On 7.7.2015 at 16:42, Endi Sukma Dewata wrote:
On 07/07/2015 10:51 AM, Jan Cholasta wrote:
On 3.7.2015 at 15:44, Endi Sukma Dewata wrote:
Here is the rebased patch for vault access control.
LGTM, except:
@@ -356,6 +386,13 @@ class vault(LDAPObject):
On 3.7.2015 at 15:44, Endi Sukma Dewata wrote:
Here is the rebased patch for vault access control.
LGTM, except:
@@ -356,6 +386,13 @@ class vault(LDAPObject):
{
'objectclass': ['nsContainer'],
'cn': rdn['cn'],
+
On 3.7.2015 at 14:23, Endi Sukma Dewata wrote:
On 7/1/2015 1:53 AM, Jan Cholasta wrote:
I think it would be better to use a new attribute type which inherits
from ipaPublicKey (ipaVaultPublicKey?) rather than ipaPublicKey directly
for asymmetric vault public keys, so that asymmetric public
On 07/07/2015 10:51 AM, Jan Cholasta wrote:
On 3.7.2015 at 15:44, Endi Sukma Dewata wrote:
Here is the rebased patch for vault access control.
LGTM, except:
@@ -356,6 +386,13 @@ class vault(LDAPObject):
{
'objectclass': ['nsContainer'],
On 07/07/2015 10:51 AM, Jan Cholasta wrote:
On 3.7.2015 at 15:44, Endi Sukma Dewata wrote:
Here is the rebased patch for vault access control.
LGTM, except:
@@ -356,6 +386,13 @@ class vault(LDAPObject):
{
On 7/1/2015 1:53 AM, Jan Cholasta wrote:
I think it would be better to use a new attribute type which inherits
from ipaPublicKey (ipaVaultPublicKey?) rather than ipaPublicKey directly
for asymmetric vault public keys, so that asymmetric public key and
escrow public key are on the same level and
Here is the rebased patch for vault access control.
--
Endi S. Dewata
From 6bec99d51552a6415c45d655f95627e341fae44b Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Fri, 17 Oct 2014 12:05:34 -0400
Subject: [PATCH] Added vault access control.
New LDAP ACIs have been added
On 25.6.2015 at 19:01, Endi Sukma Dewata wrote:
On 6/25/2015 12:35 AM, Jan Cholasta wrote:
I think it would be better to use a new attribute type which inherits
from ipaPublicKey (ipaVaultPublicKey?) rather than ipaPublicKey directly
for asymmetric vault public keys, so that asymmetric
On 6/25/2015 12:35 AM, Jan Cholasta wrote:
I think it would be better to use a new attribute type which inherits
from ipaPublicKey (ipaVaultPublicKey?) rather than ipaPublicKey directly
for asymmetric vault public keys, so that asymmetric public key and
escrow public key are on the same level
On 23.6.2015 at 05:27, Endi Sukma Dewata wrote:
Please take a look at the new patch.
On 6/17/2015 1:32 AM, Jan Cholasta wrote:
I think it would be better to use a new attribute type which inherits
from ipaPublicKey (ipaVaultPublicKey?) rather than ipaPublicKey directly
for asymmetric vault
Please take a look at the new patch.
On 6/17/2015 1:32 AM, Jan Cholasta wrote:
I think it would be better to use a new attribute type which inherits
from ipaPublicKey (ipaVaultPublicKey?) rather than ipaPublicKey directly
for asymmetric vault public keys, so that asymmetric public key and
On 16.6.2015 at 01:02, Endi Sukma Dewata wrote:
On 6/15/2015 2:22 AM, Jan Cholasta wrote:
I think it would be better to use a new attribute type which inherits
from ipaPublicKey (ipaVaultPublicKey?) rather than ipaPublicKey directly
for asymmetric vault public keys, so that asymmetric public
On 6/15/2015 2:22 AM, Jan Cholasta wrote:
I think it would be better to use a new attribute type which inherits
from ipaPublicKey (ipaVaultPublicKey?) rather than ipaPublicKey directly
for asymmetric vault public keys, so that asymmetric public key and
escrow public key are on the same level and
On 10.6.2015 at 08:13, Martin Kosek wrote:
On 06/09/2015 11:13 PM, Endi Sukma Dewata wrote:
Please take a look at the attached patch to add symmetric and asymmetric vaults.
Some comments about the patch:
I think it would be better to use a new attribute type which inherits
from ipaPublicKey
On 15.6.2015 at 09:22, Jan Cholasta wrote:
On 10.6.2015 at 08:13, Martin Kosek wrote:
On 06/09/2015 11:13 PM, Endi Sukma Dewata wrote:
Please take a look at the attached patch to add symmetric and
asymmetric vaults.
Some comments about the patch:
I think it would be better to use a new
On 8.6.2015 at 12:04, Jan Cholasta wrote:
On 5.6.2015 at 21:50, Endi Sukma Dewata wrote:
On 6/5/2015 7:13 AM, Jan Cholasta wrote:
BTW, ipa-kra-install is broken with pki-core-10.2.4-1, but it works with
pki-core-10.2.1-3.
There's a bug in IPA:
On 5.6.2015 at 21:50, Endi Sukma Dewata wrote:
On 6/5/2015 7:13 AM, Jan Cholasta wrote:
If KRA is not installed, vault-archive and vault-retrieve fail with
internal error.
Added code to check KRA installation in all vault commands. If you
know a way not to load the vault plugin if the
On 3.6.2015 at 14:17, Jan Cholasta wrote:
On 2.6.2015 at 02:00, Endi Sukma Dewata wrote:
Please take a look at the updated patch.
On 5/27/2015 12:39 AM, Jan Cholasta wrote:
21) vault_archive is not a retrieve operation, it should be
based on
LDAPUpdate instead of LDAPRetrieve. Or
On 6/5/2015 7:13 AM, Jan Cholasta wrote:
If KRA is not installed, vault-archive and vault-retrieve fail with
internal error.
Added code to check KRA installation in all vault commands. If you
know a way not to load the vault plugin if the KRA is not installed
please let me know, that's
On 2.6.2015 at 20:40, Simo Sorce wrote:
On Tue, 2015-06-02 at 07:07 -0500, Endi Sukma Dewata wrote:
On 6/2/2015 1:10 AM, Martin Kosek wrote:
Hi Endi,
Quickly skimming through your patches raised a couple of questions on my side:
1) Will it be possible to also store plain text password via
On 06/02/2015 11:22 PM, Alexander Bokovoy wrote:
On Tue, 02 Jun 2015, Endi Sukma Dewata wrote:
Please take a look at the new patch.
On 6/2/2015 10:05 AM, Martin Kosek wrote:
4) In the vault-archive forward method, you use pki module. However,
this module will be only available on FreeIPA
On 06/02/2015 08:34 PM, Simo Sorce wrote:
On Tue, 2015-06-02 at 12:04 +0200, Jan Cholasta wrote:
On 2.6.2015 at 02:02, Endi Sukma Dewata wrote:
On 5/28/2015 12:46 AM, Jan Cholasta wrote:
On a related note, since KRA is optional, can we move the vaults
container to cn=kra,cn=vaults? This is
On Wed, 03 Jun 2015, Endi Sukma Dewata wrote:
On 6/3/2015 1:41 AM, Martin Kosek wrote:
On 06/02/2015 11:22 PM, Alexander Bokovoy wrote:
On Tue, 02 Jun 2015, Endi Sukma Dewata wrote:
I think ideally the
client and server code should be in separate files (so they can be deployed
separately
On 6/3/2015 8:52 AM, Alexander Bokovoy wrote:
Having to use the same plugins for client and server is a framework
limitation/poor design. Having to use conditional imports to work
around the limitation is a bad programming practice. The fact that
trust plugin has to implement a similar
On 6/3/2015 1:41 AM, Martin Kosek wrote:
On 06/02/2015 11:22 PM, Alexander Bokovoy wrote:
On Tue, 02 Jun 2015, Endi Sukma Dewata wrote:
I think ideally the
client and server code should be in separate files (so they can be deployed
separately too), but the framework doesn't seem to allow that.
On 6/2/2015 1:34 PM, Simo Sorce wrote:
On Tue, 2015-06-02 at 12:04 +0200, Jan Cholasta wrote:
On 2.6.2015 at 02:02, Endi Sukma Dewata wrote:
On 5/28/2015 12:46 AM, Jan Cholasta wrote:
On a related note, since KRA is optional, can we move the vaults
container to cn=kra,cn=vaults? This is
On 3.6.2015 at 14:58, Endi Sukma Dewata wrote:
On 6/2/2015 1:34 PM, Simo Sorce wrote:
On Tue, 2015-06-02 at 12:04 +0200, Jan Cholasta wrote:
On 2.6.2015 at 02:02, Endi Sukma Dewata wrote:
On 5/28/2015 12:46 AM, Jan Cholasta wrote:
On a related note, since KRA is optional, can we move
On 2.6.2015 at 02:00, Endi Sukma Dewata wrote:
Please take a look at the updated patch.
On 5/27/2015 12:39 AM, Jan Cholasta wrote:
21) vault_archive is not a retrieve operation, it should be
based on
LDAPUpdate instead of LDAPRetrieve. Or Command actually, since it
does
not do anything with
On Wed, 2015-06-03 at 09:27 +0200, Martin Kosek wrote:
On 06/02/2015 08:34 PM, Simo Sorce wrote:
On Tue, 2015-06-02 at 12:04 +0200, Jan Cholasta wrote:
On 2.6.2015 at 02:02, Endi Sukma Dewata wrote:
On 5/28/2015 12:46 AM, Jan Cholasta wrote:
On a related note, since KRA is optional,
On 3.6.2015 at 15:20, Simo Sorce wrote:
On Wed, 2015-06-03 at 09:27 +0200, Martin Kosek wrote:
On 06/02/2015 08:34 PM, Simo Sorce wrote:
On Tue, 2015-06-02 at 12:04 +0200, Jan Cholasta wrote:
On 2.6.2015 at 02:02, Endi Sukma Dewata wrote:
On 5/28/2015 12:46 AM, Jan Cholasta wrote:
On
On Tue, 2015-06-02 at 07:07 -0500, Endi Sukma Dewata wrote:
On 6/2/2015 1:10 AM, Martin Kosek wrote:
Hi Endi,
Quickly skimming through your patches raised a couple of questions on my side:
1) Will it be possible to also store plain text password via Vault? It
talks about taking in the
On Tue, 2015-06-02 at 12:04 +0200, Jan Cholasta wrote:
On 2.6.2015 at 02:02, Endi Sukma Dewata wrote:
On 5/28/2015 12:46 AM, Jan Cholasta wrote:
On a related note, since KRA is optional, can we move the vaults
container to cn=kra,cn=vaults? This is the convention used by the other
Please take a look at the new patch.
On 6/2/2015 10:05 AM, Martin Kosek wrote:
4) In the vault-archive forward method, you use pki module. However,
this module will be only available on FreeIPA PKI-powered servers and
not on FreeIPA clients - so this will not work unless freeipa-client
gets a
On Tue, 02 Jun 2015, Endi Sukma Dewata wrote:
Please take a look at the new patch.
On 6/2/2015 10:05 AM, Martin Kosek wrote:
4) In the vault-archive forward method, you use pki module. However,
this module will be only available on FreeIPA PKI-powered servers and
not on FreeIPA clients - so
On 06/02/2015 12:04 PM, Jan Cholasta wrote:
On 2.6.2015 at 02:02, Endi Sukma Dewata wrote:
On 5/28/2015 12:46 AM, Jan Cholasta wrote:
On a related note, since KRA is optional, can we move the vaults
container to cn=kra,cn=vaults? This is the convention used by the other
optional components
On 6/2/2015 1:10 AM, Martin Kosek wrote:
Hi Endi,
Quickly skimming through your patches raised a couple of questions on my side:
1) Will it be possible to also store plain text password via Vault? It
talks about taking in the binary data or the text file, but will it also
work with plain user
On 2.6.2015 at 02:02, Endi Sukma Dewata wrote:
On 5/28/2015 12:46 AM, Jan Cholasta wrote:
On a related note, since KRA is optional, can we move the vaults
container to cn=kra,cn=vaults? This is the convention used by the other
optional components (DNS and recently CA).
I mean
On 06/02/2015 02:07 PM, Endi Sukma Dewata wrote:
On 6/2/2015 1:10 AM, Martin Kosek wrote:
Hi Endi,
Quickly skimming through your patches raised a couple of questions on my side:
1) Will it be possible to also store plain text password via Vault? It
talks about taking in the binary data or the
On Tue, 02 Jun 2015, Martin Kosek wrote:
But it's not recommended since the data will be stored in the command history
and someone could see and decode it. I think passing a plain text password as
a command line argument would be even worse. The --data parameter is mainly used
for unit testing.
On 06/02/2015 02:00 AM, Endi Sukma Dewata wrote:
Please take a look at the updated patch.
On 5/27/2015 12:39 AM, Jan Cholasta wrote:
21) vault_archive is not a retrieve operation, it should be based on
LDAPUpdate instead of LDAPRetrieve. Or Command actually, since it
does
not do anything with
Please take a look at the updated patch.
On 5/27/2015 12:39 AM, Jan Cholasta wrote:
21) vault_archive is not a retrieve operation, it should be based on
LDAPUpdate instead of LDAPRetrieve. Or Command actually, since it
does
not do anything with LDAP. The same applies to vault_retrieve.
The
On 5/28/2015 12:46 AM, Jan Cholasta wrote:
On a related note, since KRA is optional, can we move the vaults
container to cn=kra,cn=vaults? This is the convention used by the other
optional components (DNS and recently CA).
I mean cn=vaults,cn=kra of course.
If you are talking about the
On 27.5.2015 at 07:39, Jan Cholasta wrote:
On 27.5.2015 at 02:38, Endi Sukma Dewata wrote:
Please take a look at the attached patch to add vault-archive/retrieve
commands.
On 4/20/2015 1:12 AM, Jan Cholasta wrote:
16) You do way too much stuff in vault_add.forward(). Only code that
must
On 28.5.2015 at 07:43, Jan Cholasta wrote:
On 27.5.2015 at 07:39, Jan Cholasta wrote:
On 27.5.2015 at 02:38, Endi Sukma Dewata wrote:
Please take a look at the attached patch to add vault-archive/retrieve
commands.
On 4/20/2015 1:12 AM, Jan Cholasta wrote:
16) You do way too much
Please take a look at the attached patch to add vault-archive/retrieve
commands.
On 4/20/2015 1:12 AM, Jan Cholasta wrote:
16) You do way too much stuff in vault_add.forward(). Only code that
must be done on the client needs to be there, i.e. handling of the
data, text and in options.
The
On 27.5.2015 at 02:38, Endi Sukma Dewata wrote:
Please take a look at the attached patch to add vault-archive/retrieve
commands.
On 4/20/2015 1:12 AM, Jan Cholasta wrote:
16) You do way too much stuff in vault_add.forward(). Only code that
must be done on the client needs to be there, i.e.
On 21.5.2015 at 17:45, Endi Sukma Dewata wrote:
Please take a look at the new patch.
On 5/20/2015 1:53 AM, Jan Cholasta wrote:
I suppose you meant you're OK with not adding host vaults now?
Yes.
The only way to know if the design will be future proof is if we have at
least some idea how
On 19.5.2015 at 16:40, Endi Sukma Dewata wrote:
Before I send another patch I have some questions below.
On 5/19/2015 3:27 AM, Jan Cholasta wrote:
I changed the 'host vaults' to become 'service vaults'. The interface
will look like this:
$ ipa vault-find --service HTTP/server.example.com
$
On 18.5.2015 at 21:17, Endi Sukma Dewata wrote:
Please take a look at the attached new patch which includes some of the
changes you proposed.
On 5/14/2015 7:17 PM, Endi Sukma Dewata wrote:
On 5/14/2015 1:42 PM, Jan Cholasta wrote:
Question: Services in IPA are identified by Kerberos
Before I send another patch I have some questions below.
On 5/19/2015 3:27 AM, Jan Cholasta wrote:
I changed the 'host vaults' to become 'service vaults'. The interface
will look like this:
$ ipa vault-find --service HTTP/server.example.com
$ ipa vault-add test --service
Please take a look at the attached new patch which includes some of the
changes you proposed.
On 5/14/2015 7:17 PM, Endi Sukma Dewata wrote:
On 5/14/2015 1:42 PM, Jan Cholasta wrote:
Question: Services in IPA are identified by Kerberos principal. Why are
service vaults identified by hostname
On 14.5.2015 at 05:01, Endi Sukma Dewata wrote:
On 5/13/2015 4:09 AM, Jan Cholasta wrote:
On 12.5.2015 at 12:52, Endi Sukma Dewata wrote:
Please take a look at the attached patch (#353-9). It obsoletes all
previous patches. See comments below.
On 4/20/2015 1:12 AM, Jan Cholasta wrote:
On 5/14/2015 1:42 PM, Jan Cholasta wrote:
Question: Services in IPA are identified by Kerberos principal. Why are
service vaults identified by hostname alone?
The service vaults are actually identified by the hostname and service
name assuming the principal is in this format: name/host@realm.
On 12.5.2015 at 12:52, Endi Sukma Dewata wrote:
Please take a look at the attached patch (#353-9). It obsoletes all
previous patches. See comments below.
On 4/20/2015 1:12 AM, Jan Cholasta wrote:
I'm planning to merge the vault and vault container object and use the
vault type attribute to
On 5/13/2015 4:09 AM, Jan Cholasta wrote:
On 12.5.2015 at 12:52, Endi Sukma Dewata wrote:
Please take a look at the attached patch (#353-9). It obsoletes all
previous patches. See comments below.
On 4/20/2015 1:12 AM, Jan Cholasta wrote:
I'm planning to merge the vault and vault container
Please take a look at the attached patch (#353-9). It obsoletes all
previous patches. See comments below.
On 4/20/2015 1:12 AM, Jan Cholasta wrote:
I'm planning to merge the vault and vault container object and use the
vault type attribute to distinguish between the two. See more discussion
On 3.4.2015 at 05:37, Endi Sukma Dewata wrote:
Hi,
Attached are new patches replacing all old ones. Please take a look at
them. They should be applied in this order: 365, 353-8, 355-6, 357-3,
359-2, 360-1, 364-1, 361-1.
Thanks for squashing patches 362-364 into the original patches, it's
On 11.3.2015 at 15:12, Endi Sukma Dewata wrote:
Thanks for the review. New patch attached to be applied on top of all
previous patches. Please see comments below.
Thanks. I have replied to some of your comments below.
On 3/6/2015 3:53 PM, Jan Cholasta wrote:
Patch 353:
1) Please follow
On 3/13/2015 2:27 AM, Endi Sukma Dewata wrote:
On 3/11/2015 9:12 PM, Endi Sukma Dewata wrote:
Thanks for the review. New patch attached to be applied on top of all
previous patches. Please see comments below.
New patch #362-1 attached replacing #362. It fixed some issues in
Thanks for the review. New patch attached to be applied on top of all
previous patches. Please see comments below.
On 3/6/2015 3:53 PM, Jan Cholasta wrote:
Patch 353:
1) Please follow PEP8 in new code.
The pep8 tool reports these errors in existing files:
./ipalib/constants.py:98:80: E501
On 3/11/2015 9:12 PM, Endi Sukma Dewata wrote:
Thanks for the review. New patch attached to be applied on top of all
previous patches. Please see comments below.
New patch #362-1 attached replacing #362. It fixed some issues in
handle_not_found().
--
Endi S. Dewata
From
Hi Endi,
On 24.2.2015 at 04:09, Endi Sukma Dewata wrote:
On 2/16/2015 2:50 AM, Endi Sukma Dewata wrote:
Hi,
Attached are the updated patches for the password vault, and some new
ones (please disregard previous patch submissions). Please give them a
try. Thanks.
New patches attached