Similarly to automount, a single permission is added for reading all the
trust objects.
Read access is given to all authenticated users.
--
Petr³
From a499784cbea2f1282a07629a94e67e14c14a35d0 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Wed, 26 Mar 2014 17:11:23 +0100
On 04/16/2014 02:55 PM, Simo Sorce wrote:
On Wed, 2014-04-16 at 13:31 +0200, Martin Kosek wrote:
On 04/16/2014 12:50 PM, Petr Viktorin wrote:
On 04/14/2014 04:00 PM, Simo Sorce wrote:
On Mon, 2014-04-14 at 12:55 +0200, Martin Kosek wrote:
When heading for a lunch today, I had a discussion
On 04/16/2014 03:58 PM, Martin Kosek wrote:
On 04/16/2014 03:52 PM, Simo Sorce wrote:
On Wed, 2014-04-16 at 10:35 +0200, Jan Cholasta wrote:
On 11.4.2014 13:31, Petr Viktorin wrote:
One of the default_attributes of permission is memberofindirect, a
virtual attribute manufactured by ldap2
On 04/16/2014 04:35 PM, Martin Kosek wrote:
On 04/15/2014 02:33 PM, Petr Viktorin wrote:
Read access to both rules and definitions is given to a new privilege,
'Automember Readers', as well as the existing 'Automember Task Administrator'.
This needs a mild rebase in 40-delegation.update. When
On 04/16/2014 03:04 PM, Simo Sorce wrote:
On Wed, 2014-04-16 at 15:00 +0200, Petr Viktorin wrote:
Simo, Rob, would you be OK with changing virtual operation
objectclass to our
own one to have a better control over it?
No, in general I am not ok to change objects that already exist in
IPA
On 04/16/2014 03:41 PM, Simo Sorce wrote:
On Wed, 2014-04-16 at 15:08 +0200, Martin Kosek wrote:
On 04/15/2014 04:55 PM, Petr Viktorin wrote:
Hello,
At Devconf, we decided what most of the default read permissions should look
like, but we did not get to user.
Here is a draft of 4 read
On 04/16/2014 04:21 PM, Misnyovszki Adam wrote:
On Wed, 16 Apr 2014 07:59:39 +0200
Martin Kosek mko...@redhat.com wrote:
On 04/15/2014 05:36 PM, Misnyovszki Adam wrote:
On Tue, 15 Apr 2014 12:51:47 +0200
Petr Viktorin pvikt...@redhat.com wrote:
On 04/15/2014 12:41 PM, Misnyovszki Adam wrote
On 04/15/2014 03:21 PM, Misnyovszki Adam wrote:
On Tue, 15 Apr 2014 09:54:22 +0200
Petr Vobornik pvobo...@redhat.com wrote:
OTP Token add failed because of invalid function call. qr_widget
doesn't contain `on_value_changed` method since it inherits from
`IPA.widget` and not from
On 04/17/2014 02:33 PM, Tomas Babej wrote:
ACK for 256 - 259.
On 04/01/2014 10:45 AM, Jan Cholasta wrote:
Hi,
while working with Martin Bašti on issues in his dns plugin patches we
ran into several limitations in the framework. The attached patches
remove these limitations.
Also, Tomáš Babej
Hello,
While working on the trust permissions I found a typo in the
'ipanttrustauthoutgoing' attribute in default_attributes. Here is a fix.
--
Petr³
From ef98055a524dffbe98098def896f40592a3fdac4 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Thu, 17 Apr 2014 19:06:52
On 04/09/2014 11:29 PM, Rob Crittenden wrote:
Rob Crittenden wrote:
Petr Viktorin wrote:
On 03/14/2014 07:58 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
On 03/12/2014 07:48 PM, Rob Crittenden wrote:
[...]
Here are a couple more enhancements I'm considering, this seems
simpler
than
On 04/18/2014 10:33 AM, Martin Kosek wrote:
FYI - I saw numerous questions about ipa tool backward compatibility (the
most recent is https://bugzilla.redhat.com/show_bug.cgi?id=1089015), so I
created a section about it:
http://www.freeipa.org/page/Client#Compatibility
and added it to FAQ.
On 04/18/2014 10:57 AM, Jan Cholasta wrote:
On 17.4.2014 16:58, Petr Viktorin wrote:
On 04/17/2014 02:33 PM, Tomas Babej wrote:
ACK for 256 - 259.
