and what it allows us to achieve.
You can read the article here: https://vda.li/en/docs/freeipa-debug-privsep/
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org
github.com/freeipa/freeipa
git fetch ghfreeipa pull/724/head:pr724
git checkout pr724
I acked this PR on github but it looks like email hook is broken. There
was no patch attached to this email.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://w
that a (chain) of trust for them most likely does
not end at our own CA, we should be OK with OCSP for them at startup and
not marking them as trusted peers.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
-rename-my-hosts/
and http://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain
to understand what nightmare you are inflicting yourself into. ;)
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
On pe, 24 maalis 2017, Martin Babinsky wrote:
On Thu, Mar 23, 2017 at 04:46:20PM +0200, Alexander Bokovoy wrote:
On to, 23 maalis 2017, Simo Sorce wrote:
On Thu, 2017-03-23 at 16:08 +0200, Alexander Bokovoy wrote:
> On to, 23 maalis 2017, Martin Babinsky wrote:
> >Hi List,
> >
&
On to, 23 maalis 2017, Simo Sorce wrote:
On Thu, 2017-03-23 at 16:08 +0200, Alexander Bokovoy wrote:
On to, 23 maalis 2017, Martin Babinsky wrote:
>Hi List,
>
>TL;DR we have to handle FAST channer establishment when KDC is not issued
>PKINIT keypair
>
>I have spent
ded KDC
certificate if we were upgraded and provided with explicit certificates
This is certainly doable and primary benefit is that we wouldn't need to
have any fallbacks anymore. We would always use Anonymous PKINIT within
the IPA framework and be done with it.
--
/ Alexander Bokovoy
--
Man
d -- but I have no solution for FILE: ccaches.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
actually add an explicit statement for trust to AD not
currently supporting FIPS 140-2 mode.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
On pe, 10 maalis 2017, Sumit Bose wrote:
On Fri, Mar 10, 2017 at 01:39:27PM +0200, Alexander Bokovoy wrote:
On pe, 10 maalis 2017, Sumit Bose wrote:
> On Fri, Mar 10, 2017 at 11:58:25AM +0200, Alexander Bokovoy wrote:
> > On pe, 10 maalis 2017, Sumit Bose wrote:
On pe, 10 maalis 2017, Sumit Bose wrote:
On Fri, Mar 10, 2017 at 11:58:25AM +0200, Alexander Bokovoy wrote:
On pe, 10 maalis 2017, Sumit Bose wrote:
> Hi,
>
> with the recent addition of PKINIT support there is now a second method
> available to Smartcard authentication b
to define it as a part of a certificate
matching rule, would we be able to deny using a matching certificate for
local authentication in case only PKINIT is allowed?
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa
There is no build for Fedora 25.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
d like to solve this quickly so that I can finish the design and
start implementation.
I was thinking that we can use acronyms here to make it less of a
mouthful and also more easily recognizable:
My idea is:
- ipaNameQualificationData -> ipaFQDNPolicies
- ipaNameQualificationDomainList -> i
e out of
the empty list.
I'm confused. I don't want to make this distinction between a missing
attribute and an empty one. You appear to be following the same path.
What we are arguing about then?
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www
ldn't end up in the same place, though, but this is something
to handle on SSSD side.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
On ke, 01 maalis 2017, Jan Cholasta wrote:
On 1.3.2017 14:05, Alexander Bokovoy wrote:
On ke, 01 maalis 2017, Jan Cholasta wrote:
On 1.3.2017 13:39, Martin Babinsky wrote:
Alexander,
thank you for your comments. Replies inline:
On 02/28/2017 01:48 PM, Alexander Bokovoy wrote:
On ti, 28
On ke, 01 maalis 2017, Martin Babinsky wrote:
Alexander,
thank you for your comments. Replies inline:
On 02/28/2017 01:48 PM, Alexander Bokovoy wrote:
On ti, 28 helmi 2017, Martin Babinsky wrote:
Hello list,
I have put together a draft of design page describing server-side
implementation
On ke, 01 maalis 2017, David Kupka wrote:
On Tue, Feb 28, 2017 at 02:48:02PM +0200, Alexander Bokovoy wrote:
On ti, 28 helmi 2017, Martin Babinsky wrote:
> Hello list,
>
> I have put together a draft of design page describing server-side
> implementation of user short name ->
https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers,-domains,-sites,-and-ous
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http:
y can move ipa_smb_conf_exists() to ipapython or ipalib.
It only needs to read a config file and check a signature. Signature could be
moved to constants. Then ipa_smb_conf_exists() can be imported in both
upgrade tool and in adtrustinstance.
Want to make a PR?
--
/ Alexander Bokovoy
--
Manage you
On to, 09 helmi 2017, Fraser Tweedale wrote:
On Wed, Feb 08, 2017 at 10:19:54AM +0200, Alexander Bokovoy wrote:
On ke, 08 helmi 2017, Martin Kosek wrote:
> Hi Fraser and the list,
>
> I recently was in a conversation about integrating OpenShift with FreeIPA. One
> of the gap
alternative names can be added to a wildcard certificate request
- all Kerberos principal / hostname checks are skipped.
- actual ACL check is done by CA ACL.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
be
re-attempted and will succeed once all masters are upgraded.
I'd prefer an option number one. Using an IPA-specific auth instance
would allow us to be more flexible in manipulating the properties of it
in future without worrying to break older setups.
--
/ Alexander Bokovoy
--
Manage y
tin
>
> --
> Manage your subscription for the Freeipa-devel mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing lis
user area. This arrangement
makes the smart card inaccessible. We could use the KRA to store the PIN.
This is just a process, not a technical solution. Someone needs to
communicate PIN separate to the smartcard to a new hire anyway.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel ma
combination.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
raised the questions about authentication above. Florence
volunteered to experiment with it to see if SSL certificate
authentication would be possible. It is not, so we can unify the API
behind both user and stageuser.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com
ible using putty ..
No, as I said, it is not designed in the SSH protocol
P.S. Answer to the list, not personally.
Cheers,
____
From: Alexander Bokovoy <aboko...@redhat.com>
Sent: Monday, December 19, 2016 9:06:51 AM
To: Oucema Bellagha
Cc: freeipa-devel@redhat
ickey,publickey,publickey"
would require three different public keys to authenticate.
However, there is nothing in SSH protocol that would enforce different
people to be involved at the client side.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.
public ones but also the privately
used by the Samba itself.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
On ma, 12 joulu 2016, Alexander Bokovoy wrote:
On ma, 12 joulu 2016, Christian Heimes wrote:
On 2016-12-12 09:54, Alexander Bokovoy wrote:
On ma, 12 joulu 2016, Christian Heimes wrote:
Hi Simo,
I'm wondering if we need to change kdcproxy for anon pkinit. What kind
of Kerberos requests
are not filtered.
Anonymous principal as configured in FreeIPA can only be used to obtain
a TGT, nothing else.
See https://tools.ietf.org/html/rfc6112 for a spec definition.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman
On ke, 30 marras 2016, Rob Crittenden wrote:
David Kupka wrote:
On 29/11/16 18:10, Alexander Bokovoy wrote:
Still, bug reports and users' complaints is the only external measure we
have. There are close to nothing in complaints about NTP functionality,
other than requests to support chronyd
than requests to support chronyd and a better discover of existing
NTP setups. I don't think that requires dramatic action like removal of
NTP support at all.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa
eep client-only build for bootstrapping new
distros. For example, nothing prevents us to have a FreeBSD support for
client side but I don't think there will be any effort of porting the
whole server side there.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing l
On ti, 01 marras 2016, Martin Babinsky wrote:
On 10/31/2016 05:23 PM, Alexander Bokovoy wrote:
See description. This is a regression since FreeIPA 4.4.0.
Hi Alexander,
Please link upstream ticket[1] to the commit message, not BZ.
