Re: [Freeipa-devel] [PATCH] 0059..0064 Lightweight sub-CAs

2016-06-06 Thread Fraser Tweedale
On Wed, Jun 01, 2016 at 02:51:04PM +1000, Fraser Tweedale wrote: > Hi team, > > This patchset implements the 'ca' plugin for creating and managing > lightweight sub-CAs, and updates the 'caacl' plugin and > 'cert-request' command to support multiple CAs. > > A brief overview of the patches: > >

Re: [Freeipa-devel] V4/Sub-CAs review

2016-06-06 Thread Fraser Tweedale
On Mon, Jun 06, 2016 at 08:29:16AM +0200, Jan Cholasta wrote: > On 1.6.2016 06:49, Fraser Tweedale wrote: > > On Mon, May 23, 2016 at 10:02:44AM +0200, Jan Cholasta wrote: > > > > > > > 2) > > > > > > > > > > > > > > It should be mentioned

Re: [Freeipa-devel] [PATCH] 0034: webui: Authentication indicators

2016-06-06 Thread Pavel Vomacka
On 06/06/2016 07:03 PM, Petr Vobornik wrote: On 06/06/2016 12:27 PM, Pavel Vomacka wrote: On 06/02/2016 06:22 PM, Petr Vobornik wrote: On 06/01/2016 10:41 AM, Pavel Vomacka wrote: On 05/27/2016 05:58 PM, Pavel Vomacka wrote: On 05/27/2016 05:44 PM, Nathaniel McCallum wrote: On Fri,

Re: [Freeipa-devel] [PATCH 0102] test: test_cli: Do not expect defaults in kwargs.

2016-06-06 Thread Martin Basti
On 03.06.2016 12:35, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4739 With this patch all but one test in test_cli.py will pass again. The one failing is a bug in the dns* commands prompt behavior and will be fixed soon. Shame! That is not how we name patches :) ACK

Re: [Freeipa-devel] [PATCH] 0002 Add the culprit line when a configuration file has an incorrect format

2016-06-06 Thread Martin Basti
On 03.06.2016 09:45, Florence Blanc-Renaud wrote: On 06/02/2016 07:18 PM, Martin Basti wrote: On 30.05.2016 18:11, Florence Blanc-Renaud wrote: Hi Martin, thanks for the review and the suggestion. Please find the updated patch attached. Flo. On 05/30/2016 11:00 AM, Martin Basti

Re: [Freeipa-devel] [PATCH] 0039-40: DNS Location: WebUI

2016-06-06 Thread Martin Basti
On 05.06.2016 18:34, Pavel Vomacka wrote: Hello, please review attached patches which add the WebUI part of the DNS Locations feature. -- Pavel^3 Vomacka NACK 1) When I edit the location description and click on the revert button, then that nice location table just disappears :) 2) Can we put a

Re: [Freeipa-devel] [PATCH 0041] Increase nsslapd-db-locks

2016-06-06 Thread Martin Basti
On 03.06.2016 13:38, Stanislav Laznicka wrote: Hello, The attached patch implements a solution to https://fedorahosted.org/freeipa/ticket/5914. The patch is rather hacky as nsslapd-db-locks needs to be modified when DS is not running, although I accept proposals for a better solution.

Re: [Freeipa-devel] [PATCH] 0005 Always qualify requests for admin in ipa-replica-conncheck

2016-06-06 Thread Martin Basti
On 02.06.2016 14:58, Florence Blanc-Renaud wrote: Hi, this patch modifies ipa-replica-conncheck when it performs the SSH connection to the master, so that the username is always fully qualified. https://fedorahosted.org/freeipa/ticket/5812 -- Florence Blanc-Renaud Identity Management

Re: [Freeipa-devel] ipapwd_extop vs password_extop

2016-06-06 Thread Alexander Bokovoy
On Mon, 06 Jun 2016, thierry bordaz wrote: On 06/06/2016 11:07 AM, Alexander Bokovoy wrote: On Mon, 06 Jun 2016, thierry bordaz wrote: Hello, In DS it is possible to register callbacks for extended op. For https://www.ietf.org/rfc/rfc3062.txt (password modify extop), there is a default

Re: [Freeipa-devel] [PATCH] 0034: webui: Authentication indicators

2016-06-06 Thread Petr Vobornik
On 06/06/2016 12:27 PM, Pavel Vomacka wrote: > > > On 06/02/2016 06:22 PM, Petr Vobornik wrote: >> On 06/01/2016 10:41 AM, Pavel Vomacka wrote: >>> >>> On 05/27/2016 05:58 PM, Pavel Vomacka wrote: On 05/27/2016 05:44 PM, Nathaniel McCallum wrote: > On Fri, 2016-05-27 at 17:43

[Freeipa-devel] [PATCH] 0042: Fix bad searching of reverse DNS zone

2016-06-06 Thread Pavel Vomacka
Fix bad searching of reverse DNS zone https://fedorahosted.org/freeipa/ticket/5796 -- Pavel^3 Vomacka From ff1e9d9930146ae998bec34e739d0cd8a1fdaa55 Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Mon, 6 Jun 2016 18:56:03 +0200 Subject: [PATCH] Fix bad searching of

Re: [Freeipa-devel] [PATCH] 958 admintools: missing python3-ipaclient dependency

2016-06-06 Thread Petr Vobornik
On 06/06/2016 07:28 AM, Jan Cholasta wrote: > Hi, > > On 3.6.2016 18:29, Petr Vobornik wrote: >> admintools doesn't pull python[2|3]-ipaclient by default which ends >> with exception if CLI is used. > > Please use this ticket URL: done, new patch

Re: [Freeipa-devel] [PATCH] 0033 webui: Mention SAN names in 'Issue new certificate'

2016-06-06 Thread Petr Vobornik
On 06/04/2016 02:17 AM, Fraser Tweedale wrote: > On Fri, Jun 03, 2016 at 05:17:12PM +0200, Petr Vobornik wrote: >> On 05/10/2016 04:52 PM, Pavel Vomacka wrote: >>> Hi all, >>> >>> please review the patch for webUI which adds SAN names into 'Issue new >>> certificate' dialog. The SAN names are

Re: [Freeipa-devel] [PATCH 0042] Removed dead code from LDAPRemoveReverseMember

2016-06-06 Thread Martin Basti
On 03.06.2016 14:28, Stanislav Laznicka wrote: On 06/03/2016 02:19 PM, Martin Basti wrote: On 03.06.2016 14:13, Stanislav Laznicka wrote: https://fedorahosted.org/freeipa/ticket/5892 NACK please remove it from LDAPAddReverseMember too, it contains the same code Martin^2 Please see

Re: [Freeipa-devel] [PATCH 0036] Increased mod_wsgi socket-timeout

2016-06-06 Thread Martin Basti
On 02.06.2016 19:34, Martin Basti wrote: On 01.06.2016 06:04, Martin Basti wrote: On 31.05.2016 09:41, Stanislav Laznicka wrote: On 05/30/2016 02:12 PM, Petr Spacek wrote: On 28.5.2016 15:59, Martin Basti wrote: On 27.05.2016 14:52, Stanislav Laznicka wrote:

Re: [Freeipa-devel] ipapwd_extop vs password_extop

2016-06-06 Thread thierry bordaz
On 06/06/2016 11:07 AM, Alexander Bokovoy wrote: On Mon, 06 Jun 2016, thierry bordaz wrote: Hello, In DS it is possible to register callbacks for extended op. For https://www.ietf.org/rfc/rfc3062.txt (password modify extop), there is a default callback that is implemented in DS core

[Freeipa-devel] [PATCH 0499] Pylint: exclude some files/dirs from check

2016-06-06 Thread Martin Basti
See commit message, yacctab.py causes lint errors and must be excluded Patch attached. From b8059400c5adf050576854a60455b94eed6e9cfb Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Mon, 6 Jun 2016 16:20:07 +0200 Subject: [PATCH] Exclude unneeded dirs and files from pylint

[Freeipa-devel] [PATCH] 0041: webui: add create/retrieve keytab tables for hosts

2016-06-06 Thread Pavel Vomacka
Hello, please review attached patch. Ticket: https://fedorahosted.org/freeipa/ticket/5931 -- Pavel^3 Vomacka From bef7a296008a32b981d78d521ce452e06b8b59c8 Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Mon, 6 Jun 2016 12:59:24 +0200 Subject: [PATCH] Add lists of

