pport kadmin.
>> We shouldn't.
>>
>> Simo.
>>
>
> I would like to discuss consequences of adding kdc URI records:
>
> 1. basically all ipa clients enrolled using autodiscovery will use
> kdcproxy instead of KDC on port 88, because URI takes precedence over
On 2017-04-27 16:16, Martin Bašti wrote:
>
>
> On 27.04.2017 14:19, Christian Heimes wrote:
>> On 2017-04-27 14:00, Martin Bašti wrote:
>>> I would like to discuss consequences of adding kdc URI records:
>>>
>>> 1. basically all ipa clients enrolled
otiate a TGT and
then installs the trust anchor in the global trust store. It should be
enough to reverse the order and inject the trust anchor first.
Christian
--
Christian Heimes
Senior Software Engineer, Identity Management and Platform Security
Red Hat GmbH, http://www.de.redhat.com/, Register
Hi,
for a while make causes unsolicited modifications to all translation
files. I have to reset all PO files a couple of times a day during
development:
git checkout -- po/*.po
It's slowly wearing me out. I opened ticket
https://fedorahosted.org/freeipa/ticket/6605 a while ago. It contains
On 2017-01-17 12:56, David Kupka wrote:
> Hi Christian,
> uniqueness of uid is not checked in the staging area on purpose, it may be
> changed multiple times before the stageuser is transformed into user
> (activated). The uid uniqueness is then checked during activation.
>
> Third party application
On 2017-01-16 15:52, David Kupka wrote:
> Hello everyone!
>
> I've noticed that our API for stageuser is missing some commands that
> user has (stageuser-{add,remove}-{principal,cert}). I was wondering if
> there is reason for it but after asking some fellows developers it seems
> that there's
On 2016-12-19 15:07, John Dennis wrote:
> I'm not a big fan of NSS, it has its issues. As the author of the
> Python binding I'm quite aware of all the nasty behaviors NSS has and
> needs to be worked around. I wouldn't be sad to see it go but OpenSSL
> has its own issues too. If you remove NSS
On 2016-12-12 10:37, Alexander Bokovoy wrote:
> On ma, 12 joulu 2016, Alexander Bokovoy wrote:
>> On ma, 12 joulu 2016, Christian Heimes wrote:
>>> On 2016-12-12 09:54, Alexander Bokovoy wrote:
>>>> On ma, 12 joulu 2016, Christian Heimes wrote:
>>>>>
On 2016-12-12 09:54, Alexander Bokovoy wrote:
> On ma, 12 joulu 2016, Christian Heimes wrote:
>> Hi Simo,
>>
>> I'm wondering if we need to change kdcproxy for anon pkinit. What kind
>> of Kerberos requests are performed by anon pkinit and to establish a
>> FAST tu
Hi Simo,
I'm wondering if we need to change kdcproxy for anon pkinit. What kind
of Kerberos requests are performed by anon pkinit and to establish a
FAST tunnel? python-kdcproxy allows only request types AS-REQ, TGS-REQ
and AP-REQ+KRB-PRV. Responses are not filtered.
Regards,
Christian
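As an added illustration of the request filtering described above (this is example code, not python-kdcproxy's own implementation, which is not shown on this page): a classifier that forwards only AS-REQ, TGS-REQ and the AP-REQ plus KRB-PRIV pair of the RFC 3244 kpasswd protocol, and rejects everything else. It assumes the KDC-PROXY-MESSAGE envelope has already been stripped, that the payload carries the four-octet length prefix of RFC 4120 section 7.2.2, and that kpasswd requests start with the RFC 3244 header (2-octet length, 2-octet version, 2-octet AP-REQ length). The message kind is taken from the DER APPLICATION tag (AS-REQ 10, TGS-REQ 12, AP-REQ 14, KRB-PRIV 21). The size cap is an arbitrary assumption, and the sample messages are constructed framing skeletons, not real Kerberos traffic.

```python
import struct

# APPLICATION-class constructed DER tags from RFC 4120: 0x60 | tag number.
AS_REQ, TGS_REQ, AP_REQ, KRB_PRIV = 0x6A, 0x6C, 0x6E, 0x75
TAG_NAMES = {AS_REQ: "AS-REQ", TGS_REQ: "TGS-REQ", AP_REQ: "AP-REQ", KRB_PRIV: "KRB-PRIV"}
KPASSWD_VERSIONS = {0x0001, 0xFF80}   # RFC 3244 protocol version numbers
MAX_MESSAGE = 64 * 1024               # assumption: cap on one proxied request


class RejectedRequest(ValueError):
    """Raised for anything the proxy must not forward to the KDC."""


def read_tlv(buf: bytes, off: int = 0):
    """Return (tag, value_start, value_end) of the DER TLV at buf[off:]."""
    if off + 2 > len(buf):
        raise RejectedRequest("truncated DER header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F          # long form; 0x80 (indefinite) is not DER
        if nbytes == 0 or nbytes > 4 or off + nbytes > len(buf):
            raise RejectedRequest("bad DER length encoding")
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    if off + length > len(buf):
        raise RejectedRequest("DER length exceeds buffer")
    return tag, off, off + length


def expect_exact(buf: bytes, tag: int) -> None:
    """buf must be exactly one DER object with the given tag, nothing trailing."""
    got, _, end = read_tlv(buf)
    if got != tag:
        raise RejectedRequest(f"expected {TAG_NAMES[tag]}, got tag 0x{got:02x}")
    if end != len(buf):
        raise RejectedRequest(f"trailing bytes after {TAG_NAMES[tag]}")


def classify_request(framed: bytes) -> str:
    """Classify a length-prefixed Kerberos request or raise RejectedRequest."""
    if len(framed) < 4:
        raise RejectedRequest("missing length prefix")
    declared = int.from_bytes(framed[:4], "big")
    if declared > MAX_MESSAGE:
        raise RejectedRequest("message exceeds size cap")
    body = framed[4:]
    if declared != len(body) or not body:
        raise RejectedRequest("length prefix does not match payload")
    if body[0] in (AS_REQ, TGS_REQ):
        expect_exact(body, body[0])
        return TAG_NAMES[body[0]]
    # kpasswd: 2-octet length, 2-octet version, 2-octet AP-REQ length, AP-REQ, KRB-PRIV
    if len(body) >= 6:
        msg_len, version, ap_len = struct.unpack("!HHH", body[:6])
        if version in KPASSWD_VERSIONS and msg_len == len(body):
            expect_exact(body[6:6 + ap_len], AP_REQ)
            expect_exact(body[6 + ap_len:], KRB_PRIV)
            return "KPASSWD"
    raise RejectedRequest(f"unsupported request, leading tag 0x{body[0]:02x}")


def is_allowed(framed: bytes) -> bool:
    try:
        classify_request(framed)
        return True
    except RejectedRequest:
        return False


# --- constructed sample messages: valid framing around placeholder content ---
def der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def tcp_frame(msg: bytes) -> bytes:
    return len(msg).to_bytes(4, "big") + msg


_PVNO = der(0x30, b"\xa1\x03\x02\x01\x05")          # SEQUENCE { [1] INTEGER 5 }
SAMPLE_AS_REQ = tcp_frame(der(AS_REQ, _PVNO))
SAMPLE_TGS_REQ = tcp_frame(der(TGS_REQ, _PVNO))
SAMPLE_KRB_ERROR = tcp_frame(der(0x7E, _PVNO))       # APPLICATION 30: a reply, never a request
_ap, _priv = der(AP_REQ, _PVNO), der(KRB_PRIV, _PVNO)
SAMPLE_KPASSWD = tcp_frame(struct.pack("!HHH", 6 + len(_ap) + len(_priv), 1, len(_ap)) + _ap + _priv)
SAMPLE_OVERSIZED = (MAX_MESSAGE + 1).to_bytes(4, "big") + b"\x6a"

if __name__ == "__main__":
    for name, msg in [("AS-REQ", SAMPLE_AS_REQ), ("KPASSWD", SAMPLE_KPASSWD),
                      ("KRB-ERROR", SAMPLE_KRB_ERROR), ("oversized", SAMPLE_OVERSIZED)]:
        print(name, "allowed" if is_allowed(msg) else "rejected")
```

The classifier only looks at framing and outer tags; it deliberately does not decode the KDC-REQ body, so a FAST-armored AS-REQ (which is still tagged APPLICATION 10) passes through unchanged. Whether anonymous PKINIT needs anything beyond these three kinds is exactly the open question of the message above, which this example does not answer.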
On 2016-11-21 14:44, Petr Spacek wrote:
>>> 3.3 ipaplatform auto-configuration
>>>
>>> I'm not sure if guessing platform from ID_LIKE is really a good idea. It
>>> might work fine for centos -> rhel, but in general we can't really
>>> assume it will always work, as the platforms listed in ID_LIKE
On 2016-11-21 13:31, Jan Cholasta wrote:
> Hi,
>
> On 11.11.2016 15:25, Christian Heimes wrote:
>> Hello,
>>
>> I have released the first version of a new design document. It describes
>> how I'm going to improve integration of FreeIPA's client libraries
On 2016-11-21 11:38, Jan Cholasta wrote:
> On 21.11.2016 11:04, Christian Heimes wrote:
>> On 2016-11-21 10:46, Jan Cholasta wrote:
>>> On 21.11.2016 10:32, Christian Heimes wrote:
>>>> On 2016-11-21 10:26, Jan Cholasta wrote:
>>>>> On 11.11.2016 18:28,
On 2016-11-21 10:46, Jan Cholasta wrote:
> On 21.11.2016 10:32, Christian Heimes wrote:
>> On 2016-11-21 10:26, Jan Cholasta wrote:
>>> On 11.11.2016 18:28, Christian Heimes wrote:
>>>> On 2016-11-11 17:46, Martin Basti wrote:
>>>>>
>>>
On 2016-11-21 10:26, Jan Cholasta wrote:
> On 11.11.2016 18:28, Christian Heimes wrote:
>> On 2016-11-11 17:46, Martin Basti wrote:
>>>
>>>
>>> On 11.11.2016 15:25, Christian Heimes wrote:
>>>> Hello,
>>>>
>>>> I have release
On 2016-11-11 18:33, Rob Crittenden wrote:
> Martin Basti wrote:
>> 2) if I understand correctly, you want to separate client installer code
>> and client CLI code. In past we had freeipa-admintools but it was
>> removed because it was really tightly bounded to installed client. Do
>> you want to
On 2016-11-11 17:46, Martin Basti wrote:
>
>
> On 11.11.2016 15:25, Christian Heimes wrote:
>> Hello,
>>
>> I have released the first version of a new design document. It describes
>> how I'm going to improve integration of FreeIPA's client libraries
>> (ip
Hello,
I have released the first version of a new design document. It describes
how I'm going to improve integration of FreeIPA's client libraries
(ipalib, ipapython, ipaclient, ipaplatform) for third party developers.
http://www.freeipa.org/page/V4/Integration_Improvements
Regards,
Christian
On 2016-08-23 12:42, Petr Vobornik wrote:
> On 08/11/2016 04:13 PM, Martin Basti wrote:
>>
>>
>> On 08.08.2016 16:10, Christian Heimes wrote:
>>> The server-del plugin now removes the Custodia keys for encryption and
>>> key signing from LDAP.
>>>
On 2016-08-23 12:49, Petr Vobornik wrote:
> On 08/09/2016 01:53 PM, Martin Basti wrote:
>>
>>
>> On 08.08.2016 16:09, Christian Heimes wrote:
>>> I have split up patch 0032 into two smaller patches. This patch only
>>> addresses the server.keys file.
>
The server-del plugin now removes the Custodia keys for encryption and
key signing from LDAP.
https://fedorahosted.org/freeipa/ticket/6015
From be4d66075d108fd9188a3a0b906bace6f6ea5122 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Mon, 8 Aug 2016 16:06:08
of the directory
/etc/ipa/custodia. The installer and upgrader ensure that the file
has 600.
https://bugzilla.redhat.com/show_bug.cgi?id=1353936
https://fedorahosted.org/freeipa/ticket/6056
From 29cdaa5e27e7b8b3690d222c43eb0edfefdd82ba Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
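An added example of the file-permission discipline the commit message above asks for (example code, not FreeIPA's installer or upgrader): create a key file so that it is never observable with permissions wider than 0600, audit an existing file for the 644 mistake, and tighten it the way an upgrader would. The file name, the key material and the scratch directory are constructed for the demo; only the 0600 requirement comes from the page.

```python
import os
import stat
import tempfile

PRIVATE_MODE = 0o600


def write_private_file(path: str, data: bytes) -> None:
    """Create path owner-only before any secret byte is written.

    O_EXCL refuses to reuse an existing file or follow a symlink at path.
    umask can only clear bits from 0600, so the file never appears wider
    than that; fchmod() then restores owner bits an unusual umask removed.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, PRIVATE_MODE)
    try:
        os.fchmod(fd, PRIVATE_MODE)
        os.write(fd, data)
    finally:
        os.close(fd)


def audit_private_file(path: str, expected_uid=None) -> list:
    """Return a list of findings; an empty list means the file is acceptable."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["is a symbolic link"]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    findings = []
    perm = stat.S_IMODE(st.st_mode)
    if perm & 0o077:
        findings.append(f"mode {perm:04o} grants group/other access; want {PRIVATE_MODE:04o}")
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    return findings


def fix_private_file(path: str) -> int:
    """Tighten an existing file to 0600 and return the resulting mode."""
    os.chmod(path, PRIVATE_MODE)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo_in_tempdir() -> dict:
    """Create, audit, break and repair a constructed key file in a scratch directory."""
    tmp = tempfile.mkdtemp(prefix="custodia-demo-")
    path = os.path.join(tmp, "server.keys")
    try:
        write_private_file(path, b'{"kid": "constructed-demo-key"}')
        created_mode = stat.S_IMODE(os.stat(path).st_mode)
        clean = audit_private_file(path, expected_uid=os.getuid())
        os.chmod(path, 0o644)                  # reproduce the bug: world-readable key file
        bad = audit_private_file(path)
        fixed_mode = fix_private_file(path)
        try:
            write_private_file(path, b"x")     # must refuse to clobber the existing file
            clobbered = True
        except FileExistsError:
            clobbered = False
    finally:
        os.remove(path)
        os.rmdir(tmp)
    return {"created_mode": created_mode, "clean": clean, "bad": bad,
            "fixed_mode": fixed_mode, "clobbered": clobbered}


if __name__ == "__main__":
    for k, v in demo_in_tempdir().items():
        print(k, oct(v) if isinstance(v, int) else v)
```

The audit uses lstat() so a symlink planted at the path is reported rather than followed; a real upgrader would run it as the service user and pass that user's uid as expected_uid.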
On 2016-07-07 14:54, Martin Basti wrote:
> Patch needs changes in ipa-4-3 branch
Here are patches for master and ipa-4-3 branch. I have rebased both
patches to head.
Christian
From e3a99ef8a6245d6e1bca22b3b0cede5d2ff608e8 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com
On 2016-07-19 17:03, Martin Basti wrote:
>
>
> On 12.07.2016 16:45, Christian Heimes wrote:
>> Custodia's server.keys file contain the private RSA keys for encrypting
>> and signing Custodia messages. The file was created with permission 644
>> and is onl
/system/httpd.service.d/.
https://fedorahosted.org/freeipa/ticket/6158
https://bugzilla.redhat.com/show_bug.cgi?id=1362537
From c6ab5d9323c1cc389ab221e0fc1c5290cc0075d4 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Tue, 2 Aug 2016 16:58:07 +0200
Subject: [PATCH] Correc
: Christian Heimes <chei...@redhat.com>
Date: Fri, 8 Jul 2016 20:06:57 +0200
Subject: [PATCH] Secure permission and cleanup Custodia server.keys
Custodia's server.keys file contain the private RSA keys for encrypting
and signing Custodia messages. The file was created with permission 644
and is only s
On 2016-07-07 14:54, Martin Basti wrote:
> Patch needs changes in ipa-4-3 branch
My patch? Do you want me to submit a patch for 4.3 branch?
Christian
signature.asc
Description: OpenPGP digital signature
--
Manage your subscription for the Freeipa-devel mailing list:
On 2016-07-01 11:17, Petr Spacek wrote:
> On 1.7.2016 11:04, Christian Heimes wrote:
>> On 2016-07-01 10:59, Petr Spacek wrote:
>>> On 1.7.2016 10:55, Christian Heimes wrote:
>>>> On 2016-07-01 10:48, Petr Spacek wrote:
>>>>>
On 2016-07-01 10:48, Petr Spacek wrote:
> On 1.7.2016 10:42, Christian Heimes wrote:
>> RedHatCAService.wait_until_running() uses dogtag.ca_status() to make a
>> HTTP(s) request to Dogtag in order to check if /ca/admin/ca/getStatus
>> returns OK. The ca_statu
-install waits for master:8080 instead of replica:8080,
which might be blocked by a firewall.
https://fedorahosted.org/freeipa/ticket/6016
From 134f639aadad1b63e8715ec05fa06b53a3f12e74 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Fri, 1 Jul 2016 10:21:06 +0200
S
On 2016-06-28 12:49, Martin Kosek wrote:
> On 06/28/2016 12:49 PM, Jan Cholasta wrote:
>> On 28.6.2016 12:33, Martin Kosek wrote:
>>> On 06/28/2016 12:23 PM, Fraser Tweedale wrote:
On Tue, Jun 28, 2016 at 11:00:17AM +0200, Martin Kosek wrote:
> Hi Fraser,
>
> I was testing FreeIPA
On 2016-05-25 11:46, Martin Kosek wrote:
> On 05/25/2016 10:03 AM, Jan Pazdziora wrote:
>> On Mon, May 23, 2016 at 04:24:38PM +0200, Florence Blanc-Renaud wrote:
>>>
>>> - I start working on a specific issue and decide to create a branch on my
>>> git repository (on my laptop)
>>> git clone
On 2016-05-24 16:29, Nathaniel McCallum wrote:
> Using a pragma instead of guards is easier to write, less error prone
> and avoids name clashes (a source of very subtle bugs). This pragma
> is supported on almost all compilers, including all the compilers we
> care about:
On 2016-05-06 15:50, Martin Babinsky wrote:
> On 05/06/2016 03:43 PM, Petr Spacek wrote:
>> Hello,
>>
>> I wonder if we should stop supporting new installations where
>> Kerberos realm != uppercase(primary DNS domain).
>>
>> It breaks a lot of stuff, is harder to manage and docs are full of
>>
Hi Fraser,
and now to the review of your design doc for RFC 2818-compliant subject
alternative names in certs,
http://www.freeipa.org/page/V4/RFC_2818_certificate_compliance
1) RFC 2818 vs. RFC 6125
First I like to address a more general topic. Your design mentions RFC
6125 shortly. IMHO RFC
Hi Fraser,
I'm the reviewer for your Sub-CAs and RFC 2818 designs. Let's start with
Sub-CAs first. http://www.freeipa.org/page/V4/Sub-CAs
In general the design is well written -- accurate as usual. I didn't
want to ACK the design with a simple LGTM, so I put myself in the
position of a customer
Hi,
while I was working on my Ansible playbook I ran into an issue. It is
hard to detect if a FreeIPA server instance is fully installed and all
its services are ready to handle requests. It's even harder to check it
remotely. I have figured out some heuristics to detect that a server is
*not*
On 2016-04-07 11:09, Petr Spacek wrote:
> On 7.4.2016 08:43, Fraser Tweedale wrote:
>> Hi team,
>>
>> I updated the Sub-CAs design page with more detail for the key
>> replication[1]. This part of the design is nearly complete (a large
>> patchset is in review over at pki-devel@) but there are
On 2016-03-21 12:02, Jan Cholasta wrote:
> Hi,
>
> On 18.3.2016 15:26, Christian Heimes wrote:
>> Hi,
>>
>> I'd like to use FreeIPA's RPC interface from Ansible directly. But the
>> output of plugins is rather unfriendly and unpythonic:
>>
>>>>
On 2016-03-21 10:29, Petr Spacek wrote:
> On 20.3.2016 21:56, Martin Basti wrote:
>> Patches attached.
>
> I do not really like
> freeipa-mbasti-0442-pylint-remove-bare-except
> because it replaces most of
>
> try: ... except:
>
> with
>
> try: ... except Exception:
>
>
> which AFAIK does
Hi,
I'd like to use FreeIPA's RPC interface from Ansible directly. But the
output of plugins is rather unfriendly and unpythonic:
>>> print(api.Command.dnsconfig_show())
{u'result': {u'dn': u'cn=dns,dc=ipa,dc=example', u'idnsallowsyncptr':
(u'FALSE',)}, u'value': None, u'summary': None}
Please
ror, rebased it and attaching two
>> versions for master and for 4.3 branch.
>> I haven't found any missing cases and it works for me. If you're OK with the
>> modified patches it can be pushed.
>>
>> David
>>
>> - Original Message -
>> From: "
On 2016-02-11 14:43, Martin Kosek wrote:
>> Pushed to:
>> master: 5ac3a3cee534a16db86c541b9beff4939f03410e
>> ipa-4-3: c3496a4a4893c75789bdf0c617e46923361fb43b
>>
>
> Very cool! Thanks guys! Looking forward to deploying FreeIPA 4.3.1 on the
> FreeIPA public demo :-)
I have to change the cipher
On 2016-01-29 15:05, Martin Basti wrote:
>
>
> On 29.01.2016 14:42, Christian Heimes wrote:
>> On 2016-01-28 09:47, Martin Basti wrote:
>>>
>>> On 22.01.2016 12:32, Martin Kosek wrote:
>>>> On 01/21/2016 04:21 PM, Christian Heimes wrote:
>>
On 2016-01-28 09:47, Martin Basti wrote:
>
>
> On 22.01.2016 12:32, Martin Kosek wrote:
>> On 01/21/2016 04:21 PM, Christian Heimes wrote:
>>> The list of supported TLS cipher suites in /etc/httpd/conf.d/nss.conf
>>> has been modernized. Insecure or less secur
On 2016-01-21 11:29, Martin Basti wrote:
>
>
> On 18.01.2016 17:55, Christian Heimes wrote:
>> On 2016-01-18 17:28, Martin Basti wrote:
>>> https://fedorahosted.org/freeipa/ticket/5538
>>>
>>> Patch attached
>> ACK
>>
>>
> Pushed t
TLS_RSA_WITH_AES_256_CBC_SHA
https://fedorahosted.org/freeipa/ticket/5589
From 26d356970ef1f7de7b00fe237f67345c507c7989 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Thu, 21 Jan 2016 16:09:10 +0100
Subject: [PATCH] Modernize mod_nss's cipher suites
The list of sup
On 2016-01-20 02:54, Fraser Tweedale wrote:
> On Tue, Jan 19, 2016 at 02:20:27PM +0100, Christian Heimes wrote:
>> ipaplatform.constants has platform specific names for a couple of system
>> users like Apache HTTPD. The user names for PKI_USER, PKI_GROUP, DS_USER
>> and
On 2016-01-20 12:15, Abhijeet Kasurde wrote:
> Hi Christian,
>
> On 01/20/2016 04:15 PM, Christian Heimes wrote:
>> On 2016-01-20 08:30, Abhijeet Kasurde wrote:
>>> Ping for review request.
>> Hi,
>>
>> your initial patch has a small problem. Please pr
On 2016-01-20 08:30, Abhijeet Kasurde wrote:
> Ping for review request.
Hi,
your initial patch has a small problem. Please provide a new patch with
port 464 instead of 749.
Christian
/freeipa/ticket/5619
From bd49251543c480ed3d4527b3aeb32f0df6fc9e67 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Tue, 19 Jan 2016 14:18:30 +0100
Subject: [PATCH] Move user/group constants for PKI and DS into ipaplatform
https://fedorahosted.org/freeipa/ticke
On 2016-01-19 13:43, Martin Basti wrote:
> +
> +def fake_class(name_or_class_obj, members=[]):
Please use a non-mutable argument here. members=() will do the job just
fine.
> +if isinstance(name_or_class_obj, scoped_nodes.Class):
> +cl = name_or_class_obj
> +else:
> +cl =
On 2016-01-18 17:28, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/5538
>
> Patch attached
ACK
On 2016-01-15 13:44, Tomas Babej wrote:
> Hi,
>
> For the dates older than 1900, Python is unable to convert the datetime
> representation to string using strftime:
>
> https://bugs.python.org/issue1777412
>
> Work around the issue adding a custom method to convert the datetime
> objects to
On 2016-01-08 13:26, Martin Kosek wrote:
> Hi Fraser and other X.509 SMEs,
>
> I wanted to check with you on what we have or plan to have with respect to
> certificate/cipher strength in FreeIPA.
>
> When I visit the FreeIPA public demo for example, I usually see following
> errors with recent
On 2016-01-08 16:49, Petr Spacek wrote:
> On 8.1.2016 13:56, Fraser Tweedale wrote:
>> On Fri, Jan 08, 2016 at 01:26:57PM +0100, Martin Kosek wrote:
Hi Fraser and other X.509 SMEs,
I wanted to check with you on what we have or plan to have with respect to
certificate/cipher
On 2016-01-05 11:30, Tomas Babej wrote:
>
>
> On 01/05/2016 08:54 AM, Jan Cholasta wrote:
>> Hi,
>>
>> the attached patch replaces the default_encoding_utf8 binary module with
>> 2 lines of equivalent Python code.
>>
>> Honza
>>
>>
>>
>
> This looks fine to me, however, I wonder, why this
The combination of a bug in Dogtag's sslget command and a new feature
in mod_nss causes an incomplete uninstallation of KRA. The bug has been
fixed in Dogtag 10.2.6-13.
https://fedorahosted.org/freeipa/ticket/5469
https://fedorahosted.org/pki/ticket/1704
Signed-off-by: Christian Heimes <c
On 2016-01-04 23:38, Nalin Dahyabhai wrote:
> On Mon, Dec 21, 2015 at 12:17:08PM +0530, Abhijeet Kasurde wrote:
>> Hi All,
>>
>> Please review patches attached.
>
> The port number should probably be changed from 749 to 464.
Nalin is correct. kpasswd and admin server use different ports:
$
Hi,
in ticket https://fedorahosted.org/freeipa/ticket/5538 Ludwig has
suggested to exclude Dogtag's o=ipaca tree from the changelog. Sometimes
vault-archive fails because of a failed write to the Retro Changelog.
The RetroCL was enabled in https://fedorahosted.org/freeipa/ticket/3967
for the
On 2015-12-07 19:59, Petr Vobornik wrote:
> On 7.12.2015 16:26, Christian Heimes wrote:
>> On 2015-12-07 16:17, Alexander Bokovoy wrote:
>>> On Mon, 07 Dec 2015, Christian Heimes wrote:
>>>> The patch fixes SELinux violations in Fedora 23.
>>>>
>>
by raising an ImportError.
From 5ac052f085c74f058703c5da29d59849c11e571f Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Thu, 3 Dec 2015 14:26:19 +0100
Subject: [PATCH 26/26] Workarounds for SELinux execmem violations in
cryptography
ipaserver.dcerpc uses M2Crypto
On 2015-12-07 16:17, Alexander Bokovoy wrote:
> On Mon, 07 Dec 2015, Christian Heimes wrote:
>> The patch fixes SELinux violations in Fedora 23.
>>
>> Background: Recent versions of cryptography cause SELinux violation
>> which will lead to a segfault, see
>
On 2015-12-03 11:04, Jan Cholasta wrote:
> On 2.12.2015 13:44, Petr Spacek wrote:
>> On 2.12.2015 13:23, Jan Cholasta wrote:
>>> On 2.12.2015 12:54, Petr Spacek wrote:
>>>> On 2.12.2015 12:51, Christian Heimes wrote:
>>>>> On 2015-12-02 08:37,
On 2015-12-02 08:37, Petr Spacek wrote:
> On 1.12.2015 18:42, Christian Heimes wrote:
>> From 33be1f56a64e53d261a1058c4606a7e48c0aac52 Mon Sep 17 00:00:00 2001
>> From: Christian Heimes <chei...@redhat.com>
>> Date: Tue, 1 Dec 2015 15:49:53 +0100
>> Subject:
In the case of a failed installation or uninstallation of a Dogtag
subsystem, the error output of pkispawn / pkidestroy are now shown to
the user. It makes it more obvious what went wrong and makes it easier
to debug a problem.
The error handler also attempts to get the full name of the
Now the correct patch file instead of a vim swap file...
From 33be1f56a64e53d261a1058c4606a7e48c0aac52 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Tue, 1 Dec 2015 15:49:53 +0100
Subject: [PATCH 25] Improve error logging for Dogtag subsystem installation
In th
On 2015-10-09 15:11, Jan Cholasta wrote:
> On 9.10.2015 15:00, Christian Heimes wrote:
>> On 2015-10-09 13:21, Jan Orel wrote:
>>> Hello,
>>>
>>> this patch removes (IMHO) redundant check in cert_show, which fails when
>>> host tries to re-submit c
On 2015-09-30 08:05, Alexander Bokovoy wrote:
> On Tue, 29 Sep 2015, Brian Stinson wrote:
>> Hi FreeIPA!
>>
>> We are starting a working group of member projects looking to solve
>> problems
>> related to Community Authentication. The FreeIPA Community Portal
>> feature added
>> this summer is one
On 2015-09-23 12:40, Jan Cholasta wrote:
> On 23.9.2015 11:44, Christian Heimes wrote:
>> On 2015-09-23 10:54, Jan Cholasta wrote:
>>>> Correction, the HTTP server works, but it spits lots of errors in
>>>> error_log about /var/lib/kdcproxy not existing.
>
On 2015-09-23 10:54, Jan Cholasta wrote:
>> Correction, the HTTP server works, but it spits lots of errors in
>> error_log about /var/lib/kdcproxy not existing.
>>
>> Is the KDCProxy supposed to be installed/enabled on upgrade ?
>> If not, why not ?
>> Even if it is not enabled, shouldn't the
The ipa-httpd-kdcproxy script now handles LDAP timeout errors correctly.
A timeout no longer results in an Apache startup error.
https://fedorahosted.org/freeipa/ticket/5292
From 7ae756234534f0c6e750b5820733c6c5cb0682c6 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.
On 2015-09-10 14:58, Rob Crittenden wrote:
> Christian Heimes wrote:
>> The ipa-httpd-kdcproxy script now handles LDAP timeout errors correctly.
>> A timeout no longer results in an Apache startup error.
>>
>> https://fedorahosted.org/freeipa/ticket/529
On 2015-08-21 12:55, Petr Viktorin wrote:
On 08/14/2015 07:44 PM, Petr Viktorin wrote:
Hello,
These patches bring IPA another step towards compatibility with Python 3.
Most of these were made by fixers from the python-modernize tool, but
I reviewed and edited the results.
Here are the
a6eb87a73c1462a4de516f19b219b51e415852e5 Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Wed, 19 Aug 2015 13:32:01 +0200
Subject: [PATCH] Add flag to list all service and user vaults
The vault-find plugin has two additional arguments to list all
service vaults or user vaults
On 2015-08-13 12:10, Petr Vobornik wrote:
On 07/23/2015 08:38 PM, Christian Heimes wrote:
The ipa vault commands now load the public keys in order to verify them.
The validation also prevents a user from accidentally sending her
private keys to the server. The patch fixes #5142 and #5142
On 2015-08-13 14:05, Petr Vobornik wrote:
On 08/13/2015 12:38 PM, Christian Heimes wrote:
On 2015-08-13 12:10, Petr Vobornik wrote:
On 07/23/2015 08:38 PM, Christian Heimes wrote:
The ipa vault commands now load the public keys in order to verify
them.
The validation also prevents a user
On 2015-08-12 18:10, Tomas Babej wrote:
On 08/10/2015 05:39 PM, Petr Viktorin wrote:
On 08/03/2015 11:07 AM, Christian Heimes wrote:
On 2015-07-31 19:14, Petr Viktorin wrote:
Hello,
Here is a batch of mostly mechanical changes: removing deprecated
features to prepare for Python 3.
Out
Python 3 porting mode for make-lint
http://docs.pylint.org/features.html#general-options
From eb0565a16934a85df5075a6389dc49239e08f699 Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Mon, 3 Aug 2015 11:18:03 +0200
Subject: [PATCH] make-lint Python 3 porting mode
pylint
On 2015-07-31 23:14, Simo Sorce wrote:
On Fri, 2015-07-31 at 19:14 +0200, Petr Viktorin wrote:
Hello,
Here is a batch of mostly mechanical changes: removing deprecated
features to prepare for Python 3.
Do we have accompanying lint (or similar) tests that will prevent new
patches from
On 2015-08-03 11:30, Jan Cholasta wrote:
Hi,
Dne 3.8.2015 v 11:22 Christian Heimes napsal(a):
Python 3 porting mode for make-lint
http://docs.pylint.org/features.html#general-options
I would rather wait until all the modernization patches are pulled in
and then make the porting mode
On 2015-07-31 19:14, Petr Viktorin wrote:
Hello,
Here is a batch of mostly mechanical changes: removing deprecated
features to prepare for Python 3.
Out of curiosity, what tool did you use for patch 695-absolute-imports?
Python-modernize adds from __future__ import absolute_imports and
changes
file can't be, an internal error was raised. The patch wraps all reads
and turns any IOError and UnicodeError into a ValidationError.
https://fedorahosted.org/freeipa/ticket/5155
From 71b3fcd6862bae2bfc6ea3e6fd38014ed77d4bac Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date
Hello,
While I was working on the ticket
https://fedorahosted.org/freeipa/ticket/5155, I noticed a couple of
additional places that may raise an IOError. Instead of a File()
parameter, the vault plugin uses Str() parameter in combination with
open() to read files.
For passwords I can mostly
On 2015-07-30 15:06, Michael Šimáček wrote:
I didn't use ctypes, because it was advised against on this list:
https://www.redhat.com/archives/freeipa-devel/2012-February/msg00268.html
For the tests it's probably fine, but so is using klist.
It would actually help a lot with getting the default
On 2015-07-30 14:37, Jan Cholasta wrote:
Hi,
Dne 30.7.2015 v 14:07 Christian Heimes napsal(a):
Hello,
While I was working on the ticket
https://fedorahosted.org/freeipa/ticket/5155, I noticed a couple of
additional places that may raise an IOError. Instead of a File()
parameter
callback?
(can find it in dns plugin, search for context)
Sounds good to me!
Christian
PS: Context is a fancy name for a TLS dict. ;)
From 1c7a67f331fb7d07f1e306e292e97b1df810958c Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Thu, 23 Jul 2015 17:48:56 +0200
Subject
On 2015-07-29 10:09, Michael Šimáček wrote:
GSSAPI doesn't provide any method (that I'm aware of) to get default
ccache name. In most cases this is not needed as we can simply not pass
any name and it will use the default. The ldap plugin had to be adjusted
for this - the connect method now
2001
From: Christian Heimes chei...@redhat.com
Date: Tue, 28 Jul 2015 16:12:40 +0200
Subject: [PATCH] Change internal rsa_(public|private)_key variable names
In two places the vault plugin refers to rsa public or rsa private key
although the code can handle just any kind of asymmetric algorithms,
e.g
On 2015-07-24 05:15, Fraser Tweedale wrote:
diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py
index
5550ed942521dbab2e783fba1570520268f9b378..fe8934690fe09499f0bacb6610d9815a2b4367a4
100644
--- a/ipalib/plugins/certprofile.py
+++ b/ipalib/plugins/certprofile.py
@@
Hello,
while I was working on https://fedorahosted.org/freeipa/ticket/5142 and
patch 019, I noticed the variable names rsa_public_key and
rsa_private_key in vault.py. load_pem_public_key() can load and return
other key formats (DSA, ECDSA), too. Does vault mean to support the
other algorithms?
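An added example for the vault public key validation discussed in the messages above (example code, not the vault plugin itself): load the PEM with the cryptography library's load_pem_public_key(), tell the user when the file is actually a private key instead of silently failing, restrict the result to the algorithm types the thread names (RSA, DSA, EC), and wrap file I/O errors so that an unreadable path becomes a validation error rather than an internal error. ValidationError here is a plain stand-in for the ipalib error class (assumption), the error text mirrors the message shown on this page, and the sample keys are generated in-process as constructed test data.

```python
from cryptography.exceptions import UnsupportedAlgorithm
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa

# Key types the example accepts; the page names RSA, DSA and ECDSA.
SUPPORTED = {rsa.RSAPublicKey: "rsa", ec.EllipticCurvePublicKey: "ec", dsa.DSAPublicKey: "dsa"}


class ValidationError(ValueError):
    """Stand-in for the plugin's user-facing validation error (assumption)."""


def _is_private_key(pem: bytes) -> bool:
    """True if the PEM parses as a private key, encrypted or not."""
    try:
        serialization.load_pem_private_key(pem, password=None)
        return True
    except TypeError:                 # encrypted private key: password required
        return True
    except (ValueError, UnsupportedAlgorithm):
        return False


def key_algorithm(key) -> str:
    for cls, name in SUPPORTED.items():
        if isinstance(key, cls):
            return name
    raise ValidationError(f"Invalid or unsupported vault public key: {type(key).__name__}")


def validate_vault_public_key(pem: bytes):
    """Return the parsed public key or raise ValidationError with a usable message."""
    try:
        key = serialization.load_pem_public_key(pem)
    except (ValueError, TypeError, UnsupportedAlgorithm) as exc:
        if _is_private_key(pem):
            raise ValidationError("file contains a private key; refusing to send it to the server")
        raise ValidationError(f"Invalid or unsupported vault public key: {exc}")
    key_algorithm(key)                # rejects key types outside SUPPORTED
    return key


def read_vault_public_key_file(path: str):
    """Read and validate a PEM file; I/O failures surface as ValidationError.

    Reading bytes rather than text also sidesteps decoding errors on binary input.
    """
    try:
        with open(path, "rb") as f:
            pem = f.read()
    except OSError as exc:
        raise ValidationError(f"cannot read '{path}': {exc.strerror or exc}")
    return validate_vault_public_key(pem)


def validation_error(pem: bytes):
    """Return the error message for pem, or None if it validates."""
    try:
        validate_vault_public_key(pem)
        return None
    except ValidationError as exc:
        return str(exc)


def file_validation_error(path: str):
    try:
        read_vault_public_key_file(path)
        return None
    except ValidationError as exc:
        return str(exc)


# --- constructed sample keys (generated here, not taken from the page) ---
_PEM, _SPKI = serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo
_rsa = rsa.generate_private_key(public_exponent=65537, key_size=2048)
SAMPLE_RSA_PUBLIC_PEM = _rsa.public_key().public_bytes(_PEM, _SPKI)
SAMPLE_RSA_PRIVATE_PEM = _rsa.private_bytes(
    _PEM, serialization.PrivateFormat.PKCS8, serialization.NoEncryption())
SAMPLE_EC_PUBLIC_PEM = ec.generate_private_key(ec.SECP256R1()).public_key().public_bytes(_PEM, _SPKI)

if __name__ == "__main__":
    for label, pem in [("rsa public", SAMPLE_RSA_PUBLIC_PEM), ("ec public", SAMPLE_EC_PUBLIC_PEM),
                       ("rsa PRIVATE", SAMPLE_RSA_PRIVATE_PEM), ("garbage", b"not a key")]:
        print(label, "->", validation_error(pem) or "ok")
```

The private-key probe runs only after the public-key parse has already failed, so a well-formed public key never touches load_pem_private_key(); the probe exists purely to turn "could not unserialize key data" into a message that tells the user what they actually did wrong.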
44212c91336f2dfbfdc1b6cefea3f928ba9074e9 Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Thu, 23 Jul 2015 17:48:56 +0200
Subject: [PATCH] certprofile-import: do not require profileId in profile data
certprofile-import no longer requires profileId in profile data. Instead
The certprofile-import plugin expects a raw Dogtag config file. The XML
format is not supported. --help gives a hint about the correct file format.
https://fedorahosted.org/freeipa/ticket/5089
From 1344425af2886797ec9cef40a325e56a8d1752eb Mon Sep 17 00:00:00 2001
From: Christian Heimes chei
mykey.pem
ipa: ERROR: invalid 'ipavaultpublickey': Invalid or unsupported vault
public key: Could not unserialize key data.
https://fedorahosted.org/freeipa/ticket/5142
https://fedorahosted.org/freeipa/ticket/5143
From fd380c4539fdd18a7d10786230c15a259b097af6 Mon Sep 17 00:00:00 2001
From: Christian
On 2015-07-23 11:06, Alexander Bokovoy wrote:
On Thu, 23 Jul 2015, Christian Heimes wrote:
This patch removes the dependency on M2Crypto in favor of cryptography.
Cryptography is more strict about the key size and doesn't support
non-standard key sizes:
from M2Crypto import RC4
from
On 2015-07-23 10:54, Jan Cholasta wrote:
Hi,
Dne 23.7.2015 v 10:43 Christian Heimes napsal(a):
This patch removes the dependency on M2Crypto in favor of cryptography.
Cryptography is more strict about the key size and doesn't support
non-standard key sizes:
from M2Crypto import RC4
from
://cryptography.readthedocs.org/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.ARC4
https://fedorahosted.org/freeipa/ticket/5148
From da4aa9baa932e335ad0bd0f3cfe2551667c7ca76 Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Tue, 21 Jul 2015 15:18:40
Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Thu, 23 Jul 2015 12:20:49 +0200
Subject: [PATCH] Require Dogtag PKI >= 10.2.6
Dogtag 10.2.6 comes with two fixes for cloning from 9.x to 10.x
instances:
https://fedorahosted.org/pki/ticket/1495
https://fedorahosted.org
On 2015-07-22 20:23, Nathaniel McCallum wrote:
Related: CVE-2015-5159
https://bugzilla.redhat.com/show_bug.cgi?id=1245200
The patch prevents a flood attack but I consider it more a workaround than
a solution. I'll update kdcproxy tomorrow.
Christian
On 2015-07-22 20:38, Nathaniel McCallum wrote:
On Wed, 2015-07-22 at 20:34 +0200, Christian Heimes wrote:
On 2015-07-22 20:23, Nathaniel McCallum wrote:
Related: CVE-2015-5159
https://bugzilla.redhat.com/show_bug.cgi?id=1245200
The patch prevents a flood attack but I consider it more