Re: [Freeipa-devel] [PATCHES] 0197-0206 Installing without a CA, with custom SSL certs

2013-03-28 Thread Petr Viktorin
On 03/28/2013 12:20 PM, Petr Viktorin wrote: On 03/26/2013 04:48 PM, Petr Viktorin wrote: [...] This update adds a check for validity of the server cert's hostname, using python-nss. And another update. Patch 204: Fix default ID range in ipa-server-install New patch 206: The host p

Re: [Freeipa-devel] [RFE] CA-less install

2013-03-29 Thread Petr Viktorin
On 03/27/2013 04:40 PM, John Dennis wrote: On 03/27/2013 11:23 AM, Petr Viktorin wrote: I don't want to check the subject because this RFE was prompted by IPA's normal CA rejecting valid wildcard certs. Is there a reasonable way to ask NSS if it will trust the cert? Yes. NSS

Re: [Freeipa-devel] [RFE] CA-less install

2013-03-29 Thread Petr Viktorin
On 03/22/2013 01:10 PM, Petr Viktorin wrote: The design page for CA-less installation with user-provided SSL certs is available at http://freeipa.org/page/V3/CA-less_install. I've also copied it to this mail. Does it answer all your questions? I have added "Affected commands"

Re: [Freeipa-devel] [PATCHES] 0197-0204 Installing without a CA, with custom SSL certs

2013-03-29 Thread Petr Viktorin
On 03/29/2013 06:17 PM, Petr Vobornik wrote: Hello, attaching Web UI part. Petr Works well for me, if someone can check if the Javascript looks fine then ACK. -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.c

Re: [Freeipa-devel] [PATCHES] 0197-0207 Installing without a CA, with custom SSL certs

2013-04-02 Thread Petr Viktorin
On 04/02/2013 10:48 AM, Jan Cholasta wrote: On 29.3.2013 15:31, Petr Viktorin wrote: On 03/29/2013 11:20 AM, Jan Cholasta wrote: On 29.3.2013 11:14, Jan Cholasta wrote: Also I was able to install IPA with revoked certificates, but it doesn't seem to break anything - the CRL specified i

[Freeipa-devel] [PATCH] 0208 make-testcert: Add better messages for errors with CA-less

2013-04-02 Thread Petr Viktorin
On 03/18/2013 12:58 PM, Petr Viktorin wrote: Hello, While the work is not complete, these patches allowed me to install an IPA server without a CA, using PKCS#12 files for the server certs. The patches don't break normal installation. The --selfsign option (but not yet the code behind i

Re: [Freeipa-devel] [RFE] CA-less install

2013-04-02 Thread Petr Viktorin
On 03/22/2013 01:10 PM, Petr Viktorin wrote: The design page for CA-less installation with user-provided SSL certs is available at http://freeipa.org/page/V3/CA-less_install. I've also copied it to this mail. Does it answer all your questions? Since the patches were pushed, I've

Re: [Freeipa-devel] [RFE] Drop --selfsign

2013-04-02 Thread Petr Viktorin
On 03/20/2013 05:11 PM, Petr Viktorin wrote: Here is a RFE for https://fedorahosted.org/freeipa/ticket/3494. It's for dropping the --selfsign option from ipa-server-install. The functionality itself stays in for now (on upgraded self-signed masters). http://freeipa.org/page/V3/Drop_sel

Re: [Freeipa-devel] [RFE] CA-less install

2013-04-02 Thread Petr Viktorin
On 04/02/2013 02:14 AM, Robert Relyea wrote: On 03/29/2013 07:40 AM, John Dennis wrote: On 03/29/2013 07:57 AM, Petr Viktorin wrote: On 03/27/2013 04:40 PM, John Dennis wrote: On 03/27/2013 11:23 AM, Petr Viktorin wrote: I don't want to check the subject because this RFE was prompt

[Freeipa-devel] String freeze

2013-04-03 Thread Petr Viktorin
Hello, IPA 3.2.0 is in string freeze now. I've uploaded the source strings to Transifex. -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 0209 Display full command documentation in online help

2013-04-03 Thread Petr Viktorin
This fixes a regression in the help improvements. More info in the patch. -- Petr³ From d377daac9fac1f6cf713efc5f683a5efd6bf7b6c Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Wed, 3 Apr 2013 10:40:30 +0200 Subject: [PATCH] Display full command documentation in online help ipa -h only

Re: [Freeipa-devel] [PATCH] WIP backup and restore

2013-04-05 Thread Petr Viktorin
On 04/04/2013 03:04 PM, Rob Crittenden wrote: Rob Crittenden wrote: Petr Viktorin wrote: On 03/23/2013 05:06 AM, Rob Crittenden wrote: There are strict limits on what can be restored where. Only exact matching hostnames and versions are allowed right now. We can probably relax the hostname

Re: [Freeipa-devel] Confused by some messages

2013-04-08 Thread Petr Viktorin
On 04/06/2013 11:05 PM, Jérôme Fenal wrote: Same for: Issued on from Issued on to Revoked on from Revoked on to Valid not after from Valid not after to Valid not before from Valid not before to All in ipalib/plugins/internal.py around line 330 These are UI labels for the options below. 2013

Re: [Freeipa-devel] [PATCH] WIP backup and restore

2013-04-08 Thread Petr Viktorin
On 04/05/2013 10:54 PM, Rob Crittenden wrote: Petr Viktorin wrote: On 04/04/2013 03:04 PM, Rob Crittenden wrote: Rob Crittenden wrote: Petr Viktorin wrote: On 03/23/2013 05:06 AM, Rob Crittenden wrote: There are strict limits on what can be restored where. Only exact matching hostnames and

Re: [Freeipa-devel] [PATCH] 0012 Fix output for some CLI commands

2013-04-08 Thread Petr Viktorin
On 04/08/2013 01:40 PM, Ana Krivokapic wrote: Hello, This patch addresses https://fedorahosted.org/freeipa/ticket/3503. See the commit message for details. -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. freeipa-akrivoka-0012-Fix-output-for-some-CLI-commands.pa

