On 09/03/2014 07:55 AM, Alexander Bokovoy wrote:
Switching to freeipa-devel@ since it is an important issue.
On Tue, 02 Sep 2014, Rob Crittenden wrote:
Chris Whittle wrote:
If I do this
ldapsearch -LLL -H ldaps://DOMAIN:636 -x -D
uid=mac_slave,cn=users,cn=accounts,dc=domain,dc=com -w
On 09/03/2014 10:17 AM, Martin Kosek wrote:
[...]
Exposing the same data anonymously over compat tree when it is available
only for authenticated users over primary tree isn't secure.
If you check
cn=users,cn=Schema Compatibility,cn=plugins,cn=config
you would see that we only allow attributes
On 02/09/14 17:46, Petr Spacek wrote:
On 25.8.2014 14:52, Martin Basti wrote:
Patches attached.
Ticket: https://fedorahosted.org/freeipa/ticket/4149
There is a bug in bind-dyndb-ldap (or worse in dirsrv), which causes
the named service to be stopped after deleting zone.
Bug ticket:
This fixes https://fedorahosted.org/freeipa/ticket/4522. The API is
already tested and the attribute is available in the UI.
Pushed as one-liner to:
ipa-4-0: 1044d09333114058bf38df501acc12708329af73
ipa-4-1: c01c61618d5e768fde0376b2f46b4887308f7a86
master:
On 09/03/2014 12:17 PM, Petr Viktorin wrote:
This fixes https://fedorahosted.org/freeipa/ticket/4522. The API is already
tested and the attribute is available in the UI.
Pushed as one-liner to:
ipa-4-0: 1044d09333114058bf38df501acc12708329af73
ipa-4-1:
On 09/02/2014 05:46 PM, Petr Spacek wrote:
On 25.8.2014 14:52, Martin Basti wrote:
Patches attached.
Ticket: https://fedorahosted.org/freeipa/ticket/4149
There is a bug in bind-dyndb-ldap (or worse in dirsrv), which causes the named
service to be stopped after deleting zone.
Bug ticket:
On 09/02/2014 05:38 PM, Petr Spacek wrote:
On 21.8.2014 19:21, Martin Basti wrote:
During work on DNSSEC we found a wrong validation of NS records
Patch 0113 fixes an error in tests caused by bind-dyndb-ldap bug
https://fedorahosted.org/bind-dyndb-ldap/ticket/123
Patches attached.
On 09/03/2014 10:45 AM, Petr Viktorin wrote:
On 09/03/2014 10:17 AM, Martin Kosek wrote:
[...]
Exposing the same data anonymously over compat tree when it is available
only for authenticated users over primary tree isn't secure.
If you check
cn=users,cn=Schema
On 09/03/2014 12:32 PM, Petr Viktorin wrote:
On 09/03/2014 10:45 AM, Petr Viktorin wrote:
On 09/03/2014 10:17 AM, Martin Kosek wrote:
[...]
Exposing the same data anonymously over compat tree when it is available
only for authenticated users over primary tree isn't secure.
If you check
On 09/02/2014 01:56 PM, Jan Cholasta wrote:
On 29.8.2014 at 14:34, David Kupka wrote:
Hope, I've addressed all the issues (except 9 and 11, inline). Let's go
for another round :-)
On 08/27/2014 11:05 AM, Jan Cholasta wrote:
Hi,
On 25.8.2014 at 15:39, David Kupka wrote:
On 08/19/2014
On Wed, 03 Sep 2014, Petr Viktorin wrote:
On 09/03/2014 10:17 AM, Martin Kosek wrote:
[...]
Exposing the same data anonymously over compat tree when it is available
only for authenticated users over primary tree isn't secure.
If you check
cn=users,cn=Schema Compatibility,cn=plugins,cn=config
On 09/03/2014 12:26 PM, Martin Kosek wrote:
On 09/03/2014 12:17 PM, Petr Viktorin wrote:
This fixes https://fedorahosted.org/freeipa/ticket/4522. The API is already
tested and the attribute is available in the UI.
Pushed as one-liner to:
ipa-4-0: 1044d09333114058bf38df501acc12708329af73
On 09/03/2014 12:37 PM, David Kupka wrote:
On 09/02/2014 01:56 PM, Jan Cholasta wrote:
On 29.8.2014 at 14:34, David Kupka wrote:
Hope, I've addressed all the issues (except 9 and 11, inline). Let's go
for another round :-)
On 08/27/2014 11:05 AM, Jan Cholasta wrote:
Hi,
On 25.8.2014 at
On 03/09/14 12:27, Martin Kosek wrote:
On 09/02/2014 05:46 PM, Petr Spacek wrote:
On 25.8.2014 14:52, Martin Basti wrote:
Patches attached.
Ticket: https://fedorahosted.org/freeipa/ticket/4149
There is a bug in bind-dyndb-ldap (or worse in dirsrv), which causes the named
service to be stopped
On 09/03/2014 12:39 PM, Alexander Bokovoy wrote:
On Wed, 03 Sep 2014, Petr Viktorin wrote:
On 09/03/2014 10:17 AM, Martin Kosek wrote:
[...]
Exposing the same data anonymously over compat tree when it is available
only for authenticated users over primary tree isn't secure.
If you check
On 09/03/2014 12:43 PM, Petr Viktorin wrote:
On 09/03/2014 12:26 PM, Martin Kosek wrote:
On 09/03/2014 12:17 PM, Petr Viktorin wrote:
This fixes https://fedorahosted.org/freeipa/ticket/4522. The API is already
tested and the attribute is available in the UI.
Pushed as one-liner to:
ipa-4-0:
On Wed, 03 Sep 2014, Martin Kosek wrote:
On 09/03/2014 12:39 PM, Alexander Bokovoy wrote:
On Wed, 03 Sep 2014, Petr Viktorin wrote:
On 09/03/2014 10:17 AM, Martin Kosek wrote:
[...]
Exposing the same data anonymously over compat tree when it is available
only for authenticated users over
On 2.9.2014 17:22, Nathaniel McCallum wrote:
On Tue, 2014-09-02 at 13:49 +0200, Petr Vobornik wrote:
On 28.8.2014 20:14, Nathaniel McCallum wrote:
On Tue, 2014-08-19 at 16:46 -0400, Nathaniel McCallum wrote:
Also, remove the attempt to load the objectClasses when absent. This
never makes
Hello,
This adds managed read permissions to the compat tree.
For users it grants anonymous access; authenticated users can read
groups, hosts and netgroups.
I'm unsure if this is what we want to do for groups, but Read Group
Membership is only granted to authenticated users by default, and
On 09/03/2014 01:02 PM, Alexander Bokovoy wrote:
On Wed, 03 Sep 2014, Martin Kosek wrote:
On 09/03/2014 12:39 PM, Alexander Bokovoy wrote:
On Wed, 03 Sep 2014, Petr Viktorin wrote:
On 09/03/2014 10:17 AM, Martin Kosek wrote:
[...]
Exposing the same data anonymously over compat tree when it
On Wed, 03 Sep 2014, Martin Kosek wrote:
On 09/03/2014 01:02 PM, Alexander Bokovoy wrote:
On Wed, 03 Sep 2014, Martin Kosek wrote:
On 09/03/2014 12:39 PM, Alexander Bokovoy wrote:
On Wed, 03 Sep 2014, Petr Viktorin wrote:
On 09/03/2014 10:17 AM, Martin Kosek wrote:
[...]
Exposing the same
On 3.9.2014 at 12:45, Martin Kosek wrote:
On 09/03/2014 12:37 PM, David Kupka wrote:
On 09/02/2014 01:56 PM, Jan Cholasta wrote:
On 29.8.2014 at 14:34, David Kupka wrote:
Hope, I've addressed all the issues (except 9 and 11, inline). Let's go
for another round :-)
On 08/27/2014 11:05
On 02/09/14 18:54, Petr Spacek wrote:
Hello,
Always use task associated with ISC event instead of global inst-task.
This is necessary to prevent random crashes like:
REQUIRE(task-state == task_state_running) failed
https://fedorahosted.org/bind-dyndb-ldap/ticket/138
On 09/03/2014 01:27 PM, Petr Viktorin wrote:
Hello,
This adds managed read permissions to the compat tree.
For users it grants anonymous access; authenticated users can read
groups, hosts and netgroups.
I'm unsure if this is what we want to do for groups, but Read Group
Membership is only
On 09/03/2014 02:04 PM, Alexander Bokovoy wrote:
On Wed, 03 Sep 2014, Martin Kosek wrote:
On 09/03/2014 01:02 PM, Alexander Bokovoy wrote:
On Wed, 03 Sep 2014, Martin Kosek wrote:
On 09/03/2014 12:39 PM, Alexander Bokovoy wrote:
On Wed, 03 Sep 2014, Petr Viktorin wrote:
On 09/03/2014 10:17
On 09/03/2014 02:07 PM, Jan Cholasta wrote:
On 3.9.2014 at 12:45, Martin Kosek wrote:
On 09/03/2014 12:37 PM, David Kupka wrote:
On 09/02/2014 01:56 PM, Jan Cholasta wrote:
On 29.8.2014 at 14:34, David Kupka wrote:
Hope, I've addressed all the issues (except 9 and 11, inline). Let's go
On 02/09/14 17:33, Petr Spacek wrote:
On 21.8.2014 10:58, Martin Basti wrote:
On 21/08/14 08:43, Petr Spacek wrote:
On 20.8.2014 17:37, Martin Basti wrote:
+# dissallowed wildcard (RFC 4592)
+no_wildcard_rtypes = ['CNAME', 'DNAME', 'DS', 'NS']
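Review bot: The comment above the added no_wildcard_rtypes list misspells "disallowed" as "dissallowed"; fix the spelling. The comment also cites only the RFC number, so naming the relevant RFC 4592 section there would make the restriction easier to check against the list.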
NACK
On Wed, 03 Sep 2014, Martin Kosek wrote:
On 09/03/2014 02:04 PM, Alexander Bokovoy wrote:
On Wed, 03 Sep 2014, Martin Kosek wrote:
On 09/03/2014 01:02 PM, Alexander Bokovoy wrote:
On Wed, 03 Sep 2014, Martin Kosek wrote:
On 09/03/2014 12:39 PM, Alexander Bokovoy wrote:
On Wed, 03 Sep 2014,
On 09/03/2014 02:27 PM, Petr Viktorin wrote:
On 09/03/2014 01:27 PM, Petr Viktorin wrote:
Hello,
This adds managed read permissions to the compat tree.
For users it grants anonymous access; authenticated users can read
groups, hosts and netgroups.
I'm unsure if this is what we want to do for
Alexander Bokovoy wrote:
On Wed, 03 Sep 2014, Martin Kosek wrote:
On 09/03/2014 02:04 PM, Alexander Bokovoy wrote:
On Wed, 03 Sep 2014, Martin Kosek wrote:
On 09/03/2014 01:02 PM, Alexander Bokovoy wrote:
On Wed, 03 Sep 2014, Martin Kosek wrote:
On 09/03/2014 12:39 PM, Alexander Bokovoy
On Tue, Sep 02, 2014 at 10:18:12AM +0200, Jan Cholasta wrote:
On 27.8.2014 at 16:49, David Kupka wrote:
On 08/27/2014 11:22 AM, Jan Cholasta wrote:
On 26.8.2014 at 15:55, Rob Crittenden wrote:
David Kupka wrote:
On 08/26/2014 03:08 PM, Jan Cholasta wrote:
Hi,
On 26.8.2014 at 13:01
On Wed, Sep 03, 2014 at 02:34:44PM +0200, Martin Kosek wrote:
On 09/03/2014 02:07 PM, Jan Cholasta wrote:
I was about to ask the same. Another option is to ask Nalin to update
certmonger in F20.
CCing Nalin. What is your take on this, do you plan to release it to F20.
AFAIK, it is just
On Wed, 03 Sep 2014, Rob Crittenden wrote:
ipa-advise would then need to refer to some common system account +
its password it would bind with. Should we file RFE? Is this a right move?
Yes, we need to file RFE and make recommendations to always have
BINDDN/BINDPW or
On 3.9.2014 at 15:29, Nalin Dahyabhai wrote:
On Tue, Sep 02, 2014 at 10:18:12AM +0200, Jan Cholasta wrote:
On 27.8.2014 at 16:49, David Kupka wrote:
On 08/27/2014 11:22 AM, Jan Cholasta wrote:
On 26.8.2014 at 15:55, Rob Crittenden wrote:
David Kupka wrote:
On 08/26/2014 03:08 PM,
Hi,
On 2.9.2014 at 16:51, David Kupka wrote:
Ok, the patch no longer depends on 0009. The reason is that 0012 is
going to ipa-4.0 and 0009 to ipa-4.1.
On 09/02/2014 12:13 PM, David Kupka wrote:
This patch depends on freeipa-dkupka-0009 as it modifies the same part
of code.
Hi,
Makes sure that any new sources added are not already present
in the entry.
https://fedorahosted.org/freeipa/ticket/4508
--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org
From 6cd6f5d523e11a70cd51788dd669cbd2e628eab6
On 3.9.2014 at 12:37, David Kupka wrote:
On 09/02/2014 01:56 PM, Jan Cholasta wrote:
On 29.8.2014 at 14:34, David Kupka wrote:
Hope, I've addressed all the issues (except 9 and 11, inline). Let's go
for another round :-)
On 08/27/2014 11:05 AM, Jan Cholasta wrote:
Hi,
On 25.8.2014 at
On 09/03/2014 03:43 PM, Jan Cholasta wrote:
Hi,
On 2.9.2014 at 16:51, David Kupka wrote:
Ok, the patch no longer depends on 0009. The reason is that 0012 is
going to ipa-4.0 and 0009 to ipa-4.1.
On 09/02/2014 12:13 PM, David Kupka wrote:
This patch depends on freeipa-dkupka-0009 as it
On 09/03/2014 03:41 PM, Jan Cholasta wrote:
On 3.9.2014 at 15:29, Nalin Dahyabhai wrote:
On Tue, Sep 02, 2014 at 10:18:12AM +0200, Jan Cholasta wrote:
On 27.8.2014 at 16:49, David Kupka wrote:
On 08/27/2014 11:22 AM, Jan Cholasta wrote:
On 26.8.2014 at 15:55, Rob Crittenden wrote:
On 09/03/2014 04:05 PM, Jan Cholasta wrote:
On 3.9.2014 at 12:37, David Kupka wrote:
On 09/02/2014 01:56 PM, Jan Cholasta wrote:
On 29.8.2014 at 14:34, David Kupka wrote:
Hope, I've addressed all the issues (except 9 and 11, inline). Let's go
for another round :-)
On 08/27/2014 11:05
On Wed, Sep 03, 2014 at 04:25:00PM +0200, Martin Kosek wrote:
On 09/03/2014 03:41 PM, Jan Cholasta wrote:
ldap_uri is set only on servers, on clients you should use server (we
should probably un-deprecate it). You could use host as a fallback, but it
will only work on servers, as it points
On 02/09/14 17:16, Petr Spacek wrote:
On 20.8.2014 19:26, Martin Basti wrote:
Part of DNSSEC
Patches attached.
NACK
# ipa dnsrecord-add ipa.example. ds '--ds-rec=1 2 3 4'
ipa: ERROR: invalid 'dsrecord': DS record requires to coexist with an
NS record (RFC 4529, section 4.6)
RFC number is
On 3.9.2014 at 16:25, David Kupka wrote:
On 09/03/2014 04:05 PM, Jan Cholasta wrote:
On 3.9.2014 at 12:37, David Kupka wrote:
On 09/02/2014 01:56 PM, Jan Cholasta wrote:
On 29.8.2014 at 14:34, David Kupka wrote:
Hope, I've addressed all the issues (except 9 and 11, inline).
Let's go
On 09/03/2014 04:33 PM, Nalin Dahyabhai wrote:
On Wed, Sep 03, 2014 at 04:25:00PM +0200, Martin Kosek wrote:
On 09/03/2014 03:41 PM, Jan Cholasta wrote:
ldap_uri is set only on servers, on clients you should use server (we
should probably un-deprecate it). You could use host as a fallback, but
On 03/09/14 12:30, Martin Kosek wrote:
On 09/02/2014 05:38 PM, Petr Spacek wrote:
On 21.8.2014 19:21, Martin Basti wrote:
During work on DNSSEC we found a wrong validation of NS records
Patch 0113 fixes an error in tests caused by bind-dyndb-ldap bug
On Wed, 2014-09-03 at 13:27 +0200, Petr Viktorin wrote:
Hello,
This adds managed read permissions to the compat tree.
For users it grants anonymous access; authenticated users can read
groups, hosts and netgroups.
I'm unsure if this is what we want to do for groups, but Read Group
On 07/28/2014 03:03 PM, Petr Viktorin wrote:
On 07/15/2014 09:13 AM, Tomas Babej wrote:
Hi,
With 389 DS 1.3.3 upwards we can leverage the
nsslapd-return-default-opattr
attribute to enumerate the list of attributes that should be returned
even if not specified explicitly. Use the behaviour
On 09/03/2014 03:53 PM, Tomas Babej wrote:
Hi,
Makes sure that any new sources added are not already present
in the entry.
https://fedorahosted.org/freeipa/ticket/4508
It works fine, ACK.
I do have some comments, but 4.0.x is a stabilization release, so they'd
probably be better in a 4.1
On 09/03/2014 04:51 PM, Simo Sorce wrote:
On Wed, 2014-09-03 at 13:27 +0200, Petr Viktorin wrote:
Hello,
This adds managed read permissions to the compat tree.
For users it grants anonymous access; authenticated users can read
groups, hosts and netgroups.
I'm unsure if this is what we want to
Hi,
On 27.8.2014 at 13:56, David Kupka wrote:
Usually it isn't wise to allow something like this. But in an environment
with broken DNS (described in the ticket) there are probably not many
alternatives.
https://fedorahosted.org/freeipa/ticket/
1) I think you can log realm in search() as part
On 09/03/2014 03:15 PM, Petr Viktorin wrote:
On 09/03/2014 02:27 PM, Petr Viktorin wrote:
On 09/03/2014 01:27 PM, Petr Viktorin wrote:
Hello,
This adds managed read permissions to the compat tree.
For users it grants anonymous access; authenticated users can read
groups, hosts and
Hi,
the attached patch fixes https://fedorahosted.org/freeipa/ticket/4166.
Honza
--
Jan Cholasta
From cdf6dcd447b762c47bf1f46a53a0127e265e6983 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Wed, 3 Sep 2014 15:04:35 +0200
Subject: [PATCH] Backup CS.cfg before modifying it
No longer request and install a cert for the IPA client machine.
rob
From 0468e18bb949e9dd8fc60c5f20581c1aea72be29 Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Wed, 3 Sep 2014 15:14:45 -0400
Subject: [PATCH] No longer generate a machine certificate on client installs
On 8/22/2014 3:31 AM, Petr Vobornik wrote:
On 12.8.2014 17:59, Endi Sukma Dewata wrote:
On 8/5/2014 6:31 AM, Petr Vobornik wrote:
ticket: https://fedorahosted.org/freeipa/ticket/4402
snip (ACK of 720, 721) but patch 720 was replaced by a new version
ACK.
[PATCH] 724 webui: display fields
On 9/2/2014 10:15 AM, Petr Vobornik wrote:
DNS zone 'Add and Edit' failed because of new DNS name encoding.
This patch makes sure that keys are extracted properly.
https://fedorahosted.org/freeipa/ticket/4520
ACK.
--
Endi S. Dewata
On 8/21/2014 11:06 AM, Petr Vobornik wrote:
based on:
http://www.redhat.com/archives/freeipa-devel/2014-August/msg00073.html
- bounce url param was renamed from 'redirect' to 'url'
- support for 'delay' param added
Behavior:
- Continue to next page link is shown if 'url' is present
- page is
On 8/22/2014 6:51 AM, Petr Vobornik wrote:
Errors should reflect only a result of last operation.
https://fedorahosted.org/freeipa/ticket/4470
Fixes issue found by Endi:
Try logging in with an incorrect password/OTP. After you get a login
error click Sync OTP Token. Once the sync is
57 matches