On Fri, 2015-05-29 at 17:23 -0400, Adam Young wrote:
On 05/28/2015 01:29 AM, Jan Cholasta wrote:
On 27.5.2015 at 15:51, Nathaniel McCallum wrote:
On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote:
On 27.5.2015 at 15:43, Simo Sorce wrote:
On Wed, 2015-05-27 at 13:57 +0200, Jan
On 05/28/2015 01:29 AM, Jan Cholasta wrote:
On 27.5.2015 at 15:51, Nathaniel McCallum wrote:
On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote:
On 27.5.2015 at 15:43, Simo Sorce wrote:
On Wed, 2015-05-27 at 13:57 +0200, Jan Cholasta wrote:
ipa config-mod
On 2015-05-28 10:02, Jan Cholasta wrote:
The python-kdcproxy package is a new dependency for the freeipa-server
package. It will always get installed with the server.
Why? None of the IPA core functionality depends on it, so it should be
optional. Also the overall trend in IPA is to have
On 28.5.2015 07:42, Jan Cholasta wrote:
On 27.5.2015 at 15:54, Simo Sorce wrote:
On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote:
On 27.5.2015 at 15:43, Simo Sorce wrote:
On Wed, 2015-05-27 at 13:57 +0200, Jan Cholasta wrote:
ipa config-mod --enable-kdcproxy=TRUE
ipa
On 2015-05-28 07:32, Jan Cholasta wrote:
On 27.5.2015 at 16:01, Christian Heimes wrote:
On 2015-05-27 15:51, Nathaniel McCallum wrote:
As I understand the problem, there is an assumption that an optional
component has a distinct service to start and stop. That is not the
case here. This is
On 28.5.2015 at 09:45, Christian Heimes wrote:
On 2015-05-28 07:32, Jan Cholasta wrote:
On 27.5.2015 at 16:01, Christian Heimes wrote:
On 2015-05-27 15:51, Nathaniel McCallum wrote:
As I understand the problem, there is an assumption that an optional
component has a distinct service to
On 05/28/2015 07:29 AM, Jan Cholasta wrote:
On 27.5.2015 at 15:51, Nathaniel McCallum wrote:
On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote:
On 27.5.2015 at 15:43, Simo Sorce wrote:
On Wed, 2015-05-27 at 13:57 +0200, Jan Cholasta wrote:
ipa config-mod --enable-kdcproxy=TRUE
On 05/28/2015 10:02 AM, Jan Cholasta wrote:
On 28.5.2015 at 09:45, Christian Heimes wrote:
On 2015-05-28 07:32, Jan Cholasta wrote:
On 27.5.2015 at 16:01, Christian Heimes wrote:
On 2015-05-27 15:51, Nathaniel McCallum wrote:
As I understand the problem, there is an assumption that an
On 28.5.2015 at 12:53, Christian Heimes wrote:
On 2015-05-28 12:46, Martin Kosek wrote:
I am fine with this too. So if there is not another major disagreement, let us
start with enabling KDCPROXY by default during upgrade/install, the new ACI and
the per-replica standard configuration.
API
On Thu, 28 May 2015, Petr Spacek wrote:
On 28.5.2015 07:42, Jan Cholasta wrote:
On 27.5.2015 at 15:54, Simo Sorce wrote:
On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote:
On 27.5.2015 at 15:43, Simo Sorce wrote:
On Wed, 2015-05-27 at 13:57 +0200, Jan Cholasta wrote:
ipa
On 28/05/15 12:53, Christian Heimes wrote:
On 2015-05-28 12:46, Martin Kosek wrote:
I am fine with this too. So if there is not another major disagreement, let us
start with enabling KDCPROXY by default during upgrade/install, the new ACI and
the per-replica standard configuration.