[Freeipa-devel] FreeIPA string freeze

2013-04-08 Thread Petr Viktorin
Hello, FreeIPA translators! We wanted to give enough time for translations, so we made an upstream string freeze last week, giving about two weeks of translation time until the beta. We didn't expect most of the translations to be done already -- Ukrainian at 100% and French with 40 strings mi

Re: [Freeipa-devel] [PATCH] WIP backup and restore

2013-04-09 Thread Petr Viktorin
On 04/05/2013 10:54 PM, Rob Crittenden wrote: Petr Viktorin wrote: On 04/04/2013 03:04 PM, Rob Crittenden wrote: Rob Crittenden wrote: Petr Viktorin wrote: On 03/23/2013 05:06 AM, Rob Crittenden wrote: There are strict limits on what can be restored where. Only exact matching hostnames and

Re: [Freeipa-devel] FreeIPA string freeze

2013-04-10 Thread Petr Viktorin
On 04/08/2013 05:54 PM, Yuri Chornoivan wrote: On Mon, 08 Apr 2013 18:45:30 +0300, Petr Viktorin wrote: Hello, FreeIPA translators! We wanted to give enough time for translations, so we made an upstream string freeze last week, giving about two weeks of translation time until the beta. We

[Freeipa-devel] [PATCH] 0214 Remove 'cn' attribute from idnsRecord and idnsZone objectClasses

2013-04-10 Thread Petr Viktorin
This removes the "cn" attribute from the idnsRecord objectclass. For more robust upgrades, any existing cn attributes are removed in preupgrade https://fedorahosted.org/freeipa/ticket/3514 -- Petr³ From b6e17a2a378515b41e2a793a6f90c621c41b65be Mon Sep 17 00:00:00 2001 From: Pet

Re: [Freeipa-devel] [PATCH] 0214 Remove 'cn' attribute from idnsRecord and idnsZone objectClasses

2013-04-10 Thread Petr Viktorin
On 04/10/2013 12:56 PM, Martin Kosek wrote: On 04/10/2013 12:47 PM, Petr Viktorin wrote: This removes the "cn" attribute from the idnsRecord objectclass. For more robust upgrades, any existing cn attributes are removed in preupgrade https://fedorahosted.org/freeipa/ticket/3514 I a

Re: [Freeipa-devel] [PATCH] WIP backup and restore

2013-04-10 Thread Petr Viktorin
On 04/09/2013 11:21 PM, Rob Crittenden wrote: Petr Viktorin wrote: On 04/05/2013 10:54 PM, Rob Crittenden wrote: Petr Viktorin wrote: On 04/04/2013 03:04 PM, Rob Crittenden wrote: Rob Crittenden wrote: Petr Viktorin wrote: On 03/23/2013 05:06 AM, Rob Crittenden wrote: There are strict

Re: [Freeipa-devel] [PATCH] 0012 Fix output for some CLI commands

2013-04-10 Thread Petr Viktorin
On 04/08/2013 06:15 PM, Ana Krivokapic wrote: On 04/08/2013 04:33 PM, Jan Cholasta wrote: On 8.4.2013 15:41, Jan Cholasta wrote: Hi, On 8.4.2013 13:40, Ana Krivokapic wrote: Hello, This patch addresses https://fedorahosted.org/freeipa/ticket/3503. See the commit message for details. the p

Re: [Freeipa-devel] [PATCH] WIP backup and restore

2013-04-11 Thread Petr Viktorin
On 04/10/2013 08:27 PM, Rob Crittenden wrote: Petr Viktorin wrote: On 04/09/2013 11:21 PM, Rob Crittenden wrote: Petr Viktorin wrote: On 04/05/2013 10:54 PM, Rob Crittenden wrote: Petr Viktorin wrote: On 04/04/2013 03:04 PM, Rob Crittenden wrote: Rob Crittenden wrote: Petr Viktorin wrote

Re: [Freeipa-devel] [PATCH] 1095 apply updates in order

2013-04-11 Thread Petr Viktorin
On 04/10/2013 08:02 PM, Rob Crittenden wrote: The original design of the LDAP updater was to use numbered update files which would be applied in order in blocks of 10. We ended up just applying everything together, sorted by length of the DN. Why not just sort the files lexicographically, and _

Re: [Freeipa-devel] [PATCH 0047] Allow underscore in DNAME targets

2013-04-11 Thread Petr Viktorin
On 04/11/2013 12:05 PM, Tomas Babej wrote: Hi, Makes DNAME target validation less strict and allows underscore. This is requirement for IPA sites. https://fedorahosted.org/freeipa/ticket/3550 Tomas I checked with Petr², and he said it would make sense to also enable underscores for the othe

Re: [Freeipa-devel] [PATCH 0047] Allow underscore in DNAME targets

2013-04-11 Thread Petr Viktorin
On 04/11/2013 02:43 PM, Simo Sorce wrote: On Thu, 2013-04-11 at 14:24 +0200, Petr Viktorin wrote: On 04/11/2013 12:05 PM, Tomas Babej wrote: Hi, Makes DNAME target validation less strict and allows underscore. This is requirement for IPA sites. https://fedorahosted.org/freeipa/ticket/3550

Re: [Freeipa-devel] [PATCH 0047] Allow underscore in DNAME targets

2013-04-11 Thread Petr Viktorin
On 04/11/2013 03:59 PM, Simo Sorce wrote: On Thu, 2013-04-11 at 14:52 +0200, Petr Viktorin wrote: On 04/11/2013 02:43 PM, Simo Sorce wrote: On Thu, 2013-04-11 at 14:24 +0200, Petr Viktorin wrote: On 04/11/2013 12:05 PM, Tomas Babej wrote: Hi, Makes DNAME target validation less strict and

Re: [Freeipa-devel] [PATCHES] 0014-0016 Deprecate HBAC source hosts

2013-04-11 Thread Petr Viktorin
On 04/11/2013 12:01 AM, Rob Crittenden wrote: Ana Krivokapic wrote: Hello, This patch set deprecates HBAC source hosts from IPA. See commit messages and the design page[1] for details. https://fedorahosted.org/freeipa/ticket/3528 [1] http://www.freeipa.org/page/V3/HBACSourceHosts Been a wh

Re: [Freeipa-devel] [PATCH] 1095 apply updates in order

2013-04-12 Thread Petr Viktorin
On 04/11/2013 09:39 PM, Rob Crittenden wrote: Rob Crittenden wrote: Petr Viktorin wrote: [...] In the README, 10 - 19 should be Schema & configuration. OK. While you're at it you can update the FDS Server reference (FDS was Fedora Directory Server, right?) Yeah, shows how ol

Re: [Freeipa-devel] [PATCH] WIP backup and restore

2013-04-12 Thread Petr Viktorin
On 04/11/2013 11:43 PM, Rob Crittenden wrote: Petr Viktorin wrote: On 04/10/2013 08:27 PM, Rob Crittenden wrote: Petr Viktorin wrote: On 04/09/2013 11:21 PM, Rob Crittenden wrote: Petr Viktorin wrote: On 04/05/2013 10:54 PM, Rob Crittenden wrote: Petr Viktorin wrote: On 04/04/2013 03:04

Re: [Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca

2013-04-12 Thread Petr Viktorin
On 04/12/2013 01:24 PM, Jan Cholasta wrote: Hi, the attached patches fix . Honza We used short names in the CNAMEs: $ ipa dnsrecord-find idm.lab.eng.brq.redhat.com ipa-ca Record name: ipa-ca CNAME record: vm-109

Re: [Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca

2013-04-12 Thread Petr Viktorin
On 04/12/2013 02:30 PM, Jan Cholasta wrote: On 12.4.2013 14:19, Petr Viktorin wrote: On 04/12/2013 01:24 PM, Jan Cholasta wrote: Hi, the attached patches fix <https://fedorahosted.org/freeipa/ticket/3547>. Honza We used short names in the CNAMEs: $ ipa dnsrecor

Re: [Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca

2013-04-12 Thread Petr Viktorin
On 04/12/2013 03:58 PM, Martin Kosek wrote: On 04/12/2013 03:50 PM, Petr Viktorin wrote: On 04/12/2013 02:30 PM, Jan Cholasta wrote: On 12.4.2013 14:19, Petr Viktorin wrote: On 04/12/2013 01:24 PM, Jan Cholasta wrote: Hi, the attached patches fix <https://fedorahosted.org/freeipa/tic

Re: [Freeipa-devel] [PATCH 0048] Add nfs:NONE to default PAC types only when needed

2013-04-12 Thread Petr Viktorin
On 04/12/2013 04:10 PM, Tomas Babej wrote: Hi, We need to add nfs:NONE as a default PAC type only if there's no other default PAC type for nfs. Adds a update plugin which determines whether default PAC type for nfs is set and adds nfs:NONE PAC type accordingly. https://fedorahosted.org/freeipa/

[Freeipa-devel] [PATCH] 0215 ipa-server-install: correct help text for --external_{cert, ca}_file

2013-04-15 Thread Petr Viktorin
Hello, this fixes incorrect descriptions of the --external_cert_file & --external_ca_file options. https://fedorahosted.org/freeipa/ticket/3523 -- Petr³ From fba3d395b4c32e2b760ef6182be6df61c052474b Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Wed, 20 Mar 2013 14:44:22 +0100 Sub

Re: [Freeipa-devel] [PATCH] 0215 ipa-server-install: correct help text for --external_{cert, ca}_file

2013-04-15 Thread Petr Viktorin
On 04/15/2013 11:50 AM, Ana Krivokapic wrote: On 04/15/2013 10:20 AM, Petr Viktorin wrote: Hello, this fixes incorrect descriptions of the --external_cert_file & --external_ca_file options. https://fedorahosted.org/freeipa/ticket/3523

Re: [Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca

2013-04-15 Thread Petr Viktorin
On 04/15/2013 12:31 PM, Jan Cholasta wrote: On 12.4.2013 16:55, Simo Sorce wrote: - Original Message - On 04/12/2013 03:50 PM, Petr Viktorin wrote: A question: do we support users that *want* a CNAME in ipa-ca? AFAIK that is the usual way to do load-balancing, which is the

Re: [Freeipa-devel] [PATCH 0048] Add nfs:NONE to default PAC types only when needed

2013-04-15 Thread Petr Viktorin
On 04/15/2013 12:32 PM, Tomas Babej wrote: On 04/12/2013 04:52 PM, Petr Viktorin wrote: On 04/12/2013 04:10 PM, Tomas Babej wrote: Hi, We need to add nfs:NONE as a default PAC type only if there's no other default PAC type for nfs. Adds a update plugin which determines whether defaul

Re: [Freeipa-devel] FreeIPA string freeze

2013-04-15 Thread Petr Viktorin
On 04/10/2013 06:26 PM, Jérôme Fenal wrote: On 10/04/2013 14:27, Yuri Chornoivan wrote: On Wed, 10 Apr 2013 13:37:10 +0300, Petr Viktorin wrote: On 04/08/2013 05:54 PM, Yuri Chornoivan wrote: On Mon, 08 Apr 2013 18:45:30 +0300, Petr Viktorin wrote: Hello, FreeIPA translators! We

[Freeipa-devel] [PATCH] 0216 Update translations from Transifex

2013-04-15 Thread Petr Viktorin
Hello, Since the beta will be released soon, we should pull in all the hard work our translators have contributed. Ukrainian and French are almost complete ("almost" only due to our extremely lax string freeze). New languages: Catalan and Basque* Thanks to all translators! Validation finds

Re: [Freeipa-devel] [PATCH] 0216 Update translations from Transifex

2013-04-15 Thread Petr Viktorin
fix it. 2013/4/15 Petr Viktorin <pvikt...@redhat.com> Hello, Since the beta will be released soon, we should pull in all the hard work our translators have contributed. Ukrainian and French are almost complete ("almost" only due to

Re: [Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca

2013-04-15 Thread Petr Viktorin
On 04/15/2013 04:47 PM, Simo Sorce wrote: On 04/15/2013 12:31 PM, Jan Cholasta wrote: I have changed the patch so that the CNAMEs are replaced with A/ if and only if they all point to IPA masters, otherwise a warning is printed. Is that OK? OK with me, patch works well. ACK unless Simo rea

Re: [Freeipa-devel] [PATCH 0119] Fix dnsrecord-mod, regression in 4.x

2014-09-05 Thread Petr Viktorin
On 09/04/2014 05:12 PM, Jan Cholasta wrote: On 4.9.2014 at 16:45, Martin Basti wrote: On 04/09/14 16:36, Jan Cholasta wrote: Hi, On 4.9.2014 at 16:13, Martin Basti wrote: Regression is caused by different output types for dnsrecord-mod and dnsrecord-del. dnsrecord-mod internally calls r

Re: [Freeipa-devel] [PATCH] 318 Backup CS.cfg before modifying it

2014-09-05 Thread Petr Viktorin
On 09/03/2014 06:35 PM, Jan Cholasta wrote: Hi, the attached patch fixes . Honza ACK Neither patch applies to 4.1, though. Could you send a version for that as well? -- Petr³

Re: [Freeipa-devel] [PATCH 0107-0108] Fix DNS wildcard validation

2014-09-05 Thread Petr Viktorin
On 09/05/2014 12:21 PM, Petr Spacek wrote: On 3.9.2014 14:40, Martin Basti wrote: On 02/09/14 17:33, Petr Spacek wrote: On 21.8.2014 10:58, Martin Basti wrote: On 21/08/14 08:43, Petr Spacek wrote: On 20.8.2014 17:37, Martin Basti wrote: +# dissallowed wildcard (RFC 4592) +no

Re: [Freeipa-devel] [PATCH] 0640 Add managed read permissions for compat tree

2014-09-05 Thread Petr Viktorin
PM, Petr Viktorin wrote: On 09/03/2014 02:27 PM, Petr Viktorin wrote: On 09/03/2014 01:27 PM, Petr Viktorin wrote: Hello, This adds managed read permissions to the compat tree. For users it grants anonymous access; authenticated users can read groups, hosts and netgroups. I'm unsure if th

Re: [Freeipa-devel] [PATCH] 0640 Add managed read permissions for compat tree

2014-09-05 Thread Petr Viktorin
On 09/05/2014 01:34 PM, Alexander Bokovoy wrote: On Fri, 05 Sep 2014, Petr Viktorin wrote: On 09/05/2014 09:18 AM, Martin Kosek wrote: ... Thanks! Looks sane to me. We would just need to remove Views related ACIs for the 4.0.x version that we will need for today. Thanks indeed! Here is the

Re: [Freeipa-devel] [PATCH] Make CA-less ipa-server-install option --root-ca-file optional

2014-09-05 Thread Petr Viktorin
On 08/07/2014 05:46 PM, Petr Viktorin wrote: On 08/06/2014 09:42 AM, Jan Cholasta wrote: On 5.8.2014 at 10:30, Jan Cholasta wrote: Hi, the attached patch fixes the code part of <https://fedorahosted.org/freeipa/ticket/4457>. Works for me, thanks! Pushed to:

Re: [Freeipa-devel] [PATCH] 0011 Allow user to force Kerberos realm during installation

2014-09-05 Thread Petr Viktorin
On 09/05/2014 02:44 PM, Jan Cholasta wrote: On 5.9.2014 at 09:25, David Kupka wrote: On 09/04/2014 01:22 PM, Jan Cholasta wrote: On 4.9.2014 at 12:42, David Kupka wrote: On 09/03/2014 05:09 PM, Jan Cholasta wrote: Hi, On 27.8.2014 at 13:56, David Kupka wrote: Usually it isn't wise

Re: [Freeipa-devel] [PATCH] 0640 Add managed read permissions for compat tree

2014-09-05 Thread Petr Viktorin
On 09/05/2014 01:51 PM, Petr Viktorin wrote: On 09/05/2014 01:34 PM, Alexander Bokovoy wrote: On Fri, 05 Sep 2014, Petr Viktorin wrote: On 09/05/2014 09:18 AM, Martin Kosek wrote: ... Thanks! Looks sane to me. We would just need to remove Views related ACIs for the 4.0.x version that we will

Re: [Freeipa-devel] [PATCH] Make CA-less ipa-server-install option --root-ca-file optional

2014-09-05 Thread Petr Viktorin
On 09/05/2014 02:03 PM, Petr Viktorin wrote: On 08/07/2014 05:46 PM, Petr Viktorin wrote: On 08/06/2014 09:42 AM, Jan Cholasta wrote: On 5.8.2014 at 10:30, Jan Cholasta wrote: Hi, the attached patch fixes the code part of <https://fedorahosted.org/freeipa/ticket/4457>. Works

Re: [Freeipa-devel] [PATCH] 318 Backup CS.cfg before modifying it

2014-09-05 Thread Petr Viktorin
On 09/05/2014 01:47 PM, Jan Cholasta wrote: On 5.9.2014 at 12:05, Petr Viktorin wrote: On 09/03/2014 06:35 PM, Jan Cholasta wrote: Hi, the attached patch fixes <https://fedorahosted.org/freeipa/ticket/4166>. Honza ACK Neither patch applies to 4.1, though. Could you send a versi

Re: [Freeipa-devel] FreeIPA 4.0.2

2014-09-05 Thread Petr Viktorin
On 09/05/2014 03:19 PM, Martin Kosek wrote: Hello Team, The time has come and we are about to spin the release wheels for FreeIPA 4.0.2! Let us do quick check before the release. This version Release Man is Petr Viktorin. I can start the release process in a few hours, if the new bind-dyndb

Re: [Freeipa-devel] [PATCH] 1109 No client machine cert

2014-09-05 Thread Petr Viktorin
On 09/03/2014 09:23 PM, Rob Crittenden wrote: No longer request and install a cert for the IPA client machine. https://fedorahosted.org/freeipa/ticket/4449 ACK Pushed to: master: c1bf5203937827369c7ce023d03c75d2da6d83ee ipa-4-1: 058c1f453c4e2df38eec57ba605cd5dc492eb978 ipa-4-0: 2dd2fd7e1aa470

[Freeipa-devel] Announcing FreeIPA 4.0.2

2014-09-08 Thread Petr Viktorin
Tests: DNS wildcard records === Martin Košek (2) === * Do not crash client basedn discovery when SSF not met * ipa-adtrust-install does not re-add member in adtrust agents group === Nathaniel McCallum (1) === * Ensure ipaUserAuthTypeClass when needed on user creation === Petr Viktorin (8) === * Upda

Re: [Freeipa-devel] [PATCH] 0083 Remove internaldb pasword from password.conf

2014-09-09 Thread Petr Viktorin
On 09/02/2014 11:37 AM, Jan Cholasta wrote: Patch attached. On 2.9.2014 at 09:03, Jan Cholasta wrote: Also, Dogtag certificate renewal does not work with internaldb removed, I'm working on a patch to fix that. On 1.9.2014 at 18:19, Petr Viktorin wrote: On 11/06/2013 01:41 PM

Re: [Freeipa-devel] [PATCH 0032] Hardcoded lib dir in freeipa.spec

2014-09-09 Thread Petr Viktorin
On 09/08/2014 04:10 PM, Gabe Alford wrote: Hello, This patch should fix https://fedorahosted.org/freeipa/ticket/4528 Thanks, Gabe Thank you! ACK, pushed to: master: 8cb27bfa4fe73fa4c236f5e7d9591a28ee064f2b ipa-4-1: ce86e5d874b86a5118a84459e0624f61c49210d6 -- Petr³

Re: [Freeipa-devel] Fwd: [freeipa] update to Java/8

2014-09-09 Thread Petr Viktorin
On 09/09/2014 01:52 PM, Petr Vobornik wrote: On 5.9.2014 12:35, Martin Kosek wrote: Petr, why do we require java-1.7.0-openjdk in BuildRequires anyway? Shouldn't rhino be enough? I don't think that rhino pulls Java. The correct patch would be the one which we already used upstream: http://www

Re: [Freeipa-devel] [PATCH] 11 - re-enable uninstall option in ipa-kra-install

2014-09-10 Thread Petr Viktorin
On 09/02/2014 05:05 AM, Ade Lee wrote: Re-enable uninstall feature for ipa-kra-install The underlying Dogtag issue (Dogtag ticket 1113) has been fixed. We can therefore re-enable the uninstall option for ipa-kra-install. Also, fixes an incorrect path in the ipa-pki-proxy.conf, and

Re: [Freeipa-devel] [PATCHES 247-259] ID views - management part

2014-09-10 Thread Petr Viktorin
On 08/01/2014 12:30 PM, Tomas Babej wrote: Hi, the following set of patches implements the ID view creation and management of views and ID overrides in IPA. Pending questions: 1.) The patch 253 implements basic managed permissions for ID views and ID overrides. Do we want to have a separate per

Re: [Freeipa-devel] [PATCHES 247-259] ID views - management part

2014-09-10 Thread Petr Viktorin
On 09/10/2014 03:10 PM, Petr Viktorin wrote: On 08/01/2014 12:30 PM, Tomas Babej wrote: Hi, the following set of patches implements the ID view creation and management of views and ID overrides in IPA. Pending questions: 1.) The patch 253 implements basic managed permissions for ID views and

Re: [Freeipa-devel] [PATCH 0063] Update qrcode support for newer python-qrcode

2014-09-11 Thread Petr Viktorin
On 09/10/2014 11:50 PM, Nathaniel McCallum wrote: On Wed, 2014-09-10 at 17:41 -0400, Nathaniel McCallum wrote: This substantially reduces the FreeIPA dependencies and allows QR codes to fit in a standard terminal. https://fedorahosted.org/freeipa/ticket/4430 A note about this patch: Quick re

Re: [Freeipa-devel] FreeIPA 4.0.3?

2014-09-11 Thread Petr Viktorin
On 09/11/2014 01:37 PM, Martin Kosek wrote: Hi team, It seems we have pretty serious bug in our FreeIPA 4.0.2 release, breaking upgrade from older releases: https://fedorahosted.org/freeipa/ticket/4529 We also have packaging fix requested by Fedora Server roles group: https://fedorahosted.org

Re: [Freeipa-devel] FreeIPA 4.0.3?

2014-09-11 Thread Petr Viktorin
Kosek wrote: On 09/11/2014 03:47 PM, Nathaniel McCallum wrote: On Thu, 2014-09-11 at 15:46 +0200, Petr Viktorin wrote: On 09/11/2014 01:37 PM, Martin Kosek wrote: Hi team, It seems we have pretty serious bug in our FreeIPA 4.0.2 release, breaking upgrade from older releases: https

Re: [Freeipa-devel] FreeIPA 4.0.3?

