Re: [Freeipa-devel] URI in HBAC - design page

2016-03-24 Thread Adam Young
On 03/24/2016 05:43 AM, Jan Pazdziora wrote: On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote: I created a design page for the feature: http://www.freeipa.org/page/URI-based-HBAC-design I try to put separate areas of concerns into separate emails to make it easy to keep

Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-12 Thread Adam Young
On 06/12/2015 03:40 PM, Nathaniel McCallum wrote: It doesn't apply again. On Tue, 2015-06-09 at 15:55 +0200, Christian Heimes wrote: On 2015-05-27 15:16, Christian Heimes wrote: Hello, here is my first patch for FreeIPA. The patch integrates python -kdcproxy for MS-KKDCP support (aka

Re: [Freeipa-devel] Community Portal Milestone

2015-06-12 Thread Adam Young
On 06/12/2015 03:34 PM, Drew Erny wrote: Hey, all, What fields, exactly, should a self-service user be able to enter? Thanks, Drew Erny Start with the minimum: First and Last name, email address. The userid is automatically assigned based on their name, and there is a high likelihood

Re: [Freeipa-devel] WebUI documentation

2015-06-11 Thread Adam Young
On 06/11/2015 01:58 PM, Drew Erny wrote: I'm looking for documentation that provides a broader overview of the way the WebUI fits together and works. I have the source, of course, and I've been through Petr Voborni's documentation found at https://pvoborni.fedorapeople.org/doc/. That

Re: [Freeipa-devel] Community Portal Milestone

2015-06-09 Thread Adam Young
On 06/09/2015 06:34 PM, Simo Sorce wrote: On Tue, 2015-06-09 at 16:15 -0400, Drew Erny wrote: Hey, Freeipa, same thread new subtopic. So, I was bouncing some ideas around with another developer (ayoung) and I think I have a pretty good idea for self-service user registration. The idea is that

Re: [Freeipa-devel] Community Portal Milestone

2015-06-09 Thread Adam Young
On 06/09/2015 04:44 PM, Alexander Bokovoy wrote: On Tue, 09 Jun 2015, Drew Erny wrote: Hey, Freeipa, same thread new subtopic. So, I was bouncing some ideas around with another developer (ayoung) and I think I have a pretty good idea for self-service user registration. The idea is that I

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-29 Thread Adam Young
On 05/28/2015 01:29 AM, Jan Cholasta wrote: Dne 27.5.2015 v 15:51 Nathaniel McCallum napsal(a): On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote: Dne 27.5.2015 v 15:43 Simo Sorce napsal(a): On Wed, 2015-05-27 at 13:57 +0200, Jan Cholasta wrote: ipa config-mod

Re: [Freeipa-devel] Suggestion for the A part of IPA

2015-04-28 Thread Adam Young
On 04/28/2015 11:58 AM, Innes, Duncan wrote: Folks, The A part of IPA has always been of great interest to me. Our current IPA infrastructure works well at the I & P parts, giving us great failover abilities and connectivity through hardware firewalls without punching too many holes. Whilst

Re: [Freeipa-devel] Use sessions for mod_auth_gssapi ?

2015-03-30 Thread Adam Young
On 03/30/2015 11:52 AM, Simo Sorce wrote: Since we now merged in a change from mod_auth_kerb to mod_auth_gssapi I was wondering if we want to press further and enable by default the use of native mod_auth_gssapi sessions? The old mod_auth_kerb didn't have this feature so, in order to have

Re: [Freeipa-devel] SSH Public Key - Centralized Solution

2015-01-05 Thread Adam Young
On 01/05/2015 04:47 AM, Petr Vobornik wrote: Enforcing these restrictions could be solved by a 389 plugin but that requires more work (from my POV). Agreed. I don't think it can be properly done without the 389 plugin.

Re: [Freeipa-devel] SSH Public Key - Centralized Solution

2014-12-23 Thread Adam Young
On 12/22/2014 08:40 PM, Prashant Bapat wrote: Hi, We are planning to roll out FreeIPA for our AWS infrastructure to be the central authentication service. Initially we plan to use the SSH public keys, user and group management by FreeIPA. We are looking at rolling out the SSS on clients a

Re: [Freeipa-devel] Features for F22

2014-12-12 Thread Adam Young
On 12/12/2014 07:33 AM, Joe Brockmeier wrote: On 12/12/2014 03:15 AM, Kushal Das wrote: It is time again to start discussion on the new features we want to work for Fedora 22 release. The release schedule can be found at [1]. Please reply to this thread with the ideas you think will fit to

Re: [Freeipa-devel] Client-side command in the IPA framework

2014-03-01 Thread Adam Young
On 02/28/2014 10:21 AM, Petr Viktorin wrote: On 02/28/2014 04:15 PM, Alexander Bokovoy wrote: On Fri, 28 Feb 2014, Nathaniel McCallum wrote: On Fri, 2014-02-28 at 16:43 +0200, Alexander Bokovoy wrote: On Fri, 28 Feb 2014, Nathaniel McCallum wrote: On Fri, 2014-02-28 at 10:47 +0100, Petr