API CLI/UI
On 05/28/2015 12:27 PM, Alexander Bokovoy wrote:
On Thu, 28 May 2015, Christian Heimes wrote:
On 2015-05-28 12:10, Petr Spacek wrote:
I see. My question is - if we go this way, what is then the reasonable subset
configuration functionality realistic for FreeIPA 4.2 GA? (As we want this
On 28.5.2015 11:59, Martin Kosek wrote:
On 05/28/2015 11:12 AM, Alexander Bokovoy wrote:
On Thu, 28 May 2015, Petr Spacek wrote:
On 28.5.2015 07:42, Jan Cholasta wrote:
On 27.5.2015 at 15:54, Simo Sorce wrote:
On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote:
On 27.5.2015 at 15:43
On Thu, 28 May 2015, Christian Heimes wrote:
On 2015-05-28 12:10, Petr Spacek wrote:
I see. My question is - if we go this way, what is then the reasonable subset
configuration functionality realistic for FreeIPA 4.2 GA? (As we want this
feature in for 4.2). Is ipa-kdcproxy-manage doable?
What
On 28.5.2015 12:53, Christian Heimes wrote:
On 2015-05-28 12:46, Martin Kosek wrote:
I am fine with this too. So if there is not another major disagreement,
let us start with enabling KDCPROXY by default during upgrade/install,
the new ACI and the per-replica standard configuration.
API
On 28.5.2015 at 13:56, Christian Heimes wrote:
On 2015-05-28 13:30, Jan Cholasta wrote:
On 28.5.2015 at 12:53, Christian Heimes wrote:
On 2015-05-28 12:46, Martin Kosek wrote:
I am fine with this too. So if there is not another major disagreement, let us
start with enabling KDCPROXY by
On 28/05/15 14:06, Christian Heimes wrote:
On 2015-05-28 13:29, Martin Basti wrote:
On 28/05/15 12:53, Christian Heimes wrote:
On 2015-05-28 12:46, Martin Kosek wrote:
I am fine with this too. So if there is not another major disagreement, let us
start with enabling KDCPROXY by default during
On 05/28/2015 03:06 PM, Simo Sorce wrote:
On Thu, 2015-05-28 at 07:42 +0200, Jan Cholasta wrote:
On 27.5.2015 at 15:54, Simo Sorce wrote:
On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote:
On 27.5.2015 at 15:43, Simo Sorce wrote:
On Wed, 2015-05-27 at 13:57 +0200, Jan Cholasta
On Thu, 2015-05-28 at 12:14 +0300, Alexander Bokovoy wrote:
On Thu, 28 May 2015, Martin Kosek wrote:
On 05/28/2015 10:02 AM, Jan Cholasta wrote:
On 28.5.2015 at 09:45, Christian Heimes wrote:
On 2015-05-28 07:32, Jan Cholasta wrote:
On 27.5.2015 at 16:01, Christian Heimes wrote:
On
On 2015-05-28 13:30, Jan Cholasta wrote:
On 28.5.2015 at 12:53, Christian Heimes wrote:
On 2015-05-28 12:46, Martin Kosek wrote:
I am fine with this too. So if there is not another major disagreement, let us
start with enabling KDCPROXY by default during upgrade/install, the new ACI and
On 2015-05-28 13:29, Martin Basti wrote:
On 28/05/15 12:53, Christian Heimes wrote:
On 2015-05-28 12:46, Martin Kosek wrote:
I am fine with this too. So if there is not another major disagreement, let us
start with enabling KDCPROXY by default during upgrade/install, the new ACI and
the
On 26.5.2015 17:56, Christian Heimes wrote:
On 2015-05-26 17:11, Nathaniel McCallum wrote:
I don't want to add code that: 1. is half-baked 2. we aren't committed
to supporting.
I'd rather land per-replica switches as a separate commit with
everything polished and supportable.
Well then
On 2015-05-27 11:59, Martin Kosek wrote:
On 05/27/2015 11:53 AM, Alexander Bokovoy wrote:
On Wed, 27 May 2015, Martin Kosek wrote:
On 05/26/2015 05:40 PM, Jan Cholasta wrote:
On 22.5.2015 at 12:24, Christian Heimes wrote:
...
Finally I haven't figured out the best way to configure the
On 05/26/2015 05:40 PM, Jan Cholasta wrote:
On 22.5.2015 at 12:24, Christian Heimes wrote:
...
Finally I haven't figured out the best way to configure the instance. An
admin should be able to enable / disable KDC proxy. Should I write a
script or an ipa plugin for the job?
A script,
On 05/27/2015 11:53 AM, Alexander Bokovoy wrote:
On Wed, 27 May 2015, Martin Kosek wrote:
On 05/26/2015 05:40 PM, Jan Cholasta wrote:
On 22.5.2015 at 12:24, Christian Heimes wrote:
...
Finally I haven't figured out the best way to configure the instance. An
admin should be able to enable
On 05/27/2015 01:33 PM, Christian Heimes wrote:
On 2015-05-27 11:59, Martin Kosek wrote:
On 05/27/2015 11:53 AM, Alexander Bokovoy wrote:
On Wed, 27 May 2015, Martin Kosek wrote:
On 05/26/2015 05:40 PM, Jan Cholasta wrote:
On 22.5.2015 at 12:24, Christian Heimes wrote:
...
Finally I
On Wed, 27 May 2015, Martin Kosek wrote:
On 05/26/2015 05:40 PM, Jan Cholasta wrote:
On 22.5.2015 at 12:24, Christian Heimes wrote:
...
Finally I haven't figured out the best way to configure the instance. An
admin should be able to enable / disable KDC proxy. Should I write a
script or a
On 05/27/2015 03:34 PM, Christian Heimes wrote:
On 2015-05-27 14:47, Petr Vobornik wrote:
Install/uninstall is not the same thing as enable/disable. Installation
is a set of steps which first configures and then (optionally) enables
the component.
E.g:
1. modify configuration file(s), ldap
On Wed, 2015-05-27 at 13:57 +0200, Jan Cholasta wrote:
ipa config-mod --enable-kdcproxy=TRUE
ipa config-mod --enable-kdcproxy=FALSE
I don't like this approach, as it is completely inconsistent with every
other optional component. There should be *one* way to handle them and
On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote:
On 27.5.2015 at 15:43, Simo Sorce wrote:
On Wed, 2015-05-27 at 13:57 +0200, Jan Cholasta wrote:
ipa config-mod --enable-kdcproxy=TRUE
ipa config-mod --enable-kdcproxy=FALSE
I don't like this approach, as it
On 2015-05-27 15:51, Nathaniel McCallum wrote:
As I understand the problem, there is an assumption that an optional
component has a distinct service to start and stop. That is not the
case here. This is just new config for apache.