On 04/01/2014 10:45 AM, Jan Cholasta wrote:
Hi,
while working with Martin Bašti on issues in his dns plugin patches we
ran into several
On 04/17/2014 04:31 PM, Petr Viktorin wrote:
On 04/17/2014 12:22 PM, Tomas Babej wrote:
On 04/09/2014 01:33 PM, Petr Viktorin wrote:
On 04/09/2014 12:07 PM, Tomas Babej wrote:
Hi,
the following batch deals with the following:
* cleans up apache's semaphores prior to installing IPA (CA
On 04/18/2014 01:29 PM, Martin Kosek wrote:
On 04/18/2014 10:52 AM, Petr Viktorin wrote:
On 04/18/2014 10:33 AM, Martin Kosek wrote:
FYI - I saw numerous questions about ipa tool backward compatibility (the
most recent is https://bugzilla.redhat.com/show_bug.cgi?id=1089015), so I
created
.html
--
Petr³
From 25e7e954ddf97fd9dbae85d5708548c6b46a5fc9 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Thu, 17 Apr 2014 12:36:33 +0200
Subject: [PATCH] Add a new ipaVirtualOperation objectClass to virtual
operations
The entries are moved from the ldif file to an update
On 04/17/2014 10:12 PM, Alexander Bokovoy wrote:
On Thu, 17 Apr 2014, Simo Sorce wrote:
On Thu, 2014-04-17 at 20:30 +0200, Martin Kosek wrote:
On 04/17/2014 07:11 PM, Petr Viktorin wrote:
Hello,
While working on the trust permissions I found a typo in the
'ipanttrustauthoutgoing' attribute
On 04/18/2014 01:50 PM, Jan Cholasta wrote:
On 18.4.2014 12:43, Petr Viktorin wrote:
On 04/18/2014 10:57 AM, Jan Cholasta wrote:
On 17.4.2014 16:58, Petr Viktorin wrote:
On 04/17/2014 02:33 PM, Tomas Babej wrote:
ACK for 256 - 259.
On 04/01/2014 10:45 AM, Jan Cholasta wrote:
Hi,
while
On 04/22/2014 12:54 PM, Tomas Babej wrote:
On 04/18/2014 01:14 PM, Petr Viktorin wrote:
[...]
There are some test failures in
ipatests/test_integration/test_testconfig.py that I missed. This patch
fixes them. Does it look good to you?
Yes, thank you for the catch. ACK.
Thanks, pushed
On 04/18/2014 04:17 PM, Simo Sorce wrote:
On Fri, 2014-04-18 at 16:11 +0200, Martin Kosek wrote:
On 04/18/2014 04:07 PM, Simo Sorce wrote:
On Fri, 2014-04-18 at 15:49 +0200, Martin Kosek wrote:
On 04/18/2014 03:43 PM, Simo Sorce wrote:
On Fri, 2014-04-18 at 13:50 +0200, Petr Viktorin wrote
.
Does that sound reasonable?
--
Petr³
From 6cb4199fcc3a10a288734fff513b1e24bce45cd7 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Wed, 26 Mar 2014 17:11:23 +0100
Subject: [PATCH] Add managed read permissions to trust
A single permission is added to cover trust
On 04/18/2014 03:40 PM, Martin Kosek wrote:
On 04/18/2014 01:55 PM, Petr Viktorin wrote:
On 04/17/2014 10:12 PM, Alexander Bokovoy wrote:
On Thu, 17 Apr 2014, Simo Sorce wrote:
On Thu, 2014-04-17 at 20:30 +0200, Martin Kosek wrote:
On 04/17/2014 07:11 PM, Petr Viktorin wrote:
Hello,
While
On 04/14/2014 12:55 PM, Martin Kosek wrote:
[...]
dn: cn=masters,cn=ipa,cn=etc,SUFFIX
- ADD aci allowing reading hosts (to have it separate from global cn=etc one so
that we can once assign it only to ipamasters hostgroup for example)
We don't have an ipamasters hostgroup. Should we?
