Re: [Freeipa-devel] KDC proxy implementation specs

2015-05-28 Thread Nathaniel McCallum
On Fri, 2015-05-29 at 08:11 +0200, Jan Cholasta wrote: > On 29.5.2015 at 08:07, Nathaniel McCallum wrote: > > On Fri, 2015-05-29 at 08:02 +0200, Jan Cholasta wrote: > > > On 28.5.2015 at 16:48, Nathaniel McCallum wrote: > > > > On Thu, 2015-05-28 at 16:34 +0200, Christian Heimes wrote: > > >

Re: [Freeipa-devel] KDC proxy implementation specs

2015-05-28 Thread Jan Cholasta
On 29.5.2015 at 08:07, Nathaniel McCallum wrote: On Fri, 2015-05-29 at 08:02 +0200, Jan Cholasta wrote: On 28.5.2015 at 16:48, Nathaniel McCallum wrote: On Thu, 2015-05-28 at 16:34 +0200, Christian Heimes wrote: Jan has suggested to ipaConfigString=kdcProxyEnabled in cn=KDC,cn=$FQDN,cn=m

Re: [Freeipa-devel] KDC proxy implementation specs

2015-05-28 Thread Nathaniel McCallum
On Fri, 2015-05-29 at 08:02 +0200, Jan Cholasta wrote: > On 28.5.2015 at 16:48, Nathaniel McCallum wrote: > > On Thu, 2015-05-28 at 16:34 +0200, Christian Heimes wrote: > > > Jan has suggested to ipaConfigString=kdcProxyEnabled in > > > cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc instead of > > > i

Re: [Freeipa-devel] [PATCHES 0001-0013 v5] Profiles and CA ACLs

2015-05-28 Thread Fraser Tweedale
On Thu, May 28, 2015 at 12:37:10PM +0200, Petr Vobornik wrote: > On 05/28/2015 11:48 AM, Martin Basti wrote: > >On 27/05/15 16:04, Fraser Tweedale wrote: > >>Hello all, > >> > >>Fresh certificate management patchset; Changelog: > >> > >>- Now depends on patch freeipa-ftweedal-0014 for correct > >>

Re: [Freeipa-devel] KDC proxy implementation specs

2015-05-28 Thread Jan Cholasta
On 28.5.2015 at 16:48, Nathaniel McCallum wrote: On Thu, 2015-05-28 at 16:34 +0200, Christian Heimes wrote: Jan has suggested to ipaConfigString=kdcProxyEnabled in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc instead of ipaConfigString=enabledService in cn=KDCPROXY,cn=$FQDN,cn=masters,cn=ipa,cn=e

Re: [Freeipa-devel] [PATCHES 0001-0013 v5] Profiles and CA ACLs

2015-05-28 Thread Fraser Tweedale
On Thu, May 28, 2015 at 02:42:53PM +0200, Martin Basti wrote: > On 28/05/15 11:48, Martin Basti wrote: > >On 27/05/15 16:04, Fraser Tweedale wrote: > >>Hello all, > >> > >>Fresh certificate management patchset; Changelog: > >> > >>- Now depends on patch freeipa-ftweedal-0014 for correct > >>cert-re

Re: [Freeipa-devel] Testing Migration

2015-05-28 Thread Rob Crittenden
Drew Erny wrote: Hi, freeipa-devel, More newbie questions. I have what I believe to be a fix for Ticket #2547 (https://fedorahosted.org/freeipa/ticket/2547) written, but I need to test this fix. I need to migrate an LDAP database that is in the previously expected form (all users and groups under

[Freeipa-devel] Testing Migration

2015-05-28 Thread Drew Erny
Hi, freeipa-devel, More newbie questions. I have what I believe to be a fix for Ticket #2547 (https://fedorahosted.org/freeipa/ticket/2547) written, but I need to test this fix. I need to migrate an LDAP database that is in the previously expected form (all users and groups under 1 level) and m

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Martin Kosek
On 05/28/2015 05:53 PM, Ludwig Krispenz wrote: On 05/28/2015 05:35 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 17:18 +0200, Ludwig Krispenz wrote: On 05/28/2015 05:03 PM, Martin Kosek wrote: On 05/28/2015 04:59 PM, Ludwig Krispenz wrote: On 05/28/2015 04:46 PM, Simo Sorce wrote: On Thu, 201

Re: [Freeipa-devel] Sudorules user validation help

2015-05-28 Thread Drew Erny
Ok, so should I write a regex that matches that broader pattern, and only allow sudorules users to be added that follow those broader restrictions? On 05/28/2015 02:09 PM, Alexander Bokovoy wrote: On Thu, 28 May 2015, Martin Kosek wrote: On 05/28/2015 04:27 PM, Drew Erny wrote: In the ticket

Re: [Freeipa-devel] Sudorules user validation help

2015-05-28 Thread Alexander Bokovoy
On Thu, 28 May 2015, Martin Kosek wrote: On 05/28/2015 04:27 PM, Drew Erny wrote: In the ticket, however, it's stated that if the user wants to use any combination of weird characters, they should be able to. Would it be better to just define a function like def validate_username(username, igno

Re: [Freeipa-devel] [PATCH 0377-0382] Synchronize changes from LDAP after reconnect

2015-05-28 Thread Matus Honek
Hi, functionality seems to work fine. I have not checked the code thoroughly. Kind of a test is attached (requires setting named's ldap connection appropriately). ACK Matúš Honěk - Original Message - From: "Petr Spacek" To: tho...@redhat.com, "Matus Honek" Cc: freeipa-devel@redhat.c

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Ludwig Krispenz
On 05/28/2015 05:35 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 17:18 +0200, Ludwig Krispenz wrote: On 05/28/2015 05:03 PM, Martin Kosek wrote: On 05/28/2015 04:59 PM, Ludwig Krispenz wrote: On 05/28/2015 04:46 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 15:54 +0200, Ludwig Krispenz wrote:

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 17:18 +0200, Ludwig Krispenz wrote: > On 05/28/2015 05:03 PM, Martin Kosek wrote: > > On 05/28/2015 04:59 PM, Ludwig Krispenz wrote: > >> On 05/28/2015 04:46 PM, Simo Sorce wrote: > >>> On Thu, 2015-05-28 at 15:54 +0200, Ludwig Krispenz wrote: > On 05/28/2015 03:26 PM, Si

Re: [Freeipa-devel] KDC proxy implementation specs

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 17:13 +0200, Christian Heimes wrote: > On 2015-05-28 17:10, Simo Sorce wrote: > > On Thu, 2015-05-28 at 17:00 +0200, Christian Heimes wrote: > >> On 2015-05-28 16:53, Simo Sorce wrote: > >>> We can't have 2 different keytabs with the same principal name. > >>> If we need privi

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Ludwig Krispenz
On 05/28/2015 05:03 PM, Martin Kosek wrote: On 05/28/2015 04:59 PM, Ludwig Krispenz wrote: On 05/28/2015 04:46 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 15:54 +0200, Ludwig Krispenz wrote: On 05/28/2015 03:26 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 14:11 +0200, Petr Spacek wrote: On 2

Re: [Freeipa-devel] KDC proxy implementation specs

2015-05-28 Thread Christian Heimes
On 2015-05-28 17:10, Simo Sorce wrote: > On Thu, 2015-05-28 at 17:00 +0200, Christian Heimes wrote: >> On 2015-05-28 16:53, Simo Sorce wrote: >>> We can't have 2 different keytabs with the same principal name. >>> If we need privilege separation we'll have to work on integrating >>> GSS-Proxy and g

Re: [Freeipa-devel] KDC proxy implementation specs

2015-05-28 Thread Rob Crittenden
Simo Sorce wrote: On Thu, 2015-05-28 at 17:00 +0200, Christian Heimes wrote: On 2015-05-28 16:53, Simo Sorce wrote: We can't have 2 different keytabs with the same principal name. If we need privilege separation we'll have to work on integrating GSS-Proxy and give the keytab only to GSS-Proxy l

Re: [Freeipa-devel] KDC proxy implementation specs

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 17:00 +0200, Christian Heimes wrote: > On 2015-05-28 16:53, Simo Sorce wrote: > > We can't have 2 different keytabs with the same principal name. > > If we need privilege separation we'll have to work on integrating > > GSS-Proxy and give the keytab only to GSS-Proxy leaving i

Re: [Freeipa-devel] KDC proxy implementation specs

2015-05-28 Thread Nathaniel McCallum
On Thu, 2015-05-28 at 17:07 +0200, Christian Heimes wrote: > On 2015-05-28 16:48, Nathaniel McCallum wrote: > > An apache module would also provide similar benefits. I'm not sure > > I > > necessarily want to stick with python here if we're optimizing for > > performance. Another option would be t

Re: [Freeipa-devel] KDC proxy implementation specs

2015-05-28 Thread Nathaniel McCallum
On Thu, 2015-05-28 at 16:34 +0200, Christian Heimes wrote: > Hello, > > thank you for your input. The former thread has 58 messages in > total. > Since last Friday we have come to an agreement in most points. I like > to > sum up our decisions and focus on some minor details. > > decisions >

Re: [Freeipa-devel] KDC proxy implementation specs

2015-05-28 Thread Christian Heimes
On 2015-05-28 16:48, Nathaniel McCallum wrote: > An apache module would also provide similar benefits. I'm not sure I > necessarily want to stick with python here if we're optimizing for > performance. Another option would be to add it to the KDC itself and > proxy through Apache like we do for Tom

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 16:59 +0200, Ludwig Krispenz wrote: > On 05/28/2015 04:46 PM, Simo Sorce wrote: > > On Thu, 2015-05-28 at 15:54 +0200, Ludwig Krispenz wrote: > >> On 05/28/2015 03:26 PM, Simo Sorce wrote: > >>> On Thu, 2015-05-28 at 14:11 +0200, Petr Spacek wrote: > On 28.5.2015 10:49, M

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Ludwig Krispenz
On 05/28/2015 04:46 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 15:54 +0200, Ludwig Krispenz wrote: On 05/28/2015 03:26 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 14:11 +0200, Petr Spacek wrote: On 28.5.2015 10:49, Martin Kosek wrote: On 05/28/2015 09:05 AM, Petr Spacek wrote: On 28.5.2015

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 16:40 +0200, Martin Basti wrote: > On 28/05/15 16:29, Simo Sorce wrote: > > On Thu, 2015-05-28 at 16:23 +0200, Oleg Fayans wrote: > >> Hi Simo, > >> > >> On 05/28/2015 03:52 PM, Simo Sorce wrote: > >>> On Thu, 2015-05-28 at 15:39 +0200, Oleg Fayans wrote: > On 05/28/2015

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Martin Kosek
On 05/28/2015 04:59 PM, Ludwig Krispenz wrote: > > On 05/28/2015 04:46 PM, Simo Sorce wrote: >> On Thu, 2015-05-28 at 15:54 +0200, Ludwig Krispenz wrote: >>> On 05/28/2015 03:26 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 14:11 +0200, Petr Spacek wrote: > On 28.5.2015 10:49, Martin Kosek

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Martin Kosek
On 05/28/2015 04:57 PM, Simo Sorce wrote: > On Thu, 2015-05-28 at 16:14 +0200, Martin Kosek wrote: >> On 05/28/2015 04:07 PM, Simo Sorce wrote: >>> On Thu, 2015-05-28 at 16:02 +0200, Martin Kosek wrote: On 05/28/2015 04:00 PM, Simo Sorce wrote: > On Thu, 2015-05-28 at 15:47 +0200, Martin K

Re: [Freeipa-devel] KDC proxy implementation specs

2015-05-28 Thread Christian Heimes
On 2015-05-28 16:53, Simo Sorce wrote: > We can't have 2 different keytabs with the same principal name. > If we need privilege separation we'll have to work on integrating > GSS-Proxy and give the keytab only to GSS-Proxy leaving it off the hands > of both the framework, the proxy, and apache itse

Re: [Freeipa-devel] Sudorules user validation help

2015-05-28 Thread Martin Kosek
On 05/28/2015 04:27 PM, Drew Erny wrote: > In the ticket, however, it's stated that if the user wants to use any > combination of weird characters, they should be able to. Would it be better to > just define a function like > > def validate_username(username, ignore_pattern=False): > > and have i

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 16:14 +0200, Martin Kosek wrote: > On 05/28/2015 04:07 PM, Simo Sorce wrote: > > On Thu, 2015-05-28 at 16:02 +0200, Martin Kosek wrote: > >> On 05/28/2015 04:00 PM, Simo Sorce wrote: > >>> On Thu, 2015-05-28 at 15:47 +0200, Martin Kosek wrote: > On 05/27/2015 04:59 PM, Ma

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 10:46 -0400, Simo Sorce wrote: > On Thu, 2015-05-28 at 15:54 +0200, Ludwig Krispenz wrote: > > On 05/28/2015 03:26 PM, Simo Sorce wrote: > > > On Thu, 2015-05-28 at 14:11 +0200, Petr Spacek wrote: > > >> On 28.5.2015 10:49, Martin Kosek wrote: > > >>> On 05/28/2015 09:05 AM, P

Re: [Freeipa-devel] KDC proxy implementation specs

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 10:48 -0400, Nathaniel McCallum wrote: > On Thu, 2015-05-28 at 16:34 +0200, Christian Heimes wrote: > > Hello, > > > > thank you for your input. The former thread has 58 messages in > > total. > > Since last Friday we have come to an agreement in most points. I like > > to

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 15:54 +0200, Ludwig Krispenz wrote: > On 05/28/2015 03:26 PM, Simo Sorce wrote: > > On Thu, 2015-05-28 at 14:11 +0200, Petr Spacek wrote: > >> On 28.5.2015 10:49, Martin Kosek wrote: > >>> On 05/28/2015 09:05 AM, Petr Spacek wrote: > On 28.5.2015 08:55, Jan Cholasta wrote

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Martin Basti
On 28/05/15 16:29, Simo Sorce wrote: On Thu, 2015-05-28 at 16:23 +0200, Oleg Fayans wrote: Hi Simo, On 05/28/2015 03:52 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 15:39 +0200, Oleg Fayans wrote: On 05/28/2015 03:26 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 14:11 +0200, Petr Spacek wrote:

[Freeipa-devel] KDC proxy implementation specs

2015-05-28 Thread Christian Heimes
Hello, thank you for your input. The former thread has 58 messages in total. Since last Friday we have come to an agreement in most points. I like to sum up our decisions and focus on some minor details. decisions - python-kdcproxy will be installed as a dependency of freeipa-server. T

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 16:23 +0200, Oleg Fayans wrote: > Hi Simo, > > On 05/28/2015 03:52 PM, Simo Sorce wrote: > > On Thu, 2015-05-28 at 15:39 +0200, Oleg Fayans wrote: > >> On 05/28/2015 03:26 PM, Simo Sorce wrote: > >>> On Thu, 2015-05-28 at 14:11 +0200, Petr Spacek wrote: > On 28.5.2015 10

Re: [Freeipa-devel] Sudorules user validation help

2015-05-28 Thread Drew Erny
In the ticket, however, it's stated that if the user wants to use any combination of weird characters, they should be able to. Would it be better to just define a function like def validate_username(username, ignore_pattern=False): and have it ignore all username validation? On 05/28/2015 09:

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Oleg Fayans
Hi Simo, On 05/28/2015 03:52 PM, Simo Sorce wrote: > On Thu, 2015-05-28 at 15:39 +0200, Oleg Fayans wrote: >> On 05/28/2015 03:26 PM, Simo Sorce wrote: >>> On Thu, 2015-05-28 at 14:11 +0200, Petr Spacek wrote: On 28.5.2015 10:49, Martin Kosek wrote: > On 05/28/2015 09:05 AM, Petr Spacek w

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Ludwig Krispenz
On 05/28/2015 04:17 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 16:04 +0200, Martin Kosek wrote: On 05/28/2015 04:04 PM, Ludwig Krispenz wrote: On 05/28/2015 04:00 PM, Martin Kosek wrote: On 05/28/2015 03:57 PM, Ludwig Krispenz wrote: On 05/28/2015 03:47 PM, Martin Kosek wrote: On 05/27/201

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 16:04 +0200, Martin Kosek wrote: > On 05/28/2015 04:04 PM, Ludwig Krispenz wrote: > > > > On 05/28/2015 04:00 PM, Martin Kosek wrote: > >> On 05/28/2015 03:57 PM, Ludwig Krispenz wrote: > >>> On 05/28/2015 03:47 PM, Martin Kosek wrote: > On 05/27/2015 04:59 PM, Martin Ko

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Martin Kosek
On 05/28/2015 04:14 PM, Ludwig Krispenz wrote: > > On 05/28/2015 04:04 PM, Martin Kosek wrote: >> On 05/28/2015 04:04 PM, Ludwig Krispenz wrote: >>> On 05/28/2015 04:00 PM, Martin Kosek wrote: On 05/28/2015 03:57 PM, Ludwig Krispenz wrote: > On 05/28/2015 03:47 PM, Martin Kosek wrote: >>>

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 16:02 +0200, Jan Cholasta wrote: > f3010498af2a4b98512d219b8e09101176c172fe. This is perfect! Thanks a lot.

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Martin Kosek
On 05/28/2015 04:07 PM, Simo Sorce wrote: > On Thu, 2015-05-28 at 16:02 +0200, Martin Kosek wrote: >> On 05/28/2015 04:00 PM, Simo Sorce wrote: >>> On Thu, 2015-05-28 at 15:47 +0200, Martin Kosek wrote: On 05/27/2015 04:59 PM, Martin Kosek wrote: ... > Domain Levels > - Done, comm

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Ludwig Krispenz
On 05/28/2015 04:04 PM, Martin Kosek wrote: On 05/28/2015 04:04 PM, Ludwig Krispenz wrote: On 05/28/2015 04:00 PM, Martin Kosek wrote: On 05/28/2015 03:57 PM, Ludwig Krispenz wrote: On 05/28/2015 03:47 PM, Martin Kosek wrote: On 05/27/2015 04:59 PM, Martin Kosek wrote: ... Domain Levels - D

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 16:02 +0200, Martin Kosek wrote: > On 05/28/2015 04:00 PM, Simo Sorce wrote: > > On Thu, 2015-05-28 at 15:47 +0200, Martin Kosek wrote: > >> On 05/27/2015 04:59 PM, Martin Kosek wrote: > >> ... > >>> Domain Levels > >>> - Done, committed > >>> - Defaults to Level 1, i.e. Topol

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Petr Spacek
On 28.5.2015 15:26, Simo Sorce wrote: > On Thu, 2015-05-28 at 14:11 +0200, Petr Spacek wrote: >> On 28.5.2015 10:49, Martin Kosek wrote: >>> On 05/28/2015 09:05 AM, Petr Spacek wrote: On 28.5.2015 08:55, Jan Cholasta wrote: > On 26.5.2015 at 16:32, Petr Spacek wrote: >> On 26.5.2015

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Martin Kosek
On 05/28/2015 04:04 PM, Ludwig Krispenz wrote: > > On 05/28/2015 04:00 PM, Martin Kosek wrote: >> On 05/28/2015 03:57 PM, Ludwig Krispenz wrote: >>> On 05/28/2015 03:47 PM, Martin Kosek wrote: On 05/27/2015 04:59 PM, Martin Kosek wrote: ... > Domain Levels > - Done, committed >>>

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Jan Cholasta
On 28.5.2015 at 16:00, Simo Sorce wrote: On Thu, 2015-05-28 at 15:47 +0200, Martin Kosek wrote: On 05/27/2015 04:59 PM, Martin Kosek wrote: ... Domain Levels - Done, committed - Defaults to Level 1, i.e. Topology plugin powered infra enabled With respect to related Simo's response in http:

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Ludwig Krispenz
On 05/28/2015 04:00 PM, Martin Kosek wrote: On 05/28/2015 03:57 PM, Ludwig Krispenz wrote: On 05/28/2015 03:47 PM, Martin Kosek wrote: On 05/27/2015 04:59 PM, Martin Kosek wrote: ... Domain Levels - Done, committed - Defaults to Level 1, i.e. Topology plugin powered infra enabled With respec

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Martin Kosek
On 05/28/2015 04:00 PM, Simo Sorce wrote: > On Thu, 2015-05-28 at 15:47 +0200, Martin Kosek wrote: >> On 05/27/2015 04:59 PM, Martin Kosek wrote: >> ... >>> Domain Levels >>> - Done, committed >>> - Defaults to Level 1, i.e. Topology plugin powered infra enabled >> >> With respect to related Simo's

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Martin Kosek
On 05/28/2015 03:57 PM, Ludwig Krispenz wrote: > > On 05/28/2015 03:47 PM, Martin Kosek wrote: >> On 05/27/2015 04:59 PM, Martin Kosek wrote: >> ... >>> Domain Levels >>> - Done, committed >>> - Defaults to Level 1, i.e. Topology plugin powered infra enabled >> With respect to related Simo's respo

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 15:47 +0200, Martin Kosek wrote: > On 05/27/2015 04:59 PM, Martin Kosek wrote: > ... > > Domain Levels > > - Done, committed > > - Defaults to Level 1, i.e. Topology plugin powered infra enabled > > With respect to related Simo's response in > http://www.redhat.com/archives/f

Re: [Freeipa-devel] [PATCH 0014] Support multiple user and host certificates

2015-05-28 Thread Petr Spacek
On 28.5.2015 15:43, Martin Kosek wrote: > On 05/28/2015 02:29 PM, Petr Spacek wrote: >> On 28.5.2015 12:06, Fraser Tweedale wrote: >>> On Thu, May 28, 2015 at 11:52:25AM +0200, Martin Kosek wrote: On 05/28/2015 11:17 AM, Martin Basti wrote: > On 28/05/15 10:46, Martin Kosek wrote: >> O

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Ludwig Krispenz
On 05/28/2015 03:52 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 15:39 +0200, Oleg Fayans wrote: On 05/28/2015 03:26 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 14:11 +0200, Petr Spacek wrote: On 28.5.2015 10:49, Martin Kosek wrote: On 05/28/2015 09:05 AM, Petr Spacek wrote: On 28.5.2015 08:

Re: [Freeipa-devel] [PATCH 0014] Support multiple user and host certificates

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 15:43 +0200, Martin Kosek wrote: > On 05/28/2015 02:29 PM, Petr Spacek wrote: > > On 28.5.2015 12:06, Fraser Tweedale wrote: > >> On Thu, May 28, 2015 at 11:52:25AM +0200, Martin Kosek wrote: > >>> On 05/28/2015 11:17 AM, Martin Basti wrote: > On 28/05/15 10:46, Martin Ko

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Ludwig Krispenz
On 05/28/2015 03:47 PM, Martin Kosek wrote: On 05/27/2015 04:59 PM, Martin Kosek wrote: ... Domain Levels - Done, committed - Defaults to Level 1, i.e. Topology plugin powered infra enabled With respect to related Simo's response in http://www.redhat.com/archives/freeipa-devel/2015-May/msg0055

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 15:39 +0200, Oleg Fayans wrote: > > On 05/28/2015 03:26 PM, Simo Sorce wrote: > > On Thu, 2015-05-28 at 14:11 +0200, Petr Spacek wrote: > >> On 28.5.2015 10:49, Martin Kosek wrote: > >>> On 05/28/2015 09:05 AM, Petr Spacek wrote: > On 28.5.2015 08:55, Jan Cholasta wrote:

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Ludwig Krispenz
On 05/28/2015 03:26 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 14:11 +0200, Petr Spacek wrote: On 28.5.2015 10:49, Martin Kosek wrote: On 05/28/2015 09:05 AM, Petr Spacek wrote: On 28.5.2015 08:55, Jan Cholasta wrote: On 26.5.2015 at 16:32, Petr Spacek wrote: On 26.5.2015 16:16, Martin

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Martin Kosek
On 05/27/2015 04:59 PM, Martin Kosek wrote: ... > Domain Levels > - Done, committed > - Defaults to Level 1, i.e. Topology plugin powered infra enabled With respect to related Simo's response in http://www.redhat.com/archives/freeipa-devel/2015-May/msg00553.html Would we want to enable Topology (

Re: [Freeipa-devel] [PATCH 0014] Support multiple user and host certificates

2015-05-28 Thread Martin Kosek
On 05/28/2015 02:29 PM, Petr Spacek wrote: > On 28.5.2015 12:06, Fraser Tweedale wrote: >> On Thu, May 28, 2015 at 11:52:25AM +0200, Martin Kosek wrote: >>> On 05/28/2015 11:17 AM, Martin Basti wrote: On 28/05/15 10:46, Martin Kosek wrote: > On 05/27/2015 06:12 PM, Martin Basti wrote:

Re: [Freeipa-devel] Sudorules user validation help

2015-05-28 Thread Drew Erny
OK, I see now what you mean by that. That is a simpler solution. I'll do it that way. On 05/28/2015 04:44 AM, Martin Kosek wrote: On 05/27/2015 08:41 PM, Drew Erny wrote: Hey, Freeipa-devel, I'm working on ticket #3226 (https://fedorahosted.org/freeipa/ticket/3226) I've identified the proble

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Christian Heimes
On 2015-05-28 15:28, Martin Kosek wrote: > In the end, Alexander had a good point that there will be some needed > associated configuration changes in DNS, when the KdcProxy is > enabled/disabled: > > http://www.redhat.com/archives/freeipa-devel/2015-May/msg00522.html > > In which case, we may w

Re: [Freeipa-devel] [PATCH 429] replica-install: Allow install on top of already configured client

2015-05-28 Thread Jan Cholasta
On 26.5.2015 at 17:49, Jan Cholasta wrote: On 20.5.2015 at 17:27, Jan Cholasta wrote: Hi, the attached patch implements the initial bits for . Test by running ipa-client-install and then ipa-replica-install on the same host. Updated patch a

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 12:10 +0200, Petr Spacek wrote: > On 28.5.2015 11:59, Martin Kosek wrote: > > On 05/28/2015 11:12 AM, Alexander Bokovoy wrote: > >> On Thu, 28 May 2015, Petr Spacek wrote: > >>> On 28.5.2015 07:42, Jan Cholasta wrote: > On 27.5.2015 at 15:54, Simo Sorce wrote: > >

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Martin Kosek
On 05/28/2015 03:06 PM, Simo Sorce wrote: > On Thu, 2015-05-28 at 07:42 +0200, Jan Cholasta wrote: >> On 27.5.2015 at 15:54, Simo Sorce wrote: >>> On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote: On 27.5.2015 at 15:43, Simo Sorce wrote: > On Wed, 2015-05-27 at 13:57 +0200, Jan

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 12:14 +0300, Alexander Bokovoy wrote: > On Thu, 28 May 2015, Martin Kosek wrote: > >On 05/28/2015 10:02 AM, Jan Cholasta wrote: > >> On 28.5.2015 at 09:45, Christian Heimes wrote: > >>> On 2015-05-28 07:32, Jan Cholasta wrote: > Dne 27.5.2015 v 16:01 Christian Heimes n

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 14:11 +0200, Petr Spacek wrote: > On 28.5.2015 10:49, Martin Kosek wrote: > > On 05/28/2015 09:05 AM, Petr Spacek wrote: > >> On 28.5.2015 08:55, Jan Cholasta wrote: > >>> On 26.5.2015 at 16:32, Petr Spacek wrote: > On 26.5.2015 16:16, Martin Kosek wrote: > > On 05

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 07:42 +0200, Jan Cholasta wrote: > On 27.5.2015 at 15:54, Simo Sorce wrote: > > On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote: > >> On 27.5.2015 at 15:43, Simo Sorce wrote: > >>> On Wed, 2015-05-27 at 13:57 +0200, Jan Cholasta wrote: > >> > >> ipa co

Re: [Freeipa-devel] [PATCH 0039] ipa-kdb: common function to get key encodings/salt types

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 14:43 +0200, Martin Babinsky wrote: > A small improvement upon simo's fix for > https://fedorahosted.org/freeipa/ticket/4914 > > -- > Martin^3 Babinsky LGTM. Simo.

Re: [Freeipa-devel] [PATCH 0014] Support multiple user and host certificates

2015-05-28 Thread Martin Basti
On 28/05/15 14:29, Petr Spacek wrote: On 28.5.2015 12:06, Fraser Tweedale wrote: On Thu, May 28, 2015 at 11:52:25AM +0200, Martin Kosek wrote: On 05/28/2015 11:17 AM, Martin Basti wrote: On 28/05/15 10:46, Martin Kosek wrote: On 05/27/2015 06:12 PM, Martin Basti wrote: On 27/05/15 15:53, Fra

[Freeipa-devel] [PATCH 0039] ipa-kdb: common function to get key encodings/salt types

2015-05-28 Thread Martin Babinsky
A small improvement upon simo's fix for https://fedorahosted.org/freeipa/ticket/4914 -- Martin^3 Babinsky From 51f8bcd716fbddf5913cd79ba574a396e0956f0d Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Fri, 22 May 2015 17:23:00 +0200 Subject: [PATCH] ipa-kdb: common function to get key encod

Re: [Freeipa-devel] [PATCHES 0001-0013 v5] Profiles and CA ACLs

2015-05-28 Thread Martin Basti
On 28/05/15 11:48, Martin Basti wrote: On 27/05/15 16:04, Fraser Tweedale wrote: Hello all, Fresh certificate management patchset; Changelog: - Now depends on patch freeipa-ftweedal-0014 for correct cert-request behaviour with host and service principals. - Updated Dogtag dependency to 10.

Re: [Freeipa-devel] [PATCH 0014] Support multiple user and host certificates

2015-05-28 Thread Petr Spacek
On 28.5.2015 12:06, Fraser Tweedale wrote: > On Thu, May 28, 2015 at 11:52:25AM +0200, Martin Kosek wrote: >> On 05/28/2015 11:17 AM, Martin Basti wrote: >>> On 28/05/15 10:46, Martin Kosek wrote: On 05/27/2015 06:12 PM, Martin Basti wrote: > On 27/05/15 15:53, Fraser Tweedale wrote: >

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Petr Spacek
On 28.5.2015 10:49, Martin Kosek wrote: > On 05/28/2015 09:05 AM, Petr Spacek wrote: >> On 28.5.2015 08:55, Jan Cholasta wrote: >>> On 26.5.2015 at 16:32, Petr Spacek wrote: On 26.5.2015 16:16, Martin Kosek wrote: > On 05/26/2015 04:13 PM, thierry bordaz wrote: >> On 05/26/2015 02:1