I have put on my Travis hat and found:
1.) pep8 error
See description. This is a regression since FreeIPA 4.4.0.
--
/ Alexander Bokovoy
From ce6dcc38fe4b1772941b281880ab156d7ae0db7c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Mon, 31 Oct 2016 18:17:35 +0200
Subject: [PATCH 2/2] trustdomain-del: fix the w
. I just broke my test
install ;)
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
.
Note that CI integration is currently broken so travis says your commits failed
the checks.
"""
Done, and the CI seem happy ?
Yes, thank you. I acked the request.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/
On to, 13 loka 2016, Sumit Bose wrote:
On Tue, Sep 06, 2016 at 01:18:14PM +0300, Alexander Bokovoy wrote:
Hi,
Now that FreeIPA 4.4.1 is out, I've pushed to github my prototype for
FleetCommander integration: https://github.com/abbra/freeipa-desktop-profile/
You can read the design page:
https
On ke, 12 loka 2016, David Kupka wrote:
On 11/10/16 16:27, Alexander Bokovoy wrote:
On ti, 11 loka 2016, Petr Vobornik wrote:
On 10/11/2016 03:50 PM, Alexander Bokovoy wrote:
On ti, 11 loka 2016, Petr Vobornik wrote:
Hi List,
we discussed locally a proposal about creating a feature branch
on the freeipa-users@ to understand why we implemented
it this way.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
document for implementing the HBAC and Sudo Rules for external
group.
See above documentation and discussions on freeipa-users@ mailing list.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute
On ti, 11 loka 2016, Petr Vobornik wrote:
On 10/11/2016 03:50 PM, Alexander Bokovoy wrote:
On ti, 11 loka 2016, Petr Vobornik wrote:
Hi List,
we discussed locally a proposal about creating a feature branch for each
sub-team effort in our main git. Currently it would be for the 4 ongoing
, then that's just fine.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
ying one will enable
explicitly only one.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
; print sys.version_info.major'
2
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
esolving hostname *
> *ad1.ad.addomain.com <http://ad1.ad.addomain.com>.*
> *[4133] 1476067599.53762: Sending initial UDP request to dgram
> 192.168.20.100*
>
> NOT WORKING
> =
>
> =======
ariant to
handle more complex DN mapping use cases, e.g. where there are
multiple occurrences of a single attribute type, a particular fixed
RDN must be matched, etc.
w.r.t. SAN mapping, I concur that search/replace is probably not
needed.
How all these syntax extensions are going to handle multi-v
raise
self.sock.set_ssl_option(ssl_require_safe_negotiation, False)
e.g. nothing that is relevant to the trace you provided.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
along the same path as
read events. Should the actual read fail, we exit.
Please add the bugzilla link.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page
find someone to assign to
it within the bigger team.
I would expect Oliver would go ahead and start testing your test plugin
right away.
Got it. Let's discuss on IRC (freenode, #freeipa or #sssd) whenever you
guys would have time any issues you'll encounter.
--
/ Alexander Bokovoy
--
Manage your
On Wed, 14 Sep 2016, Martin Basti wrote:
On 14.09.2016 17:53, Alexander Bokovoy wrote:
On Wed, 14 Sep 2016, Martin Basti wrote:
On 14.09.2016 17:41, Alexander Bokovoy wrote:
On Wed, 14 Sep 2016, Martin Basti wrote:
1)
I still don't see the reason why AD trust is needed. Default
trust ID
in that
one.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
and is disabled in the spec file as it breaks
loading the whole UI.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
work for existing FreeIPA
deployments due to lack upgrade for dangling symlinks of jaxrs-api.jar.
I filed a ticket https://fedorahosted.org/pki/ticket/2452. Please fix it
ASAP because we already have users in Fedora 24 complaining about broken
deployments after a mere 'dnf update'.
--
/ Alexander
Hi,
we have a plan to release FreeIPA 4.4.1 on Wednesday, Aug 31st.
I started preparing a release page:
http://www.freeipa.org/page/Releases/4.4.1
It has staggering 140+ closed tickets already.
Please help me with filling in enhancements and bug fixes sections.
--
/ Alexander Bokovoy
On Tue, 30 Aug 2016, Jan Cholasta wrote:
On 30.8.2016 08:47, Standa Laznicka wrote:
On 08/26/2016 05:37 PM, Simo Sorce wrote:
On Fri, 2016-08-26 at 11:26 -0400, Simo Sorce wrote:
On Fri, 2016-08-26 at 18:09 +0300, Alexander Bokovoy wrote:
On Fri, 26 Aug 2016, Simo Sorce wrote:
On Fri, 2016
up by default? Add --force option to override the
behavior but default to not allow --hostcat=all. This would raise
awareness and make sure admins are actually applying these rules with
intention.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.
ems with older
clients not being able to use new rules even if they would lack time
component.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
On Thu, 25 Aug 2016, Jan Cholasta wrote:
Hi,
On 25.8.2016 11:27, Alexander Bokovoy wrote:
Hi,
attached patch moves ipa CLI to freeipa-client and obsoletes
freeipa-admintools
The Obsoletes (both) should be on version < 4.4.1 rather than
%{version}, as per Fedora packaging guidelines
@commandline 146 k
replacing freeipa-admintools.noarch 4.4.0.201608051228GIT590e30f-0.fc24
--
/ Alexander Bokovoy
From 8a22131718cf6fdbff380ff447b502d22c735f1a Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Thu, 25 Aug 2016 11:59:34 +0300
S
. But did
not know how to check that entries with multiple uid values only
returns the first value.
Can we push 0213-1?
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http
On Mon, 22 Aug 2016, Abhijeet Kasurde wrote:
Hi All,
Please find the patch attached.
It's a minor spelling correction so, I have not created ticket for this.
ACK.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo
On Mon, 22 Aug 2016, Lenka Doudova wrote:
Hi,
due to implementation of [1] some ID views tests fail because they do
not recognize ipakrboktoauthasdelegate attribute. Providing fix for
this.
Ticket: https://fedorahosted.org/freeipa/ticket/6241
ACK.
--
/ Alexander Bokovoy
--
Manage your
On Fri, 19 Aug 2016, Martin Basti wrote:
On 19.08.2016 11:43, Alexander Bokovoy wrote:
On Mon, 08 Aug 2016, Alexander Bokovoy wrote:
On Mon, 08 Aug 2016, Petr Vobornik wrote:
On 08/08/2016 12:26 PM, Alexander Bokovoy wrote:
On Mon, 08 Aug 2016, Alexander Bokovoy wrote:
Hi!
Attached patch
On Mon, 08 Aug 2016, Alexander Bokovoy wrote:
On Mon, 08 Aug 2016, Petr Vobornik wrote:
On 08/08/2016 12:26 PM, Alexander Bokovoy wrote:
On Mon, 08 Aug 2016, Alexander Bokovoy wrote:
Hi!
Attached patch is what is needed to allow external plugins for FreeIPA
framework to be functional
On Wed, 17 Aug 2016, Martin Babinsky wrote:
On 08/08/2016 01:27 PM, Alexander Bokovoy wrote:
Hi!
Attached two patches attempt to fix some of the issues we see with child
domains.
SSSD only 'sees' users from child domains if there is an ID range for
each of them. However, after refactoring
On Thu, 11 Aug 2016, Petr Vobornik wrote:
On 08/11/2016 07:21 PM, Martin Basti wrote:
On 11.08.2016 18:57, Pavel Vomacka wrote:
On 08/11/2016 02:00 PM, Petr Vobornik wrote:
On 08/11/2016 10:54 AM, Alexander Bokovoy wrote:
On Thu, 11 Aug 2016, Jan Cholasta wrote:
On 4.8.2016 17:27, Jan
On Wed, 17 Aug 2016, Martin Babinsky wrote:
On 08/17/2016 12:41 PM, Alexander Bokovoy wrote:
On Wed, 17 Aug 2016, Martin Babinsky wrote:
On 08/15/2016 06:06 PM, Alexander Bokovoy wrote:
On Mon, 15 Aug 2016, Alexander Bokovoy wrote:
Hi!
Attached are trust-related patches.
0207 is a pre
On Wed, 17 Aug 2016, Petr Spacek wrote:
On 17.8.2016 12:41, Alexander Bokovoy wrote:
On Wed, 17 Aug 2016, Martin Babinsky wrote:
On 08/15/2016 06:06 PM, Alexander Bokovoy wrote:
On Mon, 15 Aug 2016, Alexander Bokovoy wrote:
Hi!
Attached are trust-related patches.
0207 is a pre-requisite. I
o_conflict(another_domain, cinfo)
+raise errors.TrustTopologyConflictSolved(
+target=self.info['dns_domain'],
+conflict=another_domain.info['dns_domain'])
"""
done.
Patch 218:
1.)
typo in the commit message:
""
On Wed, 17 Aug 2016, Martin Babinsky wrote:
On 08/17/2016 12:13 PM, Martin Babinsky wrote:
On 08/15/2016 06:06 PM, Alexander Bokovoy wrote:
On Mon, 15 Aug 2016, Alexander Bokovoy wrote:
Hi!
Attached are trust-related patches.
0207 is a pre-requisite. I did send it before, it is re
On Wed, 17 Aug 2016, Martin Babinsky wrote:
On 08/15/2016 06:06 PM, Alexander Bokovoy wrote:
On Mon, 15 Aug 2016, Alexander Bokovoy wrote:
Hi!
Attached are trust-related patches.
0207 is a pre-requisite. I did send it before, it is re-formatting of
the ipaserver/dcerpc.py to be close to PEP8
of Dogtag, and keep the CSR-generation approach
client-side only.
Comments welcome! Unless the changes are more complex than I
anticipate, I hope to have a prototype of this approach for review by
the end of this week.
The summary above looks fine.
--
/ Alexander Bokovoy
--
Manage your subscrip
login with password but can with Kerberos credentials, you
need to look into SSSD logs on the ilt-gif-ipa02.ipa.preprod.local host.
See https://fedorahosted.org/sssd/wiki/Troubleshooting
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/m
ssTime functionality --- that's why
ipaSELinuxUserMap object class carries accessTime attribute, to specify
the time when associated HBAC rule applies.
This is one more argument to re-use accessTime attribute.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel
On Mon, 15 Aug 2016, Alexander Bokovoy wrote:
Hi!
Attached are trust-related patches.
0207 is a pre-requisite. I did send it before, it is re-formatting of
the ipaserver/dcerpc.py to be close to PEP8 requirements.
0218 is an automated trust topology conflict resolver for DNS namespace
patches 0215-0216.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
sections
debug_level (integer)
Currently supported debug levels:
0, 0x0010: Fatal failures. Anything that would prevent SSSD
from starting up or causes it to cease running.