--
--
Petr³
From ed223228c277028f62de6dd7c01e752a99cb6cb2 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Thu, 27 Mar 2014 15:36:54 +0100
Subject: [PATCH] Add support for non-plugin default permissions
Add support for managed permissions that are not tied to an object
class
On 04/23/2014 01:55 PM, Petr Spacek wrote:
On 21.4.2014 14:48, Simo Sorce wrote:
On Mon, 2014-04-21 at 08:39 -0400, Rob Crittenden wrote:
Simo Sorce wrote:
On Thu, 2014-04-17 at 18:25 -0400, Rob Crittenden wrote:
Simo Sorce wrote:
On Thu, 2014-04-17 at 15:00 -0400, Rob Crittenden wrote:
On 04/14/2014 01:04 PM, Petr Viktorin wrote:
Read access is given to all authenticated users.
Exposed attributes are:
[top]
objectClass
[ipaObject]
ipaUniqueID
[ipaService]
managedBy
memberOf
ipaKrbAuthzData (a.k.a. pac_type)
[pkiUser]
userCertificate
[krbPrincipalAux
On 04/23/2014 01:42 PM, Jan Cholasta wrote:
On 23.4.2014 13:13, Martin Kosek wrote:
On 04/23/2014 01:03 PM, Petr Viktorin wrote:
On 04/14/2014 12:55 PM, Martin Kosek wrote:
[...]
dn: cn=masters,cn=ipa,cn=etc,SUFFIX
- ADD aci allowing reading hosts (to have it separate from global
cn=etc one
, a developer's personal test modifications shouldn't
override the main config.
https://github.com/encukou/freeipa-ci
--
Petr³
From da0dfceeaca61368ba676695ac1dd033ee8957e5 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Wed, 23 Apr 2014 20:09:57 +0200
Subject: [PATCH] Move
don't think we
want to include that.
Simo, should admins be allowed to read krbExtraData?
The second patch makes the test suite pass with the anon read ACI removed.
--
Petr³
From c052f61bb0c1395a170fdf88bfbf729cf37d95a0 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Wed
On 04/23/2014 08:56 PM, Simo Sorce wrote:
On Wed, 2014-04-23 at 20:37 +0200, Petr Viktorin wrote:
Admin access to read-only attributes such as ipaUniqueId, memberOf,
krbPrincipalName is provided by the anonymous read ACI, which will go
away. This patch adds a blanket read ACI for these.
I also
On 04/24/2014 03:18 PM, Martin Kosek wrote:
On 04/24/2014 02:28 PM, Simo Sorce wrote:
On Thu, 2014-04-24 at 14:17 +0200, Martin Kosek wrote:
On 04/24/2014 09:41 AM, Petr Viktorin wrote:
On 04/23/2014 08:56 PM, Simo Sorce wrote:
On Wed, 2014-04-23 at 20:37 +0200, Petr Viktorin wrote:
Admin
On 04/24/2014 11:16 PM, Rob Crittenden wrote:
Jan Cholasta wrote:
On 10.4.2014 22:06, Rob Crittenden wrote:
Some in-line, a whole ton of data appended to end.
Jan Cholasta wrote:
On 7.4.2014 20:09, Rob Crittenden wrote:
Rob Crittenden wrote:
[...]
$ ipa-cacert-manage -v renew
:
On 04/24/2014 09:41 AM, Petr Viktorin wrote:
On 04/23/2014 08:56 PM, Simo Sorce wrote:
On Wed, 2014-04-23 at 20:37 +0200, Petr Viktorin wrote:
Admin access to read-only attributes such as ipaUniqueId, memberOf,
krbPrincipalName is provided by the anonymous read ACI, which will go
away. This patch
On 04/23/2014 02:46 PM, Martin Kosek wrote:
On 04/22/2014 01:38 PM, Petr Viktorin wrote:
On 04/16/2014 05:56 PM, Simo Sorce wrote:
On Wed, 2014-04-16 at 18:34 +0300, Alexander Bokovoy wrote:
On Wed, 16 Apr 2014, Martin Kosek wrote:
In general I am not sure all authenticated users need access
On 04/25/2014 01:08 PM, Martin Kosek wrote:
On 04/25/2014 01:01 PM, Petr Viktorin wrote:
On 04/24/2014 05:15 PM, Simo Sorce wrote:
On Thu, 2014-04-24 at 16:47 +0200, Martin Kosek wrote:
On 04/24/2014 03:42 PM, Simo Sorce wrote:
On Thu, 2014-04-24 at 15:18 +0200, Martin Kosek wrote:
On 04/24
On 04/28/2014 11:14 AM, Alexander Bokovoy wrote:
On Fri, 18 Apr 2014, Petr Viktorin wrote:
From 00756cf2c9682b32dba3388e07dda3fad916e284 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Thu, 17 Apr 2014 19:06:52 +0200
Subject: [PATCH] trust plugin: Remove ipatrustauth
On 04/24/2014 11:35 AM, Martin Kosek wrote:
On 04/23/2014 10:53 PM, Martin Kosek wrote:
On 04/23/2014 08:07 PM, Simo Sorce wrote:
[...]
