Re: [Freeipa-devel] Automated Fedora update testing

2017-05-01 Thread Simo Sorce
Top posting FTW! (sorry) Excellent news Adam, this is awesome! Simo. On Fri, 2017-04-28 at 17:07 -0700, Adam Williamson wrote: > Hi folks! I thought this might be of interest to the FreeIPA > community, > so I thought I'd write it up here in case anyone missed it elsewhere. > > I work on the

Re: [Freeipa-devel] KDC proxy URI records

2017-04-27 Thread Simo Sorce
On Thu, 2017-04-27 at 15:56 +0200, Petr Vobornik wrote: > On 04/27/2017 02:19 PM, Christian Heimes wrote: > > On 2017-04-27 14:00, Martin Bašti wrote: > > > I would like to discuss consequences of adding kdc URI records: > > > > > > 1. basically all ipa clients enrolled using autodiscovery will >

Re: [Freeipa-devel] [freeipa PR#723][+ack] Store GSSAPI session key in /var/run/httpd

2017-04-27 Thread Simo Sorce
On Thu, 2017-04-27 at 10:42 +0200, MartinBasti wrote: >   URL: https://github.com/freeipa/freeipa/pull/723 > Title: #723: Store GSSAPI session key in /var/run/httpd > > Label: +ack Guys I explained in the bug[1] that this is wrong, why was this acked and pushed ? Besides how does this even work

Re: [Freeipa-devel] Pagure issue template

2017-04-26 Thread Simo Sorce
t you're right we might be missing > > some, although "CERT" is probably not a good example, installer is. On > > the other hand, "userstory" is a tag I will myself never use on purpose. > >> > >> 2. Also, Having a bot in place which will enforce or a

Re: [Freeipa-devel] KDC proxy URI records

2017-04-26 Thread Simo Sorce
; > > > https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery > > > > https://tools.ietf.org/id/draft-mccallum-kitten-krb-service-discovery-02.txt > > > > > > > > > > Thank you > > > > I found out that wiki page differs from the RFC

Re: [Freeipa-devel] PKINIT Handling in mixed/CA-less topologies

2017-03-24 Thread Simo Sorce
On Fri, 2017-03-24 at 11:52 +0100, Martin Babinsky wrote: > On Fri, Mar 24, 2017 at 10:53:49AM +0200, Alexander Bokovoy wrote: > >On pe, 24 maalis 2017, Martin Babinsky wrote: > >> On Thu, Mar 23, 2017 at 04:46:20PM +0200, Alexander Bokovoy wrote: > >> > On to, 23

Re: [Freeipa-devel] PKINIT Handling in mixed/CA-less topologies

2017-03-23 Thread Simo Sorce
On Thu, 2017-03-23 at 16:08 +0200, Alexander Bokovoy wrote: > On to, 23 maalis 2017, Martin Babinsky wrote: > >Hi List, > > > >TL;DR we have to handle FAST channel establishment when KDC is not issued > >PKINIT keypair > > > >I have spent some time studying and fixing bugs/regressions caused by >

Re: [Freeipa-devel] Please review: V4/AD user short names design draft

2017-03-07 Thread Simo Sorce
On Tue, 2017-03-07 at 09:38 +0100, Martin Babinsky wrote: > On 03/06/2017 01:48 PM, Simo Sorce wrote: > > On Mon, 2017-03-06 at 07:47 +0100, Martin Babinsky wrote: > >> On 03/02/2017 02:54 PM, Simo Sorce wrote: > >>> On Thu, 2017-03-02 at 08:10 +0100, Martin Babin

Re: [Freeipa-devel] Please review: V4/AD user short names design draft

2017-03-06 Thread Simo Sorce
On Mon, 2017-03-06 at 07:47 +0100, Martin Babinsky wrote: > On 03/02/2017 02:54 PM, Simo Sorce wrote: > > On Thu, 2017-03-02 at 08:10 +0100, Martin Babinsky wrote: > >> In this case it would probably be a good idea to think about "forward > >> compatibility"

Re: [Freeipa-devel] Please review: V4/AD user short names design draft

2017-03-02 Thread Simo Sorce
es. In this way we may then just extend whatever object we > desire to carry the override in an easy and clean way. I agree. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Co

Re: [Freeipa-devel] Please review: V4/AD user short names design draft

2017-03-01 Thread Simo Sorce
On Wed, 2017-03-01 at 17:29 +0100, Martin Basti wrote: > > On 01.03.2017 17:04, Simo Sorce wrote: > > On Wed, 2017-03-01 at 16:47 +0100, Martin Babinsky wrote: > >> On 03/01/2017 04:32 PM, Simo Sorce wrote: > >>> On Wed, 2017-03-01 at 16:17 +0100, Martin Babinsky

Re: [Freeipa-devel] Please review: V4/AD user short names design draft

2017-03-01 Thread Simo Sorce
On Wed, 2017-03-01 at 16:47 +0100, Martin Babinsky wrote: > On 03/01/2017 04:32 PM, Simo Sorce wrote: > > On Wed, 2017-03-01 at 16:17 +0100, Martin Babinsky wrote: > >> On 03/01/2017 03:42 PM, Simo Sorce wrote: > >>> On Tue, 2017-02-28 at 13:29 +0100, Martin Bab

Re: [Freeipa-devel] Please review: V4/AD user short names design draft

2017-03-01 Thread Simo Sorce
On Wed, 2017-03-01 at 16:17 +0100, Martin Babinsky wrote: > On 03/01/2017 03:42 PM, Simo Sorce wrote: > > On Tue, 2017-02-28 at 13:29 +0100, Martin Babinsky wrote: > >> Hello list, > >> > >> I have put together a draft of design page describing server-side >

Re: [Freeipa-devel] Please review: V4/AD user short names design draft

2017-03-01 Thread Simo Sorce
n only hosts in that IDView would get this. Or a new object could be created that has members, the former has the advantage of being already in place and SSSD already downloads that data, the latter allows to target an even smaller set of hosts unrelated to previous ID views settings. Simo. --

Re: [Freeipa-devel] Requiring simultaneous authentication to Linux resources

2017-02-22 Thread Simo Sorce
in applying some specified rules in IPA itself ? As explained, there is no such concept in Unix/Linux to start with, but maybe you mean that you want to check credentials of 2 different users to allow privileged login, like root login ? Or is this something else ? It'd be nice if you can describe precisel

Re: [Freeipa-devel] Anonymous PKINIT and kdcproxy

2016-12-12 Thread Simo Sorce
GS-REQ > and AP-REQ+KRB-PRIV. Responses are not filtered. No changes needed, we only use AS and TGS request types. Simo. -- Simo Sorce * Red Hat, Inc * New York
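The request-type filtering the message above refers to, as an added example (it is not FreeIPA or python-kdcproxy code): the proxy only needs to look at the outer DER tag of the Kerberos message to learn whether it is an AS-REQ or a TGS-REQ, and can drop everything else before it reaches the KDC. The tag numbers are the APPLICATION tags from RFC 4120; the 4-byte length framing and the sample messages are constructed for the example, and the body bytes after the tag are dummies.

```python
"""Allow-list filter for Kerberos messages relayed by a KDC proxy.

Added example, not code from FreeIPA or python-kdcproxy. Only the outer
DER tag is decoded; the message body is never parsed. Samples are
constructed inline and carry a dummy body.
"""
import struct

# RFC 4120 APPLICATION tag numbers of the top-level Kerberos messages.
KRB_MSG_TYPES = {
    10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP",
    14: "AP-REQ", 15: "AP-REP", 20: "KRB-SAFE", 21: "KRB-PRIV",
    22: "KRB-CRED", 30: "KRB-ERROR",
}
# The only request types an AS/TGS-only proxy has to forward.
ALLOWED_REQUESTS = {"AS-REQ", "TGS-REQ"}


def krb_message_type(msg: bytes) -> str:
    """Return the message type from the outer DER tag.

    `msg` uses the TCP style framing a KDC proxy carries: a 4-byte
    big-endian length followed by the DER-encoded Kerberos message.
    """
    if len(msg) < 5:
        raise ValueError("message too short")
    (length,) = struct.unpack(">I", msg[:4])
    if length != len(msg) - 4:
        raise ValueError("length prefix does not match payload")
    tag = msg[4]
    # Every top-level Kerberos message is a constructed APPLICATION type:
    # class bits 01, constructed bit set, tag number in the low 5 bits.
    if tag & 0xC0 != 0x40 or not tag & 0x20:
        raise ValueError("not a constructed APPLICATION tag: 0x%02x" % tag)
    tagnum = tag & 0x1F
    if tagnum == 0x1F:
        raise ValueError("high-tag-number form is not used by Kerberos")
    try:
        return KRB_MSG_TYPES[tagnum]
    except KeyError:
        raise ValueError("unknown Kerberos message tag %d" % tagnum) from None


def filter_request(msg: bytes) -> bool:
    """True if the proxied request may be forwarded to the KDC.

    Anything that is not a well-formed AS-REQ or TGS-REQ is dropped,
    including responses sent in the request direction and AP-REQ/KRB-PRIV
    (kpasswd) traffic, which this proxy does not serve.
    """
    try:
        return krb_message_type(msg) in ALLOWED_REQUESTS
    except ValueError:
        return False


def _frame(body: bytes) -> bytes:
    """Prepend the 4-byte length prefix used on the wire."""
    return struct.pack(">I", len(body)) + body


# Constructed samples: outer tag (0x60 + tag number) plus a dummy SEQUENCE body.
SAMPLES = {
    "as_req": _frame(b"\x6a\x03\x30\x01\x00"),    # [APPLICATION 10]
    "tgs_req": _frame(b"\x6c\x03\x30\x01\x00"),   # [APPLICATION 12]
    "ap_req": _frame(b"\x6e\x03\x30\x01\x00"),    # [APPLICATION 14]
    "krb_priv": _frame(b"\x75\x03\x30\x01\x00"),  # [APPLICATION 21]
    "as_rep": _frame(b"\x6b\x03\x30\x01\x00"),    # [APPLICATION 11]
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print("%-8s -> forward=%s" % (name, filter_request(sample)))
```

Because the decision is made on the tag alone, a malformed body still reaches the KDC; that is intentional here, the KDC is the authoritative parser and the proxy only keeps unrelated message types off the wire.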

Re: [Freeipa-devel] [freeipa PR#314][edited] RFC: privilege separation for ipa framework code

2016-12-09 Thread Simo Sorce
On Fri, 2016-12-09 at 08:31 +0100, Martin Basti wrote: > > On 08.12.2016 22:47, Simo Sorce wrote: > > On Thu, 2016-12-08 at 21:46 +0100, simo5 wrote: > >> URL: https://github.com/freeipa/freeipa/pull/314 > >> Author: simo5 > >> Title: #314: RFC: priv

Re: [Freeipa-devel] [freeipa PR#314][edited] RFC: privilege separation for ipa framework code

2016-12-08 Thread Simo Sorce
There seems to be a bug in the mailing list posting script when someone edits a PR description, I see the original text here but not the new text! Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-devel] NTP in FreeIPA

2016-11-30 Thread Simo Sorce
en people just stop caring and do not move to production. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-devel] [freeipa PR#184][comment] Minor install script fixes

2016-10-24 Thread Simo Sorce
that CI integration is currently broken so travis says your commits > failed the checks. > """ Done, and the CI seems happy ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-devel] Feature branches for sub-team efforts

2016-10-17 Thread Simo Sorce
t is finished and tested. > > One dev could probably have a branch on personal fork of FreeIPA on > GitHub which would work as the feature branch. Other team members would > create pull requests against it. Exactly. > In such case we would lose mail notifications and would have to ext

Re: [Freeipa-devel] What would break if loopback addresses were allowed for IPA server?

2016-10-17 Thread Simo Sorce
gt; Before we touch IP address/domain name logic, we need to agree how it should > behave. > > What is the purpose of --ip-address option? > a) Specify IP addresses used in DNS. > ab) What checks should be performed on it? > b) To bind daemons only to specific IP addresses instead of all interfaces? > > I have seen requests for both. We need to decide what is the intended behavior > and design it before making further changes. The spaghetti code is too > intertwined for making any non-systematic changes. > > -- > Petr^2 Spacek > -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-devel] [RFC] Matching and Mapping Certificates

2016-10-17 Thread Simo Sorce
microsoft.com/en-us/library/bb905527.aspx NOTE: Please look at the small paragraph named "Smart card logon across forests", we definitely want to think about this problem as well from the get-go and not try to retrofit something later on. HTH, Simo. -- Simo Sorce * Red Hat, Inc * N

Re: [Freeipa-devel] [PATCH 0097] Properly handle LDAP socket closures in ipa-otpd

2016-09-27 Thread Simo Sorce
t; > To remedy this problem, we pass error events along the same path as > read events. Should the actual read fail, we exit. LGTM Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-09-09 Thread Simo Sorce
On Fri, 2016-09-09 at 13:14 +0200, Standa Laznicka wrote: > On 09/03/2016 06:25 PM, Jan Pazdziora wrote: > > On Thu, Sep 01, 2016 at 11:18:45AM -0400, Simo Sorce wrote: > >> The thing is we (and admins) will be stuck with old client s for a loong > >> time, so we need to

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-09-01 Thread Simo Sorce
ients to ignore the objects you want them to ignore if you > want them not to ignore some. Yes there is, hostgroups again, you see, it works both ways :-) > But all in all thank you for the explanation with the example, it > made some of your previous points more clear. Sure. Simo.

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-09-01 Thread Simo Sorce
On Thu, 2016-09-01 at 16:35 +0200, Standa Laznicka wrote: > On 09/01/2016 03:06 PM, Simo Sorce wrote: > > On Thu, 2016-09-01 at 14:09 +0200, Standa Laznicka wrote: > >> The class ipaHBACRuleV2 is dynamically switched to from ipaHBACRule > >> upon > >> addition o

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-09-01 Thread Simo Sorce
namically. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-30 Thread Simo Sorce
On Tue, 2016-08-30 at 08:47 +0200, Standa Laznicka wrote: > On 08/26/2016 05:37 PM, Simo Sorce wrote: > > On Fri, 2016-08-26 at 11:26 -0400, Simo Sorce wrote: > >> On Fri, 2016-08-26 at 18:09 +0300, Alexander Bokovoy wrote: > >>> On Fri, 26 Aug 2016, Simo Sorce wr

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-29 Thread Simo Sorce
On Mon, 2016-08-29 at 16:35 +0200, Petr Spacek wrote: > On 29.8.2016 16:34, Simo Sorce wrote: > > On Mon, 2016-08-29 at 09:13 +0200, Petr Spacek wrote: > >> On 26.8.2016 17:40, Simo Sorce wrote: > >>> On Fri, 2016-08-26 at 11:37 -0400, Simo Sorce wrote: >

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-29 Thread Simo Sorce
On Mon, 2016-08-29 at 11:15 +0200, Jan Pazdziora wrote: > On Fri, Aug 26, 2016 at 10:39:53AM -0400, Simo Sorce wrote: > > On Fri, 2016-08-26 at 12:39 +0200, Martin Basti wrote: > > > > > > How do you want to enforce HBAC rule that have set time from 10 to 14 &g

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-29 Thread Simo Sorce
On Mon, 2016-08-29 at 09:13 +0200, Petr Spacek wrote: > On 26.8.2016 17:40, Simo Sorce wrote: > > On Fri, 2016-08-26 at 11:37 -0400, Simo Sorce wrote: > >> Ie we could set both "allow" and "allow_with_time" on an object for > >> cases where the ad

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-29 Thread Simo Sorce
On Mon, 2016-08-29 at 08:29 +0200, Jan Cholasta wrote: > On 26.8.2016 16:39, Simo Sorce wrote: > > On Fri, 2016-08-26 at 12:39 +0200, Martin Basti wrote: > >>> I miss "why" part of "To be able to handle backward compatibility > >> with > >>&

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-26 Thread Simo Sorce
On Fri, 2016-08-26 at 11:37 -0400, Simo Sorce wrote: > Ie we could set both "allow" and "allow_with_time" on an object for > cases where the admin wants to enforce the time part only o newer > client > but otherwise apply the rule to any client.

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-26 Thread Simo Sorce
On Fri, 2016-08-26 at 11:26 -0400, Simo Sorce wrote: > On Fri, 2016-08-26 at 18:09 +0300, Alexander Bokovoy wrote: > > On Fri, 26 Aug 2016, Simo Sorce wrote: > > >On Fri, 2016-08-26 at 12:39 +0200, Martin Basti wrote: > > >> > I miss "why" part of &

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-26 Thread Simo Sorce
On Fri, 2016-08-26 at 18:09 +0300, Alexander Bokovoy wrote: > On Fri, 26 Aug 2016, Simo Sorce wrote: > >On Fri, 2016-08-26 at 12:39 +0200, Martin Basti wrote: > >> > I miss "why" part of "To be able to handle backward compatibility > >> with &

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-26 Thread Simo Sorce
H if an admin does not understand this difference, they may be surprised to find out there are clients that do not honor it. Perhaps we could find a way to set a flag on the rule such that when set (and only when set) older clients get excluded by way of changing the objectclass or something else to s
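The failure mode discussed in this thread, as an added example that is not FreeIPA or SSSD code: a client that predates time-based HBAC downloads a time-restricted rule, ignores the time attribute it does not understand, and so enforces the rule as an unconditional allow. The objectclass names ipaHBACRule and ipaHBACRuleV2 are the ones from the thread; the `legacy_excluded` flag (the "set a flag on the rule" idea above), the window representation and the sample rule are assumptions made for this example.

```python
"""Legacy-vs-new client evaluation of a time-restricted HBAC rule.

Added example, not FreeIPA or SSSD code. Models the compatibility
problem from the thread: a client without time support applies a
time-restricted rule unconditionally unless the server hides the rule
from it by storing it under an objectclass the old client never asks for.
"""
from dataclasses import dataclass
from datetime import time
from typing import List, Optional, Set, Tuple


@dataclass
class HbacRule:
    name: str
    users: Set[str]
    hosts: Set[str]
    services: Set[str]
    # (start, end) wall-clock window; None means the rule always applies.
    window: Optional[Tuple[time, time]] = None
    # Assumed flag: when True the server stores the rule as ipaHBACRuleV2,
    # which clients searching only for objectClass=ipaHBACRule never see.
    legacy_excluded: bool = False

    @property
    def objectclass(self) -> str:
        if self.window is not None and self.legacy_excluded:
            return "ipaHBACRuleV2"
        return "ipaHBACRule"


def _matches(rule: HbacRule, user: str, host: str, service: str) -> bool:
    """Membership check; the literal 'all' stands for the HBAC 'all' category."""
    return all(
        needle in haystack or "all" in haystack
        for needle, haystack in ((user, rule.users), (host, rule.hosts), (service, rule.services))
    )


def _in_window(window: Optional[Tuple[time, time]], now: time) -> bool:
    """True if `now` falls inside the window; handles windows crossing midnight."""
    if window is None:
        return True
    start, end = window
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end


def legacy_client_allows(rules: List[HbacRule], user: str, host: str,
                         service: str, now: time) -> bool:
    """Old client: downloads only ipaHBACRule entries and ignores the window."""
    return any(
        r.objectclass == "ipaHBACRule" and _matches(r, user, host, service)
        for r in rules
    )


def new_client_allows(rules: List[HbacRule], user: str, host: str,
                      service: str, now: time) -> bool:
    """Time-aware client: evaluates every rule together with its window."""
    return any(
        _matches(r, user, host, service) and _in_window(r.window, now)
        for r in rules
    )


# Constructed sample: the backup account may ssh to db01 only 10:00-14:00.
BACKUP_WINDOW = (time(10, 0), time(14, 0))
LENIENT_RULES = [HbacRule("backup_window", {"backup"}, {"db01"}, {"sshd"}, BACKUP_WINDOW)]
STRICT_RULES = [HbacRule("backup_window", {"backup"}, {"db01"}, {"sshd"}, BACKUP_WINDOW,
                         legacy_excluded=True)]

if __name__ == "__main__":
    late = time(16, 0)
    print("legacy client, lenient rule, 16:00:",
          legacy_client_allows(LENIENT_RULES, "backup", "db01", "sshd", late))
    print("new client,    lenient rule, 16:00:",
          new_client_allows(LENIENT_RULES, "backup", "db01", "sshd", late))
    print("legacy client, strict rule,  16:00:",
          legacy_client_allows(STRICT_RULES, "backup", "db01", "sshd", late))
```

With the flag unset the old client grants the backup account access at 16:00, outside the window the admin configured; with the flag set the old client never sees the rule at all, which is safe but means the rule is simply inactive on those hosts until they are upgraded.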

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-26 Thread Simo Sorce
> commands like timerule-test. > > > >> > >> On the link below is a PROTOTYPE-patched FreeIPA that covers most of the > >> CLI functionality (except for the creation of iCalendar strings from > >> options) for better illustration of the design. > >&

Re: [Freeipa-devel] [PATCHES] Coverity fixes

2016-08-16 Thread Simo Sorce
On Tue, 2016-08-16 at 12:34 +0200, Martin Basti wrote: > > On 14.08.2016 10:59, Simo Sorce wrote: > > > > On Thu, 2016-08-11 at 14:51 +0200, Martin Basti wrote: > > > > > > On 05.08.2016 14:13, Lukas Slebodnik wrote: > > > >

Re: [Freeipa-devel] [PATCHES] Coverity fixes

2016-08-14 Thread Simo Sorce
On Thu, 2016-08-11 at 14:51 +0200, Martin Basti wrote: > > On 05.08.2016 14:13, Lukas Slebodnik wrote: > > On (05/08/16 12:43), Petr Vobornik wrote: > >> On 07/28/2016 01:01 PM, Martin Basti wrote: > >>> > >>> On 25.07.2016 11:46, Simo Sorce wrot

Re: [Freeipa-devel] [PATCH 0197] re-set canonical principal name on migrated users

2016-07-29 Thread Simo Sorce
On Fri, 2016-07-29 at 15:19 +0200, Martin Basti wrote: > > On 29.07.2016 15:12, Simo Sorce wrote: > > On Fri, 2016-07-29 at 15:10 +0200, Martin Basti wrote: > >> On 29.07.2016 14:42, Florence Blanc-Renaud wrote: > >>> On 07/28/2016 10:56 AM, Martin B

Re: [Freeipa-devel] [PATCH 0197] re-set canonical principal name on migrated users

2016-07-29 Thread Simo Sorce
ui => OK > > > > > > But the patch produces new pep8 complaints: > > ./ipaserver/plugins/migration.py:39:1: E402 module level import not at > > top of file > > This is caused by old code, it should not prevent this patch to be > acked. Imports are

Re: [Freeipa-devel] [PATCH] restrict setkeytab operation

2016-07-26 Thread Simo Sorce
On Mon, 2016-07-25 at 11:26 -0400, Simo Sorce wrote: > On Mon, 2016-07-25 at 11:10 -0400, Rob Crittenden wrote: > > Simo Sorce wrote: > > > On Mon, 2016-07-25 at 10:55 -0400, Rob Crittenden wrote: > > >> Simo Sorce wrote: > > >>> As described in #2

Re: [Freeipa-devel] [Design Review Request] V4/Automatic_Certificate_Request_Generation

2016-07-25 Thread Simo Sorce
On Mon, 2016-07-25 at 12:13 -0400, Ben Lipton wrote: > On 07/25/2016 11:07 AM, Simo Sorce wrote: > > On Mon, 2016-07-25 at 11:04 -0400, Simo Sorce wrote: > >> On Mon, 2016-07-25 at 10:51 -0400, Ben Lipton wrote: > >>> On 07/25/2016 05:07 AM, Simo Sorce wrote: >

Re: [Freeipa-devel] [Design Review Request] V4/Automatic_Certificate_Request_Generation

2016-07-25 Thread Simo Sorce
On Mon, 2016-07-25 at 12:09 -0400, Ben Lipton wrote: > On 07/25/2016 12:03 PM, Simo Sorce wrote: > > On Mon, 2016-07-25 at 18:05 +0300, Alexander Bokovoy wrote: > >>> But maybe I'm not seeing the proper priorities here. Perhaps it's > >> more > >>> of a pr

Re: [Freeipa-devel] [Design Review Request] V4/Automatic_Certificate_Request_Generation

2016-07-25 Thread Simo Sorce
ent side. I would definitely veto any scheme where the client must send the private key to the server. I thought the server would generate the CSR, but then it would be sent to the client for signing ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-devel] [PATCH] restrict setkeytab operation

2016-07-25 Thread Simo Sorce
On Mon, 2016-07-25 at 11:10 -0400, Rob Crittenden wrote: > Simo Sorce wrote: > > On Mon, 2016-07-25 at 10:55 -0400, Rob Crittenden wrote: > >> Simo Sorce wrote: > >>> As described in #232 start restricting the use of the setkeytab > >>> operation to

Re: [Freeipa-devel] [Design Review Request] V4/Automatic_Certificate_Request_Generation

2016-07-25 Thread Simo Sorce
On Mon, 2016-07-25 at 11:04 -0400, Simo Sorce wrote: > On Mon, 2016-07-25 at 10:51 -0400, Ben Lipton wrote: > > On 07/25/2016 05:07 AM, Simo Sorce wrote: > > > On Mon, 2016-07-25 at 10:50 +0200, Jan Cholasta wrote: > > >> Anyway, my main grudge is that the

Re: [Freeipa-devel] [Design Review Request] V4/Automatic_Certificate_Request_Generation

2016-07-25 Thread Simo Sorce
On Mon, 2016-07-25 at 10:51 -0400, Ben Lipton wrote: > On 07/25/2016 05:07 AM, Simo Sorce wrote: > > On Mon, 2016-07-25 at 10:50 +0200, Jan Cholasta wrote: > >> Anyway, my main grudge is that the transformation rules shouldn't > >> really > >> be stored on and

Re: [Freeipa-devel] [PATCH] restrict setkeytab operation

2016-07-25 Thread Simo Sorce
On Mon, 2016-07-25 at 10:55 -0400, Rob Crittenden wrote: > Simo Sorce wrote: > > As described in #232 start restricting the use of the setkeytab > > operation to just the computers objects. > > > > I haven't tested this with older RHEL/CentOS machines that actually use

[Freeipa-devel] [PATCH] restrict setkeytab operation

2016-07-25 Thread Simo Sorce
with this approach. Simo. -- Simo Sorce * Red Hat, Inc * New York From 26afe94cea65ba50041592cf31f97b9e0502aeb0 Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Mon, 25 Jul 2016 06:46:24 -0400 Subject: [PATCH] Restrict the old setkeytab operation Allow it only to set computer

Re: [Freeipa-devel] PATCH: Improve on #2795 patches

2016-07-25 Thread Simo Sorce
On Wed, 2016-07-20 at 15:17 +0200, David Kupka wrote: > On 20/07/16 12:11, Simo Sorce wrote: > > Attached patch introduces a helper function and avoids the questionable > > replace+delete operations where possible (still employed in the > > entry_to_mods function). > &

Re: [Freeipa-devel] [Design Review Request] V4/Automatic_Certificate_Request_Generation

2016-07-25 Thread Simo Sorce
; break all the clients). W/o entering into specifics, +1 as a general comment on this. If it can be done on the client, probably better be done there. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-devel] [DESIGN] Text-based rules for CSR autogeneration using Jinja2

2016-07-20 Thread Simo Sorce
On Wed, 2016-07-20 at 12:14 -0400, Ben Lipton wrote: > On 07/20/2016 10:37 AM, Simo Sorce wrote: > > > > On Wed, 2016-07-20 at 10:17 -0400, Ben Lipton wrote: > > > > > > On 07/20/2016 06:27 AM, Simo Sorce wrote: > > > > > > >

Re: [Freeipa-devel] [DESIGN] Text-based rules for CSR autogeneration using Jinja2

2016-07-20 Thread Simo Sorce
On Tue, 2016-07-19 at 16:20 -0400, Ben Lipton wrote: > Hi, > > I have updated the design page  > http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generati > on/Mapping_Rules  > with my plan for implementing user-configurable rules for mapping > IPA  > data into certificate requests.

[Freeipa-devel] PATCH: Improve on #2795 patches

2016-07-20 Thread Simo Sorce
fec7ed2d2d7d8352d1a6a9cf5607476c9fd5d65f Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Tue, 19 Jul 2016 07:43:50 -0400 Subject: [PATCH] Simplify date manipulation in pwd plugin Use a helper function to perform operations on dates in LDAP attributes. Related to #2795 Signed-off-by: Simo So

Re: [Freeipa-devel] [PATCH] 0023 Bug in the ipapwd plugin

2016-07-19 Thread Simo Sorce
On Tue, 2016-07-19 at 10:17 +0200, thierry bordaz wrote: > > > On 07/13/2016 10:02 PM, Lukas Slebodnik wrote: > > On (13/07/16 16:50), thierry bordaz wrote: > >> https://fedorahosted.org/freeipa/ticket/6030 > >> >From 4efedc5e674db92f9f7c160429df543422ed8afb Mon Sep 17 00:00:00 > 2001 > >> From:

Re: [Freeipa-devel] [DESIGN] Time-Based HBAC Policies

2016-07-15 Thread Simo Sorce
On Fri, 2016-07-15 at 14:29 +0200, Stanislav Laznicka wrote: > On 07/15/2016 02:10 PM, Simo Sorce wrote: > > > > On Wed, 2016-05-18 at 15:28 +0200, Stanislav Laznicka wrote: > > > > > > On 05/18/2016 02:19 PM, Alexander Bokovoy wrote: > > > > &g

Re: [Freeipa-devel] [DESIGN] Time-Based HBAC Policies

2016-07-15 Thread Simo Sorce
On Wed, 2016-05-18 at 15:28 +0200, Stanislav Laznicka wrote: > On 05/18/2016 02:19 PM, Alexander Bokovoy wrote: > > > > On Wed, 18 May 2016, Stanislav Laznicka wrote: > > > > > > > > > > > > > > > > > when removal succeeds but addition fails for some reason? > > > > > The  > > > > > operation

Re: [Freeipa-devel] [PATCH 0179] Preserve user principal aliases during rename operation

2016-07-13 Thread Simo Sorce
On Wed, 2016-07-13 at 16:35 +0200, Martin Babinsky wrote: > On 07/13/2016 04:28 PM, Simo Sorce wrote: > > > > On Wed, 2016-07-13 at 16:19 +0200, Martin Babinsky wrote: > > > > > > On 07/13/2016 03:08 PM, Simo Sorce wrote: > > > > > > > >

Re: [Freeipa-devel] [PATCH 0179] Preserve user principal aliases during rename operation

2016-07-13 Thread Simo Sorce
On Wed, 2016-07-13 at 16:19 +0200, Martin Babinsky wrote: > On 07/13/2016 03:08 PM, Simo Sorce wrote: > > > > On Wed, 2016-07-13 at 14:37 +0200, Petr Vobornik wrote: > > > > > > On 07/12/2016 04:19 PM, Simo Sorce wrote: > > > > > > > > &

Re: [Freeipa-devel] [PATCH 0179] Preserve user principal aliases during rename operation

2016-07-13 Thread Simo Sorce
On Wed, 2016-07-13 at 14:37 +0200, Petr Vobornik wrote: > On 07/12/2016 04:19 PM, Simo Sorce wrote: > > > > On Tue, 2016-07-12 at 15:46 +0200, Martin Babinsky wrote: > > > > > > On 07/12/2016 02:00 PM, Martin Babinsky wrote: > > > > > > >

Re: [Freeipa-devel] [PATCH 0179] Preserve user principal aliases during rename operation

2016-07-13 Thread Simo Sorce
On Wed, 2016-07-13 at 13:53 +0200, Martin Babinsky wrote: > On 07/12/2016 04:19 PM, Simo Sorce wrote: > > > > On Tue, 2016-07-12 at 15:46 +0200, Martin Babinsky wrote: > > > > > > On 07/12/2016 02:00 PM, Martin Babinsky wrote: > > > > > > >

Re: [Freeipa-devel] [PATCH 0179] Preserve user principal aliases during rename operation

2016-07-12 Thread Simo Sorce
On Tue, 2016-07-12 at 15:46 +0200, Martin Babinsky wrote: > On 07/12/2016 02:00 PM, Martin Babinsky wrote: > > > > On 07/12/2016 01:05 PM, Alexander Bokovoy wrote: > > > > > > On Mon, 11 Jul 2016, Martin Babinsky wrote: > > > > > > > > From 185bde00a76459430d95ff207bf1fb3fe31e811a Mon Sep 17 >

Re: [Freeipa-devel] [PATCHES 0069-0077] support for proper Kerberos principal canonicalization

2016-06-22 Thread Simo Sorce
On Wed, 2016-06-22 at 18:36 +0200, Martin Babinsky wrote: > On 06/22/2016 06:26 PM, Simo Sorce wrote: > > On Wed, 2016-06-22 at 09:46 +0200, Martin Babinsky wrote: > >> On 10/05/2015 03:00 PM, Martin Babinsky wrote: > >>> These patches implement the plumbin

Re: [Freeipa-devel] [PATCHES 0069-0077] support for proper Kerberos principal canonicalization

2016-06-22 Thread Simo Sorce
> plumbing for further work (API for alias handling etc.) is in place. > If the patches were all reviewed and tested I say push them. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-devel] [DESIGN] IPA client in AD DNS domain

2016-05-24 Thread Simo Sorce
On Tue, 2016-05-24 at 16:32 +0300, Alexander Bokovoy wrote: > On Tue, 24 May 2016, Simo Sorce wrote: > >On Tue, 2016-05-24 at 10:44 +0300, Alexander Bokovoy wrote: > >> >Alternative technical approach is to add aliases to an host's > >> attribute and >

Re: [Freeipa-devel] [PATCHES 0089-0093] Authentication Indicators

2016-05-24 Thread Simo Sorce
n a proper OID for OTP_REQUIRED_OID ? @@ -446,6 +446,9 @@ IPA Extensions and Controls OIDs 2.16.840.1.113730.3.8.10.6 Token Resynchronization Control OID +2.16.840.1.113730.3.8.10.7 Token Required Control OID +Control to signal an OTP bind is required +
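Review bot: the new entry for 2.16.840.1.113730.3.8.10.7 does not say which side emits the control or whether it carries a value; "Control to signal an OTP bind is required" reads like something the server returns, but a client implementer cannot tell from the text whether this is a request control or a response control, whether it is marked critical, or whether the control value is absent. Spell those three points out in the description, in the same one-line format as the neighbouring "Token Resynchronization Control OID" entry, so the OID table is usable without reading the plugin source.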

Re: [Freeipa-devel] [DESIGN] IPA client in AD DNS domain

2016-05-24 Thread Simo Sorce
ce attributes on the main object, but it still is a manual setting of "referrals" somewhere. > I really do not like these ad-hoc hacks and I'm looking for a > systematic solution. Is this just for certs ? Or something else ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-devel] [DESIGN] IPA client in AD DNS domain

2016-05-24 Thread Simo Sorce
ord here to just mean "hosts that have multiple identities" like clusters/load balancers/proxies etc... ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-devel] [PATCH] pwpolicy: Do not expire passwords when maxlife is set to 0 (infinity).

2016-05-04 Thread Simo Sorce
On Wed, 2016-05-04 at 15:39 +0200, Martin Kosek wrote: > On 05/02/2016 02:28 PM, David Kupka wrote: > > https://fedorahosted.org/freeipa/ticket/2795 > > That patch looks suspiciously short given the struggles I saw in > http://www.redhat.com/archives/freeipa-devel/2015-June/msg00198.html > :-) >

Re: [Freeipa-devel] External trust to AD

2016-05-03 Thread Simo Sorce
gt;|} > > > >We should also add 'external' param to output of trust_find and > >trust_show + corresponding change in Web UI and CLI. > It will be part of trust type string, not a separate param. I reviewed the design and associated tickts, and all checks out for me. I

Re: [Freeipa-devel] Locations design v2: LDAP schema & user interface

2016-04-21 Thread Simo Sorce
On Thu, 2016-04-21 at 17:39 +0200, Petr Spacek wrote: > On 19.4.2016 19:17, Simo Sorce wrote: > > On Tue, 2016-04-19 at 11:11 +0200, Petr Spacek wrote: > >> On 18.4.2016 21:33, Simo Sorce wrote: > >>> On Mon, 2016-04-18 at 17:44 +0200, Petr Spacek wrote: > >&

Re: [Freeipa-devel] [DESIGN] Sub-CAs; authenticating to Custodia

2016-04-19 Thread Simo Sorce
On Tue, 2016-04-19 at 21:57 -0400, Simo Sorce wrote: > On Wed, 2016-04-20 at 11:32 +1000, Fraser Tweedale wrote: > > On Tue, Apr 19, 2016 at 07:48:27AM +0200, Jan Cholasta wrote: > > > On 14.4.2016 08:56, Jan Cholasta wrote: > > > >On 7.4.2016 16:17, Petr Spacek wr

Re: [Freeipa-devel] [DESIGN] Sub-CAs; authenticating to Custodia

2016-04-19 Thread Simo Sorce
>>> > > >>>Now for next question: what should service principal name be? I > > >>>think `dogtag/example@example.com' but am open to other > > >>>suggestions, e.g. `pki/...'. > > >> > > >>Do you plan to attempt to stan

Re: [Freeipa-devel] Locations design v2: LDAP schema & user interface

2016-04-19 Thread Simo Sorce
On Tue, 2016-04-19 at 11:11 +0200, Petr Spacek wrote: > On 18.4.2016 21:33, Simo Sorce wrote: > > On Mon, 2016-04-18 at 17:44 +0200, Petr Spacek wrote: > >> * Find, filter and copy hand-made records from main tree into the > >> _locations sub-trees. This means

Re: [Freeipa-devel] [DESIGN] Kerberos principal alias handling

2016-04-19 Thread Simo Sorce
On Tue, 2016-04-19 at 12:37 +0200, Martin Babinsky wrote: > On 04/19/2016 10:11 AM, David Kupka wrote: > > On 18/04/16 21:42, Simo Sorce wrote: > >> On Wed, 2016-04-13 at 07:50 +0200, David Kupka wrote: > >>> On 08/04/16 17:10, Martin Babinsky wrote: > >&

Re: [Freeipa-devel] [PATCH] 0051 Allow CustodiaClient to be used by arbitrary principals

2016-04-18 Thread Simo Sorce
On Thu, 2016-04-14 at 16:33 +1000, Fraser Tweedale wrote: > On Wed, Apr 13, 2016 at 11:15:50AM +1000, Fraser Tweedale wrote: > > On Tue, Apr 12, 2016 at 09:31:30AM -0400, Simo Sorce wrote: > > > On Sat, 2016-04-09 at 10:11 +1000, Fraser Tweedale wrote: > > > > On F

Re: [Freeipa-devel] [DESIGN] Kerberos principal alias handling

2016-04-18 Thread Simo Sorce
it conditional and this all starts to sound a lot like a new domain level. OTOH only alias resolution fails on older KDCs, so that may be ok in some cases. Are there any strong opinions? Should we make this change optional and activate it only when enough features come up that demand a new domain level ?

Re: [Freeipa-devel] Locations design v2: LDAP schema & user interface

2016-04-18 Thread Simo Sorce
by default and needs additional configuration > anyway so simply upgrading should not break anything. It is also useless this way. > I'm eager to hear opinions and answers to questions above. HTH, Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-devel] [PATCH] 0051 Allow CustodiaClient to be used by arbitrary principals

2016-04-12 Thread Simo Sorce
On Sat, 2016-04-09 at 10:11 +1000, Fraser Tweedale wrote: > On Fri, Apr 08, 2016 at 10:47:19AM -0400, Simo Sorce wrote: > > On Sat, 2016-04-09 at 00:23 +1000, Fraser Tweedale wrote: > > > -name = gssapi.Name('host@

Re: [Freeipa-devel] DNs of Custodia keys

2016-04-12 Thread Simo Sorce
On Tue, 2016-04-12 at 21:26 +1000, Fraser Tweedale wrote: > On Tue, Apr 12, 2016 at 12:55:50PM +0200, Jan Cholasta wrote: > > Hi, > > > > On 12.4.2016 09:03, Fraser Tweedale wrote: > > >Hi Simo and Honza et al, > > > > > >I have a design challenge pertaining to DNs for Custodia keys. > > >DNs for

Re: [Freeipa-devel] [DESIGN] Kerberos principal alias handling

2016-04-11 Thread Simo Sorce
Name: user_TWO@ > krbPrincipalName: user_One@ > > So KDB, searching as case insensitive > "krbPrincipalName:caseIgnoreIA5Match:=USER_one@" will > retrieve user_one and user_two ? Yes, but it is an error to have the same alias (differing just by
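The collision described in this exchange, as an added example that is not FreeIPA code: because the KDB lookup uses caseIgnoreIA5Match, an alias on user_two that differs from user_one's name only by case makes one lookup return both entries, so the server has to refuse such an alias when it is added. The attribute name krbPrincipalName and the user_one/user_two case are from the thread; the DNs, the realm EXAMPLE.TEST and the third entry are constructed.

```python
"""Case-insensitive uniqueness check for Kerberos principal aliases.

Added example, not FreeIPA code. `lookup_ci` shows what the KDB search
(krbPrincipalName:caseIgnoreIA5Match:=...) returns, `find_alias_conflicts`
audits an existing tree and `can_add_alias` is the check an add operation
should run before extending krbPrincipalName. Entries are constructed.
"""
from collections import defaultdict
from typing import Dict, List


def normalize(principal: str) -> str:
    """Approximate caseIgnoreIA5Match string preparation: the value must be
    IA5 (ASCII), case is folded and insignificant whitespace collapsed."""
    if not principal.isascii():
        raise ValueError("IA5 string expected: %r" % principal)
    return " ".join(principal.split()).lower()


def lookup_ci(entries: Dict[str, List[str]], principal: str) -> List[str]:
    """DNs whose krbPrincipalName values match `principal` ignoring case."""
    key = normalize(principal)
    return sorted(dn for dn, names in entries.items()
                  if any(normalize(n) == key for n in names))


def find_alias_conflicts(entries: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Aliases that, ignoring case, are owned by more than one entry."""
    owners = defaultdict(set)
    for dn, names in entries.items():
        for n in names:
            owners[normalize(n)].add(dn)
    return {alias: sorted(dns) for alias, dns in owners.items() if len(dns) > 1}


def can_add_alias(entries: Dict[str, List[str]], dn: str, alias: str) -> bool:
    """Reject an alias if any *other* entry already owns a case variant of
    it. Case variants inside the same entry are harmless for lookups."""
    return [d for d in lookup_ci(entries, alias) if d != dn] == []


# Constructed sample tree; user_two carries a case variant of user_one's name.
ENTRIES = {
    "uid=user_one,cn=users,cn=accounts,dc=example,dc=test": [
        "user_one@EXAMPLE.TEST", "User_One@EXAMPLE.TEST"],
    "uid=user_two,cn=users,cn=accounts,dc=example,dc=test": [
        "user_two@EXAMPLE.TEST", "user_TWO@EXAMPLE.TEST", "user_One@EXAMPLE.TEST"],
    "uid=alice,cn=users,cn=accounts,dc=example,dc=test": [
        "alice@EXAMPLE.TEST"],
}

if __name__ == "__main__":
    print("lookup USER_one ->", lookup_ci(ENTRIES, "USER_one@EXAMPLE.TEST"))
    print("conflicts       ->", find_alias_conflicts(ENTRIES))
```

Kerberos itself treats principal names as case-sensitive, so the check is deliberately stricter than the protocol requires; it is the LDAP matching rule chosen for the lookup, not Kerberos, that forces case-insensitive uniqueness.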

Re: [Freeipa-devel] [DESIGN] Kerberos principal alias handling

2016-04-11 Thread Simo Sorce
w replicas can work in the same topology. > > > Ok I will make this more clear. Old attributes should not be populated, we are abandoning them because they can't work, they will simply not be removed from the schema to avoid constraints violations, but they will rapidly be deprecated and not us

Re: [Freeipa-devel] [PATCH] 0051 Allow CustodiaClient to be used by arbitrary principals

2016-04-08 Thread Simo Sorce
On Sat, 2016-04-09 at 00:23 +1000, Fraser Tweedale wrote: > -name = gssapi.Name('host@%s' % (self.client,), > > - gssapi.NameType.hostbased_service) If you remove this then on a server that has nfs keys in the keytab you may end up acquiring the wrong
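Review bot: deleting `name = gssapi.Name('host@%s' % (self.client,), gssapi.NameType.hostbased_service)` outright leaves credential acquisition with no name constraint, so it picks whichever principal the library finds first in the keytab; since the goal of the PR is "Allow CustodiaClient to be used by arbitrary principals", make the name a constructor parameter that defaults to this host-based name instead of removing it, so existing callers keep acquiring the host principal and new callers pass their own.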

Re: [Freeipa-devel] [DESIGN] Sub-CAs; authenticating to Custodia

2016-04-07 Thread Simo Sorce
On Thu, 2016-04-07 at 16:43 +1000, Fraser Tweedale wrote: > Hi team, > > I updated the Sub-CAs design page with more detail for the key > replication[1]. This part of the design is nearly complete (a large > patchset is in review over at pki-devel@) but there are various > options about how to

Re: [Freeipa-devel] [DESIGN] Server Roles

2016-03-19 Thread Simo Sorce
am not sure why we use enable/disable verbs here, why not a simple add/remove ? enable/disable usually means you can add a role but keep it disabled, or that you can keep a role installed and just disable it, but that is not really the case. Also I would like to draw attention to one other aspect. Ro

Re: [Freeipa-devel] [PATCH] 955 sessions: use unique mod_auth_gssapi ccaches

2016-03-19 Thread Simo Sorce
- Original Message - > From: "Petr Vobornik" <pvobo...@redhat.com> > To: "Simo Sorce" <s...@redhat.com> > Cc: "freeipa-devel" <freeipa-devel@redhat.com> > Sent: Wednesday, March 16, 2016 12:16:02 PM > Subject: Re: [PATCH] 955

Re: [Freeipa-devel] [DESIGN] Server Roles

2016-03-18 Thread Simo Sorce
On Fri, 2016-03-18 at 15:28 +0100, Petr Vobornik wrote: > On 03/18/2016 02:59 PM, Simo Sorce wrote: > > On Fri, 2016-03-18 at 14:44 +0100, Petr Vobornik wrote: > >> On 03/18/2016 10:59 AM, Martin Kosek wrote: > >>> On 03/18/2016 10:47 AM, Martin Babinsky wrote:

Re: [Freeipa-devel] [PATCH] 0008 Add X-Frame-Options and frame-ancestors options

2016-03-10 Thread Simo Sorce
On Thu, 2016-03-10 at 19:20 +0100, Pavel Vomacka wrote: > > On 03/10/2016 07:02 PM, Simo Sorce wrote: > > On Thu, 2016-03-10 at 18:47 +0100, Pavel Vomacka wrote: > >> Hi, > >> > >> These two options allow preventing clickjacking attacks. They don't &

Re: [Freeipa-devel] [PATCH] 0008 Add X-Frame-Options and frame-ancestors options

2016-03-10 Thread Simo Sorce
On Thu, 2016-03-10 at 18:47 +0100, Pavel Vomacka wrote: > Hi, > > These two options allow preventing clickjacking attacks. They don't > allow open FreeIPA in frame, iframe or object element. Will these apply to the whole server or just to /ipa ? Simo. -- Simo Sorce * Red Hat, In

Re: [Freeipa-devel] [PATCH] 955 sessions: use unique mod_auth_gssapi ccaches

2016-03-10 Thread Simo Sorce
I was thinking about keeping a record of the expiration time (not sure where yet), and then provide a cron job or a systemd timer to clean up all expired stuff. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mail

Re: [Freeipa-devel] [PATCH 558] Allow disabling requiring preauth by default for Service Principal Names

2016-03-08 Thread Simo Sorce
On Tue, 2016-03-08 at 17:20 +0100, Martin Babinsky wrote: > On 03/08/2016 05:00 PM, Simo Sorce wrote: > > On Tue, 2016-03-08 at 16:51 +0100, Martin Babinsky wrote: > >> On 03/08/2016 04:49 PM, Simo Sorce wrote: > >>> On Fri, 2015-12-04 at 14:23 +0100, Martin Babinsky

Re: [Freeipa-devel] [PATCH 558] Allow disabling requiring preauth by default for Service Principal Names

2016-03-08 Thread Simo Sorce
On Tue, 2016-03-08 at 16:51 +0100, Martin Babinsky wrote: > On 03/08/2016 04:49 PM, Simo Sorce wrote: > > On Fri, 2015-12-04 at 14:23 +0100, Martin Babinsky wrote: > >> On 12/01/2015 10:08 PM, Simo Sorce wrote: > >>> On Tue, 2015-12-01 at 15:59 +0100, Martin Babinsky

Re: [Freeipa-devel] [PATCH 558] Allow disabling requiring preauth by default for Service Principal Names

2016-03-08 Thread Simo Sorce
On Fri, 2015-12-04 at 14:23 +0100, Martin Babinsky wrote: > On 12/01/2015 10:08 PM, Simo Sorce wrote: > > On Tue, 2015-12-01 at 15:59 +0100, Martin Babinsky wrote: > >> On 11/30/2015 07:42 PM, Simo Sorce wrote: > >>> On Wed, 2015-11-25 at 10:33 +0100, Martin Babinsky

Re: [Freeipa-devel] Supporting UPNs of trusted forests

2016-03-02 Thread Simo Sorce
discussed with Sumit > -- one is to store TLNs as attributes of TDO, another is to create > separate TDOs, building on the fact you noticed: > >Btw trustdomain object has ipantflatname and ipanttrusteddomainsid > >attributes as optional so it is possible to store it there assuming > >modification of KDB driver. > This is what I did already in the prototype: > https://abbra.fedorapeople.org/.paste/0001-WIP-support-UPNs-for-trusted-domain-users.master.patch > > So we are sure that either way would work, the question is what would be > more usable UX-wise. How does Windows represent them ? I'd try to stick to something close to what AD does to avoid pain if later is found that the way Windows does things is necessary (or just easier) to keep adding further options down the road. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [REVIEW] Initial stab towards Authentication Indicators

2016-02-26 Thread Simo Sorce
On Fri, 2016-02-26 at 15:44 -0500, Nathaniel McCallum wrote: > On Fri, 2016-02-26 at 11:20 -0500, Simo Sorce wrote: > > On Fri, 2016-02-26 at 10:24 -0500, Nathaniel McCallum wrote: > > > I was thinking: > > > 1. Bind as the entity validating the 2nd factor.

Re: [Freeipa-devel] URI in HBAC rules - patch - request for feedback

2016-02-26 Thread Simo Sorce
On Fri, 2016-02-26 at 17:17 +0100, Jakub Hrozek wrote: > On Fri, Feb 26, 2016 at 10:58:57AM -0500, Simo Sorce wrote: > > On Fri, 2016-02-26 at 13:17 +0100, Lukáš Hellebrandt wrote: > > > Hi, FreeIPA and SSSD communities! > > > > > > I am working on adding UR

Re: [Freeipa-devel] [REVIEW] Initial stab towards Authentication Indicators

2016-02-26 Thread Simo Sorce
On Fri, 2016-02-26 at 10:24 -0500, Nathaniel McCallum wrote: > On Fri, 2016-02-26 at 10:12 -0500, Simo Sorce wrote: > > On Fri, 2016-02-26 at 09:30 -0500, Nathaniel McCallum wrote: > > > > > > On Thu, 2016-02-25 at 16:51 -0500, Simo Sorce wrote: > > > >

Re: [Freeipa-devel] URI in HBAC rules - patch - request for feedback

2016-02-26 Thread Simo Sorce
It is not clear to me what happens on an older client if URL is used but not the service? Or is service always enforced ? (It is not clear to me that it is). HTH, Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-devel mailing list: https://www.re
