Re: [Freeipa-devel] [PATCH] 0481 permission-find: Cache the root entry for legacy permissions

2014-03-11 Thread Martin Kosek
On 03/10/2014 12:05 PM, Petr Viktorin wrote: On 03/07/2014 04:45 PM, Martin Kosek wrote: On 02/28/2014 03:51 PM, Petr Viktorin wrote: Hello, This reduces LDAP searches in permission-find when there are legacy permissions. The root entry (which contains all legacy permission ACIs) is only

Re: [Freeipa-devel] DNSSEC: upgrade path to Vault

2014-03-11 Thread Petr Spacek
On 10.3.2014 12:08, Martin Kosek wrote: On 03/10/2014 11:49 AM, Petr Spacek wrote: On 7.3.2014 17:33, Dmitri Pal wrote: I do not think it is the right architectural approach to try to fix a specific use case with one off solution while we already know that we need a key storage. I would rather

Re: [Freeipa-devel] DNSSEC: upgrade path to Vault

2014-03-11 Thread Martin Kosek
On 03/11/2014 11:33 AM, Petr Spacek wrote: On 10.3.2014 12:08, Martin Kosek wrote: On 03/10/2014 11:49 AM, Petr Spacek wrote: On 7.3.2014 17:33, Dmitri Pal wrote: I do not think it is the right architectural approach to try to fix a specific use case with one off solution while we already

Re: [Freeipa-devel] DNSSEC: upgrade path to Vault

2014-03-11 Thread Petr Spacek
On 11.3.2014 12:21, Martin Kosek wrote: On 03/11/2014 11:33 AM, Petr Spacek wrote: On 10.3.2014 12:08, Martin Kosek wrote: On 03/10/2014 11:49 AM, Petr Spacek wrote: On 7.3.2014 17:33, Dmitri Pal wrote: I do not think it is the right architectural approach to try to fix a specific use case

Re: [Freeipa-devel] [PATCH 0044] Periodically refresh global ipa-kdb configuration

2014-03-11 Thread Jan Pazdziora
On Mon, Feb 24, 2014 at 02:26:27PM -0500, Nathaniel McCallum wrote: Before this patch, ipa-kdb would load global configuration on startup and never update it. This means that if global configuration is changed, the KDC never receives the new configuration until it is restarted. This patch

Re: [Freeipa-devel] [PATCH 0044] Periodically refresh global ipa-kdb configuration

2014-03-11 Thread Alexander Bokovoy
On Tue, 11 Mar 2014, Jan Pazdziora wrote: On Mon, Feb 24, 2014 at 02:26:27PM -0500, Nathaniel McCallum wrote: Before this patch, ipa-kdb would load global configuration on startup and never update it. This means that if global configuration is changed, the KDC never receives the new

Re: [Freeipa-devel] [PATCH] 0471 permission_add: Remove permission entry if adding the ACI fails

2014-03-11 Thread Jan Pazdziora
On Fri, Feb 21, 2014 at 03:30:22PM +0100, Petr Viktorin wrote: Hello, A permission object was not removed in permission-add when adding the ACI failed. Here is a fix. https://fedorahosted.org/freeipa/ticket/4187 Earlier we agreed that patch authors should bug the reviewer. I guess now

[Freeipa-devel] [PATCH] 0148: ipa-sam: when deleting subtree, deal with possible LDAP errors

2014-03-11 Thread Alexander Bokovoy
Hi, after discussing with Petr Spacek, following patch fixes ticket 4224. -- / Alexander Bokovoy From 83803494757e078c3a2850ddbb5eb886fd067dd1 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Tue, 11 Mar 2014 16:28:12 +0200 Subject: [PATCH 3/3] ipa-sam: when deleting

Re: [Freeipa-devel] [PATCH] 0148: ipa-sam: when deleting subtree, deal with possible LDAP errors

2014-03-11 Thread Petr Spacek
On 11.3.2014 15:32, Alexander Bokovoy wrote: after discussing with Petr Spacek, following patch fixes ticket 4224. Code seems okay but I didn't do functional test. -- Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com

Re: [Freeipa-devel] [PATCH] 0471 permission_add: Remove permission entry if adding the ACI fails

2014-03-11 Thread Petr Viktorin
On 03/11/2014 03:08 PM, Jan Pazdziora wrote: On Fri, Feb 21, 2014 at 03:30:22PM +0100, Petr Viktorin wrote: Hello, A permission object was not removed in permission-add when adding the ACI failed. Here is a fix. https://fedorahosted.org/freeipa/ticket/4187 Earlier we agreed that patch

Re: [Freeipa-devel] [PATCH 0044] Periodically refresh global ipa-kdb configuration

2014-03-11 Thread Simo Sorce
On Tue, 2014-03-11 at 16:05 +0200, Alexander Bokovoy wrote: On Tue, 11 Mar 2014, Jan Pazdziora wrote: On Mon, Feb 24, 2014 at 02:26:27PM -0500, Nathaniel McCallum wrote: Before this patch, ipa-kdb would load global configuration on startup and never update it. This means that if global

Re: [Freeipa-devel] FreeIPA ConnId connector for usage with Apache Syncope

2014-03-11 Thread Massimiliano Perrone
Hi guys, I hope to explain in a few words what we are doing with ConnID and IPA. Comments in-line. On 03/10/2014 10:57 PM, Dmitri Pal wrote: On 03/10/2014 03:14 PM, Petr Viktorin wrote: On 03/10/2014 07:17 PM, Dmitri Pal wrote: On 03/10/2014 08:24 AM, Petr Viktorin wrote: On 03/07/2014

[Freeipa-devel] [PATCH] 460 ipa-replica-install never checks for 7389 port

2014-03-11 Thread Martin Kosek
When creating replica from a Dogtag 9 based IPA server, the port 7389 which is required for the installation is never checked by ipa-replica-conncheck even though it knows that it is being installed from the Dogtag 9 based FreeIPA. If the 7389 port would be blocked by firewall, installation would

Re: [Freeipa-devel] [PATCH] 0471 permission_add: Remove permission entry if adding the ACI fails

2014-03-11 Thread Petr Spacek
On 11.3.2014 16:09, Petr Viktorin wrote: On 03/11/2014 03:08 PM, Jan Pazdziora wrote: On Fri, Feb 21, 2014 at 03:30:22PM +0100, Petr Viktorin wrote: Hello, A permission object was not removed in permission-add when adding the ACI failed. Here is a fix.

Re: [Freeipa-devel] [PATCH] 459 Avoid passing non-terminated string to is_master_host

2014-03-11 Thread Martin Kosek
On 03/07/2014 10:21 AM, Alexander Bokovoy wrote: On Fri, 07 Mar 2014, Martin Kosek wrote: When string is not terminated, queries with corrupted base may be sent to LDAP: ... cn=ipa1.example.comgarbage,cn=masters... https://fedorahosted.org/freeipa/ticket/4214 -- Martin Kosek

Re: [Freeipa-devel] [PATCH] 460 ipa-replica-install never checks for 7389 port

2014-03-11 Thread Petr Viktorin
On 03/11/2014 04:33 PM, Martin Kosek wrote: When creating replica from a Dogtag 9 based IPA server, the port 7389 which is required for the installation is never checked by ipa-replica-conncheck even though it knows that it is being installed from the Dogtag 9 based FreeIPA. If the 7389 port

Re: [Freeipa-devel] [PATCH] 459 Avoid passing non-terminated string to is_master_host

2014-03-11 Thread Anthony Messina
On Tuesday, March 11, 2014 04:55:52 PM Martin Kosek wrote: On 03/07/2014 10:21 AM, Alexander Bokovoy wrote: On Fri, 07 Mar 2014, Martin Kosek wrote: When string is not terminated, queries with corrupted base may be sent to LDAP: ... cn=ipa1.example.comgarbage,cn=masters...

