[Freeipa-devel] [PATCH] [DOC] document that wildcards are not supported in FreeIPA <= 3.2

2014-04-08 Thread Gabe Alford
Hello, Not sure how relevant this patch is to the current documentation considering (I believe) that wildcards are supported in versions 3.3 and up. Patch for https://fedorahosted.org/freeipa/ticket/3616 Thanks, Gabe From 1cc5d540027e1f01912263f83d6a2cceb0731cea Mon Sep 17 00:00:00 2001 From: Ga

Re: [Freeipa-devel] global account lockout

2014-04-08 Thread Simo Sorce
On Tue, 2014-04-08 at 12:00 +0200, Ludwig Krispenz wrote: > Replication storms. In my opinion the replication of a mod of one or > two attribute in a entry will be faster than the bind itself. Think about the amplification effect in an environment with 20 replicas. 1 login attempt -> 20+ replicati

Re: [Freeipa-devel] Ipa-server-install Firewall Support

2014-04-08 Thread Rob Crittenden
Justin Brown wrote: Dmitri, I'd be more than happy to, but I'm having trouble figuring out where it should go. Could you send me a link to a similar design page? I'd put it under here: http://www.freeipa.org/page/V4_Proposals There is a template at http://www.freeipa.org/page/Feature_templat

Re: [Freeipa-devel] Ipa-server-install Firewall Support

2014-04-08 Thread Justin Brown
Dmitri, I'd be more than happy to, but I'm having trouble figuring out where it should go. Could you send me a link to a similar design page? Thanks, Justin On Mon, Apr 7, 2014 at 6:51 PM, Dmitri Pal wrote: > On 04/07/2014 09:00 AM, Rob Crittenden wrote: >> >> Simo Sorce wrote: >>> >>> On Fri,

Re: [Freeipa-devel] Ipa-server-install Firewall Support

2014-04-08 Thread James
Not sure where to jump in but I had one comment: Puppet-IPA [1] + Shorewall make a lovely pair :) Cheers, James [1] https://github.com/purpleidea/puppet-ipa On Mon, Apr 7, 2014 at 7:51 PM, Dmitri Pal wrote: > On 04/07/2014 09:00 AM, Rob Crittenden wrote: >> >> Simo Sorce wrote: >>> >>> On Fri

Re: [Freeipa-devel] [PATCH][RFC] 7 automember rebuild nowait feature added

2014-04-08 Thread Petr Viktorin
On 04/08/2014 04:17 PM, Misnyovszki Adam wrote: On Mon, 07 Apr 2014 09:43:10 +0200 Petr Viktorin wrote: On 03/27/2014 03:37 PM, Misnyovszki Adam wrote: On Wed, 26 Mar 2014 13:15:55 +0100 Petr Viktorin wrote: [...] Looks great! I'm just concerned about the error returned when the task take

Re: [Freeipa-devel] [PATCH] 0504 Default read ACIs for Sudo objects

2014-04-08 Thread Petr Viktorin
On 04/08/2014 12:46 PM, Martin Kosek wrote: On 04/08/2014 11:03 AM, Petr Viktorin wrote: On 04/07/2014 01:30 PM, Martin Kosek wrote: On 04/03/2014 12:09 PM, Petr Viktorin wrote: Hello, This adds read permissions to read Sudo commands, command groups, rules. Read access is given to all authent

Re: [Freeipa-devel] [PATCHES] 0508-0509 Add support for "non-object" managed permissions

2014-04-08 Thread Petr Viktorin
On 04/08/2014 04:39 PM, Martin Kosek wrote: On 04/08/2014 01:14 PM, Petr Viktorin wrote: On 04/08/2014 12:53 PM, Martin Kosek wrote: On 04/08/2014 11:03 AM, Petr Viktorin wrote: ... The patch is functional, but I am not really a big fan of placing it in the plugin. I would prefer if the ACI d

Re: [Freeipa-devel] [PATCHES] 0508-0509 Add support for "non-object" managed permissions

2014-04-08 Thread Martin Kosek
On 04/08/2014 01:14 PM, Petr Viktorin wrote: > On 04/08/2014 12:53 PM, Martin Kosek wrote: >> On 04/08/2014 11:03 AM, Petr Viktorin wrote: ... >> The patch is functional, but I am not really a big fan of placing it in the >> plugin. I would prefer if the ACI definition is also in the sudo plugin >>

Re: [Freeipa-devel] [PATCH] Add DRM to IPA

2014-04-08 Thread Ade Lee
On Tue, 2014-04-08 at 09:52 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > On 04/07/2014 10:40 PM, Rob Crittenden wrote: > >> Ade Lee wrote: > >>> This patch adds the capability of installing a Dogtag DRM > >>> to an IPA instance. With this patch, when ipa-server-install > >>>

Re: [Freeipa-devel] [PATCH 0034] Deny LDAP binds for user accounts with expired principal

2014-04-08 Thread Martin Kosek
On 04/08/2014 04:23 PM, Alexander Bokovoy wrote: > On Tue, 08 Apr 2014, Martin Kosek wrote: >> +auth_failed = true; >> +goto done; >> +} >> +} > I think indenting is broken for these two brackets. >

Re: [Freeipa-devel] [PATCH 0034] Deny LDAP binds for user accounts with expired principal

2014-04-08 Thread Alexander Bokovoy
On Tue, 08 Apr 2014, Martin Kosek wrote: +auth_failed = true; +goto done; +} +} I think indenting is broken for these two brackets. Thanks Alexander, fixed. Updated version attached. Tomas Simo, Alexander - are

Re: [Freeipa-devel] [PATCH][RFC] 7 automember rebuild nowait feature added

2014-04-08 Thread Misnyovszki Adam
On Mon, 07 Apr 2014 09:43:10 +0200 Petr Viktorin wrote: > On 03/27/2014 03:37 PM, Misnyovszki Adam wrote: > > On Wed, 26 Mar 2014 13:15:55 +0100 > > Petr Viktorin wrote: > [...] > >> > >> Looks great! I'm just concerned about the error returned when the > >> task takes too long: > >> $ ipa

Re: [Freeipa-devel] [PATCH 0034] Deny LDAP binds for user accounts with expired principal

2014-04-08 Thread Martin Kosek
On 03/27/2014 02:40 PM, Martin Kosek wrote: > On 01/07/2014 01:47 PM, Tomas Babej wrote: >> >> On 01/07/2014 07:23 AM, Alexander Bokovoy wrote: >>> On Mon, 06 Jan 2014, Tomas Babej wrote: On 01/06/2014 12:16 PM, Tomas Babej wrote: > On 04/15/2013 12:43 PM, Tomas Babej wrote: >> On

Re: [Freeipa-devel] Random Certificate Serial Numbers

2014-04-08 Thread Ade Lee
On Mon, 2014-04-07 at 09:48 +0200, Martin Kosek wrote: > Hi Rob, Ade and others, > > In the past, Rob was investigating enabling random certificate serial numbers > for FreeIPA PKI [1]. We also have a ticket [2] planned to enable it for 4.0. > Can we simply switch it on for PKI with pkispawn attr

Re: [Freeipa-devel] [PATCH] Add DRM to IPA

2014-04-08 Thread Rob Crittenden
Martin Kosek wrote: On 04/07/2014 10:40 PM, Rob Crittenden wrote: Ade Lee wrote: This patch adds the capability of installing a Dogtag DRM to an IPA instance. With this patch, when ipa-server-install is run, a Dogtag CA and a Dogtag DRM are created. The DRM shares the

Re: [Freeipa-devel] Random Certificate Serial Numbers

2014-04-08 Thread Rob Crittenden
Dmitri Pal wrote: On 04/07/2014 03:48 AM, Martin Kosek wrote: Hi Rob, Ade and others, In the past, Rob was investigating enabling random certificate serial numbers for FreeIPA PKI [1]. We also have a ticket [2] planned to enable it for 4.0. Can we simply switch it on for PKI with pkispawn attr

Re: [Freeipa-devel] [PATCH 0162] ipa-pwd-extop: Fix memory leak in ipapwd_pre_bind

2014-04-08 Thread Martin Kosek
On 04/01/2014 01:59 PM, Alexander Bokovoy wrote: > On Tue, 01 Apr 2014, Tomas Babej wrote: >> Hi, >> >> We need to free the entry before returning from the function. >> >> https://fedorahosted.org/freeipa/ticket/4295 > ACK. Pushed to master. Martin

Re: [Freeipa-devel] [PATCH 0158] Extend ipa-range-check DS plugin to handle range types

2014-04-08 Thread Martin Kosek
On 04/01/2014 10:52 AM, Tomas Babej wrote: > > On 04/01/2014 10:40 AM, Alexander Bokovoy wrote: >> On Tue, 01 Apr 2014, Tomas Babej wrote: >>> From 736b3f747188696fd4a46ca63d91a6cca942fd56 Mon Sep 17 00:00:00 2001 >>> From: Tomas Babej >>> Date: Wed, 5 Mar 2014 12:28:18 +0100 >>> Subject: [PATCH]

Re: [Freeipa-devel] [PATCH 0161] ipa-range-check: Fix memory leaks when freeing range object

2014-04-08 Thread Martin Kosek
On 04/03/2014 04:31 PM, Alexander Bokovoy wrote: > On Wed, 02 Apr 2014, Martin Kosek wrote: >> On 04/01/2014 12:03 PM, Jan Pazdziora wrote: >>> On Tue, Apr 01, 2014 at 10:05:39AM +0200, Tomas Babej wrote: > Yes, that was the intention. Mistake on my part, I'll send updated > patches.

[Freeipa-devel] [PATCHES] 0510-0511 Add managed read permissions to group & hostgroup

2014-04-08 Thread Petr Viktorin
Hello, These add read permissions to read user groups and hostgroups. For most attributes, anonymous read access is given. For member, memberOf, memberUID, read access is given only to authenticated users. -- Petr³ From af2054d54dbb9818255b87e2b78ecc37b87e469a Mon Sep 17 00:00:00 2001 From: Pe

Re: [Freeipa-devel] [PATCH][RFC] 9 CA-less tests generate failure

2014-04-08 Thread Martin Kosek
On 04/04/2014 10:59 AM, Misnyovszki Adam wrote: > Hi, > > CA-less test suite always generates failures when installing revoked > certificates. This is a known issue, described in > https://fedorahosted.org/freeipa/ticket/4270 , this fix skips these > tests, outputting a notification message for the

Re: [Freeipa-devel] [PATCH] 261 Fix upload of CA certificate to LDAP in CA-less install

2014-04-08 Thread Martin Kosek
On 04/08/2014 01:16 PM, Jan Cholasta wrote: > Hi, > > the attached patch fixes . > > Honza Works for me, ACK. Pushed to master: 915cd6942c0acb00688ba7a8b0d2519be9a47fb3 Martin

Re: [Freeipa-devel] [PATCH] 0148: ipa-sam: when deleting subtree, deal with possible LDAP errors

2014-04-08 Thread Sumit Bose
On Tue, Mar 11, 2014 at 03:39:57PM +0100, Petr Spacek wrote: > On 11.3.2014 15:32, Alexander Bokovoy wrote: > >after discussing with Petr Spacek, following patch fixes ticket 4224. > > Code seems okay but I didn't do functional test. To just close this thread the changes from this patch are alread

[Freeipa-devel] [PATCH] 261 Fix upload of CA certificate to LDAP in CA-less install

2014-04-08 Thread Jan Cholasta
Hi, the attached patch fixes . Honza -- Jan Cholasta From 7439c75bc2db63ebf2268a02e4972fefbc7d828a Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 8 Apr 2014 13:12:47 +0200 Subject: [PATCH] Fix upload of CA certificate to LDAP in CA-less in

Re: [Freeipa-devel] [PATCHES] 0508-0509 Add support for "non-object" managed permissions

2014-04-08 Thread Petr Viktorin
On 04/08/2014 12:53 PM, Martin Kosek wrote: On 04/08/2014 11:03 AM, Petr Viktorin wrote: Patch 0508: This documents the inputs for the permission updater in the module itself. This is taken from the design page. I expect it'll need an addition now and then, so I think it's better to have this n

Re: [Freeipa-devel] [PATCHES] 0508-0509 Add support for "non-object" managed permissions

2014-04-08 Thread Martin Kosek
On 04/08/2014 11:03 AM, Petr Viktorin wrote: > > Patch 0508: > This documents the inputs for the permission updater in the module itself. > This > is taken from the design page. I expect it'll need an addition now and then, > so > I think it's better to have this near the code it corresponds to.

Re: [Freeipa-devel] [PATCH] 0504 Default read ACIs for Sudo objects

2014-04-08 Thread Martin Kosek
On 04/08/2014 11:03 AM, Petr Viktorin wrote: > On 04/07/2014 01:30 PM, Martin Kosek wrote: >> On 04/03/2014 12:09 PM, Petr Viktorin wrote: >>> Hello, >>> This adds read permissions to read Sudo commands, command groups, rules. >>> >>> Read access is given to all authenticated users. >> >> Looks goo

Re: [Freeipa-devel] global account lockout

2014-04-08 Thread Ludwig Krispenz
Looks like there was a great discussion while I was away :-) There seem to be great concerns (and maybe confusion) about replication update resolutions, conflicts and amount of meta data stored. I think it's not as bad as you may think. Large amounts of metadata can only accumulate for multiva

[Freeipa-devel] [PATCHES] 0508-0509 Add support for "non-object" managed permissions

2014-04-08 Thread Petr Viktorin
Patch 0508: This documents the inputs for the permission updater in the module itself. This is taken from the design page. I expect it'll need an addition now and then, so I think it's better to have this near the code it corresponds to. Patch 0509: So far the new default permissions have b

Re: [Freeipa-devel] [PATCH] 0504 Default read ACIs for Sudo objects

2014-04-08 Thread Petr Viktorin
On 04/07/2014 01:30 PM, Martin Kosek wrote: On 04/03/2014 12:09 PM, Petr Viktorin wrote: Hello, This adds read permissions to read Sudo commands, command groups, rules. Read access is given to all authenticated users. Looks good. What about "ou=sudoers"? I think we should also allow it in thi

Re: [Freeipa-devel] [PATCH 0029-0046] Internationalized domain names in DNS plugin

2014-04-08 Thread Petr Spacek
On 8.4.2014 10:49, Jan Cholasta wrote: On 8.4.2014 10:31, Petr Spacek wrote: On 8.4.2014 10:29, Jan Cholasta wrote: On 8.4.2014 10:19, Petr Spacek wrote: On 8.4.2014 10:14, Jan Cholasta wrote: On 8.4.2014 10:09, Alexander Bokovoy wrote: On Tue, 08 Apr 2014, Jan Cholasta wrote: On 8.4.2014 1

Re: [Freeipa-devel] [PATCH 0029-0046] Internationalized domain names in DNS plugin

2014-04-08 Thread Jan Cholasta
On 8.4.2014 10:31, Petr Spacek wrote: On 8.4.2014 10:29, Jan Cholasta wrote: On 8.4.2014 10:19, Petr Spacek wrote: On 8.4.2014 10:14, Jan Cholasta wrote: On 8.4.2014 10:09, Alexander Bokovoy wrote: On Tue, 08 Apr 2014, Jan Cholasta wrote: On 8.4.2014 10:01, Alexander Bokovoy wrote: On Tue,

Re: [Freeipa-devel] [PATCH] 0507 Allow anonymous read access to containers

2014-04-08 Thread Petr Viktorin
On 04/07/2014 05:00 PM, Simo Sorce wrote: On Mon, 2014-04-07 at 16:43 +0200, Martin Kosek wrote: On 04/03/2014 01:34 PM, Petr Viktorin wrote: Hello, This adds anonymous read access to containers, as discussed in this thread: https://www.redhat.com/archives/freeipa-devel/2014-March/msg00442.html

Re: [Freeipa-devel] [PATCH 0029-0046] Internationalized domain names in DNS plugin

2014-04-08 Thread Petr Spacek
On 8.4.2014 10:29, Jan Cholasta wrote: On 8.4.2014 10:19, Petr Spacek wrote: On 8.4.2014 10:14, Jan Cholasta wrote: On 8.4.2014 10:09, Alexander Bokovoy wrote: On Tue, 08 Apr 2014, Jan Cholasta wrote: On 8.4.2014 10:01, Alexander Bokovoy wrote: On Tue, 08 Apr 2014, Petr Spacek wrote: On 8.4

Re: [Freeipa-devel] [PATCH 0029-0046] Internationalized domain names in DNS plugin

2014-04-08 Thread Jan Cholasta
On 8.4.2014 10:19, Petr Spacek wrote: On 8.4.2014 10:14, Jan Cholasta wrote: On 8.4.2014 10:09, Alexander Bokovoy wrote: On Tue, 08 Apr 2014, Jan Cholasta wrote: On 8.4.2014 10:01, Alexander Bokovoy wrote: On Tue, 08 Apr 2014, Petr Spacek wrote: On 8.4.2014 09:22, Jan Cholasta wrote: On 4.4

Re: [Freeipa-devel] [PATCH 0029-0046] Internationalized domain names in DNS plugin

2014-04-08 Thread Petr Spacek
On 8.4.2014 10:14, Jan Cholasta wrote: On 8.4.2014 10:09, Alexander Bokovoy wrote: On Tue, 08 Apr 2014, Jan Cholasta wrote: On 8.4.2014 10:01, Alexander Bokovoy wrote: On Tue, 08 Apr 2014, Petr Spacek wrote: On 8.4.2014 09:22, Jan Cholasta wrote: On 4.4.2014 12:59, Petr Spacek wrote: On 3.4

Re: [Freeipa-devel] [PATCH 0029-0046] Internationalized domain names in DNS plugin

2014-04-08 Thread Alexander Bokovoy
On Tue, 08 Apr 2014, Jan Cholasta wrote: On 8.4.2014 10:09, Alexander Bokovoy wrote: On Tue, 08 Apr 2014, Jan Cholasta wrote: On 8.4.2014 10:01, Alexander Bokovoy wrote: On Tue, 08 Apr 2014, Petr Spacek wrote: On 8.4.2014 09:22, Jan Cholasta wrote: On 4.4.2014 12:59, Petr Spacek wrote: On 3

Re: [Freeipa-devel] [PATCH 0029-0046] Internationalized domain names in DNS plugin

2014-04-08 Thread Jan Cholasta
On 8.4.2014 10:09, Alexander Bokovoy wrote: On Tue, 08 Apr 2014, Jan Cholasta wrote: On 8.4.2014 10:01, Alexander Bokovoy wrote: On Tue, 08 Apr 2014, Petr Spacek wrote: On 8.4.2014 09:22, Jan Cholasta wrote: On 4.4.2014 12:59, Petr Spacek wrote: On 3.4.2014 15:35, Jan Cholasta wrote: I woul

Re: [Freeipa-devel] [PATCH 0029-0046] Internationalized domain names in DNS plugin

2014-04-08 Thread Alexander Bokovoy
On Tue, 08 Apr 2014, Jan Cholasta wrote: On 8.4.2014 10:01, Alexander Bokovoy wrote: On Tue, 08 Apr 2014, Petr Spacek wrote: On 8.4.2014 09:22, Jan Cholasta wrote: On 4.4.2014 12:59, Petr Spacek wrote: On 3.4.2014 15:35, Jan Cholasta wrote: I would shorten "origin_sign" to just "sign". Sign

Re: [Freeipa-devel] [PATCH 0029-0046] Internationalized domain names in DNS plugin

2014-04-08 Thread Jan Cholasta
On 8.4.2014 10:01, Alexander Bokovoy wrote: On Tue, 08 Apr 2014, Petr Spacek wrote: On 8.4.2014 09:22, Jan Cholasta wrote: On 4.4.2014 12:59, Petr Spacek wrote: On 3.4.2014 15:35, Jan Cholasta wrote: I would shorten "origin_sign" to just "sign". Sign of what? Decay? :-) I don't think that si

Re: [Freeipa-devel] [PATCH 0029-0046] Internationalized domain names in DNS plugin

2014-04-08 Thread Alexander Bokovoy
On Tue, 08 Apr 2014, Petr Spacek wrote: On 8.4.2014 09:22, Jan Cholasta wrote: On 4.4.2014 12:59, Petr Spacek wrote: On 3.4.2014 15:35, Jan Cholasta wrote: I would shorten "origin_sign" to just "sign". Sign of what? Decay? :-) I don't think that sign is descriptive enough, I would personally

Re: [Freeipa-devel] [PATCH 0029-0046] Internationalized domain names in DNS plugin

2014-04-08 Thread Jan Cholasta
On 8.4.2014 09:50, Petr Spacek wrote: On 8.4.2014 09:22, Jan Cholasta wrote: On 4.4.2014 12:59, Petr Spacek wrote: On 3.4.2014 15:35, Jan Cholasta wrote: I would shorten "origin_sign" to just "sign". Sign of what? Decay? :-) I don't think that sign is descriptive enough, I would personally st

Re: [Freeipa-devel] [PATCH 0029-0046] Internationalized domain names in DNS plugin

2014-04-08 Thread Petr Spacek
On 8.4.2014 09:22, Jan Cholasta wrote: On 4.4.2014 12:59, Petr Spacek wrote: On 3.4.2014 15:35, Jan Cholasta wrote: I would shorten "origin_sign" to just "sign". Sign of what? Decay? :-) I don't think that sign is descriptive enough, I would personally stick with origin_sign. Whoops, I meant

Re: [Freeipa-devel] questions regarding ldap schema for pkcs11

2014-04-08 Thread Jan Cholasta
On 7.4.2014 15:07, Rob Crittenden wrote: Simo Sorce wrote: On Fri, 2014-04-04 at 13:19 +0200, Petr Spacek wrote: On 4.4.2014 10:20, Ludwig Krispenz wrote: In the review discussion for the ldap schema for pkcs11 there was one topic, which we wanted to get the opinion from a broader audience bef

Re: [Freeipa-devel] [PATCH 0029-0046] Internationalized domain names in DNS plugin

2014-04-08 Thread Jan Cholasta
On 4.4.2014 12:59, Petr Spacek wrote: On 3.4.2014 15:35, Jan Cholasta wrote: I would shorten "origin_sign" to just "sign". Sign of what? Decay? :-) I don't think that sign is descriptive enough, I would personally stick with origin_sign. Whoops, I meant "origin". The "_sign" bit seems a littl