Re: [Freeipa-devel] [PATCHES] 213-224 Use old entry state in LDAP mods

2014-01-10 Thread Jan Cholasta
On 20.12.2013 13:06, Petr Viktorin wrote: I now have a failing test in test_permission_rollback. Let's think about this case for a moment: The permission system has rollback: if an ACI update fails, the entry is rolled back. Currently it works (for ipapermlocation changes) like this: - The old

[Freeipa-devel] [PATCH] 445 hbactest does not work for external users

2014-01-10 Thread Martin Kosek
Original patch for ticket #3803 implemented support to resolve SIDs through SSSD. However, it also broke hbactest for external users. The result of the updated external member group search must be local non-external groups, not the external ones. Otherwise the rule is not matched.

Re: [Freeipa-devel] [PATCH] 445 hbactest does not work for external users

2014-01-10 Thread Alexander Bokovoy
On Fri, 10 Jan 2014, Martin Kosek wrote: Original patch for ticket #3803 implemented support to resolve SIDs through SSSD. However, it also broke hbactest for external users. The result of the updated external member group search must be local non-external groups, not the external ones.

Re: [Freeipa-devel] [PATCH 0027] Add config.h.in~ and rpmbuild to git ignore

2014-01-10 Thread Petr Viktorin
On 01/09/2014 10:25 PM, Nathaniel McCallum wrote: On Thu, 2014-01-02 at 09:58 +0100, Petr Viktorin wrote: On 12/23/2013 06:54 PM, Nathaniel McCallum wrote: Attached. config.in.h~ is a product of your specific editor, right? You should add it to your personal ignore list, e.g. with: $ echo

Re: [Freeipa-devel] [PATCH] 210 Allow SAN in IPA certificate profile

2014-01-10 Thread Martin Kosek
On 01/09/2014 03:37 PM, Simo Sorce wrote: On Thu, 2014-01-09 at 15:27 +0100, Martin Kosek wrote: On 01/09/2014 03:12 PM, Simo Sorce wrote: On Thu, 2014-01-09 at 09:04 -0500, Simo Sorce wrote: On Thu, 2014-01-09 at 09:51 +0100, Martin Kosek wrote: On 01/09/2014 12:26 AM, Simo Sorce wrote: On

Re: [Freeipa-devel] [PATCHES] 213-224 Use old entry state in LDAP mods

2014-01-10 Thread Petr Viktorin
On 01/10/2014 12:43 PM, Jan Cholasta wrote: On 20.12.2013 13:06, Petr Viktorin wrote: I now have a failing test in test_permission_rollback. Let's think about this case for a moment: The permission system has rollback: if an ACI update fails, the entry is rolled back. Currently it works (for

Re: [Freeipa-devel] [PATCH] 210 Allow SAN in IPA certificate profile

2014-01-10 Thread Rob Crittenden
Simo Sorce wrote: On Thu, 2014-01-09 at 10:44 -0500, Rob Crittenden wrote: Martin Kosek wrote: On 01/09/2014 03:12 PM, Simo Sorce wrote: Also maybe we should allow admins to bypass the need to have an actual object to represent the alt name ? I'd rather not. This would allow a rogue admin

Re: [Freeipa-devel] [PATCHES] 225-230 Drop support for the legacy LDAP API

2014-01-10 Thread Petr Viktorin
On 01/07/2014 01:54 PM, Jan Cholasta wrote: On 16.12.2013 14:45, Petr Viktorin wrote: On 12/16/2013 10:22 AM, Jan Cholasta wrote: On 13.12.2013 15:16, Petr Viktorin wrote: On 12/10/2013 04:05 PM, Jan Cholasta wrote: Hi, I believe the time has come to drop support for the legacy (dn,

[Freeipa-devel] [RFE] Multivalued target filters in permissions

2014-01-10 Thread Petr Viktorin
Another permission design page coming up: http://www.freeipa.org/page/V3/Multivalued_target_filters_in_permissions related thread: http://www.redhat.com/archives/freeipa-devel/2013-December/msg00063.html ticket: https://fedorahosted.org/freeipa/ticket/4074 Originally the ticket also included

Re: [Freeipa-devel] [PATCH 0032] Update ACIs to permit users to add/delete their own tokens

2014-01-10 Thread Simo Sorce
On Thu, 2014-01-09 at 21:30 -0800, Noriko Hosoi wrote: Simo Sorce wrote: On Thu, 2014-01-09 at 15:15 -0800, Noriko Hosoi wrote: Simo Sorce wrote: On Thu, 2014-01-09 at 16:32 -0500, Nathaniel McCallum wrote: This patch is independent from my patches 0028-0031 and can be merged in any

Re: [Freeipa-devel] [PATCH 0032] Update ACIs to permit users to add/delete their own tokens

2014-01-10 Thread Simo Sorce
On Fri, 2014-01-10 at 12:15 -0500, Simo Sorce wrote: On Thu, 2014-01-09 at 21:30 -0800, Noriko Hosoi wrote: Simo Sorce wrote: On Thu, 2014-01-09 at 15:15 -0800, Noriko Hosoi wrote: Simo Sorce wrote: On Thu, 2014-01-09 at 16:32 -0500, Nathaniel McCallum wrote: This patch is

Re: [Freeipa-devel] [PATCH 0032] Update ACIs to permit users to add/delete their own tokens

2014-01-10 Thread Noriko Hosoi
Hi Simo, Simo Sorce wrote: On Fri, 2014-01-10 at 12:15 -0500, Simo Sorce wrote: This is not what I had in mind, our use case is something like this: aci: (target=ldap:///dc=bar)(targetattr=*) (version 3.0; acl userattr test; allow (add) userattr = managedby#USERDN;) ldapmodify -D

Re: [Freeipa-devel] [PATCH 0032] Update ACIs to permit users to add/delete their own tokens

2014-01-10 Thread Nathaniel McCallum
On Thu, 2014-01-09 at 17:37 -0500, Simo Sorce wrote: On Thu, 2014-01-09 at 16:32 -0500, Nathaniel McCallum wrote: This patch is independent from my patches 0028-0031 and can be merged in any order. This patch has a bug, but I can't figure it out. We need to set

Re: [Freeipa-devel] [PATCH 0137] ipalib: Add DateTime parameter

2014-01-10 Thread Nathaniel McCallum
On Thu, 2014-01-09 at 16:30 +0100, Tomas Babej wrote: Hi, Adds a parameter that represents a DateTime format using datetime.datetime object from python's native datetime library. In the CLI, accepts one of the following formats: Accepts subset of values defined by ISO 8601:

Re: [Freeipa-devel] FreeIPA OTP End-to-End

2014-01-10 Thread Alexander Bokovoy
On Thu, 09 Jan 2014, Nathaniel McCallum wrote: New RPMs are up: http://npmccallum.fedorapeople.org/freeipa-otp/rpms/ Just as a note -- we can use copr service to provide a better experience for testing. I made a copr repo with previous patchset last year: