[Freeipa-devel] [PATCH] 0253 ipa-client: Use ipa as the package name for i18n
IPA uses ipa as the package name for all translations, even in the ipa-client package. https://fedorahosted.org/freeipa/ticket/3695 -- PetrĀ³ From 8ec85dd495faedda09286967cfa0706a08955848 Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Thu, 18 Jul 2013 17:40:17 +0200 Subject: [PATCH] ipa-client: Use ipa as the package name for i18n IPA uses ipa as the package name for all translations, even in the ipa-client package. https://fedorahosted.org/freeipa/ticket/3695 --- ipa-client/ipa-client-common.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ipa-client/ipa-client-common.c b/ipa-client/ipa-client-common.c index 68861c654e2254c4aceccd5497e8eda3f2c593de..23f384a6e0855582de8a83b84f40c40dd3b6c148 100644 --- a/ipa-client/ipa-client-common.c +++ b/ipa-client/ipa-client-common.c @@ -33,13 +33,13 @@ int init_gettext(void) } errno = 0; -c = bindtextdomain(PACKAGE, LOCALEDIR); +c = bindtextdomain(ipa, LOCALEDIR); if (c == NULL) { return errno; } errno = 0; -c = textdomain(PACKAGE); +c = textdomain(ipa); if (c == NULL) { return errno; } -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0253 ipa-client: Use ipa as the package name for i18n
On Fri, Jul 19, 2013 at 10:46:13AM +0200, Petr Viktorin wrote: IPA uses ipa as the package name for all translations, even in the ipa-client package. https://fedorahosted.org/freeipa/ticket/3695 --- ipa-client/ipa-client-common.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ipa-client/ipa-client-common.c b/ipa-client/ipa-client-common.c index 68861c654e2254c4aceccd5497e8eda3f2c593de..23f384a6e0855582de8a83b84f40c40dd3b6c148 100644 --- a/ipa-client/ipa-client-common.c +++ b/ipa-client/ipa-client-common.c @@ -33,13 +33,13 @@ int init_gettext(void) } errno = 0; -c = bindtextdomain(PACKAGE, LOCALEDIR); +c = bindtextdomain(ipa, LOCALEDIR); if (c == NULL) { return errno; } errno = 0; -c = textdomain(PACKAGE); +c = textdomain(ipa); Ack. -- Jan Pazdziora | adelton at #ipa*, #brno Principal Software Engineer, Identity Management Engineering, Red Hat ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0049 Use admin@REALM when testing if SSSD is ready
On Thu, 18 Jul 2013, Ana Krivokapic wrote: Hello, This patch addresses ticket https://fedorahosted.org/freeipa/ticket/3771. ACK. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0049 Use admin@REALM when testing if SSSD is ready
On 07/18/2013 07:56 PM, Ana Krivokapic wrote: Hello, This patch addresses ticket https://fedorahosted.org/freeipa/ticket/3771. ACK. Pushed to master, ipa-3-2. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 436 Remove word 'field' from GECOS param label
Remove word 'field' from GECOS param label No other param/field has 'field' in a label. -- Petr Vobornik From a7f58da057c41c0902fde6b4f0c66d6ba5d5fdec Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Fri, 19 Jul 2013 13:35:17 +0200 Subject: [PATCH] Remove word 'field' from GECOS param label No other param/field has 'field' in a label. --- ipalib/plugins/user.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 5d667dc94d483c2775d4a1d793624fc081615047..9087a1ba269716fb65ce7c53a95f4edfbfdcd56a 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -263,7 +263,7 @@ class user(LDAPObject): label=_('Home directory'), ), Str('gecos?', -label=_('GECOS field'), +label=_('GECOS'), default_from=lambda givenname, sn: '%s %s' % (givenname, sn), autofill=True, ), -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 436 Remove word 'field' from GECOS param label
On Fri, Jul 19, 2013 at 01:44:57PM +0200, Petr Vobornik wrote: Remove word 'field' from GECOS param label No other param/field has 'field' in a label. I'm not sure I'm in favour of the change. Calling it just GECOS does not make much sense because as an informational field in /etc/passwd, it is not General Electric Comprehensive Operating System. It is the field that was (I assume) acced by/for GECOS back then but still the full name is GECOS field (of /etc/passwd). -- Jan Pazdziora | adelton at #ipa*, #brno Principal Software Engineer, Identity Management Engineering, Red Hat ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0076] Use AD LDAP probing to create trusted domain ID range
