[Freeipa-devel] Announcing bind-dyndb-ldap version 2.6

2013-03-27 Thread Petr Spacek
The FreeIPA team is proud to announce bind-dyndb-ldap version 2.6. It can be downloaded from https://fedorahosted.org/released/bind-dyndb-ldap/. The new version has also been built for Fedora 18 and is on its way to updates-testing:

Re: [Freeipa-devel] [PATCH] 391-395 Fedora 19 build and install fixes

2013-03-27 Thread Tomas Babej
On Tue 26 Mar 2013 06:49:59 PM CET, Martin Kosek wrote: On 03/26/2013 06:32 PM, Tomas Babej wrote: On 03/26/2013 05:38 PM, Martin Kosek wrote: On 03/21/2013 11:59 AM, Martin Kosek wrote: This set of patches (details in commit messages) allow build and installation of FreeIPA in Fedora 19. I

Re: [Freeipa-devel] [PATCH] 0100 Enumerate UPN suffixes in ipasam

2013-03-27 Thread Sumit Bose
On Mon, Mar 25, 2013 at 08:07:44PM +0200, Alexander Bokovoy wrote: Hi, following patch allows to enumerate UPN suffixes associated with IPA domain and make them available to AD domain we trust. The patch relies on PASSDB API expansion I'm working on and as such requires Samba built with

Re: [Freeipa-devel] [PATCH] 0100 Enumerate UPN suffixes in ipasam

2013-03-27 Thread Alexander Bokovoy
Hi, On Wed, 27 Mar 2013, Sumit Bose wrote: Additionally, you can request Windows to update list of name suffixes via UI. Here is how it looks in Windows 2012 Server: http://abbra.fedorapeople.org/.paste/win2012-multiple-suffixes.png Part of ticket https://fedorahosted.org/freeipa/ticket/2848

Re: [Freeipa-devel] [PATCH] 0100 Enumerate UPN suffixes in ipasam

2013-03-27 Thread Sumit Bose
On Wed, Mar 27, 2013 at 12:53:18PM +0200, Alexander Bokovoy wrote: Hi, On Wed, 27 Mar 2013, Sumit Bose wrote: Additionally, you can request Windows to update list of name suffixes via UI. Here is how it looks in Windows 2012 Server:

Re: [Freeipa-devel] [PATCH] 0010 Add mkhomedir option to ipa-server-install and ipa-replica-install

2013-03-27 Thread Ana Krivokapic
On 03/27/2013 12:15 PM, Tomas Babej wrote: On 03/26/2013 07:45 PM, Ana Krivokapic wrote: Add the option to create home directories for users on their first login to ipa-server-install and ipa-replica-install. https://fedorahosted.org/freeipa/ticket/3515

Re: [Freeipa-devel] [PATCH] 0010 Add mkhomedir option to ipa-server-install and ipa-replica-install

2013-03-27 Thread Tomas Babej
On Wed 27 Mar 2013 01:54:49 PM CET, Ana Krivokapic wrote: On 03/27/2013 12:15 PM, Tomas Babej wrote: On 03/26/2013 07:45 PM, Ana Krivokapic wrote: Add the option to create home directories for users on their first login to ipa-server-install and ipa-replica-install.

Re: [Freeipa-devel] [WIP][PATCH] 120 Add Kerberos ticket flags management to service and host plugins

2013-03-27 Thread Martin Kosek
On 03/26/2013 03:05 PM, Jan Cholasta wrote: On 25.3.2013 16:21, Martin Kosek wrote: On 03/25/2013 02:41 PM, Martin Kosek wrote: I checked what you have already and this is what I found: 1) Internal error if I try to remove krbticketflags via *attr functions: # ipa service-add foo/`hostname`

Re: [Freeipa-devel] [RFE] CA-less install

2013-03-27 Thread Jan Cholasta
Hi, On 22.3.2013 13:10, Petr Viktorin wrote: The design page for CA-less installation with user-provided SSL certs is available at http://freeipa.org/page/V3/CA-less_install. I've also copied it to this mail. Does it answer all your questions? I have gone through the whole discussion, RFE

Re: [Freeipa-devel] git versions for rpms in makefile

2013-03-27 Thread John Dennis
On 03/26/2013 10:41 PM, Orion Poplawski wrote: On 03/26/2013 07:36 PM, Simo Sorce wrote: On Tue, 2013-03-26 at 19:14 -0400, Rob Crittenden wrote: Orion Poplawski wrote: This patch uses the Fedora standard for git versioning (version-#.gittag) when making rpms. I'm afraid I haven't been able

