Re: [Freeipa-devel] [PATCHES 180-182] ipatests: Improvements!
On Tue, 06 May 2014, Tomas Babej wrote: On 05/05/2014 06:08 PM, Alexander Bokovoy wrote: On Fri, 02 May 2014, Jakub Hrozek wrote: On Wed, Apr 30, 2014 at 03:59:01PM +0200, Tomas Babej wrote: Hi, * patch 180 fixes incorrect hostname usage when connecting to legacy clients * patch 181 sets up SSSD in debug_level 7 by default * patch 182 does the same, but on the legacy clients -- Tomas Babej Associate Software Engineer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org ACK to the general intent of debug_level by default. Have you considered using the python ConfigAPI sssd has to change the sections rather than running a sed script? I agree. The patchset in current form does work fine for me in the tests. However, I'd rather wait for a new revision which incorporates changes requested by the Jakub. I'm not sure using python ConfigAPI would be a better option here, for one particular reason - the tests themselves are not run on the machine where we want to change the config. Hence we need to enclose everything we want done on the client in the run_command method. Moving from sed to using python ConfigAPI would mean moving from: +host.run_command(['sed', '-i', + '/debug_level = 7/d', + '/etc/sssd/sssd.conf' + ], raiseonerr=False) + +# Add the debug directive to each section +host.run_command(['sed', '-i', + '/\[*\]/ a\debug_level = 7', + '/etc/sssd/sssd.conf' + ], raiseonerr=False) to creating the python script file of ~10-15 lines on the client and then running it on the client itself via: + host.run_command(['python', 'set_sssd_debug_level.py']) Given that, it does not seem that much simpler than using two sed commands to me. Yes, it is clearly an overkill in this case. ACK. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES 180-182] ipatests: Improvements!
On Fri, 09 May 2014, Alexander Bokovoy wrote: On Tue, 06 May 2014, Tomas Babej wrote: On 05/05/2014 06:08 PM, Alexander Bokovoy wrote: On Fri, 02 May 2014, Jakub Hrozek wrote: On Wed, Apr 30, 2014 at 03:59:01PM +0200, Tomas Babej wrote: Hi, * patch 180 fixes incorrect hostname usage when connecting to legacy clients * patch 181 sets up SSSD in debug_level 7 by default * patch 182 does the same, but on the legacy clients -- Tomas Babej Associate Software Engineer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org ACK to the general intent of debug_level by default. Have you considered using the python ConfigAPI sssd has to change the sections rather than running a sed script? I agree. The patchset in current form does work fine for me in the tests. However, I'd rather wait for a new revision which incorporates changes requested by the Jakub. I'm not sure using python ConfigAPI would be a better option here, for one particular reason - the tests themselves are not run on the machine where we want to change the config. Hence we need to enclose everything we want done on the client in the run_command method. Moving from sed to using python ConfigAPI would mean moving from: +host.run_command(['sed', '-i', + '/debug_level = 7/d', + '/etc/sssd/sssd.conf' + ], raiseonerr=False) + +# Add the debug directive to each section +host.run_command(['sed', '-i', + '/\[*\]/ a\debug_level = 7', + '/etc/sssd/sssd.conf' + ], raiseonerr=False) to creating the python script file of ~10-15 lines on the client and then running it on the client itself via: + host.run_command(['python', 'set_sssd_debug_level.py']) Given that, it does not seem that much simpler than using two sed commands to me. Yes, it is clearly an overkill in this case. ACK. Pushed patches 180-182 to master. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH 0001] Fixed typo in ipa-replica-manage man page
From a42383b2662697c3a54add7be6546a31d6a39353 Mon Sep 17 00:00:00 2001 From: Thorsten Scherf tsch...@redhat.com Date: Fri, 9 May 2014 15:21:10 +0200 Subject: [PATCH] Fixed typo in ipa-replica-manage man page --- install/tools/man/ipa-replica-manage.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-replica-manage.1 b/install/tools/man/ipa-replica-manage.1 index a981c72f59e23024110e0d9e8331cd50cbb22130..613b18ca4dc4f71860af82bdb48817b5a01e9d4c 100644 --- a/install/tools/man/ipa-replica-manage.1 +++ b/install/tools/man/ipa-replica-manage.1 @@ -217,7 +217,7 @@ Remove a winsync replication agreement: .SH PASSSYNC PassSync is a Windows service that runs on AD Domain Controllers to intercept password changes. It sends these password changes to the IPA LDAP server over TLS. These password changes bypass normal IPA password policy settings and the password is not set to immediately expire. This is because by the time IPA receives the password change it has already been accepted by AD so it is too late to reject it. .TP -IPA maintains a list of DNs that are excempt from password policy. A special user is added automatically when a winsync replication agreement is created. The DN of this user is added to the excemption list stored in passSyncManagersDNs in the entry cn=ipa_pwd_extop,cn=plugins,cn=config. +IPA maintains a list of DNs that are excempt from password policy. A special user is added automatically when a winsync replication agreement is created. The DN of this user is added to the exemption list stored in passSyncManagersDNs in the entry cn=ipa_pwd_extop,cn=plugins,cn=config. .SH EXIT STATUS 0 if the command was successful -- 1.9.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0001] Fixed typo in ipa-replica-manage man page