I know, we may need to provide another permission admins can use to turn
on anonymous searches for those attributes too.
We may also decide that on upgrade
On 04/29/2014 04:27 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
On 04/23/2014 08:52 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
On 04/09/2014 11:29 PM, Rob Crittenden wrote:
Rob Crittenden wrote:
Petr Viktorin wrote:
On 03/14/2014 07:58 PM, Rob Crittenden wrote:
Petr Viktorin wrote
This adds the idnsSecInlineSigning attribute and related option.
https://fedorahosted.org/freeipa/ticket/3801
Simo, is adding a MAY attribute to an existing objectClass okay?
--
Petr³
From 6cd0ee326598ef36583415087ab673645d3e6593 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
9f9681c2e302923e28941c97f6b489b4d46ded8a Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Wed, 26 Mar 2014 17:11:23 +0100
Subject: [PATCH] Add managed read permissions to user
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
ipalib/plugins/user.py | 55
5d1bdbf5b84cb4dc286b72274edfc03d9158dc20 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Tue, 29 Apr 2014 21:46:26 +0200
Subject: [PATCH] Remove the global anonymous read ACI
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
install/share/default-aci.ldif
On 04/30/2014 05:11 AM, Rob Crittenden wrote:
Petr Viktorin wrote:
On 04/29/2014 04:27 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
On 04/23/2014 08:52 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
On 04/09/2014 11:29 PM, Rob Crittenden wrote:
Rob Crittenden wrote:
Petr Viktorin wrote
This should fix https://fedorahosted.org/freeipa/ticket/3829
--
Petr³
From f5127411bdc21102022ed3d4849371501fc625f7 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Mon, 28 Apr 2014 14:23:19 +0200
Subject: [PATCH] Replace replica admins read access ACI with a permission
, so we'll need this fix when parsing ACIs
there.
Rob, you wrote the parser; does this look OK to you?
--
Petr³
From 346d21d35a56c287772443bc49cfd0c9e15f1493 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Wed, 30 Apr 2014 17:24:06 +0200
Subject: [PATCH] ipalib.aci: Add
On 04/30/2014 07:25 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
Hello,
The first patch adds == to ACI object to simplify comparisons.
The second patch moves existing tests to the test suite.
The third patch adds support for an alternate aci keyword that DS
supports (but I couldn't get any
On 04/30/2014 04:57 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
On 04/30/2014 05:11 AM, Rob Crittenden wrote:
Petr Viktorin wrote:
On 04/29/2014 04:27 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
On 04/23/2014 08:52 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
On 04/09/2014 11:29
On 04/30/2014 08:24 PM, Petr Viktorin wrote:
On 04/30/2014 07:25 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
Hello,
The first patch adds == to ACI object to simplify comparisons.
The second patch moves existing tests to the test suite.
The third patch adds support for an alternate aci
On 05/07/2014 06:15 PM, Dmitri Pal wrote:
On 05/07/2014 11:46 AM, Nathaniel McCallum wrote:
On Wed, 2014-05-07 at 09:50 -0400, Dmitri Pal wrote:
On 05/07/2014 04:06 AM, Jan Cholasta wrote:
On 6.5.2014 19:55, Nathaniel McCallum wrote:
I know it is a bit late on this, but for the OTP token
On 05/07/2014 03:05 PM, Tomas Babej wrote:
Hi,
this fixes the problem on builders, which do distro-sync while having
freeipa packages present from previous build run.
This causes unnecessary downgrades., which may result into failures (as
now with the smartproxy pushed).
I've put the
On 05/09/2014 04:14 AM, Gabe Alford wrote:
Hello,
Just wondering if there are any takers in reviewing this patch.
Sorry, looks like it fell through the cracks :(
AFAIK the OS; entity should work for both Fedora and RHEL, so it should
be possible to only have one copy of the
On 05/09/2014 05:09 AM, Gabe Alford wrote:
Hello,
Came across this issue in my environment the other day and
thought I would send a quick patch for review for
https://fedorahosted.org/freeipa/ticket/3733
Thanks for the patch!
This works, but configure_nsswitch would now fail if it
On 05/14/2014 11:21 AM, thierry bordaz wrote:
Hello,
Quite beginner in freeipa land, I am trying to add options to
'user-add' sub-command but desperately failing to make it work.
I did the following modification:
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
2001
From: Petr Viktorin pvikt...@redhat.com
Date: Tue, 13 May 2014 16:48:49 +0200
Subject: [PATCH] ipa-client-automount: Use rpcclient, not xmlclient, for
automountlocation_show
Fix for a regression in 66fb4d5e849a049e95d3ef4fcf2b86217488634d
https://fedorahosted.org/freeipa/ticket/4290
---
ipa
On 05/14/2014 04:24 PM, Gabe Alford wrote:
Thanks. Updated patch.
Great! ACK, there's just some whitespace left in the patch.
Removed trailing whitespace, pushed to master:
98102832789412f567a96693dfe27b0e00cc98e5
On Wed, May 14, 2014 at 3:49 AM, Petr Viktorin pvikt...@redhat.com
.
Please look at FreeIPA_Guide.ent and
Identity_Management_Guide.ent.
Petr^2 Spacek
On Tue, May 13, 2014 at 7:55 AM, Petr Viktorin
pvikt...@redhat.com mailto:pvikt...@redhat.com
wrote:
On 05/09
On 05/16/2014 01:54 PM, Martin Kosek wrote:
On 04/29/2014 11:00 PM, Petr Viktorin wrote:
Patch 0540 adds a bunch of managed read ACIs for user, as discussed previously
[0].
Patch 0541 is some minor refactoring for the next part.
Patch 0542 sets the read acces to addressbook attributes
Hello list,
Here's a conversation that started internally. I'm making it public.
On 05/19/2014 01:00 PM, Martin Kosek wrote:
On 05/19/2014 12:46 PM, Petr Viktorin wrote:
On 05/19/2014 08:25 AM, Martin Kosek wrote:
On 05/19/2014 08:24 AM, Martin Kosek wrote:
On 05/16/2014 04:48 PM, thierry
On 05/19/2014 03:19 PM, Petr Viktorin wrote:
Hello list,
Here's a conversation that started internally. I'm making it public.
On 05/19/2014 01:00 PM, Martin Kosek wrote:
On 05/19/2014 12:46 PM, Petr Viktorin wrote:
On 05/19/2014 08:25 AM, Martin Kosek wrote:
On 05/19/2014 08:24 AM, Martin
On 05/16/2014 02:00 PM, Martin Kosek wrote:
On 04/29/2014 11:02 PM, Petr Viktorin wrote:
I didn't test this as much as I'd like to, but it might come in handy when
testing my earlier patches.
The ACI is removed in the managed permissions plugin because I want to make
sure it's done after all
On 05/16/2014 02:30 PM, Martin Kosek wrote:
On 04/30/2014 05:16 PM, Petr Viktorin wrote:
This should fix https://fedorahosted.org/freeipa/ticket/3829
You mistakenly assigned the permission to all authenticated users. When I
changed bind type from all to permission, it gave the expected
On 05/21/2014 08:09 AM, Martin Kosek wrote:
On 05/19/2014 03:53 PM, Petr Viktorin wrote:
On 05/16/2014 02:30 PM, Martin Kosek wrote:
On 04/30/2014 05:16 PM, Petr Viktorin wrote:
This should fix https://fedorahosted.org/freeipa/ticket/3829
You mistakenly assigned the permission to all
Cholasta wrote:
On 19.5.2014 15:19, Petr Viktorin wrote:
Hello list,
Here's a conversation that started internally. I'm making it
public.
On 05/19/2014 01:00 PM, Martin Kosek wrote:
On 05/19/2014 12:46 PM, Petr Viktorin wrote:
On 05/19/2014 08:25 AM, Martin Kosek wrote:
On 05/19/2014 08:24 AM
IPA interactive Python console)
1
2
[no newline]
$ ipa console (echo 'print 1'; echo 'print 2')
1
2
--
Petr³
From 32038c91e005f7d66926f887e6a21bb74350b897 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Thu, 15 May 2014 15:42:48 +0200
Subject: [PATCH] ipalib.cli: Add
This fixes https://fedorahosted.org/freeipa/ticket/4349.
See the ticket for a description.
--
Petr³
From 423a7337dcd10cc88b2fb90872923bb21ada4713 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Fri, 16 May 2014 13:18:36 +0200
Subject: [PATCH] ldap2.find_entries: Do
, this server as an
example of how the will work.
The third patch fixes https://fedorahosted.org/freeipa/ticket/4344
--
Petr³
From c56f12a069ebcc21a292a95f00771d1a81d6a09c Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Wed, 14 May 2014 16:08:28 +0200
Subject: [PATCH] Add
On 05/21/2014 08:08 AM, Martin Kosek wrote:
On 05/19/2014 03:27 PM, Petr Viktorin wrote:
On 05/16/2014 02:00 PM, Martin Kosek wrote:
On 04/29/2014 11:02 PM, Petr Viktorin wrote:
I didn't test this as much as I'd like to, but it might come in handy when
testing my earlier patches.
The ACI
On 05/21/2014 12:14 PM, Simo Sorce wrote:
On Wed, 2014-05-21 at 08:03 +0200, Martin Kosek wrote:
On 05/16/2014 04:33 PM, Petr Viktorin wrote:
On 05/16/2014 01:54 PM, Martin Kosek wrote:
On 04/29/2014 11:00 PM, Petr Viktorin wrote:
Patch 0540 adds a bunch of managed read ACIs for user
On 05/22/2014 04:12 PM, Nathaniel McCallum wrote:
On Tue, 2014-05-13 at 12:55 -0400, Nathaniel McCallum wrote:
On Tue, 2014-05-13 at 16:47 +0200, Jan Cholasta wrote:
On 12.5.2014 20:50, Nathaniel McCallum wrote:
On Mon, 2014-05-12 at 18:40 +0200, Misnyovszki Adam wrote:
On Tue, 06 May 2014
On 05/22/2014 04:43 PM, Alexander Bokovoy wrote:
On Thu, 22 May 2014, Nathaniel McCallum wrote:
On Fri, 2014-05-02 at 17:49 -0400, Nathaniel McCallum wrote:
If the KDC doesn't use the FreeIPA password for authentication, then it
is futile to provide this information. Doing so will only confuse
On 05/22/2014 05:13 PM, Petr Vobornik wrote:
On 22.5.2014 17:00, Nathaniel McCallum wrote:
On Thu, 2014-05-22 at 10:53 -0400, Nathaniel McCallum wrote:
On Thu, 2014-05-22 at 16:45 +0200, Petr Viktorin wrote:
On 05/22/2014 04:12 PM, Nathaniel McCallum wrote:
On Tue, 2014-05-13 at 12:55 -0400
On 05/25/2014 09:29 PM, Martin Kosek wrote:
On 05/23/2014 04:50 PM, Simo Sorce wrote:
On Fri, 2014-05-23 at 10:59 +0200, Martin Kosek wrote:
On 05/22/2014 04:20 PM, Petr Viktorin wrote:
On 05/21/2014 12:14 PM, Simo Sorce wrote:
On Wed, 2014-05-21 at 08:03 +0200, Martin Kosek wrote:
On 05/16
On 05/26/2014 12:09 PM, Martin Kosek wrote:
On 05/26/2014 12:04 PM, Petr Viktorin wrote:
On 05/25/2014 09:29 PM, Martin Kosek wrote:
On 05/23/2014 04:50 PM, Simo Sorce wrote:
On Fri, 2014-05-23 at 10:59 +0200, Martin Kosek wrote:
On 05/22/2014 04:20 PM, Petr Viktorin wrote:
On 05/21/2014 12
On 05/23/2014 02:26 PM, Martin Kosek wrote:
On 05/22/2014 04:03 PM, Petr Viktorin wrote:
On 05/21/2014 08:08 AM, Martin Kosek wrote:
On 05/19/2014 03:27 PM, Petr Viktorin wrote:
On 05/16/2014 02:00 PM, Martin Kosek wrote:
On 04/29/2014 11:02 PM, Petr Viktorin wrote:
I didn't test
All FreeIPA developers, hang on to your hats (be they red or otherwise)!
In master, the global ACI granting read/search/compare rights to anyyone
has been and removed in favor of granular managed permissions.
Please help test the change.
Emergency override:
If you find an issue, first report
On 05/22/2014 03:36 PM, Jan Cholasta wrote:
On 22.5.2014 15:07, Petr Viktorin wrote:
This fixes https://fedorahosted.org/freeipa/ticket/4349.
See the ticket for a description.
Looks OK to me, ACK.
Thanks, pushed to master: 988b2cebf4bf6657eb50f5ecc57bd39425739b8b
--
Petr
On 05/14/2014 12:50 PM, Petr Viktorin wrote:
On 04/30/2014 10:00 AM, thierry bordaz wrote:
On 04/29/2014 10:07 PM, Martin Kosek wrote:
On 04/29/2014 08:17 PM, Simo Sorce wrote:
On Tue, 2014-04-29 at 20:00 +0200, Petr Viktorin wrote:
This adds the idnsSecInlineSigning attribute and related
On 05/22/2014 03:07 PM, Petr Viktorin wrote:
Hello,
Here I start upgrading the existing default permissions to the new
Managed style.
https://fedorahosted.org/freeipa/ticket/4346
The patches rely on my patch 0551
(https://fedorahosted.org/freeipa/ticket/4349)
You may run into what seems
On 05/22/2014 03:07 PM, Petr Viktorin wrote:
Hello,
Here I start upgrading the existing default permissions to the new
Managed style.
https://fedorahosted.org/freeipa/ticket/4346
The patches rely on my patch 0551
(https://fedorahosted.org/freeipa/ticket/4349)
You may run into what seems
On 05/20/2014 06:15 PM, Tomas Babej wrote:
Hi,
the following set of patches fixes:
https://fedorahosted.org/freeipa/ticket/4274
https://fedorahosted.org/freeipa/ticket/4263
https://fedorahosted.org/freeipa/ticket/4324
https://fedorahosted.org/freeipa/ticket/4340
On 05/14/2014 04:56 PM, Tomas Babej wrote:
Hi,
the sudo integration job is already in master, so it's time for the job
to be pushed to the upstream test job repository.
Tomas
Thanks, ACK, pushed to CI master: c691941610f2d431867938e6438f36d7ec3cddc1
--
Petr³
git pull
On 05/26/2014 12:15 PM, Petr Viktorin wrote:
On 05/23/2014 02:26 PM, Martin Kosek wrote:
On 05/22/2014 04:03 PM, Petr Viktorin wrote:
On 05/21/2014 08:08 AM, Martin Kosek wrote:
[...]
The problem is that you used your testing suffix instead of suffix
variable.
Shame on me. I've updated
the installation commands.
--
Petr³
From 05267604ae559135587b135fe9ac394617a70247 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Thu, 13 Mar 2014 14:39:03 +0100
Subject: [PATCH] ipalib.version: Add VENDOR_VERSION
This will allow us to make vendors' lives easier by embedding a
vendor tag
On 05/27/2014 11:16 AM, Alexander Bokovoy wrote:
On Tue, 27 May 2014, Petr Viktorin wrote:
Hello,
This fixes https://fedorahosted.org/freeipa/ticket/4219
AFAIK the vendor version (e.g. 4.0.0-0.fc20) was not available to
IPA, so I have it added to version.py when building packages. I wonder
See the ticket commit message.
https://fedorahosted.org/freeipa/ticket/4309
--
Petr³
From 3e9f26a423af1db2fe15b326059f901f7bcca70e Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Tue, 27 May 2014 12:21:33 +0200
Subject: [PATCH] pwpolicy-mod: Fix crash when priority
On 05/26/2014 12:13 PM, Petr Viktorin wrote:
[...]
Thanks for the thorough review!
Pushed to master: 63becae88c6c270b98f0432dc474b661b82f3119
Okay guys, we have another issue:
user-add (and the migration plugin) needs access to cn=UPG
Definition,cn=Definitions,cn=Managed Entries,cn=etc
On 05/28/2014 09:06 AM, Fraser Tweedale wrote:
Hi all,
Today I hit the WARNING: Your system is running out of entropy, you
may experience long delays message while testing Ade's
ipa-server-install changes.
I got a lot more entropy a lot faster by installing haveged(8), and
I blogged about it
: Petr Viktorin pvikt...@redhat.com
Date: Tue, 27 May 2014 16:22:33 +0200
Subject: [PATCH] krbtpolicy plugin: Fix internal error when global policy is
not readable
Part of the work for: https://fedorahosted.org/freeipa/ticket/4354
---
ipalib/plugins/krbtpolicy.py | 5 +++--
1 file changed, 3
On 05/28/2014 02:44 PM, Martin Kosek wrote:
On 05/27/2014 01:27 PM, Petr Viktorin wrote:
See the ticket commit message.
https://fedorahosted.org/freeipa/ticket/4309
Yup, this fixed the crash. ACK!
Martin
Thanks, pushed to master: 8bbd52e347f3e6395d469528e1220fd9158e5609
--
Petr
On 05/28/2014 08:48 AM, Fraser Tweedale wrote:
On Tue, May 27, 2014 at 05:57:40PM -0400, Ade Lee wrote:
There have been a couple of changes in the Dogtag interface, that
require some changes in the IPA patches. Also, I had to add back a
function in order to rebase to the latest IPA code.
Most
On 05/28/2014 02:45 PM, Martin Kosek wrote:
On 05/26/2014 12:48 PM, Petr Viktorin wrote:
On 05/14/2014 12:50 PM, Petr Viktorin wrote:
On 04/30/2014 10:00 AM, thierry bordaz wrote:
On 04/29/2014 10:07 PM, Martin Kosek wrote:
On 04/29/2014 08:17 PM, Simo Sorce wrote:
On Tue, 2014-04-29 at 20
On 05/27/2014 05:13 PM, Simo Sorce wrote:
On Tue, 2014-05-27 at 18:01 +0300, Alexander Bokovoy wrote:
On Tue, 27 May 2014, Petr Viktorin wrote:
On 05/26/2014 12:13 PM, Petr Viktorin wrote:
[...]
Thanks for the thorough review!
Pushed to master: 63becae88c6c270b98f0432dc474b661b82f3119
On 05/27/2014 04:20 PM, Martin Kosek wrote:
On 05/26/2014 04:44 PM, Petr Viktorin wrote:
On 05/22/2014 03:07 PM, Petr Viktorin wrote:
Hello,
Here I start upgrading the existing default permissions to the new
Managed style.
https://fedorahosted.org/freeipa/ticket/4346
The patches rely on my
the decisions, I think we are now running in circles.
Let me start from Petr3's API proposal which was a functionally complete
proposal and start from there:
On 05/22/2014 10:47 AM, Petr Viktorin wrote:
...
My proposal would be that the move commands use the verb for the target and an
option
On 05/29/2014 10:03 AM, Martin Kosek wrote:
On 05/28/2014 03:40 PM, Petr Viktorin wrote:
Hello,
Some of IPA plugins assume that everyone has access to everything. Here are
some fixes for that.
Patch 0560 adds a new permission for the UPG Definition, which is required to
add users correctly
if the user is not available at all, you get a NotFound, but
if global policy is not found it's assumed that it's just unreadable.
--
Petr³
From 4760edee0db8dd7f1d24daeee0b2501c485dc828 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Thu, 29 May 2014 15:39:26 +0200
Subject
On 05/29/2014 07:13 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
When investigating this issue I became very annoyed by the star import
hiding where names come from, so I did some cleanup first.
In krbtpolicy, an ACIError is now raised if:
- the user doesn't have permission to read any one
On 05/30/2014 11:02 AM, Petr Viktorin wrote:
On 05/29/2014 07:13 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
When investigating this issue I became very annoyed by the star import
hiding where names come from, so I did some cleanup first.
In krbtpolicy, an ACIError is now raised
there:
On 05/22/2014 10:47 AM, Petr Viktorin wrote:
...
My proposal would be that the move commands use the verb for the target
and an
option for the source, and add/mod use an option for the container:
1) adding a new user
(to active) ipa user-add tuser ...
(to stage)ipa user-add tuser --staged
On 06/02/2014 03:59 PM, Petr Vobornik wrote:
Hi List,
the purpose if this mail is to start a discussion about reorganization
of navigation items. Users are not fond of such change so we should come
up with a solution which would last for some time.
Problem:
UX recommendation is that one menu
I found two bugs in the ACI comparison code, one new and one old.
This fixes them and adds some more tests.
--
Petr³
From 104d76aa7d9fa1480c915365ef5ec03ddf6fc6ff Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Mon, 2 Jun 2014 17:31:48 +0200
Subject: [PATCH] ipalib.aci
1201 - 1300 of 1752 matches
Mail list logo