Re: [Freeipa-devel] [PATCH] 460 ipa-replica-install never checks for 7389 port

2014-03-11 Thread Martin Kosek
On 03/11/2014 04:59 PM, Petr Viktorin wrote: On 03/11/2014 04:33 PM, Martin Kosek wrote: When creating replica from a Dogtag 9 based IPA server, the port 7389 which is required for the installation is never checked by ipa-replica-conncheck even though it knows that it is being installed from

[Freeipa-devel] [PATCH] 0149: ipa-sam: ipa-sam: cache gid to sid and uid to sid requests in idmap cache

2014-03-11 Thread Alexander Bokovoy
Hi, Add idmap_cache calls to ipa-sam to prevent huge numbers of LDAP calls to the directory service for gid/uid-sid resolution. Additionally, this patch further reduces number of queries by: - fast fail on uidNumber=0 which doesn't exist in FreeIPA, - return fallback group correctly when

Re: [Freeipa-devel] DNSSEC: upgrade path to Vault

2014-03-11 Thread Dmitri Pal
On 03/11/2014 07:53 AM, Petr Spacek wrote: On 11.3.2014 12:21, Martin Kosek wrote: On 03/11/2014 11:33 AM, Petr Spacek wrote: On 10.3.2014 12:08, Martin Kosek wrote: On 03/10/2014 11:49 AM, Petr Spacek wrote: On 7.3.2014 17:33, Dmitri Pal wrote: I do not think it is the right architectural

Re: [Freeipa-devel] FreeIPA ConnId connector for usage with Apache Syncope

2014-03-11 Thread Dmitri Pal
On 03/11/2014 11:29 AM, Massimiliano Perrone wrote: Hi guys, I hope to explain in a few words what we are doing with ConnID and IPA. Comments in-line. On 03/10/2014 10:57 PM, Dmitri Pal wrote: On 03/10/2014 03:14 PM, Petr Viktorin wrote: On 03/10/2014 07:17 PM, Dmitri Pal wrote: On

Re: [Freeipa-devel] DNSSEC: upgrade path to Vault

2014-03-11 Thread Simo Sorce
On Tue, 2014-03-11 at 11:33 +0100, Petr Spacek wrote: Yesterday we have agreed that DNSSEC support is not going to depend on Vault from the beginning and that we can migrate to Vault later. Here I'm proposing safe upgrade path from non-vault to Vault solution. After all, it seems

Re: [Freeipa-devel] DNSSEC: upgrade path to Vault

2014-03-11 Thread Simo Sorce
On Tue, 2014-03-11 at 14:40 -0400, Simo Sorce wrote: The *only* thing we really need to do IMO is that if a DNS server finds out it's key for a zone are expired then it shuts down itself and makes itself unavailable so clients will start falling over to another DNS server and the admin will

Re: [Freeipa-devel] DNSSEC: upgrade path to Vault

2014-03-11 Thread Martin Kosek
On 03/11/2014 07:40 PM, Simo Sorce wrote: On Tue, 2014-03-11 at 11:33 +0100, Petr Spacek wrote: Yesterday we have agreed that DNSSEC support is not going to depend on Vault ... - walk through cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example and check if there are any other replicas with

Re: [Freeipa-devel] [PATCH] 0149: ipa-sam: ipa-sam: cache gid to sid and uid to sid requests in idmap cache

2014-03-11 Thread Sumit Bose
On Tue, Mar 11, 2014 at 07:09:42PM +0200, Alexander Bokovoy wrote: Hi, Add idmap_cache calls to ipa-sam to prevent huge numbers of LDAP calls to the directory service for gid/uid-sid resolution. Additionally, this patch further reduces number of queries by: - fast fail on uidNumber=0

Re: [Freeipa-devel] [PATCH] 0149: ipa-sam: ipa-sam: cache gid to sid and uid to sid requests in idmap cache

2014-03-11 Thread Alexander Bokovoy
On Tue, 11 Mar 2014, Sumit Bose wrote: On Tue, Mar 11, 2014 at 07:09:42PM +0200, Alexander Bokovoy wrote: Hi, Add idmap_cache calls to ipa-sam to prevent huge numbers of LDAP calls to the directory service for gid/uid-sid resolution. Additionally, this patch further reduces number of queries