On Fri, 2015-05-29 at 17:23 -0400, Adam Young wrote:
> On 05/28/2015 01:29 AM, Jan Cholasta wrote:
> > On 27.5.2015 at 15:51, Nathaniel McCallum wrote:
> >> On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote:
> >>> On 27.5.2015 at 15:43, Simo Sorce wrote:
> On Wed, 2015-05-27 at 13:57
On 05/28/2015 01:29 AM, Jan Cholasta wrote:
On 27.5.2015 at 15:51, Nathaniel McCallum wrote:
On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote:
On 27.5.2015 at 15:43, Simo Sorce wrote:
On Wed, 2015-05-27 at 13:57 +0200, Jan Cholasta wrote:
ipa config-mod --enable-kdcproxy=TRUE
On 2015-05-28 15:28, Martin Kosek wrote:
> In the end, Alexander had a good point that there will be some needed
> associated configuration changes in DNS, when the KdcProxy is
> enabled/disabled:
>
> http://www.redhat.com/archives/freeipa-devel/2015-May/msg00522.html
>
> In which case, we may w
On Thu, 2015-05-28 at 12:10 +0200, Petr Spacek wrote:
> On 28.5.2015 11:59, Martin Kosek wrote:
> > On 05/28/2015 11:12 AM, Alexander Bokovoy wrote:
> >> On Thu, 28 May 2015, Petr Spacek wrote:
> >>> On 28.5.2015 07:42, Jan Cholasta wrote:
> On 27.5.2015 at 15:54, Simo Sorce wrote:
> >
On 05/28/2015 03:06 PM, Simo Sorce wrote:
> On Thu, 2015-05-28 at 07:42 +0200, Jan Cholasta wrote:
>> On 27.5.2015 at 15:54, Simo Sorce wrote:
>>> On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote:
On 27.5.2015 at 15:43, Simo Sorce wrote:
> On Wed, 2015-05-27 at 13:57 +0200, Jan
On Thu, 2015-05-28 at 12:14 +0300, Alexander Bokovoy wrote:
> On Thu, 28 May 2015, Martin Kosek wrote:
> >On 05/28/2015 10:02 AM, Jan Cholasta wrote:
> >> On 28.5.2015 at 09:45, Christian Heimes wrote:
> >>> On 2015-05-28 07:32, Jan Cholasta wrote:
> Dne 27.5.2015 v 16:01 Christian Heimes n
On Thu, 2015-05-28 at 07:42 +0200, Jan Cholasta wrote:
> On 27.5.2015 at 15:54, Simo Sorce wrote:
> > On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote:
> >> On 27.5.2015 at 15:43, Simo Sorce wrote:
> >>> On Wed, 2015-05-27 at 13:57 +0200, Jan Cholasta wrote:
> >>
> >> ipa co
On 28/05/15 14:06, Christian Heimes wrote:
On 2015-05-28 13:29, Martin Basti wrote:
On 28/05/15 12:53, Christian Heimes wrote:
On 2015-05-28 12:46, Martin Kosek wrote:
I am fine with this too. So if there is not another major disagreement, let us
start with enabling KDCPROXY by default during
On 2015-05-28 13:29, Martin Basti wrote:
> On 28/05/15 12:53, Christian Heimes wrote:
>> On 2015-05-28 12:46, Martin Kosek wrote:
>>> I am fine with this too. So if there is not another major disagreement, let
>>> us
>>> start with enabling KDCPROXY by default during upgrade/install, the new ACI
On 2015-05-28 13:30, Jan Cholasta wrote:
> On 28.5.2015 at 12:53, Christian Heimes wrote:
>> On 2015-05-28 12:46, Martin Kosek wrote:
>>> I am fine with this too. So if there is not another major
>>> disagreement, let us
>>> start with enabling KDCPROXY by default during upgrade/install, the
>>>
On 28.5.2015 at 13:56, Christian Heimes wrote:
On 2015-05-28 13:30, Jan Cholasta wrote:
On 28.5.2015 at 12:53, Christian Heimes wrote:
On 2015-05-28 12:46, Martin Kosek wrote:
I am fine with this too. So if there is not another major
disagreement, let us
start with enabling KDCPROXY by d
On 28.5.2015 12:53, Christian Heimes wrote:
> On 2015-05-28 12:46, Martin Kosek wrote:
>> I am fine with this too. So if there is not another major disagreement,
>> let us start with enabling KDCPROXY by default during upgrade/install,
>> the new ACI and the per-replica standard configuration.
>>
On 28.5.2015 at 12:53, Christian Heimes wrote:
On 2015-05-28 12:46, Martin Kosek wrote:
I am fine with this too. So if there is not another major disagreement, let us
start with enabling KDCPROXY by default during upgrade/install, the new ACI and
the per-replica standard configuration.
API C
On 28/05/15 12:53, Christian Heimes wrote:
On 2015-05-28 12:46, Martin Kosek wrote:
I am fine with this too. So if there is not another major disagreement, let us
start with enabling KDCPROXY by default during upgrade/install, the new ACI and
the per-replica standard configuration.
API CLI/UI c
On 2015-05-28 12:46, Martin Kosek wrote:
> I am fine with this too. So if there is not another major disagreement, let us
> start with enabling KDCPROXY by default during upgrade/install, the new ACI
> and
> the per-replica standard configuration.
>
> API CLI/UI can come later (4.2.x or 4.3).
LG
On 05/28/2015 12:27 PM, Alexander Bokovoy wrote:
> On Thu, 28 May 2015, Christian Heimes wrote:
>> On 2015-05-28 12:10, Petr Spacek wrote:
I see. My question is - if we go this way, what is then the reasonable
subset
configuration functionality realistic for FreeIPA 4.2 GA? (As we w
On Thu, 28 May 2015, Christian Heimes wrote:
On 2015-05-28 12:10, Petr Spacek wrote:
I see. My question is - if we go this way, what is then the reasonable subset
configuration functionality realistic for FreeIPA 4.2 GA? (As we want this
feature in for 4.2). Is ipa-kdcproxy-manage doable?
What
On 2015-05-28 12:10, Petr Spacek wrote:
>> I see. My question is - if we go this way, what is then the reasonable subset
>> configuration functionality realistic for FreeIPA 4.2 GA? (As we want this
>> feature in for 4.2). Is ipa-kdcproxy-manage doable?
>>
>> What is the proposed API here?
>>
>> ip
On 28.5.2015 11:59, Martin Kosek wrote:
> On 05/28/2015 11:12 AM, Alexander Bokovoy wrote:
>> On Thu, 28 May 2015, Petr Spacek wrote:
>>> On 28.5.2015 07:42, Jan Cholasta wrote:
On 27.5.2015 at 15:54, Simo Sorce wrote:
> On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote:
>> Dne
On 05/28/2015 11:12 AM, Alexander Bokovoy wrote:
> On Thu, 28 May 2015, Petr Spacek wrote:
>> On 28.5.2015 07:42, Jan Cholasta wrote:
>>> On 27.5.2015 at 15:54, Simo Sorce wrote:
On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote:
> On 27.5.2015 at 15:43, Simo Sorce wrote:
>>
On Thu, 28 May 2015, Martin Kosek wrote:
On 05/28/2015 10:02 AM, Jan Cholasta wrote:
On 28.5.2015 at 09:45, Christian Heimes wrote:
On 2015-05-28 07:32, Jan Cholasta wrote:
On 27.5.2015 at 16:01, Christian Heimes wrote:
On 2015-05-27 15:51, Nathaniel McCallum wrote:
As I understand the
On Thu, 28 May 2015, Petr Spacek wrote:
On 28.5.2015 07:42, Jan Cholasta wrote:
On 27.5.2015 at 15:54, Simo Sorce wrote:
On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote:
On 27.5.2015 at 15:43, Simo Sorce wrote:
On Wed, 2015-05-27 at 13:57 +0200, Jan Cholasta wrote:
ipa conf
On 05/28/2015 07:29 AM, Jan Cholasta wrote:
> On 27.5.2015 at 15:51, Nathaniel McCallum wrote:
>> On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote:
>>> On 27.5.2015 at 15:43, Simo Sorce wrote:
On Wed, 2015-05-27 at 13:57 +0200, Jan Cholasta wrote:
>>>
>>> ipa config-mod
On 05/28/2015 10:02 AM, Jan Cholasta wrote:
> On 28.5.2015 at 09:45, Christian Heimes wrote:
>> On 2015-05-28 07:32, Jan Cholasta wrote:
>>> On 27.5.2015 at 16:01, Christian Heimes wrote:
On 2015-05-27 15:51, Nathaniel McCallum wrote:
> As I understand the problem, there is an assump
On 28.5.2015 07:42, Jan Cholasta wrote:
> On 27.5.2015 at 15:54, Simo Sorce wrote:
>> On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote:
>>> On 27.5.2015 at 15:43, Simo Sorce wrote:
On Wed, 2015-05-27 at 13:57 +0200, Jan Cholasta wrote:
>>>
>>> ipa config-mod --enable-kd
On 2015-05-28 10:02, Jan Cholasta wrote:
>> The python-kdcproxy package is a new dependency for the freeipa-server
>> package. It will always get installed with the server.
>
> Why? None of the IPA core functionality depends on it, so it should be
> optional. Also the overall trend in IPA is to ha
On 28.5.2015 at 09:45, Christian Heimes wrote:
On 2015-05-28 07:32, Jan Cholasta wrote:
On 27.5.2015 at 16:01, Christian Heimes wrote:
On 2015-05-27 15:51, Nathaniel McCallum wrote:
As I understand the problem, there is an assumption that an optional
component has a distinct service to s
On 2015-05-28 07:32, Jan Cholasta wrote:
> On 27.5.2015 at 16:01, Christian Heimes wrote:
>> On 2015-05-27 15:51, Nathaniel McCallum wrote:
>>> As I understand the problem, there is an assumption that an optional
>>> component has a distinct service to start and stop. That is not the
>>> case he
On 27.5.2015 at 15:54, Simo Sorce wrote:
On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote:
On 27.5.2015 at 15:43, Simo Sorce wrote:
On Wed, 2015-05-27 at 13:57 +0200, Jan Cholasta wrote:
ipa config-mod --enable-kdcproxy=TRUE
ipa config-mod --enable-kdcproxy=FALSE
I don'
On 27.5.2015 at 16:01, Christian Heimes wrote:
On 2015-05-27 15:51, Nathaniel McCallum wrote:
As I understand the problem, there is an assumption that an optional
component has a distinct service to start and stop. That is not the
case here. This is just new config for apache.
More details:
On 27.5.2015 at 15:51, Nathaniel McCallum wrote:
On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote:
On 27.5.2015 at 15:43, Simo Sorce wrote:
On Wed, 2015-05-27 at 13:57 +0200, Jan Cholasta wrote:
ipa config-mod --enable-kdcproxy=TRUE
ipa config-mod --enable-kdcproxy=FALSE
On 2015-05-27 15:41, Petr Vobornik wrote:
> It would be great to have a privileged daemon which could observe
> replicated configuration and perform such tasks on all servers so we
> would eliminate manual tasks (and errors and misconceptions which are
> caused by forgotten manual tasks) as much as
On 2015-05-27 15:51, Nathaniel McCallum wrote:
> As I understand the problem, there is an assumption that an optional
> component has a distinct service to start and stop. That is not the
> case here. This is just new config for apache.
More details:
The KDC Proxy uses the same Apache instance as
On Wed, 2015-05-27 at 15:41 +0200, Petr Vobornik wrote:
> On 05/27/2015 03:34 PM, Christian Heimes wrote:
> > On 2015-05-27 14:47, Petr Vobornik wrote:
> >> Install/uninstall is not the same thing as enable/disable. Installation
> >> is a set of steps which first configures and then (optionally) en
On Wed, 2015-05-27 at 15:41 +0200, Petr Vobornik wrote:
> On 05/27/2015 03:34 PM, Christian Heimes wrote:
> > On 2015-05-27 14:47, Petr Vobornik wrote:
> > > Install/uninstall is not the same thing as enable/disable.
> > > Installation
> > > is a set of steps which first configures and then (optio
On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote:
> On 27.5.2015 at 15:43, Simo Sorce wrote:
> > On Wed, 2015-05-27 at 13:57 +0200, Jan Cholasta wrote:
>
> ipa config-mod --enable-kdcproxy=TRUE
> ipa config-mod --enable-kdcproxy=FALSE
> >>
> >> I don't like this appro
On 27.5.2015 at 15:43, Simo Sorce wrote:
On Wed, 2015-05-27 at 13:57 +0200, Jan Cholasta wrote:
ipa config-mod --enable-kdcproxy=TRUE
ipa config-mod --enable-kdcproxy=FALSE
I don't like this approach, as it is completely inconsistent with
every
other optional component. There shoul
On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote:
> On 27.5.2015 at 15:43, Simo Sorce wrote:
> > On Wed, 2015-05-27 at 13:57 +0200, Jan Cholasta wrote:
> > > > >
> > > > > ipa config-mod --enable-kdcproxy=TRUE
> > > > > ipa config-mod --enable-kdcproxy=FALSE
> > >
> > > I don't li
On Wed, 2015-05-27 at 13:57 +0200, Jan Cholasta wrote:
> >>
> >>ipa config-mod --enable-kdcproxy=TRUE
> >>ipa config-mod --enable-kdcproxy=FALSE
>
> I don't like this approach, as it is completely inconsistent with
> every
> other optional component. There should be *one* way to handle th
On 05/27/2015 03:34 PM, Christian Heimes wrote:
On 2015-05-27 14:47, Petr Vobornik wrote:
Install/uninstall is not the same thing as enable/disable. Installation
is a set of steps which first configures and then (optionally) enables
the component.
E.g:
1. modify configuration file(s), ldap entr
On 27.5.2015 at 14:47, Petr Vobornik wrote:
On 05/27/2015 01:57 PM, Jan Cholasta wrote:
On 27.5.2015 at 13:34, Martin Kosek wrote:
On 05/27/2015 01:33 PM, Christian Heimes wrote:
On 2015-05-27 11:59, Martin Kosek wrote:
On 05/27/2015 11:53 AM, Alexander Bokovoy wrote:
On Wed, 27 May 20
On 2015-05-27 14:47, Petr Vobornik wrote:
> Install/uninstall is not the same thing as enable/disable. Installation
> is a set of steps which first configures and then (optionally) enables
> the component.
>
> E.g:
> 1. modify configuration file(s), ldap entries
> 2. run something which starts the
On 05/27/2015 01:57 PM, Jan Cholasta wrote:
On 27.5.2015 at 13:34, Martin Kosek wrote:
On 05/27/2015 01:33 PM, Christian Heimes wrote:
On 2015-05-27 11:59, Martin Kosek wrote:
On 05/27/2015 11:53 AM, Alexander Bokovoy wrote:
On Wed, 27 May 2015, Martin Kosek wrote:
On 05/26/2015 05:40 PM,
On 27.5.2015 at 13:34, Martin Kosek wrote:
On 05/27/2015 01:33 PM, Christian Heimes wrote:
On 2015-05-27 11:59, Martin Kosek wrote:
On 05/27/2015 11:53 AM, Alexander Bokovoy wrote:
On Wed, 27 May 2015, Martin Kosek wrote:
On 05/26/2015 05:40 PM, Jan Cholasta wrote:
Dne 22.5.2015 v 12:24 C
On 05/27/2015 01:33 PM, Christian Heimes wrote:
> On 2015-05-27 11:59, Martin Kosek wrote:
>> On 05/27/2015 11:53 AM, Alexander Bokovoy wrote:
>>> On Wed, 27 May 2015, Martin Kosek wrote:
On 05/26/2015 05:40 PM, Jan Cholasta wrote:
> On 22.5.2015 at 12:24, Christian Heimes wrote:
.
On 2015-05-27 11:59, Martin Kosek wrote:
> On 05/27/2015 11:53 AM, Alexander Bokovoy wrote:
>> On Wed, 27 May 2015, Martin Kosek wrote:
>>> On 05/26/2015 05:40 PM, Jan Cholasta wrote:
On 22.5.2015 at 12:24, Christian Heimes wrote:
>>> ...
> Finally I haven't figured out the best way to
On 05/27/2015 11:53 AM, Alexander Bokovoy wrote:
> On Wed, 27 May 2015, Martin Kosek wrote:
>> On 05/26/2015 05:40 PM, Jan Cholasta wrote:
>>> On 22.5.2015 at 12:24, Christian Heimes wrote:
>> ...
Finally I haven't figured out the best way to configure the instance. An
admin should be
On 26.5.2015 17:56, Christian Heimes wrote:
> On 2015-05-26 17:11, Nathaniel McCallum wrote:
>> I don't want to add code that: 1. is half-baked 2. we aren't committed
>> to supporting.
>>
>> I'd rather land per-replica switches as a separate commit with
>> everything polished and supportable.
>
On Wed, 27 May 2015, Martin Kosek wrote:
On 05/26/2015 05:40 PM, Jan Cholasta wrote:
On 22.5.2015 at 12:24, Christian Heimes wrote:
...
Finally I haven't figured out the best way to configure the instance. An
admin should be able to enable / disable KDC proxy. Should I write a
script or a i
On 05/26/2015 05:40 PM, Jan Cholasta wrote:
> On 22.5.2015 at 12:24, Christian Heimes wrote:
...
>> Finally I haven't figured out the best way to configure the instance. An
>> admin should be able to enable / disable KDC proxy. Should I write a
>> script or an ipa plugin for the job?
>
> A scrip
On 2015-05-26 17:11, Nathaniel McCallum wrote:
> I don't want to add code that:
> 1. is half-baked
> 2. we aren't committed to supporting.
>
> I'd rather land per-replica switches as a separate commit with
> everything polished and supportable.
Well then ... I'm going to remove the code for per-r
On 22.5.2015 at 12:24, Christian Heimes wrote:
Hello,
since May 1st I'm a new Red Hat employee and developer with the FreeIPA
team. Some of you may already recognize my name from my contributions to
CPython core, Python security and TLS/SSL improvements, or a couple of
PEPs. I'm very glad tha
On Tue, 2015-05-26 at 17:09 +0200, Christian Heimes wrote:
> On 2015-05-26 16:50, Nathaniel McCallum wrote:
> > Right. So as I see it, we have three options:
> > 1. Merge kdcproxy soon with a global switch.
> > A. Build per-replica switches later.
> > B. Never build per-replica switches.
> > 2.
On 2015-05-26 16:50, Nathaniel McCallum wrote:
> Right. So as I see it, we have three options:
> 1. Merge kdcproxy soon with a global switch.
> A. Build per-replica switches later.
> B. Never build per-replica switches.
> 2. Merge kdcproxy later with per-replica switches.
>
> I don't think hav
On Tue, 2015-05-26 at 16:43 +0200, Christian Heimes wrote:
> On 2015-05-26 16:24, Martin Kosek wrote:
> > On 05/26/2015 04:17 PM, Christian Heimes wrote:
> > > On 2015-05-26 15:57, Nathaniel McCallum wrote:
> > > > /KdcProxy
> > > >
> > > > "The URI uses the virtual directory /KdcProxy unless othe
On 2015-05-26 16:24, Martin Kosek wrote:
> On 05/26/2015 04:17 PM, Christian Heimes wrote:
>> On 2015-05-26 15:57, Nathaniel McCallum wrote:
>>> /KdcProxy
>>>
>>> "The URI uses the virtual directory /KdcProxy unless otherwise
>>> configured."
>>>
>>> https://msdn.microsoft.com/en-us/library/hh55389
On 05/26/2015 04:17 PM, Christian Heimes wrote:
On 2015-05-26 15:57, Nathaniel McCallum wrote:
/KdcProxy
"The URI uses the virtual directory /KdcProxy unless otherwise
configured."
https://msdn.microsoft.com/en-us/library/hh553891.aspx
Also, the proxy should be available over both HTTP and HT
On 2015-05-26 15:57, Nathaniel McCallum wrote:
> /KdcProxy
>
> "The URI uses the virtual directory /KdcProxy unless otherwise
> configured."
>
> https://msdn.microsoft.com/en-us/library/hh553891.aspx
>
> Also, the proxy should be available over both HTTP and HTTPS.
Easy-peasy! I'm using /KdcPro
On Fri, 2015-05-22 at 12:24 +0200, Christian Heimes wrote:
> Here is what I have so far:
>
> 1) The FreeIPA webui already depends on Apache and mod_wsgi. KDC
> proxy
> will run from the same Apache HTTPD instance but it will use a
> different
> mod_wsgi daemon configuration. A second WSGI daemon
On 2015-05-22 14:02, Petr Vobornik wrote:
> Actually the service part of "IPA servers" is not covered in the
> proposal. The proposal just says that it can be added later.
>
> There will be question if it should even be called "services". Maybe
> capabilities would be better term given that KDC Pr
On 22/05/15 13:02, Martin Kosek wrote:
On 05/22/2015 12:24 PM, Christian Heimes wrote:
Hello,
since May 1st I'm a new Red Hat employee and developer with the FreeIPA
team. Some of you may already recognize my name from my contributions to
CPython core, Python security and TLS/SSL improvements,
On 05/22/2015 01:17 PM, Christian Heimes wrote:
On 2015-05-22 13:02, Martin Kosek wrote:
The original proposal was to do it globally in cn=config. But if it is
about to be stored in the cn=masters, per-replica, this looks as the
right way.
My first proposal used cn=ipaConfig,cn=etc because it
On 2015-05-22 13:02, Martin Kosek wrote:
> The original proposal was to do it globally in cn=config. But if it is
> about to be stored in the cn=masters, per-replica, this looks as the
> right way.
My first proposal used cn=ipaConfig,cn=etc because it was the first
place I found. It took me a bit
On 05/22/2015 12:24 PM, Christian Heimes wrote:
Hello,
since May 1st I'm a new Red Hat employee and developer with the FreeIPA
team. Some of you may already recognize my name from my contributions to
CPython core, Python security and TLS/SSL improvements, or a couple of
PEPs. I'm very glad that