More details:
The KDC Proxy uses the same Apache instance as
On 05/27/2015 01:57 PM, Jan Cholasta wrote:
On 27.5.2015 at 13:34, Martin Kosek wrote:
On 05/27/2015 01:33 PM, Christian Heimes wrote:
On 2015-05-27 11:59, Martin Kosek wrote:
On 05/27/2015 11:53 AM, Alexander Bokovoy wrote:
On Wed, 27 May 2015, Martin Kosek wrote:
On 05/26/2015 05:40
On Wed, 2015-05-27 at 15:41 +0200, Petr Vobornik wrote:
On 05/27/2015 03:34 PM, Christian Heimes wrote:
On 2015-05-27 14:47, Petr Vobornik wrote:
Install/uninstall is not the same thing as enable/disable. Installation
is a set of steps which first configures and then (optionally)
On 27.5.2015 at 15:43, Simo Sorce wrote:
On Wed, 2015-05-27 at 13:57 +0200, Jan Cholasta wrote:
ipa config-mod --enable-kdcproxy=TRUE
ipa config-mod --enable-kdcproxy=FALSE
I don't like this approach, as it is completely inconsistent with every
other optional component. There
On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote:
On 27.5.2015 at 15:43, Simo Sorce wrote:
On Wed, 2015-05-27 at 13:57 +0200, Jan Cholasta wrote:
ipa config-mod --enable-kdcproxy=TRUE
ipa config-mod --enable-kdcproxy=FALSE
I don't like this approach, as it is
On 27.5.2015 at 13:34, Martin Kosek wrote:
On 05/27/2015 01:33 PM, Christian Heimes wrote:
On 2015-05-27 11:59, Martin Kosek wrote:
On 05/27/2015 11:53 AM, Alexander Bokovoy wrote:
On Wed, 27 May 2015, Martin Kosek wrote:
On 05/26/2015 05:40 PM, Jan Cholasta wrote:
On 22.5.2015 at 12:24
On 27.5.2015 at 14:47, Petr Vobornik wrote:
On 05/27/2015 01:57 PM, Jan Cholasta wrote:
On 27.5.2015 at 13:34, Martin Kosek wrote:
On 05/27/2015 01:33 PM, Christian Heimes wrote:
On 2015-05-27 11:59, Martin Kosek wrote:
On 05/27/2015 11:53 AM, Alexander Bokovoy wrote:
On Wed, 27 May
On 2015-05-27 14:47, Petr Vobornik wrote:
Install/uninstall is not the same thing as enable/disable. Installation
is a set of steps which first configures and then (optionally) enables
the component.
E.g:
1. modify configuration file(s), ldap entries
2. run something which starts the
On Wed, 2015-05-27 at 15:41 +0200, Petr Vobornik wrote:
On 05/27/2015 03:34 PM, Christian Heimes wrote:
On 2015-05-27 14:47, Petr Vobornik wrote:
Install/uninstall is not the same thing as enable/disable. Installation
is a set of steps which first configures and then (optionally) enables
On 2015-05-27 15:41, Petr Vobornik wrote:
It would be great to have a privileged daemon which could observe
replicated configuration and perform such tasks on all servers so we
would eliminate manual tasks (and errors and misconceptions which are
caused by forgotten manual tasks) as much as
On 27.5.2015 at 15:51, Nathaniel McCallum wrote:
On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote:
On 27.5.2015 at 15:43, Simo Sorce wrote:
On Wed, 2015-05-27 at 13:57 +0200, Jan Cholasta wrote:
ipa config-mod --enable-kdcproxy=TRUE
ipa config-mod --enable-kdcproxy=FALSE
On 27.5.2015 at 16:01, Christian Heimes wrote:
On 2015-05-27 15:51, Nathaniel McCallum wrote:
As I understand the problem, there is an assumption that an optional
component has a distinct service to start and stop. That is not the
case here. This is just new config for apache.
More
On 27.5.2015 at 15:54, Simo Sorce wrote:
On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote:
On 27.5.2015 at 15:43, Simo Sorce wrote:
On Wed, 2015-05-27 at 13:57 +0200, Jan Cholasta wrote:
ipa config-mod --enable-kdcproxy=TRUE
ipa config-mod --enable-kdcproxy=FALSE
I
On 22.5.2015 at 12:24, Christian Heimes wrote:
Hello,
since May 1st I'm a new Red Hat employee and developer with the FreeIPA
team. Some of you may already recognize my name from my contributions to
CPython core, Python security and TLS/SSL improvements, or a couple of
PEPs. I'm very glad
On Fri, 2015-05-22 at 12:24 +0200, Christian Heimes wrote:
Here is what I have so far:
1) The FreeIPA webui already depends on Apache and mod_wsgi. KDC proxy
will run from the same Apache HTTPD instance but it will use a different
mod_wsgi daemon configuration. A second WSGI daemon is
On 2015-05-26 15:57, Nathaniel McCallum wrote:
/KdcProxy
The URI uses the virtual directory /KdcProxy unless otherwise
configured.
https://msdn.microsoft.com/en-us/library/hh553891.aspx
Also, the proxy should be available over both HTTP and HTTPS.
