On Sun, 2012-02-26 at 11:22 -0500, John Dennis wrote:
...
There is one other minor issue not included in any previous patches nor
this one, the VERSION file should be updated to force the apache
configuration to be updated.
Thanks for the patches John, a lot of work have been done. I would
On Fri, 2012-02-24 at 16:45 -0500, Rob Crittenden wrote:
Add Requires oddjob-mkhomedir on the client subpackage. This will avoid
SELinux issues if mkhomedir is configured.
rob
ACK. I just needed to fix the log in the spec file, I am sure I am not
an author of the change in 967 :-)
Pushed
Patch 16 defers validation conversion until after {add,del,set}attr is
processed, so that we don't search for an integer in a list of strings
(this caused ticket #2405), and so that the end result of these
operations is validated (#2407).
Patch 17 makes these options honor params marked
On Fri, 2012-02-24 at 15:01 -0500, Rob Crittenden wrote:
Limit the characters in a netgroup name to alpha, digits, -, _ and .
rob
NACK.
1) The regular expressions is not correct, you forget the ending $.
Thus it matches any string with the right beginning. Like this one:
# ipa netgroup-add
On Fri, 2012-01-27 at 13:21 -0500, Rob Crittenden wrote:
The ipa-replica-manage tool was trying to contact the AD server to do
replica management including re-initialize, force-sync and del. The AD
server is unaware of IPA, the winsync plugin handles this for us.
This patch avoids contact
On Fri, 2012-02-24 at 13:09 -0500, Rob Crittenden wrote:
Martin Kosek wrote:
On Wed, 2012-02-08 at 14:52 -0500, Rob Crittenden wrote:
We currnently only support a single winsync agreement against any given
host so all we need to do is check to see if we have one with the remote
host.
On Sat, 2012-02-25 at 17:43 -0500, Rob Crittenden wrote:
This patch does two things:
1. Prompts when deleting a master to make clear that this is irreversible
2. Does not allow a deleted master to be reconnected.
Reconnecting to a deleted master causes all heck to break loose because
we
Ondrej Hamada wrote:
When adding or modifying permission with both type and attributes
specified, check whether the attributes are allowed for specified type.
In case of disallowed attributes the InvalidSyntax error is raised.
New tests were also added to the unit-tests.
We are pretty trusting that the data coming out of LDAP matches its
schema but it is possible to stuff non-printable characters into most
attributes.
I've added a sanity checker to keep a value as a python str type
(treated as binary internally). This will result in a base64 encoded
blob be
On 02/27/2012 03:44 PM, Rob Crittenden wrote:
We are pretty trusting that the data coming out of LDAP matches its
schema but it is possible to stuff non-printable characters into most
attributes.
I've added a sanity checker to keep a value as a python str type
(treated as binary internally).
Petr Viktorin wrote:
On 02/27/2012 03:44 PM, Rob Crittenden wrote:
We are pretty trusting that the data coming out of LDAP matches its
schema but it is possible to stuff non-printable characters into most
attributes.
I've added a sanity checker to keep a value as a python str type
(treated as
Martin Kosek wrote:
On Fri, 2012-02-24 at 15:01 -0500, Rob Crittenden wrote:
Limit the characters in a netgroup name to alpha, digits, -, _ and .
rob
NACK.
1) The regular expressions is not correct, you forget the ending $.
Thus it matches any string with the right beginning. Like this one:
Simo Sorce wrote:
On Sat, 2012-02-25 at 19:10 -0500, Rob Crittenden wrote:
We need to start 389-ds when configuring memcached during an ugprade
because that process adds the new service to cn=masters.
ACK
Simo.
pushed to master and ipa-2-2
rob
Martin Kosek wrote:
On Mon, 2012-02-20 at 14:34 +0100, Martin Kosek wrote:
On Fri, 2012-02-10 at 16:42 +0100, Martin Kosek wrote:
On Tue, 2012-02-07 at 16:26 +0100, Martin Kosek wrote:
On Mon, 2012-02-06 at 15:56 -0500, Rob Crittenden wrote:
Martin Kosek wrote:
On Mon, 2012-01-30 at 11:52
On Wed, 2012-02-01 at 17:55 +0100, Martin Kosek wrote:
UDP port checks in ipa-replica-conncheck always returns OK even
if they are closed by firewall. They cannot be reliably checked
in the same way as TCP ports as there is no session management as
in TCP protocol. We cannot guarantee a
On Mon, 2012-02-27 at 09:44 -0500, Rob Crittenden wrote:
We are pretty trusting that the data coming out of LDAP matches its
schema but it is possible to stuff non-printable characters into most
attributes.
I've added a sanity checker to keep a value as a python str type
(treated as
On Mon, 2012-02-27 at 10:07 -0500, Rob Crittenden wrote:
Martin Kosek wrote:
On Fri, 2012-02-24 at 15:01 -0500, Rob Crittenden wrote:
Limit the characters in a netgroup name to alpha, digits, -, _ and .
rob
NACK.
