Re: [Freeipa-devel] [PATCH 0118] Allow to disable service (in LDAP)
On 09/25/2014 05:14 PM, Jan Cholasta wrote: Dne 25.9.2014 v 16:15 Martin Basti napsal(a): On 22/09/14 19:30, Martin Basti wrote: On 19/09/14 14:47, Jan Cholasta wrote: Dne 19.9.2014 v 13:33 Martin Basti napsal(a): On 02/09/14 11:59, Martin Basti wrote: On 02/09/14 09:10, Jan Cholasta wrote: Hi, Dne 1.9.2014 v 16:57 Martin Basti napsal(a): This patch allows to disable service in LDAP to prevents service to be started by "ipactl restart" Required by DNSSEC Patch attached I don't think the extra argument in ldap_enable is necessary. It should enable the service no matter if the entry existed before or not. Similarly, in ldap_disable you should not raise an error when the entry is not found, because that already makes the service disabled. Honza Updated patch attached ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Please review, this should be in 4.1 -- Martin Basti 1) ipaConfigString is case-insensitive, so you need to look for the string "enabledService" in a case-insensitive way. 2) Don't say "failed to enable ..." when the service is already enabled. It is not a failure. Same for disabled. 3) Missing ipaConfigString is nothing to warn about. 4) You should log success in both ldap_enable/ldap_disable. 5) The except below update_entry should say "except errors.EmptyModlist". Thank you, updated patch attached Updated patch attached. I modified ldap_disable to use search function. ACK. Pushed to: master: 66ce71f17a689bcad03022e3df6bbdf0fada2ab8 ipa-4-1: df9086c938963fdf59309cd8af69f4f5d8a7a34e Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0118] Allow to disable service (in LDAP)
Dne 25.9.2014 v 16:15 Martin Basti napsal(a): On 22/09/14 19:30, Martin Basti wrote: On 19/09/14 14:47, Jan Cholasta wrote: Dne 19.9.2014 v 13:33 Martin Basti napsal(a): On 02/09/14 11:59, Martin Basti wrote: On 02/09/14 09:10, Jan Cholasta wrote: Hi, Dne 1.9.2014 v 16:57 Martin Basti napsal(a): This patch allows to disable service in LDAP to prevents service to be started by "ipactl restart" Required by DNSSEC Patch attached I don't think the extra argument in ldap_enable is necessary. It should enable the service no matter if the entry existed before or not. Similarly, in ldap_disable you should not raise an error when the entry is not found, because that already makes the service disabled. Honza Updated patch attached ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Please review, this should be in 4.1 -- Martin Basti 1) ipaConfigString is case-insensitive, so you need to look for the string "enabledService" in a case-insensitive way. 2) Don't say "failed to enable ..." when the service is already enabled. It is not a failure. Same for disabled. 3) Missing ipaConfigString is nothing to warn about. 4) You should log success in both ldap_enable/ldap_disable. 5) The except below update_entry should say "except errors.EmptyModlist". Thank you, updated patch attached Updated patch attached. I modified ldap_disable to use search function. ACK. -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0118] Allow to disable service (in LDAP)
On 22/09/14 19:30, Martin Basti wrote: On 19/09/14 14:47, Jan Cholasta wrote: Dne 19.9.2014 v 13:33 Martin Basti napsal(a): On 02/09/14 11:59, Martin Basti wrote: On 02/09/14 09:10, Jan Cholasta wrote: Hi, Dne 1.9.2014 v 16:57 Martin Basti napsal(a): This patch allows to disable service in LDAP to prevents service to be started by "ipactl restart" Required by DNSSEC Patch attached I don't think the extra argument in ldap_enable is necessary. It should enable the service no matter if the entry existed before or not. Similarly, in ldap_disable you should not raise an error when the entry is not found, because that already makes the service disabled. Honza Updated patch attached ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Please review, this should be in 4.1 -- Martin Basti 1) ipaConfigString is case-insensitive, so you need to look for the string "enabledService" in a case-insensitive way. 2) Don't say "failed to enable ..." when the service is already enabled. It is not a failure. Same for disabled. 3) Missing ipaConfigString is nothing to warn about. 4) You should log success in both ldap_enable/ldap_disable. 5) The except below update_entry should say "except errors.EmptyModlist". Thank you, updated patch attached Updated patch attached. I modified ldap_disable to use search function. -- Martin Basti From 045137a10a7b003f92132c96fa8b341eeaf2d95c Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Thu, 28 Aug 2014 19:27:44 +0200 Subject: [PATCH] LDAP disable service This patch allows to disable service in LDAP (ipactl will not start it) --- ipaserver/install/service.py | 67 +++- 1 file changed, 66 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index 8fb802099d7e58a10fd8fb17ff5dc7511eb98c7f..d095fe041bec8098937bf5b99b301a41842ce53e 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -392,6 +392,32 @@ class Service(object): self.ldap_connect() entry_name = DN(('cn', name), ('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), ldap_suffix) + +# enable disabled service +try: +entry = self.admin_conn.get_entry(entry_name, ['ipaConfigString']) +except errors.NotFound: +pass +else: +if any(u'enabledservice' == val.lower() + for val in entry.get('ipaConfigString', [])): +root_logger.debug("service %s startup entry already enabled", name) +return + +entry.setdefault('ipaConfigString', []).append(u'enabledService') + +try: +self.admin_conn.update_entry(entry) +except errors.EmptyModlist: +root_logger.debug("service %s startup entry already enabled", name) +return +except: +root_logger.debug("failed to enable service %s startup entry", name) +raise + +root_logger.debug("service %s startup entry enabled", name) +return + order = SERVICE_LIST[name][1] entry = self.admin_conn.make_entry( entry_name, @@ -404,9 +430,48 @@ class Service(object): try: self.admin_conn.add_entry(entry) except (errors.DuplicateEntry), e: -root_logger.debug("failed to add %s Service startup entry" % name) +root_logger.debug("failed to add service %s startup entry", name) raise e +def ldap_disable(self, name, fqdn, ldap_suffix): +assert isinstance(ldap_suffix, DN) +if not self.admin_conn: +self.ldap_connect() + +entry_dn = DN(('cn', name), ('cn', fqdn), ('cn', 'masters'), +('cn', 'ipa'), ('cn', 'etc'), ldap_suffix) +search_kw = {'ipaConfigString': u'enabledService'} +filter = self.admin_conn.make_filter(search_kw) +try: +entries, truncated = self.admin_conn.find_entries( +filter=filter, +attrs_list=['ipaConfigString'], +base_dn=entry_dn, +scope=self.admin_conn.SCOPE_BASE) +except errors.NotFound: +root_logger.debug("service %s startup entry already disabled", name) +return + +assert len(entries) == 1 # only one entry is expected +entry = entries[0] + +# case insensitive +for value in entry.get('ipaConfigString', []): +if value.lower() == u'enabledservice': +entry['ipaConfigString'].remove(value) +break + +try: +self.admin_conn.update_entry(entry) +except errors.EmptyModlist: +pass +except: +root_logger.debug("failed to disable service %s startu
Re: [Freeipa-devel] [PATCH 0118] Allow to disable service (in LDAP)
On 19/09/14 14:47, Jan Cholasta wrote: Dne 19.9.2014 v 13:33 Martin Basti napsal(a): On 02/09/14 11:59, Martin Basti wrote: On 02/09/14 09:10, Jan Cholasta wrote: Hi, Dne 1.9.2014 v 16:57 Martin Basti napsal(a): This patch allows to disable service in LDAP to prevents service to be started by "ipactl restart" Required by DNSSEC Patch attached I don't think the extra argument in ldap_enable is necessary. It should enable the service no matter if the entry existed before or not. Similarly, in ldap_disable you should not raise an error when the entry is not found, because that already makes the service disabled. Honza Updated patch attached ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Please review, this should be in 4.1 -- Martin Basti 1) ipaConfigString is case-insensitive, so you need to look for the string "enabledService" in a case-insensitive way. 2) Don't say "failed to enable ..." when the service is already enabled. It is not a failure. Same for disabled. 3) Missing ipaConfigString is nothing to warn about. 4) You should log success in both ldap_enable/ldap_disable. 5) The except below update_entry should say "except errors.EmptyModlist". Thank you, updated patch attached -- Martin Basti From 89d54ab02a3a8db846cce8bbea96925dacbe3156 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Thu, 28 Aug 2014 19:27:44 +0200 Subject: [PATCH] LDAP disable service This patch allows to disable service in LDAP (ipactl will not start it) --- ipaserver/install/service.py | 55 +++- 1 file changed, 54 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index 7f812a99c557ae567cd1d8a0db30eba434c507f9..b2b343c6b0a1f23ec7b369384ab4c15d29b73053 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -374,6 +374,30 @@ class Service(object): self.ldap_connect() entry_name = DN(('cn', name), ('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), ldap_suffix) + +# enable disabled service +try: +entry = self.admin_conn.get_entry(entry_name, ['ipaConfigString']) +except errors.NotFound: +pass +else: +if any(u'enabledservice' == x.lower() for x in entry.get('ipaConfigString', [])): +root_logger.debug("service %s startup entry already enabled", name) +return + +if 'ipaConfigString' in entry and entry['ipaConfigString'] is not None: +entry['ipaConfigString'].append(u'enabledService') +else: +entry['ipaConfigString'] = [u'enabledService'] + +try: +self.admin_conn.update_entry(entry) +except errors.EmptyModlist: +root_logger.debug("service %s startup entry already enabled", name) + +root_logger.debug("service %s startup entry enabled", name) +return + order = SERVICE_LIST[name][1] entry = self.admin_conn.make_entry( entry_name, @@ -386,9 +410,38 @@ class Service(object): try: self.admin_conn.add_entry(entry) except (errors.DuplicateEntry), e: -root_logger.debug("failed to add %s Service startup entry" % name) +root_logger.debug("failed to add service %s startup entry", name) raise e +def ldap_disable(self, name, fqdn, ldap_suffix): +assert isinstance(ldap_suffix, DN) +if not self.admin_conn: +self.ldap_connect() + +entry_name = DN(('cn', name), ('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), ldap_suffix) +try: +entry = self.admin_conn.get_entry(entry_name, ['ipaConfigString']) +except errors.NotFound: +root_logger.debug("service %s startup entry already disabled (entry not found)", name) +return + +if not any(u'enabledservice' == x.lower() for x in entry.get('ipaConfigString', [])): +root_logger.debug("service %s startup entry already disabled", name) +return + +entry['ipaConfigString'].remove(u'enabledService') + +try: +self.admin_conn.update_entry(entry) +except errors.EmptyModlist: +pass +except: +root_logger.debug("failed to disable service %s startup entry", name) +raise + +root_logger.debug("service %s startup entry disabled", name) + + class SimpleServiceInstance(Service): def create_instance(self, gensvc_name=None, fqdn=None, dm_password=None, ldap_suffix=None, realm=None): self.gensvc_name = gensvc_name -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-
Re: [Freeipa-devel] [PATCH 0118] Allow to disable service (in LDAP)
Dne 19.9.2014 v 13:33 Martin Basti napsal(a): On 02/09/14 11:59, Martin Basti wrote: On 02/09/14 09:10, Jan Cholasta wrote: Hi, Dne 1.9.2014 v 16:57 Martin Basti napsal(a): This patch allows to disable service in LDAP to prevents service to be started by "ipactl restart" Required by DNSSEC Patch attached I don't think the extra argument in ldap_enable is necessary. It should enable the service no matter if the entry existed before or not. Similarly, in ldap_disable you should not raise an error when the entry is not found, because that already makes the service disabled. Honza Updated patch attached ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Please review, this should be in 4.1 -- Martin Basti 1) ipaConfigString is case-insensitive, so you need to look for the string "enabledService" in a case-insensitive way. 2) Don't say "failed to enable ..." when the service is already enabled. It is not a failure. Same for disabled. 3) Missing ipaConfigString is nothing to warn about. 4) You should log success in both ldap_enable/ldap_disable. 5) The except below update_entry should say "except errors.EmptyModlist". -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0118] Allow to disable service (in LDAP)
On 02/09/14 11:59, Martin Basti wrote: On 02/09/14 09:10, Jan Cholasta wrote: Hi, Dne 1.9.2014 v 16:57 Martin Basti napsal(a): This patch allows to disable service in LDAP to prevents service to be started by "ipactl restart" Required by DNSSEC Patch attached I don't think the extra argument in ldap_enable is necessary. It should enable the service no matter if the entry existed before or not. Similarly, in ldap_disable you should not raise an error when the entry is not found, because that already makes the service disabled. Honza Updated patch attached ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Please review, this should be in 4.1 -- Martin Basti ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0118] Allow to disable service (in LDAP)
On 02/09/14 09:10, Jan Cholasta wrote: Hi, Dne 1.9.2014 v 16:57 Martin Basti napsal(a): This patch allows to disable service in LDAP to prevents service to be started by "ipactl restart" Required by DNSSEC Patch attached I don't think the extra argument in ldap_enable is necessary. It should enable the service no matter if the entry existed before or not. Similarly, in ldap_disable you should not raise an error when the entry is not found, because that already makes the service disabled. Honza Updated patch attached -- Martin Basti From 43fb8d981cc02b60c76b0a7040d0232bdf2165bc Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Thu, 28 Aug 2014 19:27:44 +0200 Subject: [PATCH] LDAP disable service This patch allows to disable service in LDAP (ipactl will not start it) --- ipaserver/install/service.py | 49 1 file changed, 49 insertions(+) diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index 1f01b275135173b7d0bfdb4d56729438a0853142..370f86fe308607162e9bd8b41144e3557ab0a7ab 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -375,6 +375,30 @@ class Service(object): self.ldap_connect() entry_name = DN(('cn', name), ('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), ldap_suffix) + +# enable disabled service +try: +entry = self.admin_conn.get_entry(entry_name, ['ipaConfigString']) +except errors.NotFound: +pass +else: +if 'enabledService' in entry.get('ipaConfigString', []): +root_logger.debug("failed to enable %s Service startup entry (already enabled)" % name) +return + +if 'ipaConfigString' in entry and entry['ipaConfigString'] is not None: +entry['ipaConfigString'].append('enabledService') +else: +entry['ipaConfigString'] = ['enabledService'] +root_logger.warning("%s Service startup entry has no 'ipaConfigString' attributes" % name) + +try: +self.admin_conn.update_entry(entry) +except: +root_logger.debug("failed to re-enable %s Service startup entry (already enabled)" % name) + +return + order = SERVICE_LIST[name][1] entry = self.admin_conn.make_entry( entry_name, @@ -390,6 +414,31 @@ class Service(object): root_logger.debug("failed to add %s Service startup entry" % name) raise e +def ldap_disable(self, name, fqdn, ldap_suffix): +assert isinstance(ldap_suffix, DN) +if not self.admin_conn: +self.ldap_connect() + +entry_name = DN(('cn', name), ('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), ldap_suffix) +try: +entry = self.admin_conn.get_entry(entry_name, ['ipaConfigString']) +except errors.NotFound: +root_logger.debug("failed to disable %s Service startup entry (service not found)" % name) +return + +if 'enabledService' not in entry.get('ipaConfigString', []): +root_logger.debug("failed to disable %s Service startup entry (Service already disabled)" % name) +return + +entry['ipaConfigString'].remove('enabledService') + +try: +self.admin_conn.update_entry(entry) +except: +root_logger.debug("failed to disable %s Service startup entry" % name) +raise + + class SimpleServiceInstance(Service): def create_instance(self, gensvc_name=None, fqdn=None, dm_password=None, ldap_suffix=None, realm=None): self.gensvc_name = gensvc_name -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0118] Allow to disable service (in LDAP)
Hi, Dne 1.9.2014 v 16:57 Martin Basti napsal(a): This patch allows to disable service in LDAP to prevents service to be started by "ipactl restart" Required by DNSSEC Patch attached I don't think the extra argument in ldap_enable is necessary. It should enable the service no matter if the entry existed before or not. Similarly, in ldap_disable you should not raise an error when the entry is not found, because that already makes the service disabled. Honza -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel