Re: [Freeipa-devel] [PATCH] 1091 Don't double-encode CA cert

2013-03-07 Thread Martin Kosek
On 03/06/2013 10:57 PM, Rob Crittenden wrote: When the CA cert was added via the update plugin we were double-encoding it. We just need to store the DER value. See the ticket for reproduction details. rob This works fine. The certificate is now stored correctly in the attribute and it

Re: [Freeipa-devel] [PATCH] 0007 Web UI: Realm Domains page

2013-03-07 Thread Petr Vobornik
On 03/06/2013 08:26 PM, Ana Krivokapic wrote: On 03/06/2013 10:40 AM, Petr Vobornik wrote: On 03/05/2013 05:52 PM, Ana Krivokapic wrote: On 02/27/2013 05:10 PM, Petr Vobornik wrote: On 02/27/2013 04:20 PM, Ana Krivokapic wrote: Add support for Realm Domains to web UI.

Re: [Freeipa-devel] [PATCH] 1088 Recover DNA ranges when deleting a master

2013-03-07 Thread Petr Viktorin
On 03/06/2013 09:52 PM, Rob Crittenden wrote: Petr Viktorin wrote: [...] On new installs, the ACI on cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config is added before the entry itself. I didn't test everything as I didn't get the access. It shouldn't make a

[Freeipa-devel] [PATCHES] 116-119 Make LDAP schema retrieval optional

2013-03-07 Thread Jan Cholasta
Hi, these patches add flags to LDAPClient and IPAdmin constructors which can be used to disable schema retrieval and decoding of attributes. This should make interacting with AD easier (see http://www.redhat.com/archives/freeipa-devel/2013-March/msg00076.html). Honza -- Jan Cholasta From

[Freeipa-devel] Custom SSL certificates

2013-03-07 Thread Petr Viktorin
Hi, I'm investigating https://fedorahosted.org/freeipa/ticket/3363 (fix --http_pkcs12 friends). I can't find documentation on these options, and from the code I can't figure out enough about how they are/were supposed to work. Is it the case that they were last used/tested before IPA started

[Freeipa-devel] [PATCH] 381 Preserve order of servers in ipa-client-install

2013-03-07 Thread Martin Kosek
When multiple servers are passed via --server option, ipadiscovery module changed its order. Make sure that we preserve it. Also make sure that user is always warned when a tested server is not available as then the server will be excluded from the fixed server list.

Re: [Freeipa-devel] [PATCH] 0007 Web UI: Realm Domains page

2013-03-07 Thread Ana Krivokapic
On 03/07/2013 12:41 PM, Petr Vobornik wrote: On 03/06/2013 08:26 PM, Ana Krivokapic wrote: On 03/06/2013 10:40 AM, Petr Vobornik wrote: On 03/05/2013 05:52 PM, Ana Krivokapic wrote: On 02/27/2013 05:10 PM, Petr Vobornik wrote: On 02/27/2013 04:20 PM, Ana Krivokapic wrote: Add support for

Re: [Freeipa-devel] [PATCH] 255 Added Web UI support for service PAC type option: NONE

2013-03-07 Thread Petr Vobornik
On 02/14/2013 04:56 PM, Endi Sukma Dewata wrote: On 2/14/2013 6:30 AM, Petr Vobornik wrote: If they are mutually exclusive, they probably should be separated using radio buttons like this: PAC: ( ) None (o) Type: [x] MS-PAC [ ] PAD You missed one option:

Re: [Freeipa-devel] [PATCHES] 116-119 Make LDAP schema retrieval optional

2013-03-07 Thread Petr Viktorin
On 03/07/2013 01:43 PM, Jan Cholasta wrote: Hi, these patches add flags to LDAPClient and IPAdmin constructors which can be used to disable schema retrieval and decoding of attributes. This should make interacting with AD easier (see

Re: [Freeipa-devel] [PATCH] 381 Preserve order of servers in ipa-client-install

2013-03-07 Thread Petr Viktorin
On 03/07/2013 02:00 PM, Martin Kosek wrote: When multiple servers are passed via --server option, ipadiscovery module changed its order. Make sure that we preserve it. Also make sure that user is always warned when a tested server is not available as then the server will be excluded from the

Re: [Freeipa-devel] [PATCH 0037] Add support for re-enrolling hosts using keytab

2013-03-07 Thread Tomas Babej
On 03/06/2013 01:30 PM, Petr Spacek wrote: On 6.3.2013 13:04, Tomas Babej wrote: On 03/05/2013 02:10 PM, Petr Viktorin wrote: Thanks! The mechanism works, but see below. This is a RFE so it needs a design document. http://freeipa.org/page/V3/Client_install_using_keytab I added Security

Re: [Freeipa-devel] Custom SSL certificates

2013-03-07 Thread Rob Crittenden
Petr Viktorin wrote: Hi, I'm investigating https://fedorahosted.org/freeipa/ticket/3363 (fix --http_pkcs12 friends). I can't find documentation on these options, and from the code I can't figure out enough about how they are/were supposed to work. Is it the case that they were last used/tested

[Freeipa-devel] [PATCH] 382 Do not hide idrange-add errors when adding trust

2013-03-07 Thread Martin Kosek
We catched all errors that could be raised by idrange-add command and just raised an uncomprehensible ValidationError. This could hide a real underlying problem and make the debugging harder. We should rather just let the command raise the real error (which will be already a PublicError).

Re: [Freeipa-devel] [PATCH 0037] Add support for re-enrolling hosts using keytab

2013-03-07 Thread Petr Viktorin
Thanks! I just have two more very minor nitpicks. On 03/06/2013 01:04 PM, Tomas Babej wrote: On 03/05/2013 02:10 PM, Petr Viktorin wrote: Thanks! The mechanism works, but see below. This is a RFE so it needs a design document. http://freeipa.org/page/V3/Client_install_using_keytab Please

Re: [Freeipa-devel] [PATCH 0037] Add support for re-enrolling hosts using keytab

2013-03-07 Thread Tomas Babej
On 03/07/2013 04:12 PM, Petr Viktorin wrote: Thanks! I just have two more very minor nitpicks. On 03/06/2013 01:04 PM, Tomas Babej wrote: On 03/05/2013 02:10 PM, Petr Viktorin wrote: Thanks! The mechanism works, but see below. This is a RFE so it needs a design document.

Re: [Freeipa-devel] [PATCHES] 116-119 Make LDAP schema retrieval optional

2013-03-07 Thread Jan Cholasta
On 7.3.2013 14:53, Petr Viktorin wrote: On 03/07/2013 01:43 PM, Jan Cholasta wrote: Hi, these patches add flags to LDAPClient and IPAdmin constructors which can be used to disable schema retrieval and decoding of attributes. This should make interacting with AD easier (see

Re: [Freeipa-devel] [PATCH 0037] Add support for re-enrolling hosts using keytab

2013-03-07 Thread Petr Viktorin
On 03/07/2013 04:27 PM, Tomas Babej wrote: On 03/07/2013 04:12 PM, Petr Viktorin wrote: Thanks! I just have two more very minor nitpicks. On 03/06/2013 01:04 PM, Tomas Babej wrote: On 03/05/2013 02:10 PM, Petr Viktorin wrote: Thanks! The mechanism works, but see below. This is a RFE so it

Re: [Freeipa-devel] [PATCH 0037] Add support for re-enrolling hosts using keytab

2013-03-07 Thread Tomas Babej
On Thu 07 Mar 2013 04:54:02 PM CET, Petr Viktorin wrote: On 03/07/2013 04:27 PM, Tomas Babej wrote: On 03/07/2013 04:12 PM, Petr Viktorin wrote: Thanks! I just have two more very minor nitpicks. On 03/06/2013 01:04 PM, Tomas Babej wrote: On 03/05/2013 02:10 PM, Petr Viktorin wrote: Thanks!

Re: [Freeipa-devel] [PATCH] 0007 Web UI: Realm Domains page

2013-03-07 Thread Petr Vobornik
On 03/07/2013 02:19 PM, Ana Krivokapic wrote: On 03/07/2013 12:41 PM, Petr Vobornik wrote: On 03/06/2013 08:26 PM, Ana Krivokapic wrote: On 03/06/2013 10:40 AM, Petr Vobornik wrote: On 03/05/2013 05:52 PM, Ana Krivokapic wrote: On 02/27/2013 05:10 PM, Petr Vobornik wrote: On 02/27/2013

Re: [Freeipa-devel] [PATCHES] 0191-0195 Use ipaldap in the client installer password migration

2013-03-07 Thread Jan Cholasta
On 6.3.2013 16:29, Petr Viktorin wrote: Hello, These patches move ipaldap to ipapython, and make the client installer use it. Also password migration web-app is made to use ipaldap; they both called a shared a utility function that is converted to use ipaldap. This should fix

Re: [Freeipa-devel] [PATCHES] 116-119 Make LDAP schema retrieval optional

2013-03-07 Thread Petr Viktorin
On 03/07/2013 04:33 PM, Jan Cholasta wrote: On 7.3.2013 14:53, Petr Viktorin wrote: On 03/07/2013 01:43 PM, Jan Cholasta wrote: Hi, these patches add flags to LDAPClient and IPAdmin constructors which can be used to disable schema retrieval and decoding of attributes. This should make

Re: [Freeipa-devel] [PATCHES] 0191-0195 Use ipaldap in the client installer password migration

2013-03-07 Thread Rob Crittenden
Jan Cholasta wrote: On 6.3.2013 16:29, Petr Viktorin wrote: Hello, These patches move ipaldap to ipapython, and make the client installer use it. Also password migration web-app is made to use ipaldap; they both called a shared a utility function that is converted to use ipaldap. This should

