[Freeipa-devel] [freeipa PR#36] Fix tests for forward zones (opened)

2016-08-29 Thread pspacek
pspacek's pull request #36: "Fix tests for forward zones" was opened PR body: """ """ See the full pull-request at https://github.com/freeipa/freeipa/pull/36 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/36/head:pr36 git

[Freeipa-devel] [freeipa PR#22] otptoken: Convert ipatokenotpkey on server (closed)

2016-08-29 Thread jcholast
dkupka's pull request #22: "otptoken: Convert ipatokenotpkey on server" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/22 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/22/head:pr22 git

[Freeipa-devel] [freeipa PR#31] WebUI: add support for sub-CAs while revoking certificates and removing certificate hold (opened)

2016-08-29 Thread pvomacka
pvomacka's pull request #31: "WebUI: add support for sub-CAs while revoking certificates and removing certificate hold" was opened PR body: """ Revocation dialog has new field for setting a CA and these patches also fix showing details of certificates issued by sub-CAs.

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-29 Thread Petr Spacek
On 26.8.2016 17:40, Simo Sorce wrote: > On Fri, 2016-08-26 at 11:37 -0400, Simo Sorce wrote: >> Ie we could set both "allow" and "allow_with_time" on an object for >> cases where the admin wants to enforce the time part only o newer >> client >> but otherwise apply the rule to any client. > > I

[Freeipa-devel] [freeipa PR#27] [master, ipa-4-3] Tests: Fix integration sudo tests setup and checks (comment)

2016-08-29 Thread lslebodn
lslebodn commented on a pull request """ > This PR is not intended to fix a failing test, but fix their execution and > error checking. The negative tests for sudorule in master and ipa-4-3 (both > with sssd-1.14.1-1.fc24, see jenkins jobs for master [1] and ipa-4-3 [2]) > return following

[Freeipa-devel] [freeipa PR#22] otptoken: Convert ipatokenotpkey on server (+ack)

2016-08-29 Thread jcholast
dkupka's pull request #22: "otptoken: Convert ipatokenotpkey on server" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/22 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-29 Thread Jan Pazdziora
On Fri, Aug 26, 2016 at 10:39:53AM -0400, Simo Sorce wrote: > On Fri, 2016-08-26 at 12:39 +0200, Martin Basti wrote: > > > > How do you want to enforce HBAC rule that have set time from 10 to 14 > > everyday? With the same objectclass old clients will allow this HBAC > > for > > all day. Isn't

[Freeipa-devel] [freeipa PR#29] Enable LDAPS in replica promotion (comment)

2016-08-29 Thread jcholast
jcholast commented on a pull request """ LDAPS is not enabled during replica promotion because of this condition in DS setup: https://github.com/freeipa/freeipa/blob/master/ipaserver/install/dsinstance.py#L391 Maybe we can remove the condition rather than add `ds.enable_ssl()`? """ See the

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-29 Thread Jan Cholasta
On 26.8.2016 16:39, Simo Sorce wrote: On Fri, 2016-08-26 at 12:39 +0200, Martin Basti wrote: I miss "why" part of "To be able to handle backward compatibility with ease, a new object called ipaHBACRulev2 is introduced. " in the design page. If the reason is the above - old client's should

[Freeipa-devel] [freeipa PR#27] [master, ipa-4-3] Tests: Fix integration sudo tests setup and checks (comment)

2016-08-29 Thread lslebodn
lslebodn commented on a pull request """ The sudo test in master (ipatests/test_integration/test_sudo.py) is the same as in 4.3 branch. And it passed for me on fedora 24 with latest ipa-4.3. I tested with sssd-1.13.4-4 (stable version in fedora) and sssd-1.14.1-1.fc24 (version in updates

[Freeipa-devel] [freeipa PR#22] otptoken: Convert ipatokenotpkey on server (synchronize)

2016-08-29 Thread dkupka
dkupka's pull request #22: "otptoken: Convert ipatokenotpkey on server" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/22 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/22/head:pr22 git

[Freeipa-devel] [freeipa PR#14] Tests: Failing intree tests (+ack)

2016-08-29 Thread mbasti-rh
mirielka's pull request #14: "Tests: Failing intree tests" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/14 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to

[Freeipa-devel] [freeipa PR#26] Don't ignore --ignore-last-of-role for last CA (comment)

2016-08-29 Thread ofayans
ofayans commented on a pull request """ QA ACK. With these changes the issue is gone """ See the full comment at https://github.com/freeipa/freeipa/pull/26#issuecomment-243101582 -- Manage your subscription for the Freeipa-devel mailing list:

[Freeipa-devel] [freeipa PR#32] Test for caacl-add-service (opened)

2016-08-29 Thread gkaihorodova
gkaihorodova's pull request #32: "Test for caacl-add-service" was opened PR body: """ Test for caacl-add-service: incorrect error message when service does not exists https://fedorahosted.org/freeipa/ticket/6171 """ See the full pull-request at https://github.com/freeipa/freeipa/pull/32 ... or

[Freeipa-devel] [freeipa PR#26] Don't ignore --ignore-last-of-role for last CA (comment)

2016-08-29 Thread mbasti-rh
mbasti-rh commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/f0487946cd760a97d92aac12d98cf8bb748576a2 """ See the full comment at https://github.com/freeipa/freeipa/pull/26#issuecomment-243102220 -- Manage your subscription for the Freeipa-devel

[Freeipa-devel] [freeipa PR#26] Don't ignore --ignore-last-of-role for last CA (closed)

2016-08-29 Thread mbasti-rh
stlaz's pull request #26: "Don't ignore --ignore-last-of-role for last CA" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/26 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/26/head:pr26 git

[Freeipa-devel] [freeipa PR#26] Don't ignore --ignore-last-of-role for last CA (+pushed)

2016-08-29 Thread mbasti-rh
stlaz's pull request #26: "Don't ignore --ignore-last-of-role for last CA" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/26 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [freeipa PR#27] [master, ipa-4-3] Tests: Fix integration sudo tests setup and checks (comment)

2016-08-29 Thread lslebodn
lslebodn commented on a pull request """ I forgot to mention that it isn't necessary to it for all cases. maybe separate/new test might cover such test-case. """ See the full comment at https://github.com/freeipa/freeipa/pull/27#issuecomment-243083657 -- Manage your subscription for the

[Freeipa-devel] [freeipa PR#14] Tests: Failing intree tests (comment)

2016-08-29 Thread mbasti-rh
mbasti-rh commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/3c32af55b646819fa8938d9a6efa6c3189525c37 https://fedorahosted.org/freeipa/changeset/774e4e479db637840cc2441778b5486d4c3b91d3

[Freeipa-devel] [freeipa PR#14] Tests: Failing intree tests (closed)

2016-08-29 Thread mbasti-rh
mirielka's pull request #14: "Tests: Failing intree tests" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/14 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/14/head:pr14 git checkout pr14 --

[Freeipa-devel] [freeipa PR#14] Tests: Failing intree tests (+pushed)

2016-08-29 Thread mbasti-rh
mirielka's pull request #14: "Tests: Failing intree tests" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/14 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to

[Freeipa-devel] [freeipa PR#27] [master, ipa-4-3] Tests: Fix integration sudo tests setup and checks (comment)

2016-08-29 Thread mirielka
mirielka commented on a pull request """ Yes, I also though about not running e.g. `su -c "sudo -l" testuser` but `su -c "sudo -l -n" testuser` - it would report error `sudo: a password is required` instead of the previously pasted message that doesn't say that much... """ See the full comment

[Freeipa-devel] [freeipa PR#26] Don't ignore --ignore-last-of-role for last CA (+ack)

2016-08-29 Thread ofayans
stlaz's pull request #26: "Don't ignore --ignore-last-of-role for last CA" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/26 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-29 Thread Simo Sorce
On Mon, 2016-08-29 at 11:15 +0200, Jan Pazdziora wrote: > On Fri, Aug 26, 2016 at 10:39:53AM -0400, Simo Sorce wrote: > > On Fri, 2016-08-26 at 12:39 +0200, Martin Basti wrote: > > > > > > How do you want to enforce HBAC rule that have set time from 10 to 14 > > > everyday? With the same

[Freeipa-devel] [freeipa PR#29] Enable LDAPS in replica promotion (synchronize)

2016-08-29 Thread tomaskrizek
tomaskrizek's pull request #29: "Enable LDAPS in replica promotion" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/29 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/29/head:pr29 git

[Freeipa-devel] [freeipa PR#29] Enable LDAPS in replica promotion (comment)

2016-08-29 Thread tomaskrizek
tomaskrizek commented on a pull request """ @jcholast I'm not certain that enabling the LDAPS before replica promotion finishes won't have some unintended side effects. """ See the full comment at https://github.com/freeipa/freeipa/pull/29#issuecomment-243152442 -- Manage your subscription

[Freeipa-devel] [freeipa PR#29] Enable LDAPS in replica promotion (comment)

2016-08-29 Thread simo5
simo5 commented on a pull request """ That said we should probably enable_ssl righ tafter we get the cert and restart DS, and not in replicainstall.py """ See the full comment at https://github.com/freeipa/freeipa/pull/29#issuecomment-243156343 -- Manage your subscription for the

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-29 Thread Simo Sorce
On Mon, 2016-08-29 at 16:35 +0200, Petr Spacek wrote: > On 29.8.2016 16:34, Simo Sorce wrote: > > On Mon, 2016-08-29 at 09:13 +0200, Petr Spacek wrote: > >> On 26.8.2016 17:40, Simo Sorce wrote: > >>> On Fri, 2016-08-26 at 11:37 -0400, Simo Sorce wrote: > Ie we could set both "allow" and

[Freeipa-devel] [freeipa PR#29] Enable LDAPS in replica promotion (comment)

2016-08-29 Thread tomaskrizek
tomaskrizek commented on a pull request """ @jcholast I'm not certain that enabling the LDAPS before replication finishes won't have some unintended side effects. """ See the full comment at https://github.com/freeipa/freeipa/pull/29#issuecomment-243152442 -- Manage your subscription for the

[Freeipa-devel] [freeipa PR#29] Enable LDAPS in replica promotion (comment)

2016-08-29 Thread simo5
simo5 commented on a pull request """ @jcholast we can't enable ssl there as the cert is not available yet, look a few lines later: https://github.com/freeipa/freeipa/blob/master/ipaserver/install/dsinstance.py#L397 """ See the full comment at

[Freeipa-devel] [freeipa PR#29] Enable LDAPS in replica promotion (synchronize)

2016-08-29 Thread tomaskrizek
tomaskrizek's pull request #29: "Enable LDAPS in replica promotion" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/29 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/29/head:pr29 git

[Freeipa-devel] [freeipa PR#29] Enable LDAPS in replica promotion (comment)

2016-08-29 Thread tomaskrizek
tomaskrizek commented on a pull request """ I've updated the PR based on the comments, please review. """ See the full comment at https://github.com/freeipa/freeipa/pull/29#issuecomment-243164916 -- Manage your subscription for the Freeipa-devel mailing list:

[Freeipa-devel] [freeipa PR#29] Enable LDAPS in replica promotion (comment)

2016-08-29 Thread simo5
simo5 commented on a pull request """ LGTM """ See the full comment at https://github.com/freeipa/freeipa/pull/29#issuecomment-243174342 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA:

[Freeipa-devel] [freeipa PR#20] cert: include CA name in cert command output (synchronize)

2016-08-29 Thread jcholast
jcholast's pull request #20: "cert: include CA name in cert command output" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/20 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/20/head:pr20

[Freeipa-devel] [freeipa PR#34] dns: prompt for missing record parts in CLI (opened)

2016-08-29 Thread jcholast
jcholast's pull request #34: " dns: prompt for missing record parts in CLI" was opened PR body: """ Fix the code which determines if a record part is required and thus should be prompted not to wrongfully consider all record parts to be optional. Add a client-side fallback of the

[Freeipa-devel] [freeipa PR#35] rpcserver: assume version 1 for unversioned command calls (opened)

2016-08-29 Thread jcholast
jcholast's pull request #35: "rpcserver: assume version 1 for unversioned command calls" was opened PR body: """ When a command is called on the server over RPC without its version specified, assume version 1 instead of the highest known version. This ensures backward compatibility with old

[Freeipa-devel] [freeipa PR#27] [master, ipa-4-3] Tests: Fix integration sudo tests setup and checks (synchronize)

2016-08-29 Thread mirielka
mirielka's pull request #27: "[master, ipa-4-3] Tests: Fix integration sudo tests setup and checks" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/27 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch

[Freeipa-devel] [freeipa PR#34] dns: prompt for missing record parts in CLI (comment)

2016-08-29 Thread mbasti-rh
mbasti-rh commented on a pull request """ I really don't like to move definitions how to split params from classes to single function ``` def split_rrparam(name, value): ``` It doesn't look safe for me or easy to understand and maintain. When I want to add new DNS type, I have to check 3

[Freeipa-devel] [freeipa PR#20] cert: include CA name in cert command output (comment)

2016-08-29 Thread mbasti-rh
mbasti-rh commented on a pull request """ test_xmlrpc/test_cert_plugin.py F.F 2 same internal errors: ``` [Mon Aug 29 14:57:07.951307 2016] [wsgi:error] [pid 66778] ipa: ERROR: non-public: KeyError: ipapython.dn.DN('CN=SMIME CA,O=test industries Inc.') [Mon

[Freeipa-devel] [freeipa PR#34] dns: prompt for missing record parts in CLI (comment)

2016-08-29 Thread jcholast
jcholast commented on a pull request """ I'm afraid this can't be easily fixed due to the manner in which the dns plugin is implemented. I'm open to suggestions if you have any. """ See the full comment at https://github.com/freeipa/freeipa/pull/34#issuecomment-243114929 -- Manage your

[Freeipa-devel] [freeipa PR#29] Enable LDAPS in replica promotion (synchronize)

2016-08-29 Thread tomaskrizek
tomaskrizek's pull request #29: "Enable LDAPS in replica promotion" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/29 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/29/head:pr29 git

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-29 Thread Simo Sorce
On Mon, 2016-08-29 at 08:29 +0200, Jan Cholasta wrote: > On 26.8.2016 16:39, Simo Sorce wrote: > > On Fri, 2016-08-26 at 12:39 +0200, Martin Basti wrote: > >>> I miss "why" part of "To be able to handle backward compatibility > >> with > >>> ease, a new object called ipaHBACRulev2 is introduced. "

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-29 Thread Simo Sorce
On Mon, 2016-08-29 at 09:13 +0200, Petr Spacek wrote: > On 26.8.2016 17:40, Simo Sorce wrote: > > On Fri, 2016-08-26 at 11:37 -0400, Simo Sorce wrote: > >> Ie we could set both "allow" and "allow_with_time" on an object for > >> cases where the admin wants to enforce the time part only o newer >

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-29 Thread Petr Spacek
On 29.8.2016 16:34, Simo Sorce wrote: > On Mon, 2016-08-29 at 09:13 +0200, Petr Spacek wrote: >> On 26.8.2016 17:40, Simo Sorce wrote: >>> On Fri, 2016-08-26 at 11:37 -0400, Simo Sorce wrote: Ie we could set both "allow" and "allow_with_time" on an object for cases where the admin wants

Re: [Freeipa-devel] [PATCH] 0100 Track lightweight CAs on replica installation

2016-08-29 Thread Martin Babinsky
On 08/23/2016 08:40 AM, Fraser Tweedale wrote: Hi folks, Please review attached patch which fixes https://fedorahosted.org/freeipa/ticket/6019. Thanks, Fraser Hi Fraser, I have couple of comments: 1.) -for entry in lwcas: -