On Friday 19 of July 2013 12:32:04 Tomas Babej wrote: Hi, I still need to test this with AD 2008. Sending so that code can get some review before that. https://fedorahosted.org/freeipa/ticket/3649 Tomas This version fixes few small build nitpicks. TomasFrom c7dbbf5523176b713fd651c6c817c46806afbfc2 Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Wed, 17 Jul 2013 15:55:36 +0200 Subject: [PATCH] Use AD LDAP probing to create trusted domain ID range When creating a trusted domain ID range, probe AD DC to get information about ID space leveraged by POSIX users already defined in AD, and create an ID range with according parameters. For more details: http://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD https://fedorahosted.org/freeipa/ticket/3649 --- API.txt | 2 +- VERSION | 2 +- ipalib/plugins/trust.py | 105 +--- ipaserver/dcerpc.py | 163 +- ipaserver/install/installutils.py | 7 +- 5 files changed, 225 insertions(+), 54 deletions(-) diff --git a/API.txt b/API.txt index 44b3dd444964c8dac595177f8601c82d0235eabe..2773f3d5c88ffa05ab7587dd9f0df97b350e45ca 100644 --- a/API.txt +++ b/API.txt @@ -3283,7 +3283,7 @@ arg: Str('cn', attribute=True, cli_name='realm', multivalue=False, primary_key=T option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Int('base_id?', cli_name='base_id') -option: Int('range_size?', autofill=True, cli_name='range_size', default=20) +option: Int('range_size?', cli_name='range_size') option: StrEnum('range_type?', cli_name='range_type', values=(u'ipa-ad-trust-posix', u'ipa-ad-trust')) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('realm_admin?', cli_name='admin') diff --git a/VERSION b/VERSION index 8606d724e6c8c785ba9d554ed3effa905573e25f..8a36c6304d7cfe0452eae5dbdc7a5d2951ab 100644 --- a/VERSION +++ b/VERSION @@ -89,4 +89,4 @@ IPA_DATA_VERSION=2010061412 # # IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=61 +IPA_API_VERSION_MINOR=62 diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 965ff76bb7968a8d2784e67478eb824dc3f0621b..40432c6074bb19e1a31c21e7e32d5b85c12d7210 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -20,9 +20,13 @@ from ipalib.plugins.baseldap import * from ipalib.plugins.dns import dns_container_exists +from ipapython.ipautil import realm_to_suffix from ipalib import api, Str, StrEnum, Password, _, ngettext from ipalib import Command from ipalib import errors +from ldap import SCOPE_SUBTREE +from time import sleep + try: import pysss_murmur #pylint: disable=F0401 _murmur_installed = True @@ -292,8 +296,6 @@ sides. Int('range_size?', cli_name='range_size', label=_('Size of the ID range reserved for the trusted domain'), -default=DEFAULT_RANGE_SIZE, -autofill=True ), StrEnum('range_type?', label=_('Range type'), @@ -313,7 +315,7 @@ sides. result = self.execute_ad(full_join, *keys, **options) if not old_range: -self.add_range(range_name, dom_sid, **options) +self.add_range(range_name, dom_sid, *keys, **options) trust_filter = cn=%s % result['value'] ldap = self.obj.backend @@ -418,9 +420,7 @@ sides. 'Only the ipa-ad-trust and ipa-ad-trust-posix are ' 'allowed values for --range-type when adding an AD ' 'trust.' -) - -) +)) base_id = options.get('base_id') range_size = options.get('range_size') != DEFAULT_RANGE_SIZE @@ -468,9 +468,90 @@ sides. return old_range, range_name, dom_sid -def add_range(self, range_name, dom_sid, **options): -base_id = options.get('base_id') -if not base_id: +def add_range(self, range_name, dom_sid, *keys, **options): + +First, we try to derive the parameters of the ID range based on the +information contained in the Active Directory. + +If that was not successful, we go for our usual defaults (random base, +range size 200 000, ipa-ad-trust range type). + +Any of these can be overriden by passing appropriate CLI options +to the trust-add command. + + +range_size = None +range_type = None +base_id = None + +# First, get information about ID space from AD + +# Get the base dn +domain = keys[-1] +basedn = realm_to_suffix(domain) + +# Search for information contained in +#
Re: [Freeipa-devel] [PATCH] 436 Remove word 'field' from GECOS param label
On 07/19/2013 02:20 PM, Jan Pazdziora wrote: On Fri, Jul 19, 2013 at 01:44:57PM +0200, Petr Vobornik wrote: Remove word 'field' from GECOS param label No other param/field has 'field' in a label. I'm not sure I'm in favour of the change. Calling it just GECOS does not make much sense because as an informational field in /etc/passwd, it is not General Electric Comprehensive Operating System. It is the field that was (I assume) acced by/for GECOS back then but still the full name is GECOS field (of /etc/passwd). Disclaimer: I have no strong feelings in this matter, it just looks weird to me, so I'm OK with not doing it if it's general consensus. Originally we wanted to do this change in https://fedorahosted.org/freeipa/ticket/3569 but it was not done because of string freeze. I guess you can add field suffix to every field from /etc/password when you use it in a sentence but that doesn't necessary mean that it's its name. man 5 passwd doesn't use word 'field' next to GECOS in fields description/list either. IMO our use case is the same. Historically correct label would probably be 'GECOS identity' but that's not usable today as it's purpose is more general. -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 436 Remove word 'field' from GECOS param label
On Fri, Jul 19, 2013 at 03:17:49PM +0200, Petr Vobornik wrote: Disclaimer: I have no strong feelings in this matter, it just looks weird to me, so I'm OK with not doing it if it's general consensus. Originally we wanted to do this change in https://fedorahosted.org/freeipa/ticket/3569 but it was not done because of string freeze. I guess you can add field suffix to every field from /etc/password when you use it in a sentence but that doesn't necessary mean that You can. But gid exists as a concept beyond /etc/passwd. So does home directory. The GECOS field value does not, really. it's its name. man 5 passwd doesn't use word 'field' next to GECOS in fields description/list either. IMO our use case is the same. It says: GECOS This field (sometimes called the comment field) [...] The gcos field in the password file was [...] Historically correct label would probably be 'GECOS identity' but that's not usable today as it's purpose is more general. -- Jan Pazdziora | adelton at #ipa*, #brno Principal Software Engineer, Identity Management Engineering, Red Hat ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 143-147 Improve performance with large groups
On 19.7.2013 13:10, Petr Vobornik wrote: On 07/18/2013 05:29 PM, Jan Cholasta wrote: On 18.7.2013 17:26, Martin Kosek wrote: On 07/18/2013 05:22 PM, Jan Cholasta wrote: On 18.7.2013 17:07, Martin Kosek wrote: On 07/18/2013 04:53 PM, Jan Cholasta wrote: Added patch which adds new hidden option no_members to suppress membership processing for commands of all objects that have member attributes. This can be used by the WebUI to prevent member lookups where they are not necessary (as we discussed off-line with Martin and Petr). Honza 1) Should the new option really have exclude='webui'? I thought that Web UI is the main and only consumer of this option. The 'webui' context doesn't actually exist and the only meaning of this stanza is that the option is not shown in the output of the show_mappings command. 2) I would clearly state this is an internal option only, e.g. + doc=_('INTERNAL: suppress processing of membership attributes.'), No other internal option has this kind of thing in its doc and nobody will see it anyway, so we might just leave it like that IMHO. OK. 3) It would be nice to state that this option is mutually exclusive with --all, but given it is internal anyway and there is no central place to define it, we do not need to do that. The options are not really mutually exclusive at this point, they can be specified together, --all takes precedence. Well, they can be specified together, but the option is then NOOP which could confuse users which may have different expectations. Being explicit helps. I agree. But as I said, in this case this is not a requirement. I agree as well :-) Honza Functional ACK for Honza's patch (didn't break Web UI test suite) Attaching Web UI patch. It: 1) Removed --all from _find and _show commands used by search pages. All displayed attributes should be already included in default attributes. 2) Removed search_all_attributes - Not needed since introduction of paging. 3) Added --no-members options to search _show commmands. Hmm, is the has_members function used to distinguish between objects with members and without members? If so, would it be helpful to add the no_members option to all commands (just like all and raw), so that you don't have to do this check? Honza -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 143-147 Improve performance with large groups
On 07/19/2013 03:49 PM, Jan Cholasta wrote: On 19.7.2013 13:10, Petr Vobornik wrote: On 07/18/2013 05:29 PM, Jan Cholasta wrote: On 18.7.2013 17:26, Martin Kosek wrote: On 07/18/2013 05:22 PM, Jan Cholasta wrote: On 18.7.2013 17:07, Martin Kosek wrote: On 07/18/2013 04:53 PM, Jan Cholasta wrote: Added patch which adds new hidden option no_members to suppress membership processing for commands of all objects that have member attributes. This can be used by the WebUI to prevent member lookups where they are not necessary (as we discussed off-line with Martin and Petr). Honza 1) Should the new option really have exclude='webui'? I thought that Web UI is the main and only consumer of this option. The 'webui' context doesn't actually exist and the only meaning of this stanza is that the option is not shown in the output of the show_mappings command. 2) I would clearly state this is an internal option only, e.g. + doc=_('INTERNAL: suppress processing of membership attributes.'), No other internal option has this kind of thing in its doc and nobody will see it anyway, so we might just leave it like that IMHO. OK. 3) It would be nice to state that this option is mutually exclusive with --all, but given it is internal anyway and there is no central place to define it, we do not need to do that. The options are not really mutually exclusive at this point, they can be specified together, --all takes precedence. Well, they can be specified together, but the option is then NOOP which could confuse users which may have different expectations. Being explicit helps. I agree. But as I said, in this case this is not a requirement. I agree as well :-) Honza Functional ACK for Honza's patch (didn't break Web UI test suite) Attaching Web UI patch. It: 1) Removed --all from _find and _show commands used by search pages. All displayed attributes should be already included in default attributes. 2) Removed search_all_attributes - Not needed since introduction of paging. 3) Added --no-members options to search _show commmands. Hmm, is the has_members function used to distinguish between objects with members and without members? If so, would it be helpful to add the no_members option to all commands (just like all and raw), so that you don't have to do this check? Honza Yes, that's its purpose. IMO it doesn't matter now, the function is implemented. The only benefits would be small, not noticeable, performance gain and tolerance to incorrect use of --no-members. Doesn't look like a reason for polluting all commands with it. -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 428 Hide delete button in multivalued widget if attr is not writable
On 07/18/2013 05:50 PM, James wrote: On Thu, 2013-07-18 at 12:11 +0200, Petr Vobornik wrote: Hide delete button in multivalued widget if attr is not writable Hey, Maybe it would be a good idea to set the disabled state of the button instead of removing it? That way it's obvious that some attrs can be deleted, and it won't cause users to search for a button that doesn't exist... Cheers, James Hello, Note: the button is actually in a form of a link The approach you're proposing is often valid and a preferred one but I don't think it's the best approach for our case. Web UI uses a pattern where textboxes are changed to simple text when user doesn't have write rights. This transformation pretty much says: no you can't do anything with this attribute. This pattern is all around the UI since textbox is the most common widget. Multivalued widget internally uses textboxes and so that transformation. It also already hides the 'add' button (link). IMO leaving 'delete' buttons next to the text values just clutters the UI. -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] DNSSEC support design considerations: key material handling
I will reply to the rest of the message later if necessary, still digesting some of your answers, but I wanted to address the following first. On Fri, 2013-07-19 at 18:29 +0200, Petr Spacek wrote: The most important question at the moment is What can we postpone? How fragile it can be for shipping it as part of Fedora 20? Could we declare DNSSEC support as technology preview/don't use it for anything serious? Until we figur out proper management in LDAP we will be a bit stuck, esp if we want to consider usin the 'somthing' that stores keys instead of toring them stright in LDAP. So maybe we can start with allowing just one server to do DNSSEC and source keys from files for now ? as soon as we have that workign we should also have clearer plans about how we manage keys in LDAP (or elsewhere). Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 428 Hide delete button in multivalued widget if attr is not writable
On Fri, 2013-07-19 at 17:59 +0200, Petr Vobornik wrote: Hello, Note: the button is actually in a form of a link I didn't notice this before. Sorry for the noise. James The approach you're proposing is often valid and a preferred one but I don't think it's the best approach for our case. Web UI uses a pattern where textboxes are changed to simple text when user doesn't have write rights. This transformation pretty much says: no you can't do anything with this attribute. This pattern is all around the UI since textbox is the most common widget. Multivalued widget internally uses textboxes and so that transformation. It also already hides the 'add' button (link). IMO leaving 'delete' buttons next to the text values just clutters the UI. signature.asc Description: This is a digitally signed message part ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 436 Remove word 'field' from GECOS param label
On 07/19/2013 09:26 AM, Jan Pazdziora wrote: On Fri, Jul 19, 2013 at 03:17:49PM +0200, Petr Vobornik wrote: Disclaimer: I have no strong feelings in this matter, it just looks weird to me, so I'm OK with not doing it if it's general consensus. Originally we wanted to do this change in https://fedorahosted.org/freeipa/ticket/3569 but it was not done because of string freeze. I guess you can add field suffix to every field from /etc/password when you use it in a sentence but that doesn't necessary mean that You can. But gid exists as a concept beyond /etc/passwd. So does home directory. The GECOS field value does not, really. it's its name. man 5 passwd doesn't use word 'field' next to GECOS in fields description/list either. IMO our use case is the same. It says: GECOS This field (sometimes called the comment field) [...] The gcos field in the password file was [...] Historically correct label would probably be 'GECOS identity' but that's not usable today as it's purpose is more general. Do we have tips in the UI? May be we should add them in future to provide extra information about meaning of the field or button. For now I think GECOS would probably be good enough. Adding field makes it more precise but looks weird. -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0076] Use AD LDAP probing to create trusted domain ID range
On Fri, 19 Jul 2013, Tomas Babej wrote: On Friday 19 of July 2013 12:32:04 Tomas Babej wrote: Hi, I still need to test this with AD 2008. Sending so that code can get some review before that. https://fedorahosted.org/freeipa/ticket/3649 Tomas This version fixes few small build nitpicks. ACK, works fine for me. It requires my patches 0109-0110. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] FreeIPA AD Trust improvements, Fedora 19 Test Day, July 25th
Hello, The FreeIPA team is happy to welcome you to a Fedora Test Day that is being held on Thursday, July 25th. We would like to invite you to take part in testing of the upcoming FreeIPA 3.3 release containing 2 major improvements for easier deployment of FreeIPA Active Directory Trust feature to existing environments: 1) Use POSIX attributes defined in Active Directory [1] With previous FreeIPA releases, users coming from Active Directory to FreeIPA managed machines were always assigned POSIX attributes (UID and GID) by algorithmic mapping. However, in some deployments, Active Directory users and groups already have defined custom POSIX attribute values (UID and GID), which may then be leveraged on Linux machines via other 3rd party Active Directory integration solutions. Administrator may choose to keep the values to not disrupt file ownerships. With FreeIPA 3.3, FreeIPA Active Directory Trust may be configured to use these attributes when Active Directory user authenticates to Linux machines. 2) Expose POSIX data on legacy systems without recent SSSD Administrators may have a deployment of machines which cannot use the recent SSSD with Active Directory Trust support but would still like to be able to authenticate with Active Directory user to these machines. This may affect for example older Linux machines, UNIX machines. With FreeIPA 3.3, Administrator may configure a compatibility LDAP tree which will contain identities of the Active Directory users to the legacy systems. These systems may then leverage standard LDAP authentication in this tree allowing selected Active Directory users to authenticate. To read more about the Test Day and suggested tests, see the following link: https://fedoraproject.org/wiki/Test_Day:2013-07-25_AD_trusts_with_POSIX_attributes_in_AD_and_support_for_old_clients Thank you for your help and participation! The FreeIPA team [1] http://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD [2] http://www.freeipa.org/page/V3/Serving_legacy_clients_for_trusts [IdM | IPA] FAQs: https://url.corp.redhat.com/idm-faq Identity Management SME Team on Docspace https://url.corp.redhat.com/sme-idm Search the archives: post-office.corp.redhat.com/mailman/listinfo/idm-tech ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel