On Tue, Jul 19, 2016 at 08:50:34AM +0200, Jan Cholasta wrote:
> Hi,
>
> On 14.7.2016 13:44, Fraser Tweedale wrote:
> > Hi all,
> >
> > The attached patch includes SANs in cert-show output. If you have
> > certs with esoteric altnames (especially any that ar
From 6a2ab7165c0ae600402c1c2794f2b10c9e38da05 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Fri, 22 Jul 2016 13:07:09 +1000
Subject: [PATCH] cert-request: allow directoryName in SAN extension
Allow directoryName in SAN extension if the value matches the
subject principal's DN in the IPA directory.
Fi
The attached patch fixes a kerberos.Principal-related regression.
Thanks,
Fraser
From c3d4bee34f4a1aa6afafee07851e8b5557860331 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Thu, 28 Jul 2016 10:55:45 +1000
Subject: [PATCH] caacl: fix regression in rule instantiation
The Principal refactor
On Thu, Jul 28, 2016 at 09:56:30AM +0200, Martin Babinsky wrote:
> On 07/28/2016 03:31 AM, Fraser Tweedale wrote:
> > The attached patch fixes a kerberos.Principal-related regression.
> >
> > Thanks,
> > Fraser
> >
> Hi Fraser,
>
> The ticket you linke
On Fri, Jul 29, 2016 at 11:13:16AM -0400, Ben Lipton wrote:
>
> On 07/29/2016 09:39 AM, Petr Spacek wrote:
> > On 27.7.2016 19:06, Ben Lipton wrote:
> > > Hi all,
> > >
> > > I think the automatic CSR generation feature
> > > (https://fedorahosted.org/freeipa/ticket/4899,
> > > http://www.freeipa
On Wed, Aug 03, 2016 at 02:17:30PM +0200, Martin Basti wrote:
> Hello all,
>
>
> update resteasy-*-3.0.17 from updates-testing prevents IPA (PKI CA) to be
> installed on f24,
>
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA
> instance: Command '/usr/sbin/pkispawn
icket/6178
Thanks,
Fraser
From 6d3a153a954ab09022af6073ae9ea68668716618 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Mon, 8 Aug 2016 14:27:20 +1000
Subject: [PATCH] Add options to write lightweight CA cert or chain to file
Administrators need a way to retrieve the certificate or certificate
c
On Mon, Aug 08, 2016 at 08:54:05AM +0200, Jan Cholasta wrote:
> Hi,
>
> On 8.8.2016 06:34, Fraser Tweedale wrote:
> > Please review the attached patch with adds --certificate-out and
> > --certificate-chain-out options to `ca-show' command.
> >
> > Note
On Mon, Aug 08, 2016 at 10:49:27AM +0200, Jan Cholasta wrote:
> On 8.8.2016 09:06, Fraser Tweedale wrote:
> > On Mon, Aug 08, 2016 at 08:54:05AM +0200, Jan Cholasta wrote:
> > > Hi,
> > >
> > > On 8.8.2016 06:34, Fraser Tweedale wrote:
> > >
declared by the
> param (unicode or ipapython.kerberos.Principal or
> ipapython.dnsutil.DNSName).
>
I now pass the value to the constructor of whatever type the
parameter uses:
attr_value = self.params[attr_name].type(name_formatted)
obj.setdefault(attr_name, []).append(att
On Mon, Aug 15, 2016 at 02:08:54PM +0200, Jan Cholasta wrote:
> On 19.7.2016 12:05, Jan Cholasta wrote:
> > On 19.7.2016 11:54, Fraser Tweedale wrote:
> > > On Tue, Jul 19, 2016 at 09:36:17AM +0200, Jan Cholasta wrote:
> > > > Hi,
> > > >
> &g
On Mon, Aug 15, 2016 at 07:48:22AM +0200, Jan Cholasta wrote:
> On 12.8.2016 18:57, Petr Spacek wrote:
> > On 12.8.2016 11:33, Jan Cholasta wrote:
> > > On 4.8.2016 18:18, Petr Vobornik wrote:
> > > > On 07/22/2016 07:13 AM, Fraser Tweedale wrote:
> > > >
On Mon, Aug 15, 2016 at 02:52:46PM +0200, Petr Spacek wrote:
> On 2.8.2016 05:57, Fraser Tweedale wrote:
> >> > Hah! This is what I get for thinking I know what the output has to look
> >> > like, and not testing all the way through to requesting the cert. I'
On Mon, Aug 15, 2016 at 03:31:20PM +0200, Petr Spacek wrote:
> On 15.8.2016 15:16, Fraser Tweedale wrote:
> > On Mon, Aug 15, 2016 at 02:52:46PM +0200, Petr Spacek wrote:
> >> On 2.8.2016 05:57, Fraser Tweedale wrote:
> >>>>> Hah! This is what I get for thinkin
On Mon, Aug 15, 2016 at 03:58:40PM +0200, Petr Spacek wrote:
> On 15.8.2016 15:54, Fraser Tweedale wrote:
> > On Mon, Aug 15, 2016 at 03:31:20PM +0200, Petr Spacek wrote:
> >> On 15.8.2016 15:16, Fraser Tweedale wrote:
> >>> On Mon, Aug 15, 2016 at 02:52:46PM +0200
On Mon, Aug 15, 2016 at 08:19:33AM +0200, Jan Cholasta wrote:
> On 9.8.2016 16:47, Fraser Tweedale wrote:
> > On Mon, Aug 08, 2016 at 10:49:27AM +0200, Jan Cholasta wrote:
> > > On 8.8.2016 09:06, Fraser Tweedale wrote:
> > > > On Mon, Aug 08, 2016 at 08:54:
On Tue, Aug 16, 2016 at 08:10:08AM +0200, Jan Cholasta wrote:
> On 16.8.2016 07:24, Fraser Tweedale wrote:
> > On Mon, Aug 15, 2016 at 08:19:33AM +0200, Jan Cholasta wrote:
> > > On 9.8.2016 16:47, Fraser Tweedale wrote:
> > > > On Mon, Aug 08, 2016 at 10:49:
On Tue, Aug 16, 2016 at 08:10:08AM +0200, Jan Cholasta wrote:
> On 16.8.2016 07:24, Fraser Tweedale wrote:
> > On Mon, Aug 15, 2016 at 08:19:33AM +0200, Jan Cholasta wrote:
> > > On 9.8.2016 16:47, Fraser Tweedale wrote:
> > > > On Mon, Aug 08, 2016 at 10:49:
On Mon, Aug 15, 2016 at 10:54:25PM +1000, Fraser Tweedale wrote:
> On Mon, Aug 15, 2016 at 02:08:54PM +0200, Jan Cholasta wrote:
> > On 19.7.2016 12:05, Jan Cholasta wrote:
> > > On 19.7.2016 11:54, Fraser Tweedale wrote:
> > > > On Tue, Jul 19, 2016 at 09:36:
This patch fixes CVE-2016-5404. Versions for master, ipa-4-3 and
ipa-4-2 branches are attached.
Thanks,
Fraser
From 61590c223aa51668b3f661fc91bc35f2dfae8ae6 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Thu, 30 Jun 2016 10:21:01 +1000
Subject: [PATCH] cert-revoke: fix permission check
Bump for review.
On Mon, Aug 15, 2016 at 05:15:16PM +1000, Fraser Tweedale wrote:
> Thanks for reviews. Rebased and updated patches attached (and one
> new patch). No substantive changes to 92..94. Patch order is:
>
> 92-2, 93-2, 94-2, 98, 90-3
>
> Other comments i
Bump for review.
On Wed, Aug 17, 2016 at 12:09:39AM +1000, Fraser Tweedale wrote:
> On Tue, Aug 16, 2016 at 08:10:08AM +0200, Jan Cholasta wrote:
> > On 16.8.2016 07:24, Fraser Tweedale wrote:
> > > On Mon, Aug 15, 2016 at 08:19:33AM +0200, Jan Cholasta wrote:
> > >
On Fri, Aug 19, 2016 at 08:09:33PM +1000, Fraser Tweedale wrote:
> On Mon, Aug 15, 2016 at 10:54:25PM +1000, Fraser Tweedale wrote:
> > On Mon, Aug 15, 2016 at 02:08:54PM +0200, Jan Cholasta wrote:
> > > On 19.7.2016 12:05, Jan Cholasta wrote:
> > > > On 19.7.201
#6019 requires adding tracking requests for existing lightweight CAs
as part of replica installation. ipa-certupdate has logic to do
this.
Before I go ahead and implement, there are a few approaches I want
to mention and seek feedback from team members before I commit to
one.
