[Freeipa-devel] [Design Review Request] V4/Automatic_Certificate_Request_Generation

2016-06-14 Thread Ben Lipton
Hello all, I have written up a design proposal for making certificate requests easier to generate when using alternate certificate profiles: http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation. The use case for this is described in

Re: [Freeipa-devel] [Design Review Request] V4/Automatic_Certificate_Request_Generation

2016-06-16 Thread Ben Lipton
On 06/14/2016 08:27 AM, Ben Lipton wrote: Hello all, I have written up a design proposal for making certificate requests easier to generate when using alternate certificate profiles: http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation. The use case for this is described

Re: [Freeipa-devel] [PATCH 0003] Fix several small typos

2016-07-14 Thread Ben Lipton
On 07/14/2016 04:09 AM, Alexander Bokovoy wrote: On Wed, 13 Jul 2016, Ben Lipton wrote: Nothing too exciting, just fixes a few typos I've noticed in comments. ACK. However, please file a ticket and mention it in the commit message. Thanks, updated patch attached. From

Re: [Freeipa-devel] [PATCH 0003] Fix several small typos

2016-07-25 Thread Ben Lipton
On 07/18/2016 04:54 PM, Lukas Slebodnik wrote: On (18/07/16 16:38), Petr Spacek wrote: On 14.7.2016 16:11, Ben Lipton wrote: On 07/14/2016 04:09 AM, Alexander Bokovoy wrote: On Wed, 13 Jul 2016, Ben Lipton wrote: Nothing too exciting, just fixes a few typos I've noticed in comments. ACK

Re: [Freeipa-devel] [Design Review Request] V4/Automatic_Certificate_Request_Generation

2016-07-25 Thread Ben Lipton
On 07/25/2016 05:07 AM, Simo Sorce wrote: On Mon, 2016-07-25 at 10:50 +0200, Jan Cholasta wrote: Anyway, my main grudge is that the transformation rules shouldn't really be stored on and processed by the server. The server should know the *what* (mapping rules), but not the *how*

Re: [Freeipa-devel] [Design Review Request] V4/Automatic_Certificate_Request_Generation

2016-07-25 Thread Ben Lipton
On 07/25/2016 08:12 AM, Alexander Bokovoy wrote: On Mon, 25 Jul 2016, Jan Cholasta wrote: This is turning out to be a common (and, I think, reasonable) reaction to the proposal. It is rather complex, and I worry that it will be difficult to configure. On the other hand, there is some hidden

[Freeipa-devel] [PATCH 0004-0012] Automatic CSR generation

2016-07-27 Thread Ben Lipton
-side. Very excited to hear your thoughts! Ben From b2b9d3acd4eb7529f7d6ca5d58ddff546481fdf0 Mon Sep 17 00:00:00 2001 From: Ben Lipton <blip...@redhat.com> Date: Tue, 5 Jul 2016 14:19:35 -0400 Subject: [PATCH 1/9] Add schema to support automatic CSR generation This adds the schema discussed i

Re: [Freeipa-devel] [DESIGN] Text-based rules for CSR autogeneration using Jinja2

2016-07-27 Thread Ben Lipton
On 07/21/2016 11:43 AM, Petr Spacek wrote: On 20.7.2016 19:25, Ben Lipton wrote: On 07/20/2016 12:21 PM, Simo Sorce wrote: On Wed, 2016-07-20 at 12:14 -0400, Ben Lipton wrote: On 07/20/2016 10:37 AM, Simo Sorce wrote: On Wed, 2016-07-20 at 10:17 -0400, Ben Lipton wrote: On 07/20/2016 06:27

Re: [Freeipa-devel] [PATCH 0004-0012] Automatic CSR generation

2016-07-29 Thread Ben Lipton
On 07/29/2016 09:39 AM, Petr Spacek wrote: On 27.7.2016 19:06, Ben Lipton wrote: Hi all, I think the automatic CSR generation feature (https://fedorahosted.org/freeipa/ticket/4899, http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation) is stable enough to review now

Re: [Freeipa-devel] [Design Review Request] V4/Automatic_Certificate_Request_Generation

2016-07-25 Thread Ben Lipton
On 07/25/2016 12:03 PM, Simo Sorce wrote: On Mon, 2016-07-25 at 18:05 +0300, Alexander Bokovoy wrote: But maybe I'm not seeing the proper priorities here. Perhaps it's more of a problem because clients are easier to update with bugfixes than the server? Or maybe the preference for the client

Re: [Freeipa-devel] [Design Review Request] V4/Automatic_Certificate_Request_Generation

2016-07-25 Thread Ben Lipton
On 07/25/2016 11:07 AM, Simo Sorce wrote: On Mon, 2016-07-25 at 11:04 -0400, Simo Sorce wrote: On Mon, 2016-07-25 at 10:51 -0400, Ben Lipton wrote: On 07/25/2016 05:07 AM, Simo Sorce wrote: On Mon, 2016-07-25 at 10:50 +0200, Jan Cholasta wrote: Anyway, my main grudge

Re: [Freeipa-devel] Karma Requests for Dogtag 10.3.5-1 and ldapjdk

2016-08-10 Thread Ben Lipton
On 08/10/2016 12:21 PM, Matthew Harmsen wrote: *The following candidate builds of Dogtag 10.3.5 and ldapjdk on Fedora 24, 25, and 26 (rawhide) consist of the following:* * *Fedora 24:* o *dogtag-pki-10.3.5-1.fc24 *

Re: [Freeipa-devel] [PATCH 0013-0015] Automatic CSR generation - usability improvements

2016-08-10 Thread Ben Lipton
On 08/10/2016 05:07 AM, Alexander Bokovoy wrote: On Wed, 10 Aug 2016, Petr Spacek wrote: On 9.8.2016 22:07, Ben Lipton wrote: Aaand there's a typo in patch 15. Updated version attached. Ben, it would be great if you can always send whole patch set, including the patches which were

[Freeipa-devel] [PATCH 0013-0015] Automatic CSR generation - usability improvements

2016-08-09 Thread Ben Lipton
These improvements may make it easier to test the other patches. Thanks, Ben From 4108cc1e1dd1751993c3ac40f5f5dfbe18e03ca2 Mon Sep 17 00:00:00 2001 From: Ben Lipton <blip...@redhat.com> Date: Fri, 5 Aug 2016 09:29:13 -0400 Subject: [PATCH 13/15] Automate full cert request flow Adds `cert

Re: [Freeipa-devel] [PATCH 0153] Fix ipa-replica-prepare's error message about missing local CA instanc

2016-08-03 Thread Ben Lipton
On 08/01/2016 11:38 AM, Petr Spacek wrote: Hello, Fix ipa-replica-prepare's error message about missing local CA instance ipa-replica-prepare must be run on a replica with CA or all the certs needs to be provided (for CA-less case). The old messages were utterly confusing because they mixed

[Freeipa-devel] [PATCH 0003] Fix several small typos

2016-07-13 Thread Ben Lipton
Nothing too exciting, just fixes a few typos I've noticed in comments. Thanks, Ben From 26d9ba08e06a145fa9d67a039d23c3fdb272b23e Mon Sep 17 00:00:00 2001 From: Ben Lipton <blip...@redhat.com> Date: Fri, 8 Jul 2016 11:41:43 -0400 Subject: [PATCH] Fix several small typos --- ipatests/test_

[Freeipa-devel] [DESIGN] Text-based rules for CSR autogeneration using Jinja2

2016-07-19 Thread Ben Lipton
Hi, I have updated the design page http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation/Mapping_Rules with my plan for implementing user-configurable rules for mapping IPA data into certificate requests. In brief: we will use Jinja2 for templating. Data rules (which map

Re: [Freeipa-devel] [DESIGN] Text-based rules for CSR autogeneration using Jinja2

2016-07-20 Thread Ben Lipton
On 07/20/2016 06:27 AM, Simo Sorce wrote: On Tue, 2016-07-19 at 16:20 -0400, Ben Lipton wrote: Hi, I have updated the design page http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation/Mapping_Rules with my plan for implementing user-configurable rules for mapping IPA data

Re: [Freeipa-devel] [DESIGN] Text-based rules for CSR autogeneration using Jinja2

2016-07-20 Thread Ben Lipton
On 07/20/2016 12:21 PM, Simo Sorce wrote: On Wed, 2016-07-20 at 12:14 -0400, Ben Lipton wrote: On 07/20/2016 10:37 AM, Simo Sorce wrote: On Wed, 2016-07-20 at 10:17 -0400, Ben Lipton wrote: On 07/20/2016 06:27 AM, Simo Sorce wrote: On Tue, 2016-07-19 at 16:20 -0400, Ben Lipton wrote: Hi, I

