Re: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry

2011-09-20 Thread Martin Kosek
On Fri, 2011-09-16 at 16:37 +, JR Aquino wrote:
 On Sep 16, 2011, at 2:11 AM, Martin Kosek wrote:
 
  On Thu, 2011-09-15 at 17:25 +, JR Aquino wrote:
  On Sep 15, 2011, at 1:47 AM, Martin Kosek wrote:
  
  On Thu, 2011-09-15 at 00:47 +, JR Aquino wrote:
  On Jul 22, 2011, at 7:05 AM, Martin Kosek wrote:
  
  5) I was thinking if there is a better solution to enabling/disabling of
  the plugin. Like setting something like a managedEntryEnabled attribute
  to on/off as we do with the compat plugin. Current concept with disabling
  the definition by damaging the originFilter and then restoring it from
  an LDIF seems a bit awkward to me.
  
  This has been completely changed:
  Instead of looking at LDIF files, an LDAP lookup is now performed to
  dynamically list the available managed entries.
  
  Now we are talking :-) I like the new approach.
  
  high five
  
  
  I have reviewed your patch, basic functionality looks good. But I still
  have a few (nitpicking) comments:
  
  1) There are parts from the previous file that are no longer needed
  since you switched to a different approach:
  
  +import os
  
  +from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax
  
  +import StringIO
  
  +import ldif
  
  +except BadSyntax, e:
  +print There is a syntax error in this update file:
  +print   %s % e
  +sys.exit(1)
  
  Removed
  
  
  2) I saw a few whitespace errors on the following lines of the patch: 419, 433
  and 453
  
  Fixed whitespace errors
  
  
  3) Output of the --list method is confusing:
  
  # ipa-managed-entries --list
  Directory Manager password: 
  
  Available Managed Entry Plugins:
  cn=upg definition,cn=definitions,cn=managed
  entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  cn=ngp definition,cn=definitions,cn=managed
  entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  
  You must specify a managed entry definition 
  # echo $?
  1
  
  a) I shouldn't be asked to specify a managed entry definition for --list
  
  Fixed
  
  b) The listing was successful, so we shouldn't return error code
  
  Corrected error code
  
  
  4) Return code for disabling an already disabled entry should be 2
  (according to man pages):
  
  # ipa-managed-entries -e 'cn=upg definition,cn=definitions,cn=managed 
  entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' disable
  Directory Manager password: 
  
  Plugin already disabled
  # echo $?
  0
  
  Fixed error code
  
  
  5) Strangely, enabling a disabled plugin gives me return code 2:
  # ipa-managed-entries -e 'cn=upg definition,cn=definitions,cn=managed 
  entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' enable
  Directory Manager password: 
  
  Enabling Plugin
  # echo $?
  2
  
  Return codes for these actions should fit the man pages.
  
  Fixed error code
  
  
  6) I would improve the handling of LDAP filters; the current solution is error
  prone. Try disabling/enabling NGP Definition; we end up with this
  originFilter:
  
  originfilter: ((objectclass=ipahostgroup))
  
  I think the cleanest solution would be to use ldap.make_filter and
  ldap.combine_filters functions to play with these filter. You can
  inspire yourself in this example I wrote for DNS plugin:
  
  rev_zone_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_NONE,
                                     exact=False, trailing_wildcard=False)
  filter = ldap.combine_filters((rev_zone_filter, filter), rules=ldap.MATCH_ALL)
  
  Rob and you addressed this in the mailing list.
  For the record, I do agree that we are lacking a method for reading and 
  modifying existing ldap filters.
  We will continue with the simple string method here for this iteration.
  
  
  7) Entering the Directory Manager password every time may be a bit tedious.
  Could we use current Kerberos credentials and fall back to asking for the
  Directory Manager password if it doesn't work? It's already done this way in
  ipa-replica-manage for example.
  
  We could fix this, however, as an enhancement in another patch.
  
  Fixed. We now will use gssapi if available, and prompt for password if 
  there is no ticket.
  
  
  8) Man page - please use the new united FreeIPA man page header. Instead
  of 
  
  +.TH ipa-managed-entries 1 Sept 15 2011 freeipa 
  
  use:
  
  +.TH ipa-managed-entries 1 Sept 15 2011 FreeIPA FreeIPA Manual
  Pages
  
  Fixed
  
  
  
  9) Man page - comma is missing for --list option:
  
  +\fB\-l\-\-list\fR
  
  
  Fixed
  
  
  10) install/po/Makefile.in should be updated too: there is still a
  reference to ipa-host-net-manage and the ipa-managed-entries reference is
  missing
  
  Fixed
  
  
  Great, most bugs are fixed. I only saw these 2 minor bugs. If those are
  fixed, I think we can ack/push.
  
  1) Man pages: --list option is still not right, formatting is wrong
  +\fB\-l\fR, -\-list\fR
 
 This typo is now corrected
 
  
  2) Enable action is missing a notice for the user, like the disable
  action has:
  
  # ipa-managed-entries -e 'cn=UPG 

Re: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry

2011-09-19 Thread Dmitri Pal
On 09/16/2011 10:25 AM, Alexander Bokovoy wrote:
 On Fri, 16 Sep 2011, JR Aquino wrote:
 On Sep 16, 2011, at 4:41 AM, Alexander Bokovoy aboko...@redhat.com wrote:
 Can't we have a shortcut that allows specifying only the name of the
 managed entry and we will expand it to a full DN? Current approach is
 way error-prone for admins to accidentally make a typo or two...
 It may look intimidating via email, but the tool provides --list to
 show the exact line that's needed to copy/paste; it also does checks
 to prevent accidental typos.

 The user isn't expected to know the full dn off the top of their 
 head :)

 The other nice thing is that the tool is not limited to only the 
 stock FreeIPA managed entries, so it will also list, enable, and 
 disable any custom user created managed entries, or future FreeIPA 
 entries without modification.
 That is all fine but having to *always* go through the complete DN is simply
 wrong from a user experience perspective. If we can have a helper shortcut
 for the most common cases for stock FreeIPA, we should do that.

 For example, if the DN provided by the user does not include an '=' sign, treat it
 as the CN of the last component. That would already cover the majority of cases.

+1. Should we have a helper function that works across all commands, or
is it just limited to this command?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry

2011-09-16 Thread Martin Kosek
On Thu, 2011-09-15 at 17:25 +, JR Aquino wrote:
 On Sep 15, 2011, at 1:47 AM, Martin Kosek wrote:
 
  On Thu, 2011-09-15 at 00:47 +, JR Aquino wrote:
  On Jul 22, 2011, at 7:05 AM, Martin Kosek wrote:
  
  5) I was thinking if there is a better solution to enabling/disabling of
  the plugin. Like setting something like a managedEntryEnabled attribute
  to on/off as we do with the compat plugin. Current concept with disabling
  the definition by damaging the originFilter and then restoring it from
  an LDIF seems a bit awkward to me.
  
  This has been completely changed:
  Instead of looking at LDIF files, an LDAP lookup is now performed to
  dynamically list the available managed entries.
  
  Now we are talking :-) I like the new approach.
 
 high five
 
  
  I have reviewed your patch, basic functionality looks good. But I still
  have a few (nitpicking) comments:
  
  1) There are parts from the previous file that are no longer needed
  since you switched to a different approach:
  
  +import os
  
  +from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax
  
  +import StringIO
  
  +import ldif
  
  +except BadSyntax, e:
  +print There is a syntax error in this update file:
  +print   %s % e
  +sys.exit(1)
 
 Removed
 
  
  2) I saw a few whitespace errors on the following lines of the patch: 419, 433
  and 453
 
 Fixed whitespace errors
 
  
  3) Output of the --list method is confusing:
  
  # ipa-managed-entries --list
  Directory Manager password: 
  
  Available Managed Entry Plugins:
  cn=upg definition,cn=definitions,cn=managed
  entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  cn=ngp definition,cn=definitions,cn=managed
  entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  
  You must specify a managed entry definition 
  # echo $?
  1
  
  a) I shouldn't be asked to specify a managed entry definition for --list
 
 Fixed
 
  b) The listing was successful, so we shouldn't return error code
 
 Corrected error code
 
  
  4) Return code for disabling an already disabled entry should be 2
  (according to man pages):
  
  # ipa-managed-entries -e 'cn=upg definition,cn=definitions,cn=managed 
  entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' disable
  Directory Manager password: 
  
  Plugin already disabled
  # echo $?
  0
 
 Fixed error code
 
  
  5) Strangely, enabling a disabled plugin gives me return code 2:
  # ipa-managed-entries -e 'cn=upg definition,cn=definitions,cn=managed 
  entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' enable
  Directory Manager password: 
  
  Enabling Plugin
  # echo $?
  2
  
  Return codes for these actions should fit the man pages.
 
 Fixed error code
 
  
  6) I would improve the handling of LDAP filters; the current solution is error
  prone. Try disabling/enabling NGP Definition; we end up with this
  originFilter:
  
  originfilter: ((objectclass=ipahostgroup))
  
  I think the cleanest solution would be to use ldap.make_filter and
  ldap.combine_filters functions to play with these filter. You can
  inspire yourself in this example I wrote for DNS plugin:
  
  rev_zone_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_NONE,
                                     exact=False, trailing_wildcard=False)
  filter = ldap.combine_filters((rev_zone_filter, filter), rules=ldap.MATCH_ALL)
 
 Rob and you addressed this in the mailing list.
 For the record, I do agree that we are lacking a method for reading and 
 modifying existing ldap filters.
 We will continue with the simple string method here for this iteration.
 
  
  7) Entering the Directory Manager password every time may be a bit tedious.
  Could we use current Kerberos credentials and fall back to asking for the
  Directory Manager password if it doesn't work? It's already done this way in
  ipa-replica-manage for example.
  
  We could fix this, however, as an enhancement in another patch.
 
 Fixed. We now will use gssapi if available, and prompt for password if there 
 is no ticket.
 
  
  8) Man page - please use the new united FreeIPA man page header. Instead
  of 
  
  +.TH ipa-managed-entries 1 Sept 15 2011 freeipa 
  
  use:
  
  +.TH ipa-managed-entries 1 Sept 15 2011 FreeIPA FreeIPA Manual
  Pages
 
 Fixed
 
  
  
  9) Man page - comma is missing for --list option:
  
  +\fB\-l\-\-list\fR
  
 
 Fixed
 
  
  10) install/po/Makefile.in should be updated too: there is still a
  reference to ipa-host-net-manage and the ipa-managed-entries reference is
  missing
 
 Fixed
 

Great, most bugs are fixed. I only saw these 2 minor bugs. If those are
fixed, I think we can ack/push.

1) Man pages: --list option is still not right, formatting is wrong
+\fB\-l\fR, -\-list\fR
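Review bot: the corrected line `+\fB\-l\fR, -\-list\fR` still never opens bold for the long option and leaves its first hyphen unescaped, so groff renders a plain `-` followed by `--list` in roman while the trailing `\fR` is a no-op; the form that matches the other options is `\fB\-l\fR, \fB\-\-list\fR`, with `\fB` opened before the long option and both hyphens written as `\-`.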

2) Enable action is missing a notice for the user, like the disable
action has:

# ipa-managed-entries -e 'cn=UPG Definition,cn=Definitions,cn=Managed 
Entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' disable
Disabling Plugin

# ipa-managed-entries -e 'cn=UPG Definition,cn=Definitions,cn=Managed 

Re: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry

2011-09-16 Thread JR Aquino
On Sep 16, 2011, at 4:41 AM, Alexander Bokovoy aboko...@redhat.com wrote:

 On Fri, 16 Sep 2011, Martin Kosek wrote:
 Great, most bugs are fixed. I only saw these 2 minor bugs. If those are
 fixed, I think we can ack/push.
 
 1) Man pages: --list option is still not right, formatting is wrong
 +\fB\-l\fR, -\-list\fR
 
 2) Enable action is missing a notice for the user, like the disable
 action has:
 
 # ipa-managed-entries -e 'cn=UPG Definition,cn=Definitions,cn=Managed 
 Entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' disable
 Disabling Plugin
 
 # ipa-managed-entries -e 'cn=UPG Definition,cn=Definitions,cn=Managed 
 Entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' enable
 This hurts. :)
 
 Can't we have a shortcut that allows specifying only the name of the
 managed entry and we will expand it to a full DN? Current approach is
 way error-prone for admins to accidentally make a typo or two...
 

It may look intimidating via email, but the tool provides --list to show the
exact line that's needed to copy/paste; it also does checks to prevent accidental
typos.

The user isn't expected to know the full dn off the top of their head :)

The other nice thing is that the tool is not limited to only the stock FreeIPA 
managed entries, so it will also list, enable, and disable any custom user 
created managed entries, or future FreeIPA entries without modification.

-jr

 -- 
 / Alexander Bokovoy



Re: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry

2011-09-16 Thread Alexander Bokovoy
On Fri, 16 Sep 2011, JR Aquino wrote:
 On Sep 16, 2011, at 4:41 AM, Alexander Bokovoy aboko...@redhat.com wrote:
  Can't we have a shortcut that allows specifying only the name of the
  managed entry and we will expand it to a full DN? Current approach is
  way error-prone for admins to accidentally make a typo or two...
 It may look intimidating via email, but the tool provides --list to
 show the exact line that's needed to copy/paste; it also does checks
 to prevent accidental typos.
 
 The user isn't expected to know the full dn off the top of their 
 head :)
 
 The other nice thing is that the tool is not limited to only the 
 stock FreeIPA managed entries, so it will also list, enable, and 
 disable any custom user created managed entries, or future FreeIPA 
 entries without modification.
That is all fine but having to *always* go through the complete DN is simply
wrong from a user experience perspective. If we can have a helper shortcut
for the most common cases for stock FreeIPA, we should do that.

For example, if the DN provided by the user does not include an '=' sign, treat it
as the CN of the last component. That would already cover the majority of cases.

-- 
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry

2011-09-16 Thread JR Aquino
On Sep 16, 2011, at 2:11 AM, Martin Kosek wrote:

 On Thu, 2011-09-15 at 17:25 +, JR Aquino wrote:
 On Sep 15, 2011, at 1:47 AM, Martin Kosek wrote:
 
 On Thu, 2011-09-15 at 00:47 +, JR Aquino wrote:
 On Jul 22, 2011, at 7:05 AM, Martin Kosek wrote:
 
 5) I was thinking if there is a better solution to enabling/disabling of
 the plugin. Like setting something like a managedEntryEnabled attribute
 to on/off as we do with the compat plugin. Current concept with disabling
 the definition by damaging the originFilter and then restoring it from
 an LDIF seems a bit awkward to me.
 
 This has been completely changed:
 Instead of looking at LDIF files, an LDAP lookup is now performed to
 dynamically list the available managed entries.
 
 Now we are talking :-) I like the new approach.
 
 high five
 
 
 I have reviewed your patch, basic functionality looks good. But I still
 have a few (nitpicking) comments:
 
 1) There are parts from the previous file that are no longer needed
 since you switched to a different approach:
 
 +import os
 
 +from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax
 
 +import StringIO
 
 +import ldif
 
 +except BadSyntax, e:
 +print There is a syntax error in this update file:
 +print   %s % e
 +sys.exit(1)
 
 Removed
 
 
 2) I saw a few whitespace errors on the following lines of the patch: 419, 433
 and 453
 
 Fixed whitespace errors
 
 
 3) Output of the --list method is confusing:
 
 # ipa-managed-entries --list
 Directory Manager password: 
 
 Available Managed Entry Plugins:
 cn=upg definition,cn=definitions,cn=managed
 entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
 cn=ngp definition,cn=definitions,cn=managed
 entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
 
 You must specify a managed entry definition 
 # echo $?
 1
 
 a) I shouldn't be asked to specify a managed entry definition for --list
 
 Fixed
 
 b) The listing was successful, so we shouldn't return error code
 
 Corrected error code
 
 
 4) Return code for disabling an already disabled entry should be 2
 (according to man pages):
 
 # ipa-managed-entries -e 'cn=upg definition,cn=definitions,cn=managed 
 entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' disable
 Directory Manager password: 
 
 Plugin already disabled
 # echo $?
 0
 
 Fixed error code
 
 
 5) Strangely, enabling a disabled plugin gives me return code 2:
 # ipa-managed-entries -e 'cn=upg definition,cn=definitions,cn=managed 
 entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' enable
 Directory Manager password: 
 
 Enabling Plugin
 # echo $?
 2
 
 Return codes for these actions should fit the man pages.
 
 Fixed error code
 
 
 6) I would improve the handling of LDAP filters; the current solution is error
 prone. Try disabling/enabling NGP Definition; we end up with this
 originFilter:
 
 originfilter: ((objectclass=ipahostgroup))
 
 I think the cleanest solution would be to use ldap.make_filter and
 ldap.combine_filters functions to play with these filter. You can
 inspire yourself in this example I wrote for DNS plugin:
 
 rev_zone_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_NONE,
                                    exact=False, trailing_wildcard=False)
 filter = ldap.combine_filters((rev_zone_filter, filter), rules=ldap.MATCH_ALL)
 
 Rob and you addressed this in the mailing list.
 For the record, I do agree that we are lacking a method for reading and 
 modifying existing ldap filters.
 We will continue with the simple string method here for this iteration.
 
 
 7) Entering the Directory Manager password every time may be a bit tedious.
 Could we use current Kerberos credentials and fall back to asking for the
 Directory Manager password if it doesn't work? It's already done this way in
 ipa-replica-manage for example.
 
 We could fix this, however, as an enhancement in another patch.
 
 Fixed. We now will use gssapi if available, and prompt for password if there 
 is no ticket.
 
 
 8) Man page - please use the new united FreeIPA man page header. Instead
 of 
 
 +.TH ipa-managed-entries 1 Sept 15 2011 freeipa 
 
 use:
 
 +.TH ipa-managed-entries 1 Sept 15 2011 FreeIPA FreeIPA Manual
 Pages
 
 Fixed
 
 
 
 9) Man page - comma is missing for --list option:
 
 +\fB\-l\-\-list\fR
 
 
 Fixed
 
 
 10) install/po/Makefile.in should be updated too: there is still a
 reference to ipa-host-net-manage and the ipa-managed-entries reference is
 missing
 
 Fixed
 
 
 Great, most bugs are fixed. I only saw these 2 minor bugs. If those are
 fixed, I think we can ack/push.
 
 1) Man pages: --list option is still not right, formatting is wrong
 +\fB\-l\fR, -\-list\fR

This typo is now corrected

 
 2) Enable action is missing a notice for the user, like the disable
 action has:
 
 # ipa-managed-entries -e 'cn=UPG Definition,cn=Definitions,cn=Managed 
 Entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' disable
 Disabling Plugin

The output is now corrected.

 # ipa-managed-entries -e 'cn=UPG Definition,cn=Definitions,cn=Managed 
 

Re: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry

2011-09-15 Thread Martin Kosek
On Thu, 2011-09-15 at 00:47 +, JR Aquino wrote:
 On Jul 22, 2011, at 7:05 AM, Martin Kosek wrote:

  5) I was thinking if there is a better solution to enabling/disabling of
  the plugin. Like setting something like a managedEntryEnabled attribute
  to on/off as we do with the compat plugin. Current concept with disabling
  the definition by damaging the originFilter and then restoring it from
  an LDIF seems a bit awkward to me.
 
 This has been completely changed:
 Instead of looking at LDIF files, an LDAP lookup is now performed to
 dynamically list the available managed entries.

Now we are talking :-) I like the new approach.

I have reviewed your patch, basic functionality looks good. But I still
have a few (nitpicking) comments:

1) There are parts from the previous file that are no longer needed
since you switched to a different approach:

+import os

+from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax

+import StringIO

+import ldif

+except BadSyntax, e:
+print There is a syntax error in this update file:
+print   %s % e
+sys.exit(1)
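Review bot: the dead-code removal should take the `+except BadSyntax, e:` handler out together with the `+from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax` line; dropping only the import would leave `BadSyntax` as an unresolved name that fails with NameError only on the error path of that try block, which no happy-path run exercises. If any except clause survives, `except BadSyntax as e:` (valid since Python 2.6) is the form to use.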


2) I saw a few whitespace errors on the following lines of the patch: 419, 433
and 453

3) Output of the --list method is confusing:

# ipa-managed-entries --list
Directory Manager password: 

Available Managed Entry Plugins:
cn=upg definition,cn=definitions,cn=managed
entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
cn=ngp definition,cn=definitions,cn=managed
entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com

You must specify a managed entry definition 
# echo $?
1

a) I shouldn't be asked to specify a managed entry definition for --list
b) The listing was successful, so we shouldn't return error code

4) Return code for disabling an already disabled entry should be 2
(according to man pages):

# ipa-managed-entries -e 'cn=upg definition,cn=definitions,cn=managed 
entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' disable
Directory Manager password: 

Plugin already disabled
# echo $?
0

5) Strangely, enabling a disabled plugin gives me return code 2:
# ipa-managed-entries -e 'cn=upg definition,cn=definitions,cn=managed 
entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' enable
Directory Manager password: 

Enabling Plugin
# echo $?
2

Return codes for these actions should fit the man pages.

6) I would improve the handling of LDAP filters; the current solution is error
prone. Try disabling/enabling NGP Definition; we end up with this
originFilter:

originfilter: ((objectclass=ipahostgroup))

I think the cleanest solution would be to use ldap.make_filter and
ldap.combine_filters functions to play with these filter. You can
inspire yourself in this example I wrote for DNS plugin:

rev_zone_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_NONE,
                                   exact=False, trailing_wildcard=False)
filter = ldap.combine_filters((rev_zone_filter, filter), rules=ldap.MATCH_ALL)

7) Entering the Directory Manager password every time may be a bit tedious.
Could we use current Kerberos credentials and fall back to asking for the
Directory Manager password if it doesn't work? It's already done this way in
ipa-replica-manage for example.

We could fix this, however, as an enhancement in another patch.

8) Man page - please use the new united FreeIPA man page header. Instead
of 

+.TH ipa-managed-entries 1 Sept 15 2011 freeipa 

use:

+.TH ipa-managed-entries 1 Sept 15 2011 FreeIPA FreeIPA Manual
Pages


9) Man page - comma is missing for --list option:

+\fB\-l\-\-list\fR


10) install/po/Makefile.in should be updated too: there is still a
reference to ipa-host-net-manage and the ipa-managed-entries reference is
missing


Martin

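The return-code and originFilter points in items 3 to 6 of the review above, Simo Sorce's replication concern (only the public suffix is replicated, so the toggle must not live in cn=config) and Alexander Bokovoy's request in his 2011-09-16 reply for a CN-only shortcut all come down to one small piece of logic, shown here as an added example. It is not code from the ipa-managed-entries patch or from FreeIPA: an in-memory dict stands in for the cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX container (which the --list output above shows sits in the replicated suffix, not under cn=config), the suffix dc=example,dc=com and the two sample entries are constructed, and two things are assumed rather than taken from the patch: that a disabled definition carries the filter (&<original>(objectclass=disabled)) and enabling restores <original> exactly, and that the exit codes are 0 for a state change, 1 for an error and 2 for a definition already in the requested state. The filter is parsed into its top-level components instead of spliced as a string, which is what keeps a disable/enable cycle from producing ((objectclass=ipahostgroup)).

```python
"""Toggle FreeIPA managed-entry definitions by rewriting originFilter.

Added example, not the ipa-managed-entries patch: an in-memory dict stands in
for the replicated container cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX.
Assumed: a disabled definition carries '(&<original>(objectclass=disabled))'
(matches nothing) and enabling restores <original>; exit codes are
0 = state changed, 1 = error, 2 = already in the requested state.
"""
import re

DISABLED_CLAUSE = "(objectclass=disabled)"
RC_CHANGED, RC_ERROR, RC_NOOP = 0, 1, 2
SUFFIX = "dc=example,dc=com"  # assumed suffix for the constructed directory
DEFINITIONS_BASE = "cn=Definitions,cn=Managed Entries,cn=etc," + SUFFIX

def sample_directory():
    """Constructed data: the two stock definitions, attribute names lower-cased
    as python-ldap returns them. A fresh dict per call keeps runs independent."""
    return {
        "cn=UPG Definition," + DEFINITIONS_BASE: {"originfilter": ["(objectclass=posixAccount)"]},
        "cn=NGP Definition," + DEFINITIONS_BASE: {"originfilter": ["(objectclass=ipahostgroup)"]},
    }

def _escape_rdn_value(value):
    """RFC 4514 escaping, so a name such as 'x,cn=evil' cannot add RDNs to the DN."""
    out = re.sub(r'([,+"\\<>;])', r'\\\1', value)
    if value.endswith(" "):
        out = out[:-1] + "\\ "
    return "\\" + out if out[:1] in ("#", " ") else out

def expand_definition(name, base=DEFINITIONS_BASE):
    """The CN-only shortcut: an argument without '=' names a definition by CN
    under the definitions container; anything containing '=' is a full DN."""
    return name if "=" in name else "cn=%s,%s" % (_escape_rdn_value(name), base)

def _lookup(directory, dn):
    """Case-insensitive DN match (cn uses caseIgnoreMatch); spacing not normalised."""
    return next((e for k, e in directory.items() if k.lower() == dn.lower()), None)

def _top_level_and(filter_str):
    """Components of a top-level AND, '(&(a)(b))' -> ['(a)', '(b)'], else None.
    Raw parentheses are always structural in an LDAP filter (values escape them
    as \\28 and \\29), so counting them is enough. ValueError if unbalanced."""
    if not (filter_str.startswith("(") and filter_str.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % filter_str)
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(filter_str):
        if ch == "(":
            if depth == 1:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 1:
                parts.append(filter_str[start:i + 1])
            elif depth == 0 and i != len(filter_str) - 1:
                raise ValueError("unbalanced filter: %r" % filter_str)
    if depth != 0:
        raise ValueError("unbalanced filter: %r" % filter_str)
    return parts if filter_str.startswith("(&") else None

def is_disabled(filter_str):
    parts = _top_level_and(filter_str)
    return parts is not None and DISABLED_CLAUSE in parts

def disabled_form(filter_str):
    _top_level_and(filter_str)  # validate first: never wrap an unbalanced filter
    return "(&%s%s)" % (filter_str, DISABLED_CLAUSE)

def enabled_form(filter_str):
    """Inverse of disabled_form: drop the clause and unwrap the AND when a single
    component remains, so disable followed by enable yields the exact original."""
    parts = _top_level_and(filter_str)
    if parts is None or DISABLED_CLAUSE not in parts:
        return filter_str
    rest = [p for p in parts if p != DISABLED_CLAUSE]
    return rest[0] if len(rest) == 1 else "(&%s)" % "".join(rest)

def set_state(directory, name, action):
    """Apply 'enable' or 'disable' to one definition; return (exit code, message).
    The entry is rewritten only after its current filter parsed cleanly."""
    dn = expand_definition(name)
    entry = _lookup(directory, dn)
    if not entry or not entry.get("originfilter"):
        return RC_ERROR, "No managed entry definition with an originFilter: %s" % dn
    if action not in ("enable", "disable"):
        return RC_ERROR, "Unknown action: %s" % action
    current = entry["originfilter"][0]
    try:
        if is_disabled(current) == (action == "disable"):  # already in that state
            return RC_NOOP, "Plugin already %sd" % action  # 'enabled' / 'disabled'
        new = disabled_form(current) if action == "disable" else enabled_form(current)
    except ValueError as err:
        return RC_ERROR, "Refusing to touch %s: %s" % (dn, err)
    entry["originfilter"] = [new]
    return RC_CHANGED, "%s Plugin" % ("Disabling" if action == "disable" else "Enabling")

def list_definitions(directory):
    """--list: every definition DN with its state, sorted; the caller exits 0."""
    return sorted((dn, "disabled" if is_disabled(e["originfilter"][0]) else "enabled")
                  for dn, e in directory.items())
```

On the sample directory, set_state(d, "NGP Definition", "disable") returns (0, "Disabling Plugin"), a second call returns (2, "Plugin already disabled"), and after enable the stored filter is byte-for-byte (objectclass=ipahostgroup) again; a filter that does not parse (unbalanced, or not parenthesised) produces exit code 1 and leaves the entry untouched rather than wrapping it. The RFC 4514 escaping in the shortcut matters because the argument becomes part of a DN: a name such as x,cn=evil would otherwise add an RDN rather than look up a definition.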


Re: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry

2011-09-15 Thread JR Aquino
On Sep 15, 2011, at 1:47 AM, Martin Kosek wrote:

 On Thu, 2011-09-15 at 00:47 +, JR Aquino wrote:
 On Jul 22, 2011, at 7:05 AM, Martin Kosek wrote:
 
 5) I was thinking if there is a better solution to enabling/disabling of
 the plugin. Like setting something like a managedEntryEnabled attribute
 to on/off as we do with the compat plugin. Current concept with disabling
 the definition by damaging the originFilter and then restoring it from
 an LDIF seems a bit awkward to me.
 
 This has been completely changed:
 Instead of looking at LDIF files, an LDAP lookup is now performed to
 dynamically list the available managed entries.
 
 Now we are talking :-) I like the new approach.

high five

 
 I have reviewed your patch, basic functionality looks good. But I still
 have a few (nitpicking) comments:
 
 1) There are parts from the previous file that are no longer needed
 since you switched to a different approach:
 
 +import os
 
 +from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax
 
 +import StringIO
 
 +import ldif
 
 +except BadSyntax, e:
 +print There is a syntax error in this update file:
 +print   %s % e
 +sys.exit(1)

Removed

 
 2) I saw a few whitespace errors on the following lines of the patch: 419, 433
 and 453

Fixed whitespace errors

 
 3) Output of the --list method is confusing:
 
 # ipa-managed-entries --list
 Directory Manager password: 
 
 Available Managed Entry Plugins:
 cn=upg definition,cn=definitions,cn=managed
 entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
 cn=ngp definition,cn=definitions,cn=managed
 entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
 
 You must specify a managed entry definition 
 # echo $?
 1
 
 a) I shouldn't be asked to specify a managed entry definition for --list

Fixed

 b) The listing was successful, so we shouldn't return error code

Corrected error code

 
 4) Return code for disabling an already disabled entry should be 2
 (according to man pages):
 
 # ipa-managed-entries -e 'cn=upg definition,cn=definitions,cn=managed 
 entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' disable
 Directory Manager password: 
 
 Plugin already disabled
 # echo $?
 0

Fixed error code

 
 5) Strangely, enabling a disabled plugin gives me return code 2:
 # ipa-managed-entries -e 'cn=upg definition,cn=definitions,cn=managed 
 entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' enable
 Directory Manager password: 
 
 Enabling Plugin
 # echo $?
 2
 
 Return codes for these actions should fit the man pages.

Fixed error code

 
 6) I would improve the handling of LDAP filters; the current solution is error
 prone. Try disabling/enabling NGP Definition; we end up with this
 originFilter:
 
 originfilter: ((objectclass=ipahostgroup))
 
 I think the cleanest solution would be to use ldap.make_filter and
 ldap.combine_filters functions to play with these filter. You can
 inspire yourself in this example I wrote for DNS plugin:
 
 rev_zone_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_NONE,
                                    exact=False, trailing_wildcard=False)
 filter = ldap.combine_filters((rev_zone_filter, filter), rules=ldap.MATCH_ALL)

Rob and you addressed this in the mailing list.
For the record, I do agree that we are lacking a method for reading and 
modifying existing ldap filters.
We will continue with the simple string method here for this iteration.

 
 7) Entering the Directory Manager password every time may be a bit tedious.
 Could we use current Kerberos credentials and fall back to asking for the
 Directory Manager password if it doesn't work? It's already done this way in
 ipa-replica-manage for example.
 
 We could fix this, however, as an enhancement in another patch.

Fixed. We now will use gssapi if available, and prompt for password if there is 
no ticket.

 
 8) Man page - please use the new united FreeIPA man page header. Instead
 of 
 
 +.TH ipa-managed-entries 1 Sept 15 2011 freeipa 
 
 use:
 
 +.TH ipa-managed-entries 1 Sept 15 2011 FreeIPA FreeIPA Manual
 Pages

Fixed

 
 
 9) Man page - comma is missing for --list option:
 
 +\fB\-l\-\-list\fR
 

Fixed

 
 10) install/po/Makefile.in should be updated too: there is still a
 reference to ipa-host-net-manage and the ipa-managed-entries reference is
 missing

Fixed



bin1u2MkpIsph.bin
Description: freeipa-jraquino-0025-Create-Tool-for-Enabling-Disabling-Managed-Entries.patch


Re: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry

2011-09-14 Thread JR Aquino

On Jul 22, 2011, at 7:05 AM, Martin Kosek wrote:

 On Thu, 2011-07-21 at 23:52 +, JR Aquino wrote:
 On Apr 25, 2011, at 9:00 AM, Simo Sorce wrote:
 
 On Mon, 2011-04-25 at 14:59 +, JR Aquino wrote:
 On Apr 25, 2011, at 6:43 AM, Simo Sorce wrote:
 
 On Thu, 2011-04-21 at 23:28 +, JR Aquino wrote:
 Hmmm
 Both Private Groups and the Hostgroup -> Netgroup Managed Entries
 create objects in the container:
 cn=Managed Entries,cn=plugins,cn=config
 
 Each Ldif contains 2 ldap objects. One that lives in the main $SUFFIX,
 and one in the cn=config
 
 How will these be treated by replication and the multi masters?
 
 Only the common objects in the public suffix are replicated.
 I think at some point we discussed that we should use a filter in the
 private config entry made so that we could enable/disable the plugin by
 simply making the filter result true/false.
 Thus not ever touch the entries in cn=config but simply
 enable/disable the functionality by (not)adding the appropriate
 attributes to objects so that filters would (not) match.
 
 Simo.
 
 This tool works by toggling the originfilter: objectclass=disabled in 
 order to turn off the plugin.
 
 But this is backwards, because originfilter is defined in the
 configuration entry stored in cn=config
 
 Meaning as soon as you change it one server will behave differently from
 the others until you go and change it on each and every server.
 
 Finally able to revisit this Patch / Ticket:
 (To be used in conjunction with Patch 38)
 
 25 Create Tool for Enabling/Disabling Managed Entry
 Plugins https://fedorahosted.org/freeipa/ticket/1181
 
 Remove legacy ipa-host-net-manage
 Add ipa-managed-entries tool
 Add man page for ipa-managed-entries tool
 
 
 I have found few issues with the patch:
 
 1) I don't think it's necessary to change BuildRequires to
 389-ds-base-devel = 1.2.8

This is no longer necessary and has been removed.

 
 2) Invalid comment in get_dirman_password() function. There is no
 verification of the password. It just prompts it

This has been corrected

 
 3) ipa-managed-entries man pages: copy & paste error:
 +Directory Server will need to be restarted after the schema
 compatibility plugin has been enabled.

Copy / Paste Typo corrected
 
 4) Invalid help of the program:
 # ipa-managed-entries --help
 Usage: ipa-managed-entries [options] enable|disable
   ipa-managed-entries [options]
 
 - status action is missing
 - running program without action is not allowed, i.e. should not be
 offered

Corrected help entries

 
 5) I was thinking if there is a better solution to enabling/disabling of
 the plugin. Like setting something like a managedEntryEnabled attribute
 to on/off as we do with the compat plugin. Current concept with disabling
 the definition by damaging the originFilter and then restoring it from
 an LDIF seems a bit awkward to me.

This has been completely changed:
Instead of looking at LDIF files, an LDAP lookup is now performed to
dynamically list the available managed entries.
 
 6) ipa-managed-entries crashes when managed entry is a wrong file:
 
 # ipa-managed-entries status -f /usr/share/ipa/managed-entries.ldif 
 Directory Manager password: 
 
 Traceback (most recent call last):
   File "/usr/sbin/ipa-managed-entries", line 245, in <module>
     sys.exit(main())
   File "/usr/sbin/ipa-managed-entries", line 141, in main
     originFilter = entry_attr['originFilter'][0]
 KeyError: 'originFilter'

This is no longer an issue now that it is no longer using the ldif files.

 7) What if there are more managed entries in the LDIF? This concept
 would not work correctly then. A behavior I would expect:
 a) User (optionally) passes a directory with managed entries LDIFs
 b) ipa-managed-entries analyzes all LDIFs and prints available Managed
 Entry definitions
 c) I would choose the one I want to enable/disable via
 ipa-managed-entries option

Also no longer an issue.

 Martin
 

Corrected Patch Attached:


[Attachment: freeipa-jraquino-0025-Create-Tool-for-Enabling-Disabling-Managed-Entries.patch]
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry

2011-07-22 Thread Martin Kosek
On Thu, 2011-07-21 at 23:52 +, JR Aquino wrote:
 On Apr 25, 2011, at 9:00 AM, Simo Sorce wrote:
 
  On Mon, 2011-04-25 at 14:59 +, JR Aquino wrote:
  On Apr 25, 2011, at 6:43 AM, Simo Sorce wrote:
  
  On Thu, 2011-04-21 at 23:28 +, JR Aquino wrote:
  Hmmm
   Both Private Groups and the Hostgroup -> Netgroup Managed Entries
  create objects in the container:
  cn=Managed Entries,cn=plugins,cn=config
  
  Each Ldif contains 2 ldap objects. One that lives in the main $SUFFIX,
  and one in the cn=config
  
  How will these be treated by replication and the multi masters?
  
  Only the common objects in the public suffix are replicated.
  I think at some point we discussed that we should use a filter in the
  private config entry made so that we could enable/disable the plugin by
  simply making the filter result true/false.
  Thus not ever touch the entries in cn=config but simply
  enable/disable the functionality by (not)adding the appropriate
  attributes to objects so that filters would (not) match.
  
  Simo.
  
  This tool works by toggling the originfilter: objectclass=disabled in 
  order to turn off the plugin.
  
  But this is backwards, because originfilter is defined in the
  configuration entry stored in cn=config
  
  Meaning as soon as you change it one server will behave differently from
  the others until you go and change it on each and every server.
 
 Finally able to revisit this Patch / Ticket:
 (To be used in conjunction with Patch 38)
 
 25 Create Tool for Enabling/Disabling Managed Entry
 Plugins https://fedorahosted.org/freeipa/ticket/1181
 
 Remove legacy ipa-host-net-manage
 Add ipa-managed-entries tool
 Add man page for ipa-managed-entries tool
 

I have found a few issues with the patch:

1) I don't think it's necessary to change BuildRequires to
389-ds-base-devel >= 1.2.8

2) Invalid comment in get_dirman_password() function. There is no
verification of the password. It just prompts for it.

3) ipa-managed entries man pages: copy & paste error:
+Directory Server will need to be restarted after the schema
compatibility plugin has been enabled.

4) Invalid help of the program:
# ipa-managed-entries --help
Usage: ipa-managed-entries [options] enable|disable
   ipa-managed-entries [options]

- status action is missing
- running program without action is not allowed, i.e. should not be
offered

5) I was thinking whether there is a better solution to enabling/disabling of
the plugin. Like setting something like a managedEntryEnabled attribute
to on/off as we do with compat plugin. Current concept with disabling
the definition by damaging the originFilter and then restoring it from
an LDIF seems a bit awkward to me.

6) ipa-managed-entries crashes when managed entry is a wrong file:

# ipa-managed-entries status -f /usr/share/ipa/managed-entries.ldif 
Directory Manager password: 

Traceback (most recent call last):
  File "/usr/sbin/ipa-managed-entries", line 245, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-managed-entries", line 141, in main
    originFilter = entry_attr['originFilter'][0]
KeyError: 'originFilter'

7) What if there are more managed entries in the LDIF? This concept
would not work correctly then. A behavior I would expect:
a) User (optionally) passes a directory with managed entries LDIFs
b) ipa-managed-entries analyzes all LDIFs and prints available Managed
Entry definitions
c) I would choose the one I want to enable/disable via
ipa-managed-entries option

Martin

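One way to do the status check without the KeyError from item 6, and to surface the per-server divergence Simo raised (the definition and its originFilter sit under cn=config, which is not replicated), as an added Python example that is not FreeIPA's ipa-managed-entries code: the LDIF text, master names and DNs are constructed, and the form used to disable a filter, `(&(objectclass=disabled)...)`, is an assumption rather than the patch's own.

```python
"""Status, toggle and cross-replica checks for Managed Entry definitions.
Added example for this thread, not FreeIPA's ipa-managed-entries code; it
reads constructed LDIF text so it runs offline (same logic for LDAP results).
"""

# Marker the thread describes: once "(objectclass=disabled)" is part of the
# originFilter no real entry can match, so the definition is effectively off.
DISABLE_TERM = "(objectclass=disabled)"
CONTAINER_HINT = "cn=managed entries,"  # present in cn=config and cn=etc DNs


def parse_ldif(text):
    """Minimal LDIF reader: 'attr: value' lines, blank line between entries,
    RFC 2849 continuation lines folded, attribute names lower-cased."""
    folded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and folded:
            folded[-1] += raw[1:]
        else:
            folded.append(raw)
    entries, current = [], {}
    for line in folded + [""]:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def definition_status(entry):
    """'enabled', 'disabled', or 'unknown' when originFilter is missing; the
    missing case is where the reviewed tool died with KeyError: 'originFilter'."""
    values = entry.get("originfilter")
    if not values:
        return "unknown"
    return "disabled" if DISABLE_TERM in values[0].lower() else "enabled"


def definitions(entries):
    """{definition DN: status} for every Managed Entry definition present."""
    result = {}
    for entry in entries:
        dn = entry.get("dn", [""])[0]
        if CONTAINER_HINT in dn.lower():
            result[dn] = definition_status(entry)
    return result


def toggle_filter(origin_filter, enable):
    """originFilter value for the requested state.  Convention assumed here,
    not taken from the patch: disabling ANDs the marker in front of the real
    filter, enabling strips it again; both directions are idempotent."""
    prefix = "(&" + DISABLE_TERM
    core = origin_filter.strip()
    if core.lower().startswith(prefix) and core.endswith(")"):
        core = core[len(prefix):-1]
    if not core.startswith("("):  # bare "objectclass=posixAccount" form
        core = "(" + core + ")"
    return core if enable else prefix + core + ")"


def replica_drift(per_server):
    """Definitions under cn=config are not replicated (Simo's point), so the
    status has to be read on every master.  Returns {dn: {server: status}}
    for the definitions whose status is not the same on all of them."""
    table = {}
    for server, entries in per_server.items():
        for dn, status in definitions(entries).items():
            table.setdefault(dn, {})[server] = status
    return {dn: st for dn, st in table.items() if len(set(st.values())) > 1}


# Constructed sample: UPG was disabled on master1 only; master2 also carries
# an NGP definition that lost its originFilter (the KeyError case above).
SAMPLE = {
    "master1": parse_ldif(
        "dn: cn=UPG Definition,cn=Managed Entries,cn=plugins,cn=config\n"
        "originFilter: (&(objectclass=disabled)(objectclass=posixAccount))\n"),
    "master2": parse_ldif(
        "dn: cn=UPG Definition,cn=Managed Entries,cn=plugins,cn=config\n"
        "originFilter: objectclass=posixAccount\n\n"
        "dn: cn=NGP Definition,cn=Managed Entries,cn=plugins,cn=config\n"),
}
```

Run `replica_drift(SAMPLE)` against the sample to see the UPG definition reported as disabled on master1 but enabled on master2.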


Re: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry

2011-07-22 Thread Rob Crittenden

Martin Kosek wrote:

On Thu, 2011-07-21 at 23:52 +, JR Aquino wrote:

On Apr 25, 2011, at 9:00 AM, Simo Sorce wrote:


On Mon, 2011-04-25 at 14:59 +, JR Aquino wrote:

On Apr 25, 2011, at 6:43 AM, Simo Sorce wrote:


On Thu, 2011-04-21 at 23:28 +, JR Aquino wrote:

Hmmm
Both Private Groups and the Hostgroup -> Netgroup Managed Entries
create objects in the container:
cn=Managed Entries,cn=plugins,cn=config

Each Ldif contains 2 ldap objects. One that lives in the main $SUFFIX,
and one in the cn=config

How will these be treated by replication and the multi masters?


Only the common objects in the public suffix are replicated.
I think at some point we discussed that we should use a filter in the
private config entry made so that we could enable/disable the plugin by
simply making the filter result true/false.
Thus not ever touch the entries in cn=config but simply
enable/disable the functionality by (not)adding the appropriate
attributes to objects so that filters would (not) match.

Simo.


This tool works by toggling the originfilter: objectclass=disabled in order to 
turn off the plugin.


But this is backwards, because originfilter is defined in the
configuration entry stored in cn=config

Meaning as soon as you change it one server will behave differently from
the others until you go and change it on each and every server.


Finally able to revisit this Patch / Ticket:
(To be used in conjunction with Patch 38)

25 Create Tool for Enabling/Disabling Managed Entry
Plugins https://fedorahosted.org/freeipa/ticket/1181

Remove legacy ipa-host-net-manage
Add ipa-managed-entries tool
Add man page for ipa-managed-entries tool



I have found a few issues with the patch:

1) I don't think it's necessary to change BuildRequires to
389-ds-base-devel >= 1.2.8


I think this is because of the ability to move the config out of cn=config.
It should probably be Requires and not BuildRequires though.




2) Invalid comment in get_dirman_password() function. There is no
verification of the password. It just prompts for it.

3) ipa-managed entries man pages: copy & paste error:
+Directory Server will need to be restarted after the schema
compatibility plugin has been enabled.

4) Invalid help of the program:
# ipa-managed-entries --help
Usage: ipa-managed-entries [options] enable|disable
       ipa-managed-entries [options]

- status action is missing
- running program without action is not allowed, i.e. should not be
offered

5) I was thinking whether there is a better solution to enabling/disabling of
the plugin. Like setting something like a managedEntryEnabled attribute
to on/off as we do with compat plugin. Current concept with disabling
the definition by damaging the originFilter and then restoring it from
an LDIF seems a bit awkward to me.


We have to do it this way (or something like it) because cn=config is 
not replicated.




6) ipa-managed-entries crashes when managed entry is a wrong file:

# ipa-managed-entries status -f /usr/share/ipa/managed-entries.ldif
Directory Manager password:

Traceback (most recent call last):
  File "/usr/sbin/ipa-managed-entries", line 245, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-managed-entries", line 141, in main
    originFilter = entry_attr['originFilter'][0]
KeyError: 'originFilter'

7) What if there are more managed entries in the LDIF? This concept
would not work correctly then. A behavior I would expect:
a) User (optionally) passes a directory with managed entries LDIFs
b) ipa-managed-entries analyzes all LDIFs and prints available Managed
Entry definitions
c) I would choose the one I want to enable/disable via
ipa-managed-entries option

Martin



rob



Re: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry

2011-07-21 Thread JR Aquino
On Apr 25, 2011, at 9:00 AM, Simo Sorce wrote:

 On Mon, 2011-04-25 at 14:59 +, JR Aquino wrote:
 On Apr 25, 2011, at 6:43 AM, Simo Sorce wrote:
 
 On Thu, 2011-04-21 at 23:28 +, JR Aquino wrote:
 Hmmm
 Both Private Groups and the Hostgroup -> Netgroup Managed Entries
 create objects in the container:
 cn=Managed Entries,cn=plugins,cn=config
 
 Each Ldif contains 2 ldap objects. One that lives in the main $SUFFIX,
 and one in the cn=config
 
 How will these be treated by replication and the multi masters?
 
 Only the common objects in the public suffix are replicated.
 I think at some point we discussed that we should use a filter in the
 private config entry made so that we could enable/disable the plugin by
 simply making the filter result true/false.
 Thus not ever touch the entries in cn=config but simply
 enable/disable the functionality by (not)adding the appropriate
 attributes to objects so that filters would (not) match.
 
 Simo.
 
 This tool works by toggling the originfilter: objectclass=disabled in order 
 to turn off the plugin.
 
 But this is backwards, because originfilter is defined in the
 configuration entry stored in cn=config
 
 Meaning as soon as you change it one server will behave differently from
 the others until you go and change it on each and every server.

Finally able to revisit this Patch / Ticket:
(To be used in conjunction with Patch 38)

25 Create Tool for Enabling/Disabling Managed Entry
Plugins https://fedorahosted.org/freeipa/ticket/1181

Remove legacy ipa-host-net-manage
Add ipa-managed-entries tool
Add man page for ipa-managed-entries tool




[Attachment: freeipa-jraquino-0025-Create-Tool-for-Enabling-Disabling-Managed-Entries.patch]

Re: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry

2011-04-25 Thread Simo Sorce
On Thu, 2011-04-21 at 23:28 +, JR Aquino wrote:
 Hmmm
 Both Private Groups and the Hostgroup -> Netgroup Managed Entries
 create objects in the container:
 cn=Managed Entries,cn=plugins,cn=config
 
 Each Ldif contains 2 ldap objects. One that lives in the main $SUFFIX,
 and one in the cn=config
 
 How will these be treated by replication and the multi masters?

Only the common objects in the public suffix are replicated.
I think at some point we discussed that we should use a filter in the
private config entry made so that we could enable/disable the plugin by
simply making the filter result true/false.
Thus not ever touch the entries in cn=config but simply
enable/disable the functionality by (not)adding the appropriate
attributes to objects so that filters would (not) match.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry

2011-04-25 Thread JR Aquino
On Apr 25, 2011, at 6:43 AM, Simo Sorce wrote:

 On Thu, 2011-04-21 at 23:28 +, JR Aquino wrote:
 Hmmm
 Both Private Groups and the Hostgroup -> Netgroup Managed Entries
 create objects in the container:
 cn=Managed Entries,cn=plugins,cn=config
 
 Each Ldif contains 2 ldap objects. One that lives in the main $SUFFIX,
 and one in the cn=config
 
 How will these be treated by replication and the multi masters?
 
 Only the common objects in the public suffix are replicated.
 I think at some point we discussed that we should use a filter in the
 private config entry made so that we could enable/disable the plugin by
 simply making the filter result true/false.
 Thus not ever touch the entries in cn=config but simply
 enable/disable the functionality by (not)adding the appropriate
 attributes to objects so that filters would (not) match.
 
 Simo.

This tool works by toggling the originfilter: objectclass=disabled in order to 
turn off the plugin.




Re: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry

2011-04-25 Thread Simo Sorce
On Mon, 2011-04-25 at 14:59 +, JR Aquino wrote:
 On Apr 25, 2011, at 6:43 AM, Simo Sorce wrote:
 
  On Thu, 2011-04-21 at 23:28 +, JR Aquino wrote:
  Hmmm
   Both Private Groups and the Hostgroup -> Netgroup Managed Entries
  create objects in the container:
  cn=Managed Entries,cn=plugins,cn=config
  
  Each Ldif contains 2 ldap objects. One that lives in the main $SUFFIX,
  and one in the cn=config
  
  How will these be treated by replication and the multi masters?
  
  Only the common objects in the public suffix are replicated.
  I think at some point we discussed that we should use a filter in the
  private config entry made so that we could enable/disable the plugin by
  simply making the filter result true/false.
  Thus not ever touch the entries in cn=config but simply
  enable/disable the functionality by (not)adding the appropriate
  attributes to objects so that filters would (not) match.
  
  Simo.
 
 This tool works by toggling the originfilter: objectclass=disabled in order 
 to turn off the plugin.

But this is backwards, because originfilter is defined in the
configuration entry stored in cn=config

Meaning as soon as you change it one server will behave differently from
the others until you go and change it on each and every server.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry

2011-04-25 Thread Dmitri Pal
On 04/25/2011 12:00 PM, Simo Sorce wrote:
 On Mon, 2011-04-25 at 14:59 +, JR Aquino wrote:
 On Apr 25, 2011, at 6:43 AM, Simo Sorce wrote:

 On Thu, 2011-04-21 at 23:28 +, JR Aquino wrote:
 Hmmm
 Both Private Groups and the Hostgroup -> Netgroup Managed Entries
 create objects in the container:
 cn=Managed Entries,cn=plugins,cn=config

 Each Ldif contains 2 ldap objects. One that lives in the main $SUFFIX,
 and one in the cn=config

 How will these be treated by replication and the multi masters?
 Only the common objects in the public suffix are replicated.
 I think at some point we discussed that we should use a filter in the
 private config entry made so that we could enable/disable the plugin by
 simply making the filter result true/false.
 Thus not ever touch the entries in cn=config but simply
 enable/disable the functionality by (not)adding the appropriate
 attributes to objects so that filters would (not) match.

 Simo.
 This tool works by toggling the originfilter: objectclass=disabled in order 
 to turn off the plugin.
 But this is backwards, because originfilter is defined in the
 configuration entry stored in cn=config

 Meaning as soon as you change it one server will behave differently from
 the others until you go and change it on each and every server.

 Simo.

This is a problem with the place where we store the configuration since
it is not replicated. But I am concerned about moving it to some other
place.
Any ideas of what would be a proper solution to make the change affect
all replicas?


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry

2011-04-25 Thread Dmitri Pal
On 04/25/2011 01:32 PM, Simo Sorce wrote:
 On Mon, 2011-04-25 at 12:12 -0400, Dmitri Pal wrote:
 This is a problem with the place where we store the configuration
 since
 it is not replicated. But I am concerned about moving it to some other
 place.
 Any ideas of what would be a proper solution to make the change
 affect
 all replicas?
 In order to avoid changing all plugins I am thinking we might create a
 cn=plugin subtree under the shared cn=etc tree.

 And have a new IPA plugin monitor it.

 This plugin will act on any change done to this tree and copy any change
 to the non-shared cn=config tree in order to reconfigure plugins.

 This still leaves open the fact that someone may change directly what's
 in cn=config instead of modifying the shared subtree.
We can create an ACI that will prevent the modification operation to the
managed entry plugin configuration for any user except the internal op.
This will prevent direct modification. Of course, if the user removes the ACI all
bets are off, but this operation is similar to removing any other ACI
that grants some access or protects some crucial part of the tree. It
prevents customer from erroneously shooting himself in the foot but
would not prevent a suicide if one is so determined... 


 Not sure how to cope with that best. One way could be to immediately
 reset back the values to what's in the shared tree, but this means
 intercepting also changes to cn=config.

 Simo.



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.







Re: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry

2011-04-21 Thread Dmitri Pal
On 04/21/2011 03:17 PM, JR Aquino wrote:
 This patch addresses ticket:
 * https://fedorahosted.org/freeipa/ticket/1181

 This patch provides:
 * ipa-managed-entries tool which can enable/disable any of the managed entry 
 plugins without the need of separate tools.
 -When run without any arguments, the tool will display a list of 
 available plugins detected inside of /usr/share/ipa (this directory can be 
 overridden with the --dir flag)
 * Man Page documenting the tool usage.
 * The removal of install/tools/ipa-host-net-manage and 
 install/tools/man/ipa-host-net-manage.1
 * Modification to ldap2.py: Added method for verifying upg is disabled by 
 objectfilter: objectclass=disabled.
   The current code assumes that the user private group managed plugin is 
 disabled, if the managed plugin entry is not present. 
   Due to bug https://bugzilla.redhat.com/show_bug.cgi?id=660399, the 
 running system will prohibit you from removing a Managed Entry plugin.

 NOTE: 
   As I was writing this tool, I noticed that in addition to Managed Entry 
 tools, we also seem to have Schema Compatibility management tools.
   I had considered rolling support for those plugins as well, but after 
 further inspection, it appears that there is hierarchical way to determine 
 our current 'Compatibility Plugins' via looking at the .uldif files.
   The method employed by the managed entry tool checks to see if the 
 .ldif file contains a modification which adds an object to the container: 
 cn=Managed Entries,cn=plugins,cn=config.
   If there is interest in it, we could consolidate ipa-compat-manage and 
 ipa-nis-manage by deciding on a default Container for Compat plugins to be 
 located in such as: cn=Schema Compatibility,cn=plugins,cn=config
   This would potentially give us 1 tool: ipa-plugin-manage that could 
 handle the enabling / disabling of Compat and Managed Entry Plugins...


Please log an enhancement ticket. I think it will be deferred but having
it in the backlog would be good.




-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.






Re: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry

2011-04-21 Thread Simo Sorce
On Thu, 2011-04-21 at 15:30 -0400, Dmitri Pal wrote:
 On 04/21/2011 03:17 PM, JR Aquino wrote: 
  This patch addresses ticket:
  * https://fedorahosted.org/freeipa/ticket/1181
  
  This patch provides:
  * ipa-managed-entries tool which can enable/disable any of the managed 
  entry plugins without the need of separate tools.
  -When run without any arguments, the tool will display a list of 
  available plugins detected inside of /usr/share/ipa (this directory can be 
  overridden with the --dir flag)
  * Man Page documenting the tool usage.
  * The removal of install/tools/ipa-host-net-manage and 
  install/tools/man/ipa-host-net-manage.1
  * Modification to ldap2.py: Added method for verifying upg is disabled by 
  objectfilter: objectclass=disabled.
  The current code assumes that the user private group managed plugin is 
  disabled, if the managed plugin entry is not present. 
  Due to bug https://bugzilla.redhat.com/show_bug.cgi?id=660399, the 
  running system will prohibit you from removing a Managed Entry plugin.
  
  NOTE: 
  As I was writing this tool, I noticed that in addition to Managed Entry 
  tools, we also seem to have Schema Compatibility management tools.
  I had considered rolling support for those plugins as well, but after 
  further inspection, it appears that there is hierarchical way to determine 
  our current 'Compatibility Plugins' via looking at the .uldif files.
  The method employed by the managed entry tool checks to see if the 
  .ldif file contains a modification which adds an object to the container: 
  cn=Managed Entries,cn=plugins,cn=config.
  If there is interest in it, we could consolidate ipa-compat-manage and 
  ipa-nis-manage by deciding on a default Container for Compat plugins to be 
  located in such as: cn=Schema Compatibility,cn=plugins,cn=config
  This would potentially give us 1 tool: ipa-plugin-manage that could 
  handle the enabling / disabling of Compat and Managed Entry Plugins...
  
 
 Please log an enhancement ticket. I think it will be deferred but
 having it in the backlog would be good.

Please note that the schema compatibility plugin enabling/disabling
should behave differently from the managed entries enabling/disabling.

The schema compat plugins configurations are per server, so that you can
decide which servers show it and which one doesn't (you may have many
masters and only a few allocated to serve legacy machines that need the
compat tree). This also means that you have to go to each server to
enable/disable the compat trees. This should be made abundantly clear in
the documentation of the respective tools.


The managed entries stuff instead should be global, and shouldn't touch
entries under cn=config (as they are local). If it does please let me
know.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry

2011-04-21 Thread JR Aquino
On Apr 21, 2011, at 4:03 PM, Simo Sorce sso...@redhat.com wrote:

On Thu, 2011-04-21 at 15:30 -0400, Dmitri Pal wrote:
On 04/21/2011 03:17 PM, JR Aquino wrote:
This patch addresses ticket:
* https://fedorahosted.org/freeipa/ticket/1181

This patch provides:
* ipa-managed-entries tool which can enable/disable any of the managed entry 
plugins without the need of separate tools.
   -When run without any arguments, the tool will display a list of available 
plugins detected inside of /usr/share/ipa (this directory can be overridden 
with the --dir flag)
* Man Page documenting the tool usage.
* The removal of install/tools/ipa-host-net-manage and 
install/tools/man/ipa-host-net-manage.1
* Modification to ldap2.py: Added method for verifying upg is disabled by 
objectfilter: objectclass=disabled.
   The current code assumes that the user private group managed plugin is 
disabled, if the managed plugin entry is not present.
   Due to bug https://bugzilla.redhat.com/show_bug.cgi?id=660399, the running 
system will prohibit you from removing a Managed Entry plugin.

NOTE:
   As I was writing this tool, I noticed that in addition to Managed Entry 
tools, we also seem to have Schema Compatibility management tools.
   I had considered rolling support for those plugins as well, but after 
further inspection, it appears that there is hierarchical way to determine our 
current 'Compatibility Plugins' via looking at the .uldif files.
   The method employed by the managed entry tool checks to see if the .ldif 
file contains a modification which adds an object to the container: cn=Managed 
Entries,cn=plugins,cn=config.
   If there is interest in it, we could consolidate ipa-compat-manage and 
ipa-nis-manage by deciding on a default Container for Compat plugins to be 
located in such as: cn=Schema Compatibility,cn=plugins,cn=config
   This would potentially give us 1 tool: ipa-plugin-manage that could handle 
the enabling / disabling of Compat and Managed Entry Plugins...


Please log an enhancement ticket. I think it will be deferred but
having it in the backlog would be good.

Please note that the schema compatibility plugin enabling/disabling
should behave differently from the managed entries enabling/disabling.

The schema compat plugins configurations are per server, so that you can
decide which servers show it and which one doesn't (you may have many
masters and only a few allocated to serve legacy machines that need the
compat tree). This also means that you have to go to each server to
enable/disable the compat trees. This should be made abundantly clear in
the documentation of the respective tools.


The managed entries stuff instead should be global, and shouldn't touch
entries under cn=config (as they are local). If it does please let me
know.

Hmmm
Both Private Groups and the Hostgroup -> Netgroup Managed Entries create 
objects in the container:
cn=Managed Entries,cn=plugins,cn=config

Each Ldif contains 2 ldap objects. One that lives in the main $SUFFIX, and one 
in the cn=config

How will these be treated by replication and the multi masters?


Simo.

--
Simo Sorce * Red Hat, Inc * New York

