On 2015-05-27 15:16, Christian Heimes wrote:
Hello,
here is my first patch for FreeIPA. The patch integrates python-kdcproxy
for MS-KKDCP support (aka Kerberos over HTTPS).
https://www.freeipa.org/page/V4/KDC_Proxy
Ticket: https://fedorahosted.org/freeipa/ticket/4801
freeipa-cheimes
On 2015-06-22 16:22, Nathaniel McCallum wrote:
On Mon, 2015-06-22 at 10:10 -0400, Simo Sorce wrote:
On Mon, 2015-06-22 at 10:01 -0400, Nathaniel McCallum wrote:
I'd still prefer a user mapping to managing a keytab. This patch is
just way too complex for what it does.
User mapping ?
On 2015-06-23 16:55, Nathaniel McCallum wrote:
- Original Message -
Ah, got it!
What's the simplest way to download and test the new package on my VM?
Download the package from koji.
http://koji.fedoraproject.org/koji/packageinfo?packageID=19292
Ah, that's much simpler than
On 2015-06-23 11:37, Christian Heimes wrote:
Hi,
I've created a new patch that implements the KDC switch as a
ExecStartPre hook in httpd.service.
My patch has a bug. Apache's SetEnv doesn't set an operating system env
var. The information is only available as WSGI env var.
I'm going to set
This is hopefully the final patch. I've tested a fresh installation and
upgrade from 4.2 alpha 1.
Christian
From f503bb15304edea863ba1bad91657b1f880f0e4b Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Tue, 23 Jun 2015 17:01:00 +0200
Subject: [PATCH] Provide Kerberos over
On 2015-06-23 14:58, Nathaniel McCallum wrote:
I agree. One other small nitpick is that the python-kdcproxy dependency
is still wrong. Please make it depend on 0.3. 0.3 is already in RHEL
and Fedora. The only remaining step here is to push python-kdcproxy in
the same update as the next FreeIPA
On 2015-06-23 14:56, Simo Sorce wrote:
Why are you using #!/usr/bin/env python2.7 ?
We do not use this idiom, as it breaks in some cases, at most in some
sources that are v2 only we use #!/usr/bin/python2, please change it.
Force of habit. I'm used to using /usr/bin/env in my own packages.
On 2015-06-23 15:14, Nathaniel McCallum wrote:
On Tue, 2015-06-23 at 15:11 +0200, Christian Heimes wrote:
On 2015-06-23 14:58, Nathaniel McCallum wrote:
I agree. One other small nitpick is that the python-kdcproxy
dependency
is still wrong. Please make it depend on 0.3. 0.3 is already
,
right?
head - desk!
Of course you are right. The old code ran the update code. I fixed it.
Rob also suggested that I use .uldif as prefix. My LDIFs aren't strictly
LDIFs because they use dynamic templates.
From 93cc97a9ffdf0d76c377b731d418999d95fe299a Mon Sep 17 00:00:00 2001
From: Christian Heimes
On 2015-06-23 19:55, Nathaniel McCallum wrote:
The behavior I'm worried about here is this:
1. Admin installs or updates FreeIPA (w/ kdcproxy)
2. Admin disables kdcproxy
3. Admin updates to the next version
After step #3, is kdcproxy enabled or disabled? I don't have a clear answer
to
On 2015-06-25 06:04, Martin Kosek wrote:
We need to make sure it is at least in
https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/builds/
https://copr.fedoraproject.org/coprs/mkosek/freeipa-master/builds/
I started the COPR builds based on the F22 SRPMs.
Thanks Martin!
You can
Hi,
today my patch for Kerberos over HTTP landed in FreeIPA. It introduces a
new dependency on python-kdcproxy 0.3. The package is not yet
available from the official repositories. You can download it from Koji:
http://koji.fedoraproject.org/koji/packageinfo?packageID=19292
F21 builds are
on the current host:
# ipa-ldap-updater /usr/share/ipa/kdcproxy-enable.ldif
# systemctl restart httpd.service
Regards,
Christian
From b860590e6859fc0edcd9543b1a0dc6e58d93afa6 Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Tue, 23 Jun 2015 11:09:46 +0200
Subject: [PATCH] Provide
On 2015-06-17 18:09, Nathaniel McCallum wrote:
* There is a new permission: Read IPA Masters KDC Proxy. Is this
necessary. Can't the config be world-readable and admin writable? There
is no extra security in hiding this attribute. This also completely
removes the need for a keytab since
On 2015-06-22 16:01, Nathaniel McCallum wrote:
I'd still prefer a user mapping to managing a keytab. This patch is just way
too complex for what it does.
I don't get what you mean with 'user mapping'. Are you referring to
EXTERNAL bind over ldapi?
On 2015-06-12 23:58, Adam Young wrote:
So...I've been spoiled a bit by Gerrit. Here is what I just did to get
them to apply:
cd freeipa
git clean -xdf .
#use the -3 to do 3 way merge
git am -3
On 2015-06-17 18:09, Nathaniel McCallum wrote:
On Fri, 2015-06-12 at 17:58 -0400, Adam Young wrote:
On 06/12/2015 03:40 PM, Nathaniel McCallum wrote:
It doesn't apply again.
On Tue, 2015-06-09 at 15:55 +0200, Christian Heimes wrote:
On 2015-05-27 15:16, Christian Heimes wrote:
Hello,
here
On 2015-05-27 11:59, Martin Kosek wrote:
On 05/27/2015 11:53 AM, Alexander Bokovoy wrote:
On Wed, 27 May 2015, Martin Kosek wrote:
On 05/26/2015 05:40 PM, Jan Cholasta wrote:
On 22.5.2015 at 12:24 Christian Heimes wrote:
...
Finally I haven't figured out the best way to configure
account
The KDC Proxy WSGI app now uses a separate user account to run the
daemon process. The keytab is only readable by that user, too.
From 32b64b8b385853c04158596d010bb8977e2e03a8 Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Thu, 21 May 2015 12:42:27 +0200
Subject
On 2015-05-27 15:51, Nathaniel McCallum wrote:
As I understand the problem, there is an assumption that an optional
component has a distinct service to start and stop. That is not the
case here. This is just new config for apache.
More details:
The KDC Proxy uses the same Apache instance as
On 2015-05-27 14:47, Petr Vobornik wrote:
Install/uninstall is not the same thing as enable/disable. Installation
is a set of steps which first configures and then (optionally) enables
the component.
E.g:
1. modify configuration file(s), ldap entries
2. run something which starts the
:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Thu, 21 May 2015 12:42:27 +0200
Subject: [PATCH] Provide Kerberos over HTTP (MS-KKDCP)
Add integration of python-kdcproxy into FreeIPA to support the MS
Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD
client requests over
On 2015-05-27 15:41, Petr Vobornik wrote:
It would be great to have a privileged daemon which could observe
replicated configuration and perform such tasks on all servers, so we
would eliminate manual tasks (and the errors and misconceptions which are
caused by forgotten manual tasks) as much as
On 2015-05-28 10:02, Jan Cholasta wrote:
The python-kdcproxy package is a new dependency for the freeipa-server
package. It will always get installed with the server.
Why? None of the IPA core functionality depends on it, so it should be
optional. Also the overall trend in IPA is to have
On 2015-05-28 07:32, Jan Cholasta wrote:
On 27.5.2015 at 16:01 Christian Heimes wrote:
On 2015-05-27 15:51, Nathaniel McCallum wrote:
As I understand the problem, there is an assumption that an optional
component has a distinct service to start and stop. That is not the
case here
On 2015-05-28 13:30, Jan Cholasta wrote:
On 28.5.2015 at 12:53 Christian Heimes wrote:
On 2015-05-28 12:46, Martin Kosek wrote:
I am fine with this too. So if there is not another major
disagreement, let us
start with enabling KDCPROXY by default during upgrade/install, the
new ACI
Hello,
thank you for your input. The former thread has 58 messages in total.
Since last Friday we have come to an agreement on most points. I'd like to
sum up our decisions and focus on some minor details.
decisions
-
python-kdcproxy will be installed as a dependency of freeipa-server.
On 2015-05-28 16:53, Simo Sorce wrote:
We can't have 2 different keytabs with the same principal name.
If we need privilege separation we'll have to work on integrating
GSS-Proxy and give the keytab only to GSS-Proxy leaving it off the hands
of both the framework, the proxy, and apache itself.
On 2015-05-28 16:48, Nathaniel McCallum wrote:
An apache module would also provide similar benefits. I'm not sure I
necessarily want to stick with python here if we're optimizing for
performance. Another option would be to add it to the KDC itself and
proxy through Apache like we do for
On 2015-05-28 17:10, Simo Sorce wrote:
On Thu, 2015-05-28 at 17:00 +0200, Christian Heimes wrote:
On 2015-05-28 16:53, Simo Sorce wrote:
We can't have 2 different keytabs with the same principal name.
