Re: [Freeipa-devel] [PATCH 0297] ULC: add user-stage command

On 08/17/2015 08:33 PM, Martin Basti wrote: Hello, the 'user-stage' command replaces 'stageuser-add --from-delete' command. https://fedorahosted.org/freeipa/ticket/5041 Thierry can you check If I don't break everything, it works for me, but the one never knows. Honza can you please check

Re: [Freeipa-devel] [PATCH 0297] ULC: add user-stage command

On 08/20/2015 05:21 PM, Martin Basti wrote: On 08/20/2015 11:27 AM, Jan Cholasta wrote: On 19.8.2015 10:57, Jan Cholasta wrote: On 19.8.2015 10:47, thierry bordaz wrote: On 08/19/2015 10:34 AM, Jan Cholasta wrote: On 19.8.2015 09:39, thierry bordaz wrote: Hi, It worked like a charm. I

Re: [Freeipa-devel] [PATCH 0060] raise an error when trying to preserve an already preserved user

On 08/19/2015 06:28 PM, Martin Babinsky wrote: On 08/19/2015 02:54 PM, Martin Babinsky wrote: this patch prevents https://fedorahosted.org/freeipa/ticket/5234 from happening. Actually, we (myself, mbasti, jcholast) found out that `user-del --preserve` could use some more usability

Re: [Freeipa-devel] [PATCH 0060] raise an error when trying to preserve an already preserved user

On 08/19/2015 06:28 PM, Martin Babinsky wrote: On 08/19/2015 02:54 PM, Martin Babinsky wrote: this patch prevents https://fedorahosted.org/freeipa/ticket/5234 from happening. Actually, we (myself, mbasti, jcholast) found out that `user-del --preserve` could use some more usability

Re: [Freeipa-devel] [PATCH 0060] raise an error when trying to preserve an already preserved user

On 08/20/2015 11:05 AM, thierry bordaz wrote: On 08/19/2015 06:28 PM, Martin Babinsky wrote: On 08/19/2015 02:54 PM, Martin Babinsky wrote: this patch prevents https://fedorahosted.org/freeipa/ticket/5234 from happening. Actually, we (myself, mbasti, jcholast) found out that `user-del

Re: [Freeipa-devel] [PATCH 0297] ULC: add user-stage command

On 08/18/2015 04:04 PM, Martin Basti wrote: On 08/18/2015 03:49 PM, thierry bordaz wrote: On 08/18/2015 03:06 PM, Martin Basti wrote: On 08/18/2015 11:32 AM, thierry bordaz wrote: On 08/18/2015 10:02 AM, Martin Basti wrote: On 08/18/2015 09:59 AM, thierry bordaz wrote: On 08/18/2015

Re: [Freeipa-devel] [PATCH 0297] ULC: add user-stage command

On 08/18/2015 03:06 PM, Martin Basti wrote: On 08/18/2015 11:32 AM, thierry bordaz wrote: On 08/18/2015 10:02 AM, Martin Basti wrote: On 08/18/2015 09:59 AM, thierry bordaz wrote: On 08/18/2015 09:55 AM, Martin Basti wrote: On 08/18/2015 09:50 AM, thierry bordaz wrote: On 08/17/2015

Re: [Freeipa-devel] [PATCH 0297] ULC: add user-stage command

On 08/18/2015 04:13 PM, thierry bordaz wrote: On 08/18/2015 04:04 PM, Martin Basti wrote: On 08/18/2015 03:49 PM, thierry bordaz wrote: On 08/18/2015 03:06 PM, Martin Basti wrote: On 08/18/2015 11:32 AM, thierry bordaz wrote: On 08/18/2015 10:02 AM, Martin Basti wrote: On 08/18/2015

Re: [Freeipa-devel] [PATCH 0297] ULC: add user-stage command

all first letters in uppercase as others. Updated merged patch attached. On 08/18/2015 05:34 PM, thierry bordaz wrote: On 08/18/2015 04:13 PM, thierry bordaz wrote: On 08/18/2015 04:04 PM, Martin Basti wrote: On 08/18/2015 03:49 PM, thierry bordaz wrote: On 08/18/2015 03:06 PM, Martin Basti

Re: [Freeipa-devel] [PATCH 0297] ULC: add user-stage command

On 08/19/2015 10:34 AM, Jan Cholasta wrote: On 19.8.2015 09:39, thierry bordaz wrote: Hi, It worked like a charm. I had a problem to commit it because of the VERSION stuff that changed. Except that (changing VERSION), the fix looks good to me thanks thierry On 08/18/2015 07:21 PM, Martin

Re: [Freeipa-devel] [PATCH 0297] ULC: add user-stage command

On 08/20/2015 05:21 PM, Martin Basti wrote: On 08/20/2015 11:27 AM, Jan Cholasta wrote: On 19.8.2015 10:57, Jan Cholasta wrote: On 19.8.2015 10:47, thierry bordaz wrote: On 08/19/2015 10:34 AM, Jan Cholasta wrote: On 19.8.2015 09:39, thierry bordaz wrote: Hi, It worked like a charm. I

Re: [Freeipa-devel] [PATCH 0016] clear start attr from segment after initialization

On 06/22/2015 11:35 AM, Ludwig Krispenz wrote: fix for ticket #5065, removing start - after online init copmpleted - additionally check after startup Hi Ludwig, The fix looks good to me. I have just a clarification regarding ipa_topo_util_reset_init. It resets 'nsds5BeginReplicaRefresh' at

Re: [Freeipa-devel] [PATCH 0016] clear start attr from segment after initialization

On 06/30/2015 12:05 PM, Ludwig Krispenz wrote: new patch with comments attached On 06/30/2015 10:43 AM, thierry bordaz wrote: On 06/30/2015 09:19 AM, Ludwig Krispenz wrote: On 06/26/2015 02:14 PM, thierry bordaz wrote: On 06/22/2015 11:35 AM, Ludwig Krispenz wrote: fix for ticket #5065

Re: [Freeipa-devel] Replace stageuser-add --from-delete with user-undel --to-staged

On 08/05/2015 11:27 AM, Martin Basti wrote: - Original Message - From: thierry bordaz tbor...@redhat.com To: Jan Cholasta jchol...@redhat.com Cc: freeipa-devel@redhat.com Sent: Monday, August 3, 2015 5:34:02 PM Subject: Re: [Freeipa-devel] Replace stageuser-add --from-delete with user

Re: [Freeipa-devel] Replace stageuser-add --from-delete with user-undel --to-staged

On 08/05/2015 12:13 PM, Jan Cholasta wrote: Dne 5.8.2015 v 11:55 thierry bordaz napsal(a): On 08/05/2015 11:27 AM, Martin Basti wrote: - Original Message - From: thierry bordaz tbor...@redhat.com To: Jan Cholasta jchol...@redhat.com Cc: freeipa-devel@redhat.com Sent: Monday, August 3

Re: [Freeipa-devel] Replace stageuser-add --from-delete with user-undel --to-staged

On 08/11/2015 09:32 AM, Martin Basti wrote: On 11/08/15 09:17, Jan Cholasta wrote: On 5.8.2015 12:34, thierry bordaz wrote: On 08/05/2015 12:13 PM, Jan Cholasta wrote: Dne 5.8.2015 v 11:55 thierry bordaz napsal(a): On 08/05/2015 11:27 AM, Martin Basti wrote: - Original Message

Re: [Freeipa-devel] [PATCH 0002] TEST: Stageuser plugin

On 08/04/2015 01:37 PM, Lenka Doudova wrote: Dne 30.7.2015 v 16:10 Martin Basti napsal(a): On 30/07/15 16:09, Martin Basti wrote: On 29/07/15 16:10, Martin Basti wrote: On 29/07/15 15:29, Lenka Doudova wrote: Hi, thanks a lot for the comments, will work on it tomorrow. Lenka Dne

Re: [Freeipa-devel] [PATCH 0019] handle cleanRUV in the topology plugin

: Hi Thierry, hope this addresses your concerns Ludwig On 10/23/2015 11:24 AM, thierry bordaz wrote: On 10/23/2015 11:00 AM, thierry bordaz wrote: On 10/12/2015 01:17 PM, Ludwig Krispenz wrote: On 10/12/2015 12:44 PM, Martin Basti wrote: On 23.07.2015 10:46, Ludwig Krispenz wrote

Re: [Freeipa-devel] [PATCH 0019] handle cleanRUV in the topology plugin

On 10/23/2015 03:38 PM, Ludwig Krispenz wrote: On 10/23/2015 03:19 PM, thierry bordaz wrote: Hi Ludwig, Thanks for the patch. Yes it is looking good to me. Just a minor change about the message logged (if case of failure to add the cleanallruv task), you may recommend to the administrator

Re: [Freeipa-devel] [PATCH 0019] handle cleanRUV in the topology plugin

On 10/23/2015 11:00 AM, thierry bordaz wrote: On 10/12/2015 01:17 PM, Ludwig Krispenz wrote: On 10/12/2015 12:44 PM, Martin Basti wrote: On 23.07.2015 10:46, Ludwig Krispenz wrote: The attached patch moves the cleaning of the RUV into the topology plugin. I encountered a problem when

Re: [Freeipa-devel] [PATCH 0019] handle cleanRUV in the topology plugin

On 10/23/2015 12:39 PM, Ludwig Krispenz wrote: On 10/23/2015 11:24 AM, thierry bordaz wrote: On 10/23/2015 11:00 AM, thierry bordaz wrote: On 10/12/2015 01:17 PM, Ludwig Krispenz wrote: On 10/12/2015 12:44 PM, Martin Basti wrote: On 23.07.2015 10:46, Ludwig Krispenz wrote: The attached

Re: [Freeipa-devel] [PATCH 0020-0021] some topology plugin fixes

On 10/23/2015 10:44 AM, Ludwig Krispenz wrote: Hi, the attached two patches address issues I found when testing ca management in the topology plugin Thanks for review, Ludwig Hi Ludwig, Patch 20 is good to me. I have one remark, you call ipa_topo_cfg_host_find with lock flag. So that the

Re: [Freeipa-devel] [PATCH 0020-0021] some topology plugin fixes

On 10/30/2015 09:57 AM, Ludwig Krispenz wrote: On 10/29/2015 01:28 PM, thierry bordaz wrote: On 10/23/2015 10:44 AM, Ludwig Krispenz wrote: Hi, the attached two patches address issues I found when testing ca management in the topology plugin Thanks for review, Ludwig Hi Ludwig, Patch

Re: [Freeipa-devel] [PATCHES 0069-0077] support for proper Kerberos principal canonicalization

On 10/08/2015 11:03 AM, David Kupka wrote: On 07/10/15 17:32, thierry bordaz wrote: On 10/07/2015 05:29 PM, Simo Sorce wrote: On 07/10/15 11:06, thierry bordaz wrote: On 10/07/2015 03:10 PM, David Kupka wrote: On 06/10/15 17:52, Jakub Hrozek wrote: On Tue, Oct 06, 2015 at 08:32:29AM -0400

Re: [Freeipa-devel] [PATCHES 0069-0077] support for proper Kerberos principal canonicalization

On 10/07/2015 05:29 PM, Simo Sorce wrote: On 07/10/15 11:06, thierry bordaz wrote: On 10/07/2015 03:10 PM, David Kupka wrote: On 06/10/15 17:52, Jakub Hrozek wrote: On Tue, Oct 06, 2015 at 08:32:29AM -0400, Simo Sorce wrote: On 06/10/15 08:04, David Kupka wrote: On 06/10/15 13:35, Simo

Re: [Freeipa-devel] [PATCHES 0069-0077] support for proper Kerberos principal canonicalization

On 10/07/2015 03:10 PM, David Kupka wrote: On 06/10/15 17:52, Jakub Hrozek wrote: On Tue, Oct 06, 2015 at 08:32:29AM -0400, Simo Sorce wrote: On 06/10/15 08:04, David Kupka wrote: On 06/10/15 13:35, Simo Sorce wrote: On 06/10/15 03:51, thierry bordaz wrote: On 10/06/2015 07:19 AM, David

Re: [Freeipa-devel] fixing Kerberos principal aliases handling in IPA

On 09/03/2015 04:03 PM, David Kupka wrote: On 02/09/15 14:27, Simo Sorce wrote: On Wed, 2015-09-02 at 08:11 +0200, David Kupka wrote: On 01/09/15 16:53, Simo Sorce wrote: On Tue, 2015-09-01 at 16:39 +0200, Martin Babinsky wrote: Hi list, I own the following ticket

Re: [Freeipa-devel] fixing Kerberos principal aliases handling in IPA

On 09/07/2015 09:47 PM, Simo Sorce wrote: On Mon, 2015-09-07 at 09:20 +0200, David Kupka wrote: On 04/09/15 12:49, thierry bordaz wrote: On 09/03/2015 04:03 PM, David Kupka wrote: On 02/09/15 14:27, Simo Sorce wrote: On Wed, 2015-09-02 at 08:11 +0200, David Kupka wrote: On 01/09/15 16:53

Re: [Freeipa-devel] [PATCH 487] ldap: Make ldap2 connection management thread-safe again

On 09/02/2015 03:16 PM, Jan Cholasta wrote: On 2.9.2015 14:51, Martin Basti wrote: On 09/02/2015 02:32 PM, Jan Cholasta wrote: Hi, the attached patch fixes . Honza This patch needs a big rebase to ipa-4-2 branch Patch attached.

[Freeipa-devel] [PATCH] script for provisioning

Hello, A performance bottleneck during provisioning was described http://www.freeipa.org/page/V4/Performance_Improvements#typical_provisioning:_ldapadd_entries.2C_migrate-ds... I wrote the attached script that is following http://www.freeipa.org/page/V4/Performance_Improvements#Algorithm

Re: [Freeipa-devel] [PATCH 0041] Increase nsslapd-db-locks

On 06/06/2016 07:23 PM, Martin Basti wrote: On 03.06.2016 13:38, Stanislav Laznicka wrote: Hello, The attached patch implements solution to https://fedorahosted.org/freeipa/ticket/5914. The patch is rather hacky as nsslapd-db-locks requires to be modified when DS is not running

Re: [Freeipa-devel] ipapwd_extop vs password_extop

On 06/06/2016 07:12 PM, Alexander Bokovoy wrote: On Mon, 06 Jun 2016, thierry bordaz wrote: On 06/06/2016 11:07 AM, Alexander Bokovoy wrote: On Mon, 06 Jun 2016, thierry bordaz wrote: Hello, In DS it is possible to register callbacks for extended op. For https://www.ietf.org/rfc

Re: [Freeipa-devel] [PATCH] script for provisioning

On 06/05/2016 10:45 AM, Martin Basti wrote: On 03.06.2016 17:49, thierry bordaz wrote: Hello, A performance bottleneck during provisioning was described http://www.freeipa.org/page/V4/Performance_Improvements#typical_provisioning:_ldapadd_entries.2C_migrate-ds... I wrote the attached

[Freeipa-devel] ipapwd_extop vs password_extop

Hello, In DS it is possible to register callbacks for extended op. For https://www.ietf.org/rfc/rfc3062.txt (password modify extop), there is a default callback that is implemented in DS core server. Freeipa enables a plugin 'cn=ipa_pwd_extop,cn=plugins,cn=config' that also

Re: [Freeipa-devel] ipapwd_extop vs password_extop

On 06/07/2016 01:20 PM, Alexander Bokovoy wrote: On Tue, 07 Jun 2016, thierry bordaz wrote: On 06/06/2016 07:12 PM, Alexander Bokovoy wrote: On Mon, 06 Jun 2016, thierry bordaz wrote: On 06/06/2016 11:07 AM, Alexander Bokovoy wrote: On Mon, 06 Jun 2016, thierry bordaz wrote: Hello

Re: [Freeipa-devel] ipapwd_extop vs password_extop

On 06/06/2016 11:07 AM, Alexander Bokovoy wrote: On Mon, 06 Jun 2016, thierry bordaz wrote: Hello, In DS it is possible to register callbacks for extended op. For https://www.ietf.org/rfc/rfc3062.txt (password modify extop), there is a default callback that is implemented in DS core

Re: [Freeipa-devel] ipapwd_extop vs password_extop

On 06/07/2016 03:47 PM, Alexander Bokovoy wrote: On Tue, 07 Jun 2016, thierry bordaz wrote: Well here we have IPA password extop that receives a 'compat' entry. This compat entry does not exist except in slapi-nis that can do the mapping to the real entry. What I was thinking of was some

Re: [Freeipa-devel] [PATCH 0023] topology plugins sigsev when adding a managed host

On 06/10/2016 05:56 PM, Ludwig Krispenz wrote: On 06/10/2016 05:41 PM, thierry bordaz wrote: On 06/10/2016 05:23 PM, Ludwig Krispenz wrote: On 06/10/2016 04:44 PM, thierry bordaz wrote: Hi Ludwig, I agree with you there is no path to add a host with an empty hostname. You fix looks

Re: [Freeipa-devel] [PATCH 0023] topology plugins sigsev when adding a managed host

On 06/10/2016 05:23 PM, Ludwig Krispenz wrote: On 06/10/2016 04:44 PM, thierry bordaz wrote: Hi Ludwig, I agree with you there is no path to add a host with an empty hostname. You fix looks valid but I would prefer a log in FATAL rather in PLUGIN. yes, of course that was my intention, copy

Re: [Freeipa-devel] Provisioning throughput

PM, Ludwig Krispenz wrote: On 05/12/2016 03:45 PM, Ludwig Krispenz wrote: On 05/12/2016 02:16 PM, Petr Vobornik wrote: On 05/10/2016 05:50 PM, thierry bordaz wrote: On 05/05/2016 03:44 PM, Petr Vobornik wrote: On 05/04/2016 02:20 PM, thierry bordaz wrote: Hello, I have been doing some test

Re: [Freeipa-devel] Provisioning throughput

On 05/25/2016 08:49 PM, Rob Crittenden wrote: thierry bordaz wrote: Hello, Thanks for all the feedbacks. I updated the design accordingly and with additional tests results (http://www.freeipa.org/page/V4/Performance_Improvements#Proposed_improvements) Several improvements can be done

Re: [Freeipa-devel] [PATCH] 0020 Enable password change extop to apply on virtual entry like the entry in compat tree

On 06/13/2016 05:06 PM, Alexander Bokovoy wrote: On Mon, 13 Jun 2016, thierry bordaz wrote: From fff11869d8cf3dfe98471e018c10926fc23b13da Mon Sep 17 00:00:00 2001 From: Thierry Bordaz <tbor...@redhat.com> Date: Fri, 10 Jun 2016 15:34:40 +0200 Subject: [PATCH] ipapwd_extop shou

[Freeipa-devel] [PATCH] 0019 ipapwd_extop should take precedence over default DS plugin

This is the fix for https://fedorahosted.org/freeipa/ticket/5944 >From 2838fbfc7a22b9bc0c1c4dfaf3660d1ac7099461 Mon Sep 17 00:00:00 2001 From: Thierry Bordaz <tbor...@redhat.com> Date: Wed, 8 Jun 2016 14:03:42 +0200 Subject: [PATCH] Make sure ipapwd_extop takes preced

Re: [Freeipa-devel] [PATCH 0023] topology plugins sigsev when adding a managed host

The fix is good for me. ACK thanks thierry On 06/13/2016 10:04 AM, Ludwig Krispenz wrote: revised patch (v2) attached: changed log level fixed order of statements in freeing host list On 06/10/2016 05:56 PM, Ludwig Krispenz wrote: On 06/10/2016 05:41 PM, thierry bordaz wrote: On 06/10

[Freeipa-devel] [PATCH] 0020 Enable password change extop to apply on virtual entry like the entry in compat tree

w Uses a target_DN set by the pre-extop callback, instead of the one defined in the LDAP ber req So this review is about the 3rd item. thanks thierry >From fff11869d8cf3dfe98471e018c10926fc23b13da Mon Sep 17 00:00:00 2001 From: Thierry Bordaz <tbor...@redhat.com> Date: Fri, 10 Jun 2

[Freeipa-devel] [PATCH] 0021 slapi-nis should allow password update on a virtual entry

tb1 has different passwd/krbkeys than in step 4 ldappasswd -D "cn=directory manager" -w xxx "uid=tb1,cn=users,cn=*compat*,SUFFIX" -s yyy ldapsearch -LLL -D "cn=directory manager" -w xxx -b "uid=tb1,cn=users,cn=accounts,SUFFIX" userPassword krbP

Re: [Freeipa-devel] [PATCH] 0021 slapi-nis should allow password update on a virtual entry

Thanks Alexander for the review. You are right I forgot to remove those lines during the cleanup. thanks thierry On 06/15/2016 05:54 PM, Alexander Bokovoy wrote: On Wed, 15 Jun 2016, thierry bordaz wrote: From 6cd06b9004f8ab72e13c26742d11ee31d30bbc79 Mon Sep 17 00:00:00 2001 From: Thierry

Re: [Freeipa-devel] [PATCH 0038] Reduced time for IO blocking of DS

On 06/02/2016 09:48 AM, Martin Basti wrote: On 31.05.2016 17:10, Stanislav Laznicka wrote: Hello, This is a fix to https://fedorahosted.org/freeipa/ticket/5383. From the comments I am not sure if nsslapd-idletimeout should be reduced as well. If so, could you please propose a value that

Re: [Freeipa-devel] Provisioning throughput

On 05/25/2016 09:31 PM, Rob Crittenden wrote: thierry bordaz wrote: On 05/25/2016 08:49 PM, Rob Crittenden wrote: thierry bordaz wrote: Hello, Thanks for all the feedbacks. I updated the design accordingly and with additional tests results (http://www.freeipa.org/page/V4

Re: [Freeipa-devel] Provisioning throughput

On 05/26/2016 09:32 AM, Alexander Bokovoy wrote: On Wed, 25 May 2016, Rob Crittenden wrote: thierry bordaz wrote: On 05/25/2016 08:49 PM, Rob Crittenden wrote: thierry bordaz wrote: Hello, Thanks for all the feedbacks. I updated the design accordingly and with additional tests

Re: [Freeipa-devel] Provisioning throughput

On 05/26/2016 12:23 PM, Alexander Bokovoy wrote: On Thu, 26 May 2016, thierry bordaz wrote: The limitation would be to run the provisioning on IPA master. During provisioning, membership attribute will be invalid (memberof not computed). Is it acceptable that IPA master contains invalid

Re: [Freeipa-devel] Provisioning throughput

On 05/26/2016 11:12 AM, Alexander Bokovoy wrote: On Thu, 26 May 2016, thierry bordaz wrote: On 05/25/2016 09:31 PM, Rob Crittenden wrote: thierry bordaz wrote: On 05/25/2016 08:49 PM, Rob Crittenden wrote: thierry bordaz wrote: Hello, Thanks for all the feedbacks. I updated

Re: [Freeipa-devel] Provisioning throughput

On 05/26/2016 11:26 AM, Martin Basti wrote: On 26.05.2016 11:24, thierry bordaz wrote: On 05/26/2016 11:12 AM, Alexander Bokovoy wrote: On Thu, 26 May 2016, thierry bordaz wrote: On 05/25/2016 09:31 PM, Rob Crittenden wrote: thierry bordaz wrote: On 05/25/2016 08:49 PM, Rob

Re: [Freeipa-devel] Provisioning throughput

On 05/31/2016 02:02 PM, Petr Vobornik wrote: On 05/04/2016 02:20 PM, thierry bordaz wrote: Hello, I have been doing some tests/measures using https://github.com/freeipa/freeipa-tools/blob/master/create-test-data.py. The tool creates a set of typical users/hosts/groups

[Freeipa-devel] provisioning and RetroCL/Content_Sync

Hello, The subject of provisioning was discussed https://www.redhat.com/archives/freeipa-devel/2016-May/msg00065.html. The documentation of the provisioning procedure is still going on but reviewing it I have a doubt about RetroCL/Content_Sync. Provisioning will be done with high

Re: [Freeipa-devel] [PATCH] 0020 Enable password change extop to apply on virtual entry like the entry in compat tree

On 06/20/2016 08:27 PM, Alexander Bokovoy wrote: On Tue, 14 Jun 2016, thierry bordaz wrote: From ac6c0617f618fc609df93dc18ec25255484b533d Mon Sep 17 00:00:00 2001 From: Thierry Bordaz <tbor...@redhat.com> Date: Fri, 10 Jun 2016 15:34:40 +0200 Subject: [PATCH] ipapwd_extop should use TAR

[Freeipa-devel] [PATCH] 0022 Topology plugins sigsev/heap corruption when adding a managed host

https://fedorahosted.org/freeipa/ticket/5977 >From e84b475fd863b3dff0af6bcf3b2cb3840bcca1e6 Mon Sep 17 00:00:00 2001 From: root Date: Wed, 22 Jun 2016 16:36:15 +0200 Subject: [PATCH] Topology plugins sigsev/heap corruption when adding a managed

Re: [Freeipa-devel] beware of 389-ds-base-1.3.5.4-1.fc24.x86_64: weird filter/ACI evaluation

On 06/16/2016 10:50 AM, Petr Spacek wrote: On 16.6.2016 10:47, thierry bordaz wrote: On 06/16/2016 06:55 AM, Petr Spacek wrote: Hello, TL;DR version: Upgrade to 389-ds-base-1.3.5.6-1.fc24. I was facing weird filter/ACI evaluation with 389 DS 389-ds-base-1.3.5.4-1.fc24.x86_64. Here is full

Re: [Freeipa-devel] beware of 389-ds-base-1.3.5.4-1.fc24.x86_64: weird filter/ACI evaluation

On 06/16/2016 06:55 AM, Petr Spacek wrote: Hello, TL;DR version: Upgrade to 389-ds-base-1.3.5.6-1.fc24. I was facing weird filter/ACI evaluation with 389 DS 389-ds-base-1.3.5.4-1.fc24.x86_64. Here is full story (written before I realized that DS is old one ...): Test First, let's try

Re: [Freeipa-devel] [PATCH] 0019 - 2 ipapwd_extop should take precedence over default DS plugin

The version DS 1.3.5.6 is now available. Here is the second version of the patch taking into account lower precedence for Schema Compat On 06/13/2016 06:01 PM, Alexander Bokovoy wrote: On Mon, 13 Jun 2016, thierry bordaz wrote: On 06/13/2016 04:57 PM, Alexander Bokovoy wrote: On Mon, 13

Re: [Freeipa-devel] [PATCH] 0017 configure DNA shared config entry to allow connection with GSSAPI

On 01/21/2016 05:04 PM, Martin Babinsky wrote: On 01/21/2016 01:37 PM, thierry bordaz wrote: Hi Thierry, I have couple of comments to your patch: 1.) there is a number of PEP8 errors in the patch (http://paste.fedoraproject.org/313246/33893701), please fix them. See http

Re: [Freeipa-devel] [PATCH] 0017 configure DNA shared config entry to allow connection with GSSAPI

On 02/25/2016 12:03 PM, Martin Babinsky wrote: On 02/24/2016 04:30 PM, thierry bordaz wrote: On 01/21/2016 05:04 PM, Martin Babinsky wrote: On 01/21/2016 01:37 PM, thierry bordaz wrote: Hi Thierry, I have couple of comments to your patch: 1.) there is a number of PEP8 errors

Re: [Freeipa-devel] [PATCH] 0017 configure DNA shared config entry to allow connection with GSSAPI

On 02/25/2016 01:56 PM, Martin Babinsky wrote: On 02/25/2016 12:17 PM, thierry bordaz wrote: On 02/25/2016 12:03 PM, Martin Babinsky wrote: On 02/24/2016 04:30 PM, thierry bordaz wrote: On 01/21/2016 05:04 PM, Martin Babinsky wrote: On 01/21/2016 01:37 PM, thierry bordaz wrote: Hi

Re: [Freeipa-devel] [PATCH] 0017 configure DNA shared config entry to allow connection with GSSAPI

On 02/25/2016 12:03 PM, Martin Babinsky wrote: On 02/24/2016 04:30 PM, thierry bordaz wrote: On 01/21/2016 05:04 PM, Martin Babinsky wrote: On 01/21/2016 01:37 PM, thierry bordaz wrote: Hi Thierry, I have couple of comments to your patch: 1.) there is a number of PEP8 errors

Re: [Freeipa-devel] [PATCH] 0017 configure DNA shared config entry to allow connection with GSSAPI

On 02/26/2016 05:48 PM, Martin Babinsky wrote: On 02/26/2016 04:24 PM, thierry bordaz wrote: On 02/25/2016 07:17 PM, thierry bordaz wrote: On 02/25/2016 12:03 PM, Martin Babinsky wrote: On 02/24/2016 04:30 PM, thierry bordaz wrote: On 01/21/2016 05:04 PM, Martin Babinsky wrote: On 01/21

Re: [Freeipa-devel] [PATCH] 0017 configure DNA shared config entry to allow connection with GSSAPI

On 02/25/2016 07:17 PM, thierry bordaz wrote: On 02/25/2016 12:03 PM, Martin Babinsky wrote: On 02/24/2016 04:30 PM, thierry bordaz wrote: On 01/21/2016 05:04 PM, Martin Babinsky wrote: On 01/21/2016 01:37 PM, thierry bordaz wrote: Hi Thierry, I have couple of comments to your patch: 1

Re: [Freeipa-devel] [PATCH 0022] topology plugin prevents deletes but does not prevent moddn

Hi, The fix look good. Just a question, the target entry is checked with ipa_topo_check_entry_type. Is it equivalent to call ipa_topo_is_entry_managed ? thanks thierry On 01/21/2016 09:11 AM, Ludwig Krispenz wrote: On 01/20/2016 05:45 PM, Martin Basti wrote: On 11.12.2015 13:56, Ludwig

Re: [Freeipa-devel] [PATCH 0022] topology plugin prevents deletes but does not prevent moddn

On 01/21/2016 11:26 AM, Ludwig Krispenz wrote: On 01/21/2016 11:21 AM, thierry bordaz wrote: On 01/21/2016 10:48 AM, Ludwig Krispenz wrote: On 01/21/2016 10:30 AM, thierry bordaz wrote: Hi, The fix look good. Just a question, the target entry is checked with ipa_topo_check_entry_type

Re: [Freeipa-devel] [PATCH 0022] topology plugin prevents deletes but does not prevent moddn

On 01/21/2016 10:48 AM, Ludwig Krispenz wrote: On 01/21/2016 10:30 AM, thierry bordaz wrote: Hi, The fix look good. Just a question, the target entry is checked with ipa_topo_check_entry_type. Is it equivalent to call ipa_topo_is_entry_managed ? no, ipa_topo_check_entry_type() just

Re: [Freeipa-devel] [PATCH] 0017 configure DNA shared config entry to allow connection with GSSAPI

On 01/21/2016 03:46 PM, Martin Kosek wrote: On 01/21/2016 01:37 PM, thierry bordaz wrote: Thanks! Couple comments: I miss ticket number of description. Thanks Martin for looking at it. Ouch... the ticket number is https://fedorahosted.org/freeipa/ticket/4026 Does this patch mean that all

Re: [Freeipa-devel] [PATCH] 0017 configure DNA shared config entry to allow connection with GSSAPI

On 01/21/2016 04:23 PM, Martin Kosek wrote: On 01/21/2016 04:22 PM, thierry bordaz wrote: On 01/21/2016 03:46 PM, Martin Kosek wrote: On 01/21/2016 01:37 PM, thierry bordaz wrote: Thanks! Couple comments: I miss ticket number of description. Thanks Martin for looking at it. Ouch

Re: [Freeipa-devel] [PATCH] 0017 configure DNA shared config entry to allow connection with GSSAPI

On 01/21/2016 05:38 PM, Martin Babinsky wrote: On 01/21/2016 05:22 PM, Rob Crittenden wrote: Martin Babinsky wrote: On 01/21/2016 01:37 PM, thierry bordaz wrote: 6.) +while attempt != MAX_WAIT: +try: +entries = conn.get_entries(sharedcfgdn, scope

Re: [Freeipa-devel] [DESIGN] Kerberos principal alias handling

On 04/11/2016 04:51 PM, Simo Sorce wrote: On Mon, 2016-04-11 at 16:29 +0200, thierry bordaz wrote: On 04/08/2016 05:10 PM, Martin Babinsky wrote: Hi list, I have put together a draft [1] outlining the effort to reimplement the handling of Kerberos principals in both backend and frontend

Re: [Freeipa-devel] [DESIGN] Kerberos principal alias handling

On 04/08/2016 05:10 PM, Martin Babinsky wrote: Hi list, I have put together a draft [1] outlining the effort to reimplement the handling of Kerberos principals in both backend and frontend layers of FreeIPA so that we may have multiple aliases per user, host or service and thus implement

[Freeipa-devel] [PATCH] 0018 DS deadlock when memberof scopes topology plugin updates

https://fedorahosted.org/freeipa/ticket/5637 >From 8da23a1249fe53c4c430869c2bd4646970680672 Mon Sep 17 00:00:00 2001 From: Thierry Bordaz <tbor...@redhat.com> Date: Thu, 17 Mar 2016 12:09:42 +0100 Subject: [PATCH] DS deadlock when memberof scopes topology plugin updates Topology p

Re: [Freeipa-devel] Provisioning throughput

PM, thierry bordaz wrote: On 05/05/2016 03:44 PM, Petr Vobornik wrote: On 05/04/2016 02:20 PM, thierry bordaz wrote: Hello, I have been doing some tests/measures using https://github.com/freeipa/freeipa-tools/blob/master/create-test-data.py. The tool creates a set of typical

[Freeipa-devel] Provisioning throughput

Hello, I have been doing some tests/measures using https://github.com/freeipa/freeipa-tools/blob/master/create-test-data.py. The tool creates a set of typical users/hosts/groups... to import with a ldapadd. I wrote down some finding in

Re: [Freeipa-devel] Provisioning throughput

On 05/05/2016 03:44 PM, Petr Vobornik wrote: On 05/04/2016 02:20 PM, thierry bordaz wrote: Hello, I have been doing some tests/measures using https://github.com/freeipa/freeipa-tools/blob/master/create-test-data.py. The tool creates a set of typical users/hosts/groups

Re: [Freeipa-devel] Provisioning throughput

On 05/05/2016 03:44 PM, Petr Vobornik wrote: On 05/04/2016 02:20 PM, thierry bordaz wrote: Hello, I have been doing some tests/measures using https://github.com/freeipa/freeipa-tools/blob/master/create-test-data.py. The tool creates a set of typical users/hosts/groups

Re: [Freeipa-devel] [PATCH 0195] Create indexes for krbCanonicalName attribute

On 07/22/2016 03:43 PM, Martin Babinsky wrote: On 07/22/2016 02:37 PM, thierry bordaz wrote: Hi Martin, The patch looks good. Just a question krbPrincipalName is caseExactIA5Match but is also indexed caseIgnoreIA5Match. Do you think it would be need for krbCanonicalName as well ? thanks

Re: [Freeipa-devel] [PATCH 0213] support multiple uid values in slapi-nis users map

On 08/10/2016 04:37 PM, thierry bordaz wrote: On 08/10/2016 12:51 PM, Alexander Bokovoy wrote: On Wed, 10 Aug 2016, Alexander Bokovoy wrote: On Wed, 10 Aug 2016, thierry bordaz wrote: On 08/09/2016 01:38 PM, Alexander Bokovoy wrote: On Tue, 09 Aug 2016, thierry bordaz wrote: On 08

Re: [Freeipa-devel] [PATCH] 0024 memory leak in ipapwd plugin

On 08/10/2016 11:24 AM, Alexander Bokovoy wrote: On Wed, 10 Aug 2016, thierry bordaz wrote: From 13bb55f9d97f82062f5b496d4164acb562afc7a0 Mon Sep 17 00:00:00 2001 From: Thierry Bordaz <tbor...@redhat.com> Date: Tue, 9 Aug 2016 16:46:25 +0200 Subject: [PATCH] ipa-pwd-extop memor

Re: [Freeipa-devel] [PATCH 0213] support multiple uid values in slapi-nis users map

On 08/10/2016 12:51 PM, Alexander Bokovoy wrote: On Wed, 10 Aug 2016, Alexander Bokovoy wrote: On Wed, 10 Aug 2016, thierry bordaz wrote: On 08/09/2016 01:38 PM, Alexander Bokovoy wrote: On Tue, 09 Aug 2016, thierry bordaz wrote: On 08/09/2016 12:49 PM, Martin Basti wrote

Re: [Freeipa-devel] [PATCH] 0024 memory leak in ipapwd plugin

On 08/10/2016 07:19 PM, Alexander Bokovoy wrote: On Wed, 10 Aug 2016, thierry bordaz wrote: On 08/10/2016 11:24 AM, Alexander Bokovoy wrote: On Wed, 10 Aug 2016, thierry bordaz wrote: From 13bb55f9d97f82062f5b496d4164acb562afc7a0 Mon Sep 17 00:00:00 2001 From: Thierry Bordaz <t

[Freeipa-devel] [PATCH] 0024 memory leak in ipapwd plugin

>From 13bb55f9d97f82062f5b496d4164acb562afc7a0 Mon Sep 17 00:00:00 2001 From: Thierry Bordaz <tbor...@redhat.com> Date: Tue, 9 Aug 2016 16:46:25 +0200 Subject: [PATCH] ipa-pwd-extop memory leak during passord update During an extend op password update, there is a test if the user is

Re: [Freeipa-devel] [PATCH 0213] support multiple uid values in slapi-nis users map

On 08/09/2016 01:38 PM, Alexander Bokovoy wrote: On Tue, 09 Aug 2016, thierry bordaz wrote: On 08/09/2016 12:49 PM, Martin Basti wrote: On 08.08.2016 17:30, thierry bordaz wrote: On 08/08/2016 05:20 PM, Alexander Bokovoy wrote: On Mon, 08 Aug 2016, thierry bordaz wrote: On 08/08

Re: [Freeipa-devel] [PATCH] 0023 Bug in the ipapwd plugin

On 07/13/2016 10:02 PM, Lukas Slebodnik wrote: On (13/07/16 16:50), thierry bordaz wrote: https://fedorahosted.org/freeipa/ticket/6030 >From 4efedc5e674db92f9f7c160429df543422ed8afb Mon Sep 17 00:00:00 2001 From: Thierry Bordaz <tbor...@redhat.com> Date: Wed, 13 Jul 2016 15:34

Re: [Freeipa-devel] [PATCH 0213] support multiple uid values in slapi-nis users map

On 08/08/2016 05:20 PM, Alexander Bokovoy wrote: On Mon, 08 Aug 2016, thierry bordaz wrote: On 08/08/2016 04:20 PM, Alexander Bokovoy wrote: On Mon, 08 Aug 2016, thierry bordaz wrote: On 08/08/2016 10:56 AM, Alexander Bokovoy wrote: On Mon, 08 Aug 2016, Lukas Slebodnik wrote: On (08

Re: [Freeipa-devel] [PATCH 0213] support multiple uid values in slapi-nis users map

On 08/08/2016 04:20 PM, Alexander Bokovoy wrote: On Mon, 08 Aug 2016, thierry bordaz wrote: On 08/08/2016 10:56 AM, Alexander Bokovoy wrote: On Mon, 08 Aug 2016, Lukas Slebodnik wrote: On (08/08/16 11:35), Alexander Bokovoy wrote: On Mon, 08 Aug 2016, Martin Basti wrote: On 08.08.2016

Re: [Freeipa-devel] [PATCH 0213] support multiple uid values in slapi-nis users map

On 08/09/2016 12:49 PM, Martin Basti wrote: On 08.08.2016 17:30, thierry bordaz wrote: On 08/08/2016 05:20 PM, Alexander Bokovoy wrote: On Mon, 08 Aug 2016, thierry bordaz wrote: On 08/08/2016 04:20 PM, Alexander Bokovoy wrote: On Mon, 08 Aug 2016, thierry bordaz wrote: On 08/08

Re: [Freeipa-devel] [PATCH] ipa_pwd_extop: Fix warning declaration shadows previous

On 08/05/2016 02:16 PM, Lukas Slebodnik wrote: ehlo, attached patches fixes few compiler warnings in ipa-extop. Sorry for not following naming convention for patches. But I do not remeber my numer and you will use github/pagure anyway. LS Hi Lukas,

Re: [Freeipa-devel] [PATCH] ipa_pwd_extop: Fix warning declaration shadows previous

On 08/08/2016 01:56 PM, Lukas Slebodnik wrote: On (08/08/16 13:30), thierry bordaz wrote: On 08/05/2016 02:16 PM, Lukas Slebodnik wrote: ehlo, attached patches fixes few compiler warnings in ipa-extop. Sorry for not following naming convention for patches. But I do not remeber my numer

Re: [Freeipa-devel] [PATCH 0196] baseldap: Fix MidairCollision instantiation during entry modification

On 08/05/2016 01:33 PM, thierry bordaz wrote: On 07/26/2016 05:22 PM, Alexander Bokovoy wrote: On Tue, 26 Jul 2016, Martin Babinsky wrote: Fix for https://fedorahosted.org/freeipa/ticket/6097 Since this issue was found during investigation of other ticket[1], you can test

Re: [Freeipa-devel] [PATCH 0213] support multiple uid values in slapi-nis users map

On 08/08/2016 10:56 AM, Alexander Bokovoy wrote: On Mon, 08 Aug 2016, Lukas Slebodnik wrote: On (08/08/16 11:35), Alexander Bokovoy wrote: On Mon, 08 Aug 2016, Martin Basti wrote: On 08.08.2016 09:34, Alexander Bokovoy wrote: > When SSSD resolves AD users on behalf of slapi-nis, it can

Re: [Freeipa-devel] [PATCH 0195] Create indexes for krbCanonicalName attribute

Hi Martin, The patch looks good. Just a question krbPrincipalName is caseExactIA5Match but is also indexed caseIgnoreIA5Match. Do you think it would be need for krbCanonicalName as well ? thanks thierry On 07/22/2016 01:27 PM, Martin Babinsky wrote:

Re: [Freeipa-devel] [PATCH] pwpolicy: Do not expire passwords when maxlife is set to 0 (infinity).

On 07/01/2016 10:46 AM, David Kupka wrote: Hello Thierry! Thanks for looking into it. I will try to answer your questions and comments inline. On 01/07/16 10:26, thierry bordaz wrote: Hi David, The patch looks good but being not familiar with that code, my comments may be absolutely

Re: [Freeipa-devel] [PATCH] pwpolicy: Do not expire passwords when maxlife is set to 0 (infinity).

Hi David, The patch looks good but being not familiar with that code, my comments may be absolutely wrong In ipadb_get_pwd_expiration, if it is not 'self' we set '*export=mod_time'. If for some reason 'mod_time==0', it has now a specific meaning 'not expiring' . Does it match the comment '*

Re: [Freeipa-devel] [PATCH] pwpolicy: Do not expire passwords when maxlife is set to 0 (infinity).

On 07/01/2016 11:31 AM, David Kupka wrote: On 01/07/16 11:22, thierry bordaz wrote: On 07/01/2016 10:46 AM, David Kupka wrote: Hello Thierry! Thanks for looking into it. I will try to answer your questions and comments inline. On 01/07/16 10:26, thierry bordaz wrote: Hi David

Re: [Freeipa-devel] [PATCH 0213] support multiple uid values in slapi-nis users map

On 08/23/2016 12:41 PM, Petr Vobornik wrote: On 08/10/2016 05:27 PM, thierry bordaz wrote: On 08/10/2016 04:37 PM, thierry bordaz wrote: On 08/10/2016 12:51 PM, Alexander Bokovoy wrote: On Wed, 10 Aug 2016, Alexander Bokovoy wrote: On Wed, 10 Aug 2016, thierry bordaz wrote: On 08/09

Re: [Freeipa-devel] GetEffectiveRights and add ACIs

provide GER a bit of information eg objectclass of the new entry, so that the existing aci would be selected. Maybe can_add can be extended. Ludwig On 01/13/2017 09:12 AM, thierry bordaz wrote: Hi Fraser, I failed to reproduce you test case, I mean the aci granted the add right to a group

<    1   2   3   4   >