[Freeipa-devel] Packaging FreeIPA Foreman smartproxy

2014-06-18 Thread Martin Kosek
Hello all, As 4.0 release is slowly approaching I was more thinking about smartproxy package (freeipa-server-foreman-smartproxy). It is currently part of upstream git repo and if nothing changes, it would be part of FreeIPA 4.0 core packages. However, I do not see the Foreman smartproxy as the re

Re: [Freeipa-devel] Packaging FreeIPA Foreman smartproxy

2014-06-18 Thread Petr Spacek
On 18.6.2014 09:33, Martin Kosek wrote: 1) Request a separate repo for foreman proxy on fedorahosted, like "freeipa-foreman.git" move the plugin there and build&branch&tag it asynchronously. This is IMO the cleanest solution. I agree. -- Petr^2 Spacek __

Re: [Freeipa-devel] [PATCHES 187-201] Improvements and coverage for sudorule plugin

2014-06-18 Thread Petr Viktorin
On 06/17/2014 12:25 PM, Tomas Babej wrote: On 05/26/2014 06:20 PM, Petr Viktorin wrote: On 05/20/2014 06:15 PM, Tomas Babej wrote: Hi, the following set of patches fixes: https://fedorahosted.org/freeipa/ticket/4274 https://fedorahosted.org/freeipa/ticket/4263 https://fedorahosted.org/freeip

Re: [Freeipa-devel] [PATCHES 202-222] Ipaplatform refactoring

2014-06-18 Thread Petr Viktorin
On 06/17/2014 02:15 PM, Tomas Babej wrote: On 06/17/2014 12:03 PM, Timo Aaltonen wrote: On 17.06.2014 11:16, Martin Kosek wrote: Attached is a new version of patch 226, and a new patch 228, which moves the paths from installers to the paths module. In patch 226, there's another "certificat

Re: [Freeipa-devel] User Life Cycle: enforce ipaUniqueID generation by the server

2014-06-18 Thread thierry bordaz
On 06/17/2014 09:42 PM, Simo Sorce wrote: On Tue, 2014-06-17 at 21:36 +0200, thierry bordaz wrote: On 06/17/2014 09:29 PM, Simo Sorce wrote: On Tue, 2014-06-17 at 15:23 -0400, Rob Crittenden wrote: Simo Sorce wrote: On Tue, 2014-06-17 at 17:59 +0200, thierry bordaz wrote: * ipa s

[Freeipa-devel] User life-cycle: nsAccountLock

2014-06-18 Thread Martin Kosek
On 06/17/2014 05:59 PM, thierry bordaz wrote: > On 06/16/2014 03:04 PM, Rob Crittenden wrote: ... >Thanks for your precise feedback and sorry for my late answer. >So if I try to consolidate my understandings, the workflow would be: > > 1. Staging (container: cn=staged >users,cn

Re: [Freeipa-devel] [PATCH 0227] sudorule: Allow unsetting sudoorder

2014-06-18 Thread Martin Kosek
On 06/17/2014 12:27 PM, Tomas Babej wrote: > Hi, > > After setting sudoorder, you are unable to unset it, since the > check for uniqueness of order of sudorules is applied incorrectly. > > Fix the behaviour and cover it in the test suite. > > https://fedorahosted.org/freeipa/ticket/4360 ACK. Pu

[Freeipa-devel] [PATCH] 667 webui-ci: adjust tests to dns changes

2014-06-18 Thread Petr Vobornik
All DNS Zone names must be fully qualified. -- Petr Vobornik From c5b7d6c24224c999d17a9676627ead7af63a2ea5 Mon Sep 17 00:00:00 2001 From: Petr Vobornik Date: Tue, 10 Jun 2014 19:04:49 +0200 Subject: [PATCH] webui-ci: adjust tests to dns changes All DNS Zone names must be fully qualified. --- ip

[Freeipa-devel] [PATCH] 668 webui: fix field's default value

2014-06-18 Thread Petr Vobornik
Fields with default value, such as DNS Zone's idnsforwardpolicy, were marked as dirty when no value was loaded and when default value of input control was other than empty. Fixes regression in DNS Zone details facet - facet is always dirty. -- Petr Vobornik From 74d02bbb69433d07851d9c991383de6b33

[Freeipa-devel] [PATCH] 0589 Do not fail if there are multiple nsDS5ReplicaId values in cn=replication, cn=etc

2014-06-18 Thread Petr Viktorin
https://fedorahosted.org/freeipa/ticket/4375 -- Petr³ From 64315b437a486332b3f9d7fe839c1ac19c58ffb4 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Thu, 12 Jun 2014 18:07:40 +0200 Subject: [PATCH] Do not fail if there are multiple nsDS5ReplicaId values in cn=replication,cn=etc On systems in

Re: [Freeipa-devel] [PATCHES 0066-0067] Upgrade procedure for forwardzones

2014-06-18 Thread Martin Basti
On Fri, 2014-06-13 at 10:28 +0200, Martin Basti wrote: > Patches attached, require patches mbasti 0052-0055. > ___ > Freeipa-devel mailing list > Freeipa-devel@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Rebased patches attached. PE

Re: [Freeipa-devel] [PATCHES 0066-0067] Upgrade procedure for forwardzones

2014-06-18 Thread Martin Basti
On Wed, 2014-06-18 at 13:44 +0200, Martin Basti wrote: > On Fri, 2014-06-13 at 10:28 +0200, Martin Basti wrote: > > Patches attached, require patches mbasti 0052-0055. > > ___ > > Freeipa-devel mailing list > > Freeipa-devel@redhat.com > > https://www.red

Re: [Freeipa-devel] [PATCHES] 0583-0584 Convert DNS default permissions to managed

2014-06-18 Thread Martin Kosek
On 06/16/2014 05:43 PM, Petr Viktorin wrote: > On 06/13/2014 05:25 PM, Petr Viktorin wrote: >> >> With the first patch, old SYSTEM permissions can be replaced. The "Read >> DNS Entries" did not have an associated ACI, but was rather rolled into >> a single ACI with the managedBy rule used for per-z

[Freeipa-devel] [PATCH 0069] Missing dependency in BUILD.txt

2014-06-18 Thread Martin Basti
Patch attached -- Martin^2 Basti >From 097e2d582cfedf1e8de5015a7a9f3c4fb919e9c4 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Fri, 6 Jun 2014 18:02:11 +0200 Subject: [PATCH] Missing dependency in BUILD.txt --- BUILD.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a

Re: [Freeipa-devel] [PATCH] 210 Allow SAN in IPA certificate profile

2014-06-18 Thread Jan Cholasta
On 16.6.2014 16:08, Martin Kosek wrote: On 06/16/2014 02:57 PM, Jan Cholasta wrote: On 16.6.2014 13:31, Martin Kosek wrote: On 06/11/2014 02:59 PM, Jan Cholasta wrote: On 11.6.2014 13:29, Martin Kosek wrote: On 06/11/2014 10:58 AM, Jan Cholasta wrote: On 10.6.2014 09:55, Martin Kosek wrote:

Re: [Freeipa-devel] [PATCHES] 0583-0584 Convert DNS default permissions to managed

2014-06-18 Thread Petr Viktorin
On 06/18/2014 02:05 PM, Martin Kosek wrote: On 06/16/2014 05:43 PM, Petr Viktorin wrote: On 06/13/2014 05:25 PM, Petr Viktorin wrote: With the first patch, old SYSTEM permissions can be replaced. The "Read DNS Entries" did not have an associated ACI, but was rather rolled into a single ACI wit

Re: [Freeipa-devel] [PATCHES] 0583-0584 Convert DNS default permissions to managed

2014-06-18 Thread Martin Kosek
On 06/18/2014 02:20 PM, Petr Viktorin wrote: > On 06/18/2014 02:05 PM, Martin Kosek wrote: >> On 06/16/2014 05:43 PM, Petr Viktorin wrote: >>> On 06/13/2014 05:25 PM, Petr Viktorin wrote: With the first patch, old SYSTEM permissions can be replaced. The "Read DNS Entries" did not hav

Re: [Freeipa-devel] [PATCH] 6 - Dogtag DRM -IPA plugin

2014-06-18 Thread Ade Lee
I have not addressed Rob's comments here yet, but will do so in a later patch. We are most likely a couple weeks or so away from landing these patches and we can work on rejiggering/squashing them then. To help folks review the patches without getting merge issues, and so that I don't have to wor

Re: [Freeipa-devel] [PATCHES] 0583-0584 Convert DNS default permissions to managed

2014-06-18 Thread Petr Viktorin
On 06/18/2014 02:23 PM, Martin Kosek wrote: On 06/18/2014 02:20 PM, Petr Viktorin wrote: On 06/18/2014 02:05 PM, Martin Kosek wrote: [...] 583.2: OK 584.2: 1) Typo in description: Convewrt the existing default permissions. Thanks for the catch, I'll fix it before pushing. 2) What would

Re: [Freeipa-devel] [PATCHES] 0583-0584 Convert DNS default permissions to managed

2014-06-18 Thread Petr Viktorin
On 06/18/2014 02:23 PM, Martin Kosek wrote: On 06/18/2014 02:20 PM, Petr Viktorin wrote: On 06/18/2014 02:05 PM, Martin Kosek wrote: [...] 583.2: OK 584.2: 1) Typo in description: Convewrt the existing default permissions. Thanks for the catch, I'll fix it before pushing. 2) What would

Re: [Freeipa-devel] [PATCHES] 0585-0587 Convert Password Policy & COSTemplate default permissions to managed

2014-06-18 Thread Martin Kosek
On 06/13/2014 06:03 PM, Petr Viktorin wrote: > The first patch is preparation. > > As for the second two, this is how the bulk of the transition will look. Works fine, also tested with unit test. When testing it, I found one error: # ipa pwpolicy-add ipausers --maxlife 90 --minlife 1 --priority

Re: [Freeipa-devel] [PATCHES] 0585-0587 Convert Password Policy & COSTemplate default permissions to managed

2014-06-18 Thread Petr Viktorin
On 06/18/2014 02:48 PM, Martin Kosek wrote: On 06/13/2014 06:03 PM, Petr Viktorin wrote: The first patch is preparation. As for the second two, this is how the bulk of the transition will look. Works fine, also tested with unit test. When testing it, I found one error: # ipa pwpolicy-add ipa

Re: [Freeipa-devel] [PATCHES] 0578-0579 Convert Host default permissions to managed

2014-06-18 Thread Petr Viktorin
On 06/11/2014 06:39 PM, Petr Viktorin wrote: Patch 0578 does the conversion Patch 0579 fixes https://fedorahosted.org/freeipa/ticket/4252 and provides permissions needed for automatic enrollment (from http://projects.theforeman.org/projects/foreman/wiki/IPASmartProxyUser) Rebasing to current m

Re: [Freeipa-devel] User life-cycle: nsAccountLock

2014-06-18 Thread thierry bordaz
On 06/18/2014 12:47 PM, Martin Kosek wrote: On 06/17/2014 05:59 PM, thierry bordaz wrote: On 06/16/2014 03:04 PM, Rob Crittenden wrote: ... Thanks for your precise feedback and sorry for my late answer. So if I try to consolidate my understandings, the workflow would be: 1. Stagi

Re: [Freeipa-devel] User life-cycle: nsAccountLock

2014-06-18 Thread Simo Sorce
On Wed, 2014-06-18 at 12:47 +0200, Martin Kosek wrote: > On 06/17/2014 05:59 PM, thierry bordaz wrote: > > On 06/16/2014 03:04 PM, Rob Crittenden wrote: > ... > >Thanks for your precise feedback and sorry for my late answer. > >So if I try to consolidate my understandings, the workflow woul

Re: [Freeipa-devel] User Life Cycle: enforce ipaUniqueID generation by the server

2014-06-18 Thread Simo Sorce
On Wed, 2014-06-18 at 11:39 +0200, thierry bordaz wrote: > On 06/17/2014 09:42 PM, Simo Sorce wrote: > > On Tue, 2014-06-17 at 21:36 +0200, thierry bordaz wrote: > >> On 06/17/2014 09:29 PM, Simo Sorce wrote: > >>> On Tue, 2014-06-17 at 15:23 -0400, Rob Crittenden wrote: > Simo Sorce wrote: >

Re: [Freeipa-devel] User life-cycle: nsAccountLock

2014-06-18 Thread Simo Sorce
On Wed, 2014-06-18 at 15:22 +0200, thierry bordaz wrote: > On 06/18/2014 12:47 PM, Martin Kosek wrote: > > On 06/17/2014 05:59 PM, thierry bordaz wrote: > >> On 06/16/2014 03:04 PM, Rob Crittenden wrote: > > ... > >> Thanks for your precise feedback and sorry for my late answer. > >> So if

Re: [Freeipa-devel] User life-cycle: nsAccountLock

2014-06-18 Thread thierry bordaz
On 06/18/2014 03:40 PM, Simo Sorce wrote: On Wed, 2014-06-18 at 15:22 +0200, thierry bordaz wrote: On 06/18/2014 12:47 PM, Martin Kosek wrote: On 06/17/2014 05:59 PM, thierry bordaz wrote: On 06/16/2014 03:04 PM, Rob Crittenden wrote: ... Thanks for your precise feedback and sorry for m

[Freeipa-devel] [PATCH] 302 Do not corrupt sshd_config in client install when trailing newline is missing

2014-06-18 Thread Jan Cholasta
Hi, the attached patch fixes . Honza -- Jan Cholasta >From c933fa17a556ccc7ce142f81c6d6aaac15d0931d Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Wed, 18 Jun 2014 15:26:17 +0200 Subject: [PATCH] Do not corrupt sshd_config in client install when

Re: [Freeipa-devel] User life-cycle: nsAccountLock

2014-06-18 Thread thierry bordaz
On 06/18/2014 03:31 PM, Simo Sorce wrote: On Wed, 2014-06-18 at 12:47 +0200, Martin Kosek wrote: On 06/17/2014 05:59 PM, thierry bordaz wrote: On 06/16/2014 03:04 PM, Rob Crittenden wrote: ... Thanks for your precise feedback and sorry for my late answer. So if I try to consolidate my

Re: [Freeipa-devel] User life-cycle: nsAccountLock

2014-06-18 Thread Simo Sorce
On Wed, 2014-06-18 at 15:55 +0200, thierry bordaz wrote: > On 06/18/2014 03:40 PM, Simo Sorce wrote: > > On Wed, 2014-06-18 at 15:22 +0200, thierry bordaz wrote: > >> On 06/18/2014 12:47 PM, Martin Kosek wrote: > >>> On 06/17/2014 05:59 PM, thierry bordaz wrote: > On 06/16/2014 03:04 PM, Rob C

Re: [Freeipa-devel] User life-cycle: nsAccountLock

2014-06-18 Thread Simo Sorce
On Wed, 2014-06-18 at 16:20 +0200, thierry bordaz wrote: > On 06/18/2014 03:31 PM, Simo Sorce wrote: > > On Wed, 2014-06-18 at 12:47 +0200, Martin Kosek wrote: > >> On 06/17/2014 05:59 PM, thierry bordaz wrote: > >>> On 06/16/2014 03:04 PM, Rob Crittenden wrote: > >> ... > >>> Thanks for your p

[Freeipa-devel] [PATCH 0070] Normalization check only for IDNA domains

2014-06-18 Thread Martin Basti
Due to compatibility with older versions, only IDNA domains should be checked Patch attached. -- Martin^2 Basti >From fd329148639ce5b5707f37d1b450597f3ca4bcb7 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 18 Jun 2014 15:58:17 +0200 Subject: [PATCH] Check normalization only for IDNA domains

[Freeipa-devel] [PATCH 0229] dsinstance: Detect dynamic plugin support and restart server

2014-06-18 Thread Tomas Babej
Hi, With 389-ds-base 1.3.3. comes the dynamic plugin support. We need to restart the server right after modifying the schema, as the plugins will be enabled at the point they are added (and not at the next server restart). Properly handle both situations in the installer. https://fedorahosted.or

[Freeipa-devel] [PATCH 0019] Clarify LDAPClient docstrings about get_entry, get_entries and find_entrie

2014-06-18 Thread Petr Spacek
Hello, Clarify LDAPClient docstrings about get_entry, get_entries and find_entries. BTW what is the purpose of size_limit in LDAPClient.get_entry()? def get_entry(self, dn, attrs_list=None, time_limit=None, size_limit=None) -- Petr^2 Spacek From 0b6e1940f05b02c1aae0f390239b79396

Re: [Freeipa-devel] [PATCHES] 0578-0579 Convert Host default permissions to managed

2014-06-18 Thread Martin Kosek
On 06/11/2014 06:39 PM, Petr Viktorin wrote: > Patch 0578 does the conversion > > Patch 0579 fixes https://fedorahosted.org/freeipa/ticket/4252 and provides > permissions needed for automatic enrollment (from > http://projects.theforeman.org/projects/foreman/wiki/IPASmartProxyUser) 1) Inconsisten

Re: [Freeipa-devel] User life-cycle: nsAccountLock

2014-06-18 Thread thierry bordaz
On 06/18/2014 04:45 PM, Simo Sorce wrote: On Wed, 2014-06-18 at 16:20 +0200, thierry bordaz wrote: On 06/18/2014 03:31 PM, Simo Sorce wrote: On Wed, 2014-06-18 at 12:47 +0200, Martin Kosek wrote: On 06/17/2014 05:59 PM, thierry bordaz wrote: On 06/16/2014 03:04 PM, Rob Crittenden wrote: ...

Re: [Freeipa-devel] User life-cycle: nsAccountLock

2014-06-18 Thread Simo Sorce
On Wed, 2014-06-18 at 17:49 +0200, thierry bordaz wrote: > On 06/18/2014 04:45 PM, Simo Sorce wrote: > > On Wed, 2014-06-18 at 16:20 +0200, thierry bordaz wrote: > >> On 06/18/2014 03:31 PM, Simo Sorce wrote: > >>> On Wed, 2014-06-18 at 12:47 +0200, Martin Kosek wrote: > On 06/17/2014 05:59 PM

Re: [Freeipa-devel] DNSSEC key metadata handling

2014-06-18 Thread Petr Spacek
On 13.6.2014 18:43, Petr Spacek wrote: On 12.6.2014 17:49, Petr Spacek wrote: On 12.6.2014 17:19, Simo Sorce wrote: On Thu, 2014-06-12 at 17:08 +0200, Petr Spacek wrote: Hello list, I have realized that we need to store certain DNSSEC metadata for every (zone,key,replica) triplet. It is neces

Re: [Freeipa-devel] [PATCH 0053] Implement OTP token importing

2014-06-18 Thread Simo Sorce
On Wed, 2014-06-18 at 17:34 -0400, Nathaniel McCallum wrote: > On Tue, 2014-05-13 at 12:38 -0400, Nathaniel McCallum wrote: > > This patch adds support for importing tokens using RFC 6030 key > > container files. This includes decryption support. For sysadmin sanity, > > any tokens which fail to ad

Re: [Freeipa-devel] [PATCH 0044] Periodically refresh global ipa-kdb configuration

2014-06-18 Thread Nathaniel McCallum
On Wed, 2014-06-04 at 18:47 +0300, Alexander Bokovoy wrote: > On Thu, 01 May 2014, Nathaniel McCallum wrote: > >On Tue, 2014-03-11 at 11:09 -0400, Simo Sorce wrote: > >> On Tue, 2014-03-11 at 16:05 +0200, Alexander Bokovoy wrote: > >> > On Tue, 11 Mar 2014, Jan Pazdziora wrote: > >> > >On Mon, Feb