Re: [Freeipa-devel] [Design Review Request] V4/Automatic_Certificate_Request_Generation

2016-08-08 Thread Ben Lipton
On 07/25/2016 07:45 AM, Jan Cholasta wrote: On 25.7.2016 13:11, Alexander Bokovoy wrote: On Mon, 25 Jul 2016, Jan Cholasta wrote: On 20.7.2016 16:05, Ben Lipton wrote: Hi, Thanks very much for the feedback! Some responses below; I hope you'll let me know what you think of my reasoning. On

Re: [Freeipa-devel] [PATCH 0213] support multiple uid values in slapi-nis users map

2016-08-08 Thread thierry bordaz
On 08/08/2016 05:20 PM, Alexander Bokovoy wrote: On Mon, 08 Aug 2016, thierry bordaz wrote: On 08/08/2016 04:20 PM, Alexander Bokovoy wrote: On Mon, 08 Aug 2016, thierry bordaz wrote: On 08/08/2016 10:56 AM, Alexander Bokovoy wrote: On Mon, 08 Aug 2016, Lukas Slebodnik wrote: On

Re: [Freeipa-devel] [PATCH 0213] support multiple uid values in slapi-nis users map

2016-08-08 Thread Alexander Bokovoy
On Mon, 08 Aug 2016, thierry bordaz wrote: On 08/08/2016 04:20 PM, Alexander Bokovoy wrote: On Mon, 08 Aug 2016, thierry bordaz wrote: On 08/08/2016 10:56 AM, Alexander Bokovoy wrote: On Mon, 08 Aug 2016, Lukas Slebodnik wrote: On (08/08/16 11:35), Alexander Bokovoy wrote: On Mon, 08

Re: [Freeipa-devel] [PATCH 0213] support multiple uid values in slapi-nis users map

2016-08-08 Thread thierry bordaz
On 08/08/2016 04:20 PM, Alexander Bokovoy wrote: On Mon, 08 Aug 2016, thierry bordaz wrote: On 08/08/2016 10:56 AM, Alexander Bokovoy wrote: On Mon, 08 Aug 2016, Lukas Slebodnik wrote: On (08/08/16 11:35), Alexander Bokovoy wrote: On Mon, 08 Aug 2016, Martin Basti wrote: On 08.08.2016

Re: [Freeipa-devel] [PATCH 0213] support multiple uid values in slapi-nis users map

2016-08-08 Thread Alexander Bokovoy
On Mon, 08 Aug 2016, thierry bordaz wrote: On 08/08/2016 10:56 AM, Alexander Bokovoy wrote: On Mon, 08 Aug 2016, Lukas Slebodnik wrote: On (08/08/16 11:35), Alexander Bokovoy wrote: On Mon, 08 Aug 2016, Martin Basti wrote: On 08.08.2016 09:34, Alexander Bokovoy wrote: When SSSD resolves

[Freeipa-devel] [PATCH 0035] Remove Custodia server keys from LDAP

2016-08-08 Thread Christian Heimes
The server-del plugin now removes the Custodia keys for encryption and key signing from LDAP. https://fedorahosted.org/freeipa/ticket/6015 From be4d66075d108fd9188a3a0b906bace6f6ea5122 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Mon, 8 Aug 2016 16:06:08 +0200

[Freeipa-devel] [PATCH 0034] Secure permissions of Custodia server.keys

2016-08-08 Thread Christian Heimes
I have split up patch 0032 into two smaller patches. This patch only addresses the server.keys file. Custodia's server.keys file contains the private RSA keys for encrypting and signing Custodia messages. The file was created with permission 644 and is only secured by permission 700 of the

Re: [Freeipa-devel] [PATCH 0213] support multiple uid values in slapi-nis users map

2016-08-08 Thread thierry bordaz
On 08/08/2016 10:56 AM, Alexander Bokovoy wrote: On Mon, 08 Aug 2016, Lukas Slebodnik wrote: On (08/08/16 11:35), Alexander Bokovoy wrote: On Mon, 08 Aug 2016, Martin Basti wrote: On 08.08.2016 09:34, Alexander Bokovoy wrote: > When SSSD resolves AD users on behalf of slapi-nis, it can

Re: [Freeipa-devel] [PATCH] ipa_pwd_extop: Fix warning declaration shadows previous

2016-08-08 Thread Martin Basti
On 08.08.2016 13:58, thierry bordaz wrote: On 08/08/2016 01:56 PM, Lukas Slebodnik wrote: On (08/08/16 13:30), thierry bordaz wrote: On 08/05/2016 02:16 PM, Lukas Slebodnik wrote: ehlo, attached patches fix a few compiler warnings in ipa-extop. Sorry for not following naming convention

Re: [Freeipa-devel] [PATCH] 0001: Silence sshd messages during install

2016-08-08 Thread Martin Basti
On 08.08.2016 13:58, Alexander Bokovoy wrote: On Mon, 08 Aug 2016, Jan Cholasta wrote: On 19.7.2016 08:40, Jan Cholasta wrote: Hi, On 9.7.2016 14:46, Ben Lipton wrote: On 07/07/2016 11:19 AM, Ben Lipton wrote: Thanks for the review! Comments below. On 07/01/2016 07:42 AM, Martin Basti

Re: [Freeipa-devel] certmonger proxy configuration not possible ?

2016-08-08 Thread Marx, Peter
what I feared... ok. I will open an enhancement ticket. Hopefully somebody can provide a preliminary patch I can apply. -Original Message- From: Alexander Bokovoy [mailto:aboko...@redhat.com] Sent: Monday, August 08, 2016 11:48 AM To: Marx, Peter Cc: Rob Crittenden;

Re: [Freeipa-devel] [PATCH] 0001: Silence sshd messages during install

2016-08-08 Thread Alexander Bokovoy
On Mon, 08 Aug 2016, Jan Cholasta wrote: On 19.7.2016 08:40, Jan Cholasta wrote: Hi, On 9.7.2016 14:46, Ben Lipton wrote: On 07/07/2016 11:19 AM, Ben Lipton wrote: Thanks for the review! Comments below. On 07/01/2016 07:42 AM, Martin Basti wrote: On 29.06.2016 20:46, Ben Lipton wrote:

Re: [Freeipa-devel] [PATCH] ipa_pwd_extop: Fix warning declaration shadows previous

2016-08-08 Thread thierry bordaz
On 08/08/2016 01:56 PM, Lukas Slebodnik wrote: On (08/08/16 13:30), thierry bordaz wrote: On 08/05/2016 02:16 PM, Lukas Slebodnik wrote: ehlo, attached patches fix a few compiler warnings in ipa-extop. Sorry for not following naming convention for patches. But I do not remember my number and

Re: [Freeipa-devel] [PATCH] ipa_pwd_extop: Fix warning declaration shadows previous

2016-08-08 Thread Lukas Slebodnik
On (08/08/16 13:30), thierry bordaz wrote: > > >On 08/05/2016 02:16 PM, Lukas Slebodnik wrote: >> ehlo, >> >> attached patches fix a few compiler warnings in ipa-extop. >> Sorry for not following naming convention for patches. >> But I do not remember my number and you will use github/pagure >>

Re: [Freeipa-devel] [PATCH 0154] client: RPM require initscripts to get *-domainname.service

2016-08-08 Thread Petr Spacek
On 8.8.2016 13:37, Jan Cholasta wrote: > Hi, > > On 8.8.2016 13:22, Petr Spacek wrote: >> Hello, >> >> client: RPM require initscripts to get *-domainname.service >> >> https://fedorahosted.org/freeipa/ticket/4831 > > IIRC there was a task associated with the ticket to investigate if there is a

Re: [Freeipa-devel] [PATCH] 0001: Silence sshd messages during install

2016-08-08 Thread Jan Cholasta
On 19.7.2016 08:40, Jan Cholasta wrote: Hi, On 9.7.2016 14:46, Ben Lipton wrote: On 07/07/2016 11:19 AM, Ben Lipton wrote: Thanks for the review! Comments below. On 07/01/2016 07:42 AM, Martin Basti wrote: On 29.06.2016 20:46, Ben Lipton wrote: The attached patch silences some

Re: [Freeipa-devel] [PATCH] 0002 Added support for authentication with user certificate

2016-08-08 Thread Martin Kosek
On 08/08/2016 01:31 PM, Jan Pazdziora wrote: > On Mon, Aug 08, 2016 at 12:52:33PM +0200, Martin Kosek wrote: >> >> I discussed this with Jan Pazdziora on IRC, outside of this mail thread, so >> let >> me repeat my suggestion here. I still think it is premature to add plugins >> like >> that to

Re: [Freeipa-devel] [PATCH 685] parameters: move the `confirm` kwarg to Param

2016-08-08 Thread Jan Cholasta
On 8.8.2016 13:26, Martin Basti wrote: On 08.08.2016 13:27, Jan Cholasta wrote: Hi, the attached patch fixes . Honza Please document this change in Param docstring --- a/ipalib/parameters.py +++ b/ipalib/parameters.py @@ -418,6 +418,7 @@

