ded as we don't really
>>> support kadmin.
>> We shouldn't.
>>
>> Simo.
>>
>
> I would like to discuss consequences of adding kdc URI records:
>
> 1. basically all ipa clients enrolled using autodiscovery will use
> kdcproxy instead of KDC on po
On 2017-04-27 16:16, Martin Bašti wrote:
>
>
> On 27.04.2017 14:19, Christian Heimes wrote:
>> On 2017-04-27 14:00, Martin Bašti wrote:
>>> I would like to discuss consequences of adding kdc URI records:
>>>
>>> 1. basically all ipa clients enrolled
te a TGT and
then installs the trust anchor in the global trust store. It should be
enough to reverse the order and inject the trust anchor first.
Christian
--
Christian Heimes
Senior Software Engineer, Identity Management and Platform Security
Red Hat GmbH, http://www.de.redhat.com/, Register
On 2017-03-06 14:10, Lukas Slebodnik wrote:
> On (06/03/17 13:49), Tomas Krizek wrote:
>> On 03/06/2017 01:44 PM, Lukas Slebodnik wrote:
>>> On (06/03/17 13:35), Tomas Krizek wrote:
On 03/03/2017 09:22 PM, Rob Crittenden wrote:
> Lukas Slebodnik wrote:
>> On (03/03/17 17:07), Lukas Sle
Hi,
for a while make causes unsolicited modifications to all translation
files. I have to reset all PO files a couple of times a day during
development:
git checkout -- po/*.po
It's slowly wearing me off. I opened ticket
https://fedorahosted.org/freeipa/ticket/6605 a while ago. It contains
m
On 2017-01-17 12:56, David Kupka wrote:
> Hi Christian,
> uniqueness of uid is not checked in staging area on purpose, it may be
> changed multiple times before the stageuser is transformed into user
> (activated). The uid uniqueness is then checked during activation.
>
> Third party application t
On 2017-01-16 15:52, David Kupka wrote:
> Hello everyone!
>
> I've noticed that our API for stageuser is missing some commands that
> user has (stageuser-{add,remove}-{principal,cert}). I was wondering if
> there is reason for it but after asking some fellow developers it seems
> that there's non
On 2016-12-19 15:07, John Dennis wrote:
> I'm not a big fan of NSS, it has its issues. As the author of the
> Python binding I'm quite aware of all the nasty behaviors NSS has and
> needs to be worked around. I wouldn't be sad to see it go but OpenSSL
> has its own issues too. If you remove NSS y
On 2016-12-12 10:37, Alexander Bokovoy wrote:
> On ma, 12 joulu 2016, Alexander Bokovoy wrote:
>> On ma, 12 joulu 2016, Christian Heimes wrote:
>>> On 2016-12-12 09:54, Alexander Bokovoy wrote:
>>>> On ma, 12 joulu 2016, Christian Heimes wrote:
>>>>>
On 2016-12-12 09:54, Alexander Bokovoy wrote:
> On ma, 12 joulu 2016, Christian Heimes wrote:
>> Hi Simo,
>>
>> I'm wondering if we need to change kdcproxy for anon pkinit. What kind
>> of Kerberos requests are performed by anon pkinit and to establish a
>> FA
Hi Simo,
I'm wondering if we need to change kdcproxy for anon pkinit. What kind
of Kerberos requests are performed by anon pkinit and to establish a
FAST tunnel? python-kdcproxy allows only request types AS-REQ, TGS-REQ
and AP-REQ+KRB-PRV. Responses are not filtered.
Regards,
Christian
On 2016-11-21 14:44, Petr Spacek wrote:
>>> 3.3 ipaplatform auto-configuration
>>>
>>> I'm not sure if guessing platform from ID_LIKE is really a good idea. It
>>> might work fine for centos -> rhel, but in general we can't really
>>> assume it will always work, as the platforms listed in ID_LIKE m
On 2016-11-21 13:31, Jan Cholasta wrote:
> Hi,
>
> On 11.11.2016 15:25, Christian Heimes wrote:
>> Hello,
>>
>> I have released the first version of a new design document. It describes
>> how I'm going to improve integration of FreeIPA's client
On 2016-11-21 11:38, Jan Cholasta wrote:
> On 21.11.2016 11:04, Christian Heimes wrote:
>> On 2016-11-21 10:46, Jan Cholasta wrote:
>>> On 21.11.2016 10:32, Christian Heimes wrote:
>>>> On 2016-11-21 10:26, Jan Cholasta wrote:
>>>>> On 11.11.2016 18:28,
On 2016-11-21 10:46, Jan Cholasta wrote:
> On 21.11.2016 10:32, Christian Heimes wrote:
>> On 2016-11-21 10:26, Jan Cholasta wrote:
>>> On 11.11.2016 18:28, Christian Heimes wrote:
>>>> On 2016-11-11 17:46, Martin Basti wrote:
>>>>>
>>>
On 2016-11-21 10:26, Jan Cholasta wrote:
> On 11.11.2016 18:28, Christian Heimes wrote:
>> On 2016-11-11 17:46, Martin Basti wrote:
>>>
>>>
>>> On 11.11.2016 15:25, Christian Heimes wrote:
>>>> Hello,
>>>>
>>>> I have release
On 2016-11-11 18:33, Rob Crittenden wrote:
> Martin Basti wrote:
>> 2) if I understand correctly, you want to separate client installer code
>> and client CLI code. In past we had freeipa-admintools but it was
>> removed because it was really tightly bounded to installed client. Do
>> you want to r
On 2016-11-11 17:46, Martin Basti wrote:
>
>
> On 11.11.2016 15:25, Christian Heimes wrote:
>> Hello,
>>
>> I have released the first version of a new design document. It describes
>> how I'm going to improve integration of FreeIPA's client libraries
>
Hello,
I have released the first version of a new design document. It describes
how I'm going to improve integration of FreeIPA's client libraries
(ipalib, ipapython, ipaclient, ipaplatform) for third party developers.
http://www.freeipa.org/page/V4/Integration_Improvements
Regards,
Christian
On 2016-08-23 12:42, Petr Vobornik wrote:
> On 08/11/2016 04:13 PM, Martin Basti wrote:
>>
>>
>> On 08.08.2016 16:10, Christian Heimes wrote:
>>> The server-del plugin now removes the Custodia keys for encryption and
>>> key signing from LDAP.
>>>
On 2016-08-23 12:49, Petr Vobornik wrote:
> On 08/09/2016 01:53 PM, Martin Basti wrote:
>>
>>
>> On 08.08.2016 16:09, Christian Heimes wrote:
>>> I have split up patch 0032 into two smaller patches. This patch only
>>> addresses the server.keys file.
>>
The server-del plugin now removes the Custodia keys for encryption and
key signing from LDAP.
https://fedorahosted.org/freeipa/ticket/6015
From be4d66075d108fd9188a3a0b906bace6f6ea5122 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Mon, 8 Aug 2016 16:06:08 +0200
Subject: [PATCH] Remove
f the directory
/etc/ipa/custodia. The installer and upgrader ensure that the file
has 600.
https://bugzilla.redhat.com/show_bug.cgi?id=1353936
https://fedorahosted.org/freeipa/ticket/6056
From 29cdaa5e27e7b8b3690d222c43eb0edfefdd82ba Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Mon, 8 Aug 2016
On 2016-07-07 14:54, Martin Basti wrote:
> Patch needs changes in ipa-4-3 branch
Here are patches for master and ipa-4-3 branch. I have rebased both
patches to head.