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Martin Basti
On 28/05/15 14:06, Christian Heimes wrote: On 2015-05-28 13:29, Martin Basti wrote: On 28/05/15 12:53, Christian Heimes wrote: On 2015-05-28 12:46, Martin Kosek wrote: I am fine with this too. So if there is not another major disagreement, let us start with enabling KDCPROXY by default during

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Christian Heimes
On 2015-05-28 13:29, Martin Basti wrote: > On 28/05/15 12:53, Christian Heimes wrote: >> On 2015-05-28 12:46, Martin Kosek wrote: >>> I am fine with this too. So if there is not another major disagreement, let >>> us >>> start with enabling KDCPROXY by default during upgrade/install, the new ACI

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Christian Heimes
On 2015-05-28 13:30, Jan Cholasta wrote: > On 28.5.2015 at 12:53, Christian Heimes wrote: >> On 2015-05-28 12:46, Martin Kosek wrote: >>> I am fine with this too. So if there is not another major >>> disagreement, let us >>> start with enabling KDCPROXY by default during upgrade/install, the >>>

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Jan Cholasta
On 28.5.2015 at 13:56, Christian Heimes wrote: On 2015-05-28 13:30, Jan Cholasta wrote: On 28.5.2015 at 12:53, Christian Heimes wrote: On 2015-05-28 12:46, Martin Kosek wrote: I am fine with this too. So if there is not another major disagreement, let us start with enabling KDCPROXY by d

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Petr Spacek
On 28.5.2015 12:53, Christian Heimes wrote: > On 2015-05-28 12:46, Martin Kosek wrote: >> I am fine with this too. So if there is not another major disagreement, >> let us start with enabling KDCPROXY by default during upgrade/install, >> the new ACI and the per-replica standard configuration. >>

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Jan Cholasta
On 28.5.2015 at 12:53, Christian Heimes wrote: On 2015-05-28 12:46, Martin Kosek wrote: I am fine with this too. So if there is not another major disagreement, let us start with enabling KDCPROXY by default during upgrade/install, the new ACI and the per-replica standard configuration. API C

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Martin Basti
On 28/05/15 12:53, Christian Heimes wrote: On 2015-05-28 12:46, Martin Kosek wrote: I am fine with this too. So if there is not another major disagreement, let us start with enabling KDCPROXY by default during upgrade/install, the new ACI and the per-replica standard configuration. API CLI/UI c

Re: [Freeipa-devel] [PATCH 0014] Support multiple user and host certificates

2015-05-28 Thread Fraser Tweedale
Updated patch attached. Notably restores/adds revocation behaviour to host-mod and service-mod. Thanks, Fraser On Wed, May 27, 2015 at 06:12:50PM +0200, Martin Basti wrote: > On 27/05/15 15:53, Fraser Tweedale wrote: > >This patch adds support for multiple user / host certificates. No > >schem

[Freeipa-devel] [PATCHES 326-328] ID Views improvements

2015-05-28 Thread Tomas Babej
Hi, this couple of patches improves ID Views and ID overrides handling. See commit messages for details. Tomas From 8acc50c10d9886668a0147b46f311f9aa83294bb Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Wed, 27 May 2015 14:31:13 +0200 Subject: [PATCH] idviews: Set dcerpc detection flag prope

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Christian Heimes
On 2015-05-28 12:46, Martin Kosek wrote: > I am fine with this too. So if there is not another major disagreement, let us > start with enabling KDCPROXY by default during upgrade/install, the new ACI > and > the per-replica standard configuration. > > API CLI/UI can come later (4.2.x or 4.3). LG

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Martin Kosek
On 05/28/2015 12:27 PM, Alexander Bokovoy wrote: > On Thu, 28 May 2015, Christian Heimes wrote: >> On 2015-05-28 12:10, Petr Spacek wrote: I see. My question is - if we go this way, what is then the reasonable subset configuration functionality realistic for FreeIPA 4.2 GA? (As we w

Re: [Freeipa-devel] [PATCHES 0001-0013 v5] Profiles and CA ACLs

2015-05-28 Thread Petr Vobornik
On 05/28/2015 11:48 AM, Martin Basti wrote: On 27/05/15 16:04, Fraser Tweedale wrote: Hello all, Fresh certificate management patchset; Changelog: - Now depends on patch freeipa-ftweedal-0014 for correct cert-request behaviour with host and service principals. - Updated Dogtag dependency t

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Alexander Bokovoy
On Thu, 28 May 2015, Christian Heimes wrote: On 2015-05-28 12:10, Petr Spacek wrote: I see. My question is - if we go this way, what is then the reasonable subset configuration functionality realistic for FreeIPA 4.2 GA? (As we want this feature in for 4.2). Is ipa-kdcproxy-manage doable? What

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Christian Heimes
On 2015-05-28 12:10, Petr Spacek wrote: >> I see. My question is - if we go this way, what is then the reasonable subset >> configuration functionality realistic for FreeIPA 4.2 GA? (As we want this >> feature in for 4.2). Is ipa-kdcproxy-manage doable? >> >> What is the proposed API here? >> >> ip

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Petr Spacek
On 28.5.2015 11:59, Martin Kosek wrote: > On 05/28/2015 11:12 AM, Alexander Bokovoy wrote: >> On Thu, 28 May 2015, Petr Spacek wrote: >>> On 28.5.2015 07:42, Jan Cholasta wrote: On 27.5.2015 at 15:54, Simo Sorce wrote: > On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote: >> Dne

