Re: [Freeipa-devel] [PATCH] 48 Document the --rights output format

2011-02-17 Thread Rob Crittenden
Jan Zelený wrote: https://fedorahosted.org/freeipa/ticket/563 https://fedorahosted.org/freeipa/ticket/588 Jan This is a good start, I think we need to include some guidance on why this exists and why it exists where it does. It exists so a user interface can know in advance what the

Re: [Freeipa-devel] [PATCH] 49 Fixed user-add help

2011-02-17 Thread Rob Crittenden
Martin Kosek wrote: On Thu, 2011-02-17 at 08:55 -0500, Jan Zeleny wrote: Sending updated patch Jan - Original Message - From: Jan Zelenýjzel...@redhat.com To: freeipa-devel@redhat.com Sent: Thursday, February 17, 2011 1:29:28 PM Subject: [Freeipa-devel] [PATCH] 49 Fixed user-add help

[Freeipa-devel] [PATCH] 729 special handling for nsaccountlock

2011-02-17 Thread Rob Crittenden
nsaccountlock doesn't have a visible Param but we want to do some basic validation to be sure garbage doesn't get in there so do it in the pre_callback of add and mod. ticket 968 rob freeipa-rcrit-729-nsaccountlock.patch Description: application/mbox

[Freeipa-devel] [PATCH] 729 managed netgroups immutable

2011-02-17 Thread Rob Crittenden
Make managed netgroups (those created as a result of creating a hostgroup) should be immutable. This aci will deny writes to a managed netgroup. ticket 962 rob From 3032abc7900b619a8dde5219d8b0c53cf667e865 Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Thu, 17 Feb

[Freeipa-devel] [PATCH] 731 configure sssd w/failover

2011-02-17 Thread Rob Crittenden
Configure SSSD to look in DNS for the IPA servers first, then fall back to the server we configured against. ticket 980 rob From 3b47206b22417dad843bac1934b7cfd4b1ba15e4 Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Thu, 17 Feb 2011 15:19:24 -0500 Subject: [PATCH

Re: [Freeipa-devel] [PATCH] 48 Document the --rights output format

2011-02-17 Thread Rob Crittenden
Jan Zelený wrote: Rob Crittendenrcrit...@redhat.com wrote: Jan Zelený wrote: https://fedorahosted.org/freeipa/ticket/563 https://fedorahosted.org/freeipa/ticket/588 Jan This is a good start, I think we need to include some guidance on why this exists and why it exists where it does. It

Re: [Freeipa-devel] [PATCH] 47 Validate that the reverse DNS record is correct

2011-02-17 Thread Rob Crittenden
Adam Tkac wrote: On Wed, Feb 16, 2011 at 05:26:55PM +0100, Jan Zeleny wrote: Adam Tkacat...@redhat.com wrote: On Wed, Feb 16, 2011 at 10:53:14AM +0100, Jan Zelený wrote: This patch ensures that PTR records added by FreeIPA are compliant with RFC. Nack. In my opinion the

Re: [Freeipa-devel] Localization patches.

2011-02-17 Thread Rob Crittenden
Pavel Zůna wrote: On 2011-02-17 05:09, Rob Crittenden wrote: Pavel Zůna wrote: My efforts in fixing localization all around the framework and preparing it for localizing docstrings have resulted in a lot of patches. Because I understand they have become a bit hard to track, I decided to post

Re: [Freeipa-devel] [PATCH] 729 special handling for nsaccountlock

2011-02-17 Thread Rob Crittenden
Jakub Hrozek wrote: On Thu, Feb 17, 2011 at 12:01:05PM -0500, Rob Crittenden wrote: nsaccountlock doesn't have a visible Param but we want to do some basic validation to be sure garbage doesn't get in there so do it in the pre_callback of add and mod. ticket 968 rob Ack pushed to master

Re: [Freeipa-devel] [PATCH] 730 managed netgroups immutable

2011-02-17 Thread Rob Crittenden
JR Aquino wrote: On 2/17/11 11:02 AM, Rob Crittendenrcrit...@redhat.com wrote: Make managed netgroups (those created as a result of creating a hostgroup) should be immutable. This aci will deny writes to a managed netgroup. ticket 962 rob

Re: [Freeipa-devel] [PATCH] 731 configure sssd w/failover

2011-02-17 Thread Rob Crittenden
Jakub Hrozek wrote: On Thu, Feb 17, 2011 at 03:23:18PM -0500, Rob Crittenden wrote: Configure SSSD to look in DNS for the IPA servers first, then fall back to the server we configured against. ticket 980 rob Works fine (tested both service discovery and failover), ack pushed to master

Re: [Freeipa-devel] [PATCH] 060 Raise NotImplementedError for selfsigned cert-remove-hold

2011-02-17 Thread Rob Crittenden
Jakub Hrozek wrote: To test, try running ipa cert-remove-hold 11 with a selfsigned install ack, pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0085 Register client into DNS on install