Re: [Freeipa-devel] Web services in freeIPA

2014-02-10 Thread Adam Young
On 02/07/2014 04:33 AM, Alexandre Santos wrote: Hi Martin, I´ve tried your example and i get this error: curl -v \ -H Content-Type:application/json \ -H Accept:applicaton/json\ --negotiate -u : \ --delegation always \ --cacert /etc/ipa/ca.crt \

Re: [Freeipa-devel] FreeIPA ConnId connector for usage with Apache Syncope

2014-02-03 Thread Adam Young
On 01/31/2014 05:03 AM, Martin Kosek wrote: On 01/31/2014 10:45 AM, Francesco Chicchiriccò wrote: On 30/01/2014 19:25, Dmitri Pal wrote: On 01/30/2014 11:35 AM, Francesco Chicchiriccò wrote: ... To call into IPA you can use ipa ... command line or use out API from python client. Since you

Re: [Freeipa-devel] ANNOUNCE: kdcproxy 0.1.1 released

2014-01-24 Thread Adam Young
Nicely done. What is the relationship to this and the Code Robby wrote last summer? I assume it was the basis for this effort? On 01/21/2014 05:19 PM, Nathaniel McCallum wrote: kdcproxy contains a WSGI module for proxying KDC requests over HTTP by following the MS-KKDCP protocol. It aims

Re: [Freeipa-devel] Building FreeIPA on Debian Unstable

2013-12-06 Thread Adam Young
And...that was pretty much as far as I got. with the updated repo + updates from the ppa the build succeeds but tests fail, and those are harder for me to parse. Full build log at http://pastebin.com/G40VMENn Your first error is: Failure: ImportError (No module named samba) ... ERROR

Re: [Freeipa-devel] [PATCH] Fix python setup tools license tags

2013-12-05 Thread Adam Young
it ? There were Red Hat¹ contributors only so far: $ for file in install/ui/{src/freeipa/aci.js,test/aci_tests.js,test/widget_tests.js}; do git log --follow --raw $file; done | grep ^Author: | sort | uniq Author: Adam Young ayo...@redhat.com Author: Endi S. Dewata edew...@redhat.com Author: Endi

[Freeipa-devel] Building FreeIPA on Debian Unstable

2013-10-31 Thread Adam Young
I'm about to take off for a week, and want to make sure that I don't lose the momentum I've put in so far. I spent a good portion of yesterday and today trying to get a Debian build going, and I think that this is worth sharing with the larger team. Since FreeIPA has been RPM focused thus

Re: [Freeipa-devel] DNS views in FreeIPA again

2013-10-04 Thread Adam Young
On 10/01/2013 04:45 AM, Petr Spacek wrote: On 23.9.2013 19:06, Dmitri Pal wrote: On 09/23/2013 10:25 AM, Petr Spacek wrote: On 20.9.2013 19:29, Dmitri Pal wrote: 5) Met with James (the blogger) and the community guy who created puppet scripts for IPA. He was trying to convince me that we

Re: [Freeipa-devel] [SSSD] FreeIPA on Debian

2013-09-03 Thread Adam Young
As a possible approach to getting things started, would it be possible to use Alien and a JEOS install to get the FreeIPA server running on a Debian system, and then work on converting over the dependencies one at a time? It seems like there are likely to be a series of Debian vs Fedora

[Freeipa-devel] FreeIPA and Dogtag support for User Certificates in OpenStack Keystone

2013-08-26 Thread Adam Young
Keystone needs signing certificates for Signing PKI tokens. In addition, CERN has developed an approach that allows user to authenticate to Keystone via X509 for batch jobs. This requires Client Certs. Both of these use cases are easily supported by Dogtag, but not exposed via FreeIPA

Re: [Freeipa-devel] Dojo and Web UI in 3.2

2012-11-07 Thread Adam Young
also wrote there short reviews of various JavaScript frameworks. https://etherpad.openstack.org/webui-idm On 11/01/2012 03:01 PM, Adam Young wrote: On 11/01/2012 09:25 AM, Petr Vobornik wrote: On 10/31/2012 11:13 PM, Dmitri Pal wrote: On 10/30/2012 01:20 PM, Petr Vobornik wrote: On 10/30

Re: [Freeipa-devel] Dojo and Web UI in 3.2

2012-11-01 Thread Adam Young
On 11/01/2012 09:25 AM, Petr Vobornik wrote: On 10/31/2012 11:13 PM, Dmitri Pal wrote: On 10/30/2012 01:20 PM, Petr Vobornik wrote: On 10/30/2012 06:48 AM, Endi Sukma Dewata wrote: On 10/29/2012 4:27 AM, Petr Vobornik wrote: Hi, I would like to make a bigger change in Web UI. Basically I

