Re: [Freeipa-devel] [PATCH][RFC] 7 automember rebuild nowait feature added

2014-04-07 Thread Petr Viktorin
On 03/27/2014 03:37 PM, Misnyovszki Adam wrote: On Wed, 26 Mar 2014 13:15:55 +0100 Petr Viktorin wrote: [...] Looks great! I'm just concerned about the error returned when the task takes too long: $ ipa automember-rebuild --type group ipa: ERROR: LDAP timeout I don't think it's su

[Freeipa-devel] Random Certificate Serial Numbers

2014-04-07 Thread Martin Kosek
Hi Rob, Ade and others, In the past, Rob was investigating enabling random certificate serial numbers for FreeIPA PKI [1]. We also have a ticket [2] planned to enable it for 4.0. Can we simply switch it on for PKI with pkispawn attribute: [CA] pki_random_serial_numbers_enable=True or is there a

Re: [Freeipa-devel] [PATCH 0113] ipa-client: Set NIS domain name in the installer

2014-04-07 Thread Martin Kosek
On 03/03/2014 08:16 PM, Tomas Babej wrote: > The updated patch addresses all the mentioned issues. > > Also enables systemd's specific domainname service instead of relying on > ypbind being present on the system. > > Please note that nisdomainname is not configured on boot time at the > moment. The

[Freeipa-devel] global account lockout

2014-04-07 Thread Ludwig Krispenz
Hi, please review the following feature design. It introduces a global account lockout, while trying to keep the replication traffic minimal. In my opinion for a real global account lockout the basic lockout attributes have to be replicated otherwise the benefit is minimal: an attacker could

Re: [Freeipa-devel] [PATCH] 0505 Default read ACIs for HBAC objects

2014-04-07 Thread Martin Kosek
On 04/03/2014 12:09 PM, Petr Viktorin wrote: > Hello, > This adds read permissions to read HBAC rules, services, and service groups. > > Read access is given to all authenticated users. So far looked OK in my tests. What about the ACIs like the following one? (targetattr = "*")(version 3.0; acl

Re: [Freeipa-devel] [PATCH] 0505 Default read ACIs for HBAC objects

2014-04-07 Thread Petr Viktorin
On 04/07/2014 01:28 PM, Martin Kosek wrote: On 04/03/2014 12:09 PM, Petr Viktorin wrote: Hello, This adds read permissions to read HBAC rules, services, and service groups. Read access is given to all authenticated users. So far looked OK in my tests. What about the ACIs like the following on

Re: [Freeipa-devel] [PATCH] 0504 Default read ACIs for Sudo objects

2014-04-07 Thread Martin Kosek
On 04/03/2014 12:09 PM, Petr Viktorin wrote: > Hello, > This adds read permissions to read Sudo commands, command groups, rules. > > Read access is given to all authenticated users. Looks good. What about "ou=sudoers"? I think we should also allow it in this patch for authenticated users. This is

Re: [Freeipa-devel] Ipa-server-install Firewall Support

2014-04-07 Thread Rob Crittenden
Simo Sorce wrote: On Fri, 2014-04-04 at 09:59 +0200, Petr Spacek wrote: On 4.4.2014 09:17, Martin Kosek wrote: On 04/04/2014 09:04 AM, Justin Brown wrote: I would actually do it the opposite way and open the ports after the FreeIPA server is fully configured. After all, I do not think we want

Re: [Freeipa-devel] questions regarding ldap schema for pkcs11

2014-04-07 Thread Rob Crittenden
Simo Sorce wrote: On Fri, 2014-04-04 at 13:19 +0200, Petr Spacek wrote: On 4.4.2014 10:20, Ludwig Krispenz wrote: In the review discussion for the ldap schema for pkcs11 there was one topic, which we wanted to get the opinion from a broader audience before making a final decision. I'll add my

[Freeipa-devel] [PATCH 0002] Use job prefix in install-built-rpms

2014-04-07 Thread Tomas Babej
Hi, this patch fixes the issue with using freeipa specific rpms when defining custom jobs. Tomas -- Tomas Babej Associate Software Engineer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org From fa75dd96908346d354c40fb6587fdf9b7b11870d Mon Sep 17 00:00:00 2001 From

Re: [Freeipa-devel] [PATCH 0002] Use job prefix in install-built-rpms

2014-04-07 Thread Petr Viktorin
On 04/07/2014 04:08 PM, Tomas Babej wrote: Hi, this patch fixes the issue with using freeipa specific rpms when defining custom jobs. Tomas Thanks! Pushed to https://github.com/encukou/freeipa-ci.git as 01778989306e19e53b98d4acc72772631a8bb9dd -- Petr³