Christian
From e3a99ef8a6245d6e1bca22b3b0cede5d2ff608e8 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Fri, 1 Jul 2016
On 2016-07-19 17:03, Martin Basti wrote:
>
>
> On 12.07.2016 16:45, Christian Heimes wrote:
>> Custodia's server.keys file contains the private RSA keys for encrypting
>> and signing Custodia messages. The file was created with permission 644
>> and is only
/system/httpd.service.d/.
https://fedorahosted.org/freeipa/ticket/6158
https://bugzilla.redhat.com/show_bug.cgi?id=1362537
From c6ab5d9323c1cc389ab221e0fc1c5290cc0075d4 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Tue, 2 Aug 2016 16:58:07 +0200
Subject: [PATCH] Correct path to HTTPD's sy
From: Christian Heimes
Date: Fri, 8 Jul 2016 20:06:57 +0200
Subject: [PATCH] Secure permission and cleanup Custodia server.keys
Custodia's server.keys file contains the private RSA keys for encrypting
and signing Custodia messages. The file was created with permission 644
and is only secured by perm
On 2016-07-07 14:54, Martin Basti wrote:
> Patch needs changes in ipa-4-3 branch
My patch? Do you want me to submit a patch for 4.3 branch?
Christian
signature.asc
Description: OpenPGP digital signature
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/ma
On 2016-07-01 11:17, Petr Spacek wrote:
> On 1.7.2016 11:04, Christian Heimes wrote:
>> On 2016-07-01 10:59, Petr Spacek wrote:
>>> On 1.7.2016 10:55, Christian Heimes wrote:
>>>> On 2016-07-01 10:48, Petr Spacek wrote:
>>>>>
On 2016-07-01 10:59, Petr Spacek wrote:
> On 1.7.2016 10:55, Christian Heimes wrote:
>> On 2016-07-01 10:48, Petr Spacek wrote:
>>> On 1.7.2016 10:42, Christian Heimes wrote:
>>>> RedHatCAService.wait_until_running() uses dogtag.ca_status() to make a
>>>
On 2016-07-01 10:48, Petr Spacek wrote:
> On 1.7.2016 10:42, Christian Heimes wrote:
>> RedHatCAService.wait_until_running() uses dogtag.ca_status() to make a
>> HTTP(s) request to Dogtag in order to check if /ca/admin/ca/getStatus
>> returns OK. The ca_status()
pa-ca-install waits for master:8080 instead of replica:8080,
which might be blocked by a firewall.
https://fedorahosted.org/freeipa/ticket/6016
From 134f639aadad1b63e8715ec05fa06b53a3f12e74 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Fri, 1 Jul 2016 10:21:06 +0200
Subject: [PATCH] RedHatCASe
On 2016-06-28 12:49, Martin Kosek wrote:
> On 06/28/2016 12:49 PM, Jan Cholasta wrote:
>> On 28.6.2016 12:33, Martin Kosek wrote:
>>> On 06/28/2016 12:23 PM, Fraser Tweedale wrote:
On Tue, Jun 28, 2016 at 11:00:17AM +0200, Martin Kosek wrote:
> Hi Fraser,
>
> I was testing FreeIPA
On 2016-05-25 12:00, Martin Kosek wrote:
> On 05/25/2016 11:55 AM, Christian Heimes wrote:
>> On 2016-05-25 11:46, Martin Kosek wrote:
>>> On 05/25/2016 10:03 AM, Jan Pazdziora wrote:
>>>> On Mon, May 23, 2016 at 04:24:38PM +0200, Florence Blanc-Renaud wrote:
>
On 2016-05-25 11:46, Martin Kosek wrote:
> On 05/25/2016 10:03 AM, Jan Pazdziora wrote:
>> On Mon, May 23, 2016 at 04:24:38PM +0200, Florence Blanc-Renaud wrote:
>>>
>>> - I start working on a specific issue and decide to create a branch on my
>>> git repository (on my laptop)
>>> git clone git://g
On 2016-05-24 16:29, Nathaniel McCallum wrote:
> Using a pragma instead of guards is easier to write, less error prone
> and avoids name clashes (a source of very subtle bugs). This pragma
> is supported on almost all compilers, including all the compilers we
> care about: https://en.wikipedia.org/
On 2016-05-06 15:50, Martin Babinsky wrote:
> On 05/06/2016 03:43 PM, Petr Spacek wrote:
>> Hello,
>>
>> I wonder if we should stop supporting new installations where
>> Kerberos realm != uppercase(primary DNS domain).