Re: [Freeipa-devel] [PATCHES] 116-119 Make LDAP schema retrieval optional

2013-03-07 Thread Jan Cholasta
On 7.3.2013 17:59, Petr Viktorin wrote: On 03/07/2013 04:33 PM, Jan Cholasta wrote: On 7.3.2013 14:53, Petr Viktorin wrote: On 03/07/2013 01:43 PM, Jan Cholasta wrote: Hi, these patches add flags to LDAPClient and IPAdmin constructors which can be used to disable schema retrieval and

Re: [Freeipa-devel] [PATCHES] 0191-0195 Use ipaldap in the client installer password migration

2013-03-07 Thread Petr Viktorin
On 03/07/2013 06:01 PM, Rob Crittenden wrote: Jan Cholasta wrote: On 6.3.2013 16:29, Petr Viktorin wrote: Hello, These patches move ipaldap to ipapython, and make the client installer use it. Also password migration web-app is made to use ipaldap; they both called a shared a utility function

Re: [Freeipa-devel] [PATCHES] 94-99 Read and use per-service PAC type

2013-03-07 Thread Sumit Bose
On Wed, Mar 06, 2013 at 05:33:43PM +0100, Sumit Bose wrote: On Wed, Mar 06, 2013 at 08:51:47AM -0500, Simo Sorce wrote: On Wed, 2013-03-06 at 14:49 +0100, Martin Kosek wrote: On 03/06/2013 10:41 AM, Sumit Bose wrote: On Tue, Mar 05, 2013 at 05:13:58PM +0100, Martin Kosek wrote: On

Re: [Freeipa-devel] [PATCH] 0007 Web UI: Realm Domains page

2013-03-07 Thread Petr Vobornik
On 03/07/2013 05:32 PM, Petr Vobornik wrote: On 03/07/2013 02:19 PM, Ana Krivokapic wrote: On 03/07/2013 12:41 PM, Petr Vobornik wrote: On 03/06/2013 08:26 PM, Ana Krivokapic wrote: On 03/06/2013 10:40 AM, Petr Vobornik wrote: On 03/05/2013 05:52 PM, Ana Krivokapic wrote: On 02/27/2013

Re: [Freeipa-devel] [PATCHES] 0191-0195 Use ipaldap in the client installer password migration

2013-03-07 Thread Rob Crittenden
Petr Viktorin wrote: On 03/07/2013 06:01 PM, Rob Crittenden wrote: Jan Cholasta wrote: On 6.3.2013 16:29, Petr Viktorin wrote: Hello, These patches move ipaldap to ipapython, and make the client installer use it. Also password migration web-app is made to use ipaldap; they both called a

Re: [Freeipa-devel] [PATCH] 1088 Recover DNA ranges when deleting a master

2013-03-07 Thread Rob Crittenden
Petr Viktorin wrote: On 03/06/2013 09:52 PM, Rob Crittenden wrote: Petr Viktorin wrote: [...] On new installs, the ACI on cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config is added before the entry itself. I didn't test everything as I didn't get the access. It

[Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-07 Thread Rob Crittenden
Based on a comment from Sumit in ticket https://fedorahosted.org/freeipa/ticket/3329 here is a bare outline of how one might do it: http://freeipa.org/page/V3/Kerberos_Flags There is a bit of hand waving going on around how the flags are actually set inside the KDB plugin since I'm not at all

Re: [Freeipa-devel] [PATCH 0037] Add support for re-enrolling hosts using keytab

2013-03-07 Thread Rob Crittenden
Petr Viktorin wrote: On 03/07/2013 04:27 PM, Tomas Babej wrote: On 03/07/2013 04:12 PM, Petr Viktorin wrote: Thanks! I just have two more very minor nitpicks. On 03/06/2013 01:04 PM, Tomas Babej wrote: On 03/05/2013 02:10 PM, Petr Viktorin wrote: Thanks! The mechanism works, but see below.

Re: [Freeipa-devel] [PATCH 0038] Perform secondary rid range overlap check for local ranges

2013-03-07 Thread Rob Crittenden
Tomas Babej wrote: Hi, Any of the following checks: - overlap between primary RID range and secondary RID range - overlap between secondary RID range and secondary RID range is performed now only if both of the ranges involved are local domain ranges.

Re: [Freeipa-devel] [PATCH] 376-377 Use tkey-gssapi-keytab in named.conf

2013-03-07 Thread Rob Crittenden
Martin Kosek wrote: Remove obsolete BIND GSSAPI configuration options tkey-gssapi-credential and tkey-domain and replace them with tkey-gssapi-keytab which avoids unnecessary Kerberos checks on BIND startup and can cause issues when KDC is not available. Both new and current IPA installations

[Freeipa-devel] Failed push to github

2013-03-07 Thread Nathaniel McCallum
I tried to push my branch of FreeIPA to github and it failed with the following message. I don't know if anything can be done to fix it, but I figured I'd mention it. error: object 0b36ce6dcbfc8d7e6cda632e06a09c369428a2db:invalid author/committer line - bad date fatal: Error in object error: