[Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398
Title: #398: Support for Certificate Identity Mapping

dkupka commented:
"""
Works for me.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/398#issuecomment-283297105
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398
Title: #398: Support for Certificate Identity Mapping

sumit-bose commented:
"""
Ok, sorry for the noise, I tested on a fresh install again and now it is working as expected. I guess I shouldn't have tried to update from an older version of your patch to a newer one.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/398#issuecomment-281939524
[Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398
Title: #398: Support for Certificate Identity Mapping

flo-renaud commented:
"""
Hi @sumit-bose,
I am not able to reproduce this issue:
```
[root@vm-161 ~]# kinit -k
[root@vm-161 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_h6XRpeK
Default principal: host/vm-161.example@dom-161.example.com

Valid starting       Expires              Service principal
02/22/2017 21:30:10  02/23/2017 21:30:10  krbtgt/dom-161.example@dom-161.example.com
[root@vm-161 ~]# ldapsearch -H ldap://vm-161 '(&(objectClass=ipaCertMapRule)(ipaEnabledFlag=TRUE))' -Y GSSAPI -LLL
SASL/GSSAPI authentication started
SASL username: host/vm-161.example@dom-161.example.com
SASL SSF: 56
SASL data security layer installed.
dn: cn=rule1,cn=certmaprules,cn=certmap,dc=dom-161,dc=example,dc=com
objectClass: ipacertmaprule
objectClass: top
cn: rule1
description: d1
ipaEnabledFlag: TRUE
```

Do you have the ACI "permission:System: Read Certmap Rules" defined on dn: cn=certmaprules,cn=certmap,$BASEDN? It should grant access to ldap:///all
"""

See the full comment at https://github.com/freeipa/freeipa/pull/398#issuecomment-281795345
[Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398
Title: #398: Support for Certificate Identity Mapping

sumit-bose commented:
"""
It looks like the ACIs on the latest version do not allow hosts to access the rules. When I do 'kinit -k' on the IPA server or a client and call

    ldapsearch -H ldap://ipa-server.ipa.devel '(&(objectClass=ipaCertMapRule)(ipaEnabledFlag=TRUE))' -Y GSSAPI

I do not get any results. When I call 'kinit admin' and use the same ldapsearch I get my rule returned.

Can you confirm this or is my test system broken?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/398#issuecomment-281788601
[Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398
Title: #398: Support for Certificate Identity Mapping

HonzaCholasta commented:
"""
LGTM.

@flo-renaud, don't forget to register the new OIDs.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/398#issuecomment-281337299
[Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398
Title: #398: Support for Certificate Identity Mapping

flo-renaud commented:
"""
PR updated with the check on domain in certmaprule-add/mod.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/398#issuecomment-280152942
[Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398
Title: #398: Support for Certificate Identity Mapping

flo-renaud commented:
"""
@HonzaCholasta PR updated according to your comments. Thanks for the detailed review!
"""

See the full comment at https://github.com/freeipa/freeipa/pull/398#issuecomment-280034426
[Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398
Title: #398: Support for Certificate Identity Mapping

flo-renaud commented:
"""
Hi @HonzaCholasta
PR updated with `ipa user-add-certmapdata` using positional arg for CERTMAPDATA
"""

See the full comment at https://github.com/freeipa/freeipa/pull/398#issuecomment-279796224
[Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398
Title: #398: Support for Certificate Identity Mapping

HonzaCholasta commented:
"""
@flo-renaud, never mind the `default_from` suggestion, I was wrong - if e.g. both `--certmapdata` and `--certificate` are specified, we want to use both, not throw away `--certificate`, which is exactly what would happen if `--certmapdata` had default derived from `--certificate`.

One more issue, I think the `--certmapdata` option in `user-add-certmapdata` and friends should actually be a positional argument, as that would be more consistent with existing commands. The common pattern is that positional arguments are used to specify the literal value of the attribute (such as principal name in `user-add-principal`), but options need some preprocessing (such as conversion from UID to DN in `group-add-member`). Currently the only exception to this scheme is `user-add-cert` and friends, but that's only because the original intent was to add a certificate file positional argument, but it never happened.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/398#issuecomment-279713429
[Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398
Title: #398: Support for Certificate Identity Mapping

flo-renaud commented:
"""
Hi @HonzaCholasta,
PR updated with most of your comments, except the suggestion to use default_from. Please see my answer inline for this one.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/398#issuecomment-279689115
[Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398
Title: #398: Support for Certificate Identity Mapping

MartinBasti commented:
"""
I put some inline comments, @flo-renaud if you don't know where to register OIDs feel free to ping me
"""

See the full comment at https://github.com/freeipa/freeipa/pull/398#issuecomment-273428118