freeipa.git/install/tools/ipa-ldap-updater, branch webui_isolate FreeIPA patches Use /usr/bin/python2 2014-01-03T08:46:05+00:00 Xiao-Long Chen chenxiaolong@cxl.epac.to 2013-11-27T13:53:57+00:00 5e96fbc22afa02f08f71513e7b59d3d5c6a1f9dc Part of the effort to port FreeIPA to Arch Linux, where Python 3 is the default. FreeIPA hasn't been ported to Python 3, so the code must be modified to run /usr/bin/python2 https://fedorahosted.org/freeipa/ticket/3438 Updated by pviktori@redhat.com 
Part of the effort to port FreeIPA to Arch Linux,
where Python 3 is the default.

FreeIPA hasn't been ported to Python 3, so the code must be modified to
run /usr/bin/python2

https://fedorahosted.org/freeipa/ticket/3438

Updated by pviktori@redhat.com
Framework for admin/install tools, with ipa-ldap-updater 2012-07-23T03:17:56+00:00 Petr Viktorin pviktori@redhat.com 2012-04-20T08:39:59+00:00 b5c1ce88a4a3b35adb3b22bc68fb10b49322641a Currently, FreeIPA's install/admin scripts are long pieces of code that aren't very reusable, importable, or testable. They have been extended over time with features such as logging and error handling, but since each tool was extended individually, there is much inconsistency and code duplication. This patch starts a framework which the admin tools can use, and converts ipa-ldap-updater to use the framework. Common tasks the tools do -- option parsing, validation, logging setup, error handling -- are represented as methods. Individual tools can extend, override or reuse the defaults as they see fit. The ipa-ldap-updater has two modes (normal and --upgrade) that don't share much functionality. They are represented by separate classes. Option parsing, and selecting which class to run, happens before they're instantiated. All code is moved to importable modules to aid future testing. The only thing that remains in the ipa-ldap-updater script is a two-line call to the library. First part of the work for: https://fedorahosted.org/freeipa/ticket/2652 
Currently, FreeIPA's install/admin scripts are long pieces of code
that aren't very reusable, importable, or testable.
They have been extended over time with features such as logging and
error handling, but since each tool was extended individually, there
is much inconsistency and code duplication.
This patch starts a framework which the admin tools can use, and
converts ipa-ldap-updater to use the framework.

Common tasks the tools do -- option parsing, validation, logging
setup, error handling -- are represented as methods. Individual
tools can extend, override or reuse the defaults as they see fit.

The ipa-ldap-updater has two modes (normal and --upgrade) that
don't share much functionality. They are represented by separate
classes. Option parsing, and selecting which class to run, happens
before they're instantiated.

All code is moved to importable modules to aid future testing. The
only thing that remains in the ipa-ldap-updater script is a two-line
call to the library.

First part of the work for:
https://fedorahosted.org/freeipa/ticket/2652
Print ipa-ldap-updater errors during RPM upgrade 2012-07-13T14:18:45+00:00 Martin Kosek mkosek@redhat.com 2012-07-11T14:22:13+00:00 c20d4c71b87365b3b8d9c53418a79f992e68cd00 ipa-ldap-updater does a lot of essential LDAP changes and if it fails, user may be surprised after the upgrade why things does not work. Modify ipa-ldap-updater to print ERROR logging messages by default and modify RPM upgrade scriptlet to show these errors to user. Console error messages are now formated in a more user-friendly way. Information message stating that IPA is not configured and i.e. there is nothing to be updated is not printer to stderr so that it does not pop up for every freeipa-server package update when IPA is not configured. https://fedorahosted.org/freeipa/ticket/2892 
ipa-ldap-updater does a lot of essential LDAP changes and if it
fails, user may be surprised after the upgrade why things does not
work.

Modify ipa-ldap-updater to print ERROR logging messages by default
and modify RPM upgrade scriptlet to show these errors to user. Console
error messages are now formated in a more user-friendly way.

