Top posting FTW! (sorry)
Excellent news Adam, this is awesome!
Simo.
On Fri, 2017-04-28 at 17:07 -0700, Adam Williamson wrote:
> Hi folks! I thought this might be of interest to the FreeIPA
> community,
> so I thought I'd write it up here in case anyone missed it elsewhere.
>
> I work on the Fe
On Thu, 2017-04-27 at 15:56 +0200, Petr Vobornik wrote:
> On 04/27/2017 02:19 PM, Christian Heimes wrote:
> > On 2017-04-27 14:00, Martin Bašti wrote:
> > > I would like to discuss consequences of adding kdc URI records:
> > >
> > > 1. basically all ipa clients enrolled using autodiscovery will
>
On Thu, 2017-04-27 at 10:42 +0200, MartinBasti wrote:
> URL: https://github.com/freeipa/freeipa/pull/723
> Title: #723: Store GSSAPI session key in /var/run/httpd
>
> Label: +ack
Guys I explained in the bug[1] that this is wrong, why was this acked
and pushed?
Besides how does this even work
ough "CERT" is probably not a good example, installer is. On
> > the other hand, "userstory" is a tag I will myself never use on purpose.
> >>
> >> 2. Also, having a bot in place which will enforce or at least suggest
> >> reporter to modify bug r
> > Sources:
> >
> > https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery
> >
> > https://tools.ietf.org/id/draft-mccallum-kitten-krb-service-discovery-02.txt
> >
> >
> >
> >
> > Thank you
> >
>
> I found out that wiki
On Fri, 2017-03-24 at 11:52 +0100, Martin Babinsky wrote:
> On Fri, Mar 24, 2017 at 10:53:49AM +0200, Alexander Bokovoy wrote:
> >On Fri, 24 Mar 2017, Martin Babinsky wrote:
> >> On Thu, Mar 23, 2017 at 04:46:20PM +0200, Alexander Bokovoy wrote:
> >> > On to, 23
On Thu, 2017-03-23 at 16:08 +0200, Alexander Bokovoy wrote:
> On Thu, 23 Mar 2017, Martin Babinsky wrote:
> >Hi List,
> >
> >TL;DR we have to handle FAST channel establishment when KDC is not issued
> >PKINIT keypair
> >
> >I have spent some time studying and fixing bugs/regressions caused by
>
On Tue, 2017-03-07 at 09:38 +0100, Martin Babinsky wrote:
> On 03/06/2017 01:48 PM, Simo Sorce wrote:
> > On Mon, 2017-03-06 at 07:47 +0100, Martin Babinsky wrote:
> >> On 03/02/2017 02:54 PM, Simo Sorce wrote:
> >>> On Thu, 2017-03-02 at 08:10 +0100, Martin Babinsky
On Mon, 2017-03-06 at 07:47 +0100, Martin Babinsky wrote:
> On 03/02/2017 02:54 PM, Simo Sorce wrote:
> > On Thu, 2017-03-02 at 08:10 +0100, Martin Babinsky wrote:
> >> In this case it would probably be a good idea to think about "forward
> >> compatibility"
tclasses. In this way we may then just extend whatever object we
> desire to carry the override in an easy and clean way.
I agree.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeip
On Wed, 2017-03-01 at 17:29 +0100, Martin Basti wrote:
>
> On 01.03.2017 17:04, Simo Sorce wrote:
> > On Wed, 2017-03-01 at 16:47 +0100, Martin Babinsky wrote:
> >> On 03/01/2017 04:32 PM, Simo Sorce wrote:
> >>> On Wed, 2017-03-01 at 16:17 +0100, Martin Babinsky
On Wed, 2017-03-01 at 16:47 +0100, Martin Babinsky wrote:
> On 03/01/2017 04:32 PM, Simo Sorce wrote:
> > On Wed, 2017-03-01 at 16:17 +0100, Martin Babinsky wrote:
> >> On 03/01/2017 03:42 PM, Simo Sorce wrote:
> >>> On Tue, 2017-02-28 at 13:29 +0100, Martin Bab
On Wed, 2017-03-01 at 16:17 +0100, Martin Babinsky wrote:
> On 03/01/2017 03:42 PM, Simo Sorce wrote:
> > On Tue, 2017-02-28 at 13:29 +0100, Martin Babinsky wrote:
> >> Hello list,
> >>
> >> I have put together a draft of design page describing server-side
ly hosts in that IDView would get this. Or a new object could be
created that has members, the former has the advantage of being already
in place and SSSD already downloads that data, the latter allows to
target an even smaller set of hosts unrelated to previous ID views
settings.
Simo.
in applying some specified rules in IPA itself ?
As explained, there is no such concept in Unix/Linux to start with, but
maybe you mean that you want to check credentials of 2 different users
to allow privileged login, like root login ?
Or is this something else ?
It'd be nice if you can de
EQ, TGS-REQ
> and AP-REQ+KRB-PRV. Responses are not filtered.
No changes needed, we only use AS and TGS request types.
Simo.
Cont
On Fri, 2016-12-09 at 08:31 +0100, Martin Basti wrote:
>
> On 08.12.2016 22:47, Simo Sorce wrote:
> > On Thu, 2016-12-08 at 21:46 +0100, simo5 wrote:
> >> URL: https://github.com/freeipa/freeipa/pull/314
> >> Author: simo5
> >> Title: #314: RFC: priv
: http://www.freeipa.org/page/Contribute/Code
There seems to be a bug in the mailing list posting script when someone
edits a PR description, I see the original text here but not the new
text!
Simo.
nc then people
just stop caring and do not move to production.
Simo.
On Fri, 2016-11-25 at 10:34 -0500, Simo Sorce wrote:
> On Tue, 2016-11-22 at 15:05 +0100, Jan Cholasta wrote:
> > On 22.11.2016 13:06, Petr Spacek wrote:
> > > On 22.11.2016 12:15, David Kupka wrote:
> > >> Hello everyone!
> > >>
emons were in flux in some distributions and IETF
had efforts to provide some more standardized way to provide packet
signatures (we were planning to use the GSS based signature format
developed by Microsoft and used in AD).
When we get back to signing packets we may have to get back in the
business
that CI integration is currently broken so travis says your commits
> failed the checks.
> """
Done, and the CI seems happy?
Simo.
le big task at once when it is finishes and tested.
>
> One dev could probably have a branch on personal fork of FreeIPA on
> GitHub which would work as the feature branch. Other team members would
> create pull requests against it.
Exactly.
> In such case we would lose mail notif
e in future.
>
> Before we touch IP address/domain name logic, we need to agree how it should
> behave.
>
> What is the purpose of --ip-address option?
> a) Specify IP addresses used in DNS.
> ab) What checks should be performed on it?
> b) To bind daemons only to specific IP addresses instead of all interfaces?
>
> I have seen requests for both. We need to decide what is the intended behavior
> and design it before making further changes. The spaghetti code is too
> intertwined for making any non-systematic changes.
>
> --
> Petr^2 Spacek
>
microsoft.com/en-us/library/bb905527.aspx
NOTE: Please look at the small paragraph named "Smart card logon across
forests", we definitely want to think about this problem as well from
the get-go and not try to retrofit something later on.
HTH,
Simo.
> To remedy this problem, we pass error events along the same path as
> read events. Should the actual read fail, we exit.
LGTM
Simo.
On Fri, 2016-09-09 at 13:14 +0200, Standa Laznicka wrote:
> On 09/03/2016 06:25 PM, Jan Pazdziora wrote:
> > On Thu, Sep 01, 2016 at 11:18:45AM -0400, Simo Sorce wrote:
> >> The thing is we (and admins) will be stuck with old clients for a loong
> >> time, so we need to
ng
> the older clients to ignore the objects you want them to ignore if you
> want them not to ignore some.
Yes there is, hostgroups again, you see, it works both ways :-)
> But all and all thank you for the explanation with the example, it
> made some of your previous points more cl
On Thu, 2016-09-01 at 16:35 +0200, Standa Laznicka wrote:
> On 09/01/2016 03:06 PM, Simo Sorce wrote:
> > On Thu, 2016-09-01 at 14:09 +0200, Standa Laznicka wrote:
> >> The class ipaHBACRuleV2 is dynamically switched to from ipaHBACRule
> >> upon
> >> addition o
es dynamically.
Simo.
On Tue, 2016-08-30 at 08:47 +0200, Standa Laznicka wrote:
> On 08/26/2016 05:37 PM, Simo Sorce wrote:
> > On Fri, 2016-08-26 at 11:26 -0400, Simo Sorce wrote:
> >> On Fri, 2016-08-26 at 18:09 +0300, Alexander Bokovoy wrote:
> >>> On Fri, 26 Aug 2016, Simo Sorce wrote
On Mon, 2016-08-29 at 16:35 +0200, Petr Spacek wrote:
> On 29.8.2016 16:34, Simo Sorce wrote:
> > On Mon, 2016-08-29 at 09:13 +0200, Petr Spacek wrote:
> >> On 26.8.2016 17:40, Simo Sorce wrote:
> >>> On Fri, 2016-08-26 at 11:37 -0400, Simo Sorce wrote:
> >
On Mon, 2016-08-29 at 11:15 +0200, Jan Pazdziora wrote:
> On Fri, Aug 26, 2016 at 10:39:53AM -0400, Simo Sorce wrote:
> > On Fri, 2016-08-26 at 12:39 +0200, Martin Basti wrote:
> > >
> > > How do you want to enforce HBAC rule that have set time from 10 to 14
On Mon, 2016-08-29 at 09:13 +0200, Petr Spacek wrote:
> On 26.8.2016 17:40, Simo Sorce wrote:
> > On Fri, 2016-08-26 at 11:37 -0400, Simo Sorce wrote:
> >> Ie we could set both "allow" and "allow_with_time" on an object for
> >> cases where the ad
On Mon, 2016-08-29 at 08:29 +0200, Jan Cholasta wrote:
> On 26.8.2016 16:39, Simo Sorce wrote:
> > On Fri, 2016-08-26 at 12:39 +0200, Martin Basti wrote:
> >>> I miss "why" part of "To be able to handle backward compatibility
> >> with
On Fri, 2016-08-26 at 11:37 -0400, Simo Sorce wrote:
> Ie we could set both "allow" and "allow_with_time" on an object for
> cases where the admin wants to enforce the time part only on newer
> client
> but otherwise apply the rule to any client.
I notice that SS
On Fri, 2016-08-26 at 11:26 -0400, Simo Sorce wrote:
> On Fri, 2016-08-26 at 18:09 +0300, Alexander Bokovoy wrote:
> > On Fri, 26 Aug 2016, Simo Sorce wrote:
> > >On Fri, 2016-08-26 at 12:39 +0200, Martin Basti wrote:
> > >> > I miss "why" part of "
On Fri, 2016-08-26 at 18:09 +0300, Alexander Bokovoy wrote:
> On Fri, 26 Aug 2016, Simo Sorce wrote:
> >On Fri, 2016-08-26 at 12:39 +0200, Martin Basti wrote:
> >> > I miss "why" part of "To be able to handle backward compatibility
> >> with
>
hard rule.
OTOH if an admin does not understand this difference, they may be
surprised to find out there are clients that do not honor it.
Perhaps we could find a way to set a flag on the rule such that when set
(and only when set) older clients get excluded by way of changing the
objectclass or some
ions needs more work, especially for non-standard
> > commands like timerule-test.
> >
> >>
> >> On the link below is a PROTOTYPE-patched FreeIPA that covers most of the
> >> CLI functionality (except for the creation of iCalendar strings from
> >> opt
On Tue, 2016-08-16 at 12:34 +0200, Martin Basti wrote:
>
> On 14.08.2016 10:59, Simo Sorce wrote:
> >
> > On Thu, 2016-08-11 at 14:51 +0200, Martin Basti wrote:
> > >
> > > On 05.08.2016 14:13, Lukas Slebodnik wrote:
> > > >
On Thu, 2016-08-11 at 14:51 +0200, Martin Basti wrote:
>
> On 05.08.2016 14:13, Lukas Slebodnik wrote:
> > On (05/08/16 12:43), Petr Vobornik wrote:
> >> On 07/28/2016 01:01 PM, Martin Basti wrote:
> >>>
> >>> On 25.07.2016 11:46, Simo Sorce wrot
On Fri, 2016-07-29 at 15:19 +0200, Martin Basti wrote:
>
> On 29.07.2016 15:12, Simo Sorce wrote:
> > On Fri, 2016-07-29 at 15:10 +0200, Martin Basti wrote:
> >> On 29.07.2016 14:42, Florence Blanc-Renaud wrote:
> >>> On 07/28/2016 10:56 AM, Martin B
ui => OK
> >
> >
> > But the patch produces new pep8 complaints:
> > ./ipaserver/plugins/migration.py:39:1: E402 module level import not at
> > top of file
>
> This is caused by old code, it should not prevent this patch to be
> acked. Imports are
On Mon, 2016-07-25 at 11:26 -0400, Simo Sorce wrote:
> On Mon, 2016-07-25 at 11:10 -0400, Rob Crittenden wrote:
> > Simo Sorce wrote:
> > > On Mon, 2016-07-25 at 10:55 -0400, Rob Crittenden wrote:
> > >> Simo Sorce wrote:
> > >>> As described in #2
On Mon, 2016-07-25 at 12:13 -0400, Ben Lipton wrote:
> On 07/25/2016 11:07 AM, Simo Sorce wrote:
> > On Mon, 2016-07-25 at 11:04 -0400, Simo Sorce wrote:
> >> On Mon, 2016-07-25 at 10:51 -0400, Ben Lipton wrote:
> >>> On 07/25/2016 05:07 AM, Simo Sorce wrote:
>
On Mon, 2016-07-25 at 12:09 -0400, Ben Lipton wrote:
> On 07/25/2016 12:03 PM, Simo Sorce wrote:
> > On Mon, 2016-07-25 at 18:05 +0300, Alexander Bokovoy wrote:
> >>> But maybe I'm not seeing the proper priorities here. Perhaps it's
> >> more
at the client side.
I would definitely veto any scheme where the client must send the
private key to the server. I thought the server would generate the CSR,
but then it would be sent to the client for signing ?
Simo.
On Mon, 2016-07-25 at 11:10 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Mon, 2016-07-25 at 10:55 -0400, Rob Crittenden wrote:
> >> Simo Sorce wrote:
> >>> As described in #232 start restricting the use of the setkeytab
> >>> operation to
On Mon, 2016-07-25 at 11:04 -0400, Simo Sorce wrote:
> On Mon, 2016-07-25 at 10:51 -0400, Ben Lipton wrote:
> > On 07/25/2016 05:07 AM, Simo Sorce wrote:
> > > On Mon, 2016-07-25 at 10:50 +0200, Jan Cholasta wrote:
> > >> Anyway, my main grudge is that the
On Mon, 2016-07-25 at 10:51 -0400, Ben Lipton wrote:
> On 07/25/2016 05:07 AM, Simo Sorce wrote:
> > On Mon, 2016-07-25 at 10:50 +0200, Jan Cholasta wrote:
> >> Anyway, my main grudge is that the transformation rules shouldn't
> >> really
> >> be stored o
On Mon, 2016-07-25 at 10:55 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > As described in #232 start restricting the use of the setkeytab
> > operation to just the computers objects.
> >
> > I haven't tested this with older RHEL/CentOS machines that actually
agree with this approach.
Simo.
From 26afe94cea65ba50041592cf31f97b9e0502aeb0 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Mon, 25 Jul 2016 06:46:24 -0400
Subject: [PATCH] Restrict the old setkeytab operation
Allow it only to set computers keys by defaul
On Wed, 2016-07-20 at 15:17 +0200, David Kupka wrote:
> On 20/07/16 12:11, Simo Sorce wrote:
> > Attached patch introduces a helper function and avoids the questionable
> > replace+delete operations where possible (still employed in the
> > entry_to_mods function).
> >
t; to
> break all the clients).
W/o entering in specific +1 as a general comment on this.
If it can be done on the client, probably better be done there.
Simo.
On Wed, 2016-07-20 at 12:14 -0400, Ben Lipton wrote:
> On 07/20/2016 10:37 AM, Simo Sorce wrote:
> >
> > On Wed, 2016-07-20 at 10:17 -0400, Ben Lipton wrote:
> > >
> > > On 07/20/2016 06:27 AM, Simo Sorce wrote:
> > > >
> > >
On Wed, 2016-07-20 at 10:17 -0400, Ben Lipton wrote:
> On 07/20/2016 06:27 AM, Simo Sorce wrote:
> >
> > On Tue, 2016-07-19 at 16:20 -0400, Ben Lipton wrote:
> > >
> > > Hi,
> > >
> > > I have updated the design page
> > > http:
On Tue, 2016-07-19 at 16:20 -0400, Ben Lipton wrote:
> Hi,
>
> I have updated the design page
> http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generati
> on/Mapping_Rules
> with my plan for implementing user-configurable rules for mapping
> IPA
> data into certificate requests. In
From fec7ed2d2d7d8352d1a6a9cf5607476c9fd5d65f Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Tue, 19 Jul 2016 07:43:50 -0400
Subject: [PATCH] Simplify date manipulation in pwd plugin
Use a helper function to perform operations on dates in LDAP attributes.
Related to #2795
Signed-off-by: Simo Sorce
---
daemons/ipa-slapi-pl
On Tue, 2016-07-19 at 10:17 +0200, thierry bordaz wrote:
>
>
> On 07/13/2016 10:02 PM, Lukas Slebodnik wrote:
> > On (13/07/16 16:50), thierry bordaz wrote:
> >> https://fedorahosted.org/freeipa/ticket/6030
> >> From 4efedc5e674db92f9f7c160429df543422ed8afb Mon Sep 17 00:00:00
> 2001
> >> From:
On Fri, 2016-07-15 at 14:29 +0200, Stanislav Laznicka wrote:
> On 07/15/2016 02:10 PM, Simo Sorce wrote:
> >
> > On Wed, 2016-05-18 at 15:28 +0200, Stanislav Laznicka wrote:
> > >
> > > On 05/18/2016 02:19 PM, Alexander Bokovoy wrote:
> > > >
On Wed, 2016-05-18 at 15:28 +0200, Stanislav Laznicka wrote:
> On 05/18/2016 02:19 PM, Alexander Bokovoy wrote:
> >
> > On Wed, 18 May 2016, Stanislav Laznicka wrote:
> > >
> > > >
> > > > >
> > > > > when removal succeeds but addition fails for some reason?
> > > > > The
> > > > > operation i
On Wed, 2016-07-13 at 16:35 +0200, Martin Babinsky wrote:
> On 07/13/2016 04:28 PM, Simo Sorce wrote:
> >
> > On Wed, 2016-07-13 at 16:19 +0200, Martin Babinsky wrote:
> > >
> > > On 07/13/2016 03:08 PM, Simo Sorce wrote:
> > > >
> > > >
On Wed, 2016-07-13 at 16:19 +0200, Martin Babinsky wrote:
> On 07/13/2016 03:08 PM, Simo Sorce wrote:
> >
> > On Wed, 2016-07-13 at 14:37 +0200, Petr Vobornik wrote:
> > >
> > > On 07/12/2016 04:19 PM, Simo Sorce wrote:
> > > >
> > > >
On Wed, 2016-07-13 at 14:37 +0200, Petr Vobornik wrote:
> On 07/12/2016 04:19 PM, Simo Sorce wrote:
> >
> > On Tue, 2016-07-12 at 15:46 +0200, Martin Babinsky wrote:
> > >
> > > On 07/12/2016 02:00 PM, Martin Babinsky wrote:
> > > >
> > >
On Wed, 2016-07-13 at 13:53 +0200, Martin Babinsky wrote:
> On 07/12/2016 04:19 PM, Simo Sorce wrote:
> >
> > On Tue, 2016-07-12 at 15:46 +0200, Martin Babinsky wrote:
> > >
> > > On 07/12/2016 02:00 PM, Martin Babinsky wrote:
> > > >
> > >
On Tue, 2016-07-12 at 15:46 +0200, Martin Babinsky wrote:
> On 07/12/2016 02:00 PM, Martin Babinsky wrote:
> >
> > On 07/12/2016 01:05 PM, Alexander Bokovoy wrote:
> > >
> > > On Mon, 11 Jul 2016, Martin Babinsky wrote:
> > > >
> > > > From 185bde00a76459430d95ff207bf1fb3fe31e811a Mon Sep 17
> >
On Wed, 2016-06-22 at 18:36 +0200, Martin Babinsky wrote:
> On 06/22/2016 06:26 PM, Simo Sorce wrote:
> > On Wed, 2016-06-22 at 09:46 +0200, Martin Babinsky wrote:
> >> On 10/05/2015 03:00 PM, Martin Babinsky wrote:
> >>> These patches implement the plumbin
> plumbing for further work (API for alias handling etc.) is in place.
>
If the patches were all reviewed and tested I say push them.
Simo.
a file containing the configuration.
> * No escaping for special characters, multiline value support is patchy
> (not present at all in dinglibs). This will limit the ways to specify
>the recording notice presented to the users at the start of tlog-rec.
>
>
On Tue, 2016-05-24 at 16:32 +0300, Alexander Bokovoy wrote:
> On Tue, 24 May 2016, Simo Sorce wrote:
> >On Tue, 2016-05-24 at 10:44 +0300, Alexander Bokovoy wrote:
> >> >Alternative technical approach is to add aliases to an host's
> >> attribute and
> >
n a proper OID for OTP_REQUIRED_OID ?
@@ -446,6 +446,9 @@ IPA Extensions and Controls OIDs
2.16.840.1.113730.3.8.10.6 Token Resynchronization Control OID
+2.16.840.1.113730.3.8.10.7 Token Required Control OID
+Control to signal an OTP bind is required
+
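Review bot: the new registry entry carries a second free-text line under the OID ("Control to signal an OTP bind is required") plus a trailing blank line, whereas the neighbouring entry (2.16.840.1.113730.3.8.10.6 Token Resynchronization Control OID) is a single line; keep the new entry to the same one-line form, or put the explanation wherever the other controls document their purpose, so the OID list stays uniform and easy to grep. The numbering itself follows the existing sequence (.10.6 to .10.7), which answers the question about a proper OID.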
pares appropriate
reference attributes on the main object, but it still is a manual
setting of "referrals" somewhere.
> I really do not like these ad-hoc hacks and I'm looking for a
> systematic solution.
Is this just for certs ? Or something else ?
Simo.
"alias" word here to just mean "hosts that have
multiple identities" like clusters/load balancers/proxies etc... ?
Simo.
On Wed, 2016-05-04 at 15:39 +0200, Martin Kosek wrote:
> On 05/02/2016 02:28 PM, David Kupka wrote:
> > https://fedorahosted.org/freeipa/ticket/2795
>
> That patch looks suspiciously short given the struggles I saw in
> http://www.redhat.com/archives/freeipa-devel/2015-June/msg00198.html
> :-)
>
>>! Command
> >>! Options
> >>|-
> >>| trust-add
> >>| --external=true/false
> >>|}
> >
> >We should also add 'external' param to output of trust_find and
> >trust_show + corresponding change in Web UI and CLI.
On Thu, 2016-04-21 at 17:39 +0200, Petr Spacek wrote:
> On 19.4.2016 19:17, Simo Sorce wrote:
> > On Tue, 2016-04-19 at 11:11 +0200, Petr Spacek wrote:
> >> On 18.4.2016 21:33, Simo Sorce wrote:
> >>> On Mon, 2016-04-18 at 17:44 +0200, Petr Spacek wrote:
On Tue, 2016-04-19 at 21:57 -0400, Simo Sorce wrote:
> On Wed, 2016-04-20 at 11:32 +1000, Fraser Tweedale wrote:
> > On Tue, Apr 19, 2016 at 07:48:27AM +0200, Jan Cholasta wrote:
> > > On 14.4.2016 08:56, Jan Cholasta wrote:
> > > >On 7.4.2016 16:17, Petr Spacek wr
>>>
> > >>>Now for next question: what should service principal name be? I
> > >>>think `dogtag/example@example.com' but am open to other
> > >>>suggestions, e.g. `pki/...'.
> > >>
> > >>Do you plan to attem
On Tue, 2016-04-19 at 11:11 +0200, Petr Spacek wrote:
> On 18.4.2016 21:33, Simo Sorce wrote:
> > On Mon, 2016-04-18 at 17:44 +0200, Petr Spacek wrote:
> >> * Find, filter and copy hand-made records from main tree into the
> >> _locations sub-trees. This means
On Tue, 2016-04-19 at 12:37 +0200, Martin Babinsky wrote:
> On 04/19/2016 10:11 AM, David Kupka wrote:
> > On 18/04/16 21:42, Simo Sorce wrote:
> >> On Wed, 2016-04-13 at 07:50 +0200, David Kupka wrote:
> >>> On 08/04/16 17:10, Martin Babinsky wrote:
On Thu, 2016-04-14 at 16:33 +1000, Fraser Tweedale wrote:
> On Wed, Apr 13, 2016 at 11:15:50AM +1000, Fraser Tweedale wrote:
> > On Tue, Apr 12, 2016 at 09:31:30AM -0400, Simo Sorce wrote:
> > > On Sat, 2016-04-09 at 10:11 +1000, Fraser Tweedale wrote:
> > > > On F
avior, but then we need to make it conditional and this all
starts to sound a lot like a new domain level.
OTOH only alias resolution fails on older KDCs, so that may be ok in
some cases.
Are there any strong opinions?
Should we make this change optional and activate it only when enough
features come u
s disabled by default and needs additional configuration
> anyway so simply upgrading should not break anything.
It is also useless this way.
> I'm eager to hear opinions and answers to questions above.
HTH,
Simo.
On Sat, 2016-04-09 at 10:11 +1000, Fraser Tweedale wrote:
> On Fri, Apr 08, 2016 at 10:47:19AM -0400, Simo Sorce wrote:
> > On Sat, 2016-04-09 at 00:23 +1000, Fraser Tweedale wrote:
> > > -name = gssapi.Name('
On Tue, 2016-04-12 at 21:26 +1000, Fraser Tweedale wrote:
> On Tue, Apr 12, 2016 at 12:55:50PM +0200, Jan Cholasta wrote:
> > Hi,
> >
> > On 12.4.2016 09:03, Fraser Tweedale wrote:
> > >Hi Simo and Honza et al,
> > >
> > >I have a design challenge pertaining to DNs for Custodia keys.
> > >DNs for
krbPrincipalName: user_TWO@
> krbPrincipalName: *user_**One*@
>
> So KDB, searching as case insensitive
> "krbPrincipalName:caseIgnoreIA5Match:=USER_one@" will
> retrieve user_one and user_two ?
Yes, but it is an error to have the same alia
opulated => old and new replicas can work in the same topology.
> >
> Ok I will make this more clear.
Old attributes should not be populated, we are abandoning them because
they can't work, they will simply not be removed from the schema to
avoid constraints violations, but they will ra
On Sat, 2016-04-09 at 00:23 +1000, Fraser Tweedale wrote:
> -name = gssapi.Name('host@%s' % (self.client,),
>
> - gssapi.NameType.hostbased_service)
If you remove this then on a server that has nfs keys in the keytab you
may end up acquiring the wrong credentials.
On Thu, 2016-04-07 at 16:43 +1000, Fraser Tweedale wrote:
> Hi team,
>
> I updated the Sub-CAs design page with more detail for the key
> replication[1]. This part of the design is nearly complete (a large
> patchset is in review over at pki-devel@) but there are various
> options about how to au
$ROLE)
I am not sure why we use enable/disable verbs here, why not a simple
add/remove ?
enable/disable usually means you can add a role but keep it disabled,
or that you can keep a role installed and just disable it, but that is
not really the case.
Also I would like to draw attention to one o
- Original Message -
> From: "Petr Vobornik"
> To: "Simo Sorce"
> Cc: "freeipa-devel"
> Sent: Wednesday, March 16, 2016 12:16:02 PM
> Subject: Re: [PATCH] 955 sessions: use unique mod_auth_gssapi ccaches
>
> On 03/10/2016 03:25 PM
On Fri, 2016-03-18 at 15:28 +0100, Petr Vobornik wrote:
> On 03/18/2016 02:59 PM, Simo Sorce wrote:
> > On Fri, 2016-03-18 at 14:44 +0100, Petr Vobornik wrote:
> >> On 03/18/2016 10:59 AM, Martin Kosek wrote:
> >>> On 03/18/2016 10:47 AM, Martin Babinsky wrote:
On Thu, 2016-03-10 at 19:20 +0100, Pavel Vomacka wrote:
>
> On 03/10/2016 07:02 PM, Simo Sorce wrote:
> > On Thu, 2016-03-10 at 18:47 +0100, Pavel Vomacka wrote:
> >> Hi,
> >>
> >> These two options allow preventing clickjacking attacks. They don't
On Thu, 2016-03-10 at 18:47 +0100, Pavel Vomacka wrote:
> Hi,
>
> These two options allow preventing clickjacking attacks. They don't
> allow open FreeIPA in frame, iframe or object element.
Will these apply to the whole server or just to /ipa ?
Simo.
", I was
thinking about keeping a record of the expiration time (not sure where
yet), and then provide a cron job or a systemd timer to clean up all
expired stuff.
Simo.
On Tue, 2016-03-08 at 17:20 +0100, Martin Babinsky wrote:
> On 03/08/2016 05:00 PM, Simo Sorce wrote:
> > On Tue, 2016-03-08 at 16:51 +0100, Martin Babinsky wrote:
> >> On 03/08/2016 04:49 PM, Simo Sorce wrote:
> >>> On Fri, 2015-12-04 at 14:23 +0100, Martin Babinsky
On Tue, 2016-03-08 at 16:51 +0100, Martin Babinsky wrote:
> On 03/08/2016 04:49 PM, Simo Sorce wrote:
> > On Fri, 2015-12-04 at 14:23 +0100, Martin Babinsky wrote:
> >> On 12/01/2015 10:08 PM, Simo Sorce wrote:
> >>> On Tue, 2015-12-01 at 15:59 +0100, Martin Babinsky
On Fri, 2015-12-04 at 14:23 +0100, Martin Babinsky wrote:
> On 12/01/2015 10:08 PM, Simo Sorce wrote:
> > On Tue, 2015-12-01 at 15:59 +0100, Martin Babinsky wrote:
> >> On 11/30/2015 07:42 PM, Simo Sorce wrote:
> >>> On Wed, 2015-11-25 at 10:33 +0100, Martin Babinsky
ciated name suffixes.
>
> There are actually two different approaches we discussed with Sumit
> -- one is to store TLNs as attributes of TDO, another is to create
> separate TDOs, building on the fact you noticed:
> >Btw trustdomain object has ipantflatname and ipanttrusteddomainsid
> >attributes as optional so it is possible to store it there assuming
> >modification of KDB driver.
> This is what I did already in the prototype:
> https://abbra.fedorapeople.org/.paste/0001-WIP-support-UPNs-for-trusted-domain-users.master.patch
>
> So we are sure that either way would work, the question is what would be
> more usable UX-wise.
How does Windows represent them ?
I'd try to stick to something close to what AD does to avoid pain if
later is found that the way Windows does things is necessary (or just
easier) to keep adding further options down the road.
Simo.