2014-09-11 Thread Petr Viktorin
:09 +0200, Ludwig Krispenz wrote: On 09/11/2014 04:04 PM, Martin Kosek wrote: On 09/11/2014 03:47 PM, Nathaniel McCallum wrote: On Thu, 2014-09-11 at 15:46 +0200, Petr Viktorin wrote: On 09/11/2014 01:37 PM, Martin Kosek wrote: Hi team, It seems we have pretty serious bug in our FreeIPA 4.0.2

Re: [Freeipa-devel] FreeIPA 4.0.3?

2014-09-11 Thread Petr Viktorin
On 09/11/2014 04:38 PM, Ludwig Krispenz wrote: On 09/11/2014 04:31 PM, Petr Viktorin wrote: On 09/11/2014 04:26 PM, Martin Kosek wrote: ... Also, we will need to add the F21 389-ds-base build to FreeIPA Copr: http://copr.fedoraproject.org/coprs/mkosek/freeipa/ so that F20 users can upgrade

Re: [Freeipa-devel] FreeIPA 4.0.3?

2014-09-11 Thread Petr Viktorin
On 09/11/2014 04:43 PM, Nathaniel McCallum wrote: On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote: On 09/11/2014 04:38 PM, Ludwig Krispenz wrote: On 09/11/2014 04:31 PM, Petr Viktorin wrote: On 09/11/2014 04:26 PM, Martin Kosek wrote: ... Also, we will need to add the F21 389-ds

Re: [Freeipa-devel] FreeIPA 4.0.3?

2014-09-11 Thread Petr Viktorin
On 09/11/2014 04:51 PM, Nathaniel McCallum wrote: On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote: On 09/11/2014 04:43 PM, Nathaniel McCallum wrote: On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote: On 09/11/2014 04:38 PM, Ludwig Krispenz wrote: On 09/11/2014 04:31 PM, Petr

Re: [Freeipa-devel] #4534: SSSD deref processing fail when entryusn can be read and objectclass doesn't

2014-09-12 Thread Petr Viktorin
On 09/11/2014 10:24 PM, Martin Kosek wrote: On 09/11/2014 08:49 PM, Simo Sorce wrote: On Thu, 2014-09-11 at 20:28 +0200, Martin Kosek wrote: On 09/11/2014 05:37 PM, Simo Sorce wrote: On Thu, 2014-09-11 at 17:03 +0200, Martin Kosek wrote: Hello, We have another important issue to resolve. Cur

Re: [Freeipa-devel] #4534: SSSD deref processing fail when entryusn can be read and objectclass doesn't

2014-09-12 Thread Petr Viktorin
On 09/12/2014 09:48 AM, Alexander Bokovoy wrote: On Fri, 12 Sep 2014, Martin Kosek wrote: Operational Attributes) Removing a default ACI is difficult (read: new code that could go wrong) if we want to handle 4.0.2 properly, since installing/upgrading to 4.0.2 will always add it back. Perhaps w

[Freeipa-devel] [PATCHES] 0642-0643 Move granting read access to entryusn & timestamp entries to individual permissions

2014-09-12 Thread Petr Viktorin
added for 4.0.2, is removed on upgrade. -- Petr³ From f794853264041cac730855c12ba96ab9cc564762 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Fri, 12 Sep 2014 09:59:52 +0200 Subject: [PATCH] permission plugin: Auto-add operational atttributes to read permissions The attributes entryusn, creat

Re: [Freeipa-devel] [PATCHES] 0642-0643 Move granting read access to entryusn & timestamp entries to individual permissions

2014-09-12 Thread Petr Viktorin
On 09/12/2014 04:25 PM, Martin Kosek wrote: On 09/12/2014 01:53 PM, Petr Viktorin wrote: https://fedorahosted.org/freeipa/ticket/4534 The entryusn and timestamp operational attributes are now automatically added to every read permission that targets objectclass, whether managed or user-created

[Freeipa-devel] [PATCH] 0644 Update referential integrity config for DS 1.3.3

2014-09-12 Thread Petr Viktorin
https://fedorahosted.org/freeipa/ticket/4537 See commit message for the story behind this one. -- Petr³ From e36ecfee32a331bfd031a48df2abe7e0ce8ec987 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Fri, 12 Sep 2014 17:14:14 +0200 Subject: [PATCH] Update referential integrity config for DS

Re: [Freeipa-devel] [PATCH] 0644 Update referential integrity config for DS 1.3.3

2014-09-12 Thread Petr Viktorin
On 09/12/2014 05:47 PM, Ludwig Krispenz wrote: On 09/12/2014 05:43 PM, Martin Kosek wrote: On 09/12/2014 05:35 PM, Petr Viktorin wrote: https://fedorahosted.org/freeipa/ticket/4537 See commit message for the story behind this one. Thanks. Works as a charm, so ACK. just for my

Re: [Freeipa-devel] [PATCHES] 0642-0643 Move granting read access to entryusn & timestamp entries to individual permissions

2014-09-12 Thread Petr Viktorin
On 09/12/2014 05:02 PM, Martin Kosek wrote: On 09/12/2014 04:46 PM, Petr Viktorin wrote: On 09/12/2014 04:25 PM, Martin Kosek wrote: On 09/12/2014 01:53 PM, Petr Viktorin wrote: https://fedorahosted.org/freeipa/ticket/4534 The entryusn and timestamp operational attributes are now

[Freeipa-devel] FreeIPA 4.0.3 ?

2014-09-12 Thread Petr Viktorin
There were some critical issues in 4.0.2, mainly with integration: https://fedorahosted.org/freeipa/ticket/4529 - broken upgrades https://fedorahosted.org/freeipa/ticket/4430 - python-qrcode packaging fix https://fedorahosted.org/freeipa/ticket/4395 - update of SSL ciphers https://fedorahosted.or

[Freeipa-devel] Announcing FreeIPA 4.0.3

2014-09-12 Thread Petr Viktorin
qrcode support for newer python-qrcode === Petr Viktorin (4) === * Update referential integrity config for DS 1.3.3 * permission plugin: Auto-add operational atttributes to read permissions * Allow deleting obsolete permissions; remove operational attribute permissions * Become IPA 4.0.3

Re: [Freeipa-devel] [PATCH] 11 - re-enable uninstall option in ipa-kra-install

2014-09-15 Thread Petr Viktorin
On 09/10/2014 01:34 PM, Petr Viktorin wrote: On 09/02/2014 05:05 AM, Ade Lee wrote: Re-enable uninstall feature for ipa-kra-install The underlying Dogtag issue (Dogtag ticket 1113) has been fixed. We can therefore re-enable the uninstall option for ipa-kra-install. Also, fixes

Re: [Freeipa-devel] Announcing FreeIPA 4.0.3

2014-09-15 Thread Petr Viktorin
On 09/15/2014 04:45 PM, Nathaniel McCallum wrote: FYI, for any Fedora testers out there, we have updated to 4.0.3 in Fedora 21 in part because it substantially reduces the size of the install media for the upcoming Alpha release. If you'd like to test and provide feedback on the packages, the lin

Re: [Freeipa-devel] [PATCH 0269] ipalib: host_del: Extend LDAPDelete's takes_options instead

2014-09-17 Thread Petr Viktorin
On 09/16/2014 02:46 PM, Jan Cholasta wrote: On 16.9.2014 at 13:21, Tomas Babej wrote: Hi, The host-del command did not accept --continue option, since the takes_options was overridden and did not take the options from LDAPDelete. Fix the behaviour. https://fedorahosted.org/freeipa/ticket/44

[Freeipa-devel] [PATCH] 0645 ipa-replica-prepare: Wait for the DNS entry to be resolvable

2014-09-19 Thread Petr Viktorin
https://fedorahosted.org/freeipa/ticket/4551 See ticket & commit message for details. -- Petr³ From 2247f62f84ae098451b57fd274b1c87be61ff507 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Fri, 19 Sep 2014 15:57:44 +0200 Subject: [PATCH] ipa-replica-prepare: Wait for the DNS entry t

[Freeipa-devel] [PATCH] 0647 test_permission_plugin: Check legacy permissions

2014-09-19 Thread Petr Viktorin
This has been wrong for some time, now I got around to fixing it properly. It should go to all branches (4.0, 4.1, master). -- Petr³ From e069d262fd7021a3a6841065654de4f32eae4c71 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Fri, 19 Sep 2014 12:34:14 +0200 Subject: [PATCH

Re: [Freeipa-devel] [PATCH 0122] Add dogtag 10.2 to specfile

2014-09-22 Thread Petr Viktorin
On 09/12/2014 04:46 PM, Martin Basti wrote: On 12/09/14 16:38, Martin Kosek wrote: On 09/12/2014 04:14 PM, Martin Basti wrote: On 12/09/14 16:02, Martin Basti wrote: I always forgot to install dogtag 10.2, so here is updated specfile. COPR: http://copr.fedoraproject.org/coprs/vakwetu/dogtag/

Re: [Freeipa-devel] [PATCH] 0105 FIX: LDAP_updater

2014-09-22 Thread Petr Viktorin
On 09/01/2014 04:31 PM, Martin Basti wrote: On 24/07/14 09:06, Martin Basti wrote: On 23/07/14 15:17, Martin Basti wrote: This patch fixes ordering problem of schema updates Martin should it be in IPA 4.0.x ? It requires rebased ldap_python (will be in Fedora 21) Patch attached I found a b

Re: [Freeipa-devel] [PATCH] 0645 ipa-replica-prepare: Wait for the DNS entry to be resolvable

2014-09-22 Thread Petr Viktorin
On 09/22/2014 01:48 PM, Petr Spacek wrote: On 22.9.2014 10:38, Martin Kosek wrote: On 09/22/2014 10:31 AM, Petr Spacek wrote: On 22.9.2014 10:14, Martin Kosek wrote: On 09/19/2014 07:29 PM, Petr Viktorin wrote: https://fedorahosted.org/freeipa/ticket/4551 See ticket & commit message

Re: [Freeipa-devel] [PATCH 0298-0302] Implement handling of inactive master zones

2014-09-22 Thread Petr Viktorin
On 09/22/2014 02:01 PM, Martin Basti wrote: On 19/09/14 15:46, Petr Spacek wrote: Hello, This patch set fixes https://fedorahosted.org/bind-dyndb-ldap/ticket/127 https://bugzilla.redhat.com/show_bug.cgi?id=1138317 Please review it ASAP, it targets IPA 4.1/Fedora 21. Tomas and Martin, please c

Re: [Freeipa-devel] [PATCHES 247-259] ID views - management part

2014-09-23 Thread Petr Viktorin
0. It depends on patch 269, sent in separate thread. Tomas On 09/10/2014 03:10 PM, Petr Viktorin wrote: On 08/01/2014 12:30 PM, Tomas Babej wrote: Hi, the following set of patches implements the ID view creation and management of views and ID overrides in IPA. Pending questions: 1.) The patc

Re: [Freeipa-devel] [PATCHES] 0264-0267 backup, restore: Don't overwrite /etc/{passwd, group}

2014-09-23 Thread Petr Viktorin
On 09/23/2014 12:10 PM, Tomas Babej wrote: On 08/26/2014 01:16 PM, Petr Viktorin wrote: On 07/30/2014 04:26 PM, Petr Viktorin wrote: On 07/29/2014 06:03 PM, Petr Viktorin wrote: On 07/29/2014 05:02 PM, Petr Viktorin wrote: Hello, The first patch here consolidates our system user creation

[Freeipa-devel] [PATCH] JSON client: Log pretty-printed request and response with -vvv or above

2014-09-23 Thread Petr Viktorin
"36480" ] }, "summary": null, "value": "admin" }, "version": "4.0.0GIT88bea65" } User login: admin Last name: Administrator Home directory: /home/admin Login shell: /bin/bash UID: 364800

Re: [Freeipa-devel] [PATCH] JSON client: Log pretty-printed request and response with -vv or above

2014-09-23 Thread Petr Viktorin
On 09/23/2014 03:13 PM, Petr Viktorin wrote: https://fedorahosted.org/freeipa/ticket/4233 After talking to Rob, I've changed what the -v means a bit more: A single -v just turns on INFO logging, as before: $ ipa -v ping ipa: INFO: trying https://vm-073.idm.lab.eng.brq.redhat.com/ipa/jso

Re: [Freeipa-devel] [PATCH] 323 Fix certmonger code causing the ca_renewal_master update plugin to fail

2014-09-23 Thread Petr Viktorin
On 09/23/2014 02:34 PM, David Kupka wrote: On 09/17/2014 03:57 PM, Jan Cholasta wrote: Hi, the attached patch fixes . Honza Works for me, thanks for patch. ACK. Pushed to: master: f680a63158d172042c91537a1cb7f6f53766e2ad ipa-4-1: 1a327cf4292

Re: [Freeipa-devel] [PATCHES 0114-0115] DNS: allow to add root zone '.'

2014-09-24 Thread Petr Viktorin
On 09/23/2014 05:45 PM, Petr Vobornik wrote: On 25.8.2014 14:52, Martin Basti wrote: [...] 1. Please follow pep8 for the new code. # git diff HEAD~7 -U0 | pep8 --diff --ignore=E501 Produces 25 errors. Only E124 and E128 could be ignored if they are part of old code. FWIW, our style guide is

Re: [Freeipa-devel] [PATCH] 0105 FIX: LDAP_updater

2014-09-24 Thread Petr Viktorin
On 09/23/2014 02:51 PM, Martin Basti wrote: On 22/09/14 14:04, Petr Viktorin wrote: On 09/01/2014 04:31 PM, Martin Basti wrote: On 24/07/14 09:06, Martin Basti wrote: On 23/07/14 15:17, Martin Basti wrote: This patch fixes ordering problem of schema updates Martin should it be in IPA 4.0.x

Re: [Freeipa-devel] [PATCH] 0645 ipa-replica-prepare: Wait for the DNS entry to be resolvable

2014-09-24 Thread Petr Viktorin
On 09/23/2014 06:00 PM, Petr Spacek wrote: On 22.9.2014 14:09, Petr Viktorin wrote: On 09/22/2014 01:48 PM, Petr Spacek wrote: On 22.9.2014 10:38, Martin Kosek wrote: On 09/22/2014 10:31 AM, Petr Spacek wrote: On 22.9.2014 10:14, Martin Kosek wrote: On 09/19/2014 07:29 PM, Petr Viktorin

Re: [Freeipa-devel] [PATCHES] 0631-0632 Integration tests for backup & restore

2014-09-24 Thread Petr Viktorin
On 09/23/2014 12:17 PM, Tomas Babej wrote: On 08/06/2014 04:52 PM, Petr Viktorin wrote: On 08/06/2014 04:36 PM, Petr Viktorin wrote: Hello, These patches add integration tests for backup & restore. They depend on my earlier backup/restore patches, 0624-0627. I'm also attaching a

Re: [Freeipa-devel] [PATCH] JSON client: Log pretty-printed request and response with -vv or above

2014-09-24 Thread Petr Viktorin
On 09/24/2014 01:50 PM, David Kupka wrote: On 09/23/2014 04:15 PM, Petr Viktorin wrote: On 09/23/2014 03:13 PM, Petr Viktorin wrote: https://fedorahosted.org/freeipa/ticket/4233 After talking to Rob, I've changed what the -v means a bit more: A single -v just turns on INFO loggin

Re: [Freeipa-devel] [PATCH][RFC] 13 - Log pretty-printed request and response

2014-09-24 Thread Petr Viktorin
On 04/16/2014 05:42 PM, Rob Crittenden wrote: Misnyovszki Adam wrote: Hi, this patch enables logging json dumps of request and response, using the --log-payload switch in ipa cli. RFC tag is to ensure that I handled the --log-payload switch correctly in ipa cli. Be careful, it only logs, so --lo

Re: [Freeipa-devel] [PATCH] 0645 ipa-replica-prepare: Wait for the DNS entry to be resolvable

2014-09-24 Thread Petr Viktorin
On 09/24/2014 01:54 PM, Petr Spacek wrote: On 24.9.2014 13:47, Petr Viktorin wrote: On 09/23/2014 06:00 PM, Petr Spacek wrote: On 22.9.2014 14:09, Petr Viktorin wrote: On 09/22/2014 01:48 PM, Petr Spacek wrote: On 22.9.2014 10:38, Martin Kosek wrote: On 09/22/2014 10:31 AM, Petr Spacek

Re: [Freeipa-devel] [PATCH] 755 webui-ci: case-insensitive record check

2014-09-25 Thread Petr Viktorin
On 09/25/2014 03:30 AM, Fraser Tweedale wrote: On Wed, Sep 24, 2014 at 09:16:52AM -0500, Endi Sukma Dewata wrote: On 9/24/2014 8:26 AM, Petr Vobornik wrote: On 24.9.2014 04:43, Endi Sukma Dewata wrote: On 9/22/2014 9:49 AM, Petr Vobornik wrote: [PATCH] webui-ci: case-insensitive record check

Re: [Freeipa-devel] [PATCHES] 0633-0634 Move setting SELinux booleans to platform code; Set SELinux booleans when restoring

2014-09-25 Thread Petr Viktorin
On 09/24/2014 06:02 PM, thierry bordaz wrote: On 08/15/2014 10:40 PM, Petr Viktorin wrote: A fix for https://fedorahosted.org/freeipa/ticket/4157 This depends on my patches 0631-0632 (for backup/restore integration tests). Our setsebool code was repeated a few times. Instead of adding
