
-dn: cn="$SUFFIX",cn=mapping tree,cn=config
+dn: cn=mapping tree,cn=config
 changetype: modify
 add: aci
 aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
 
-dn: cn="$SUFFIX",cn=mapping tree,cn=config
+dn: cn=mapping tree,cn=config
 changetype: modify
 add: aci
 aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
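
Review bot: moving the placement from `cn="$SUFFIX",cn=mapping tree,cn=config` to `cn=mapping tree,cn=config` widens each ACI from one suffix's subtree to every mapping-tree entry, present and future, and the first ACI ('permission:Add Replication Agreements') carries `(targetattr=*)` with no `targetfilter`, unlike the Modify and Remove ACIs beside it; at the new placement a holder of that permission can add an entry of any object class anywhere under the mapping tree, including new suffix entries, not just replica and agreement entries. Suggest giving it a filter of the same shape as the other two, e.g. `(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")`, and stating the scope change in the commit message, since it is the first thing the reviewer asked about.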
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 5b9741d..cef842b 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -66,6 +66,16 @@ add:aci:(targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (rea
 dn: cn=mapping tree,cn=config
 add:aci: (target = "ldap:///cn=meTo($$dn),cn=*,cn=mapping tree,cn=config")(targetattr = "objectclass || cn")(version 3.0; acl "Allow hosts to read their replication agreements"; allow(read, search, compare) userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
 
+dn: cn="$SUFFIX",
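
Review bot: the hunk is cut off after `+dn: cn="$SUFFIX",`, so only the start of the upgrade stanza is visible here; for an upgraded server the update needs three pieces that should all be checked: `remove:aci` of the three old values at `cn="$SUFFIX",cn=mapping tree,cn=config`, the same removal at `cn=o\3Dipaca,cn=mapping tree,cn=config`, and `add:aci` of the new values at `cn=mapping tree,cn=config`, otherwise upgraded and fresh installs end up with different ACI sets. Because the updater removes by value, and the three strings are not formatted consistently (`3.0;acl` versus `3.0; acl`, `;allow` versus `; allow`), the `remove:aci` lines should be verified against the values actually stored on an upgraded instance (e.g. `ldapsearch -b 'cn=mapping tree,cn=config' aci`) rather than against the ldif, or a stale copy will silently survive.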

Re: [Freeipa-devel] [PATCHES 529-530] ca install: use host credentials in domain level 1

2015-12-13 Thread Jan Cholasta

On 10.12.2015 09:51, Jan Cholasta wrote:

Hi,

the attached patches fix .

My patches 523-525 are required for this:
.


Honza


Rebased patches attached.

--
Jan Cholasta
From a60dfc311007ead160a98f23f87618e7c5ce0fb1 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 9 Dec 2015 10:31:18 +0100
Subject: [PATCH 1/2] aci: merge domain and CA suffix replication agreement
 ACIs

https://fedorahosted.org/freeipa/ticket/5399
---
 install/share/ca-topology.uldif |  6 --
 install/share/replica-acis.ldif |  6 +++---
 install/updates/20-aci.update   | 10 ++
 3 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/install/share/ca-topology.uldif b/install/share/ca-topology.uldif
index 7ce3cb1..fea591b 100644
--- a/install/share/ca-topology.uldif
+++ b/install/share/ca-topology.uldif
@@ -10,11 +10,5 @@ default: objectclass: iparepltopoconf
 default: ipaReplTopoConfRoot: o=ipaca
 default: cn: ca
 
-# Update CA replication settings
-dn: cn=o\3Dipaca,cn=mapping tree,cn=config
-add: aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
-add: aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
-add: aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
-
 dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
 onlyifexist: nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,$SUFFIX
diff --git a/install/share/replica-acis.ldif b/install/share/replica-acis.ldif
index 8c0bc8e..6735130 100644
--- a/install/share/replica-acis.ldif
+++ b/install/share/replica-acis.ldif
@@ -1,16 +1,16 @@
 # Replica administration
 
-dn: cn="$SUFFIX",cn=mapping tree,cn=config
+dn: cn=mapping tree,cn=config
 changetype: modify
 add: aci
 aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
 
-dn: cn="$SUFFIX",cn=mapping tree,cn=config
+dn: cn=mapping tree,cn=config
 changetype: modify
 add: aci
 aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
 
-dn: cn="$SUFFIX",cn=mapping tree,cn=config
+dn: cn=mapping tree,cn=config
 changetype: modify
 add: aci
 aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index ca4c0df..b06f569 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -66,6 +66,16 @@ add:aci:(targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (rea
 dn: cn=mapping tree,cn=config
 add:aci: (target = "ldap:///cn=meTo($$dn),cn=*,cn=mapping tree,cn=config")(targetattr = "objectclass || cn")(version 3.0; acl "Allow hosts to read their replication agreements"; allow(read, search, compare) userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
 
+dn: cn="$SUFFIX",cn=mapping tree,cn=config
+remove:aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
+remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
+remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "
+
+dn: cn=o\3Dipaca,cn=mapping tree,cn=config
+remove:aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap

[Freeipa-devel] [PATCHES 529-530] ca install: use host credentials in domain level 1

2015-12-13 Thread Jan Cholasta

Hi,

the attached patches fix .

My patches 523-525 are required for this: 
.


Honza

--
Jan Cholasta
From 4bcb399365501265ee062020ff9ef80fd6235a66 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 9 Dec 2015 10:31:18 +0100
Subject: [PATCH 1/2] aci: merge domain and CA suffix replication agreement
 ACIs

https://fedorahosted.org/freeipa/ticket/5399
---
 install/share/ca-topology.uldif |  6 --
 install/share/replica-acis.ldif |  6 +++---
 install/updates/20-aci.update   | 10 ++
 3 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/install/share/ca-topology.uldif b/install/share/ca-topology.uldif
index 7ce3cb1..fea591b 100644
--- a/install/share/ca-topology.uldif
+++ b/install/share/ca-topology.uldif
@@ -10,11 +10,5 @@ default: objectclass: iparepltopoconf
 default: ipaReplTopoConfRoot: o=ipaca
 default: cn: ca
 
-# Update CA replication settings
-dn: cn=o\3Dipaca,cn=mapping tree,cn=config
-add: aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
-add: aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
-add: aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
-
 dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
 onlyifexist: nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,$SUFFIX
diff --git a/install/share/replica-acis.ldif b/install/share/replica-acis.ldif
index 8c0bc8e..6735130 100644
--- a/install/share/replica-acis.ldif
+++ b/install/share/replica-acis.ldif
@@ -1,16 +1,16 @@
 # Replica administration
 
-dn: cn="$SUFFIX",cn=mapping tree,cn=config
+dn: cn=mapping tree,cn=config
 changetype: modify
 add: aci
 aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
 
-dn: cn="$SUFFIX",cn=mapping tree,cn=config
+dn: cn=mapping tree,cn=config
 changetype: modify
 add: aci
 aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
 
-dn: cn="$SUFFIX",cn=mapping tree,cn=config
+dn: cn=mapping tree,cn=config
 changetype: modify
 add: aci
 aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index ca4c0df..b06f569 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -66,6 +66,16 @@ add:aci:(targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (rea
 dn: cn=mapping tree,cn=config
 add:aci: (target = "ldap:///cn=meTo($$dn),cn=*,cn=mapping tree,cn=config")(targetattr = "objectclass || cn")(version 3.0; acl "Allow hosts to read their replication agreements"; allow(read, search, compare) userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
 
+dn: cn="$SUFFIX",cn=mapping tree,cn=config
+remove:aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
+remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
+remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "
+
+dn: cn=o\3Dipaca,cn=mapping tree,cn=config
+remove:aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
+

Re: [Freeipa-devel] [PATCHES 529-530] ca install: use host credentials in domain level 1

2015-12-11 Thread Martin Basti

On 11.12.2015 15:00, Jan Cholasta wrote:

On 10.12.2015 09:51, Jan Cholasta wrote:

Hi,

the attached patches fix .

My patches 523-525 are required for this:
.

Honza


Rebased patches attached.

Patch works for me, but can you provide explanations (and update commit 
message) why the ACI change is needed:


* why the three ACIs are moved from 'cn="$SUFFIX",cn=mapping
tree,cn=config' to 'cn=mapping tree,cn=config'

* why you removed completely 'dn: cn=o\3Dipaca,cn=mapping tree,cn=config'

Martin
