Re: [Freeipa-devel] [PATCH] 0008 Fixes different behaviour of permission-mod and show.

2012-08-27 Thread Tomas Babej
On 08/23/2012 02:46 PM, Rob Crittenden wrote: Tomas Babej wrote: On 08/22/2012 05:15 PM, Rob Crittenden wrote: Tomas Babej wrote: Hi, Both commands now produce the same output regarding the attributelevelrights. https://fedorahosted.org/freeipa/ticket/2875 I think some unit tests would be

[Freeipa-devel] [PATCH 0009] Improves deletion of PTR records in ipa host-del.

2012-08-28 Thread Tomas Babej
Hi, Command ipa host-del with --updatedns now can deal both with hosts which zones are in FQDN form with or without a trailing dot. https://fedorahosted.org/freeipa/ticket/2809 Tomas ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www

Re: [Freeipa-devel] [PATCH 0009] Improves deletion of PTR records in ipa host-del.

2012-08-28 Thread Tomas Babej
On 08/28/2012 02:11 PM, Tomas Babej wrote: Hi, Command ipa host-del with --updatedns now can deal both with hosts which zones are in FQDN form with or without a trailing dot. https://fedorahosted.org/freeipa/ticket/2809 Tomas

[Freeipa-devel] [PATCH 0006] Improves sssd.conf handling during ipa-client uninstall

2012-08-29 Thread Tomas Babej
0 Tomas From fac8d676d2e727977a8a52bdd2990eb2839b54c4 Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Fri, 17 Aug 2012 08:56:45 -0400 Subject: [PATCH] Improves sssd.conf handling during ipa-client uninstall The sssd.conf file is no longer left behind in case sssd was not configured before the installation. However, the

[Freeipa-devel] [PATCH 0010] Sort policies numerically in pwpolicy-find

2012-08-31 Thread Tomas Babej
Hi, this is a fairly simple one-liner. https://fedorahosted.org/freeipa/ticket/3039 Tomas From fd68588f8fbd28c942042fe8fb55bc3bef90e345 Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Fri, 31 Aug 2012 05:29:32 -0400 Subject: [PATCH] Sort policies numerically in pwpolicy-find ht

Re: [Freeipa-devel] [PATCH 0010] Sort policies numerically in pwpolicy-find

2012-08-31 Thread Tomas Babej
On 08/31/2012 07:08 PM, Rob Crittenden wrote: Tomas Babej wrote: Hi, this is a fairly simple one-liner. https://fedorahosted.org/freeipa/ticket/3039 Tomas Looks good. Can you add a unit test so we don't have a regression on this? thanks rob I tweaked one of the existing unit

[Freeipa-devel] [PATCH 0011] Make sure selinuxusemap behaves consistently to HBAC rule

2012-09-03 Thread Tomas Babej
>From 8cfde7e9fde521608557b6767ad91dee1901b45f Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Mon, 3 Sep 2012 10:49:53 -0400 Subject: [PATCH] Make sure selinuxusemap behaves consistently to HBAC rule Both selinuxusermap-add and selinuxusermap-mod commands now behave consistently in not allow

[Freeipa-devel] [PATCH 0012] Change slapi_mods_init in ipa_winsync_pre_ad_mod_user_mods_cb

2012-09-04 Thread Tomas Babej
Hi, https://fedorahosted.org/freeipa/ticket/2953 Tomas. From 37765df5653f1c2ef8d4c6382b28269d48ab112a Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Tue, 4 Sep 2012 09:20:10 -0400 Subject: [PATCH] Change slapi_mods_init in ipa_winsync_pre_ad_mod_user_mods_cb https://fedorahosted.

[Freeipa-devel] [PATCH 0013] Remove user-unfriendly "u" character from error messages

2012-09-05 Thread Tomas Babej
Hi, User-unfriendly errors were caused by re-raising errors from external python module netaddr. https://fedorahosted.org/freeipa/ticket/2588 Tomas From 34f3da391a8e070b29640b0ecdfed6db81b86ce2 Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Wed, 5 Sep 2012 09:03:18 -0400 Subject: [PA

Re: [Freeipa-devel] [PATCH 0013] Remove user-unfriendly "u" character from error messages

2012-09-05 Thread Tomas Babej
On 09/05/2012 03:42 PM, Petr Viktorin wrote: On 09/05/2012 03:19 PM, Tomas Babej wrote: Hi, User-unfriendly errors were caused by re-raising errors from external python module netaddr. https://fedorahosted.org/freeipa/ticket/2588 Tomas

Re: [Freeipa-devel] [PATCH 0011] Make sure selinuxusemap behaves consistently to HBAC rule

2012-09-06 Thread Tomas Babej
On 09/05/2012 01:56 PM, Martin Kosek wrote: On 09/03/2012 05:12 PM, Tomas Babej wrote: Hi, Both selinuxusermap-add and selinuxusermap-mod commands now behave consistently in not allowing user/host category or user/host members and HBAC rule being set at the same time. Also adds a bunch of unit

Re: [Freeipa-devel] [PATCH 0011] Make sure selinuxusemap behaves consistently to HBAC rule

2012-09-12 Thread Tomas Babej
On 09/11/2012 01:14 PM, Martin Kosek wrote: On 09/06/2012 01:13 PM, Tomas Babej wrote: On 09/05/2012 01:56 PM, Martin Kosek wrote: On 09/03/2012 05:12 PM, Tomas Babej wrote: Hi, Both selinuxusermap-add and selinuxusermap-mod commands now behave consistently in not allowing user/host category

Re: [Freeipa-devel] [PATCH 0006] Improves sssd.conf handling during ipa-client uninstall

2012-09-18 Thread Tomas Babej
On 09/12/2012 05:29 PM, Martin Kosek wrote: On 08/29/2012 02:54 PM, Tomas Babej wrote: On 08/27/2012 04:55 PM, Martin Kosek wrote: On 08/27/2012 03:37 PM, Jakub Hrozek wrote: On Mon, Aug 27, 2012 at 02:57:44PM +0200, Martin Kosek wrote: I think that the right behavior of SSSD conf uninstall

Re: [Freeipa-devel] [PATCH 0006] Improves sssd.conf handling during ipa-client uninstall

2012-09-20 Thread Tomas Babej
On 09/20/2012 02:42 PM, Martin Kosek wrote: On 09/18/2012 11:21 AM, Tomas Babej wrote: On 09/12/2012 05:29 PM, Martin Kosek wrote: On 08/29/2012 02:54 PM, Tomas Babej wrote: On 08/27/2012 04:55 PM, Martin Kosek wrote: On 08/27/2012 03:37 PM, Jakub Hrozek wrote: On Mon, Aug 27, 2012 at 02:57

[Freeipa-devel] [PATCH 0014] Improve user addition to default group in host-add

2012-09-25 Thread Tomas Babej
cases. https://fedorahosted.org/freeipa/ticket/3097 Tomas From 931d947b27c3e84c09f075c799e04f0ac723ab60 Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Tue, 25 Sep 2012 06:20:49 -0400 Subject: [PATCH] Improve user addition to default group in host-add On adding new user, host-add tries to make

[Freeipa-devel] [PATCH 0015] Restrict admins group modifications

2012-09-25 Thread Tomas Babej
Hi, Group-mod command no longer allows --rename and/or --external changes made to the admins group. In such cases, ProtectedEntryError is being raised. https://fedorahosted.org/freeipa/ticket/3098 Tomas From 667031a12f7c2bc0b95573afc0a7cf572d64cb43 Mon Sep 17 00:00:00 2001 From: Tomas Ba

Re: [Freeipa-devel] [PATCH 0015] Restrict admins group modifications

2012-09-25 Thread Tomas Babej
On 09/25/2012 02:31 PM, Martin Kosek wrote: On 09/25/2012 02:22 PM, Tomas Babej wrote: Hi, Group-mod command no longer allows --rename and/or --external changes made to the admins group. In such cases, ProtectedEntryError is being raised. https://fedorahosted.org/freeipa/ticket/3098 Tomas

[Freeipa-devel] [PATCH 0016] Adds port to connection error message in ipa-client-install

2012-09-26 Thread Tomas Babej
001 From: Tomas Babej Date: Wed, 26 Sep 2012 08:52:50 -0400 Subject: [PATCH] Adds port to connection error message in ipa-client-install Connection error message in ipa-client-install now warns the user about the need of opening 389 port for directory server. https://fedorahosted.org/freeipa/tic

Re: [Freeipa-devel] [PATCH 0014] Improve user addition to default group in host-add

2012-09-26 Thread Tomas Babej
On 09/25/2012 12:37 PM, Tomas Babej wrote: Hi, On adding new user, host-add tries to make it a member of default user group. This, however, can raise AlreadyGroupMember when the user is already member of this group due to automember rule or default group configured. This patch makes sure

Re: [Freeipa-devel] [PATCH 0014] Improve user addition to default group in host-add

2012-10-01 Thread Tomas Babej
On 09/26/2012 04:12 PM, Martin Kosek wrote: On 09/26/2012 03:23 PM, Tomas Babej wrote: On 09/25/2012 12:37 PM, Tomas Babej wrote: Hi, On adding new user, host-add tries to make it a member of default user group. This, however, can raise AlreadyGroupMember when the user is already member of

Re: [Freeipa-devel] [PATCH 0016] Adds port to connection error message in ipa-client-install

2012-10-01 Thread Tomas Babej
On 09/26/2012 09:32 PM, Rob Crittenden wrote: Tomas Babej wrote: Hi, Connection error message in ipa-client-install now warns the user about the need of opening 389 port for directory server. https://fedorahosted.org/freeipa/ticket/2816 I think this can be pushed as a one-liner. I think we

Re: [Freeipa-devel] [PATCH 0015] Restrict admins group modifications

2012-10-02 Thread Tomas Babej
On 09/26/2012 05:44 PM, Martin Kosek wrote: On 09/25/2012 02:59 PM, Tomas Babej wrote: On 09/25/2012 02:31 PM, Martin Kosek wrote: On 09/25/2012 02:22 PM, Tomas Babej wrote: Hi, Group-mod command no longer allows --rename and/or --external changes made to the admins group. In such cases

[Freeipa-devel] [PATCH 0017] Improve error message in ipa-replica-manage

2012-10-02 Thread Tomas Babej
001 From: Tomas Babej Date: Tue, 2 Oct 2012 09:15:33 -0400 Subject: [PATCH] Improve error message in ipa-replica-manage When executing ipa-replica-manage connect to an unknown or irrelevant master, we now print a sensible error message informing the user about this possibility as well. ht

Re: [Freeipa-devel] [PATCH 0015] Restrict admins group modifications

2012-10-03 Thread Tomas Babej
On 10/03/2012 09:18 AM, Martin Kosek wrote: On 10/02/2012 02:33 PM, Tomas Babej wrote: On 09/26/2012 05:44 PM, Martin Kosek wrote: On 09/25/2012 02:59 PM, Tomas Babej wrote: On 09/25/2012 02:31 PM, Martin Kosek wrote: On 09/25/2012 02:22 PM, Tomas Babej wrote: Hi, Group-mod command no

Re: [Freeipa-devel] [PATCH 0016] Adds port to connection error message in ipa-client-install

2012-10-03 Thread Tomas Babej
On 10/02/2012 08:48 PM, Rob Crittenden wrote: Tomas Babej wrote: On 09/26/2012 09:32 PM, Rob Crittenden wrote: Tomas Babej wrote: Hi, Connection error message in ipa-client-install now warns the user about the need of opening 389 port for directory server. https://fedorahosted.org/freeipa

Re: [Freeipa-devel] [PATCH 0016] Adds port to connection error message in ipa-client-install

2012-10-03 Thread Tomas Babej
On 10/03/2012 03:31 PM, Tomas Babej wrote: On 10/02/2012 08:48 PM, Rob Crittenden wrote: Tomas Babej wrote: On 09/26/2012 09:32 PM, Rob Crittenden wrote: Tomas Babej wrote: Hi, Connection error message in ipa-client-install now warns the user about the need of opening 389 port for directory

Re: [Freeipa-devel] [PATCH 0016] Adds port to connection error message in ipa-client-install

2012-10-04 Thread Tomas Babej
On 10/03/2012 07:27 PM, Rob Crittenden wrote: Tomas Babej wrote: On 10/03/2012 03:31 PM, Tomas Babej wrote: On 10/02/2012 08:48 PM, Rob Crittenden wrote: Tomas Babej wrote: On 09/26/2012 09:32 PM, Rob Crittenden wrote: Tomas Babej wrote: Hi, Connection error message in ipa-client-install

Re: [Freeipa-devel] [PATCH 0017] Improve error message in ipa-replica-manage

2012-10-05 Thread Tomas Babej
On 10/02/2012 03:55 PM, Rob Crittenden wrote: Tomas Babej wrote: Hi, When executing ipa-replica-manage connect to an unknown or irrelevant master, we now print a sensible error message informing the user about this possibility as well. https://fedorahosted.org/freeipa/ticket/3105 Tomas I

Re: [Freeipa-devel] [PATCH 0016] Adds port to connection error message in ipa-client-install

2012-10-10 Thread Tomas Babej
On 10/04/2012 11:06 AM, Tomas Babej wrote: On 10/03/2012 07:27 PM, Rob Crittenden wrote: Tomas Babej wrote: On 10/03/2012 03:31 PM, Tomas Babej wrote: On 10/02/2012 08:48 PM, Rob Crittenden wrote: Tomas Babej wrote: On 09/26/2012 09:32 PM, Rob Crittenden wrote: Tomas Babej wrote: Hi

[Freeipa-devel] [PATCH 0018] Make service naming in ipa-server-install consistent

2012-10-11 Thread Tomas Babej
produced by this patch attached. https://fedorahosted.org/freeipa/ticket/3059 Tomas From 8614544d08b1b2b4e85156bebbe629215fb14915 Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Thu, 11 Oct 2012 03:32:17 -0400 Subject: [PATCH] Make service naming in ipa-server-install consistent Forces m

Re: [Freeipa-devel] [PATCH 0018] Make service naming in ipa-server-install consistent

2012-10-11 Thread Tomas Babej
On 10/11/2012 12:32 PM, Martin Kosek wrote: On 10/11/2012 12:26 PM, Tomas Babej wrote: Hi, This patch forces more consistency into ipa-server-install output. All descriptions of services that are not instances of SimpleServiceInstance are now in the following format: () Furthermore

[Freeipa-devel] [PATCH 0019] Forbid overlapping primary and secondary rid ranges

2012-10-16 Thread Tomas Babej
://fedorahosted.org/freeipa/ticket/3086 Tomas From a46a8d0aa4e64e105a53a177b6a12cf28e56620e Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Mon, 15 Oct 2012 06:28:16 -0400 Subject: [PATCH] Forbid overlapping primary and secondary rid ranges Commands ipa idrange-add / idrange-mod no longer allows

Re: [Freeipa-devel] [PATCH 0019] Forbid overlapping primary and secondary rid ranges

2012-10-17 Thread Tomas Babej
On 10/17/2012 11:14 AM, Sumit Bose wrote: On Tue, Oct 16, 2012 at 02:26:24PM +0200, Tomas Babej wrote: Hi, commands ipa idrange-add / idrange-mod no longer allows the user to enter primary or secondary rid range such that has non-zero intersection with primary or secondary rid range of another

Re: [Freeipa-devel] [PATCH 0019] Forbid overlapping primary and secondary rid ranges

2012-10-17 Thread Tomas Babej
On 10/17/2012 02:34 PM, Sumit Bose wrote: On Wed, Oct 17, 2012 at 12:59:52PM +0200, Tomas Babej wrote: On 10/17/2012 11:14 AM, Sumit Bose wrote: On Tue, Oct 16, 2012 at 02:26:24PM +0200, Tomas Babej wrote: Hi, commands ipa idrange-add / idrange-mod no longer allows the user to enter primary

[Freeipa-devel] [PATCH 0020] Refactoring of default.conf man page

2012-10-17 Thread Tomas Babej
ases execution time. The rest of the patch is just sorting options lexicographically. Tomas From 0ad81fd6cfca017631c705465f940a9b461a52ce Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Wed, 17 Oct 2012 08:27:26 -0400 Subject: [PATCH] Refactoring of default.conf man page Description fo

Re: [Freeipa-devel] [PATCH 0019] Forbid overlapping primary and secondary rid ranges

2012-10-17 Thread Tomas Babej
On 10/17/2012 08:12 PM, Sumit Bose wrote: On Wed, Oct 17, 2012 at 03:29:11PM +0200, Tomas Babej wrote: On 10/17/2012 02:34 PM, Sumit Bose wrote: On Wed, Oct 17, 2012 at 12:59:52PM +0200, Tomas Babej wrote: On 10/17/2012 11:14 AM, Sumit Bose wrote: On Tue, Oct 16, 2012 at 02:26:24PM +0200

Re: [Freeipa-devel] [PATCH 0018] Make service naming in ipa-server-install consistent

2012-10-19 Thread Tomas Babej
On 10/18/2012 11:27 AM, Martin Kosek wrote: On 10/11/2012 05:11 PM, Tomas Babej wrote: On 10/11/2012 12:32 PM, Martin Kosek wrote: On 10/11/2012 12:26 PM, Tomas Babej wrote: Hi, This patch forces more consistency into ipa-server-install output. All descriptions of services that are not

Re: [Freeipa-devel] [PATCH 0018] Make service naming in ipa-server-install consistent

2012-10-19 Thread Tomas Babej
On 10/19/2012 01:44 PM, Martin Kosek wrote: On 10/19/2012 01:26 PM, Tomas Babej wrote: On 10/18/2012 11:27 AM, Martin Kosek wrote: On 10/11/2012 05:11 PM, Tomas Babej wrote: On 10/11/2012 12:32 PM, Martin Kosek wrote: On 10/11/2012 12:26 PM, Tomas Babej wrote: Hi, This patch forces more

Re: [Freeipa-devel] [PATCH 0020] Refactoring of default.conf man page

2012-10-22 Thread Tomas Babej
On 10/18/2012 05:14 PM, Rob Crittenden wrote: Tomas Babej wrote: Hi, Description for the 'server' and 'wait_for_attr' option has been added. Option 'server' has been marked as deprecated, as it is not used anywhere in IPA code. All the options have been sor

Re: [Freeipa-devel] [PATCH 0017] Improve error message in ipa-replica-manage

2012-10-22 Thread Tomas Babej
On 10/19/2012 09:55 AM, Petr Viktorin wrote: On 10/18/2012 08:01 PM, Rob Crittenden wrote: Tomas Babej wrote: On 10/02/2012 03:55 PM, Rob Crittenden wrote: Tomas Babej wrote: Hi, When executing ipa-replica-manage connect to an unknown or irrelevant master, we now print a sensible error

Re: [Freeipa-devel] [PATCH 0018] Make service naming in ipa-server-install consistent

2012-10-22 Thread Tomas Babej
On 10/19/2012 03:16 PM, Martin Kosek wrote: On 10/19/2012 02:49 PM, Tomas Babej wrote: On 10/19/2012 01:44 PM, Martin Kosek wrote: On 10/19/2012 01:26 PM, Tomas Babej wrote: On 10/18/2012 11:27 AM, Martin Kosek wrote: On 10/11/2012 05:11 PM, Tomas Babej wrote: On 10/11/2012 12:32 PM, Martin

Re: [Freeipa-devel] [PATCH 0017] Improve error message in ipa-replica-manage

2012-10-25 Thread Tomas Babej
On 10/24/2012 04:40 AM, Rob Crittenden wrote: Tomas Babej wrote: On 10/19/2012 09:55 AM, Petr Viktorin wrote: On 10/18/2012 08:01 PM, Rob Crittenden wrote: Tomas Babej wrote: On 10/02/2012 03:55 PM, Rob Crittenden wrote: Tomas Babej wrote: Hi, When executing ipa-replica-manage connect to

Re: [Freeipa-devel] [PATCH 0017] Improve error message in ipa-replica-manage

2012-10-25 Thread Tomas Babej
On 10/25/2012 12:40 PM, Tomas Babej wrote: On 10/24/2012 04:40 AM, Rob Crittenden wrote: Tomas Babej wrote: On 10/19/2012 09:55 AM, Petr Viktorin wrote: On 10/18/2012 08:01 PM, Rob Crittenden wrote: Tomas Babej wrote: On 10/02/2012 03:55 PM, Rob Crittenden wrote: Tomas Babej wrote: Hi

[Freeipa-devel] --setattr for attributes that are handled via command options

2012-10-26 Thread Tomas Babej
In many ipa commands you are usually able to mess things up using --setattr for attributes that are handled by command options. using --setattr=attributename=: - I am able to set the attribute to None using --setattr=attributename=value: - I am often able to bypass validation in pre_callbac

[Freeipa-devel] [PATCH 0021] Forbid overlapping rid ranges for the same id range

2012-10-26 Thread Tomas Babej
993 Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Fri, 26 Oct 2012 07:43:05 -0400 Subject: [PATCH] Forbid overlapping rid ranges for the same id range Creating an id range with overlapping primary and secondary rid range using idrange-add or idrange-mod command now raises ValidationError. Unit te

[Freeipa-devel] [PATCH 0022] Relax restriction for leading/trailing whitespaces in *-find commands

2012-10-30 Thread Tomas Babej
Hi, All *-find commands now enable leading/trailing whitespaces in the search phrase. Behaviour has been implemented directly into crud.Search class. https://fedorahosted.org/freeipa/ticket/2981 Tomas From 6b7f3d99a9592e2f8e1155e12d743a60453f7e83 Mon Sep 17 00:00:00 2001 From: Tomas Ba

Re: [Freeipa-devel] [PATCH 0022] Relax restriction for leading/trailing whitespaces in *-find commands

2012-10-31 Thread Tomas Babej
On 10/31/2012 12:15 PM, Martin Kosek wrote: On 10/31/2012 10:16 AM, Martin Kosek wrote: On 10/30/2012 03:08 PM, Tomas Babej wrote: Hi, All *-find commands now enable leading/trailing whitespaces in the search phrase. Behaviour has been implemented directly into crud.Search class. https

[Freeipa-devel] [PATCH 0023] Add detection for users from trusted/invalid realms

2012-11-15 Thread Tomas Babej
user@SERVER.REALM or user@server.realm was added. https://fedorahosted.org/freeipa/ticket/3252 Tomas From c7d1f0208be8a577bf4b6f5ea274829dcfdfbdf1 Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Thu, 15 Nov 2012 05:21:16 -0500 Subject: [PATCH] Add detection for users from trusted/invalid realms W

Re: [Freeipa-devel] [PATCH 0023] Add detection for users from trusted/invalid realms

2012-11-15 Thread Tomas Babej
On 11/15/2012 12:41 PM, Petr Vobornik wrote: On 11/15/2012 11:54 AM, Tomas Babej wrote: Hi, This is server part of #3252. When user from other realm than FreeIPA's tries to use Web UI (login via forms-based auth or with valid trusted realm ticket), the 401 Unauthorized error with

Re: [Freeipa-devel] [PATCH 0023] Add detection for users from trusted/invalid realms

2012-11-15 Thread Tomas Babej
On 11/15/2012 03:10 PM, Simo Sorce wrote: On Thu, 2012-11-15 at 12:41 +0100, Petr Vobornik wrote: On 11/15/2012 11:54 AM, Tomas Babej wrote: Hi, This is server part of #3252. When user from other realm than FreeIPA's tries to use Web UI (login via forms-based auth or with valid trusted

Re: [Freeipa-devel] [PATCH 0023] Add detection for users from trusted/invalid realms

2012-11-15 Thread Tomas Babej
On 11/15/2012 04:14 PM, Simo Sorce wrote: On Thu, 2012-11-15 at 15:51 +0100, Tomas Babej wrote: On 11/15/2012 03:10 PM, Simo Sorce wrote: On Thu, 2012-11-15 at 12:41 +0100, Petr Vobornik wrote: On 11/15/2012 11:54 AM, Tomas Babej wrote: Hi, This is server part of #3252. When user from

[Freeipa-devel] [PATCH 0024] Make options checks in idrange-add/mod consistent

2012-12-11 Thread Tomas Babej
and rid_base must be used together if dom_rid is not set cat Unit test for third check has been added. http://fedorahosted.org/freeipa/ticket/3170 Tomas From 980ecec7721b53f50318d602dce146e5efc29815 Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Wed, 5 Dec 2012 08:29:55 -0500 Subj

[Freeipa-devel] [PATCH 0025] Add trusted domain range objectclass to idrange-mod

2012-12-11 Thread Tomas Babej
objectclass ipatrustedaddomainrange being added. This patch fixes the issue. Tomas From 9e72a92e942d0fe357ae82cf65a1a94ab03fa0e5 Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Wed, 5 Dec 2012 11:19:57 -0500 Subject: [PATCH] Add trusted domain range objectclass to idrange-mod When modifying the idra

Re: [Freeipa-devel] [PATCH 0021] Forbid overlapping rid ranges for the same id range

2012-12-13 Thread Tomas Babej
On 12/12/2012 04:32 PM, Martin Kosek wrote: On 10/26/2012 03:43 PM, Tomas Babej wrote: Hi, creating an id range with overlapping primary and secondary rid range using idrange-add or idrange-mod command now raises ValidationError. Unit tests have been added to test_range_plugin.py. https

Re: [Freeipa-devel] [PATCH 0021] Forbid overlapping rid ranges for the same id range

2012-12-14 Thread Tomas Babej
On 12/13/2012 02:48 PM, Martin Kosek wrote: On 12/13/2012 11:52 AM, Tomas Babej wrote: On 12/12/2012 04:32 PM, Martin Kosek wrote: On 10/26/2012 03:43 PM, Tomas Babej wrote: Hi, creating an id range with overlapping primary and secondary rid range using idrange-add or idrange-mod command now

Re: [Freeipa-devel] [PATCH 0021] Forbid overlapping rid ranges for the same id range

2012-12-14 Thread Tomas Babej
On 12/14/2012 01:59 PM, Alexander Bokovoy wrote: On Fri, 14 Dec 2012, Tomas Babej wrote: On 12/13/2012 02:48 PM, Martin Kosek wrote: On 12/13/2012 11:52 AM, Tomas Babej wrote: On 12/12/2012 04:32 PM, Martin Kosek wrote: On 10/26/2012 03:43 PM, Tomas Babej wrote: Hi, creating an id range

[Freeipa-devel] [PATCHES 0024-0025] Improvements to idrange.py

2012-12-21 Thread Tomas Babej
Hi, Sending updated and rebased versions of patches 0024 and 0025. Tomas From 6d4903a1c5e255929cdbce2a67d79c6e44b1 Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Fri, 21 Dec 2012 05:34:37 -0500 Subject: [PATCH] Make options checks in idrange-add/mod consistent Both now enforce

[Freeipa-devel] [PATCH 0026] Prevent integer overflow when setting krbPasswordExpiration

2013-01-14 Thread Tomas Babej
password policy was changed (#3114) or new users not being able to log in at all (#3312). https://fedorahosted.org/freeipa/ticket/3312 https://fedorahosted.org/freeipa/ticket/3114 Tomas From 58e10e269b2cf1b789094d09207844cbc4f56f99 Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Mon, 14 Jan 2

Re: [Freeipa-devel] [PATCH 0026] Prevent integer overflow when setting krbPasswordExpiration

2013-01-16 Thread Tomas Babej
, Tomas Babej wrote: Hi, Since in Kerberos V5 are used 32-bit unix timestamps, setting maxlife in pwpolicy to values such as days would cause integer overflow in krbPasswordExpiration attribute. This would result into unpredictable behaviour such as users not being able to log in after password

Re: [Freeipa-devel] [PATCH 0026] Prevent integer overflow when setting krbPasswordExpiration

2013-01-16 Thread Tomas Babej
On 01/16/2013 02:47 PM, Simo Sorce wrote: On Wed, 2013-01-16 at 12:52 +0100, Tomas Babej wrote: On 01/15/2013 11:55 PM, Simo Sorce wrote: On Tue, 2013-01-15 at 17:36 -0500, Dmitri Pal wrote: On 01/15/2013 03:59 PM, Simo Sorce wrote: On Tue, 2013-01-15 at 15:53 -0500, Rob Crittenden wrote

Re: [Freeipa-devel] [PATCH 0026] Prevent integer overflow when setting krbPasswordExpiration

2013-01-16 Thread Tomas Babej
On 01/16/2013 06:01 PM, Simo Sorce wrote: On Wed, 2013-01-16 at 17:57 +0100, Tomas Babej wrote: On 01/16/2013 02:47 PM, Simo Sorce wrote: On Wed, 2013-01-16 at 12:52 +0100, Tomas Babej wrote: On 01/15/2013 11:55 PM, Simo Sorce wrote: On Tue, 2013-01-15 at 17:36 -0500, Dmitri Pal wrote: On

Re: [Freeipa-devel] [PATCH 0026] Prevent integer overflow when setting krbPasswordExpiration

2013-01-16 Thread Tomas Babej
On 01/16/2013 06:57 PM, Simo Sorce wrote: On Wed, 2013-01-16 at 18:32 +0100, Tomas Babej wrote: They all use ipadb_ldap_attr_to_time_t() to get their values, so the following addition to the patch should be sufficient. It will break dates for other users of the function that do not need to

Re: [Freeipa-devel] [PATCH 0026] Prevent integer overflow when setting krbPasswordExpiration

2013-01-17 Thread Tomas Babej
On 01/17/2013 01:56 AM, Dmitri Pal wrote: On 01/16/2013 12:32 PM, Tomas Babej wrote: On 01/16/2013 06:01 PM, Simo Sorce wrote: On Wed, 2013-01-16 at 17:57 +0100, Tomas Babej wrote: On 01/16/2013 02:47 PM, Simo Sorce wrote: On Wed, 2013-01-16 at 12:52 +0100, Tomas Babej wrote: On 01/15/2013

Re: [Freeipa-devel] [PATCH 0026] Prevent integer overflow when setting krbPasswordExpiration

2013-01-22 Thread Tomas Babej
On 01/17/2013 05:18 PM, Simo Sorce wrote: On Thu, 2013-01-17 at 15:29 +0100, Tomas Babej wrote: On 01/17/2013 01:56 AM, Dmitri Pal wrote: On 01/16/2013 12:32 PM, Tomas Babej wrote: On 01/16/2013 06:01 PM, Simo Sorce wrote: On Wed, 2013-01-16 at 17:57 +0100, Tomas Babej wrote: On 01/16/2013

Re: [Freeipa-devel] [PATCH 0026] Prevent integer overflow when setting krbPasswordExpiration

2013-01-23 Thread Tomas Babej
On 01/22/2013 07:39 PM, Dmitri Pal wrote: On 01/22/2013 10:57 AM, Simo Sorce wrote: On Tue, 2013-01-22 at 15:50 +0100, Tomas Babej wrote: Here I bring the updated version of the patch. Please note, that I *added* a flag attribute to ipadb_ldap_attr_to_krb5_timestamp function, that controls

[Freeipa-devel] [PATCH 0027] Add checks for SELinux in install scripts

2013-01-30 Thread Tomas Babej
rom f038bb7b79d5a048e9c9ae7fd7391edabb6ac3ac Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Thu, 24 Jan 2013 15:37:21 -0500 Subject: [PATCH] Add checks for SElinux in install scripts The checks make sure that SELinux is: - installed and enabled (on server install) - installed and enabled OR not installed (on cli

Re: [Freeipa-devel] [PATCH 0027] Add checks for SELinux in install scripts

2013-01-30 Thread Tomas Babej
On 01/30/2013 05:12 PM, Tomas Babej wrote: Hi, The checks make sure that SELinux is: - installed and enabled (on server install) - installed and enabled OR not installed (on client install) Please note that client installs with SELinux not installed are allowed since freeipa-client package

[Freeipa-devel] [PATCH 0028] Prevent backtrace in ipa-replica-prepare

2013-01-31 Thread Tomas Babej
Hi, This was a regression due to change from DatabaseError to NetworkError when LDAP server is down. https://fedorahosted.org/freeipa/ticket/2939 Tomas

Re: [Freeipa-devel] [PATCH 0028] Prevent backtrace in ipa-replica-prepare

2013-01-31 Thread Tomas Babej
On 01/31/2013 12:03 PM, Tomas Babej wrote: Hi, This was a regression due to change from DatabaseError to NetworkError when LDAP server is down. https://fedorahosted.org/freeipa/ticket/2939 Tomas

[Freeipa-devel] [PATCH 0029] Fix a typo in ipa-adtrust-install help

2013-01-31 Thread Tomas Babej
Hi, this is a fix for a benign typo in ipa-adtrust-install --help description. Tomas From 785cd2df77874c524a36eab24257cdaff14a374b Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Thu, 31 Jan 2013 07:58:48 -0500 Subject: [PATCH] Fix a typo in ipa-adtrust-install help "Add SIDs for

Re: [Freeipa-devel] [PATCH 0027] Add checks for SELinux in install scripts

2013-01-31 Thread Tomas Babej
On 01/30/2013 05:58 PM, Tomas Babej wrote: On 01/30/2013 05:12 PM, Tomas Babej wrote: Hi, The checks make sure that SELinux is: - installed and enabled (on server install) - installed and enabled OR not installed (on client install) Please note that client installs with SELinux not

Re: [Freeipa-devel] [PATCH 0028] Prevent backtrace in ipa-replica-prepare

2013-02-03 Thread Tomas Babej
On Fri 01 Feb 2013 08:03:37 PM CET, Rob Crittenden wrote: Martin Kosek wrote: On 01/31/2013 12:05 PM, Tomas Babej wrote: On 01/31/2013 12:03 PM, Tomas Babej wrote: Hi, This was a regression due to change from DatabaseError to NetworkError when LDAP server is down. https://fedorahosted.org

[Freeipa-devel] [PATCH 0030] Add option to specify SID using domain name to idrange-add/mod

2013-02-04 Thread Tomas Babej
manually is shown. https://fedorahosted.org/freeipa/ticket/3133 Tomas From 72f8802953edaaf5b9f7c34a38601fbccd681c8e Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Mon, 4 Feb 2013 08:33:53 -0500 Subject: [PATCH] Add option to specify SID using domain name to idrange-add/mod When adding/modifying

Re: [Freeipa-devel] [PATCH 0027] Add checks for SELinux in install scripts

2013-02-04 Thread Tomas Babej
On 02/04/2013 04:21 PM, Rob Crittenden wrote: Tomas Babej wrote: On 01/30/2013 05:12 PM, Tomas Babej wrote: Hi, The checks make sure that SELinux is: - installed and enabled (on server install) - installed and enabled OR not installed (on client install) Please note that client installs

[Freeipa-devel] [PATCHES 0031-0032] Improve HBAC rule handling in selinuxusermap-add/mod/find

2013-02-06 Thread Tomas Babej
detailed info. Tomas From aa171a4e3bc5295cdf332215e1b2477c7512180a Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Wed, 6 Feb 2013 07:04:03 -0500 Subject: [PATCH 31/32] Improve HBAC rule handling in selinuxusermap-add/mod/find Pre-patch handling of HBAC rules in selinuxusermap commands tried

Re: [Freeipa-devel] [PATCHES 0031-0032] Improve HBAC rule handling in selinuxusermap-add/mod/find

2013-02-08 Thread Tomas Babej
On 02/06/2013 07:57 PM, Rob Crittenden wrote: Tomas Babej wrote: Hi, this pair of patches improves HBAC rule handling in selinuxusermap commands. Patch 0031 deals with: https://fedorahosted.org/freeipa/ticket/3349 Patch 0032 takes care of: https://fedorahosted.org/freeipa/ticket/3348 and is

Re: [Freeipa-devel] [PATCH 0030] Add option to specify SID using domain name to idrange-add/mod

2013-02-08 Thread Tomas Babej
On 02/08/2013 03:25 PM, Alexander Bokovoy wrote: On Mon, 04 Feb 2013, Tomas Babej wrote: Hi, When adding/modifying an ID range for a trusted domain, the newly added option --dom-name can be used. This looks up SID of the trusted domain in LDAP and therefore the user is not required to write it

[Freeipa-devel] [PATCH 0033] Prevent changing protected group's name using --setattr

2013-02-11 Thread Tomas Babej
001 From: Tomas Babej Date: Mon, 11 Feb 2013 10:19:53 +0100 Subject: [PATCH] Prevent changing protected group's name using --setattr The name of any protected group now cannot be changed by modifying the cn attribute using --setattr. Unit tests have been added to make sure there is no regression

[Freeipa-devel] [PATCH 0034] Deny LDAP binds for user accounts with expired principal

2013-02-12 Thread Tomas Babej
mandatory, if there is no value set, the check is passed. https://fedorahosted.org/freeipa/ticket/3305 Tomas From a42f9a051d40b88ddbc72e0b16a2ac4128deaef7 Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Mon, 11 Feb 2013 15:33:12 +0100 Subject: [PATCH] Deny LDAP binds for user accounts w

Re: [Freeipa-devel] [PATCH 0034] Deny LDAP binds for user accounts with expired principal

2013-02-12 Thread Tomas Babej
On 02/12/2013 05:50 PM, Tomas Babej wrote: Hi, This patch adds a check for krbprincipalexpiration attribute to pre_bind operation in ipa-pwd-extop dirsrv plugin. If the principal is expired, auth is denied and LDAP_INVALID_CREDENTIALS along with the error message is sent back to the client

Re: [Freeipa-devel] [PATCH 0034] Deny LDAP binds for user accounts with expired principal

2013-02-13 Thread Tomas Babej
On 02/12/2013 06:23 PM, Simo Sorce wrote: On Tue, 2013-02-12 at 18:03 +0100, Tomas Babej wrote: On 02/12/2013 05:50 PM, Tomas Babej wrote: Hi, This patch adds a check for krbprincipalexpiration attribute to pre_bind operation in ipa-pwd-extop dirsrv plugin. If the principal is expired, auth

Re: [Freeipa-devel] [PATCH 0030] Add option to specify SID using domain name to idrange-add/mod

2013-02-14 Thread Tomas Babej
On 02/12/2013 06:58 PM, Petr Vobornik wrote: On 02/04/2013 05:23 PM, Tomas Babej wrote: Hi, When adding/modifying an ID range for a trusted domain, the newly added option --dom-name can be used. This looks up SID of the trusted domain in LDAP and therefore the user is not required to write it

Re: [Freeipa-devel] [PATCH 0030] Add option to specify SID using domain name to idrange-add/mod

2013-02-14 Thread Tomas Babej
On 02/12/2013 06:00 PM, Alexander Bokovoy wrote: On Fri, 08 Feb 2013, Tomas Babej wrote: On 02/08/2013 03:25 PM, Alexander Bokovoy wrote: On Mon, 04 Feb 2013, Tomas Babej wrote: Hi, When adding/modifying an ID range for a trusted domain, the newly added option --dom-name can be used. This

Re: [Freeipa-devel] [PATCH 0030] Add option to specify SID using domain name to idrange-add/mod

2013-02-15 Thread Tomas Babej
On 02/14/2013 05:37 PM, Alexander Bokovoy wrote: On Thu, 14 Feb 2013, Tomas Babej wrote: + Str('ipanttrusteddomainname?', + cli_name='dom_name', + flags=('no_search', 'virtual_attribute'), + label=_('Name of the trusted domain'), + ), New opti

Re: [Freeipa-devel] [PATCH 0030] Add option to specify SID using domain name to idrange-add/mod

2013-02-18 Thread Tomas Babej
On 02/18/2013 12:36 PM, Alexander Bokovoy wrote: On Fri, 15 Feb 2013, Tomas Babej wrote: On 02/14/2013 05:37 PM, Alexander Bokovoy wrote: On Thu, 14 Feb 2013, Tomas Babej wrote: + Str('ipanttrusteddomainname?', + cli_name='dom_name', + flags=('no_search', 'v

[Freeipa-devel] [PATCH 0035] Use default.conf as flag of IPA client being installed

2013-02-20 Thread Tomas Babej
will not install if something is backed up or default.conf file does exist (unless it's installation on master). https://fedorahosted.org/freeipa/ticket/3331 Tomas >From 6a81800dedab33881a4c3573efa80cac50c84d40 Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Tue, 19 Feb 2013 17:59:

Re: [Freeipa-devel] [PATCHES 0024-0025] Improvements to idrange.py

2013-02-20 Thread Tomas Babej
On 12/21/2012 12:15 PM, Tomas Babej wrote: Hi, Sending updated and rebased versions of patches 0024 and 0025. Tomas Sending rebased version, these got quite rotten. Tomas >From f21b135d546678544ccf05efd587b46bba88e07a Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Fri, 21 Dec 2012

Re: [Freeipa-devel] [PATCH 0027] Add checks for SELinux in install scripts

2013-02-20 Thread Tomas Babej
On Tue 19 Feb 2013 08:37:26 PM CET, Rob Crittenden wrote: Tomas Babej wrote: On 02/04/2013 04:21 PM, Rob Crittenden wrote: Tomas Babej wrote: On 01/30/2013 05:12 PM, Tomas Babej wrote: Hi, The checks make sure that SELinux is: - installed and enabled (on server install) - installed and