NACK There is still another typo: excempt Fix that an it is an ACK from me. :) Nathaniel - Original Message - ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0001] Fixed typo in ipa-replica-manage man page
On [Fri, 09.05.2014 10:25], Nathaniel McCallum wrote: NACK There is still another typo: excempt right, I missed that one. New patch attached. Cheers, Thorsten Fix that an it is an ACK from me. :) Nathaniel - Original Message - ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel From cf9078547397db08f13c5e85d88219beb5b188d8 Mon Sep 17 00:00:00 2001 From: Thorsten Scherf tsch...@redhat.com Date: Fri, 9 May 2014 17:17:04 +0200 Subject: [PATCH] Fixed typo in ipa-replica-manage man page --- install/tools/man/ipa-replica-manage.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-replica-manage.1 b/install/tools/man/ipa-replica-manage.1 index 613b18ca4dc4f71860af82bdb48817b5a01e9d4c..ab890284dacd8c53b620abf1e36b8d77bb077ba2 100644 --- a/install/tools/man/ipa-replica-manage.1 +++ b/install/tools/man/ipa-replica-manage.1 @@ -217,7 +217,7 @@ Remove a winsync replication agreement: .SH PASSSYNC PassSync is a Windows service that runs on AD Domain Controllers to intercept password changes. It sends these password changes to the IPA LDAP server over TLS. These password changes bypass normal IPA password policy settings and the password is not set to immediately expire. This is because by the time IPA receives the password change it has already been accepted by AD so it is too late to reject it. .TP -IPA maintains a list of DNs that are excempt from password policy. A special user is added automatically when a winsync replication agreement is created. The DN of this user is added to the exemption list stored in passSyncManagersDNs in the entry cn=ipa_pwd_extop,cn=plugins,cn=config. +IPA maintains a list of DNs that are except from password policy. A special user is added automatically when a winsync replication agreement is created. The DN of this user is added to the exemption list stored in passSyncManagersDNs in the entry cn=ipa_pwd_extop,cn=plugins,cn=config. .SH EXIT STATUS 0 if the command was successful -- 1.9.0 pgpOG_vw0k71b.pgp Description: PGP signature ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] minimum python version
On 05/06/2014 07:55 AM, Alexander Bokovoy wrote: On Tue, 06 May 2014, Fraser Tweedale wrote: Hi all, What's are the versions of Python that must be supported in the freeipa codebase? And do older branches have to support earlier versions? Any Python language features that should be avoided, by policy? Forward-portability considerations? We attempt to not overcomplicate backport efforts for stable branches. This means we stuck mostly with features provided by the Python 2.6 (2.6.6 in RHEL 6, for example). In master branch and FreeIPA versions post RHEL-6 (i.e. FreeIPA 3.0.0 based) we require at least Python 2.7. For instance, we already use set literals ({1,2,3}) that require Python 2.7. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] FreeIPA on AWS EC2
hi Is there any solution to deploy FreeIpa on ubuntu linux? thanks Eric dai 在 2014年5月10日,4:01,Martin Kosek mko...@redhat.com 写道: On 05/08/2014 06:55 PM, Dmitri Pal wrote: On 05/08/2014 11:59 AM, Hendri Morris wrote: Is there any plan to bring FreeIPA to Amazon AWS EC2? At this point the client doesn't even install on Amazon Linux (Redhat Clone Optimized for AWS). Goes straight to dependency hell. I deployed a multi-server FreeIPA in a enterprise environment and absolutely love the product. Please add AWS to the roadmap! https://owa.telit.com/owa/CookieAuth.dll?ae=Itema=Newt=IPM.Notecc=MTQuMy4xNTguMSxlbi1VUyw0Mjk0OTY3Mjk1LEhUTUwsMCwwpspid=_1399557927266_619631222# https://owa.telit.com/owa/CookieAuth.dll?ae=Itema=Newt=IPM.Notecc=MTQuMy4xNTguMSxlbi1VUyw0Mjk0OTY3Mjk1LEhUTUwsMCwwpspid=_1399557927266_619631222# *www.ilstechnology.com* http://www.ilstechnology.com ** *Hendri Morris* Senior Cloud Engineer deviceWISE Operations This e-mail may contain information that is confidential, privileged or otherwise protected from disclosure. If you are not an intended recipient of this e-mail, do not duplicate or redistribute it by any means. Please delete it and any attachments and notify the sender that you have received it in error. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Have you tried this? http://cloud-mechanic.blogspot.com/2013/10/diversion-kerberos-freeipa-in-aws-ec2.html Great to hear you like FreeIPA! As you get in a dependency hell, I would assume it is not a problem of FreeIPA vs. AWS, but rather some packaging issue in your image of choice (i.e. the Red Hat clone). I personally tried deploying FreeIPA in Red Hat OpenStack instance for a public demo testing instance and did not hit much resistance. You just need to keep your hostname static (did with cloud-init) and make sure the DNS is sane and it should work ok. I plan to write some article about the OpenStack demo soon, stay tuned. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel