ipa-replica-manage can use the current kerberos credentials for some
commands now. To make it a bit nicer to use, fall back to prompting for the
DM password if there are no credentials. I've found it handy to have
this in development.
I also fix up the errors when deleting a replica too (my test c
If a host is already enrolled (either as a client or a former replica)
then ipa-replica-install will fail spectacularly with an error about a
missing keytab. This is because some entries already exist and it
totally confuses things. We need to start this host from scratch, so
catch this conditi
For v2 upgrades we want the LDAP server to be quiet so we will shut it
down, disable its TCP listeners and bring it back up to update over
ldapi. This also enables autobind so we can bind as root and perform
operations as Directory Manager and not require a password.
To use this mode run ipa-l
On 05/27/2010 10:59 AM, Rob Crittenden wrote:
Add another default hbac service, su-l.
rob
Ack
--
Stephen Gallagher
RHCE 804006346421761
Stephen Gallagher wrote:
On 05/26/2010 03:24 PM, Rob Crittenden wrote:
Replica preparation and installation is not working in F-13 because of
gpg2. It now requires the --batch argument when using the --passphrase*
options.
This patch is for ipa-1.2.2 but the same principle applies to master as
Add another default hbac service, su-l.
rob
freeipa-454-hbac.patch
Description: application/mbox
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Pavel Zuna wrote:
On 05/26/2010 03:50 PM, Rob Crittenden wrote:
I moved these contents into an update so that each entry could get its
own UUID. The templater for ldif files is a little less robust and can
only assign a single UUID per file. If this is ever an issue we can
address it then but it
Sumit Bose wrote:
On Wed, May 26, 2010 at 09:51:21AM -0400, Rob Crittenden wrote:
Sumit Bose wrote:
On Fri, May 21, 2010 at 04:30:12PM -0400, Rob Crittenden wrote:
Add the ipqUniqueID object to HBAC services and make sure that they
get the memberOf attribute if they are members of service grou
Dmitri Pal wrote:
Rob Crittenden wrote:
Dmitri Pal wrote:
Rob Crittenden wrote:
Use correct OID base for ipaVolumeKey (it's an objectClass, not an
attribute).
Re-number to use contiguous values. There were some pretty big gaps.
rob
-
Pavel Zuna wrote:
On 05/20/2010 07:54 PM, Rob Crittenden wrote:
Add the 'all' serviceCategory to the default allow_all HBAC rule and add
some standard services: ftp, login, sshd, su, sudo.
rob
ack.
Pavel
pushed to master. I'm going to submit a separate patch for su-l as
requested by Steve
Pavel Zuna wrote:
On 05/20/2010 05:56 PM, Rob Crittenden wrote:
Move the dogtag SELinux rules loading into the spec file
I couldn't put the dogtag rules into the spec file until we required
dogtag as a component. If it wasn't pre-loaded then the rules loading
would fail because types would be m
Pavel Zuna wrote:
On 05/19/2010 07:28 PM, Rob Crittenden wrote:
Include -clone_uri argument to pkisilent setting the clone URI.
This makes creating a clone from a clone work as expected.
Note that this depends on some fixes in the pki-ca, pki-common and
pki-silent packages. I tested this again
On 05/21/2010 10:30 PM, Rob Crittenden wrote:
Add the ipqUniqueID object to HBAC services and make sure that they get
the memberOf attribute if they are members of service groups.
rob
ack.
Pavel
On 05/26/2010 03:50 PM, Rob Crittenden wrote:
I moved these contents into an update so that each entry could get its
own UUID. The templater for ldif files is a little less robust and can
only assign a single UUID per file. If this is ever an issue we can
address it then but it isn't a problem for
On 05/21/2010 11:35 PM, Rob Crittenden wrote:
Fix this test to work from source tree root
It would work if you ran the test from its location in tests/test_ipalib
but this isn't the most common method. If you want to run it individually
you can do:
$ ./make-test tests/test_ipalib/test_text.py
On 05/20/2010 07:54 PM, Rob Crittenden wrote:
Add the 'all' serviceCategory to the default allow_all HBAC rule and add
some standard services: ftp, login, sshd, su, sudo.
rob
ack.
Pavel
On 05/20/2010 05:56 PM, Rob Crittenden wrote:
Move the dogtag SELinux rules loading into the spec file
I couldn't put the dogtag rules into the spec file until we required
dogtag as a component. If it wasn't pre-loaded then the rules loading
would fail because types would be missing.
rob
This
On 05/19/2010 07:28 PM, Rob Crittenden wrote:
Include -clone_uri argument to pkisilent setting the clone URI.
This makes creating a clone from a clone work as expected.
Note that this depends on some fixes in the pki-ca, pki-common and
pki-silent packages. I tested this against pre-release vers
On Wed, May 26, 2010 at 09:51:21AM -0400, Rob Crittenden wrote:
> Sumit Bose wrote:
> >On Fri, May 21, 2010 at 04:30:12PM -0400, Rob Crittenden wrote:
> >>Add the ipqUniqueID object to HBAC services and make sure that they
> >>get the memberOf attribute if they are members of service groups.
> >>
>
19 matches