Re: [Freeipa-devel] [PATCH] Use escapes in DNs instead of quoting.
Pavel Zuna wrote: On 04/16/2010 10:25 PM, Rob Crittenden wrote: Pavel Zůna wrote: On 4/16/2010 5:09 PM, Rob Crittenden wrote: Pavel Zuna wrote: This patch effectively removes all LDAPv2 style quoted DNs and makes sure we don't use them anymore. KDC doesn't seem to have any problems with LDAPv3 style DNs, but I kept the option to disable DN normalization for now. I also had to add a new dollar variable for LDIF files: $ESCAPED_SUFFIX. We need it to create entries that contain the DN of another entry in their own, like the account activated/inactivated CoS entries. what I tested: - playing around with password policies and CoS entries using both pwpolicy and pwpolicy2 - changing user passwords to see if the policies apply - re-installing IPA to see if the activated/inactived CoS entries where OK - user-lock/user-unlock The patch depends on the pwpolicy2 plugin. Well, it doesn't depend on it, but won't apply without. I didn't realize before committing and couldn't get it back by re-basing, so... Pavel This fails to apply because the pwpolicy2 plugin hasn't been committed yet. You had suggested that this patch shouldn't be applied yet. Should I remove the pwpolicy2 part of this patch and push, rebase it, or what? rob I rebased the patch - attached. It no longer depends on pwpolicy2. I'm going to release an updated pwpolicy2 patch with quoting gone along with this one. Pavel I made a couple of changes to the patch: - added ESCAPED_SUFFIX to the dsinstance sub_dict so installations work - added back some extra lines to pwpolicy_del() that actually deleted the entries Oups, probably deleted those by mistake. Anyway, nice catch. Just tested it - ACK. rob Pavel pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Use escapes in DNs instead of quoting.
On 04/16/2010 10:25 PM, Rob Crittenden wrote: Pavel Zůna wrote: On 4/16/2010 5:09 PM, Rob Crittenden wrote: Pavel Zuna wrote: This patch effectively removes all LDAPv2 style quoted DNs and makes sure we don't use them anymore. KDC doesn't seem to have any problems with LDAPv3 style DNs, but I kept the option to disable DN normalization for now. I also had to add a new dollar variable for LDIF files: $ESCAPED_SUFFIX. We need it to create entries that contain the DN of another entry in their own, like the account activated/inactivated CoS entries. what I tested: - playing around with password policies and CoS entries using both pwpolicy and pwpolicy2 - changing user passwords to see if the policies apply - re-installing IPA to see if the activated/inactived CoS entries where OK - user-lock/user-unlock The patch depends on the pwpolicy2 plugin. Well, it doesn't depend on it, but won't apply without. I didn't realize before committing and couldn't get it back by re-basing, so... Pavel This fails to apply because the pwpolicy2 plugin hasn't been committed yet. You had suggested that this patch shouldn't be applied yet. Should I remove the pwpolicy2 part of this patch and push, rebase it, or what? rob I rebased the patch - attached. It no longer depends on pwpolicy2. I'm going to release an updated pwpolicy2 patch with quoting gone along with this one. Pavel I made a couple of changes to the patch: - added ESCAPED_SUFFIX to the dsinstance sub_dict so installations work - added back some extra lines to pwpolicy_del() that actually deleted the entries Oups, probably deleted those by mistake. Anyway, nice catch. Just tested it - ACK. rob Pavel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Use escapes in DNs instead of quoting.
Pavel Zůna wrote: On 4/16/2010 5:09 PM, Rob Crittenden wrote: Pavel Zuna wrote: This patch effectively removes all LDAPv2 style quoted DNs and makes sure we don't use them anymore. KDC doesn't seem to have any problems with LDAPv3 style DNs, but I kept the option to disable DN normalization for now. I also had to add a new dollar variable for LDIF files: $ESCAPED_SUFFIX. We need it to create entries that contain the DN of another entry in their own, like the account activated/inactivated CoS entries. what I tested: - playing around with password policies and CoS entries using both pwpolicy and pwpolicy2 - changing user passwords to see if the policies apply - re-installing IPA to see if the activated/inactived CoS entries where OK - user-lock/user-unlock The patch depends on the pwpolicy2 plugin. Well, it doesn't depend on it, but won't apply without. I didn't realize before committing and couldn't get it back by re-basing, so... Pavel This fails to apply because the pwpolicy2 plugin hasn't been committed yet. You had suggested that this patch shouldn't be applied yet. Should I remove the pwpolicy2 part of this patch and push, rebase it, or what? rob I rebased the patch - attached. It no longer depends on pwpolicy2. I'm going to release an updated pwpolicy2 patch with quoting gone along with this one. Pavel I made a couple of changes to the patch: - added ESCAPED_SUFFIX to the dsinstance sub_dict so installations work - added back some extra lines to pwpolicy_del() that actually deleted the entries rob 0001-Use-escapes-in-DNs-instead-of-quoting.patch Description: application/mbox ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Use escapes in DNs instead of quoting.
On 4/16/2010 5:09 PM, Rob Crittenden wrote: Pavel Zuna wrote: This patch effectively removes all LDAPv2 style quoted DNs and makes sure we don't use them anymore. KDC doesn't seem to have any problems with LDAPv3 style DNs, but I kept the option to disable DN normalization for now. I also had to add a new dollar variable for LDIF files: $ESCAPED_SUFFIX. We need it to create entries that contain the DN of another entry in their own, like the account activated/inactivated CoS entries. what I tested: - playing around with password policies and CoS entries using both pwpolicy and pwpolicy2 - changing user passwords to see if the policies apply - re-installing IPA to see if the activated/inactived CoS entries where OK - user-lock/user-unlock The patch depends on the pwpolicy2 plugin. Well, it doesn't depend on it, but won't apply without. I didn't realize before committing and couldn't get it back by re-basing, so... Pavel This fails to apply because the pwpolicy2 plugin hasn't been committed yet. You had suggested that this patch shouldn't be applied yet. Should I remove the pwpolicy2 part of this patch and push, rebase it, or what? rob I rebased the patch - attached. It no longer depends on pwpolicy2. I'm going to release an updated pwpolicy2 patch with quoting gone along with this one. Pavel 0001-Use-escapes-in-DNs-instead-of-quoting.patch Description: application/mbox ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Use escapes in DNs instead of quoting.
Pavel Zuna wrote: On 03/30/2010 04:19 PM, Rich Megginson wrote: Pavel Zuna wrote: On 03/26/2010 04:56 PM, Rob Crittenden wrote: Pavel Zuna wrote: This patch effectively removes all LDAPv2 style quoted DNs and makes sure we don't use them anymore. KDC doesn't seem to have any problems with LDAPv3 style DNs, but I kept the option to disable DN normalization for now. I also had to add a new dollar variable for LDIF files: $ESCAPED_SUFFIX. We need it to create entries that contain the DN of another entry in their own, like the account activated/inactivated CoS entries. what I tested: - playing around with password policies and CoS entries using both pwpolicy and pwpolicy2 - changing user passwords to see if the policies apply - re-installing IPA to see if the activated/inactived CoS entries where OK - user-lock/user-unlock The patch depends on the pwpolicy2 plugin. Well, it doesn't depend on it, but won't apply without. I didn't realize before committing and couldn't get it back by re-basing, so... Pavel replication also uses v2-style escaping. This code looks ok for what it touches but it isn't complete. Maybe I'm wrong, but it seems that the cn="SUFFIX",cn=mapping tree,cn=config entry is created automatically by DS Yes. and there's no much we can do about it. Right. We could delete the entry and create a new one, but I suspect replication won't like it. Right. Don't do that. There are still a number of places in the directory server where quotes are still used in DNs. We have not gone through and removed all of those. We won't get around to doing this for 389-ds-base 1.2.6, probably in some later release. However, you should still be able to search for the cn="SUFFIX",cn=mapping tree,cn=config entry using LDAPv3 style escapes - the escapes should match the quotes inside the server. Just make sure SUFFIX is the normalized DN (and that assumes the server is using the normalized DN too). Ok cool. Thanks for the info. I did an extended version of the patch, that uses LDAPv3 DN with replication. Attached, so you can take a look, but don't hurry with pushing it. Looks good. The replication code still uses legacy LDAP code from v1 that is going away soon anyway. I would push the patch in its original state and include the replication changes in my next patch in the "ldap2 for installer" series. /me grumbles at the fact that someone thought it was a good idea to use DNs as values within other DNs in non-DN syntax attributes . . . rob Pavel Pavel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Use escapes in DNs instead of quoting.