Re: [Freeipa-devel] [PATCH] 0507 Allow anonymous read access to containers

2014-04-07 Thread Martin Kosek
On 04/03/2014 01:34 PM, Petr Viktorin wrote: > Hello, > This adds anonymous read access to containers, as discussed in this thread: > https://www.redhat.com/archives/freeipa-devel/2014-March/msg00442.html > > Additionally access is granted for $SUFFIX itself with targetfilter > "(objectclass=domai

Re: [Freeipa-devel] [PATCH] 0507 Allow anonymous read access to containers

2014-04-07 Thread Simo Sorce
On Mon, 2014-04-07 at 16:43 +0200, Martin Kosek wrote: > On 04/03/2014 01:34 PM, Petr Viktorin wrote: > > Hello, > > This adds anonymous read access to containers, as discussed in this thread: > > https://www.redhat.com/archives/freeipa-devel/2014-March/msg00442.html > > > > Additionally access is

Re: [Freeipa-devel] global account lockout

2014-04-07 Thread Rob Crittenden
Ludwig Krispenz wrote: Hi, please review the following feature design. It introduces a global account lockout, while trying to keep the replication traffic minimal. In my opinion for a real global account lockout the basic lockout attributes have to be replicated otherwise the benefit is minimal

Re: [Freeipa-devel] global account lockout

2014-04-07 Thread Simo Sorce
On Mon, 2014-04-07 at 11:26 -0400, Rob Crittenden wrote: > Ludwig Krispenz wrote: > > Hi, > > > > please review the following feature design. It introduces a global > > account lockout, while trying to keep the replication traffic minimal. > > In my opinion for a real global account lockout the bas

Re: [Freeipa-devel] global account lockout

2014-04-07 Thread Simo Sorce
On Mon, 2014-04-07 at 12:01 -0400, Simo Sorce wrote: > On Mon, 2014-04-07 at 11:26 -0400, Rob Crittenden wrote: > > Ludwig Krispenz wrote: > > > Hi, > > > > > > please review the following feature design. It introduces a global > > > account lockout, while trying to keep the replication traffic min

Re: [Freeipa-devel] global account lockout

2014-04-07 Thread Simo Sorce
On Mon, 2014-04-07 at 12:10 -0400, Simo Sorce wrote: > On Mon, 2014-04-07 at 12:01 -0400, Simo Sorce wrote: > > On Mon, 2014-04-07 at 11:26 -0400, Rob Crittenden wrote: > > > Ludwig Krispenz wrote: > > > > Hi, > > > > > > > > please review the following feature design. It introduces a global > > >

Re: [Freeipa-devel] global account lockout

2014-04-07 Thread Rich Megginson
On 04/07/2014 10:13 AM, Simo Sorce wrote: On Mon, 2014-04-07 at 12:10 -0400, Simo Sorce wrote: On Mon, 2014-04-07 at 12:01 -0400, Simo Sorce wrote: On Mon, 2014-04-07 at 11:26 -0400, Rob Crittenden wrote: Ludwig Krispenz wrote: Hi, please review the following feature design. It introduces a

Re: [Freeipa-devel] [PATCHES] 241-253 CA certificate renewal

2014-04-07 Thread Rob Crittenden
Rob Crittenden wrote: Jan Cholasta wrote: Hi, the attached patches implement automatic CA certificate renewal as well as the initial version of the CA certificate management tool. Requires my patches 172-196. In order to test, you must install current git version of certmonger (see

Re: [Freeipa-devel] global account lockout

2014-04-07 Thread Simo Sorce
On Mon, 2014-04-07 at 10:22 -0600, Rich Megginson wrote: > On 04/07/2014 10:13 AM, Simo Sorce wrote: > > On Mon, 2014-04-07 at 12:10 -0400, Simo Sorce wrote: > >> On Mon, 2014-04-07 at 12:01 -0400, Simo Sorce wrote: > >>> On Mon, 2014-04-07 at 11:26 -0400, Rob Crittenden wrote: > Ludwig Krispe

Re: [Freeipa-devel] global account lockout

2014-04-07 Thread Rich Megginson
On 04/07/2014 12:31 PM, Simo Sorce wrote: On Mon, 2014-04-07 at 10:22 -0600, Rich Megginson wrote: On 04/07/2014 10:13 AM, Simo Sorce wrote: On Mon, 2014-04-07 at 12:10 -0400, Simo Sorce wrote: On Mon, 2014-04-07 at 12:01 -0400, Simo Sorce wrote: On Mon, 2014-04-07 at 11:26 -0400, Rob Critten

Re: [Freeipa-devel] global account lockout

2014-04-07 Thread Dmitri Pal
On 04/07/2014 02:31 PM, Simo Sorce wrote: On Mon, 2014-04-07 at 10:22 -0600, Rich Megginson wrote: On 04/07/2014 10:13 AM, Simo Sorce wrote: On Mon, 2014-04-07 at 12:10 -0400, Simo Sorce wrote: On Mon, 2014-04-07 at 12:01 -0400, Simo Sorce wrote: On Mon, 2014-04-07 at 11:26 -0400, Rob Critten

Re: [Freeipa-devel] [PATCH] Add DRM to IPA

2014-04-07 Thread Dmitri Pal
On 04/04/2014 02:50 PM, Ade Lee wrote: This patch adds the capability of installing a Dogtag DRM to an IPA instance. With this patch, when ipa-server-install is run, a Dogtag CA and a Dogtag DRM are created. The DRM shares the same tomcat instance and DS instance as the Dogt

Re: [Freeipa-devel] [PATCH] Add DRM to IPA

2014-04-07 Thread Rob Crittenden
Dmitri Pal wrote: On 04/04/2014 02:50 PM, Ade Lee wrote: This patch adds the capability of installing a Dogtag DRM to an IPA instance. With this patch, when ipa-server-install is run, a Dogtag CA and a Dogtag DRM are created. The DRM shares the same tomcat instance and DS i

Re: [Freeipa-devel] global account lockout

2014-04-07 Thread Simo Sorce
On Mon, 2014-04-07 at 14:47 -0400, Dmitri Pal wrote: > On 04/07/2014 02:31 PM, Simo Sorce wrote: > > On Mon, 2014-04-07 at 10:22 -0600, Rich Megginson wrote: > >> On 04/07/2014 10:13 AM, Simo Sorce wrote: > >>> On Mon, 2014-04-07 at 12:10 -0400, Simo Sorce wrote: > On Mon, 2014-04-07 at 12:01

Re: [Freeipa-devel] global account lockout

2014-04-07 Thread Rich Megginson
On 04/07/2014 01:00 PM, Simo Sorce wrote: On Mon, 2014-04-07 at 14:47 -0400, Dmitri Pal wrote: On 04/07/2014 02:31 PM, Simo Sorce wrote: On Mon, 2014-04-07 at 10:22 -0600, Rich Megginson wrote: On 04/07/2014 10:13 AM, Simo Sorce wrote: On Mon, 2014-04-07 at 12:10 -0400, Simo Sorce wrote: On

Re: [Freeipa-devel] [PATCH] Add DRM to IPA

2014-04-07 Thread Rob Crittenden
Ade Lee wrote: This patch adds the capability of installing a Dogtag DRM to an IPA instance. With this patch, when ipa-server-install is run, a Dogtag CA and a Dogtag DRM are created. The DRM shares the same tomcat instance and DS instance as the Dogtag CA. Moreover, th

Re: [Freeipa-devel] global account lockout

2014-04-07 Thread Rob Crittenden
Rich Megginson wrote: On 04/07/2014 01:00 PM, Simo Sorce wrote: On Mon, 2014-04-07 at 14:47 -0400, Dmitri Pal wrote: On 04/07/2014 02:31 PM, Simo Sorce wrote: On Mon, 2014-04-07 at 10:22 -0600, Rich Megginson wrote: On 04/07/2014 10:13 AM, Simo Sorce wrote: On Mon, 2014-04-07 at 12:10 -0400,

Re: [Freeipa-devel] global account lockout

2014-04-07 Thread Simo Sorce
On Mon, 2014-04-07 at 14:28 -0600, Rich Megginson wrote: > On 04/07/2014 01:00 PM, Simo Sorce wrote: > > On Mon, 2014-04-07 at 14:47 -0400, Dmitri Pal wrote: > >> On 04/07/2014 02:31 PM, Simo Sorce wrote: > >>> On Mon, 2014-04-07 at 10:22 -0600, Rich Megginson wrote: > On 04/07/2014 10:13 AM,

Re: [Freeipa-devel] Ipa-server-install Firewall Support

2014-04-07 Thread Dmitri Pal
On 04/07/2014 09:00 AM, Rob Crittenden wrote: Simo Sorce wrote: On Fri, 2014-04-04 at 09:59 +0200, Petr Spacek wrote: On 4.4.2014 09:17, Martin Kosek wrote: On 04/04/2014 09:04 AM, Justin Brown wrote: I would actually do it the opposite way and open the ports after the FreeIPA server is fully

Re: [Freeipa-devel] Random Certificate Serial Numbers

2014-04-07 Thread Dmitri Pal
On 04/07/2014 03:48 AM, Martin Kosek wrote: Hi Rob, Ade and others, In the past, Rob was investigating enabling random certificate serial numbers for FreeIPA PKI [1]. We also have a ticket [2] planned to enable it for 4.0. Can we simply switch it on for PKI with pkispawn attribute: [CA] pki_ra

Re: [Freeipa-devel] [PATCH] Add DRM to IPA

2014-04-07 Thread Martin Kosek
On 04/07/2014 10:40 PM, Rob Crittenden wrote: > Ade Lee wrote: >> This patch adds the capability of installing a Dogtag DRM >> to an IPA instance. With this patch, when ipa-server-install >> is run, a Dogtag CA and a Dogtag DRM are created. The DRM >> shares the same tomcat in