Re: [Freeipa-devel] [PATCH] 566 disallow writes on some attributes

2010-10-22 Thread Rob Crittenden
Simo Sorce wrote: On Fri, 08 Oct 2010 15:07:53 -0400 Rob Crittenden wrote: Rob Crittenden wrote: Disallow writes on serverHostName, enrolledBy and memberOf Regular users already can't write these, it just affects admins. serverHostName because this is tied to the FQDN so should on

Re: [Freeipa-devel] [PATCH] 577 Grant /usr/sbin/ipa_kpasswd "name_bind" access.

2010-10-22 Thread Rob Crittenden
Simo Sorce wrote: On Thu, 14 Oct 2010 14:45:20 -0400 Rob Crittenden wrote: Fix an SELinux problem by granting /usr/sbin/ipa_kpasswd "name_bind" access. This requires selinux-policy-3.6.32-123 on F12 and I took an educated guess and set the minimum on F13 to selinux-policy-3.7.19-4

Re: [Freeipa-devel] [PATCH] 581 remove enrolledBy when unenrolled

2010-10-22 Thread Rob Crittenden
Simo Sorce wrote: On Wed, 20 Oct 2010 17:14:56 -0400 Rob Crittenden wrote: Rob Crittenden wrote: Dmitri Pal wrote: Simo Sorce wrote: On Fri, 15 Oct 2010 17:27:07 -0400 Rob Crittenden wrote: Remove the enrolledBy when a host is unenrolled (which is the same as disabling the host

Re: [Freeipa-devel] [PATCH] 584 fix 2 tests

2010-10-22 Thread Rob Crittenden
Simo Sorce wrote: On Wed, 20 Oct 2010 13:19:29 -0400 Rob Crittenden wrote: The first test is a mismatch in the sample output of an exception. The second test adds certificate information output to the service plugin. ACK Simo. pushed to master rob

Re: [Freeipa-devel] [PATCH] #333 plugin to change kerberos principal name when user is renamed

2010-10-25 Thread Rob Crittenden
Simo Sorce wrote: On Fri, 22 Oct 2010 17:46:55 -0400 Rob Crittenden wrote: Simo Sorce wrote: This plugin intercepts a modrdn change so that when a user is renamed the krbprincipalname is changed accordingly. The second patch activates the plugin. Simo. Should ipaModRDNscope be set to

Re: [Freeipa-devel] Should we remove the reset button?

2010-10-25 Thread Rob Crittenden
Adam Young wrote: On 10/25/2010 08:23 AM, Ben Dubrovsky wrote: Hi, I'm sympathetic to the argument that Nielsen makes about reset. One thing to consider, however, is that he's arguing from a point of view that differentiates applications from web pages -- that when people are using the web, th

Re: [Freeipa-devel] admiyo-freeipa-0059-sample-data-for-DNS.patch

2010-10-25 Thread Rob Crittenden
Adam Young wrote: This fixes the file: URL for displaying DNS search page. ack ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] #333 plugin to change kerberos principal name when user is renamed

2010-10-25 Thread Rob Crittenden
Simo Sorce wrote: On Mon, 25 Oct 2010 10:39:06 -0400 Rob Crittenden wrote: Simo Sorce wrote: On Fri, 22 Oct 2010 17:46:55 -0400 Rob Crittenden wrote: Simo Sorce wrote: This plugin intercepts a modrdn change so that when a user is renamed the krbprincipalname is changed accordingly

Re: [Freeipa-devel] [PATCH] admiyo-freeipa-0063-dns-work.patch

2010-10-25 Thread Rob Crittenden
Adam Young wrote: Implementation of the UI for DNS records. Search uses filters. Much of the code has been cut and pasted from search.js and add.js, but then significantly modified. Moving forward, we'll have to determine if it is worth the effort to integrate. ack

[Freeipa-devel] [PATCH] 585 entitlement plugin

2010-10-25 Thread Rob Crittenden
Add entitlement plugin for counting client entitlements. This just adds the capability to tie to a candlepin server or manually import entitlement certificates. The code to use these to count clients is still under development. rob freeipa-585-entitle.patch Description: application/mbox

Re: [Freeipa-devel] [PATCH] admiyo-freeipa-0066-find_entries-param.patch

2010-10-25 Thread Rob Crittenden
Adam Young wrote: find_entries param Fixes a bug where find_entries was not passed a parameter for filter. Instead of fixing the call point, this patch adds a default value for the parameter, ack

[Freeipa-devel] [PATCH] 586 kerberos password policy

2010-10-25 Thread Rob Crittenden
Use kerberos password policy. This lets the KDC count password failures and can lock out accounts for a period of time. This only works for KDC >= 1.8. There currently is no way to unlock a locked account across a replica. MIT Kerberos 1.9 is adding support for doing so. Once that is availab

[Freeipa-devel] [PATCH] 587 get effective rights in *-show

2010-10-25 Thread Rob Crittenden
Add --rights flag to *-show in baseldap so you can retrieve the effective rights to modify the entry you are viewing. The output is a dict of attributes. Each value is a list of rights. It is pretty nasty looking output so I'm only displaying it when --all is used. This is designed for the UI

Re: [Freeipa-devel] [Fwd: [freeipa] #402: SUDO command attribute should be case sensitive]

2010-10-26 Thread Rob Crittenden
Dmitri Pal wrote: Dmitri Pal wrote: Simo Sorce wrote: On Wed, 20 Oct 2010 15:42:17 -0400 Dmitri Pal wrote: Any suggestions what it should be? Should we create a new attribute or there is something handy to reuse? Probably makes sense to add a custom attribute, properly named. Ok I

[Freeipa-devel] [PATCH] 588 Removing HBAC service nesting

2010-10-26 Thread Rob Crittenden
Remove group nesting from the HBAC service groups. ticket https://fedorahosted.org/freeipa/ticket/389 rob rcrit-freeipa-588-hbac.patch Description: application/mbox

[Freeipa-devel] [PATCH] 589 disallow group password policy in UPG

2010-10-26 Thread Rob Crittenden
Don't allow managed groups to have group password policy. UPG cannot have members and we use memberOf in class of service to determine which policy to apply. ticket https://fedorahosted.org/freeipa/ticket/160 rob rcrit-freeipa-589-pwpolicy.patch Description: application/mbox

[Freeipa-devel] [PATCH] 590 error out when missing headers

2010-10-26 Thread Rob Crittenden
Error out of configure when it finds some missing headers. rob rcrit-freeipa-590-configure.patch Description: application/mbox

Re: [Freeipa-devel] [PATCH] 590 error out when missing headers

2010-10-26 Thread Rob Crittenden
Simo Sorce wrote: On Tue, 26 Oct 2010 15:16:04 -0400 Rob Crittenden wrote: Error out of configure when it finds some missing headers. rob ACK pushed to master

Re: [Freeipa-devel] RFC wrt little snag in LDAPCreate when ipa_uuid manipulates the DN on entry add

2010-10-27 Thread Rob Crittenden
Adam Young wrote: On 10/26/2010 11:21 PM, Simo Sorce wrote: So, I have been working on this ipa_uuid plugin as of late and one of the last tasks was to let it modify the RDN if ipaUniqueID is part of the DN of an entry we want to create. Example: dn: ipauniqueid=autogenerate,cn=hbac,dc=... cn:

Re: [Freeipa-devel] RFC wrt little snag in LDAPCreate when ipa_uuid manipulates the DN on entry add

2010-10-27 Thread Rob Crittenden
Simo Sorce wrote: On Wed, 27 Oct 2010 09:35:17 -0400 Adam Young wrote: I'm not up to speed on this code. Why do a find right after create? I guess to pick up all attributes added automatically by DS, not sure why it just is. Simo. Yes, that's exactly it. We have other autogenerated valu

Re: [Freeipa-devel] [PATCH] #333 plugin to change kerberos principal name when user is renamed

2010-10-27 Thread Rob Crittenden
Simo Sorce wrote: This plugin intercepts a modrdn change so that when a user is renamed the krbprincipalname is changed accordingly. The second patch activates the plugin. Simo. ack x2 rob

Re: [Freeipa-devel] [PATCH] plugins slim down

2010-10-27 Thread Rob Crittenden
Simo Sorce wrote: I had some unused functions in the uuid and modrdn plugins, due to copy&paste. Remove unused functions. Simo. ack x2

Re: [Freeipa-devel] [PATCHES] UUID Plugin: Code fixes and cleanups

2010-10-27 Thread Rob Crittenden
Simo Sorce wrote: These are a few minor fixes and cleanups I split in multiple patches for easier review. 1. makes sure we reset the generate flag at every loop, so that we do not risk a false positive if multiple UUIDs are generated on an entry. 2. makes unlocks safer by tracking when we need

Re: [Freeipa-devel] [PATCH] UUID Plugin: add "enforce" option

2010-10-27 Thread Rob Crittenden
Simo Sorce wrote: When the ipaUuidEnforce option is set to TRUE only the Directory Manager is allowed to set arbitrary values. Any attempt to set values != the ipaUuidGenerate value by non DirMgr users will throw an error. This is useful to enforce UUIDs are always set by the server. At this m

Re: [Freeipa-devel] [PATCHES] Address #413 and Complete UUID related changes

2010-10-27 Thread Rob Crittenden
Simo Sorce wrote: These patches apply on top of the previous ipa_uuid related patches. #1 handles automatic generation of the uuid when the uuid attribute is the RDN (fixes #413). #2 prevents cases of false positives when enforcing is set and we are handling a simple modification of an object

[Freeipa-devel] [PATCH] 591 improve error reporting when adding/removing members

2010-10-28 Thread Rob Crittenden
Return reason for failure when updating group membership fails. We used to return a list of dns that failed to be added. We now return a list of tuples instead. The tuple looks like (dn, reason) where reason is the exception that was returned. Also made the label we use for failures to be sin

Re: [Freeipa-devel] [PATCH] #412 Make always use of special salt type

2010-10-28 Thread Rob Crittenden
Simo Sorce wrote: By using the special salt type and generating a random salt we can rename user's principal name without invalidating their password. This works only if pre-authentication is required, but that's how we configure our server anyway. This patch does not disallow "normal" salts,

Re: [Freeipa-devel] [PATCH] fix pwd plugin logging

2010-10-28 Thread Rob Crittenden
Simo Sorce wrote: While reviewing the logging macros I realized that the log target was wrong for the LOG_TRACE and LOG_FATAL functions. I also took the liberty of simplifying the macros by removing unnecessary do {} while(0) loops given the final version didn't require more than one function in

Re: [Freeipa-devel] [PATCH] 588 Removing HBAC service nesting

2010-10-28 Thread Rob Crittenden
Adam Young wrote: On 10/26/2010 01:59 PM, Rob Crittenden wrote: Remove group nesting from the HBAC service groups. ticket https://fedorahosted.org/freeipa/ticket/389 rob

Re: [Freeipa-devel] [PATCH] 589 disallow group password policy in UPG

2010-10-28 Thread Rob Crittenden
Adam Young wrote: On 10/26/2010 02:34 PM, Rob Crittenden wrote: Don't allow managed groups to have group password policy. UPG cannot have members and we use memberOf in class of service to determine which policy to apply. ticket https://fedorahosted.org/freeipa/ticket/160

Re: [Freeipa-devel] [PATCH] 591 improve error reporting when adding/removing members

2010-10-28 Thread Rob Crittenden
Adam Young wrote: On 10/28/2010 02:43 PM, Rob Crittenden wrote: Return reason for failure when updating group membership fails. We used to return a list of dns that failed to be added. We now return a list of tuples instead. The tuple looks like (dn, reason) where reason is the exception that

Re: [Freeipa-devel] [PATCH] 001 Clarify the description of --raw and -all

2010-10-29 Thread Rob Crittenden
Jakub Hrozek wrote: https://fedorahosted.org/freeipa/ticket/244 If I understand the code correctly, --all is not really a parameter that affects only output, it also causes all attributes to be retrieved from the server, so I have adjusted the descr

Re: [Freeipa-devel] [PATCH] 000 Remove extra --prompt-all from ipa(1) man page

2010-10-29 Thread Rob Crittenden
Jakub Hrozek wrote: http://fedorahosted.org/freeipa/ticket/328

Re: [Freeipa-devel] [PATCH] 586 kerberos password policy

2010-10-29 Thread Rob Crittenden
Simo Sorce wrote: On Mon, 25 Oct 2010 18:05:46 -0400 Rob Crittenden wrote: Use kerberos password policy. This lets the KDC count password failures and can lock out accounts for a period of time. This only works for KDC>= 1.8. There currently is no way to unlock a locked account acros

[Freeipa-devel] [PATCH] 593 fix group objectclasses on detach

2010-11-01 Thread Rob Crittenden
Make sure a detached group has the default list of objectclasses. ipaUniqueId is handled by the new uuid plugin. https://fedorahosted.org/freeipa/ticket/250 rob >From f34b8f2110a2afb7da81cb0b5780fc7ade75aa68 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Mon, 1 Nov 2010 12:05:53 -0

Re: [Freeipa-devel] Autofs schema

2010-11-01 Thread Rob Crittenden
Dmitri Pal wrote: Are we using the right one? https://bugzilla.redhat.com/show_bug.cgi?id=643045 We use the schema from RFC 2307bis. rob

Re: [Freeipa-devel] [PATCH] 0002 Rewrite the migration page using WSGI

2010-11-01 Thread Rob Crittenden
Jakub Hrozek wrote: https://fedorahosted.org/freeipa/ticket/154 The second patch removes the /ipatest section that has been commented out in ipa.conf anyway..plus, we don't ship /usr/share/ipatest anymore :-) Migration doesn't seem to be working.

Re: [Freeipa-devel] [ PATCH ] lite-server.py failing due to cli.py dependency: import default_encoding_utf8

2010-11-01 Thread Rob Crittenden
JR Aquino wrote: ./lite-server.py -d ipa: DEBUG: importing all plugin modules in '/usr/src/freeipa/ipalib/plugins'... ipa: DEBUG: importing plugin module '/usr/src/freeipa/ipalib/plugins/aci.py' ipa: DEBUG: importing plugin module '/usr/src/freeipa/ipalib/plugins/automount.py' ipa: ERROR: could

Re: [Freeipa-devel] [ Patch ] sudo plugins updated to reflect sudocmd attribute change

2010-11-03 Thread Rob Crittenden
JR Aquino wrote: Patches for sudocmd attribute change and support for sudorule cmdCategory. ack, pushed to master

Re: [Freeipa-devel] [PATCH] 0003 Remove reference to ipa_webgui from ipa-server-install man page

2010-11-03 Thread Rob Crittenden
David O'Brien wrote: Jan Zelený wrote: "David O'Brien" wrote: Jan Zelený wrote: There was a single reference, so I removed it and rephrased the sentence a little. https://fedorahosted.org/freeipa/ticket/330 Jan nack "...and starting IPA\-provided service ipa_kpasswd." is grammatically inc

Re: [Freeipa-devel] [PATCH] 0002 Add SEE ALSO section to man pages

2010-11-03 Thread Rob Crittenden
Jan Zelený wrote: All ipa-* commands except for ipa-fix-CVE-2008-3274 were added to SEE ALSO section of ipa(1). https://fedorahosted.org/freeipa/ticket/329 Jan ack, pushed to master

Re: [Freeipa-devel] [PATCH] 0001 Ensure that Apache is running in Prefork mode

2010-11-03 Thread Rob Crittenden
Jan Zelený wrote: I tried one other solution, but this approach was recommended to me by Pavel. It seems to be working fine. If you don't agree with the concept (detection per request), I can present you the original one. https://fedorahosted.org/freeipa/ticket/252 Jan nack. I think we need

Re: [Freeipa-devel] [PATCH] Bulk

2010-11-03 Thread Rob Crittenden
Adam Young wrote: Joint effort between me and Rob in getting this to work. I've tested it with the following data: [ayo...@ipa freeipa]$ cat ../bulk_request.json {"method":"bulk","params":[[ {"method":"json_metadata","params":[[],{}]}, {"method":"user_find","params":[[],{"whoami":" true","all":

[Freeipa-devel] [PATCH] 594 display aci components separately

2010-11-03 Thread Rob Crittenden
Break out an ACI into components so it is easier to see what it does. This will be needed for UI support. I also filled more supported types and made the List parameter perform validation. rob >From d3f91cf238daf76e908f37b7a591612c6f986aa0 Mon Sep 17 00:00:00 2001 From: Rob Crittenden D

Re: [Freeipa-devel] [ PATCH ] lite-server.py failing due to cli.py dependency: import default_encoding_utf8

2010-11-03 Thread Rob Crittenden
Dmitri Pal wrote: JR Aquino wrote: ./lite-server.py -d ipa: DEBUG: importing all plugin modules in '/usr/src/freeipa/ipalib/plugins'... ipa: DEBUG: importing plugin module '/usr/src/freeipa/ipalib/plugins/aci.py' ipa: DEBUG: importing plugin module '/usr/src/freeipa/ipalib/plugins/automount.py'

[Freeipa-devel] [PATCH] 595 add additional hbac services

2010-11-03 Thread Rob Crittenden
Add gdm, gdm-password and kdm as default hbac services. ticket https://fedorahosted.org/freeipa/ticket/307 rob >From 5c5e32b138bacd7e23596e20329fd5c1af9920f7 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Wed, 3 Nov 2010 11:49:51 -0400 Subject: [PATCH] Add additional default HBAC lo

Re: [Freeipa-devel] [PATCH] 594 display aci components separately

2010-11-03 Thread Rob Crittenden
Adam Young wrote: On 11/03/2010 11:32 AM, Rob Crittenden wrote: Break out an ACI into components so it is easier to see what it does. This will be needed for UI support. I also filled more supported types and made the List parameter perform validation. rob

[Freeipa-devel] [PATCH] 596 remove ipa-fix-CVE-2008-3274

2010-11-03 Thread Rob Crittenden
This tool was designed to fix CVE-2008-3274. This configuration is default now in V2 so this isn't needed now. https://fedorahosted.org/freeipa/ticket/331 rob >From 576594158d15546242b18151697cef37dfa551ad Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Wed, 3 Nov 2010 13:47:

[Freeipa-devel] [PATCH] 597 user-enable/disable improvements

2010-11-03 Thread Rob Crittenden
some operational attributes. ticket 392 rob >From 8c8edd2638c3eafd9cfea86b52acfba6fb689e00 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Wed, 3 Nov 2010 15:31:46 -0400 Subject: [PATCH] user-enable/disable improvements Always display the account enable/disable status. Don't ignore the ex

[Freeipa-devel] [PATCH] one-liner fix pushed

2010-11-03 Thread Rob Crittenden
Pushed this fix under the 1-liner rule. We had the wrong attribute in an aci. diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update index da17358..d51e213 100644 --- a/install/updates/40-delegation.update +++ b/install/updates/40-delegation.update @@ -241,7

[Freeipa-devel] [PATCH] 598 add rights to LDAPUpdate base class

2010-11-04 Thread Rob Crittenden
This makes --rights available to all _mod commands. https://fedorahosted.org/freeipa/ticket/437 rob >From 9cde99f1b872fa12d9d6cbbc1970e5907cca21b2 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Thu, 4 Nov 2010 10:44:49 -0400 Subject: [PATCH] Add the --rights option to the LDAPUpdate b

Re: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0072-rights-check.patch

2010-11-04 Thread Rob Crittenden
Adam Young wrote: On 11/03/2010 12:55 PM, Endi Sukma Dewata wrote: On 11/3/2010 8:53 AM, Adam Young wrote: Still NACK. I have tested this again. It looks like the UI does not send the --rights parameter which is required to get the attributelevelrights. With this patch even the admin can't edit

[Freeipa-devel] [PATCH] one-liner fix

2010-11-04 Thread Rob Crittenden
Pushed this under the one-liner rule. My domain was hardcoded in a couple of acis. rob diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update index d51e213..085cd1f 100644 --- a/install/updates/40-delegation.update +++ b/install/updates/40-delegation.update @

Re: [Freeipa-devel] [PATCH] nis and schema-compat: heed userCategory and hostCategory in netgroups

2010-11-04 Thread Rob Crittenden
Nalin Dahyabhai wrote: It looks like we missed the userCategory and hostCategory stuff when we did the original pass at configuring the nis server and schema compat plugins for netgroups. Here's a proposed change which should empty the right fields when we have one or the other set to "ALL". W

[Freeipa-devel] [PATCH] 599 add usercat and hostcat to netgroups

2010-11-04 Thread Rob Crittenden
The netgroup plugin was missing the usercategory and hostcategory associations. This adds them and fixes displaying membership in netgroup_show. rob >From a0f98fb52922ec97947e7df9bc4dd32523e1a3a5 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Thu, 4 Nov 2010 15:19:14 -0400 Subj

[Freeipa-devel] [PATCH] 600 fix ipa-nis-manage

2010-11-04 Thread Rob Crittenden
=config, so it failed. ticket https://fedorahosted.org/freeipa/ticket/414 rob >From 98c033712ec27c5692246cb6f2d1d91087b98fa5 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Thu, 4 Nov 2010 15:23:25 -0400 Subject: [PATCH] Fix NotFound exception in ipa-nis-manage. The signature of ldap2.get_en

[Freeipa-devel] [PATCH] 601 rename 60sudo.ldif

2010-11-04 Thread Rob Crittenden
Rename 60sudo.ldif to 60ipasudo.ldif. We are overwriting a file of the same name from the default 389-ds schema. rob >From 25cfcbc6c627f87a910da829cb237b4cd8f42d18 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Thu, 4 Nov 2010 15:53:31 -0400 Subject: [PATCH] Rename 60sudo.ldif

[Freeipa-devel] [PATCH] 602 verify --ip-address option during installation

2010-11-04 Thread Rob Crittenden
There was a corner case where the value of --ip-address was never verified if you were also setting up DNS. Added this bit of information to the man page too. ticket 399 rob >From a006ecb181c2ae88d3fa5d25c428e11d8b5c0590 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Thu, 4 Nov 2010

[Freeipa-devel] [PATCH] 603 add examples to ipa-replica-install man page

2010-11-04 Thread Rob Crittenden
Add a couple of examples in ipa-replica-install.1 in an effort to clarify where one does a re-init. rob >From 5481e4db106b7768c88acbf353632298e659457d Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Thu, 4 Nov 2010 17:36:51 -0400 Subject: [PATCH] Add some examples to ipa-replica-instal

Re: [Freeipa-devel] [PATCH] Bulk

2010-11-05 Thread Rob Crittenden
Adam Young wrote: Renamed the plugin to 'batch' which is a better name than bulk. Added the example to the docs, put a header on it, and removed the changes to internal.py This will blow up if args ends up being empty so we'll need to address that at some point. This particular error I think

Re: [Freeipa-devel] [PATCH] freeipa-admiyo-0072-3-rights-check.patch

2010-11-05 Thread Rob Crittenden
Adam Young wrote: Rebased, got the links for add and removed checked as well, and set default to 'rsc' ack

Re: [Freeipa-devel] [PATCH] freeipa-admiyo-0072-3-rights-check.patch

2010-11-05 Thread Rob Crittenden
Adam Young wrote: On 11/05/2010 02:29 PM, Adam Young wrote: Rebased, got the links for add and removed checked as well, and set default to 'rsc'

[Freeipa-devel] [PATCH] 604 revoke certs when disabling and deleting hosts

2010-11-05 Thread Rob Crittenden
rob >From e1f262397353f37a525a0a3d7d2a8405da1d7db2 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Fri, 5 Nov 2010 15:16:53 -0400 Subject: [PATCH] Revoke a host's certificate (if any) when it is deleted or disabled. Disable any services when its host is disabled. This also adds d

[Freeipa-devel] [PATCH] 605 use diff user for dogtag DS instance

2010-11-08 Thread Rob Crittenden
uninstall but stopping them all first is cleaner. It's how I've been uninstalling for months now anything (ipactl stop && ipa-server-install --uninstall -U). ticket https://fedorahosted.org/freeipa/ticket/349 rob >From a0a63a231f44570f2f7de09e69c0edd5b2f339d6 Mon Sep 17 00:00:0

Re: [Freeipa-devel] [PATCH] 599 add usercat and hostcat to netgroups

2010-11-08 Thread Rob Crittenden
Jakub Hrozek wrote: On 11/04/2010 08:21 PM, Rob Crittenden wrote: The netgroup plugin was missing the usercategory and hostcategory associations. This adds them and fixes displaying membership in netgroup_show. rob The code looks OK and works

[Freeipa-devel] [PATCH] 606 IPA v1.2.2 binary location fix

2010-11-08 Thread Rob Crittenden
17 00:00:00 2001 From: Rob Crittenden Date: Mon, 8 Nov 2010 14:09:04 -0500 Subject: [PATCH] Use PATH in env when running commands to find binaries. Fedora 14 moved the kerberos binaries from /usr/kerberos/[s]bin to /usr/[s]bin. Pass PATH to the environment in ipautil.run() so we can work universa

Re: [Freeipa-devel] [PATCH] 596 remove ipa-fix-CVE-2008-3274

2010-11-08 Thread Rob Crittenden
Jakub Hrozek wrote: On 11/03/2010 06:52 PM, Rob Crittenden wrote: This tool was designed to fix CVE-2008-3274. This configuration is default now in V2 so this isn't needed now. https://fedorahosted.org/freeipa/ticket/331 rob Ack push

Re: [Freeipa-devel] [PATCH] 595 add additional hbac services

2010-11-08 Thread Rob Crittenden
Jakub Hrozek wrote: On 11/03/2010 04:52 PM, Rob Crittenden wrote: Add gdm, gdm-password and kdm as default hbac services. ticket https://fedorahosted.org/freeipa/ticket/307 rob Ack pushed to master

Re: [Freeipa-devel] [PATCH] 004 Log script options to logfile

2010-11-08 Thread Rob Crittenden
Jakub Hrozek wrote: Uses a new subclass IPAOptionParser in scripts instead of OptionParser from the standard python library. IPAOptionParser uses its own IPAOption class to store options, which adds a new 'sensitive' attribute. https://fedorahosted.

Re: [Freeipa-devel] [PATCH] 001 Clarify the description of --raw and -all

2010-11-08 Thread Rob Crittenden
Jakub Hrozek wrote: On 10/29/2010 08:45 PM, Rob Crittenden wrote: Jakub Hrozek wrote: https://fedorahosted.org/freeipa/ticket/244 If I understand the code correctly, --all is not really a parameter that affects only output, it also causes all

Re: [Freeipa-devel] [PATCH] 599 add usercat and hostcat to netgroups

2010-11-08 Thread Rob Crittenden
Jakub Hrozek wrote: On 11/08/2010 07:52 PM, Rob Crittenden wrote: So we don't have to change the type later. It is expected that at some point these will have additional values. rob OK, that's what I thought, but I wanted to have this

Re: [Freeipa-devel] [PATCH] 0002 Rewrite the migration page using WSGI

2010-11-08 Thread Rob Crittenden
Jakub Hrozek wrote: (resending to the list, I accidentally replied to Rob only before..) On 11/02/2010 04:24 AM, Rob Crittenden wrote: Jakub Hrozek wrote: https://fedorahosted.org/freeipa/ticket/154

Re: [Freeipa-devel] [PATCH] 602 verify --ip-address option during installation

2010-11-09 Thread Rob Crittenden
Jakub Hrozek wrote: On 11/04/2010 10:00 PM, Rob Crittenden wrote: There was a corner case where the value of --ip-address was never verified if you were also setting up DNS. Added this bit of information to the man page too. ticket 399 rob

Re: [Freeipa-devel] [PATCH] 004 Log script options to logfile

2010-11-09 Thread Rob Crittenden
Jakub Hrozek wrote: On 11/08/2010 09:12 PM, Jakub Hrozek wrote: This patch is fine as-is so I'll give you a choice: 1. You can update this patch and log those things that will be queried if not provided on the CLI. I'd prefer this option. The patc

Re: [Freeipa-devel] [PATCH] 603 add examples to ipa-replica-install man page

2010-11-09 Thread Rob Crittenden
Jakub Hrozek wrote: On 11/04/2010 10:38 PM, Rob Crittenden wrote: Add a couple of examples in ipa-replica-install.1 in an effort to clarify where one does a re-init. rob Ack pushed to master

Re: [Freeipa-devel] [PATCH] 600 fix ipa-nis-manage

2010-11-09 Thread Rob Crittenden
Jakub Hrozek wrote: On 11/04/2010 08:28 PM, Rob Crittenden wrote: ipa-nis-manage was broken because of a signature change to ldap2.getentry(). Two new arguments were added before normalize and a call to this in ipa-nis-manage was relying on

Re: [Freeipa-devel] [PATCH] 0002 Rewrite the migration page using WSGI

2010-11-09 Thread Rob Crittenden
Rob Crittenden wrote: Jakub Hrozek wrote: (resending to the list, I accidentally replied to Rob only before..) On 11/02/2010 04:24 AM, Rob Crittenden wrote: Jakub Hrozek wrote: https

Re: [Freeipa-devel] [PATCH] 601 rename 60sudo.ldif

2010-11-09 Thread Rob Crittenden
Jakub Hrozek wrote: On 11/04/2010 08:56 PM, Rob Crittenden wrote: Rename 60sudo.ldif to 60ipasudo.ldif. We are overwriting a file of the same name from the default 389-ds schema. rob Ack pushed to master

[Freeipa-devel] [PATCH] 607 add managedby to hosts

2010-11-09 Thread Rob Crittenden
This will let one host do things on behalf of another host (request a keytab, certificate, etc). ticket https://fedorahosted.org/freeipa/ticket/280 rob >From 9e9ae1b890c324f05af71540763631a6e91c2a06 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Tue, 9 Nov 2010 13:57:02 -0500 Subj

Re: [Freeipa-devel] [PATCH] 011 Use sys.exit to quit scripts

2010-11-09 Thread Rob Crittenden
Jakub Hrozek wrote: Instead of print and return, use sys.exit() to quit scripts with an error message and a non zero return code. https://fedorahosted.org/freeipa/ticket/425 This isn't applying for me. Can you try to rebase it? thanks rob

Re: [Freeipa-devel] [PATCH] Replace 'Locking' in `ipa help user` with 'Disabling'.

2010-11-09 Thread Rob Crittenden
Pavel Zůna wrote: Ticket #452 Pavel ack, pushed to master

Re: [Freeipa-devel] [PATCH] Use strongest enctype for master key

2010-11-09 Thread Rob Crittenden
Simo Sorce wrote: This patch configures IPA to use the currently strongest available enctype for the master key. Fixes #456 Simo. ack

Re: [Freeipa-devel] [PATCH] Use strongest enctype for master key

2010-11-09 Thread Rob Crittenden
Rob Crittenden wrote: Simo Sorce wrote: This patch configures IPA to use the currently strongest available enctype for the master key. Fixes #456 Simo. ack pushed to master

[Freeipa-devel] [PATCH] 608 fix rights with pwpolicy plugin

2010-11-09 Thread Rob Crittenden
The pwpolicy plugin wasn't returning effective rights. I fixed that and it will also return the rights for cospriority if showing a group. rob >From 624ee8daeb26c420722d11e6f37af315e4922847 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Tue, 9 Nov 2010 16:05:54 -0500 Subject: [PA

Re: [Freeipa-devel] [PATCH] 0009 uuid fixes for replication

2010-11-10 Thread Rob Crittenden
Simo Sorce wrote: The uuid plugin was misbehaving in the replication case returning access denied on replication operations. This patch makes the plugin ignore replication for all operations but changes in the configuration of the plugin itself. Fixes bug #468 Simo. ack, pushed to master

[Freeipa-devel] [PATCH] 609 Reduce the number of attributes a host is allowed to write.

2010-11-10 Thread Rob Crittenden
From 9bb5fbc682bf290b81e5b86efcaf28d5970550b6 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Wed, 10 Nov 2010 16:21:19 -0500 Subject: [PATCH] Reduce the number of attributes a host is allowed to write. The list of attributes that a host bound as itself could write was overly broad. A host can now only update

Re: [Freeipa-devel] [PATCH] 0002 Rewrite the migration page using WSGI

2010-11-10 Thread Rob Crittenden
Jakub Hrozek wrote: On 11/09/2010 07:26 PM, Rob Crittenden wrote: Rob Crittenden wrote: Jakub Hrozek wrote: (resending to the list, I accidentally replied to Rob only before..) On 11/02/2010 04:24

[Freeipa-devel] [PATCH] 610 don't include internal commands in help

2010-11-10 Thread Rob Crittenden
Don't include internal commands in `ipa help commands` output. https://fedorahosted.org/freeipa/ticket/463 rob >From 149433420ef701e61ef0cc00be632370dc8e771f Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Wed, 10 Nov 2010 16:51:00 -0500 Subject: [PATCH] Don't include INTERNA

Re: [Freeipa-devel] [PATCH] 607 add managedby to hosts

2010-11-10 Thread Rob Crittenden
Simo Sorce wrote: On Tue, 09 Nov 2010 14:00:00 -0500 Rob Crittenden wrote: + + Add a host that can manage this host's keytab and certificate: + ipa host-add-host --hosts=test2 test """ I do not want to nack, but looking at this command in isolation I am quite co

[Freeipa-devel] [PATCH] 611 increase default username len

2010-11-10 Thread Rob Crittenden
Increase default username length to 32 and max for users and groups to 255. rob >From ef7ffde7c06d20a4c4645325e638dc0924899d82 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Wed, 10 Nov 2010 17:30:01 -0500 Subject: [PATCH] Increase # of chars in users and groups to 255 and default usern

Re: [Freeipa-devel] [PATCH] 0001 Ensure that Apache is running in Prefork mode

2010-11-10 Thread Rob Crittenden
Jan Zelený wrote: Rob Crittenden wrote: Jan Zelený wrote: I tried one other solution, but this approach was recommended to me by Pavel. It seems to be working fine. If you don't agree with the concept (detection per request), I can present you the original one. https://fedorahoste

Re: [Freeipa-devel] [PATCH] Modified ipa help behavior

2010-11-10 Thread Rob Crittenden
Jan Zelený wrote: Jan Zelený wrote: Now each plugin can define its topic as a 2-tuple, where the first item is the name of topic it belongs to and the second item is a description of such topic. Topic descriptions must be the same for all modules belonging to the topic. By using this topics, i

[Freeipa-devel] Announcing FreeIPA v2 Server Alpha 5 Release

2010-11-11 Thread Rob Crittenden
To all freeipa-interest, freeipa-users and freeipa-devel list members, The FreeIPA project team is pleased to announce the availability of the Alpha 5 release of freeIPA 2.0 server [1]. Binaries are available for F-12, F-13 and F-14. This alpha is a bug fix release over the previous alpha and

Re: [Freeipa-devel] [PATCH] 610 don't include internal commands in help

2010-11-12 Thread Rob Crittenden
Jakub Hrozek wrote: On Wed, Nov 10, 2010 at 04:53:02PM -0500, Rob Crittenden wrote: Don't include internal commands in `ipa help commands` output. https://fedorahosted.org/freeipa/ticket/463 rob With this patch, commands like "cos*" or "batch" don't show up wit

Re: [Freeipa-devel] [PATCH] 611 increase default username len

2010-11-12 Thread Rob Crittenden
Jakub Hrozek wrote: On Wed, Nov 10, 2010 at 05:33:31PM -0500, Rob Crittenden wrote: Increase default username length to 32 and max for users and groups to 255. rob Adding users with usernames longer than 8 characters works OK until the limit of 32 at which point I got: ipa: ERROR: invalid

Re: [Freeipa-devel] [PATCH] 605 use diff user for dogtag DS instance

2010-11-12 Thread Rob Crittenden
Jakub Hrozek wrote: On Mon, Nov 08, 2010 at 11:10:06AM -0500, Rob Crittenden wrote: Use a different user for the dogtag DS instance. This prevents an error during uninstall of trying to remove the dirsrv user when the dogtag DS instance is removed. I also added a ipactl stop to the beginning

Re: [Freeipa-devel] [PATCH] 609 Reduce the number of attributes a host is allowed to write.

2010-11-15 Thread Rob Crittenden
Jakub Hrozek wrote: On Wed, Nov 10, 2010 at 04:25:18PM -0500, Rob Crittenden wrote: The list of attributes that a host bound as itself could write was overly broad. A host can now only update its description, information about itself such as OS release, etc, its certificate, password and

Re: [Freeipa-devel] [PATCH] 609 Reduce the number of attributes a host is allowed to write.

2010-11-17 Thread Rob Crittenden
Rob Crittenden wrote: Jakub Hrozek wrote: On Wed, Nov 10, 2010 at 04:25:18PM -0500, Rob Crittenden wrote: The list of attributes that a host bound as itself could write was overly broad. A host can now only update its description, information about itself such as OS release, etc, its

Re: [Freeipa-devel] [PATCH] 606 IPA v1.2.2 binary location fix

2010-11-17 Thread Rob Crittenden
Rob Crittenden wrote: Fix for IPA v1.2.2 bug https://bugzilla.redhat.com/show_bug.cgi?id=650725 The problem is in Fedora 14 the kerberos binaries were moved so our tools all fail. This makes the run() call more generic by using PATH to find binaries. rob Reviewed in bug, pushed to ipa-1-2

[Freeipa-devel] [PATCH] 608 Fix returning effective rights for password policy

2010-11-18 Thread Rob Crittenden
Password policy needs to update the class of service priority in another entry. Include the CoS attribute when reporting rights. rob >From 624ee8daeb26c420722d11e6f37af315e4922847 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Tue, 9 Nov 2010 16:05:54 -0500 Subject: [PATCH] Fix return
