Re: [Freeipa-devel] [PATCHES 00012-0013 v7] Profiles and CA ACLs

2015-06-10 Thread Martin Kosek
> On Mon, Jun 08, 2015 at 08:49:06AM +0200, Martin Kosek wrote: >>>>>> On 06/08/2015 03:31 AM, Fraser Tweedale wrote: >>>>>>> New patches attached. Comments inline. >>>>>> Thanks Fraser! >>>>>> >>>>>> ...

Re: [Freeipa-devel] Stage users - inconsistent permission names

2015-06-10 Thread Martin Kosek
On 06/10/2015 10:01 AM, David Kupka wrote: > On 06/10/2015 09:12 AM, Martin Kosek wrote: >> Hello Thierry/David, >> >> I saw the new privileges and permissions for the Staged Users functionality >> and >> found a couple of spelling/English issues that I think we sho

[Freeipa-devel] Stage users - inconsistent permission names

2015-06-10 Thread Martin Kosek
er "System: Modify User RDN" Permission name: System: Write Delete Users RDN by administrators Why is this permission needed, isn't "System: Modify Preserved Users" enough? -- Martin Kosek Supervisor, Software Engineering - Identity Management Team Red Hat Inc.

Re: [Freeipa-devel] Community Portal Milestone

2015-06-09 Thread Martin Kosek
On 06/10/2015 05:11 AM, Adam Young wrote: > On 06/09/2015 06:34 PM, Simo Sorce wrote: >> On Tue, 2015-06-09 at 16:15 -0400, Drew Erny wrote: >>> Hey, Freeipa, same thread new subtopic. >>> >>> So, I was bouncing some ideas around with another developer (ayoung) and >>> I think I have a pretty good

Re: [Freeipa-devel] [PATCH] Password vault

2015-06-09 Thread Martin Kosek
On 06/09/2015 11:13 PM, Endi Sukma Dewata wrote: > Please take a look at the attached patch to add symmetric & asymmetric vaults. > Some comments about the patch: > > 1. The vault_add was split into a client-side vault_add and server-side > vault_add_internal since the parameters are different (i.

[Freeipa-devel] #5056: Rename topologysegment-refresh to topologysegment-reinitialize

2015-06-09 Thread Martin Kosek
FYI, as mentioned in today's conversation, I filed the ticket to rename topologysegment-refresh to topologysegment-reinitialize: https://fedorahosted.org/freeipa/ticket/5056 If there are any objections, please shout. If not, Petr - you know what to do... -- Martin Kosek Supervisor, Software

Re: [Freeipa-devel] [PATCHES 00012-0013 v7] Profiles and CA ACLs

2015-06-07 Thread Martin Kosek
On 06/08/2015 03:31 AM, Fraser Tweedale wrote: > New patches attached. Comments inline. Thanks Fraser! ... >> 5) >> Missing referint plugin configuration for attribute >> 'ipacaaclmembercertprofile' >> Please add it into install/updates/25-referint.update (+ other member >> attributes if missing

Re: [Freeipa-devel] Password Maxlife 0 causes expiration of 90 days

2015-06-07 Thread Martin Kosek
On 06/05/2015 05:07 PM, Simo Sorce wrote: > On Fri, 2015-06-05 at 10:37 -0400, Drew Erny wrote: >> On 06/04/2015 05:41 PM, Alexander Bokovoy wrote: >>> On Thu, 04 Jun 2015, Drew Erny wrote: https://fedorahosted.org/freeipa/ticket/2795 I've tracked down the source of this bug; it's nu

Re: [Freeipa-devel] Suggestion for the A part of IPA

2015-06-05 Thread Martin Kosek
On 06/02/2015 10:29 AM, Innes, Duncan wrote: Just a bit of a heads-up and a refresh of this with perhaps some new data. Good to hear :-) We recently also started investigating the Audit capabilities for (notice I write "for" and not "in") IPA. You can check my initial nudge to the freeipa-use

Re: [Freeipa-devel] [PATCHES 00012-0013 v7] Profiles and CA ACLs

2015-06-04 Thread Martin Kosek
>>>>> On 02/06/15 14:11, Fraser Tweedale wrote: >>>>>> On Mon, Jun 01, 2015 at 05:22:28PM +1000, Fraser Tweedale wrote: >>>>>>> On Mon, Jun 01, 2015 at 05:10:58PM +1000, Fraser Tweedale wrote: >>>>>>>> On Fri, May 29, 2015

Re: [Freeipa-devel] [PATCH 0010] KeyError raised upon replica installation

2015-06-03 Thread Martin Kosek
On 06/03/2015 04:10 PM, Petr Vobornik wrote: > On 06/02/2015 02:20 PM, Ludwig Krispenz wrote: >> replicas installed from older versions do not have a binddn group >> just accept the error > > ACK > > Pushed to master: 8457edc14dade724b486540800bcdafb7d9a6f76 > > Note that this group will be pop

Re: [Freeipa-devel] Database error on replicas

2015-06-03 Thread Martin Kosek
On 06/03/2015 10:33 AM, Oleg Fayans wrote: > Hi, > > With the latest freeipa code containing Topology plugin patches, I am unable > to > make any changes in replicas. > > I have the following topology: > replica1 <=> master <=> replica3 > Here is the output of the ipa topologysegment-find comman

Re: [Freeipa-devel] [PATCH] Password vault

2015-06-03 Thread Martin Kosek
On 06/02/2015 08:34 PM, Simo Sorce wrote: > On Tue, 2015-06-02 at 12:04 +0200, Jan Cholasta wrote: >> Dne 2.6.2015 v 02:02 Endi Sukma Dewata napsal(a): >>> On 5/28/2015 12:46 AM, Jan Cholasta wrote: > On a related note, since KRA is optional, can we move the vaults > container to cn=kra,cn=

Re: [Freeipa-devel] [PATCH] Password vault

2015-06-02 Thread Martin Kosek
On 06/02/2015 11:22 PM, Alexander Bokovoy wrote: > On Tue, 02 Jun 2015, Endi Sukma Dewata wrote: >> Please take a look at the new patch. >> >> On 6/2/2015 10:05 AM, Martin Kosek wrote: >>>>> 4) In the vault-archive forward method, you use "pki" m

Re: [Freeipa-devel] [PATCH 0010] KeyError raised upon replica installation

2015-06-02 Thread Martin Kosek
On 06/02/2015 06:00 PM, Alexander Bokovoy wrote: On Tue, 02 Jun 2015, Simo Sorce wrote: On Tue, 2015-06-02 at 17:45 +0200, Martin Kosek wrote: On 06/02/2015 05:41 PM, Alexander Bokovoy wrote: > On Tue, 02 Jun 2015, Martin Kosek wrote: >> On 06/02/2015 05:32 PM, Alexander Bokovoy wrot

Re: [Freeipa-devel] [PATCHES 0001-0013 v5.1] Profiles and CA ACLs

2015-06-02 Thread Martin Kosek
On 06/02/2015 06:37 PM, Martin Basti wrote: On 02/06/15 14:11, Fraser Tweedale wrote: On Mon, Jun 01, 2015 at 05:22:28PM +1000, Fraser Tweedale wrote: ... 4) * Maybe I do everything wrong :) I'm not able to create certificate stored in FILE, via ipa-getcert request. I'm getting error: statu

Re: [Freeipa-devel] [PATCH 0010] KeyError raised upon replica installation

2015-06-02 Thread Martin Kosek
On 06/02/2015 05:41 PM, Alexander Bokovoy wrote: > On Tue, 02 Jun 2015, Martin Kosek wrote: >> On 06/02/2015 05:32 PM, Alexander Bokovoy wrote: >>> On Tue, 02 Jun 2015, Martin Kosek wrote: >>>> On 06/02/2015 05:24 PM, Ludwig Krispenz wrote: >>>>> >

Re: [Freeipa-devel] [PATCH 0010] KeyError raised upon replica installation

2015-06-02 Thread Martin Kosek
On 06/02/2015 05:32 PM, Alexander Bokovoy wrote: > On Tue, 02 Jun 2015, Martin Kosek wrote: >> On 06/02/2015 05:24 PM, Ludwig Krispenz wrote: >>> >>> On 06/02/2015 05:16 PM, Martin Kosek wrote: >>>> On 06/02/2015 05:08 PM, Ludwig Krispenz wrote: >>

Re: [Freeipa-devel] [PATCH 0010] KeyError raised upon replica installation

2015-06-02 Thread Martin Kosek
On 06/02/2015 05:24 PM, Ludwig Krispenz wrote: > > On 06/02/2015 05:16 PM, Martin Kosek wrote: >> On 06/02/2015 05:08 PM, Ludwig Krispenz wrote: >>> On 06/02/2015 03:53 PM, Petr Vobornik wrote: >>>> On 06/02/2015 02:20 PM, Ludwig Krispenz wrote: >>>

Re: [Freeipa-devel] [PATCH 0010] KeyError raised upon replica installation

2015-06-02 Thread Martin Kosek
On 06/02/2015 05:08 PM, Ludwig Krispenz wrote: > > On 06/02/2015 03:53 PM, Petr Vobornik wrote: >> On 06/02/2015 02:20 PM, Ludwig Krispenz wrote: >>> >>> On 06/02/2015 12:09 PM, Oleg Fayans wrote: Hi all, The following error was caught during replica installation (I used all th

Re: [Freeipa-devel] [PATCH] Password vault

2015-06-02 Thread Martin Kosek
On 06/02/2015 02:07 PM, Endi Sukma Dewata wrote: > On 6/2/2015 1:10 AM, Martin Kosek wrote: >> Hi Endi, >> >> Quickly skimming through your patches raised couple questions on my side: >> >> 1) Will it be possible to also store plain text password via Vault? It

Re: [Freeipa-devel] [PATCH 0329] ipa-replica-manage: Do not allow topology altering commands

2015-06-02 Thread Martin Kosek
On 06/02/2015 02:19 PM, Martin Babinsky wrote: > On 06/02/2015 02:10 PM, Tomas Babej wrote: >> Hi, >> >> With Domain Level 1 and above, the usage of ipa-replica-manage commands >> that alter the replica topology is deprecated. Following commands >> are prohibited: >> >> * connect >> * disconnect >>

Re: [Freeipa-devel] [PATCH] Password vault

2015-06-02 Thread Martin Kosek
On 06/02/2015 12:04 PM, Jan Cholasta wrote: > Dne 2.6.2015 v 02:02 Endi Sukma Dewata napsal(a): >> On 5/28/2015 12:46 AM, Jan Cholasta wrote: On a related note, since KRA is optional, can we move the vaults container to cn=kra,cn=vaults? This is the convention used by the other option

Re: [Freeipa-devel] [PATCH] Password vault

2015-06-01 Thread Martin Kosek
On 06/02/2015 02:00 AM, Endi Sukma Dewata wrote: Please take a look at the updated patch. On 5/27/2015 12:39 AM, Jan Cholasta wrote: 21) vault_archive is not a retrieve operation, it should be based on LDAPUpdate instead of LDAPRetrieve. Or Command actually, since it does not do anything with L

Re: [Freeipa-devel] [PATCH 429] replica-install: Allow install on top of already configured client

2015-05-29 Thread Martin Kosek
On 05/28/2015 03:35 PM, Jan Cholasta wrote: Dne 26.5.2015 v 17:49 Jan Cholasta napsal(a): Dne 20.5.2015 v 17:27 Jan Cholasta napsal(a): Hi, the attached patch implements the initial bits for . Test by running ipa-client-install and then ipa-replic

Re: [Freeipa-devel] [PATCHES 0001-0013 v5] Profiles and CA ACLs

2015-05-29 Thread Martin Kosek
On 05/29/2015 11:21 AM, Martin Basti wrote: On 29/05/15 06:17, Fraser Tweedale wrote: On Thu, May 28, 2015 at 02:42:53PM +0200, Martin Basti wrote: On 28/05/15 11:48, Martin Basti wrote: On 27/05/15 16:04, Fraser Tweedale wrote: Hello all, Fresh certificate management patchset; Changelog: -

Re: [Freeipa-devel] #4905: [RFE] Allow Kerberos authentication for users with certificates on smart cards (pkinit)

2015-05-29 Thread Martin Kosek
On 05/29/2015 12:33 PM, Sumit Bose wrote: On Fri, May 29, 2015 at 12:10:24PM +0200, Martin Kosek wrote: On 05/29/2015 11:26 AM, Sumit Bose wrote: On Fri, May 29, 2015 at 10:38:41AM +0200, Martin Kosek wrote: Hello all, I would like to discuss the scope needed for ticket 4905 [1]. This is

Re: [Freeipa-devel] topology + domainlevels + testing

2015-05-29 Thread Martin Kosek
rtin On 05/29/2015 12:02 PM, Martin Kosek wrote: On 05/29/2015 11:28 AM, Oleg Fayans wrote: Hi all, Is there already a separate testplan for Domain Levels feature? If not, should I probably take care of domainlevel-specific testcases in the scope of the Topology testplan, since these

Re: [Freeipa-devel] #4905: [RFE] Allow Kerberos authentication for users with certificates on smart cards (pkinit)

2015-05-29 Thread Martin Kosek
On 05/29/2015 11:26 AM, Sumit Bose wrote: On Fri, May 29, 2015 at 10:38:41AM +0200, Martin Kosek wrote: Hello all, I would like to discuss the scope needed for ticket 4905 [1]. This is mostly question for Sumit as he is working on the SSSD SC support. The main minimal target is to allow SSSD

Re: [Freeipa-devel] topology* commands not exported through ipalib.api.Command

2015-05-29 Thread Martin Kosek
On 05/29/2015 12:06 PM, Oleg Fayans wrote: Hi Martin, Thanks for the clarification! On 05/29/2015 12:05 PM, Martin Kosek wrote: On 05/29/2015 12:01 PM, Oleg Fayans wrote: Hi Ludwig, Should topology plugin export its commands through ipalib.api? Currently when I import ipalib.ap

Re: [Freeipa-devel] topology* commands not exported through ipalib.api.Command

2015-05-29 Thread Martin Kosek
On 05/29/2015 12:01 PM, Oleg Fayans wrote: Hi Ludwig, Should topology plugin export its commands through ipalib.api? Currently when I import ipalib.api and inspect available commands in api.Command, there are no topology-specific commands. The full list of commands currently exported through th

Re: [Freeipa-devel] topology + domainlevels + testing

2015-05-29 Thread Martin Kosek
On 05/29/2015 11:28 AM, Oleg Fayans wrote: Hi all, Is there already a separate testplan for Domain Levels feature? If not, should I probably take care of domainlevel-specific testcases in the scope of the Topology testplan, since these features are closely correlated right now? Another question

[Freeipa-devel] #4905: [RFE] Allow Kerberos authentication for users with certificates on smart cards (pkinit)

2015-05-29 Thread Martin Kosek
c for FreeIPA 4.2 or FreeIPA 4.2.x. [1] https://fedorahosted.org/freeipa/ticket/4905 [2] http://www.freeipa.org/page/V4/User_Certificates [3] https://fedorahosted.org/freeipa/ticket/55#comment:3 [4] https://git.fedorahosted.org/cgit/freeipa.git/tree/ipalib/plugins/pkinit.py -- Martin Kosek Super

Re: [Freeipa-devel] Testing Migration

2015-05-29 Thread Martin Kosek
On 05/28/2015 09:47 PM, Drew Erny wrote: Hi, freeipa-devel, More newbie questions. I have what I believe to be a fix for Ticket #2547 (https://fedorahosted.org/freeipa/ticket/2547) written, but I need to test this fix. I need to migrate an LDAP database that is in the previously expected for (al

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Martin Kosek
On 05/28/2015 05:53 PM, Ludwig Krispenz wrote: On 05/28/2015 05:35 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 17:18 +0200, Ludwig Krispenz wrote: On 05/28/2015 05:03 PM, Martin Kosek wrote: On 05/28/2015 04:59 PM, Ludwig Krispenz wrote: On 05/28/2015 04:46 PM, Simo Sorce wrote: On Thu

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Martin Kosek
On 05/28/2015 04:59 PM, Ludwig Krispenz wrote: > > On 05/28/2015 04:46 PM, Simo Sorce wrote: >> On Thu, 2015-05-28 at 15:54 +0200, Ludwig Krispenz wrote: >>> On 05/28/2015 03:26 PM, Simo Sorce wrote: >>>> On Thu, 2015-05-28 at 14:11 +0200, Petr Spacek wrote: >

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Martin Kosek
On 05/28/2015 04:57 PM, Simo Sorce wrote: > On Thu, 2015-05-28 at 16:14 +0200, Martin Kosek wrote: >> On 05/28/2015 04:07 PM, Simo Sorce wrote: >>> On Thu, 2015-05-28 at 16:02 +0200, Martin Kosek wrote: >>>> On 05/28/2015 04:00 PM, Simo Sorce wrote: >>>>

Re: [Freeipa-devel] Sudorules user validation help

2015-05-28 Thread Martin Kosek
if we choose to ignore the pattern, we do not need the extra validator function at all. We would just skip validation in the pre callback if a user is being added. > > On 05/28/2015 09:40 AM, Drew Erny wrote: >> OK, I see now what you mean by that. That is a simpler solution. I'll

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Martin Kosek
On 05/28/2015 04:14 PM, Ludwig Krispenz wrote: > > On 05/28/2015 04:04 PM, Martin Kosek wrote: >> On 05/28/2015 04:04 PM, Ludwig Krispenz wrote: >>> On 05/28/2015 04:00 PM, Martin Kosek wrote: >>>> On 05/28/2015 03:57 PM, Ludwig Krispenz wrote: >>>>

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Martin Kosek
On 05/28/2015 04:07 PM, Simo Sorce wrote: > On Thu, 2015-05-28 at 16:02 +0200, Martin Kosek wrote: >> On 05/28/2015 04:00 PM, Simo Sorce wrote: >>> On Thu, 2015-05-28 at 15:47 +0200, Martin Kosek wrote: >>>> On 05/27/2015 04:59 PM, Martin Kosek wrote: >>>

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Martin Kosek
On 05/28/2015 04:04 PM, Ludwig Krispenz wrote: > > On 05/28/2015 04:00 PM, Martin Kosek wrote: >> On 05/28/2015 03:57 PM, Ludwig Krispenz wrote: >>> On 05/28/2015 03:47 PM, Martin Kosek wrote: >>>> On 05/27/2015 04:59 PM, Martin Kosek wrote: >>>> ..

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Martin Kosek
On 05/28/2015 04:00 PM, Simo Sorce wrote: > On Thu, 2015-05-28 at 15:47 +0200, Martin Kosek wrote: >> On 05/27/2015 04:59 PM, Martin Kosek wrote: >> ... >>> Domain Levels >>> - Done, committed >>> - Defaults to Level 1, i.e. Topology plugin powered i

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Martin Kosek
On 05/28/2015 03:57 PM, Ludwig Krispenz wrote: > > On 05/28/2015 03:47 PM, Martin Kosek wrote: >> On 05/27/2015 04:59 PM, Martin Kosek wrote: >> ... >>> Domain Levels >>> - Done, committed >>> - Defaults to Level 1, i.e. Topology plugin powered in

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Martin Kosek
On 05/27/2015 04:59 PM, Martin Kosek wrote: ... > Domain Levels > - Done, committed > - Defaults to Level 1, i.e. Topology plugin powered infra enabled With respect to Simo's related response in http://www.redhat.com/archives/freeipa-devel/2015-May/msg00553.html Would we want to e

Re: [Freeipa-devel] [PATCH 0014] Support multiple user and host certificates

2015-05-28 Thread Martin Kosek
On 05/28/2015 02:29 PM, Petr Spacek wrote: > On 28.5.2015 12:06, Fraser Tweedale wrote: >> On Thu, May 28, 2015 at 11:52:25AM +0200, Martin Kosek wrote: >>> On 05/28/2015 11:17 AM, Martin Basti wrote: >>>> On 28/05/15 10:46, Martin Kosek wrote: >>>>

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Martin Kosek
On 05/28/2015 03:06 PM, Simo Sorce wrote: > On Thu, 2015-05-28 at 07:42 +0200, Jan Cholasta wrote: >> Dne 27.5.2015 v 15:54 Simo Sorce napsal(a): >>> On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote: Dne 27.5.2015 v 15:43 Simo Sorce napsal(a): > On Wed, 2015-05-27 at 13:57 +0200, Jan

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Martin Kosek
On 05/28/2015 12:27 PM, Alexander Bokovoy wrote: > On Thu, 28 May 2015, Christian Heimes wrote: >> On 2015-05-28 12:10, Petr Spacek wrote: I see. My question is - if we go this way, what is then the reasonable subset configuration functionality realistic for FreeIPA 4.2 GA? (As we w

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Martin Kosek
On 05/28/2015 11:12 AM, Alexander Bokovoy wrote: > On Thu, 28 May 2015, Petr Spacek wrote: >> On 28.5.2015 07:42, Jan Cholasta wrote: >>> Dne 27.5.2015 v 15:54 Simo Sorce napsal(a): On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote: > Dne 27.5.2015 v 15:43 Simo Sorce napsal(a): >>

Re: [Freeipa-devel] [PATCH 0014] Support multiple user and host certificates

2015-05-28 Thread Martin Kosek
On 05/28/2015 11:17 AM, Martin Basti wrote: > On 28/05/15 10:46, Martin Kosek wrote: >> On 05/27/2015 06:12 PM, Martin Basti wrote: >>> On 27/05/15 15:53, Fraser Tweedale wrote: >>>> This patch adds supports for multiple user / host certificates. No >>>>

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Martin Kosek
On 05/28/2015 09:05 AM, Petr Spacek wrote: > On 28.5.2015 08:55, Jan Cholasta wrote: >> Dne 26.5.2015 v 16:32 Petr Spacek napsal(a): >>> On 26.5.2015 16:16, Martin Kosek wrote: >>>> On 05/26/2015 04:13 PM, thierry bordaz wrote: >>>>> On 05/26/2

Re: [Freeipa-devel] [PATCH 0014] Support multiple user and host certificates

2015-05-28 Thread Martin Kosek
On 05/27/2015 06:12 PM, Martin Basti wrote: > On 27/05/15 15:53, Fraser Tweedale wrote: >> This patch adds support for multiple user / host certificates. No >> schema change is needed ('usercertificate' attribute is already >> multi-value). The revoke-previous-cert behaviour of host-mod and >> u

Re: [Freeipa-devel] Sudorules user validation help

2015-05-28 Thread Martin Kosek
On 05/27/2015 08:41 PM, Drew Erny wrote: > Hey, Freeipa-devel, > > I'm working on ticket #3226 (https://fedorahosted.org/freeipa/ticket/3226) > > I've identified the problem. The sudorules add user command adds the user > validations at the end of its pre-callback using add_external_pre_callback

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Martin Kosek
On 05/27/2015 05:05 PM, Oleg Fayans wrote: > > > On 05/27/2015 04:59 PM, Martin Kosek wrote: >> Hello all, >> >> As FreeIPA 4.2 deadlines are approaching us slowly, there is a concern that >> not >> all of the new replica install way (replication-package-

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Martin Kosek
On 05/28/2015 07:29 AM, Jan Cholasta wrote: > Dne 27.5.2015 v 15:51 Nathaniel McCallum napsal(a): >> On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote: >>> Dne 27.5.2015 v 15:43 Simo Sorce napsal(a): On Wed, 2015-05-27 at 13:57 +0200, Jan Cholasta wrote: >>> >>> ipa config-mod

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Martin Kosek
On 05/28/2015 10:02 AM, Jan Cholasta wrote: > Dne 28.5.2015 v 09:45 Christian Heimes napsal(a): >> On 2015-05-28 07:32, Jan Cholasta wrote: >>> Dne 27.5.2015 v 16:01 Christian Heimes napsal(a): On 2015-05-27 15:51, Nathaniel McCallum wrote: > As I understand the problem, there is an assump

[Freeipa-devel] New replica installation and topology - we need stable base

2015-05-27 Thread Martin Kosek
ce? I am for example not sure if the "IPA masters" hostgroup is needed for Topology work without Custodia, I think Ludwig used some other group for authorization purposes in Topology. Thanks. -- Martin Kosek Supervisor, Software Engineering - Identity Management Team Red Hat Inc.

Re: [Freeipa-devel] Fix password changes via kadmin

2015-05-27 Thread Martin Kosek
On 05/27/2015 03:55 PM, Alexander Bokovoy wrote: > On Wed, 27 May 2015, Simo Sorce wrote: >> On Wed, 2015-05-27 at 15:25 +0200, Martin Babinsky wrote: >>> On 05/25/2015 10:48 AM, Martin Babinsky wrote: >>> > On 04/06/2015 12:53 AM, Simo Sorce wrote: >>> >> Fix for bug 4914. >>> >> >>> >> I've teste

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-27 Thread Martin Kosek
On 05/27/2015 01:33 PM, Christian Heimes wrote: > On 2015-05-27 11:59, Martin Kosek wrote: >> On 05/27/2015 11:53 AM, Alexander Bokovoy wrote: >>> On Wed, 27 May 2015, Martin Kosek wrote: >>>> On 05/26/2015 05:40 PM, Jan Cholasta wrote: >>>>> Dn

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-27 Thread Martin Kosek
On 05/26/2015 04:32 PM, Petr Spacek wrote: > On 26.5.2015 16:16, Martin Kosek wrote: ... > If you really want to avoid unforeseen issues rather go and get rid of > "major.minor" logic we have in the topology plugin right now :-) Ludwig, I thought we agreed to avoid using major.

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-27 Thread Martin Kosek
On 05/27/2015 11:53 AM, Alexander Bokovoy wrote: > On Wed, 27 May 2015, Martin Kosek wrote: >> On 05/26/2015 05:40 PM, Jan Cholasta wrote: >>> Dne 22.5.2015 v 12:24 Christian Heimes napsal(a): >> ... >>>> Finally I haven't figured out the best way to config

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-27 Thread Martin Kosek
On 05/26/2015 05:40 PM, Jan Cholasta wrote: > Dne 22.5.2015 v 12:24 Christian Heimes napsal(a): ... >> Finally I haven't figured out the best way to configure the instance. An >> admin should be able to enable / disable KDC proxy. Should I write a >> script or an ipa plugin for the job? > > A scrip

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-26 Thread Martin Kosek
On 05/26/2015 04:17 PM, Christian Heimes wrote: On 2015-05-26 15:57, Nathaniel McCallum wrote: /KdcProxy "The URI uses the virtual directory /KdcProxy unless otherwise configured." https://msdn.microsoft.com/en-us/library/hh553891.aspx Also, the proxy should be available over both HTTP and HT

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-26 Thread Martin Kosek
On 05/26/2015 04:13 PM, thierry bordaz wrote: On 05/26/2015 02:12 PM, Petr Spacek wrote: Hello, it came to my mind that domain level for topology plugin should actually be number 2, not 1. We already used number 1 for incompatible changes in DNS tree and I believe that it is not a good idea to

Re: [Freeipa-devel] [PATCH] 1112 Add service constraint delegation plugin

2015-05-26 Thread Martin Kosek
On 05/20/2015 06:02 PM, Rob Crittenden wrote: Rob Crittenden wrote: Rob Crittenden wrote: Add a plugin to manage service delegations, like the one allowing the HTTP service to obtain an ldap service ticket on behalf of the user. This does not include impersonation targets, so one cannot yet li

Re: [Freeipa-devel] [PATCHES 145-148] ipa-kdb: add unit-test for filter_logon_info()

2015-05-26 Thread Martin Kosek
On 05/26/2015 01:33 PM, Sumit Bose wrote: Hi, these patches add some unit tests and some additional improvements related to the issues described in https://bugzilla.redhat.com/show_bug.cgi?id=1222475 . The original issue is fixed by a patch from Alexander attached to the ticket. The first patch

[Freeipa-devel] [PATCH] 496 Fix typo in ipa-server-upgrade man page

2015-05-25 Thread Martin Kosek
Pushed to master (oneliner): d0a330aa1ce250da3ab552f6517945c7cf871ad1 -- Martin Kosek Supervisor, Software Engineering - Identity Management Team Red Hat Inc. From c0642ba63f41d269d3208bf9fc69da0503aff3fa Mon Sep 17 00:00:00 2001 From: Martin Kosek Date: Tue, 26 May 2015 07:52:50 +0200 Subject

Re: [Freeipa-devel] Yet another user certificates/Smart Card thread

2015-05-25 Thread Martin Kosek
On 05/25/2015 04:40 PM, Jan Cholasta wrote: Dne 25.5.2015 v 16:26 Fraser Tweedale napsal(a): On Mon, May 25, 2015 at 03:56:46PM +0200, Martin Kosek wrote: On 05/25/2015 03:13 PM, Jan Cholasta wrote: Hi, Dne 25.5.2015 v 14:55 Martin Babinsky napsal(a): Hello all, long post ahead! I became a

Re: [Freeipa-devel] Yet another user certificates/Smart Card thread

2015-05-25 Thread Martin Kosek
On 05/25/2015 04:19 PM, Martin Babinsky wrote: > On 05/25/2015 03:56 PM, Martin Kosek wrote: >> On 05/25/2015 03:13 PM, Jan Cholasta wrote: >>> Hi, >>> >>> Dne 25.5.2015 v 14:55 Martin Babinsky napsal(a): >>>> Hello all, long post ahead! >>>

Re: [Freeipa-devel] Yet another user certificates/Smart Card thread

2015-05-25 Thread Martin Kosek
On 05/25/2015 03:13 PM, Jan Cholasta wrote: > Hi, > > Dne 25.5.2015 v 14:55 Martin Babinsky napsal(a): >> Hello all, long post ahead! >> >> I became a proud owner of https://fedorahosted.org/freeipa/ticket/4238, >> and while Martin's design page >> (http://www.freeipa.org/page/V4/User_Certificates

Re: [Freeipa-devel] using pyhbac for CA ACLs

2015-05-25 Thread Martin Kosek
On 05/25/2015 09:35 AM, Fraser Tweedale wrote: > Hi everyone, > > CA ACLs (the forthcoming `caacl' plugin) will be used to declare > which users/hosts/services can get certificates from which CAs and > profiles. For v4.2, we will enforce the ACLs in the framework; the > plan is to move ACL enforc

Re: [Freeipa-devel] proposal: new API command to list IPA servers

2015-05-22 Thread Martin Kosek
On 05/21/2015 04:29 PM, Rob Crittenden wrote: Petr Vobornik wrote: Hi all, the proposal is to create the following two commands: ipa server-find ipa server-show FQDN These commands will display a list of IPA servers stored in cn=masters,cn=ipa,cn=etc,$SUFFIX No mod and add commands atm. They c

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-22 Thread Martin Kosek
On 05/22/2015 12:24 PM, Christian Heimes wrote: Hello, since May 1st I'm a new Red Hat employee and developer with the FreeIPA team. Some of you may already recognize my name from my contributions to CPython core, Python security and TLS/SSL improvements, or a couple of PEPs. I'm very glad that

Re: [Freeipa-devel] [PATCH 0376] Add schema for unknown record types

2015-05-22 Thread Martin Kosek
On 05/22/2015 09:17 AM, Martin Basti wrote: On 21/05/15 12:42, Petr Spacek wrote: Hello, Add schema for unknown record types. This patch complements my previous patch 367. The change was pushed to https://github.com/pspacek/bind-dyndb-ldap/tree/unknown_record_types , too. ACK Hmmm, I w

Re: [Freeipa-devel] [PATCHES 0001-0011 v3] Profile management

2015-05-22 Thread Martin Kosek
On 05/21/2015 05:33 PM, Martin Basti wrote: On 20/05/15 16:41, Fraser Tweedale wrote: Hi Honza, Martin et al, Latest patches attached. On top of previous patches (most review matters addressed**) patches 0008..0011 add support for profiles and user certificates to `ipa cert-request'. ** those

Re: [Freeipa-devel] certprofiles -- problem with delete

2015-05-21 Thread Martin Kosek
On 05/21/2015 03:10 PM, Fraser Tweedale wrote: > On Thu, May 21, 2015 at 02:36:14PM +0200, Milan Kubik wrote: >> Hi Fraser and list, >> >> I ran into this when I was tinkering with the commands. >> >> The ipa certprofile plugin[s] does not take the backend result into the >> picture right now. When