On 03/30/2010 04:19 PM, Rich Megginson wrote: Pavel Zuna wrote: On 03/26/2010 04:56 PM, Rob Crittenden wrote: Pavel Zuna wrote: This patch effectively removes all LDAPv2 style quoted DNs and makes sure we don't use them anymore. KDC doesn't seem to have any problems with LDAPv3 style DNs, but I kept the option to disable DN normalization for now. I also had to add a new dollar variable for LDIF files: $ESCAPED_SUFFIX. We need it to create entries that contain the DN of another entry in their own, like the account activated/inactivated CoS entries. what I tested: - playing around with password policies and CoS entries using both pwpolicy and pwpolicy2 - changing user passwords to see if the policies apply - re-installing IPA to see if the activated/inactived CoS entries where OK - user-lock/user-unlock The patch depends on the pwpolicy2 plugin. Well, it doesn't depend on it, but won't apply without. I didn't realize before committing and couldn't get it back by re-basing, so... Pavel replication also uses v2-style escaping. This code looks ok for what it touches but it isn't complete. Maybe I'm wrong, but it seems that the cn="SUFFIX",cn=mapping tree,cn=config entry is created automatically by DS Yes. and there's no much we can do about it. Right. We could delete the entry and create a new one, but I suspect replication won't like it. Right. Don't do that. There are still a number of places in the directory server where quotes are still used in DNs. We have not gone through and removed all of those. We won't get around to doing this for 389-ds-base 1.2.6, probably in some later release. However, you should still be able to search for the cn="SUFFIX",cn=mapping tree,cn=config entry using LDAPv3 style escapes - the escapes should match the quotes inside the server. Just make sure SUFFIX is the normalized DN (and that assumes the server is using the normalized DN too). Ok cool. Thanks for the info. I did an extended version of the patch, that uses LDAPv3 DN with replication. Attached, so you can take a look, but don't hurry with pushing it. The replication code still uses legacy LDAP code from v1 that is going away soon anyway. I would push the patch in its original state and include the replication changes in my next patch in the "ldap2 for installer" series. /me grumbles at the fact that someone thought it was a good idea to use DNs as values within other DNs in non-DN syntax attributes . . . rob Pavel Pavel 0001-Use-escapes-in-DNs-instead-of-quoting.patch Description: application/mbox ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Use escapes in DNs instead of quoting.
Pavel Zuna wrote: On 03/26/2010 04:56 PM, Rob Crittenden wrote: Pavel Zuna wrote: This patch effectively removes all LDAPv2 style quoted DNs and makes sure we don't use them anymore. KDC doesn't seem to have any problems with LDAPv3 style DNs, but I kept the option to disable DN normalization for now. I also had to add a new dollar variable for LDIF files: $ESCAPED_SUFFIX. We need it to create entries that contain the DN of another entry in their own, like the account activated/inactivated CoS entries. what I tested: - playing around with password policies and CoS entries using both pwpolicy and pwpolicy2 - changing user passwords to see if the policies apply - re-installing IPA to see if the activated/inactived CoS entries where OK - user-lock/user-unlock The patch depends on the pwpolicy2 plugin. Well, it doesn't depend on it, but won't apply without. I didn't realize before committing and couldn't get it back by re-basing, so... Pavel replication also uses v2-style escaping. This code looks ok for what it touches but it isn't complete. Maybe I'm wrong, but it seems that the cn="SUFFIX",cn=mapping tree,cn=config entry is created automatically by DS Yes. and there's no much we can do about it. Right. We could delete the entry and create a new one, but I suspect replication won't like it. Right. Don't do that. There are still a number of places in the directory server where quotes are still used in DNs. We have not gone through and removed all of those. We won't get around to doing this for 389-ds-base 1.2.6, probably in some later release. However, you should still be able to search for the cn="SUFFIX",cn=mapping tree,cn=config entry using LDAPv3 style escapes - the escapes should match the quotes inside the server. Just make sure SUFFIX is the normalized DN (and that assumes the server is using the normalized DN too). /me grumbles at the fact that someone thought it was a good idea to use DNs as values within other DNs in non-DN syntax attributes . . . rob Pavel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Use escapes in DNs instead of quoting.
