On 04/24/2012 10:47 AM, Ondrej Hamada wrote:
On 04/23/2012 07:58 PM, Simo Sorce wrote:
On Mon, 2012-04-23 at 13:50 -0400, Dmitri Pal wrote:
Ah OK. Another semantic difference. Doing it in phases is one thing and
delivering is another. Let us say we identified 10 things that need to
be
On Thu, 2012-05-03 at 19:37 +0200, Ondrej Hamada wrote:
On 04/24/2012 10:47 AM, Ondrej Hamada wrote:
On 04/23/2012 07:58 PM, Simo Sorce wrote:
On Mon, 2012-04-23 at 13:50 -0400, Dmitri Pal wrote:
Ah OK. Another semantic difference. Doing it in phases is one thing and
delivering is
On 04/23/2012 07:58 PM, Simo Sorce wrote:
On Mon, 2012-04-23 at 13:50 -0400, Dmitri Pal wrote:
Ah OK. Another semantic difference. Doing it in phases is one thing and
delivering is another. Let us say we identified 10 things that need to
be implemented. The problem is so huge that Ondrej would
On 04/20/2012 04:29 PM, Simo Sorce wrote:
On Fri, 2012-04-20 at 16:09 -0400, Dmitri Pal wrote:
I was under the assumption that to be able to wrap things properly you
need both user password in clear that you have only at the moment the
hashes are created and the key for the branch office
On Mon, 2012-04-23 at 09:54 -0400, Dmitri Pal wrote:
On 04/20/2012 04:29 PM, Simo Sorce wrote:
On Fri, 2012-04-20 at 16:09 -0400, Dmitri Pal wrote:
I was under the assumption that to be able to wrap things properly you
need both user password in clear that you have only at the moment the
On 04/23/2012 10:02 AM, Simo Sorce wrote:
On Mon, 2012-04-23 at 09:54 -0400, Dmitri Pal wrote:
On 04/20/2012 04:29 PM, Simo Sorce wrote:
On Fri, 2012-04-20 at 16:09 -0400, Dmitri Pal wrote:
I was under the assumption that to be able to wrap things properly you
need both user password in
On Mon, 2012-04-23 at 13:04 -0400, Dmitri Pal wrote:
On 04/23/2012 10:02 AM, Simo Sorce wrote:
On Mon, 2012-04-23 at 09:54 -0400, Dmitri Pal wrote:
On 04/20/2012 04:29 PM, Simo Sorce wrote:
On Fri, 2012-04-20 at 16:09 -0400, Dmitri Pal wrote:
I was under the assumption that to be able
On 04/23/2012 01:35 PM, Simo Sorce wrote:
On Mon, 2012-04-23 at 13:04 -0400, Dmitri Pal wrote:
On 04/23/2012 10:02 AM, Simo Sorce wrote:
On Mon, 2012-04-23 at 09:54 -0400, Dmitri Pal wrote:
On 04/20/2012 04:29 PM, Simo Sorce wrote:
On Fri, 2012-04-20 at 16:09 -0400, Dmitri Pal wrote:
I was
On Mon, 2012-04-23 at 13:50 -0400, Dmitri Pal wrote:
Ah OK. Another semantic difference. Doing it in phases is one thing and
delivering is another. Let us say we identified 10 things that need to
be implemented. The problem is so huge that Ondrej would likely be able
to tackle only couple
On 04/19/2012 07:43 PM, Simo Sorce wrote:
Ok, this comes close to a proper solution but not quite.
So first of all, kerberos keys are available in the master, we do not
need to also store the clear txt password and regenerate them, but we do
need to be able to convey them to the replica wrapped
On Fri, 2012-04-20 at 16:09 -0400, Dmitri Pal wrote:
I was under the assumption that to be able to wrap things properly you
need both user password in clear that you have only at the moment the
hashes are created and the key for the branch office replica. Is this
the wrong assumption? If you
On 04/18/2012 08:30 PM, Rich Megginson wrote:
On 04/17/2012 06:42 AM, Simo Sorce wrote:
On Tue, 2012-04-17 at 01:13 +0200, Ondrej Hamada wrote:
Sorry for inactivity, I was struggling with a lot of school stuff.
I've summed up the main goals, do you agree on them or should I
add/remove any?