1. invoke ipa-certu
On Mon, Aug 22, 2016 at 10:00:57AM +0200, Jan Cholasta wrote:
> Hi,
>
> On 22.8.2016 09:37, Fraser Tweedale wrote:
> > #6019 requires adding tracking requests for existing lightweight CAs
> > as part of replica installation. ipa-certupdate has logic to do
> > this.
>
Hi folks,
Please review attached patch which fixes
https://fedorahosted.org/freeipa/ticket/6019.
Thanks,
Fraser
From 558ec02053154b472b0505e6c2279095f296cb9c Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Tue, 23 Aug 2016 16:14:30 +1000
Subject: [PATCH] Track lightweight CAs on replica
Thanks for review; rebased and updated patch attached. Only 0090
has substantive changes.
Cheers,
Fraser
On Mon, Aug 22, 2016 at 09:22:08AM +0200, Jan Cholasta wrote:
> On 19.8.2016 13:11, Fraser Tweedale wrote:
> > Bump for review.
> >
> > On Mon, Aug 15, 2016 at 05:
will also address
https://fedorahosted.org/freeipa/ticket/3473, in part).
Thanks,
Fraser
From 1d99777c2145d33278d2b1d8a4e8a2d1341c8e4d Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Thu, 25 Aug 2016 17:00:01 +1000
Subject: [PATCH] Add ca-disable and ca-enable commands
We soon plan to revoke
p for testing :)
Thanks,
Fraser
From 97501fad9bfe64af076a8c1a65bd732ac265b940 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Fri, 26 Aug 2016 08:59:10 +1000
Subject: [PATCH 102/105] Allow Dogtag RestClient to perform requests without
logging in
Currently the Dogtag RestClient '_ssl
Hi all,
Attached patch fixes https://fedorahosted.org/freeipa/ticket/6221.
It depends on Honza's PR #20
https://github.com/freeipa/freeipa/pull/20.
Thanks,
Fraser
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to
On Fri, Aug 26, 2016 at 03:37:17PM +1000, Fraser Tweedale wrote:
> Hi all,
>
> Attached patch fixes https://fedorahosted.org/freeipa/ticket/6221.
> It depends on Honza's PR #20
> https://github.com/freeipa/freeipa/pull/20.
>
> Thanks,
> Fraser
>
It does
On Fri, Aug 26, 2016 at 10:41:37AM +0200, Jan Cholasta wrote:
> Hi,
>
> On 22.7.2016 07:18, Fraser Tweedale wrote:
> > While I was poking around SAN-processing code, I decided to
> > implement a small enhancement: allowing the subject principal's DN
> >
On Thu, Sep 01, 2016 at 07:37:53PM +0200, Tomas Krizek wrote:
> On 09/01/2016 03:58 PM, Florence Blanc-Renaud wrote:
> > Hi,
> >
> > please find attached a patch for ipa-certupdate in CA-less deployment.
> > https://fedorahosted.org/freeipa/ticket/6288
> >
> > Flo.
> >
> >
> >
> The patch is m
On Tue, Aug 30, 2016 at 10:39:16AM +0200, Jan Cholasta wrote:
> Hi,
>
> On 26.8.2016 07:42, Fraser Tweedale wrote:
> > On Fri, Aug 26, 2016 at 03:37:17PM +1000, Fraser Tweedale wrote:
> > > Hi all,
> > >
> > > Attached patch fixes https://fedorahosted.or
On Mon, Sep 05, 2016 at 11:59:11PM +1000, Fraser Tweedale wrote:
> On Tue, Aug 30, 2016 at 10:39:16AM +0200, Jan Cholasta wrote:
> > Hi,
> >
> > On 26.8.2016 07:42, Fraser Tweedale wrote:
> > > On Fri, Aug 26, 2016 at 03:37:17PM +1000, Fraser
On Fri, Aug 26, 2016 at 10:28:58AM +0200, Jan Cholasta wrote:
> On 19.8.2016 13:11, Fraser Tweedale wrote:
> > Bump for review.
> >
> > On Wed, Aug 17, 2016 at 12:09:39AM +1000, Fraser Tweedale wrote:
> > > On Tue, Aug 16, 2016 at 08:10:08AM +0200, Jan Cholasta wro
On Tue, Aug 30, 2016 at 08:48:58AM +0200, Jan Cholasta wrote:
> On 29.8.2016 07:57, Fraser Tweedale wrote:
> > On Fri, Aug 26, 2016 at 10:41:37AM +0200, Jan Cholasta wrote:
> > > Hi,
> > >
> > > On 22.7.2016 07:18, Fraser Tweedale wrote:
> > > >
On Mon, Aug 29, 2016 at 06:39:58PM +0200, Martin Babinsky wrote:
> On 08/23/2016 08:40 AM, Fraser Tweedale wrote:
> > Hi folks,
> >
> > Please review attached patch which fixes
> > https://fedorahosted.org/freeipa/ticket/6019.
