freeipa.git/ipalib, branch ipa-2-2 FreeIPA patches Add support for disabling KDC writes 2012-06-07T02:11:41+00:00 Simo Sorce ssorce@redhat.com 2012-05-23T16:35:44+00:00 97e362681ff9c81d76b6b015467309f90e301bce Add two global ipaConfig options to disable undesirable writes that have performance impact. The "KDC:Disable Last Success" will disable writing back to ldap the last successful AS Request time (successful kinit) The "KDC:Disable Lockout" will disable completely writing back lockout related data. This means lockout policies will stop working. https://fedorahosted.org/freeipa/ticket/2734 
Add two global ipaConfig options to disable undesirable writes that have
performance impact.
The "KDC:Disable Last Success" will disable writing back to ldap the last
successful AS Request time (successful kinit)
The "KDC:Disable Lockout" will disable completely writing back lockout
related data. This means lockout policies will stop working.

https://fedorahosted.org/freeipa/ticket/2734
Improve error message in zonemgr validator 2012-04-29T23:38:31+00:00 Martin Kosek mkosek@redhat.com 2012-04-30T11:51:03+00:00 ed99c51117fdc691c65ef9f366862bbe3a9f60ed This patch consolidates zonemgr function to move the most of the checks to common functions in order to provide consistent output. The error messages produced by the validator should now be more helpful when identifying the source of error. https://fedorahosted.org/freeipa/ticket/1966 
This patch consolidates zonemgr function to move the most of the
checks to common functions in order to provide consistent output.
The error messages produced by the validator should now be more
helpful when identifying the source of error.

https://fedorahosted.org/freeipa/ticket/1966
Revert "Validate attributes in permission-add" 2012-04-29T21:40:31+00:00 Rob Crittenden rcritten@redhat.com 2012-04-29T21:38:12+00:00 ee8ff3adf8b8214598c51d9b052f68cedf105cd1 This reverts commit 1356988b7a40a60af39807db143860efb4a2f435. We are going to take another approach to this. Instead of erroring out on attributes that don't seem to be allowed we are going to eventually return a warning. 
This reverts commit 1356988b7a40a60af39807db143860efb4a2f435.

We are going to take another approach to this. Instead of erroring
out on attributes that don't seem to be allowed we are going to
eventually return a warning.
Sort password policies properly with --pkey-only 2012-04-26T12:35:42+00:00 Martin Kosek mkosek@redhat.com 2012-04-25T14:24:20+00:00 2271e0a481889d1a7d5d8b71aa9dda73880dd3f2 Password policy plugin sorts password policies by its COS priority. However, when the pwpolicy-find command is run with --pkey-only, the resulting entries do not contain COS priority and the sort function crashes. This patch makes sure that cospriority is present in the time of the result sorting process and removes the cospriority again when the sorting is done. This way, the entries are sorted properly both with and without --pkey-only flag. Previous entries_sortfn member attribute of LDAPSearch class containing custom user sorting function was replaced just with a flag indicating if a sorting in LDAPSearch shall be done at all. This change makes it possible to sort entries in a custom post_callback which is much more powerful (and essential for sorting like in pwpolicy plugin) approach than a plain sorting function. https://fedorahosted.org/freeipa/ticket/2676 
Password policy plugin sorts password policies by its COS priority.
However, when the pwpolicy-find command is run with --pkey-only,
the resulting entries do not contain COS priority and the sort
function crashes.

This patch makes sure that cospriority is present in the time
of the result sorting process and removes the cospriority again
when the sorting is done. This way, the entries are sorted properly
both with and without --pkey-only flag.

Previous entries_sortfn member attribute of LDAPSearch class
containing custom user sorting function was replaced just with
a flag indicating if a sorting in LDAPSearch shall be done at all.
This change makes it possible to sort entries in a custom
post_callback which is much more powerful (and essential for
sorting like in pwpolicy plugin) approach than a plain sorting
function.

https://fedorahosted.org/freeipa/ticket/2676
Update docs for user-status, always show disabled, time for each server. 2012-04-23T08:20:45+00:00 Rob Crittenden rcritten@redhat.com 2012-04-23T08:16:45+00:00 dbc7afcef5a73e86dab0450ca92abda622266df8 Provide some guidance on how to read and understand the output. Some manual work is needed to identify which master the user is locked on. Always display the enabled/disabled status. Include the time that the master was contacted in the output for each master as lockout is very time sensitive. https://fedorahosted.org/freeipa/ticket/2162 
Provide some guidance on how to read and understand the output. Some
manual work is needed to identify which master the user is locked on.

Always display the enabled/disabled status.

Include the time that the master was contacted in the output for each
master as lockout is very time sensitive.

https://fedorahosted.org/freeipa/ticket/2162
Fix name error in hbactest 2012-04-19T13:22:59+00:00 John Dennis jdennis@redhat.com 2012-04-19T12:56:07+00:00 1df88f06f926ae1907b4bfc2633bee747d146c89 Ticket #2512 In hbactest.py there is a name error wrapped inside a try/except block that ignores all errors so the code block exits prematurely leaving a critical variable uninitialized. The name error is the result of a cut-n-paste error that references a variable that had never been initialized in the scope of the code block. Python generates an exception when this variable is referenced but because it's wrapped in a try/except block that catches all errors and ignores all errors there is no evidence that something went wrong. The fix is to use the correct variables. At some point we may want to revist if ignoring all errors and proceding as if nothing happened is actually correct. Alexander tells me this mimics what SSSD does in the hbac rule processing, thus the ignoring of errors is intentional. But in a plugin whose purpose is to test and exercise hbac rules I'm not sure ignoring all errors is really the right behavior. 
Ticket #2512

In hbactest.py there is a name error wrapped inside a try/except block
that ignores all errors so the code block exits prematurely leaving a
critical variable uninitialized.

The name error is the result of a cut-n-paste error that references a
variable that had never been initialized in the scope of the code
block. Python generates an exception when this variable is referenced
but because it's wrapped in a try/except block that catches all errors
and ignores all errors there is no evidence that something went wrong.

The fix is to use the correct variables.

At some point we may want to revist if ignoring all errors and
proceding as if nothing happened is actually correct. Alexander tells
me this mimics what SSSD does in the hbac rule processing, thus the
ignoring of errors is intentional. But in a plugin whose purpose is to
test and exercise hbac rules I'm not sure ignoring all errors is
really the right behavior.
Fix internal error when renaming user with an empty string. 2012-04-18T07:04:02+00:00 Jan Cholasta jcholast@redhat.com 2012-04-12T11:29:21+00:00 2a27e0bd2067e380c8c7f0652b694a54a495f82d ticket 2629 
ticket 2629
Do not fail migration because of duplicate groups 2012-04-17T04:20:47+00:00 Martin Kosek mkosek@redhat.com 2012-04-17T18:39:32+00:00 49f869522581d66a62e7d251739a2f758837d78e When 2 groups in a remote LDAP server share the same GID number, the migration may fail entirely with incomprehensible message. This should not be taken as unrecoverable error - GID number check is just a sanity check, a warning is enough. This patch also makes sure that GID check warnings include a user name to make an investigation easier. https://fedorahosted.org/freeipa/ticket/2644 
When 2 groups in a remote LDAP server share the same GID number,
the migration may fail entirely with incomprehensible message. This
should not be taken as unrecoverable error - GID number check is
just a sanity check, a warning is enough. This patch also makes
sure that GID check warnings include a user name to make
an investigation easier.

https://fedorahosted.org/freeipa/ticket/2644
Raise proper exception when LDAP limits are exceeded 2012-04-17T03:24:08+00:00 Martin Kosek mkosek@redhat.com 2012-04-17T07:56:04+00:00 4a48efe636c0036334d4d3afadc933b0408de0f0 ldap2 plugin returns NotFound error for find_entries/get_entry queries when the server did not manage to return an entry due to time limits. This may be confusing for user when the entry he searches actually exists. This patch fixes the behavior in ldap2 plugin to 1) Return even a zero search results + truncated bool set in ldap2.find_entries 2) Raise LimitsExceeded in ldap2.get_entry and ldap2.find_entry_by_attr instead of NotFound error This changed several assumptions about ldap2.find_entries results. Several calls accross IPA code base had to be amended. https://fedorahosted.org/freeipa/ticket/2606 
ldap2 plugin returns NotFound error for find_entries/get_entry
queries when the server did not manage to return an entry
due to time limits. This may be confusing for user when the
entry he searches actually exists.

This patch fixes the behavior in ldap2 plugin to
1) Return even a zero search results + truncated bool set in
   ldap2.find_entries
2) Raise LimitsExceeded in ldap2.get_entry and
   ldap2.find_entry_by_attr instead of NotFound error

This changed several assumptions about ldap2.find_entries
results. Several calls accross IPA code base had to be
amended.

https://fedorahosted.org/freeipa/ticket/2606
don't append basedn to container if it is included 2012-04-17T02:26:59+00:00 John Dennis jdennis@redhat.com 2012-04-16T22:48:57+00:00 36eb2543c3c01a24a6604b761b7287ae179cea7e ticket #2566 When specifying a container to ds-migrate we should not automatically append the basedn if it is provided by the end-user. This is easy to detect using DN objects because DN objects have a endswith() method which can easily and correctly ascertain if a base already exists. 
ticket #2566

When specifying a container to ds-migrate we should not automatically
append the basedn if it is provided by the end-user.

This is easy to detect using DN objects because DN objects have a
endswith() method which can easily and correctly ascertain if a base
already exists.