Re: [Freeipa-devel] [PATCH] 1109 No client machine cert

2014-09-05 Thread Rob Crittenden
Martin Kosek wrote: > On 09/05/2014 03:15 PM, Rob Crittenden wrote: >> Alexander Bokovoy wrote: >>> On Fri, 05 Sep 2014, Martin Kosek wrote: >>>> On 09/04/2014 05:13 PM, Rob Crittenden wrote: >>>>> Jan Cholasta wrote: >>>>>>

Re: [Freeipa-devel] [PATCH] 1109 No client machine cert

2014-09-05 Thread Rob Crittenden
Alexander Bokovoy wrote: > On Fri, 05 Sep 2014, Martin Kosek wrote: >> On 09/04/2014 05:13 PM, Rob Crittenden wrote: >>> Jan Cholasta wrote: >>>> Hi, >>>> >>>> Dne 3.9.2014 v 21:23 Rob Crittenden napsal(a): >>>>> No longer r

Re: [Freeipa-devel] [PATCH] 1109 No client machine cert

2014-09-04 Thread Rob Crittenden
Jan Cholasta wrote: > Hi, > > Dne 3.9.2014 v 21:23 Rob Crittenden napsal(a): >> No longer request and install a cert for the IPA client machine. >> >> rob > > The original plan was to keep generating the certificate, but in > /etc/ipa/nssdb instead of /e

[Freeipa-devel] [PATCH] 1109 No client machine cert

2014-09-03 Thread Rob Crittenden
No longer request and install a cert for the IPA client machine. rob >From 0468e18bb949e9dd8fc60c5f20581c1aea72be29 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Wed, 3 Sep 2014 15:14:45 -0400 Subject: [PATCH] No longer generate a machine certificate on client installs ht

Re: [Freeipa-devel] Compat tree permissions

2014-09-03 Thread Rob Crittenden
Alexander Bokovoy wrote: > On Wed, 03 Sep 2014, Martin Kosek wrote: >> On 09/03/2014 02:04 PM, Alexander Bokovoy wrote: >>> On Wed, 03 Sep 2014, Martin Kosek wrote: On 09/03/2014 01:02 PM, Alexander Bokovoy wrote: > On Wed, 03 Sep 2014, Martin Kosek wrote: >> On 09/03/2014 12:39 PM, Al

Re: [Freeipa-devel] [PATCH] 0010 Add 'host' setting into default.conf configuration file

2014-08-26 Thread Rob Crittenden
David Kupka wrote: > On 08/26/2014 03:08 PM, Jan Cholasta wrote: >> Hi, >> >> Dne 26.8.2014 v 13:01 David Kupka napsal(a): >>> https://fedorahosted.org/freeipa/ticket/4481 >> >> Doing this will break ipa-client-automount and ipa-certupdate, because >> they assume that api.env.host contains the host

Re: [Freeipa-devel] [PATCH] - Add DRM to IPA

2014-08-20 Thread Rob Crittenden
Ade Lee wrote: > On Thu, 2014-08-14 at 14:29 +0200, Petr Viktorin wrote: >> On 08/14/2014 10:53 AM, Martin Kosek wrote: >>> On 08/13/2014 09:54 PM, Ade Lee wrote: In Dogtag, we have decided to revert the name of the DRM to the old name KRA. DRM was really only used in docs/marketing

Re: [Freeipa-devel] [PATCH] 0008 Use certmonger D-Bus API instead of messing with its files.

2014-08-19 Thread Rob Crittenden
David Kupka wrote: > On 08/19/2014 09:58 AM, Martin Kosek wrote: >> On 08/19/2014 09:05 AM, David Kupka wrote: >>> FreeIPA will use certmonger D-Bus API as discussed in this thread >>> https://www.redhat.com/archives/freeipa-devel/2014-July/msg00304.html >>> >>> This change should prevent hard-to-r

Re: [Freeipa-devel] [PATCH] - Add DRM to IPA

2014-08-08 Thread Rob Crittenden
Ade Lee wrote: > Attached is a new patch. I believe I have addressed all the issues > raised by pviktori, edewata and rcrit. > > Please let me know if I missed something! > > Incidentally, to get all this to work, you should use the latest Dogtag > 10.2 build, which also contains a fix for pkide

Re: [Freeipa-devel] [PATCH] 314 Allow specifying key algorithm of the IPA CA cert in ipa-server-install

2014-08-06 Thread Rob Crittenden
Jan Cholasta wrote: > Hi, > > the attached patch fixes . > +cert_group.add_option("--ca-key-algorithm", dest="ca_key_algorithm", + help="Key algorithm of the IPA CA certificate (default SHA256withRSA)") Why not set the defa

Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

2014-07-30 Thread Rob Crittenden
Jan Cholasta wrote: > Dne 29.7.2014 v 16:33 Rob Crittenden napsal(a): >> Rob Crittenden wrote: >>> Jan Cholasta wrote: >>>> Dne 28.7.2014 v 21:39 Rob Crittenden napsal(a): >>>>> This is oh-so close. AFAICT it generally does what it should, I >>>

Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

2014-07-29 Thread Rob Crittenden
Rob Crittenden wrote: > Jan Cholasta wrote: >> Dne 28.7.2014 v 21:39 Rob Crittenden napsal(a): >>> This is oh-so close. AFAICT it generally does what it should, I think it >>> is ready for a wider audience. Just a few more things: >>> >>> 306: A while

Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

2014-07-29 Thread Rob Crittenden
Jan Cholasta wrote: > Dne 28.7.2014 v 21:39 Rob Crittenden napsal(a): >> This is oh-so close. AFAICT it generally does what it should, I think it >> is ready for a wider audience. Just a few more things: >> >> 306: A while True loop is used for something which AFAICT ca

Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

2014-07-28 Thread Rob Crittenden
Jan Cholasta wrote: > On 22.7.2014 15:21, Rob Crittenden wrote: >> Rob Crittenden wrote: >>> Jan Cholasta wrote: >>>> On 2.7.2014 19:37, Jan Cholasta wrote: >>>>> On 2.7.2014 19:08, Rob Crittenden wrote: >>>>>> Trimming to

Re: [Freeipa-devel] ipa-replica-manage and topology plugin

2014-07-25 Thread Rob Crittenden
Ludwig Krispenz wrote: > Hi, > I am working on ticket #4302 and am building a prototype to verify if > the current design [1] will work and what is missing. > > Now the question comes up, how will this be managed and what happens > with eg ipa-replica-manage ? If the topology plugin is deployed an

Re: [Freeipa-devel] LDAP updater with --test option

2014-07-24 Thread Rob Crittenden
Martin Basti wrote: > Hi list, > > maybe I missed something, but I expected there to be no modifications > with this option. > > With --test option the LDAP schema is not updated, but update plugins > don't care about --test option ('live_run' in code). > > Update plugins use an IPA api directl

Re: [Freeipa-devel] [PATCH 0246] baseldap: Fix undefined variable reference in

2014-07-24 Thread Rob Crittenden
Tomas Babej wrote: > > On 07/24/2014 12:35 PM, Tomas Babej wrote: >> Hi, >> >> on receiving a PublicError we fail with InternalError since msg is not >> defined.

Re: [Freeipa-devel] [PATCH] 0006 Fix group-remove-member crash when group is removed from a protected group

2014-07-23 Thread Rob Crittenden
Martin Kosek wrote: > On 07/23/2014 04:08 PM, David Kupka wrote: >> https://fedorahosted.org/freeipa/ticket/4448 > > Alternatively, we could also update the "if" condition to avoid running this > section at all when options['user'] does not exist or is empty. This would > save > us at least from

Re: [Freeipa-devel] [PATCH] 0105 FIX: LDAP_updater

2014-07-23 Thread Rob Crittenden
Martin Basti wrote: > This patch fixes the ordering problem of schema updates > > Martin should it be in IPA 4.0.x ? It requires rebased ldap_python (will > be in Fedora 21) > > Patch attached It looks like the modlist is only generated during a live run which would diminish the utility of the --tes

Re: [Freeipa-devel] Reasons for not using certmonger DBus API

2014-07-23 Thread Rob Crittenden
Jan Cholasta wrote: > On 23.7.2014 12:23, Martin Kosek wrote: >> On 07/23/2014 10:49 AM, Jan Cholasta wrote: >>> On 23.7.2014 10:38, Martin Kosek wrote: On 07/23/2014 10:33 AM, Jan Cholasta wrote: > On 23.7.2014 10:12, Martin Kosek wrote: >> On 07/23/2014 09:56 AM, David Kupka wrote: >

Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

2014-07-22 Thread Rob Crittenden
Rob Crittenden wrote: > Jan Cholasta wrote: >> On 2.7.2014 19:37, Jan Cholasta wrote: >>> On 2.7.2014 19:08, Rob Crittenden wrote: >>>> Trimming to respond to your questions. >>>>>> Not sure if this is related: >>>>>> # pki cert-fi

Re: [Freeipa-devel] [PATCH] - Add DRM to IPA

2014-07-18 Thread Rob Crittenden
Ade Lee wrote: > Hi all, > > I have rebased all the previous patches against master, and have squashed > them all into a single patch. > It's a large patch, but as many folks have already reviewed the constituent > precursor patches, most of it > should be familiar and easier to review. > > The

Re: [Freeipa-devel] weird data interaction

2014-07-18 Thread Rob Crittenden
Petr Viktorin wrote: > On 07/17/2014 10:31 PM, Rob Crittenden wrote: >> Saw something very weird today but my setup was also a bit odd so it may >> not be worthy of a ticket. Need a second opinion. >> >> Ok, so I wanted to test Jan's CA patches. They don't

[Freeipa-devel] weird data interaction

2014-07-17 Thread Rob Crittenden
Saw something very weird today but my setup was also a bit odd so it may not be worthy of a ticket. Need a second opinion. Ok, so I wanted to test Jan's CA patches. They don't apply to current master due to the churn pre-4.0, so I just rewound the world to July 3 and applied them on the master bra

Re: [Freeipa-devel] Password Vault Implementation

2014-07-15 Thread Rob Crittenden
Endi Sukma Dewata wrote: > On 7/15/2014 9:27 AM, Simo Sorce wrote: >> I am curious about this: "Currently there is no NSS backend for Python >> Cryptography." >> Yet we use python-nss in some projects already, so what is missing >> there ? >> >> Simo. > > Does the IPA client currently require pyth

Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

2014-07-03 Thread Rob Crittenden
Jan Cholasta wrote: > On 2.7.2014 19:37, Jan Cholasta wrote: >> On 2.7.2014 19:08, Rob Crittenden wrote: >>> Trimming to respond to your questions. >>>>> Not sure if this is related: >>>>> # pki cert-find >>>>> PKIException: Inter

Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

2014-07-02 Thread Rob Crittenden
Jan Cholasta wrote: > On 28.6.2014 00:19, Rob Crittenden wrote: >> >> I'm going to consolidate all reviews for 241 - 303 here. I'm not doing >> this in any particular order. Trimming to respond to your questions. >> Not sure if this is related: >> # pki

[Freeipa-devel] Smart proxy Fedora package

2014-07-01 Thread Rob Crittenden
The smart proxy source was pulled from the IPA tree and moved into its own repository. I've created a Fedora package for it if someone can review it: https://bugzilla.redhat.com/show_bug.cgi?id=1114764 rob

Re: [Freeipa-devel] [PATCH 0236] ipaldap: Fallback to string if datetime conversion went wrong

2014-07-01 Thread Rob Crittenden
Tomas Babej wrote: > > On 07/01/2014 12:19 PM, Martin Kosek wrote: >> On 06/26/2014 10:44 AM, Jan Cholasta wrote: >>> On 26.6.2014 10:39, Petr Viktorin wrote: On 06/26/2014 10:33 AM, Jan Cholasta wrote: > On 26.6.2014 09:40, Petr Viktorin wrote: >> On 06/26/2014 09:33 AM, Jan Cholasta

[Freeipa-devel] [PATCH] 1108 Remove smartproxy

2014-06-30 Thread Rob Crittenden
The Foreman Smart Proxy server has its own upstream now at https://fedorahosted.org/freeipa-foreman-smartproxy/ so this source is no longer needed. rob >From 12ce774bc4e7867d583e6f80a1bc0a181e685d9c Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Mon, 30 Jun 2014 18:27:31 -0400 Subj

Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

2014-06-30 Thread Rob Crittenden
Rob Crittenden wrote: > Jan Cholasta wrote: >> On 26.6.2014 20:05, Rob Crittenden wrote: >>> Jan Cholasta wrote: >>>> On 16.6.2014 15:35, Jan Cholasta wrote: >>>>> Hi, >>>>> >>>>> the attached patches implement >>&

Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

2014-06-26 Thread Rob Crittenden
Jan Cholasta wrote: > On 16.6.2014 15:35, Jan Cholasta wrote: >> Hi, >> >> the attached patches implement >> . >> >> My patches 241-253 and 262-294 are required for this >> (, >>

Re: [Freeipa-devel] [PATCHES] 241-253 CA certificate renewal

2014-06-26 Thread Rob Crittenden
Jan Cholasta wrote: > On 12.6.2014 09:49, Jan Cholasta wrote: >> On 20.5.2014 21:38, Rob Crittenden wrote: >>> Jan Cholasta wrote: >>>> On 25.4.2014 10:51, Jan Cholasta wrote: >>>>> On 24.4.2014 23:16, Rob Crittenden wrote: >>>>>>

Re: [Freeipa-devel] [PATCHES] 267-294 Support multiple CA certificates in LDAP

2014-06-26 Thread Rob Crittenden
Comments buried deep inline. Jan Cholasta wrote: > On 16.6.2014 22:36, Rob Crittenden wrote: >> Rob Crittenden wrote: >>> Jan Cholasta wrote: >>>> Hi, >>>> >>>> the attached patches implement >>>> <https://fedorahosted.org/f

Re: [Freeipa-devel] [PATCH] 0590 Allow read access to masters, but not their services, to auth'd users

2014-06-19 Thread Rob Crittenden
Petr Viktorin wrote: > On 06/19/2014 02:19 PM, Martin Kosek wrote: >> On 06/19/2014 01:39 PM, Petr Viktorin wrote: >>> See commit message. >>> >>> This was found in the review of host write permissions (my patches >>> 0578-0579). >> >> Wouldn't it be better to filter based on objectclass? I.e.: >>

Re: [Freeipa-devel] Virtual operation ACIs (Was Re: 0578-0579 Convert Host default permissions to managed)

2014-06-19 Thread Rob Crittenden
Petr Viktorin wrote: > I'll address the other issues separately. > > On 06/18/2014 05:46 PM, Martin Kosek wrote: >> 3) I hit one issue when I open the Web UI host tab, I get >> "Insufficient access: >> No such virtual command" error triggered by "cert-show" command. >> >> We will need to add the p

Re: [Freeipa-devel] [PATCH] #3859: Better mechanism to retrieve keytabs

2014-06-17 Thread Rob Crittenden
Simo Sorce wrote: > On Tue, 2014-06-17 at 15:30 -0400, Rob Crittenden wrote: >> Simo Sorce wrote: >>> On Mon, 2014-06-16 at 09:53 +0200, Petr Viktorin wrote: >>>> On 06/13/2014 10:20 PM, Simo Sorce wrote: >>>> [...] >>>>> 2) and

Re: [Freeipa-devel] [PATCH] #3859: Better mechanism to retrieve keytabs

2014-06-17 Thread Rob Crittenden
Simo Sorce wrote: > On Mon, 2014-06-16 at 09:53 +0200, Petr Viktorin wrote: >> On 06/13/2014 10:20 PM, Simo Sorce wrote: >> [...] >>> 2) and I think this is a MUCH bigger issue, the Admin users are >>> unbounded and pass any Access Control Check and this means they can now >>> retrieve any key for

Re: [Freeipa-devel] User Life Cycle: enforce ipaUniqueID generation by the server

2014-06-17 Thread Rob Crittenden
Simo Sorce wrote: > On Tue, 2014-06-17 at 17:59 +0200, thierry bordaz wrote: >> * ipa stageuser-add --from-delete >> >> It moves a deleted entry to staging container where >> >> uidNumber: > previous active account> >> gidNumber:

Re: [Freeipa-devel] User Life Cycle: enforce ipaUniqueID generation by the server

2014-06-17 Thread Rob Crittenden
thierry bordaz wrote: > On 06/16/2014 03:04 PM, Rob Crittenden wrote: >> thierry bordaz wrote: >>> Hello, >>> >>> When a stage user is activate (ipa stageuse-activate), UUID plugin >>> (DS) checks that the ipaUniqueID value of the new active us

Re: [Freeipa-devel] [PATCHES] 267-294 Support multiple CA certificates in LDAP

2014-06-16 Thread Rob Crittenden
Rob Crittenden wrote: > Jan Cholasta wrote: >> Hi, >> >> the attached patches implement >> <https://fedorahosted.org/freeipa/ticket/3259> and >> <https://fedorahosted.org/freeipa/ticket/3520>. >> >> This work depends on my patches 241-25

Re: [Freeipa-devel] [PATCHES] 267-294 Support multiple CA certificates in LDAP

2014-06-16 Thread Rob Crittenden
Jan Cholasta wrote: > Hi, > > the attached patches implement > and > . > > This work depends on my patches 241-253 and 262-266 > (). >

Re: [Freeipa-devel] User Life Cycle: enforce ipaUniqueID generation by the server

2014-06-16 Thread Rob Crittenden
thierry bordaz wrote: > Hello, > > When a stage user is activated (ipa stageuse-activate), UUID plugin > (DS) checks that the ipaUniqueID value of the new active user is > 'autogenerate'. > This is useful to prevent provisioning systems from creating Active > users with invalid ip

Re: [Freeipa-devel] [PATCH] #3859: Better mechanism to retrieve keytabs

2014-06-13 Thread Rob Crittenden
Rob Crittenden wrote: > Simo Sorce wrote: >> On Wed, 2014-06-11 at 17:03 -0400, Rob Crittenden wrote: >>> 0001 >>> >>> When is_allowed_to_access_attr() fails it should include the value of >>> access in the error log for debugging. >> >> Ok

Re: [Freeipa-devel] [PATCH] #3859: Better mechanism to retrieve keytabs

2014-06-13 Thread Rob Crittenden
Simo Sorce wrote: > On Wed, 2014-06-11 at 17:03 -0400, Rob Crittenden wrote: >> 0001 >> >> When is_allowed_to_access_attr() fails it should include the value of >> access in the error log for debugging. > > Ok added more detailed logging > >> Nit:

Re: [Freeipa-devel] [PATCHES] 267-294 Support multiple CA certificates in LDAP

2014-06-13 Thread Rob Crittenden
Martin Kosek wrote: > On 06/13/2014 02:55 PM, Simo Sorce wrote: >> On Fri, 2014-06-13 at 09:05 +0200, Martin Kosek wrote: >>> On 06/12/2014 07:45 PM, Jan Cholasta wrote: >>> ... Note that automatic distribution of CA certificates to IPA systems is not implemented yet (it's planned for IPA

Re: [Freeipa-devel] [PATCH] #3859: Better mechanism to retrieve keytabs

2014-06-11 Thread Rob Crittenden
>>>>> On Mon, 2014-06-09 at 17:53 -0400, Nathaniel McCallum wrote: >>>>>> On Mon, 2014-06-09 at 15:02 -0400, Simo Sorce wrote: >>>>>>> On Mon, 2014-06-09 at 13:39 -0400, Rob Crittenden wrote: >>>>>>>> Simo Sorce wrote: >>>

Re: [Freeipa-devel] [PATCH] #3859: Better mechanism to retrieve keytabs

2014-06-09 Thread Rob Crittenden
Simo Sorce wrote: > This patch set is an initial implementation of ticket #3859 > > It seems to be working fine in my initial testing but I have not yet > tested all cases. > > However I wanted to throw it on the list to get some initial feedback > about the choices I made wrt access control and i

Re: [Freeipa-devel] joining rhel5 ipa clients to rhel 7 server failing caused by time offset.

2014-06-04 Thread Rob Crittenden
Michael Gregg wrote: > > I was trying to join my rhel 5 client to a rhel 7 domain, and getting > the following error: > > [root@oracle ~]# ipa-client-install -p admin -w -U > root: ERRORLDAP Error: Connect error: error:14090086:SSL > routines:SSL3_GET_SERVER_CERTIFICATE:certificate v

Re: [Freeipa-devel] Move replication topology to the shared tree

2014-06-02 Thread Rob Crittenden
Simo Sorce wrote: > First of all, very good summary, thanks a lot! > Replies in line. > > On Mon, 2014-06-02 at 10:46 +0200, Ludwig Krispenz wrote: >> Ticket 4302 is a request for an enhancement: Move replication topology >> to the shared tree >> >> >> There has been some discussion in comments i

Re: [Freeipa-devel] User life cycle: question regarding the design

2014-05-30 Thread Rob Crittenden
Dmitri Pal wrote: >>>>>> On 05/26/2014 01:49 AM, Martin Kosek wrote: >>>>>>> On 05/23/2014 04:55 PM, Simo Sorce wrote: >>>>>>>> On Fri, 2014-05-23 at 10:13 -0400, Rob Crittenden wrote: >>>>>>>>> Th

Re: [Freeipa-devel] [PATCHES] 0562-0563 Fix internal error when global policy is not readable

2014-05-30 Thread Rob Crittenden
Petr Viktorin wrote: > On 05/30/2014 11:02 AM, Petr Viktorin wrote: >> On 05/29/2014 07:13 PM, Rob Crittenden wrote: >>> Petr Viktorin wrote: >>>> When investigating this issue I became very annoyed by the star import >>>> hiding where na

Re: [Freeipa-devel] [PATCHES] 0562-0563 Fix internal error when global policy is not readable

2014-05-29 Thread Rob Crittenden
Petr Viktorin wrote: > When investigating this issue I became very annoyed by the star import > hiding where names come from, so I did some cleanup first. > > > In krbtpolicy, an ACIError is now raised if: > - the user doesn't have permission to read any one of the ticket policy > attributes on

Re: [Freeipa-devel] [PATCH] 6 - Dogtag DRM -IPA plugin

2014-05-29 Thread Rob Crittenden
Petr Viktorin wrote: > On 05/28/2014 08:48 AM, Fraser Tweedale wrote: >> On Tue, May 27, 2014 at 05:57:40PM -0400, Ade Lee wrote: >>> There have been a couple of changes in the Dogtag interface, that >>> require some changes in the IPA patches. Also, I had to add back a >>> function in order to re

Re: [Freeipa-devel] Supported Staged entries

2014-05-28 Thread Rob Crittenden
Simo Sorce wrote: > On Wed, 2014-05-28 at 15:56 +0200, Martin Kosek wrote: >> On 05/28/2014 02:48 PM, Simo Sorce wrote: >>> On Wed, 2014-05-28 at 09:38 +0200, thierry bordaz wrote: On 05/28/2014 08:22 AM, Martin Kosek wrote: > On 05/27/2014 08:18 PM, Simo Sorce wrote: >> On Tue, 2014-0

Re: [Freeipa-devel] Supported Staged entries

2014-05-28 Thread Rob Crittenden
Simo Sorce wrote: > On Wed, 2014-05-28 at 09:38 +0200, thierry bordaz wrote: >> On 05/28/2014 08:22 AM, Martin Kosek wrote: >>> On 05/27/2014 08:18 PM, Simo Sorce wrote: On Tue, 2014-05-27 at 21:14 +0300, Alexander Bokovoy wrote: > On Tue, 27 May 2014, Simo Sorce wrote: >> On Tue, 2014

Re: [Freeipa-devel] User life cycle: question regarding the design

2014-05-23 Thread Rob Crittenden
Martin Kosek wrote: > On 05/23/2014 07:48 AM, Jan Cholasta wrote: >> On 22.5.2014 19:27, Simo Sorce wrote: >>> On Thu, 2014-05-22 at 15:35 +0200, Martin Kosek wrote: On 05/21/2014 10:11 PM, Dmitri Pal wrote: > On 05/21/2014 03:06 PM, Martin Kosek wrote: >> On 05/21/2014 08:14 PM, Simo

Re: [Freeipa-devel] Understanding FreeIPA replica internals

2014-05-23 Thread Rob Crittenden
Dmitri Pal wrote: > On 05/23/2014 06:42 AM, Martin Kosek wrote: >> On 05/23/2014 07:01 AM, James wrote: >>> I'm trying to understand some of the FreeIPA replication internals so >>> that I can better know how to do this properly in Puppet without >>> storing any secret information in Puppet, and so

Re: [Freeipa-devel] [PATCHES] 241-253 CA certificate renewal

2014-05-20 Thread Rob Crittenden
Jan Cholasta wrote: > On 25.4.2014 10:51, Jan Cholasta wrote: >> On 24.4.2014 23:16, Rob Crittenden wrote: >>> Jan Cholasta wrote: >>>> On 10.4.2014 22:06, Rob Crittenden wrote: >>>>> Some in-line, a whole ton of data appended to end. >>>>

Re: [Freeipa-devel] FreeIPA on AWS EC2

2014-05-12 Thread Rob Crittenden
Dmitri Pal wrote: > On 05/09/2014 10:01 PM, daiEric wrote: >> hi >> Is there any solution to deploy FreeIpa on ubuntu linux? > > I thought we did a lot to make this happen and it is now possible but to > be fair I did not see any instructions and guidelines so I am not sure. AFAIK the server work

Re: [Freeipa-devel] [PATCH 0049] Add support for protected tokens

2014-05-08 Thread Rob Crittenden
Nathaniel McCallum wrote: On Thu, 2014-05-08 at 13:51 -0400, Simo Sorce wrote: On Thu, 2014-05-08 at 12:26 -0400, Nathaniel McCallum wrote: On Wed, 2014-05-07 at 11:17 -0400, Simo Sorce wrote: On Wed, 2014-05-07 at 09:54 -0400, Dmitri Pal wrote: On 05/07/2014 09:05 AM, Nathaniel McCallum wrot

Re: [Freeipa-devel] [PATCH] 1107 smartproxy cleanup

2014-05-08 Thread Rob Crittenden
Nathaniel McCallum wrote: On Thu, 2014-05-08 at 09:12 -0400, Rob Crittenden wrote: Rob Crittenden wrote: Rob Crittenden wrote: Remove some unused files, fix an import which means we don't need to import from ipaserver, fix up Requires so it should work better running on a different box

Re: [Freeipa-devel] [PATCH] 1107 smartproxy cleanup

2014-05-08 Thread Rob Crittenden
Rob Crittenden wrote: Rob Crittenden wrote: Remove some unused files, fix an import which means we don't need to import from ipaserver, fix up Requires so it should work better running on a different box than the IPA server. Found and fixed a couple more minor issues. Fix one more

Re: [Freeipa-devel] [PATCH] 1107 smartproxy cleanup

2014-05-07 Thread Rob Crittenden
Rob Crittenden wrote: Remove some unused files, fix an import which means we don't need to import from ipaserver, fix up Requires so it should work better running on a different box than the IPA server. Found and fixed a couple more minor issues. rob

[Freeipa-devel] [PATCH] 1107 smartproxy cleanup

2014-05-06 Thread Rob Crittenden
Remove some unused files, fix an import which means we don't need to import from ipaserver, fix up Requires so it should work better running on a different box than the IPA server. rob >From 9b04f60d3d0b0f2a28d1f88311e1aba815e188b9 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date

Re: [Freeipa-devel] bind DN of executing command

2014-05-05 Thread Rob Crittenden
Sumit Bose wrote: On Fri, May 02, 2014 at 05:06:06PM -0400, Nathaniel McCallum wrote: I need the DN of the user who is running the current command. This may be defined as the user who is bound or will bind to execute the LDAP commands I have prepared. Does anyone know how to do this in the Free

Re: [Freeipa-devel] [PATCH] 6 - Dogtag DRM -IPA plugin

2014-05-01 Thread Rob Crittenden
Ade Lee wrote: I have attached a patch that contains code for the new dogtag DRM plugin vault functionality. This patch should be applied on top of the ones used to install a DRM. Forthcoming is a patch to actually start using this plugin. All the imports should be at the top of the file. In

Re: [Freeipa-devel] [PATCHES] 0546-0547 Allow alternate "aci" keyword in ACIs

2014-05-01 Thread Rob Crittenden
Petr Viktorin wrote: On 04/30/2014 07:25 PM, Rob Crittenden wrote: Petr Viktorin wrote: Hello, The first patch adds "==" to ACI object to simplify comparisons. The second patch moves existing "tests" to the test suite. The third patch adds support for an alternate &

Re: [Freeipa-devel] [PATCHES] 0546-0547 Allow alternate "aci" keyword in ACIs

2014-04-30 Thread Rob Crittenden
Petr Viktorin wrote: Hello, The first patch adds "==" to ACI object to simplify comparisons. The second patch moves existing "tests" to the test suite. The third patch adds support for an alternate "aci" keyword that DS supports (but I couldn't get any documentation on it). Dogtag adds ACIs with

Re: [Freeipa-devel] [PATCH] 1106 IPA REST smart proxy

2014-04-29 Thread Rob Crittenden
Petr Viktorin wrote: On 04/23/2014 08:52 PM, Rob Crittenden wrote: Petr Viktorin wrote: On 04/09/2014 11:29 PM, Rob Crittenden wrote: Rob Crittenden wrote: Petr Viktorin wrote: On 03/14/2014 07:58 PM, Rob Crittenden wrote: Petr Viktorin wrote: On 03/12/2014 07:48 PM, Rob Crittenden wrote

Re: [Freeipa-devel] [PATCHES] 241-253 CA certificate renewal

2014-04-25 Thread Rob Crittenden
Petr Viktorin wrote: On 04/24/2014 11:16 PM, Rob Crittenden wrote: Jan Cholasta wrote: On 10.4.2014 22:06, Rob Crittenden wrote: Some in-line, a whole ton of data appended to end. Jan Cholasta wrote: On 7.4.2014 20:09, Rob Crittenden wrote: Rob Crittenden wrote: [...] $ ipa-cacert-manage

Re: [Freeipa-devel] [PATCHES] 241-253 CA certificate renewal

2014-04-24 Thread Rob Crittenden
Jan Cholasta wrote: On 10.4.2014 22:06, Rob Crittenden wrote: Some in-line, a whole ton of data appended to end. Jan Cholasta wrote: On 7.4.2014 20:09, Rob Crittenden wrote: Rob Crittenden wrote: 242 I wonder if it would be clearer to use variables instead of a raw list in the return

Re: [Freeipa-devel] [PATCH] 1106 IPA REST smart proxy

2014-04-23 Thread Rob Crittenden
Petr Viktorin wrote: On 04/09/2014 11:29 PM, Rob Crittenden wrote: Rob Crittenden wrote: Petr Viktorin wrote: On 03/14/2014 07:58 PM, Rob Crittenden wrote: Petr Viktorin wrote: On 03/12/2014 07:48 PM, Rob Crittenden wrote: [...] Here are a couple more enhancements I'm considering,

Re: [Freeipa-devel] [PATCH] Add DRM to IPA

2014-04-21 Thread Rob Crittenden
Wcj8rJ' returned non-zero exit status 1 Thanks, Ade On Tue, 2014-04-15 at 11:41 -0400, Rob Crittenden wrote: Ade Lee wrote: Attached a new patch to address some of the concerns below, specifically I created a new base class DogtagInstance, in which much of the common CA/KRA code is plac

Re: [Freeipa-devel] Client compatibility article

2014-04-21 Thread Rob Crittenden
Martin Kosek wrote: On 04/18/2014 01:40 PM, Petr Viktorin wrote: On 04/18/2014 01:29 PM, Martin Kosek wrote: On 04/18/2014 10:52 AM, Petr Viktorin wrote: On 04/18/2014 10:33 AM, Martin Kosek wrote: FYI - I saw numerous questions about "ipa" tool backward compatibility (the most recent is http

Re: [Freeipa-devel] Managed permission versioning

2014-04-21 Thread Rob Crittenden
Simo Sorce wrote: On Thu, 2014-04-17 at 18:25 -0400, Rob Crittenden wrote: Simo Sorce wrote: On Thu, 2014-04-17 at 15:00 -0400, Rob Crittenden wrote: Simo Sorce wrote: On Thu, 2014-04-17 at 15:48 +0200, Martin Kosek wrote: I would like to discuss more on the managed read permissions

Re: [Freeipa-devel] Managed permission versioning

2014-04-17 Thread Rob Crittenden
Simo Sorce wrote: On Thu, 2014-04-17 at 15:00 -0400, Rob Crittenden wrote: Simo Sorce wrote: On Thu, 2014-04-17 at 15:48 +0200, Martin Kosek wrote: I would like to discuss more on the managed read permissions upgrades [1]. Right now, we simply merge an old permission with the new one, making

Re: [Freeipa-devel] Managed permission versioning

2014-04-17 Thread Rob Crittenden
Simo Sorce wrote: On Thu, 2014-04-17 at 15:48 +0200, Martin Kosek wrote: I would like to discuss more on the managed read permissions upgrades [1]. Right now, we simply merge an old permission with the new one, making sure that we only add new attributes instead of just replacing them, to preven

Re: [Freeipa-devel] [PATCH] 12 Call generate-rndc-key.sh during ipa-server-install

2014-04-17 Thread Rob Crittenden
Misnyovszki Adam wrote: Hi, this patch modifies ipa-server-install to warn the user if there is a lack of entropy, and also runs generate-rndc-key.sh before named restart, to ensure that it can start before systemd times out. I think the exception should be logged in check_entropy() in case this

Re: [Freeipa-devel] [PATCH] 0528 Add managed read permission to automount

2014-04-16 Thread Rob Crittenden
Martin Kosek wrote: On 04/16/2014 02:14 PM, Petr Viktorin wrote: A single permission granting anonymous read access covers automountlocation, automountmap, and automountkey. This works fine, I am just wondering about the ACI: 1) Simo, are you OK with one ACI covering all automount objects? I

Re: [Freeipa-devel] [PATCH][RFC] 13 - Log pretty-printed request and response

2014-04-16 Thread Rob Crittenden
Misnyovszki Adam wrote: Hi, this patch enables logging json dumps of request and response, using the --log-payload switch in ipa cli. RFC tag is to ensure that I handled the --log-payload switch correctly in ipa cli. Be careful, it only logs, so --log-payload without -v switch doesn't make the du

Re: [Freeipa-devel] [PATCH] Add DRM to IPA

2014-04-15 Thread Rob Crittenden
Ade Lee wrote: Attached a new patch to address some of the concerns below, specifically I created a new base class DogtagInstance, in which much of the common CA/KRA code is placed. I'm sure we could go further in reducing duplication, and I'm open to further suggestions and refinements. I did

Re: [Freeipa-devel] [PATCHES] 241-253 CA certificate renewal

2014-04-10 Thread Rob Crittenden
Some in-line, a whole ton of data appended to end. Jan Cholasta wrote: On 7.4.2014 20:09, Rob Crittenden wrote: Rob Crittenden wrote: Jan Cholasta wrote: Hi, the attached patches implement automatic CA certificate renewal as well as the initial version of the CA certificate management tool

Re: [Freeipa-devel] [PATCH] 1106 IPA REST smart proxy

2014-04-09 Thread Rob Crittenden
Rob Crittenden wrote: Petr Viktorin wrote: On 03/14/2014 07:58 PM, Rob Crittenden wrote: Petr Viktorin wrote: On 03/12/2014 07:48 PM, Rob Crittenden wrote: [...] Here are a couple more enhancements I'm considering, this seems simpler than inter-diff since it is so small. Not r

Re: [Freeipa-devel] [PATCH] 1106 IPA REST smart proxy

2014-04-09 Thread Rob Crittenden
Petr Viktorin wrote: On 03/14/2014 07:58 PM, Rob Crittenden wrote: Petr Viktorin wrote: On 03/12/2014 07:48 PM, Rob Crittenden wrote: [...] Here are a couple more enhancements I'm considering, this seems simpler than inter-diff since it is so small. Not really. Having a patch file w

Re: [Freeipa-devel] Ipa-server-install Firewall Support

2014-04-08 Thread Rob Crittenden
reeipa.org/page/Feature_template So maybe something like http://www.freeipa.org/page/V4/Firewalld rob Thanks, Justin On Mon, Apr 7, 2014 at 6:51 PM, Dmitri Pal wrote: On 04/07/2014 09:00 AM, Rob Crittenden wrote: Simo Sorce wrote: On Fri, 2014-04-04 at 09:59 +0200, Petr Spacek wrote: On 4.4.2014 09:1

Re: [Freeipa-devel] [PATCH] Add DRM to IPA

2014-04-08 Thread Rob Crittenden
Martin Kosek wrote: On 04/07/2014 10:40 PM, Rob Crittenden wrote: Ade Lee wrote: This patch adds the capability of installing a Dogtag DRM to an IPA instance. With this patch, when ipa-server-install is run, a Dogtag CA and a Dogtag DRM are created. The DRM shares the

Re: [Freeipa-devel] Random Certificate Serial Numbers

2014-04-08 Thread Rob Crittenden
Dmitri Pal wrote: On 04/07/2014 03:48 AM, Martin Kosek wrote: Hi Rob, Ade and others, In the past, Rob was investigating enabling random certificate serial numbers for FreeIPA PKI [1]. We also have a ticket [2] planned to enable it for 4.0. Can we simply switch it on for PKI with pkispawn attr

Re: [Freeipa-devel] global account lockout

2014-04-07 Thread Rob Crittenden
, Simo Sorce wrote: On Mon, 2014-04-07 at 12:01 -0400, Simo Sorce wrote: On Mon, 2014-04-07 at 11:26 -0400, Rob Crittenden wrote: Ludwig Krispenz wrote: Hi, please review the following feature design. It introduces a global account lockout, while trying to keep the replication traffic minimal

Re: [Freeipa-devel] [PATCH] Add DRM to IPA

2014-04-07 Thread Rob Crittenden
Ade Lee wrote: This patch adds the capability of installing a Dogtag DRM to an IPA instance. With this patch, when ipa-server-install is run, a Dogtag CA and a Dogtag DRM are created. The DRM shares the same tomcat instance and DS instance as the Dogtag CA. Moreover, th

Re: [Freeipa-devel] [PATCH] Add DRM to IPA

2014-04-07 Thread Rob Crittenden
Dmitri Pal wrote: On 04/04/2014 02:50 PM, Ade Lee wrote: This patch adds the capability of installing a Dogtag DRM to an IPA instance. With this patch, when ipa-server-install is run, a Dogtag CA and a Dogtag DRM are created. The DRM shares the same tomcat instance and DS i

Re: [Freeipa-devel] [PATCHES] 241-253 CA certificate renewal

2014-04-07 Thread Rob Crittenden
Rob Crittenden wrote: Jan Cholasta wrote: Hi, the attached patches implement automatic CA certificate renewal as well as the initial version of the CA certificate management tool. Requires my patches 172-196. In order to test, you must install the current git version of certmonger (see <ht

Re: [Freeipa-devel] global account lockout

2014-04-07 Thread Rob Crittenden
Ludwig Krispenz wrote: Hi, please review the following feature design. It introduces a global account lockout, while trying to keep the replication traffic minimal. In my opinion for a real global account lockout the basic lockout attributes have to be replicated otherwise the benefit is minimal

Re: [Freeipa-devel] questions regarding ldap schema for pkcs11

2014-04-07 Thread Rob Crittenden
Simo Sorce wrote: On Fri, 2014-04-04 at 13:19 +0200, Petr Spacek wrote: On 4.4.2014 10:20, Ludwig Krispenz wrote: In the review discussion for the ldap schema for pkcs11 there was one topic, which we wanted to get the opinion from a broader audience before making a final decision. I'll add my

Re: [Freeipa-devel] Ipa-server-install Firewall Support

2014-04-07 Thread Rob Crittenden
Simo Sorce wrote: On Fri, 2014-04-04 at 09:59 +0200, Petr Spacek wrote: On 4.4.2014 09:17, Martin Kosek wrote: On 04/04/2014 09:04 AM, Justin Brown wrote: I would actually do it the opposite way and open the ports after the FreeIPA server is fully configured. After all, I do not think we want

Re: [Freeipa-devel] [PATCHES] 241-253 CA certificate renewal

2014-04-02 Thread Rob Crittenden
Jan Cholasta wrote: Hi, the attached patches implement automatic CA certificate renewal as well as the initial version of the CA certificate management tool. Requires my patches 172-196. In order to test, you must install the current git version of certmonger (see

Re: [Freeipa-devel] [PATCH] 468 Make ipa-client-automount backwards compatible

2014-04-01 Thread Rob Crittenden
Martin Kosek wrote: ipa-client-automount calls automountlocation-show command during the process. Unfortunately, FreeIPA commands are forward compatible only and thus fail the installer. Similarly to ipa-client-install, call XML-RPC interface directly with version fixed to 2.0 (command was alrea

Re: [Freeipa-devel] LDAP ACI testing

2014-03-31 Thread Rob Crittenden
Petr Spacek wrote: Hello list, thread "[Freeipa-devel] Read access to container entries" reminds me of an idea I have had in mind for a while: We could check effective ACIs [1] for interesting objects (Kerberos master key, trust objects etc.) and make sure that there is nothing like 'read by anonymous

Re: [Freeipa-devel] Talking json/rpc with java client

2014-03-20 Thread Rob Crittenden
Alexander Bokovoy wrote: On Thu, 20 Mar 2014, Massimiliano Perrone (tirasa.net) wrote: On 03/18/2014 05:26 PM, Alexander Bokovoy wrote: On Tue, 18 Mar 2014, Massimiliano Perrone (example.com) wrote: The difference between the two calls is on the last TGS_REQ; because the first one is on ldap/o

Re: [Freeipa-devel] Use of NetworkManager - to disable or not disable

2014-03-18 Thread Rob Crittenden
Gabe Alford wrote: All, Looking at https://fedorahosted.org/freeipa/ticket/4156, I wanted to see if disabling NetworkManager is still required or not. I could see in some environments admins may disable it so having it in the docs wouldn't be a bad idea IMHO. Thoughts? Gabe
