Re: [Freeipa-devel] Checking OCSP and CRL during certificate login

2017-04-12 Thread Rob Crittenden
Pavel Vomacka wrote: > > > On 04/11/2017 03:24 PM, Rob Crittenden wrote: >> Pavel Vomacka wrote: >>> Hello, >>> >>> With the recent addition of certificate mapping and certificate login >>> support into WebUI, we need to handle also re

Re: [Freeipa-devel] Checking OCSP and CRL during certificate login

2017-04-11 Thread Rob Crittenden
Pavel Vomacka wrote: > Hello, > > With the recent addition of certificate mapping and certificate login > support into WebUI, we need to handle also revoking of certificates > which are used for login. There is ticket which requests this > functionality: https://pagure.io/freeipa/issue/6370 > >

Re: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0

2017-03-14 Thread Rob Crittenden
Standa Laznicka wrote: > On 03/14/2017 04:21 PM, Rob Crittenden wrote: >> Standa Laznicka wrote: >>> On 03/14/2017 03:14 PM, Martin Basti wrote: >>>> On 14.03.2017 14:56, Luc de Louw wrote: >>>>> My 3 cents... >>>>> >>>

Re: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0

2017-03-14 Thread Rob Crittenden
Standa Laznicka wrote: > On 03/14/2017 03:14 PM, Martin Basti wrote: >> On 14.03.2017 14:56, Luc de Louw wrote: >>> My 3 cents... >>> >>> "Please note that FIPS 140-2 support may not work on some platforms" >>> >>> -> Does it work in Fedora? It should be worth mentioning so people are >>> more

Re: [Freeipa-devel] [DISCUSSION] checking *lint at configure time

2017-03-06 Thread Rob Crittenden
Tomas Krizek wrote: > On 03/03/2017 09:22 PM, Rob Crittenden wrote: >> Lukas Slebodnik wrote: >>> On (03/03/17 17:07), Lukas Slebodnik wrote: >>>> ehlo, >>>> >>>> This is a small continuation of discussion from pull request >>>>

Re: [Freeipa-devel] [DISCUSSION] checking *lint at configure time

2017-03-03 Thread Rob Crittenden
Lukas Slebodnik wrote: > On (03/03/17 17:07), Lukas Slebodnik wrote: >> ehlo, >> >> This is a small continuation of discussion from pull request >> "Make pylint and jsl optional" #502[1] >> >> Pylint and jslint are already optional because some downstream distributions >> do not have such

[Freeipa-devel] python-pyasn1 updated in F-25/rawhide

2017-02-27 Thread Rob Crittenden
Rawhide has an updated python-pyasn1, v0.2.3, and F-25 will soon have it in updates-testing. It worked in my limited testing in IPA. It is primarily a performance release but includes some fixes from 0.2.2 which I never pushed into Fedora. rob -- Manage your subscription for the Freeipa-devel

Re: [Freeipa-devel] MD5 certificate fingerprints removal

2017-02-21 Thread Rob Crittenden
Standa Laznicka wrote: > Hello, > > Since we're trying to make FreeIPA work in FIPS we got to the point > where we need to do something with MD5 fingerprints in the cert plugin. > Eventually we came to a realization that it'd be best to get rid of them > as a whole. These are counted by the

[Freeipa-devel] python-pyasn1 updated in rawhide and updates-testing for F-25

2017-02-06 Thread Rob Crittenden
I updated the Fedora pyasn1 package to the latest release, 0.2.1. I did some very basic testing against IPA 4.2 and it worked ok. The build is already up in rawhide and is on the way to updates-testing in Bodhi. It would be great to get some karma on it. I have auto-push turned off so it won't go

Re: [Freeipa-devel] [DESIGN] FreeIPA on FIPS + NSS question

2017-01-13 Thread Rob Crittenden
Tomas Krizek wrote: > On 01/12/2017 04:17 PM, Rob Crittenden wrote: >> Tomas Krizek wrote: >>> On 12/19/2016 04:41 PM, Standa Laznicka wrote: >>>> On 12/19/2016 03:07 PM, John Dennis wrote: >>>>> On 12/19/2016 03:12 AM, Standa Laznicka wrote: >>

Re: [Freeipa-devel] [DESIGN] FreeIPA on FIPS + NSS question

2017-01-12 Thread Rob Crittenden
Tomas Krizek wrote: > On 12/19/2016 04:41 PM, Standa Laznicka wrote: >> On 12/19/2016 03:07 PM, John Dennis wrote: >>> On 12/19/2016 03:12 AM, Standa Laznicka wrote: >>>> On 12/16/2016 03:23 PM, Rob Crittenden wrote: >>>>> Standa Laznicka wrote: >>

Re: [Freeipa-devel] [DESIGN] FreeIPA on FIPS + NSS question

2016-12-16 Thread Rob Crittenden
Standa Laznicka wrote: > Hello, > > I started a design page for FreeIPA on FIPS-enabled systems: > https://www.freeipa.org/page/V4/FreeIPA-on-FIPS > > Me and Tomáš are still investigating what of all things will need to > change in order to have FreeIPA on FIPS-enabled RHEL. So far I managed >

Re: [Freeipa-devel] Reading Attributes from LDAP Client

2016-12-07 Thread Rob Crittenden
Chad Cravens wrote: > Hello: > > We are working with RedHat IDM and I'm trying to understand how > Permissions and Roles are represented/stored in the LDAP Directory > Server. What we would like to do is create roles in the web GUI and > programmatically retrieve the Roles and Permissions, as

Re: [Freeipa-devel] NTP in FreeIPA

2016-11-30 Thread Rob Crittenden
David Kupka wrote: > On 29/11/16 18:10, Alexander Bokovoy wrote: >> Still, bug reports and users' complaints are the only external measure we >> have. There is close to nothing in complaints about NTP functionality, >> other than requests to support chronyd and a better discovery of existing >> NTP

Re: [Freeipa-devel] NTP in FreeIPA

2016-11-29 Thread Rob Crittenden
Petr Spacek wrote: > On 29.11.2016 09:11, Jan Cholasta wrote: >> On 28.11.2016 20:57, Rob Crittenden wrote: >>> David Kupka wrote: >>>> On 22/11/16 23:15, Gabe Alford wrote: >>>>> I would say that it is worth keeping in FreeIPA. I know myself a

Re: [Freeipa-devel] NTP in FreeIPA

2016-11-28 Thread Rob Crittenden
David Kupka wrote: > On 22/11/16 23:15, Gabe Alford wrote: >> I would say that it is worth keeping in FreeIPA. I know myself and some >> customers use its functionality by having the clients sync to the IPA >> servers and have the servers sync to the NTP source. This way if the NTP >> source ever

Re: [Freeipa-devel] client-only FreeIPA build

2016-11-22 Thread Rob Crittenden
Lukas Slebodnik wrote: > On (22/11/16 16:29), Petr Spacek wrote: >> On 22.11.2016 16:27, Jan Cholasta wrote: >>> Hi, >>> >>> On 22.11.2016 16:04, Petr Spacek wrote: Hello, the recent changes with regard to http://www.freeipa.org/page/V4/Integration_Improvements beg a

Re: [Freeipa-devel] Design document: Integration Improvements

2016-11-11 Thread Rob Crittenden
Martin Basti wrote: > > > On 11.11.2016 15:25, Christian Heimes wrote: >> Hello, >> >> I have released the first version of a new design document. It describes >> how I'm going to improve integration of FreeIPA's client libraries >> (ipalib, ipapython, ipaclient, ipaplatform) for third party

Re: [Freeipa-devel] Is checks/check-ra.py still useful?

2016-11-02 Thread Rob Crittenden
Petr Spacek wrote: > Hi, > > when working on build system refactoring, I've noticed file > checks/check-ra.py. > > README follows: >> This directory is for integration tests that require a live backend (LDAP, >> Certificate Server, etc.). It's named "checks" so nose won't discover tests >> here.

Re: [Freeipa-devel] [RFC] Matching and Mapping Certificates

2016-10-17 Thread Rob Crittenden
Jan Cholasta wrote: Hi, On 13.10.2016 18:52, Sumit Bose wrote: = Issuer specific matching = Although the MIT Kerberos rules allow to select the issuer of a certificate there are use cases where a more specific selection is needed. E.g. if there are some default matching rules for all

Re: [Freeipa-devel] Heimdal Kerberos support for client

2016-10-12 Thread Rob Crittenden
Petr Spacek wrote: Hello list, I just noticed that client/configure.ac contains some checks to detect and support Heimdal Kerberos libraries. Was it tested? Does it work? Can I drop it? :-) Wow, that's some old code. Only Simo would know if it was ever tested or ever worked. I suppose

Re: [Freeipa-devel] [RFC] Matching and Mapping Certificates

2016-10-06 Thread Rob Crittenden
Sumit Bose wrote: On Thu, Oct 06, 2016 at 10:33:48AM -0400, Rob Crittenden wrote: Sumit Bose wrote: Hi, Wow, this is really great. Hi Rob, thank you for the feedback. I think I'd pre-plan to support different configuration per issuer subject, with one named default. It shouldn't

Re: [Freeipa-devel] [RFC] Matching and Mapping Certificates

2016-10-06 Thread Rob Crittenden
Sumit Bose wrote: Hi, I've started to write an SSSD design page about enhancing the current mapping of certificates to users and how to select/match a suitable certificate if multiple certificates are on a Smartcard. My current thoughts and ideas can be found at

Re: [Freeipa-devel] [Design Review Request] V4/Automatic_Certificate_Request_Generation

2016-08-25 Thread Rob Crittenden
Ben Lipton wrote: On 08/23/2016 03:54 AM, Jan Cholasta wrote: On 8.8.2016 22:23, Ben Lipton wrote: On 07/25/2016 07:45 AM, Jan Cholasta wrote: On 25.7.2016 13:11, Alexander Bokovoy wrote: On Mon, 25 Jul 2016, Jan Cholasta wrote: On 20.7.2016 16:05, Ben Lipton wrote: Hi, Thanks very much

Re: [Freeipa-devel] certmonger "failed to verify signature on server response" after receiving valid certificate

2016-08-22 Thread Rob Crittenden
Marx, Peter wrote: I’m testing with certmonger 0.78.6 (patched for the GETCACertChain bug) against two EJBCA servers. For verification I use a second SCEP client called jSCEP. I started certmonger in debug mode with “/usr/libexec/certmonger/certmonger-session -n -d 15” The CA file in

Re: [Freeipa-devel] certmonger proxy configuration not possible ?

2016-08-03 Thread Rob Crittenden
Marx, Peter wrote: Hi, I have to access an external PKI server with SCEP protocol through our corporate proxy. On command line I can set the proxy and trigger a CSR with the scep-submit helper successfully. What are you setting, environment variables I assume? But same operation with

Re: [Freeipa-devel] certmonger EST RFC7030 support possible ?

2016-07-29 Thread Rob Crittenden
Marx, Peter wrote: Hi, we are using certmonger with SCEP. But SCEP does not support Elliptic curve keys, only RSA. The successor protocol EST (Enrollment over Secure Transport) would support ECC. Is an EST helper for certmonger/getcert on the roadmap? No. I added a ticket to track it,

Re: [Freeipa-devel] [Design Review Request] V4/Automatic_Certificate_Request_Generation

2016-07-25 Thread Rob Crittenden
Simo Sorce wrote: On Mon, 2016-07-25 at 18:05 +0300, Alexander Bokovoy wrote: But maybe I'm not seeing the proper priorities here. Perhaps it's more of a problem because clients are easier to update with bugfixes than the server? Or maybe the preference for the client is for scalability

Re: [Freeipa-devel] [PATCH] restrict setkeytab operation

2016-07-25 Thread Rob Crittenden
Simo Sorce wrote: On Mon, 2016-07-25 at 10:55 -0400, Rob Crittenden wrote: Simo Sorce wrote: As described in #232 start restricting the use of the setkeytab operation to just the computers objects. I haven't tested this with older RHEL/CentOS machines that actually use the setkeytab operation

Re: [Freeipa-devel] [PATCH] restrict setkeytab operation

2016-07-25 Thread Rob Crittenden
Simo Sorce wrote: As described in #232 start restricting the use of the setkeytab operation to just the computers objects. I haven't tested this with older RHEL/CentOS machines that actually use the setkeytab operation as I do not have such an old VM handy right now. Meanwhile I'd like to know

Re: [Freeipa-devel] CA-less installs: passive certmonger - watch-and-warn mode

2016-07-08 Thread Rob Crittenden
Petr Spacek wrote: On 8.7.2016 15:31, Rob Crittenden wrote: Petr Spacek wrote: Hi, our docs https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-determine-ca claim

Re: [Freeipa-devel] CA-less installs: passive certmonger - watch-and-warn mode

2016-07-08 Thread Rob Crittenden
Petr Spacek wrote: Hi, our docs https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-determine-ca claim this: "The certmonger service is not used to track certificates. Therefore, it

Re: [Freeipa-devel] Proposed patch to resolve #828866 [RFE] enhance --subject option for ipa-server-install

2016-07-07 Thread Rob Crittenden
Sebastian Hetze wrote: Hi * attached you find a patch that adds new options --subject_cn and --subject_mail to ipa-server-install that make the CA cert subject CN customizable. This patch has been tested by a customer in a PoC. However, I assume additional testing in different environments is

Re: [Freeipa-devel] [PATCH 0017] Added fix for correct IPA backup file name

2016-07-07 Thread Rob Crittenden
Abhijeet Kasurde wrote: Hi Florence, On 07/07/2016 03:30 PM, Florence Blanc-Renaud wrote: On 07/07/2016 10:58 AM, Abhijeet Kasurde wrote: Hi All, Please review the patch. Fixes : https://fedorahosted.org/freeipa/ticket/6031 -- Thanks, Abhijeet Kasurde IRC: akasurde

Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode

2016-06-27 Thread Rob Crittenden
Florence Blanc-Renaud wrote: Hi all, thanks for your suggestions. Updated patch attached. Flo. The invocation in ipactl should say server, not client. Otherwise LGTM (untested). rob

Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode

2016-06-27 Thread Rob Crittenden
Gabe Alford wrote: On Mon, Jun 27, 2016 at 12:38 AM, Florence Blanc-Renaud wrote: Hi, this fix is a port of Bug 1131570 - Do not allow IdM server/replica/client installation in a FIPS-140 mode It prevents installation of FreeIPA

Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode

2016-06-27 Thread Rob Crittenden
Petr Spacek wrote: On 27.6.2016 08:38, Florence Blanc-Renaud wrote: Hi, this fix is a port of Bug 1131570 - Do not allow IdM server/replica/client installation in a FIPS-140 mode It prevents installation of FreeIPA if the host is fips-enabled. https://fedorahosted.org/freeipa/ticket/5761

Re: [Freeipa-devel] [PATCH 0046] Don't fail in find/show methods if userCertificate is invalid

2016-06-09 Thread Rob Crittenden
Fraser Tweedale wrote: On Thu, Jun 09, 2016 at 03:07:34PM +0200, Martin Basti wrote: On 09.06.2016 15:03, Martin Basti wrote: On 09.06.2016 15:02, Stanislav Laznicka wrote: On 06/09/2016 02:51 PM, Rob Crittenden wrote: Stanislav Laznicka wrote: Hello, Please see the attached patch

Re: [Freeipa-devel] [PATCH 0046] Don't fail in find/show methods if userCertificate is invalid

2016-06-09 Thread Rob Crittenden
Stanislav Laznicka wrote: On 06/09/2016 02:51 PM, Rob Crittenden wrote: Stanislav Laznicka wrote: Hello, Please see the attached patch of https://fedorahosted.org/freeipa/ticket/5797. Standa Just wondering out loud but should usercertificate be excluded from the output

Re: [Freeipa-devel] [PATCH 0046] Don't fail in find/show methods if userCertificate is invalid

2016-06-09 Thread Rob Crittenden
Stanislav Laznicka wrote: Hello, Please see the attached patch of https://fedorahosted.org/freeipa/ticket/5797. Standa Just wondering out loud but should usercertificate be excluded from the output if it is unparsable? Is there any value in showing that a bogus value is in there? rob

Re: [Freeipa-devel] Provisioning throughput

2016-05-25 Thread Rob Crittenden
thierry bordaz wrote: On 05/25/2016 08:49 PM, Rob Crittenden wrote: thierry bordaz wrote: Hello, Thanks for all the feedback. I updated the design accordingly and with additional test results (http://www.freeipa.org/page/V4/Performance_Improvements#Proposed_improvements) Several

Re: [Freeipa-devel] Provisioning throughput

2016-05-25 Thread Rob Crittenden
thierry bordaz wrote: Hello, Thanks for all the feedback. I updated the design accordingly and with additional test results (http://www.freeipa.org/page/V4/Performance_Improvements#Proposed_improvements) Several improvements can be done, in particular in DS plugins (memberof, retroCL), but

Re: [Freeipa-devel] [PATCH 0463] Performance: do not download password attributes in host/find-user command

2016-05-13 Thread Rob Crittenden
Martin Basti wrote: On 12.05.2016 19:48, Rob Crittenden wrote: Martin Basti wrote: On 22.04.2016 13:21, David Kupka wrote: On 22/04/16 10:58, Martin Basti wrote: On 21.04.2016 09:17, Martin Basti wrote: On 20.04.2016 16:57, Martin Basti wrote: https://fedorahosted.org/freeipa

Re: [Freeipa-devel] [PATCH 0463] Performance: do not download password attributes in host/find-user command

2016-05-12 Thread Rob Crittenden
Martin Basti wrote: On 22.04.2016 13:21, David Kupka wrote: On 22/04/16 10:58, Martin Basti wrote: On 21.04.2016 09:17, Martin Basti wrote: On 20.04.2016 16:57, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5281 Patch attached. selfNACK Updated patch attached.

Re: [Freeipa-devel] LDAP attributes with incompatible names?

2016-05-09 Thread Rob Crittenden
Jeffery Harrell wrote: Hi. I’m trying to find a way to expose via the Python plugin API some non-default LDAP attributes that have hyphens in their names, e.g., "apple-user-homeurl”. Obviously I can’t create a Param with that name. Is there a customary way to handle this kind of situation, or do

Re: [Freeipa-devel] Improving bug reporting

2016-05-04 Thread Rob Crittenden
Lukas Slebodnik wrote: On (04/05/16 12:56), Alexander Bokovoy wrote: I'm sorry but it was a TL;DR mail without any useful information to the topic. The topic is "Improving bug reporting". I do not care much how downstreams handle bug reports. I like David's proposal with the template. But I do not

Re: [Freeipa-devel] [PATCH] 0001 provide more information for "ipa cert-revoke -h"

2016-05-03 Thread Rob Crittenden
Gabe Alford wrote: Hello, Thank you for your patch as well. >-doc=_('Reason for revoking the certificate (0-10)'), >+doc=_('Reason for revoking the certificate (0-10). See RFC 5280 (paragraph 5.3.1) for reason details'), Rather than just specifying the RFC with the

Re: [Freeipa-devel] [PATCH] Added warning to user for Internet Explorer

2016-04-27 Thread Rob Crittenden
Abhijeet Kasurde wrote: Updated patch attached. On 04/26/2016 09:07 PM, Rob Crittenden wrote: Internet Explorer is no longer a supported browser. ACK

Re: [Freeipa-devel] [PATCH] Added warning to user for Internet Explorer

2016-04-26 Thread Rob Crittenden
Pavel Vomacka wrote: On 04/25/2016 01:00 PM, Abhijeet Kasurde wrote: Hi All, Please review the attached patch. Thanks, Abhijeet Kasurde Hi, thank you for the patch, ACK. I would add an "a" and change it to "Internet Explorer is no longer a supported browser." rob

Re: [Freeipa-devel] [PATCH] 957 ipa-client-install: fix typo in nslcd service name

2016-04-21 Thread Rob Crittenden
Lukas Slebodnik wrote: On (21/04/16 16:42), Rob Crittenden wrote: Lukas Slebodnik wrote: On (21/04/16 19:25), Petr Vobornik wrote: related but does not implement https://fedorahosted.org/freeipa/ticket/5806 -- Petr Vobornik From b9b8716ec9ba5a5cdbed1f6cdedf7cff8878f08f Mon Sep 17 00:00:00

Re: [Freeipa-devel] [PATCH] 957 ipa-client-install: fix typo in nslcd service name

2016-04-21 Thread Rob Crittenden
Lukas Slebodnik wrote: On (21/04/16 19:25), Petr Vobornik wrote: related but does not implement https://fedorahosted.org/freeipa/ticket/5806 -- Petr Vobornik From b9b8716ec9ba5a5cdbed1f6cdedf7cff8878f08f Mon Sep 17 00:00:00 2001 From: Petr Vobornik Date: Thu, 21 Apr

Re: [Freeipa-devel] V4/RFC 2818 review

2016-04-19 Thread Rob Crittenden
Christian Heimes wrote: Hi Fraser, and now to the review of your design doc for RFC 2818-compliant subject alternative names in certs, http://www.freeipa.org/page/V4/RFC_2818_certificate_compliance 1) RFC 2818 vs. RFC 6125 First I like to address a more general topic. Your design mentions

Re: [Freeipa-devel] [WIP PATCH] server-del: perform full master removal in managed topology

2016-04-13 Thread Rob Crittenden
Martin Babinsky wrote: This is a WIP patch which moves the `ipa-replica-manage del` subcommand to the 'server-del' API method and exposes it as CLI command[1]. A CI test suite is also included. There are some issues with the patch I would like to discuss in more detail on the list: 1.) In the

Re: [Freeipa-devel] [PATCH 0406] admintool: Remove the option to override the log file

2016-04-01 Thread Rob Crittenden
Tomas Babej wrote: Hi, This option has been rarely used, and can be replaced by proper shell output redirection. https://fedorahosted.org/freeipa/ticket/5385 Should the ticket be re-opened? I'm not opposed to removing it I guess, but how can you know it is rarely used? Nobody has provided

Re: [Freeipa-devel] [TEST][patch-0032] Added a kdestroy call to clean ccache

2016-03-31 Thread Rob Crittenden
Oleg Fayans wrote: Hi, The updated patch is included On 03/30/2016 08:50 PM, Robbie Harwood wrote: Rob Crittenden <rcrit...@redhat.com> writes: Would it be more robust to call kdestroy -A or is that just overkill in this case? I believe it would be superior to call `kdestroy -A

Re: [Freeipa-devel] [TEST][patch-0032] Added a kdestroy call to clean ccache

2016-03-30 Thread Rob Crittenden
Would it be more robust to call kdestroy -A or is that just overkill in this case? rob

Re: [Freeipa-devel] Instructions to build ipa under RHEL

2016-03-29 Thread Rob Crittenden
Lukas Slebodnik wrote: On (29/03/16 10:16), Oleg Fayans wrote: Hi team, Is there any kind of $subj available? Like, which repos to enable, etc. I'm raising the topic because I was unable to install a number of build-time dependencies to build the official 4.3.1 packages under RHEL-7.2 (I need

Re: [Freeipa-devel] [PATCH 0441] Configure httpd service from installer

2016-03-24 Thread Rob Crittenden
Jan Cholasta wrote: On 18.3.2016 15:12, Martin Babinsky wrote: On 03/17/2016 05:36 PM, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5681 Patch attached. Hi Martin, Nitpick attack: Please fix the commit message: "File httpd.service was created by RPM, what causes that httpd

Re: [Freeipa-devel] URI in HBAC - design page

2016-03-24 Thread Rob Crittenden
Adam Young wrote: On 03/24/2016 05:43 AM, Jan Pazdziora wrote: On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote: I created a design page for the feature: http://www.freeipa.org/page/URI-based-HBAC-design I try to put separate areas of concerns into separate emails to make it

Re: [Freeipa-devel] URI in HBAC - design page

2016-03-23 Thread Rob Crittenden
Lukáš Hellebrandt wrote: I created a design page for the feature: http://www.freeipa.org/page/URI-based-HBAC-design Can you make the ticket reference a link? Is it expected that a full URI will be used, including protocol? Your early examples are http://path/to/somewhere and later you

Re: [Freeipa-devel] [PATCH 0143-0144] different errors/warnings for different LDAP limit type exceeded

2016-03-22 Thread Rob Crittenden
Martin Babinsky wrote: On 03/21/2016 12:25 PM, Jan Cholasta wrote: On 21.3.2016 10:17, Petr Spacek wrote: On 18.3.2016 13:49, Rob Crittenden wrote: Martin Babinsky wrote: These patches implement behavior agreed upon during discussion of https://fedorahosted.org/freeipa/ticket/5677 However

Re: [Freeipa-devel] [PATCH 550] certdb: never use the -r option of certutil

2016-03-19 Thread Rob Crittenden
Martin Basti wrote: On 15.03.2016 07:26, David Kupka wrote: On 14/03/16 09:29, Jan Cholasta wrote: Hi, the attached patch fixes and . Honza Hi, thanks for the patch. I haven't found any

Re: [Freeipa-devel] [PATCH 0143-0144] different errors/warnings for different LDAP limit type exceeded

2016-03-19 Thread Rob Crittenden
Martin Babinsky wrote: These patches implement behavior agreed upon during discussion of https://fedorahosted.org/freeipa/ticket/5677 However I'm not sure if we want to push them into 4-3 branch (the ticket is triaged into 4.3.2 milestone) since they modify the framework behavior quite a bit.

Re: [Freeipa-devel] [PATCH 550] certdb: never use the -r option of certutil

2016-03-14 Thread Rob Crittenden
Jan Cholasta wrote: > Hi, > > the attached patch fixes > and . > IMHO you should file a bug against nss as well. rob

Re: [Freeipa-devel] [PATCH 0434] log: add timestamp to filename of logs

2016-03-11 Thread Rob Crittenden
Martin Kosek wrote: > On 03/11/2016 09:55 AM, Jan Cholasta wrote: >> On 11.3.2016 09:33, Martin Kosek wrote: >>> On 03/08/2016 07:07 PM, Martin Basti wrote: On 08.03.2016 16:37, Martin Basti wrote: > > > On 08.03.2016 16:31, Martin Basti wrote: >>

Re: [Freeipa-devel] [PATCH 0067-0069] Various IPA log fixes

2016-03-10 Thread Rob Crittenden
Gabe Alford wrote: > Hello, > > Attached patches fix the following tickets related to IPA log files: > > https://fedorahosted.org/freeipa/ticket/5724 > https://fedorahosted.org/freeipa/ticket/5726 > https://fedorahosted.org/freeipa/ticket/5727 > > Patch 0067 should be applied first, and patch

Re: [Freeipa-devel] host-del & client uninstall: additional discussion related to DNS needed

2016-03-04 Thread Rob Crittenden
Petr Spacek wrote: > On 3.3.2016 18:15, Martin Basti wrote: >> >> >> On 03.03.2016 17:36, Petr Vobornik wrote: >>> On 03/03/2016 03:52 PM, Martin Basti wrote: Hello all, related tickets: https://fedorahosted.org/freeipa/ticket/5676

Re: [Freeipa-devel] [PATCH 0428] SPEC: do not execute upgrade when ipa server is not installed

2016-03-01 Thread Rob Crittenden
Martin Basti wrote: > > > On 01.03.2016 20:13, Rob Crittenden wrote: >> Martin Basti wrote: >>> https://fedorahosted.org/freeipa/ticket/5704 >>> >>> Patch attached. >>> >>> >> Would it be safer to integrate this into ipa-upgrade i

Re: [Freeipa-devel] [PATCH 0428] SPEC: do not execute upgrade when ipa server is not installed

2016-03-01 Thread Rob Crittenden
Martin Basti wrote: > https://fedorahosted.org/freeipa/ticket/5704 > > Patch attached. > > Would it be safer to integrate this into ipa-upgrade itself? You'd just need to return 0 for the case where IPA isn't installed. rob

Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.

2016-02-24 Thread Rob Crittenden
David Kupka wrote: > On 23/02/16 16:41, Rob Crittenden wrote: >> David Kupka wrote: >>> On 23/02/16 10:14, Martin Kosek wrote: >>>> On 02/23/2016 09:47 AM, David Kupka wrote: >>>>> On 22/02/16 16:15, Martin Kosek wrote: >>>>>> On 02/2

Re: [Freeipa-devel] [PATCH 0420] Set BuildRequires to pylint 1.4

2016-02-23 Thread Rob Crittenden
Lukas Slebodnik wrote: > On (23/02/16 17:09), Martin Basti wrote: >> We cannot guarantee that versions older than 1.4 will work with freeipa code. >> >> Patch attached. > >>From a59e72a0b87231c0f2e0d737057550dd532feed7 Mon Sep 17 00:00:00 2001 >> From: Martin Basti >> Date:

Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.

2016-02-23 Thread Rob Crittenden
David Kupka wrote: > On 23/02/16 10:14, Martin Kosek wrote: >> On 02/23/2016 09:47 AM, David Kupka wrote: >>> On 22/02/16 16:15, Martin Kosek wrote: On 02/22/2016 04:04 PM, Jan Cholasta wrote: > On 22.2.2016 15:56, David Kupka wrote: >> On 22/02/16 07:28, Jan Cholasta wrote: >>>

Re: [Freeipa-devel] [PATCH] 0017 configure DNA shared config entry to allow connection with GSSAPI

2016-01-21 Thread Rob Crittenden
Martin Babinsky wrote: > On 01/21/2016 01:37 PM, thierry bordaz wrote: > 6.) > > +while attempt != MAX_WAIT: > +try: > +entries = conn.get_entries(sharedcfgdn, > scope=ldap.SCOPE_ONELEVEL, filter='dnaHostname=%s' % self.fqdn) > +break > +
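Review bot: the loop guard `while attempt != MAX_WAIT` in the quoted hunk should be `attempt < MAX_WAIT`, so the loop still terminates if `attempt` is ever advanced past the limit; and `filter='dnaHostname=%s' % self.fqdn` builds the LDAP search filter by plain string interpolation, so the value should be escaped (e.g. with ldap.filter.escape_filter_chars) before it is placed into the filter.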

Re: [Freeipa-devel] [PATCH 0011-0012][RFE] ipa-replica-manage: automatically clean dangling RUVs

2016-01-14 Thread Rob Crittenden
Stanislav Laznicka wrote: > Please see the rebased patches attached. > > On 01/13/2016 02:01 PM, Martin Basti wrote: >> >> >> On 18.12.2015 12:46, Stanislav Laznicka wrote: >>> Hi, >>> >>> Attached are the patches for auto-find and clean of dangling >>> (cs)ruvs. Currently, the cleaning of an RUV

Re: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica

2016-01-13 Thread Rob Crittenden
Martin Babinsky wrote: > fixes https://fedorahosted.org/freeipa/ticket/5584 > > In order to ensure consistent behavior with ipa-client-install, I opted > to reuse the configure_openldap_conf() function and restore the config > from client sysrestore before modifying it. > > If you think this

Re: [Freeipa-devel] FreeIPA and modern requirements on certificates

2016-01-08 Thread Rob Crittenden
Alexander Bokovoy wrote: > On Fri, 08 Jan 2016, Martin Kosek wrote: >> On 01/08/2016 02:17 PM, Fraser Tweedale wrote: >>> On Fri, Jan 08, 2016 at 02:02:07PM +0100, Martin Kosek wrote: On 01/08/2016 01:56 PM, Fraser Tweedale wrote: > On Fri, Jan 08, 2016 at 01:26:57PM +0100, Martin Kosek

Re: [Freeipa-devel] [PATCHES] 0753-0759

2016-01-07 Thread Rob Crittenden
Petr Viktorin wrote: > On 01/06/2016 03:47 PM, Rob Crittenden wrote: >> Petr Viktorin wrote: >>> Hello, >>> >>> Patches 0753-0757 fix remaining warnings from `pylint --py3k`, except >>> "no-absolute-import" (which seems redundant to me) an

Re: [Freeipa-devel] [PATCHES] 0753-0759

2016-01-06 Thread Rob Crittenden
Petr Viktorin wrote: > Hello, > > Patches 0753-0757 fix remaining warnings from `pylint --py3k`, except > "no-absolute-import" (which seems redundant to me) and the ones in > contrib/RHEL4. > > As for contrib/RHEL4, I found a mail [0] from 2013 saying it hasn't been > used for a long time and

Re: [Freeipa-devel] certmonger everywhere

2016-01-06 Thread Rob Crittenden
Jan Cholasta wrote: > On 4.1.2016 19:57, Rob Crittenden wrote: >> Jan Cholasta wrote: >>> On 16.12.2015 01:40, Fraser Tweedale wrote: >>> >>> I'm not proposing to change cert-request to a client side command - I'm >>> proposing to change t

Re: [Freeipa-devel] certmonger everywhere

2016-01-04 Thread Rob Crittenden
Jan Cholasta wrote: > On 16.12.2015 01:40, Fraser Tweedale wrote: > > I'm not proposing to change cert-request to a client side command - I'm > proposing to change the way cert-request is handled *on the server*. > This way we can keep all the configuration on the server and make > changes to it

Re: [Freeipa-devel] patch acceptance criteria

2015-12-08 Thread Rob Crittenden
Petr Spacek wrote: > On 4.12.2015 14:42, Rob Crittenden wrote: >> Lukas Slebodnik wrote: >>>> On (03/12/15 09:59), Rob Crittenden wrote: >>>>>> Lukas Slebodnik wrote: >>>>>>>> On (02/12/15 13:14), Rob Crittenden wrote: >>

Re: [Freeipa-devel] [PATCH] 0046 Create server certs with DNS altname

2015-12-07 Thread Rob Crittenden
Fraser Tweedale wrote: > On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote: >> On 12/07/2015 06:26 AM, Fraser Tweedale wrote: >>> The attached patch fixes >>> https://fedorahosted.org/freeipa/ticket/4970. >>> >>> Note that the problem is addressed by adding the appropriate request >>>

Re: [Freeipa-devel] patch acceptance criteria

2015-12-04 Thread Rob Crittenden
Lukas Slebodnik wrote: > On (03/12/15 09:59), Rob Crittenden wrote: >> Lukas Slebodnik wrote: >>> On (02/12/15 13:14), Rob Crittenden wrote: >>>> Is it still mandatory that tests pass the unit tests before acceptance? >>> Unit test could be executed as part

Re: [Freeipa-devel] [PATCH 0111] prevent crashes of server uninstall check caused by failed, 5 LDAP connections

2015-12-04 Thread Rob Crittenden
Martin Babinsky wrote: > https://fedorahosted.org/freeipa/ticket/5409 Should it also warn about the potential loss of the DNSSEC master? rob

Re: [Freeipa-devel] [PATCH 0391] replicainstall: Add check for domain if server is specified

2015-12-04 Thread Rob Crittenden
Martin Kosek wrote: > On 12/04/2015 07:17 PM, Tomas Babej wrote: >> Hi, >> >> Avoids failing in the later stages during the ipa-client-install >> command. >> >> Tomas > > Is this change needed? Wouldn't it be better to update > ipa-client-install or ipa-replica-install to not require the --domain

Re: [Freeipa-devel] patch acceptance criteria

2015-12-03 Thread Rob Crittenden
Martin Kosek wrote: > On 12/03/2015 09:08 AM, Petr Spacek wrote: >> On 2.12.2015 19:14, Rob Crittenden wrote: >>> Is it still mandatory that tests pass the unit tests before acceptance? >>> I've seen a number of cases over the past couple of months where a >>&

Re: [Freeipa-devel] patch acceptance criteria

2015-12-03 Thread Rob Crittenden
Lukas Slebodnik wrote: > On (02/12/15 13:14), Rob Crittenden wrote: >> Is it still mandatory that tests pass the unit tests before acceptance? > Unit test could be executed as part of "%check" phase in spec files. > I recently added C-base unit tests there. > > I

Re: [Freeipa-devel] patch acceptance criteria

2015-12-03 Thread Rob Crittenden
Petr Spacek wrote: > On 3.12.2015 15:34, Rob Crittenden wrote: >> Martin Kosek wrote: >>> On 12/03/2015 09:08 AM, Petr Spacek wrote: >>>> On 2.12.2015 19:14, Rob Crittenden wrote: >>>>> Is it still mandatory that tests pass the unit tests before accep

Re: [Freeipa-devel] patch acceptance criteria

2015-12-03 Thread Rob Crittenden
Petr Spacek wrote: > On 3.12.2015 16:07, Rob Crittenden wrote: >> Petr Spacek wrote: >>> On 3.12.2015 15:34, Rob Crittenden wrote: >>>> Martin Kosek wrote: >>>>> On 12/03/2015 09:08 AM, Petr Spacek wrote: >>>>>> On 2.12.2015 19:14,

[Freeipa-devel] patch acceptance criteria

2015-12-02 Thread Rob Crittenden
Is it still mandatory that tests pass the unit tests before acceptance? I've seen a number of cases over the past couple of months where a change goes through then shortly afterward a patch to fix the tests. IMHO this should be caught in advance. Things slip through and goodness knows I've acked

Re: [Freeipa-devel] [PATCH] Add option to disable setkeytab extended operations

2015-11-25 Thread Rob Crittenden
Jan Cholasta wrote: > On 24.11.2015 22:17, Simo Sorce wrote: >> On Tue, 2015-11-24 at 14:57 -0500, Simo Sorce wrote: >>> On Tue, 2015-11-24 at 14:42 -0500, Simo Sorce wrote: Since some time we use the getkeytab operation to fetch keytabs on newer clients. According to bug #232

Re: [Freeipa-devel] [PATCH 0104] do not disconnect when using existing connection to check default CA ACLs

2015-11-25 Thread Rob Crittenden
Martin Babinsky wrote: > On 11/25/2015 09:56 AM, Jan Cholasta wrote: >> On 25.11.2015 09:28, Martin Babinsky wrote: >>> On 11/25/2015 07:21 AM, Jan Cholasta wrote: On 25.11.2015 05:56, Fraser Tweedale wrote: > On Tue, Nov 24, 2015 at 05:38:45PM +0100, Jan Cholasta wrote: >> On

Re: [Freeipa-devel] [PATCH] Allow ipa-getkeytab to find server name from config file

2015-11-24 Thread Rob Crittenden
Petr Spacek wrote: > On 24.11.2015 07:32, Jan Cholasta wrote: >> On 23.11.2015 21:18, Simo Sorce wrote: >>> Fixes #2203 by reading the server name from /etc/ipa/default.conf if not >>> provided on the command line. >>> >>> Simo. >> >> Just a thought: it would be nice if we had libipaconfig and

Re: [Freeipa-devel] [PATCH 0386] private_ccache: Harden the removal of KRB5CCNAME env variable

2015-11-23 Thread Rob Crittenden
Tomas Babej wrote: > > > On 11/23/2015 01:50 PM, Jan Cholasta wrote: >> On 23.11.2015 13:40, Tomas Babej wrote: >>> >>> >>> On 11/23/2015 01:31 PM, Jan Cholasta wrote: On 23.11.2015 13:28, Tomas Babej wrote: > > > On 11/23/2015 01:11 PM, Jan Cholasta wrote: >> On 23.11.2015
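The subject of this thread is hardening how a private credential cache wrapper removes KRB5CCNAME from the environment. The following is an added illustration, not FreeIPA's private_ccache code: a context manager that sets KRB5CCNAME for the enclosed block and afterwards restores the caller's environment exactly, including the case where code inside the block has already deleted the variable. The cache paths, the helper names and demo() are assumptions chosen for the example; nothing here invokes kinit.

```python
import os
import tempfile
from contextlib import contextmanager

ENV = "KRB5CCNAME"


@contextmanager
def private_ccache(path=None):
    """Point KRB5CCNAME at a private credential cache for the enclosed block.

    On exit the caller's environment is restored exactly as it was: if the
    variable was unset before, it is unset again; if it was set, the old
    value is put back.  Removal uses os.environ.pop(..., None), so it is safe
    even when code inside the block has already deleted the variable itself.
    """
    # Hypothetical default: a fresh file-based cache in a private temp dir.
    # Populating it (kinit) is the caller's job; this only manages the env.
    if path is None:
        path = os.path.join(tempfile.mkdtemp(prefix="ccache-"), "krb5cc")
    previous = os.environ.get(ENV)
    try:
        os.environ[ENV] = "FILE:" + path
        yield path
    finally:
        if previous is None:
            # Not `del os.environ[ENV]`: that raises KeyError if the body
            # already removed the variable, and the KeyError would mask
            # whatever exception is propagating out of the block.
            os.environ.pop(ENV, None)
        else:
            os.environ[ENV] = previous


def current_ccache():
    """Return the active KRB5CCNAME, or None if none is set."""
    return os.environ.get(ENV)


def demo():
    """Exercise the three cases a test for this wrapper should cover."""
    results = {}

    # Case 1: variable unset before -> set inside -> unset again after.
    os.environ.pop(ENV, None)
    with private_ccache("/run/user/1000/krb5cc_private"):
        results["inside_unset_case"] = current_ccache()
    results["after_unset_case"] = current_ccache()

    # Case 2: variable set before -> original value restored after.
    os.environ[ENV] = "FILE:/tmp/krb5cc_original"
    with private_ccache("/run/user/1000/krb5cc_private"):
        results["inside_set_case"] = current_ccache()
    results["after_set_case"] = current_ccache()

    # Case 3 (the hardening case): the body deletes the variable itself;
    # leaving the block must still succeed and leave the environment clean.
    os.environ.pop(ENV, None)
    with private_ccache("/run/user/1000/krb5cc_private"):
        del os.environ[ENV]
    results["after_body_deleted"] = current_ccache()

    os.environ.pop(ENV, None)  # leave the process environment as we found it
    return results


if __name__ == "__main__":
    print(demo())
```

The pop-with-default in the finally clause is the whole point: a bare del would turn a cleanup step into a second exception in exactly the situation (the body already tore down its ccache) where the original error is the one you want to see.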

Re: [Freeipa-devel] Caching ldap limits for whole connection (performance)

2015-11-18 Thread Rob Crittenden
Martin Basti wrote: > > > On 18.11.2015 17:34, Martin Basti wrote: >> >> >> On 18.11.2015 14:25, Petr Vobornik wrote: >>> On 11/17/2015 10:37 AM, Martin Basti wrote: >>>> >>>> >>>> On 16.11.2015 20:18, Rob Crittenden w

Re: [Freeipa-devel] Caching ldap limits for whole connection (performance)

2015-11-16 Thread Rob Crittenden
Martin Basti wrote: On 16.11.2015 18:57, Martin Basti wrote: How does this code work (IMO it doesn't), ldap2.py def find_entries(self, filter=None, attrs_list=None, base_dn=None, scope=_ldap.SCOPE_SUBTREE, time_limit=None, size_limit=None,

Re: [Freeipa-devel] [PATCH 506] cert renewal: make renewal of ipaCert atomic

2015-11-10 Thread Rob Crittenden
Jan Cholasta wrote: > On 9.11.2015 16:51, Rob Crittenden wrote: >> Jan Cholasta wrote: >>> Hi, >>> >>> the attached patch fixes <https://fedorahosted.org/freeipa/ticket/5436>. >>> >>> Honza >>> >>> &

Re: [Freeipa-devel] [PATCH 506] cert renewal: make renewal of ipaCert atomic

2015-11-09 Thread Rob Crittenden
Jan Cholasta wrote: > Hi, > > the attached patch fixes . > > Honza > > > There be a note in renew_ra_cert that the lock is obtained in advance by renew_ra_cert_pre. It looks like it will silently fail if the lock cannot be acquired. Is that
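The review comment above is that a renewal step which takes a lock in a "pre" hook should not proceed silently when the lock cannot be acquired. As an added example, not the patch under review or FreeIPA's renew_ra_cert code, here is a non-blocking flock()-based lock whose acquisition either succeeds or raises, next to the silent variant being questioned, and a demo() that shows the difference when a second holder tries to take the same lock. The lock path, function names and exception class are assumptions for the example.

```python
import errno
import fcntl
import os
import tempfile


class LockHeld(Exception):
    """Raised when the renewal lock is already held by another holder."""


def acquire_lock(path):
    """Take an exclusive, non-blocking flock() on `path`.

    Returns an open file descriptor that owns the lock.  If another open
    file description already holds it, raise LockHeld instead of returning,
    so the caller cannot carry on as though it were the only renewer.
    """
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except OSError as e:
        os.close(fd)
        if e.errno in (errno.EAGAIN, errno.EACCES, errno.EWOULDBLOCK):
            raise LockHeld(f"{path} is locked by another process") from e
        raise
    return fd


def release_lock(fd):
    """Drop the lock and close the descriptor that owned it."""
    fcntl.flock(fd, fcntl.LOCK_UN)
    os.close(fd)


def silent_pre(path):
    """The pattern being questioned: swallow the failure and return None,
    which lets a caller that ignores the return value renew concurrently."""
    try:
        return acquire_lock(path)
    except LockHeld:
        return None


def demo(path=None):
    """Hold the lock once, then observe what a second acquirer sees."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(prefix="renew-"), "renewal.lock")
    results = {}
    holder = acquire_lock(path)  # the first renewer takes the lock
    try:
        try:
            second = acquire_lock(path)
            release_lock(second)
            results["second_raises"] = False
        except LockHeld:
            results["second_raises"] = True
        # the silent variant hands back None and the caller may carry on
        results["silent_returns_none"] = silent_pre(path) is None
    finally:
        release_lock(holder)
    # once released, the lock can be taken again
    again = acquire_lock(path)
    results["reacquired"] = True
    release_lock(again)
    return results


if __name__ == "__main__":
    print(demo())
```

flock() locks belong to the open file description, so two separate os.open() calls on the same path conflict even within one process; that is what lets the demo exercise contention without forking. A real pre-hook would either raise as acquire_lock does or return a clear failure that the caller checks before touching the certificate database.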

Re: [Freeipa-devel] [PATCH 0339] ipa-csreplica-manage: disable connect/disconnect/del subcommands

2015-10-30 Thread Rob Crittenden
Martin Basti wrote: > > > On 30.10.2015 14:49, Martin Babinsky wrote: >> On 10/30/2015 02:09 PM, Martin Basti wrote: >>> https://fedorahosted.org/freeipa/ticket/5405 >>> >>> >>> Patch attached >>> >>> >> Hi Martin, >> >> NACK since I'm not a big fan of having (nearly) the same function >>

Re: [Freeipa-devel] [PATCH 0082] remove Kerberos authenticators after service uninstall

2015-10-13 Thread Rob Crittenden
Alexander Bokovoy wrote: > On Tue, 13 Oct 2015, Martin Basti wrote: >> >> >> On 13.10.2015 10:04, Petr Spacek wrote: >>> On 13.10.2015 09:34, Martin Babinsky wrote: On 10/13/2015 09:17 AM, Petr Spacek wrote: > On 12.10.2015 13:38, Martin Babinsky wrote: >> each service possessing