Re: [Freeipa-devel] [PATCH 0014] Support multiple user and host certificates

2015-05-28 Thread Fraser Tweedale
On Thu, May 28, 2015 at 11:52:25AM +0200, Martin Kosek wrote: > On 05/28/2015 11:17 AM, Martin Basti wrote: > > On 28/05/15 10:46, Martin Kosek wrote: > >> On 05/27/2015 06:12 PM, Martin Basti wrote: > >>> On 27/05/15 15:53, Fraser Tweedale wrote: > This patch adds support for multiple user /

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Martin Kosek
On 05/28/2015 11:12 AM, Alexander Bokovoy wrote: > On Thu, 28 May 2015, Petr Spacek wrote: >> On 28.5.2015 07:42, Jan Cholasta wrote: >>> On 27.5.2015 at 15:54, Simo Sorce wrote: On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote: > On 27.5.2015 at 15:43, Simo Sorce wrote: >>

Re: [Freeipa-devel] [PATCH 0014] Support multiple user and host certificates

2015-05-28 Thread Martin Basti
On 28/05/15 11:17, Fraser Tweedale wrote: On Thu, May 28, 2015 at 10:40:22AM +0200, Martin Basti wrote: On 28/05/15 10:13, Fraser Tweedale wrote: On Wed, May 27, 2015 at 06:12:50PM +0200, Martin Basti wrote: On 27/05/15 15:53, Fraser Tweedale wrote: This patch adds support for multiple user

Re: [Freeipa-devel] [PATCH 0014] Support multiple user and host certificates

2015-05-28 Thread Martin Kosek
On 05/28/2015 11:17 AM, Martin Basti wrote: > On 28/05/15 10:46, Martin Kosek wrote: >> On 05/27/2015 06:12 PM, Martin Basti wrote: >>> On 27/05/15 15:53, Fraser Tweedale wrote: This patch adds support for multiple user / host certificates. No schema change is needed ('usercertificate'

Re: [Freeipa-devel] [PATCHES 0001-0013 v5] Profiles and CA ACLs

2015-05-28 Thread Martin Basti
On 27/05/15 16:04, Fraser Tweedale wrote: Hello all, Fresh certificate management patchset; Changelog: - Now depends on patch freeipa-ftweedal-0014 for correct cert-request behaviour with host and service principals. - Updated Dogtag dependency to 10.2.4-1. Should be in f22 soon,

Re: [Freeipa-devel] [PATCH 0014] Support multiple user and host certificates

2015-05-28 Thread Fraser Tweedale
On Thu, May 28, 2015 at 10:40:22AM +0200, Martin Basti wrote: > On 28/05/15 10:13, Fraser Tweedale wrote: > >On Wed, May 27, 2015 at 06:12:50PM +0200, Martin Basti wrote: > >>On 27/05/15 15:53, Fraser Tweedale wrote: > >>>This patch adds support for multiple user / host certificates. No > >>>sche

Re: [Freeipa-devel] [PATCH 0014] Support multiple user and host certificates

2015-05-28 Thread Martin Basti
On 28/05/15 10:46, Martin Kosek wrote: On 05/27/2015 06:12 PM, Martin Basti wrote: On 27/05/15 15:53, Fraser Tweedale wrote: This patch adds support for multiple user / host certificates. No schema change is needed ('usercertificate' attribute is already multi-value). The revoke-previous-cer

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Alexander Bokovoy
On Thu, 28 May 2015, Martin Kosek wrote: On 05/28/2015 10:02 AM, Jan Cholasta wrote: On 28.5.2015 at 09:45, Christian Heimes wrote: On 2015-05-28 07:32, Jan Cholasta wrote: On 27.5.2015 at 16:01, Christian Heimes wrote: On 2015-05-27 15:51, Nathaniel McCallum wrote: As I understand the

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Alexander Bokovoy
On Thu, 28 May 2015, Petr Spacek wrote: On 28.5.2015 07:42, Jan Cholasta wrote: On 27.5.2015 at 15:54, Simo Sorce wrote: On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote: On 27.5.2015 at 15:43, Simo Sorce wrote: On Wed, 2015-05-27 at 13:57 +0200, Jan Cholasta wrote: ipa conf

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Martin Kosek
On 05/28/2015 09:05 AM, Petr Spacek wrote: > On 28.5.2015 08:55, Jan Cholasta wrote: >> On 26.5.2015 at 16:32, Petr Spacek wrote: >>> On 26.5.2015 16:16, Martin Kosek wrote: On 05/26/2015 04:13 PM, thierry bordaz wrote: > On 05/26/2015 02:12 PM, Petr Spacek wrote: >> Hello, >> >

Re: [Freeipa-devel] [PATCH 0014] Support multiple user and host certificates

2015-05-28 Thread Martin Kosek
On 05/27/2015 06:12 PM, Martin Basti wrote: > On 27/05/15 15:53, Fraser Tweedale wrote: >> This patch adds support for multiple user / host certificates. No >> schema change is needed ('usercertificate' attribute is already >> multi-value). The revoke-previous-cert behaviour of host-mod and >> u
