Re: [Freeipa-devel] [PATCH] 0481 permission-find: Cache the root entry for legacy permissions

2014-03-11 Thread Martin Kosek
On 03/10/2014 12:05 PM, Petr Viktorin wrote: On 03/07/2014 04:45 PM, Martin Kosek wrote: On 02/28/2014 03:51 PM, Petr Viktorin wrote: Hello, This reduces LDAP searches in permission-find when there are legacy permissions. The root entry (which contains all legacy permission ACIs) is only

Re: [Freeipa-devel] DNSSEC: upgrade path to Vault

2014-03-11 Thread Petr Spacek
On 10.3.2014 12:08, Martin Kosek wrote: On 03/10/2014 11:49 AM, Petr Spacek wrote: On 7.3.2014 17:33, Dmitri Pal wrote: I do not think it is the right architectural approach to try to fix a specific use case with one off solution while we already know that we need a key storage. I would rather

Re: [Freeipa-devel] DNSSEC: upgrade path to Vault

2014-03-11 Thread Martin Kosek
On 03/11/2014 11:33 AM, Petr Spacek wrote: On 10.3.2014 12:08, Martin Kosek wrote: On 03/10/2014 11:49 AM, Petr Spacek wrote: On 7.3.2014 17:33, Dmitri Pal wrote: I do not think it is the right architectural approach to try to fix a specific use case with one off solution while we already

Re: [Freeipa-devel] DNSSEC: upgrade path to Vault

2014-03-11 Thread Petr Spacek
On 11.3.2014 12:21, Martin Kosek wrote: On 03/11/2014 11:33 AM, Petr Spacek wrote: On 10.3.2014 12:08, Martin Kosek wrote: On 03/10/2014 11:49 AM, Petr Spacek wrote: On 7.3.2014 17:33, Dmitri Pal wrote: I do not think it is the right architectural approach to try to fix a specific use case

Re: [Freeipa-devel] [PATCH 0044] Periodically refresh global ipa-kdb configuration

2014-03-11 Thread Jan Pazdziora
On Mon, Feb 24, 2014 at 02:26:27PM -0500, Nathaniel McCallum wrote: Before this patch, ipa-kdb would load global configuration on startup and never update it. This means that if global configuration is changed, the KDC never receives the new configuration until it is restarted. This patch

Re: [Freeipa-devel] [PATCH 0044] Periodically refresh global ipa-kdb configuration

2014-03-11 Thread Alexander Bokovoy
On Tue, 11 Mar 2014, Jan Pazdziora wrote: On Mon, Feb 24, 2014 at 02:26:27PM -0500, Nathaniel McCallum wrote: Before this patch, ipa-kdb would load global configuration on startup and never update it. This means that if global configuration is changed, the KDC never receives the new

Re: [Freeipa-devel] [PATCH] 0471 permission_add: Remove permission entry if adding the ACI fails

2014-03-11 Thread Jan Pazdziora
On Fri, Feb 21, 2014 at 03:30:22PM +0100, Petr Viktorin wrote: Hello, A permission object was not removed in permission-add when adding the ACI failed. Here is a fix. https://fedorahosted.org/freeipa/ticket/4187 Earlier we agreed that patch authors should bug the reviewer. I guess now

[Freeipa-devel] [PATCH] 0148: ipa-sam: when deleting subtree, deal with possible LDAP errors

2014-03-11 Thread Alexander Bokovoy
Hi, after discussing with Petr Spacek, the following patch fixes ticket 4224. -- / Alexander Bokovoy From 83803494757e078c3a2850ddbb5eb886fd067dd1 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Tue, 11 Mar 2014 16:28:12 +0200 Subject: [PATCH 3/3] ipa-sam: when deleting

Re: [Freeipa-devel] [PATCH] 0148: ipa-sam: when deleting subtree, deal with possible LDAP errors

2014-03-11 Thread Petr Spacek
On 11.3.2014 15:32, Alexander Bokovoy wrote: after discussing with Petr Spacek, following patch fixes ticket 4224. Code seems okay but I didn't do a functional test. -- Petr^2 Spacek

Re: [Freeipa-devel] [PATCH] 0471 permission_add: Remove permission entry if adding the ACI fails

2014-03-11 Thread Petr Viktorin
On 03/11/2014 03:08 PM, Jan Pazdziora wrote: On Fri, Feb 21, 2014 at 03:30:22PM +0100, Petr Viktorin wrote: Hello, A permission object was not removed in permission-add when adding the ACI failed. Here is a fix. https://fedorahosted.org/freeipa/ticket/4187 Earlier we agreed that patch

Re: [Freeipa-devel] [PATCH 0044] Periodically refresh global ipa-kdb configuration

2014-03-11 Thread Simo Sorce
On Tue, 2014-03-11 at 16:05 +0200, Alexander Bokovoy wrote: On Tue, 11 Mar 2014, Jan Pazdziora wrote: On Mon, Feb 24, 2014 at 02:26:27PM -0500, Nathaniel McCallum wrote: Before this patch, ipa-kdb would load global configuration on startup and never update it. This means that if global

Re: [Freeipa-devel] FreeIPA ConnId connector for usage with Apache Syncope

2014-03-11 Thread Massimiliano Perrone
Hi guys, I hope to explain in a few words what we are doing with ConnID and IPA. Comments in-line. On 03/10/2014 10:57 PM, Dmitri Pal wrote: On 03/10/2014 03:14 PM, Petr Viktorin wrote: On 03/10/2014 07:17 PM, Dmitri Pal wrote: On 03/10/2014 08:24 AM, Petr Viktorin wrote: On 03/07/2014

[Freeipa-devel] [PATCH] 460 ipa-replica-install never checks for 7389 port

2014-03-11 Thread Martin Kosek
When creating a replica from a Dogtag 9 based IPA server, the port 7389 which is required for the installation is never checked by ipa-replica-conncheck even though it knows that it is being installed from the Dogtag 9 based FreeIPA. If the 7389 port would be blocked by a firewall, installation would

Re: [Freeipa-devel] [PATCH] 0471 permission_add: Remove permission entry if adding the ACI fails

2014-03-11 Thread Petr Spacek
On 11.3.2014 16:09, Petr Viktorin wrote: On 03/11/2014 03:08 PM, Jan Pazdziora wrote: On Fri, Feb 21, 2014 at 03:30:22PM +0100, Petr Viktorin wrote: Hello, A permission object was not removed in permission-add when adding the ACI failed. Here is a fix.

Re: [Freeipa-devel] [PATCH] 459 Avoid passing non-terminated string to is_master_host

2014-03-11 Thread Martin Kosek
On 03/07/2014 10:21 AM, Alexander Bokovoy wrote: On Fri, 07 Mar 2014, Martin Kosek wrote: When the string is not terminated, queries with a corrupted base may be sent to LDAP: ... cn=ipa1.example.comgarbage,cn=masters... https://fedorahosted.org/freeipa/ticket/4214 -- Martin Kosek

Re: [Freeipa-devel] [PATCH] 460 ipa-replica-install never checks for 7389 port

2014-03-11 Thread Petr Viktorin
On 03/11/2014 04:33 PM, Martin Kosek wrote: When creating a replica from a Dogtag 9 based IPA server, the port 7389 which is required for the installation is never checked by ipa-replica-conncheck even though it knows that it is being installed from the Dogtag 9 based FreeIPA. If the 7389 port

Re: [Freeipa-devel] [PATCH] 459 Avoid passing non-terminated string to is_master_host

2014-03-11 Thread Anthony Messina
On Tuesday, March 11, 2014 04:55:52 PM Martin Kosek wrote: On 03/07/2014 10:21 AM, Alexander Bokovoy wrote: On Fri, 07 Mar 2014, Martin Kosek wrote: When the string is not terminated, queries with a corrupted base may be sent to LDAP: ... cn=ipa1.example.comgarbage,cn=masters...

Re: [Freeipa-devel] [PATCH] 460 ipa-replica-install never checks for 7389 port

2014-03-11 Thread Martin Kosek
On 03/11/2014 04:59 PM, Petr Viktorin wrote: On 03/11/2014 04:33 PM, Martin Kosek wrote: When creating a replica from a Dogtag 9 based IPA server, the port 7389 which is required for the installation is never checked by ipa-replica-conncheck even though it knows that it is being installed from

[Freeipa-devel] [PATCH] 0149: ipa-sam: ipa-sam: cache gid to sid and uid to sid requests in idmap cache

2014-03-11 Thread Alexander Bokovoy
Hi, Add idmap_cache calls to ipa-sam to prevent huge numbers of LDAP calls to the directory service for gid/uid-sid resolution. Additionally, this patch further reduces the number of queries by: - fast fail on uidNumber=0 which doesn't exist in FreeIPA, - return fallback group correctly when

Re: [Freeipa-devel] DNSSEC: upgrade path to Vault

2014-03-11 Thread Dmitri Pal
On 03/11/2014 07:53 AM, Petr Spacek wrote: On 11.3.2014 12:21, Martin Kosek wrote: On 03/11/2014 11:33 AM, Petr Spacek wrote: On 10.3.2014 12:08, Martin Kosek wrote: On 03/10/2014 11:49 AM, Petr Spacek wrote: On 7.3.2014 17:33, Dmitri Pal wrote: I do not think it is the right architectural

Re: [Freeipa-devel] FreeIPA ConnId connector for usage with Apache Syncope

2014-03-11 Thread Dmitri Pal
On 03/11/2014 11:29 AM, Massimiliano Perrone wrote: Hi guys, I hope to explain in a few words what we are doing with ConnID and IPA. Comments in-line. On 03/10/2014 10:57 PM, Dmitri Pal wrote: On 03/10/2014 03:14 PM, Petr Viktorin wrote: On 03/10/2014 07:17 PM, Dmitri Pal wrote: On

Re: [Freeipa-devel] DNSSEC: upgrade path to Vault

2014-03-11 Thread Simo Sorce
On Tue, 2014-03-11 at 11:33 +0100, Petr Spacek wrote: Yesterday we have agreed that DNSSEC support is not going to depend on Vault from the beginning and that we can migrate to Vault later. Here I'm proposing a safe upgrade path from non-vault to Vault solution. After all, it seems

Re: [Freeipa-devel] DNSSEC: upgrade path to Vault

2014-03-11 Thread Simo Sorce
On Tue, 2014-03-11 at 14:40 -0400, Simo Sorce wrote: The *only* thing we really need to do IMO is that if a DNS server finds out its keys for a zone are expired then it shuts down itself and makes itself unavailable so clients will start falling over to another DNS server and the admin will

Re: [Freeipa-devel] DNSSEC: upgrade path to Vault

2014-03-11 Thread Martin Kosek
On 03/11/2014 07:40 PM, Simo Sorce wrote: On Tue, 2014-03-11 at 11:33 +0100, Petr Spacek wrote: Yesterday we have agreed that DNSSEC support is not going to depend on Vault ... - walk through cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example and check if there are any other replicas with