Re: [Freeipa-devel] [PATCH] Use escapes in DNs instead of quoting.

2010-04-19 Thread Rob Crittenden

Pavel Zuna wrote:

On 04/16/2010 10:25 PM, Rob Crittenden wrote:

Pavel Zůna wrote:

On 4/16/2010 5:09 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

This patch effectively removes all LDAPv2 style quoted DNs and makes
sure we don't use them anymore.

KDC doesn't seem to have any problems with LDAPv3 style DNs, but I
kept the option to disable DN normalization for now.

I also had to add a new dollar variable for LDIF files:
$ESCAPED_SUFFIX. We need it to create entries that contain the DN of
another entry in their own, like the account activated/inactivated CoS
entries.

what I tested:
- playing around with password policies and CoS entries using both
pwpolicy and pwpolicy2
- changing user passwords to see if the policies apply
- re-installing IPA to see if the activated/inactivated CoS entries
were OK
- user-lock/user-unlock

The patch depends on the pwpolicy2 plugin. Well, it doesn't depend on
it, but won't apply without. I didn't realize before committing and
couldn't get it back by re-basing, so...

Pavel


This fails to apply because the pwpolicy2 plugin hasn't been committed
yet. You had suggested that this patch shouldn't be applied yet. Should
I remove the pwpolicy2 part of this patch and push, rebase it, or what?

rob

I rebased the patch - attached. It no longer depends on pwpolicy2. I'm
going to release an updated pwpolicy2 patch with quoting gone along
with this one.

Pavel


I made a couple of changes to the patch:
- added ESCAPED_SUFFIX to the dsinstance sub_dict so installations work
- added back some extra lines to pwpolicy_del() that actually deleted
the entries

Oops, probably deleted those by mistake. Anyway, nice catch.

Just tested it - ACK.


rob


Pavel


pushed to master

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] Use escapes in DNs instead of quoting.

2010-04-19 Thread Pavel Zuna

On 04/16/2010 10:25 PM, Rob Crittenden wrote:

Pavel Zůna wrote:

On 4/16/2010 5:09 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

This patch effectively removes all LDAPv2 style quoted DNs and makes
sure we don't use them anymore.

KDC doesn't seem to have any problems with LDAPv3 style DNs, but I
kept the option to disable DN normalization for now.

I also had to add a new dollar variable for LDIF files:
$ESCAPED_SUFFIX. We need it to create entries that contain the DN of
another entry in their own, like the account activated/inactivated CoS
entries.

what I tested:
- playing around with password policies and CoS entries using both
pwpolicy and pwpolicy2
- changing user passwords to see if the policies apply
- re-installing IPA to see if the activated/inactivated CoS entries
were OK
- user-lock/user-unlock

The patch depends on the pwpolicy2 plugin. Well, it doesn't depend on
it, but won't apply without. I didn't realize before committing and
couldn't get it back by re-basing, so...

Pavel


This fails to apply because the pwpolicy2 plugin hasn't been committed
yet. You had suggested that this patch shouldn't be applied yet. Should
I remove the pwpolicy2 part of this patch and push, rebase it, or what?

rob

I rebased the patch - attached. It no longer depends on pwpolicy2. I'm
going to release an updated pwpolicy2 patch with quoting gone along
with this one.

Pavel


I made a couple of changes to the patch:
- added ESCAPED_SUFFIX to the dsinstance sub_dict so installations work
- added back some extra lines to pwpolicy_del() that actually deleted
the entries

Oops, probably deleted those by mistake. Anyway, nice catch.

Just tested it - ACK.


rob


Pavel


Re: [Freeipa-devel] [PATCH] Use escapes in DNs instead of quoting.

2010-04-16 Thread Rob Crittenden

Pavel Zůna wrote:

On 4/16/2010 5:09 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

This patch effectively removes all LDAPv2 style quoted DNs and makes
sure we don't use them anymore.

KDC doesn't seem to have any problems with LDAPv3 style DNs, but I
kept the option to disable DN normalization for now.

I also had to add a new dollar variable for LDIF files:
$ESCAPED_SUFFIX. We need it to create entries that contain the DN of
another entry in their own, like the account activated/inactivated CoS
entries.

what I tested:
- playing around with password policies and CoS entries using both
pwpolicy and pwpolicy2
- changing user passwords to see if the policies apply
- re-installing IPA to see if the activated/inactivated CoS entries
were OK
- user-lock/user-unlock

The patch depends on the pwpolicy2 plugin. Well, it doesn't depend on
it, but won't apply without. I didn't realize before committing and
couldn't get it back by re-basing, so...

Pavel


This fails to apply because the pwpolicy2 plugin hasn't been committed
yet. You had suggested that this patch shouldn't be applied yet. Should
I remove the pwpolicy2 part of this patch and push, rebase it, or what?

rob

I rebased the patch - attached. It no longer depends on pwpolicy2. I'm
going to release an updated pwpolicy2 patch with quoting gone along with 
this one.


Pavel


I made a couple of changes to the patch:
- added ESCAPED_SUFFIX to the dsinstance sub_dict so installations work
- added back some extra lines to pwpolicy_del() that actually deleted 
the entries


rob


0001-Use-escapes-in-DNs-instead-of-quoting.patch
Description: application/mbox

Re: [Freeipa-devel] [PATCH] Use escapes in DNs instead of quoting.

2010-04-16 Thread Pavel Zůna

On 4/16/2010 5:09 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

This patch effectively removes all LDAPv2 style quoted DNs and makes
sure we don't use them anymore.

KDC doesn't seem to have any problems with LDAPv3 style DNs, but I
kept the option to disable DN normalization for now.

I also had to add a new dollar variable for LDIF files:
$ESCAPED_SUFFIX. We need it to create entries that contain the DN of
another entry in their own, like the account activated/inactivated CoS
entries.

what I tested:
- playing around with password policies and CoS entries using both
pwpolicy and pwpolicy2
- changing user passwords to see if the policies apply
- re-installing IPA to see if the activated/inactivated CoS entries
were OK
- user-lock/user-unlock

The patch depends on the pwpolicy2 plugin. Well, it doesn't depend on
it, but won't apply without. I didn't realize before committing and
couldn't get it back by re-basing, so...

Pavel


This fails to apply because the pwpolicy2 plugin hasn't been committed
yet. You had suggested that this patch shouldn't be applied yet. Should
I remove the pwpolicy2 part of this patch and push, rebase it, or what?

rob

I rebased the patch - attached. It no longer depends on pwpolicy2. I'm
going to release an updated pwpolicy2 patch with quoting gone along with 
this one.


Pavel


0001-Use-escapes-in-DNs-instead-of-quoting.patch
Description: application/mbox

Re: [Freeipa-devel] [PATCH] Use escapes in DNs instead of quoting.

2010-03-30 Thread Rich Megginson

Pavel Zuna wrote:

On 03/30/2010 04:19 PM, Rich Megginson wrote:

Pavel Zuna wrote:

On 03/26/2010 04:56 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

This patch effectively removes all LDAPv2 style quoted DNs and makes
sure we don't use them anymore.

KDC doesn't seem to have any problems with LDAPv3 style DNs, but I
kept the option to disable DN normalization for now.

I also had to add a new dollar variable for LDIF files:
$ESCAPED_SUFFIX. We need it to create entries that contain the DN of
another entry in their own, like the account activated/inactivated CoS
entries.

what I tested:
- playing around with password policies and CoS entries using both
pwpolicy and pwpolicy2
- changing user passwords to see if the policies apply
- re-installing IPA to see if the activated/inactivated CoS entries
were OK
- user-lock/user-unlock

The patch depends on the pwpolicy2 plugin. Well, it doesn't depend on
it, but won't apply without. I didn't realize before committing and
couldn't get it back by re-basing, so...

Pavel


replication also uses v2-style escaping. This code looks ok for what it
touches but it isn't complete.

Maybe I'm wrong, but it seems that the cn="SUFFIX",cn=mapping
tree,cn=config entry is created automatically by DS

Yes.

and there's not much we can do about it.

Right.

We could delete the entry and create a new one, but I suspect
replication won't like it.

Right. Don't do that.

There are still a number of places in the directory server where quotes
are still used in DNs. We have not gone through and removed all of
those. We won't get around to doing this for 389-ds-base 1.2.6, probably
in some later release.

However, you should still be able to search for the
cn="SUFFIX",cn=mapping tree,cn=config entry using LDAPv3 style escapes -
the escapes should match the quotes inside the server. Just make sure
SUFFIX is the normalized DN (and that assumes the server is using the
normalized DN too).

Ok cool. Thanks for the info.

I did an extended version of the patch, that uses LDAPv3 DN with 
replication. Attached, so you can take a look, but don't hurry with 
pushing it.

Looks good.


The replication code still uses legacy LDAP code from v1 that is going 
away soon anyway. I would push the patch in its original state and 
include the replication changes in my next patch in the "ldap2 for 
installer" series.



/me grumbles at the fact that someone thought it was a good idea to use
DNs as values within other DNs in non-DN syntax attributes . . .



rob


Pavel


Pavel




Re: [Freeipa-devel] [PATCH] Use escapes in DNs instead of quoting.

2010-03-30 Thread Pavel Zuna

On 03/30/2010 04:19 PM, Rich Megginson wrote:

Pavel Zuna wrote:

On 03/26/2010 04:56 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

This patch effectively removes all LDAPv2 style quoted DNs and makes
sure we don't use them anymore.

KDC doesn't seem to have any problems with LDAPv3 style DNs, but I
kept the option to disable DN normalization for now.

I also had to add a new dollar variable for LDIF files:
$ESCAPED_SUFFIX. We need it to create entries that contain the DN of
another entry in their own, like the account activated/inactivated CoS
entries.

what I tested:
- playing around with password policies and CoS entries using both
pwpolicy and pwpolicy2
- changing user passwords to see if the policies apply
- re-installing IPA to see if the activated/inactivated CoS entries
were OK
- user-lock/user-unlock

The patch depends on the pwpolicy2 plugin. Well, it doesn't depend on
it, but won't apply without. I didn't realize before committing and
couldn't get it back by re-basing, so...

Pavel


replication also uses v2-style escaping. This code looks ok for what it
touches but it isn't complete.

Maybe I'm wrong, but it seems that the cn="SUFFIX",cn=mapping
tree,cn=config entry is created automatically by DS

Yes.

and there's not much we can do about it.

Right.

We could delete the entry and create a new one, but I suspect
replication won't like it.

Right. Don't do that.

There are still a number of places in the directory server where quotes
are still used in DNs. We have not gone through and removed all of
those. We won't get around to doing this for 389-ds-base 1.2.6, probably
in some later release.

However, you should still be able to search for the
cn="SUFFIX",cn=mapping tree,cn=config entry using LDAPv3 style escapes -
the escapes should match the quotes inside the server. Just make sure
SUFFIX is the normalized DN (and that assumes the server is using the
normalized DN too).

Ok cool. Thanks for the info.

I did an extended version of the patch, that uses LDAPv3 DN with replication. 
Attached, so you can take a look, but don't hurry with pushing it.


The replication code still uses legacy LDAP code from v1 that is going away soon 
anyway. I would push the patch in its original state and include the replication 
changes in my next patch in the "ldap2 for installer" series.



/me grumbles at the fact that someone thought it was a good idea to use
DNs as values within other DNs in non-DN syntax attributes . . .



rob


Pavel


Pavel


0001-Use-escapes-in-DNs-instead-of-quoting.patch
Description: application/mbox

Re: [Freeipa-devel] [PATCH] Use escapes in DNs instead of quoting.

2010-03-30 Thread Rich Megginson

Pavel Zuna wrote:

On 03/26/2010 04:56 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

This patch effectively removes all LDAPv2 style quoted DNs and makes
sure we don't use them anymore.

KDC doesn't seem to have any problems with LDAPv3 style DNs, but I
kept the option to disable DN normalization for now.

I also had to add a new dollar variable for LDIF files:
$ESCAPED_SUFFIX. We need it to create entries that contain the DN of
another entry in their own, like the account activated/inactivated CoS
entries.

what I tested:
- playing around with password policies and CoS entries using both
pwpolicy and pwpolicy2
- changing user passwords to see if the policies apply
- re-installing IPA to see if the activated/inactivated CoS entries
were OK
- user-lock/user-unlock

The patch depends on the pwpolicy2 plugin. Well, it doesn't depend on
it, but won't apply without. I didn't realize before committing and
couldn't get it back by re-basing, so...

Pavel


replication also uses v2-style escaping. This code looks ok for what it
touches but it isn't complete.

Maybe I'm wrong, but it seems that the cn="SUFFIX",cn=mapping
tree,cn=config entry is created automatically by DS

Yes.

and there's not much we can do about it.

Right.

We could delete the entry and create a new one, but I suspect
replication won't like it.

Right.  Don't do that.

There are still a number of places in the directory server where quotes 
are still used in DNs.  We have not gone through and removed all of 
those.  We won't get around to doing this for 389-ds-base 1.2.6, 
probably in some later release.


However, you should still be able to search for the 
cn="SUFFIX",cn=mapping tree,cn=config entry using LDAPv3 style escapes - 
the escapes should match the quotes inside the server.  Just make sure 
SUFFIX is the normalized DN (and that assumes the server is using the 
normalized DN too).


/me grumbles at the fact that someone thought it was a good idea to use 
DNs as values within other DNs in non-DN syntax attributes . . .



rob


Pavel
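An added example, not part of the thread and not code from the FreeIPA patch: it rewrites an LDAPv2-style quoted DN such as the cn="SUFFIX",cn=mapping tree,cn=config entry discussed above into LDAPv3 (RFC 4514) escapes and checks that both spellings carry the same RDN value. The function names and the suffix dc=example,dc=com are assumptions made for illustration; only \" and \\ are handled inside quotes, and values are assumed to be ASCII.

```python
import string

SPECIALS = set('"+,;<>\\=')  # RFC 4514 also allows '=' to be escaped

def escape_value(value):
    """Escape one attribute value for use in an LDAPv3 (RFC 4514) DN."""
    out = []
    for i, ch in enumerate(value):
        if ch == "\0":
            out.append("\\00")
        elif (ch in SPECIALS or (ch == " " and i in (0, len(value) - 1))
              or (ch == "#" and i == 0)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def quoted_to_escaped(dn):
    """Rewrite LDAPv2-style quoted values in dn as LDAPv3 escapes."""
    out, buf, in_quotes, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            if in_quotes:
                buf.append(dn[i + 1])      # \" or \\ inside quotes is a literal
            else:
                out.append(dn[i:i + 2])    # already escaped: copy unchanged
            i += 2
            continue
        if ch == '"':
            if in_quotes:                  # closing quote: emit escaped value
                out.append(escape_value("".join(buf)))
                buf = []
            in_quotes = not in_quotes
        elif in_quotes:
            buf.append(ch)
        else:
            out.append(ch)
        i += 1
    if in_quotes:
        raise ValueError("unterminated quote in DN: %r" % dn)
    return "".join(out)

def mapping_tree_dn(suffix):
    """DN of the mapping tree entry for suffix, written with escapes."""
    return "cn=%s,cn=mapping tree,cn=config" % escape_value(suffix)

def first_rdn_value(dn):
    """Decode the first RDN value of an escaped DN (single-valued, ASCII)."""
    value, i = [], dn.index("=") + 1
    while i < len(dn) and dn[i] not in ",+":
        if dn[i] == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                value.append(chr(int(pair, 16)))   # \3D style hex escape
                i += 3
                continue
            i += 1                                 # \, style: next char literal
        value.append(dn[i])
        i += 1
    return "".join(value)

SUFFIX = "dc=example,dc=com"  # constructed sample suffix
QUOTED = 'cn="%s",cn=mapping tree,cn=config' % SUFFIX
if __name__ == "__main__":
    print(quoted_to_escaped(QUOTED))
    print(first_rdn_value(mapping_tree_dn(SUFFIX)) == SUFFIX)
```

The character escapes (\=, \,) and the hex escapes (\3D, \2C) decode to the same value, which is why a search written with either should find the entry once the server normalizes the DN.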



Re: [Freeipa-devel] [PATCH] Use escapes in DNs instead of quoting.

2010-03-30 Thread Rob Crittenden

Pavel Zuna wrote:

On 03/26/2010 04:56 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

This patch effectively removes all LDAPv2 style quoted DNs and makes
sure we don't use them anymore.

KDC doesn't seem to have any problems with LDAPv3 style DNs, but I
kept the option to disable DN normalization for now.

I also had to add a new dollar variable for LDIF files:
$ESCAPED_SUFFIX. We need it to create entries that contain the DN of
another entry in their own, like the account activated/inactivated CoS
entries.

what I tested:
- playing around with password policies and CoS entries using both
pwpolicy and pwpolicy2
- changing user passwords to see if the policies apply
- re-installing IPA to see if the activated/inactivated CoS entries
were OK
- user-lock/user-unlock

The patch depends on the pwpolicy2 plugin. Well, it doesn't depend on
it, but won't apply without. I didn't realize before committing and
couldn't get it back by re-basing, so...

Pavel


replication also uses v2-style escaping. This code looks ok for what it
touches but it isn't complete.

Maybe I'm wrong, but it seems that the cn="SUFFIX",cn=mapping
tree,cn=config entry is created automatically by DS and there's not much
we can do about it. We could delete the entry and create a new one, but 
I suspect replication won't like it.


Yes, looks like you're right.

Rich, any thoughts on this?

rob



Re: [Freeipa-devel] [PATCH] Use escapes in DNs instead of quoting.

2010-03-30 Thread Pavel Zuna

On 03/26/2010 04:56 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

This patch effectively removes all LDAPv2 style quoted DNs and makes
sure we don't use them anymore.

KDC doesn't seem to have any problems with LDAPv3 style DNs, but I
kept the option to disable DN normalization for now.

I also had to add a new dollar variable for LDIF files:
$ESCAPED_SUFFIX. We need it to create entries that contain the DN of
another entry in their own, like the account activated/inactivated CoS
entries.

what I tested:
- playing around with password policies and CoS entries using both
pwpolicy and pwpolicy2
- changing user passwords to see if the policies apply
- re-installing IPA to see if the activated/inactivated CoS entries
were OK
- user-lock/user-unlock

The patch depends on the pwpolicy2 plugin. Well, it doesn't depend on
it, but won't apply without. I didn't realize before committing and
couldn't get it back by re-basing, so...

Pavel


replication also uses v2-style escaping. This code looks ok for what it
touches but it isn't complete.

Maybe I'm wrong, but it seems that the cn="SUFFIX",cn=mapping tree,cn=config
entry is created automatically by DS and there's not much we can do about it. We
could delete the entry and create a new one, but I suspect replication won't 
like it.



rob


Pavel



Re: [Freeipa-devel] [PATCH] Use escapes in DNs instead of quoting.

2010-03-26 Thread Rob Crittenden

Pavel Zuna wrote:

This patch effectively removes all LDAPv2 style quoted DNs and makes
sure we don't use them anymore.


KDC doesn't seem to have any problems with LDAPv3 style DNs, but I kept 
the option to disable DN normalization for now.


I also had to add a new dollar variable for LDIF files: $ESCAPED_SUFFIX. 
We need it to create entries that contain the DN of another entry in 
their own, like the account activated/inactivated CoS entries.


what I tested:
- playing around with password policies and CoS entries using both
pwpolicy and pwpolicy2
- changing user passwords to see if the policies apply
- re-installing IPA to see if the activated/inactivated CoS entries were OK
- user-lock/user-unlock

The patch depends on the pwpolicy2 plugin. Well, it doesn't depend on 
it, but won't apply without. I didn't realize before committing and 
couldn't get it back by re-basing, so...


Pavel


replication also uses v2-style escaping. This code looks ok for what it 
touches but it isn't complete.


rob