Re: [Freeipa-devel] [PATCH 0154] client: RPM require initscripts to get *-domainname.service

2016-08-08 Thread Jan Cholasta
Hi, On 8.8.2016 13:22, Petr Spacek wrote: Hello, client: RPM require initscripts to get *-domainname.service https://fedorahosted.org/freeipa/ticket/4831 IIRC there was a task associated with the ticket to investigate if there is a better way of setting the domain name on boot. So... is

Re: [Freeipa-devel] [PATCH] 0100: Fix question marks in adders in topology graph

2016-08-08 Thread Pavel Vomacka
On 08/05/2016 02:15 PM, Pavel Vomacka wrote: Hello, Please review attached patch. https://fedorahosted.org/freeipa/ticket/6175 Changed commit message. -- Pavel^3 Vomacka From c792fbdf68e338c763079615595de68f63c0107a Mon Sep 17 00:00:00 2001 From: Pavel Vomacka

Re: [Freeipa-devel] [PATCH] 0002 Added support for authentication with user certificate

2016-08-08 Thread Jan Pazdziora
On Mon, Aug 08, 2016 at 12:52:33PM +0200, Martin Kosek wrote: > > I discussed this with Jan Pazdziora on IRC, outside of this mail thread, so > let > me repeat my suggestion here. I still think it is premature to add plugins > like > that to FreeIPA core git. We are not agreed yet how we will

Re: [Freeipa-devel] [PATCH] ipa_pwd_extop: Fix warning declaration shadows previous

2016-08-08 Thread thierry bordaz
On 08/05/2016 02:16 PM, Lukas Slebodnik wrote: ehlo, attached patches fix a few compiler warnings in ipa-extop. Sorry for not following naming convention for patches. But I do not remember my number and you will use github/pagure anyway. LS Hi Lukas,

[Freeipa-devel] [PATCH 0215-0216] Child domain fixes for AD trust

2016-08-08 Thread Alexander Bokovoy
Hi! Attached two patches attempt to fix some of the issues we see with child domains. SSSD only 'sees' users from child domains if there is an ID range for each of them. However, after refactoring of trust code when external trust was introduced, part of the range creation had wrong assumption

Re: [Freeipa-devel] [PATCH 685] parameters: move the `confirm` kwarg to Param

2016-08-08 Thread Martin Basti
On 08.08.2016 13:27, Jan Cholasta wrote: Hi, the attached patch fixes . Honza Please document this change in Param docstring --- a/ipalib/parameters.py +++ b/ipalib/parameters.py @@ -418,6 +418,7 @@ class Param(ReadOnly):

[Freeipa-devel] [PATCH 685] parameters: move the `confirm` kwarg to Param

2016-08-08 Thread Jan Cholasta
Hi, the attached patch fixes . Honza -- Jan Cholasta From 9756b9d426b09e38d1ecbdb1e84ec8f5b0f9a957 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Mon, 8 Aug 2016 13:09:39 +0200 Subject: [PATCH] parameters: move the

[Freeipa-devel] [PATCH 0154] client: RPM require initscripts to get *-domainname.service

2016-08-08 Thread Petr Spacek
Hello, client: RPM require initscripts to get *-domainname.service https://fedorahosted.org/freeipa/ticket/4831 -- Petr^2 Spacek From b542e09b6d52b7ce22e47b6c08eb692b9f3b91b7 Mon Sep 17 00:00:00 2001 From: Petr Spacek Date: Mon, 8 Aug 2016 13:13:18 +0200 Subject: [PATCH]

Re: [Freeipa-devel] [PATCH 0112-7] Speeding up cli help

2016-08-08 Thread Jan Cholasta
On 4.8.2016 16:32, David Kupka wrote: On 03/08/16 16:33, Jan Cholasta wrote: On 3.8.2016 16:23, David Kupka wrote: On 21/07/16 10:12, Jan Cholasta wrote: Hi, On 20.7.2016 14:32, David Kupka wrote: On 15/07/16 12:53, David Kupka wrote: Hello! After Honza introduced thin client that builds

Re: [Freeipa-devel] [PATCH 0196] baseldap: Fix MidairCollision instantiation during entry modification

2016-08-08 Thread thierry bordaz
On 08/05/2016 01:33 PM, thierry bordaz wrote: On 07/26/2016 05:22 PM, Alexander Bokovoy wrote: On Tue, 26 Jul 2016, Martin Babinsky wrote: Fix for https://fedorahosted.org/freeipa/ticket/6097 Since this issue was found during investigation of other ticket[1], you can test it by

Re: [Freeipa-devel] [PATCH] 0002 Added support for authentication with user certificate

2016-08-08 Thread Alexander Bokovoy
On Mon, 08 Aug 2016, Martin Kosek wrote: On 08/05/2016 02:57 PM, Tibor Dudlak wrote: Hi, I have extended my previous patch for authentication with user certificate/smartcard. This patch includes patches and plugin described here: http://www.freeipa.org/page/V4/External_Authentication/Setup

Re: [Freeipa-devel] [PATCH 0214] Support schema files for external plugins

2016-08-08 Thread Alexander Bokovoy
On Mon, 08 Aug 2016, Petr Vobornik wrote: On 08/08/2016 12:26 PM, Alexander Bokovoy wrote: On Mon, 08 Aug 2016, Alexander Bokovoy wrote: Hi! Attached patch is what is needed to allow external plugins for FreeIPA framework to be functional if they need to extend a schema. The idea is that we

Re: [Freeipa-devel] [PATCH] 0002 Added support for authentication with user certificate

2016-08-08 Thread Martin Kosek
On 08/05/2016 02:57 PM, Tibor Dudlak wrote: > Hi, > > I have extended my previous patch for authentication with user > certificate/smartcard. This patch includes patches and plugin described here: > http://www.freeipa.org/page/V4/External_Authentication/Setup > Page also contains steps to

Re: [Freeipa-devel] [PATCH 0214] Support schema files for external plugins

2016-08-08 Thread Petr Vobornik
On 08/08/2016 12:26 PM, Alexander Bokovoy wrote: > On Mon, 08 Aug 2016, Alexander Bokovoy wrote: >> Hi! >> >> Attached patch is what is needed to allow external plugins for FreeIPA >> framework to be functional if they need to extend a schema. >> >> The idea is that we would have a separate

Re: [Freeipa-devel] [PATCH 0214] Support schema files for external plugins

2016-08-08 Thread Alexander Bokovoy
On Mon, 08 Aug 2016, Petr Spacek wrote: On 8.8.2016 11:34, Alexander Bokovoy wrote: Hi! Attached patch is what is needed to allow external plugins for FreeIPA framework to be functional if they need to extend a schema. The idea is that we would have a separate directory as

Re: [Freeipa-devel] [PATCH 0214] Support schema files for external plugins

2016-08-08 Thread Petr Spacek
On 8.8.2016 11:34, Alexander Bokovoy wrote: > Hi! > > Attached patch is what is needed to allow external plugins for FreeIPA > framework to be functional if they need to extend a schema. > > The idea is that we would have a separate directory as > /usr/share/ipa/schema.d and will allow to use

Re: [Freeipa-devel] [PATCH 0214] Support schema files for external plugins

2016-08-08 Thread Alexander Bokovoy
On Mon, 08 Aug 2016, Alexander Bokovoy wrote: Hi! Attached patch is what is needed to allow external plugins for FreeIPA framework to be functional if they need to extend a schema. The idea is that we would have a separate directory as /usr/share/ipa/schema.d and will allow to use schema

Re: [Freeipa-devel] certmonger proxy configuration not possible ?

2016-08-08 Thread Alexander Bokovoy
On Mon, 08 Aug 2016, Marx, Peter wrote: I am trying this but it has no effect - as if the environment is not passed to the called helper scep-submit. In /usr/lib/systemd/certmonger.service there is already a link defined to add stuff: [Service] .. EnvironmentFile=/etc/sysconfig/certmonger In

[Freeipa-devel] [PATCH 0214] Support schema files for external plugins

2016-08-08 Thread Alexander Bokovoy
Hi! Attached patch is what is needed to allow external plugins for FreeIPA framework to be functional if they need to extend a schema. The idea is that we would have a separate directory as /usr/share/ipa/schema.d and will allow to use schema (*.ldif) files from it and its subdirectories during

Re: [Freeipa-devel] certmonger proxy configuration not possible ?

2016-08-08 Thread Marx, Peter
I am trying this but it has no effect - as if the environment is not passed to the called helper scep-submit. In /usr/lib/systemd/certmonger.service there is already a link defined to add stuff: [Service] .. EnvironmentFile=/etc/sysconfig/certmonger In /etc/sysconfig/certmonger I added my

Re: [Freeipa-devel] [PATCH 0213] support multiple uid values in slapi-nis users map

2016-08-08 Thread Alexander Bokovoy
On Mon, 08 Aug 2016, Lukas Slebodnik wrote: On (08/08/16 11:35), Alexander Bokovoy wrote: On Mon, 08 Aug 2016, Martin Basti wrote: On 08.08.2016 09:34, Alexander Bokovoy wrote: > When SSSD resolves AD users on behalf of slapi-nis, it can accept any > user identifier, including user principal