1) The regular expressions is not correct, you forget the ending $.
On Mon, 2012-02-27 at 10:36 -0500, Rob Crittenden wrote:
Martin Kosek wrote:
On Mon, 2012-02-20 at 14:34 +0100, Martin Kosek wrote:
On Fri, 2012-02-10 at 16:42 +0100, Martin Kosek wrote:
On Tue, 2012-02-07 at 16:26 +0100, Martin Kosek wrote:
On Mon, 2012-02-06 at 15:56 -0500, Rob
Simo Sorce wrote:
On Mon, 2012-02-27 at 09:44 -0500, Rob Crittenden wrote:
We are pretty trusting that the data coming out of LDAP matches its
schema but it is possible to stuff non-printable characters into most
attributes.
I've added a sanity checker to keep a value as a python str type
Rob Crittenden wrote:
Simo Sorce wrote:
On Mon, 2012-02-27 at 09:44 -0500, Rob Crittenden wrote:
We are pretty trusting that the data coming out of LDAP matches its
schema but it is possible to stuff non-printable characters into most
attributes.
I've added a sanity checker to keep a value as
Martin Kosek wrote:
An easy way to check if master-replica UDP port check actually works is
to simply configure few iptables rules to drop packets for tested UDP or
TCP ports:
A INPUT -m udp -p udp --dport 88 -j DROP
-A INPUT -m tcp -p tcp --dport 88 -j DROP
UDP port checks in
On Wed, 2012-02-22 at 23:04 -0500, Rob Crittenden wrote:
Check to see if SELinux is enabled and restorecon exists before trying
to run it. This will prevent client install failures if SELinux isn't
enabled.
rob
Works fine. Better safe than sorry.
ACK. Pushed to master, ipa-2-2.
Martin
Martin Kosek wrote:
Changing a client hostname after ipa-client-install would break
the enrollment on IPA server. Update relevant man pages to contain
such information.
https://fedorahosted.org/freeipa/ticket/1967
ACK
___
Freeipa-devel mailing list
JR Aquino wrote:
ipa-server-install has a method for validating forward and reverse via
ipaserver/install/installutils.py
ipa-client-install does not currently have an equivalent
This patch adds valid_dns to ipapython/ipautil.py to validate foward and
reverse DNS
This patch adds the valid_dns
Attached is a revised patch, it addresses the following concerns raised
during review:
* The version in ipa.conf has been bumped.
* Rob reported duplicate session cookies being returned. As far as I can
tell this was due to a Python bug where it reused the value of a default
keyword
On 02/27/2012 05:10 PM, Rob Crittenden wrote:
Rob Crittenden wrote:
Simo Sorce wrote:
On Mon, 2012-02-27 at 09:44 -0500, Rob Crittenden wrote:
We are pretty trusting that the data coming out of LDAP matches its
schema but it is possible to stuff non-printable characters into most
attributes.
Martin Kosek wrote:
SSH public key support includes a feature to automatically add/update
client SSH fingerprints in SSHFP records. However, the update won't
work for zones created before this support was added as they don't
allow clients to update SSHFP records in their update policies.
This
On Mon, 2012-02-27 at 11:40 -0500, Rob Crittenden wrote:
Martin Kosek wrote:
Changing a client hostname after ipa-client-install would break
the enrollment on IPA server. Update relevant man pages to contain
such information.
https://fedorahosted.org/freeipa/ticket/1967
ACK
Pushed
On Mon, 2012-02-27 at 11:47 -0500, Rob Crittenden wrote:
Martin Kosek wrote:
SSH public key support includes a feature to automatically add/update
client SSH fingerprints in SSHFP records. However, the update won't
work for zones created before this support was added as they don't
allow
On Feb 27, 2012, at 8:43 AM, Rob Crittenden wrote:
JR Aquino wrote:
ipa-server-install has a method for validating forward and reverse via
ipaserver/install/installutils.py
ipa-client-install does not currently have an equivalent
This patch adds valid_dns to ipapython/ipautil.py to validate
On Tue, 2012-02-21 at 17:41 -0500, Rob Crittenden wrote:
Simo Sorce wrote:
On Tue, 2012-02-21 at 15:57 -0500, Rob Crittenden wrote:
+other_ldap = ldap2(shared_instance=False,
+ ldap_uri='ldap://%s' % host,
+
On 02/27/2012 03:22 PM, Rob Crittenden wrote:
Ondrej Hamada wrote:
When adding or modifying permission with both type and attributes
specified, check whether the attributes are allowed for specified type.
In case of disallowed attributes the InvalidSyntax error is raised.
New tests were also
John Dennis wrote:
Attached is a revised patch, it addresses the following concerns raised
during review:
* The version in ipa.conf has been bumped.