Default: 0
--
/ Alexander Bokovoy
--
Manage your
;
--
2.7.4
Good catch Alexander. Yes the comment contained a wrong cut/paste
ACK.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
On Thu, 11 Aug 2016, Jan Cholasta wrote:
On 4.8.2016 17:27, Jan Pazdziora wrote:
On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:
Got it. One thing I would correct, though, -- don't use kadmin.local, we
do support setting ok_as_delegate on the service principals via IPA CLI
On Wed, 10 Aug 2016, thierry bordaz wrote:
On 08/10/2016 11:24 AM, Alexander Bokovoy wrote:
On Wed, 10 Aug 2016, thierry bordaz wrote:
From 13bb55f9d97f82062f5b496d4164acb562afc7a0 Mon Sep 17 00:00:00 2001
From: Thierry Bordaz <tbor...@redhat.com>
Date: Tue, 9 Aug 2016 16:46:25
On Wed, 10 Aug 2016, Alexander Bokovoy wrote:
On Wed, 10 Aug 2016, thierry bordaz wrote:
On 08/09/2016 01:38 PM, Alexander Bokovoy wrote:
On Tue, 09 Aug 2016, thierry bordaz wrote:
On 08/09/2016 12:49 PM, Martin Basti wrote:
On 08.08.2016 17:30, thierry bordaz wrote:
On 08/08/2016
t == 0) {
}
--
2.7.4
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
thread to thread and from response to response. ;)
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
utput_params():
+yield param
+
def _iter_output(self):
return self.api.Command.vault_retrieve_internal.output()
ACK.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribut
On Wed, 10 Aug 2016, thierry bordaz wrote:
On 08/09/2016 01:38 PM, Alexander Bokovoy wrote:
On Tue, 09 Aug 2016, thierry bordaz wrote:
On 08/09/2016 12:49 PM, Martin Basti wrote:
On 08.08.2016 17:30, thierry bordaz wrote:
On 08/08/2016 05:20 PM, Alexander Bokovoy wrote:
On Mon, 08
On Tue, 09 Aug 2016, Lukas Slebodnik wrote:
On (09/08/16 14:59), Alexander Bokovoy wrote:
On Fri, 05 Aug 2016, Lukas Slebodnik wrote:
ehlo,
attached patches fix a build of freeipa on fedora 25 and fedora rawhide.
IMHO, this change in krb5pac.h is an ABI change and samba guys should
also bump
ge your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
On Tue, 09 Aug 2016, thierry bordaz wrote:
On 08/09/2016 12:49 PM, Martin Basti wrote:
On 08.08.2016 17:30, thierry bordaz wrote:
On 08/08/2016 05:20 PM, Alexander Bokovoy wrote:
On Mon, 08 Aug 2016, thierry bordaz wrote:
On 08/08/2016 04:20 PM, Alexander Bokovoy wrote:
On Mon, 08
On Mon, 08 Aug 2016, thierry bordaz wrote:
On 08/08/2016 04:20 PM, Alexander Bokovoy wrote:
On Mon, 08 Aug 2016, thierry bordaz wrote:
On 08/08/2016 10:56 AM, Alexander Bokovoy wrote:
On Mon, 08 Aug 2016, Lukas Slebodnik wrote:
On (08/08/16 11:35), Alexander Bokovoy wrote:
On Mon, 08
On Mon, 08 Aug 2016, thierry bordaz wrote:
On 08/08/2016 10:56 AM, Alexander Bokovoy wrote:
On Mon, 08 Aug 2016, Lukas Slebodnik wrote:
On (08/08/16 11:35), Alexander Bokovoy wrote:
On Mon, 08 Aug 2016, Martin Basti wrote:
On 08.08.2016 09:34, Alexander Bokovoy wrote:
When SSSD resolves
eipa-blipton-0001-Silence-sshd-messages-during-install.patch).
Anyone against pushing it?
Given that newer OpenSSH version will silence it anyway, I'm OK with the
interim fix.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/lis
the forest
root domain. The simplified code enforces this logic.
--
/ Alexander Bokovoy
From 37e4ab4786aec94bfb057fa3146d4e18e30df391 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Sat, 6 Aug 2016 11:12:13 +0300
Subject: [PATCH 4/5] trust: make sure ID range is c
.
Right. This was my thinking too when I saw the patches.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
On Mon, 08 Aug 2016, Petr Vobornik wrote:
On 08/08/2016 12:26 PM, Alexander Bokovoy wrote:
On Mon, 08 Aug 2016, Alexander Bokovoy wrote:
Hi!
Attached patch is what is needed to allow external plugins for FreeIPA
framework to be functional if they need to extend a schema.
The idea is that we
On Mon, 08 Aug 2016, Petr Spacek wrote:
On 8.8.2016 11:34, Alexander Bokovoy wrote:
Hi!
Attached patch is what is needed to allow external plugins for FreeIPA
framework to be functional if they need to extend a schema.
The idea is that we would have a separate directory as
/usr/share/ipa
1 - 100 of 1523 matches
Mail list logo