Re: [Freeipa-devel] python kerberos problems (forms based auth)

2012-02-21 Thread Adam Young
I got so frustrated with kerberos options for Python I started writing a new MIT Kerberos Python binding in my spare time. It's pythonic, meaning it supports all the basic python operations you expect such as genuine classes that encapsulate a genuine Kerberos object, properties, iteration,

Re: [Freeipa-devel] [ui-devel-tool] Updating and creating Web UI .json files

2012-01-13 Thread Adam Young
On 01/13/2012 11:09 AM, Petr Vobornik wrote: I have created a helper tool (script) for updating install/ui/test/data/*.json files which are used for offline presentation of FreeIPA Web UI. So I'm sharing it as it might be useful for others. Main purpose: * updating ipa_init*.json files

Re: [Freeipa-devel] Translation to French for freeipa completed

2012-01-04 Thread Adam Young
On 01/02/2012 11:41 AM, Jérôme Fenal wrote: Hi all, I'm glad to announce that the French translation for FreeIPA software has been completed, as on Transifex, except for 21 strings related to entitlement.py. Given the recent developments, I'm not sure it is 100% up to date with current

Re: [Freeipa-devel] session authentication URI issues

2011-12-22 Thread Adam Young
On 12/21/2011 02:07 PM, John Dennis wrote: For your holiday reading pleasure :-) Happy holidays to all. To answer a couple questions are

Re: [Freeipa-devel] [PATCH] 0294 remove delegation from browser config

2011-12-22 Thread Adam Young
On 12/21/2011 10:18 AM, Simo Sorce wrote: On Wed, 2011-12-21 at 17:16 +0200, Alexander Bokovoy wrote: On Wed, 21 Dec 2011, Petr Vobornik wrote: On 12/20/2011 10:06 PM, Adam Young wrote: Hold this patch until all of the S4U2 code is pushed, otherwise it will break the WebUI assuming

[Freeipa-devel] [PATCH] 0294 remove delegation from browser config

2011-12-20 Thread Adam Young
Hold this patch until all of the S4U2 code is pushed, otherwise it will break the WebUI From 90a087720f939e61a1f4fdf99e4a100161e1c5c8 Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Tue, 20 Dec 2011 11:58:01 -0500 Subject: [PATCH] Remove delegation from browser config

Re: [Freeipa-devel] Merging dogtag and ipa databases

2011-12-19 Thread Adam Young
On 12/19/2011 03:52 PM, Simo Sorce wrote: On Mon, 2011-12-19 at 11:49 -0500, Dmitri Pal wrote: On 12/19/2011 11:11 AM, Ade Lee wrote: Hi all, Based on conversations with Adam, Simo and Rob, here are some thoughts on $subject: http://pki.fedoraproject.org/wiki/Merging_IPA_and_Dogtag_Databases

Re: [Freeipa-devel] Multitenancy in FreeIPA

2011-12-16 Thread Adam Young
On 12/15/2011 07:09 PM, Dmitri Pal wrote: On 12/15/2011 12:24 PM, Adam Young wrote: When updating IPA, schema changes need to be applied to each of the tenant trees. API Each of the RPCs need to allow an optional parameter tenant. Members of the original domain with an appropriate

[Freeipa-devel] Multitenancy in FreeIPA

2011-12-15 Thread Adam Young
This is a first attempt to write up an approach for multitenancy in IPA. Please provide feedback. I've attached the document as well, as that should be easier to read. Description Multi-tenancy is an aspect of Identity Management (IdM) where multiple parties use the same resource without

Re: [Freeipa-devel] Multitenancy in FreeIPA

2011-12-15 Thread Adam Young
The directory will no longer be world readable. Instead, ACIs will limit the user's ability to read only the subtree in which they are enrolled. LDAP operations will require an authenticated bind. When updating IPA, schema changes need to be applied to each of the tenant trees. API

Re: [Freeipa-devel] [PATCH] 051 Search facets show translated boolean values

2011-12-05 Thread Adam Young
On 12/05/2011 12:27 PM, Endi Sukma Dewata wrote: On 12/5/2011 9:37 AM, Petr Vobornik wrote: Created format method for getting translated messages for boolean values - IPA.boolean_column_format. Used in hosts, sudo rules, hbac rules. https://fedorahosted.org/freeipa/ticket/2027 The patch

Re: [Freeipa-devel] Tomcat Realms and Directory Server

2011-12-02 Thread Adam Young
wants to talk to the PKI server directly, and provide an exception for IPA to do the work it needs for requesting certificates On the Tomcat side, we would still do JNDI LDAP for getting the Subjects, just using the principal forwarded from AJP. On Tue, 2011-11-08 at 13:10 -0500, Adam

Re: [Freeipa-devel] [PATCH] 32-47 #2040, #1515 Refactor UI widgets

2011-12-01 Thread Adam Young
On 12/01/2011 10:02 AM, Petr Vobornik wrote: Attaching patch for unit tests. Couple of widget tests still fail. They raise couple questions: 1) Should widget expect that array of values like ['value'] will be always passed to update(values) method or the update method should also work with

Re: [Freeipa-devel] Activation and password reset webapp UI

2011-11-29 Thread Adam Young
On 11/29/2011 08:57 PM, Ryan Thomson wrote: Hi Endi, Thanks for reviewing the patch. Looks like I have some work to do. 1-2) I have to admit I didn't even try building with these patches. I was pretty sure install/Makefile.am would need modification to install it but I didn't know if

[Freeipa-devel] Putting the A in IPA

2011-11-18 Thread Adam Young
So the crazy systemd folks are at it again: https://docs.google.com/document/pub?id=1IC9yOXj7j6cdLLxWEBAGRL6wl97tFxgjLUEHIX3MSTspli=1 This is a re implementation of logging much the way the systemd was a reimplementation of init. Assume that it is going to get implemented, does this give

Re: [Freeipa-devel] [PATCH] 312 Refactored permission target section.

2011-11-14 Thread Adam Young
On 11/14/2011 11:27 AM, Endi Sukma Dewata wrote: The permission target section has been modified to use widgets to create the target selection and handle multiple fields. Ticket #2098

Re: [Freeipa-devel] [PATCH] 313 Removed develop.js.

2011-11-14 Thread Adam Young
On 11/14/2011 04:35 PM, Endi Sukma Dewata wrote: On 11/14/2011 10:37 AM, Endi Sukma Dewata wrote: The develop.js is no longer necessary because the code in it has been merged into the main code. An empty extension.js has been added to provide a place for UI customization. Ticket #2099

Re: [Freeipa-devel] Ticket #1976 - Tab color groups

2011-11-10 Thread Adam Young
I like. On 11/10/2011 03:00 PM, Kyle Baker wrote: Attached a mockup which shows each tab in a color set. This offers a quick visual reference as to the tab groupings. Also I have shown settings to the right as this is inconsistent amongst the different sections of the tool. Setting should

Re: [Freeipa-devel] Ticket #1976 - Tab color groups

2011-11-10 Thread Adam Young
On 11/10/2011 04:23 PM, Endi Sukma Dewata wrote: On 11/10/2011 2:00 PM, Kyle Baker wrote: Attached a mockup which shows each tab in a color set. This offers a quick visual reference as to the tab groupings. The colored tab looks good. What are the color settings? Suppose we have more than 3

Re: [Freeipa-devel] LDAPS for the IPA LDAP server?

2011-11-08 Thread Adam Young
On 11/08/2011 08:43 AM, Rob Crittenden wrote: Stephen Gallagher wrote: On Mon, 2011-11-07 at 21:24 -0500, Adam Young wrote: I noticed that the PKI Directory server has a secure port set but the IPA DS instance does not: PKI nsslapd-secureport: 7390 Why doesn't IPA set up ldaps on port 636

[Freeipa-devel] Tomcat Realms and Directory Server

2011-11-08 Thread Adam Young
One issue I have been looking at recently is how to integrate PKI and IPA at the auth level while keeping a clean separation. We can extract the authentication from the servlet code, so it is purely a matter of configuring the Tomcat instance Realm. I wrote up a Proof of concept for just

[Freeipa-devel] LDAPS for the IPA LDAP server?

2011-11-07 Thread Adam Young
I noticed that the PKI Directory server has a secure port set but the IPA DS instance does not: PKI nsslapd-secureport: 7390 Why doesn't IPA set up ldaps on port 636?

Re: [Freeipa-devel] [PATCH] 307 Added extensible UI framework.

2011-11-04 Thread Adam Young
On 11/04/2011 12:10 PM, Petr Vobornik wrote: On 11/04/2011 04:37 AM, Endi Sukma Dewata wrote: The entity definitions have been converted into classes. The entity init() method will use the builder to construct the facets and dialogs. The UI can be customized by creating a subclass of the

Re: [Freeipa-devel] Unifying the PKI and IPA Directory Server instances

2011-11-03 Thread Adam Young
On 11/03/2011 12:56 AM, Simo Sorce wrote: On Wed, 2011-11-02 at 20:25 -0400, Adam Young wrote: On 11/02/2011 06:19 PM, Rob Crittenden wrote: Simo Sorce wrote: On Wed, 2011-11-02 at 16:44 -0400, Ade Lee wrote: On Wed, 2011-11-02 at 16:03 -0400, Adam Young wrote: [...] So, a user becomes

Re: [Freeipa-devel] Unifying the PKI and IPA Directory Server instances

2011-11-03 Thread Adam Young
On 11/03/2011 11:00 AM, Ade Lee wrote: On Thu, 2011-11-03 at 09:20 -0400, Adam Young wrote: On 11/03/2011 12:56 AM, Simo Sorce wrote: On Wed, 2011-11-02 at 20:25 -0400, Adam Young wrote: On 11/02/2011 06:19 PM, Rob Crittenden wrote: Simo Sorce wrote: On Wed, 2011-11-02 at 16:44 -0400, Ade

Re: [Freeipa-devel] Unifying the PKI and IPA Directory Server instances

2011-11-03 Thread Adam Young
On 11/03/2011 11:30 AM, Andrew Wnuk wrote: On 11/02/2011 03:19 PM, Rob Crittenden wrote: Simo Sorce wrote: On Wed, 2011-11-02 at 16:44 -0400, Ade Lee wrote: On Wed, 2011-11-02 at 16:03 -0400, Adam Young wrote: [...] So, a user becomes an agent on the ca by having a certificate in the user

Re: [Freeipa-devel] Nesting widgets

2011-11-02 Thread Adam Young
This sounds pretty good. I think it is the right approach. On 11/01/2011 09:11 PM, Endi Sukma Dewata wrote: So I decided to try to get an IP Address widget working. See the attached patch. It was fairly trivial. However, this widget is not really all that useful by itself. It would

Re: [Freeipa-devel] Unifying the PKI and IPA Directory Server instances

2011-11-02 Thread Adam Young
To clarify: there are two types of Data stored in the PKI CA DS instances. One is Users and groups (IdM), and the other is certificates and requests. The CA currently administers its own users: creates, add deletes, add privs and so forth. If we extract the IdM objects from the CA

Re: [Freeipa-devel] Unifying the PKI and IPA Directory Server instances

2011-11-02 Thread Adam Young
On 11/02/2011 06:19 PM, Rob Crittenden wrote: Simo Sorce wrote: On Wed, 2011-11-02 at 16:44 -0400, Ade Lee wrote: On Wed, 2011-11-02 at 16:03 -0400, Adam Young wrote: [...] So, a user becomes an agent on the ca by having a certificate in the user record and being a member of the relevant

[Freeipa-devel] Unifying the PKI and IPA Directory Server instances

2011-11-01 Thread Adam Young
We had a brief discussion on unifying the PKI and IPA Directory Server instances. Here are my notes from it. Please fill out the details and correct me if I've mis-stated anything below. Issues: 1. Both make changes to Config. One identified conflict is the configuration of the

Re: [Freeipa-devel] Unifying the PKI and IPA Directory Server instances

2011-11-01 Thread Adam Young
On 11/01/2011 12:12 PM, Adam Young wrote: We had a brief discussion on unifying the PKI and IPA Directory Server instances. Here are my notes from it. Please fill out the details and correct me if I've mis-stated anything below. Issues: 1. Both make changes to Config. One

[Freeipa-devel] [PATCH] 0293-Add-priority-to-pwpolicy-list

2011-11-01 Thread Adam Young
From e5ba2e46e50cac4f1fe7f86ad7dcee42518f985c Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Tue, 1 Nov 2011 12:51:05 -0400 Subject: [PATCH] Add priority to pwpolicy list First step to solving https://fedorahosted.org/freeipa/ticket/1977 --- install/ui/policy.js |2

Re: [Freeipa-devel] Extending the IPA-API

2011-10-31 Thread Adam Young
On 10/27/2011 08:40 PM, Endi Sukma Dewata wrote: On 10/27/2011 10:59 AM, Adam Young wrote: The web UI can implement a similar mechanism. We do not want end sites modifying the .js files shipped with the IPA server RPM, otherwise, they could inject columns and fields there, but they would

Re: [Freeipa-devel] [PATCH] 028 Code cleanup of HBAC, Sudo rules

2011-10-28 Thread Adam Young
On 10/27/2011 08:55 PM, Endi Sukma Dewata wrote: On 10/27/2011 6:39 PM, Adam Young wrote: We might need to distinguish 2 different usages of 'entity'. The first one represents a collection of entries: Call that an instance. Entity is the term that is the analogue of Class Not sure I

[Freeipa-devel] Extending the IPA-API

2011-10-27 Thread Adam Young
We had a pretty good discussion about the approach we are looking at to allow end sites to extend their IPA implementations without getting in the way of upgrades etc. Here are some of the things I took away from that meeting. We want to maintain the namespace as it is. A site might decide

Re: [Freeipa-devel] [PATCH] 028 Code cleanup of HBAC, Sudo rules

2011-10-27 Thread Adam Young
On 10/27/2011 05:51 PM, Endi Sukma Dewata wrote: On 10/27/2011 8:39 AM, Petr Vobornik wrote: But still I think it would be better to be able to get container (facet/dialog) for a widget. As you wrote, that.entity.get_facet() may not always be what we want. One possibility is to convert the

[Freeipa-devel] Keytab for talking to PKI CA from IPA

2011-10-24 Thread Adam Young
When setting up replication, it should not be necessary to cache any passwords, anywhere, until the replication agreements are set up, and then, all caching should be using known secure mechanisms. The two main repositories we care about are the Directory Server instances managed by IPA and

[Freeipa-devel] Keytab for talking to PKI CA from IPA

2011-10-24 Thread Adam Young
When setting up replication, it should not be necessary to cache any passwords, anywhere, until the replication agreements are set up, and then, all caching should be using known secure mechanisms. The two main repositories we care about are the Directory Server instances managed by IPA and

[Freeipa-devel] [PATHC] 0291-show-enrollment-time-for-host.patch

2011-10-21 Thread Adam Young
From c91971b54b322b1fcc0b8d269b09dc185addfc81 Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Fri, 21 Oct 2011 16:11:23 -0400 Subject: [PATCH] show enrollment time for host --- install/ui/host.js |1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/install

Re: [Freeipa-devel] [PATHC] 0291-show-enrollment-time-for-host.patch

2011-10-21 Thread Adam Young
On 10/21/2011 04:12 PM, Adam Young wrote: This is the better approach. If ACKing, please specify 290 or 291 From

Re: [Freeipa-devel] Nesting widgets

2011-10-19 Thread Adam Young
Reposting to bring this discussion back to life. We started having it on IRC. On 09/28/2011 08:38 PM, Adam Young wrote: So I decided to try to get an IP Address widget working. See the attached patch. It was fairly trivial. However, this widget is not really all that useful by itself

Re: [Freeipa-devel] [PATCH] 120 Improve DNS record data validation

2011-10-19 Thread Adam Young
On 10/19/2011 08:15 AM, Martin Kosek wrote: On Wed, 2011-09-07 at 15:18 +0200, Martin Kosek wrote: On Wed, 2011-09-07 at 15:05 +0200, Martin Kosek wrote: This is 3.0 Core Effort Backlog patch. The changes to API may look scary, but it should be OK, I just added validators and normalizers. I

Re: [Freeipa-devel] [PATCH] 023 Circular entity dependency

2011-10-18 Thread Adam Young
On 10/18/2011 02:25 PM, Endi Sukma Dewata wrote: On 10/18/2011 10:52 AM, Petr Vobornik wrote: 3. Another goal is to replace entity names used in spec (see other_entity nested_entity spec properties) with the actual entity objects. In this case it might be better to use the loops described

Re: [Freeipa-devel] change to interface used to provide certificates

2011-10-16 Thread Adam Young
On 10/14/2011 11:23 PM, John Dennis wrote: I've been fixing a bug in the web UI when we retrieve a certificate. The data that's displayed cannot be copied and used with any other certificate (i.e. x509) software, openssl and NSS being prime examples. The crux of the problem is it's not in a

Re: [Freeipa-devel] Handling certificates in JSON/XML-RPC

2011-10-14 Thread Adam Young
On 10/14/2011 09:28 AM, John Dennis wrote: [ I had a private email exchange with Rob concerning ticket 1201, we've had a long standing issue with how certificates are exchanged because in LDAP they are binary values. I told Rob I had a proof of concept working and Rob sent me a code snippet

[Freeipa-devel] Requirements for User Certificates in IPA

2011-10-13 Thread Adam Young
Each IPA user will have the ability to request a cryptographic certificate. The primary usage for user certificates is for authentication in cases where Kerberos is not an option: Across firewalls and cases where cross domain trust has not been established. There are a range of options for

[Freeipa-devel] [PATCH] 0290-rolegroup-to-role

2011-10-13 Thread Adam Young
From 73af7db2fafb33dcdf0ad22b6837e961dc92271f Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Thu, 13 Oct 2011 14:48:55 -0400 Subject: [PATCH] rolegroup to role Fixes the webui for the case where a user is not admin but has a role. In that case, the UI should show the full

Re: [Freeipa-devel] [PATCHES] 0287 and 0288 for Proxy upgrade

2011-10-07 Thread Adam Young
On 10/06/2011 10:21 PM, Rob Crittenden wrote: Adam Young wrote: Not yet ready for prime time. I've tested the changes to updateinstance by hand, so I know they work. I'm having problems with the python import setup. RPM build fails with: install/tools/ipa-upgradeconfig:36: [F0401] Unable

Re: [Freeipa-devel] [PATCH] 021 Split Web UI initialization to several smaller calls

2011-10-07 Thread Adam Young
On 10/07/2011 11:55 AM, Petr Vobornik wrote: https://fedorahosted.org/freeipa/ticket/1933 based on ayoung-0286-split-metadata-call Web UI init method was modified to get initialization data in 3 calls. First call remains the same as before except that the json_metadata command was removed.

Re: [Freeipa-devel] [PATCHES] 0287 and 0288 for Proxy upgrade

2011-10-07 Thread Adam Young
On 10/07/2011 02:42 PM, Rob Crittenden wrote: Adam Young wrote: On 10/06/2011 10:21 PM, Rob Crittenden wrote: Adam Young wrote: Not yet ready for prime time. I've tested the changes to updateinstance by hand, so I know they work. I'm having problems with the python import setup. RPM build

[Freeipa-devel] [PATCH] 0286-split-metadata-call

2011-10-06 Thread Adam Young
Even if ACKed, don't push this patch alone. It is part of some work that Petr V is going to be doing as part of fixing https://fedorahosted.org/freeipa/ticket/1933. From b5b93109a9035557770f0959e21f4310bac5b7ba Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Thu, 6 Oct 2011

[Freeipa-devel] [PATCHES] 0287 and 0288 for Proxy upgrade

2011-10-06 Thread Adam Young
for http utils, I get an error at run time as well. That confuses me, as I am able to import installutils at runtime. From 84c7617d408ff55e409ed93c88c59ec073959f54 Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Thu, 6 Oct 2011 20:37:57 -0400 Subject: [PATCH 287/288] Make nss_mod

Re: [Freeipa-devel] Mozilla Specific User Certificate Generation code:

2011-10-04 Thread Adam Young
On 10/04/2011 09:32 AM, Rob Crittenden wrote: Adam Young wrote: It is possible to generate a Certificate signing request from the browser, if we use Mozilla specific code. I've mildly hacked the Mozilla sample code to work with JQuery and to display the CSR to the screen, instead of sending

Re: [Freeipa-devel] [Pki-devel] [Fwd: script to proxy-ize a dogtag instance]

2011-09-28 Thread Adam Young
On 09/28/2011 11:46 AM, Ade Lee wrote: Cross posting to pki-devel. Additional change: diff /etc/httpd/conf.d/nss.conf.orig /etc/httpd/conf.d/nss.conf

Re: [Freeipa-devel] [PATCH] 288 Disable enroll button if nothing selected.

2011-09-28 Thread Adam Young
On 09/28/2011 06:50 PM, Endi Sukma Dewata wrote: A new IPA.dialog_button class has been added to encapsulate the buttons in the dialog box so they can be managed more easily. The adder dialog has been modified to disable the enroll button if there is no entries selected. Ticket #1856

Re: [Freeipa-devel] [PATCH] 882 always require SSL in Kerberos block

2011-09-27 Thread Adam Young
On 09/26/2011 08:54 AM, Rob Crittenden wrote: Simo Sorce wrote: On Mon, 2011-09-26 at 11:22 +0200, Martin Kosek wrote: On Mon, 2011-09-26 at 08:31 +0200, Martin Kosek wrote: On Sun, 2011-09-25 at 23:05 -0400, Rob Crittenden wrote: Martin Kosek wrote: On Fri, 2011-09-23 at 14:12 -0400, Rob

Re: [Freeipa-devel] [PATCH] 287 Updated color scheme.

2011-09-27 Thread Adam Young
On 09/27/2011 11:12 PM, Endi Sukma Dewata wrote: The UI background has been replaced with new images from UXD. Ticket #1842 Demo: http://edewata.fedorapeople.org/freeipa/install/ui/index.html

Re: [Freeipa-devel] Structured DNS record API proposal - summary

2011-09-23 Thread Adam Young
On 09/23/2011 02:02 AM, Martin Kosek wrote: On Thu, 2011-09-22 at 22:05 -0400, Adam Young wrote: On 09/22/2011 08:31 PM, Endi Sukma Dewata wrote: OPEN QUESTION: should we implement these new commands also for discrete DNS records types to be consistent? I mean for example A, , CNAME, PTR

Re: [Freeipa-devel] Structured DNS record API proposal - summary

2011-09-23 Thread Adam Young
On 09/23/2011 02:02 AM, Martin Kosek wrote: On Thu, 2011-09-22 at 22:05 -0400, Adam Young wrote: On 09/22/2011 08:31 PM, Endi Sukma Dewata wrote: OPEN QUESTION: should we implement these new commands also for discrete DNS records types to be consistent? I mean for example A, , CNAME, PTR

Re: [Freeipa-devel] Structured DNS record API proposal - summary

2011-09-23 Thread Adam Young
On 09/23/2011 11:52 AM, Rob Crittenden wrote: Adam Young wrote: On 09/23/2011 02:02 AM, Martin Kosek wrote: On Thu, 2011-09-22 at 22:05 -0400, Adam Young wrote: On 09/22/2011 08:31 PM, Endi Sukma Dewata wrote: OPEN QUESTION: should we implement these new commands also for discrete DNS

Re: [Freeipa-devel] Upgrading a machine to use the proxy.

2011-09-15 Thread Adam Young
OK, here's something closer to releasable and written in Perl. This script will upgrade the proxy ports to 9444 by default, or allow you to override by setting the first parameter. enable_proxy_dogtag.pl Description: Perl program

[Freeipa-devel] Upgrading a machine to use the proxy.

2011-09-13 Thread Adam Young
To convert an older build where the PKI system wasn't proxied: awk '{print $0} /Define an AJP 1.3 Connector on port/ {print Connector port=\9447\ protocol=\AJP/1.3\ redirectPort=\9444\ /} }' /etc/pki-ca/server.xml server.xml.new ; mv server.xml.new /etc/pki-ca/server.xml sed -e

Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag

2011-09-05 Thread Adam Young
On 08/29/2011 05:58 PM, Simo Sorce wrote: On Fri, 2011-08-26 at 22:28 -0400, Adam Young wrote: On 08/26/2011 08:57 PM, Adam Young wrote: On 08/26/2011 06:30 PM, Simo Sorce wrote: On Fri, 2011-08-26 at 17:41 -0400, Adam Young wrote: On 08/26/2011 02:34 PM, Simo Sorce wrote: On Fri, 2011-08

Re: [Freeipa-devel] [PATCH] 263 Fixed problem with combobox using Sahi

2011-09-05 Thread Adam Young
On 09/01/2011 05:24 PM, Endi Sukma Dewata wrote: The IPA.combobox_widget has been temporarily fixed to support automation using Sahi. Ticket #1754 Pushed to master and ipa-2-1 under one-liner/trivial rule.

Re: [Freeipa-devel] [PATCH] 852 remove more files in uninstaller

2011-08-26 Thread Adam Young
On 08/24/2011 10:58 AM, Rob Crittenden wrote: We were missing a few 389-ds files and directories. This removes everything but the logs. rob

Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag

2011-08-26 Thread Adam Young
On 08/26/2011 02:34 PM, Simo Sorce wrote: On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote: On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote: On 08/25/2011 05:24 PM, Adam Young wrote: Uses the updated version of pkicreate which makes an ipa specific proxy config file

Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag

2011-08-26 Thread Adam Young
On 08/26/2011 06:30 PM, Simo Sorce wrote: On Fri, 2011-08-26 at 17:41 -0400, Adam Young wrote: On 08/26/2011 02:34 PM, Simo Sorce wrote: On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote: On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote: On 08/25/2011 05:24 PM, Adam Young wrote: Uses

Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag

2011-08-26 Thread Adam Young
On 08/26/2011 08:57 PM, Adam Young wrote: On 08/26/2011 06:30 PM, Simo Sorce wrote: On Fri, 2011-08-26 at 17:41 -0400, Adam Young wrote: On 08/26/2011 02:34 PM, Simo Sorce wrote: On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote: On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote: On 08

Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag

2011-08-25 Thread Adam Young
Uses the updated version of pkicreate which makes an ipa specific proxy config file. From 585eec7bf70f9785742f488334fc7aaa7a1cbdf6 Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Wed, 17 Aug 2011 15:36:18 -0400 Subject: [PATCH] enable proxy for dogtag Dogtag is going

Re: [Freeipa-devel] [PATCH] 853 remove upgrade state when uninstalling

2011-08-25 Thread Adam Young
On 08/24/2011 11:38 AM, Rob Crittenden wrote: The upgrade process saves some information in the IPA sysrestore state. If any of this state remains after an uninstall then you will get an error during re-install. Theoretically all this state should be removed as part of the upgrade

Re: [Freeipa-devel] [PATCH] 852 remove more files in uninstaller

2011-08-25 Thread Adam Young
On 08/24/2011 10:58 AM, Rob Crittenden wrote: We were missing a few 389-ds files and directories. This removes everything but the logs. rob

Re: [Freeipa-devel] [PATCH] 852 remove more files in uninstaller

2011-08-25 Thread Adam Young
On 08/25/2011 09:32 PM, Adam Young wrote: On 08/24/2011 10:58 AM, Rob Crittenden wrote: We were missing a few 389-ds files and directories. This removes everything but the logs. rob

Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag

2011-08-24 Thread Adam Young
This version tells pkisilent to use the remote ports for cloning. From fb492c384c7979e93055f9a2e9b27a7856e8b45a Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Wed, 17 Aug 2011 15:36:18 -0400 Subject: [PATCH] enable proxy for dogtag Dogtag is going to be proxied through httpd

[Freeipa-devel] Proxy/Port work status

2011-08-24 Thread Adam Young
Had some success earlier today, but I seem to be unable to replicate it. I've been working with the full proxy.conf file lately, and even that seems to be preventing a replica. It is quite possible that the problem is something on one of the two systems, as I've found that install/uninstall

Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag

2011-08-23 Thread Adam Young
NACK. Replicate uses the install code, which grabs the local constants. Need to extend it to use the local constants for a base install, but the remote constants for the replica installs. On 08/19/2011 01:57 PM, Dmitri Pal wrote: On 08/19/2011 01:19 PM, Adam Young wrote: The complete

Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag

2011-08-22 Thread Adam Young
the number of suburls of the PKI CA that the proxy exposes. This version exposes all of the. I think we need a very limited subset. I've created a replica --no-pki and successfully requested a certificate on it. On 08/19/2011 01:57 PM, Dmitri Pal wrote: On 08/19/2011 01:19 PM, Adam Young wrote