Re: [Freeipa-devel] [RFE] CA-less install

2013-03-27 Thread Petr Viktorin
On 03/27/2013 03:44 PM, Jan Cholasta wrote: Hi, On 22.3.2013 13:10, Petr Viktorin wrote: The design page for CA-less installation with user-provided SSL certs is available at http://freeipa.org/page/V3/CA-less_install. I've also copied it to this mail. Does it answer all your questions? I

Re: [Freeipa-devel] [RFE] CA-less install

2013-03-27 Thread John Dennis
On 03/27/2013 11:23 AM, Petr Viktorin wrote: I don't want to check the subject because this RFE was prompted by IPA's normal CA rejecting valid wildcart certs. Is there a reasonable way to ask NSS if it will trust the cert? Yes. NSS provides a variety of tools to test validation. Going just

Re: [Freeipa-devel] [PATCH] 271, 272 Added Web UI support for service PAC type option: NONE

2013-03-27 Thread Endi Sukma Dewata
On 3/26/2013 12:55 PM, Endi Sukma Dewata wrote: On 3/25/2013 6:46 AM, Petr Vobornik wrote: Reimplemented ^^ to match your proposal. Attaching as patches with new numbers (271,272) as they don't have much common with the original patch. The code looks good. Do you have a static/live demo site?

Re: [Freeipa-devel] [RFE] CA-less install

2013-03-27 Thread Rob Crittenden
Jan Cholasta wrote: On 27.3.2013 16:23, Petr Viktorin wrote: On 03/27/2013 03:44 PM, Jan Cholasta wrote: I have gone through the whole discussion, RFE page and your patches, and I still don't see why --root-ca-file is necessary. Walking the certificate chain from the server cert up to the root

Re: [Freeipa-devel] [RFE] CA-less install

2013-03-27 Thread Petr Viktorin
On 03/27/2013 04:40 PM, Jan Cholasta wrote: On 27.3.2013 16:23, Petr Viktorin wrote: On 03/27/2013 03:44 PM, Jan Cholasta wrote: I have gone through the whole discussion, RFE page and your patches, and I still don't see why --root-ca-file is necessary. Walking the certificate chain from the

Re: [Freeipa-devel] [RFE] CA-less install

2013-03-27 Thread Petr Viktorin
On 03/27/2013 05:09 PM, Rob Crittenden wrote: [...] Well, I don't like how PEM file duplicates an unnecessary amount of information (the whole certificate). Also, copy-pasting subject might be faster than exporting certificate in PEM and uploading it to the server... We're talking a one-time

Re: [Freeipa-devel] [RFE] CA-less install

2013-03-27 Thread Petr Viktorin
On 03/27/2013 04:40 PM, John Dennis wrote: On 03/27/2013 11:23 AM, Petr Viktorin wrote: I don't want to check the subject because this RFE was prompted by IPA's normal CA rejecting valid wildcart certs. Is there a reasonable way to ask NSS if it will trust the cert? Yes. NSS provides a

Re: [Freeipa-devel] [RFE] CA-less install

2013-03-27 Thread John Dennis
On 03/27/2013 12:42 PM, Petr Viktorin wrote: On 03/27/2013 05:09 PM, Rob Crittenden wrote: [...] Well, I don't like how PEM file duplicates an unnecessary amount of information (the whole certificate). Also, copy-pasting subject might be faster than exporting certificate in PEM and uploading it

Re: [Freeipa-devel] [RFE] CA-less install

2013-03-27 Thread John Dennis
On 03/27/2013 12:44 PM, Petr Viktorin wrote: On 03/27/2013 04:40 PM, John Dennis wrote: On 03/27/2013 11:23 AM, Petr Viktorin wrote: I don't want to check the subject because this RFE was prompted by IPA's normal CA rejecting valid wildcart certs. Is there a reasonable way to ask NSS if it

[Freeipa-devel] [PATCH] 110 Add support for cmocka C-Unit Test framework

2013-03-27 Thread Sumit Bose
Hi, this patch does not do anything really useful for now, it just adds configure checks. The related ticket https://fedorahosted.org/freeipa/ticket/3434 is in the current milestone but it can easily deferred to a later milestone if you do not have the time to review it. bye, Sumit From

Re: [Freeipa-devel] [RFE] CA-less install

2013-03-27 Thread Orion Poplawski
On 03/27/2013 10:42 AM, Petr Viktorin wrote: On 03/27/2013 05:09 PM, Rob Crittenden wrote: [...] Well, I don't like how PEM file duplicates an unnecessary amount of information (the whole certificate). Also, copy-pasting subject might be faster than exporting certificate in PEM and uploading it