On 04/15/2014 05:36 PM, Misnyovszki Adam wrote:
On Tue, 15 Apr 2014 12:51:47 +0200
Petr Viktorin pvikt...@redhat.com wrote:
On 04/15/2014 12:41 PM, Misnyovszki Adam wrote:
Hi,
this patch fixes FreeIPA Jenkins CI test
freeipa-integration-forced_client_reenrollment-f19, by turning sshfp
records
Did anyone hit https://bugzilla.redhat.com/show_bug.cgi?id=1088163 or is it
something specific to my environment?
Thanks.
--
Martin Kosek mko...@redhat.com
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.
___
Freeipa-devel
Dmitri,
Thanks for the feedback. I've had a chance to revise the proposal and
incorporated your feedback. The first thing to note is that while this
implementation is focused on FirewallD support I want to leave open
the possibility of supporting other firewalls should anyone else be
interested
Martin,
I think that making the firewall configuration automatic is the best
solution. I've updated
http://www.freeipa.org/page/V4/Firewall_Configuration for automatic
configuration unless --no-firewall is passed.
You guys know the user-base better than I do, but I would imagine that
users would
I was looking into ticket
https://fedorahosted.org/freeipa/ticket/4054
and experimenting with ACIs allowing privileged users to manage only their own
LDAP objects.
As already proposed in the Bugzilla, I had success with following ACIs:
# ldapmodify -h `hostname` -D
On Wed, 16 Apr 2014, Martin Kosek wrote:
Did anyone hit https://bugzilla.redhat.com/show_bug.cgi?id=1088163 or
is it something specific to my environment?
I've seen this before several times but couldn't reproduce at all.
Latest change to ipa_kdb_passwords.c where the code that does handle the
On 04/16/2014 10:02 AM, Martin Kosek wrote:
I was looking into ticket
https://fedorahosted.org/freeipa/ticket/4054
and experimenting with ACIs allowing privileged users to manage only
their own LDAP objects.
As already proposed in the Bugzilla, I had success with following ACIs:
On 11.4.2014 13:31, Petr Viktorin wrote:
One of the default_attributes of permission is memberofindirect, a
virtual attribute manufactured by ldap2, which is set when a permission
is part of a role.
When update_entry is called on an entry with memberofindirect, ipaldap
tries to add the attribute
On 16.4.2014 10:20, Petr Viktorin wrote:
On 04/16/2014 10:02 AM, Martin Kosek wrote:
I was looking into ticket
https://fedorahosted.org/freeipa/ticket/4054
and experimenting with ACIs allowing privileged users to manage only
their own LDAP objects.
As already proposed in the Bugzilla, I had
On 04/16/2014 07:48 AM, Martin Kosek wrote:
On 04/15/2014 06:10 PM, Ludwig Krispenz wrote:
On 04/15/2014 05:45 PM, Ludwig Krispenz wrote:
On 04/15/2014 05:10 PM, Martin Kosek wrote:
On 04/15/2014 05:08 PM, Simo Sorce wrote:
On Tue, 2014-04-15 at 16:48 +0200, Martin Kosek wrote:
On
On 04/16/2014 10:35 AM, Jan Cholasta wrote:
On 11.4.2014 13:31, Petr Viktorin wrote:
One of the default_attributes of permission is memberofindirect, a
virtual attribute manufactured by ldap2, which is set when a permission
is part of a role.
When update_entry is called on an entry with
On 04/16/2014 12:07 PM, Petr Viktorin wrote:
On 04/16/2014 07:48 AM, Martin Kosek wrote:
On 04/15/2014 06:10 PM, Ludwig Krispenz wrote:
On 04/15/2014 05:45 PM, Ludwig Krispenz wrote:
On 04/15/2014 05:10 PM, Martin Kosek wrote:
On 04/15/2014 05:08 PM, Simo Sorce wrote:
On Tue, 2014-04-15
On 04/16/2014 09:59 AM, Justin Brown wrote:
Martin,
I think that making the firewall configuration automatic is the best
solution. I've updated
http://www.freeipa.org/page/V4/Firewall_Configuration for automatic
configuration unless --no-firewall is passed.
You guys know the user-base
On 04/14/2014 04:00 PM, Simo Sorce wrote:
On Mon, 2014-04-14 at 12:55 +0200, Martin Kosek wrote:
When heading for a lunch today, I had a discussion with Petr3 about ACIs for
cn=etc,SUFFIX. On our initial meeting back at DevConf.cz time, we said we will
simply allow all attributes in cn=etc for
Read access is given to all authenticated users.
--
Petr³
From 1234bfbc321444365cdf7e7b263cf46e1eb25624 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Wed, 26 Mar 2014 16:29:16 +0100
Subject: [PATCH] Add managed read permission to idrange
Part of the work for:
On 04/16/2014 10:35 AM, Jan Cholasta wrote:
On 16.4.2014 10:20, Petr Viktorin wrote:
On 04/16/2014 10:02 AM, Martin Kosek wrote:
I was looking into ticket
https://fedorahosted.org/freeipa/ticket/4054
and experimenting with ACIs allowing privileged users to manage only
their own LDAP objects.
On 16.4.2014 05:01, Gabe Alford wrote:
The following patches update the Solaris documentation and add a proxy
agent/profile for Solaris.
- Solaris documentation update
https://fedorahosted.org/freeipa/ticket/3731
- Patch adds default Proxy Agent and default_secure profile through
Hi,
Attached patch attempts to improve NFS configuration section.
Please review, if it is OK, I'll prepare patch to update the other parts
as we have quite a duplication across the guide.
https://fedorahosted.org/freeipa/ticket/4310
--
/ Alexander Bokovoy
From
On Wed, 16 Apr 2014, Alexander Bokovoy wrote:
Hi,
Attached patch attempts to improve NFS configuration section.
Please review, if it is OK, I'll prepare patch to update the other parts
as we have quite a duplication across the guide.
https://fedorahosted.org/freeipa/ticket/4310
To ease the
On 04/16/2014 10:09 AM, Alexander Bokovoy wrote:
On Wed, 16 Apr 2014, Martin Kosek wrote:
Did anyone hit https://bugzilla.redhat.com/show_bug.cgi?id=1088163 or is it
something specific to my environment?
I've seen this before several times but couldn't reproduce at all.
Latest change to
A single permission granting anonymous read access covers
automountlocation, automountmap, and automountkey.
--
Petr³
From 76e983917332c2a8db89b944e2aab78ea14d5662 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Wed, 26 Mar 2014 17:11:23 +0100
Subject: [PATCH] Add managed
On 04/16/2014 09:56 AM, Justin Brown wrote:
...
L: This is interesting, and I have a couple of questions on how this
should work.
1) Is there an actual use-case when a tool actually would want to
check status of a port without correcting it? It seems to me that any
sort of is_port_open()
On Wed, 2014-04-16 at 10:02 +0200, Martin Kosek wrote:
I was looking into ticket
https://fedorahosted.org/freeipa/ticket/4054
and experimenting with ACIs allowing privileged users to manage only their
own
LDAP objects.
As already proposed in the Bugzilla, I had success with following
On Wed, 2014-04-16 at 10:20 +0200, Petr Viktorin wrote:
On 04/16/2014 10:02 AM, Martin Kosek wrote:
I was looking into ticket
https://fedorahosted.org/freeipa/ticket/4054
and experimenting with ACIs allowing privileged users to manage only
their own LDAP objects.
As already proposed
On Wed, 2014-04-16 at 13:12 +0200, Martin Kosek wrote:
On 04/16/2014 10:35 AM, Jan Cholasta wrote:
On 16.4.2014 10:20, Petr Viktorin wrote:
On 04/16/2014 10:02 AM, Martin Kosek wrote:
I was looking into ticket
https://fedorahosted.org/freeipa/ticket/4054
and experimenting with ACIs
On 04/16/2014 02:45 PM, Simo Sorce wrote:
On Wed, 2014-04-16 at 10:20 +0200, Petr Viktorin wrote:
On 04/16/2014 10:02 AM, Martin Kosek wrote:
I was looking into ticket
https://fedorahosted.org/freeipa/ticket/4054
and experimenting with ACIs allowing privileged users to manage only
their own
Similarly to automount, a single permission is added for reading all the
trust objects.
Read access is given to all authenticated users.
--
Petr³
From a499784cbea2f1282a07629a94e67e14c14a35d0 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Wed, 26 Mar 2014 17:11:23 +0100
On Wed, 2014-04-16 at 13:31 +0200, Martin Kosek wrote:
On 04/16/2014 12:50 PM, Petr Viktorin wrote:
On 04/14/2014 04:00 PM, Simo Sorce wrote:
On Mon, 2014-04-14 at 12:55 +0200, Martin Kosek wrote:
When heading for a lunch today, I had a discussion with Petr3 about ACIs
for
On 04/16/2014 02:49 PM, Petr Viktorin wrote:
On 04/16/2014 02:45 PM, Simo Sorce wrote:
On Wed, 2014-04-16 at 10:20 +0200, Petr Viktorin wrote:
On 04/16/2014 10:02 AM, Martin Kosek wrote:
I was looking into ticket
https://fedorahosted.org/freeipa/ticket/4054
and experimenting with ACIs
On 04/16/2014 02:55 PM, Simo Sorce wrote:
On Wed, 2014-04-16 at 13:31 +0200, Martin Kosek wrote:
On 04/16/2014 12:50 PM, Petr Viktorin wrote:
On 04/14/2014 04:00 PM, Simo Sorce wrote:
On Mon, 2014-04-14 at 12:55 +0200, Martin Kosek wrote:
When heading for a lunch today, I had a discussion
On Wed, 2014-04-16 at 14:55 +0200, Petr Viktorin wrote:
Similarly to automount, a single permission is added for reading all
the
trust objects.
Read access is given to all authenticated users.
NACK!!
See inline
From a499784cbea2f1282a07629a94e67e14c14a35d0 Mon Sep 17 00:00:00 2001
From:
On Wed, 2014-04-16 at 15:00 +0200, Petr Viktorin wrote:
Simo, Rob, would you be OK with changing virtual operation
objectclass to our
own one to have a better control over it?
No, in general I am not ok to change objects that already exist in
IPA
as it makes upgrades with new and old
Hi,
this patch enables logging json dumps of request and response, using
the --log-payload switch in ipa cli. RFC tag is to ensure that I
handled the --log-payload switch correctly in ipa cli. Be careful, it
only logs, so --log-payload without -v switch doesn't make the dump
visible in command
On 04/15/2014 04:55 PM, Petr Viktorin wrote:
Hello,
At Devconf, we decided what most of the default read permissions should look
like, but we did not get to user.
Here is a draft of 4 read permissions. Please comment.
Basic info (anonymous):
[top]
objectclass
[person]
cn, sn,
On Wed, 16 Apr 2014, Simo Sorce wrote:
+'ipanttrusteddomainsid', 'ipanttrustforesttrustinfo',
+'ipanttrustposixoffset',
'ipantsupportedencryptiontypes',
+'ipantsidblacklistincoming',
'ipantsidblacklistoutgoing',
+# ipaNTDomainAttrs:
On Wed, 2014-04-16 at 16:15 +0300, Alexander Bokovoy wrote:
On Wed, 16 Apr 2014, Simo Sorce wrote:
+'ipanttrusteddomainsid', 'ipanttrustforesttrustinfo',
+'ipanttrustposixoffset',
'ipantsupportedencryptiontypes',
+
On Wed, 2014-04-16 at 15:08 +0200, Martin Kosek wrote:
On 04/15/2014 04:55 PM, Petr Viktorin wrote:
Hello,
At Devconf, we decided what most of the default read permissions should look
like, but we did not get to user.
Here is a draft of 4 read permissions. Please comment.
Basic
On Wed, 2014-04-16 at 09:31 +0200, Martin Kosek wrote:
Did anyone hit https://bugzilla.redhat.com/show_bug.cgi?id=1088163 or is it
something specific to my environment?
A lot of people are starting to use libvirtd switches to make entropy
available to their VMs or using other in VM entropy
On 04/16/2014 03:41 PM, Simo Sorce wrote:
On Wed, 2014-04-16 at 15:08 +0200, Martin Kosek wrote:
On 04/15/2014 04:55 PM, Petr Viktorin wrote:
...
[mepOriginEntry]
mepManagedEntry
This is used to bind user to its private group. We use it for example in
group-detach command to
On Wed, 2014-04-16 at 14:55 +0200, Martin Kosek wrote:
On 04/16/2014 02:49 PM, Petr Viktorin wrote:
On 04/16/2014 02:45 PM, Simo Sorce wrote:
On Wed, 2014-04-16 at 10:20 +0200, Petr Viktorin wrote:
On 04/16/2014 10:02 AM, Martin Kosek wrote:
I was looking into ticket
On Wed, 2014-04-16 at 10:35 +0200, Jan Cholasta wrote:
On 11.4.2014 13:31, Petr Viktorin wrote:
One of the default_attributes of permission is memberofindirect, a
virtual attribute manufactured by ldap2, which is set when a permission
is part of a role.
When update_entry is called on an
On 04/16/2014 03:52 PM, Simo Sorce wrote:
On Wed, 2014-04-16 at 10:35 +0200, Jan Cholasta wrote:
On 11.4.2014 13:31, Petr Viktorin wrote:
One of the default_attributes of permission is memberofindirect, a
virtual attribute manufactured by ldap2, which is set when a permission
is part of a
On Wed, 16 Apr 2014, Simo Sorce wrote:
On Wed, 2014-04-16 at 16:15 +0300, Alexander Bokovoy wrote:
On Wed, 16 Apr 2014, Simo Sorce wrote:
+'ipanttrusteddomainsid', 'ipanttrustforesttrustinfo',
+'ipanttrustposixoffset',
'ipantsupportedencryptiontypes',
+
Hello,
Update .gitignore to skip Eclipse and Autotools files.
--
Petr^2 Spacek
From e16b64e91d2b2153b296d0429d04097ba2823134 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Wed, 16 Apr 2014 16:00:23 +0200
Subject: [PATCH] Update .gitignore to skip Eclipse and Autotools files
On 04/16/2014 12:34 PM, Petr Viktorin wrote:
On 04/16/2014 12:07 PM, Petr Viktorin wrote:
On 04/16/2014 07:48 AM, Martin Kosek wrote:
On 04/15/2014 06:10 PM, Ludwig Krispenz wrote:
On 04/15/2014 05:45 PM, Ludwig Krispenz wrote:
On 04/15/2014 05:10 PM, Martin Kosek wrote:
On 04/15/2014
On Wed, 16 Apr 2014 07:59:39 +0200
Martin Kosek mko...@redhat.com wrote:
On 04/15/2014 05:36 PM, Misnyovszki Adam wrote:
On Tue, 15 Apr 2014 12:51:47 +0200
Petr Viktorin pvikt...@redhat.com wrote:
On 04/15/2014 12:41 PM, Misnyovszki Adam wrote:
Hi,
this patch fixes FreeIPA Jenkins CI
On 04/15/2014 02:33 PM, Petr Viktorin wrote:
Read access to both rules and definitions is given to a new privilege,
'Automember Readers', as well as the existing 'Automember Task Administrator'.
This needs a mild rebase in 40-delegation.update. When I resolved the conflict
patch worked fine, no
On 04/16/2014 01:02 PM, Petr Viktorin wrote:
Read access is given to all authenticated users.
Works fine, no problem found - ACK.
Pushed to master: bb4e47d9ea249d7f3ead460284dd67312cc82bd5
Martin
On 04/16/2014 02:14 PM, Petr Viktorin wrote:
A single permission granting anonymous read access covers automountlocation,
automountmap, and automountkey.
This works fine, I am just wondering about the ACI:
1) Simo, are you OK with one ACI covering all automount objects? I personally
am, I
On 04/16/2014 03:59 PM, Alexander Bokovoy wrote:
On Wed, 16 Apr 2014, Simo Sorce wrote:
On Wed, 2014-04-16 at 16:15 +0300, Alexander Bokovoy wrote:
On Wed, 16 Apr 2014, Simo Sorce wrote:
+'ipanttrusteddomainsid', 'ipanttrustforesttrustinfo',
+
On Wed, 16 Apr 2014, Martin Kosek wrote:
On 04/16/2014 03:59 PM, Alexander Bokovoy wrote:
On Wed, 16 Apr 2014, Simo Sorce wrote:
On Wed, 2014-04-16 at 16:15 +0300, Alexander Bokovoy wrote:
On Wed, 16 Apr 2014, Simo Sorce wrote:
+'ipanttrusteddomainsid',
On 04/16/2014 05:10 PM, Alexander Bokovoy wrote:
On Wed, 16 Apr 2014, Martin Kosek wrote:
On 04/16/2014 03:59 PM, Alexander Bokovoy wrote:
On Wed, 16 Apr 2014, Simo Sorce wrote:
On Wed, 2014-04-16 at 16:15 +0300, Alexander Bokovoy wrote:
On Wed, 16 Apr 2014, Simo Sorce wrote:
+
On Wed, 16 Apr 2014, Martin Kosek wrote:
On 04/16/2014 05:10 PM, Alexander Bokovoy wrote:
On Wed, 16 Apr 2014, Martin Kosek wrote:
On 04/16/2014 03:59 PM, Alexander Bokovoy wrote:
On Wed, 16 Apr 2014, Simo Sorce wrote:
On Wed, 2014-04-16 at 16:15 +0300, Alexander Bokovoy wrote:
On Wed, 16
On 04/16/2014 05:22 PM, Alexander Bokovoy wrote:
On Wed, 16 Apr 2014, Martin Kosek wrote:
On 04/16/2014 05:10 PM, Alexander Bokovoy wrote:
On Wed, 16 Apr 2014, Martin Kosek wrote:
On 04/16/2014 03:59 PM, Alexander Bokovoy wrote:
On Wed, 16 Apr 2014, Simo Sorce wrote:
On Wed, 2014-04-16 at
On Wed, 16 Apr 2014, Martin Kosek wrote:
In general I am not sure all authenticated users need access to all this
info. Alexander ?
SSSD needs to read some of this information for subdomains support.
That would be at least host/*@REALM who needs to access it.
Can you please list exactly which
Misnyovszki Adam wrote:
Hi,
this patch enables logging json dumps of request and response, using
the --log-payload switch in ipa cli. RFC tag is to ensure that I
handled the --log-payload switch correctly in ipa cli. Be careful, it
only logs, so --log-payload without -v switch doesn't make the
On Wed, 2014-04-16 at 18:34 +0300, Alexander Bokovoy wrote:
On Wed, 16 Apr 2014, Martin Kosek wrote:
In general I am not sure all authenticated users need access to all
this
info. Alexander ?
SSSD needs to read some of this information for subdomains support.
That would be at least
Martin Kosek wrote:
On 04/16/2014 02:14 PM, Petr Viktorin wrote:
A single permission granting anonymous read access covers automountlocation,
automountmap, and automountkey.
This works fine, I am just wondering about the ACI:
1) Simo, are you OK with one ACI covering all automount objects?
On Wed, 2014-04-16 at 11:59 -0400, Rob Crittenden wrote:
Martin Kosek wrote:
On 04/16/2014 02:14 PM, Petr Viktorin wrote:
A single permission granting anonymous read access covers
automountlocation,
automountmap, and automountkey.
This works fine, I am just wondering about the ACI:
On Wed, Apr 16, 2014 at 04:59:55PM +0300, Alexander Bokovoy wrote:
On Wed, 16 Apr 2014, Simo Sorce wrote:
On Wed, 2014-04-16 at 16:15 +0300, Alexander Bokovoy wrote:
On Wed, 16 Apr 2014, Simo Sorce wrote:
+'ipanttrusteddomainsid', 'ipanttrustforesttrustinfo',
+
On 04/16/2014 08:39 AM, Martin Kosek wrote:
On 04/16/2014 09:56 AM, Justin Brown wrote:
...
L: This is interesting, and I have a couple of questions on how this
should work.
1) Is there an actual use-case when a tool actually would want to
check status of a port without correcting it? It seems
On 04/15/2014 05:13 AM, Sumit Bose wrote:
Hi,
I have started to write a design page for 'Migrating existing
environments to Trust'
http://www.freeipa.org/page/V3/Migrating_existing_environments_to_Trust
It shall cover https://fedorahosted.org/freeipa/ticket/3318 and
On 04/16/2014 06:15 PM, Simo Sorce wrote:
On Wed, 2014-04-16 at 11:59 -0400, Rob Crittenden wrote:
Martin Kosek wrote:
On 04/16/2014 02:14 PM, Petr Viktorin wrote:
A single permission granting anonymous read access covers
automountlocation,
automountmap, and automountkey.
This works
63 matches