[Freeipa-devel] [PATCH] 0019 Stop dogtag when updating its configuration in ipa-upgradeconfig

2014-10-08 Thread David Kupka
https://fedorahosted.org/freeipa/ticket/4569 -- David Kupka From a1363fa49a35115cfa15d51d7ae5c298828efc37 Mon Sep 17 00:00:00 2001 From: David Kupka Date: Tue, 30 Sep 2014 08:41:49 -0400 Subject: [PATCH] Stop dogtag when updating its configuration in ipa-upgradeconfig. Modifying CS.cfg when dog

Re: [Freeipa-devel] [PATCH] 348 Remove misleading authorization error message in cert-request with --add

2014-10-08 Thread Martin Kosek
On 10/07/2014 06:48 PM, Jan Cholasta wrote: > Hi, > > the attached patch fixes . > > The error message is now the generic ACI error message, e.g. "Insufficient > access: Insufficient 'add' privilege to add the entry > 'krbprincipalname=something/someh

Re: [Freeipa-devel] [PATCH] 0019 Stop dogtag when updating its configuration in ipa-upgradeconfig

2014-10-08 Thread Jan Cholasta
Hi, On 8.10.2014 at 09:09 David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4569 In renew_ca_cert and cainstance.py, dogtag should already be stopped in the places you modified, so why the change? Also I don't think it's a good idea to backup CS.cfg when dogtag is still runnin

Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-10-08 Thread Martin Kosek
On 10/07/2014 08:48 PM, Nathaniel McCallum wrote: > On Tue, 2014-10-07 at 10:52 -0700, Noriko Hosoi wrote: >> On 2014/10/07 10:48, Nathaniel McCallum wrote: >>> On Tue, 2014-10-07 at 18:54 +0200, thierry bordaz wrote: On 10/07/2014 06:00 PM, Nathaniel McCallum wrote: > Attached is the

Re: [Freeipa-devel] [PATCH 0034] Missing requires on python-dns

2014-10-08 Thread Petr Spacek
Hello, this is going to be a little bit more interesting. RHEL/CentOS version of FreeIPA depends on python-dns >= 1.11.1-2 but Fedora version should depend on >= 1.12.0. RHEL contains Git snapshot which is newer than 1.11.1 but is still not complete 1.12.0. Fedora contains 'proper' 1.11.1 ve

Re: [Freeipa-devel] [PATCH] 0021 Fix example usage in ipa man page.

2014-10-08 Thread Martin Kosek
On 10/08/2014 08:36 AM, Alexander Bokovoy wrote: > On Wed, 08 Oct 2014, David Kupka wrote: >> On 10/08/2014 08:19 AM, David Kupka wrote: >>> On 10/08/2014 08:02 AM, Alexander Bokovoy wrote: On Wed, 08 Oct 2014, David Kupka wrote: > https://fedorahosted.org/freeipa/ticket/4587 > -- >>>

[Freeipa-devel] [PATCHES] 349-350 Add ipa-client-install switch --request-cert to request cert for the host

2014-10-08 Thread Jan Cholasta
Hi, the attached patches fix . Honza -- Jan Cholasta From 001f7bbc7010f106986f19d5040b272a13aa8ba8 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Wed, 8 Oct 2014 10:27:25 +0200 Subject: [PATCH 1/2] Fix certmonger.request_cert https://fedorahos

Re: [Freeipa-devel] [PATCH 0034] Missing requires on python-dns

2014-10-08 Thread Martin Basti
On 07/10/14 19:34, Gabe Alford wrote: Done. Update patch to use python-dns >= 1.11.1 On Tue, Oct 7, 2014 at 11:26 AM, Martin Basti > wrote: On 07/10/14 15:58, Gabe Alford wrote: Forgot to add patch. On Tue, Oct 7, 2014 at 7:58 AM, Gabe Alford mailto:

[Freeipa-devel] [PATCH] 351 Support MS CA as the external CA in ipa-server-install and ipa-ca-install

2014-10-08 Thread Jan Cholasta
Hi, the attached patch fixes . Note that this requires pki-core 10.2.0-3. Honza -- Jan Cholasta From acb1995aa55fbe46adcf1a995b29f3a4d3280de5 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Wed, 8 Oct 2014 10:51:31 +0200 Subject: [PATCH] Suppor

[Freeipa-devel] [PATCH] 352 Fix certmonger configuration in installer code

2014-10-08 Thread Jan Cholasta
Hi, the attached patch fixes . Honza -- Jan Cholasta From d1f307cef0b72c8052dd9277d20814236cb19f79 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 7 Oct 2014 16:46:15 +0200 Subject: [PATCH] Fix certmonger configuration in installer code ht

Re: [Freeipa-devel] [PATCH] 0019 Stop dogtag when updating its configuration in ipa-upgradeconfig

2014-10-08 Thread David Kupka
On 10/08/2014 09:29 AM, Jan Cholasta wrote: Hi, On 8.10.2014 at 09:09 David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4569 In renew_ca_cert and cainstance.py, dogtag should already be stopped in the places you modified, so why the change? I didn't notice that it is already s

Re: [Freeipa-devel] [PATCH] 351 Support MS CA as the external CA in ipa-server-install and ipa-ca-install

2014-10-08 Thread Martin Kosek
On 10/08/2014 11:53 AM, Jan Cholasta wrote: > Hi, > > the attached patch fixes . > > Note that this requires pki-core 10.2.0-3. > > Honza The approach looks OK, but I would like to be better in naming documentation: +cert_group.add_option("--ex

Re: [Freeipa-devel] [PATCH] 352 Fix certmonger configuration in installer code

2014-10-08 Thread Jan Cholasta
On 8.10.2014 at 12:27 Jan Cholasta wrote: Hi, the attached patch fixes . Honza Forgot to delete a line in dogtaginstance.py (thanks to David for noticing). Updated patch attached. -- Jan Cholasta From f2edb5ddf291d1f14c13e155412f5154d491c8

[Freeipa-devel] [PATCH] 353 Allow specifying signing algorithm of the IPA CA cert in ipa-ca-install

2014-10-08 Thread Jan Cholasta
Hi, the attached patch provides an additional fix for . Honza -- Jan Cholasta From d0f77421f74b026de15966075e7687ff0350ed54 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Wed, 8 Oct 2014 12:18:06 +0200 Subject: [PATCH] Allow specifying signin

Re: [Freeipa-devel] [PATCH] 351 Support MS CA as the external CA in ipa-server-install and ipa-ca-install

2014-10-08 Thread Jan Cholasta
On 8.10.2014 at 12:49 Martin Kosek wrote: On 10/08/2014 11:53 AM, Jan Cholasta wrote: Hi, the attached patch fixes . Note that this requires pki-core 10.2.0-3. Honza The approach looks OK, but I would like to be better in naming documentatio

[Freeipa-devel] [PATCH] 0002 Ignore irrelevant subtrees in schema compat plugin

2014-10-08 Thread Ludwig Krispenz
Please review attached patch for ticket: https://fedorahosted.org/freeipa/ticket/4586 This reduces the number of internal searches and contention for database locks. Together with DS fix for https://fedorahosted.org/389/ticket/47918 the issues reported in 4586 no longer occurred. From 1e871d2

[Freeipa-devel] [PATCH] 0655 Add additional backup & restore checks

2014-10-08 Thread Petr Viktorin
This adds basic checks that PAM, DNS, and Kerberos are working before & after the backup&restore (in addition to DS, CA & IPA CLI that were there before). -- Petr³ From e9495d4c023eb99a19493c3cfbd7c259e12929f5 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Thu, 25 Sep 2014 10:11:49 +0200

[Freeipa-devel] [PATCH 0133] Fix ipactl service ordering

2014-10-08 Thread Martin Basti
IPA sorts service order alphabetically, this patch modifies ipactl to use integers. How to reproduce: set attribute ipaConfigString: startOrder 150 DN: cn=HTTP,cn=ipa.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com then run #ipactl restart httpd service should start as last service, but i

Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-10-08 Thread thierry bordaz
On 10/07/2014 06:00 PM, Nathaniel McCallum wrote: Attached is the latest patch. I believe this includes all of our discussions up until this point. However, a few bits of additional information are needed. First, I have renamed the plugin to ipa-otp-counter. I believe all replay prevention work

Re: [Freeipa-devel] [PATCH] 761 keytab manipulation permission management

2014-10-08 Thread Petr Vobornik
On 1.10.2014 18:15, Petr Vobornik wrote: Hello list, Patch for: https://fedorahosted.org/freeipa/ticket/4419 New revisions of 761 and 763 with updated API and ACIs: ipa host-allow-operation HOSTNAME retrieve-keytab --users=STR --groups STR ipa host-disallow-operation HOSTNAME retrieve-keyt

Re: [Freeipa-devel] [PATCH] 764 webui: management of keytab permissions

2014-10-08 Thread Petr Vobornik
On 3.10.2014 16:12, Petr Vobornik wrote: On 1.10.2014 18:15, Petr Vobornik wrote: Hello list, Patch for: https://fedorahosted.org/freeipa/ticket/4419 Web UI for 4419. Depends on patch 761 (parent thread). New version which works with 761-2. The content was moved to details facet (based o

Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-10-08 Thread Nathaniel McCallum
On Wed, 2014-10-08 at 17:30 +0200, thierry bordaz wrote: > On 10/07/2014 06:00 PM, Nathaniel McCallum wrote: > > Attached is the latest patch. I believe this includes all of our > > discussions up until this point. However, a few bits of additional > > information are needed. > > > > First, I have

Re: [Freeipa-devel] [PATCH] 0159-0160 Support ID views in compat tree

2014-10-08 Thread Alexander Bokovoy
On Tue, 07 Oct 2014, Ludwig Krispenz wrote: Hi Alex, I have a question regarding cbdata.target. It is/was a reference to the pblock used to generate a new dn, but now in idview_replace_target_dn(&cbdata.target,...) it can be newly allocated and should be freed, so I think there should be a re

Re: [Freeipa-devel] [PATCH 0133] Fix ipactl service ordering

2014-10-08 Thread Martin Basti
On 08/10/14 16:59, Martin Basti wrote: IPA sorts service order alphabetically, this patch modifies ipactl to use integers. How to reproduce: set attribute ipaConfigString: startOrder 150 DN: cn=HTTP,cn=ipa.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com then run #ipactl restart httpd ser

Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-10-08 Thread thierry bordaz
On 10/08/2014 07:30 PM, Nathaniel McCallum wrote: On Wed, 2014-10-08 at 17:30 +0200, thierry bordaz wrote: On 10/07/2014 06:00 PM, Nathaniel McCallum wrote: Attached is the latest patch. I believe this includes all of our discussions up until this point. However, a few bits of additional inform

Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-10-08 Thread Rich Megginson
On 10/08/2014 01:45 PM, thierry bordaz wrote: On 10/08/2014 07:30 PM, Nathaniel McCallum wrote: On Wed, 2014-10-08 at 17:30 +0200, thierry bordaz wrote: On 10/07/2014 06:00 PM, Nathaniel McCallum wrote: Attached is the latest patch. I believe this includes all of our discussions up until this

Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-10-08 Thread Nathaniel McCallum
On Wed, 2014-10-08 at 21:45 +0200, thierry bordaz wrote: > On 10/08/2014 07:30 PM, Nathaniel McCallum wrote: > > On Wed, 2014-10-08 at 17:30 +0200, thierry bordaz wrote: > >> On 10/07/2014 06:00 PM, Nathaniel McCallum wrote: > >>> Attached is the latest patch. I believe this includes all of our > >

Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-10-08 Thread Nathaniel McCallum
On Wed, 2014-10-08 at 13:53 -0600, Rich Megginson wrote: > On 10/08/2014 01:45 PM, thierry bordaz wrote: > > On 10/08/2014 07:30 PM, Nathaniel McCallum wrote: > >> On Wed, 2014-10-08 at 17:30 +0200, thierry bordaz wrote: > >>> On 10/07/2014 06:00 PM, Nathaniel McCallum wrote: > Attached is the

Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-10-08 Thread Simo Sorce
On Wed, 08 Oct 2014 15:53:39 -0400 Nathaniel McCallum wrote: > As I understand my code, all servers will have csnD. Some servers will > have valueB and others will have valueD, but valueB == valueD. > > We *never* discard a CSN. We only discard the counter/watermark mods > in the replication ope

[Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

2014-10-08 Thread Nathaniel McCallum
The background of this email is this bug: https://fedorahosted.org/freeipa/ticket/4456 Attached are two patches which solve this issue for admin users (not very helpful, I know). They depend on this fix in 389: https://fedorahosted.org/389/ticket/47920 There are two outstanding issues: 1. 389 do

Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-10-08 Thread Nathaniel McCallum
On Wed, 2014-10-08 at 17:19 -0400, Simo Sorce wrote: > On Wed, 08 Oct 2014 15:53:39 -0400 > Nathaniel McCallum wrote: > > > As I understand my code, all servers will have csnD. Some servers will > > have valueB and others will have valueD, but valueB == valueD. > > > > We *never* discard a CSN.

Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-10-08 Thread Nathaniel McCallum
On Wed, 2014-10-08 at 17:19 -0400, Simo Sorce wrote: > On Wed, 08 Oct 2014 15:53:39 -0400 > Nathaniel McCallum wrote: > > > As I understand my code, all servers will have csnD. Some servers will > > have valueB and others will have valueD, but valueB == valueD. > > > > We *never* discard a CSN.

Re: [Freeipa-devel] [PATCH] 351 Support MS CA as the external CA in ipa-server-install and ipa-ca-install

2014-10-08 Thread Martin Kosek
On 10/08/2014 01:46 PM, Jan Cholasta wrote: > On 8.10.2014 at 12:49 Martin Kosek wrote: >> On 10/08/2014 11:53 AM, Jan Cholasta wrote: >>> Hi, >>> >>> the attached patch fixes . >>> >>> Note that this requires pki-core 10.2.0-3. >>> >>> Honza >> >>