Re: [Freeipa-devel] Testing Migration

2015-05-28 Thread Rob Crittenden
Drew Erny wrote: Hi, freeipa-devel, More newbie questions. I have what I believe to be a fix for Ticket #2547 (https://fedorahosted.org/freeipa/ticket/2547) written, but I need to test this fix. I need to migrate an LDAP database that is in the previously expected for (all users and groups

Re: [Freeipa-devel] Sudorules user validation help

2015-05-28 Thread Alexander Bokovoy
On Thu, 28 May 2015, Martin Kosek wrote: On 05/28/2015 04:27 PM, Drew Erny wrote: In the ticket, however, it's stated that if the user wants to use any combination of weird characters, they should be able to. Would it be better to just define a function like def validate_username(username,

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Martin Kosek
On 05/28/2015 05:53 PM, Ludwig Krispenz wrote: On 05/28/2015 05:35 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 17:18 +0200, Ludwig Krispenz wrote: On 05/28/2015 05:03 PM, Martin Kosek wrote: On 05/28/2015 04:59 PM, Ludwig Krispenz wrote: On 05/28/2015 04:46 PM, Simo Sorce wrote: On Thu,

[Freeipa-devel] Testing Migration

2015-05-28 Thread Drew Erny
Hi, freeipa-devel, More newbie questions. I have what I believe to be a fix for Ticket #2547 (https://fedorahosted.org/freeipa/ticket/2547) written, but I need to test this fix. I need to migrate an LDAP database that is in the previously expected for (all users and groups under 1 level) and

Re: [Freeipa-devel] Sudorules user validation help

2015-05-28 Thread Drew Erny
Ok, so should I write a regex that matches that broader pattern, and only allow sudorules users to be added that follow those broader restrictions? On 05/28/2015 02:09 PM, Alexander Bokovoy wrote: On Thu, 28 May 2015, Martin Kosek wrote: On 05/28/2015 04:27 PM, Drew Erny wrote: In the

Re: [Freeipa-devel] [PATCHES 0001-0013 v5] Profiles and CA ACLs

2015-05-28 Thread Fraser Tweedale
On Thu, May 28, 2015 at 02:42:53PM +0200, Martin Basti wrote: On 28/05/15 11:48, Martin Basti wrote: On 27/05/15 16:04, Fraser Tweedale wrote: Hello all, Fresh certificate management patchset; Changelog: - Now depends on patch freeipa-ftweedal-0014 for correct cert-request behaviour with

Re: [Freeipa-devel] [PATCH 0014] Support multiple user and host certificates

2015-05-28 Thread Fraser Tweedale
On Wed, May 27, 2015 at 06:12:50PM +0200, Martin Basti wrote: On 27/05/15 15:53, Fraser Tweedale wrote: This patch adds support for multiple user / host certificates. No schema change is needed ('usercertificate' attribute is already multi-value). The revoke-previous-cert behaviour of

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Christian Heimes
On 2015-05-28 10:02, Jan Cholasta wrote: The python-kdcproxy package is a new dependency for the freeipa-server package. It will always get installed with the server. Why? None of the IPA core functionality depends on it, so it should be optional. Also the overall trend in IPA is to have

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Ludwig Krispenz
On 05/27/2015 01:04 PM, Martin Kosek wrote: On 05/26/2015 04:32 PM, Petr Spacek wrote: On 26.5.2015 16:16, Martin Kosek wrote: ... If you really want to avoid unforeseen issues rather go and get rid of major.minor logic we have in the topology plugin right now :-) Ludwig, I thought we

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Petr Spacek
On 28.5.2015 07:42, Jan Cholasta wrote: On 27.5.2015 at 15:54, Simo Sorce wrote: On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote: On 27.5.2015 at 15:43, Simo Sorce wrote: On Wed, 2015-05-27 at 13:57 +0200, Jan Cholasta wrote: ipa config-mod --enable-kdcproxy=TRUE ipa

Re: [Freeipa-devel] [PATCH] 1112 Add service constraint delegation plugin

2015-05-28 Thread Petr Vobornik
On 05/27/2015 08:17 PM, Martin Basti wrote: On 27/05/15 19:27, Rob Crittenden wrote: Martin Basti wrote: Thank you. I haven't finished review yet, but I have few notes in case you will modify the patch. Please fix following issues: 3) There are many PEP8 errors, can you fix some of

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Jan Cholasta
On 26.5.2015 at 16:32, Petr Spacek wrote: On 26.5.2015 16:16, Martin Kosek wrote: On 05/26/2015 04:13 PM, thierry bordaz wrote: On 05/26/2015 02:12 PM, Petr Spacek wrote: Hello, it came to my mind that domain level for topology plugin should actually be number 2, not 1. We already used

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Petr Spacek
On 28.5.2015 08:55, Jan Cholasta wrote: On 26.5.2015 at 16:32, Petr Spacek wrote: On 26.5.2015 16:16, Martin Kosek wrote: On 05/26/2015 04:13 PM, thierry bordaz wrote: On 05/26/2015 02:12 PM, Petr Spacek wrote: Hello, it came to my mind that domain level for topology plugin should

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Christian Heimes
On 2015-05-28 07:32, Jan Cholasta wrote: On 27.5.2015 at 16:01, Christian Heimes wrote: On 2015-05-27 15:51, Nathaniel McCallum wrote: As I understand the problem, there is an assumption that an optional component has a distinct service to start and stop. That is not the case here. This is

Re: [Freeipa-devel] [PATCH 0014] Support multiple user and host certificates

2015-05-28 Thread Martin Kosek
On 05/27/2015 06:12 PM, Martin Basti wrote: On 27/05/15 15:53, Fraser Tweedale wrote: This patch adds support for multiple user / host certificates. No schema change is needed ('usercertificate' attribute is already multi-value). The revoke-previous-cert behaviour of host-mod and user-mod

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Jan Cholasta
On 28.5.2015 at 09:45, Christian Heimes wrote: On 2015-05-28 07:32, Jan Cholasta wrote: On 27.5.2015 at 16:01, Christian Heimes wrote: On 2015-05-27 15:51, Nathaniel McCallum wrote: As I understand the problem, there is an assumption that an optional component has a distinct service to

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Martin Kosek
On 05/28/2015 07:29 AM, Jan Cholasta wrote: On 27.5.2015 at 15:51, Nathaniel McCallum wrote: On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote: On 27.5.2015 at 15:43, Simo Sorce wrote: On Wed, 2015-05-27 at 13:57 +0200, Jan Cholasta wrote: ipa config-mod --enable-kdcproxy=TRUE

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Martin Kosek
On 05/28/2015 10:02 AM, Jan Cholasta wrote: On 28.5.2015 at 09:45, Christian Heimes wrote: On 2015-05-28 07:32, Jan Cholasta wrote: On 27.5.2015 at 16:01, Christian Heimes wrote: On 2015-05-27 15:51, Nathaniel McCallum wrote: As I understand the problem, there is an assumption that an

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Martin Kosek
On 05/27/2015 05:05 PM, Oleg Fayans wrote: On 05/27/2015 04:59 PM, Martin Kosek wrote: Hello all, As FreeIPA 4.2 deadlines are approaching us slowly, there is a concern that not all of the new replica install way (replication-package-less) based on Custodia would be done and finished

Re: [Freeipa-devel] [PATCH] 1112 Add service constraint delegation plugin

2015-05-28 Thread Jan Cholasta
On 27.5.2015 at 19:38, Rob Crittenden wrote: Petr Vobornik wrote: On 05/27/2015 05:46 PM, Alexander Bokovoy wrote: On Wed, 27 May 2015, Rob Crittenden wrote: Petr Vobornik wrote: On 05/20/2015 06:02 PM, Rob Crittenden wrote: Rob Crittenden wrote: Rob Crittenden wrote: Add a plugin to

Re: [Freeipa-devel] [PATCH 0014] Support multiple user and host certificates

2015-05-28 Thread Fraser Tweedale
On Thu, May 28, 2015 at 10:40:22AM +0200, Martin Basti wrote: On 28/05/15 10:13, Fraser Tweedale wrote: On Wed, May 27, 2015 at 06:12:50PM +0200, Martin Basti wrote: On 27/05/15 15:53, Fraser Tweedale wrote: This patch adds support for multiple user / host certificates. No schema change is

Re: [Freeipa-devel] [PATCH 0014] Support multiple user and host certificates

2015-05-28 Thread Martin Basti
On 28/05/15 10:46, Martin Kosek wrote: On 05/27/2015 06:12 PM, Martin Basti wrote: On 27/05/15 15:53, Fraser Tweedale wrote: This patch adds support for multiple user / host certificates. No schema change is needed ('usercertificate' attribute is already multi-value). The

Re: [Freeipa-devel] [PATCH 0014] Support multiple user and host certificates

2015-05-28 Thread Martin Basti
On 28/05/15 11:17, Fraser Tweedale wrote: On Thu, May 28, 2015 at 10:40:22AM +0200, Martin Basti wrote: On 28/05/15 10:13, Fraser Tweedale wrote: On Wed, May 27, 2015 at 06:12:50PM +0200, Martin Basti wrote: On 27/05/15 15:53, Fraser Tweedale wrote: This patch adds support for multiple user

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Jan Cholasta
On 28.5.2015 at 12:53, Christian Heimes wrote: On 2015-05-28 12:46, Martin Kosek wrote: I am fine with this too. So if there is not another major disagreement, let us start with enabling KDCPROXY by default during upgrade/install, the new ACI and the per-replica standard configuration. API

Re: [Freeipa-devel] [PATCHES 0001-0013 v5] Profiles and CA ACLs

2015-05-28 Thread Petr Vobornik
On 05/28/2015 11:48 AM, Martin Basti wrote: On 27/05/15 16:04, Fraser Tweedale wrote: Hello all, Fresh certificate management patchset; Changelog: - Now depends on patch freeipa-ftweedal-0014 for correct cert-request behaviour with host and service principals. - Updated Dogtag dependency

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Alexander Bokovoy
On Thu, 28 May 2015, Petr Spacek wrote: On 28.5.2015 07:42, Jan Cholasta wrote: On 27.5.2015 at 15:54, Simo Sorce wrote: On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote: On 27.5.2015 at 15:43, Simo Sorce wrote: On Wed, 2015-05-27 at 13:57 +0200, Jan Cholasta wrote: ipa

Re: [Freeipa-devel] [PATCH 0014] Support multiple user and host certificates

2015-05-28 Thread Martin Kosek
On 05/28/2015 11:17 AM, Martin Basti wrote: On 28/05/15 10:46, Martin Kosek wrote: On 05/27/2015 06:12 PM, Martin Basti wrote: On 27/05/15 15:53, Fraser Tweedale wrote: This patch adds support for multiple user / host certificates. No schema change is needed ('usercertificate' attribute is

[Freeipa-devel] [PATCHES 326-328] ID Views improvements

2015-05-28 Thread Tomas Babej
Hi, this couple of patches improves ID Views and ID overrides handling. See commit messages for details. Tomas From 8acc50c10d9886668a0147b46f311f9aa83294bb Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Wed, 27 May 2015 14:31:13 +0200 Subject: [PATCH] idviews: Set dcerpc

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Martin Basti
On 28/05/15 12:53, Christian Heimes wrote: On 2015-05-28 12:46, Martin Kosek wrote: I am fine with this too. So if there is not another major disagreement, let us start with enabling KDCPROXY by default during upgrade/install, the new ACI and the per-replica standard configuration. API CLI/UI

Re: [Freeipa-devel] [PATCHES 0001-0013 v5] Profiles and CA ACLs

2015-05-28 Thread Martin Basti
On 27/05/15 16:04, Fraser Tweedale wrote: Hello all, Fresh certificate management patchset; Changelog: - Now depends on patch freeipa-ftweedal-0014 for correct cert-request behaviour with host and service principals. - Updated Dogtag dependency to 10.2.4-1. Should be in f22

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Martin Kosek
On 05/28/2015 12:27 PM, Alexander Bokovoy wrote: On Thu, 28 May 2015, Christian Heimes wrote: On 2015-05-28 12:10, Petr Spacek wrote: I see. My question is - if we go this way, what is then the reasonable subset configuration functionality realistic for FreeIPA 4.2 GA? (As we want this

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Petr Spacek
On 28.5.2015 11:59, Martin Kosek wrote: On 05/28/2015 11:12 AM, Alexander Bokovoy wrote: On Thu, 28 May 2015, Petr Spacek wrote: On 28.5.2015 07:42, Jan Cholasta wrote: On 27.5.2015 at 15:54, Simo Sorce wrote: On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote: Dne 27.5.2015 v 15:43

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Alexander Bokovoy
On Thu, 28 May 2015, Christian Heimes wrote: On 2015-05-28 12:10, Petr Spacek wrote: I see. My question is - if we go this way, what is then the reasonable subset configuration functionality realistic for FreeIPA 4.2 GA? (As we want this feature in for 4.2). Is ipa-kdcproxy-manage doable? What

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Petr Spacek
On 28.5.2015 12:53, Christian Heimes wrote: On 2015-05-28 12:46, Martin Kosek wrote: I am fine with this too. So if there is not another major disagreement, let us start with enabling KDCPROXY by default during upgrade/install, the new ACI and the per-replica standard configuration. API

Re: [Freeipa-devel] [PATCH 0014] Support multiple user and host certificates

2015-05-28 Thread Fraser Tweedale
Updated patch attached. Notably restores/adds revocation behaviour to host-mod and service-mod. Thanks, Fraser On Wed, May 27, 2015 at 06:12:50PM +0200, Martin Basti wrote: On 27/05/15 15:53, Fraser Tweedale wrote: This patch adds support for multiple user / host certificates. No schema

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Jan Cholasta
On 28.5.2015 at 13:56, Christian Heimes wrote: On 2015-05-28 13:30, Jan Cholasta wrote: On 28.5.2015 at 12:53, Christian Heimes wrote: On 2015-05-28 12:46, Martin Kosek wrote: I am fine with this too. So if there is not another major disagreement, let us start with enabling KDCPROXY by

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Martin Basti
On 28/05/15 14:06, Christian Heimes wrote: On 2015-05-28 13:29, Martin Basti wrote: On 28/05/15 12:53, Christian Heimes wrote: On 2015-05-28 12:46, Martin Kosek wrote: I am fine with this too. So if there is not another major disagreement, let us start with enabling KDCPROXY by default during

Re: [Freeipa-devel] [PATCH 0039] ipa-kdb: common function to get key encodings/salt types

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 14:43 +0200, Martin Babinsky wrote: A small improvement upon simo's fix for https://fedorahosted.org/freeipa/ticket/4914 -- Martin^3 Babinsky LGTM. Simo. -- Manage your subscription for the Freeipa-devel mailing list:

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Martin Kosek
On 05/28/2015 03:06 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 07:42 +0200, Jan Cholasta wrote: On 27.5.2015 at 15:54, Simo Sorce wrote: On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote: On 27.5.2015 at 15:43, Simo Sorce wrote: On Wed, 2015-05-27 at 13:57 +0200, Jan Cholasta

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 12:14 +0300, Alexander Bokovoy wrote: On Thu, 28 May 2015, Martin Kosek wrote: On 05/28/2015 10:02 AM, Jan Cholasta wrote: On 28.5.2015 at 09:45, Christian Heimes wrote: On 2015-05-28 07:32, Jan Cholasta wrote: On 27.5.2015 at 16:01, Christian Heimes wrote: On

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Christian Heimes
On 2015-05-28 13:30, Jan Cholasta wrote: On 28.5.2015 at 12:53, Christian Heimes wrote: On 2015-05-28 12:46, Martin Kosek wrote: I am fine with this too. So if there is not another major disagreement, let us start with enabling KDCPROXY by default during upgrade/install, the new ACI and

Re: [Freeipa-devel] [PATCH 0014] Support multiple user and host certificates

2015-05-28 Thread Martin Basti
On 28/05/15 14:29, Petr Spacek wrote: On 28.5.2015 12:06, Fraser Tweedale wrote: On Thu, May 28, 2015 at 11:52:25AM +0200, Martin Kosek wrote: On 05/28/2015 11:17 AM, Martin Basti wrote: On 28/05/15 10:46, Martin Kosek wrote: On 05/27/2015 06:12 PM, Martin Basti wrote: On 27/05/15 15:53,

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 14:11 +0200, Petr Spacek wrote: On 28.5.2015 10:49, Martin Kosek wrote: On 05/28/2015 09:05 AM, Petr Spacek wrote: On 28.5.2015 08:55, Jan Cholasta wrote: On 26.5.2015 at 16:32, Petr Spacek wrote: On 26.5.2015 16:16, Martin Kosek wrote: On 05/26/2015 04:13 PM,

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Ludwig Krispenz
On 05/28/2015 03:52 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 15:39 +0200, Oleg Fayans wrote: On 05/28/2015 03:26 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 14:11 +0200, Petr Spacek wrote: On 28.5.2015 10:49, Martin Kosek wrote: On 05/28/2015 09:05 AM, Petr Spacek wrote: On 28.5.2015

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 16:04 +0200, Martin Kosek wrote: On 05/28/2015 04:04 PM, Ludwig Krispenz wrote: On 05/28/2015 04:00 PM, Martin Kosek wrote: On 05/28/2015 03:57 PM, Ludwig Krispenz wrote: On 05/28/2015 03:47 PM, Martin Kosek wrote: On 05/27/2015 04:59 PM, Martin Kosek wrote: ...

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Oleg Fayans
Hi Simo, On 05/28/2015 03:52 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 15:39 +0200, Oleg Fayans wrote: On 05/28/2015 03:26 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 14:11 +0200, Petr Spacek wrote: On 28.5.2015 10:49, Martin Kosek wrote: On 05/28/2015 09:05 AM, Petr Spacek wrote: On

Re: [Freeipa-devel] Sudorules user validation help

2015-05-28 Thread Drew Erny
In the ticket, however, it's stated that if the user wants to use any combination of weird characters, they should be able to. Would it be better to just define a function like def validate_username(username, ignore_pattern=False): and have it ignore all username validation? On 05/28/2015

[Freeipa-devel] KDC proxy implementation specs

2015-05-28 Thread Christian Heimes
Hello, thank you for your input. The former thread has 58 messages in total. Since last Friday we have come to an agreement in most points. I like to sum up our decisions and focus on some minor details. decisions - python-kdcproxy will be installed as a dependency of freeipa-server.

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Martin Kosek
On 05/28/2015 04:07 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 16:02 +0200, Martin Kosek wrote: On 05/28/2015 04:00 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 15:47 +0200, Martin Kosek wrote: On 05/27/2015 04:59 PM, Martin Kosek wrote: ... Domain Levels - Done, committed - Defaults to

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 16:02 +0200, Jan Cholasta wrote: f3010498af2a4b98512d219b8e09101176c172fe. This is perfect! Thanks a lot.

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 16:23 +0200, Oleg Fayans wrote: Hi Simo, On 05/28/2015 03:52 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 15:39 +0200, Oleg Fayans wrote: On 05/28/2015 03:26 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 14:11 +0200, Petr Spacek wrote: On 28.5.2015 10:49, Martin

Re: [Freeipa-devel] Sudorules user validation help

2015-05-28 Thread Drew Erny
OK, I see now what you mean by that. That is a simpler solution. I'll do it that way. On 05/28/2015 04:44 AM, Martin Kosek wrote: On 05/27/2015 08:41 PM, Drew Erny wrote: Hey, Freeipa-devel, I'm working on ticket #3226 (https://fedorahosted.org/freeipa/ticket/3226) I've identified the

Re: [Freeipa-devel] [PATCH 0014] Support multiple user and host certificates

2015-05-28 Thread Martin Kosek
On 05/28/2015 02:29 PM, Petr Spacek wrote: On 28.5.2015 12:06, Fraser Tweedale wrote: On Thu, May 28, 2015 at 11:52:25AM +0200, Martin Kosek wrote: On 05/28/2015 11:17 AM, Martin Basti wrote: On 28/05/15 10:46, Martin Kosek wrote: On 05/27/2015 06:12 PM, Martin Basti wrote: On 27/05/15

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Martin Kosek
On 05/28/2015 04:00 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 15:47 +0200, Martin Kosek wrote: On 05/27/2015 04:59 PM, Martin Kosek wrote: ... Domain Levels - Done, committed - Defaults to Level 1, i.e. Topology plugin powered infra enabled With respect to related Simo's response in

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Jan Cholasta
On 28.5.2015 at 16:00, Simo Sorce wrote: On Thu, 2015-05-28 at 15:47 +0200, Martin Kosek wrote: On 05/27/2015 04:59 PM, Martin Kosek wrote: ... Domain Levels - Done, committed - Defaults to Level 1, i.e. Topology plugin powered infra enabled With respect to related Simo's response in

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Ludwig Krispenz
On 05/28/2015 04:04 PM, Martin Kosek wrote: On 05/28/2015 04:04 PM, Ludwig Krispenz wrote: On 05/28/2015 04:00 PM, Martin Kosek wrote: On 05/28/2015 03:57 PM, Ludwig Krispenz wrote: On 05/28/2015 03:47 PM, Martin Kosek wrote: On 05/27/2015 04:59 PM, Martin Kosek wrote: ... Domain Levels -

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Ludwig Krispenz
On 05/28/2015 04:17 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 16:04 +0200, Martin Kosek wrote: On 05/28/2015 04:04 PM, Ludwig Krispenz wrote: On 05/28/2015 04:00 PM, Martin Kosek wrote: On 05/28/2015 03:57 PM, Ludwig Krispenz wrote: On 05/28/2015 03:47 PM, Martin Kosek wrote: On

Re: [Freeipa-devel] [PATCH 0014] Support multiple user and host certificates

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 15:43 +0200, Martin Kosek wrote: On 05/28/2015 02:29 PM, Petr Spacek wrote: On 28.5.2015 12:06, Fraser Tweedale wrote: On Thu, May 28, 2015 at 11:52:25AM +0200, Martin Kosek wrote: On 05/28/2015 11:17 AM, Martin Basti wrote: On 28/05/15 10:46, Martin Kosek wrote:

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Ludwig Krispenz
On 05/28/2015 03:47 PM, Martin Kosek wrote: On 05/27/2015 04:59 PM, Martin Kosek wrote: ... Domain Levels - Done, committed - Defaults to Level 1, i.e. Topology plugin powered infra enabled With respect to related Simo's response in

Re: [Freeipa-devel] [PATCH 0014] Support multiple user and host certificates

2015-05-28 Thread Petr Spacek
On 28.5.2015 15:43, Martin Kosek wrote: On 05/28/2015 02:29 PM, Petr Spacek wrote: On 28.5.2015 12:06, Fraser Tweedale wrote: On Thu, May 28, 2015 at 11:52:25AM +0200, Martin Kosek wrote: On 05/28/2015 11:17 AM, Martin Basti wrote: On 28/05/15 10:46, Martin Kosek wrote: On 05/27/2015 06:12

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 15:47 +0200, Martin Kosek wrote: On 05/27/2015 04:59 PM, Martin Kosek wrote: ... Domain Levels - Done, committed - Defaults to Level 1, i.e. Topology plugin powered infra enabled With respect to related Simo's response in

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Martin Kosek
On 05/28/2015 03:57 PM, Ludwig Krispenz wrote: On 05/28/2015 03:47 PM, Martin Kosek wrote: On 05/27/2015 04:59 PM, Martin Kosek wrote: ... Domain Levels - Done, committed - Defaults to Level 1, i.e. Topology plugin powered infra enabled With respect to related Simo's response in

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 16:02 +0200, Martin Kosek wrote: On 05/28/2015 04:00 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 15:47 +0200, Martin Kosek wrote: On 05/27/2015 04:59 PM, Martin Kosek wrote: ... Domain Levels - Done, committed - Defaults to Level 1, i.e. Topology plugin powered

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Martin Basti
On 28/05/15 16:29, Simo Sorce wrote: On Thu, 2015-05-28 at 16:23 +0200, Oleg Fayans wrote: Hi Simo, On 05/28/2015 03:52 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 15:39 +0200, Oleg Fayans wrote: On 05/28/2015 03:26 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 14:11 +0200, Petr Spacek wrote:

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 15:54 +0200, Ludwig Krispenz wrote: On 05/28/2015 03:26 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 14:11 +0200, Petr Spacek wrote: On 28.5.2015 10:49, Martin Kosek wrote: On 05/28/2015 09:05 AM, Petr Spacek wrote: On 28.5.2015 08:55, Jan Cholasta wrote: Dne

Re: [Freeipa-devel] KDC proxy implementation specs

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 10:48 -0400, Nathaniel McCallum wrote: On Thu, 2015-05-28 at 16:34 +0200, Christian Heimes wrote: Hello, thank you for your input. The former thread has 58 messages in total. Since last Friday we have come to an agreement in most points. I like to sum up

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 10:46 -0400, Simo Sorce wrote: On Thu, 2015-05-28 at 15:54 +0200, Ludwig Krispenz wrote: On 05/28/2015 03:26 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 14:11 +0200, Petr Spacek wrote: On 28.5.2015 10:49, Martin Kosek wrote: On 05/28/2015 09:05 AM, Petr Spacek

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 16:14 +0200, Martin Kosek wrote: On 05/28/2015 04:07 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 16:02 +0200, Martin Kosek wrote: On 05/28/2015 04:00 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 15:47 +0200, Martin Kosek wrote: On 05/27/2015 04:59 PM, Martin Kosek

Re: [Freeipa-devel] KDC proxy implementation specs

2015-05-28 Thread Christian Heimes
On 2015-05-28 16:53, Simo Sorce wrote: We can't have 2 different keytabs with the same principal name. If we need privilege separation we'll have to work on integrating GSS-Proxy and give the keytab only to GSS-Proxy leaving it off the hands of both the framework, the proxy, and apache itself.

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Ludwig Krispenz
On 05/28/2015 04:46 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 15:54 +0200, Ludwig Krispenz wrote: On 05/28/2015 03:26 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 14:11 +0200, Petr Spacek wrote: On 28.5.2015 10:49, Martin Kosek wrote: On 05/28/2015 09:05 AM, Petr Spacek wrote: On

Re: [Freeipa-devel] KDC proxy implementation specs

2015-05-28 Thread Christian Heimes
On 2015-05-28 16:48, Nathaniel McCallum wrote: An apache module would also provide similar benefits. I'm not sure I necessarily want to stick with python here if we're optimizing for performance. Another option would be to add it to the KDC itself and proxy through Apache like we do for

Re: [Freeipa-devel] Sudorules user validation help

2015-05-28 Thread Martin Kosek
On 05/28/2015 04:27 PM, Drew Erny wrote: In the ticket, however, it's stated that if the user wants to use any combination of weird characters, they should be able to. Would it be better to just define a function like def validate_username(username, ignore_pattern=False): and have it

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 16:59 +0200, Ludwig Krispenz wrote: On 05/28/2015 04:46 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 15:54 +0200, Ludwig Krispenz wrote: On 05/28/2015 03:26 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 14:11 +0200, Petr Spacek wrote: On 28.5.2015 10:49, Martin Kosek

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Ludwig Krispenz
On 05/28/2015 05:03 PM, Martin Kosek wrote: On 05/28/2015 04:59 PM, Ludwig Krispenz wrote: On 05/28/2015 04:46 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 15:54 +0200, Ludwig Krispenz wrote: On 05/28/2015 03:26 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 14:11 +0200, Petr Spacek wrote: On

Re: [Freeipa-devel] New replica installation and topology - we need stable base

2015-05-28 Thread Martin Kosek
On 05/28/2015 04:57 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 16:14 +0200, Martin Kosek wrote: On 05/28/2015 04:07 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 16:02 +0200, Martin Kosek wrote: On 05/28/2015 04:00 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 15:47 +0200, Martin Kosek wrote:

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 16:40 +0200, Martin Basti wrote: On 28/05/15 16:29, Simo Sorce wrote: On Thu, 2015-05-28 at 16:23 +0200, Oleg Fayans wrote: Hi Simo, On 05/28/2015 03:52 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 15:39 +0200, Oleg Fayans wrote: On 05/28/2015 03:26 PM, Simo Sorce

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Martin Kosek
On 05/28/2015 04:59 PM, Ludwig Krispenz wrote: On 05/28/2015 04:46 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 15:54 +0200, Ludwig Krispenz wrote: On 05/28/2015 03:26 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 14:11 +0200, Petr Spacek wrote: On 28.5.2015 10:49, Martin Kosek wrote: On

Re: [Freeipa-devel] KDC proxy implementation specs

2015-05-28 Thread Nathaniel McCallum
On Thu, 2015-05-28 at 16:34 +0200, Christian Heimes wrote: Hello, thank you for your input. The former thread has 58 messages in total. Since last Friday we have come to an agreement in most points. I like to sum up our decisions and focus on some minor details. decisions -

Re: [Freeipa-devel] KDC proxy implementation specs

2015-05-28 Thread Nathaniel McCallum
On Thu, 2015-05-28 at 17:07 +0200, Christian Heimes wrote: On 2015-05-28 16:48, Nathaniel McCallum wrote: An apache module would also provide similar benefits. I'm not sure I necessarily want to stick with python here if we're optimizing for performance. Another option would be to add it

Re: [Freeipa-devel] KDC proxy implementation specs

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 17:00 +0200, Christian Heimes wrote: On 2015-05-28 16:53, Simo Sorce wrote: We can't have 2 different keytabs with the same principal name. If we need privilege separation we'll have to work on integrating GSS-Proxy and give the keytab only to GSS-Proxy leaving it off

Re: [Freeipa-devel] KDC proxy implementation specs

2015-05-28 Thread Christian Heimes
On 2015-05-28 17:10, Simo Sorce wrote: On Thu, 2015-05-28 at 17:00 +0200, Christian Heimes wrote: On 2015-05-28 16:53, Simo Sorce wrote: We can't have 2 different keytabs with the same principal name. If we need privilege separation we'll have to work on integrating GSS-Proxy and give the

Re: [Freeipa-devel] KDC proxy implementation specs

2015-05-28 Thread Rob Crittenden
Simo Sorce wrote: On Thu, 2015-05-28 at 17:00 +0200, Christian Heimes wrote: On 2015-05-28 16:53, Simo Sorce wrote: We can't have 2 different keytabs with the same principal name. If we need privilege separation we'll have to work on integrating GSS-Proxy and give the keytab only to GSS-Proxy

Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-28 Thread Christian Heimes
On 2015-05-28 13:29, Martin Basti wrote: On 28/05/15 12:53, Christian Heimes wrote: On 2015-05-28 12:46, Martin Kosek wrote: I am fine with this too. So if there is not another major disagreement, let us start with enabling KDCPROXY by default during upgrade/install, the new ACI and the

Re: [Freeipa-devel] [PATCH 0377-0382] Synchronize changes from LDAP after reconnect

2015-05-28 Thread Matus Honek
Hi, functionality seems to work fine. I have not checked the code thoroughly. Kind of a test is attached (requires setting named's ldap connection appropriately). ACK Matúš Honěk - Original Message - From: Petr Spacek pspa...@redhat.com To: tho...@redhat.com, Matus Honek

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Ludwig Krispenz
On 05/28/2015 05:35 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 17:18 +0200, Ludwig Krispenz wrote: On 05/28/2015 05:03 PM, Martin Kosek wrote: On 05/28/2015 04:59 PM, Ludwig Krispenz wrote: On 05/28/2015 04:46 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 15:54 +0200, Ludwig Krispenz wrote:

Re: [Freeipa-devel] KDC proxy implementation specs

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 17:13 +0200, Christian Heimes wrote: On 2015-05-28 17:10, Simo Sorce wrote: On Thu, 2015-05-28 at 17:00 +0200, Christian Heimes wrote: On 2015-05-28 16:53, Simo Sorce wrote: We can't have 2 different keytabs with the same principal name. If we need privilege

Re: [Freeipa-devel] Domain level for topology plugin = 2

2015-05-28 Thread Simo Sorce
On Thu, 2015-05-28 at 17:18 +0200, Ludwig Krispenz wrote: On 05/28/2015 05:03 PM, Martin Kosek wrote: On 05/28/2015 04:59 PM, Ludwig Krispenz wrote: On 05/28/2015 04:46 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 15:54 +0200, Ludwig Krispenz wrote: On 05/28/2015 03:26 PM, Simo Sorce