>>
>> It breaks a lot of stuff, is harder to manage and docs are full of
>> war
Hi Fraser,
and now to the review of your design doc for RFC 2818-compliant subject
alternative names in certs,
http://www.freeipa.org/page/V4/RFC_2818_certificate_compliance
1) RFC 2818 vs. RFC 6125
First I like to address a more general topic. Your design mentions RFC
6125 shortly. IMHO RFC 61
Hi Fraser,
I'm the reviewer for your Sub-CAs and RFC 2818 designs. Let's start with
Sub-CAs first. http://www.freeipa.org/page/V4/Sub-CAs
In general the design is well written -- accurate as usual. I didn't
want to ACK the design with a simple LGTM, so I put myself in the
position of a customer a
Hi,
while I was working on my Ansible playbook I ran into an issue. It is
hard to detect if a FreeIPA server instance is fully installed and all
its services are ready to handle requests. It's even harder to check it
remotely. I have figured out some heuristics to detect that a server is
*not* full
On 2016-04-07 11:09, Petr Spacek wrote:
> On 7.4.2016 08:43, Fraser Tweedale wrote:
>> Hi team,
>>
>> I updated the Sub-CAs design page with more detail for the key
>> replication[1]. This part of the design is nearly complete (a large
>> patchset is in review over at pki-devel@) but there are var
On 2016-03-21 12:02, Jan Cholasta wrote:
> Hi,
>
> On 18.3.2016 15:26, Christian Heimes wrote:
>> Hi,
>>
>> I'd like to use FreeIPA's RPC interface from Ansible directly. But the
>> output of plugins is rather unfriendly and unpythonic:
>>
>>
On 2016-03-21 10:29, Petr Spacek wrote:
> On 20.3.2016 21:56, Martin Basti wrote:
>> Patches attached.
>
> I do not really like
> freeipa-mbasti-0442-pylint-remove-bare-except
> because it replaces most of
>
> try: ... except:
>
> with
>
> try: ... except Exception:
>
>
> which AFAIK does not
Hi,
I'd like to use FreeIPA's RPC interface from Ansible directly. But the
output of plugins is rather unfriendly and unpythonic:
>>> print(api.Command.dnsconfig_show())
{u'result': {u'dn': u'cn=dns,dc=ipa,dc=example', u'idnsallowsyncptr':
(u'FALSE',)}, u'value': None, u'summary': None}
Please n
ed pep8 error, rebased it and attaching two
>> versions for master and for 4.3 branch.
>> I haven't found any missing cases and it works for me. If you're OK with the
>> modified patches it can be pushed.
>>
>> David
>>
>> - Original Message -
>
On 2016-02-11 14:43, Martin Kosek wrote:
>> Pushed to:
>> master: 5ac3a3cee534a16db86c541b9beff4939f03410e
>> ipa-4-3: c3496a4a4893c75789bdf0c617e46923361fb43b
>>
>
> Very cool! Thanks guys! Looking forward to deploying FreeIPA 4.3.1 on the
> FreeIPA public demo :-)
I have to change the cipher li
On 2016-01-29 15:05, Martin Basti wrote:
>
>
> On 29.01.2016 14:42, Christian Heimes wrote:
>> On 2016-01-28 09:47, Martin Basti wrote:
>>>
>>> On 22.01.2016 12:32, Martin Kosek wrote:
>>>> On 01/21/2016 04:21 PM, Christian Heimes wrote:
>>
On 2016-01-28 09:47, Martin Basti wrote:
>
>
> On 22.01.2016 12:32, Martin Kosek wrote:
>> On 01/21/2016 04:21 PM, Christian Heimes wrote:
>>> The list of supported TLS cipher suites in /etc/httpd/conf.d/nss.conf
>>> has been modernized. Insecure or less secur
TLS_RSA_WITH_AES_256_CBC_SHA
https://fedorahosted.org/freeipa/ticket/5589
From 26d356970ef1f7de7b00fe237f67345c507c7989 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Thu, 21 Jan 2016 16:09:10 +0100
Subject: [PATCH] Modernize mod_nss's cipher suites
The list of supported TLS cipher suit
On 2016-01-21 11:29, Martin Basti wrote:
>
>
> On 18.01.2016 17:55, Christian Heimes wrote:
>> On 2016-01-18 17:28, Martin Basti wrote:
>>> https://fedorahosted.org/freeipa/ticket/5538
>>>
>>> Patch attached
>> ACK
>>
>>
> Pushed t
On 2016-01-20 12:15, Abhijeet Kasurde wrote:
> Hi Christian,
>
> On 01/20/2016 04:15 PM, Christian Heimes wrote:
>> On 2016-01-20 08:30, Abhijeet Kasurde wrote:
>>> Ping for review request.
>> Hi,
>>
>> your initial patch has a small problem. Please provi
On 2016-01-20 02:54, Fraser Tweedale wrote:
> On Tue, Jan 19, 2016 at 02:20:27PM +0100, Christian Heimes wrote:
>> ipaplatform.constants has platform specific names for a couple of system
>> users like Apache HTTPD. The user names for PKI_USER, PKI_GROUP, DS_USER
>> and DS
On 2016-01-20 08:30, Abhijeet Kasurde wrote:
> Ping for review request.
Hi,
your initial patch has a small problem. Please provide a new patch with
port 464 instead of 749.
Christian
On 2016-01-19 13:43, Martin Basti wrote:
> +
> +def fake_class(name_or_class_obj, members=[]):
Please use a non-mutable argument here. members=() will do the job just
fine.
> +if isinstance(name_or_class_obj, scoped_nodes.Class):
> +cl = name_or_class_obj
> +else:
> +cl =
/freeipa/ticket/5619
From bd49251543c480ed3d4527b3aeb32f0df6fc9e67 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Tue, 19 Jan 2016 14:18:30 +0100
Subject: [PATCH] Move user/group constants for PKI and DS into ipaplatform
https://fedorahosted.org/freeipa/ticket/5619
---
install/share/copy
On 2016-01-18 17:28, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/5538
>
> Patch attached
ACK
On 2016-01-15 13:44, Tomas Babej wrote:
> Hi,
>
> For the dates older than 1900, Python is unable to convert the datetime
> representation to string using strftime:
>
> https://bugs.python.org/issue1777412
>
> Work around the issue adding a custom method to convert the datetime
> objects to LDAP
On 2016-01-08 16:49, Petr Spacek wrote:
> On 8.1.2016 13:56, Fraser Tweedale wrote:
>> On Fri, Jan 08, 2016 at 01:26:57PM +0100, Martin Kosek wrote:
Hi Fraser and other X.509 SMEs,
I wanted to check with you on what we have or plan to have with respect to
certificate/cipher stre
On 2016-01-08 13:26, Martin Kosek wrote:
> Hi Fraser and other X.509 SMEs,
>
> I wanted to check with you on what we have or plan to have with respect to
> certificate/cipher strength in FreeIPA.
>
> When I visit the FreeIPA public demo for example, I usually see following
> errors with recent br
On 2016-01-05 11:30, Tomas Babej wrote:
>
>
> On 01/05/2016 08:54 AM, Jan Cholasta wrote:
>> Hi,
>>
>> the attached patch replaces the default_encoding_utf8 binary module with
>> 2 lines of equivalent Python code.
>>
>> Honza
>>
>>
>>
>
> This looks fine to me, however, I wonder, why this approa
The combination of a bug in Dogtag's sslget command and a new feature
in mod_nss causes an incomplete uninstallation of KRA. The bug has been
fixed in Dogtag 10.2.6-13.
https://fedorahosted.org/freeipa/ticket/5469
https://fedorahosted.org/pki/ticket/1704
Signed-off-by: Christian Heimes
On 2016-01-04 23:38, Nalin Dahyabhai wrote:
> On Mon, Dec 21, 2015 at 12:17:08PM +0530, Abhijeet Kasurde wrote:
>> Hi All,
>>
>> Please review patches attached.
>
> The port number should probably be changed from 749 to 464.