If we need privilege separation we'll have to work on integrating
GSS-Proxy and give
On 2015-05-28 13:29, Martin Basti wrote:
On 28/05/15 12:53, Christian Heimes wrote:
On 2015-05-28 12:46, Martin Kosek wrote:
I am fine with this too. So if there is not another major disagreement, let
us
start with enabling KDCPROXY by default during upgrade/install, the new ACI
On 2015-06-29 17:28, Petr Vobornik wrote:
On 06/29/2015 03:22 PM, Fraser Tweedale wrote:
On Mon, Jun 29, 2015 at 10:54:50AM +0200, Christian Heimes wrote:
Hello,
the attached patch fixes the first bug, that was reported by Fraser
today. installutils.remove_file() uses os.path.exists
Hello,
since May 1st I have been a new Red Hat employee and developer with the FreeIPA
team. Some of you may already recognize my name from my contributions to
CPython core, Python security and TLS/SSL improvements, or a couple of
PEPs. I'm very glad that I can now work on Open Source as a full time
job.
On 2015-05-22 13:02, Martin Kosek wrote:
The original proposal was to do it globally in cn=config. But if it is
about to be stored in the cn=masters, per-replica, this looks as the
right way.
My first proposal used cn=ipaConfig,cn=etc because it was the first
place I found. It took me a bit to
On 2015-05-22 14:02, Petr Vobornik wrote:
Actually the service part of IPA servers is not covered in the
proposal. The proposal just says that it can be added later.
There will be question if it should even be called services. Maybe
capabilities would be better term given that KDC Proxy is
On 2015-05-26 15:57, Nathaniel McCallum wrote:
/KdcProxy
The URI uses the virtual directory /KdcProxy unless otherwise
configured.
https://msdn.microsoft.com/en-us/library/hh553891.aspx
Also, the proxy should be available over both HTTP and HTTPS.
Easy-peasy! I'm using /KdcProxy
On 2015-05-26 16:24, Martin Kosek wrote:
On 05/26/2015 04:17 PM, Christian Heimes wrote:
On 2015-05-26 15:57, Nathaniel McCallum wrote:
/KdcProxy
The URI uses the virtual directory /KdcProxy unless otherwise
configured.
https://msdn.microsoft.com/en-us/library/hh553891.aspx
Also
On 2015-05-26 16:50, Nathaniel McCallum wrote:
Right. So as I see it, we have three options:
1. Merge kdcproxy soon with a global switch.
A. Build per-replica switches later.
B. Never build per-replica switches.
2. Merge kdcproxy later with per-replica switches.
I don't think having
On 2015-05-26 17:11, Nathaniel McCallum wrote:
I don't want to add code that:
1. is half-baked
2. we aren't committed to supporting.
I'd rather land per-replica switches as a separate commit with
everything polished and supportable.
Well then ... I'm going to remove the code for
Hello,
I'd like to ask for your opinion regarding the pre-exec hook
'ipa-httpd-kdcproxy' in httpd.service. Alex has asked me to handle error
cases like LDAP connection timeout more gracefully. At the moment any
error causes the script to return a non-zero exit code. This breaks the
service and
2001
From: Christian Heimes chei...@redhat.com
Date: Tue, 7 Jul 2015 15:10:28 +0200
Subject: [PATCH] otptoken: use ipapython.nsslib instead of Python's ssl module
The otptoken plugin is the only module in FreeIPA that uses Python's ssl
module instead of NSS. The patch replaces ssl
On 2015-08-13 12:10, Petr Vobornik wrote:
On 07/23/2015 08:38 PM, Christian Heimes wrote:
The ipa vault commands now load the public keys in order to verify them.
The validation also prevents a user from accidentally sending her
private keys to the server. The patch fixes #5142 and #5142
On 2015-08-13 14:05, Petr Vobornik wrote:
On 08/13/2015 12:38 PM, Christian Heimes wrote:
On 2015-08-13 12:10, Petr Vobornik wrote:
On 07/23/2015 08:38 PM, Christian Heimes wrote:
The ipa vault commands now load the public keys in order to verify
them.
The validation also prevents a user
a6eb87a73c1462a4de516f19b219b51e415852e5 Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Wed, 19 Aug 2015 13:32:01 +0200
Subject: [PATCH] Add flag to list all service and user vaults
The vault-find plugin has two additional arguments to list all
service vaults or user vaults
On 2015-08-21 12:55, Petr Viktorin wrote:
On 08/14/2015 07:44 PM, Petr Viktorin wrote:
Hello,
These patches bring IPA another step towards compatibility with Python 3.
Most of these were made by fixers from the python-modernize tool, but
I reviewed and edited the results.
Here are the
On 2015-06-29 07:31, Fraser Tweedale wrote:
Hi Christian,
With the kdcproxy change landed, if IPA has been installed and then
uninstalled, and then freeipa-server package erased or downgraded,
the /etc/httpd/conf.d/ipa-kdc-proxy.conf symlink remains, and is
broken, resulting in an inability
: Christian Heimes chei...@redhat.com
Date: Mon, 29 Jun 2015 10:45:15 +0200
Subject: [PATCH] Fix removal of ipa-kdc-proxy.conf symlink
installutils.remove_file() ignored broken symlinks. Now it uses
os.path.lexists() to detect and also remove dangling symlinks.
---
ipaserver/install
2001
From: Christian Heimes chei...@redhat.com
Date: Tue, 28 Jul 2015 16:12:40 +0200
Subject: [PATCH] Change internal rsa_(public|private)_key variable names
In two places the vault plugin refers to rsa public or rsa private key
although the code can handle just any kind of asymmetric algorithms,
e.g
file can't be, an internal error was raised. The patch wraps all reads
and turns any IOError and UnicodeError into a ValidationError.
https://fedorahosted.org/freeipa/ticket/5155
From 71b3fcd6862bae2bfc6ea3e6fd38014ed77d4bac Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date
Hello,
While I was working on the ticket
https://fedorahosted.org/freeipa/ticket/5155, I noticed a couple of
additional places that may raise an IOError. Instead of a File()
parameter, the vault plugin uses a Str() parameter in combination with
open() to read files.
For passwords I can mostly
On 2015-07-30 15:06, Michael Šimáček wrote:
I didn't use ctypes, because it was advised against on this list:
https://www.redhat.com/archives/freeipa-devel/2012-February/msg00268.html
For the tests it's probably fine, but so is using klist.
It would actually help a lot with getting the default
On 2015-07-30 14:37, Jan Cholasta wrote:
Hi,
On 30.7.2015 at 14:07 Christian Heimes wrote:
Hello,
While I was working on the ticket
https://fedorahosted.org/freeipa/ticket/5155, I noticed a couple of
additional places that may raise an IOError. Instead of a File()
parameter
On 2015-07-29 10:09, Michael Šimáček wrote:
GSSAPI doesn't provide any method (that I'm aware of) to get default
ccache name. In most cases this is not needed as we can simply not pass
any name and it will use the default. The ldap plugin had to be adjusted
for this - the connect method now
Python 3 porting mode for make-lint
http://docs.pylint.org/features.html#general-options
From eb0565a16934a85df5075a6389dc49239e08f699 Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Mon, 3 Aug 2015 11:18:03 +0200
Subject: [PATCH] make-lint Python 3 porting mode
pylint
On 2015-07-31 23:14, Simo Sorce wrote:
On Fri, 2015-07-31 at 19:14 +0200, Petr Viktorin wrote:
Hello,
Here is a batch of mostly mechanical changes: removing deprecated
features to prepare for Python 3.
Do we have accompanying lint (or similar) tests that will prevent new
patches from
On 2015-08-03 11:30, Jan Cholasta wrote:
Hi,
On 3.8.2015 at 11:22 Christian Heimes wrote:
Python 3 porting mode for make-lint
http://docs.pylint.org/features.html#general-options
I would rather wait until all the modernization patches are pulled in
and then make the porting mode
On 2015-07-31 19:14, Petr Viktorin wrote:
Hello,
Here is a batch of mostly mechanical changes: removing deprecated
features to prepare for Python 3.
Out of curiosity, what tool did you use for patch 695-absolute-imports?
Python-modernize adds from __future__ import absolute_imports and
changes
callback?
(can find it in dns plugin, search for context)
Sounds good to me!