Re: [Freeipa-devel] [TEST PLAN] User lifecycle plugin

2015-05-20 Thread Martin Kosek
On 05/19/2015 05:54 PM, thierry bordaz wrote: > On 05/13/2015 05:54 PM, Martin Basti wrote: >> On 13/05/15 17:44, David Kupka wrote: >>> On 05/13/2015 02:57 PM, Lenka Ryznarova wrote: Hi, I've prepared test plan design for User Lifecycle Plugin - [1]. Please review and let me kn

Re: [Freeipa-devel] [PATCH 0325] Add Domain Level feature

2015-05-19 Thread Martin Kosek
On 05/19/2015 03:56 PM, Tomas Babej wrote: > > > On 05/19/2015 03:51 PM, Martin Kosek wrote: >> On 05/19/2015 03:49 PM, Ludwig Krispenz wrote: >>> On 05/19/2015 03:36 PM, Martin Kosek wrote: >>>> On 05/19/2015 03:22 PM, Tomas Babej wrote: >>>> ...

Re: [Freeipa-devel] [PATCH 0325] Add Domain Level feature

2015-05-19 Thread Martin Kosek
On 05/19/2015 03:49 PM, Ludwig Krispenz wrote: > > On 05/19/2015 03:36 PM, Martin Kosek wrote: >> On 05/19/2015 03:22 PM, Tomas Babej wrote: >> ... >>>> 3) Domain level is just a single integer and it should be treated as such, >>>> there's no need

Re: [Freeipa-devel] [PATCH 0325] Add Domain Level feature

2015-05-19 Thread Martin Kosek
On 05/19/2015 03:22 PM, Tomas Babej wrote: ... >> 3) Domain level is just a single integer and it should be treated as such, >> there's no need for an LDAPObject plugin and other unnecessary complexities. >> The implementation could be as simple as (from top of my head, untested): > > That's right,

Re: [Freeipa-devel] ipa wiki formatting

2015-05-18 Thread Martin Kosek
On 05/18/2015 02:51 PM, Ludwig Krispenz wrote: > Hi, > > for our docs on the wiki there is a table of contents, which is created from > the section headers and the sections in the table of contents are automatically > numbered, eg > > 1. first chapter > 1.1 subchapter > 1.2 next sub > 2. second >

Re: [Freeipa-devel] Revoking user/service/host certificates

2015-05-18 Thread Martin Kosek
On 05/18/2015 03:36 PM, Fraser Tweedale wrote: > On Mon, May 18, 2015 at 11:51:41AM +0200, Martin Kosek wrote: >> Hi Fraser (and list), >> >> Recently, we have proposed 2 new policies for treating user/host/service >> certificates based on the per-profile policy: >

[Freeipa-devel] Revoking user/service/host certificates

2015-05-18 Thread Martin Kosek
the profile me stored in the certificate itself, just like MS CA does for some certificates? Thanks. -- Martin Kosek Supervisor, Software Engineering - Identity Management Team Red Hat Inc.

Re: [Freeipa-devel] [PATCH] 0005 User life cycle: del/mod/find/show stageuser commands

2015-05-18 Thread Martin Kosek
On 05/15/2015 04:44 PM, David Kupka wrote: > Hello Thierry, > thanks for the patch set. Overall functionality of ULC feature looks good to > me and is definitely "alpha ready". > > I found the following issues but don't insist on fixing them right now: Given we are now only fixing bugs and not doing b

Re: [Freeipa-devel] Wiki: automatic bookkeeping of Design documents

2015-05-15 Thread Martin Kosek
On 05/06/2015 08:47 AM, Martin Kosek wrote: Hello all, Knowing the sorry and unmaintained state of the pages collecting links to our designs [1][2], I think we need to execute the second half of my evil plan for Design Document management. We have the Feature design box (see top right corner

Re: [Freeipa-devel] ipa-replica-manage del fails to delete host entry

2015-05-11 Thread Martin Kosek
On 05/06/2015 03:07 PM, Tomas Babej wrote: > > > On 05/06/2015 02:47 PM, Ludwig Krispenz wrote: >> >> Hi, >> in recent posts about corrupted ruvs, there also was the error about failing >> cleanup, like: >> >> ipa-replica-manage del vm-162.idm.lab.eng.brq.redhat.com >> >> .. >> Failed to cleanup

Re: [Freeipa-devel] Domain Level feature kick-off

2015-05-11 Thread Martin Kosek
On 05/11/2015 04:34 PM, Jan Cholasta wrote: > On 11.5.2015 at 16:29 Petr Vobornik wrote: >> On 05/11/2015 04:13 PM, Jan Cholasta wrote: >>> On 11.5.2015 at 15:56 Martin Kosek wrote: >>>> On 05/11/2015 03:50 PM, Jan Cholasta wrote: >>>>>

Re: [Freeipa-devel] Domain Level feature kick-off

2015-05-11 Thread Martin Kosek
On 05/11/2015 03:50 PM, Jan Cholasta wrote: > On 11.5.2015 at 15:34 Martin Kosek wrote: >> On 05/11/2015 03:18 PM, Jan Cholasta wrote: >>> On 6.5.2015 at 09:29 Martin Kosek wrote: >>>> Hello, >>>> >>>> as already discussed in Decem

Re: [Freeipa-devel] Domain Level feature kick-off

2015-05-11 Thread Martin Kosek
On 05/11/2015 03:18 PM, Jan Cholasta wrote: > On 6.5.2015 at 09:29 Martin Kosek wrote: >> Hello, >> >> as already discussed in December [1], we will need to implement domain levels >> in FreeIPA 4.2 to make sure we can manage the replication agreement by >> To

Re: [Freeipa-devel] Wiki: automatic bookkeeping of Design documents

2015-05-06 Thread Martin Kosek
On 05/06/2015 12:20 PM, Petr Vobornik wrote: > On 05/06/2015 08:47 AM, Martin Kosek wrote: >> Hello all, >> >> Knowing the sorry and unmaintained state of the pages collecting links to >> our >> designs [1][2], I think we need to execute the second half of my evi

[Freeipa-devel] Domain Level feature kick-off

2015-05-06 Thread Martin Kosek
.html [3] https://fedorahosted.org/freeipa/ticket/5018 [4] http://www.redhat.com/archives/freeipa-devel/2015-April/msg00096.html -- Martin Kosek Supervisor, Software Engineering - Identity Management Team Red Hat Inc. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/m

Re: [Freeipa-devel] User Certificates in 4.2 - design and questions

2015-05-05 Thread Martin Kosek
On 05/05/2015 08:38 AM, Martin Kosek wrote: > On 05/04/2015 09:23 PM, Simo Sorce wrote: >> On Mon, 2015-05-04 at 16:41 +0200, Martin Kosek wrote: ... >> So I am fine *not* revoking certs automatically and instead documenting >> best practices for certs lifecycle management (i

[Freeipa-devel] Wiki: automatic bookkeeping of Design documents

2015-05-05 Thread Martin Kosek
it's worth it. [1] http://www.freeipa.org/page/V4_Proposals [2] http://www.freeipa.org/page/V4_Designs [3] http://www.freeipa.org/page/V4/User_Certificates [4] http://www.freeipa.org/page/Talk:V4_Designs -- Martin Kosek Supervisor, Software Engineering - Identity Management Team Red

Re: [Freeipa-devel] [PATCH 424] install: Introduce installer framework ipapython.install

2015-05-05 Thread Martin Kosek
On 04/29/2015 06:25 PM, Jan Cholasta wrote: > On 20.4.2015 at 16:56 Jan Cholasta wrote: >> On 20.4.2015 at 15:14 Martin Basti wrote: >>> On 17/04/15 16:15, Jan Cholasta wrote: On 16.4.2015 at 16:46 Jan Cholasta wrote: > Hi, > > the attached patch adds the basics of the

Re: [Freeipa-devel] User Certificates in 4.2 - design and questions

2015-05-04 Thread Martin Kosek
On 05/04/2015 09:23 PM, Simo Sorce wrote: > On Mon, 2015-05-04 at 16:41 +0200, Martin Kosek wrote: >> On 05/04/2015 03:01 PM, Fraser Tweedale wrote: >>> On Mon, May 04, 2015 at 10:50:15AM +0200, Martin Kosek wrote: >>>> Hello, >>>> >>>> Please

Re: [Freeipa-devel] User Certificates in 4.2 - design and questions

2015-05-04 Thread Martin Kosek
On 05/04/2015 03:01 PM, Fraser Tweedale wrote: > On Mon, May 04, 2015 at 10:50:15AM +0200, Martin Kosek wrote: >> Hello, >> >> Please let me promote the design for one of the major FreeIPA 4.2 features, >> the >> (user) certificates and Smart Card integration: >

[Freeipa-devel] User Certificates in 4.2 - design and questions

2015-05-04 Thread Martin Kosek
hem, regardless whether they are stored in userCertificate attribute or not? Thanks. -- Martin Kosek Supervisor, Software Engineering - Identity Management Team Red Hat Inc. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-deve

Re: [Freeipa-devel] [PATCHES 0227-0229] Server upgrade: introduce ipa-server-upgrade command

2015-04-29 Thread Martin Kosek
On 04/29/2015 12:59 PM, Martin Kosek wrote: > On 04/29/2015 12:50 PM, Martin Basti wrote: >> On 29/04/15 12:39, Martin Kosek wrote: >>> On 04/29/2015 12:15 PM, Martin Basti wrote: >>>> On 29/04/15 08:52, Jan Cholasta wrote: >>>>> On 29.4.2015 at 08:45

Re: [Freeipa-devel] [PATCHES 0227-0229] Server upgrade: introduce ipa-server-upgrade command

2015-04-29 Thread Martin Kosek
On 04/29/2015 12:50 PM, Martin Basti wrote: > On 29/04/15 12:39, Martin Kosek wrote: >> On 04/29/2015 12:15 PM, Martin Basti wrote: >>> On 29/04/15 08:52, Jan Cholasta wrote: >>>> On 29.4.2015 at 08:45 Martin Kosek wrote: >>>>> On 04/29/2015 07

Re: [Freeipa-devel] [PATCHES 0227-0229] Server upgrade: introduce ipa-server-upgrade command

2015-04-29 Thread Martin Kosek
On 04/29/2015 12:15 PM, Martin Basti wrote: > On 29/04/15 08:52, Jan Cholasta wrote: >> On 29.4.2015 at 08:45 Martin Kosek wrote: >>> On 04/29/2015 07:34 AM, Jan Cholasta wrote: ... >>>> The command line tool class should be named "ServerUpgrade"

Re: [Freeipa-devel] [PATCHES 0031-0032] set up a dedicated CCache file for Apache during install/upgrade

2015-04-29 Thread Martin Kosek
On 04/28/2015 05:42 PM, Martin Babinsky wrote: > The attached patches address https://fedorahosted.org/freeipa/ticket/4973 and > implement the solution proposed in Comment 2. > > Please review the hell out of them. Why did you split the work in 2 patches? It looks like you first did the first app