Pavel Zuna wrote: On 03/26/2010 04:56 PM, Rob Crittenden wrote: Pavel Zuna wrote: This patch effectively removes all LDAPv2 style quoted DNs and makes sure we don't use them anymore. KDC doesn't seem to have any problems with LDAPv3 style DNs, but I kept the option to disable DN normalization for now. I also had to add a new dollar variable for LDIF files: $ESCAPED_SUFFIX. We need it to create entries that contain the DN of another entry in their own, like the account activated/inactivated CoS entries. what I tested: - playing around with password policies and CoS entries using both pwpolicy and pwpolicy2 - changing user passwords to see if the policies apply - re-installing IPA to see if the activated/inactived CoS entries where OK - user-lock/user-unlock The patch depends on the pwpolicy2 plugin. Well, it doesn't depend on it, but won't apply without. I didn't realize before committing and couldn't get it back by re-basing, so... Pavel replication also uses v2-style escaping. This code looks ok for what it touches but it isn't complete. Maybe I'm wrong, but it seems that the cn="SUFFIX",cn=mapping tree,cn=config entry is created automatically by DS and there's no much we can do about it. We could delete the entry and create a new one, but I suspect replication won't like it. Yes, looks like you're right. Rich, any thoughts on this? rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Use escapes in DNs instead of quoting.
On 03/26/2010 04:56 PM, Rob Crittenden wrote: Pavel Zuna wrote: This patch effectively removes all LDAPv2 style quoted DNs and makes sure we don't use them anymore. KDC doesn't seem to have any problems with LDAPv3 style DNs, but I kept the option to disable DN normalization for now. I also had to add a new dollar variable for LDIF files: $ESCAPED_SUFFIX. We need it to create entries that contain the DN of another entry in their own, like the account activated/inactivated CoS entries. what I tested: - playing around with password policies and CoS entries using both pwpolicy and pwpolicy2 - changing user passwords to see if the policies apply - re-installing IPA to see if the activated/inactived CoS entries where OK - user-lock/user-unlock The patch depends on the pwpolicy2 plugin. Well, it doesn't depend on it, but won't apply without. I didn't realize before committing and couldn't get it back by re-basing, so... Pavel replication also uses v2-style escaping. This code looks ok for what it touches but it isn't complete. Maybe I'm wrong, but it seems that the cn="SUFFIX",cn=mapping tree,cn=config entry is created automatically by DS and there's no much we can do about it. We could delete the entry and create a new one, but I suspect replication won't like it. rob Pavel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Use escapes in DNs instead of quoting.
Pavel Zuna wrote: This patch effectively removes all LDAPv2 style quoted DNs and makes sure we don't use them anymore. KDC doesn't seem to have any problems with LDAPv3 style DNs, but I kept the option to disable DN normalization for now. I also had to add a new dollar variable for LDIF files: $ESCAPED_SUFFIX. We need it to create entries that contain the DN of another entry in their own, like the account activated/inactivated CoS entries. what I tested: - playing around with password policies and CoS entries using both pwpolicy and pwpolicy2 - changing user passwords to see if the policies apply - re-installing IPA to see if the activated/inactived CoS entries where OK - user-lock/user-unlock The patch depends on the pwpolicy2 plugin. Well, it doesn't depend on it, but won't apply without. I didn't realize before committing and couldn't get it back by re-basing, so... Pavel replication also uses v2-style escaping. This code looks ok for what it touches but it isn't complete. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel