[Freeipa-devel] new developer; development environment

2014-04-30 Thread Fraser Tweedale
Hi all, Fraser Tweedale, brand new Red Hatter, working in the Brisbane office on FreeIPA/Dogtag, and needing the wisdom of seasoned IPA developers on how best to set things up. In particular, is it common to be developing in VMs, and if so, do the various components (DS, Dogtag, IPA etc) under

[Freeipa-devel] minimum python version

2014-05-05 Thread Fraser Tweedale
Hi all, What are the versions of Python that must be supported in the freeipa codebase? And do older branches have to support earlier versions? Any Python language features that should be avoided, by policy? Forward-portability considerations? I look forward to your responses and will write

[Freeipa-devel] faster ways to build/test dogtag?

2014-05-27 Thread Fraser Tweedale
Hi all, I've been working on a fix for a profile issue (https://fedorahosted.org/freeipa/ticket/2915). Unfortunately I find the scripts/compose_pki_core_packages - yum install - test cycle frustratingly slow on idm.lab.bos. Is there a quicker way to build and test the software - particularly as

Re: [Freeipa-devel] [PATCH] 6 - Dogtag DRM -IPA plugin

2014-05-28 Thread Fraser Tweedale
On Tue, May 27, 2014 at 05:57:40PM -0400, Ade Lee wrote: There have been a couple of changes in the Dogtag interface, that require some changes in the IPA patches. Also, I had to add back a function in order to rebase to the latest IPA code. Most are the patches are as before, attached to

[Freeipa-devel] running out of entropy during ipa-server-install

2014-05-28 Thread Fraser Tweedale
Hi all, Today I hit the WARNING: Your system is running out of entropy, you may experience long delays message while testing Ade's ipa-server-install changes. I got a lot more entropy a lot faster by installing haveged(8), and I blogged about it here:

Re: [Freeipa-devel] running out of entropy during ipa-server-install

2014-05-28 Thread Fraser Tweedale
On Wed, May 28, 2014 at 01:38:05PM +0200, Martin Kosek wrote: On 05/28/2014 12:08 PM, Petr Viktorin wrote: On 05/28/2014 09:06 AM, Fraser Tweedale wrote: Hi all, Today I hit the WARNING: Your system is running out of entropy, you may experience long delays message while testing Ade's

Re: [Freeipa-devel] [PATCH] 6 - Dogtag DRM -IPA plugin

2014-05-28 Thread Fraser Tweedale
On Wed, May 28, 2014 at 03:53:01PM +0200, Petr Viktorin wrote: On 05/28/2014 08:48 AM, Fraser Tweedale wrote: On Tue, May 27, 2014 at 05:57:40PM -0400, Ade Lee wrote: There have been a couple of changes in the Dogtag interface, that require some changes in the IPA patches. Also, I had to add

Re: [Freeipa-devel] faster ways to build/test dogtag?

2014-06-10 Thread Fraser Tweedale
On Tue, May 27, 2014 at 12:20:46PM +0200, Martin Kosek wrote: On 05/27/2014 09:00 AM, Fraser Tweedale wrote: Hi all, I've been working on a fix for a profile issue (https://fedorahosted.org/freeipa/ticket/2915). Unfortunately I find the scripts/compose_pki_core_packages - yum install

[Freeipa-devel] user certificates

2014-06-11 Thread Fraser Tweedale
Hi all, Use cases are emerging for user certificates in FreeIPA. Some include: - VPN certificates. A user logs into an IPA domain. They are not connected to a wired network so a background service (SSSD or other) acquires a short-lived client certificate for connecting to the company

Re: [Freeipa-devel] user certificates

2014-06-11 Thread Fraser Tweedale
On Wed, Jun 11, 2014 at 08:55:20AM -0400, John Dennis wrote: On 06/11/2014 04:02 AM, Fraser Tweedale wrote: There are other use cases for user certificates, e.g. client authentication for HTTP or other network services. Perhaps you know of others - in which case let us know. 802.11

Re: [Freeipa-devel] [PATCHES] 0581-0582 ipalib.config: Only convert numeric values to float

2014-06-15 Thread Fraser Tweedale
On Fri, Jun 13, 2014 at 02:12:41PM +0200, Petr Viktorin wrote: First patch: minor fix in env loading Second patch: When api.env is loaded, strings that look like floats get auto-converted to floats. This is wrong, as the conversion can lose precision, which matters for the new

Re: [Freeipa-devel] [PATCH] 680-682 webui: validation reporting improvements

2014-06-27 Thread Fraser Tweedale
On Wed, Jun 25, 2014 at 06:58:52PM +0200, Petr Vobornik wrote: Patch 618 fixes a bug. Patches 680 and 681 were implemented along with it. They address pspacek's usability rant :). [PATCH] 680 webui: show notification instead of modal dialog on validation error [PATCH] 681 webui: fix

Re: [Freeipa-devel] [PATCH] 680-682 webui: validation reporting improvements

2014-06-29 Thread Fraser Tweedale
On Fri, Jun 27, 2014 at 10:54:39AM +0200, Petr Vobornik wrote: On 27.6.2014 09:48, Fraser Tweedale wrote: On Wed, Jun 25, 2014 at 06:58:52PM +0200, Petr Vobornik wrote: Patch 618 fixes a bug. Patches 680 and 681 were implemented along with it. They address pspacek's usability rant

Re: [Freeipa-devel] [PATCH] 692 webui: capitalize labels of undo and undo all buttons

2014-06-30 Thread Fraser Tweedale
On Fri, Jun 27, 2014 at 02:11:47PM +0200, Petr Vobornik wrote: Make the label of these buttons consistent with other buttons which have capital first letters. -- Petr Vobornik From 7214242fb0c5accc45b6af476a8ff7e7b1a7883f Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com

Re: [Freeipa-devel] [PATCH] 692 webui: capitalize labels of undo and undo all buttons

2014-07-01 Thread Fraser Tweedale
On Mon, Jun 30, 2014 at 10:54:28AM +0200, Petr Vobornik wrote: On 30.6.2014 09:13, Fraser Tweedale wrote: On Fri, Jun 27, 2014 at 02:11:47PM +0200, Petr Vobornik wrote: Make the label of these buttons consistent with other buttons which have capital first letters. -- Petr Vobornik From

Re: [Freeipa-devel] [PATCH] 694 webui: new navigation structure

2014-07-03 Thread Fraser Tweedale
On Wed, Jul 02, 2014 at 04:14:13PM +0200, Petr Vobornik wrote: https://fedorahosted.org/freeipa/ticket/4418 according to the latest proposal: http://www.redhat.com/archives/freeipa-devel/2014-June/msg00839.html -- Petr Vobornik Haven't run the webui tests but lines up with the proposal and

Re: [Freeipa-devel] [PATCH] 0009 Detect and configure all usable IP addresses.

2014-08-27 Thread Fraser Tweedale
On Wed, Aug 27, 2014 at 03:17:37PM +0200, Martin Kosek wrote: On 08/27/2014 02:24 PM, David Kupka wrote: ... 2) do not use map(), FreeIPA doesn't like it Well, it is not that FreeIPA does not like it, it is just more Pythonic to use list comprehension and not functional-language remnants

Re: [Freeipa-devel] [PATCH] 755 webui-ci: case-insensitive record check

2014-09-24 Thread Fraser Tweedale
On Wed, Sep 24, 2014 at 09:16:52AM -0500, Endi Sukma Dewata wrote: On 9/24/2014 8:26 AM, Petr Vobornik wrote: On 24.9.2014 04:43, Endi Sukma Dewata wrote: On 9/22/2014 9:49 AM, Petr Vobornik wrote: [PATCH] webui-ci: case-insensitive record check Indirect associations are no longer lower

Re: [Freeipa-devel] [PATCH] 755 webui-ci: case-insensitive record check

2014-09-25 Thread Fraser Tweedale
On Thu, Sep 25, 2014 at 09:44:03AM +0200, Petr Viktorin wrote: On 09/25/2014 03:30 AM, Fraser Tweedale wrote: On Wed, Sep 24, 2014 at 09:16:52AM -0500, Endi Sukma Dewata wrote: On 9/24/2014 8:26 AM, Petr Vobornik wrote: On 24.9.2014 04:43, Endi Sukma Dewata wrote: On 9/22/2014 9:49 AM, Petr

Re: [Freeipa-devel] [PATCH] 314 Allow specifying key algorithm of the IPA CA cert in ipa-server-install

2014-09-28 Thread Fraser Tweedale
On Fri, Sep 26, 2014 at 10:44:16AM -0400, Simo Sorce wrote: On Fri, 26 Sep 2014 13:54:34 +0200 Martin Kosek mko...@redhat.com wrote: I tested the patch (it works fine with Dogtag 10), but I got very confused. What CA option are we setting? Signing algorithm or Key Algorithm? I

[Freeipa-devel] Dogtag lightweight sub-CAs; updated design

2014-10-06 Thread Fraser Tweedale
Hi all, The Dogtag lightweight sub-CAs design has undergone major revision and expansion ahead of beginning the implementation (I plan to begin later this week). This feature will provide an API for admins to create sub-CAs for separate security domains and augment the existing API so that

Re: [Freeipa-devel] Dogtag lightweight sub-CAs; updated design

2014-10-12 Thread Fraser Tweedale
On Tue, Oct 07, 2014 at 01:47:05PM +0200, Martin Kosek wrote: On 10/07/2014 05:31 AM, Fraser Tweedale wrote: Hi all, The Dogtag lightweight sub-CAs design has undergone major revision and expansion ahead of beginning the implementation (I plan to begin later this week). This feature

Re: [Freeipa-devel] Dogtag lightweight sub-CAs; updated design

2014-10-13 Thread Fraser Tweedale
On Tue, Oct 07, 2014 at 09:40:12AM -0400, Simo Sorce wrote: On Tue, 07 Oct 2014 09:29:33 -0400 Rob Crittenden rcrit...@redhat.com wrote: Simo Sorce wrote: On Tue, 07 Oct 2014 13:47:05 +0200 Martin Kosek mko...@redhat.com wrote: On 10/07/2014 05:31 AM, Fraser Tweedale wrote

Re: [Freeipa-devel] [Pki-devel] Dogtag 10.2.0 is now in Debian

2014-10-18 Thread Fraser Tweedale
On Sat, Oct 18, 2014 at 06:42:38PM +0300, Timo Aaltonen wrote: On 18.10.2014 18:39, Timo Aaltonen wrote: Hi! I'm happy to announce that Dogtag (version 10.2.0) has finally entered the Debian unstable repository this week. Assuming there won't be any nasty surprises, the next

[Freeipa-devel] Meaning of Needs UI design field in Trac?

2014-11-23 Thread Fraser Tweedale
Hi all, The precise meaning and usage of the Needs UI design field in Trac is not clear to me. It has five values: - blank - Not needed - Review - Consult - Design What is the purpose of this field and the meanings of the different values? And a more general question: is there a resource

Re: [Freeipa-devel] Meaning of Needs UI design field in Trac?

2014-11-24 Thread Fraser Tweedale
On Mon, Nov 24, 2014 at 09:23:50AM +0100, Martin Kosek wrote: On 11/24/2014 08:39 AM, Fraser Tweedale wrote: Hi all, The precise meaning and usage of the Needs UI design field in Trac is not clear to me. It has five values: - blank - Not needed - Review - Consult - Design

Re: [Freeipa-devel] Meaning of Needs UI design field in Trac?

