On 06/04/2014 06:04 PM, thierry bordaz wrote:
On 06/04/2014 05:41 PM, Simo Sorce wrote:
On Wed, 2014-06-04 at 13:46 +0200, Ludwig Krispenz wrote:
On 06/04/2014 10:43 AM, thierry bordaz wrote:
So my proposal would contain the following components
1] Store replication configuration
On 06/05/2014 03:14 PM, Ludwig Krispenz wrote:
On 06/05/2014 02:45 PM, Simo Sorce wrote:
On Thu, 2014-06-05 at 11:27 +0200, Ludwig Krispenz wrote:
On 06/04/2014 06:04 PM, thierry bordaz wrote:
But this requires that the node database is already initialized (have
the same replicageneration
On 06/04/2014 10:43 AM, thierry bordaz wrote:
So my proposal would contain the following components
1] Store replication configuration in the shared tree in a
combination of server and connection view (think we need both) and
map replication configuration to these entries. I would prefer
Hi Simo,
just for clarification. The plan is to move the repl config into the
shared tree for the main database and eventually for others like
o=ipaca. Should the topology info live in cn=etc for all databases or
each in the database it configures ?
If the main database is always replicated I
On 06/03/2014 02:53 PM, Simo Sorce wrote:
On Tue, 2014-06-03 at 14:15 +0200, Ludwig Krispenz wrote:
Hi Simo,
just for clarification. The plan is to move the repl config into the
shared tree for the main database and eventually for others like
o=ipaca. Should the topology info live in cn=etc
Ticket 4302 is a request for an enhancement: Move replication topology
to the shared tree
There has been some discussion in comments in the ticket, but I'd like
to open the discussion to a wider audience to get an agreement on what
should be implemented, before writing a design spec.
The
On 06/02/2014 04:08 PM, Rob Crittenden wrote:
Simo Sorce wrote:
First of all, very good summary, thanks a lot!
Replies in line.
On Mon, 2014-06-02 at 10:46 +0200, Ludwig Krispenz wrote:
Ticket 4302 is a request for an enhancement: Move replication topology
to the shared tree
There has been
On 05/28/2014 04:56 PM, Martin Kosek wrote:
On 05/28/2014 04:50 PM, Simo Sorce wrote:
On Wed, 2014-05-28 at 16:27 +0200, Petr Viktorin wrote:
Simo, I hazily remember discussing that we should only allow specific
attributes on add, otherwise users can add entries with any extra
objectclasses
On 05/28/2014 05:08 PM, Martin Kosek wrote:
On 05/28/2014 05:03 PM, Ludwig Krispenz wrote:
On 05/28/2014 04:56 PM, Martin Kosek wrote:
On 05/28/2014 04:50 PM, Simo Sorce wrote:
On Wed, 2014-05-28 at 16:27 +0200, Petr Viktorin wrote:
Simo, I hazily remember discussing that we should only
Hi Petr,
On 05/02/2014 08:48 PM, Petr Spacek wrote:
On 1.5.2014 16:10, Rich Megginson wrote:
On 04/30/2014 10:19 AM, Petr Spacek wrote:
Hello list,
following text summarizes schema DIT layout for DNSSEC key storage
in LDAP.
This is a subset of the full PKCS#11 schema [0]. It stores bare keys
On 04/15/2014 05:45 PM, Ludwig Krispenz wrote:
On 04/15/2014 05:10 PM, Martin Kosek wrote:
On 04/15/2014 05:08 PM, Simo Sorce wrote:
On Tue, 2014-04-15 at 16:48 +0200, Martin Kosek wrote:
On 04/15/2014 03:16 PM, Simo Sorce wrote:
On Tue, 2014-04-15 at 13:13 +0200, Petr Viktorin wrote
On 04/09/2014 12:31 AM, Simo Sorce wrote:
On Tue, 2014-04-08 at 12:00 +0200, Ludwig Krispenz wrote:
Replication storms. In my opinion the replication of a mod of one or
two attributes in an entry will be faster than the bind itself.
Think about the amplification effect in an environment with 20
On 04/09/2014 04:17 PM, Rich Megginson wrote:
On 04/09/2014 08:09 AM, Simo Sorce wrote:
On Wed, 2014-04-09 at 15:50 +0200, Ludwig Krispenz wrote:
Something like this is what we have experienced for real and caused us to
actually disable replication of all the lockout related attributes
Sorce wrote:
On Mon, 2014-04-07 at 12:10 -0400, Simo Sorce wrote:
On Mon, 2014-04-07 at 12:01 -0400, Simo Sorce wrote:
On Mon, 2014-04-07 at 11:26 -0400, Rob Crittenden wrote:
Ludwig Krispenz wrote:
Hi,
please review the following feature design. It introduces a global
account lockout, while
Hi,
please review the following feature design. It introduces a global
account lockout, while trying to keep the replication traffic minimal.
In my opinion for a real global account lockout the basic lockout
attributes have to be replicated otherwise the benefit is minimal: an
attacker could
In the review discussion for the LDAP schema for PKCS#11 there was one
topic on which we wanted to get the opinion of a broader audience before
making a final decision.
In pkcs11 there are many boolean attributes, like CKA_EXTRACTABLE,
CKA_DERIVE, CKA_VERIFY and there are two suggestions how
Hi Petr,
we already discussed on IRC, but see some comments below
On 03/28/2014 04:11 PM, Petr Viktorin wrote:
Hello,
I'm trying to add ACIs to allow read access to containers, and I need
some input.
The DS's access control system is not designed to allow access to a
single entry but not
On 03/31/2014 12:32 PM, Martin Kosek wrote:
On 03/31/2014 10:41 AM, Ludwig Krispenz wrote:
Hi Petr,
we already discussed on IRC, but see some comments below
On 03/28/2014 04:11 PM, Petr Viktorin wrote:
Hello,
I'm trying to add ACIs to allow read access to containers, and I need some
input
On 03/31/2014 02:59 PM, Petr Spacek wrote:
Hello list,
thread [Freeipa-devel] Read access to container entries reminds me of
an idea I have had in mind for a while:
We could check effective ACIs [1] for interesting objects (Kerberos
master key, trust objects etc.) and make sure that there is
On 03/31/2014 03:23 PM, Martin Kosek wrote:
On 03/31/2014 01:52 PM, Ludwig Krispenz wrote:
On 03/31/2014 12:32 PM, Martin Kosek wrote:
On 03/31/2014 10:41 AM, Ludwig Krispenz wrote:
...
In general I think we should implement 1), there will be other scenarios where
it could be useful
On 03/13/2014 03:20 PM, Rich Megginson wrote:
On 03/13/2014 03:08 AM, Petr Spacek wrote:
Hello list,
my journey to the IETF wonderland revealed one more RFC draft:
LDAP Queue Length Control
http://tools.ietf.org/html/draft-hollstein-queuelength-control-01
I have no idea if this can really
On 03/11/2014 11:33 AM, Petr Spacek wrote:
On 10.3.2014 12:08, Martin Kosek wrote:
On 03/10/2014 11:49 AM, Petr Spacek wrote:
On 7.3.2014 17:33, Dmitri Pal wrote:
I do not think it is the right architectural approach to try to fix
a specific
use case with a one-off solution while we already
On 03/12/2014 01:09 PM, Petr Spacek wrote:
On 12.3.2014 12:12, Ludwig Krispenz wrote:
On 03/11/2014 11:33 AM, Petr Spacek wrote:
On 10.3.2014 12:08, Martin Kosek wrote:
On 03/10/2014 11:49 AM, Petr Spacek wrote:
On 7.3.2014 17:33, Dmitri Pal wrote:
I do not think it is the right
On 03/12/2014 04:28 PM, Petr Spacek wrote:
On 12.3.2014 14:07, Ludwig Krispenz wrote:
On 03/12/2014 01:09 PM, Petr Spacek wrote:
On 12.3.2014 12:12, Ludwig Krispenz wrote:
On 03/11/2014 11:33 AM, Petr Spacek wrote:
On 10.3.2014 12:08, Martin Kosek wrote:
On 03/10/2014 11:49 AM, Petr
On 03/12/2014 06:08 PM, Petr Spacek wrote:
On 12.3.2014 16:54, Ludwig Krispenz wrote:
On 03/12/2014 04:28 PM, Petr Spacek wrote:
On 12.3.2014 14:07, Ludwig Krispenz wrote:
On 03/12/2014 01:09 PM, Petr Spacek wrote:
On 12.3.2014 12:12, Ludwig Krispenz wrote:
On 03/11/2014 11:33 AM, Petr
Hi,
starting a new thread, after a lot of discussion and feedback, which I
tried to integrate into the current draft at:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/pkcs11Schema
Here are some design decisions I made and which need to be finally decided.
1] Add nss trust
On 02/27/2014 10:17 AM, Jan Cholasta wrote:
On 26.2.2014 17:37, Petr Spacek wrote:
On 26.2.2014 15:20, Ludwig Krispenz wrote:
I was talking about 'layer of indirection' previously. I'm digging
into
details and it seems like a good idea to imitate what DNS
registrars do
- use concept of key
On 02/27/2014 02:14 PM, Jan Cholasta wrote:
On 18.2.2014 17:19, Martin Kosek wrote:
On 02/18/2014 04:38 PM, Jan Cholasta wrote:
On 18.2.2014 16:35, Petr Spacek wrote:
On 18.2.2014 16:31, Jan Cholasta wrote:
2] low level replacement for eg the sqlite3 database in softhsm.
That's what I
On 02/27/2014 03:56 PM, Jan Cholasta wrote:
On 27.2.2014 15:23, Ludwig Krispenz wrote:
On 02/27/2014 02:14 PM, Jan Cholasta wrote:
On 18.2.2014 17:19, Martin Kosek wrote:
On 02/18/2014 04:38 PM, Jan Cholasta wrote:
On 18.2.2014 16:35, Petr Spacek wrote:
On 18.2.2014 16:31, Jan Cholasta
Hi,
in the replication section you describe the behaviour when replicating
to older versions of DS, but this is for n1; how about the new design?
Ludwig
On 02/27/2014 04:46 PM, thierry bordaz wrote:
Hello,
Thanks to all your feedbacks, they helped me a lot and raised a severe
limitation
On 02/27/2014 05:48 PM, Jan Cholasta wrote:
On 27.2.2014 17:24, Ludwig Krispenz wrote:
On 02/27/2014 03:56 PM, Jan Cholasta wrote:
On 27.2.2014 15:23, Ludwig Krispenz wrote:
On 02/27/2014 02:14 PM, Jan Cholasta wrote:
On 18.2.2014 17:19, Martin Kosek wrote:
On 02/18/2014 04:38 PM, Jan
On 02/27/2014 05:46 PM, Rich Megginson wrote:
On 02/27/2014 09:37 AM, Petr Spacek wrote:
On 27.2.2014 17:24, Ludwig Krispenz wrote:
On 02/27/2014 03:56 PM, Jan Cholasta wrote:
On 27.2.2014 15:23, Ludwig Krispenz wrote:
On 02/27/2014 02:14 PM, Jan Cholasta wrote:
On 18.2.2014 17:19
I was talking about 'layer of indirection' previously. I'm digging into
details and it seems like a good idea to imitate what DNS registrars do
- use concept of key sets. It means that keys are not linked to a zone
one by one but rather a whole set of keys is linked to a zone.
It eases key
On 02/24/2014 08:20 PM, Simo Sorce wrote:
On Mon, 2014-02-24 at 13:11 +0100, Ludwig Krispenz wrote:
Hi,
here is a draft to start discussion. Let me know if it is the right
direction and what you're missing.
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/pkcs11Schema
I think we
On 02/25/2014 01:30 PM, Petr Spacek wrote:
On 25.2.2014 11:28, Ludwig Krispenz wrote:
On 02/24/2014 08:20 PM, Simo Sorce wrote:
On Mon, 2014-02-24 at 13:11 +0100, Ludwig Krispenz wrote:
Hi,
here is a draft to start discussion. Let me know if it is the right
direction and what you're missing
On 02/25/2014 01:47 PM, Jan Cholasta wrote:
Hi,
here is a draft of the PKCS#11 design:
http://www.freeipa.org/page/V3/PKCS11_in_LDAP.
On 24.2.2014 13:11, Ludwig Krispenz wrote:
Hi,
here is a draft to start discussion. Let me know if it is the right
direction and what you're missing.
https
On 02/25/2014 02:44 PM, Simo Sorce wrote:
On Tue, 2014-02-25 at 11:28 +0100, Ludwig Krispenz wrote:
On 02/24/2014 08:20 PM, Simo Sorce wrote:
On Mon, 2014-02-24 at 13:11 +0100, Ludwig Krispenz wrote:
Hi,
here is a draft to start discussion. Let me know if it is the right
direction and what
On 02/25/2014 03:11 PM, Simo Sorce wrote:
On Tue, 2014-02-25 at 14:54 +0100, Ludwig Krispenz wrote:
Any reason why we should follow in detail what softhsm does?
because I didn't know what is really needed. If you want to have a
PKCS#11
module which stores data in LDAP, I thought it should have
On 02/25/2014 05:12 PM, Simo Sorce wrote:
On Tue, 2014-02-25 at 16:18 +0100, Jan Cholasta wrote:
On 25.2.2014 16:11, Simo Sorce wrote:
On Tue, 2014-02-25 at 15:59 +0100, Petr Spacek wrote:
On 25.2.2014 15:11, Simo Sorce wrote:
On Tue, 2014-02-25 at 14:54 +0100, Ludwig Krispenz wrote:
Any
Hi,
here is a draft to start discussion. Let me know if it is the right
direction and what you're missing.
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/pkcs11Schema
Ludwig
On 02/18/2014 03:17 PM, Jan Cholasta wrote:
Hi,
On 18.2.2014 14:02, Ludwig Krispenz wrote:
Hi
discuss,
but any input is welcome.
Regards,
Ludwig
On 02/18/2014 03:17 PM, Jan Cholasta wrote:
Hi,
On 18.2.2014 14:02, Ludwig Krispenz wrote:
Hi,
yesterday Jan asked me about the status of the schema and if it would be
ready for certificate storage and that puzzled me a bit and showed that
I
Hi,
yesterday Jan asked me about the status of the schema and if it would be
ready for certificate storage and that puzzled me a bit and showed that
I still do not really understand what you want to store in LDAP.
To me there are two very different approaches.
1] LDAP as store for high