* Rob reported duplicate session cookies being returned. As far as I can
tell this was due to a Python bug where it reused the value of a default
Martin Kosek wrote:
On Tue, 2012-02-21 at 17:27 +0100, Martin Kosek wrote:
This set of 3 DNS patches fixes 2 minor issues found during DNS test day
(217, 218) and there is slightly longer patch (219) which improves and
consolidates hostname/domain name validation.
The testing should be pretty
On 02/27/2012 01:50 PM, Rob Crittenden wrote:
John Dennis wrote:
Attached is a revised patch, it addresses the following concerns raised
during review:
* The version in ipa.conf has been bumped.
* Rob reported duplicate session cookies being returned. As far as I can
tell this was due to a
Ondrej Hamada wrote:
On 02/21/2012 02:32 PM, Ondrej Hamada wrote:
On 02/20/2012 06:53 PM, Rob Crittenden wrote:
Ondrej Hamada wrote:
https://fedorahosted.org/freeipa/ticket/2274
Added check into migration plugin to warn user when compat is enabled.
If compat is enabled, the migration fails
On Sun, 2012-02-26 at 21:41 +0200, Alexander Bokovoy wrote:
Hi Krzysztof,
first thank you for bringing up the topic of wider use of FreeIPA on
different platforms.
Thanks a lot indeed.
The plan looks good, the only thing I'd like to stress is that we need
to shot at maintainability and
JR Aquino wrote:
On Feb 27, 2012, at 8:43 AM, Rob Crittenden wrote:
JR Aquino wrote:
ipa-server-install has a method for validating forward and reverse via
ipaserver/install/installutils.py
ipa-client-install does not currently have an equivalent
This patch adds valid_dns to
Petr Viktorin wrote:
`ipautil.run` expects a tuple for its `nolog` argument, but works with
any other iterable (sometimes we use lists as well). Since strings are
also iterable, and yield their characters, this caused every individual
character in the password to be replaced, leading to log
Petr Viktorin wrote:
On 02/20/2012 08:51 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
https://fedorahosted.org/freeipa/ticket/2159 says various config options
are not marked Required, so entering an empty value for it will pass
validation (and IPA will blow up later when it expects a
Petr Viktorin wrote:
Patch 16 defers validation conversion until after {add,del,set}attr is
processed, so that we don't search for an integer in a list of strings
(this caused ticket #2405), and so that the end result of these
operations is validated (#2407).
Patch 17 makes these options
Petr Viktorin wrote:
This depends on my patch 0015.
Since CSV escaping was entirely broken before that patch (however we
decide to fix the problem), let's also fix the escaping syntax itself,
without worrying about backwards compatibility.
I tried to solve this according to Rob's comment on
Martin Kosek wrote:
On Mon, 2012-02-27 at 10:07 -0500, Rob Crittenden wrote:
Martin Kosek wrote:
On Fri, 2012-02-24 at 15:01 -0500, Rob Crittenden wrote:
Limit the characters in a netgroup name to alpha, digits, -, _ and .
rob
NACK.
1) The regular expressions is not correct, you forget
John Dennis wrote:
On 02/27/2012 01:50 PM, Rob Crittenden wrote:
John Dennis wrote:
Attached is a revised patch, it addresses the following concerns raised
during review:
* The version in ipa.conf has been bumped.
* Rob reported duplicate session cookies being returned. As far as I can
tell
On Feb 27, 2012, at 1:29 PM, Rob Crittenden wrote:
JR Aquino wrote:
On Feb 27, 2012, at 8:43 AM, Rob Crittenden wrote:
JR Aquino wrote:
ipa-server-install has a method for validating forward and reverse via
ipaserver/install/installutils.py
ipa-client-install does not currently have an
On 02/27/2012 05:53 PM, Rob Crittenden wrote:
John Dennis wrote:
On 02/27/2012 01:50 PM, Rob Crittenden wrote:
John Dennis wrote:
Attached is a revised patch, it addresses the following concerns raised
during review:
* The version in ipa.conf has been bumped.
* Rob reported duplicate
Petr Viktorin wrote:
On 02/27/2012 05:10 PM, Rob Crittenden wrote:
Rob Crittenden wrote:
Simo Sorce wrote:
On Mon, 2012-02-27 at 09:44 -0500, Rob Crittenden wrote:
We are pretty trusting that the data coming out of LDAP matches its
schema but it is possible to stuff non-printable characters
John Dennis wrote:
Previously sessions expired after session_auth_duration had elapsed
commencing from the start of the session. We new support a rolling
expiration where the expiration is advanced by session_auth_duration
everytime the session is accessed, this is equivalent to a inactivity
John Dennis wrote:
rebased patch against current ipa-2-2 branch
ACK, pushed to master and ipa-2-2
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
John Dennis wrote:
On 02/27/2012 05:53 PM, Rob Crittenden wrote:
John Dennis wrote:
On 02/27/2012 01:50 PM, Rob Crittenden wrote:
John Dennis wrote:
Attached is a revised patch, it addresses the following concerns
raised
during review:
* The version in ipa.conf has been bumped.
* Rob
50 matches
Mail list logo