2014-11-25 Thread Fraser Tweedale
On Tue, Nov 25, 2014 at 10:13:59AM +1000, Fraser Tweedale wrote: On Mon, Nov 24, 2014 at 09:23:50AM +0100, Martin Kosek wrote: On 11/24/2014 08:39 AM, Fraser Tweedale wrote: Hi all, The precise meaning and usage of the Needs UI design field in Trac is not clear to me. It has five

Re: [Freeipa-devel] [PATCH 0020] show the exception message raised by dogtag._parse_ca_status during install

2015-03-25 Thread Fraser Tweedale
On Wed, Mar 25, 2015 at 12:09:09PM +0100, Martin Babinsky wrote: This should be patch 20 I think. I must make some cleanup in my patch numbers. https://fedorahosted.org/freeipa/ticket/4885 -- Martin^3 Babinsky ACK From 7e0f8b4d65f6c3f8c7d14f154aa5ef80bb064c4c Mon Sep 17 00:00:00 2001

Re: [Freeipa-devel] design review: Certificate Profiles

2015-04-27 Thread Fraser Tweedale
On Fri, Apr 17, 2015 at 02:08:29PM +0200, Martin Kosek wrote: On 04/16/2015 10:03 AM, Fraser Tweedale wrote: Hi everyone, Please review my Certificate Profiles design proposal: http://www.freeipa.org/page/V4/Certificate_Profiles Let me know what is unclear, what needs expansion, and what

Re: [Freeipa-devel] User Certificates in 4.2 - design and questions

2015-05-04 Thread Fraser Tweedale
On Mon, May 04, 2015 at 10:50:15AM +0200, Martin Kosek wrote: Hello, Please let me promote the design for one of the major FreeIPA 4.2 features, the (user) certificates and Smart Card integration: http://www.freeipa.org/page/V4/User_Certificates The design went through a couple of interim

Re: [Freeipa-devel] User Certificates in 4.2 - design and questions

2015-05-05 Thread Fraser Tweedale
On Tue, May 05, 2015 at 08:38:28AM +0200, Martin Kosek wrote: On 05/04/2015 09:23 PM, Simo Sorce wrote: On Mon, 2015-05-04 at 16:41 +0200, Martin Kosek wrote: On 05/04/2015 03:01 PM, Fraser Tweedale wrote: On Mon, May 04, 2015 at 10:50:15AM +0200, Martin Kosek wrote: Hello, Please let

Re: [Freeipa-devel] [PATCHES 0001-0005] Profile management commands

2015-05-05 Thread Fraser Tweedale
On Mon, May 04, 2015 at 06:35:45PM +0200, Martin Basti wrote: On 04/05/15 15:36, Fraser Tweedale wrote: Hello, Please review the first cut of the 'certprofile' command and other changes associated with the Certificate Profiles feature[1]. Custom profiles can't be used yet because 'cert

Re: [Freeipa-devel] [PATCHES 0001-0005] Profile management commands

2015-05-13 Thread Fraser Tweedale
Hi Jan, thanks for review. Comments inline. On Wed, May 13, 2015 at 10:06:04AM +0200, Jan Cholasta wrote: Hi, Dne 5.5.2015 v 10:38 Martin Basti napsal(a): On 05/05/15 08:29, Fraser Tweedale wrote: On Mon, May 04, 2015 at 06:35:45PM +0200, Martin Basti wrote: On 04/05/15 15:36, Fraser

[Freeipa-devel] [PATCHES 0001-0007] Profile management

2015-05-15 Thread Fraser Tweedale
Martin Basti napsal(a): On 13/05/15 10:06, Jan Cholasta wrote: Hi, Dne 5.5.2015 v 10:38 Martin Basti napsal(a): On 05/05/15 08:29, Fraser Tweedale wrote: On Mon, May 04, 2015 at 06:35:45PM +0200, Martin Basti wrote: On 04/05/15 15:36, Fraser Tweedale wrote: Hello, Please review the first

Re: [Freeipa-devel] Revoking user/service/host certificates

2015-05-18 Thread Fraser Tweedale
On Mon, May 18, 2015 at 11:51:41AM +0200, Martin Kosek wrote: Hi Fraser (and list), Recently, we have proposed 2 new policies for treating user/host/service certificates based on the per-profile policy: a) If the certificate is stored in the userCertificate attribute b) If the certificate is

Re: [Freeipa-devel] [PATCHES 0001-0005] Profile management commands

2015-05-13 Thread Fraser Tweedale
On Wed, May 13, 2015 at 01:19:49PM +0200, Jan Cholasta wrote: Dne 13.5.2015 v 11:41 Fraser Tweedale napsal(a): Hi Jan, thanks for review. Comments inline. On Wed, May 13, 2015 at 10:06:04AM +0200, Jan Cholasta wrote: 12) IMO the profile backend should be merged into the ra backend. I don't

Re: [Freeipa-devel] [PATCHES 0001-0007] Profile management

2015-05-19 Thread Fraser Tweedale
On Tue, May 19, 2015 at 10:52:49AM +0200, Jan Cholasta wrote: Dne 15.5.2015 v 14:27 Martin Basti napsal(a): On 15/05/15 10:24, Fraser Tweedale wrote: Please find attached latest patches including new patches: - 0006 enable LDAP-based profiles in Dogtag on upgrade - 0007 import included

[Freeipa-devel] design review: Certificate Profiles

2015-04-16 Thread Fraser Tweedale
Hi everyone, Please review my Certificate Profiles design proposal: http://www.freeipa.org/page/V4/Certificate_Profiles Let me know what is unclear, what needs expansion, and what is plain wrong :) The schema for storing multiple certificates for a principal is still being discussed but I

Re: [Freeipa-devel] design review: Certificate Profiles

2015-04-17 Thread Fraser Tweedale
On Fri, Apr 17, 2015 at 07:26:55AM +0200, David Kupka wrote: On 04/16/2015 10:03 AM, Fraser Tweedale wrote: Hi everyone, Please review my Certificate Profiles design proposal: http://www.freeipa.org/page/V4/Certificate_Profiles Let me know what is unclear, what needs expansion, and what

Re: [Freeipa-devel] design review: Certificate Profiles

2015-04-17 Thread Fraser Tweedale
On Fri, Apr 17, 2015 at 10:03:45AM +0200, Jan Cholasta wrote: Dne 17.4.2015 v 09:45 Fraser Tweedale napsal(a): On Fri, Apr 17, 2015 at 07:26:55AM +0200, David Kupka wrote: On 04/16/2015 10:03 AM, Fraser Tweedale wrote: Hi everyone, Please review my Certificate Profiles design proposal

Re: [Freeipa-devel] design review: Certificate Profiles

2015-04-18 Thread Fraser Tweedale
On Fri, Apr 17, 2015 at 02:56:28PM -0400, Simo Sorce wrote: On Fri, 2015-04-17 at 14:08 +0200, Martin Kosek wrote: On 04/16/2015 10:03 AM, Fraser Tweedale wrote: Hi everyone, Please review my Certificate Profiles design proposal: http://www.freeipa.org/page/V4/Certificate_Profiles

Re: [Freeipa-devel] design review: Certificate Profiles

2015-04-18 Thread Fraser Tweedale
On Fri, Apr 17, 2015 at 02:21:16PM +0200, Milan Kubik wrote: On 04/16/2015 10:03 AM, Fraser Tweedale wrote: Hi everyone, Please review my Certificate Profiles design proposal: http://www.freeipa.org/page/V4/Certificate_Profiles Let me know what is unclear, what needs expansion, and what

[Freeipa-devel] IPAUpgrade.create_instance causing ipa-server-install failure

2015-05-19 Thread Fraser Tweedale
I am experiencing ipa-server-install failure which seems to be caused by IPAUpgrade.__start_nowait() (upgradeinstance.py:174). It is claimed that the LDAP connection will wait for the (Unix) socket but it does not - instead it fails to connect. Did something change recently that would cause the

Re: [Freeipa-devel] [PATCHES 0001-0007] Profile management

2015-05-19 Thread Fraser Tweedale
On Wed, May 20, 2015 at 07:40:44AM +0200, Jan Cholasta wrote: Dne 19.5.2015 v 13:50 Fraser Tweedale napsal(a): On Tue, May 19, 2015 at 10:52:49AM +0200, Jan Cholasta wrote: Dne 15.5.2015 v 14:27 Martin Basti napsal(a): On 15/05/15 10:24, Fraser Tweedale wrote: Please find attached latest

Re: [Freeipa-devel] [UPSTREAM_FAILURES] Latest changes affect freeipa builds and client configuration

2015-05-19 Thread Fraser Tweedale
On Tue, May 19, 2015 at 05:42:15PM +0200, Martin Babinsky wrote: Hello Oleg, On 05/19/2015 05:21 PM, Oleg Fayans wrote: Dear colleagues, I would like to notify you that: 1. some of the recent changes in the upstream repo have broken the freeipa-client configuration. The symptoms are as

Re: [Freeipa-devel] [PATCHES 0001-0007] Profile management

2015-05-20 Thread Fraser Tweedale
On Tue, May 19, 2015 at 10:52:49AM +0200, Jan Cholasta wrote: Dne 15.5.2015 v 14:27 Martin Basti napsal(a): On 15/05/15 10:24, Fraser Tweedale wrote: Please find attached latest patches including new patches: - 0006 enable LDAP-based profiles in Dogtag on upgrade - 0007 import included

Re: [Freeipa-devel] TypeError at ipa-server-uninstall

2015-06-02 Thread Fraser Tweedale
On Tue, Jun 02, 2015 at 10:37:43AM +0200, Oleg Fayans wrote: Hi all, I've just caught a TypeError while performing the ipa-server-install --uninstall on replicas running the latest ipa code (without today's patches from Ludwig, though). Martin Basti's PATCH 0262 (not yet pushed) fixes this

Re: [Freeipa-devel] [PATCH 0014 v3] Support multiple user and host certificates

2015-06-02 Thread Fraser Tweedale
On Mon, Jun 01, 2015 at 02:50:45PM +0200, Martin Basti wrote: On 01/06/15 06:40, Fraser Tweedale wrote: New version of patch; ``{host,service}-show --out=FILE`` now writes all certs to FILE. Rebased on latest master. Thanks, Fraser On Thu, May 28, 2015 at 09:18:04PM +1000, Fraser

Re: [Freeipa-devel] [PATCH 0262] Installer FIX: remove temporal ccache

2015-06-02 Thread Fraser Tweedale
On Mon, Jun 01, 2015 at 04:47:46PM +0200, Martin Basti wrote: On 01/06/15 16:14, Rob Crittenden wrote: Martin Basti wrote: Fixes an issue caused by the latest installer patches pushed to master. Patch attached. The use of globals makes my skin crawl a bit, but since you're making

[Freeipa-devel] [PATCH] 0016..0018 profiles regression fixes

2015-06-05 Thread Fraser Tweedale
Patches 16 and 17 fix regressions in the default profile. Patch 18 fixes the `ipa-replica-install --setup-ca' breakage. Cheers, Fraser From bc2b1d729c50dc1ae88a5e5709f655ea2f5ecd66 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale ftwee...@redhat.com Date: Thu, 4 Jun 2015 22:49:01 -0400 Subject

Re: [Freeipa-devel] [PATCH] 0016..0018 profiles regression fixes

2015-06-05 Thread Fraser Tweedale
On Fri, Jun 05, 2015 at 01:00:14PM +0200, Martin Basti wrote: On 05/06/15 11:47, Fraser Tweedale wrote: Patches 16 and 17 fix regressions in the default profile. Patch 18 fixes the `ipa-replica-install --setup-ca' breakage. Cheers, Fraser NACK, sorry ./make-lint

Re: [Freeipa-devel] [PATCH 0014 v3] Support multiple user and host certificates

2015-06-03 Thread Fraser Tweedale
On Wed, Jun 03, 2015 at 01:55:47PM +0200, Milan Kubik wrote: On 06/03/2015 01:17 PM, Martin Basti wrote: On 02/06/15 16:03, Jan Cholasta wrote: Dne 2.6.2015 v 12:36 Martin Basti napsal(a): On 02/06/15 11:42, Fraser Tweedale wrote: On Mon, Jun 01, 2015 at 02:50:45PM +0200, Martin Basti wrote

Re: [Freeipa-devel] [PATCHES 00012-0013 v7] Profiles and CA ACLs

2015-06-09 Thread Fraser Tweedale
On Tue, Jun 09, 2015 at 04:37:56PM +0200, Martin Basti wrote: On 09/06/15 08:58, Fraser Tweedale wrote: On Mon, Jun 08, 2015 at 08:49:06AM +0200, Martin Kosek wrote: On 06/08/2015 03:31 AM, Fraser Tweedale wrote: New patches attached. Comments inline. Thanks Fraser! ... 5) Missing

Re: [Freeipa-devel] [PATCHES 00012-0013 v7] Profiles and CA ACLs

2015-06-07 Thread Fraser Tweedale
there is an error in HBAC ipa plugin, I will send fix) Removed. Thanks for reviewing! Fraser From c8ca3e613487fa8f14ded1533588872205bbe1de Mon Sep 17 00:00:00 2001 From: Fraser Tweedale ftwee...@redhat.com Date: Mon, 25 May 2015 08:39:07 -0400 Subject: [PATCH 12/13] Add CA ACL plugin Implement the caacl

[Freeipa-devel] [PATCH] 0020..0022 pki-related upgrade fixes

2015-06-19 Thread Fraser Tweedale
] https://copr.fedoraproject.org/coprs/ftweedal/freeipa/ [2] https://ftweedal.fedorapeople.org/pki-core-10.2.5-0.2.fc21.src.rpm Thanks, Fraser From 00848315ad19a9acdc132904c143c8951e028e67 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale ftwee...@redhat.com Date: Fri, 19 Jun 2015 01:37:26 -0400 Subject

Re: [Freeipa-devel] [PATCH] 0020..0022 pki-related upgrade fixes

2015-06-19 Thread Fraser Tweedale
On Fri, Jun 19, 2015 at 09:38:01AM +0200, Martin Kosek wrote: On 06/19/2015 09:28 AM, Fraser Tweedale wrote: The attached patches fix upgrade issues when pki is also updated from pre 10.2.4. pki dependency is bumped to 10.2.5 - the official builds should be done Friday (US time

Re: [Freeipa-devel] Need to figure out how to make a schema change

2015-06-18 Thread Fraser Tweedale
On Thu, Jun 18, 2015 at 11:02:03AM -0700, Nathan Kinder wrote: On 06/18/2015 10:45 AM, Ade Lee wrote: In order for IPA to use some new functionality in Profile Management and Sub CAs, we need to add some additional schema to the Dogtag LDAP instance. Fraser has written a Dogtag

Re: [Freeipa-devel] [PATCH 0003] Fix for a typo in certprofile mod command.

2015-06-19 Thread Fraser Tweedale
On Fri, Jun 19, 2015 at 12:04:43PM +0200, Milan Kubik wrote: Patch attached. Milan ACK -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] with new cert profiles patches ipa-replica-prepare fails after update

2015-06-11 Thread Fraser Tweedale
On Thu, Jun 11, 2015 at 09:59:03AM +0200, Martin Babinsky wrote: On 06/04/2015 04:03 PM, Petr Vobornik wrote: - ipa-replica-prepare works - old IPA server was upgraded to today's master (with Cert profiles patches) - ipa-replica-prepare fails with: Log: ipa: DEBUG: approved_usage = SSL

Re: [Freeipa-devel] FreeIPA 4.2 Alpha preparations

2015-06-16 Thread Fraser Tweedale
On Tue, Jun 16, 2015 at 05:10:00PM +0200, Martin Kosek wrote: On 06/12/2015 11:34 AM, Martin Kosek wrote: Hello all, As discussed in the last 2 weeks, we are getting close to the 4.2 finish line and releasing FreeIPA 4.2 Alpha 1. We already have most of the major RFEs complete, some

[Freeipa-devel] update on freeipa 4.2 pki issues

2015-06-16 Thread Fraser Tweedale
I fixed several issues which broke Dogtag upgrades involving particular versions; these will be in the next release. I haven't yet gotten to the reported failure running ipa-replica-upgrade on a replica (but I haven't forgotten about it either.) This is the only issue affecting *fresh

Re: [Freeipa-devel] [PATCH] 0019 Server upgrade: disconnect ldap2 before DS restart

2015-06-12 Thread Fraser Tweedale
On Fri, Jun 12, 2015 at 10:00:18PM +1000, Fraser Tweedale wrote: From eb1043521317e5759444caaedef1fd81eda55b47 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale ftwee...@redhat.com Date: Fri, 12 Jun 2015 07:54:23 -0400 Subject: [PATCH] Server upgrade: disconnect ldap2 before DS restart

[Freeipa-devel] [PATCH] 0019 Server upgrade: disconnect ldap2 before DS restart

2015-06-12 Thread Fraser Tweedale
Attached patch fixes an upgrade issue from 4.1.4 to master. With this patch upgrade works, and ipa-replica-prepare works on upgraded server. Thanks, Fraser From eb1043521317e5759444caaedef1fd81eda55b47 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale ftwee...@redhat.com Date: Fri, 12 Jun 2015 07

Re: [Freeipa-devel] [PATCH] 0019 Server upgrade: disconnect ldap2 before DS restart

2015-06-12 Thread Fraser Tweedale
On Fri, Jun 12, 2015 at 02:17:30PM +0200, Martin Basti wrote: On 12/06/15 14:12, Fraser Tweedale wrote: On Fri, Jun 12, 2015 at 10:00:18PM +1000, Fraser Tweedale wrote: From eb1043521317e5759444caaedef1fd81eda55b47 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale ftwee...@redhat.com Date: Fri

Re: [Freeipa-devel] update on freeipa 4.2 pki issues

2015-06-17 Thread Fraser Tweedale
by Dogtag and is used only by the Dogtag directory tree (under DN o=ipa-ca). I will do an online update. Cheers, Fraser On 06/17/2015 07:52 AM, Martin Kosek wrote: On 06/16/2015 06:39 PM, Fraser Tweedale wrote: I fixed several issues which broke Dogtag upgrades involving particular versions

Re: [Freeipa-devel] FreeIPA 4.2 Alpha preparations

2015-06-17 Thread Fraser Tweedale
On Wed, Jun 17, 2015 at 07:55:10AM +0200, Martin Kosek wrote: On 06/16/2015 05:29 PM, Fraser Tweedale wrote: On Tue, Jun 16, 2015 at 05:10:00PM +0200, Martin Kosek wrote: On 06/12/2015 11:34 AM, Martin Kosek wrote: Hello all, As discussed in the last 2 weeks, we are getting close to the 4.2

Re: [Freeipa-devel] with new cert profiles patches ipa-replica-prepare fails after update

2015-06-17 Thread Fraser Tweedale
On Fri, Jun 12, 2015 at 03:47:38PM +0200, Petr Vobornik wrote: On 06/12/2015 03:18 PM, Fraser Tweedale wrote: On Thu, Jun 11, 2015 at 09:59:03AM +0200, Martin Babinsky wrote: On 06/04/2015 04:03 PM, Petr Vobornik wrote: - ipa-replica-prepare works - old IPA server was upgraded to today's

Re: [Freeipa-devel] update on freeipa 4.2 pki issues

2015-06-17 Thread Fraser Tweedale
On Wed, Jun 17, 2015 at 01:43:03PM +0200, thierry bordaz wrote: On 06/17/2015 01:09 PM, Fraser Tweedale wrote: On Wed, Jun 17, 2015 at 12:28:33PM +0200, thierry bordaz wrote: Hello Fraser, The schema is propagated to all replicas. So if you update the schema, the updates

Re: [Freeipa-devel] [PATCHES 00012-0013 v7] Profiles and CA ACLs

2015-06-10 Thread Fraser Tweedale
On Wed, Jun 10, 2015 at 03:50:22PM +0200, Martin Basti wrote: On 10/06/15 13:57, Martin Kosek wrote: On 06/10/2015 01:50 PM, Jan Cholasta wrote: Dne 10.6.2015 v 13:44 Martin Basti napsal(a): On 10/06/15 06:40, Fraser Tweedale wrote: On Tue, Jun 09, 2015 at 04:37:56PM +0200, Martin Basti wrote

Re: [Freeipa-devel] with new cert profiles patches ipa-replica-prepare fails after update

2015-06-12 Thread Fraser Tweedale
On Thu, Jun 11, 2015 at 09:59:03AM +0200, Martin Babinsky wrote: On 06/04/2015 04:03 PM, Petr Vobornik wrote: - ipa-replica-prepare works - old IPA server was upgraded to today's master (with Cert profiles patches) - ipa-replica-prepare fails with: Log: ipa: DEBUG: approved_usage = SSL

Re: [Freeipa-devel] Yet another user certificates/Smart Card thread

2015-05-27 Thread Fraser Tweedale
On Tue, May 26, 2015 at 07:49:10AM +0200, Martin Kosek wrote: On 05/25/2015 04:40 PM, Jan Cholasta wrote: Dne 25.5.2015 v 16:26 Fraser Tweedale napsal(a): On Mon, May 25, 2015 at 03:56:46PM +0200, Martin Kosek wrote: On 05/25/2015 03:13 PM, Jan Cholasta wrote: Hi, Dne 25.5.2015 v 14:55

Re: [Freeipa-devel] [PATCHES 0001-0013 v5] Profiles and CA ACLs

2015-05-28 Thread Fraser Tweedale
On Thu, May 28, 2015 at 02:42:53PM +0200, Martin Basti wrote: On 28/05/15 11:48, Martin Basti wrote: On 27/05/15 16:04, Fraser Tweedale wrote: Hello all, Fresh certificate management patchset; Changelog: - Now depends on patch freeipa-ftweedal-0014 for correct cert-request behaviour

Re: [Freeipa-devel] [PATCH 0014 v3] Support multiple user and host certificates

2015-05-31 Thread Fraser Tweedale
New version of patch; ``{host,service}-show --out=FILE`` now writes all certs to FILE. Rebased on latest master. Thanks, Fraser On Thu, May 28, 2015 at 09:18:04PM +1000, Fraser Tweedale wrote: Updated patch attached. Notably restores/adds revocation behaviour to host-mod and service-mod

Re: [Freeipa-devel] [PATCHES 0001-0013 v5.1] Profiles and CA ACLs

2015-06-01 Thread Fraser Tweedale
On Mon, Jun 01, 2015 at 05:10:58PM +1000, Fraser Tweedale wrote: On Fri, May 29, 2015 at 01:03:46PM +0200, Martin Kosek wrote: On 05/29/2015 11:21 AM, Martin Basti wrote: On 29/05/15 06:17, Fraser Tweedale wrote: On Thu, May 28, 2015 at 02:42:53PM +0200, Martin Basti wrote: On 28/05/15 11

[Freeipa-devel] [PATCH 0014] Support multiple user and host certificates

2015-05-27 Thread Fraser Tweedale
333654797908ab6a71a84b51723bd1d5e59637d0 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale ftwee...@redhat.com Date: Wed, 27 May 2015 08:02:08 -0400 Subject: [PATCH] Support multiple host and service certificates Update the framework to support multiple host and service certificates. host-mod now sets

Re: [Freeipa-devel] [PATCH 0014] Support multiple user and host certificates

2015-05-28 Thread Fraser Tweedale
On Wed, May 27, 2015 at 06:12:50PM +0200, Martin Basti wrote: On 27/05/15 15:53, Fraser Tweedale wrote: This patch adds support for multiple user / host certificates. No schema change is needed ('usercertificate' attribute is already multi-value). The revoke-previous-cert behaviour of host

Re: [Freeipa-devel] [PATCH 0014] Support multiple user and host certificates

2015-05-28 Thread Fraser Tweedale
On Thu, May 28, 2015 at 10:40:22AM +0200, Martin Basti wrote: On 28/05/15 10:13, Fraser Tweedale wrote: On Wed, May 27, 2015 at 06:12:50PM +0200, Martin Basti wrote: On 27/05/15 15:53, Fraser Tweedale wrote: This patch adds support for multiple user / host certificates. No schema change

Re: [Freeipa-devel] [PATCH 0014] Support multiple user and host certificates

2015-05-28 Thread Fraser Tweedale
Updated patch attached. Notably restores/adds revocation behaviour to host-mod and service-mod. Thanks, Fraser On Wed, May 27, 2015 at 06:12:50PM +0200, Martin Basti wrote: On 27/05/15 15:53, Fraser Tweedale wrote: This patch adds support for multiple user / host certificates. No schema

Re: [Freeipa-devel] [PATCH 0008-0009] use 1 as domain level to activate plugin, fix a crash when removing a replica

2015-06-02 Thread Fraser Tweedale
On Tue, Jun 02, 2015 at 10:04:55AM +0200, Ludwig Krispenz wrote: Hi, with the first patch the topo plugin no longer uses plugin version to compare to set domainlevel, always gets activated if dom level = 1 the second patch fixes a crash at replica removal Ludwig These patches fix the

[Freeipa-devel] [PATCH] 0026..0027 #5096 enforce caacl for SAN principals

2015-07-03 Thread Fraser Tweedale
The attached patches fix: - a bug that caused caacl false negatives for host principals - #5096 cert-request: enforce caacl for subjectAltName principals Thanks, Fraser From f6d7f8e58a7fcb09261ae18a8722f28da778779c Mon Sep 17 00:00:00 2001 From: Fraser Tweedale ftwee...@redhat.com Date: Fri, 3

Re: [Freeipa-devel] [PATCH] 0024..0025 Add missing certprofile features

2015-07-03 Thread Fraser Tweedale
On Thu, Jul 02, 2015 at 08:12:12PM +1000, Fraser Tweedale wrote: On Thu, Jul 02, 2015 at 11:23:49AM +0200, Jan Cholasta wrote: Hi, Dne 2.7.2015 v 11:15 Fraser Tweedale napsal(a): Attached patches fix a couple of important gaps in certprofile plugin: - Add --out option to export

Re: [Freeipa-devel] my remaining 4.2 tickets

2015-07-03 Thread Fraser Tweedale
On Fri, Jul 03, 2015 at 08:23:45AM +0200, Martin Kosek wrote: On 07/02/2015 05:58 PM, Jan Cholasta wrote: Hi, Dne 2.7.2015 v 17:18 Fraser Tweedale napsal(a): On Tue, Jun 30, 2015 at 03:46:08PM +0200, Martin Kosek wrote: On 06/30/2015 03:03 PM, Fraser Tweedale wrote: #2915 ipa-getcert does

Re: [Freeipa-devel] CA ACL enforcement when authenticated as root

2015-07-03 Thread Fraser Tweedale
On Wed, Jul 01, 2015 at 04:06:11PM +1000, Fraser Tweedale wrote: Hi everyone, With the addition of CA ACLs, there are now two levels of permissions checked by the `cert-request' command: - LDAP permission checks. This check is performed against the bind principal; `admin' has

Re: [Freeipa-devel] [PATCH] 0024..0025 Add missing certprofile features

2015-07-02 Thread Fraser Tweedale
On Thu, Jul 02, 2015 at 11:23:49AM +0200, Jan Cholasta wrote: Hi, Dne 2.7.2015 v 11:15 Fraser Tweedale napsal(a): Attached patches fix a couple of important gaps in certprofile plugin: - Add --out option to export Dogtag profile data to file https://fedorahosted.org/freeipa/ticket

[Freeipa-devel] [PATCH] 0024..0025 Add missing certprofile features

2015-07-02 Thread Fraser Tweedale
From 095331fdc2f41ea544c4ab0b1247b7c1d1969393 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale ftwee...@redhat.com Date: Thu, 2 Jul 2015 03:31:31 -0400 Subject: [PATCH 24/25] certprofile: add option to export profile config Add the `--out=FILENAME' option to `certprofile-show'. When given, it exports

[Freeipa-devel] caacl enforcement for subjectAltName principals

2015-07-02 Thread Fraser Tweedale
Hi all, cert-request ensures that any dNSName values in a CSR subjectAltName requestExtension have a corresponding service/host principal in FreeIPA and that their entries are writable by the bind principal. It currently DOES NOT enforce CA ACLs for these alternative principals, i.e. it does not

Re: [Freeipa-devel] my remaining 4.2 tickets

2015-07-02 Thread Fraser Tweedale
On Tue, Jun 30, 2015 at 03:46:08PM +0200, Martin Kosek wrote: On 06/30/2015 03:03 PM, Fraser Tweedale wrote: Hi Martin, #4559 [RFE] Support lightweight sub-CAs Remaining work is not huge but may be more than can be done this week even with Christian's help; the largest

Re: [Freeipa-devel] Fix upgrade of HTTPInstance for KDC Proxy

2015-06-29 Thread Fraser Tweedale
On Mon, Jun 29, 2015 at 11:43:32AM +0200, Christian Heimes wrote: Hello, the attached patch makes sure that HTTPInstance has an admin_conn LDAP connection. Without the LDAP connection, HTTPInstance.enable_kdcproxy() fails. Christian ACK; upgrade from 4.1.4 to master+patch works. --

Re: [Freeipa-devel] Fix removal of ipa-kdc-proxy.conf symlink

2015-06-29 Thread Fraser Tweedale
On Mon, Jun 29, 2015 at 10:54:50AM +0200, Christian Heimes wrote: Hello, the attached patch fixes the first bug that was reported by Fraser today. installutils.remove_file() uses os.path.exists() to check if the file still exists, which in turn uses stat(2). I have modified the function to

Re: [Freeipa-devel] [PATCH] 0020..0022 pki-related upgrade fixes

2015-06-29 Thread Fraser Tweedale
On Thu, Jun 25, 2015 at 11:23:01AM +0200, Martin Basti wrote: On 19/06/15 09:28, Fraser Tweedale wrote: The attached patches fix upgrade issues when pki is also updated from pre 10.2.4. pki dependency is bumped to 10.2.5 - the official builds should be done Friday (US time

[Freeipa-devel] [PATCH] 0023 Fix certprofile doc error

2015-06-29 Thread Fraser Tweedale
Attached patch fixes a small error in certprofile plugin documentation. Thanks, Fraser From 6de3a4fd9d3d250e09a75721ef7b7f0831c47ea6 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale ftwee...@redhat.com Date: Mon, 29 Jun 2015 10:28:25 -0400 Subject: [PATCH] certprofile: fix doc error --- ipalib

Re: [Freeipa-devel] [PATCH] 0024..0025 Add missing certprofile features

2015-07-04 Thread Fraser Tweedale
On Fri, Jul 03, 2015 at 10:34:07PM +1000, Fraser Tweedale wrote: On Thu, Jul 02, 2015 at 08:12:12PM +1000, Fraser Tweedale wrote: On Thu, Jul 02, 2015 at 11:23:49AM +0200, Jan Cholasta wrote: Hi, Dne 2.7.2015 v 11:15 Fraser Tweedale napsal(a): Attached patches fix a couple

Re: [Freeipa-devel] caacl enforcement for subjectAltName principals

2015-07-02 Thread Fraser Tweedale
On Thu, Jul 02, 2015 at 06:24:12PM +0200, Petr Spacek wrote: On 2.7.2015 16:33, Fraser Tweedale wrote: Hi all, cert-request ensures that any dNSName values in a CSR subjectAltName requestExtension have a corresponding service/host principal in FreeIPA and that their entries

[Freeipa-devel] my remaining 4.2 tickets

2015-06-30 Thread Fraser Tweedale
Hi Martin, #4559 [RFE] Support lightweight sub-CAs Remaining work is not huge but may be more than can be done this week even with Christian's help; the largest remaining concern being Custodia. As per discussion in team meeting, I'm going to liaise with Simo and determine a

[Freeipa-devel] CA ACL enforcement when authenticated as root

2015-07-01 Thread Fraser Tweedale
Hi everyone, With the addition of CA ACLs, there are now two levels of permissions checked by the `cert-request' command: - LDAP permission checks. This check is performed against the bind principal; `admin' has permission to write the userCertificate attribute of any principal. - CA ACLs:

Re: [Freeipa-devel] [PATCH 0254] Server Upgrade: Wait until DS is ready after restart

2015-05-25 Thread Fraser Tweedale
On Mon, May 25, 2015 at 08:13:35AM +0200, Jan Cholasta wrote: Dne 22.5.2015 v 15:53 Petr Vobornik napsal(a): On 05/21/2015 03:16 PM, Fraser Tweedale wrote: On Thu, May 21, 2015 at 01:38:43PM +0200, Martin Basti wrote: This patch should fix following traceback. 2015-05-20T03:50:41Z ERROR

[Freeipa-devel] using pyhbac for CA ACLs

2015-05-25 Thread Fraser Tweedale
Hi everyone, CA ACLs (the forthcoming `caacl' plugin) will be used to declare which users/hosts/services can get certificates from which CAs and profiles. For v4.2, we will enforce the ACLs in the framework; the plan is to move ACL enforcement to Dogtag in a future release

Re: [Freeipa-devel] using pyhbac for CA ACLs

2015-05-25 Thread Fraser Tweedale
On Mon, May 25, 2015 at 02:09:32PM +0300, Alexander Bokovoy wrote: On Mon, 25 May 2015, Fraser Tweedale wrote: Hi everyone, CA ACLs (the forthcoming `caacl' plugin) will be used to declare which users/hosts/services can get certificates from which CAs and profiles. For v4.2, we

Re: [Freeipa-devel] Yet another user certificates/Smart Card thread

2015-05-25 Thread Fraser Tweedale
On Mon, May 25, 2015 at 03:56:46PM +0200, Martin Kosek wrote: On 05/25/2015 03:13 PM, Jan Cholasta wrote: Hi, Dne 25.5.2015 v 14:55 Martin Babinsky napsal(a): Hello all, long post ahead! I became a proud owner of https://fedorahosted.org/freeipa/ticket/4238, and while Martin's

Re: [Freeipa-devel] [PATCH 0259] Server Upgrade: Wait until DS is ready after restart

2015-05-25 Thread Fraser Tweedale
On Mon, May 25, 2015 at 03:38:39PM +0200, Martin Basti wrote: On 25/05/15 13:57, Martin Basti wrote: On 25/05/15 09:20, Fraser Tweedale wrote: On Mon, May 25, 2015 at 08:13:35AM +0200, Jan Cholasta wrote: Dne 22.5.2015 v 15:53 Petr Vobornik napsal(a): On 05/21/2015 03:16 PM, Fraser Tweedale