That was the original design, however I was told that this is not
something people will be interested in. Thanks for your data point, but to
change it we probably need a couple more data points and comments.
I would be very interested as to why there was resistance or a thought that
people would
One was performance, memberOf isn't free.
The second was complexity. Let's say you define command R and assign it
to command groups A, B and C. The admin of group B needs to tweak the
command a bit so he modifies R. This could have a negative impact on
command groups A and C.
So for
Looks like there was a typo in the hostMask. The others were correct.
-attributeTypes: (2.16.840.1.113730.3.8.7.11 NAME 'hostMask' DESC 'IP mask to
identify a subnet.' EQUALITY caseIgnoreIA5Match ORDERING caseIgnoreMatch SUBSTR
caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
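Review bot: the removed hostMask definition pairs EQUALITY caseIgnoreIA5Match with SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 (Directory String) and names caseIgnoreMatch as its ORDERING rule, although caseIgnoreMatch is an equality rule (the ordering rule is caseIgnoreOrderingMatch) and the IA5 matching rules belong with the IA5String syntax 1.3.6.1.4.1.1466.115.121.1.26. The replacement line is not shown here, so confirm that the new definition keeps matching rules and syntax consistent with each other.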
objectClass: sudoRole
objectClass: top
cn: role1
sudoUser: johnny
sudoHost: ALL
sudoCommand: ALL
sudoCommand: !/bin/sh
Jr Aquino | Information Security Specialist
Citrix Online Division
Maybe I misunderstood how things
so spake JR Aquino (JR.Aquino):
Todd, if you have a moment, could you weigh in on this?
We are trying to clarify as to whether Sudo is a first match and stop, or if
it will search the whole directory for rules that match and then make a
calculated decision.
When using /etc
a system that is only functional if our user base subscribes to ALL
of our software components.
Jr Aquino, GCIH | Information Security Specialist
Citrix Online | 6500 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478
On Sep 30, 2010, at 9:37 AM, Sumit Bose wrote:
I agree, I only made the suggestion about the IPA server, because I
think that this feature is a bug in the current sudo code base, an
annoying bug at best and a serious security issue at worst.
It is both a bug and a security concern... one that
btw. I cannot reproduce your issue where a command is denied where only
user and host are matching, can you give an example where this is
happening? Thanks
I retract my previous statement and stand corrected:
I have run a test and verified on Redhat Enterprise 5.5 that Sudo is behaving
as we
On Oct 4, 2010, at 2:02 PM, Rob Crittenden wrote:
Dmitri Pal wrote:
Dmitri Pal wrote:
Dmitri Pal wrote:
How do we adjust FreeIPA such that it ensures Deny-IPASudoRules precede
any Allow-IPASudoRules ?
So it looks like current schema would not fly well with SUDO due to SUDO
./lite-server.py -d
ipa: DEBUG: importing all plugin modules in '/usr/src/freeipa/ipalib/plugins'...
ipa: DEBUG: importing plugin module '/usr/src/freeipa/ipalib/plugins/aci.py'
ipa: DEBUG: importing plugin module
'/usr/src/freeipa/ipalib/plugins/automount.py'
ipa: ERROR: could not load plugin
Patches for sudocmd attribute change and support for sudorule cmdCategory.
0001-Added-fixes-to-adjust-for-sudocmd-attribute-for-sudo.patch
Description: 0001-Added-fixes-to-adjust-for-sudocmd-attribute-for-sudo.patch
___
Freeipa-devel mailing list
This issue is resolved.
A full uninstall and reinstall properly fixed the dependency issue.
On 11/3/10 8:33 AM, Dmitri Pal d...@redhat.com wrote:
JR Aquino wrote:
./lite-server.py -d
ipa: DEBUG: importing all plugin modules in
'/usr/src/freeipa/ipalib/plugins'...
ipa: DEBUG: importing plugin
On 11/18/10 8:16 AM, Nalin Dahyabhai na...@redhat.com wrote:
snipit
ToDo's:
* Get sudo compat to translate usergroup/posix groups such that it can
prepend a %groupname - notice that it is not fully qualified dn.
If memberUser can point to either a user or a group, and we read a
Progress!
Ok, here is the latest data from the lab.
The compat translation is almost there!!!
* The sudoers container has correctly been moved out to the top of the
tree. I think it only needs 1 small final edit, the sudo ldap default is
to look for: ou=sudoers, rather than what is currently
If this proposal looks reasonable I will open a ticket.
JR will you be able to provide a patch that does all of this since this
is not exactly what we originally planned?
Your premise makes a lot of sense.
This is very promising news Dmitri.
Let me consider how I would accommodate the patch,
On 11/24/10 11:19 AM, Dmitri Pal d...@redhat.com wrote:
Hello,
It is well known that with IPA we want to try to move people from the
netgroups to host groups but many companies currently use netgroups as
hostgroups. To simplify migration I suggest that we by default always
create a managed
Hello,
Please review the attached patch.
It is meant to address:
https://fedorahosted.org/freeipa/ticket/543
This patch adds support for the default behavior of
adding/deleting/modifying an ipaNetgroup anytime an ipaHostgroup is
added/deleted/modified.
As requested by the ticket, the cli does
This patch is for ticket:
https://fedorahosted.org/freeipa/ticket/570
This patch addresses items:
1. The UI needs a rule status with values active inactive. The CLI doesn't
have this attribute. HBAC has ipaenabledflag attribute which can be managed
using hbac-enable/disable operations.
2.
PM, JR Aquino wrote:
This patch addresses items:
1. The UI needs a rule status with values active inactive. The CLI
doesn't have this attribute. HBAC has ipaenabledflag attribute which can
be managed using hbac-enable/disable operations.
2. The UI needs a user category for the Who section
I just had a chance to revisit this.
It appears that the host piece still doesn't work quite right.
This time, I am missing the sudoHost translation entirely.
dn: ipaUniqueID=e52c8e06-0315-11e0-b2dd-8a3d259cb0b9,cn=sudorules,dc=example,dc=com
objectClass: ipaassociation
objectClass:
The error handling refers to lde as a typo... When the exception occurs
due to a database error, it gets captured as: dbe.
This is a one-line bug fix for compat and nis tools
freeipa-jaquino-0004-dbe-instead-of-lde.patch
Description: freeipa-jaquino-0004-dbe-instead-of-lde.patch
This is what I see when I manually add the ipaSudoRule entry to my test
server:
dn: cn=devel,cn=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoUser: %ops
sudoHost: auth4.ops.expertcity.com
sudoCommand: /usr/bin/less
cn: devel
That's assuming the group and host entries you're using
On 12/9/10 10:03 AM, Dmitri Pal d...@redhat.com wrote:
Nalin Dahyabhai wrote:
On Wed, Dec 08, 2010 at 11:12:34PM +, JR Aquino wrote:
I guess the piece that is still missing then is:
Instead of:
sudoHost: hostname.com
It should be:
sudoHost: +production - which is the group
On 12/9/10 11:59 AM, Dmitri Pal d...@redhat.com wrote:
http://www.freeipa.org/page/SUDO_Schema_Design#Why_we_must_support_netgroups_in_the_SUDO_rules.3F
Last paragraph of the section. Also see last open question and answer to
it on the page :-)
However... read further...
Ah Ha!
I just talked
These 2 patches address all of the items within
(https://fedorahosted.org/freeipa/ticket/543)
Included are:
* ldif for the hostgroup -to- netgroup Managed Entry Plugin
* dsinstance modifications to correctly install the ldif
* management script (ipa-host-net-manage)
* man page for documentation
Thank you.
On 12/9/10 4:11 PM, JR Aquino jr.aqu...@citrix.com wrote:
These 2 patches address all of the items within
(https://fedorahosted.org/freeipa/ticket/543)
Included are:
* ldif for the hostgroup -to- netgroup Managed Entry Plugin
* dsinstance modifications to correctly install the ldif
On 12/10/10 12:49 PM, Rob Crittenden rcrit...@redhat.com wrote:
nack, found a couple of minor issues:
- The patch doesn't apply against the master branch (probably from
Simo's recent changes there)
- looks like you copied the man page from ipa-ldap-updater, needs a few
more updates (though kudos
Attached are patches to address:
(https://fedorahosted.org/freeipa/ticket/570)
5) -The UI needs separate run-as-user and run-as-group categories for
the As Whom section. The UI also needs a way to manage the list of
users/groups for the run-as-user, and the list of groups for the
run-as-group.
Attached is the patch to provide cli support for external hosts and users.
This is accomplished similarly to the netgroup plugin.
If the plugin is input with a hostname/user that does not exist in the
directory, the plugin will then assume that the User had intended for these
objects to be
There was a typo for the manpage, this is a one-liner to fix.
-.\ A man page for ipa-ldap-updater
+.\ A man page for ipa-compat-manage
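Review bot: both lines show the comment leader as `.\ ` rather than the troff comment `.\"` (backslash followed by a double quote); if the quote is really absent from the patch and not merely lost in this listing, the line is not treated as a comment and should read `.\" A man page for ipa-compat-manage`.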
freeipa-jraquino-0010-Fix-to-man-page-for-ipa-compat-manage.patch
Description: freeipa-jraquino-0010-Fix-to-man-page-for-ipa-compat-manage.patch
Thanks!
Testing now.
On 12/15/10 2:49 PM, Nalin Dahyabhai na...@redhat.com wrote:
On Wed, Dec 15, 2010 at 09:29:53PM +, JR Aquino wrote:
Thank you very much Nalin, at first glance these patches appear to solve
what we are after.
However, it looks like the master has drifted a little
Perfect!
All tests check out clean!
One final piece I think needs a quick one-liner:
From: http://www.gratisoft.us/sudo/sudoers.ldap.man.html
--The sudoers configuration is contained in the ou=SUDOers LDAP
container.--
Currently the plugin creates 'cn=sudoers' as opposed to 'ou=sudoers'.
Fix for ticket #653
https://fedorahosted.org/freeipa/ticket/653
The managed netgroup was missing the ipaObject objectclass and the
nisDomain attribute when created from a hostgroup.
Please review and ack.
All tools are best used by their intended design. If the only tool you
have is a Hammer, you may approach all of your problems as if they are
nails.
Jr Aquino
Information Security Specialist
Citrix Online
GCIH, CCNA
There was a typo in the example for cli usage of sudocmd
This is a one-liner patch to correct the usage syntax and addresses ticket
#704:
https://fedorahosted.org/freeipa/ticket/704
-JR
freeipa-jraquino-0012-fixed-typo-for-description-usage.patch
Attached is the patch to fix the following:
(Per ticket 570: https://fedorahosted.org/freeipa/ticket/570 Issue #5)
* Runas users to support groups
* Runas users to support external users
* runasgroup to support external groups
* compat fix to account for the runas users to support %groups
*
Attached is a patch to fix the sudo compat plugin.
Ticket# 742: https://fedorahosted.org/freeipa/ticket/742
The sudo compat plugin should allow for the presence of:
Command Category: ALL
AND
sudoCommand: !/usr/bin/less
Currently the plugin is set to overwrite any other sudoCommand attribute
in
Correction to patch.
The previous patch inherited a line for patch #13
This has been corrected in the attached patch.
On 1/10/11 3:11 PM, JR Aquino jr.aqu...@citrix.com wrote:
Attached is a patch to fix the sudo compat plugin.
Ticket# 742: https://fedorahosted.org/freeipa/ticket/742
The sudo
ACK.
Please push.
On 1/14/11 3:03 PM, Simo Sorce sso...@redhat.com wrote:
On Fri, 14 Jan 2011 17:33:31 -0500
Dmitri Pal d...@redhat.com wrote:
Simo Sorce wrote:
Put all sudo data except the legacy ou=SUDOers into the cn=sudo
subtree.
Ticket: #773
Simo.
Does it include the
Just tested. I do see a performance increase of ~30%
Without the Patch
time ipa user-find
--
1 user matched
--
User login: admin
Last name: Administrator
Home directory: /home/admin
Login shell: /bin/bash
Account activation status: False
Member of groups:
On 1/18/11 4:02 PM, Simo Sorce sso...@redhat.com wrote:
We need to use authenticated ldap binds in init scripts as otherwise
starting components fails when the option to restrict anonymous access
to ldap is set.
In order to do that we need to also start the KDC unconditionally, so
it has been
I think it is safe to give up member. It is necessary for nss_ldap and
nis.
If we remove member and add the role container I think that should cover
the low hanging fruit that discloses authorization data.
On 1/19/11 3:28 PM, Simo Sorce sso...@redhat.com wrote:
On Wed, 19 Jan 2011 17:51:56
On 1/19/11 3:31 PM, Simo Sorce sso...@redhat.com wrote:
In order for ipactl to function even when anonymous access is disabled
we need to authenticate.
Use SASL/EXTERNAL to let root get access as a very low privileged
special user.
Ticket #795
This patch is a replacement of 0061 where I was
NACK.
Please retest this... I'm not sure how it is related, but I receive an
error during the make rpm process:
Traceback (most recent call last):
  File "./makeapi", line 27, in <module>
    from ipalib import *
  File "/usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279/ipalib/__init__.py",
On 1/20/11 10:11 AM, Rob Crittenden rcrit...@redhat.com wrote:
JR Aquino wrote:
NACK.
Please retest this... I'm not sure how it is related, but I receive an
error during the make rpm process:
Traceback (most recent call last):
  File "./makeapi", line 27, in <module>
    from ipalib import
I have been working with the project for a while now and it has dawned on me
that the FreeIPA ipalib plugins don't really have a syslog library that they
output with.
So far I've really just been troubleshooting and getting around with:
/var/log/httpd/access_log
/var/log/httpd/error_log
On 1/28/11 10:43 AM, Dmitri Pal d...@redhat.com wrote:
JR,
Thank you for bringing it up.
I think it would be beneficial to have something for logging.
I agree as it is a PCI Requirement.
I am not
sure that this is exactly it.
You are correct. More discussion is necessary to capture the minimum
From: Dmitri Pal d...@redhat.com
Organization: Red Hat
Reply-To: d...@redhat.com
Date: Sat, 29 Jan 2011 11:25:17 -0500
To: freeipa-devel@redhat.com
Subject: [Freeipa-devel] SUDO community changed SUDO schema!!!
On 1/29/11 9:30 AM, JR Aquino jr.aqu...@citrix.com wrote:
From: Dmitri Pal d...@redhat.com
Organization: Red Hat
Reply-To: d...@redhat.com
Date: Sat, 29 Jan 2011 11:25:17 -0500
To: freeipa-devel@redhat.com
Subject
On 1/29/11 3:40 PM, Dmitri Pal d...@redhat.com wrote:
On 01/29/2011 12:37 PM, JR Aquino wrote:
On 1/29/11 9:30 AM, JR Aquino jr.aqu...@citrix.com wrote:
From: Dmitri Pal d...@redhat.com
Organization: Red Hat
Reply-To: d...@redhat.com
Date: Sat, 29
On 1/30/11 8:53 PM, Dmitri Pal d...@redhat.com wrote:
...
The main concern about the solution is the following scenario.
1) IPA releases as is without support of the order attribute.
2) Some time passes and new version of SUDO gets released into some
distros we care about
3) Support for ordered
On 2/11/11 2:26 PM, Rob Crittenden rcrit...@redhat.com wrote:
If neither verbose nor debug were set (and they aren't by default) then
we logged absolutely nothing about framework requests. This adds a
default of who, what, result in the Apache error log.
This is a first-step for ticket 873 just
During the ipa-client-install, when prompted for the principal password, it is
possible to start typing and have the password echoed back.
This patch corrects this behavior and addresses bug #959
https://fedorahosted.org/freeipa/ticket/959
On 2/10/11 2:42 AM, Pavel Zuna pz...@redhat.com wrote:
On 02/08/2011 01:06 PM, Pavel Zuna wrote:
The patch also corrects exception handling in some of the tools.
Fix #874
Pavel
Updated patch attached. Forgot to rename an identifier in exception
handling.
Pavel
Patch 16-1 submitted to exit if no password is given.
On 2/14/11 12:06 PM, Rob Crittenden rcrit...@redhat.com wrote:
JR Aquino wrote:
During the ipa-client-install, when prompted for the principal
password, it is possible to start typing and have the password echoed
back.
This patch corrects
On 2/15/11 2:06 AM, Jan Zelený jzel...@redhat.com wrote:
https://fedorahosted.org/freeipa/ticket/915
Jan
ACK
I don't know how I missed that!
This patch provides ipa netgroup-find a default filter which prevents the
displaying of mepManageEntry Netgroups by default.
It also introduces a --private flag similar to the group.py to allow for
displaying them if necessary.
freeipa-jraquino-0017-Managed-netgroups-should-be-invisible.patch
This patch addresses the need to utilize TLS when using the ipa-client-install
tool.
It addresses ticket:
https://fedorahosted.org/freeipa/ticket/974
Description: freeipa-jraquino-0018-Use-TLS-for-ipadiscovery-during-ipa-client-install.patch
Removed whitespace from patch and added API.txt changes to reflect the
--private option added to netgroup
On 2/15/11 12:45 PM, JR Aquino jr.aqu...@citrix.com wrote:
This patch provides ipa netgroup-find a default filter which prevents the
displaying of mepManageEntry Netgroups by default
This patch fixes the netgroup plugin's behavior of adding duplicate entries
when the managed entry plugin creates a netgroup with a mepManagedEntry
This problem is documented in ticket:
https://fedorahosted.org/freeipa/ticket/963
As noted by Endi for issue #3 in the History:
3. Just out of
deprecated in favor of TLS as
defined in RFC2830.
On 2/17/11 2:01 AM, Jan Zelený jzel...@redhat.com wrote:
JR Aquino jr.aqu...@citrix.com wrote:
This patch addresses the need to utilize TLS when using the
ipa-client-install tool. It addresses ticket:
https://fedorahosted.org/freeipa/ticket/974
Nack
On 2/17/11 3:23 AM, Jan Zelený jzel...@redhat.com wrote:
JR Aquino jr.aqu...@citrix.com wrote:
This patch fixes the netgroup plugin's behavior of adding duplicate
entries
when the managed entry plugin creates a netgroup with a mepManagedEntry
This problem is documented in ticket:
https
On 2/17/11 11:02 AM, Rob Crittenden rcrit...@redhat.com wrote:
Managed netgroups (those created as a result of creating a
hostgroup) should be immutable. This aci will deny writes to a managed
netgroup.
ticket 962
rob
On 2/17/11 9:46 AM, Jan Zeleny jzel...@redhat.com wrote:
JR Aquino jr.aqu...@citrix.com wrote:
Let's try now. Attached is the corrected patch.
There were several spots in ipa-client-install where the server could be
defined and it was getting missed.
I have omitted any change to ipa-client
On Feb 17, 2011, at 8:38 PM, Adam Young ayo...@redhat.com wrote:
I tried to follow the steps to setup Sudo on a client here:
https://fedoraproject.org/wiki/QA:Testcase_freeipav2_sudo
Of course, since my server wasn't example.com, I had to modify the LDAP
filters. I got something wrong.
On Feb 18, 2011, at 5:01 AM, Simo Sorce sso...@redhat.com wrote:
On Fri, 18 Feb 2011 05:06:34 +
JR Aquino jr.aqu...@citrix.com wrote:
On Feb 17, 2011, at 8:38 PM, Adam Young ayo...@redhat.com wrote:
I tried to follow the steps to setup Sudo on a client here:
https://fedoraproject.org
On 2/18/11 5:49 AM, Simo Sorce sso...@redhat.com wrote:
On Fri, 18 Feb 2011 13:18:36 +
JR Aquino jr.aqu...@citrix.com wrote:
I'm afraid not Simo.
As you recall, both /etc/sudoers and the 2 Sudo containers in FreeIPA
are protected. There is a deliberate default aci which prevents
On 2/17/11 2:20 PM, Rob Crittenden rcrit...@redhat.com wrote:
JR Aquino wrote:
On 2/17/11 11:02 AM, Rob Crittendenrcrit...@redhat.com wrote:
Managed netgroups (those created as a result of creating a
hostgroup) should be immutable. This aci will deny writes to a managed
netgroup
On 2/19/11 7:33 AM, Simo Sorce sso...@redhat.com wrote:
On Fri, 18 Feb 2011 23:09:21 -0500
Adam Young ayo...@redhat.com wrote:
Here's a rough hack. It follows the steps in the test script. I
tested it out and it works.
Truly a hack :)
More specifically:
The script looks like it will
On 2/21/11 10:46 AM, Jan Zeleny jzel...@redhat.com wrote:
Rob Crittenden rcrit...@redhat.com wrote:
JR Aquino wrote:
On 2/17/11 9:46 AM, Jan Zelenyjzel...@redhat.com wrote:
JR Aquinojr.aqu...@citrix.com wrote:
Let's try now. Attached is the corrected patch.
There were several spots
On 2/21/11 11:18 AM, JR Aquino jr.aqu...@citrix.com wrote:
On 2/21/11 10:46 AM, Jan Zeleny jzel...@redhat.com wrote:
Rob Crittenden rcrit...@redhat.com wrote:
JR Aquino wrote:
On 2/17/11 9:46 AM, Jan Zelenyjzel...@redhat.com wrote:
JR Aquinojr.aqu...@citrix.com wrote:
Let's try now
On 2/15/11 6:19 AM, Pavel Zuna pz...@redhat.com wrote:
On 02/14/2011 04:56 PM, JR Aquino wrote:
On 2/10/11 2:42 AM, Pavel Zunapz...@redhat.com wrote:
On 02/08/2011 01:06 PM, Pavel Zuna wrote:
The patch also corrects exception handling in some of the tools.
Fix #874
Pavel
Updated patch
This patch addresses ticket #998
It adds:
* ldif to create a default sudo bind user: dn:
uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX
* modifications to dsinstance.py to add the ldif
* modifications to dsinstance.py to add a call to
ipautil.ipa_generate_password() for a random password. It is
On 2/22/11 7:45 PM, JR Aquino jr.aqu...@citrix.com wrote:
This patch addresses ticket #998
It adds:
* ldif to create a default sudo bind user: dn:
uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX
* modifications to dsinstance.py to add the ldif
* modifications to dsinstance.py to add a call
On 2/23/11 11:23 AM, Simo Sorce sso...@redhat.com wrote:
On Wed, 23 Feb 2011 13:50:37 -0500
Rob Crittenden rcrit...@redhat.com wrote:
JR Aquino wrote:
On 2/22/11 7:45 PM, JR Aquinojr.aqu...@citrix.com wrote:
This patch addresses ticket #998
It adds:
* ldif to create a default
On 2/25/11 5:58 AM, Pavel Zuna pz...@redhat.com wrote:
On 02/23/2011 11:53 PM, Simo Sorce wrote:
On Wed, 23 Feb 2011 23:41:33 +0100
Pavel Zůnapz...@redhat.com wrote:
On 2011-02-15 16:36, JR Aquino wrote:
On 2/15/11 6:52 AM, Simo Sorcesso...@redhat.com wrote:
On Tue, 15 Feb 2011 15:19
On 2/25/11 9:27 AM, Pavel Zůna pz...@redhat.com wrote:
On 2011-02-25 18:12, JR Aquino wrote:
On 2/25/11 5:58 AM, Pavel Zunapz...@redhat.com wrote:
On 02/23/2011 11:53 PM, Simo Sorce wrote:
On Wed, 23 Feb 2011 23:41:33 +0100
Pavel Zůnapz...@redhat.com wrote:
On 2011-02-15 16:36, JR
On Mar 15, 2011, at 11:05 AM, Pavel Zuna wrote:
On 03/14/2011 06:03 PM, Martin Kosek wrote:
I know this is a 2.1 ticket, but the patch is probably also a solution
of #1047 - a 2.0.5 bucket critical bug.
When Directory Server operation is run right after the server restart
the
The FreeIPA framework performs unescaped searches to enumerate group membership.
The following patch corrects this behavior.
-JR
Description: freeipa-jraquino-0021-Escape-LDAP-characters-in-member-and-memberof-search.patch
The plugin architecture makes a great deal of calls to search for memberUser
and memberHost. These attributes are missing from the index and are greatly
slowing down the CLI and WebUI.
They should be added as Equality Indexes, as the searches that are performed
are meant for enumeration after
On Mar 30, 2011, at 1:01 PM, Stephen Gallagher wrote:
On 03/30/2011 03:53 PM, JR Aquino wrote:
On Mar 30, 2011, at 12:05 PM, JR Aquino wrote:
The FreeIPA framework performs unescaped searches to enumerate group
membership
On Mar 30, 2011, at 3:03 PM, Rob Crittenden wrote:
JR Aquino wrote:
On Mar 30, 2011, at 1:01 PM, Stephen Gallagher wrote:
On 03/30/2011 03:53 PM, JR Aquino wrote:
On Mar 30, 2011, at 12:05 PM, JR Aquino wrote:
The FreeIPA framework
Better formatting for the statistics:
-=-
Without patch
ipa hostgroup-find
...
-
Number of entries returned 52
-
real    0m20.054s
user    0m0.934s
sys     0m0.050s
-=-
With
On Mar 31, 2011, at 1:48 PM, Rob Crittenden wrote:
JR Aquino wrote:
The following patch removes around 20 lines of code and provides a
substantial increase in performance for FreeIPA member/memberof verification
searches.
The current code base blindly searches static containers
To clarify, the high delay times in these stats are due to buffered logging
being turned off.
The ratio of performance increase is ~the same with buffered logging turned on;
e.g. 1.9 seconds down to 1.5
On Mar 31, 2011, at 1:43 PM, JR Aquino jr.aqu...@citrix.com wrote:
Better formatting
On Mar 30, 2011, at 1:16 PM, JR Aquino wrote:
The plugin architecture makes a great deal of calls to search for memberUser
and memberHost. These attributes are missing from the index and are greatly
slowing down the CLI and WebUI.
They should be added as Equality Indexes, as the searches
On Mar 31, 2011, at 2:16 PM, JR Aquino wrote:
On Mar 31, 2011, at 1:48 PM, Rob Crittenden wrote:
JR Aquino wrote:
The following patch removes around 20 lines of code and provides a
substantial increase in performance for FreeIPA member/memberof
verification searches.
The current code
On Apr 7, 2011, at 3:42 PM, JR Aquino wrote:
On Mar 31, 2011, at 2:16 PM, JR Aquino wrote:
On Mar 31, 2011, at 1:48 PM, Rob Crittenden wrote:
JR Aquino wrote:
The following patch removes around 20 lines of code and provides a
substantial increase in performance for FreeIPA member
On Apr 7, 2011, at 4:04 PM, JR Aquino wrote:
On Apr 7, 2011, at 3:42 PM, JR Aquino wrote:
On Mar 31, 2011, at 2:16 PM, JR Aquino wrote:
On Mar 31, 2011, at 1:48 PM, Rob Crittenden wrote:
JR Aquino wrote:
The following patch removes around 20 lines of code and provides a
substantial
Does this imply the use of ldap with tls now or just standard ldap?
There was a previous ticket that changed this and many other tools such that
they used ldapi to accommodate FreeIPA with a minssf set.
On Apr 8, 2011, at 7:24 AM, Rob Crittenden rcrit...@redhat.com wrote:
ipa-nis-manage was
On Apr 8, 2011, at 7:32 AM, Rob Crittenden wrote:
Martin Kosek wrote:
On Wed, 2011-03-30 at 10:46 -0400, Rob Crittenden wrote:
Rob Crittenden wrote:
This prevents an internal error when calculating direct vs indirect
membership.
ticket 1133
I accidentally included a change from another patch.
as root since we start/stop and
configure/unconfigure services.
ticket 1157
rob
freeipa-rcrit-767-nis.patch
JR Aquino wrote:
Does this imply the use of ldap with tls now or just standard ldap?
There was a previous ticket that changed this and many other tools such that
they used ldapi
On Apr 8, 2011, at 8:53 AM, Rob Crittenden rcrit...@redhat.com wrote:
JR Aquino wrote:
On Apr 8, 2011, at 8:03 AM, Rob Crittenden wrote:
On Apr 8, 2011, at 7:24 AM, Rob Crittendenrcrit...@redhat.com wrote:
ipa-nis-manage was failing because root has very limited capabilities
when
On Apr 8, 2011, at 8:56 AM, JR Aquino jr.aqu...@citrix.com wrote:
On Apr 8, 2011, at 8:53 AM, Rob Crittenden rcrit...@redhat.com wrote:
JR Aquino wrote:
On Apr 8, 2011, at 8:03 AM, Rob Crittenden wrote:
On Apr 8, 2011, at 7:24 AM, Rob Crittendenrcrit...@redhat.com wrote:
ipa-nis
On Apr 7, 2011, at 7:08 PM, JR Aquino wrote:
On Apr 7, 2011, at 4:04 PM, JR Aquino wrote:
On Apr 7, 2011, at 3:42 PM, JR Aquino wrote:
On Mar 31, 2011, at 2:16 PM, JR Aquino wrote:
On Mar 31, 2011, at 1:48 PM, Rob Crittenden wrote:
JR Aquino wrote:
The following patch removes
Add HBAC Rule and Sudo Rule to users as indirect member attributes to simplify
the auditing of users for their indirect membership to their authorization
rights.
An Administrator should have the ability to quickly identify the rights a user
will have in the system.
For example. With the patch
On Apr 12, 2011, at 9:45 AM, JR Aquino wrote:
Add HBAC Rule and Sudo Rule to users as indirect member attributes to
simplify the auditing of users for their indirect membership to their
authorization rights.
An Administrator should have the ability to quickly identify the rights a
user
On Apr 12, 2011, at 10:55 AM, Rob Crittenden wrote:
JR Aquino wrote:
On Apr 7, 2011, at 7:08 PM, JR Aquino wrote:
On Apr 7, 2011, at 4:04 PM, JR Aquino wrote:
On Apr 7, 2011, at 3:42 PM, JR Aquino wrote:
On Mar 31, 2011, at 2:16 PM, JR Aquino wrote:
On Mar 31, 2011, at 1:48 PM