Re: [Freeipa-devel] [PATCH] admiyo-0151-enroll-dialog-layout.

2011-01-19 Thread Endi Sukma Dewata
On 1/19/2011 1:32 AM, Adam Young wrote: ACK and pushed to master. -- Endi S. Dewata ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] test speedup patch

2011-01-19 Thread Pavel Zuna
On 01/19/2011 04:17 AM, Rob Crittenden wrote: Rob Crittenden wrote: Rob Crittenden wrote: Attached is a rough cut of a patch to try to speed up the cli a little bit. Basically in production mode it will skip some things during initialization. My concept is that we develop in mode !=

Re: [Freeipa-devel] [PATCH] 680 ldap lockout

2011-01-19 Thread Jan Zelený
Rob Crittenden rcrit...@redhat.com wrote: Rob Crittenden wrote: Jan Zeleny wrote: Rob Crittenden rcrit...@redhat.com wrote: Update kerberos password policy values on LDAP binds. This is so locked-out accounts in kerberos don't try things using LDAP instead. On a failed bind this will

Re: [Freeipa-devel] [PATCH] 680 ldap lockout

2011-01-19 Thread Simo Sorce
On Wed, 19 Jan 2011 14:15:05 +0100 Jan Zelený jzel...@redhat.com wrote: Rob Crittenden rcrit...@redhat.com wrote: Rob Crittenden wrote: Jan Zeleny wrote: Rob Crittenden rcrit...@redhat.com wrote: Update kerberos password policy values on LDAP binds. This is so locked-out accounts in

Re: [Freeipa-devel] [PATCH] test speedup patch

2011-01-19 Thread Rob Crittenden
Pavel Zuna wrote: On 01/19/2011 04:17 AM, Rob Crittenden wrote: Rob Crittenden wrote: Rob Crittenden wrote: Attached is a rough cut of a patch to try to speed up the cli a little bit. Basically in production mode it will skip some things during initialization. My concept is that we develop

Re: [Freeipa-devel] [PATCH] test speedup patch

2011-01-19 Thread JR Aquino
Just tested. I do see a performance increase of ~30% Without the Patch time ipa user-find -- 1 user matched -- User login: admin Last name: Administrator Home directory: /home/admin Login shell: /bin/bash Account activation status: False Member of groups:

Re: [Freeipa-devel] [PATCH] test speedup patch

2011-01-19 Thread Adam Young
On 01/19/2011 10:26 AM, JR Aquino wrote: Just tested. I do see a performance increase of ~30% Without the Patch time ipa user-find -- 1 user matched -- User login: admin Last name: Administrator Home directory: /home/admin Login shell: /bin/bash Account

[Freeipa-devel] Mapping of CLI attributes to LDAP attributes

2011-01-19 Thread Jan Zelený
Hi, I've been thinking about the concept of mapping CLI attributes to LDAP attributes (ticket #447) and I'd like to get a second opinion. The most simple solution would be to add this functionality to existing help. For the sake of lucidity, it should be hidden by default. To achieve this a

Re: [Freeipa-devel] Mapping of CLI attributes to LDAP attributes

2011-01-19 Thread Adam Young
On 01/19/2011 10:53 AM, Jan Zelený wrote: Hi, I've been thinking about the concept of mapping CLI attributes to LDAP attributes (ticket #447) and I'd like to get a second opinion. The most simple solution would be to add this functionality to existing help. For the sake of lucidity, it should

[Freeipa-devel] Rename install/static to install/ui

2011-01-19 Thread Adam Young
I've been working with Kyle Baker to implement the cleanup of the migration and the error reporting pages. One thing that is messing us up is the fact that the URL as exposed on the server is different than the file structure. I'd like to propose the following changes: First: rename

Re: [Freeipa-devel] [PATCH] 0061 Use authenticated binds in init scripts

2011-01-19 Thread JR Aquino
On 1/18/11 4:02 PM, Simo Sorce sso...@redhat.com wrote: We need to use authenticated ldap binds in init scripts as otherwise starting components fails when the option to restrict anonymous access to ldap is set. In order to do that we need to also start the KDC unconditionally, so it has been

Re: [Freeipa-devel] Mapping of CLI attributes to LDAP attributes

2011-01-19 Thread Dmitri Pal
Jan Zelený wrote: Hi, I've been thinking about the concept of mapping CLI attributes to LDAP attributes (ticket #447) and I'd like to get a second opinion. The most simple solution would be to add this functionality to existing help. For the sake of lucidity, it should be hidden by

Re: [Freeipa-devel] Rename install/static to install/ui

2011-01-19 Thread Dmitri Pal
Adam Young wrote: I've been working with Kyle Baker to implement the cleanup of the migration and the error reporting pages. One thing that is messing us up is the fact that the URL as exposed on the server is different than the file structure. I'd like to propose the following changes:

Re: [Freeipa-devel] Rename install/static to install/ui

2011-01-19 Thread Adam Young
On 01/19/2011 11:29 AM, Dmitri Pal wrote: Adam Young wrote: I've been working with Kyle Baker to implement the cleanup of the migration and the error reporting pages. One thing that is messing us up is the fact that the URL as exposed on the server is different than the file structure. I'd

Re: [Freeipa-devel] Rename install/static to install/ui

2011-01-19 Thread Rob Crittenden
Adam Young wrote: I've been working with Kyle Baker to implement the cleanup of the migration and the error reporting pages. One thing that is messing us up is the fact that the URL as exposed on the server is different than the file structure. I'd like to propose the following changes: First:

[Freeipa-devel] [PATCH] 682 performance patch

2011-01-19 Thread Rob Crittenden
This patch skips some self-testing and locking done by the framework when in production mode. The assumption is that all development is done in mode != production so no inconsistencies can sneak in. While this patch doesn't seem to do much it improved command-line performance for me somewhere

Re: [Freeipa-devel] Rename install/static to install/ui

2011-01-19 Thread Dmitri Pal
Rob Crittenden wrote: Adam Young wrote: I've been working with Kyle Baker to implement the cleanup of the migration and the error reporting pages. One thing that is messing us up is the fact that the URL as exposed on the server is different than the file structure. I'd like to propose the

Re: [Freeipa-devel] Rename install/static to install/ui

2011-01-19 Thread Adam Young
On 01/19/2011 12:06 PM, Dmitri Pal wrote: Rob Crittenden wrote: Adam Young wrote: I've been working with Kyle Baker to implement the cleanup of the migration and the error reporting pages. One thing that is messing us up is the fact that the URL as exposed on the server is different than the

Re: [Freeipa-devel] Rename install/static to install/ui

2011-01-19 Thread Dmitri Pal
Adam Young wrote: On 01/19/2011 12:06 PM, Dmitri Pal wrote: Rob Crittenden wrote: Adam Young wrote: I've been working with Kyle Baker to implement the cleanup of the migration and the error reporting pages. One thing that is messing us up is the fact that the URL as exposed on the server is

Re: [Freeipa-devel] [PATCH] 0061 Use authenticated binds in init scripts

2011-01-19 Thread Simo Sorce
On Wed, 19 Jan 2011 16:18:09 + JR Aquino jr.aqu...@citrix.com wrote: On 1/18/11 4:02 PM, Simo Sorce sso...@redhat.com wrote: We need to use authenticated ldap binds in init scripts as otherwise starting components fails when the option to restrict anonymous access to ldap is set. In

[Freeipa-devel] [PATCH] 0063 Fix ipa_uuid misbehavior

2011-01-19 Thread Simo Sorce
ipa_uuid was returning an improper error if a modify operation was performed on an entry that doesn't exist. This was preventing the dna plugin from working correctly. Do not error on missing entries, let DS handle the case and report the proper error code. Ticket 813 Simo. -- Simo Sorce *

Re: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin.

2011-01-19 Thread Rob Crittenden
Pavel Zuna wrote: Fix #798 Pavel I don't think this is the right fix. IIRC the idea was that pre-created hosts with a password (either provided or random) would not have a principal. The principal would be added once the host is enrolled. This will fix the plugin as far as adding

Re: [Freeipa-devel] [PATCH] 0063 Fix ipa_uuid misbehavior

2011-01-19 Thread Rob Crittenden
Simo Sorce wrote: ipa_uuid was returning an improper error if a modify operation was performed on an entry that doesn't exist. This was preventing the dna plugin from working correctly. Do not error on missing entries, let DS handle the case and report the proper error code. Ticket 813

Re: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin.

2011-01-19 Thread Dmitri Pal
Rob Crittenden wrote: Pavel Zuna wrote: Fix #798 Pavel I don't think this is the right fix. IIRC the idea was that pre-created hosts with a password (either provided or random) would not have a principal. The principal would be added once the host is enrolled. I thought that enrollment

Re: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin.

2011-01-19 Thread Simo Sorce
On Wed, 19 Jan 2011 15:12:03 -0500 Rob Crittenden rcrit...@redhat.com wrote: Pavel Zuna wrote: Fix #798 Pavel I don't think this is the right fix. IIRC the idea was that pre-created hosts with a password (either provided or random) would not have a principal. The principal would

Re: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin.

2011-01-19 Thread Simo Sorce
On Wed, 19 Jan 2011 15:22:22 -0500 Dmitri Pal d...@redhat.com wrote: I thought that enrollment is based only on presence of the keytab. By keytab I guess you mean the krbPrincipalKey attribute. The presence of that attribute is unknown to all users except cn=Directory Manager and uid=kdc, so no

[Freeipa-devel] New Font and I18N

2011-01-19 Thread Adam Young
Ben, Since we are going to need Chinese and Japanese support in the font for IPA, I'm thinking that we should 1. Get the translations the site. 2. Identify the Glyphs required 3. Identify the process for people to submit Glyphs to the font base from the FreeIPA website. I'm assuming

Re: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin.

2011-01-19 Thread Rob Crittenden
Simo Sorce wrote: On Wed, 19 Jan 2011 15:22:22 -0500 Dmitri Pal d...@redhat.com wrote: I thought that enrollment is based only on presence of the keytab. By keytab I guess you mean the krbPrincipalKey attribute. The presence of that attribute is unknown to all users except cn=Directory

Re: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin.

2011-01-19 Thread Dmitri Pal
Rob Crittenden wrote: Simo Sorce wrote: On Wed, 19 Jan 2011 15:22:22 -0500 Dmitri Pal d...@redhat.com wrote: I thought that enrollment is based only on presence of the keytab. By keytab I guess you mean the krbPrincipalKey attribute. The presence of that attribute is unknown to all users

[Freeipa-devel] [PATCH] 683 block anonymous access to hbac info

2011-01-19 Thread Rob Crittenden
Add a couple of acis to block anonymous access to cn=hbac and to member attributes. This is so you can't hunt for what roles, groups, etc. a user might be in (so you can target an attack). ticket 811 rob From b1d9409042946406b0354af17c9345c1bdf9ec0f Mon Sep 17 00:00:00 2001 From: Rob

Re: [Freeipa-devel] [PATCH] 683 block anonymous access to hbac info

2011-01-19 Thread Simo Sorce
On Wed, 19 Jan 2011 17:51:56 -0500 Rob Crittenden rcrit...@redhat.com wrote: +aci: (targetattr = member || memberOf || memberHost || memberUser)(version 3.0; acl No anonymous access to member information; deny (read,search,compare) userdn != ldap:///all;;) Nack, without 'member', nss_ldap

Re: [Freeipa-devel] [PATCH] 0061 Use authenticated binds in init scripts

2011-01-19 Thread Simo Sorce
On Wed, 19 Jan 2011 12:20:25 -0500 Simo Sorce sso...@redhat.com wrote: On Wed, 19 Jan 2011 16:18:09 + JR Aquino jr.aqu...@citrix.com wrote: On 1/18/11 4:02 PM, Simo Sorce sso...@redhat.com wrote: We need to use authenticated ldap binds in init scripts as otherwise starting

[Freeipa-devel] [PATCH] 0064 Fix authentication for init scripts

2011-01-19 Thread Simo Sorce
In order for ipactl to function even when anonymous access is disabled we need to authenticate. Use SASL/EXTERNAL to let root get access as a very low privileged special user. Ticket #795 This patch is a replacement of 0061 where I was using SASL/GSSAPI Simo. -- Simo Sorce * Red Hat, Inc *

[Freeipa-devel] [PATCH] 0065 Use ldapi with krb5kdc

2011-01-19 Thread Simo Sorce
Long ago we decided to use the ldapi socket to let the KDC access the ldap data in order to avoid communication over the network (even if it is 127.0.0.1). This patch finally implements that. Although beware that this patch will need you to either create custom policy or to set selinux in

Re: [Freeipa-devel] [PATCH] 0063 Fix ipa_uuid misbehavior

2011-01-19 Thread Simo Sorce
On Wed, 19 Jan 2011 15:15:53 -0500 Rob Crittenden rcrit...@redhat.com wrote: Simo Sorce wrote: ipa_uuid was returning an improper error if a modify operation was performed on an entry that doesn't exist. This was preventing the dna plugin from working correctly. Do not error on

Re: [Freeipa-devel] [PATCH] 0059 Add command to test if DNS is active

2011-01-19 Thread Adam Young
On 01/17/2011 01:11 PM, Simo Sorce wrote: This patch implements the feature requested in ticket #600 The internal dns_is_enabled command returns whether the DNS service is enabled on at least one of the servers in the domain. The UI can use this command to determine whether to show the DNS

Re: [Freeipa-devel] [PATCH] 0059 Add command to test if DNS is active

2011-01-19 Thread Simo Sorce
On Wed, 19 Jan 2011 20:17:56 -0500 Adam Young ayo...@redhat.com wrote: On 01/17/2011 01:11 PM, Simo Sorce wrote: This patch implements the feature requested in ticket #600 The internal dns_is_enabled command returns whether the DNS service is enabled on at least one of the servers in the