Information message stating that IPA is not configured and i.e. there
is nothing to be updated is not printer to stderr so that it does
not pop up for every freeipa-server package update when IPA is not
configured.

https://fedorahosted.org/freeipa/ticket/2892
Only allow root to run update plugins 2012-06-07T09:02:22+00:00 Petr Viktorin pviktori@redhat.com 2012-06-06T04:44:58+00:00 6f1baf8b16e5c74ec1d2a8d9ebbf41c979e2f2d5 Several plugins need restarting the DS (or they currently do an external bind). Rather than disabling plugins (possibly partially), refuse to run them when run as an unprivileged user. This means running ipa-ldap-updater as non-root requires specifying a list of files, and omiting the --upgrade and --plugins options. https://fedorahosted.org/freeipa/ticket/2621 
Several plugins need restarting the DS (or they currently do
an external bind).
Rather than disabling plugins (possibly partially), refuse
to run them when run as an unprivileged user.

This means running ipa-ldap-updater as non-root requires specifying
a list of files, and omiting the --upgrade and --plugins options.

https://fedorahosted.org/freeipa/ticket/2621
Add plugin framework to LDAP updates. 2011-11-23T04:57:10+00:00 Rob Crittenden rcritten@redhat.com 2011-11-23T21:52:40+00:00 2f4b3972a04e3ebf99ea7fd51c2b102cc8342582 There are two reasons for the plugin framework: 1. To provide a way of doing manual/complex LDAP changes without having to keep extending ldapupdate.py (like we did with managed entries). 2. Allows for better control of restarts. There are two types of plugins, preop and postop. A preop plugin runs before any file-based updates are loaded. A postop plugin runs after all file-based updates are applied. A preop plugin may update LDAP directly or craft update entries to be applied with the file-based updates. Either a preop or postop plugin may attempt to restart the dirsrv instance. The instance is only restartable if ipa-ldap-updater is being executed as root. A warning is printed if a restart is requested for a non-root user. Plugins are not executed by default. This is so we can use ldapupdate to apply simple updates in commands like ipa-nis-manage. https://fedorahosted.org/freeipa/ticket/1789 https://fedorahosted.org/freeipa/ticket/1790 https://fedorahosted.org/freeipa/ticket/2032 
There are two reasons for the plugin framework:
1. To provide a way of doing manual/complex LDAP changes without having
   to keep extending ldapupdate.py (like we did with managed entries).
2. Allows for better control of restarts.

There are two types of plugins, preop and postop. A preop plugin runs
before any file-based updates are loaded. A postop plugin runs after
all file-based updates are applied.

A preop plugin may update LDAP directly or craft update entries to be
applied with the file-based updates.

Either a preop or postop plugin may attempt to restart the dirsrv instance.
The instance is only restartable if ipa-ldap-updater is being executed
as root. A warning is printed if a restart is requested for a non-root
user.

Plugins are not executed by default. This is so we can use ldapupdate
to apply simple updates in commands like ipa-nis-manage.

https://fedorahosted.org/freeipa/ticket/1789
https://fedorahosted.org/freeipa/ticket/1790
https://fedorahosted.org/freeipa/ticket/2032
ticket 2022 - modify codebase to utilize IPALogManager, obsoletes logging 2011-11-23T08:36:18+00:00 John Dennis jdennis@redhat.com 2011-11-15T19:39:31+00:00 56401c1abe7d4c78650acfcd9bbe8c8edc1dac57 change default_logger_level to debug in configure_standard_logging add new ipa_log_manager module, move log_mgr there, also export root_logger from log_mgr. change all log_manager imports to ipa_log_manager and change log_manager.root_logger to root_logger. add missing import for parse_log_level() 
change default_logger_level to debug in configure_standard_logging

add new ipa_log_manager module, move log_mgr there, also export
root_logger from log_mgr.