Re: [Freeipa-devel] [PATCHES 0031-0032] Improve HBAC rule handling in selinuxusermap-add/mod/find

2013-02-20 Thread Tomas Babej
On 02/19/2013 10:33 PM, Rob Crittenden wrote: Tomas Babej wrote: On 02/06/2013 07:57 PM, Rob Crittenden wrote: Tomas Babej wrote: Hi, this pair of patches improves HBAC rule handling in selinuxusermap commands. Patch 0031 deals with: https://fedorahosted.org/freeipa/ticket/3349 Patch 0032

Re: [Freeipa-devel] [PATCHES 0024-0025] Improvements to idrange.py

2013-02-20 Thread Tomas Babej
On Wed 20 Feb 2013 02:24:03 PM CET, Alexander Bokovoy wrote: On Wed, 20 Feb 2013, Tomas Babej wrote: On 12/21/2012 12:15 PM, Tomas Babej wrote: Hi, Sending updated and rebased versions of patches 0024 and 0025. Tomas Sending rebased version, these got quite rotten. Thanks for updating

Re: [Freeipa-devel] [PATCH 0035] Use default.conf as flag of IPA client being installed

2013-02-21 Thread Tomas Babej
On 02/21/2013 12:47 PM, Martin Kosek wrote: On 02/20/2013 10:31 AM, Tomas Babej wrote: Hi, When installing / uninstalling IPA client, the checks that determine whether IPA client is installed now take the existence of /etc/ipa/default.conf into consideration. The client will not uninstall

Re: [Freeipa-devel] [PATCH 0035] Use default.conf as flag of IPA client being installed

2013-02-21 Thread Tomas Babej
On 02/21/2013 01:50 PM, Martin Kosek wrote: On 02/21/2013 01:29 PM, Tomas Babej wrote: On 02/21/2013 12:47 PM, Martin Kosek wrote: On 02/20/2013 10:31 AM, Tomas Babej wrote: Hi, When installing / uninstalling IPA client, the checks that determine whether IPA client is installed now take the

Re: [Freeipa-devel] [PATCHES 0024-0025] Improvements to idrange.py

2013-02-22 Thread Tomas Babej
On 02/21/2013 02:22 PM, Martin Kosek wrote: On 02/20/2013 03:19 PM, Tomas Babej wrote: On Wed 20 Feb 2013 02:24:03 PM CET, Alexander Bokovoy wrote: On Wed, 20 Feb 2013, Tomas Babej wrote: On 12/21/2012 12:15 PM, Tomas Babej wrote: Hi, Sending updated and rebased versions of patches 0024 and

[Freeipa-devel] [PATCH 0036] Make sure appropriate exit status is returned in make-test

2013-02-22 Thread Tomas Babej
Hi, The make-test script now exits with code 1 in case that any of the test cases that were run failed. Can we push this without a ticket under one-liner rule? Tomas >From f4c6cad856be076d1c367edf2e9ced1b3c15b15a Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Sat, 23 Feb 2013 00:41:58 +0

Re: [Freeipa-devel] [PATCHES 0024-0025] Improvements to idrange.py

2013-02-25 Thread Tomas Babej
On Fri 22 Feb 2013 04:34:55 PM CET, Martin Kosek wrote: On 02/22/2013 03:01 PM, Tomas Babej wrote: On 02/21/2013 02:22 PM, Martin Kosek wrote: On 02/20/2013 03:19 PM, Tomas Babej wrote: On Wed 20 Feb 2013 02:24:03 PM CET, Alexander Bokovoy wrote: On Wed, 20 Feb 2013, Tomas Babej wrote: On

[Freeipa-devel] [PATCH 0037] Add support for re-enrolling hosts using keytab

2013-03-04 Thread Tomas Babej
(enrolled using principal and reenrolled using keytab). Tomas >From e576009bb7a93daec1cbc4ef94785017f80b2756 Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Tue, 26 Feb 2013 13:20:13 +0100 Subject: [PATCH] Add support for re-enrolling hosts using keytab A host that has been previously unenrolled

[Freeipa-devel] [PATCH 0038] Perform secondary rid range overlap check for local ranges

2013-03-05 Thread Tomas Babej
rom 1a18bc43b561a1bbcfa1f5da3c2f1d6482571d18 Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Tue, 5 Mar 2013 09:17:20 +0100 Subject: [PATCH] Perform secondary rid range overlap check for local ranges only Any of the following checks: - overlap between primary RID range and secondary RID ra

Re: [Freeipa-devel] [PATCH 0037] Add support for re-enrolling hosts using keytab

2013-03-06 Thread Tomas Babej
[...] I'm not a C expert but the ipa-join changes look fine. Thanks for the review, updated patches are attached. Tomas >From 56288351b8ab9dc8b3076a7f4b895601a047eecb Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Tue, 26 Feb 2013 13:20:13 +0100 Subject: [PATCH] Add support for re

Re: [Freeipa-devel] [PATCH 0037] Add support for re-enrolling hosts using keytab

2013-03-07 Thread Tomas Babej
On 03/06/2013 01:30 PM, Petr Spacek wrote: On 6.3.2013 13:04, Tomas Babej wrote: On 03/05/2013 02:10 PM, Petr Viktorin wrote: Thanks! The mechanism works, but see below. This is a RFE so it needs a design document. http://freeipa.org/page/V3/Client_install_using_keytab I added "Sec

Re: [Freeipa-devel] [PATCH 0037] Add support for re-enrolling hosts using keytab

2013-03-07 Thread Tomas Babej
On 03/07/2013 04:12 PM, Petr Viktorin wrote: Thanks! I just have two more very minor nitpicks. On 03/06/2013 01:04 PM, Tomas Babej wrote: On 03/05/2013 02:10 PM, Petr Viktorin wrote: Thanks! The mechanism works, but see below. This is a RFE so it needs a design document. http://freeipa.org
