[Freeipa-devel] [freeipa PR#21] custodia: include known CA certs in the PKCS#12 file for Dogtag (comment)

2016-08-26 Thread mbasti-rh
mbasti-rh commented on a pull request """ I cannot connect to LDAPS even if only CA-less servers are installed """ See the full comment at https://github.com/freeipa/freeipa/pull/21#issuecomment-242746093 -- Manage your subscription for the Freeipa-devel mailing list:

[Freeipa-devel] [freeipa PR#21] custodia: include known CA certs in the PKCS#12 file for Dogtag (comment)

2016-08-26 Thread pvoborni
pvoborni commented on a pull request """ Promotion of replica is missing ds.enable_ssl step (or how is it called). Tomas is working on it in ticket https://fedorahosted.org/freeipa/ticket/6226 """ See the full comment at https://github.com/freeipa/freeipa/pull/21#issuecomment-242750401

[Freeipa-devel] [freeipa PR#28] Added a sleep interval after domainlevel raise in tests (comment)

2016-08-26 Thread mbasti-rh
mbasti-rh commented on a pull request """ Maybe comment next to sleep why the sleep is there, may not hurt """ See the full comment at https://github.com/freeipa/freeipa/pull/28#issuecomment-242727734

[Freeipa-devel] [freeipa PR#23] Time-Based HBAC Policies (synchronize)

2016-08-26 Thread stlaz
stlaz's pull request #23: "Time-Based HBAC Policies" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/23 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/23/head:pr23 git checkout pr23

[Freeipa-devel] [freeipa PR#21] custodia: include known CA certs in the PKCS#12 file for Dogtag (comment)

2016-08-26 Thread mbasti-rh
mbasti-rh commented on a pull request """ Yes, I can reproduce it without this PR. ACK for this """ See the full comment at https://github.com/freeipa/freeipa/pull/21#issuecomment-242751300

[Freeipa-devel] [freeipa PR#21] custodia: include known CA certs in the PKCS#12 file for Dogtag (closed)

2016-08-26 Thread mbasti-rh
jcholast's pull request #21: "custodia: include known CA certs in the PKCS#12 file for Dogtag" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/21 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa

[Freeipa-devel] [freeipa PR#28] Added a sleep interval after domainlevel raise in tests (comment)

2016-08-26 Thread ofayans
ofayans commented on a pull request """ Done. """ See the full comment at https://github.com/freeipa/freeipa/pull/28#issuecomment-242733667 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA:

[Freeipa-devel] [freeipa PR#28] Added a sleep interval after domainlevel raise in tests (synchronize)

2016-08-26 Thread ofayans
ofayans's pull request #28: "Added a sleep interval after domainlevel raise in tests" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/28 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-26 Thread Simo Sorce
On Fri, 2016-08-26 at 11:55 +0200, Martin Basti wrote: > > On 26.08.2016 11:43, Jan Cholasta wrote: > > Hi, > > > > On 11.8.2016 12:34, Stanislav Laznicka wrote: > >> Hello, > >> > >> I updated the design of the Time-Based HBAC Policies according to the > >> discussion we led here earlier. Please

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-26 Thread Jan Cholasta
On 26.8.2016 11:55, Martin Basti wrote: On 26.08.2016 11:43, Jan Cholasta wrote: Hi, On 11.8.2016 12:34, Stanislav Laznicka wrote: Hello, I updated the design of the Time-Based HBAC Policies according to the discussion we led here earlier. Please check the design page

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-26 Thread Petr Vobornik
On 08/26/2016 12:39 PM, Martin Basti wrote: > > > On 26.08.2016 12:37, Petr Vobornik wrote: >> On 08/26/2016 12:23 PM, Martin Basti wrote: >>> >>> On 26.08.2016 12:20, Alexander Bokovoy wrote: On Fri, 26 Aug 2016, Jan Cholasta wrote: > On 26.8.2016 11:55, Martin Basti wrote: >>

[Freeipa-devel] [freeipa PR#26] Don't ignore --ignore-last-of-role for last CA (opened)

2016-08-26 Thread stlaz
stlaz's pull request #26: "Don't ignore --ignore-last-of-role for last CA" was opened PR body: """ Use a handler created for the purpose of deciding whether to raise exception or not. https://fedorahosted.org/freeipa/ticket/6259 """ See the full pull-request at

[Freeipa-devel] [freeipa PR#23] Time-Based HBAC Policies (synchronize)

2016-08-26 Thread stlaz
stlaz's pull request #23: "Time-Based HBAC Policies" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/23 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/23/head:pr23 git checkout pr23

[Freeipa-devel] [freeipa PR#21] custodia: include known CA certs in the PKCS#12 file for Dogtag (+ack)