Christian
PS: Context is a fancy name for a TLS dict. ;)
From 1c7a67f331fb7d07f1e306e292e97b1df810958c Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Thu, 23 Jul 2015 17:48:56 +0200
Subject
On 2015-08-12 18:10, Tomas Babej wrote:
On 08/10/2015 05:39 PM, Petr Viktorin wrote:
On 08/03/2015 11:07 AM, Christian Heimes wrote:
On 2015-07-31 19:14, Petr Viktorin wrote:
Hello,
Here is a batch of mostly mechanical changes: removing deprecated
features to prepare for Python 3.
Out
On 2015-07-22 20:23, Nathaniel McCallum wrote:
Related: CVE-2015-5159
https://bugzilla.redhat.com/show_bug.cgi?id=1245200
The patch prevents a flood attack but I consider it more a workaround than
a solution. I'll update kdcproxy tomorrow.
Christian
On 2015-07-22 20:38, Nathaniel McCallum wrote:
On Wed, 2015-07-22 at 20:34 +0200, Christian Heimes wrote:
On 2015-07-22 20:23, Nathaniel McCallum wrote:
Related: CVE-2015-5159
https://bugzilla.redhat.com/show_bug.cgi?id=1245200
The patch prevents a flood attack but I consider it more
On 2015-07-24 05:15, Fraser Tweedale wrote:
diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py
index
5550ed942521dbab2e783fba1570520268f9b378..fe8934690fe09499f0bacb6610d9815a2b4367a4
100644
--- a/ipalib/plugins/certprofile.py
+++ b/ipalib/plugins/certprofile.py
@@
Hello,
while I was working on https://fedorahosted.org/freeipa/ticket/5142 and
patch 019, I noticed the variable names rsa_public_key and
rsa_private_key in vault.py. load_pem_public_key() can load and return
other key formats (DSA, ECDSA), too. Does vault mean to support the
other algorithms?
the mechanism to krb5 and removes ntlmssp and
iakerb support from Apache's ipa.conf.
The new feature was added to mod_auth_gssapi 1.3.0.
https://fedorahosted.org/freeipa/ticket/5114
From 758fd87a9e8a72412a9e3111e1564a4d875fec07 Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Fri
44212c91336f2dfbfdc1b6cefea3f928ba9074e9 Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Thu, 23 Jul 2015 17:48:56 +0200
Subject: [PATCH] certprofile-import: do not require profileId in profile data
certprofile-import no longer requires profileId in profile data. Instead
The certprofile-import plugin expects a raw Dogtag config file. The XML
format is not supported. --help gives a hint about the correct file format.
https://fedorahosted.org/freeipa/ticket/5089
From 1344425af2886797ec9cef40a325e56a8d1752eb Mon Sep 17 00:00:00 2001
From: Christian Heimes chei
mykey.pem
ipa: ERROR: invalid 'ipavaultpublickey': Invalid or unsupported vault
public key: Could not unserialize key data.
https://fedorahosted.org/freeipa/ticket/5142
https://fedorahosted.org/freeipa/ticket/5143
From fd380c4539fdd18a7d10786230c15a259b097af6 Mon Sep 17 00:00:00 2001
From: Christian
On 2015-07-23 11:06, Alexander Bokovoy wrote:
On Thu, 23 Jul 2015, Christian Heimes wrote:
This patch removes the dependency on M2Crypto in favor of cryptography.
Cryptography is more strict about the key size and doesn't support
non-standard key sizes:
from M2Crypto import RC4
from
On 2015-07-23 10:54, Jan Cholasta wrote:
Hi,
On 23.7.2015 at 10:43 Christian Heimes wrote:
This patch removes the dependency on M2Crypto in favor of cryptography.
Cryptography is more strict about the key size and doesn't support
non-standard key sizes:
from M2Crypto import RC4
from
://cryptography.readthedocs.org/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.ARC4
https://fedorahosted.org/freeipa/ticket/5148
From da4aa9baa932e335ad0bd0f3cfe2551667c7ca76 Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Tue, 21 Jul 2015 15:18:40
Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Thu, 23 Jul 2015 12:20:49 +0200
Subject: [PATCH] Require Dogtag PKI = 10.2.6
Dogtag 10.2.6 comes with two fixes for cloning from 9.x to 10.x
instances:
https://fedorahosted.org/pki/ticket/1495
https://fedorahosted.org
('num', 'messages')
Christian
From 6b57eb232641370f7d91febdc663bfcc62a795e7 Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Mon, 13 Jul 2015 14:02:29 +0200
Subject: [PATCH] Remove tuple unpacking from except clause
Python 3 doesn't support tuple unpacking in except clauses
On 2015-07-13 15:21, Tomas Babej wrote:
On 07/13/2015 02:59 PM, Rob Crittenden wrote:
Christian Heimes wrote:
The patch replaces implicit tuple unpacking from except clauses with
explicit unpacking of the exception objects' args attribute.