Re: [Freeipa-devel] [PATCH 0213] support multiple uid values in slapi-nis users map

2016-08-08 Thread Lukas Slebodnik
On (08/08/16 11:35), Alexander Bokovoy wrote: >On Mon, 08 Aug 2016, Martin Basti wrote: >> >> >> On 08.08.2016 09:34, Alexander Bokovoy wrote: >> > When SSSD resolves AD users on behalf of slapi-nis, it can accept any >> > user identifier, including user principal name (UPN) which may be >> >

Re: [Freeipa-devel] [PATCH] 0097 Add options to write lightweight CA cert or chain to file

2016-08-08 Thread Jan Cholasta
On 8.8.2016 09:06, Fraser Tweedale wrote: On Mon, Aug 08, 2016 at 08:54:05AM +0200, Jan Cholasta wrote: Hi, On 8.8.2016 06:34, Fraser Tweedale wrote: Please review the attached patch which adds --certificate-out and --certificate-chain-out options to `ca-show' command. Note that

Re: [Freeipa-devel] [PATCH 0213] support multiple uid values in slapi-nis users map

2016-08-08 Thread Alexander Bokovoy
On Mon, 08 Aug 2016, Martin Basti wrote: On 08.08.2016 09:34, Alexander Bokovoy wrote: When SSSD resolves AD users on behalf of slapi-nis, it can accept any user identifier, including user principal name (UPN) which may be different than the canonical user name which SSSD returns. As a result,

Re: [Freeipa-devel] [PATCH 0003] Test validity of URIs in certificate

2016-08-08 Thread Martin Basti
On 02.08.2016 14:50, Lenka Doudova wrote: On 07/29/2016 11:43 AM, Lenka Doudova wrote: On 07/29/2016 11:41 AM, Lenka Doudova wrote: On 07/28/2016 01:35 PM, Peter Lacko wrote: Hops, fixed. Peter - Original Message - From: "Lenka Doudova"

Re: [Freeipa-devel] [PATCH 0213] support multiple uid values in slapi-nis users map

2016-08-08 Thread Martin Basti
On 08.08.2016 09:34, Alexander Bokovoy wrote: When SSSD resolves AD users on behalf of slapi-nis, it can accept any user identifier, including user principal name (UPN) which may be different than the canonical user name which SSSD returns. As a result, the entry created by slapi-nis will be

[Freeipa-devel] [PATCH 0213] support multiple uid values in slapi-nis users map

2016-08-08 Thread Alexander Bokovoy
When SSSD resolves AD users on behalf of slapi-nis, it can accept any user identifier, including user principal name (UPN) which may be different than the canonical user name which SSSD returns. As a result, the entry created by slapi-nis will be using canonical user name but the filter for search

Re: [Freeipa-devel] [PATCH] 0097 Add options to write lightweight CA cert or chain to file

2016-08-08 Thread Alexander Bokovoy
On Mon, 08 Aug 2016, Fraser Tweedale wrote: On Mon, Aug 08, 2016 at 08:54:05AM +0200, Jan Cholasta wrote: Hi, On 8.8.2016 06:34, Fraser Tweedale wrote: > Please review the attached patch which adds --certificate-out and > --certificate-chain-out options to `ca-show' command. > > Note that

Re: [Freeipa-devel] [PATCH] 0097 Add options to write lightweight CA cert or chain to file

2016-08-08 Thread Fraser Tweedale
On Mon, Aug 08, 2016 at 08:54:05AM +0200, Jan Cholasta wrote: > Hi, > > On 8.8.2016 06:34, Fraser Tweedale wrote: > > Please review the attached patch which adds --certificate-out and > > --certificate-chain-out options to `ca-show' command. > > > > Note that --certificate-chain-out currently

Re: [Freeipa-devel] [PATCH] 0097 Add options to write lightweight CA cert or chain to file

2016-08-08 Thread Jan Cholasta
Hi, On 8.8.2016 06:34, Fraser Tweedale wrote: Please review the attached patch which adds --certificate-out and --certificate-chain-out options to `ca-show' command. Note that --certificate-chain-out currently writes a bogus file due to a bug in Dogtag that will be fixed in this week's build.

Re: [Freeipa-devel] [PATCH] 0002 New User Role Tests

2016-08-08 Thread Lenka Doudova
On 07/20/2016 05:31 PM, Peter Lacko wrote: Sorry for late reply, I was waiting how the discussion with tracker improvement will end, but since there's no progress and I'm leaving soon, I'm attaching new patch. I also created mapping between old and new tests [1], to make life of reviewer