2016-08-26 Thread mbasti-rh
jcholast's pull request #21: "custodia: include known CA certs in the PKCS#12 file for Dogtag" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/21

[Freeipa-devel] [freeipa PR#28] Added a sleep interval after domainlevel raise in tests (opened)

2016-08-26 Thread ofayans
ofayans's pull request #28: "Added a sleep interval after domainlevel raise in tests" was opened PR body: """ Due to race conditions the test sometimes catches 2 one-way segments instead of one bidirectional. We need to give the master time to merge the one-way segments before we test the

[Freeipa-devel] [freeipa PR#28] Added a sleep interval after domainlevel raise in tests (closed)

2016-08-26 Thread mbasti-rh
ofayans's pull request #28: "Added a sleep interval after domainlevel raise in tests" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/28 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa

[Freeipa-devel] [freeipa PR#28] Added a sleep interval after domainlevel raise in tests (+pushed)

2016-08-26 Thread mbasti-rh
ofayans's pull request #28: "Added a sleep interval after domainlevel raise in tests" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/28

[Freeipa-devel] [freeipa PR#28] Added a sleep interval after domainlevel raise in tests (comment)

2016-08-26 Thread mbasti-rh
mbasti-rh commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/9dffe55e6582bca7b1a4b8ad3042c63c5ccde51a """ See the full comment at https://github.com/freeipa/freeipa/pull/28#issuecomment-242747200

[Freeipa-devel] [freeipa PR#21] custodia: include known CA certs in the PKCS#12 file for Dogtag (comment)

2016-08-26 Thread mbasti-rh
mbasti-rh commented on a pull request """ On replica: ``` [root@vm-058-017 ~]# ipa-ca-install Directory Manager (existing master) password: Run connection check to master Connection check OK Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds [1/25]: creating

[Freeipa-devel] [freeipa PR#28] Added a sleep interval after domainlevel raise in tests (+ack)

2016-08-26 Thread mbasti-rh
ofayans's pull request #28: "Added a sleep interval after domainlevel raise in tests" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/28

[Freeipa-devel] [freeipa PR#20] cert: include CA name in cert command output (synchronize)

2016-08-26 Thread jcholast
jcholast's pull request #20: "cert: include CA name in cert command output" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/20 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/20/head:pr20

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-26 Thread Martin Basti
On 26.08.2016 12:20, Alexander Bokovoy wrote: On Fri, 26 Aug 2016, Jan Cholasta wrote: On 26.8.2016 11:55, Martin Basti wrote: On 26.08.2016 11:43, Jan Cholasta wrote: Hi, On 11.8.2016 12:34, Stanislav Laznicka wrote: Hello, I updated the design of the Time-Based HBAC Policies

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-26 Thread Martin Basti
On 26.08.2016 11:43, Jan Cholasta wrote: Hi, On 11.8.2016 12:34, Stanislav Laznicka wrote: Hello, I updated the design of the Time-Based HBAC Policies according to the discussion we led here earlier. Please check the design page http://www.freeipa.org/page/V4/Time-Based_Account_Policies.

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-26 Thread Alexander Bokovoy
On Fri, 26 Aug 2016, Jan Cholasta wrote: On 26.8.2016 11:55, Martin Basti wrote: On 26.08.2016 11:43, Jan Cholasta wrote: Hi, On 11.8.2016 12:34, Stanislav Laznicka wrote: Hello, I updated the design of the Time-Based HBAC Policies according to the discussion we led here earlier. Please

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-26 Thread Martin Basti
On 26.08.2016 12:13, Jan Cholasta wrote: On 26.8.2016 11:55, Martin Basti wrote: On 26.08.2016 11:43, Jan Cholasta wrote: Hi, On 11.8.2016 12:34, Stanislav Laznicka wrote: Hello, I updated the design of the Time-Based HBAC Policies according to the discussion we led here earlier. Please

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-26 Thread Martin Basti
On 26.08.2016 12:37, Petr Vobornik wrote: On 08/26/2016 12:23 PM, Martin Basti wrote: On 26.08.2016 12:20, Alexander Bokovoy wrote: On Fri, 26 Aug 2016, Jan Cholasta wrote: On 26.8.2016 11:55, Martin Basti wrote: On 26.08.2016 11:43, Jan Cholasta wrote: Hi, On 11.8.2016 12:34,

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-26 Thread Petr Vobornik
On 08/26/2016 12:47 PM, Standa Laznicka wrote: > On 08/26/2016 12:39 PM, Martin Basti wrote: >> >> >> On 26.08.2016 12:37, Petr Vobornik wrote: >>> On 08/26/2016 12:23 PM, Martin Basti wrote: On 26.08.2016 12:20, Alexander Bokovoy wrote: > On Fri, 26 Aug 2016, Jan Cholasta wrote:

[Freeipa-devel] [freeipa PR#20] cert: include CA name in cert command output (synchronize)

2016-08-26 Thread jcholast
jcholast's pull request #20: "cert: include CA name in cert command output" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/20 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/20/head:pr20

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-26 Thread Standa Laznicka
On 08/26/2016 12:27 PM, Jan Cholasta wrote: On 26.8.2016 12:21, Martin Basti wrote: On 26.08.2016 12:13, Jan Cholasta wrote: On 26.8.2016 11:55, Martin Basti wrote: On 26.08.2016 11:43, Jan Cholasta wrote: Hi, On 11.8.2016 12:34, Stanislav Laznicka wrote: Hello, I updated the design of

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-26 Thread Jan Cholasta
On 26.8.2016 12:21, Martin Basti wrote: On 26.08.2016 12:13, Jan Cholasta wrote: On 26.8.2016 11:55, Martin Basti wrote: On 26.08.2016 11:43, Jan Cholasta wrote: Hi, On 11.8.2016 12:34, Stanislav Laznicka wrote: Hello, I updated the design of the Time-Based HBAC Policies according to

[Freeipa-devel] [freeipa PR#27] Tests: Fix integration sudo tests setup and checks (opened)

2016-08-26 Thread mirielka
mirielka's pull request #27: "Tests: Fix integration sudo tests setup and checks" was opened PR body: """ Adding 'defaults' sudorule to prevent requesting further user authentication. Adding checks that if a user should be rejected access, a proper error message is displayed.

Re: [Freeipa-devel] [PATCH] 0097 Add options to write lightweight CA cert or chain to file

2016-08-26 Thread Jan Cholasta
On 19.8.2016 13:11, Fraser Tweedale wrote: Bump for review. On Wed, Aug 17, 2016 at 12:09:39AM +1000, Fraser Tweedale wrote: On Tue, Aug 16, 2016 at 08:10:08AM +0200, Jan Cholasta wrote: On 16.8.2016 07:24, Fraser Tweedale wrote: On Mon, Aug 15, 2016 at 08:19:33AM +0200, Jan Cholasta wrote:

Re: [Freeipa-devel] [PATCH] 0095 cert-request: allow directoryName in SAN extension

2016-08-26 Thread Jan Cholasta
Hi, On 22.7.2016 07:18, Fraser Tweedale wrote: While I was poking around SAN-processing code, I decided to implement a small enhancement: allowing the subject principal's DN to appear in SAN. https://fedorahosted.org/freeipa/ticket/6112 Patch depends on my other patches 0090, 0092, 0093,

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-26 Thread Jan Cholasta
Hi, On 11.8.2016 12:34, Stanislav Laznicka wrote: Hello, I updated the design of the Time-Based HBAC Policies according to the discussion we led here earlier. Please check the design page http://www.freeipa.org/page/V4/Time-Based_Account_Policies. The biggest changes are in the Implementation

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-26 Thread Petr Vobornik
On 08/26/2016 12:23 PM, Martin Basti wrote: > > > On 26.08.2016 12:20, Alexander Bokovoy wrote: >> On Fri, 26 Aug 2016, Jan Cholasta wrote: >>> On 26.8.2016 11:55, Martin Basti wrote: On 26.08.2016 11:43, Jan Cholasta wrote: > Hi, > > On 11.8.2016 12:34, Stanislav

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-26 Thread Standa Laznicka
On 08/26/2016 12:39 PM, Martin Basti wrote: On 26.08.2016 12:37, Petr Vobornik wrote: On 08/26/2016 12:23 PM, Martin Basti wrote: On 26.08.2016 12:20, Alexander Bokovoy wrote: On Fri, 26 Aug 2016, Jan Cholasta wrote: On 26.8.2016 11:55, Martin Basti wrote: On 26.08.2016 11:43, Jan

[Freeipa-devel] [freeipa PR#25] Added install check before executing ipa-* command (opened)

2016-08-26 Thread Akasurde
Akasurde's pull request #25: "Added install check before executing ipa-* command" was opened PR body: """ Fixes: https://fedorahosted.org/freeipa/ticket/6261 Signed-off-by: Abhijeet Kasurde """ See the full pull-request at https://github.com/freeipa/freeipa/pull/25 ... or

[Freeipa-devel] [freeipa PR#27] Tests: Fix integration sudo tests setup and checks (edited)

2016-08-26 Thread mirielka
mirielka's pull request #27: "Tests: Fix integration sudo tests setup and checks" was edited See the full pull-request at https://github.com/freeipa/freeipa/pull/27 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/27/head:pr27

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-26 Thread Simo Sorce
On Fri, 2016-08-26 at 18:09 +0300, Alexander Bokovoy wrote: > On Fri, 26 Aug 2016, Simo Sorce wrote: > >On Fri, 2016-08-26 at 12:39 +0200, Martin Basti wrote: > >> > I miss "why" part of "To be able to handle backward compatibility > >> with > >> > ease, a new object called ipaHBACRulev2 is

[Freeipa-devel] [freeipa PR#30] Print to debug output answer from CA (opened)

2016-08-26 Thread mbasti-rh
mbasti-rh's pull request #30: "Print to debug output answer from CA" was opened PR body: """ CA request may fail due to various errors, without debug output we cannot decide what is wrong. """ See the full pull-request at https://github.com/freeipa/freeipa/pull/30 ... or pull the PR as Git branch:

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-26 Thread Alexander Bokovoy
On Fri, 26 Aug 2016, Simo Sorce wrote: On Fri, 2016-08-26 at 12:39 +0200, Martin Basti wrote: > I miss "why" part of "To be able to handle backward compatibility with > ease, a new object called ipaHBACRulev2 is introduced. " in the design > page. If the reason is the above - old clients

[Freeipa-devel] [freeipa PR#29] Enable LDAPS in replica promotion (opened)

2016-08-26 Thread tomaskrizek
tomaskrizek's pull request #29: "Enable LDAPS in replica promotion" was opened PR body: """ With CA-less master and CA-less replica, attempting to install CA on replica would fail. LDAPS has to be enabled during replica promotion, because it is required by Dogtag.

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-26 Thread Simo Sorce
On Fri, 2016-08-26 at 12:39 +0200, Martin Basti wrote: > > I miss "why" part of "To be able to handle backward compatibility > with > > ease, a new object called ipaHBACRulev2 is introduced. " in the > design > > page. If the reason is the above - old clients should ignore time > rules > > then

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-26 Thread Simo Sorce
On Fri, 2016-08-26 at 11:37 -0400, Simo Sorce wrote: > Ie we could set both "allow" and "allow_with_time" on an object for > cases where the admin wants to enforce the time part only on newer > client > but otherwise apply the rule to any client. I notice that SSSD does not like it if there are

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-26 Thread Simo Sorce
On Fri, 2016-08-26 at 11:26 -0400, Simo Sorce wrote: > On Fri, 2016-08-26 at 18:09 +0300, Alexander Bokovoy wrote: > > On Fri, 26 Aug 2016, Simo Sorce wrote: > > >On Fri, 2016-08-26 at 12:39 +0200, Martin Basti wrote: > > >> > I miss "why" part of "To be able to handle backward compatibility > >

[Freeipa-devel] [freeipa PR#10] Client-side CSR autogeneration (synchronize)

2016-08-26 Thread LiptonB
LiptonB's pull request #10: "Client-side CSR autogeneration" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/10 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/10/head:pr10 git checkout

[Freeipa-devel] [freeipa PR#10] Client-side CSR autogeneration (synchronize)

2016-08-26 Thread LiptonB
LiptonB's pull request #10: "Client-side CSR autogeneration" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/10 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/10/head:pr10 git checkout

[Freeipa-devel] [freeipa PR#24] [master, ipa-4-3] Raise error when running ipa-adtrust-install with empty netbios--name (edited)

2016-08-26 Thread mirielka
mirielka's pull request #24: "[master, ipa-4-3] Raise error when running ipa-adtrust-install with empty netbios--name" was edited See the full pull-request at https://github.com/freeipa/freeipa/pull/24 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa

[Freeipa-devel] [freeipa PR#24] [master, ipa-4-3] Raise error when running ipa-adtrust-install with empty netbios--name (opened)

2016-08-26 Thread mirielka
mirielka's pull request #24: "[master, ipa-4-3] Raise error when running ipa-adtrust-install with empty netbios--name" was opened PR body: """ When running ipa-adtrust-install, a netbios-name option must be specified. Currently if an invalid netbios name in form of empty string is specified, the

Re: [Freeipa-devel] [PATCH] 0090, 0092..0094 cert-show: show subject alternative names

2016-08-26 Thread Jan Cholasta
On 23.8.2016 11:46, Fraser Tweedale wrote: Thanks for review; rebased and updated patch attached. Only 0090 has substantive changes. Cheers, Fraser On Mon, Aug 22, 2016 at 09:22:08AM +0200, Jan Cholasta wrote: On 19.8.2016 13:11, Fraser Tweedale wrote: Bump for review. On Mon, Aug 15, 2016