Re: [Freeipa-devel] [DESIGN] Text-based rules for CSR autogeneration using Jinja2

2016-07-20 Thread Ben Lipton
On 07/20/2016 10:37 AM, Simo Sorce wrote: On Wed, 2016-07-20 at 10:17 -0400, Ben Lipton wrote: On 07/20/2016 06:27 AM, Simo Sorce wrote: On Tue, 2016-07-19 at 16:20 -0400, Ben Lipton wrote: Hi, I have updated the design page http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Gene

Re: [Freeipa-devel] [PATCH] 0001: Silence sshd messages during install

2016-07-07 Thread Ben Lipton
Thanks for the review! Comments below. On 07/01/2016 07:42 AM, Martin Basti wrote: On 29.06.2016 20:46, Ben Lipton wrote: The attached patch silences some annoying messages I've been getting when upgrading the freeipa-client package on F24: """ WARNING: 'UseLogin yes' i

Re: [Freeipa-devel] [WIP] Automatic CSR generation - first steps

2016-07-06 Thread Ben Lipton
to hearing your thoughts, either in the pull request or here on the mailing list. Thanks, Ben On 06/27/2016 01:44 PM, Ben Lipton wrote: My email client is playing tricks on me - https://github.com/LiptonB/freeipa/pull/2 is the correct link. On 06/27/2016 01:14 PM, Ben Lipton wrote: Hi, I have

Re: [Freeipa-devel] [PATCH] 0001: Silence sshd messages during install

2016-07-09 Thread Ben Lipton
On 07/07/2016 11:19 AM, Ben Lipton wrote: Thanks for the review! Comments below. On 07/01/2016 07:42 AM, Martin Basti wrote: On 29.06.2016 20:46, Ben Lipton wrote: The attached patch silences some annoying messages I've been getting when upgrading the freeipa-client package on F24

Re: [Freeipa-devel] [Design Review Request] V4/Automatic_Certificate_Request_Generation

2016-08-08 Thread Ben Lipton
On 07/25/2016 07:45 AM, Jan Cholasta wrote: On 25.7.2016 13:11, Alexander Bokovoy wrote: On Mon, 25 Jul 2016, Jan Cholasta wrote: On 20.7.2016 16:05, Ben Lipton wrote: Hi, Thanks very much for the feedback! Some responses below; I hope you'll let me know what you think of my reasoning

Re: [Freeipa-devel] [PATCH 0013-0015] Automatic CSR generation - usability improvements

2016-08-09 Thread Ben Lipton
Aaand there's a typo in patch 15. Updated version attached. On 08/09/2016 02:22 PM, Ben Lipton wrote: Hello, The attached patches improve upon my last patchset to: 0013: Add support for generating a full script that makes a CSR, rather than just a config, and use that support to automate

[Freeipa-devel] [PATCH] 0001: Silence sshd messages during install

2016-06-29 Thread Ben Lipton
" Since the script causing the message only looks at the return code from sshd to determine the right options to use, I thought it might be ok to discard the output. What do you think? Ben From bb102411cceb557d9869a384af7d7473483f8d9a Mon Sep 17 00:00:00 2001 From: Ben Lipton <blip...@redhat.com

Re: [Freeipa-devel] [PATCH 0004-0012] Automatic CSR generation

2016-08-16 Thread Ben Lipton
On 08/10/2016 08:52 AM, Ben Lipton wrote: The pull request at https://github.com/LiptonB/freeipa/pull/4/commits has been brought up to date (with a force push), and also includes 3 more patches, described below. The patchset is also attached. To make sure that everything applies, I just

Re: [Freeipa-devel] CSR autogeneration next steps

2017-02-04 Thread Ben Lipton
On 01/12/2017 04:35 AM, Jan Cholasta wrote: On 11.1.2017 00:38, Ben Lipton wrote: On 01/10/2017 01:58 AM, Jan Cholasta wrote: On 19.12.2016 21:59, Ben Lipton wrote: On 12/15/2016 11:11 PM, Ben Lipton wrote: On 12/12/2016 03:52 AM, Jan Cholasta wrote: On 5.12.2016 16:48, Ben Lipton wrote

Re: [Freeipa-devel] [PATCH 0004-0012] Automatic CSR generation

2016-08-03 Thread Ben Lipton
On 08/01/2016 11:57 PM, Fraser Tweedale wrote: On Fri, Jul 29, 2016 at 11:13:16AM -0400, Ben Lipton wrote: On 07/29/2016 09:39 AM, Petr Spacek wrote: On 27.7.2016 19:06, Ben Lipton wrote: Hi all, I think the automatic CSR generation feature (https://fedorahosted.org/freeipa/ticket/4899, http

Re: [Freeipa-devel] [DESIGN] Text-based rules for CSR autogeneration using Jinja2

2016-09-01 Thread Ben Lipton
On 07/27/2016 02:42 PM, Ben Lipton wrote: On 07/21/2016 11:43 AM, Petr Spacek wrote: Besides this nit, http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation/Mapping_Rules#Planned_implementation sounds reasonable. I like how it prevents bad data from template-injection

Re: [Freeipa-devel] [DESIGN] Text-based rules for CSR autogeneration using Jinja2

2016-09-02 Thread Ben Lipton
On 09/02/2016 05:04 AM, Petr Spacek wrote: On 2.9.2016 04:19, Ben Lipton wrote: On 07/27/2016 02:42 PM, Ben Lipton wrote: On 07/21/2016 11:43 AM, Petr Spacek wrote: Besides this nit, http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation/Mapping_Rules#Planned_implementation

Re: [Freeipa-devel] Github review feature

2016-09-19 Thread Ben Lipton
On 09/16/2016 03:17 AM, Martin Basti wrote: Sorry for stealing your thread, but you started asking about github review emails :) Standard review inline comments are disabled on purpose, each comment generates one email, so we decided that is better after review to write a regular comment

Re: [Freeipa-devel] [freeipa PR#10] Client-side CSR autogeneration (comment)

2016-09-15 Thread Ben Lipton
On 09/15/2016 02:12 AM, jcholast wrote: jcholast commented on a pull request """ In addition to my inline comments above: 1. "Certificate mapping" does not really evoke "certificate request templating" to me, and is also used in the context of mapping identities to certificates. Could we use

Re: [Freeipa-devel] [Design Review Request] V4/Automatic_Certificate_Request_Generation

2016-08-27 Thread Ben Lipton
On 08/25/2016 04:11 PM, Rob Crittenden wrote: Ben Lipton wrote: On 08/23/2016 03:54 AM, Jan Cholasta wrote: On 8.8.2016 22:23, Ben Lipton wrote: On 07/25/2016 07:45 AM, Jan Cholasta wrote: On 25.7.2016 13:11, Alexander Bokovoy wrote: On Mon, 25 Jul 2016, Jan Cholasta wrote: On 20.7.2016 16

Re: [Freeipa-devel] [PATCH 0004-0012] Automatic CSR generation

2016-08-22 Thread Ben Lipton
On 08/16/2016 03:04 PM, Martin Kosek wrote: On 08/16/2016 08:12 PM, Alexander Bokovoy wrote: On Tue, 16 Aug 2016, Ben Lipton wrote: On 08/10/2016 08:52 AM, Ben Lipton wrote: The pull request at https://github.com/LiptonB/freeipa/pull/4/commits has been brought up to date (with a force push

Re: [Freeipa-devel] [Design Review Request] V4/Automatic_Certificate_Request_Generation

2016-08-25 Thread Ben Lipton
On 08/23/2016 03:54 AM, Jan Cholasta wrote: On 8.8.2016 22:23, Ben Lipton wrote: On 07/25/2016 07:45 AM, Jan Cholasta wrote: On 25.7.2016 13:11, Alexander Bokovoy wrote: On Mon, 25 Jul 2016, Jan Cholasta wrote: On 20.7.2016 16:05, Ben Lipton wrote: Hi, Thanks very much for the feedback

Re: [Freeipa-devel] [Design Review Request] V4/Automatic_Certificate_Request_Generation

2016-10-20 Thread Ben Lipton
On 10/17/2016 02:16 AM, Jan Cholasta wrote: On 13.10.2016 17:23, Ben Lipton wrote: Thank you, this was a really helpful clarification of your point. Comments below. Once again, I'm sorry I missed the email for so long. Ben On 09/05/2016 06:52 AM, Jan Cholasta wrote: On 27.8.2016 22:40, Ben