2011-02-17 Thread Rob Crittenden
Simo Sorce wrote: On Thu, 17 Feb 2011 11:53:52 -0500 Simo Sorcesso...@redhat.com wrote: On Thu, 17 Feb 2011 11:34:30 -0500 Simo Sorcesso...@redhat.com wrote: If DNS Updates are available then try to register the ip address as determined by connecting to the ipa server. This allows also

[Freeipa-devel] [PATCH] 732 don't ignore nss_shutdown errors

2011-02-17 Thread Rob Crittenden
that enables replication. This happens using an SSL connection to the server. I'm thinking this is some interaction the openldap NSS connection. The fix is to use an ldapi connection instead. ticket 965 rob From 02c91465d361c88cc901e5f97e0c9ef1f1e4656e Mon Sep 17 00:00:00 2001 From: Rob

Re: [Freeipa-devel] [PATCH] Fixed in ipa-server-install help and man page

2011-02-18 Thread Rob Crittenden
David O'Brien wrote: Jan Zelený wrote: Rob Crittenden rcrit...@redhat.com wrote: Jan Zelený wrote: https://fedorahosted.org/freeipa/ticket/831 Jan I think I'd like David's take on this, but my initial reaction is I'd prefer the word maximum to maximal. rob The second patch

Re: [Freeipa-devel] [PATCH] 732 don't ignore nss_shutdown errors

2011-02-18 Thread Rob Crittenden
Jakub Hrozek wrote: On 02/18/2011 05:19 AM, Rob Crittenden wrote: Right before rc1 I discovered a problem in ipa-replica-prepare. It was crashing when trying to generate the SSL certificates. The first time it failed on nss_shutdown() claiming

Re: [Freeipa-devel] [PATCH] Reset target DN when generated UUID is used as RDN

2011-02-18 Thread Rob Crittenden
Nathan Kinder wrote: Works for me, I thought I acked this last night. I guess not so ACK. pushed to master. rob

Re: [Freeipa-devel] [PATCH 22/22] Update Polish Ukrainian translations

2011-02-18 Thread Rob Crittenden
John Dennis wrote: pushed to master

Re: [Freeipa-devel] [PATCH] 059 Use unicode parameters in the host plugin

2011-02-18 Thread Rob Crittenden
Jakub Hrozek wrote: On Thu, Feb 17, 2011 at 11:30:03AM +0100, Jan Zelený wrote: Better, thanks. I'd also like to change the code which is using this function, so the conversion doesn't take place twice. I think it's safe. The documentation on unicode() says: --- More precisely, if object is

Re: [Freeipa-devel] [PATCH] 19 Cleanup for netgroup search

2011-02-18 Thread Rob Crittenden
Jan Zeleny wrote: JR Aquinojr.aqu...@citrix.com wrote: On 2/17/11 3:23 AM, Jan Zelenýjzel...@redhat.com wrote: JR Aquinojr.aqu...@citrix.com wrote: This patch fixes the netgroup plugin's behavior of adding duplicate entries when the managed entry plugin creates a netgroup with a

Re: [Freeipa-devel] [PATCH] 733 add exit code info to ipa man page

2011-02-18 Thread Rob Crittenden
Jakub Hrozek wrote: On Fri, Feb 18, 2011 at 11:11:25AM -0500, Rob Crittenden wrote: Add exit code info to the ipa command man page. The tool I use, manedit, also escaped all dashes. Seems benign so I left it. Yep, renders OK. ticket 803 rob Ack pushed to master

Re: [Freeipa-devel] [PATCH] 730 managed netgroups immutable

2011-02-18 Thread Rob Crittenden
JR Aquino wrote: On 2/17/11 2:20 PM, Rob Crittendenrcrit...@redhat.com wrote: JR Aquino wrote: On 2/17/11 11:02 AM, Rob Crittendenrcrit...@redhat.com wrote: Make managed netgroups (those created as a result of creating a hostgroup) should be immutable. This aci will deny writes to a

Re: [Freeipa-devel] [PATCH] 063 Better doc for idnssoaminimum, minimum parameter values

2011-02-18 Thread Rob Crittenden
Jakub Hrozek wrote: The doc= value was misleading. The minimum value in SOA record defines how long should NXDOMAIN responses be cached. As per RFC 2308, the maximum allowed value should be 3 hours. Also, many parameters allowed negative values

[Freeipa-devel] [PATCH] 734 Add handling for indirect memberof other entries.

2011-02-19 Thread Rob Crittenden
This creates a new custom attribute, memberofindirect_[plugin]. Using this you can tell the difference between being an actual memberof another entry and being a memberof as the result of inheritance. This is particularly useful when trying to remove members of an entry, you can only remove

Re: [Freeipa-devel] [PATCH] 734 Add handling for indirect memberof other entries.

2011-02-21 Thread Rob Crittenden
Simo Sorce wrote: On Mon, 21 Feb 2011 11:56:39 +0100 Jakub Hrozekjhro...@redhat.com wrote: On Sat, Feb 19, 2011 at 11:47:45PM -0500, Rob Crittenden wrote: I had to add a couple of short sleep calls to make things work a little better. The memberof plugin runs as a postop and we have no way

Re: [Freeipa-devel] [PATCH] 734 Add handling for indirect memberof other entries.

2011-02-21 Thread Rob Crittenden
Jakub Hrozek wrote: On Sat, Feb 19, 2011 at 11:47:45PM -0500, Rob Crittenden wrote: This creates a new custom attribute, memberofindirect_[plugin]. Using this you can tell the difference between being an actual memberof another entry and being a memberof as the result of inheritance

Re: [Freeipa-devel] [PATCH] 734 Add handling for indirect memberof other entries.

2011-02-21 Thread Rob Crittenden
Dmitri Pal wrote: On 02/21/2011 08:52 AM, Rob Crittenden wrote: Simo Sorce wrote: On Mon, 21 Feb 2011 11:56:39 +0100 Jakub Hrozekjhro...@redhat.com wrote: On Sat, Feb 19, 2011 at 11:47:45PM -0500, Rob Crittenden wrote: I had to add a couple of short sleep calls to make things work

Re: [Freeipa-devel] [PATCH] 734 Add handling for indirect memberof other entries.

2011-02-21 Thread Rob Crittenden
Rob Crittenden wrote: Jakub Hrozek wrote: On Sat, Feb 19, 2011 at 11:47:45PM -0500, Rob Crittenden wrote: This creates a new custom attribute, memberofindirect_[plugin]. Using this you can tell the difference between being an actual memberof another entry and being a memberof as the result

Re: [Freeipa-devel] [PATCH] 728 default roles

2011-02-21 Thread Rob Crittenden
Rob Crittenden wrote: Jakub Hrozek wrote: On 02/17/2011 04:35 AM, Rob Crittenden wrote: Add default roles and permissions for HBAC, SUDO and pw policy Created some default roles as examples. In doing so I realized that we were completely missing

[Freeipa-devel] [PATCH] 735 configure krb5_realm in sssd ipa provider

2011-02-21 Thread Rob Crittenden
Set krb5_realm in sssd.conf in the ipa provider. ticket 925 rob freeipa-rcrit-735-sssd.patch Description: application/mbox

Re: [Freeipa-devel] [PATCH] 728 default roles

2011-02-21 Thread Rob Crittenden
Jakub Hrozek wrote: On Mon, Feb 21, 2011 at 10:11:38AM -0500, Rob Crittenden wrote: Rob Crittenden wrote: Jakub Hrozek wrote: On 02/17/2011 04:35 AM, Rob Crittenden wrote: Add default roles and permissions for HBAC, SUDO and pw policy Created

Re: [Freeipa-devel] [PATCH] 734 Add handling for indirect memberof other entries.

2011-02-21 Thread Rob Crittenden
Jakub Hrozek wrote: On Mon, Feb 21, 2011 at 09:44:49AM -0500, Rob Crittenden wrote: Rob Crittenden wrote: Jakub Hrozek wrote: On Sat, Feb 19, 2011 at 11:47:45PM -0500, Rob Crittenden wrote: This creates a new custom attribute, memberofindirect_[plugin]. Using this you can tell the difference

Re: [Freeipa-devel] [PATCH] 735 configure krb5_realm in sssd ipa provider

2011-02-21 Thread Rob Crittenden
Jakub Hrozek wrote: On Mon, Feb 21, 2011 at 10:27:26AM -0500, Rob Crittenden wrote: Set krb5_realm in sssd.conf in the ipa provider. ticket 925 rob This works fine, so Ack. One question, though, why don't we add the realm only if ipa_domain.upper() != krb5_realm? It would make the config

[Freeipa-devel] [PATCH] 736 hard limit for # of batch requests

2011-02-21 Thread Rob Crittenden
Set a hard limit of 256 for the # of commands in a batch request we'll handle. ticket 984 rob freeipa-rcrit-736-limit.patch Description: application/mbox

Re: [Freeipa-devel] [PATCH] 064 Document --enable-dns-updates in ipa-client-install man page

2011-02-21 Thread Rob Crittenden
Jakub Hrozek wrote: https://fedorahosted.org/freeipa/ticket/991 ack, pushed to master

[Freeipa-devel] [PATCH] 737 move BuildRequires

2011-02-21 Thread Rob Crittenden
Move some BuildRequires so building with ONLY_CLIENT works. I tested with: $ mock -r fedora-14-x86_64 --define='ONLY_CLIENT 1' ./dist/srpms/freeipa-2.0.0GIT055a668-0.fc14.src.rpm rob freeipa-rcrit-737-spec.patch Description: application/mbox

Re: [Freeipa-devel] [PATCH] 061 Validate NAPTR records

2011-02-21 Thread Rob Crittenden
Jakub Hrozek wrote: I'm not sure about checking the flags - this might be a little too much validation. https://fedorahosted.org/freeipa/ticket/840 I think the flags length check needs to change. I would do this instead: flags =

Re: [Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install

2011-02-21 Thread Rob Crittenden
JR Aquino wrote: On 2/17/11 9:46 AM, Jan Zelenyjzel...@redhat.com wrote: JR Aquinojr.aqu...@citrix.com wrote: Lets try now. Attached is the corrected patch. There were several spots in ipa-client-install where the server could be defined and it was getting missed. I have omitted any change

Re: [Freeipa-devel] [PATCH] Don't load the LDAP schema during startup

2011-02-21 Thread Rob Crittenden
Jan Zelený wrote: Loading of the schema is now performed in the first request that requires it. https://fedorahosted.org/freeipa/ticket/583 Jan We still need to enforce that we get the schema, some low-level functions depend on it. Also, if the UI doesn't get its aciattrs (which are

Re: [Freeipa-devel] [PATCH] 049 Make nsslib IPv6 aware

2011-02-21 Thread Rob Crittenden
Jakub Hrozek wrote: On Thu, Feb 17, 2011 at 08:25:37PM +0100, Jakub Hrozek wrote: On Wed, Feb 09, 2011 at 10:23:27AM +0100, Jan Zelený wrote: Jakub Hrozekjhro...@redhat.com wrote: On Thu, Feb 03, 2011 at 02:23:11PM +0100, Jan Zelený wrote: Jakub Hrozekjhro...@redhat.com wrote: Hi,

[Freeipa-devel] [PATCH] 738 default.conf man page

2011-02-21 Thread Rob Crittenden
Add a man page for the IPA configuration file default.conf. ticket 969 rob freeipa-rcrit-738-man.patch Description: application/mbox

Re: [Freeipa-devel] [PATCH] 737 move BuildRequires

2011-02-22 Thread Rob Crittenden
Jan Zelený wrote: Jakub Hrozekjhro...@redhat.com wrote: On Tue, Feb 22, 2011 at 11:21:41AM +0100, Jakub Hrozek wrote: Note the %else. Sorry, %endif. That separates BRs for !ONLY_CLIENT from those that are needed in both cases. Yes I noticed that and I understand that part. I meant the

Re: [Freeipa-devel] [PATCH] 735 configure krb5_realm in sssd ipa provider

2011-02-22 Thread Rob Crittenden
Jakub Hrozek wrote: On Mon, Feb 21, 2011 at 11:30:04AM -0500, Rob Crittenden wrote: Jakub Hrozek wrote: On Mon, Feb 21, 2011 at 10:27:26AM -0500, Rob Crittenden wrote: Set krb5_realm in sssd.conf in the ipa provider. ticket 925 rob This works fine, so Ack. One question, though, why don't

Re: [Freeipa-devel] [PATCH] 737 move BuildRequires

2011-02-22 Thread Rob Crittenden
Jan Zeleny wrote: Rob Crittendenrcrit...@redhat.com wrote: Move some BuildRequires so building with ONLY_CLIENT works. I tested with: $ mock -r fedora-14-x86_64 --define='ONLY_CLIENT 1' ./dist/srpms/freeipa-2.0.0GIT055a668-0.fc14.src.rpm rob I'm a little confused. Some of the lines are

Re: [Freeipa-devel] [PATCH] 736 hard limit for # of batch requests

2011-02-22 Thread Rob Crittenden
Martin Kosek wrote: On Mon, 2011-02-21 at 11:48 -0500, Rob Crittenden wrote: Set a hard limit of 256 for the # of commands in a batch request we'll handle. ticket 984 rob ACK. Works for me. Tested by custom JSON command via curl. Martin pushed to master

Re: [Freeipa-devel] [PATCH] 061 Validate NAPTR records

2011-02-22 Thread Rob Crittenden
Jakub Hrozek wrote: On Mon, Feb 21, 2011 at 01:18:07PM -0500, Rob Crittenden wrote: Jakub Hrozek wrote: I'm not sure about checking the flags - this might be a little too much validation. https://fedorahosted.org/freeipa/ticket/840 I think

Re: [Freeipa-devel] [PATCH] 738 default.conf man page

2011-02-22 Thread Rob Crittenden
David O'Brien wrote: Rob Crittenden wrote: Add a man page for the IPA configuration file default.conf. ticket 969 rob NACK A few too many typos and other errors. Spaces between the equals sign are ignored. Do you mean, Spaces surrounding equals signs are ignored.? +Specifies the base DN

Re: [Freeipa-devel] [PATCH] 728 default roles

2011-02-22 Thread Rob Crittenden
Martin Kosek wrote: On Tue, 2011-02-22 at 13:14 +0100, Jan Zelený wrote: Rob Crittendenrcrit...@redhat.com wrote: Jakub Hrozek wrote: On Mon, Feb 21, 2011 at 10:11:38AM -0500, Rob Crittenden wrote: Rob Crittenden wrote: Jakub Hrozek wrote:

Re: [Freeipa-devel] [PATCH] 728 default roles

2011-02-22 Thread Rob Crittenden
Martin Kosek wrote: On Tue, 2011-02-22 at 09:22 -0500, Rob Crittenden wrote: Martin Kosek wrote: On Tue, 2011-02-22 at 13:14 +0100, Jan Zelený wrote: Rob Crittendenrcrit...@redhat.com wrote: Jakub Hrozek wrote: On Mon, Feb 21, 2011 at 10:11:38AM -0500, Rob Crittenden wrote: Rob