> >
> > Thanks,
> > F
On Tue, Aug 30, 2016 at 10:23:10AM +0200, Martin Babinsky wrote:
> On 08/30/2016 10:09 AM, Jan Cholasta wrote:
> > Hi,
> >
> > On 30.8.2016 09:56, Martin Babinsky wrote:
> > > On 08/25/2016 10:25 AM, Fraser Tweedale wrote:
> > > > Hi team,
> > >
On Tue, Aug 30, 2016 at 10:54:32AM +0200, Martin Babinsky wrote:
> On 08/26/2016 04:19 AM, Fraser Tweedale wrote:
> > The attached patches add better handling of cert-request failure due
> > to target CA being disabled (#6260). To do this, rather than go and
> > do extra w
On Tue, Sep 06, 2016 at 10:19:14AM +0200, Jan Cholasta wrote:
> On 5.9.2016 17:30, Fraser Tweedale wrote:
> > On Mon, Sep 05, 2016 at 11:59:11PM +1000, Fraser Tweedale wrote:
> > > On Tue, Aug 30, 2016 at 10:39:16AM +0200, Jan Cholasta wrote:
> > > > Hi,
> > >
On Wed, Sep 07, 2016 at 08:32:42AM +0200, Jan Cholasta wrote:
> On 6.9.2016 19:36, Fraser Tweedale wrote:
> > On Tue, Sep 06, 2016 at 10:19:14AM +0200, Jan Cholasta wrote:
> > > On 5.9.2016 17:30, Fraser Tweedale wrote:
> > > > On Mon, Sep 05, 2016 at 11:59:11P
On Wed, Sep 07, 2016 at 10:39:59AM +0200, Jan Cholasta wrote:
> On 7.9.2016 10:28, Fraser Tweedale wrote:
> > On Wed, Sep 07, 2016 at 08:32:42AM +0200, Jan Cholasta wrote:
> > > On 6.9.2016 19:36, Fraser Tweedale wrote:
> > > > On Tue, Sep 06, 2016 at 10:19:
Attached patch fixes https://fedorahosted.org/freeipa/ticket/6305
Thanks,
Fraser
From d4d7e77795f96a4970058e61d99c70522689b22d Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Wed, 7 Sep 2016 19:00:18 +1000
Subject: [PATCH] Fix cert revocation when removing all certs via
host/service-mod
The attached patch fixes regression in cert-request:
https://fedorahosted.org/freeipa/ticket/6309
Thanks,
Fraser
From b27eef53ee36b7cae70206c37dea6aaa3bcfc940 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Thu, 8 Sep 2016 11:56:16 +1000
Subject: [PATCH] cert-request: raise error when
On Thu, Sep 08, 2016 at 01:15:03PM +0200, Martin Babinsky wrote:
> On 09/08/2016 04:00 AM, Fraser Tweedale wrote:
> > The attached patch fixes regression in cert-request:
> > https://fedorahosted.org/freeipa/ticket/6309
> >
> > Thanks,
> > Fraser
> >
Bump for review.
Rebased patches attached (there was a trivial conflict in imports).
Thanks,
Fraser
On Tue, Sep 06, 2016 at 02:05:06AM +1000, Fraser Tweedale wrote:
> On Fri, Aug 26, 2016 at 10:28:58AM +0200, Jan Cholasta wrote:
> > On 19.8.2016 13:11, Fraser Tweedale wrote:
>
Bump for review.
On Wed, Sep 07, 2016 at 04:06:25PM +0700, Fraser Tweedale wrote:
> Attached patch fixes https://fedorahosted.org/freeipa/ticket/6305
>
> Thanks,
> Fraser
> From d4d7e77795f96a4970058e61d99c70522689b22d Mon Sep 17 00:00:00 2001
> From: Fraser Tweedale
> Dat
On Fri, Sep 23, 2016 at 08:51:02AM +0200, Jan Cholasta wrote:
> On 25.8.2016 12:08, Jan Cholasta wrote:
> > On 22.8.2016 07:00, Fraser Tweedale wrote:
> > > On Fri, Aug 19, 2016 at 08:09:33PM +1000, Fraser Tweedale wrote:
> > > > On Mon, Aug 15, 2016 at 10:54:25P
On Thu, Oct 06, 2016 at 12:49:30PM +0200, Sumit Bose wrote:
> Question, do we need search-and-replace at all (or at this
> stage)? Most of the interesting values from the SAN should be
> directly map-able to LDAP attributes. And processing the string
> representation of might be tricky as discuss
On Fri, Oct 07, 2016 at 09:35:00AM +0300, Alexander Bokovoy wrote:
> On pe, 07 loka 2016, Fraser Tweedale wrote:
> > On Thu, Oct 06, 2016 at 12:49:30PM +0200, Sumit Bose wrote:
> >
> > > Question, do we need search-and-replace at all (or at this
> > > stage)? Mo
Patches have been reborn as
https://github.com/freeipa/freeipa/pull/177.
Brief commentary inline. If any further issues, let us continue
discussion at GitHub.
Thanks,
Fraser
On Thu, Oct 06, 2016 at 10:02:55AM +0200, Jan Cholasta wrote:
> On 23.9.2016 05:29, Fraser Tweedale wrote:
> >
On Tue, Nov 08, 2016 at 10:29:29AM +0800, 郑磊 wrote:
> Hello everyone,
>
> I have successfully set up the FreeIPA environment on Ubuntu when selinux is
> disable. But when selinux is enable, there is a configuring ipa-otpd error
> occurred.
>
> The ipaserver-install.log shows following informat
Hi,
I can no longer create or edit pages on the FreeIPA wiki. Could
someone who administers the wiki help out? (Please follow up
off-list.)
Thanks,
Fraser
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIP
(This is a tangential discussion, but...)
On Mon, Dec 12, 2016 at 09:52:02AM +0100, Jan Cholasta wrote:
> IMO profile ID should default to caIPAserviceCert on the client as well.
>
NACK. Default profile (although fixed at the present time) should
be considered server-side policy. If we eventual
On Mon, Dec 12, 2016 at 02:04:37PM +0100, Jan Cholasta wrote:
> On 12.12.2016 13:49, Fraser Tweedale wrote:
> > (This is a tangential discussion, but...)
> >
> > On Mon, Dec 12, 2016 at 09:52:02AM +0100, Jan Cholasta wrote:
> > > IMO profile ID should default to caI
Hi all,
The CI failures caused by one of my recent commits have me baffled.
It is exactly this commit[1] at which the problems begin. I cannot
see anything in the commit to point a finger at. In-tree tests run
fine.
[1]
https://github.com/freeipa/freeipa/commit/32b1743e5fb318b226a602ec8d9a4b6e
On Tue, Dec 13, 2016 at 09:41:40AM +0100, Martin Babinsky wrote:
> Hi list,
>
> https://github.com/freeipa/freeipa/pull/177 was recently merged despite
> causing nearly half of the tests in our Travis CI gating to fail. This broke
> Travis CI for all other PR that were rebased after this merge, ca
On Tue, Dec 13, 2016 at 01:11:37PM +0100, Martin Babinsky wrote:
> On 12/13/2016 01:07 PM, Fraser Tweedale wrote:
> > On Tue, Dec 13, 2016 at 09:41:40AM +0100, Martin Babinsky wrote:
> > > Hi list,
> > >
> > > https://github.com/freeipa/freeipa/pull/177 was r
Hi all,
Although it has been discussed before and met with some skepticism,
here is a POC that exporting test runner output to, e.g. a pastebin,
does work:
- experimental commit: https://github.com/freeipa/freeipa/pull/370
- example paste: https://paste.fedoraproject.org/520085/
(it is gzipped
On Thu, Jan 05, 2017 at 08:53:14AM +0100, Martin Babinsky wrote:
> On 01/05/2017 08:06 AM, Fraser Tweedale wrote:
> > Hi all,
> >
> > Although it has been discussed before and met with some skepticism,
> > here is a POC that exporting test runner output to, e.g
On Thu, Jan 05, 2017 at 09:38:03AM +0100, Tomas Krizek wrote:
> On 01/05/2017 09:25 AM, Fraser Tweedale wrote:
> > On Thu, Jan 05, 2017 at 08:53:14AM +0100, Martin Babinsky wrote:
> >> On 01/05/2017 08:06 AM, Fraser Tweedale wrote:
> >>> Hi all,
> >>>
&
Hi comrades,
I have written up the high-level details of the FreeIPA->Dogtag
GSS-API authentication design. The goal is improve security by
removing an egregious privilege separation violation: the RA Agent
cert.
There is a fair bit of work still to do on the Dogtag side but
things are shaping u
On Tue, Jan 10, 2017 at 10:48:08AM +0100, Martin Babinsky wrote:
> Hi Fraser,
>
> I have some rather inane comments. I guess Jan cholasta will do a more
> thorough review of your design. See below:
>
> On 01/06/2017 09:08 AM, Fraser Tweedale wrote:
> > Hi comrades,
> &
In ca_add.pre_callback, we have:
if not ldap.can_add(dn[1:]):
raise ACIError(...)
`can_add' uses the GetEffectiveRights control to see what rights the
user has.
When a user with the 'System: Add CA' permission attempts to add a
CA, the above ACIError gets raised. This is definitely a bu
Related to design:
http://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication
Currently there are some operations that hit the CA that involve a
number of privileged operations against the CA, but for which there
is only one associated IPA permission. Deleting a CA is a good
example (but it is
On Mon, Feb 06, 2017 at 10:37:34AM +0200, Alexander Bokovoy wrote:
> On ma, 06 helmi 2017, Jan Cholasta wrote:
> > On 11.1.2017 02:09, Fraser Tweedale wrote:
> > > On Tue, Jan 10, 2017 at 10:48:08AM +0100, Martin Babinsky wrote:
> > > > Hi Fraser,
> > > >
On Mon, Feb 06, 2017 at 10:24:31AM +0100, Jan Cholasta wrote:
> On 17.1.2017 08:57, David Kupka wrote:
> > On 13/01/17 08:07, Fraser Tweedale wrote:
> > > Related to design:
> > > http://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication
> > >
> > >
On Wed, Feb 08, 2017 at 08:02:18AM +0100, Jan Cholasta wrote:
> On 8.2.2017 07:29, Fraser Tweedale wrote:
> > On Mon, Feb 06, 2017 at 10:24:31AM +0100, Jan Cholasta wrote:
> > > On 17.1.2017 08:57, David Kupka wrote:
> > > > On 13/01/17 08:07, Fraser Tweedale wrot
On Wed, Feb 08, 2017 at 10:19:54AM +0200, Alexander Bokovoy wrote:
> On ke, 08 helmi 2017, Martin Kosek wrote:
> > Hi Fraser and the list,
> >
> > I recently was in a conversation about integrating OpenShift with FreeIPA.
> > One
> > of the gaps was around generating a wildcard certificate by Fre
On Thu, Feb 09, 2017 at 08:37:23AM +0100, Martin Kosek wrote:
> On 02/09/2017 02:12 AM, Fraser Tweedale wrote:
> > On Wed, Feb 08, 2017 at 10:19:54AM +0200, Alexander Bokovoy wrote:
> >> On ke, 08 helmi 2017, Martin Kosek wrote:
> >>> Hi Fraser and the list,
&
On Fri, Feb 10, 2017 at 09:23:10AM +0100, Martin Kosek wrote:
> On 02/09/2017 10:44 PM, Fraser Tweedale wrote:
> > On Thu, Feb 09, 2017 at 08:37:23AM +0100, Martin Kosek wrote:
> >> On 02/09/2017 02:12 AM, Fraser Tweedale wrote:
> >>> On Wed, Feb 08, 2017 at 10:19
On Fri, Feb 10, 2017 at 11:48:39AM +0100, Martin Kosek wrote:
> On 02/10/2017 10:37 AM, Fraser Tweedale wrote:
> > On Fri, Feb 10, 2017 at 09:23:10AM +0100, Martin Kosek wrote:
> >> On 02/09/2017 10:44 PM, Fraser Tweedale wrote:
> >>> On Thu, Feb 09, 2017 at 08:37:
On Tue, Feb 21, 2017 at 05:23:07PM +0100, Standa Laznicka wrote:
> On 02/21/2017 04:24 PM, Tomas Krizek wrote:
> > On 02/21/2017 03:23 PM, Rob Crittenden wrote:
> > > Standa Laznicka wrote:
> > > > Hello,
> > > >
> > > > Since we're trying to make FreeIPA work in FIPS we got to the point
> > > > w
On Tue, Feb 21, 2017 at 06:12:23PM +0100, Petr Vobornik wrote:
> On 02/21/2017 05:15 PM, Florence Blanc-Renaud wrote:
> > Hi,
> >
> > related to the Certificate Identity Mapping feature, a new CLI will be
> > needed to find all the users matching a given certificate.
> >
> > I propose to provide
On Wed, Feb 22, 2017 at 01:41:22PM +0100, Tomas Krizek wrote:
> On 02/22/2017 12:28 AM, Fraser Tweedale wrote:
> > On Tue, Feb 21, 2017 at 05:23:07PM +0100, Standa Laznicka wrote:
> >> On 02/21/2017 04:24 PM, Tomas Krizek wrote:
> >>> On 02/21/2017 03:23 PM, Rob C
On Wed, Feb 22, 2017 at 10:00:04AM -0500, Simo Sorce wrote:
> On Wed, 2017-02-22 at 10:59 +, Oucema Bellagha wrote:
> > I want to figure out a solution which allow user"a" to authenticate to
> > a host only when user"b" is accessing the host for security reasons.
> >
> >
> > Easy explanation:
On Wed, Feb 22, 2017 at 10:17:32AM +0100, Martin Kosek wrote:
> On 02/20/2017 06:03 AM, Fraser Tweedale wrote:
> > On Fri, Feb 10, 2017 at 11:48:39AM +0100, Martin Kosek wrote:
> >> On 02/10/2017 10:37 AM, Fraser Tweedale wrote:
> >>> On Fri, Feb 10, 2017 at 09:23:
On Tue, Mar 14, 2017 at 01:51:19PM +0100, Martin Basti wrote:
> Hello,
>
> DRAFT for FreeIPA 4.5.0 release notes is ready
> http://www.freeipa.org/page/Releases/4.5.0
>
> Please update/let me know what is missing, what is extra.
>
>
> Martin^2
>
I think we should add https://pagure.io/freeipa/
On Wed, Mar 15, 2017 at 09:13:35AM +0100, Martin Basti wrote:
>
>
> On 15.03.2017 00:49, Fraser Tweedale wrote:
> > On Tue, Mar 14, 2017 at 01:51:19PM +0100, Martin Basti wrote:
> >> Hello,
> >>
> >> DRAFT for FreeIPA 4.5.0 release notes is ready
>
On Wed, Sep 24, 2014 at 09:16:52AM -0500, Endi Sukma Dewata wrote:
> On 9/24/2014 8:26 AM, Petr Vobornik wrote:
> >On 24.9.2014 04:43, Endi Sukma Dewata wrote:
> >>On 9/22/2014 9:49 AM, Petr Vobornik wrote:
> >>>[PATCH] webui-ci: case-insensitive record check
> >>>
> >>>Indirect association are no
On Thu, Sep 25, 2014 at 09:44:03AM +0200, Petr Viktorin wrote:
> On 09/25/2014 03:30 AM, Fraser Tweedale wrote:
> >On Wed, Sep 24, 2014 at 09:16:52AM -0500, Endi Sukma Dewata wrote:
> >>On 9/24/2014 8:26 AM, Petr Vobornik wrote:
> >>>On 24.9.2014 04:43, Endi Sukma De
On Fri, Sep 26, 2014 at 10:44:16AM -0400, Simo Sorce wrote:
> On Fri, 26 Sep 2014 13:54:34 +0200
> Martin Kosek wrote:
>
> > >> I tested the patch (it works fine with Dogtag 10), but I got very
> > >> confused.
> > >>
> > >> What CA option are we setting? Signing algorithm or Key Algorithm?
> > >
Hi all,
The Dogtag lightweight sub-CAs design has undergone major revision
and expansion ahead of beginning the implementation (I plan to begin
later this week). This feature will provide an API for admins to
create sub-CAs for separate security domains and augment the
existing API so that certif
On Tue, Oct 07, 2014 at 01:47:05PM +0200, Martin Kosek wrote:
> On 10/07/2014 05:31 AM, Fraser Tweedale wrote:
> > Hi all,
> >
> > The Dogtag lightweight sub-CAs design has undergone major revision
> > and expansion ahead of beginning the implementation (I plan t
On Tue, Oct 07, 2014 at 09:40:12AM -0400, Simo Sorce wrote:
> On Tue, 07 Oct 2014 09:29:33 -0400
> Rob Crittenden wrote:
>
> > Simo Sorce wrote:
> > > On Tue, 07 Oct 2014 13:47:05 +0200
> > > Martin Kosek wrote:
> > >
> > >> On 10/0
On Sat, Oct 18, 2014 at 06:42:38PM +0300, Timo Aaltonen wrote:
> On 18.10.2014 18:39, Timo Aaltonen wrote:
> >
> > Hi!
> >
> > I'm happy to announce that Dogtag (version 10.2.0) has finally entered
> > Debian unstable repository this week. Assuming there won't be any nasty
> > surprises, th
Hi all,
The precise meaning and usage of the "Needs UI design" field in Trac
is not clear to me. It has five values:
-
- Not needed
- Review
- Consult
- Design
What is the purpose of this field and the meanings of the different
values? And a more general question: is there a resource anywhere
On Mon, Nov 24, 2014 at 09:23:50AM +0100, Martin Kosek wrote:
> On 11/24/2014 08:39 AM, Fraser Tweedale wrote:
> > Hi all,
> >
> > The precise meaning and usage of the "Needs UI design" field in Trac
> > is not clear to me. It has five values:
>
On Tue, Nov 25, 2014 at 10:13:59AM +1000, Fraser Tweedale wrote:
> On Mon, Nov 24, 2014 at 09:23:50AM +0100, Martin Kosek wrote:
> > On 11/24/2014 08:39 AM, Fraser Tweedale wrote:
> > > Hi all,
> > >
> > > The precise meaning and usage of the "Needs UI de
On Wed, Mar 25, 2015 at 12:09:09PM +0100, Martin Babinsky wrote:
> This should be patch 20 I think. I must make some cleanup in my patch
> numbers.
>
> https://fedorahosted.org/freeipa/ticket/4885
>
> --
> Martin^3 Babinsky
ACK
> From 7e0f8b4d65f6c3f8c7d14f154aa5ef80bb064c4c Mon Sep 17 00:00:0
Hi all,
Fraser Tweedale, brand new Red Hatter, working in the Brisbane
office on FreeIPA/Dogtag, and needing the wisdom of seasoned IPA
developers on how best to set things up.
In particular, is it common to be developing in VMs, and if so, do
the various components (DS, Dogtag, IPA etc) under
Hi all,
What's are the versions of Python that must be supported in the
freeipa codebase? And do older branches have to support earlier
versions?
Any Python language features that should be avoided, by policy?
Forward-portability considerations?
I look forward to your responses and will write i
Hi all,
I've been working on a fix for a profile issue
(https://fedorahosted.org/freeipa/ticket/2915). Unfortunately I
find the scripts/compose_pki_core_packages -> yum install -> test
cycle frustratingly slow on idm.lab.bos. Is there a quicker way
to build and test the software - particularly a
On Tue, May 27, 2014 at 05:57:40PM -0400, Ade Lee wrote:
> There have been a couple of changes in the Dogtag interface, that
> require some changes in the IPA patches. Also, I had to add back a
> function in order to rebase to the latest IPA code.
>
> Most are the patches are as before, attached
Hi all,
Today I hit the "WARNING: Your system is running out of entropy, you
may experience long delays" message while testing Ade's
ipa-server-install changes.
I got a lot more entropy a lot faster by installing haveged(8), and
I blogged about it here:
http://blog-ftweedal.rhcloud.com/2014/05/mo
On Wed, May 28, 2014 at 01:38:05PM +0200, Martin Kosek wrote:
> On 05/28/2014 12:08 PM, Petr Viktorin wrote:
> > On 05/28/2014 09:06 AM, Fraser Tweedale wrote:
> >> Hi all,
> >>
> >> Today I hit the "WARNING: Your system is running out of entropy, you
>
On Wed, May 28, 2014 at 03:53:01PM +0200, Petr Viktorin wrote:
> On 05/28/2014 08:48 AM, Fraser Tweedale wrote:
> >On Tue, May 27, 2014 at 05:57:40PM -0400, Ade Lee wrote:
> >>There have been a couple of changes in the Dogtag interface, that
> >>require some changes i
nd
provide a starting place for discussions on workflow improvements.
Cheers,
Fraser
> --
> Endi S. Dewata
>
> On 5/27/2014 2:00 AM, Fraser Tweedale wrote:
> >Hi all,
> >
> >I've been working on a fix for a profile issue
> >(https://fedorahosted.org
On Tue, May 27, 2014 at 12:20:46PM +0200, Martin Kosek wrote:
> On 05/27/2014 09:00 AM, Fraser Tweedale wrote:
> > Hi all,
> >
> > I've been working on a fix for a profile issue
> > (https://fedorahosted.org/freeipa/ticket/2915). Unfortunately I
> > find
1 - 100 of 390 matches
Mail list logo