On Thu, 2012-04-19 at 14:18 +0200, Ondrej Hamada wrote:
On 04/18/2012 08:30 PM, Rich Megginson wrote:
* Credentials expiration on replica should be configurable
What does this mean ?
We should store credentials for a subset of users only. As this subset
might change over time, we should
On 04/19/2012 09:03 AM, Simo Sorce wrote:
On Thu, 2012-04-19 at 14:18 +0200, Ondrej Hamada wrote:
On 04/18/2012 08:30 PM, Rich Megginson wrote:
* Credentials expiration on replica should be configurable
What does this mean ?
We should store credentials for a subset of users only. As this
On 04/19/2012 04:10 PM, Dmitri Pal wrote:
On 04/19/2012 09:03 AM, Simo Sorce wrote:
On Thu, 2012-04-19 at 14:18 +0200, Ondrej Hamada wrote:
On 04/18/2012 08:30 PM, Rich Megginson wrote:
* Credentials expiration on replica should be configurable
What does this mean ?
We should store
On 04/19/2012 11:26 AM, Ondrej Hamada wrote:
There is one aspect that is missing in this discussion. If we are
talking about a remote office and about a Consumer that serves this
office we need to understand not only the flow of the initial
authentication but are there other authentications
On Thu, 2012-04-19 at 10:10 -0400, Dmitri Pal wrote:
If the eSSO is not required and we talk about the initial login only
we
can have a DS instance as a consumer do not need to have the whole IPA
because KDC, CA and management frameworks are not needed. This DS can
replicate a subset of the
On Thu, 2012-04-19 at 17:26 +0200, Ondrej Hamada wrote:
Sorry, I wrote it unclearly. I meant that the credentials we store on the
Consumer should be available there only for a specified period of time.
Why ?
After that time they should be flushed away (means they are still valid,
just not
On 04/19/2012 12:33 PM, Simo Sorce wrote:
On Thu, 2012-04-19 at 10:10 -0400, Dmitri Pal wrote:
If the eSSO is not required and we talk about the initial login only
we
can have a DS instance as a consumer do not need to have the whole IPA
because KDC, CA and management frameworks are not
On Thu, 2012-04-19 at 15:00 -0400, Dmitri Pal wrote:
Local server is the central hub for the authentications in the remote
office. The client machines with SSSD or LDAP clients might not have
access to the central datacenter directly. Another reason for having
such login server is to reduce
On 04/19/2012 03:44 PM, Simo Sorce wrote:
On Thu, 2012-04-19 at 15:00 -0400, Dmitri Pal wrote:
Local server is the central hub for the authentications in the remote
office. The client machines with SSSD or LDAP clients might not have
access to the central datacenter directly. Another reason
On Thu, 2012-04-19 at 16:29 -0400, Dmitri Pal wrote:
On 04/19/2012 03:44 PM, Simo Sorce wrote:
On Thu, 2012-04-19 at 15:00 -0400, Dmitri Pal wrote:
Local server is the central hub for the authentications in the remote
office. The client machines with SSSD or LDAP clients might not have
On 04/19/2012 05:28 PM, Simo Sorce wrote:
On Thu, 2012-04-19 at 16:29 -0400, Dmitri Pal wrote:
On 04/19/2012 03:44 PM, Simo Sorce wrote:
On Thu, 2012-04-19 at 15:00 -0400, Dmitri Pal wrote:
Local server is the central hub for the authentications in the remote
office. The client machines with
On Thu, 2012-04-19 at 18:25 -0400, Dmitri Pal wrote:
On 04/19/2012 05:28 PM, Simo Sorce wrote:
On Thu, 2012-04-19 at 16:29 -0400, Dmitri Pal wrote:
On 04/19/2012 03:44 PM, Simo Sorce wrote:
On Thu, 2012-04-19 at 15:00 -0400, Dmitri Pal wrote:
Local server is the central hub for the
On 04/17/2012 06:42 AM, Simo Sorce wrote:
On Tue, 2012-04-17 at 01:13 +0200, Ondrej Hamada wrote:
Sorry for inactivity, I was struggling with a lot of school stuff.
I've summed up the main goals, do you agree on them or should I
add/remove any?
GOALS
On Tue, 2012-04-17 at 01:13 +0200, Ondrej Hamada wrote:
Sorry for inactivity, I was struggling with a lot of school stuff.
