On 06/18/2014 06:09 PM, Simo Sorce wrote:
On Wed, 2014-06-18 at 17:49 +0200, thierry bordaz wrote:
On 06/18/2014 04:45 PM, Simo Sorce wrote:
On Wed, 2014-06-18 at 16:20 +0200, thierry bordaz wrote:
On 06/18/2014 03:31 PM, Simo Sorce wrote:
On Wed, 2014-06-18 at 12:47 +0200, Martin Kosek
Hello list,
the thread named's LDAP connection hangs on freeipa-users list [1] opened
question Why do we use Kerberos for named-DS connection? Named connects
over LDAPI to local DS instance anyway.
Maybe we can get rid of Kerberos for this particular connection and use
autobind instead. It
On Thu, Jun 19, 2014 at 09:43:06AM +0200, Petr Spacek wrote:
Hello list,
the thread named's LDAP connection hangs on freeipa-users list [1] opened
question Why do we use Kerberos for named-DS connection? Named connects
over LDAPI to local DS instance anyway.
Maybe we can get rid of
Hi
While porting the client code for current master I noticed that there
are some hardcodings to use /usr/lib{,64} paths for various things. This
is problematic for Debian and it's derivatives, since we use proper
multiarch(tm) which means paths like
On Thu, 19 Jun 2014, Petr Spacek wrote:
Hello list,
the thread named's LDAP connection hangs on freeipa-users list [1]
opened question Why do we use Kerberos for named-DS connection?
Named connects over LDAPI to local DS instance anyway.
Maybe we can get rid of Kerberos for this particular
On 19.6.2014 11:02, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Petr Spacek wrote:
the thread named's LDAP connection hangs on freeipa-users list [1] opened
question Why do we use Kerberos for named-DS connection? Named connects
over LDAPI to local DS instance anyway.
Maybe we can get rid of
On 06/19/2014 09:06 AM, Martin Kosek wrote:
On 06/18/2014 06:09 PM, Simo Sorce wrote:
On Wed, 2014-06-18 at 17:49 +0200, thierry bordaz wrote:
On 06/18/2014 04:45 PM, Simo Sorce wrote:
On Wed, 2014-06-18 at 16:20 +0200, thierry bordaz wrote:
On 06/18/2014 03:31 PM, Simo Sorce wrote:
On Wed,
I'll address the other issues separately.
On 06/18/2014 05:46 PM, Martin Kosek wrote:
3) I hit one issue when I open the Web UI host tab, I get Insufficient access:
No such virtual command error triggered by cert-show command.
We will need to add the permission System: Read Virtual Operations
On Thu, 19 Jun 2014, Petr Spacek wrote:
On 19.6.2014 11:02, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Petr Spacek wrote:
the thread named's LDAP connection hangs on freeipa-users list [1] opened
question Why do we use Kerberos for named-DS connection? Named connects
over LDAPI to local DS
On 19.6.2014 13:13, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Petr Spacek wrote:
On 19.6.2014 11:02, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Petr Spacek wrote:
the thread named's LDAP connection hangs on freeipa-users list [1] opened
question Why do we use Kerberos for named-DS
On Thu, 19 Jun 2014, Petr Spacek wrote:
On 19.6.2014 13:13, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Petr Spacek wrote:
On 19.6.2014 11:02, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Petr Spacek wrote:
the thread named's LDAP connection hangs on freeipa-users list [1] opened
question
See commit message.
This was found in the review of host write permissions (my patches
0578-0579).
--
Petr³
From 3b30eb633431f83817cd3513b44c69d5de40be3c Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Thu, 19 Jun 2014 13:01:06 +0200
Subject: [PATCH] Allow read access
On 06/18/2014 05:46 PM, Martin Kosek wrote:
On 06/11/2014 06:39 PM, Petr Viktorin wrote:
Patch 0578 does the conversion
Patch 0579 fixes https://fedorahosted.org/freeipa/ticket/4252 and provides
permissions needed for automatic enrollment (from
On 06/19/2014 12:52 PM, Petr Viktorin wrote:
I'll address the other issues separately.
On 06/18/2014 05:46 PM, Martin Kosek wrote:
3) I hit one issue when I open the Web UI host tab, I get Insufficient
access:
No such virtual command error triggered by cert-show command.
We will need to
On 06/19/2014 01:39 PM, Petr Viktorin wrote:
See commit message.
This was found in the review of host write permissions (my patches 0578-0579).
Wouldn't it be better to filter based on objectclass? I.e.:
(targetfilter=(!(objectclass=ipaConfigObject))
instead of DN based target filter? It
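The difference between a DN-based `target` and an objectClass-based `targetfilter` in a 389-ds ACI, as an added example that is not part of this thread or of the FreeIPA code base. It is a small simulation written for this page: a toy evaluator for the RFC 4515 filter subset needed here (equality, presence, AND, OR, NOT, no escapes), a simplified `target` wildcard matcher, and three constructed entries; the entry under cn=computers carrying objectClass ipaConfigObject is hypothetical and exists only to show that an objectClass filter follows the entry wherever it lives while a DN pattern does not.

```python
"""Added example (not FreeIPA code): DN-based ACI 'target' versus an
objectClass-based 'targetfilter', evaluated over constructed entries."""
import re

SUFFIX = "dc=example,dc=test"   # constructed suffix
HOST_DN = f"fqdn=web1.example.test,cn=computers,cn=accounts,{SUFFIX}"
CONFIG_DN = f"cn=ipaconfig,cn=etc,{SUFFIX}"
STRAY_CONFIG_DN = f"cn=dnsconfig,cn=computers,cn=accounts,{SUFFIX}"  # hypothetical placement

# Constructed sample entries; attribute names are lower-cased on purpose.
ENTRIES = {
    HOST_DN: {"objectclass": ["ipahost", "ipaobject", "top"],
              "fqdn": ["web1.example.test"]},
    CONFIG_DN: {"objectclass": ["ipaguiconfig", "ipaconfigobject", "top"]},
    STRAY_CONFIG_DN: {"objectclass": ["ipaconfigobject", "top"]},
}


def parse_filter(s):
    """Recursive-descent parse of a filter string into an AST; returns (ast, rest).

    Supported: (attr=value), (attr=*), (&...), (|...), (!...). No escapes.
    """
    s = s.strip()
    if not s.startswith("("):
        raise ValueError("filter must start with '('")
    inner = s[1:]
    if inner[0] in "&|":
        op, rest, children = inner[0], inner[1:], []
        while rest and rest[0] == "(":
            child, rest = parse_filter(rest)
            children.append(child)
        if not rest.startswith(")"):
            raise ValueError("unbalanced filter")
        return (op, children), rest[1:]
    if inner[0] == "!":
        child, rest = parse_filter(inner[1:])
        if not rest.startswith(")"):
            raise ValueError("unbalanced filter")
        return ("!", child), rest[1:]
    end = inner.index(")")                      # raises ValueError if missing
    attr, _, value = inner[:end].partition("=")
    return ("=", attr.lower(), value), inner[end + 1:]


def matches(ast, entry):
    """Evaluate an AST against one entry; string compare is case-insensitive."""
    op = ast[0]
    if op == "&":
        return all(matches(c, entry) for c in ast[1])
    if op == "|":
        return any(matches(c, entry) for c in ast[1])
    if op == "!":
        return not matches(ast[1], entry)
    _, attr, value = ast
    values = entry.get(attr, [])
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def entries_targeted_by_dn(target, entries):
    """Simplified 389-ds 'target' keyword: 'ldap:///' DN where '*' matches
    within one RDN component. Returns the matching DNs, sorted."""
    dn_pattern = target[len("ldap:///"):] if target.startswith("ldap:///") else target
    rx = re.compile(re.escape(dn_pattern).replace(r"\*", "[^,]*"), re.IGNORECASE)
    return sorted(dn for dn in entries if rx.fullmatch(dn))


def entries_targeted_by_filter(filt, entries):
    """'targetfilter' keyword: every entry must satisfy the LDAP filter."""
    ast, rest = parse_filter(filt)
    if rest:
        raise ValueError(f"trailing data in filter: {rest!r}")
    return sorted(dn for dn, e in entries.items() if matches(ast, e))


def aci_selects(target, targetfilter, entries):
    """An entry is in scope only if it satisfies every target keyword present."""
    by_dn = set(entries_targeted_by_dn(target, entries))
    by_filter = set(entries_targeted_by_filter(targetfilter, entries))
    return sorted(by_dn & by_filter)


if __name__ == "__main__":
    hosts = f"ldap:///*,cn=computers,cn=accounts,{SUFFIX}"
    print("DN target only:      ", entries_targeted_by_dn(hosts, ENTRIES))
    print("objectClass filter:  ", entries_targeted_by_filter("(!(objectclass=ipaConfigObject))", ENTRIES))
    print("both keywords:       ", aci_selects(hosts, "(!(objectclass=ipaConfigObject))", ENTRIES))
```

The DN pattern alone scoops up the (hypothetical) config object that happens to sit under cn=computers, and it cannot express "anything except ipaConfigObject entries"; the objectClass filter excludes such entries regardless of their position in the tree, which is the point of preferring it over a DN-shaped exclusion.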
On Wed, 18 Jun 2014, Nathaniel McCallum wrote:
On Wed, 2014-06-04 at 18:47 +0300, Alexander Bokovoy wrote:
On Thu, 01 May 2014, Nathaniel McCallum wrote:
On Tue, 2014-03-11 at 11:09 -0400, Simo Sorce wrote:
On Tue, 2014-03-11 at 16:05 +0200, Alexander Bokovoy wrote:
On Tue, 11 Mar 2014, Jan
On Thu, 2014-06-19 at 09:06 +0200, Martin Kosek wrote:
On 06/18/2014 06:09 PM, Simo Sorce wrote:
On Wed, 2014-06-18 at 17:49 +0200, thierry bordaz wrote:
On 06/18/2014 04:45 PM, Simo Sorce wrote:
On Wed, 2014-06-18 at 16:20 +0200, thierry bordaz wrote:
On 06/18/2014 03:31 PM, Simo Sorce
On Thu, 2014-06-19 at 12:52 +0200, Petr Viktorin wrote:
I'll address the other issues separately.
On 06/18/2014 05:46 PM, Martin Kosek wrote:
3) I hit one issue when I open the Web UI host tab, I get Insufficient
access:
No such virtual command error triggered by cert-show command.
On 06/19/2014 02:33 PM, Simo Sorce wrote:
On Thu, 2014-06-19 at 09:06 +0200, Martin Kosek wrote:
On 06/18/2014 06:09 PM, Simo Sorce wrote:
On Wed, 2014-06-18 at 17:49 +0200, thierry bordaz wrote:
On 06/18/2014 04:45 PM, Simo Sorce wrote:
On Wed, 2014-06-18 at 16:20 +0200, thierry bordaz
On 06/19/2014 02:33 PM, Simo Sorce wrote:
On Thu, 2014-06-19 at 09:06 +0200, Martin Kosek wrote:
On 06/18/2014 06:09 PM, Simo Sorce wrote:
On Wed, 2014-06-18 at 17:49 +0200, thierry bordaz wrote:
On 06/18/2014 04:45 PM, Simo Sorce wrote:
On Wed, 2014-06-18 at 16:20 +0200, thierry bordaz
On 06/19/2014 02:43 PM, Simo Sorce wrote:
On Thu, 2014-06-19 at 12:52 +0200, Petr Viktorin wrote:
I'll address the other issues separately.
On 06/18/2014 05:46 PM, Martin Kosek wrote:
3) I hit one issue when I open the Web UI host tab, I get Insufficient
access:
No such virtual command
On Thu, 2014-06-19 at 14:47 +0200, Martin Kosek wrote:
On 06/19/2014 02:33 PM, Simo Sorce wrote:
On Thu, 2014-06-19 at 09:06 +0200, Martin Kosek wrote:
On 06/18/2014 06:09 PM, Simo Sorce wrote:
On Wed, 2014-06-18 at 17:49 +0200, thierry bordaz wrote:
On 06/18/2014 04:45 PM, Simo Sorce
On 06/19/2014 02:31 PM, Alexander Bokovoy wrote:
On Wed, 18 Jun 2014, Nathaniel McCallum wrote:
On Wed, 2014-06-04 at 18:47 +0300, Alexander Bokovoy wrote:
On Thu, 01 May 2014, Nathaniel McCallum wrote:
On Tue, 2014-03-11 at 11:09 -0400, Simo Sorce wrote:
On Tue, 2014-03-11 at 16:05 +0200,
On Thu, 2014-06-19 at 14:49 +0200, Martin Kosek wrote:
On 06/19/2014 02:43 PM, Simo Sorce wrote:
On Thu, 2014-06-19 at 12:52 +0200, Petr Viktorin wrote:
I'll address the other issues separately.
On 06/18/2014 05:46 PM, Martin Kosek wrote:
3) I hit one issue when I open the Web UI host
On 06/19/2014 02:54 PM, Simo Sorce wrote:
On Thu, 2014-06-19 at 14:49 +0200, Martin Kosek wrote:
On 06/19/2014 02:43 PM, Simo Sorce wrote:
On Thu, 2014-06-19 at 12:52 +0200, Petr Viktorin wrote:
I'll address the other issues separately.
On 06/18/2014 05:46 PM, Martin Kosek wrote:
3) I hit
On 18.6.2014 13:42, Martin Basti wrote:
Rebased patches with pep8 fixes attached
git diff HEAD~4 -U0 | pep8 --diff --ignore=E501,E126,E128,E124
./ipalib/plugins/dns.py:1754:9: E265 block comment should start with '# '
./ipalib/plugins/dns.py:1755:9: E265 block comment should start with '# '
On Thu, 2014-06-19 at 14:13 +0300, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Petr Spacek wrote:
On 19.6.2014 11:02, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Petr Spacek wrote:
the thread named's LDAP connection hangs on freeipa-users list [1] opened
question Why do we use Kerberos
On Thu, 2014-06-19 at 09:43 +0200, Petr Spacek wrote:
Hello list,
the thread named's LDAP connection hangs on freeipa-users list [1] opened
question Why do we use Kerberos for named-DS connection? Named connects
over LDAPI to local DS instance anyway.
Maybe we can get rid of Kerberos
Hello,
Thanks for all you feedbacks and help about which attributes to
preserved and how to limit authentication (simple and krb) to Active
accounts, here are my understandings:
1. Staging (container: cn=staged
users,cn=accounts,cn=provisioning,SUFFIX)
plugins scoping
On 19.6.2014 15:28, Simo Sorce wrote:
On Thu, 2014-06-19 at 09:43 +0200, Petr Spacek wrote:
Hello list,
the thread named's LDAP connection hangs on freeipa-users list [1] opened
question Why do we use Kerberos for named-DS connection? Named connects
over LDAPI to local DS instance anyway.
On Thu, 2014-06-19 at 15:32 +0200, thierry bordaz wrote:
(those values must be active DN entries)
userPassword/krb keys: copied from source entry if
they
exists
Uhmm this may actually fail, as we prevent storing pre-hashed
passwords :/
We'll
On Thu, 19 Jun 2014, Simo Sorce wrote:
On Thu, 2014-06-19 at 14:13 +0300, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Petr Spacek wrote:
On 19.6.2014 11:02, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Petr Spacek wrote:
the thread named's LDAP connection hangs on freeipa-users list [1]
On 19.6.2014 15:36, Simo Sorce wrote:
On Thu, 2014-06-19 at 14:13 +0300, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Petr Spacek wrote:
On 19.6.2014 11:02, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Petr Spacek wrote:
the thread named's LDAP connection hangs on freeipa-users list [1]
On Thu, 19 Jun 2014, Simo Sorce wrote:
On Thu, 2014-06-19 at 09:43 +0200, Petr Spacek wrote:
Hello list,
the thread named's LDAP connection hangs on freeipa-users list [1] opened
question Why do we use Kerberos for named-DS connection? Named connects
over LDAPI to local DS instance anyway.
On 06/19/2014 12:52 PM, Tomas Babej wrote:
On 06/18/2014 10:52 AM, Petr Viktorin wrote:
On 06/17/2014 02:15 PM, Tomas Babej wrote:
On 06/17/2014 12:03 PM, Timo Aaltonen wrote:
On 17.06.2014 11:16, Martin Kosek wrote:
Attached is a new version of patch 226, and a new patch 228, which moves
On 06/19/2014 02:19 PM, Martin Kosek wrote:
On 06/19/2014 01:39 PM, Petr Viktorin wrote:
See commit message.
This was found in the review of host write permissions (my patches 0578-0579).
Wouldn't it be better to filter based on objectclass? I.e.:
On Thu, 2014-06-19 at 16:41 +0300, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Simo Sorce wrote:
On Thu, 2014-06-19 at 14:13 +0300, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Petr Spacek wrote:
On 19.6.2014 11:02, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Petr Spacek wrote:
the
Petr Viktorin wrote:
I'll address the other issues separately.
On 06/18/2014 05:46 PM, Martin Kosek wrote:
3) I hit one issue when I open the Web UI host tab, I get
Insufficient access:
No such virtual command error triggered by cert-show command.
We will need to add the permission
On Thu, 2014-06-19 at 15:41 +0200, Petr Spacek wrote:
On 19.6.2014 15:36, Simo Sorce wrote:
On Thu, 2014-06-19 at 14:13 +0300, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Petr Spacek wrote:
On 19.6.2014 11:02, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Petr Spacek wrote:
the thread
On 19.6.2014 16:02, Simo Sorce wrote:
On Thu, 2014-06-19 at 16:41 +0300, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Simo Sorce wrote:
On Thu, 2014-06-19 at 14:13 +0300, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Petr Spacek wrote:
On 19.6.2014 11:02, Alexander Bokovoy wrote:
On Thu,
Petr Viktorin wrote:
On 06/19/2014 02:19 PM, Martin Kosek wrote:
On 06/19/2014 01:39 PM, Petr Viktorin wrote:
See commit message.
This was found in the review of host write permissions (my patches
0578-0579).
Wouldn't it be better to filter based on objectclass? I.e.:
On Thu, 19 Jun 2014, Simo Sorce wrote:
and named successfully started, with 389-ds showing autobind to the same
krbprincipalname=dns/... in the logs.
why do we need to associate bind to dns/whatever ??
Because we already have ACIs given to dns/hostname to handle DNS
entries.
Which are easy
On Thu, 2014-06-19 at 16:05 +0200, Petr Spacek wrote:
On 19.6.2014 16:02, Simo Sorce wrote:
On Thu, 2014-06-19 at 16:41 +0300, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Simo Sorce wrote:
On Thu, 2014-06-19 at 14:13 +0300, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Petr Spacek
On Thu, 2014-06-19 at 17:10 +0300, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Simo Sorce wrote:
and named successfully started, with 389-ds showing autobind to the same
krbprincipalname=dns/... in the logs.
why do we need to associate bind to dns/whatever ??
Because we already have
On 06/19/2014 04:03 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
On 06/19/2014 02:19 PM, Martin Kosek wrote:
On 06/19/2014 01:39 PM, Petr Viktorin wrote:
See commit message.
This was found in the review of host write permissions (my patches
0578-0579).
Wouldn't it be better to filter
On Thu, 19 Jun 2014, Simo Sorce wrote:
On Thu, 2014-06-19 at 17:10 +0300, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Simo Sorce wrote:
and named successfully started, with 389-ds showing autobind to the same
krbprincipalname=dns/... in the logs.
why do we need to associate bind to
On Thu, 2014-06-19 at 17:24 +0300, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Simo Sorce wrote:
On Thu, 2014-06-19 at 17:10 +0300, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Simo Sorce wrote:
and named successfully started, with 389-ds showing autobind to the
same
On Thu, 19 Jun 2014, Simo Sorce wrote:
On Thu, 2014-06-19 at 17:24 +0300, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Simo Sorce wrote:
On Thu, 2014-06-19 at 17:10 +0300, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Simo Sorce wrote:
and named successfully started, with 389-ds showing
On Thu, 2014-06-19 at 17:33 +0300, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Simo Sorce wrote:
On Thu, 2014-06-19 at 17:24 +0300, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Simo Sorce wrote:
On Thu, 2014-06-19 at 17:10 +0300, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Simo Sorce
On Thu, 19 Jun 2014, Simo Sorce wrote:
I may need to revive my sysaccounts module...
There is one more issue though, and this one really concerns me.
If you need to put there multiple accounts because different servers
have different local accounts, then you open up access to unrelated
On 06/19/2014 03:59 PM, Petr Viktorin wrote:
On 06/19/2014 02:19 PM, Martin Kosek wrote:
On 06/19/2014 01:39 PM, Petr Viktorin wrote:
See commit message.
This was found in the review of host write permissions (my patches
0578-0579).
Wouldn't it be better to filter based on objectclass?
On Thu, 2014-06-19 at 17:47 +0300, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Simo Sorce wrote:
I may need to revive my sysaccounts module...
There is one more issue though, and this one really concerns me.
If you need to put there multiple accounts because different servers
have
On Thu, 19 Jun 2014, Simo Sorce wrote:
On Thu, 2014-06-19 at 17:47 +0300, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Simo Sorce wrote:
I may need to revive my sysaccounts module...
There is one more issue though, and this one really concerns me.
If you need to put there multiple accounts
On 06/19/2014 04:58 PM, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Simo Sorce wrote:
On Thu, 2014-06-19 at 17:47 +0300, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Simo Sorce wrote:
I may need to revive my sysaccounts module...
There is one more issue though, and this one really
On 19.6.2014 17:06, Martin Kosek wrote:
On 06/19/2014 04:58 PM, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Simo Sorce wrote:
On Thu, 2014-06-19 at 17:47 +0300, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Simo Sorce wrote:
I may need to revive my sysaccounts module...
There is one more
On 06/19/2014 04:50 PM, Martin Kosek wrote:
On 06/19/2014 03:59 PM, Petr Viktorin wrote:
On 06/19/2014 02:19 PM, Martin Kosek wrote:
On 06/19/2014 01:39 PM, Petr Viktorin wrote:
See commit message.
This was found in the review of host write permissions (my patches 0578-0579).
Wouldn't it
On 06/19/2014 05:11 PM, Petr Viktorin wrote:
On 06/19/2014 04:50 PM, Martin Kosek wrote:
On 06/19/2014 03:59 PM, Petr Viktorin wrote:
On 06/19/2014 02:19 PM, Martin Kosek wrote:
On 06/19/2014 01:39 PM, Petr Viktorin wrote:
See commit message.
This was found in the review of host write
On Thu, 19 Jun 2014, Martin Kosek wrote:
On 06/19/2014 04:58 PM, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Simo Sorce wrote:
On Thu, 2014-06-19 at 17:47 +0300, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Simo Sorce wrote:
I may need to revive my sysaccounts module...
There is one more
On 06/19/2014 09:16 AM, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Martin Kosek wrote:
On 06/19/2014 04:58 PM, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Simo Sorce wrote:
On Thu, 2014-06-19 at 17:47 +0300, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Simo Sorce wrote:
I may need to
On 06/19/2014 03:41 PM, Simo Sorce wrote:
On Thu, 2014-06-19 at 15:32 +0200, thierry bordaz wrote:
(those values must be active DN entries)
userPassword/krb keys: copied from source entry if
they
exists
Uhmm this may actually fail, as we
On Thu, 19 Jun 2014, Rich Megginson wrote:
On 06/19/2014 09:16 AM, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Martin Kosek wrote:
On 06/19/2014 04:58 PM, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Simo Sorce wrote:
On Thu, 2014-06-19 at 17:47 +0300, Alexander Bokovoy wrote:
On Thu, 19
This also fixes an error where the default value was not respecting
the KEY_LENGTH variable.
(NOTE: the os.urandom() change should not change the security properties
of the existing code. However, the failure of the previous code to
respect KEY_LENGTH causes us to violate the RFC.)
From
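What "respecting the key length" means for an OTP secret, as an added example that is neither the patch above nor FreeIPA's otptoken code: a generator that takes the length as an explicit, validated parameter and draws it from os.urandom(), plus the RFC 4226 HOTP derivation so the key is exercised end to end. KEY_LENGTH = 20 bytes is an assumption for this example (RFC 4226 requires at least 128 bits of shared secret and recommends 160); the project's own constant and default are not shown on this page.

```python
"""Added example (not FreeIPA code): OTP secret generation that honours a
configured length, and RFC 4226 HOTP over the resulting key."""
import base64
import hashlib
import hmac
import os
import struct

KEY_LENGTH = 20       # bytes; 160 bits, RFC 4226's recommended length (assumed here)
MIN_KEY_LENGTH = 16   # bytes; 128 bits, the RFC 4226 minimum (requirement R6)


def generate_key(length=KEY_LENGTH):
    """Return `length` bytes from the OS CSPRNG.

    The length is always taken from the argument (which defaults to the
    configured constant), so a default cannot silently ignore it, and lengths
    below the RFC minimum are refused rather than produced.
    """
    if length < MIN_KEY_LENGTH:
        raise ValueError(f"OTP key must be at least {MIN_KEY_LENGTH} bytes (RFC 4226)")
    key = os.urandom(length)
    assert len(key) == length
    return key


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce modulo 10**digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(key, counter, code, window=3):
    """Server-side check with a look-ahead window for lost counter increments.

    Returns the next expected counter on success, None on failure. The
    constant-time compare avoids leaking which digits matched.
    """
    for c in range(counter, counter + window):
        if hmac.compare_digest(hotp(key, c), code):
            return c + 1
    return None


def key_to_base32(key):
    """Base32 is the encoding software tokens expect (otpauth:// URIs)."""
    return base64.b32encode(key).decode("ascii")


if __name__ == "__main__":
    key = generate_key()
    print("secret (base32):", key_to_base32(key))
    for counter in range(3):
        print(counter, hotp(key, counter))
```

The RFC 4226 Appendix D vectors (secret "12345678901234567890", counters 0..9) are the natural regression check for `hotp`; a key generator that does not honour its length parameter would not be caught by them, which is why `generate_key` asserts on the length it actually produced.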
On Thu, 2014-06-19 at 17:32 +0200, thierry bordaz wrote:
On 06/19/2014 03:41 PM, Simo Sorce wrote:
On Thu, 2014-06-19 at 15:32 +0200, thierry bordaz wrote:
(those values must be active DN entries)
userPassword/krb keys: copied from source entry if
they
On Thu, 2014-06-19 at 12:36 -0400, Nathaniel McCallum wrote:
This also fixes an error where the default value was not respecting
the KEY_LENGTH variable.
(NOTE: the os.urandom() change should not change the security properties
of the existing code. However, the failure of the previous code
On Thu, 2014-06-19 at 17:06 +0200, Martin Kosek wrote:
On 06/19/2014 04:58 PM, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Simo Sorce wrote:
On Thu, 2014-06-19 at 17:47 +0300, Alexander Bokovoy wrote:
On Thu, 19 Jun 2014, Simo Sorce wrote:
I may need to revive my sysaccounts module...
On Thu, 2014-06-19 at 09:23 -0600, Rich Megginson wrote:
and if we limit who can use it I don't think
anyone will be crying too much.
If we change it to be incompatible, we may break existing _389_
customers, even if they are potentially using something that violates
RFC4513.
I am not
This command behaves almost exactly like otptoken-add except:
1. The new token data is written directly to a YubiKey
2. The vendor/model/serial fields are populated from the YubiKey
=== NOTE ===
1. This patch depends on the new Fedora package: python-yubico. If you
would like to help with the