This patch fixes a couple of buglets with read_ip_address():
1) It writes host_name to /etc/hosts, but isn't currently
being passed host_name
2) It doesn't return the IP address even though the caller
expects it
Signed-off-by: Mark McLoughlin <markmc@redhat.com>
After looking into setting up ntpd on the IPA servers I decided it
was better just to warn admins. There are just too many valid setups
for time synchronization for us to try to get this right. Additionally,
just installing ntp and accepting the default config will result in
a configuration that is perfectly valid for IPA.
This patch checks if ntpd is running and suggests enabling it if it
is not - for client and server. It also adds some suggested next
steps to the server installation.
Current ipa-python imports and calls code from ipaserver (which is in
the ipa-server package). This makes it impossible to use the admin
tools or the ipa-python package on a system without the server bits
installed. This fixes that in a fairly minimal way.
The use of a uuid for the DS instance name is overkill and it is a real
pain. This patch will use ipa-realm-name instead (resulting in something
like slapd-EXAMPLE-COM). All periods are converted to "-" because the DS
can't handle periods in server ids.
- illegal dn characters need to be escaped
- null characters in search filters
- dynamicedit.js was double html escaping (the python layer does it already)
> > This largish patch makes the build and installation work on 64bit
> > machines. The only catch here is that to get a 64bit build you need to
> > set LIBDIR on make:
> >
> > make install LIBDIR=/usr/lib64
> >
> > The spec file does this correctly. I couldn't find any reliable way to
> > guess this that works both on real systems and in the almost entirely
> > empty rpm build root (you can't, for example, check for the existence
> > of /usr/lib64).
Here is another patch for the installer. It does a few things:
* use socket.getfqdn() but fallback to gethostname()
* streamlines the hostname prompting
* fixes a bunch of spelling and grammatical errors
* fixes a bug in the hostname reading/verification logic
* allows "yes" and "no" as answers
* modularizes and reuses code where possible
* changes some of the prompts to be more like
the FDS installer - some text is copied (which is easy to use IMO)
* tries to make the prompts fit on smaller screens (<80 chars)
Hope you agree that it is better. :)
Thanks,
Jon
> William Jon McCann wrote:
> > Hi,
> >
> > After playing with the install (repeatedly) I ended up with a lot of
> > duplicate values in:
> > /etc/sysconfig/dirsrv
> > /etc/sysconfig/ipa-kpasswd
> >
> > Here is a patch that should fix this. It modifies the file "in-place"
> > and removes lines that matching the key (or commented key) and then
> > appends the new key=value.
> >
> > Jon
>
> Cool, I've wanted to fix this for a while (and recently aborted a switch
> from open with "a" to "w").
>
> What happens if the file doesn't exist yet? Do we need to wrap the
> fileinput loop in either a try/except or just look to see if the file
> exists first (my vote)?
>
> Something like:
>
> def update_key_val_in_file(filename, key, val):
> if os.path.exists(filename):
> pattern = "^[\s#]*%s\s*=" % re.escape(key)
> p = re.compile(pattern)
> for line in fileinput.input(filename, inplace=1):
> if not p.search(line):
> sys.stdout.write(line)
> fileinput.close()
> f = open(filename, "a")
> f.write("%s=%s\n" % (key, val))
> f.close()
Good point. In genera,l I prefer doing a try because it is a little
less racy but in this case it doesn't make a difference.
Updated patch attached.
Thanks,
Jon
Modify the way we detect SELinux to use selinuxenabled instead of using
a try/except.
Handle SASL/GSSAPI authentication failures when getting a connection
the exception to contain the complete command.
Add a check to make sure installer is running as root.
Add signal handler to detect a user-cancelled installation.
Detect existing DS instances and prompt to remove them.
Don't read ipa.conf to get the realm, the kerberos libs do that for you.
Use the krbPrincipalName to change passwords
Make it possible to specify the principal at user creation.
Mail is not a required attribute so far, don't require it.
- Change sort functions to be on entities, so can use on the view pages too
- Fix bug: empty ajax search on useredit blows up
- Filter illegal characters from suggest uid/email methods
- Rename first/last name fields
- Make default font family sans-serif
- Speed up effect appear/fade rendering
- Add buttons to top and bottom of pages
- Make grouplist sortable
- Add noscript warning to welcome page
Created a MemberDisplayInfo to hold the info needed to render a member.
Changed round trip persistance to use that class.
Created a single renderMemberInfo method to render the members.
Changed dynamic as well as static lists to use renderMemberInfo.
Lastly, render groups members in italics.
Change view group to render group members in italics.
Install the turbogears web gui including an init script. This
patch includes a few related changes:
* create a production configuration
* rename the web gui startup scrip to ipa-webgui
* add an init script
* chkconfig on the ipa-webgui init script
* make the start script properly daemonize the app when not
in a development directory.
* Install everything to the correct places (/usr/sbin/ipa-webgui
and /usr/share/ipa/ipagui mainly).
There are some things still left to do:
* Sort out the logging - the config needs to be adjusted so
that logging messages end up in /var/log.
* Remove the rpmbuild tree with the dist-clean target.
* Move ipa-server-setupssl from /usr/sbin to /usr/share/ipa
* Check in requirement change for generated freeipa-python.spec
* Fix interactive hostname in ipa-server-install.
The default configuration of the apache selinux policy doesn't allow
apache to connect to the turbogears gui. This sets the correct
boolean to allow that connection.
- Members of groups are clickable
- Combine name and uid into a single column in find users
- Remove license plate from searching
- Mailto links on user emails
- Add timelimit to finds. This is experimental...
- Fix usersearch to only search on objectClass=Person
- Change search to use get parameter
Add ipa-passwd tool
Add simple field validation package
This patch adds a package requirement, python-krbV. This is needed to
determine the current user based on their kerberos ticket.
name and location of the keytab. In order for this keytab to be usable
TurboGears and Apache will need to run as the same user. We will also need
to listen only on localhost in TG.
kerberos principal name
Add an identity an visit class to TurboGears that can handle the user
without requiring a database
Update the UI to show the user correctly.
Note that this is currently disabled. It is hardcoded to always return the
principal test@FREEIPA.ORG in proxyprovider.py
It doesn't handle an unauthorized request because that can never happen.
Change account status to use select list and 'active'/'inactive' values.
Improve autosuggest to keep suggesting unless you overwrite a suggestion
(if you correct the name, it will re-suggest).
- Rename buttons
- Add fake "logged in as" text
- Increase font size and spacing for sidebar
- Fix search messages for no results
- Open ipa footer link in new window
Set password for admin user using the Directory Mangaer account
and the mozldapldappaswd binary to get and SSL connection
Fix some timeout problems with deploying keytabs
Fix ipa_pwd_extop to actuallt correctly detect an SSL connection
Do not ask for the user to use for the directory unless 'dirsrv' is
an existing user which may clash, create it silently
or something very close to this one
Add default groups and admin user
TODO: need to discuss more in deep uid/gid generation, this will
probably change as soon as the DNA plugin is activated
This way it returns results even if the search times out.
The find_users() search now returns a counter as the first result, which
is set to -1 if the results are partial.
removes the need for LDIF conversion. It will make TurboGears direct
code faster, but should keep xmlrpc about the same speed.
The patch also swaps out ldap.cidict for the IPA CIDict class. IPA code
should only use the CIDict class now.
- "configurable" fields to search on
- tokenize search words
- prioritize exact matches over partial matches
- split match filter generation into a re-usable function.
Other updates:
- use finally block to return ldap connections
- update web gui to use new get_user methods
Create separate object for Users and Groups (using same base class)
Check for uniqueness before adding new users and groups
Remove user_container from everything but add operations
Abstract out a number of functions that are common across users and groups
Make sure all strings passed in to be in a filter are checked
Add new error message: No modifications specified
rpcclient.py must call XML-RPC functions with all arguments.
Removed encode_args and decode_args. They were the source of most of the
argument pain. Now opts is alwyas appended to the end of the arguments
so MUST be the last argument in any server-side function (can be None)
Allow the User object to handle unicode data
Small fixes to command-line tools to be friendlier
Broke out get_user() into get_user_by_dn() and get_user_by_uid()
Need to request more than just 'nsAccountLock' attribute when trying to
see if a user is already marked deleted. If it is blank the record
coming back is empty. Add 'uid' to the list to guarantee something coming
back (dn is handled specially)
Added user_container attribute to get_user_* and add_user so the caller
can specify where in the tree the user will be searched for/added.
Added global default value for user_container
Remove all dependencies on mhash
Remove code optimizatrion from Makefiles, right now these are
developers targeted builds, so it is better to have debugging
symbols around
Fix fields to be lowercase in web gui (server now returns them lowercase).
Fix ipaclient.py to refer to lowercase fields when adding a user.
Fix user.getValue() to check isinstance(value,list) instead of value[0].
This uses the random.SystemRandom() method to generate an 8-digit
alphanumeric password.
- Add ajax call to usernew and useredit forms to generate a new password
- Add the prototype javascript library: http://www.prototypejs.org/
prototype is distributed with the MIT license.
- Add a checkbox to toggle editing (and displaying) the password.
- Change usershow template to use same field labels as the edit and new forms.
(They will likely diverge so no sense forcing them together).
Add css for required fields.
Add "_orig" hidden fields to the edit form in prep for sending only modified
fields.
