Hi,
in ticket https://fedorahosted.org/freeipa/ticket/5538 Ludwig has
suggested to exclude Dogtag's o=ipaca tree from the changelog. Sometimes
vault-archive fails because of a failed write to the Retro Changelog.
The RetroCL was enabled in https://fedorahosted.org/freeipa/ticket/3967
for the
On 2016-01-05 11:30, Tomas Babej wrote:
>
>
> On 01/05/2016 08:54 AM, Jan Cholasta wrote:
>> Hi,
>>
>> the attached patch replaces the default_encoding_utf8 binary module with
>> 2 lines of equivalent Python code.
>>
>> Honza
>>
>>
>>
>
> This looks fine to me, however, I wonder, why this
The combination of a bug in Dogtag's sslget command and a new feature
in mod_nss causes an incomplete uninstallation of KRA. The bug has been
fixed in Dogtag 10.2.6-13.
https://fedorahosted.org/freeipa/ticket/5469
https://fedorahosted.org/pki/ticket/1704
Signed-off-by: Christian Heimes <c
On 2016-01-04 23:38, Nalin Dahyabhai wrote:
> On Mon, Dec 21, 2015 at 12:17:08PM +0530, Abhijeet Kasurde wrote:
>> Hi All,
>>
>> Please review patches attached.
>
> The port number should probably be changed from 749 to 464.
Nalin is correct. kpasswd and admin server use different ports:
$
On 2016-01-08 13:26, Martin Kosek wrote:
> Hi Fraser and other X.509 SMEs,
>
> I wanted to check with you on what we have or plan to have with respect to
> certificate/cipher strength in FreeIPA.
>
> When I visit the FreeIPA public demo for example, I usually see following
> errors with recent
On 2016-01-08 16:49, Petr Spacek wrote:
> On 8.1.2016 13:56, Fraser Tweedale wrote:
>> On Fri, Jan 08, 2016 at 01:26:57PM +0100, Martin Kosek wrote:
Hi Fraser and other X.509 SMEs,
I wanted to check with you on what we have or plan to have with respect to
certificate/cipher
On 2016-01-15 13:44, Tomas Babej wrote:
> Hi,
>
> For the dates older than 1900, Python is unable to convert the datetime
> representation to string using strftime:
>
> https://bugs.python.org/issue1777412
>
> Work around the issue adding a custom method to convert the datetime
> objects to
On 2016-01-18 17:28, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/5538
>
> Patch attached
ACK
signature.asc
Description: OpenPGP digital signature
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
On 2016-06-28 12:49, Martin Kosek wrote:
> On 06/28/2016 12:49 PM, Jan Cholasta wrote:
>> On 28.6.2016 12:33, Martin Kosek wrote:
>>> On 06/28/2016 12:23 PM, Fraser Tweedale wrote:
On Tue, Jun 28, 2016 at 11:00:17AM +0200, Martin Kosek wrote:
> Hi Fraser,
>
> I was testing FreeIPA
On 2016-02-11 14:43, Martin Kosek wrote:
>> Pushed to:
>> master: 5ac3a3cee534a16db86c541b9beff4939f03410e
>> ipa-4-3: c3496a4a4893c75789bdf0c617e46923361fb43b
>>
>
> Very cool! Thanks guys! Looking forward to deploying FreeIPA 4.3.1 on the
> FreeIPA public demo :-)
I have to change the cipher
On 2016-01-28 09:47, Martin Basti wrote:
>
>
> On 22.01.2016 12:32, Martin Kosek wrote:
>> On 01/21/2016 04:21 PM, Christian Heimes wrote:
>>> The list of supported TLS cipher suites in /etc/httpd/conf.d/nss.conf
>>> has been modernized. Insecure or less secur
On 2016-01-29 15:05, Martin Basti wrote:
>
>
> On 29.01.2016 14:42, Christian Heimes wrote:
>> On 2016-01-28 09:47, Martin Basti wrote:
>>>
>>> On 22.01.2016 12:32, Martin Kosek wrote:
>>>> On 01/21/2016 04:21 PM, Christian Heimes wrote:
>>
On 2016-01-21 11:29, Martin Basti wrote:
>
>
> On 18.01.2016 17:55, Christian Heimes wrote:
>> On 2016-01-18 17:28, Martin Basti wrote:
>>> https://fedorahosted.org/freeipa/ticket/5538
>>>
>>> Patch attached
>> ACK
>>
>>
> Pushed t
TLS_RSA_WITH_AES_256_CBC_SHA
https://fedorahosted.org/freeipa/ticket/5589
From 26d356970ef1f7de7b00fe237f67345c507c7989 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Thu, 21 Jan 2016 16:09:10 +0100
Subject: [PATCH] Modernize mod_nss's cipher suites
The list of sup
/freeipa/ticket/5619
From bd49251543c480ed3d4527b3aeb32f0df6fc9e67 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Tue, 19 Jan 2016 14:18:30 +0100
Subject: [PATCH] Move user/group constants for PKI and DS into ipaplatform
https://fedorahosted.org/freeipa/ticke
On 2016-01-19 13:43, Martin Basti wrote:
> +
> +def fake_class(name_or_class_obj, members=[]):
Please use a non-mutable argument here. members=() will do the job just
fine.
