[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-12 Thread HonzaCholasta
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code HonzaCholasta commented: """ @simo5, I can't reproduce the bug anymore with the latest update. Pylint found one trivial issue: ``` ipaserver/install/server/upgrade.py:83:

[Freeipa-devel] [freeipa PR#394][opened] Add fix for ipa plugins command

2017-01-12 Thread Akasurde
URL: https://github.com/freeipa/freeipa/pull/394 Author: Akasurde Title: #394: Add fix for ipa plugins command Action: opened PR body: """ Fix adds count of plugins loaded to return dict Fixes https://fedorahosted.org/freeipa/ticket/6513 Signed-off-by: Abhijeet Kasurde

[Freeipa-devel] [freeipa PR#377][comment] dogtaginstance: track server certificate with our renew agent

2017-01-12 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/377 Title: #377: dogtaginstance: track server certificate with our renew agent abbra commented: """ Looks very good to me. ACK from my side. """ See the full comment at https://github.com/freeipa/freeipa/pull/377#issuecomment-272106955 -- Manage

Re: [Freeipa-devel] CSR autogeneration next steps

2017-01-12 Thread Jan Cholasta
On 11.1.2017 00:38, Ben Lipton wrote: On 01/10/2017 01:58 AM, Jan Cholasta wrote: On 19.12.2016 21:59, Ben Lipton wrote: On 12/15/2016 11:11 PM, Ben Lipton wrote: On 12/12/2016 03:52 AM, Jan Cholasta wrote: On 5.12.2016 16:48, Ben Lipton wrote: Hi Jan, thanks for the comments. On

[Freeipa-devel] [freeipa PR#391][opened] ipapython: Add dependencies on version.py

2017-01-12 Thread tiran
URL: https://github.com/freeipa/freeipa/pull/391 Author: tiran Title: #391: ipapython: Add dependencies on version.py Action: opened PR body: """ install-exec and bdist_wheel also depend on version.py. Let's ensure that version.py is correctly generated when installing or building packages.

[Freeipa-devel] [freeipa PR#385][+pushed] Generate sha256 ssh pubkey fingerprints for hosts

2017-01-12 Thread mbasti-rh
URL: https://github.com/freeipa/freeipa/pull/385 Title: #385: Generate sha256 ssh pubkey fingerprints for hosts Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA:

[Freeipa-devel] [freeipa PR#385][comment] Generate sha256 ssh pubkey fingerprints for hosts

2017-01-12 Thread mbasti-rh
URL: https://github.com/freeipa/freeipa/pull/385 Title: #385: Generate sha256 ssh pubkey fingerprints for hosts mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/721105c53de6fbc0abc7799ec7f48920e02089bd """ See the full comment at

[Freeipa-devel] [freeipa PR#385][closed] Generate sha256 ssh pubkey fingerprints for hosts

2017-01-12 Thread mbasti-rh
URL: https://github.com/freeipa/freeipa/pull/385 Author: stlaz Title: #385: Generate sha256 ssh pubkey fingerprints for hosts Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/385/head:pr385 git checkout pr385 --

[Freeipa-devel] [freeipa PR#377][comment] dogtaginstance: track server certificate with our renew agent

2017-01-12 Thread stlaz
URL: https://github.com/freeipa/freeipa/pull/377 Title: #377: dogtaginstance: track server certificate with our renew agent stlaz commented: """ Works fine. """ See the full comment at https://github.com/freeipa/freeipa/pull/377#issuecomment-272137913

[Freeipa-devel] [freeipa PR#210][comment] Tests: Stage User Tracker implementation

2017-01-12 Thread mbasti-rh
URL: https://github.com/freeipa/freeipa/pull/210 Title: #210: Tests: Stage User Tracker implementation mbasti-rh commented: """ Needs rebase ``` Applying: Unaccessible variable self.attrs in Tracker Patch failed at 0001 Unaccessible variable self.attrs in Tracker The copy of the patch that

[Freeipa-devel] [freeipa PR#374][comment] pytest: set rules to find test files and functions

2017-01-12 Thread mbasti-rh
URL: https://github.com/freeipa/freeipa/pull/374 Title: #374: pytest: set rules to find test files and functions mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/68cb4d2b0f6b28f20513371e46b279d80c0b3070 """ See the full comment at

[Freeipa-devel] [freeipa PR#374][closed] pytest: set rules to find test files and functions

2017-01-12 Thread mbasti-rh
URL: https://github.com/freeipa/freeipa/pull/374 Author: tiran Title: #374: pytest: set rules to find test files and functions Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/374/head:pr374 git checkout pr374 --

[Freeipa-devel] [freeipa PR#374][+pushed] pytest: set rules to find test files and functions

2017-01-12 Thread mbasti-rh
URL: https://github.com/freeipa/freeipa/pull/374 Title: #374: pytest: set rules to find test files and functions Label: +pushed

[Freeipa-devel] [freeipa PR#179][synchronized] Fix for handling CalledProcessError in authconfig

2017-01-12 Thread Akasurde
URL: https://github.com/freeipa/freeipa/pull/179 Author: Akasurde Title: #179: Fix for handling CalledProcessError in authconfig Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/179/head:pr179 git checkout

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-12 Thread HonzaCholasta
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code HonzaCholasta commented: """ Not sure if it's this PR or not, but `ipa-server-install` *sometimes* fails with: ``` [11/22]: setting up ssl [error] NetworkError: cannot connect to

[Freeipa-devel] [freeipa PR#181][comment] Tests : User Tracker creation of user with minimal values

2017-01-12 Thread mbasti-rh
URL: https://github.com/freeipa/freeipa/pull/181 Title: #181: Tests : User Tracker creation of user with minimal values mbasti-rh commented: """ This PR still needs rebase, it is not possible to apply patch without 3way merge, please pull the latest master and do rebase, we merge only patches

[Freeipa-devel] [freeipa PR#383][comment] Remove duplicated step from DS install

2017-01-12 Thread mbasti-rh
URL: https://github.com/freeipa/freeipa/pull/383 Title: #383: Remove duplicated step from DS install mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/083b4241d287a731e2cf7fed5c61b30da52a8e37 """ See the full comment at

[Freeipa-devel] [freeipa PR#383][+pushed] Remove duplicated step from DS install

2017-01-12 Thread mbasti-rh
URL: https://github.com/freeipa/freeipa/pull/383 Title: #383: Remove duplicated step from DS install Label: +pushed

[Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA

2017-01-12 Thread tiran
URL: https://github.com/freeipa/freeipa/pull/367 Title: #367: Remove nsslib from IPA tiran commented: """ Let's not make @stlaz jump through more bike-shedding hoops. How about we let him finish this PR, and then address TLS versions, ciphers and other simplifications in another PR? """ See

[Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA

2017-01-12 Thread tiran
URL: https://github.com/freeipa/freeipa/pull/367 Title: #367: Remove nsslib from IPA tiran commented: """ @rcritten I wonder if we need to support any version except TLS 1.2 at all. Are there any versions of FreeIPA stack that do not have TLS 1.2 support? """ See the full comment at

Re: [Freeipa-devel] [DESIGN] FreeIPA on FIPS + NSS question

2017-01-12 Thread Christian Heimes
On 2016-12-19 15:07, John Dennis wrote: > I'm not a big fan of NSS, it has its issues. As the author of the > Python binding I'm quite aware of all the nasty behaviors NSS has and > needs to be worked around. I wouldn't be sad to see it go but OpenSSL > has its own issues too. If you remove NSS

[Freeipa-devel] [freeipa PR#392][synchronized] Fix coverity issue

2017-01-12 Thread tomaskrizek
URL: https://github.com/freeipa/freeipa/pull/392 Author: tomaskrizek Title: #392: Fix coverity issue Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/392/head:pr392 git checkout pr392 From

[Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA

2017-01-12 Thread stlaz
URL: https://github.com/freeipa/freeipa/pull/367 Title: #367: Remove nsslib from IPA stlaz commented: """ @rcritten `tls_version_min/max` could have been set to "ssl2" just as well as "ssl3" but perhaps it's for the best to remove them. I will try to do the certmonger part and will remove

Re: [Freeipa-devel] [DESIGN] FreeIPA on FIPS + NSS question

2017-01-12 Thread Rob Crittenden
Tomas Krizek wrote: > On 12/19/2016 04:41 PM, Standa Laznicka wrote: >> On 12/19/2016 03:07 PM, John Dennis wrote: >>> On 12/19/2016 03:12 AM, Standa Laznicka wrote: On 12/16/2016 03:23 PM, Rob Crittenden wrote: > Standa Laznicka wrote: >> Hello, >> >> I started a design page

[Freeipa-devel] [freeipa PR#377][+ack] dogtaginstance: track server certificate with our renew agent

2017-01-12 Thread stlaz
URL: https://github.com/freeipa/freeipa/pull/377 Title: #377: dogtaginstance: track server certificate with our renew agent Label: +ack

[Freeipa-devel] [freeipa PR#377][comment] dogtaginstance: track server certificate with our renew agent

2017-01-12 Thread stlaz
URL: https://github.com/freeipa/freeipa/pull/377 Title: #377: dogtaginstance: track server certificate with our renew agent stlaz commented: """ I made a patch that makes is_renewal_master and set_renewal_master classmethods on @tiran recommendation. Feel free to push it along or leave it,

[Freeipa-devel] Changed SSH public key fingerprint to SHA256

2017-01-12 Thread Standa Laznicka
Hello list, In PR https://github.com/freeipa/freeipa/pull/385 we changed the hashing algorithm for SSH public key fingerprints which are printed for hosts/users in their respective show commands. These fingerprints are not stored anywhere and are calculated during runtime on demand. We did

[Freeipa-devel] [freeipa PR#391][+ack] ipapython: Add dependencies on version.py

2017-01-12 Thread apophys
URL: https://github.com/freeipa/freeipa/pull/391 Title: #391: ipapython: Add dependencies on version.py Label: +ack

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-12 Thread simo5
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ Thanks @HonzaCholasta I already fixed the service thing but didn't push as I started getting another error on install, but before I fix that I am working on

[Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA

2017-01-12 Thread stlaz
URL: https://github.com/freeipa/freeipa/pull/367 Author: stlaz Title: #367: Remove nsslib from IPA Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/367/head:pr367 git checkout pr367 From

[Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA

2017-01-12 Thread rcritten
URL: https://github.com/freeipa/freeipa/pull/367 Title: #367: Remove nsslib from IPA rcritten commented: """ Wait, you added support for SSLv2? Please remove it, it isn't needed even for backwards compatibility and would not be considered a regression. """ See the full comment at

[Freeipa-devel] [freeipa PR#392][opened] Fix coverity issue

2017-01-12 Thread tomaskrizek
URL: https://github.com/freeipa/freeipa/pull/392 Author: tomaskrizek Title: #392: Fix coverity issue Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/392/head:pr392 git checkout pr392 From

[Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA

2017-01-12 Thread stlaz
URL: https://github.com/freeipa/freeipa/pull/367 Title: #367: Remove nsslib from IPA stlaz commented: """ @rcritten I spoke to the NSS people who assured me it's the intended behavior. But thanks for the reminder, I will open a Bugzilla for that as well, I was considering it before

[Freeipa-devel] [freeipa PR#392][comment] Fix coverity issue

2017-01-12 Thread mbasti-rh
URL: https://github.com/freeipa/freeipa/pull/392 Title: #392: Fix coverity issue mbasti-rh commented: """ Could be commit message more descriptive or at least any? """ See the full comment at https://github.com/freeipa/freeipa/pull/392#issuecomment-272158709

[Freeipa-devel] [freeipa PR#181][comment] Tests : User Tracker creation of user with minimal values

2017-01-12 Thread gkaihorodova
URL: https://github.com/freeipa/freeipa/pull/181 Title: #181: Tests : User Tracker creation of user with minimal values gkaihorodova commented: """ @mbasti-rh done. hope now it's fine """ See the full comment at https://github.com/freeipa/freeipa/pull/181#issuecomment-272172666

[Freeipa-devel] GetEffectiveRights and add ACIs

2017-01-12 Thread Fraser Tweedale
In ca_add.pre_callback, we have: if not ldap.can_add(dn[1:]): raise ACIError(...) `can_add' uses the GetEffectiveRights control to see what rights the user has. When a user with the 'System: Add CA' permission attempts to add a CA, the above ACIError gets raised. This is definitely a

[Freeipa-devel] [freeipa PR#395][opened] Configure PKI ajp redirection to use "localhost" instead of "::1"

2017-01-12 Thread flo-renaud
URL: https://github.com/freeipa/freeipa/pull/395 Author: flo-renaud Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1" Action: opened PR body: """ When ipa-server-install configures PKI, it provides a configuration file with the parameter pki_ajp_host set to ::1.

[Freeipa-devel] [DESIGN] IPA permission enforcement in Dogtag

2017-01-12 Thread Fraser Tweedale
Related to design: http://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication Currently there are some operations that hit the CA that involve a number of privileged operations against the CA, but for which there is only one associated IPA permission. Deleting a CA is a good example (but it is

[Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA

2017-01-12 Thread rcritten
URL: https://github.com/freeipa/freeipa/pull/367 Title: #367: Remove nsslib from IPA rcritten commented: """ SSLv2 should not be supported, period. Not that it would work anyway because most SSL libs have completely removed this support, but it is just a terrible idea to even try and allow

Re: [Freeipa-devel] [DESIGN] FreeIPA on FIPS + NSS question

2017-01-12 Thread Alexander Bokovoy
On Thu, 12 Jan 2017, Christian Heimes wrote: On 2016-12-19 15:07, John Dennis wrote: I'm not a big fan of NSS, it has its issues. As the author of the Python binding I'm quite aware of all the nasty behaviors NSS has and needs to be worked around. I wouldn't be sad to see it go but OpenSSL

[Freeipa-devel] [freeipa PR#382][synchronized] [Py3] ipa-server-install fixes (working NTP, DS, CA install steps)

2017-01-12 Thread mbasti-rh
URL: https://github.com/freeipa/freeipa/pull/382 Author: mbasti-rh Title: #382: [Py3] ipa-server-install fixes (working NTP, DS, CA install steps) Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa

[Freeipa-devel] [freeipa PR#393][opened] [WIP] Py3 allow to run wsgi

2017-01-12 Thread mbasti-rh
URL: https://github.com/freeipa/freeipa/pull/393 Author: mbasti-rh Title: #393: [WIP] Py3 allow to run wsgi Action: opened PR body: """ With these patches we can run commands with server running on py3 Note: to use py3 install module `python3-mod_wsgi` that enables py3 wsgi automatically

[Freeipa-devel] [freeipa PR#393][edited] [WIP] Py3 allow to run wsgi

2017-01-12 Thread mbasti-rh
URL: https://github.com/freeipa/freeipa/pull/393 Author: mbasti-rh Title: #393: [WIP] Py3 allow to run wsgi Action: edited Changed field: body Original value: """ With these patches we can run commands with server running on py3 Note: to use py3 install module `python3-mod_wsgi` that

[Freeipa-devel] [freeipa PR#393][synchronized] [WIP] Py3 allow to run wsgi

2017-01-12 Thread mbasti-rh
URL: https://github.com/freeipa/freeipa/pull/393 Author: mbasti-rh Title: #393: [WIP] Py3 allow to run wsgi Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/393/head:pr393 git checkout pr393 From