change all log_manager imports to ipa_log_manager and change
log_manager.root_logger to root_logger.

add missing import for parse_log_level()
Install tools crash when password prompt is interrupted 2011-10-06T06:28:15+00:00 Martin Kosek mkosek@redhat.com 2011-10-06T06:22:08+00:00 185ca8f6fc5e69e989e473c8b1d066aa2d8e5cb1 When getpass.getpass() function is interrupted via CTRL+D, EOFError exception is thrown. Most of the install tools are not prepared for this event and crash with this exception. Make sure that it is handled properly and nice error message is printed. https://fedorahosted.org/freeipa/ticket/1916 
When getpass.getpass() function is interrupted via CTRL+D, EOFError
exception is thrown. Most of the install tools are not prepared for
this event and crash with this exception. Make sure that it is
handled properly and nice error message is printed.

https://fedorahosted.org/freeipa/ticket/1916
Check IPA configuration in install tools 2011-07-18T07:36:43+00:00 Martin Kosek mkosek@redhat.com 2011-07-18T07:33:57+00:00 50a2c45760d51e7a13888702e1a047a113bc1f5e Install tools may fail with unexpected error when IPA server is not installed on a system. Improve user experience by implementing a check to affected tools. https://fedorahosted.org/freeipa/ticket/1327 https://fedorahosted.org/freeipa/ticket/1347 
Install tools may fail with unexpected error when IPA server is not
installed on a system. Improve user experience by implementing
a check to affected tools.

https://fedorahosted.org/freeipa/ticket/1327
https://fedorahosted.org/freeipa/ticket/1347
Remove root autobind search restriction, fix upgrade logging & error handling. 2011-06-13T07:51:05+00:00 Rob Crittenden rcritten@redhat.com 2011-06-09T17:16:07+00:00 7940270b9fbebfa09b25c18198933b6a6b82b1d3 There was no point in limiting autobind root to just search cn=config since it could always just modify its way out of the box, so remove the restriction. The upgrade log wasn't being created. Clearing all other loggers before we calling logging.basicConfig() fixes this. Add a global exception when performing updates so we can gracefully catch and log problems without leaving the server in a bad state. https://fedorahosted.org/freeipa/ticket/1243 https://fedorahosted.org/freeipa/ticket/1254 
There was no point in limiting autobind root to just search cn=config since
it could always just modify its way out of the box, so remove the
restriction.

The upgrade log wasn't being created. Clearing all other loggers before
we calling logging.basicConfig() fixes this.

Add a global exception when performing updates so we can gracefully catch
and log problems without leaving the server in a bad state.

https://fedorahosted.org/freeipa/ticket/1243
https://fedorahosted.org/freeipa/ticket/1254
Fix traceback in ipa-nis-manage. 2011-04-11T19:33:03+00:00 Rob Crittenden rcritten@redhat.com 2011-04-11T19:30:11+00:00 d42bf3f530759824586bba0df52f9bd8a6f20df7 The root user cannot use ldapi because of the autobind configuration. Fall back to a standard GSSAPI sasl bind if the external bind fails. With --ldapi a regular user may be trying this as well, catch that and report a reasonable error message. This also gives priority to the DM password if it is passed in. Also require the user be root to run the ipa-nis-manage command. We enable/disable and start/stop services which need to be done as root. Add a new option to ipa-ldap-updater to prompt for the DM password. Remove restriction to be run as root except when doing an upgrade. Ticket 1157 
The root user cannot use ldapi because of the autobind configuration.
Fall back to a standard GSSAPI sasl bind if the external bind fails.
With --ldapi a regular user may be trying this as well, catch that
and report a reasonable error message.

This also gives priority to the DM password if it is passed in.

Also require the user be root to run the ipa-nis-manage command.
We enable/disable and start/stop services which need to be done as root.

Add a new option to ipa-ldap-updater to prompt for the DM password.
Remove restriction to be run as root except when doing an upgrade.

Ticket 1157