The attached patch adds --out option to user-show for saving user's
certificate(s) to file.
Thanks,
Fraser
From 0e3f681d21724ba2ab09737977c18b13392d9f53 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Fri, 24 Jul 2015 09:31:26 -0400
Subject: [PATCH] user-show: add --out option to
On Fri, Jul 24, 2015 at 05:53:56PM +0200, Tomas Babej wrote:
>
>
> On 07/24/2015 05:34 PM, Martin Basti wrote:
> > On 24/07/15 16:52, Tomas Babej wrote:
> >>
> >> On 07/24/2015 03:40 PM, Fraser Tweedale wrote:
> >>> The attached patch add
On Wed, Jul 29, 2015 at 03:48:47PM +0200, Jan Cholasta wrote:
> Dne 29.7.2015 v 15:46 Martin Basti napsal(a):
> >On 29/07/15 15:41, Martin Basti wrote:
> >>On 25/07/15 03:40, Fraser Tweedale wrote:
> >>>On Fri, Jul 24, 2015 at 05:53:56PM +0200, Tomas Babej wrote:
>
:00:00 2001
From: Fraser Tweedale
Date: Fri, 24 Jul 2015 09:23:07 -0400
Subject: [PATCH] Work around python-nss bug on unrecognised OIDs
A bug in python-nss causes an error to be thrown when converting an
unrecognised OID to a string. If cert-request receives a PKCS #10
CSR with an unknown
On Thu, Jul 30, 2015 at 10:19:19AM +1000, Fraser Tweedale wrote:
> On Wed, Jul 29, 2015 at 03:48:47PM +0200, Jan Cholasta wrote:
> > Dne 29.7.2015 v 15:46 Martin Basti napsal(a):
> > >On 29/07/15 15:41, Martin Basti wrote:
> > >>On 25/07/15 03:40, Fraser Tweedale wrot
The attached patch fixes
https://fedorahosted.org/freeipa/ticket/5099.
Thanks,
Fraser
From 294205795f595095f14eecb451f974cbf867ebe3 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Tue, 4 Aug 2015 01:13:09 -0400
Subject: [PATCH] Add permission for bypassing CA ACL enforcement
Add the
The attached patch addresses
https://fedorahosted.org/freeipa/ticket/5089
Thanks,
Fraser
From 6002c60a4794c0e6ecc315e21575ef618cff6f06 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Thu, 23 Jul 2015 23:07:10 -0400
Subject: [PATCH] certprofile: add profile format explanation
Part of: https
Small doc fix.
Cheers,
Fraser
From 2879f147cacef06f0b3373ac21a78b9d08f8afbb Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Wed, 5 Aug 2015 15:50:07 +1000
Subject: [PATCH] Fix otptoken-remove-managedby command summary
---
ipalib/plugins/otptoken.py | 2 +-
1 file changed, 1 insertion
The attached patch fixes
https://bugzilla.redhat.com/show_bug.cgi?id=1251225
Thanks,
Fraser
From 0431e9b8c8d1ea903e2b68e7fc33f10c38d11bda Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Fri, 7 Aug 2015 03:21:43 -0400
Subject: [PATCH] Fix default CA ACL added during upgrade
The upgrade
On Fri, Aug 07, 2015 at 11:47:57AM +0200, Martin Babinsky wrote:
> On 08/07/2015 10:04 AM, Fraser Tweedale wrote:
> >The attached patch fixes
> >https://bugzilla.redhat.com/show_bug.cgi?id=1251225
> >
> >Thanks,
> >Fraser
> >
> >
> >
> ACK
Patch 0035 fixes #5190 - Users unable to self-issue certificate with
SAN.
Patch 0034 adds more context to the virtual command ACIError denial
messages.
Thanks,
Fraser
From 9653b4bf835b36bc8e328405b2f19af0ebb3312e Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Sun, 9 Aug 2015 01:54:41
The attached patch fixes a bug in KRB5PrincipalName / UPN SAN
validation.
Thanks,
Fraser
From 5f2b87fb4a5b6d93bd8e946e53e27137280682c1 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Sun, 9 Aug 2015 05:55:04 -0400
Subject: [PATCH] Fix KRB5PrincipalName / UPN SAN comparison
Depending on how
://bugzilla.redhat.com/show_bug.cgi?id=1246729
Thanks,
Fraser
From f2a386f54d586a1bee7158ff59fd5135b593190a Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Fri, 24 Jul 2015 09:32:51 -0400
Subject: [PATCH] Add profile for DNP3 / IEC 62351-8 certificates
The DNP3 smart-grid standard uses certificate
Whups, that should be patch number >> 0037 <<
On Mon, Aug 10, 2015 at 02:39:04PM +1000, Fraser Tweedale wrote:
> The attached patch adds a DNP3 profile, addressing
> https://fedorahosted.org/freeipa/ticket/4752.