Nalin is correct. kpasswd and admin server use different ports:
$ geten
Hi,
in ticket https://fedorahosted.org/freeipa/ticket/5538 Ludwig has
suggested to exclude Dogtag's o=ipaca tree from the changelog. Sometimes
vault-archive fails because of a failed write to the Retro Changelog.
The RetroCL was enabled in https://fedorahosted.org/freeipa/ticket/3967
for the bind-
On 2015-12-07 19:59, Petr Vobornik wrote:
> On 7.12.2015 16:26, Christian Heimes wrote:
>> On 2015-12-07 16:17, Alexander Bokovoy wrote:
>>> On Mon, 07 Dec 2015, Christian Heimes wrote:
>>>> The patch fixes SELinux violations in Fedora 23.
>>>>
>>
On 2015-12-07 16:17, Alexander Bokovoy wrote:
> On Mon, 07 Dec 2015, Christian Heimes wrote:
>> The patch fixes SELinux violations in Fedora 23.
>>
>> Background: Recent versions of cryptography cause SELinux violation
>> which will lead to a segfault, see
>
in wsgi.py prevents the import by raising an ImportError.
From 5ac052f085c74f058703c5da29d59849c11e571f Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Thu, 3 Dec 2015 14:26:19 +0100
Subject: [PATCH 26/26] Workarounds for SELinux execmem violations in
cryptography
ipaserver.dcerpc uses M2
On 2015-12-03 11:04, Jan Cholasta wrote:
> On 2.12.2015 13:44, Petr Spacek wrote:
>> On 2.12.2015 13:23, Jan Cholasta wrote:
>>> On 2.12.2015 12:54, Petr Spacek wrote:
>>>> On 2.12.2015 12:51, Christian Heimes wrote:
>>>>> On 2015-12-02 08:37,
On 2015-12-02 08:37, Petr Spacek wrote:
> On 1.12.2015 18:42, Christian Heimes wrote:
>> From 33be1f56a64e53d261a1058c4606a7e48c0aac52 Mon Sep 17 00:00:00 2001
>> From: Christian Heimes
>> Date: Tue, 1 Dec 2015 15:49:53 +0100
>> Subject: [PATCH 25] Improve error l
Now the correct patch file instead of a vim swap file...
From 33be1f56a64e53d261a1058c4606a7e48c0aac52 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Tue, 1 Dec 2015 15:49:53 +0100
Subject: [PATCH 25] Improve error logging for Dogtag subsystem installation
In the case of a failed
In the case of a failed installation or uninstallation of a Dogtag
subsystem, the error output of pkispawn / pkidestroyed are now shown to
the user. It makes it more obvious what went wrong and makes it easier
to debug a problem.
The error handler also attempts to get the full name of the installa
On 2015-10-09 15:11, Jan Cholasta wrote:
> On 9.10.2015 15:00, Christian Heimes wrote:
>> On 2015-10-09 13:21, Jan Orel wrote:
>>> Hello,
>>>
>>> this patch removes (IMHO) redundant check in cert_show, which fails when
>>> host tries to re-submit c
On 2015-10-09 13:21, Jan Orel wrote:
> Hello,
>
> this patch removes (IMHO) redundant check in cert_show, which fails when
> host tries to re-submit certificate of different host/service which he
> can manage.
>
> I also reported the bug here:
> https://bugzilla.redhat.com/show_bug.cgi?id=1269089
On 2015-09-30 08:05, Alexander Bokovoy wrote:
> On Tue, 29 Sep 2015, Brian Stinson wrote:
>> Hi FreeIPA!
>>
>> We are starting a working group of member projects looking to solve
>> problems
>> related to Community Authentication. The FreeIPA Community Portal
>> feature added
>> this summer is one
On 2015-09-23 12:40, Jan Cholasta wrote:
> On 23.9.2015 11:44, Christian Heimes wrote:
>> On 2015-09-23 10:54, Jan Cholasta wrote:
>>>> Correction, the HTTP server works, but it spits lots of errors in
>>>> error_log about /var/lib/kdcproxy not existing.
>>
On 2015-09-23 10:54, Jan Cholasta wrote:
>> Correction, the HTTP server works, but it spits lots of errors in
>> error_log about /var/lib/kdcproxy not existing.
>>
>> Is the KDCProxy supposed to be installed/enabled on upgrade?
>> If not, why not ?
>> Even if it is not enabled, shouldn't the user
On 2015-09-10 14:58, Rob Crittenden wrote:
> Christian Heimes wrote:
>> The ipa-httpd-kdcproxy script now handles LDAP timeout errors correctly.
>> A timeout no longer results in an Apache startup error.
>>
>> https://fedorahosted.org/freeipa/ticket/5292
>>
The ipa-httpd-kdcproxy script now handles LDAP timeout errors correctly.
A timeout no longer results in an Apache startup error.
https://fedorahosted.org/freeipa/ticket/5292
From 7ae756234534f0c6e750b5820733c6c5cb0682c6 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Thu, 10 Sep
On 2015-08-24 17:31, Petr Viktorin wrote:
0701.2-Use-Python3-compatible-dict-method-names
NACK
Why are you replacing iteritems() with items() instead of using
six.iteritems()?
>
> It looks cleaner, and it will be easier to clean up after six is dropped.
> Also, the performance
On 2015-08-21 12:55, Petr Viktorin wrote:
> On 08/14/2015 07:44 PM, Petr Viktorin wrote:
>> Hello,
>> These patches bring IPA another step towards compatibility with Python 3.
>>
>> Most of these were made by fixers from the "python-modernize" tool, but
>> I reviewed and edited the results.
>
> He
have regenerated API.txt, too.
Christian
From a6eb87a73c1462a4de516f19b219b51e415852e5 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Wed, 19 Aug 2015 13:32:01 +0200
Subject: [PATCH] Add flag to list all service and user vaults
The vault-find plugin has two additional arguments to list al
Number of entries returned 2
https://fedorahosted.org/freeipa/ticket/5150
From 513e4ab2e02e3b5f72b5a83a176b74ee0acba631 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Wed, 19 Aug 2015 13:32:01 +0200
Subject: [PATCH] Add flag to list all service and
On 2015-08-13 14:05, Petr Vobornik wrote:
> On 08/13/2015 12:38 PM, Christian Heimes wrote:
>> On 2015-08-13 12:10, Petr Vobornik wrote:
>>> On 07/23/2015 08:38 PM, Christian Heimes wrote:
>>>> The ipa vault commands now load the public keys in order to verify
>>
On 2015-08-13 12:10, Petr Vobornik wrote:
> On 07/23/2015 08:38 PM, Christian Heimes wrote:
>> The ipa vault commands now load the public keys in order to verify them.
>> The validation also prevents a user from accidentally sending her
>> private keys to the server. The
On 2015-08-12 18:10, Tomas Babej wrote:
>
>
> On 08/10/2015 05:39 PM, Petr Viktorin wrote:
>> On 08/03/2015 11:07 AM, Christian Heimes wrote:
>>> On 2015-07-31 19:14, Petr Viktorin wrote:
>>>> Hello,
>>>> Here is a batch of mostly mechanical chang
On 2015-08-11 09:46, Milan Kubík wrote:
> On 08/11/2015 09:08 AM, Jan Cholasta wrote:
>> On 11.8.2015 09:00, Milan Kubík wrote:
>>
>>> On 08/10/2015 06:22 PM, Milan Kubík wrote:
>>>
On 08/10/2015 06:02 PM, Milan Kubík wrote:
> On 08/10/2015 05:54 PM, Jan Cholasta wrote:
>
>> O
On 2015-08-03 11:30, Jan Cholasta wrote:
> Hi,
>
> Dne 3.8.2015 v 11:22 Christian Heimes napsal(a):
>> Python 3 porting mode for make-lint
>>
>> http://docs.pylint.org/features.html#general-options
>
> I would rather wait until all the modernization patches
Python 3 porting mode for make-lint
http://docs.pylint.org/features.html#general-options
From eb0565a16934a85df5075a6389dc49239e08f699 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Mon, 3 Aug 2015 11:18:03 +0200
Subject: [PATCH] make-lint Python 3 porting mode
pylint can check code for
On 2015-07-31 23:14, Simo Sorce wrote:
> On Fri, 2015-07-31 at 19:14 +0200, Petr Viktorin wrote:
>> Hello,
>> Here is a batch of mostly mechanical changes: removing deprecated
>> features to prepare for Python 3.
