On Fri, 20 Jun 2014, Nathaniel McCallum wrote:
On Thu, 2014-06-19 at 16:30 -0400, Nathaniel McCallum wrote:
This command behaves almost exactly like otptoken-add except:
1. The new token data is written directly to a YubiKey
2. The vendor/model/serial fields are populated from the YubiKey
===
On 06/23/2014 09:29 AM, Alexander Bokovoy wrote:
On Fri, 20 Jun 2014, Nathaniel McCallum wrote:
On Thu, 2014-06-19 at 16:30 -0400, Nathaniel McCallum wrote:
This command behaves almost exactly like otptoken-add except:
1. The new token data is written directly to a YubiKey
2. The
On 06/23/2014 09:29 AM, Alexander Bokovoy wrote:
On Fri, 20 Jun 2014, Nathaniel McCallum wrote:
3. This code currently emits a warning from the call to otptoken-add:
WARNING: API Version number was not sent, forward compatibility not
guaranteed. Assuming server's API version, 2.89
How do I
On 06/20/2014 02:14 PM, Petr Viktorin wrote:
My patch 0580 was wrong; non-POSIX groups obviously lack the posixgroup
objectclass. Actually the only objectclasses that all groups share are top and
ipaobject.
This makes permission plugin updater join multiple
permission_filter_objectclasses
On 06/20/2014 11:17 PM, Martin Kosek wrote:
On 06/20/2014 05:06 PM, Petr Viktorin wrote:
All these should be independent, except for conflicts in ACI.txt that are
easily solved by running makeaci.
Umh, now the fun begins as I see :) There will probably need to be some
rebase,
it clashed
On 06/19/2014 10:18 AM, Timo Aaltonen wrote:
Hi
While porting the client code for current master I noticed that there
are some hardcodings to use /usr/lib{,64} paths for various things. This
is problematic for Debian and its derivatives, since we use proper
multiarch(tm) which
On 06/23/2014 10:01 AM, Martin Kosek wrote:
On 06/20/2014 02:14 PM, Petr Viktorin wrote:
My patch 0580 was wrong; non-POSIX groups obviously lack the posixgroup
objectclass. Actually the only objectclasses that all groups share are top and
ipaobject.
This makes permission plugin updater join
On 06/20/2014 10:35 PM, Martin Kosek wrote:
[...]
Everything worked as expected, I tested both enrollments with privileged
user and setting the OTP/class.
I have just one request (you will not like this) - before pushing please
also fix casing for the new host permissions to match others:
+
On 06/18/2014 02:09 PM, Jan Cholasta wrote:
...
3) I am thinking why do we need to introduce all the ASN parsing? I am
talking
about _decode_krb5principalname and others. If we do not use the result
anywhere, why should we include this part at all?
To work around shortcomings of
Hi,
this fixes initial findings of trust-after-aci-refactoring
investigation. Consider this effort still WIP (not this patch though).
https://fedorahosted.org/freeipa/ticket/4385
--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej |
Hi Petr,
I have to be bold I fear…
You can read about the basic idea here:
https://www.redhat.com/archives/freeipa-devel/2014-April/msg00565.html
You are proposing to drag around the private keys between pieces of software,
in a format encrypted to an externally generated, symmetric master
A fix for the default read ACIs. See commit message.
--
Petr³
From a91f37a62c88ef83e0d745493218d0446331e3e3 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Mon, 23 Jun 2014 13:37:33 +0200
Subject: [PATCH] netgroup: Add objectclass attribute to read permissions
The entries
On 23.06.2014 11:32, Martin Kosek wrote:
On 06/19/2014 10:18 AM, Timo Aaltonen wrote:
Hi
While porting the client code for current master I noticed that there
are some hardcodings to use /usr/lib{,64} paths for various things. This
is problematic for Debian and its derivatives,
Hello list,
I'm working on key wrapping mechanism described in thread LDAP schema for
DNSSEC keys [0] and I'm really puzzled from the maze of crypto here. I would
really appreciate any suggestions or comments on this.
- I have difficulties to pick and use proper wrapping mechanisms and their
On Mon, 23 Jun 2014, Tomas Babej wrote:
Hi,
this fixes initial findings of trust-after-aci-refactoring
investigation. Consider this effort still WIP (not this patch though).
https://fedorahosted.org/freeipa/ticket/4385
ACK. With this fix we are able to establish trust with git master.
There
On Fri, 2014-06-20 at 19:55 -0400, Simo Sorce wrote:
On Fri, 2014-06-20 at 16:50 -0400, Nathaniel McCallum wrote:
On Fri, 2014-06-20 at 16:05 -0400, Simo Sorce wrote:
On Fri, 2014-06-20 at 14:47 -0400, Nathaniel McCallum wrote:
This change would have very small impact on your patch set,
On 06/23/2014 03:00 PM, Alexander Bokovoy wrote:
On Mon, 23 Jun 2014, Tomas Babej wrote:
Hi,
this fixes initial findings of trust-after-aci-refactoring
investigation. Consider this effort still WIP (not this patch though).
https://fedorahosted.org/freeipa/ticket/4385
ACK. With this fix we
On 20.6.2014 18:18, Endi Sukma Dewata wrote:
On 6/18/2014 6:11 AM, Petr Vobornik wrote:
1. As discussed on IRC, the plugin is causing an error due to missing
extend.js. This needs to be fixed.
Fixed
4. I agree that the facet shouldn't define the hash. The hash should be
part of the plugin
On Fri, 2014-06-20 at 19:55 -0400, Simo Sorce wrote:
On Fri, 2014-06-20 at 16:50 -0400, Nathaniel McCallum wrote:
On Fri, 2014-06-20 at 16:05 -0400, Simo Sorce wrote:
On Fri, 2014-06-20 at 14:47 -0400, Nathaniel McCallum wrote:
This change would have very small impact on your patch set,
On 06/23/2014 03:09 PM, Petr Viktorin wrote:
On 06/23/2014 03:00 PM, Alexander Bokovoy wrote:
On Mon, 23 Jun 2014, Tomas Babej wrote:
Hi,
this fixes initial findings of trust-after-aci-refactoring
investigation. Consider this effort still WIP (not this patch though).
On Mon, 2014-06-23 at 09:42 +0200, Martin Kosek wrote:
On 06/23/2014 09:29 AM, Alexander Bokovoy wrote:
On Fri, 20 Jun 2014, Nathaniel McCallum wrote:
On Thu, 2014-06-19 at 16:30 -0400, Nathaniel McCallum wrote:
This command behaves almost exactly like otptoken-add except:
1. The new
Hello,
Bump NVR to 4.4.
Update NEWS for upcoming 4.4 release.
--
Petr^2 Spacek
From 3a705963ed575f01b792a7e89d825cf56ce99734 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Mon, 23 Jun 2014 17:10:22 +0200
Subject: [PATCH] Update NEWS for upcoming 4.4 release.
On 06/23/2014 02:26 PM, Petr Viktorin wrote:
A fix for the default read ACIs. See commit message.
Thanks, works fine.
ACK, pushed to master.
Martin
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
On Mon, 2014-06-23 at 17:44 +0200, Martin Basti wrote:
Hello,
I have following issues:
#1 Upgrading existing replicas to support DNSSEC won't work for current
design (replica-file as storage for temporal replica key).
Temporal private key needs to be copied to replica, and no encrypted
On 06/23/2014 02:59 PM, Petr Viktorin wrote:
On 06/23/2014 10:07 AM, Martin Kosek wrote:
On 06/20/2014 11:17 PM, Martin Kosek wrote:
On 06/20/2014 05:06 PM, Petr Viktorin wrote:
All these should be independent, except for conflicts in ACI.txt that are
easily solved by running makeaci.
Umh,
Search for privileges was limited to bindruletype==permission. There
was no reason to do that.
This patch removes the restriction.
Related to:
https://fedorahosted.org/freeipa/ticket/4079
--
Petr Vobornik
From 213e6d486c42bd1ccc38bf9597fe9ad6821ec9ee Mon Sep 17 00:00:00 2001
From: Petr Vobornik
On 6/23/2014 8:15 AM, Petr Vobornik wrote:
1. I'm not sure if we really need a HashCreator. Ideally the router
should map a hash to a page. Links to another page can be hardcoded too
(and substitute the parameters).
The main purpose of a hash creator is to update hash when a facet state
- Original Message -
Can you check if ipaProtectedOperation is in the aci attribute in the
base tree object ?
It should be there as excluded, and that should cause admin to not be
able to retrieve keytabs.
It was not. While running ipa-ldap-updater I got the following:
- Original Message -
Hi Petr,
I have to be bold I fear…
You can read about the basic idea here:
https://www.redhat.com/archives/freeipa-devel/2014-April/msg00565.html
You are proposing to drag around the private keys between pieces of software,
in a format encrypted to an
On Mon, 2014-06-23 at 10:29 +0300, Alexander Bokovoy wrote:
On Fri, 20 Jun 2014, Nathaniel McCallum wrote:
On Thu, 2014-06-19 at 16:30 -0400, Nathaniel McCallum wrote:
This command behaves almost exactly like otptoken-add except:
1. The new token data is written directly to a YubiKey
2.
On Mon, 2014-06-23 at 14:35 -0400, Simo Sorce wrote:
- Original Message -
- Original Message -
Can you check if ipaProtectedOperation is in the aci attribute in the
base tree object ?
It should be there as excluded, and that should cause admin to not be
able to