Easy-peasy! I'm using /KdcProxy
On 05/26/2015 04:17 PM, Christian Heimes wrote:
On 2015-05-26 15:57, Nathaniel McCallum wrote:
/KdcProxy
The URI uses the virtual directory /KdcProxy unless otherwise
configured.
https://msdn.microsoft.com/en-us/library/hh553891.aspx
Also, the proxy should be available over both HTTP and
On Tue, 2015-05-26 at 16:43 +0200, Christian Heimes wrote:
On 2015-05-26 16:24, Martin Kosek wrote:
On 05/26/2015 04:17 PM, Christian Heimes wrote:
On 2015-05-26 15:57, Nathaniel McCallum wrote:
/KdcProxy
The URI uses the virtual directory /KdcProxy unless otherwise
On 2015-05-26 16:24, Martin Kosek wrote:
On 05/26/2015 04:17 PM, Christian Heimes wrote:
On 2015-05-26 15:57, Nathaniel McCallum wrote:
/KdcProxy
The URI uses the virtual directory /KdcProxy unless otherwise
configured.
https://msdn.microsoft.com/en-us/library/hh553891.aspx
Also, the
On 2015-05-26 16:50, Nathaniel McCallum wrote:
Right. So as I see it, we have three options:
1. Merge kdcproxy soon with a global switch.
A. Build per-replica switches later.
B. Never build per-replica switches.
2. Merge kdcproxy later with per-replica switches.
I don't think having
On Tue, 2015-05-26 at 17:09 +0200, Christian Heimes wrote:
On 2015-05-26 16:50, Nathaniel McCallum wrote:
Right. So as I see it, we have three options:
1. Merge kdcproxy soon with a global switch.
A. Build per-replica switches later.
B. Never build per-replica switches.
2. Merge
On 2015-05-26 17:11, Nathaniel McCallum wrote:
I don't want to add code that:
1. is half-baked
2. we aren't committed to supporting.
I'd rather land per-replica switches as a separate commit with
everything polished and supportable.
Well then ... I'm going to remove the code for
Hello,
since May 1st I'm a new Red Hat employee and developer with the FreeIPA
team. Some of you may already recognize my name from my contributions to
CPython core, Python security and TLS/SSL improvements, or a couple of
PEPs. I'm very glad that I can now work on Open Source as a full time
job.
On 05/22/2015 12:24 PM, Christian Heimes wrote:
Hello,
since May 1st I'm a new Red Hat employee and developer with the FreeIPA
team. Some of you may already recognize my name from my contributions to
CPython core, Python security and TLS/SSL improvements, or a couple of
PEPs. I'm very glad that
On 2015-05-22 13:02, Martin Kosek wrote:
The original proposal was to do it globally in cn=config. But if it is
about to be stored in the cn=masters, per-replica, this looks as the
right way.
My first proposal used cn=ipaConfig,cn=etc because it was the first
place I found. It took me a bit to
On 05/22/2015 01:17 PM, Christian Heimes wrote:
On 2015-05-22 13:02, Martin Kosek wrote:
The original proposal was to do it globally in cn=config. But if it is
about to be stored in the cn=masters, per-replica, this looks as the
right way.
My first proposal used cn=ipaConfig,cn=etc because it
On 22/05/15 13:02, Martin Kosek wrote:
On 05/22/2015 12:24 PM, Christian Heimes wrote:
Hello,
since May 1st I'm a new Red Hat employee and developer with the FreeIPA
team. Some of you may already recognize my name from my contributions to
CPython core, Python security and TLS/SSL improvements,
On 2015-05-22 14:02, Petr Vobornik wrote:
Actually the service part of IPA servers is not covered in the
proposal. The proposal just says that it can be added later.
There will be a question if it should even be called services. Maybe
capabilities would be a better term given that KDC Proxy is