On 03/10/2014 12:05 PM, Petr Viktorin wrote:
> On 03/07/2014 04:45 PM, Martin Kosek wrote:
>> On 02/28/2014 03:51 PM, Petr Viktorin wrote:
>>> Hello,
>>> This reduces LDAP searches in permission-find when there are legacy
>>> permissions. The root entry (which contains all legacy permission ACIs) i
On 10.3.2014 12:08, Martin Kosek wrote:
On 03/10/2014 11:49 AM, Petr Spacek wrote:
On 7.3.2014 17:33, Dmitri Pal wrote:
I do not think it is the right architectural approach to try to fix a specific
use case with one off solution while we already know that we need a key storage.
I would rather
On 03/11/2014 11:33 AM, Petr Spacek wrote:
> On 10.3.2014 12:08, Martin Kosek wrote:
>> On 03/10/2014 11:49 AM, Petr Spacek wrote:
>>> On 7.3.2014 17:33, Dmitri Pal wrote:
I do not think it is the right architectural approach to try to fix a specific
use case with one off solution w
On 11.3.2014 12:21, Martin Kosek wrote:
On 03/11/2014 11:33 AM, Petr Spacek wrote:
On 10.3.2014 12:08, Martin Kosek wrote:
On 03/10/2014 11:49 AM, Petr Spacek wrote:
On 7.3.2014 17:33, Dmitri Pal wrote:
I do not think it is the right architectural approach to try to fix a specific
use case wi
On Mon, Feb 24, 2014 at 02:26:27PM -0500, Nathaniel McCallum wrote:
> Before this patch, ipa-kdb would load global configuration on startup
> and never update it. This means that if global configuration is changed,
> the KDC never receives the new configuration until it is restarted.
>
> This patc
On Tue, 11 Mar 2014, Jan Pazdziora wrote:
On Mon, Feb 24, 2014 at 02:26:27PM -0500, Nathaniel McCallum wrote:
Before this patch, ipa-kdb would load global configuration on startup
and never update it. This means that if global configuration is changed,
the KDC never receives the new configuratio
On Fri, Feb 21, 2014 at 03:30:22PM +0100, Petr Viktorin wrote:
> Hello,
> A permission object was not removed in permission-add when adding
> the ACI failed. Here is a fix.
>
> https://fedorahosted.org/freeipa/ticket/4187
>
>
> Earlier we agreed that patch authors should bug the reviewer. I
> gu
Hi,
after discussing with Petr Spacek, following patch fixes ticket 4224.
--
/ Alexander Bokovoy
From 83803494757e078c3a2850ddbb5eb886fd067dd1 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Tue, 11 Mar 2014 16:28:12 +0200
Subject: [PATCH 3/3] ipa-sam: when deleting subtree make sure to
On 11.3.2014 15:32, Alexander Bokovoy wrote:
after discussing with Petr Spacek, following patch fixes ticket 4224.
Code seems okay but I didn't do functional test.
--
Petr^2 Spacek
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.
On 03/11/2014 03:08 PM, Jan Pazdziora wrote:
On Fri, Feb 21, 2014 at 03:30:22PM +0100, Petr Viktorin wrote:
Hello,
A permission object was not removed in permission-add when adding
the ACI failed. Here is a fix.
https://fedorahosted.org/freeipa/ticket/4187
Earlier we agreed that patch authors
On Tue, 2014-03-11 at 16:05 +0200, Alexander Bokovoy wrote:
> On Tue, 11 Mar 2014, Jan Pazdziora wrote:
> >On Mon, Feb 24, 2014 at 02:26:27PM -0500, Nathaniel McCallum wrote:
> >> Before this patch, ipa-kdb would load global configuration on startup
> >> and never update it. This means that if glob
Hi guys,
I hope to explain in a few words what we are doing with ConnID and IPA.
Comments in-line.
On 03/10/2014 10:57 PM, Dmitri Pal wrote:
On 03/10/2014 03:14 PM, Petr Viktorin wrote:
On 03/10/2014 07:17 PM, Dmitri Pal wrote:
On 03/10/2014 08:24 AM, Petr Viktorin wrote:
On 03/07/2014 04:3
When creating replica from a Dogtag 9 based IPA server, the port 7389
which is required for the installation is never checked by
ipa-replica-conncheck even though it knows that it is being installed
from the Dogtag 9 based FreeIPA. If the 7389 port would be blocked by
firewall, installation would s
On 11.3.2014 16:09, Petr Viktorin wrote:
On 03/11/2014 03:08 PM, Jan Pazdziora wrote:
On Fri, Feb 21, 2014 at 03:30:22PM +0100, Petr Viktorin wrote:
Hello,
A permission object was not removed in permission-add when adding
the ACI failed. Here is a fix.
https://fedorahosted.org/freeipa/ticket/4
On 03/07/2014 10:21 AM, Alexander Bokovoy wrote:
> On Fri, 07 Mar 2014, Martin Kosek wrote:
>> When string is not terminated, queries with corrupted base may be sent
>> to LDAP:
>>
>> ... cn=ipa1.example.com,cn=masters...
>>
>> https://fedorahosted.org/freeipa/ticket/4214
>>
>> --
>> Martin Kosek
On 03/11/2014 04:33 PM, Martin Kosek wrote:
When creating replica from a Dogtag 9 based IPA server, the port 7389
which is required for the installation is never checked by
ipa-replica-conncheck even though it knows that it is being installed
from the Dogtag 9 based FreeIPA. If the 7389 port woul
On Tuesday, March 11, 2014 04:55:52 PM Martin Kosek wrote:
> On 03/07/2014 10:21 AM, Alexander Bokovoy wrote:
> > On Fri, 07 Mar 2014, Martin Kosek wrote:
> >> When string is not terminated, queries with corrupted base may be sent
> >> to LDAP:
> >>
> >> ... cn=ipa1.example.com,cn=masters...
> >>
On 03/11/2014 04:59 PM, Petr Viktorin wrote:
> On 03/11/2014 04:33 PM, Martin Kosek wrote:
>> When creating replica from a Dogtag 9 based IPA server, the port 7389
>> which is required for the installation is never checked by
>> ipa-replica-conncheck even though it knows that it is being installed
Hi,
Add idmap_cache calls to ipa-sam to prevent huge numbers of LDAP calls to the
directory service for gid/uid<->sid resolution.
Additionally, this patch further reduces number of queries by:
- fast fail on uidNumber=0 which doesn't exist in FreeIPA,
- return fallback group correctly when lo
On 03/11/2014 07:53 AM, Petr Spacek wrote:
On 11.3.2014 12:21, Martin Kosek wrote:
On 03/11/2014 11:33 AM, Petr Spacek wrote:
On 10.3.2014 12:08, Martin Kosek wrote:
On 03/10/2014 11:49 AM, Petr Spacek wrote:
On 7.3.2014 17:33, Dmitri Pal wrote:
I do not think it is the right architectural ap
On 03/11/2014 11:29 AM, Massimiliano Perrone wrote:
Hi guys,
I hope to explain in a few words what we are doing with ConnID and
IPA. Comments in-line.
On 03/10/2014 10:57 PM, Dmitri Pal wrote:
On 03/10/2014 03:14 PM, Petr Viktorin wrote:
On 03/10/2014 07:17 PM, Dmitri Pal wrote:
On 03/10/20
On Tue, 2014-03-11 at 11:33 +0100, Petr Spacek wrote:
> Yesterday we have agreed that DNSSEC support is not going to depend on Vault
> from the beginning and that we can migrate to Vault later.
>
> Here I'm proposing safe upgrade path from non-vault to Vault solution.
>
> After all, it seems rel
On Tue, 2014-03-11 at 14:40 -0400, Simo Sorce wrote:
> The *only* thing we really need to do IMO is that if a DNS server finds
> out its key for a zone are expired then it shuts down itself and makes
> itself unavailable so clients will start falling over to another DNS
> server and the admin
On 03/11/2014 07:40 PM, Simo Sorce wrote:
On Tue, 2014-03-11 at 11:33 +0100, Petr Spacek wrote:
Yesterday we have agreed that DNSSEC support is not going to depend on Vault
...
- walk through cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example and check if there
are any other replicas with DNSSECKeyImp
On Tue, Mar 11, 2014 at 07:09:42PM +0200, Alexander Bokovoy wrote:
> Hi,
>
>
> Add idmap_cache calls to ipa-sam to prevent huge numbers of LDAP calls to the
> directory service for gid/uid<->sid resolution.
>
> Additionally, this patch further reduces number of queries by:
> - fast fail on ui
On Tue, 11 Mar 2014, Sumit Bose wrote:
On Tue, Mar 11, 2014 at 07:09:42PM +0200, Alexander Bokovoy wrote:
Hi,
Add idmap_cache calls to ipa-sam to prevent huge numbers of LDAP calls to the
directory service for gid/uid<->sid resolution.
Additionally, this patch further reduces number of querie