Rob Crittenden wrote:
> Dmitri Pal wrote:
>> Simo Sorce wrote:
>>> On Fri, 2009-10-30 at 15:56 -0400, Dmitri Pal wrote:
>>>
But then you have to update it on all replicas and will definitely
forget to do it.
Is it really a hassle to have it in the DS?
>>> Yes it means you
On Fri, 2009-10-30 at 16:36 -0400, Dmitri Pal wrote:
> No. No. No.
> You got me totally wrong.
> Of cause out of band by puppet/cfengine/etc...
> It is just FF needs to store these properties somewhere these engines
> actually can reach.
> An d this is what we need to make sure that FF guys address
Simo Sorce wrote:
> On Fri, 2009-10-30 at 16:25 -0400, Dmitri Pal wrote:
>
>> Simo Sorce wrote:
>>
>>> On Fri, 2009-10-30 at 15:57 -0400, Rob Crittenden wrote:
>>>
>>>
The message is not configurable, it just says that something is
trying
to modify your user prefer
On Fri, 2009-10-30 at 16:25 -0400, Dmitri Pal wrote:
> Simo Sorce wrote:
> > On Fri, 2009-10-30 at 15:57 -0400, Rob Crittenden wrote:
> >
> >> The message is not configurable, it just says that something is
> >> trying
> >> to modify your user preferences.
> >>
> >
> > And rightly so, this
I wasn't able to find a command-line program to remove principals from a
keytab so I wrote my own. ktutil can do it but it doesn't take
command-line arguments. Java ships a utility named ktab but adding a
huge dependency for one app seem a bit much :-)
In any case, this program has 2 modes:
1
Dmitri Pal wrote:
Simo Sorce wrote:
On Fri, 2009-10-30 at 15:56 -0400, Dmitri Pal wrote:
But then you have to update it on all replicas and will definitely
forget to do it.
Is it really a hassle to have it in the DS?
Yes it means you have to build a UI to manage that attribute, create
On Fri, 2009-10-30 at 16:21 -0400, Dmitri Pal wrote:
> Simo Sorce wrote:
> > On Fri, 2009-10-30 at 15:56 -0400, Dmitri Pal wrote:
> >
> >> But then you have to update it on all replicas and will definitely
> >> forget to do it.
> >> Is it really a hassle to have it in the DS?
> >>
> >
> > Y
Simo Sorce wrote:
> On Fri, 2009-10-30 at 15:57 -0400, Rob Crittenden wrote:
>
>> The message is not configurable, it just says that something is
>> trying
>> to modify your user preferences.
>>
>
> And rightly so, this is a security warning. If it were modifiable a
> rogue server could ch
Simo Sorce wrote:
> On Fri, 2009-10-30 at 15:56 -0400, Dmitri Pal wrote:
>
>> But then you have to update it on all replicas and will definitely
>> forget to do it.
>> Is it really a hassle to have it in the DS?
>>
>
> Yes it means you have to build a UI to manage that attribute, create it,
Rob Crittenden wrote:
> Dmitri Pal wrote:
Why make them fail?
>>> True, it isn't ideal but all users fail the first time in the browser
>>> as it is. There isn't a stable way to pre-configure the browser
>>> currently. It either involves directly modifying files in the firefox
>>> rpm which w
On Fri, 2009-10-30 at 15:57 -0400, Rob Crittenden wrote:
>
> The message is not configurable, it just says that something is
> trying
> to modify your user preferences.
And rightly so, this is a security warning. If it were modifiable a
rogue server could change the message to ask: "do you like
On Fri, 2009-10-30 at 15:56 -0400, Dmitri Pal wrote:
> But then you have to update it on all replicas and will definitely
> forget to do it.
> Is it really a hassle to have it in the DS?
Yes it means you have to build a UI to manage that attribute, create it,
find a place where to store it in the
Dmitri Pal wrote:
Why make them fail?
True, it isn't ideal but all users fail the first time in the browser
as it is. There isn't a stable way to pre-configure the browser
currently. It either involves directly modifying files in the firefox
rpm which will both cause rpm verification issues and
Simo Sorce wrote:
> On Fri, 2009-10-30 at 15:52 -0400, Dmitri Pal wrote:
>
>> I guess if we put the message into an attribute somewhere in the
>> cn=config and pull it from DS instead of making it a part of the page
>> itself
>> we would give the admin choice what to tell user to do in this case
> Neither anything else :)
> I guess the best thing is to allow each site to put up a customize
> message with instructions on what to do next and by default set a
> message valid for a fully kerberized machine.
>
> Simo.
>
>
We agree :-)
--
Thank you,
Dmitri Pal
Engineering Manager IPA proj
On Fri, 2009-10-30 at 15:52 -0400, Dmitri Pal wrote:
> I guess if we put the message into an attribute somewhere in the
> cn=config and pull it from DS instead of making it a part of the page
> itself
> we would give the admin choice what to tell user to do in this case.
> "Kinit" or "logoff/login"
Dmitri Pal wrote:
> Ok I buy this.
> Just have questions below...
>
> Simo Sorce wrote:
>
>> Ok now on a more serious note ...
>>
>> On Fri, 2009-10-30 at 14:28 -0400, Dmitri Pal wrote:
>>
>>
>>> Why we can't call kinit (or equivalent) on their behalf as soon as we
>>> migrated them righ
On Fri, 2009-10-30 at 15:43 -0400, Dmitri Pal wrote:
> Ok I buy this.
> Just have questions below...
>
> Simo Sorce wrote:
> > Ok now on a more serious note ...
> >
> > On Fri, 2009-10-30 at 14:28 -0400, Dmitri Pal wrote:
> >
> >> Why we can't call kinit (or equivalent) on their behalf as soon
>
>> Why make them fail?
>
> True, it isn't ideal but all users fail the first time in the browser
> as it is. There isn't a stable way to pre-configure the browser
> currently. It either involves directly modifying files in the firefox
> rpm which will both cause rpm verification issues and be l
Ok I buy this.
Just have questions below...
Simo Sorce wrote:
> Ok now on a more serious note ...
>
> On Fri, 2009-10-30 at 14:28 -0400, Dmitri Pal wrote:
>
>> Why we can't call kinit (or equivalent) on their behalf as soon as we
>> migrated them right away ourselves and then redirect then to t
Ok now on a more serious note ...
On Fri, 2009-10-30 at 14:28 -0400, Dmitri Pal wrote:
> Why we can't call kinit (or equivalent) on their behalf as soon as we
> migrated them right away ourselves and then redirect then to the right
> place - self service page?
We could call kinit and store the cr
On Fri, 2009-10-30 at 14:28 -0400, Dmitri Pal wrote:
>
> Am I smoking something?
Sorry but I think so :-)
Simo.
--
Simo Sorce * Red Hat, Inc * New York
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/f
Dmitri Pal wrote:
Rob Crittenden wrote:
Pavel Zuna wrote:
Rob Crittenden wrote:
Pavel Zuna wrote:
Example output of migration plugin:
I have a DS server setup on a VM at 192.168.122.4 and I made a few
tweaks to show how errors are reported.
# ipa migrate-ds ldap://192.168.122.4:389
Password
Rob Crittenden wrote:
> Pavel Zuna wrote:
>> Rob Crittenden wrote:
>>> Pavel Zuna wrote:
Example output of migration plugin:
I have a DS server setup on a VM at 192.168.122.4 and I made a few
tweaks to show how errors are reported.
# ipa migrate-ds ldap://192.168.122.4
Pavel Zuna wrote:
Rob Crittenden wrote:
Pavel Zuna wrote:
Example output of migration plugin:
I have a DS server setup on a VM at 192.168.122.4 and I made a few
tweaks to show how errors are reported.
# ipa migrate-ds ldap://192.168.122.4:389
Password:
Enter password again to verify:
--
Pavel Zuna wrote:
> Rob Crittenden wrote:
>> Pavel Zuna wrote:
>>> Example output of migration plugin:
>>>
>>> I have a DS server setup on a VM at 192.168.122.4 and I made a few
>>> tweaks to show how errors are reported.
>>>
>>> # ipa migrate-ds ldap://192.168.122.4:389
>>> Password:
>>> Enter pas
On Fri, 2009-10-30 at 10:54 -0400, Rob Crittenden wrote:
>
> One of our goals is to promote the usage of single sign-on using
> kerberos. Enabling the password fallback can be practical and needed
> in
> some cases but I think by default we want to leave it off.
+1
Simo.
--
Simo Sorce * Red
Rob Crittenden wrote:
Pavel Zuna wrote:
Example output of migration plugin:
I have a DS server setup on a VM at 192.168.122.4 and I made a few
tweaks to show how errors are reported.
# ipa migrate-ds ldap://192.168.122.4:389
Password:
Enter password again to verify:
---
migrate-ds:
-
Pavel Zuna wrote:
Example output of migration plugin:
I have a DS server setup on a VM at 192.168.122.4 and I made a few
tweaks to show how errors are reported.
# ipa migrate-ds ldap://192.168.122.4:389
Password:
Enter password again to verify:
---
migrate-ds:
---
Migrated:
Pavel Zuna wrote:
Rob Crittenden wrote:
The user plugin is crapping out on line 317 of ldap2.py because attr
is coming back None. The attribute it is looking for is member.
I think the fix involves setting member_attributes = ['member'] to the
user plugin.
I wonder if we need to make the ld
Pavel Zůna wrote:
Pavel Zůna wrote:
As we started converting NULL values to None a while back,
List.normalize blows up if we set an empty tuple default value.
Pavel
nack!
This actually introduces a bigger problem than it solves, my mistake.
Fixed version attached.
To demonstrate the bug t
Pavel Zůna wrote:
As we started converting NULL values to None a while back,
List.normalize blows up if we set an empty tuple default value.
Pavel
ack, pushed to master
smime.p7s
Description: S/MIME Cryptographic Signature
___
Freeipa-devel maili
32 matches
Mail list logo