On Wed, Sep 21, 2016 at 12:01:44PM +0200, Jan Pazdziora wrote:
>
> I've recently hit again the situation of IPA installer not happy
> about the provided IP address not being local to it, this time in
> containerized environment:
>
> https://bugzilla.redhat.com/show_
requirement in the installer come
from and what would break if it was removed altogether?
Thanks,
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo
. I would prefer a scheme where they could be
> combined though for maximum flexibility with as little as possible
> ambiguity.
I agree that managing separate host group membership might be
and extra work. But it seems to be the only way to remove the ambiguity.
--
Jan Pazdziora
Senior Principal So
this difference, they may be
> surprised to find out there are clients that do not honor it.
I prefer the first option. We shouldn't introduce new feature and make
its behaviour ambiguous from the very start.
If the access is denied for old clients when the time-based mechanism
is used, at least i
On Mon, Aug 08, 2016 at 12:52:33PM +0200, Martin Kosek wrote:
>
> I discussed this with Jan Pazdziora on IRC, outside of this mail thread, so
> let
> me repeat my suggestion here. I still think it is premature to add plugins
> like
> that to FreeIPA core git. We are not
ning the delegated certificated fails.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
A and is working on some
polished instructions for the FreeIPA WebUI.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to Fre
ive to merge
The reason I was given when discussing it with a GitHub person was
that it's a performance issue. They are worried that people would use
it for multi-hundred-commit branches and the WebUI would not be able
to provide the same fast response as for single diff/commit.
--
Jan Pazdziora
Seni
gt;
> E.g.
>
> schemes: {http, https, ftp, ftps}
> URI: /home/pspacek
> host: any
> allow: pspacek
> should grant user pspacek access to directory /home/pspacek on any host as
> long as the scheme is http/https/ftp/ftps.
So you propose cartesian product of the schemes and U
P address of the IPA server itself can change with new start,
so the fact that SSSD couldn't talk to IPA was actually correct --
at that time, my client it was trying to talk to the IPA server on IP
address that was no longer valid.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity M
protocol
(scheme) there, there isn't service host name there, and there isn't
port there.
Can you please show (here or in the design page) how you envision
the situation
https://www.redhat.com/archives/freeipa-devel/2016-March/msg00462.html
would be modeled?
--
Jan Pazdziora
Senior Principal
cated access
centrally (in IPA)?
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/pag
t users starting with "admin_", which is a problem if there is
How do you proposed to do that? You'd have to have a user group.
> unknown or infinite or large number of those users. Regular expressions
> seem to be more powerful.
More powerful: certainly. But your proposal also make
xclude /
deny / longest record not found.
I don't like manual excludes either.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contri
the site accessible by all with the
> exceptions defined in "exclude" access rules and then build the rules specific
> to these excluded parts of the application URL tree.
Right, and we also need to give admin a very easy way to define those
excludes implicitly, by having the
enticated sections, with more restricted access to subsections
underneath. How do you envision configuration to look like, and how
will the (missing) user identity be handled in that case?
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
--
Ma
od_authnz_pam.
If that turns out not to be a viable option, using SSSD's D-Bus
interface might the way to go, in which case it would likely be new
module, something like mod_authz_sssd.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
--
Manage your subscription f
On Thu, Mar 24, 2016 at 12:38:37PM +0100, Martin Kosek wrote:
> On 03/24/2016 10:24 AM, Jan Pazdziora wrote:
> > On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
> ...
> > You present two solutions to the problem -- deny rules, and regular
> > expressi
presentation.
My preference would be not to do the methods at this time but have
the data structured in such a way that it's easy to extend later.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
--
Manage your subscription for the Freeipa-devel mailing
ly should be a checkbox for the
user to explicitly enable case-insensitivity.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
C
http(s)://www.example.com/auth/admin/ HBAC rule name 3
User group: network-admins
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman
ing
built into the mechanism.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
milar functionality to what you propose with the
regular expression approach, except the computers will do the work
of keeping things in sync, not users.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
--
Manage your subscription for the Freeipa-devel maili
ate location could increase visibility
and decrease confusion.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA:
rg/coprs/g/freeipa/freeipa-4-2-rc/
> [2] https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-rc/
Unfortunately, it seems the existing 4.3.0 repo at
https://copr.fedorainfracloud.org/coprs/pvoborni/freeipa-4-3/
now contains only mod_auth_gssapi, at least for Fedora 23
e 2.0 value in particular -- not
sure who and where checks that value.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
One-liner.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
>From 612495129cb84fca972c0331adc591ea59dafd21 Mon Sep 17 00:00:00 2001
From: Jan Pazdziora <jpazdzi...@redhat.com>
Date: Tue, 13 Oct 2015 13:07:24 +0200
Subject: [PATCH] The delega
around them.
Either that workaround step is needed and needs to be documented, or
that step should not be needed and there should be a ticket describing
the issue.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
--
Manage your subscription for the F
the test body to
achieve deterministic situation in which running that final check
makes sense.
I can imagine that simple
# workaround 5348
time.sleep(20)
and then some script which would find all these comments and compare
them to resolved tickets might be enough.
--
Jan Pa
not, so (IIUIC) you will keep having
nondeterministic failures in master.
I was mostly interested in the general approach that we have to
workarounds -- how do we track them, how do we make sure they don't
stick in tests forever, even after the issue was already properly
addressed.
--
Jan Pazdzior
process for finding these workarounds and
reverting them, so that the tests test the real, expected behaviour?
Also, instead of blind sleeps, wouldn't it be better to have some
polling for status of the services we are waiting for?
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management
8: Error reading from remote server returned by
/ipa/keys/ra/ipaCert
[Tue Oct 06 13:24:31.017069 2015] [wsgi:error] [pid 10789] ipa: INFO:
[jsonserver_kerb] ad...@example.test: ping(): SUCCESS
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
--
Manage
it failed to create that log file.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/C
/hosts.)
I believe you also need to have the PTR sync enabled in the forward zone
(pesen.net).
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/fr
gt; >I think so, yes.
>
> Turns out it is already there.
Oleg, were you able to build from the branch now?
Simo, could you maybe make a copr repo from your branch?
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
--
Manage your subscri
down
> close to the bottom.
Simo,
could you please add the
How To Test
steps to http://www.freeipa.org/page/V4/Replica_Promotion?
It would make the functional check of this patchset easier, spelling
out how the workflow is supposed to work.
Thank you,
--
Jan Pazdziora
Senior Principal So
t seem to
suffer from the lack of tickets.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
pa/milestone/FreeIPA%204.2.1
it says there are 56 active tickets and clicking that 56 I get to
https://fedorahosted.org/freeipa/query?milestone=FreeIPA+4.2.1=new=assigned=reopened=status
where I can see eight critical defects (besides numerous major).
Is that expected?
--
Jan Pazd
nd it would then not be clear what
> version it is fixed in.
Moving all resolved "FreeIPA 4.2.x backlog" to the correct milestone
at the point that release is released and/or branched might be
reasonable approximation.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Manage
of the transaction.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
did not reload the file contexts
mid-transaction
https://bugzilla.redhat.com/show_bug.cgi?id=505066#c9
and I'm not sure things have changed since RHEL 5.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
--
Manage your subscription
of
selinux-policy after it's done with ipa-server.
Yes, it's just a theoretical situation but we should not shortcut
Requires with Requires(pre), it might teach people reading the .spec
files bad habits.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
be added so
that it's clear that this step should be removed when the ticket
is addressed.
Otherwise, great effort with the How to Test section.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
--
Manage your subscription for the Freeipa-devel mailing
On Tue, Jul 28, 2015 at 03:25:50PM +0300, Alexander Bokovoy wrote:
On Tue, 28 Jul 2015, Jan Pazdziora wrote:
I do run it in container so it could be related, so I'm mostly looking
for blind hints about what might have changed in the installer or
in dogtag itself in 4.2 that could cause
On Tue, Jul 28, 2015 at 03:56:47PM +0200, Jan Pazdziora wrote:
INFO: Server startup in 5444 ms
INFO: Server startup in 5936 ms
INFO: Server startup in 5804 ms
Running netstat at the time when the tomcat should have restarted and
be ready shows
# /usr/bin/netstat -tln
Active Internet
these builds and why we weren't using COPR. The
The Fedora infra admins should be able to provide HTTP logs for the
repo, if you needs some numbers about potential usage.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
--
Manage your subscription
On Tue, Jul 14, 2015 at 08:31:19AM +0200, Petr Spacek wrote:
On 13.7.2015 19:37, Jan Pazdziora wrote:
However -- what is the purpose of the DNS check when adding service?
The service is typically a Kerberos service, which usually is not going to
work if the host does not have DNS record
but the current
ipa: ERROR: Host does not have corresponding DNS A record
is just bad user experience.
Do you propose to change that ERROR to warning, for example,
relaxing the requirement for the DNS records being present?
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management
that check be removed altogether?
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page
You could try running: rpm -Va --nofiles --nodigest
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http
On Fri, Mar 27, 2015 at 09:15:29AM +0100, Jan Pazdziora wrote:
On Thu, Mar 26, 2015 at 06:14:34PM +0100, Petr Vobornik wrote:
The FreeIPA team would like to announce FreeIPA v4.1.4 security release!
It can be downloaded from http://www.freeipa.org/page/Downloads. The builds
before the bits hit stable Fedora.
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page
://admin.fedoraproject.org/updates/freeipa-4.1.4-1.fc21
is in testing and it will be a while before it gets to Fedora proper,
copr repo would give us a stable (no fiddling with updates-testing
enablement) yum source.
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
--
Manage
: mod_auth_kerb = 5.4-16
+Requires: mod_auth_gssapi
Do we assume we will no longer do an upstream 4.2 release on
Fedora 20? Otherwise this should be covered by some %ifs to use
mod_auth_kerb on Fedora 20.
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
--
Manage
that second line could be dropped altogether?
Also, it's FreeIPA with capital IPA -- shouldn't the letters on the
box be capitalized as well?
In any case, since Máirín authored the logo, she should be consulted
about the changes.
--
Jan Pazdziora
Principal Software Engineer, Identity Management
://www.freeipa.org/page/Contribute/Code
might be enough.
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Go to http://www.freeipa.org/page/Contribute/Code
of this feature is to regain the one-way trust support, yet
without giving an elevated access to TDO credentials.
You might also want to either add a note or a link, explaining why
one-way trust is harder than two-way, IOW, why we lost the one-way
ability when we have the two-way one.
--
Jan
On Wed, Dec 03, 2014 at 05:16:23PM +0100, Martin Basti wrote:
On 02/12/14 13:00, Jan Pazdziora wrote:
Hello,
presumably explicitly specifying zone is not needed and can be
harmful.
This should be fixed in template for uploading SSHFP keys as well.
I have zone bububu.test.
2014-12
Hello,
presumably explicitly specifying zone is not needed and can be
harmful.
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
From 934c5672cb0f73fc7d237cbf916707693dff9c39 Mon Sep 17 00:00:00 2001
From: Jan Pazdziora jpazdzi...@redhat.com
Date: Tue, 2
Hello,
Martin suggests dependency on subscription-manager is no longer needed.
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
From 4243c4016d5e9844e555f134ce091cf85c01fcb2 Mon Sep 17 00:00:00 2001
From: Jan Pazdziora jpazdzi...@redhat.com
Date: Tue, 2
package, it might not be immediatelly obvious, what
is causing the possible bloat.
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com
On Mon, Oct 20, 2014 at 03:58:27PM +0200, Petr Vobornik wrote:
The plan is to release 4.1 and then 4.0.4. Besides usual tarballs, 4.1 will
go into Fedora rawhide, f21-updates-testing and mkosek/freeipa copr repo (to
be usable on F20).
And RHEL 7 / CentOS 7?
--
Jan Pazdziora
Principal
just run the tests once per day, no matter what?
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
-0 (with potential future mkosek/freeipa-4-0 copr)
centos-7-4-1 (with potential future mkosek/freeipa-4-1 copr)
Makes sense?
Yes, thanks.
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
___
Freeipa-devel
, the
4.0.3 content is still available?
I'd like to use these yum repos for Docker images and I wonder what
naming I should use for the branches and tags -- centos-7-upstream,
centos-7-4.0.3, or something else?
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
.
Could we make this functionality part of the ipa-server-install script
itself? It could be useful outside of puppet as well?
Do you have any proposal how to go about ipa-client-install in puppet,
without having the password stored/exposed there?
--
Jan Pazdziora
Principal Software Engineer
...
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
. Sometimes pki-selinux fails to load its policy
for some reason. The best thing to do is to force re-install
Did you try to use %posttrans instead of %post?
https://bugzilla.redhat.com/show_bug.cgi?id=505066
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
I found error message
Failed to data from service file: Failed to get list of services to
probe status:
in my logs while experimenting with something and it confused me
a bit, hence this patch.
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
;
char *domain_id;
uint32_t base_id;
uint32_t id_range_size;
uint32_t base_rid;
uint32_t secondary_base_rid;
};
-- no forest_root_id and no id_range_type.
So NACK for applying to master. Perhaps there is some dependency
patch?
--
Jan
sense, I don't see why freeipa-docs needs to share
the same list of committers.
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman
, this antipattern seems needed even if the proper solution would
be to fix wsgi to properly export util. Is there bug filed for that.
Ack based on reading the code and wsgiref documentation where the same
import style is used.
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red
On Tue, Apr 01, 2014 at 10:05:39AM +0200, Tomas Babej wrote:
Yes, that was the intention. Mistake on my part, I'll send updated patches.
Updated patch attached.
Ack based on reading the code and documentation for
slapi_ch_free_string.
--
Jan Pazdziora
Principal Software Engineer
On Wed, Mar 26, 2014 at 05:30:13PM -0600, Gabe Alford wrote:
All,
Please review this patch for https://fedorahosted.org/freeipa/ticket/4156
Added links to documentation on configuring NetworkManager.
Thank you for the patch.
ACK.
--
Jan Pazdziora
Principal Software Engineer, Identity
-client-3.0.0-37.el6.x86_64, tried without
--no-sudo and sudo was added to sssd.conf's services list and sudoeers
added to /etc/nsswitch.conf.
Rerun with --uninstall and run again with the --no-sudo parameter,
those settings were not longer there.
--
Jan Pazdziora
Principal Software Engineer
On Mon, Mar 24, 2014 at 02:57:30PM +0100, Martin Kosek wrote:
On 03/24/2014 02:47 PM, Jan Pazdziora wrote:
On Mon, Mar 03, 2014 at 08:24:41PM +0100, Tomas Babej wrote:
Hi,
Makes ipa-client-install configure SSSD as the data provider
for the sudo service by default. This behaviour can
On Tue, Mar 18, 2014 at 09:02:13AM +0100, Marco Di Sabatino Di Diodoro wrote:
what are the requirements or packages that a client must have to call
JSON/RPC with java? We have a 401 error.
What packages / code do you attempt to use when you get that 401?
--
Jan Pazdziora
Principal Software
for the explanation.
In that case, ack on the patch, provided you add a nice comment. ;-)
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com
/freeipa/ticket/4225
The patch does not seem to apply against master.
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo
by the admin (without the daemon
restart).
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
not totally happy about this patch.
What happens when the ACI is already in LDAP and some part of that
self.obj.add_aci(entry) operation fails? Won't you go and instead of
doing noop, remove the ACI instead?
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
are not present (e.g when running the ipa-client-install in
Is it correct that there are no backslashes in this occurence of
ipa-client-install?
a kickstart, before ever running sshd), they will not be uploaded to the
client host entry on the server.
+
--
Jan Pazdziora
Principal Software Engineer
On Wed, Mar 05, 2014 at 12:33:01PM +0100, Tomas Babej wrote:
Thanks Jan, both fixed.
Ack.
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https
that evaluate to False that are neither
numeric nor boolean should be converted to None.
[...]
Ack, all original values pass the _is_null() test.
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
___
Freeipa-devel
On Thu, Feb 20, 2014 at 12:20:12PM +0100, Petr Viktorin wrote:
On 02/19/2014 04:54 PM, Jan Pazdziora wrote:
However: since this is about restoring a backup, can't the backup
contain the extended attributes, so that the SELinux context gets
restored to the original state (which could
the restorecon will give you)?
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
why.
Maybe poking relevant Fedora people could yield some definitive
answer?
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman
.
For Origin and Enterprise, the installers will typically install and
configure bind, so for the on-site scenarios the solution is already
there. And of course, you can use FreeIPA/IdM as well.
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
installing Origin:
https://bugzilla.redhat.com/show_bug.cgi?id=1027089
But if you were able to overcome those issues, nsupdate with GSS-TSIG
should just work.
Just for the note, with OpenShift Enterprise 1.2.x the feature is
there and working.
--
Jan Pazdziora
Principal Software Engineer
installer
will continue marching towards the goal you gave it, possibly
increasing the number of (wrong) changes which will need to be
restored.
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
___
Freeipa-devel mailing
it upon the next run. Leaving things in consistent state is higher
value than idempotence.
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https
that matters is that there is a machine which
is able to provide a service, on some well-known stable public host
name. Which physical VM serves that service can change rapidly. A one
VM providing the service can change to five with some HA proxy in
front of them.
--
Jan Pazdziora | adelton
On Tue, Sep 10, 2013 at 11:10:25AM -0400, Dmitri Pal wrote:
Regarding SNI, it apparently is not supported in server-side NSS
(https://bugzilla.mozilla.org/show_bug.cgi?id=360421)
We need to either push for a solution to this or allow to switch to
mod_ssl.
Jan Pazdziora investigated
modifying anything, you won't need the token at all.
--
Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman
, if clicked by a logged-in admin.
Could we change the CSRF protection method from the Referrer check to
some user session specific token?
--
Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat
not change with upgrade,
the hash would stay the same and the browser would not need to reload
it.
--
Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat
___
Freeipa-devel mailing list
Freeipa-devel
time
because I think the modifications make development less transparent
(more changes on different places).
Fair enough.
--
Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat
___
Freeipa
operation you do against the server would be my course of
investigation.
--
Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https
for that.
--
Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
/bin/env python
-- shouldn't it be changed as well?
--
Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman
1 - 100 of 110 matches
Mail list logo