>
> It depends on my patch 0029 [1] which is a workaround f
On Mon, Aug 10, 2015 at 06:50:57PM +0200, Milan Kubík wrote:
> Hi,
>
> On 08/10/2015 05:24 PM, Scott Poore wrote:
> >
> >- Original Message -
> >>From: "Milan Kubík"
> >>To: "freeipa-devel" , "Scott Poore"
> >
On Mon, Aug 10, 2015 at 11:36:31AM +0200, Milan Kubík wrote:
> On 08/05/2015 02:57 PM, Milan Kubík wrote:
> >Hi list,
> >
> >I'm sending the test plan [1] for certificate profiles and preliminary
> >patches for it.
> >The plan covers basic CRUD test and some corner cases. I'm open to more
> >sugges
On Sun, Aug 09, 2015 at 08:03:47PM +1000, Fraser Tweedale wrote:
> The attached patch fixes a bug in KRB5PrincipalName / UPN SAN
> validation.
>
> Thanks,
> Fraser
For testing this, the following `openssl req' config will serve as a
starting point; customise the names /
On Wed, Aug 12, 2015 at 02:56:54PM +0200, Petr Vobornik wrote:
> usercertificate attr was moved from "System Modify Users" to this
> new permission.
>
> https://fedorahosted.org/freeipa/ticket/5177
>
> Note: hosts have permission "System: Manage Host Certificates", services
> don't have it but us
On Tue, Aug 04, 2015 at 03:21:29PM +1000, Fraser Tweedale wrote:
> The attached patch fixes
> https://fedorahosted.org/freeipa/ticket/5099.
>
> Thanks,
> Fraser
Ping; this patch needs review.
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.red
The attached patch fixes
https://fedorahosted.org/freeipa/ticket/5205
Thanks,
Fraser
From 7186acfbf70bb6963b8bb72bbda5fece3fb20dd2 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Thu, 13 Aug 2015 01:42:06 -0400
Subject: [PATCH] cert-request: remove allowed extensions check
cert-request
The attached patch fixes
https://fedorahosted.org/freeipa/ticket/5198
Thanks,
Fraser
From 0dd316bf0cbab7b6701bd69f142e82b30bee25b8 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Thu, 13 Aug 2015 02:32:54 -0400
Subject: [PATCH] Prohibit deletion of included profiles
Deletion of included
On Thu, Aug 13, 2015 at 09:53:35AM +0300, Alexander Bokovoy wrote:
> On Thu, 13 Aug 2015, Fraser Tweedale wrote:
> >The attached patch fixes
> >https://fedorahosted.org/freeipa/ticket/5198
> >
> >Thanks,
> >Fraser
>
> >From 0dd316bf0cbab7b6701bd69f142e82b
On Thu, Aug 13, 2015 at 11:04:42AM +0200, Petr Vobornik wrote:
> On 08/13/2015 05:28 AM, Fraser Tweedale wrote:
> >On Wed, Aug 12, 2015 at 02:56:54PM +0200, Petr Vobornik wrote:
> >>usercertificate attr was moved from "System Modify Users" to this
> >
On Thu, Aug 13, 2015 at 12:01:09PM +0300, Alexander Bokovoy wrote:
> On Thu, 13 Aug 2015, Fraser Tweedale wrote:
> >On Thu, Aug 13, 2015 at 09:53:35AM +0300, Alexander Bokovoy wrote:
> >>On Thu, 13 Aug 2015, Fraser Tweedale wrote:
> >>>The attached patch fixes
> >
On Thu, Aug 13, 2015 at 12:31:27PM +0300, Alexander Bokovoy wrote:
> On Thu, 13 Aug 2015, Fraser Tweedale wrote:
> >On Thu, Aug 13, 2015 at 12:01:09PM +0300, Alexander Bokovoy wrote:
> >>On Thu, 13 Aug 2015, Fraser Tweedale wrote:
> >>>On Thu, Aug 13, 2015 at 09:53
On Thu, Aug 13, 2015 at 12:30:10PM +0300, Alexander Bokovoy wrote:
> On Thu, 13 Aug 2015, Fraser Tweedale wrote:
> >On Thu, Aug 13, 2015 at 11:04:42AM +0200, Petr Vobornik wrote:
> >>On 08/13/2015 05:28 AM, Fraser Tweedale wrote:
> >>>On Wed, Aug 12, 2015 at 02:56:5
The attached patch fixes
https://fedorahosted.org/freeipa/ticket/5247.
Thanks,
Fraser
From 2cb4ab6eeedccc3471ed9bf983add4687ecd5c1a Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Mon, 24 Aug 2015 20:25:10 -0400
Subject: [PATCH] certprofile: prevent rename (modrdn)
Fixes: https
On Tue, Aug 25, 2015 at 01:39:42PM +0300, Alexander Bokovoy wrote:
> On Tue, 25 Aug 2015, Petr Vobornik wrote:
> >On 08/25/2015 07:37 AM, Alexander Bokovoy wrote:
> >>On Tue, 25 Aug 2015, Fraser Tweedale wrote:
> >>>The attached patch fixes
> >>>ht
On Mon, Aug 31, 2015 at 12:24:13PM +0200, Martin Basti wrote:
>
>
> On 08/18/2015 04:06 PM, Milan Kubík wrote:
> >On 08/11/2015 03:17 AM, Fraser Tweedale wrote:
> >>On Mon, Aug 10, 2015 at 11:36:31AM +0200, Milan Kubík wrote:
> >>>On 08/05/2015 02:57
This patch *removes* the --rename option from certprofile-mod.
For context see: https://bugzilla.redhat.com/show_bug.cgi?id=1257163#c6
Thanks,
Fraser
From 89fae00bfa31cca3784afbbf057a62942e6729e3 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Tue, 1 Sep 2015 21:04:34 -0400
Subject: [PATCH
On Wed, Sep 02, 2015 at 08:08:09AM +0200, Jan Cholasta wrote:
> Hi,
>
> On 2.9.2015 03:16, Fraser Tweedale wrote:
> >This patch *removes* the --rename option from certprofile-mod.
> >For context see: https://bugzilla.redhat.com/show_bug.cgi?id=1257163#c6
>
> Inste
On Tue, Sep 15, 2015 at 02:10:57PM +0200, Martin Kosek wrote:
> Hi Nathan and others,
>
> I am now going through FreeIPA 4.4 items and I am thinking about ECC support
> in
> FreeIPA:
>
> https://fedorahosted.org/freeipa/ticket/3951
>
> AFAIK, ECC should be already supported in Dogtag. Could you
On Thu, Sep 24, 2015 at 01:19:51PM +0200, Martin Kosek wrote:
> On 09/15/2015 03:26 PM, Fraser Tweedale wrote:
> > On Tue, Sep 15, 2015 at 02:10:57PM +0200, Martin Kosek wrote:
> >> Hi Nathan and others,
> >>
> >> I am now going through FreeIPA 4.4 items and I
On Fri, Oct 09, 2015 at 08:39:10AM -0400, Rob Crittenden wrote:
> Jan Orel wrote:
> > Hello,
> >
> > this patch removes (IMHO) redundant check in cert_show, which fails when
> > host tries to re-submit certificate of different host/service which he
> > can manage.
> >
> > I also reported the bug
I have been alluding for a while about my ideas for future
FreeIPA/Dogtag PKI integration; I finally put the ideas down in a
blog post. If you are interested in this aspect of IdM please read
it; all feedback is welcome!
http://blog-ftweedal.rhcloud.com/2015/11/freeipa-pki-current-plans-and-a-fut
,
Fraser
From c6991e5095f7a8f7c13d1dd943a26b0b06365f6a Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Fri, 20 Nov 2015 15:39:00 +1100
Subject: [PATCH 42/43] TLS and Dogtag HTTPS request logging improvements
Pretty printing the TLS peer certificate to logs on every request
introduces a lot of
] due to the prevalence of the other issue.
[1] https://fedorahosted.org/freeipa/ticket/5459
[2] https://www.redhat.com/archives/freeipa-devel/2015-November/msg00298.html
Thanks,
Fraser
From 8c3f2ce4a985e873277b7e84a8b95acca80c0348 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Mon, 23 Nov 2015
On Mon, Nov 23, 2015 at 10:05:32AM +0100, Jan Cholasta wrote:
> On 23.11.2015 06:54, Fraser Tweedale wrote:
> >Hi all,
> >
> >The attached patches fix #5459[1]: Default CA ACL rule is not
> >created during ipa-replica-install.
> >
> >These patches apply
On Tue, Nov 24, 2015 at 02:36:17PM -0500, Simo Sorce wrote:
> On Tue, 2015-11-24 at 17:34 +0100, Jan Cholasta wrote:
> > On 24.11.2015 17:30, Simo Sorce wrote:
> > > On Tue, 2015-11-24 at 09:14 +0100, Jan Cholasta wrote:
> > >> On 24.11.2015 09:06, Petr Spacek wrote:
> > >>> On 24.11.2015 07:32, Ja
On Tue, Nov 24, 2015 at 05:38:45PM +0100, Jan Cholasta wrote:
> On 24.11.2015 17:17, Martin Babinsky wrote:
> >On 11/24/2015 05:10 PM, Martin Babinsky wrote:
> >>On 11/24/2015 05:01 PM, Martin Babinsky wrote:
> >>>On 11/24/2015 04:58 PM, Jan Cholasta wrote:
> On 24.11.2015 16:48, Martin Babinsk
On Wed, Nov 25, 2015 at 09:28:27AM +0100, Martin Babinsky wrote:
> On 11/25/2015 07:21 AM, Jan Cholasta wrote:
> >On 25.11.2015 05:56, Fraser Tweedale wrote:
> >>On Tue, Nov 24, 2015 at 05:38:45PM +0100, Jan Cholasta wrote:
> >>>On 24.11.2015 17:17, Martin Babinsky wr
On Wed, Nov 25, 2015 at 09:44:09AM -0500, Simo Sorce wrote:
> On Wed, 2015-11-25 at 14:34 +1000, Fraser Tweedale wrote:
> > On Tue, Nov 24, 2015 at 02:36:17PM -0500, Simo Sorce wrote:
> > > On Tue, 2015-11-24 at 17:34 +0100, Jan Cholasta wrote:
> > > > On 24.1
e984b2cbfd419a2a71aa40ba4b42dd29857a66d9 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Mon, 7 Dec 2015 16:14:28 +1100
Subject: [PATCH] Create server certs with DNS altname
Currently server (HTTP / LDAP) certs are created without a Subject
Alternative Name extension during server install or
On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote:
> On 12/07/2015 06:26 AM, Fraser Tweedale wrote:
> > The attached patch fixes
> > https://fedorahosted.org/freeipa/ticket/4970.
> >
> > Note that the problem is addressed by adding the appropriate request
>
On Tue, Dec 08, 2015 at 08:46:39AM +1000, Fraser Tweedale wrote:
> On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote:
> > On 12/07/2015 06:26 AM, Fraser Tweedale wrote:
> > > The attached patch fixes
> > > https://fedorahosted.org/freeipa/ticket/4970.
> >
On Tue, Dec 08, 2015 at 09:00:20AM +0100, Martin Kosek wrote:
> On 12/08/2015 02:22 AM, Fraser Tweedale wrote:
> > On Tue, Dec 08, 2015 at 08:46:39AM +1000, Fraser Tweedale wrote:
> >> On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote:
> >>> On 12/07/2015 0
On Mon, Dec 07, 2015 at 05:50:05PM -0500, Rob Crittenden wrote:
> Fraser Tweedale wrote:
> > On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote:
> >> On 12/07/2015 06:26 AM, Fraser Tweedale wrote:
> >>> The attached patch fixes
> >>> ht
Just some drive-by cleanup of an unused function.
Cheers,
Fraser
From 6eb963aac30376a1d86bbdc4b9ce299cbec5220a Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Mon, 14 Dec 2015 16:52:40 +1100
Subject: [PATCH] dogtaginstance: remove unused function 'check_inst'
---
ipaplatform/bas
On Tue, Dec 15, 2015 at 04:23:33PM +0100, Martin Kosek wrote:
> On 12/15/2015 08:54 AM, Jan Cholasta wrote:
> > Hi,
> >
> > recently I and David discussed the direction of installers with regard to
> > requesting certificates. Currently there are four (!) different ways of
> > requesting certifica
On Wed, Dec 16, 2015 at 09:17:09AM +0100, Jan Cholasta wrote:
> On 16.12.2015 08:54, Martin Kosek wrote:
> >On 12/16/2015 08:09 AM, Jan Cholasta wrote:
> >>On 16.12.2015 01:40, Fraser Tweedale wrote:
> >>>On Tue, Dec 15, 2015 at 04:23:33PM +0100, Martin Kosek wrote
On Wed, Dec 16, 2015 at 11:11:42AM +0100, Martin Kosek wrote:
> On 12/16/2015 09:17 AM, Jan Cholasta wrote:
> > On 16.12.2015 08:54, Martin Kosek wrote:
> ...
> >>> 7. cert-request fetches the configuration for the specified sub-CA,
> >>> or the
> >>> default sub-CA if none was specified, from LD
9fb59b95553d3f02aa401142a87723e5d0fb2b8a Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Wed, 6 Jan 2016 14:50:42 +1100
Subject: [PATCH] Decode HTTP reason phrase as iso-8859-1
The HTTP reason phrase sent by Dogtag is encoded in iso-8859-1; use
this charset instead of utf8 when decoding it to avoid decoding
On Thu, Jan 07, 2016 at 07:56:15AM +0100, Jan Cholasta wrote:
> Hi,
>
> On 6.1.2016 05:26, Fraser Tweedale wrote:
> >Happy new year, all.
> >
> >The attached patch fixes a unicode decode error triggered in some
> >locales, which causes failure of installation (an
On Thu, Jan 07, 2016 at 08:00:51PM +1000, Fraser Tweedale wrote:
> On Thu, Jan 07, 2016 at 07:56:15AM +0100, Jan Cholasta wrote:
> > Hi,
> >
> > On 6.1.2016 05:26, Fraser Tweedale wrote:
> > >Happy new year, all.
> > >
> > >The attached patc
On Fri, Jan 08, 2016 at 01:26:57PM +0100, Martin Kosek wrote:
> Hi Fraser and other X.509 SMEs,
>
> I wanted to check with you on what we have or plan to have with respect to
> certificate/cipher strength in FreeIPA.
>
> When I visit the FreeIPA public demo for example, I usually see following
>
On Fri, Jan 08, 2016 at 02:02:07PM +0100, Martin Kosek wrote:
> On 01/08/2016 01:56 PM, Fraser Tweedale wrote:
> > On Fri, Jan 08, 2016 at 01:26:57PM +0100, Martin Kosek wrote:
> >> Hi Fraser and other X.509 SMEs,
> >>
> >> I wanted to check with you on what we
On Tue, Jan 19, 2016 at 02:20:27PM +0100, Christian Heimes wrote:
> ipaplatform.constants has platform specific names for a couple of system
> users like Apache HTTPD. The user names for PKI_USER, PKI_GROUP, DS_USER
> and DS_GROUP are defined in other modules. Similar to #5587 the patch my
> patch
On Tue, Dec 08, 2015 at 07:06:39PM +1000, Fraser Tweedale wrote:
> On Mon, Dec 07, 2015 at 05:50:05PM -0500, Rob Crittenden wrote:
> > Fraser Tweedale wrote:
> > > On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote:
> > >> On 12/07/2015 06:26 AM, Fras
raser
From df99d69569ddc173c7495eb5cd85133079a24ba9 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Wed, 20 Jan 2016 18:35:15 +1100
Subject: [PATCH] Remove workaround for CA running check
A workaround was introduced for ticket #4676 that used wget to
perform an (unauthenticated) https request to check the CA status.
Later, wget w
On Wed, Jan 20, 2016 at 09:30:29AM +0100, Martin Kosek wrote:
> On 01/20/2016 08:45 AM, Fraser Tweedale wrote:
> > The attached patch removes a workaround introduced as part of
> > https://fedorahosted.org/freeipa/ticket/4676.
> >
> > Alternatively, if we want to k
On Wed, Jan 20, 2016 at 07:52:32PM +1000, Fraser Tweedale wrote:
> Good pickup on the curl dependency; indeed it is no longer needed.
> Updated patch attached.
>
Whups, that was same patch, different name. *Here* is the new patch.
From ba5750b7a805841abd8d4795d9c4bcec2a3518a0 Mon Sep 17
On Tue, Feb 09, 2016 at 11:14:47AM +0100, Martin Basti wrote:
> Hello,
>
> I prepared page for keeping the information about domain levels, what are
> features, which version introduced the particular domain level.
>
> http://www.freeipa.org/page/Domain_Levels
>
> Martin^2
>
Thanks, it is a use
On Mon, Feb 22, 2016 at 02:03:49PM +0100, Martin Babinsky wrote:
> https://fedorahosted.org/freeipa/ticket/5682
>
> --
> Martin^3 Babinsky
>
Thanks for the patch. Conditional ACK.
Patch is tested and works, but I am wary about checking for
substring match against RemoteRetrieveError reason stri
On Tue, Feb 23, 2016 at 07:32:31AM +0100, Jan Cholasta wrote:
> On 23.2.2016 06:40, Fraser Tweedale wrote:
> >On Mon, Feb 22, 2016 at 02:03:49PM +0100, Martin Babinsky wrote:
> >>https://fedorahosted.org/freeipa/ticket/5682
> >>
> >>--
> >>M
Hi all (especially those interested in certificates),
Please provide early review of my design for RFC 2818 compliance
which will address the following tickets:
- #4970 Server certificate profile should always include a Subject Alternate
name for the host
- #5706 [RFE] Support SAN-only certifica
On Fri, Mar 04, 2016 at 12:49:46PM +0100, Tomas Babej wrote:
> Hi,
>
> this fixes incorrect usercertificate attribute docstrings in several IPA
> objects.
>
> Tomas
>
ACK.
On Tue, Mar 08, 2016 at 11:43:49AM +0100, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/5684
>
> patch attached
I think the comment in install/updates/20-sslciphers.update should
be updated. Apart from that, ACK.
Cheers,
Fraser
On Wed, Mar 09, 2016 at 09:53:35AM +0100, Martin Basti wrote:
>
>
> On 09.03.2016 04:47, Fraser Tweedale wrote:
> >On Tue, Mar 08, 2016 at 11:43:49AM +0100, Martin Basti wrote:
> >>https://fedorahosted.org/freeipa/ticket/5684
> >>
> >>patch attached
>
On Wed, Mar 09, 2016 at 01:30:01PM +0100, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/5298
>
> Patch attached.
>
ACK
Thanks,
Fraser
On Thu, Mar 10, 2016 at 07:15:59AM +0100, Jan Cholasta wrote:
> On 10.3.2016 03:35, Fraser Tweedale wrote:
> >On Wed, Mar 09, 2016 at 01:30:01PM +0100, Martin Basti wrote:
> >>https://fedorahosted.org/freeipa/ticket/5298
> >>
> >>Patch attached.
> >
On Mon, Mar 07, 2016 at 07:33:52AM +0100, Jan Cholasta wrote:
> Hi,
>
> On 29.2.2016 07:59, Fraser Tweedale wrote:
> >Hi all (especially those interested in certificates),
> >
> >Please provide early review of my design for RFC 2818 compliance
> >which w
tion. It also allows one to put
> multiple SANs in one ssl server cert:
> https://fedorahosted.org/pki/ticket/1316#comment:14
> again, it's only limited to pkispawn option so it serves a different
> purpose.
>
> Christina
>
> On 03/10/2016 05:06 PM, Fraser Tweedale wro
The attached patch fixes
https://fedorahosted.org/freeipa/ticket/5733. Thanks to Alexander
for finding and reporting.
Cheers,
Fraser
From 9bd7b74d9c928f386bd7dae59588580881ed1a9d Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Mon, 14 Mar 2016 14:49:47 +1100
Subject: [PATCH] caacl
On Mon, Mar 14, 2016 at 09:29:37AM -0700, Christina Fu wrote:
>
>
> On 03/12/2016 11:51 PM, Fraser Tweedale wrote:
> >On Fri, Mar 11, 2016 at 10:20:49AM -0800, Christina Fu wrote:
> >>Hi Fraser,
> >>
> >>I think the general idea looks good. If teste
On Mon, Mar 14, 2016 at 03:10:55PM +0100, Martin Kosek wrote:
> On 03/14/2016 06:18 AM, Alexander Bokovoy wrote:
> > On Mon, 14 Mar 2016, Fraser Tweedale wrote:
> >> The attached patch fixes
> >> https://fedorahosted.org/freeipa/ticket/5733. Thanks to Alexander
>
On Wed, Mar 23, 2016 at 11:54:55AM -0400, Rob Crittenden wrote:
> Lukáš Hellebrandt wrote:
> >I created a design page for the feature:
> >
> >http://www.freeipa.org/page/URI-based-HBAC-design
> >
> >
>
> Can you make the ticket reference a link?
>
> Is it expected that a full URI will be used, in
On Thu, Mar 24, 2016 at 01:09:24PM +0100, Jan Pazdziora wrote:
> On Thu, Mar 24, 2016 at 11:39:17AM +1000, Fraser Tweedale wrote:
> >
> > Further to Rob's points, what about including the method being used
> > (HTTP GET/POST/PUT/PATCH)? In a RESTful world this seems li
On Tue, Mar 29, 2016 at 12:47:04PM +0200, Lubomir Rintel wrote:
> Hi,
>
> I'm part of the Red Hat's NetworkManager crowd. We're aware that you've
> made some effort on making it easy to get a short-lived certificate for
> use with VPN (and EAP-TLS) [1].
>
> [1] http://www.freeipa.org/page/User_ce
Hi team,
I updated the Sub-CAs design page with more detail for the key
replication[1]. This part of the design is nearly complete (a large
patchset is in review over at pki-devel@) but there are various
options about how to authenticate to Custodia.
[1] http://www.freeipa.org/page/V4/Sub-CAs#Ke
On Thu, Apr 07, 2016 at 12:29:00PM +0200, Jan Cholasta wrote:
> On 7.4.2016 12:13, Christian Heimes wrote:
> >On 2016-04-07 11:09, Petr Spacek wrote:
> >>On 7.4.2016 08:43, Fraser Tweedale wrote:
> >>>Hi team,
> >>>
> >>>I update
Hi all,
The attached patch (first of many for long-awaited sub-CAs feature)
makes it possible to use CustodiaClient without root privileges, as
an arbitrary principal.
Cheers,
Fraser
From 8e6cab0e47dd4e3152d8bbd84c8675353aa2cb4a Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Fri, 8 Apr
On Fri, Apr 08, 2016 at 10:47:19AM -0400, Simo Sorce wrote:
> On Sat, 2016-04-09 at 00:23 +1000, Fraser Tweedale wrote:
> > -name = gssapi.Name('host@%s' % (self.client,),
> >
> > - gssapi.NameType.hostbased_service)
>
> If
Hi Simo and Honza et al,
I have a design challenge pertaining to DNs for Custodia keys.
DNs for Custodia keys for host principals currently take the form:
cn={sig,enc}/$HOSTNAME,cn=custodia,cn=ipa,cn=etc,$SUFFIX
This prevents the creation of Custodia keys for service principals
(pursuant to
On Tue, Apr 12, 2016 at 12:55:50PM +0200, Jan Cholasta wrote:
> Hi,
>
> On 12.4.2016 09:03, Fraser Tweedale wrote:
> >Hi Simo and Honza et al,
> >
> >I have a design challenge pertaining to DNs for Custodia keys.
> >DNs for Custodia keys for host principals curren
On Tue, Apr 12, 2016 at 09:31:30AM -0400, Simo Sorce wrote:
> On Sat, 2016-04-09 at 10:11 +1000, Fraser Tweedale wrote:
> > On Fri, Apr 08, 2016 at 10:47:19AM -0400, Simo Sorce wrote:
> > > On Sat, 2016-04-09 at 00:23 +1000, Fraser Tweedale wrote:
> > > > -
On Wed, Apr 13, 2016 at 11:15:50AM +1000, Fraser Tweedale wrote:
> On Tue, Apr 12, 2016 at 09:31:30AM -0400, Simo Sorce wrote:
> > On Sat, 2016-04-09 at 10:11 +1000, Fraser Tweedale wrote:
> > > On Fri, Apr 08, 2016 at 10:47:19AM -0400, Simo Sorce wrote:
> > > > On
dependency on the (unreleased) Dogtag 10.3.0b1
- it just puts the necessary principals/keys/configuration in place.
Cheers,
Fraser
From aa91bd3c6773d42c864a8f34eabad8b90bb01f8b Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Mon, 11 Apr 2016 12:42:35 +1000
Subject: [PATCH 53/54] Optionally add
On Tue, Apr 19, 2016 at 07:48:27AM +0200, Jan Cholasta wrote:
> On 14.4.2016 08:56, Jan Cholasta wrote:
> >On 7.4.2016 16:17, Petr Spacek wrote:
> >>On 7.4.2016 15:20, Fraser Tweedale wrote:
> >>>On Thu, Apr 07, 2016 at 12:29:00PM +0200, Jan Cholasta wrote:
>
On Mon, Apr 18, 2016 at 03:44:08PM -0400, Simo Sorce wrote:
> On Thu, 2016-04-14 at 16:33 +1000, Fraser Tweedale wrote:
> > On Wed, Apr 13, 2016 at 11:15:50AM +1000, Fraser Tweedale wrote:
> > > On Tue, Apr 12, 2016 at 09:31:30AM -0400, Simo Sorce wrote:
> > > > On
On Thu, Apr 14, 2016 at 04:39:37PM +1000, Fraser Tweedale wrote:
> Hi all,
>
> The attached patches configure lightweight CA key replication on IPA
> CAs, on upgrade and installation.
>
> Patches 0051..0052 from my other mail are also needed for the system
> to work, but t
The attached patch is part of lightweight CA support. It just adds
some ACL rules to Dogtag database, and does not depend on the version
of Dogtag (so it's ok to merge immediately, when ACKed).
Thanks,
Fraser
From 362f7f9ec385cc2625d852ccf514508e231e78db Mon Sep 17 00:00:00 2001
From: F
Christian, thank you for the review.
Responses inline. I will update the design page soon with
clarifications and information about backup.
On Tue, Apr 19, 2016 at 01:24:54PM +0200, Christian Heimes wrote:
> Hi Fraser,
>
> I'm the reviewer for your Sub-CAs and RFC 2818 designs. Let's start with
On Tue, Apr 19, 2016 at 11:06:15AM -0400, Rob Crittenden wrote:
> Christian Heimes wrote:
> >Hi Fraser,
> >
> >and now to the review of your design doc for RFC 2818-compliant subject
> >alternative names in certs,
> >http://www.freeipa.org/page/V4/RFC_2818_certificate_compliance
> >
> >
> >1) RFC 2
On Tue, Apr 19, 2016 at 04:14:01PM +0200, Christian Heimes wrote:
> Hi Fraser,
>
> and now to the review of your design doc for RFC 2818-compliant subject
> alternative names in certs,
> http://www.freeipa.org/page/V4/RFC_2818_certificate_compliance
>
>
> 1) RFC 2818 vs. RFC 6125
>
> First I li
On Thu, Apr 21, 2016 at 10:22:33AM +0300, Alexander Bokovoy wrote:
> On Thu, 21 Apr 2016, Fraser Tweedale wrote:
> >On Tue, Apr 19, 2016 at 11:06:15AM -0400, Rob Crittenden wrote:
> >>Christian Heimes wrote:
> >>>Hi Fraser,
> >>>
> >>>and now t
On Tue, Apr 26, 2016 at 10:02:45AM +0200, Jan Cholasta wrote:
> On 21.4.2016 05:30, Fraser Tweedale wrote:
> >On Thu, Apr 14, 2016 at 04:39:37PM +1000, Fraser Tweedale wrote:
> >>Hi all,
> >>
> >>The attached patches configure lightweight CA key replic
Continuing the discussion for #5836[1] as requested from triage
session.
[1] https://fedorahosted.org/freeipa/ticket/5836
IMO it is not important for FreeIPA 4.4. It is nice to have but I
doubt it will make it.
Honza suggested it should be the other way around, i.e. CA specifies
default profile
On Tue, May 03, 2016 at 05:05:58PM +1000, Fraser Tweedale wrote:
> On Tue, Apr 26, 2016 at 10:02:45AM +0200, Jan Cholasta wrote:
> > On 21.4.2016 05:30, Fraser Tweedale wrote:
> > >On Thu, Apr 14, 2016 at 04:39:37PM +1000, Fraser Tweedale wrote:
> > >>Hi all,
>
On Thu, May 05, 2016 at 07:48:05AM +0200, Jan Cholasta wrote:
> On 4.5.2016 06:04, Fraser Tweedale wrote:
> >On Tue, May 03, 2016 at 05:05:58PM +1000, Fraser Tweedale wrote:
> >>On Tue, Apr 26, 2016 at 10:02:45AM +0200, Jan Cholasta wrote:
> >>>On 21.4.2016 05:30, F
raser
From 42ad22dddf4ea05792a64dbab8ff810fa4a075f2 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Tue, 19 Apr 2016 11:47:29 +1000
Subject: [PATCH] Add custodia store for lightweight CA key replication
Due to limitations in Dogtag's use of NSSDB, importing private keys
must be done by the Dogtag Java process itself.