I've summed up the main goals, do you agree on them or should I
add/remove any?
GOALS
===
Create Hub and Consumer
Sorry for inactivity, I was struggling with a lot of school stuff.
I've summed up the main goals, do you agree on them or should I
add/remove any?
GOALS
===
Create Hub and Consumer types of replica with following features:
* Hub is read-only
* Hub
On 04/06/2012 09:15 AM, Ondrej Hamada wrote:
On 04/04/2012 06:16 PM, Ondrej Hamada wrote:
On 04/04/2012 03:02 PM, Simo Sorce wrote:
On Tue, 2012-04-03 at 18:45 +0200, Ondrej Hamada wrote:
On 03/13/2012 01:13 AM, Dmitri Pal wrote:
On 03/12/2012 06:10 PM, Simo Sorce wrote:
On Mon, 2012-03-12
On 04/04/2012 06:16 PM, Ondrej Hamada wrote:
On 04/04/2012 03:02 PM, Simo Sorce wrote:
On Tue, 2012-04-03 at 18:45 +0200, Ondrej Hamada wrote:
On 03/13/2012 01:13 AM, Dmitri Pal wrote:
On 03/12/2012 06:10 PM, Simo Sorce wrote:
On Mon, 2012-03-12 at 17:40 -0400, Dmitri Pal wrote:
On
On 04/03/2012 12:45 PM, Ondrej Hamada wrote:
On 03/13/2012 01:13 AM, Dmitri Pal wrote:
On 03/12/2012 06:10 PM, Simo Sorce wrote:
On Mon, 2012-03-12 at 17:40 -0400, Dmitri Pal wrote:
On 03/12/2012 04:16 PM, Simo Sorce wrote:
On Mon, 2012-03-12 at 20:38 +0100, Ondrej Hamada wrote:
USER'S
On Tue, 2012-04-03 at 18:45 +0200, Ondrej Hamada wrote:
On 03/13/2012 01:13 AM, Dmitri Pal wrote:
On 03/12/2012 06:10 PM, Simo Sorce wrote:
On Mon, 2012-03-12 at 17:40 -0400, Dmitri Pal wrote:
On 03/12/2012 04:16 PM, Simo Sorce wrote:
On Mon, 2012-03-12 at 20:38 +0100, Ondrej Hamada
On 04/04/2012 03:02 PM, Simo Sorce wrote:
On Tue, 2012-04-03 at 18:45 +0200, Ondrej Hamada wrote:
On 03/13/2012 01:13 AM, Dmitri Pal wrote:
On 03/12/2012 06:10 PM, Simo Sorce wrote:
On Mon, 2012-03-12 at 17:40 -0400, Dmitri Pal wrote:
On 03/12/2012 04:16 PM, Simo Sorce wrote:
On Mon,
On 03/13/2012 01:13 AM, Dmitri Pal wrote:
On 03/12/2012 06:10 PM, Simo Sorce wrote:
On Mon, 2012-03-12 at 17:40 -0400, Dmitri Pal wrote:
On 03/12/2012 04:16 PM, Simo Sorce wrote:
On Mon, 2012-03-12 at 20:38 +0100, Ondrej Hamada wrote:
USER'S operations when connection is OK:
On 03/08/2012 04:54 PM, Dmitri Pal wrote:
On 03/06/2012 01:30 PM, Ondrej Hamada wrote:
On 03/06/2012 05:47 PM, Dmitri Pal wrote:
On 03/06/2012 10:59 AM, Simo Sorce wrote:
On Tue, 2012-03-06 at 10:56 -0500, Dmitri Pal wrote:
[...]
For a read-only KDC we need to investigate what's the better
On 03/12/2012 03:38 PM, Ondrej Hamada wrote:
On 03/08/2012 04:54 PM, Dmitri Pal wrote:
On 03/06/2012 01:30 PM, Ondrej Hamada wrote:
On 03/06/2012 05:47 PM, Dmitri Pal wrote:
On 03/06/2012 10:59 AM, Simo Sorce wrote:
On Tue, 2012-03-06 at 10:56 -0500, Dmitri Pal wrote:
[...]
For a read-only
On 03/12/2012 01:51 PM, Dmitri Pal wrote:
On 03/12/2012 03:38 PM, Ondrej Hamada wrote:
On 03/08/2012 04:54 PM, Dmitri Pal wrote:
On 03/06/2012 01:30 PM, Ondrej Hamada wrote:
On 03/06/2012 05:47 PM, Dmitri Pal wrote:
On 03/06/2012 10:59 AM, Simo Sorce wrote:
On Tue, 2012-03-06 at 10:56
On Mon, 2012-03-12 at 20:38 +0100, Ondrej Hamada wrote:
USER'S operations when connection is OK:
---
read data - local
write data - forwarding to master
authentication:
-credentials cached -- authenticate against credentials in local cache
On 03/12/2012 04:16 PM, Simo Sorce wrote:
On Mon, 2012-03-12 at 20:38 +0100, Ondrej Hamada wrote:
USER'S operations when connection is OK:
---
read data - local
write data - forwarding to master
authentication:
-credentials cached --
On Mon, 2012-03-12 at 17:40 -0400, Dmitri Pal wrote:
On 03/12/2012 04:16 PM, Simo Sorce wrote:
On Mon, 2012-03-12 at 20:38 +0100, Ondrej Hamada wrote:
USER'S operations when connection is OK:
---
read data - local
write data -
On 03/12/2012 06:10 PM, Simo Sorce wrote:
On Mon, 2012-03-12 at 17:40 -0400, Dmitri Pal wrote:
On 03/12/2012 04:16 PM, Simo Sorce wrote:
On Mon, 2012-03-12 at 20:38 +0100, Ondrej Hamada wrote:
USER'S operations when connection is OK:
---
On 03/06/2012 01:30 PM, Ondrej Hamada wrote:
On 03/06/2012 05:47 PM, Dmitri Pal wrote:
On 03/06/2012 10:59 AM, Simo Sorce wrote:
On Tue, 2012-03-06 at 10:56 -0500, Dmitri Pal wrote:
[...]
For a read-only KDC we need to investigate what's the better
solution.
There are many ways we can
[...]
For a read-only KDC we need to investigate what's the better solution.
There are many ways we can handle the issue, one of the simplest is
probably to allow the RO KDC to use a special LDAP Extended operation
against a full R/W server to get the user keys to sign, authenticating
with
On 03/06/2012 10:59 AM, Simo Sorce wrote:
On Tue, 2012-03-06 at 10:56 -0500, Dmitri Pal wrote:
[...]
For a read-only KDC we need to investigate what's the better
solution.
There are many ways we can handle the issue, one of the simplest is
probably to allow the RO KDC to use a special LDAP
On 03/06/2012 05:47 PM, Dmitri Pal wrote:
On 03/06/2012 10:59 AM, Simo Sorce wrote:
On Tue, 2012-03-06 at 10:56 -0500, Dmitri Pal wrote:
[...]
For a read-only KDC we need to investigate what's the better
solution.
There are many ways we can handle the issue, one of the simplest is
probably
On Sat, 2012-03-03 at 18:33 -0500, Dmitri Pal wrote:
On 03/01/2012 08:32 AM, Ondrej Hamada wrote:
On 02/29/2012 04:36 PM, Simo Sorce wrote:
On Wed, 2012-02-29 at 16:19 +0100, Ondrej Hamada wrote:
Hi everyone,
I'm currently working on my thesis. Its objective is $SUBJ and we
already
On 03/01/2012 08:32 AM, Ondrej Hamada wrote:
On 02/29/2012 04:36 PM, Simo Sorce wrote:
On Wed, 2012-02-29 at 16:19 +0100, Ondrej Hamada wrote:
Hi everyone,
I'm currently working on my thesis. Its objective is $SUBJ and we
already have ticket for that: #194. The task is to create two more
Hi everyone,
I'm currently working on my thesis. Its objective is $SUBJ and we
already have ticket for that: #194
https://fedorahosted.org/freeipa/ticket/194. The task is to create two
more replica types - the HUB and Consumer. In 389-DS both the HUB and
Consumer are read-only. Additionally
On Wed, 2012-02-29 at 16:19 +0100, Ondrej Hamada wrote:
Hi everyone,
I'm currently working on my thesis. Its objective is $SUBJ and we
already have ticket for that: #194. The task is to create two more
replica types - the HUB and Consumer. In 389-DS both the HUB and
Consumer are read-only.