URL: https://github.com/freeipa/freeipa/pull/768
Title: #768: Ticket#6854 caless
abbra commented:
"""
PKINIT certificates are used by `krb5kdc` which uses OpenSSL. It means they
cannot be placed in an NSSDB.
"""
See the full comment at
https://githu
URL: https://github.com/freeipa/freeipa/pull/756
Title: #756: Added plugins directory to paclient subpackages
abbra commented:
"""
Note that we want this fix in 4.4 branch as well -- it affects F25.
"""
See the full comment at
https://github.com/freeipa/freeipa/p
URL: https://github.com/freeipa/freeipa/pull/751
Title: #751: ipa-client-install: remove extra space in pkinit_anchors definition
Label: +ack
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA:
URL: https://github.com/freeipa/freeipa/pull/751
Title: #751: ipa-client-install: remove extra space in pkinit_anchors definition
abbra commented:
"""
LGTM.
For the record, this is broken since cf1c4e84e74ea15fe5cf7219872cf131bd53281e
which is in 4.5.0 release. So we n
URL: https://github.com/freeipa/freeipa/pull/724
Title: #724: upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust
is…
abbra commented:
"""
LGTM
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/724#issuecomment-29585549
URL: https://github.com/freeipa/freeipa/pull/724
Title: #724: upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust
is…
Label: +ack
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install
abbra commented:
"""
Yep. Then this PR can be merged once you removed distinction external/full.
"""
See the full comment at
https://g
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install
abbra commented:
"""
I agree that it is internal detail whether we use local pkinit or not. However,
we need to know that it is existing as opposed
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install
Label: +ack
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install
abbra commented:
"""
I read through the code and I believe it addresses all use cases we have been
discussing. LGTM.
"""
See the full
URL: https://github.com/freeipa/freeipa/pull/699
Title: #699: ipaclient/ipapython macOS compatibility fixes
abbra commented:
"""
Well, given that it is not officially supported yet, go ahead.
"""
See the full comment at
https://github.com/freeipa/freeipa/p
URL: https://github.com/freeipa/freeipa/pull/716
Title: #716: Fix minor typos
abbra commented:
"""
Thanks for this pull request.
There are no tickets associated with these changes.
The changes themselves are controversial. Do not change `--forwarder-*` to
`--forward
URL: https://github.com/freeipa/freeipa/pull/709
Title: #709: Fix s4u2self with adtrust
Label: +ack
URL: https://github.com/freeipa/freeipa/pull/682
Author: abbra
Title: #682: ipaserver/dcerpc: unify error processing
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/682/head:pr682
git checkout pr682
From
URL: https://github.com/freeipa/freeipa/pull/682
Author: abbra
Title: #682: ipaserver/dcerpc: unify error processing
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/682/head:pr682
git checkout pr682
From
URL: https://github.com/freeipa/freeipa/pull/682
Author: abbra
Title: #682: ipaserver/dcerpc: unify error processing
Action: edited
Changed field: title
Original value:
"""
ipserver/dcerpc: unify error processing
"""
URL: https://github.com/freeipa/freeipa/pull/682
Author: abbra
Title: #682: ipserver/dcerpc: unify error processing
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/682/head:pr682
git checkout pr682
From
URL: https://github.com/freeipa/freeipa/pull/682
Author: abbra
Title: #682: ipserver/dcerpc: unify error processing
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/682/head:pr682
git checkout pr682
From
URL: https://github.com/freeipa/freeipa/pull/699
Title: #699: ipaclient/ipapython macOS compatibility fixes
abbra commented:
"""
Ok, so far I cannot build a wheel from git repo on Mac OS X as we have a number
of limitations ourselves -- we need to fix our configure to allow j
URL: https://github.com/freeipa/freeipa/pull/699
Title: #699: ipaclient/ipapython macOS compatibility fixes
abbra commented:
"""
I still need to test the whole set on Mac OS X myself as we have no way to test
that in CI. Thus, this PR will depend on me (or someone else fro
URL: https://github.com/freeipa/freeipa/pull/699
Title: #699: ipaclient/ipapython macOS compatibility fixes
abbra commented:
"""
Note that we need something similar to
https://github.com/untitaker/python-atomicwrites/commit/2bdd9dae62b7434c7b2383ce45fb515bdf70c3c3
to behave pro
URL: https://github.com/freeipa/freeipa/pull/699
Title: #699: ipaclient/ipapython macOS compatibility fixes
abbra commented:
"""
Please don't set ACK yet, I'm not finished with review.
I do not want to replace fdatasync() with fsync(), this is not correct towards
other platf
URL: https://github.com/freeipa/freeipa/pull/699
Title: #699: ipaclient/ipapython macOS compatibility fixes
Label: -ack
URL: https://github.com/freeipa/freeipa/pull/682
Author: abbra
Title: #682: [WIP] ipserver/dcerpc: unify error processing
Action: edited
Changed field: title
Original value:
"""
[WIP] ipserver/dcerpc: unify error processing
"""
URL: https://github.com/freeipa/freeipa/pull/682
Title: #682: [WIP] ipserver/dcerpc: unify error processing
abbra commented:
"""
Updated patches and descriptions to include bug references.
"""
See the full comment at
https://github.com/freeipa/freeipa/p
URL: https://github.com/freeipa/freeipa/pull/682
Author: abbra
Title: #682: [WIP] ipserver/dcerpc: unify error processing
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/682/head:pr682
git checkout pr682
URL: https://github.com/freeipa/freeipa/pull/699
Title: #699: Fix libkrb5 filename for macOS
abbra commented:
"""
There is a PEP8 error:
PEP-8 errors:
./ipapython/session_storage.py:11:21: E225 missing whitespace around operator
"""
See the full comment
URL: https://github.com/freeipa/freeipa/pull/699
Title: #699: Fix libkrb5 filename for macOS
abbra commented:
"""
Ok. Let me look at it next week when I'll have time. Could you please add a
short step by step instruction how you configured IPA client on Mac OS X?
"""
URL: https://github.com/freeipa/freeipa/pull/699
Title: #699: Fix libkrb5 filename for macOS
abbra commented:
"""
Thanks. Do you have IPA client code working on Mac OS X?
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/699#issuecom
URL: https://github.com/freeipa/freeipa/pull/632
Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry
abbra commented:
"""
LGTM.
`nltest /sc_verify:ipa.example.test` works thanks to this pull request:
```
C:\Users\Administrator>nltest /sc_quer
URL: https://github.com/freeipa/freeipa/pull/632
Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry
Label: +ack
URL: https://github.com/freeipa/freeipa/pull/632
Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry
abbra commented:
"""
Thanks. I read through the code and it looks good to me. I'm going to test it
together with my work on ipasam_update_sam_acc
URL: https://github.com/freeipa/freeipa/pull/682
Title: #682: ipserver/dcerpc: unify error processing
abbra commented:
"""
Note: this is WIP, I'm waiting for Sudhir to provide a bug and logs that show
the changes he encountered when running existing test suite against Samba
URL: https://github.com/freeipa/freeipa/pull/682
Author: abbra
Title: #682: ipserver/dcerpc: unify error processing
Action: opened
PR body:
"""
Samba error code reporting changes from version to version but we also
did not provide proper input into DCE RPC error processing
URL: https://github.com/freeipa/freeipa/pull/672
Title: #672: IPA-KDB: use relative path in ipa-certmap config snippet
abbra commented:
"""
> @sumit-bose What happens when the shared library is missing? Does 32bit kinit
> fail or work on a X86_64 system when 32bi
URL: https://github.com/freeipa/freeipa/pull/629
Author: abbra
Title: #629: adtrust: make sure that runtime hostname result is consistent
with the configuration
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa
URL: https://github.com/freeipa/freeipa/pull/629
Title: #629: adtrust: make sure that runtime hostname result is consistent with
the configuration
abbra commented:
"""
Removed backslashes and also moved the check to be the first step when creating
an instance.
"""
URL: https://github.com/freeipa/freeipa/pull/629
Author: abbra
Title: #629: adtrust: make sure that runtime hostname result is consistent
with the configuration
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa
URL: https://github.com/freeipa/freeipa/pull/669
Title: #669: server: make sure we test for sss_nss_getlistbycert
abbra commented:
"""
On the systems where pkg-config is available, positive result from pkg-config
check means headers are available because pkg-config
URL: https://github.com/freeipa/freeipa/pull/668
Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires
abbra commented:
"""
I submitted https://github.com/freeipa/freeipa/pull/669 for that
"""
See the full comment at
https://github.com/freeipa
URL: https://github.com/freeipa/freeipa/pull/669
Author: abbra
Title: #669: server: make sure we test for sss_nss_getlistbycert
Action: opened
PR body:
"""
Fixes https://pagure.io/freeipa/issue/6828
"""
To pull the PR as Git branch:
git remote add ghfreeipa http
URL: https://github.com/freeipa/freeipa/pull/668
Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires
abbra commented:
"""
No, It will make downstream harder because RHEL downstream will only have
1.15.2 with patches on top of that version.
I have a pull
URL: https://github.com/freeipa/freeipa/pull/649
Title: #649: Session cookie storage and handling fixes
Label: +ack
URL: https://github.com/freeipa/freeipa/pull/649
Title: #649: Session cookie storage and handling fixes
abbra commented:
"""
LGTM to me. @simo5 explained that `expiry=...` substring is part of the actual
cookie `mod_session` adds (it is timestamp in nanoseconds) -- Cookie clas
URL: https://github.com/freeipa/freeipa/pull/640
Title: #640: Remove pkinit options from master/replica on DL0
abbra commented:
"""
Good question. I think we should remove all mentioning of PKINIT options for
DL0 and explicitly configure local CA there. On DL1 we already requ
URL: https://github.com/freeipa/freeipa/pull/617
Title: #617: Allow renaming of sudo and HBAC rules
abbra commented:
"""
I haven't seen any custom plugin that used `rdn_is_private_key`. We can
document the change in release notes.
"""
See the full comment
URL: https://github.com/freeipa/freeipa/pull/649
Title: #649: Session cookie storage and handling fixes
abbra commented:
"""
@simo5, I think I found why it happened -- I actually had krbMaxTicketLife set
for HTTP/... principal to 300 seconds.
So I think your patches are goo
URL: https://github.com/freeipa/freeipa/pull/639
Title: #639: WebUI: Login for AD Users
abbra commented:
"""
LGTM and works just fine:
![](https://vda.li/images/freeipa-web-ui-login-ad-user.png)
"""
See the full comment at
https://github.com/freeipa/freeipa/p
URL: https://github.com/freeipa/freeipa/pull/649
Title: #649: Session cookie storage and handling fixes
abbra commented:
"""
I tested the whole patchset. It worked for me first time I've got cookie
expired. However, it broke in ~10 minutes afterwards -- apparently, keyring
c
URL: https://github.com/freeipa/freeipa/pull/575
Title: #575: IPA certauth plugin
abbra commented:
"""
The code LGTM. Once updated SSSD is added to freeipa-master copr, let's see
what CI says.
Authentication indicators' handling would need to be added in a separate PR
onc
URL: https://github.com/freeipa/freeipa/pull/644
Title: #644: extdom: improve certificate request
abbra commented:
"""
LGTM. I read the code but since SSSD counterpart is currently on review, travis
fails the build.
"""
See the full comment at
https://githu
URL: https://github.com/freeipa/freeipa/pull/638
Title: #638: ipalib/rpc.py: Fix session handling for KEYRING: ccaches
abbra commented:
"""
Yes, KCM will work. However, I wonder if we could use a different approach by
storing cookie in a fake ticket with a proper lifetime se
URL: https://github.com/freeipa/freeipa/pull/617
Title: #617: Allow renaming of sudo and HBAC rules
abbra commented:
"""
I like the idea but please address @HonzaCholasta comments.
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/617#issuecom
URL: https://github.com/freeipa/freeipa/pull/637
Author: abbra
Title: #637: ldap2: use LDAP whoami operation to retrieve bind DN for current
connection
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/637
URL: https://github.com/freeipa/freeipa/pull/637
Title: #637: ldap2: use LDAP whoami operation to retrieve bind DN for current
connection
abbra commented:
"""
Removed try: finally: block, I agree that it is better to propagate error up
the stack.
"""
URL: https://github.com/freeipa/freeipa/pull/638
Title: #638: ipalib/rpc.py: Fix session handling for KEYRING: ccaches
abbra commented:
"""
Note: this is WIP, please test it against KEYRING: ccaches.
"""
See the full comment at
https://github.com/freeipa
URL: https://github.com/freeipa/freeipa/pull/638
Author: abbra
Title: #638: ipalib/rpc.py: Fix session handling for KEYRING: ccaches
Action: opened
PR body:
"""
MIT Kerberos allows storing configuration entries in the ccache.
Unfortunately, there are big differences betwe
URL: https://github.com/freeipa/freeipa/pull/637
Author: abbra
Title: #637: ldap2: use LDAP whoami operation to retrieve bind DN for current
connection
Action: opened
PR body:
"""
For external users which are mapped to some DN in LDAP server, we
wouldn't necessarily be able to
URL: https://github.com/freeipa/freeipa/pull/621
Title: #621: Add --force-password-reset to user_mod in user.py
abbra commented:
"""
Ok, let's go with `user-mod` as original request goes, based on the fact that
we are not changing the password, we are changing its properties.
URL: https://github.com/freeipa/freeipa/pull/621
Title: #621: Add --force-password-reset to user_mod in user.py
abbra commented:
"""
Hm. `ipa user-mod` has --random and also supports specifying --password, so
yes, both interfaces should be provided.
"""
URL: https://github.com/freeipa/freeipa/pull/629
Author: abbra
Title: #629: adtrust: make sure that runtime hostname result is consistent
with the configuration
Action: opened
PR body:
"""
FreeIPA's `ipasam` module to Samba uses gethostname() call to identify
own ser
URL: https://github.com/freeipa/freeipa/pull/621
Title: #621: Add --force-password-reset to user_mod in user.py
abbra commented:
"""
I would prefer this to be an option in `ipa passwd`, e.g. `ipa passwd
--force-reset` which instead of modifying a user passwo
URL: https://github.com/freeipa/freeipa/pull/617
Title: #617: Allow renaming of sudo rules
abbra commented:
"""
I don't like it is done on the client side. This will not work for Web UI, for
example.
Additionally, no validation of cn={newname} is here to be a single value
URL: https://github.com/freeipa/freeipa/pull/600
Title: #600: CONFIGURE: Improve detection of xmlrpc_c flags
abbra commented:
"""
LGTM. Falling back to a standard check is fine.
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/600#issuecom
URL: https://github.com/freeipa/freeipa/pull/573
Title: #573: Provide centralized management of user short name resolution
abbra commented:
"""
Yes, it is expected too. Remember that 'Default Trust View' is a view that
applies globally. You have already global setting to
URL: https://github.com/freeipa/freeipa/pull/582
Title: #582: Remove pkinit from ipa-replica-prepare
abbra commented:
"""
They were in DL0 in `ipa-server-install` for a very long time and never worked.
We left them there to make sure we can get them back to work sometime
URL: https://github.com/freeipa/freeipa/pull/582
Title: #582: Remove pkinit from ipa-replica-prepare
abbra commented:
"""
LGTM.
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/582#issuecomment-286447734
URL: https://github.com/freeipa/freeipa/pull/573
Title: #573: Provide centralized management of user short name resolution
abbra commented:
"""
I don't see ACI.txt regenerated.
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/573#issuecom
URL: https://github.com/freeipa/freeipa/pull/570
Author: abbra
Title: #570: ipaserver/dcerpc.py: use arcfour_encrypt from samba
Action: opened
PR body:
"""
Samba Python bindings provide samba.arcfour_encrypt(key, data). Instead
of implementing own wrapper, use Samba's.
URL: https://github.com/freeipa/freeipa/pull/564
Title: #564: Reconfigure Kerberos library config as the last step of KDC install
abbra commented:
"""
@simo5 KDC starts just fine with missing certs. It disables PKINIT if certs
aren't reachable. However, if KDC is not running at
URL: https://github.com/freeipa/freeipa/pull/564
Title: #564: Reconfigure Kerberos library config as the last step of KDC install
abbra commented:
"""
LGTM.
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/564#issuecomment-28541839
URL: https://github.com/freeipa/freeipa/pull/535
Title: #535: add whoami command
abbra commented:
"""
Done. I've also updated the design page to reflect the changes.
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/535#issuecomment-28534046
URL: https://github.com/freeipa/freeipa/pull/535
Author: abbra
Title: #535: add whoami command
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/535/head:pr535
git checkout pr535
From
URL: https://github.com/freeipa/freeipa/pull/535
Title: #535: add whoami command
abbra commented:
"""
Updated.
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/535#issuecomment-285310604
URL: https://github.com/freeipa/freeipa/pull/535
Author: abbra
Title: #535: add whoami command
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/535/head:pr535
git checkout pr535
From
URL: https://github.com/freeipa/freeipa/pull/535
Author: abbra
Title: #535: add whoami command
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/535/head:pr535
git checkout pr535
From
URL: https://github.com/freeipa/freeipa/pull/535
Title: #535: add whoami command
abbra commented:
"""
We can disable it for CLI, that's not a problem.
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/535#issuecomment-285085254
URL: https://github.com/freeipa/freeipa/pull/420
Title: #420: Allow login to WebUI using Kerberos aliases/enterprise principals
abbra commented:
"""
Thanks. LGTM and works for me with IPA user, IPA host principal, and AD user.
The latter cannot yet actually use Web UI but that i
URL: https://github.com/freeipa/freeipa/pull/420
Title: #420: Allow login to WebUI using Kerberos aliases/enterprise principals
Label: +ack
URL: https://github.com/freeipa/freeipa/pull/547
Title: #547: Use GSS-SPNEGO if connecting locally
abbra commented:
"""
LGTM but I think we should also update Requires: in the spec file to use
cyrus-sasl-2.1.26-29.fc26 or later.
"""
See the full comment at
http
URL: https://github.com/freeipa/freeipa/pull/545
Title: #545: install_check: require IPv6 stack to be enabled
abbra commented:
"""
How is the /proc check going to play with containers?
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/545#issuecom
URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands
abbra commented:
"""
You are correct in the fact that the search filter needs to be modified to allow
matching entries without nsAccountLock attribute set.
"""
URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands
abbra commented:
"""
The nsaccountlock *is* a virtual attribute in 389-ds:
attributeTypes: ( 2.16.840.1.113730.3.1.610 NAME 'nsAccountLock'
DE
URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands
abbra commented:
"""
Yes, you can add nsaccountlock attribute retrieval in the `pre_callback` and
process it in the `post_callback`. nsaccountlock is an operat
URL: https://github.com/freeipa/freeipa/pull/535
Title: #535: add whoami command
abbra commented:
"""
Design page: http://www.freeipa.org/page/V4/Who_Am_I_Command
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/535#issuecomment-28371655
URL: https://github.com/freeipa/freeipa/pull/535
Author: abbra
Title: #535: add whoami command
Action: opened
PR body:
"""
`ipa whoami` command allows querying details about the currently
authenticated identity. The command returns the following information:
* object class na
URL: https://github.com/freeipa/freeipa/pull/526
Title: #526: server install: do not attempt to issue PKINIT cert in CA-less
abbra commented:
"""
ACK for the patch. However, I'm not claiming that CA does not need to be
trusted. What I'm saying is that for Anonymous PKINIT's u
URL: https://github.com/freeipa/freeipa/pull/526
Title: #526: server install: do not attempt to issue PKINIT cert in CA-less
Label: +ack
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA:
URL: https://github.com/freeipa/freeipa/pull/526
Title: #526: server install: properly handle PKINIT-related options
abbra commented:
"""
This PR does not handle upgrade case which is what Local CA considers. We don't
need other systems trust the certificate and we don't need
URL: https://github.com/freeipa/freeipa/pull/526
Title: #526: server install: properly handle PKINIT-related options
abbra commented:
"""
No, you are wrong. Certmonger has own local self-signed CA in all installs:
# getcert list-cas
CA 'local':
URL: https://github.com/freeipa/freeipa/pull/526
Title: #526: server install: properly handle PKINIT-related options
abbra commented:
"""
This was, perhaps, missed in the original commit, though. The idea was that in
CA-less mode we change request to use Local CA.
"""
URL: https://github.com/freeipa/freeipa/pull/526
Title: #526: server install: properly handle PKINIT-related options
abbra commented:
"""
An idea behind the original solution was to always produce PKINIT certificate
by certmonger in case of CA-less install to be able to have a
URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands
abbra commented:
"""
nsaccountlock is an operational attribute, not a normal one. I don't like it
being created all the time. You have to request it explici
URL: https://github.com/freeipa/freeipa/pull/516
Title: #516: IdM Server: list all Employees with matching Smart Card
abbra commented:
"""
One thing I don't like is that SELinux policy requirements aren't mentioned. To
allow ipaapi user to talk to SSSD dbus interface, you have t
URL: https://github.com/freeipa/freeipa/pull/479
Title: #479: Merge AD trust installer into composite ones
abbra commented:
"""
Unless you specified --add-sids to ipa-adtrust-install (or `add_sids=True` in
ADTrustInstance.setup() call), no task would be run. 'Activating sidgen t
URL: https://github.com/freeipa/freeipa/pull/508
Title: #508: Fix ipa.service unit re. gssproxy
abbra commented:
"""
Good point. I think we shouldn't restart ourselves as we anyway are listening
on all interfaces with 0.0.0.0.
"""
See the full comment at
http
URL: https://github.com/freeipa/freeipa/pull/479
Title: #479: Merge AD trust installer into composite ones
abbra commented:
"""
If you can differentiate how the installer is being run, then for composite
installer always run add_sids.
"""
See the full comment
URL: https://github.com/freeipa/freeipa/pull/508
Title: #508: Fix ipa.service unit re. gssproxy
Label: +ack
URL: https://github.com/freeipa/freeipa/pull/508
Title: #508: Fix ipa.service unit re. gssproxy
abbra commented:
"""
LGTM. Thank you for finding and fixing this issue.
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/508#issuecomment-28246785
URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop
abbra commented:
"""
@tiran we do use PrivateTmp already. This is not about PrivateTmp, though,
because we don't store credentials caches in a private tmp.
"""