Re: [Freeipa-devel] [PATCH][RFC] 7 automember rebuild nowait feature added

2014-04-07 Thread Petr Viktorin
On 03/27/2014 03:37 PM, Misnyovszki Adam wrote: On Wed, 26 Mar 2014 13:15:55 +0100 Petr Viktorin pvikt...@redhat.com wrote: [...] Looks great! I'm just concerned about the error returned when the task takes too long: $ ipa automember-rebuild --type group ipa: ERROR: LDAP timeout I

[Freeipa-devel] Random Certificate Serial Numbers

2014-04-07 Thread Martin Kosek
Hi Rob, Ade and others, In the past, Rob was investigating enabling random certificate serial numbers for FreeIPA PKI [1]. We also have a ticket [2] planned to enable it for 4.0. Can we simply switch it on for PKI with pkispawn attribute: [CA] pki_random_serial_numbers_enable=True or is there

Re: [Freeipa-devel] [PATCH 0113] ipa-client: Set NIS domain name in the installer

2014-04-07 Thread Martin Kosek
On 03/03/2014 08:16 PM, Tomas Babej wrote: The updated patch addresses all the mentioned issues. Also enables systemd's specific domainname service instead of relying on ypbind being present on the system. Please note that nisdomainname is not configured on boot time at the moment. The

[Freeipa-devel] global account lockout

2014-04-07 Thread Ludwig Krispenz
Hi, please review the following feature design. It introduces a global account lockout, while trying to keep the replication traffic minimal. In my opinion for a real global account lockout the basic lockout attributes have to be replicated otherwise the benefit is minimal: an attacker could

Re: [Freeipa-devel] [PATCH] 0505 Default read ACIs for HBAC objects

2014-04-07 Thread Martin Kosek
On 04/03/2014 12:09 PM, Petr Viktorin wrote: Hello, This adds read permissions to read HBAC rules, services, and service groups. Read access is given to all authenticated users. So far looked OK in my tests. What about the ACIs like the following one? (targetattr = *)(version 3.0; acl No

Re: [Freeipa-devel] [PATCH] 0505 Default read ACIs for HBAC objects

2014-04-07 Thread Petr Viktorin
On 04/07/2014 01:28 PM, Martin Kosek wrote: On 04/03/2014 12:09 PM, Petr Viktorin wrote: Hello, This adds read permissions to read HBAC rules, services, and service groups. Read access is given to all authenticated users. So far looked OK in my tests. What about the ACIs like the following

Re: [Freeipa-devel] [PATCH] 0504 Default read ACIs for Sudo objects

2014-04-07 Thread Martin Kosek
On 04/03/2014 12:09 PM, Petr Viktorin wrote: Hello, This adds read permissions to read Sudo commands, command groups, rules. Read access is given to all authenticated users. Looks good. What about ou=sudoers? I think we should also allow it in this patch for authenticated users. This is the

Re: [Freeipa-devel] Ipa-server-install Firewall Support

2014-04-07 Thread Rob Crittenden
Simo Sorce wrote: On Fri, 2014-04-04 at 09:59 +0200, Petr Spacek wrote: On 4.4.2014 09:17, Martin Kosek wrote: On 04/04/2014 09:04 AM, Justin Brown wrote: I would actually do it the opposite way and open the ports after the FreeIPA server is fully configured. After all, I do not think we

Re: [Freeipa-devel] questions regarding ldap schema for pkcs11

2014-04-07 Thread Rob Crittenden
Simo Sorce wrote: On Fri, 2014-04-04 at 13:19 +0200, Petr Spacek wrote: On 4.4.2014 10:20, Ludwig Krispenz wrote: In the review discussion for the ldap schema for pkcs11 there was one topic, which we wanted to get the opinion from a broader audience before making a final decision. I'll add my

[Freeipa-devel] [PATCH 0002] Use job prefix in install-built-rpms

2014-04-07 Thread Tomas Babej
Hi, this patch fixes the issue with using freeipa specific rpms when defining custom jobs. Tomas -- Tomas Babej Associate Software Engineer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org From fa75dd96908346d354c40fb6587fdf9b7b11870d Mon Sep 17 00:00:00 2001

Re: [Freeipa-devel] [PATCH 0002] Use job prefix in install-built-rpms

2014-04-07 Thread Petr Viktorin
On 04/07/2014 04:08 PM, Tomas Babej wrote: Hi, this patch fixes the issue with using freeipa specific rpms when defining custom jobs. Tomas Thanks! Pushed to https://github.com/encukou/freeipa-ci.git as 01778989306e19e53b98d4acc72772631a8bb9dd -- Petr³

Re: [Freeipa-devel] [PATCH] 0507 Allow anonymous read access to containers

2014-04-07 Thread Martin Kosek
On 04/03/2014 01:34 PM, Petr Viktorin wrote: Hello, This adds anonymous read access to containers, as discussed in this thread: https://www.redhat.com/archives/freeipa-devel/2014-March/msg00442.html Additionally access is granted for $SUFFIX itself with targetfilter (objectclass=domain),

Re: [Freeipa-devel] [PATCH] 0507 Allow anonymous read access to containers

2014-04-07 Thread Simo Sorce
On Mon, 2014-04-07 at 16:43 +0200, Martin Kosek wrote: On 04/03/2014 01:34 PM, Petr Viktorin wrote: Hello, This adds anonymous read access to containers, as discussed in this thread: https://www.redhat.com/archives/freeipa-devel/2014-March/msg00442.html Additionally access is granted

Re: [Freeipa-devel] global account lockout

2014-04-07 Thread Rob Crittenden
Ludwig Krispenz wrote: Hi, please review the following feature design. It introduces a global account lockout, while trying to keep the replication traffic minimal. In my opinion for a real global account lockout the basic lockout attributes have to be replicated otherwise the benefit is

Re: [Freeipa-devel] global account lockout

2014-04-07 Thread Simo Sorce
On Mon, 2014-04-07 at 11:26 -0400, Rob Crittenden wrote: Ludwig Krispenz wrote: Hi, please review the following feature design. It introduces a global account lockout, while trying to keep the replication traffic minimal. In my opinion for a real global account lockout the basic lockout

Re: [Freeipa-devel] global account lockout

2014-04-07 Thread Simo Sorce
On Mon, 2014-04-07 at 12:01 -0400, Simo Sorce wrote: On Mon, 2014-04-07 at 11:26 -0400, Rob Crittenden wrote: Ludwig Krispenz wrote: Hi, please review the following feature design. It introduces a global account lockout, while trying to keep the replication traffic minimal. In my

Re: [Freeipa-devel] global account lockout

2014-04-07 Thread Simo Sorce
On Mon, 2014-04-07 at 12:10 -0400, Simo Sorce wrote: On Mon, 2014-04-07 at 12:01 -0400, Simo Sorce wrote: On Mon, 2014-04-07 at 11:26 -0400, Rob Crittenden wrote: Ludwig Krispenz wrote: Hi, please review the following feature design. It introduces a global account lockout,

Re: [Freeipa-devel] global account lockout

2014-04-07 Thread Rich Megginson
On 04/07/2014 10:13 AM, Simo Sorce wrote: On Mon, 2014-04-07 at 12:10 -0400, Simo Sorce wrote: On Mon, 2014-04-07 at 12:01 -0400, Simo Sorce wrote: On Mon, 2014-04-07 at 11:26 -0400, Rob Crittenden wrote: Ludwig Krispenz wrote: Hi, please review the following feature design. It introduces a

Re: [Freeipa-devel] [PATCHES] 241-253 CA certificate renewal

2014-04-07 Thread Rob Crittenden
Rob Crittenden wrote: Jan Cholasta wrote: Hi, the attached patches implement automatic CA certificate renewal as well as the initial version of the CA certificate management tool. Requires my patches 172-196. In order to test, you must install current git version of certmonger (see

Re: [Freeipa-devel] global account lockout

2014-04-07 Thread Simo Sorce
On Mon, 2014-04-07 at 10:22 -0600, Rich Megginson wrote: On 04/07/2014 10:13 AM, Simo Sorce wrote: On Mon, 2014-04-07 at 12:10 -0400, Simo Sorce wrote: On Mon, 2014-04-07 at 12:01 -0400, Simo Sorce wrote: On Mon, 2014-04-07 at 11:26 -0400, Rob Crittenden wrote: Ludwig Krispenz wrote:

Re: [Freeipa-devel] global account lockout

2014-04-07 Thread Rich Megginson
On 04/07/2014 12:31 PM, Simo Sorce wrote: On Mon, 2014-04-07 at 10:22 -0600, Rich Megginson wrote: On 04/07/2014 10:13 AM, Simo Sorce wrote: On Mon, 2014-04-07 at 12:10 -0400, Simo Sorce wrote: On Mon, 2014-04-07 at 12:01 -0400, Simo Sorce wrote: On Mon, 2014-04-07 at 11:26 -0400, Rob

Re: [Freeipa-devel] global account lockout

2014-04-07 Thread Dmitri Pal
On 04/07/2014 02:31 PM, Simo Sorce wrote: On Mon, 2014-04-07 at 10:22 -0600, Rich Megginson wrote: On 04/07/2014 10:13 AM, Simo Sorce wrote: On Mon, 2014-04-07 at 12:10 -0400, Simo Sorce wrote: On Mon, 2014-04-07 at 12:01 -0400, Simo Sorce wrote: On Mon, 2014-04-07 at 11:26 -0400, Rob

Re: [Freeipa-devel] [PATCH] Add DRM to IPA

2014-04-07 Thread Dmitri Pal
On 04/04/2014 02:50 PM, Ade Lee wrote: This patch adds the capability of installing a Dogtag DRM to an IPA instance. With this patch, when ipa-server-install is run, a Dogtag CA and a Dogtag DRM are created. The DRM shares the same tomcat instance and DS instance as the

Re: [Freeipa-devel] [PATCH] Add DRM to IPA

2014-04-07 Thread Rob Crittenden
Dmitri Pal wrote: On 04/04/2014 02:50 PM, Ade Lee wrote: This patch adds the capability of installing a Dogtag DRM to an IPA instance. With this patch, when ipa-server-install is run, a Dogtag CA and a Dogtag DRM are created. The DRM shares the same tomcat instance and DS

Re: [Freeipa-devel] global account lockout

2014-04-07 Thread Simo Sorce
On Mon, 2014-04-07 at 14:47 -0400, Dmitri Pal wrote: On 04/07/2014 02:31 PM, Simo Sorce wrote: On Mon, 2014-04-07 at 10:22 -0600, Rich Megginson wrote: On 04/07/2014 10:13 AM, Simo Sorce wrote: On Mon, 2014-04-07 at 12:10 -0400, Simo Sorce wrote: On Mon, 2014-04-07 at 12:01 -0400, Simo

Re: [Freeipa-devel] global account lockout

2014-04-07 Thread Rich Megginson
On 04/07/2014 01:00 PM, Simo Sorce wrote: On Mon, 2014-04-07 at 14:47 -0400, Dmitri Pal wrote: On 04/07/2014 02:31 PM, Simo Sorce wrote: On Mon, 2014-04-07 at 10:22 -0600, Rich Megginson wrote: On 04/07/2014 10:13 AM, Simo Sorce wrote: On Mon, 2014-04-07 at 12:10 -0400, Simo Sorce wrote: On

Re: [Freeipa-devel] [PATCH] Add DRM to IPA

2014-04-07 Thread Rob Crittenden
Ade Lee wrote: This patch adds the capability of installing a Dogtag DRM to an IPA instance. With this patch, when ipa-server-install is run, a Dogtag CA and a Dogtag DRM are created. The DRM shares the same tomcat instance and DS instance as the Dogtag CA. Moreover,

Re: [Freeipa-devel] global account lockout

2014-04-07 Thread Rob Crittenden
Rich Megginson wrote: On 04/07/2014 01:00 PM, Simo Sorce wrote: On Mon, 2014-04-07 at 14:47 -0400, Dmitri Pal wrote: On 04/07/2014 02:31 PM, Simo Sorce wrote: On Mon, 2014-04-07 at 10:22 -0600, Rich Megginson wrote: On 04/07/2014 10:13 AM, Simo Sorce wrote: On Mon, 2014-04-07 at 12:10

Re: [Freeipa-devel] Ipa-server-install Firewall Support

2014-04-07 Thread Dmitri Pal
On 04/07/2014 09:00 AM, Rob Crittenden wrote: Simo Sorce wrote: On Fri, 2014-04-04 at 09:59 +0200, Petr Spacek wrote: On 4.4.2014 09:17, Martin Kosek wrote: On 04/04/2014 09:04 AM, Justin Brown wrote: I would actually do it the opposite way and open the ports after the FreeIPA server is

Re: [Freeipa-devel] Random Certificate Serial Numbers

2014-04-07 Thread Dmitri Pal
On 04/07/2014 03:48 AM, Martin Kosek wrote: Hi Rob, Ade and others, In the past, Rob was investigating enabling random certificate serial numbers for FreeIPA PKI [1]. We also have a ticket [2] planned to enable it for 4.0. Can we simply switch it on for PKI with pkispawn attribute: [CA]