Re: [Freeipa-devel] [PATCH] 034 Entitlements ACIs not visible to Permission plugin

2011-02-22 Thread Rob Crittenden
Martin Kosek wrote: This patch fixes Entitlements privileges and ACIs. There were missing descriptions or the ACIs could not be processed by Permission plugin because of missing prefix. https://fedorahosted.org/freeipa/ticket/997 ack, pushed to master

[Freeipa-devel] [PATCH] 739 update permission help text

2011-02-22 Thread Rob Crittenden
Based on feedback from David here is a hopefully clearer description of permissions. ticket 996 rob freeipa-rcrit-739-permission.patch Description: application/mbox

Re: [Freeipa-devel] Localization patches.

2011-02-22 Thread Rob Crittenden
Pavel Zůna wrote: On 2011-02-17 22:52, Rob Crittenden wrote: Pavel Zůna wrote: On 2011-02-17 05:09, Rob Crittenden wrote: Pavel Zůna wrote: My efforts in fixing localization all around the framework and preparing it for localizing docstrings have resulted in a lot of patches. Because I

Re: [Freeipa-devel] [PATCH] Don't load the LDAP schema during startup

2011-02-22 Thread Rob Crittenden
Jan Zelený wrote: Rob Crittendenrcrit...@redhat.com wrote: Jan Zelený wrote: Loading of the schema is now performed in the first request that requires it. https://fedorahosted.org/freeipa/ticket/583 Jan We still need to enforce that we get the schema, some low-level functions depend on

Re: [Freeipa-devel] [PATCH] 739 update permission help text

2011-02-22 Thread Rob Crittenden
Jakub Hrozek wrote: On Tue, Feb 22, 2011 at 01:38:11PM -0500, Rob Crittenden wrote: Based on feedback from David here is a hopefully clearer description of permissions. ticket 996 rob I think you sent a wrong patch, this is the default.conf manpage one. D'oh, here you go. rob freeipa

Re: [Freeipa-devel] [PATCH] 739 update permission help text

2011-02-22 Thread Rob Crittenden
Jakub Hrozek wrote: On Tue, Feb 22, 2011 at 03:24:01PM -0500, Rob Crittenden wrote: Jakub Hrozek wrote: On Tue, Feb 22, 2011 at 01:38:11PM -0500, Rob Crittenden wrote: Based on feedback from David here is a hopefully clearer description of permissions. ticket 996 rob I think you sent

Re: [Freeipa-devel] [PATCH] 739 update permission help text

2011-02-23 Thread Rob Crittenden
David O'Brien wrote: Rob Crittenden wrote: Jakub Hrozek wrote: On Tue, Feb 22, 2011 at 03:24:01PM -0500, Rob Crittenden wrote: Jakub Hrozek wrote: On Tue, Feb 22, 2011 at 01:38:11PM -0500, Rob Crittenden wrote: Based on feedback from David here is a hopefully clearer description

Re: [Freeipa-devel] [PATCH] 738 default.conf man page

2011-02-23 Thread Rob Crittenden
David O'Brien wrote: Rob Crittenden wrote: David O'Brien wrote: Rob Crittenden wrote: Add a man page for the IPA configuration file default.conf. ticket 969 rob NACK A few too many typos and other errors. Spaces between the equals sign are ignored. Do you mean, Spaces surrounding

[Freeipa-devel] [PATCH] 741 fix sudocmd membership

2011-02-23 Thread Rob Crittenden
We weren't searching the cn=sudo container so all members of a sudocmdgroup looked indirect. Add a label for sudo command groups. Update the tests to include verifying that membership is done properly. ticket 1003 rob freeipa-rcrit-741-sudocmd.patch Description: application/mbox

Re: [Freeipa-devel] [PATCH] 742 Sudo command groups are not supposed to allow nesting

2011-02-23 Thread Rob Crittenden
Rob Crittenden wrote: It was a design decision to now allow nesting sudo command groups, remove it. ticket 1004 rob Updated patch attached. This is going to require an API change. rob freeipa-rcrit-742-2-sudocmdgroup.patch Description: application/mbox

[Freeipa-devel] [PATCH] 743 add SuitespotGroup to ds install

2011-02-24 Thread Rob Crittenden
We should have been doing this all along but with 389-ds-base-1.2.8.a3 we need to supply the SuitespotGroup directive in the installation template. The 389-ds instance installation will fail otherwise, being unable to write to /var/run/dirsrv. ticket 1010 rob

Re: [Freeipa-devel] [PATCH] 0087 Fix winsync agreements setup

2011-02-28 Thread Rob Crittenden
Simo Sorce wrote: Setting up a winsync agreement was broken. This patch fixes the code to allow setting up a winsync agreement that requires access to a non-IPA ldap server. Simo. This changes the side we initiate the replication startup on. I don't know a ton about the internals of 389-ds

Re: [Freeipa-devel] [PATCH] 0087 Fix winsync agreements setup

2011-02-28 Thread Rob Crittenden
Simo Sorce wrote: On Mon, 28 Feb 2011 10:49:29 -0500 Rob Crittendenrcrit...@redhat.com wrote: Simo Sorce wrote: Setting up a winsync agreement was broken. This patch fixes the code to allow setting up a winsync agreement that requires access to a non-IPA ldap server. Simo. This changes

[Freeipa-devel] [PATCH] 744 use Sudo rather than SUDO

2011-02-28 Thread Rob Crittenden
Use Sudo instead of SUDO in labels, descriptions, etc. ticket 1005 rob freeipa-rcrit-744-sudo.patch Description: application/mbox

[Freeipa-devel] Announcing FreeIPA v2 Server Release Candidate 2 Release

2011-02-28 Thread Rob Crittenden
To all freeipa-interest, freeipa-users and freeipa-devel list members, The FreeIPA project team is pleased to announce the availability of the Release Candidate 2 release of freeIPA 2.0 server [1]. * Binaries are available for F-14 and F-15 [2]. * Please do not hesitate to share feedback,

Re: [Freeipa-devel] [PATCH] 0087 Fix winsync agreements setup

2011-02-28 Thread Rob Crittenden
Simo Sorce wrote: On Mon, 28 Feb 2011 11:18:45 -0500 Rob Crittendenrcrit...@redhat.com wrote: Simo Sorce wrote: On Mon, 28 Feb 2011 10:49:29 -0500 Rob Crittendenrcrit...@redhat.com wrote: Simo Sorce wrote: Setting up a winsync agreement was broken. This patch fixes the code to allow

Re: [Freeipa-devel] [PATCH] 0092 Fix replica management with krb credentials

2011-02-28 Thread Rob Crittenden
Simo Sorce wrote: If no bind password is provided it is not possible to create the basic replication user. Creating this user is not necessary for winsync agreements or to create new replica connections that use gssapi auth so make it optional if krb credentials are used. Simo. ack

Re: [Freeipa-devel] [PATCH] 0086 add loginShell to winsynced users

2011-02-28 Thread Rob Crittenden
Rich Megginson wrote: On 02/18/2011 03:10 PM, Simo Sorce wrote: Fixes #266 I haven't been able to test this as the Windows machine we have available decided to not behave today. I may try again next week assuming I have time. ack Second ack. I tested the patch and it worked fine. rob

Re: [Freeipa-devel] Localization patches.

2011-03-01 Thread Rob Crittenden
Rob Crittenden wrote: Pavel Zuna wrote: On 02/23/2011 07:09 PM, Pavel Zůna wrote: On 2011-02-22 20:16, Rob Crittenden wrote: Pavel Zůna wrote: On 2011-02-17 22:52, Rob Crittenden wrote: Pavel Zůna wrote: On 2011-02-17 05:09, Rob Crittenden wrote: Pavel Zůna wrote: My efforts in fixing

Re: [Freeipa-devel] [PATCH] 744 use Sudo rather than SUDO

2011-03-01 Thread Rob Crittenden
Adam Young wrote: On 02/28/2011 03:28 PM, Endi Sukma Dewata wrote: On 2/28/2011 12:51 PM, Endi Sukma Dewata wrote: On 2/28/2011 10:47 AM, Rob Crittenden wrote: Use Sudo instead of SUDO in labels, descriptions, etc. ticket 1005 rob This patch is ACKed. The capitalization is now

Re: [Freeipa-devel] [PATCH] 744 use Sudo rather than SUDO

2011-03-01 Thread Rob Crittenden
Endi Sukma Dewata wrote: On 2/28/2011 10:47 AM, Rob Crittenden wrote: Use Sudo instead of SUDO in labels, descriptions, etc. ticket 1005 rob This patch is ACKed. The capitalization is now consistent in the CLI. However, the UI capitalizes the labels in the action panel and the title

Re: [Freeipa-devel] [PATCH] Revert-Set-hard-limit-on-number-of-commands-in-batch

2011-03-01 Thread Rob Crittenden
Adam Young wrote: I have not tested this, just ran: git revert 79d22f8341026450ba7ca564e24812c9351c7e70 Please test before ACKing. I will test as well now. ack

Re: [Freeipa-devel] [PATCH] 0094 Make it possible to list also winsync replicas

2011-03-02 Thread Rob Crittenden
Simo Sorce wrote: This patch registers winsync replica in the public tree with enough information to know which master is handling the agreement. Now when listing replicas, the type is also returned and winsync agreements are listed. When listing a specific server with --verbose, in case of a

Re: [Freeipa-devel] [PATCH] 0094 Make it possible to list also winsync replicas

2011-03-02 Thread Rob Crittenden
Rob Crittenden wrote: Simo Sorce wrote: This patch registers winsync replica in the public tree with enough information to know which master is handling the agreement. Now when listing replicas, the type is also returned and winsync agreements are listed. When listing a specific server

Re: [Freeipa-devel] [PATCH] Use pygettext to generate translatable strings from plugin files.

2011-03-02 Thread Rob Crittenden
Jakub Hrozek wrote: On Mon, Feb 21, 2011 at 04:12:31PM +0100, Pavel Zůna wrote: This goes on top of my other localization patches! This patch replaces xgettext with a custom pygettext to generate translatable strings from plugin files in ipalib/plugins. pygettext was modified to handle plural

[Freeipa-devel] [PATCH] 745 restart dogtag DS instance after install

2011-03-02 Thread Rob Crittenden
The dogtag team tells me we should restart their LDAP backend right after installation. In some configurations not doing this can cause problems (using the CA as we do isn't one of the known cases but better safe than sorry). To do this we bring down dogtag, restart 389-ds, then bring dogtag

Re: [Freeipa-devel] [PATCH] 035 IPA replica/server install does not check for a client

2011-03-03 Thread Rob Crittenden
Martin Kosek wrote: When IPA replica or server is configured it does not check for possibly installed client. This will cause the installation to fail in the very end. This patch adds a check for already configured client and suggests removing it before server/replica installation.

Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.

2011-03-03 Thread Rob Crittenden
Martin Kosek wrote: On Thu, 2011-03-03 at 15:29 +0100, Martin Kosek wrote: On Mon, 2011-02-28 at 18:15 +, JR Aquino wrote: On 2/25/11 9:27 AM, Pavel Zůnapz...@redhat.com wrote: On 2011-02-25 18:12, JR Aquino wrote: On 2/25/11 5:58 AM, Pavel Zunapz...@redhat.com wrote: On

[Freeipa-devel] [PATCH] 747 don't check DNS for sanity if we're installing DNS

2011-03-03 Thread Rob Crittenden
Skip the DNS checks during installation if we're configuring IPA as a DNS server. ticket 1036 rob freeipa-rcrit-747-install.patch Description: application/mbox

Re: [Freeipa-devel] [PATCH] 747 don't check DNS for sanity if we're installing DNS

2011-03-04 Thread Rob Crittenden
Simo Sorce wrote: On Thu, 03 Mar 2011 16:11:24 -0500 Rob Crittendenrcrit...@redhat.com wrote: Skip the DNS checks during installation if we're configuring IPA as a DNS server. ticket 1036 ACK Simo. pushed to master

Re: [Freeipa-devel] [PATCH] 746 style and grammatical issues in help

2011-03-04 Thread Rob Crittenden
David O'Brien wrote: Rob Crittenden wrote: Fix style and grammatical issues in built-in command help. There is a rather large API.txt change but it is only due to changes in the doc string in parameters. ticket 729 rob Couple of picks: --maxusername=INT Max. username length when creating

Re: [Freeipa-devel] [PATCH] 118 Fixed host enrollment time

2011-03-04 Thread Rob Crittenden
Endi Sukma Dewata wrote: The month in krblastpwdchange (LDAP Generalized Time) is 1-based but the month in JavaScript Date.setUTCFullYear() is 0-based so it needs a conversion. Ticket 1053 ack, pushed to master

[Freeipa-devel] [PATCH] 748 always stop tracking cert on client uninstall

2011-03-04 Thread Rob Crittenden
certmonger stop_tracking() is robust enough to do the right thing if no certificate exists so go ahead and always call it. If the certificate failed to be issued for some reason the request will still be in certmonger after uninstalling. This would cause problems when trying to reinstall the

[Freeipa-devel] [PATCH] fix API, broken build

2011-03-04 Thread Rob Crittenden
When I applied some fixes to the help text as suggested by David for patch 746 I missed that it affected the API. It is just a doc string change, pushed under the one-liner rule. --- a/API.txt +++ b/API.txt @@ -708,7 +708,7 @@ option: Str('idnsupdatepolicy', attribute=True,

[Freeipa-devel] [PATCH] 749 use hostname consistently in ipa-client-install

2011-03-04 Thread Rob Crittenden
If a hostname was provided it wasn't used to configure either certmonger or sssd. This resulted in a non-working configuration. Additionally on un-enrollment the wrong hostname was unenrolled, it used the value of gethostname() rather than the one that was passed into the installer. We have

Re: [Freeipa-devel] [PATCH 23/23] Add Transifex tx client configuration file

2011-03-07 Thread Rob Crittenden
John Dennis wrote: ack, pushed to master

[Freeipa-devel] [PATCH] 750 chkconfig ipa off on uninstall

2011-03-07 Thread Rob Crittenden
chkconfig the ipa service to off on uninstall ticket 1056 rob freeipa-rcrit-750-service.patch Description: application/mbox

Re: [Freeipa-devel] [PATCH] 037 Improve error handling and return status codes in ipactl

2011-03-07 Thread Rob Crittenden
Martin Kosek wrote: There are cases when ipactl returns success even when it fails. Plus, when the error really is detected the status codes are not LSB compliant. This may result in consequent issues. This patch improves error handling in ipactl and adds LSB compliant status codes. Namely: 0

Re: [Freeipa-devel] [PATCH] 748 always stop tracking cert on client uninstall

2011-03-08 Thread Rob Crittenden
Martin Kosek wrote: On Fri, 2011-03-04 at 13:14 -0500, Rob Crittenden wrote: certmonger stop_tracking() is robust enough to do the right thing if no certificate exists so go ahead and always call it. If the certificate failed to be issued for some reason the request will still be in certmonger

Re: [Freeipa-devel] [PATCH] 749 use hostname consistently in ipa-client-install

2011-03-08 Thread Rob Crittenden
Martin Kosek wrote: On Mon, 2011-03-07 at 11:52 -0500, Rob Crittenden wrote: Nalin Dahyabhai wrote: On Fri, Mar 04, 2011 at 05:59:26PM -0500, Rob Crittenden wrote: If a hostname was provided it wasn't used to configure either certmonger or sssd. This resulted in a non-working configuration

Re: [Freeipa-devel] [PATCH] 750 chkconfig ipa off on uninstall

2011-03-08 Thread Rob Crittenden
Martin Kosek wrote: On Mon, 2011-03-07 at 16:30 -0500, Rob Crittenden wrote: chkconfig the ipa service to off on uninstall ticket 1056 rob ACK, works fine. Martin pushed to master

Re: [Freeipa-devel] [PATCH] 038 ipa-dns-install script fails

2011-03-08 Thread Rob Crittenden
Martin Kosek wrote: This patch fixes a typo in class Service, function __get_conn which causes ipa-dns-install script to fail every time. https://fedorahosted.org/freeipa/ticket/1065 Ack, pushed to master.

Re: [Freeipa-devel] [PATCH] 751 dogtag replication

2011-03-10 Thread Rob Crittenden
Martin Kosek wrote: On Thu, 2011-03-10 at 00:10 -0500, Rob Crittenden wrote: The replication between dogtag servers wasn't using TLS or SSL. This uses a new option to pkisilent to create replication agreements that use TLS. The SSL cert we will use is the same as the main 389-ds instance via

Re: [Freeipa-devel] Wrong timeout parameter in ipapython

2011-03-10 Thread Rob Crittenden
Sylvain Baubeau wrote: Hi, I was facing an error with ipapython that caused an NSPRError exception to be raised at line 159 of ipapython/nsslib.py : 157 logging.debug(connecting: %s, net_addr) 158 try: 159 self.sock.connect(net_addr,

Re: [Freeipa-devel] Some observations based on the adhock testing

2011-03-11 Thread Rob Crittenden
Dmitri Pal wrote: Hi, 1) I confirmed that capitalization in the host name makes things not work. I had a VM with a capital letter in the name. Everything installed fine but then ipa command did not work and the httpd error log was complaining that the host principal was not found. I

[Freeipa-devel] [PATCH] 752 fix SELinux AVCs

2011-03-14 Thread Rob Crittenden
Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance. This fixes 2 AVCS: * One because we are enabling port 7390 because an SSL port must be defined to use TLS On 7389. * We were symlinking to the main IPA 389-ds NSS certificate database. Instead generate a separate NSS

Re: [Freeipa-devel] [PATCH] admiyo-0213-Domain-to-Realm

2011-03-14 Thread Rob Crittenden
Adam Young wrote: Even though my name is on the patch, Simo wrote it and is the author in the patch. This looks good I just have one question. Is it not safe to assume that the default kerberos realm is the realm? I think that is where any realm that would be passed into this would be

[Freeipa-devel] [PATCH] 753 honor domain and server flags in client install

2011-03-15 Thread Rob Crittenden
We now use TLS for the LDAP connection so need to fetch the IPA CA remotely very early in the process. Because we weren't honoring the server flags when doing DNS discovery we didn't know where to fetch the CA from. ticket 1090 rob freeipa-rcrit-753-client.patch Description:

Re: [Freeipa-devel] [PATCH] admiyo-0213-Domain-to-Realm

2011-03-15 Thread Rob Crittenden
Adam Young wrote: On 03/15/2011 05:26 AM, Martin Kosek wrote: On Mon, 2011-03-14 at 15:28 -0400, Adam Young wrote: Even though my name is on the patch, Simo wrote it and is the author in the patch. Patch looks good. Installation and replication with a realm different to domain name works

Re: [Freeipa-devel] [PATCH] 752 fix SELinux AVCs

2011-03-15 Thread Rob Crittenden
Pavel Zuna wrote: On 03/14/2011 09:33 PM, Rob Crittenden wrote: Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance. This fixes 2 AVCS: * One because we are enabling port 7390 because an SSL port must be defined to use TLS On 7389. * We were symlinking to the main IPA 389-ds

[Freeipa-devel] [PATCH] 754 ensure hostnames are lower-case

2011-03-16 Thread Rob Crittenden
If a hostname has mixed-case in /etc/hosts or a mixed-case name is passed into either the client or host installer we need to prevent installation. The hostname should be lower-case otherwise all sorts of odd problems will happen. ticket 1080 rob freeipa-rcrit-754-hostname.patch