Example:
e = RuntimeError('num', 'messages
have a look at the patches. I have split the patch into four
files, one for every file. Is that right?
Christian
From 995001a2960da3482300791baa4a8cbf5b325fc7 Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Tue, 14 Jul 2015 10:49:39 +0200
Subject: [PATCH 07/10] Remove tuple
The patch replaces file() with open() and a proper with statement.
The patch is related to https://fedorahosted.org/freeipa/ticket/5127
Christian
From db8e96818344b5d9c59789b1a77abc0f958873a0 Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Tue, 14 Jul 2015 13:18:55 +0200
On 2015-07-14 13:24, Christian Heimes wrote:
The patch replaces file() with open() and a proper with statement.
The patch is related to https://fedorahosted.org/freeipa/ticket/5127
Christian
The first patch has a typo.
Note to self: save file first, then commit
Christian
From
a67beee26511750e73b0132f08683bcab8a26c76 Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Wed, 15 Jul 2015 21:49:16 +0200
Subject: [PATCH] Create pkiuser user and group during installation
The group 'pkiuser' and user 'pkiuser' are now created during the
installation of the pki-server package
On 2015-07-16 12:51, Christian Heimes wrote:
Hi,
the patch fixes the SELinux denial for kdcproxy's home directory. I have
successfully tested a migration from FreeIPA 4.1. The user, group and
home directory are successfully created with the correct permissions.
https://fedorahosted.org
On 2015-07-16 13:46, Tomas Babej wrote:
On 07/16/2015 01:35 PM, Christian Heimes wrote:
On 2015-07-16 12:51, Christian Heimes wrote:
Hi,
the patch fixes the SELinux denial for kdcproxy's home directory. I have
successfully tested a migration from FreeIPA 4.1. The user, group and
home
On 2015-07-07 18:40, Christian Heimes wrote:
Hello,
the patch removes the dependency on Python's ssl module and
python-backports-ssl_match_hostname.
https://fedorahosted.org/freeipa/ticket/5068
Open question
-
Is paths.IPA_NSSDB_DIR the correct NSSDB?
My patch hasn't been
On 2015-07-14 13:56, Jan Cholasta wrote:
Hi,
the attached patch fixes client-only builds.
LGTM.
I didn't know about the difference between server and client-only
builds. Thanks for the fix!
2015 19:14:42 +0300
Subject: [PATCH] Fix minor typos
ame - name
overriden - overridden
ablity - ability
enties - entries
the the - the
https://fedorahosted.org/freeipa/ticket/5109
Reviewed-By: Christian Heimes chei...@redhat.com
---
daemons/ipa-slapi-plugins/ipa-dns/ipa_dns.c| 2
On 2015-07-20 15:23, Alexander Bokovoy wrote:
Hi,
this patch fixes Coverity CID 13130. The bug turned out to be impossible
to cause crash in 389-ds externally because all conditions that could
cause not to properly allocate req could not be influenced via extended
operation (req could be
On 2015-07-21 14:02, Michael Simacek wrote:
Hi,
This is a first part of my effort to port FreeIPA from Python3-incompatible
Kerberos libraries to python-gssapi. This patch should replace python-kerberos
with python-gssapi (both use C GSSAPI behind the scenes).
def
On 2015-10-09 15:11, Jan Cholasta wrote:
> On 9.10.2015 15:00, Christian Heimes wrote:
>> On 2015-10-09 13:21, Jan Orel wrote:
>>> Hello,
>>>
>>> this patch removes (IMHO) redundant check in cert_show, which fails when
>>> host tries to re-submit c
On 2015-07-07 15:41, Simo Sorce wrote:
On Tue, 2015-07-07 at 08:48 -0400, Nathaniel McCallum wrote:
On Jul 6, 2015, at 11:35 AM, Christian Heimes chei...@redhat.com wrote:
Hello,
I'd like to ask for your opinion regarding the pre-exec hook
'ipa-httpd-kdcproxy' in httpd.service. Alex has asked
Hi,
the patch addresses the error handling of ipa-httpd-kdcproxy as
discussed in the other thread.
Christian
From 85dc0cc3f597accdee6f6de9d7b4d41b2173a8d9 Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Tue, 7 Jul 2015 16:05:48 +0200
Subject: [PATCH] Improve error
, changed
the port back to 389 and started DS again, ipa-server-upgrade worked again.
Christian
From 90c77671a3f8969adb06d7c6092369e90acfd59b Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Fri, 10 Jul 2015 18:18:29 +0200
Subject: [PATCH] Start dirsrv for kdcproxy upgrade
The ipa-httpd-kdcproxy script now handles LDAP timeout errors correctly.
A timeout no longer results in an Apache startup error.
https://fedorahosted.org/freeipa/ticket/5292
From 7ae756234534f0c6e750b5820733c6c5cb0682c6 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.
On 2015-09-10 14:58, Rob Crittenden wrote:
> Christian Heimes wrote:
>> The ipa-httpd-kdcproxy script now handles LDAP timeout errors correctly.
>> A timeout no longer results in an Apache startup error.
>>
>> https://fedorahosted.org/freeipa/ticket/529
On 2015-09-30 08:05, Alexander Bokovoy wrote:
> On Tue, 29 Sep 2015, Brian Stinson wrote:
>> Hi FreeIPA!
>>
>> We are starting a working group of member projects looking to solve
>> problems
>> related to Community Authentication. The FreeIPA Community Portal
>> feature added
>> this summer is one
On 2015-09-23 12:40, Jan Cholasta wrote:
> On 23.9.2015 11:44, Christian Heimes wrote:
>> On 2015-09-23 10:54, Jan Cholasta wrote:
>>>> Correction, the HTTP server works, but it spits lots of errors in
>>>> error_log about /var/lib/kdcproxy not existing.
On 2015-09-23 10:54, Jan Cholasta wrote:
>> Correction, the HTTP server works, but it spits lots of errors in
>> error_log about /var/lib/kdcproxy not existing.
>>
>> Is the KDCProxy supposed to be installed/enabled on upgrade ?
>> If not, why not ?
>> Even if it is not enabled, shouldn't the
by raising an ImportError.
From 5ac052f085c74f058703c5da29d59849c11e571f Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Thu, 3 Dec 2015 14:26:19 +0100
Subject: [PATCH 26/26] Workarounds for SELinux execmem violations in
cryptography
ipaserver.dcerpc uses M2Crypto
On 2015-12-07 16:17, Alexander Bokovoy wrote:
> On Mon, 07 Dec 2015, Christian Heimes wrote:
>> The patch fixes SELinux violations in Fedora 23.
>>
>> Background: Recent versions of cryptography cause SELinux violation
>> which will lead to a segfault, see
>
On 2015-12-07 19:59, Petr Vobornik wrote:
> On 7.12.2015 16:26, Christian Heimes wrote:
>> On 2015-12-07 16:17, Alexander Bokovoy wrote:
>>> On Mon, 07 Dec 2015, Christian Heimes wrote:
>>>> The patch fixes SELinux violations in Fedora 23.
>>>>
On 2015-12-03 11:04, Jan Cholasta wrote:
> On 2.12.2015 13:44, Petr Spacek wrote:
>> On 2.12.2015 13:23, Jan Cholasta wrote:
>>> On 2.12.2015 12:54, Petr Spacek wrote:
>>>> On 2.12.2015 12:51, Christian Heimes wrote:
>>>>> On 2015-12-02 08:37,
In the case of a failed installation or uninstallation of a Dogtag
subsystem, the error output of pkispawn / pkidestroyed are now shown to
the user. It makes it more obvious what went wrong and makes it easier
to debug a problem.
The error handler also attempts to get the full name of the
Now the correct patch file instead of a vim swap file...
From 33be1f56a64e53d261a1058c4606a7e48c0aac52 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Tue, 1 Dec 2015 15:49:53 +0100
Subject: [PATCH 25] Improve error logging for Dogtag subsystem installation
In th
On 2015-12-02 08:37, Petr Spacek wrote:
> On 1.12.2015 18:42, Christian Heimes wrote:
>> From 33be1f56a64e53d261a1058c4606a7e48c0aac52 Mon Sep 17 00:00:00 2001
>> From: Christian Heimes <chei...@redhat.com>
>> Date: Tue, 1 Dec 2015 15:49:53 +0100
>> Subject: