Re: [Freeipa-devel] [PATCH] 0004 User life cycle: support of MODRDN to a new superior

2015-04-09 Thread thierry bordaz
On 04/08/2015 03:33 PM, Jan Cholasta wrote: On 8.4.2015 at 15:00, thierry bordaz wrote: On 04/08/2015 08:34 AM, Jan Cholasta wrote: Hi, On 1.4.2015 at 17:40, thierry bordaz wrote: Hello, In user life cycle, Active entries are moved to Delete container and Delete entries can

Re: [Freeipa-devel] Designing better API compatibility

2015-04-09 Thread Martin Kosek
On 04/09/2015 09:16 AM, Jan Cholasta wrote: On 8.4.2015 at 16:44, Martin Kosek wrote: On 03/20/2015 05:00 PM, Petr Vobornik wrote: On 03/20/2015 04:16 PM, Petr Spacek wrote: On 20.3.2015 15:51, Nathaniel McCallum wrote: On Fri, 2015-03-20 at 09:58 -0400, Simo Sorce wrote: On Fri,

[Freeipa-devel] Proposal: reverse stance on installing CA on new masters

2015-04-09 Thread Rob Crittenden
Right now when a new master is installed it is not configured with a CA unless one passes in --setup-ca (or afterward runs ipa-ca-install). Over and over we've seen people who have multiple masters and a single CA, in some cases that CA machine is gone, leaving the realm with no CA at all. I

Re: [Freeipa-devel] Designing better API compatibility

2015-04-09 Thread Petr Vobornik
On 04/09/2015 09:35 AM, Martin Kosek wrote: On 04/09/2015 09:16 AM, Jan Cholasta wrote: On 8.4.2015 at 16:44, Martin Kosek wrote: On 03/20/2015 05:00 PM, Petr Vobornik wrote: On 03/20/2015 04:16 PM, Petr Spacek wrote: On 20.3.2015 15:51, Nathaniel McCallum wrote: On Fri, 2015-03-20 at

Re: [Freeipa-devel] Proposal: reverse stance on installing CA on new masters

2015-04-09 Thread Simo Sorce
On Thu, 2015-04-09 at 16:52 -0400, Rob Crittenden wrote: Simo Sorce wrote: On Thu, 2015-04-09 at 15:42 -0400, Rob Crittenden wrote: Petr Vobornik wrote: On 04/09/2015 04:05 PM, Rob Crittenden wrote: Right now when a new master is installed it is not configured with a CA unless one

Re: [Freeipa-devel] Proposal: reverse stance on installing CA on new masters

2015-04-09 Thread Simo Sorce
On Thu, 2015-04-09 at 15:42 -0400, Rob Crittenden wrote: Petr Vobornik wrote: On 04/09/2015 04:05 PM, Rob Crittenden wrote: Right now when a new master is installed it is not configured with a CA unless one passes in --setup-ca (or afterward runs ipa-ca-install). Over and over we've

Re: [Freeipa-devel] [PATCH] otptoken_yubikey, append CR by default and add a option for not doing so

2015-04-09 Thread Luc de Louw
On 04/09/2015 02:28 PM, Jan Cholasta wrote: Let's say you now introduce --no-cr flag. What if we decide to change the default to False? How would you then change the option/API? You would have to add --cr flag. That was the point - some clients would send ct flag, some no_cr and there would

Re: [Freeipa-devel] Proposal: reverse stance on installing CA on new masters

2015-04-09 Thread Rob Crittenden
Simo Sorce wrote: On Thu, 2015-04-09 at 15:42 -0400, Rob Crittenden wrote: Petr Vobornik wrote: On 04/09/2015 04:05 PM, Rob Crittenden wrote: Right now when a new master is installed it is not configured with a CA unless one passes in --setup-ca (or afterward runs ipa-ca-install). Over and

Re: [Freeipa-devel] Proposal: reverse stance on installing CA on new masters

2015-04-09 Thread Rob Crittenden
Petr Vobornik wrote: On 04/09/2015 04:05 PM, Rob Crittenden wrote: Right now when a new master is installed it is not configured with a CA unless one passes in --setup-ca (or afterward runs ipa-ca-install). Over and over we've seen people who have multiple masters and a single CA, in some

Re: [Freeipa-devel] [PATCH] otptoken_yubikey, append CR by default and add a option for not doing so

2015-04-09 Thread Jan Cholasta
On 9.4.2015 at 12:42, Martin Kosek wrote: On 04/09/2015 12:30 PM, Jan Cholasta wrote: On 8.4.2015 at 22:52, Martin Kosek wrote: On 04/08/2015 06:03 PM, Nathaniel McCallum wrote: On Wed, 2015-04-08 at 17:53 +0200, Martin Basti wrote: On 08/04/15 17:46, Luc de Louw wrote: On 04/08/2015

Re: [Freeipa-devel] [PATCH] 811 performance: faster DN implementation

2015-04-09 Thread Petr Vobornik
On 04/02/2015 11:54 AM, Petr Viktorin wrote: On 03/31/2015 12:11 PM, Petr Vobornik wrote: The only different thing is a lack of utf-8 encoded str support(as input). I don't know how much important the support is. I don't think that support is too important (assuming IPA doesn't use it!).

Re: [Freeipa-devel] [PATCH] 809 speed up convert_attribute_members

2015-04-09 Thread Petr Vobornik
On 04/02/2015 09:47 AM, Jan Cholasta wrote: Hi, On 31.3.2015 at 12:11, Petr Vobornik wrote: A workaround to avoid usage of slow LDAPEntry._sync_attr #4946. I originally wanted to avoid DN processing as well but we can't do that because of DNs which are encoded - e.g. contains '+' or ','.

Re: [Freeipa-devel] [PATCH 408-423] ldap: Remove IPASimpleLDAPObject

2015-04-09 Thread Petr Viktorin
On 04/08/2015 03:18 PM, Jan Cholasta wrote: Hi, the attached patches remove IPASimpleLDAPObject from ipaldap. As a result, the one and only IPA LDAP API is the LDAPClient API. This is definitely an improvement :) 0408: ACK (woohoo!) 0409: ACK 0410: I quite like the new __init__ signature,

Re: [Freeipa-devel] [PATCH] otptoken_yubikey, append CR by default and add a option for not doing so

2015-04-09 Thread Jan Cholasta
On 8.4.2015 at 22:52, Martin Kosek wrote: On 04/08/2015 06:03 PM, Nathaniel McCallum wrote: On Wed, 2015-04-08 at 17:53 +0200, Martin Basti wrote: On 08/04/15 17:46, Luc de Louw wrote: On 04/08/2015 05:14 PM, Martin Basti wrote: On 08/04/15 17:12, Luc de Louw wrote: On 04/08/2015 05:05

Re: [Freeipa-devel] [PATCH] otptoken_yubikey, append CR by default and add a option for not doing so

2015-04-09 Thread Martin Kosek
On 04/09/2015 12:30 PM, Jan Cholasta wrote: On 8.4.2015 at 22:52, Martin Kosek wrote: On 04/08/2015 06:03 PM, Nathaniel McCallum wrote: On Wed, 2015-04-08 at 17:53 +0200, Martin Basti wrote: On 08/04/15 17:46, Luc de Louw wrote: On 04/08/2015 05:14 PM, Martin Basti wrote: On 08/04/15

Re: [Freeipa-devel] Proposal: reverse stance on installing CA on new masters

2015-04-09 Thread Petr Vobornik
On 04/09/2015 04:05 PM, Rob Crittenden wrote: Right now when a new master is installed it is not configured with a CA unless one passes in --setup-ca (or afterward runs ipa-ca-install). Over and over we've seen people who have multiple masters and a single CA, in some cases that CA machine is

Re: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code

2015-04-09 Thread Simo Sorce
On Thu, 2015-04-09 at 15:38 +0200, Jan Cholasta wrote: On 9.4.2015 at 14:41, Simo Sorce wrote: On Wed, 2015-03-25 at 11:52 +0100, Martin Babinsky wrote: On 03/23/2015 03:13 PM, Simo Sorce wrote: On Mon, 2015-03-23 at 14:22 +0100, Petr Spacek wrote: On 23.3.2015 14:08, Simo Sorce wrote:

Re: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code

2015-04-09 Thread Jan Cholasta
On 9.4.2015 at 14:41, Simo Sorce wrote: On Wed, 2015-03-25 at 11:52 +0100, Martin Babinsky wrote: On 03/23/2015 03:13 PM, Simo Sorce wrote: On Mon, 2015-03-23 at 14:22 +0100, Petr Spacek wrote: On 23.3.2015 14:08, Simo Sorce wrote: On Mon, 2015-03-23 at 12:48 +0100, Martin Babinsky wrote:

Re: [Freeipa-devel] Designing better API compatibility

2015-04-09 Thread Jan Cholasta
On 8.4.2015 at 16:44, Martin Kosek wrote: On 03/20/2015 05:00 PM, Petr Vobornik wrote: On 03/20/2015 04:16 PM, Petr Spacek wrote: On 20.3.2015 15:51, Nathaniel McCallum wrote: On Fri, 2015-03-20 at 09:58 -0400, Simo Sorce wrote: On Fri, 2015-03-20 at 14:38 +0100, Martin Kosek wrote:

Re: [Freeipa-devel] Designing better API compatibility

2015-04-09 Thread Jan Cholasta
On 9.4.2015 at 09:45, Petr Vobornik wrote: On 04/09/2015 09:35 AM, Martin Kosek wrote: On 04/09/2015 09:16 AM, Jan Cholasta wrote: On 8.4.2015 at 16:44, Martin Kosek wrote: On 03/20/2015 05:00 PM, Petr Vobornik wrote: On 03/20/2015 04:16 PM, Petr Spacek wrote: On 20.3.2015 15:51,

Re: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code

2015-04-09 Thread Simo Sorce
On Wed, 2015-03-25 at 11:52 +0100, Martin Babinsky wrote: On 03/23/2015 03:13 PM, Simo Sorce wrote: On Mon, 2015-03-23 at 14:22 +0100, Petr Spacek wrote: On 23.3.2015 14:08, Simo Sorce wrote: On Mon, 2015-03-23 at 12:48 +0100, Martin Babinsky wrote: On 03/17/2015 06:00 PM, Simo Sorce

Re: [Freeipa-devel] [PATCH] 810 speed up indirect member processing

2015-04-09 Thread Petr Vobornik
On 04/08/2015 10:21 AM, Jan Cholasta wrote: Hi, On 31.3.2015 at 12:11, Petr Vobornik wrote: the old implementation tried to get all entries which are member of group. That means also user. User can't have any members therefore this costly processing was unnecessary. New implementation