>>
>
> Do we have accompanying lint (or similar) tests that will prevent new
> patche
On 2015-07-31 19:14, Petr Viktorin wrote:
> Hello,
> Here is a batch of mostly mechanical changes: removing deprecated
> features to prepare for Python 3.
Out of curiosity, what tool did you use for patch 695-absolute-imports?
Python-modernize adds from __future__ import absolute_imports and
chang
f any
file can't be, an internal error was raised. The patch wraps all reads
and turns any IOError and UnicodeError into a ValidationError.
https://fedorahosted.org/freeipa/ticket/5155
From 71b3fcd6862bae2bfc6ea3e6fd38014ed77d4bac Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Thu, 30 J
On 2015-07-30 15:06, Michael Šimáček wrote:
> I didn't use ctypes, because it was advised against on this list:
> https://www.redhat.com/archives/freeipa-devel/2012-February/msg00268.html
> For the tests it's probably fine, but so is using klist.
> It would actually help a lot with getting the defa
On 2015-07-30 14:37, Jan Cholasta wrote:
> Hi,
>
> Dne 30.7.2015 v 14:07 Christian Heimes napsal(a):
>> Hello,
>>
>> While I was working on the ticket
>> https://fedorahosted.org/freeipa/ticket/5155, I noticed a couple of
>> additional places that
Hello,
While I was working on the ticket
https://fedorahosted.org/freeipa/ticket/5155, I noticed a couple of
additional places that may raise an IOError. Instead of a File()
parameter, the vault plugin uses Str() parameter in combination with
open() to read files.
For passwords I can mostly repl
Can you use contextmanager to store the right value in pre callback and
> then use it in post callback?
> (can find it in dns plugin, search for context)
Sounds good to me!
Christian
PS: Context is a fancy name for a TLS dict. ;)
From 1c7a67f331fb7d07f1e306e292e97b1df810958c Mon Sep 17 00:00
On 2015-07-29 10:09, Michael Šimáček wrote:
> GSSAPI doesn't provide any method (that I'm aware of) to get default
> ccache name. In most cases this is not needed as we can simply not pass
> any name and it will use the default. The ldap plugin had to be adjusted
> for this - the connect method now
2001
From: Christian Heimes
Date: Tue, 28 Jul 2015 16:12:40 +0200
Subject: [PATCH] Change internal rsa_(public|private)_key variable names
In two places the vault plugin refers to rsa public or rsa private key
although the code can handle just any kind of asymmetric algorithms,
e.g. ECDSA. The patch
Hello,
while I was working on https://fedorahosted.org/freeipa/ticket/5142 and
patch 019, I noticed the variable names rsa_public_key and
rsa_private_key in vault.py. load_pem_public_key() can load and return
other key formats (DSA, ECDSA), too. Does vault mean to support the
other algorithms?
In
On 2015-07-24 05:15, Fraser Tweedale wrote:
>> diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py
>> index
>> 5550ed942521dbab2e783fba1570520268f9b378..fe8934690fe09499f0bacb6610d9815a2b4367a4
>> 100644
>> --- a/ipalib/plugins/certprofile.py
>> +++ b/ipalib/plugins/certpro
c-key-file mykey.pem
ipa: ERROR: invalid 'ipavaultpublickey': Invalid or unsupported vault
public key: Could not unserialize key data.
https://fedorahosted.org/freeipa/ticket/5142
https://fedorahosted.org/freeipa/ticket/5143
From fd380c4539fdd18a7d10786230c15a259b097af6 Mon Sep 17 00:00:00
The certprofile-import plugin expects a raw Dogtag config file. The XML
format is not supported. --help gives a hint about the correct file format.
https://fedorahosted.org/freeipa/ticket/5089
From 1344425af2886797ec9cef40a325e56a8d1752eb Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Thu