Re: [Freeipa-devel] [PATCH 0291, 0292] Limit max age of replication changelog

2015-07-22 Thread Martin Basti
On 20/07/15 19:04, Mark Reynolds wrote: On 07/20/2015 12:50 PM, Martin Basti wrote: On 20/07/15 17:48, Petr Vobornik wrote: On 07/20/2015 05:24 PM, Rob Crittenden wrote: Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5086 Patch attached. Is this going to be a shock on

Re: [Freeipa-devel] [PATCH 0293] Allow to set number of DB locks during install

2015-07-22 Thread German Parente
Hi Martin, imho, nsslapd-db-locks is an advanced parameter and should be set by customer at RHDS level, not at replica creation. The problem we have had at customer site is that the default was not enough to do the replication total update. So, replica creation was failing and we couldn't

Re: [Freeipa-devel] [PATCH 0293] Allow to set number of DB locks during install

2015-07-22 Thread Martin Basti
On 22/07/15 17:13, German Parente wrote: Hi Martin, imho, nsslapd-db-locks is an advanced parameter and should be set by customer at RHDS level, not at replica creation. The problem we have had at customer site is that the default was not enough to do the replication total update. So,

Re: [Freeipa-devel] [PATCH 0001] Test Topology plugin is listed among DS plugins

2015-07-22 Thread Martin Basti
On 22/07/15 15:19, Oleg Fayans wrote: Hi Martin, Fixed. On 07/22/2015 09:26 AM, Martin Basti wrote: On 22/07/15 09:23, Oleg Fayans wrote: Hi Martin, Patch updated. Thank you for the review! On 07/21/2015 05:45 PM, Martin Basti wrote: On 20/07/15 14:07, Oleg Fayans wrote: Hi Martin,

Re: [Freeipa-devel] [PATCH 0293] Allow to set number of DB locks during install

2015-07-22 Thread Petr Vobornik
On 07/22/2015 04:54 PM, Martin Basti wrote: On 22/07/15 16:52, Ludwig Krispenz wrote: On 07/22/2015 03:56 PM, Martin Basti wrote: Hello all, I attached WIP patch to solve https://fedorahosted.org/freeipa/ticket/4949 I received several suggestions: 1) (implemented in patch) is to add the

[Freeipa-devel] [PATCH 0085] Limit request sizes to /KdcProxy

2015-07-22 Thread Nathaniel McCallum
Related: CVE-2015-5159From b9595d34e36d967d57c0f72f26fca40b913c6d5e Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum npmccal...@redhat.com Date: Wed, 22 Jul 2015 14:18:16 -0400 Subject: [PATCH] Limit request sizes to /KdcProxy Related: CVE-2015-5159 --- install/conf/ipa-kdc-proxy.conf.template

Re: [Freeipa-devel] [PATCH 0085] Limit request sizes to /KdcProxy

2015-07-22 Thread Christian Heimes
On 2015-07-22 20:23, Nathaniel McCallum wrote: Related: CVE-2015-5159 https://bugzilla.redhat.com/show_bug.cgi?id=1245200 The patch prevents a flood attack but I consider more a workaround than a solution. I'll update kdcproxy tomorrow. Christian

Re: [Freeipa-devel] [PATCH 0085] Limit request sizes to /KdcProxy

2015-07-22 Thread Nathaniel McCallum
On Wed, 2015-07-22 at 20:34 +0200, Christian Heimes wrote: On 2015-07-22 20:23, Nathaniel McCallum wrote: Related: CVE-2015-5159 https://bugzilla.redhat.com/show_bug.cgi?id=1245200 The patch prevents a flood attack but I consider more a workaround than a solution. I'll update kdcproxy

Re: [Freeipa-devel] [PATCH 0085] Limit request sizes to /KdcProxy

2015-07-22 Thread Christian Heimes
On 2015-07-22 20:38, Nathaniel McCallum wrote: On Wed, 2015-07-22 at 20:34 +0200, Christian Heimes wrote: On 2015-07-22 20:23, Nathaniel McCallum wrote: Related: CVE-2015-5159 https://bugzilla.redhat.com/show_bug.cgi?id=1245200 The patch prevents a flood attack but I consider more a

Re: [Freeipa-devel] [PATCH 0085] Limit request sizes to /KdcProxy

2015-07-22 Thread Nathaniel McCallum
On Wed, 2015-07-22 at 14:38 -0400, Nathaniel McCallum wrote: On Wed, 2015-07-22 at 20:34 +0200, Christian Heimes wrote: On 2015-07-22 20:23, Nathaniel McCallum wrote: Related: CVE-2015-5159 https://bugzilla.redhat.com/show_bug.cgi?id=1245200 The patch prevents a flood attack but I

Re: [Freeipa-devel] [PATCH 0085] Limit request sizes to /KdcProxy

2015-07-22 Thread Nathaniel McCallum
On Wed, 2015-07-22 at 20:47 +0200, Christian Heimes wrote: On 2015-07-22 20:38, Nathaniel McCallum wrote: On Wed, 2015-07-22 at 20:34 +0200, Christian Heimes wrote: On 2015-07-22 20:23, Nathaniel McCallum wrote: Related: CVE-2015-5159

Re: [Freeipa-devel] [PATCH 0349] tests: test_cert: Services can have multiple certificates

2015-07-22 Thread Martin Babinsky
On 07/21/2015 06:03 PM, Tomas Babej wrote: Hi, Old certificates of the services are no longer removed and revoked after new ones have been issued. Check that both old and new certificates are present. Tomas ACK -- Martin^3 Babinsky -- Manage your subscription for the Freeipa-devel

Re: [Freeipa-devel] [PATCH 0001] Test Topology plugin is listed among DS plugins

2015-07-22 Thread Martin Basti
On 22/07/15 09:23, Oleg Fayans wrote: Hi Martin, Patch updated. Thank you for the review! On 07/21/2015 05:45 PM, Martin Basti wrote: On 20/07/15 14:07, Oleg Fayans wrote: Hi Martin, Updated. On 07/20/2015 12:46 PM, Martin Basti wrote: On 20/07/15 11:57, Oleg Fayans wrote: +

Re: [Freeipa-devel] [PATCH 0342] idviews: Check for the Default Trust View only if applying

2015-07-22 Thread Tomas Babej
On 07/22/2015 09:04 AM, Martin Basti wrote: On 21/07/15 12:47, Tomas Babej wrote: Hi, Currently, the code wrongly validates the idview-unapply command. Move check for the forbidden application of the Default Trust View into the correct logical branch.

Re: [Freeipa-devel] [PATCH 0345] tests: realmdomains_plugin: Add explanatory comment

2015-07-22 Thread Tomas Babej
On 07/22/2015 09:07 AM, Martin Basti wrote: On 21/07/15 18:02, Tomas Babej wrote: Hi, The realmdomains_mod command will fail if the testing environment is configured improperly and the IPA domain's NS/SOA records are not resolvable. This can easily happen if the machine's DNS server is not

Re: [Freeipa-devel] [PATCH 0342] idviews: Check for the Default Trust View only if applying

2015-07-22 Thread Martin Basti
On 21/07/15 12:47, Tomas Babej wrote: Hi, Currently, the code wrongly validates the idview-unapply command. Move check for the forbidden application of the Default Trust View into the correct logical branch. https://fedorahosted.org/freeipa/ticket/4969 Tomas ACK -- Martin Basti --

Re: [Freeipa-devel] [PATCH 0001] Test Topology plugin is listed among DS plugins

2015-07-22 Thread Oleg Fayans
Hi Martin, Patch updated. Thank you for the review! On 07/21/2015 05:45 PM, Martin Basti wrote: On 20/07/15 14:07, Oleg Fayans wrote: Hi Martin, Updated. On 07/20/2015 12:46 PM, Martin Basti wrote: On 20/07/15 11:57, Oleg Fayans wrote: +pwfile = api.env.dot_ipa + os.sep + .dmpw +

Re: [Freeipa-devel] [PATCH] otptoken: use ipapython.nsslib instead of Python's ssl module

2015-07-22 Thread Martin Basti
On 07/07/15 18:40, Christian Heimes wrote: Hello, the patch removes the dependency on Python's ssl module and python-backports-ssl_match_hostname. https://fedorahosted.org/freeipa/ticket/5068 Open question - Is paths.IPA_NSSDB_DIR the correct NSSDB? Should be. Christian

Re: [Freeipa-devel] [PATCH 0050] Fix client ca.crt to match the server's cert

2015-07-22 Thread Martin Basti
On 13/07/15 17:55, Martin Basti wrote: On 08/07/15 16:09, Gabe Alford wrote: Thanks, Martin. Update patch attached. I was getting an 'No newline at the end of file' in my environment hence an extra '\n' at the end. Please let me know if you see the same thing. Thanks, Gabe On Wed, Jul 1,

Re: [Freeipa-devel] [PATCH 0344] tests: service_plugin: Make sure the cert is decoded from

2015-07-22 Thread Tomas Babej
On 07/22/2015 08:40 AM, Martin Babinsky wrote: On 07/21/2015 06:01 PM, Tomas Babej wrote: Hi, this patch fixes an issue in tests where the certificate was not decoded from base64 representation. Tomas ACK Pushed to: master: 12395a94f38f4db23e356a6f7d96629155c02532 ipa-4-2:

Re: [Freeipa-devel] [PATCH 0347] tests: vault_plugin: Skip tests if KRA not available

2015-07-22 Thread Martin Babinsky
On 07/21/2015 06:03 PM, Tomas Babej wrote: Hi, the vault tests should be skipped in case the KRA is not available on the machine. Tomas ACK -- Martin^3 Babinsky

Re: [Freeipa-devel] [PATCH 0345] tests: realmdomains_plugin: Add explanatory comment

2015-07-22 Thread Martin Basti
On 21/07/15 18:02, Tomas Babej wrote: Hi, The realmdomains_mod command will fail if the testing environment is configured improperly and the IPA domain's NS/SOA records are not resolvable. This can easily happen if the machine's DNS server is not configured to the IPA server. Leave a

Re: [Freeipa-devel] [PATCH 0347] tests: vault_plugin: Skip tests if KRA not available

2015-07-22 Thread Tomas Babej
On 07/22/2015 08:41 AM, Martin Babinsky wrote: On 07/21/2015 06:03 PM, Tomas Babej wrote: Hi, the vault tests should be skipped in case the KRA is not available on the machine. Tomas ACK Pushed to: master: 8eb26e9230e43eb2683778b8d667c6c7e632ec36 ipa-4-2:

Re: [Freeipa-devel] [PATCH 0346] tests: Version is currently generated during command call

2015-07-22 Thread Tomas Babej
On 07/22/2015 08:56 AM, Martin Basti wrote: On 21/07/15 18:02, Tomas Babej wrote: Hi, In the previous versions, version in the response was generated as part of the process_keyword_arguments method. This is no longer true, and so the explicit check for it should be removed. Tomas ACK

Re: [Freeipa-devel] [PATCH 0349] tests: test_cert: Services can have multiple certificates

2015-07-22 Thread Tomas Babej
On 07/22/2015 08:44 AM, Martin Babinsky wrote: On 07/21/2015 06:03 PM, Tomas Babej wrote: Hi, Old certificates of the services are no longer removed and revoked after new ones have been issued. Check that both old and new certificates are present. Tomas ACK Pushed to: master:

Re: [Freeipa-devel] [PATCH 0348] tests: test_rpc: Create connection for the current thread

2015-07-22 Thread Tomas Babej
On 07/22/2015 09:09 AM, Martin Basti wrote: On 21/07/15 18:03, Tomas Babej wrote: Hi, Both context.xmlclient and context.xmlclient_id need to be created in order to successfully call the Command.forward method. Tomas ACK -- Martin Basti Pushed to: master:

[Freeipa-devel] [PATCH 0350] dcerpc: Fix UnboundLocalError for ccache_name

2015-07-22 Thread Tomas Babej
Hi, this fixes an UnboundLocalError in DomainValidator.__search_in_dc. Alexander gave an ACK over IRC. Pushed to: master: cf59981cc2c6bb13c286188aa27cb10a49ff4a5e ipa-4-2: fe3fa23e5f34219fda7cba182de50b5bd8074fb7 From 5e97322f3896001dca0b0060ff9bd7e8de47da4e Mon Sep 17 00:00:00 2001 From: Tomas

[Freeipa-devel] [PATCH 0015] mod_auth_gssapi: Remove ntlmssp support and restrict, mechanism to krb5

2015-07-22 Thread Christian Heimes
By default mod_auth_gssapi allows all locally available mechanisms. If the gssntlmssp package is installed, it also offers ntlmssp. This has the annoying side effect that some browsers will pop up a username/password request dialog if no Krb5 credentials are available. The patch restricts the

Re: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi

2015-07-22 Thread Simo Sorce
Comments inline. - Original Message - From: Michael Simacek msima...@redhat.com To: freeipa-devel@redhat.com Sent: Tuesday, July 21, 2015 8:02:26 AM Subject: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi Hi, This is a first part of my effort to

Re: [Freeipa-devel] [PATCH 0015] mod_auth_gssapi: Remove ntlmssp support and restrict, mechanism to krb5

2015-07-22 Thread Simo Sorce
- Original Message - From: Christian Heimes chei...@redhat.com To: freeipa-devel freeipa-devel@redhat.com Sent: Wednesday, July 22, 2015 9:32:59 AM Subject: [Freeipa-devel] [PATCH 0015] mod_auth_gssapi: Remove ntlmssp support and restrict, mechanism to krb5 By default

[Freeipa-devel] [PATCH 0293] Allow to set number of DB locks during install

2015-07-22 Thread Martin Basti
Hello all, I attached WIP patch to solve https://fedorahosted.org/freeipa/ticket/4949 I received several suggestions: 1) (implemented in patch) is to add the option --db-locks to installer (maybe as hidden option) 2) Configure the nsslapd-db-locks to higher value as default (what is the

Re: [Freeipa-devel] [PATCH 0001] Test Topology plugin is listed among DS plugins

2015-07-22 Thread Oleg Fayans
Hi Martin, Fixed. On 07/22/2015 09:26 AM, Martin Basti wrote: On 22/07/15 09:23, Oleg Fayans wrote: Hi Martin, Patch updated. Thank you for the review! On 07/21/2015 05:45 PM, Martin Basti wrote: On 20/07/15 14:07, Oleg Fayans wrote: Hi Martin, Updated. On 07/20/2015 12:46 PM, Martin

Re: [Freeipa-devel] [PATCH 149] IPA KDB: allow case in-sensitive realm in AS request

2015-07-22 Thread Simo Sorce
- Original Message - From: Sumit Bose sb...@redhat.com To: freeipa-devel freeipa-devel@redhat.com Sent: Tuesday, July 21, 2015 7:41:14 AM Subject: [Freeipa-devel] [PATCH 149] IPA KDB: allow case in-sensitive realm in AS request Hi, this patch is my suggestion to solve

Re: [Freeipa-devel] [PATCH 0293] Allow to set number of DB locks during install

2015-07-22 Thread Jan Cholasta
Dne 22.7.2015 v 15:56 Martin Basti napsal(a): Hello all, I attached WIP patch to solve https://fedorahosted.org/freeipa/ticket/4949 I received several suggestions: 1) (implemented in patch) is to add the option --db-locks to installer (maybe as hidden option) 2) Configure the

Re: [Freeipa-devel] [PATCH 0344] tests: service_plugin: Make sure the cert is decoded from

2015-07-22 Thread Martin Babinsky
On 07/21/2015 06:01 PM, Tomas Babej wrote: Hi, this patch fixes an issue in tests where the certificate was not decoded from base64 representation. Tomas ACK -- Martin^3 Babinsky

Re: [Freeipa-devel] [PATCH 0346] tests: Version is currently generated during command call

2015-07-22 Thread Martin Basti
On 21/07/15 18:02, Tomas Babej wrote: Hi, In the previous versions, version in the response was generated as part of the process_keyword_arguments method. This is no longer true, and so the explicit check for it should be removed. Tomas ACK -- Martin Basti

Re: [Freeipa-devel] [PATCH 0348] tests: test_rpc: Create connection for the current thread

2015-07-22 Thread Martin Basti
On 21/07/15 18:03, Tomas Babej wrote: Hi, Both context.xmlclient and context.xmlclient_id need to be created in order to successfully call the Command.forward method. Tomas ACK -- Martin Basti

[Freeipa-devel] [PATCH] 905 webui: add Kerberos configuration instructions for Chrome

2015-07-22 Thread Petr Vobornik
* IE section moved at the end * Chrome section added * FF and IE icons removed https://fedorahosted.org/freeipa/ticket/823 -- Petr Vobornik From c3f96c2ab6395aa64b29137b34bc0a4a639f3965 Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Fri, 17 Jul 2015 15:57:30 +0200

Re: [Freeipa-devel] [PATCH 0085] Limit request sizes to /KdcProxy

2015-07-22 Thread Alexander Bokovoy
On Wed, 22 Jul 2015, Christian Heimes wrote: On 2015-07-22 20:38, Nathaniel McCallum wrote: On Wed, 2015-07-22 at 20:34 +0200, Christian Heimes wrote: On 2015-07-22 20:23, Nathaniel McCallum wrote: Related: CVE-2015-5159 https://bugzilla.redhat.com/show_bug.cgi?id=1245200 The patch

Re: [Freeipa-devel] [PATCH 0293] Allow to set number of DB locks during install

2015-07-22 Thread Ludwig Krispenz
On 07/22/2015 03:56 PM, Martin Basti wrote: Hello all, I attached WIP patch to solve https://fedorahosted.org/freeipa/ticket/4949 I received several suggestions: 1) (implemented in patch) is to add the option --db-locks to installer (maybe as hidden option) 2) Configure the

Re: [Freeipa-devel] [PATCH 0293] Allow to set number of DB locks during install

2015-07-22 Thread Martin Basti
On 22/07/15 16:52, Ludwig Krispenz wrote: On 07/22/2015 03:56 PM, Martin Basti wrote: Hello all, I attached WIP patch to solve https://fedorahosted.org/freeipa/ticket/4949 I received several suggestions: 1) (implemented in patch) is to add the option --db-locks to installer (maybe as