Re: [Freeipa-devel] [PATCH] 0052..0054 Configure lightweight CA key replication

2016-06-06 Thread Fraser Tweedale
On Wed, Jun 01, 2016 at 02:49:29PM +1000, Fraser Tweedale wrote: > Updated patches attached; comments inline. > > On Thu, May 05, 2016 at 04:52:29PM +1000, Fraser Tweedale wrote: > > > I would rather add a new ACI than have one super-ACI for everything. That > > > way you don't have to invent any

Re: [Freeipa-devel] [PATCH] 0051 Allow CustodiaClient to be used by arbitrary principals

2016-06-06 Thread Fraser Tweedale
On Wed, Jun 01, 2016 at 02:49:06PM +1000, Fraser Tweedale wrote: > Updated patch attached; comments inline below. > > On Mon, Apr 25, 2016 at 07:55:46AM +0200, Jan Cholasta wrote: > > I think it would be better to merge the `client` and `client_servicename` > > into a single `client_principal`

[Freeipa-devel] [PATCH] 0006 add context to exception on LdapEntry decode error

2016-06-06 Thread Florence Blanc-Renaud
Hi, please find attached the patch for Ticket 5434 add context to exception on LdapEntry decode error https://fedorahosted.org/freeipa/ticket/5434 From 8094fca2e0a11c1c108959da3a8f05c3d9c62bb7 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Fri, 3 Jun 2016

[Freeipa-devel] [PATCH 0497] Py3: fix unicode/str error in LDAP*ReverseMember

2016-06-06 Thread Martin Basti
https://fedorahosted.org/freeipa/ticket/5923 Patch attached. From 4e4480deef0b336ef89915b3e5dd91a12767051a Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Mon, 6 Jun 2016 12:12:45 +0200 Subject: [PATCH] Py3: Fix unicode/str error in LDAP*ReverseMember There was

Re: [Freeipa-devel] [PATCH 0123-132] DNS upgrade: change forwarding policy to "only" if private IPs are used

2016-06-06 Thread Martin Basti
On 06.06.2016 14:28, Petr Spacek wrote: On 6.6.2016 11:55, Martin Basti wrote: On 30.05.2016 12:49, Petr Spacek wrote: On 29.5.2016 14:45, Martin Basti wrote: On 27.05.2016 14:12, Petr Spacek wrote: On 25.5.2016 12:50, Martin Basti wrote: On 20.05.2016 12:19, Petr Spacek wrote: On

Re: [Freeipa-devel] [PATCH 0123-132] DNS upgrade: change forwarding policy to "only" if private IPs are used

2016-06-06 Thread Petr Spacek
On 6.6.2016 11:55, Martin Basti wrote: > > > On 30.05.2016 12:49, Petr Spacek wrote: >> On 29.5.2016 14:45, Martin Basti wrote: >>> >>> On 27.05.2016 14:12, Petr Spacek wrote: On 25.5.2016 12:50, Martin Basti wrote: > On 20.05.2016 12:19, Petr Spacek wrote: >> On 11.5.2016 12:08,

Re: [Freeipa-devel] [PATCH] 0203 adtrust: remove ipanttrustpartner parameter

2016-06-06 Thread Alexander Bokovoy
On Mon, 06 Jun 2016, Jan Cholasta wrote: On 6.6.2016 13:22, Martin Basti wrote: On 06.06.2016 13:14, Alexander Bokovoy wrote: On Mon, 06 Jun 2016, Martin Basti wrote: On 06.06.2016 12:36, Alexander Bokovoy wrote: Hi, MS-ADTS spec requires that TrustPartner field should be equal to the

Re: [Freeipa-devel] [PATCH] 0203 adtrust: remove ipanttrustpartner parameter

2016-06-06 Thread Jan Cholasta
On 6.6.2016 13:22, Martin Basti wrote: On 06.06.2016 13:14, Alexander Bokovoy wrote: On Mon, 06 Jun 2016, Martin Basti wrote: On 06.06.2016 12:36, Alexander Bokovoy wrote: Hi, MS-ADTS spec requires that TrustPartner field should be equal to the commonName (cn) of the trust. We used it a

Re: [Freeipa-devel] [PATCH] 0203 adtrust: remove ipanttrustpartner parameter

2016-06-06 Thread Martin Basti
On 06.06.2016 13:14, Alexander Bokovoy wrote: On Mon, 06 Jun 2016, Martin Basti wrote: On 06.06.2016 12:36, Alexander Bokovoy wrote: Hi, MS-ADTS spec requires that TrustPartner field should be equal to the commonName (cn) of the trust. We used it a bit wrongly to express trust

Re: [Freeipa-devel] [PATCH] 0203 adtrust: remove ipanttrustpartner parameter

2016-06-06 Thread Alexander Bokovoy
On Mon, 06 Jun 2016, Martin Basti wrote: On 06.06.2016 12:36, Alexander Bokovoy wrote: Hi, MS-ADTS spec requires that TrustPartner field should be equal to the commonName (cn) of the trust. We used it a bit wrongly to express trust relationship between parent and child domains. In fact, we

Re: [Freeipa-devel] [PATCH] 0203 adtrust: remove ipanttrustpartner parameter

2016-06-06 Thread Martin Basti
On 06.06.2016 12:36, Alexander Bokovoy wrote: Hi, MS-ADTS spec requires that TrustPartner field should be equal to the commonName (cn) of the trust. We used it a bit wrongly to express trust relationship between parent and child domains. In fact, we have parent-child relationship recorded in

[Freeipa-devel] [PATCH] 0204 adtrust: support GSSAPI authentication to LDAP as Active Directory user

2016-06-06 Thread Alexander Bokovoy
Hi, In case an ID override was created for an Active Directory user in the default trust view, allow mapping the incoming GSSAPI authenticated connection to the ID override for this user. This allows to self-manage ID override parameters from the CLI, for example, SSH public keys or

[Freeipa-devel] [PATCH] 0203 adtrust: remove ipanttrustpartner parameter

2016-06-06 Thread Alexander Bokovoy
Hi, MS-ADTS spec requires that TrustPartner field should be equal to the commonName (cn) of the trust. We used it a bit wrongly to express trust relationship between parent and child domains. In fact, we have parent-child relationship recorded in the DN (child domains are part of the parent

[Freeipa-devel] [PATCH] 0202 support UPNs for trusted domain users

2016-06-06 Thread Alexander Bokovoy
Hi, Add support for additional user name principal suffixes from trusted Active Directory forests. UPN suffixes are property of the forest and as such are associated with the forest root domain. FreeIPA stores UPN suffixes as ipaNTAdditionalSuffixes multi-valued attribute of ipaNTTrustedDomain

[Freeipa-devel] [PATCH] 0201 Add support for an external trust to Active Directory domain

2016-06-06 Thread Alexander Bokovoy
Hi, this patch adds support for external trust to Active Directory. External trust is a trust that can be created between Active Directory domains that are in different forests or between an Active Directory domain. Since FreeIPA does not support non-Kerberos means of communication, external

Re: [Freeipa-devel] [PATCH] 0002 New User Role Tests

2016-06-06 Thread Martin Basti
On 02.06.2016 16:16, Peter Lacko wrote: Rebased with updated tests. Peter - Original Message - From: "Martin Basti" To: "Peter Lacko" Cc: freeipa-devel@redhat.com Sent: Thursday, June 2, 2016 1:50:06 PM Subject: Re: [Freeipa-devel] [PATCH] 0002

Re: [Freeipa-devel] [PATCH] 0034: webui: Authentication indicators

2016-06-06 Thread Pavel Vomacka
On 06/02/2016 06:22 PM, Petr Vobornik wrote: On 06/01/2016 10:41 AM, Pavel Vomacka wrote: On 05/27/2016 05:58 PM, Pavel Vomacka wrote: On 05/27/2016 05:44 PM, Nathaniel McCallum wrote: On Fri, 2016-05-27 at 17:43 +0200, Pavel Vomacka wrote: On 05/12/2016 11:13 PM, Nathaniel McCallum

Re: [Freeipa-devel] [Testplan Review] Manage replication topology

2016-06-06 Thread Ludwig Krispenz
On 06/06/2016 11:53 AM, Martin Basti wrote: On 06.06.2016 10:00, Oleg Fayans wrote: Hi Petr, I've updated the testplan according to your notes. What should we do with this testcase about abort-clean-ruv? I mean, it would be quite complicated to reliably automate. Should we leave the

Re: [Freeipa-devel] [PATCH 0123-132] DNS upgrade: change forwarding policy to "only" if private IPs are used

2016-06-06 Thread Martin Basti
On 30.05.2016 12:49, Petr Spacek wrote: On 29.5.2016 14:45, Martin Basti wrote: On 27.05.2016 14:12, Petr Spacek wrote: On 25.5.2016 12:50, Martin Basti wrote: On 20.05.2016 12:19, Petr Spacek wrote: On 11.5.2016 12:08, Martin Basti wrote: On 03.05.2016 14:59, Petr Spacek wrote: Hello,

Re: [Freeipa-devel] [Testplan Review] Manage replication topology

2016-06-06 Thread Martin Basti
On 06.06.2016 10:00, Oleg Fayans wrote: Hi Petr, I've updated the testplan according to your notes. What should we do with this testcase about abort-clean-ruv? I mean, it would be quite complicated to reliably automate. Should we leave the testcase anyway with a note that the stem may fail if

Re: [Freeipa-devel] ipapwd_extop vs password_extop

2016-06-06 Thread Alexander Bokovoy
On Mon, 06 Jun 2016, thierry bordaz wrote: Hello, In DS it is possible to register callbacks for extended op. For https://www.ietf.org/rfc/rfc3062.txt (password modify extop), there is a default callback that is implemented in DS core server. Freeipa enables a plugin

[Freeipa-devel] ipapwd_extop vs password_extop

2016-06-06 Thread thierry bordaz
Hello, In DS it is possible to register callbacks for extended op. For https://www.ietf.org/rfc/rfc3062.txt (password modify extop), there is a default callback that is implemented in DS core server. Freeipa enables a plugin 'cn=ipa_pwd_extop,cn=plugins,cn=config' that also

Re: [Freeipa-devel] [PATCH] script for provisioning

2016-06-06 Thread thierry bordaz
On 06/05/2016 10:45 AM, Martin Basti wrote: On 03.06.2016 17:49, thierry bordaz wrote: Hello, A performance bottleneck during provisioning was described http://www.freeipa.org/page/V4/Performance_Improvements#typical_provisioning:_ldapadd_entries.2C_migrate-ds... I wrote the attached

Re: [Freeipa-devel] [Testplan Review]

2016-06-06 Thread Oleg Fayans
Hi Petr, I've updated the testplan according to your notes. What should we do with this testcase about abort-clean-ruv? I mean, it would be quite complicated to reliably automate. Should we leave the testcase anyway with a note that the stem may fail if the command is not issued fast enough? On

Re: [Freeipa-devel] [python-pytest-multihost][PATCH 0003] Added force option to rmdir

2016-06-06 Thread Abhijeet Kasurde
On 06/03/2016 03:00 PM, Abhijeet Kasurde wrote: Hi All, Please review this patch. Self-NACK -- Thanks, Abhijeet Kasurde IRC: akasurde http://akasurde.github.io -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0065 Remove service and host cert issuer validation

2016-06-06 Thread Jan Cholasta
On 3.6.2016 07:15, Fraser Tweedale wrote: The attached patch enables cert issuance to hosts and services using sub-CAs. Thanks, ACK. Rebased and pushed to master: fa149cff86a67ebfe2739df6467a6e10e47742cd -- Jan Cholasta

Re: [Freeipa-devel] [PATCH 0473-0476, 0478-0482]DNS Locations: Prologue

2016-06-06 Thread Martin Kosek
On 06/03/2016 12:51 PM, Martin Basti wrote: > > > On 03.06.2016 08:53, Petr Spacek wrote: >> On 2.6.2016 17:53, Martin Basti wrote: >>> Typo - redundant ' ' at the end. Conditional NACK, warnings mentioned in

Re: [Freeipa-devel] V4/Sub-CAs review

2016-06-06 Thread Jan Cholasta
On 1.6.2016 06:49, Fraser Tweedale wrote: On Mon, May 23, 2016 at 10:02:44AM +0200, Jan Cholasta wrote: 2) It should be mentioned here that the primary CA is also handled by this plugin. I would like to propose two additional fields: *