[Freeipa-devel] CSR autogeneration next steps

2016-11-02 Thread Ben Lipton
Hi everybody, Soon I'm going to have to reduce the amount of time I spend on new development work for the CSR autogeneration project, and I want to leave the project in as organized a state as possible. So, I'm taking inventory of the work I've done in order to make sure that what's ready

Re: [Freeipa-devel] [Design Review Request] V4/Automatic_Certificate_Request_Generation

2016-11-02 Thread Ben Lipton
On 10/20/2016 03:52 PM, Ben Lipton wrote: On 10/17/2016 02:16 AM, Jan Cholasta wrote: On 13.10.2016 17:23, Ben Lipton wrote: Thank you, this was a really helpful clarification of your point. Comments below. Once again, I'm sorry I missed the email for so long. Ben On 09/05/2016 06:52 AM, Jan

Re: [Freeipa-devel] [Design Review Request] V4/Automatic_Certificate_Request_Generation

2016-10-13 Thread Ben Lipton
Thank you, this was a really helpful clarification of your point. Comments below. Once again, I'm sorry I missed the email for so long. Ben On 09/05/2016 06:52 AM, Jan Cholasta wrote: On 27.8.2016 22:40, Ben Lipton wrote: On 08/25/2016 04:11 PM, Rob Crittenden wrote: Ben Lipton wrote

[Freeipa-devel] Travis CI unexpected PEP8 errors

2016-12-13 Thread Ben Lipton
Hi all, I'm pretty sure this is unrelated to the CI issues discussed in other threads recently, but they reminded me that I've been having this odd issue. https://travis-ci.org/freeipa/freeipa/jobs/183756995 is the most recent run on my pull request,

Re: [Freeipa-devel] Travis CI unexpected PEP8 errors

2016-12-15 Thread Ben Lipton
On 12/14/2016 03:42 AM, Martin Babinsky wrote: On 12/14/2016 09:00 AM, Standa Laznicka wrote: On 12/14/2016 02:53 AM, Ben Lipton wrote: Hi all, I'm pretty sure this is unrelated to the CI issues discussed in other threads recently, but they reminded me that I've been having this odd issue

Re: [Freeipa-devel] CSR autogeneration next steps

2016-12-15 Thread Ben Lipton
On 12/12/2016 03:52 AM, Jan Cholasta wrote: On 5.12.2016 16:48, Ben Lipton wrote: Hi Jan, thanks for the comments. On 12/05/2016 04:25 AM, Jan Cholasta wrote: Hi Ben, On 3.11.2016 00:12, Ben Lipton wrote: Hi everybody, Soon I'm going to have to reduce the amount of time I spend on new

Re: [Freeipa-devel] CSR autogeneration next steps

2017-01-10 Thread Ben Lipton
On 01/10/2017 01:58 AM, Jan Cholasta wrote: On 19.12.2016 21:59, Ben Lipton wrote: On 12/15/2016 11:11 PM, Ben Lipton wrote: On 12/12/2016 03:52 AM, Jan Cholasta wrote: On 5.12.2016 16:48, Ben Lipton wrote: Hi Jan, thanks for the comments. On 12/05/2016 04:25 AM, Jan Cholasta wrote: Hi

Re: [Freeipa-devel] CSR autogeneration next steps

2016-12-05 Thread Ben Lipton
Hi Jan, thanks for the comments. On 12/05/2016 04:25 AM, Jan Cholasta wrote: Hi Ben, On 3.11.2016 00:12, Ben Lipton wrote: Hi everybody, Soon I'm going to have to reduce the amount of time I spend on new development work for the CSR autogeneration project, and I want to leave the project

Re: [Freeipa-devel] CSR autogeneration next steps

2016-12-19 Thread Ben Lipton
On 12/15/2016 11:11 PM, Ben Lipton wrote: On 12/12/2016 03:52 AM, Jan Cholasta wrote: On 5.12.2016 16:48, Ben Lipton wrote: Hi Jan, thanks for the comments. On 12/05/2016 04:25 AM, Jan Cholasta wrote: Hi Ben, On 3.11.2016 00:12, Ben Lipton wrote: Hi everybody, Soon I'm going to have