> +if isinstance(name_or_class_obj, scoped_nodes.Class):
> +cl = name_or_class_obj
> +else:
> +cl =
On 2016-01-20 02:54, Fraser Tweedale wrote:
> On Tue, Jan 19, 2016 at 02:20:27PM +0100, Christian Heimes wrote:
>> ipaplatform.constants has platform specific names for a couple of system
>> users like Apache HTTPD. The user names for PKI_USER, PKI_GROUP, DS_USER
>> and
On 2016-01-20 12:15, Abhijeet Kasurde wrote:
> Hi Christian,
>
> On 01/20/2016 04:15 PM, Christian Heimes wrote:
>> On 2016-01-20 08:30, Abhijeet Kasurde wrote:
>>> Ping for review request.
>> Hi,
>>
>> your initial patch has a small problem. Please pr
On 2016-01-20 08:30, Abhijeet Kasurde wrote:
> Ping for review request.
Hi,
your initial patch has a small problem. Please provide a new patch with
port 464 instead of 749.
Christian
ror, rebased it and attaching two
>> versions for master and for 4.3 branch.
>> I haven't found any missing cases and it works for me. If you're OK with the
>> modified patches it can be pushed.
>>
>> David
>>
>> - Original Message -
>> From: &quo
On 2016-04-07 11:09, Petr Spacek wrote:
> On 7.4.2016 08:43, Fraser Tweedale wrote:
>> Hi team,
>>
>> I updated the Sub-CAs design page with more detail for the key
>> replication[1]. This part of the design is nearly complete (a large
>> patchset is in review over at pki-devel@) but there are
Hi,
I'd like to use FreeIPA's RPC interface from Ansible directly. But the
output of plugins is rather unfriendly and unpythonic:
>>> print(api.Command.dnsconfig_show())
{u'result': {u'dn': u'cn=dns,dc=ipa,dc=example', u'idnsallowsyncptr':
(u'FALSE',)}, u'value': None, u'summary': None}
Please
On 2016-03-21 12:02, Jan Cholasta wrote:
> Hi,
>
> On 18.3.2016 15:26, Christian Heimes wrote:
>> Hi,
>>
>> I'd like to use FreeIPA's RPC interface from Ansible directly. But the
>> output of plugins is rather unfriendly and unpythonic:
>>
>>>>
On 2016-03-21 10:29, Petr Spacek wrote:
> On 20.3.2016 21:56, Martin Basti wrote:
>> Patches attached.
>
> I do not really like
> freeipa-mbasti-0442-pylint-remove-bare-except
> because it replaces most of
>
> try: ... except:
>
> with
>
> try: ... except Exception:
>
>
> which AFAIK does
On 2016-05-24 16:29, Nathaniel McCallum wrote:
> Using a pragma instead of guards is easier to write, less error prone
> and avoids name clashes (a source of very subtle bugs). This pragma
> is supported on almost all compilers, including all the compilers we
> care about:
On 2016-05-06 15:50, Martin Babinsky wrote:
> On 05/06/2016 03:43 PM, Petr Spacek wrote:
>> Hello,
>>
>> I wonder if we should stop supporting new installations where
>> Kerberos realm != uppercase(primary DNS domain).
>>
>> It breaks a lot of stuff, is harder to manage and docs are full of
>>
Hi Fraser,
and now to the review of your design doc for RFC 2818-compliant subject
alternative names in certs,
http://www.freeipa.org/page/V4/RFC_2818_certificate_compliance
1) RFC 2818 vs. RFC 6125
First I like to address a more general topic. Your design mentions RFC
6125 shortly. IMHO RFC
Hi,
while I was working on my Ansible playbook I ran into an issue. It is
hard to detect if a FreeIPA server instance is fully installed and all
its services are ready to handle requests. It's even harder to check it
remotely. I have figured out some heuristics to detect that a server is
*not*
Hi Fraser,
I'm the reviewer for your Sub-CAs and RFC 2818 designs. Let's start with
Sub-CAs first. http://www.freeipa.org/page/V4/Sub-CAs
In general the design is well written -- accurate as usual. I didn't
want to ACK the design with a simple LGTM, so I put myself in the
position of a customer
On 2016-05-25 11:46, Martin Kosek wrote:
> On 05/25/2016 10:03 AM, Jan Pazdziora wrote:
>> On Mon, May 23, 2016 at 04:24:38PM +0200, Florence Blanc-Renaud wrote:
>>>
>>> - I start working on a specific issue and decide to create a branch on my
>>> git repository (on my laptop)
>>> git clone
/system/httpd.service.d/.
https://fedorahosted.org/freeipa/ticket/6158
https://bugzilla.redhat.com/show_bug.cgi?id=1362537
From c6ab5d9323c1cc389ab221e0fc1c5290cc0075d4 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Tue, 2 Aug 2016 16:58:07 +0200
Subject: [PATCH] Correc
On 2016-07-07 14:54, Martin Basti wrote:
> Patch needs changes in ipa-4-3 branch
Here are patches for master and ipa-4-3 branch. I have rebased both
patches to head.
Christian
From e3a99ef8a6245d6e1bca22b3b0cede5d2ff608e8 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com
On 2016-07-07 14:54, Martin Basti wrote:
> Patch needs changes in ipa-4-3 branch
My patch? Do you want me to submit a patch for 4.3 branch?
Christian
: Christian Heimes <chei...@redhat.com>
Date: Fri, 8 Jul 2016 20:06:57 +0200
Subject: [PATCH] Secure permission and cleanup Custodia server.keys
Custodia's server.keys file contains the private RSA keys for encrypting
and signing Custodia messages. The file was created with permission 644
and is only s
of the directory
/etc/ipa/custodia. The installer and upgrader ensure that the file
has 600.
https://bugzilla.redhat.com/show_bug.cgi?id=1353936
https://fedorahosted.org/freeipa/ticket/6056
From 29cdaa5e27e7b8b3690d222c43eb0edfefdd82ba Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
The server-del plugin now removes the Custodia keys for encryption and
key signing from LDAP.
https://fedorahosted.org/freeipa/ticket/6015
From be4d66075d108fd9188a3a0b906bace6f6ea5122 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Mon, 8 Aug 2016 16:06:08
On 2016-07-19 17:03, Martin Basti wrote:
>
>
> On 12.07.2016 16:45, Christian Heimes wrote:
>> Custodia's server.keys file contains the private RSA keys for encrypting
>> and signing Custodia messages. The file was created with permission 644
>> and is onl
-install waits for master:8080 instead of replica:8080,
which might be blocked by a firewall.
https://fedorahosted.org/freeipa/ticket/6016
From 134f639aadad1b63e8715ec05fa06b53a3f12e74 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Fri, 1 Jul 2016 10:21:06 +0200
S
On 2016-07-01 11:17, Petr Spacek wrote:
> On 1.7.2016 11:04, Christian Heimes wrote:
>> On 2016-07-01 10:59, Petr Spacek wrote:
>>> On 1.7.2016 10:55, Christian Heimes wrote:
>>>> On 2016-07-01 10:48, Petr Spacek wrote:
>>>>&
On 2016-07-01 10:48, Petr Spacek wrote:
> On 1.7.2016 10:42, Christian Heimes wrote:
>> RedHatCAService.wait_until_running() uses dogtag.ca_status() to make a
>> HTTP(s) request to Dogtag in order to check if /ca/admin/ca/getStatus
>> returns OK. The ca_statu
Hi,
for a while make causes unsolicited modifications to all translation
files. I have to reset all PO files a couple of times a day during
development:
git checkout -- po/*.po
It's slowly wearing me off. I opened ticket
https://fedorahosted.org/freeipa/ticket/6605 a while ago. It contains
On 2017-01-16 15:52, David Kupka wrote:
> Hello everyone!
>
> I've noticed that our API for stageuser is missing some commands that
> user has (stageuser-{add,remove}-{principal,cert}). I was wondering if
> there is reason for it but after asking some fellow developers it seems
> that there's
On 2017-01-17 12:56, David Kupka wrote:
> Hi Christian,
> uniqueness of uid is not checked in staging area on purpose, it may be
> changed multiple times before the stageuser is transformed into user
> (activated). The uid uniqueness is then checked during activation.
>
> Third party application
On 2016-08-23 12:49, Petr Vobornik wrote:
> On 08/09/2016 01:53 PM, Martin Basti wrote:
>>
>>
>> On 08.08.2016 16:09, Christian Heimes wrote:
>>> I have split up patch 0032 into two smaller patches. This patch only
>>> addresses the server.keys file.
>
On 2016-08-23 12:42, Petr Vobornik wrote:
> On 08/11/2016 04:13 PM, Martin Basti wrote:
>>
>>
>> On 08.08.2016 16:10, Christian Heimes wrote:
>>> The server-del plugin now removes the Custodia keys for encryption and
>>> key signing from LDAP.
>>>
Hello,
I have released the first version of a new design document. It describes
how I'm going to improve integration of FreeIPA's client libraries
(ipalib, ipapython, ipaclient, ipaplatform) for third party developers.
http://www.freeipa.org/page/V4/Integration_Improvements
Regards,
Christian
On 2016-11-11 17:46, Martin Basti wrote:
>
>
> On 11.11.2016 15:25, Christian Heimes wrote:
>> Hello,
>>
>> I have released the first version of a new design document. It describes
>> how I'm going to improve integration of FreeIPA's client libraries
>> (ip
On 2016-11-11 18:33, Rob Crittenden wrote:
> Martin Basti wrote:
>> 2) if I understand correctly, you want to separate client installer code
>> and client CLI code. In past we had freeipa-admintools but it was
>> removed because it was really tightly bound to installed client. Do
>> you want to
On 2016-11-21 10:46, Jan Cholasta wrote:
> On 21.11.2016 10:32, Christian Heimes wrote:
>> On 2016-11-21 10:26, Jan Cholasta wrote:
>>> On 11.11.2016 18:28, Christian Heimes wrote:
>>>> On 2016-11-11 17:46, Martin Basti wrote:
>>>>>
>>&g
On 2016-11-21 10:26, Jan Cholasta wrote:
> On 11.11.2016 18:28, Christian Heimes wrote:
>> On 2016-11-11 17:46, Martin Basti wrote:
>>>
>>>
>>> On 11.11.2016 15:25, Christian Heimes wrote:
>>>> Hello,
>>>>
>>>> I have release
On 2016-11-21 11:38, Jan Cholasta wrote:
> On 21.11.2016 11:04, Christian Heimes wrote:
>> On 2016-11-21 10:46, Jan Cholasta wrote:
>>> On 21.11.2016 10:32, Christian Heimes wrote:
>>>> On 2016-11-21 10:26, Jan Cholasta wrote:
>>>>> On 11.11.2016 18:28,
On 2016-11-21 13:31, Jan Cholasta wrote:
> Hi,
>
> On 11.11.2016 15:25, Christian Heimes wrote:
>> Hello,
>>
>> I have released the first version of a new design document. It describes
>> how I'm going to improve integration of FreeIPA's client libraries
On 2016-11-21 14:44, Petr Spacek wrote:
>>> 3.3 ipaplatform auto-configuration
>>>
>>> I'm not sure if guessing platform from ID_LIKE is really a good idea. It
>>> might work fine for centos -> rhel, but in general we can't really
>>> assume it will always work, as the platforms listed in ID_LIKE
On 2016-12-12 09:54, Alexander Bokovoy wrote:
> On ma, 12 joulu 2016, Christian Heimes wrote:
>> Hi Simo,
>>
>> I'm wondering if we need to change kdcproxy for anon pkinit. What kind
>> of Kerberos requests are performed by anon pkinit and to establish a
>> FAST tu
Hi Simo,
I'm wondering if we need to change kdcproxy for anon pkinit. What kind
of Kerberos requests are performed by anon pkinit and to establish a
FAST tunnel? python-kdcproxy allows only request types AS-REQ, TGS-REQ
and AP-REQ+KRB-PRV. Responses are not filtered.
Regards,
Christian
On 2016-12-12 10:37, Alexander Bokovoy wrote:
> On ma, 12 joulu 2016, Alexander Bokovoy wrote:
>> On ma, 12 joulu 2016, Christian Heimes wrote:
>>> On 2016-12-12 09:54, Alexander Bokovoy wrote:
>>>> On ma, 12 joulu 2016, Christian Heimes wrote:
>>>>>
On 2016-12-19 15:07, John Dennis wrote:
> I'm not a big fan of NSS, it has its issues. As the author of the
> Python binding I'm quite aware of all the nasty behaviors NSS has and
> needs to be worked around. I wouldn't be sad to see it go but OpenSSL
> has its own issues too. If you remove NSS
otiate a TGT and
then installs the trust anchor in the global trust store. It should be
enough to reverse the order and inject the trust anchor first.
Christian
--
Christian Heimes
Senior Software Engineer, Identity Management and Platform Security
Red Hat GmbH, http://www.de.redhat.com/, Register
On 2017-04-27 16:16, Martin Bašti wrote:
>
>
> On 27.04.2017 14:19, Christian Heimes wrote:
>> On 2017-04-27 14:00, Martin Bašti wrote:
>>> I would like to discuss consequences of adding kdc URI records:
>>>
>>> 1. basically all ipa clients enrolled
pport kadmin.
>> We shouldn't.
>>
>> Simo.
>>
>
> I would like to discuss consequences of adding kdc URI records:
>
> 1. basically all ipa clients enrolled using autodiscovery will use
> kdcproxy instead of KDC on port 88, because URI takes precedence over