Re: [Freeipa-devel] [PATCH] ipa trust-add command should be interactive
Hi,

On 16.7.2014 05:48, Gabe Alford wrote:
> Hello,
>
> Adds AD admin and password to interactive commands.
>
> https://fedorahosted.org/freeipa/ticket/3034
>
> Thanks,
> Gabe

I think that instead of making the parameters mandatory, you should instead set alwaysask=True on them.

Honza

--
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0243] ipalib: idrange: Make non-implemented range types fail the
Hi,

On 16.7.2014 14:05, Tomas Babej wrote:
> Hi,
>
> The ipa-ipa-trust and ipa-ad-winsync ID Range types were allowed to pass the validation tests, however, they are not implemented nor checked by the 389 server plugin.
>
> https://fedorahosted.org/freeipa/ticket/4323

ACK.

--
Jan Cholasta
Re: [Freeipa-devel] [PATCH] ipa trust-add command should be interactive
On 07/21/2014 09:56 AM, Jan Cholasta wrote:
> Hi,
>
> On 16.7.2014 05:48, Gabe Alford wrote:
>> Hello,
>>
>> Adds AD admin and password to interactive commands.
>>
>> https://fedorahosted.org/freeipa/ticket/3034
>>
>> Thanks,
>> Gabe
>
> I think that instead of making the parameters mandatory, you should instead set alwaysask=True on them.
>
> Honza

Trust can be established either with user+password options OR with --trust-secret option - i.e. you cannot use mandatory options nor alwaysask.

This would rather lead to interactive_prompt_callback checking if any of authentication method is passed and asking for them if they aren't.

Martin
Re: [Freeipa-devel] [PATCH] ipa trust-add command should be interactive
On 21.7.2014 10:28, Martin Kosek wrote:
> On 07/21/2014 09:56 AM, Jan Cholasta wrote:
>> Hi,
>>
>> On 16.7.2014 05:48, Gabe Alford wrote:
>>> Hello,
>>>
>>> Adds AD admin and password to interactive commands.
>>>
>>> https://fedorahosted.org/freeipa/ticket/3034
>>>
>>> Thanks,
>>> Gabe
>>
>> I think that instead of making the parameters mandatory, you should instead set alwaysask=True on them.
>>
>> Honza
>
> Trust can be established either with user+password options OR with --trust-secret option - i.e. you cannot use mandatory options nor alwaysask.

Ah, right.

> This would rather lead to interactive_prompt_callback checking if any of authentication method is passed and asking for them if they aren't.

+1

> Martin

--
Jan Cholasta
Re: [Freeipa-devel] [PATCH] 697-702 webui: usability improvements in attribute widget
On 18.7.2014 00:06, Endi Sukma Dewata wrote:
> On 7/10/2014 8:02 AM, Petr Vobornik wrote:
>
> ACK. Comments below:
>
>> == [PATCH] 699 webui: optimize (re)creation of option widget ==
>>
>> There is a case where attributes widget can contain 1000 items. It's about 3000 nodes. It's slow in jQuery. Simple move to dojo speeds it up (is closer to native calls) while maintaining developer friendliness.
>>
>> Now the biggest lag is in browser's render. It's probably not worth developer time to optimize that.
>
> Is it common to have many items in this widget (doesn't have to be bigger than 1000, but just large enough)? Maybe the UI should provide some kind of paging interface, not just for performance reason, but also for usability.

It's not common, it's only in one case and therefore IMO we don't have to spend more time on this issue.

WRT paging: IMHO the classic one won't help, but 'infinite scroll paging' might. I would rather see this type of paging on search facets first.

>> == [PATCH] 700 webui: custom attr in attributes widget ==
>>
>> Web UI doesn't always know what are the possible attributes for target object. This will allow to add custom attributes if necessary.
>
> Right now you can add an undefined attribute, but it will fail when you try to save it. Should the UI perform a schema validation before accepting the new attribute? Or should the UI provide a list of valid attributes?

If we knew the list of valid attrs/schema we would not need this patch.

pushed to:

master:
* b68f819de75073285c17c28a30afe5b5dbfe5176 webui: improve usability of attributes widget
* 740d42257fc00235b1cebdc90866fe34bf9464b3 webui: add filter to attributes widget
* 9fa447cb6e5f1476072cf167eec8502cfc3e38e3 webui: optimize (re)creation of option widget
* 4aefc0d6fe7a4879a9b8024eb7424b4dfa5fa7ca webui: custom attr in attributes widget
* d2f2fc5addc0634b24ccda7a5aae1ed1d3c6001a webui: attr widget: get list of possible attrs from ipapermdefaultattr
* 8fcf6d6b34400c1924f509701856b86e4f647624 webui: option_widget_base: sort options

ipa-4-1:
* b68f819de75073285c17c28a30afe5b5dbfe5176 webui: improve usability of attributes widget
* 740d42257fc00235b1cebdc90866fe34bf9464b3 webui: add filter to attributes widget
* 9fa447cb6e5f1476072cf167eec8502cfc3e38e3 webui: optimize (re)creation of option widget
* 4aefc0d6fe7a4879a9b8024eb7424b4dfa5fa7ca webui: custom attr in attributes widget
* d2f2fc5addc0634b24ccda7a5aae1ed1d3c6001a webui: attr widget: get list of possible attrs from ipapermdefaultattr
* 8fcf6d6b34400c1924f509701856b86e4f647624 webui: option_widget_base: sort options

ipa-4-0:
* b68f819de75073285c17c28a30afe5b5dbfe5176 webui: improve usability of attributes widget
* 740d42257fc00235b1cebdc90866fe34bf9464b3 webui: add filter to attributes widget
* 9fa447cb6e5f1476072cf167eec8502cfc3e38e3 webui: optimize (re)creation of option widget
* 4aefc0d6fe7a4879a9b8024eb7424b4dfa5fa7ca webui: custom attr in attributes widget
* d2f2fc5addc0634b24ccda7a5aae1ed1d3c6001a webui: attr widget: get list of possible attrs from ipapermdefaultattr
* 8fcf6d6b34400c1924f509701856b86e4f647624 webui: option_widget_base: sort options

--
Petr Vobornik
Re: [Freeipa-devel] [PATCH] 703-707 webui: improvements in permission details page
On 18.7.2014 00:08, Endi Sukma Dewata wrote:
> ACK. See comment below:

pushed to:

master:
* 1a904708cc68f742a19036224b267d92644968fc webui: reflect readonly state
* e60cfa28626d7e224e2b4aebbe8af8e3fdf1d1c0 webui: fix add of input group class
* 75a96fb4c2f58d9ad54a374136afa656ac9a737e webui: show managed fields as readonly and not disabled
* 62ac6edcf42d0b736a4363aad0593dc70832ace2 webui: fix selection of empty value in a select widget
* 8ba75506c2a9b7deae32d17b4e878de005b98a31 webui: disable ipapermbindruletype if permission in a privilege

ipa-4-1:
* 1a904708cc68f742a19036224b267d92644968fc webui: reflect readonly state
* e60cfa28626d7e224e2b4aebbe8af8e3fdf1d1c0 webui: fix add of input group class
* 75a96fb4c2f58d9ad54a374136afa656ac9a737e webui: show managed fields as readonly and not disabled
* 62ac6edcf42d0b736a4363aad0593dc70832ace2 webui: fix selection of empty value in a select widget
* 8ba75506c2a9b7deae32d17b4e878de005b98a31 webui: disable ipapermbindruletype if permission in a privilege

ipa-4-0:
* 1a904708cc68f742a19036224b267d92644968fc webui: reflect readonly state
* e60cfa28626d7e224e2b4aebbe8af8e3fdf1d1c0 webui: fix add of input group class
* 75a96fb4c2f58d9ad54a374136afa656ac9a737e webui: show managed fields as readonly and not disabled
* 62ac6edcf42d0b736a4363aad0593dc70832ace2 webui: fix selection of empty value in a select widget
* 8ba75506c2a9b7deae32d17b4e878de005b98a31 webui: disable ipapermbindruletype if permission in a privilege

> On 7/10/2014 7:38 AM, Petr Vobornik wrote:
>> == [PATCH] 707 webui: disable ipapermbindruletype if permission in a privilege ==
>>
>> User is not able to change Bind Rule Type if permission is already member of a privilege. Let's disable it and don't confuse user.
>
> If you open a permission, go to the Privileges tab, add/remove a privilege, then go back to the Settings tab, the Bind rule type is not updated automatically, you'd have to click Refresh to see the change.

--
Petr Vobornik
Re: [Freeipa-devel] [PATCH] 708 webui: fix disabled state of service's PAC type
On 18.7.2014 00:09, Endi Sukma Dewata wrote:
> On 7/10/2014 7:38 AM, Petr Vobornik wrote:
>> Nested options (MS-PAC and PAD) of service's PAC type should be disabled if no value is supplied (default value is Inherited from server configuration). That was not the case - regression.
>>
>> This patch fixes it and along with it simplifies the update method of option_widget_base to be more comprehensible.
>
> ACK.

Pushed to:
master: ad593a5c06d447006f14446cbdfbf5b437a0d111
ipa-4-0: ad593a5c06d447006f14446cbdfbf5b437a0d111
ipa-4-1: ad593a5c06d447006f14446cbdfbf5b437a0d111

--
Petr Vobornik
Re: [Freeipa-devel] [PATCH] webui: 696 support wildcard attribute level rights
On 18.7.2014 00:03, Endi Sukma Dewata wrote:
> On 7/10/2014 7:23 AM, Petr Vobornik wrote:
>> Reproduction:
>> * add 'extensibleObject' object class to target object
>>
>> https://fedorahosted.org/freeipa/ticket/4380
>
> This is the original if-condition:
>
>     (!rights && !(that.flags.indexOf('w_if_no_aci') > -1 && write_oc)) ||
>     (rights && rights.indexOf('w') < 0)
>
> Here if 'rights' has a value but there's no 'w' in it, the expression will evaluate to true.
>
> This is the new code:
>
>     !can_write && !rights && !(that.flags.indexOf('w_if_no_aci') > -1 && write_oc)
>
> Here if 'rights' has any value the expression will evaluate to false. Is this correct?

You're right, there is an error. Attaching new version.

The code is rewritten to be more comprehensible - use cases are in separate variables.

--
Petr Vobornik

From e6c51dadeb29effccf4309ab3c66aa19e559ef8b Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Thu, 19 Jun 2014 17:09:38 +0200 Subject: [PATCH] webui: support wildcard attribute level rights Reproduction: * add 'extensibleObject' object class to target object https://fedorahosted.org/freeipa/ticket/4380 --- install/ui/src/freeipa/field.js | 24 +++- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/install/ui/src/freeipa/field.js b/install/ui/src/freeipa/field.js index c2e96b392bdba057828c3d5d465e7e17a52ee535..5905bbab601565d401e847de454ef86b0cd3ab97 100644 --- a/install/ui/src/freeipa/field.js +++ b/install/ui/src/freeipa/field.js @@ -450,6 +450,12 @@ field.field = IPA.field = function(spec) { var writable = true; +function has_write(record, param) { +var rights = record.attributelevelrights[param]; +var has = !!rights rights.indexOf('w') -1; +return has; +} + if (that.metadata) { if (that.metadata.primary_key) { writable = false;
@@ -460,21 +466,21 @@ field.field = IPA.field = function(spec) { } } -if (record record.attributelevelrights) { +if (record record.attributelevelrights writable) { var rights = record.attributelevelrights[that.acl_param]; -var oc_rights= record.attributelevelrights['objectclass']; -var write_oc = oc_rights oc_rights.indexOf('w') -1; +var write_attr = has_write(record, that.acl_param); +var write_all = has_write(record, '*'); -// Some objects in LDAP may not have set proper object class and +// Some objects in LDAP may not have proper object class set and // therefore server doesn't send proper attribute rights. Flag // 'w_if_no_aci' should be used when we want to ensure that UI // shows edit interface in such cases. Usable only when user can // modify object classes. -// For all others, lack of rights means no write. -if ((!rights !(that.flags.indexOf('w_if_no_aci') -1 write_oc)) || - (rights rights.indexOf('w') 0)) { -writable = false; -} +var write_oc = has_write(record, 'objectclass'); +var may_add_oc = !rights write_oc that.flags.indexOf('w_if_no_aci') -1; + +// If no rights, change writable to False: +writable = write_attr || write_all || may_add_oc; } that.set_writable(writable); -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
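Review bot: In the second hunk the comment "// If no rights, change writable to False:" no longer matches the statement under it, because `writable = write_attr || write_all || may_add_oc;` assigns unconditionally instead of only clearing the flag. Reword it to state the actual rule: the field is writable when the attribute itself, the '*' wildcard, or the 'w_if_no_aci' objectclass fallback grants 'w'. It is also worth a line noting that the added `writable` term in the outer condition means fields already made read-only by metadata skip the rights check entirely. In the first hunk, has_write() can return the expression directly rather than going through the temporary `has`, and `rights` in the second hunk is now only read for the `!rights` test in may_add_oc.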
[Freeipa-devel] [PATCH] 709 webui: fix nested items creation in dropdown list
Items nested in other items were created in root list instead of nested list. Note: this feature is not used in current UI but it's likely to be used by a plugin -- Petr Vobornik From 0f83a4bfb5d164f0fbd6d6520091fbea21887673 Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Fri, 11 Jul 2014 16:38:56 +0200 Subject: [PATCH] webui: fix nested items creation in dropdown list Items nested in other items were created in root list instead of nested list. --- install/ui/src/freeipa/widgets/DropdownWidget.js | 14 -- 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/install/ui/src/freeipa/widgets/DropdownWidget.js b/install/ui/src/freeipa/widgets/DropdownWidget.js index 181cfc5cfeb6f68852b7b00f4d7a0b178795e5fc..1f925a80a09782274226e7faf32c0c370fd32e04 100644 --- a/install/ui/src/freeipa/widgets/DropdownWidget.js +++ b/install/ui/src/freeipa/widgets/DropdownWidget.js @@ -191,7 +191,7 @@ define(['dojo/_base/declare', _itemsSetter: function(value) { this._clear_items(); this.items = value; -this._render_items(this.items, this.dom_node); +this._render_items(this.items); }, _clear_items: function() { @@ -201,9 +201,9 @@ define(['dojo/_base/declare', } }, -_render_list: function(container) { +_render_list: function(container, nested) { -var ul = this.ul_node = construct.create('ul', { +var ul = construct.create('ul', { 'class': 'dropdown-menu' }); if (this.right_aligned) { @@ -212,14 +212,15 @@ define(['dojo/_base/declare', if (container) { construct.place(ul, container); } +if (!nested) this.ul_node = ul; return ul; }, _render_items: function(items, container) { -var ul = this.ul_node; +if (!container) container = this.ul_node; array.forEach(items, function(item) { -this._render_item(item, ul); +this._render_item(item, container); }, this); }, 
@@ -257,7 +258,8 @@ define(['dojo/_base/declare', if (item.items item.items.length 0) { dom_class.add(li, 'dropdown-submenu'); -this._render_items(item.items, li); +var ul = this._render_list(li, true); +this._render_items(item.items, ul); } else { on(a, 'click', lang.hitch(this, function(event) { this.on_item_click(event, item); -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
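Review bot: The new boolean parameter in `_render_list: function(container, nested)` is undocumented, and the call site `this._render_list(li, true)` in the last hunk does not say what `true` means. A short doc comment on _render_list stating that a nested list is placed in its container but not stored in this.ul_node would make the contract clear. The same goes for _render_items: with the container argument now optional, it silently falls back to this.ul_node, so it depends on a non-nested _render_list having run first, and that precondition should be stated. The one-line forms `if (!nested) this.ul_node = ul;` and `if (!container) container = this.ul_node;` also omit the braces that the surrounding `if (container) { ... }` block uses.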
Re: [Freeipa-devel] [PATCH] 0002 Improve password validity check
On 07/18/2014 12:52 PM, Martin Kosek wrote:
> On 07/18/2014 12:33 PM, David Kupka wrote:
>> https://fedorahosted.org/freeipa/ticket/2796
>
> 1) Would it be easier/more convenient to just implement following simple check instead of bad_prefix/bad_suffix?
>
>     if password.strip() != password:
>         raise ValueError('Password must not start or end with whitespace')

Yes it would. Edited patch attached.

> 2) The main goal of the ticket 2796 was not fixed yet. It sometimes happens that when installation crashes somewhere right after pkicreate, it does not record and does not uninstall the PKI component during ipa-server-install --uninstall.
>
> You may artificially invoke some crash in cainstance.py after pkicreate to test it.
>
> When fixing it, check how is_configured() in Service object works and how self.backup_state is called in other service modules (like dsinstance.py) where the detection works correctly.

You're completely right, Martin. I was unable to reproduce the bug (to force pkicreate/pkispawn to fail) so I thought that it was fixed by the password restriction. Then I discovered that most of the banned characters for password are no longer causing troubles and focused on this. But it's yet another issue.

> Martin

--
David Kupka

From e9985196820757e61b07eb6470b6dec66502f497 Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Mon, 21 Jul 2014 15:53:07 +0200 Subject: [PATCH] Improve password validity check. Allow use of characters that no longer cause troubles. Check for leading and trailing characters in case of 389 Direcory Manager password. --- install/tools/ipa-server-install | 28 ++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 671a226d625ab9e8168c569a6d83c35dfae52115..e05b5fce7b77059cac2ad2318827c1df3ee5706b 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install
@@ -121,7 +121,31 @@ def validate_dm_password(password): raise ValueError(Password must only contain ASCII characters) # Disallow characters that pkisilent doesn't process properly: -bad_characters = ' \\%' +bad_characters = '\\' +if any(c in bad_characters for c in password): +raise ValueError('Password must not contain these characters: %s' % +', '.join('%s' % c for c in bad_characters)) + +# TODO: Check https://fedorahosted.org/389/ticket/47849 +# Actual behavior of setup-ds.pl is that it does not accept white +# space characters in password when called interactively but does when +# provided such password in INF file. But it ignores leading and trailing +# white spaces in INF file. + +# Disallow leading/trailing whaitespaces +if password.strip() != password: +raise ValueError('Password must not start or end with whitespace.') + +def validate_admin_password(password): +if len(password) 8: +raise ValueError(Password must be at least 8 characters long) +if any(ord(c) 0x20 for c in password): +raise ValueError(Password must not contain control characters) +if any(ord(c) = 0x7F for c in password): +raise ValueError(Password must only contain ASCII characters) + +# Disallow characters that pkisilent doesn't process properly: +bad_characters = '\\' if any(c in bad_characters for c in password): raise ValueError('Password must not contain these characters: %s' % ', '.join('%s' % c for c in bad_characters)) @@ -450,7 +474,7 @@ def read_admin_password(): print This user is a regular system account used for IPA server administration. print #TODO: provide the option of generating a random password -admin_password = read_password(IPA admin) +admin_password = read_password(IPA admin, validator=validate_admin_password) return admin_password def check_dirsrv(unattended): -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
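Review bot: The added validate_admin_password() repeats the length, control-character, ASCII and bad_characters checks of validate_dm_password() line for line, so the two will drift the next time one of them is touched. Move the shared checks into one helper and keep only the leading/trailing whitespace test in the Directory Manager validator, with the TODO about 389 ticket 47849 next to it. The last hunk wires the new validator into read_admin_password() only; if the admin password can also be supplied without the prompt, that path needs the same call. Minor: the comment reads "whaitespaces", and the commit message says "leading and trailing characters" where whitespace is meant.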
[Freeipa-devel] [PATCH] Always record that pkicreate has been executed
https://fedorahosted.org/freeipa/ticket/2796 -- David Kupka From 5d1e323d87aa4bf2b21ed11b062e68e56fe9d887 Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Mon, 21 Jul 2014 15:57:18 +0200 Subject: [PATCH] Always record that pkicreate has been executed. Record that pkicreate/pkispawn has been executed to allow cleanup even if the installation did not finish correctly. https://fedorahosted.org/freeipa/ticket/2796 --- ipaserver/install/cainstance.py | 13 ++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index b13a77d5811343175288c1191991f1ee6e6b721a..03aec95710d19b0f6cdc8eb6185ab0e832b28031 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -602,6 +602,7 @@ class CAInstance(service.Service): 'Contents of pkispawn configuration file (%s):\n%s' % (cfg_file, ipautil.nolog_replace(f.read(), nolog))) +self.backup_state('installed', True) try: ipautil.run(args, nolog=nolog) except ipautil.CalledProcessError, e: @@ -646,6 +647,7 @@ class CAInstance(service.Service): '-redirect', 'logs=/var/log/pki-ca', '-enable_proxy' ] +self.backup_state('installed', True) ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn}) def __enable(self): @@ -1320,6 +1322,8 @@ class CAInstance(service.Service): if not enabled is None and not enabled: self.disable() +# Just eat this state if it exists +installed = self.restore_state(installed) try: if self.dogtag_constants.DOGTAG_VERSION = 10: ipautil.run([paths.PKIDESTROY, -i, 
@@ -1355,9 +1359,12 @@ class CAInstance(service.Service): # remove CRL files root_logger.info(Remove old CRL files) -for f in get_crl_files(): -root_logger.debug(Remove %s, f) -installutils.remove_file(f) +try: +for f in get_crl_files(): +root_logger.debug(Remove %s, f) +installutils.remove_file(f) +except OSError, e: +root_logger.warning(Error while removing old CRL files: %s % e) # remove CRL directory root_logger.info(Remove CRL directory) -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
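Review bot: In the last hunk the try/except OSError wraps the whole `for f in get_crl_files():` loop, so if the error is raised while removing one file, the remaining CRL files are left behind and only a single warning is logged. Put the try inside the loop so each file is attempted, and pass the exception as a logger argument the way the neighbouring `root_logger.debug(Remove %s, f)` call does instead of formatting with `%`. In the uninstall hunk, `installed = self.restore_state(installed)` stores a value that is never read in the visible lines; either drop the assignment or use it to decide whether the destroy step needs to run. It would also help to say in a comment above each `self.backup_state('installed', True)` that it is deliberately recorded before the command runs, since that ordering is the whole point of the fix.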
Re: [Freeipa-devel] [PATCH 0058] Fix login password expiration detection with OTP
On 14.7.2014 21:01, Nathaniel McCallum wrote:
> The preexisting code would execute two steps. First, it would perform a kinit. If the kinit failed, it would attempt to bind using the same credentials to determine if the password were expired. While this method is fairly ugly, it mostly worked in the past. However, with OTP this breaks. This is because the OTP code is consumed by the kinit step. But because the password is expired, the kinit step fails. When the bind is executed, the OTP token is already consumed, so bind fails. This causes all password expirations to be reported as invalid credentials.
>
> After discussion with MIT, the best way to handle this case with the standard tools is to set LC_ALL=C and check the output from the command. This eliminates the bind step altogether. The end result is that OTP works and all password failures are more performant.
>
> https://fedorahosted.org/freeipa/ticket/4412

ACK

Pushed to:
master: e4771302812388cc7f9773ce48d0bc3b34855248
ipa-4-1: e4771302812388cc7f9773ce48d0bc3b34855248
ipa-4-0: e4771302812388cc7f9773ce48d0bc3b34855248

Initially, when testing, I got preauthentication error because I had old version of krb5: 1.11.5-4 instead of 1.11.5-5. Should we add version dependency >= 1.11.5-5 to spec file?

--
Petr Vobornik
Re: [Freeipa-devel] [PATCH 0058] Fix login password expiration detection with OTP
On Mon, 2014-07-21 at 16:39 +0200, Petr Vobornik wrote:
> On 14.7.2014 21:01, Nathaniel McCallum wrote:
>> The preexisting code would execute two steps. First, it would perform a kinit. If the kinit failed, it would attempt to bind using the same credentials to determine if the password were expired. While this method is fairly ugly, it mostly worked in the past. However, with OTP this breaks. This is because the OTP code is consumed by the kinit step. But because the password is expired, the kinit step fails. When the bind is executed, the OTP token is already consumed, so bind fails. This causes all password expirations to be reported as invalid credentials.
>>
>> After discussion with MIT, the best way to handle this case with the standard tools is to set LC_ALL=C and check the output from the command. This eliminates the bind step altogether. The end result is that OTP works and all password failures are more performant.
>>
>> https://fedorahosted.org/freeipa/ticket/4412
>
> ACK
>
> Pushed to:
> master: e4771302812388cc7f9773ce48d0bc3b34855248
> ipa-4-1: e4771302812388cc7f9773ce48d0bc3b34855248
> ipa-4-0: e4771302812388cc7f9773ce48d0bc3b34855248
>
> Initially, when testing, I got preauthentication error because I had old version of krb5: 1.11.5-4 instead of 1.11.5-5. Should we add version dependency >= 1.11.5-5 to spec file?

I would guess: yes.
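Added example, not part of the thread and not FreeIPA's code: the single kinit under LC_ALL=C described in the patch summary, next to the older kinit-then-bind flow, run against a constructed stand-in KDC that treats an OTP code as single-use. The matched kinit message, all function names and the FakeKdc class are assumptions made for the illustration.

```python
import os
import subprocess

# Assumption: text MIT kinit prints in the C locale when the KDC demands a
# password change and no new password can be read from stdin. The thread does
# not quote the message, so confirm it against the krb5 build in use.
EXPIRED_MARKER = "Cannot read password while getting initial credentials"


def c_locale_env(ccache, base=None):
    """Copy the environment and force untranslated kinit messages."""
    env = dict(os.environ if base is None else base)
    for name in [n for n in env if n in ("LANG", "LANGUAGE") or n.startswith("LC_")]:
        del env[name]
    env.update(LC_ALL="C", KRB5CCNAME=ccache)
    return env


def real_kinit(principal, secret, env):
    """Run kinit once with the secret on stdin; returns (returncode, stderr)."""
    proc = subprocess.run(["kinit", principal], input=secret + "\n", env=env,
                          capture_output=True, text=True, check=False)
    return proc.returncode, proc.stderr


def classify(returncode, stderr):
    """Map one kinit result to a login outcome without a second authentication."""
    if returncode == 0:
        return "ok"
    if EXPIRED_MARKER in stderr:
        return "password_expired"
    return "invalid_credentials"


def login(principal, secret, ccache, kinit=real_kinit, base_env=None):
    """Single-step flow: one kinit, no follow-up bind, so an OTP code is presented once."""
    return classify(*kinit(principal, secret, c_locale_env(ccache, base_env)))


class FakeKdc:
    """Constructed stand-in for a KDC and LDAP server sharing one single-use OTP code."""

    def __init__(self, password, otp, expired):
        self.valid, self.expired, self.otp_spent = password + otp, expired, False

    def _authenticate(self, secret):
        ok = secret == self.valid and not self.otp_spent
        self.otp_spent = self.otp_spent or secret == self.valid
        return ok

    def kinit(self, principal, secret, env):
        if not self._authenticate(secret):
            # Constructed failure text, only needs to differ from EXPIRED_MARKER.
            return 1, "kinit: Preauthentication failed while getting initial credentials"
        if not self.expired:
            return 0, ""
        if env.get("LC_ALL") != "C":
            return 1, "kinit: <constructed translated message>"
        return 1, "kinit: " + EXPIRED_MARKER

    def bind(self, secret):
        if not self._authenticate(secret):
            return "invalid"
        return "expired" if self.expired else "ok"


def legacy_login(kdc, principal, secret, ccache):
    """Two-step flow from the description: kinit, then a bind to ask why it failed."""
    returncode, _ = kdc.kinit(principal, secret, c_locale_env(ccache, {}))
    if returncode == 0:
        return "ok"
    return "password_expired" if kdc.bind(secret) == "expired" else "invalid_credentials"
```

With an expired password and a correct OTP code, legacy_login reports invalid credentials because the bind reuses the spent code, while login reports the expiration from the single kinit.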
[Freeipa-devel] [PATCH 0059] Update freeipa-server krb5-server dependency to 1.11.5-5
Previous versions of libkrb5 can't handle expired passwords inside the FAST tunnel. This breaks the password change UI in FreeIPA. From 2541ccf8614e86b9093a8cea9adb4ae117886c16 Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum npmccal...@redhat.com Date: Mon, 21 Jul 2014 12:32:03 -0400 Subject: [PATCH] Update freeipa-server krb5-server dependency to 1.11.5-5 Previous versions of libkrb5 can't handle expired passwords inside the FAST tunnel. This breaks the password change UI in FreeIPA. --- freeipa.spec.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 6b1f0a95299f674f8a2062f5b3897e4decaba223..447b532b66a0329a5715aca98222ab0ef1aebee4 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -90,7 +90,7 @@ Requires: 389-ds-base = 1.3.2.19 Requires: openldap-clients 2.4.35-4 Requires: nss = 3.14.3-12.0 Requires: nss-tools = 3.14.3-12.0 -Requires: krb5-server = 1.11.5-3 +Requires: krb5-server = 1.11.5-5 Requires: krb5-pkinit-openssl Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp -- 2.0.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
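Review bot: The commit message names libkrb5 as the component that cannot handle expired passwords inside the FAST tunnel, but the only line changed is `Requires: krb5-server = 1.11.5-5`. If the fix ships in the library package, the version requirement that guarantees it should be placed on that package as well, or the message should state that requiring krb5-server at this version is enough to pull in the matching library build. The message would also benefit from a link to the ticket that prompted the bump, so the reason for the minimum version can be traced later.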