Re: [Freeipa-devel] [PATCH] move replication topology to shared tree

2014-10-10 Thread James
ctly touching cn=config and avoid the need for DM password is > one of the main reasons to do this work ... I'd just like to +1 / re-iterate this point... In addition, thank you for hacking on this and for posting this for early review. Cheers, James ___

Re: [Freeipa-devel] Ipa-server-install Firewall Support

2014-04-08 Thread James
Not sure where to jump in but I had one comment: Puppet-IPA [1] + Shorewall make a lovely pair :) Cheers, James [1] https://github.com/purpleidea/puppet-ipa On Mon, Apr 7, 2014 at 7:51 PM, Dmitri Pal wrote: > On 04/07/2014 09:00 AM, Rob Crittenden wrote: >> >> Simo Sorce wr

[Freeipa-devel] Consistent password hashing and lookups

2014-05-11 Thread James
/usr/bin/ldappasswd -Y EXTERNAL -s ` ${admin_password_exec}` -H ${ldapuri} uid=admin,cn=users,cn=accounts, ${suffix}" I also have the same question for the DM password, however I don't yet know how to set it. If someone has a script for that, I'd love that too! Thanks again! James

Re: [Freeipa-devel] Consistent password hashing and lookups

2014-05-11 Thread James
On Sun, May 11, 2014 at 3:04 PM, Dmitri Pal wrote: > > This is scary. > This means that you expecting to have a hash being stored somewhere else > outside the DS. Haha, I agree! Actually, worse! I will have the plain text password stored somewhere outside the DS! Let me give you more background:

Re: [Freeipa-devel] Consistent password hashing and lookups

2014-05-11 Thread James
On Sun, May 11, 2014 at 9:02 PM, Dmitri Pal wrote: > On 05/11/2014 06:31 PM, James wrote: >> >> On Sun, May 11, 2014 at 3:04 PM, Dmitri Pal wrote: >>> >>> This is scary. >>> This means that you expecting to have a hash being stored somewhere else >>

Re: [Freeipa-devel] Consistent password hashing and lookups

2014-05-12 Thread James
On Mon, 2014-05-12 at 16:25 -0400, Dmitri Pal wrote: > Yes and this was my point too. If you have root you do not need to > know > the old password. You can just reset the current one to what you want. I agree, with you. This isn't about functionality, it's about automating functionality. Puppet

Re: [Freeipa-devel] Consistent password hashing and lookups

2014-05-12 Thread James
On Mon, 2014-05-12 at 09:11 +0200, Martin Kosek wrote: > 1) Get fbar1;s b64 encoded password hash: > > # ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun% > 2fslapd-EXAMPLE-COM.socket -b > 'uid=fbar1,cn=users,cn=accounts,dc=example,dc=com' userPassword This seems to work great. I used user 'admin'.

Re: [Freeipa-devel] Consistent password hashing and lookups

2014-05-12 Thread James
On Mon, 2014-05-12 at 17:56 -0400, Dmitri Pal wrote: > Is there any other attribute to look at? > For example the timestamp when it was last set and base the update on > that rather than on matching password values? > There are some other solutions, but they are less elegant or don't work consist

Re: [Freeipa-devel] Consistent password hashing and lookups

2014-05-12 Thread James
On Mon, May 12, 2014 at 6:22 PM, Dmitri Pal wrote: > On 05/12/2014 06:07 PM, James wrote: >> >> On Mon, 2014-05-12 at 17:56 -0400, Dmitri Pal wrote: >>> >>> Is there any other attribute to look at? >>> For example the timestamp when it was last set and

Re: [Freeipa-devel] Consistent password hashing and lookups

2014-05-13 Thread James
On Tue, May 13, 2014 at 10:36 AM, Dmitri Pal wrote: > This is their problem. Why would we aid them to do wrong things and make it > easier? > I really miss the point. Why it is all needed? > Why do you need to reset passwords in IPA through puppet? > What is the use case? Give me about a week and

[Freeipa-devel] Understanding FreeIPA replica internals

2014-05-22 Thread James
ss the whole cluster? Please point me to a doc that explains this FAQ stuff if possible. Sorry for the noise Thanks again, James ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] Understanding FreeIPA replica internals

2014-05-23 Thread James
On Fri, 2014-05-23 at 12:42 +0200, Martin Kosek wrote: > On 05/23/2014 07:01 AM, James wrote: > > I'm trying to understand some of the FreeIPA replication internals so > > that I can better know how to do this properly in Puppet without > > storing any secret informat

Re: [Freeipa-devel] Understanding FreeIPA replica internals

2014-05-23 Thread James
On Fri, 2014-05-23 at 09:28 -0400, Dmitri Pal wrote: > I guess the question is more: > If I am root is there any way to do the operation without providing > the > password but rather using something like LDAPI to drive the operation. > The issue is that if you use puppet there is no way to get the

Re: [Freeipa-devel] Understanding FreeIPA replica internals

2014-05-23 Thread James
rical with configuration management, my puppet-gluster module does this. Cheers, and thanks for reading. James

Re: [Freeipa-devel] Understanding FreeIPA replica internals

2014-05-23 Thread James
On Fri, May 23, 2014 at 7:49 PM, Simo Sorce wrote: > On Fri, 2014-05-23 at 17:16 -0400, James wrote: >> On Fri, 2014-05-23 at 15:44 +0200, Martin Kosek wrote: >> > One cannot easily improve ipa-replica-prepare to work through LDAPI as >> > we also >> > need

Re: [Freeipa-devel] Understanding FreeIPA replica internals

2014-05-23 Thread James
On Fri, 2014-05-23 at 22:50 -0400, Simo Sorce wrote: > No, but those need to be accessible to the user, I think you can > create > a meta-package that contains those password when you create the first > master, encrypted in a gpg file with private keys only stored in the > freeipa servers. I do som

[Freeipa-devel] ipa-server-install error

2014-05-28 Thread James
bin/cat` --admin-password=`/bin/cat '/var/lib/puppet/tmp/ipa/admin.password' | /bin/cat | /bin/cat | /bin/cat` --idstart=16777216 --no-ntp --unattended Thanks, James 2014-05-29T03:06:30Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2014-05-29

Re: [Freeipa-devel] ipa-server-install error

2014-05-30 Thread James
On Fri, May 30, 2014 at 2:00 AM, Martin Kosek wrote: > On 05/30/2014 06:14 AM, Dmitri Pal wrote: >> On 05/29/2014 01:44 AM, James wrote: >>> /usr/bin/runcon: invalid context: unconfined_u:system_r:pki_ca_script_t:s0: >>> Invalid argument" >> Looks like and A

[Freeipa-devel] Multi-master replication with puppet

2014-06-06 Thread James
tion, this would ensure that the configuration management itself is HA. Without this type of functionality, then if the first ipa server isn't available, then config management will be blocked. I would appreciate any recommendations on how to convert a previou

Re: [Freeipa-devel] Move replication topology to the shared tree

2014-06-06 Thread James
hanging the algorithm would re-arrange the graph :) Hope this made sense. Cheers, James

Re: [Freeipa-devel] Move replication topology to the shared tree

2014-06-06 Thread James
On Fri, 2014-06-06 at 09:03 -0400, Simo Sorce wrote: > On Fri, 2014-06-06 at 06:58 -0400, James wrote: > > On Mon, Jun 2, 2014 at 4:46 AM, Ludwig Krispenz wrote: > > > Ticket 4302 is a request for an enhancement: Move replication topology to > > > the shared tree >

Re: [Freeipa-devel] Multi-master replication with puppet

2014-06-06 Thread James
On Fri, 2014-06-06 at 08:51 -0400, Simo Sorce wrote: > On Fri, 2014-06-06 at 06:38 -0400, James wrote: > > Hi FreeIPA, > > > > *intro* > > > > As some of you might know, I'm currently working on deploying > > multi-master replicas with puppet. Si

Re: [Freeipa-devel] Multi-master replication with puppet

2014-06-06 Thread James
On Fri, 2014-06-06 at 14:03 +0200, Jan Pazdziora wrote: > On Fri, Jun 06, 2014 at 06:38:10AM -0400, James wrote: > > > > I've just announced the first sane implementation for secret handling > > in puppet. Since everyone does this wrong, I thought I'd do it

Re: [Freeipa-devel] Multi-master replication with puppet

2014-06-06 Thread James
On Fri, 2014-06-06 at 15:10 +0200, Jan Pazdziora wrote: > On Fri, Jun 06, 2014 at 08:51:39AM -0400, Simo Sorce wrote: > > > > Clearly puppet has root level access to the system so you do not (should > > not ?) care much about preventing access to these systems, the aim is to > > not inadvertently

Re: [Freeipa-devel] Multi-master replication with puppet

2014-06-06 Thread James
On Fri, 2014-06-06 at 14:43 -0400, Simo Sorce wrote: > On Fri, 2014-06-06 at 14:06 -0400, James wrote: > > On Fri, 2014-06-06 at 08:51 -0400, Simo Sorce wrote: > > > But let me ask a more important question, how do you distribute the > > > public keys securely ? Is i

Re: [Freeipa-devel] Multi-master replication with puppet

2014-06-06 Thread James
On Fri, Jun 6, 2014 at 6:22 PM, Rich Megginson wrote: > > grep nsslapd-rootpw /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif > > The pwdhash command can be used to create a hashed password. Ah, brilliant, this works great, thanks!!

[Freeipa-devel] FYI: Cert for https://www.freeipa.org/ is invalid

2014-06-25 Thread James
I think it's kind of funny that the cert for: https://www.freeipa.org/ is invalid, particularly since this is a security product. In any case, feel free to forward to whoever maintains this in case someone thinks it matters. Cheers, James

[Freeipa-devel] Running ipa-replica-prepare on a replica

2014-07-10 Thread James
I'm currently using ipa-server v 3.0.0 Thanks, James

[Freeipa-devel] RPM's of different ipa versions

2014-07-10 Thread James
? In particular, I'm interested in knowing if there are repos with rpm's for each version/os. (>=v.3.0.0 and Fedora/CentOS6+/RHEL6+) Thanks, James

[Freeipa-devel] Correct firewall ports for multi-master replicas

2014-07-11 Thread James
is list changes based on which $args are used to install FreeIPA, let me know too. These will get inserted here (if you're curious): https://github.com/purpleidea/puppet-ipa/commit/31ede1a185f3d4bd5dd9848613e24a19f460f595#diff-e26063ec0e856ceac05cf5b4132f3330R61 Thanks! James

[Freeipa-devel] Storing/Looking up the creation time of a type

2014-07-23 Thread James
recent activity * and so on... An example of how this could be specifically useful is explained in my just published Puppet+FreeIPA article: https://ttboj.wordpress.com/2014/07/24/hybrid-management-of-freeipa-types-with-puppet/ Thank you again, James

Re: [Freeipa-devel] Storing/Looking up the creation time of a type

2014-07-23 Thread James
On Thu, 2014-07-24 at 08:40 +0300, Alexander Bokovoy wrote: > On Thu, 24 Jul 2014, James wrote: > >Hi devel, > > > >It would be particularly useful if each FreeIPA entry (eg: user, host, > >service, etc...) had creation and last modified timestamps. Do these > >fie

Re: [Freeipa-devel] ipa-replica-manage and topology plugin

2014-07-25 Thread James
/puppet-ipa/commit/73712d1b051398c4193b081c3f35eddf679896e2 I define the topology shape algorithmically (eg: ring, flat, star, etc...) and the replica make it happen :) Cheers, James > > Thanks, > Ludwig > > [1] http://www.freeipa.org/page/V4/Manage_replication_topology > &

[Freeipa-devel] Multi-OS FreeIPA in puppet-ipa

2014-08-17 Thread James
: https://github.com/purpleidea/puppet-ipa/tree/feat/yamldata I'll rebase this branch as new patches are added, and I'll usually keep it current against git master. Once someone ACK's that it is working against another OS or version, then I'll maintain it in git master. Thank

[Freeipa-devel] A puppet module for freeipa

2013-06-18 Thread James
Hi freeipa-devel, I just joined today, I'd like to introduce myself, I'm James. Hi. I am currently working on (among other things) a puppet module for freeipa. I've just published an initial release: https://github.com/purpleidea/puppet-ipa It only has a few resource types at th

Re: [Freeipa-devel] A puppet module for freeipa

2013-06-18 Thread James
On Tue, 2013-06-18 at 11:16 -0400, Simo Sorce wrote: > On Tue, 2013-06-18 at 10:38 -0400, James wrote: > > Hi freeipa-devel, > > > > I just joined today, I'd like to introduce myself, I'm James. Hi. > > > > I am currently working on (among other things)

Re: [Freeipa-devel] [PATCH] 428 Hide delete button in multivalued widget if attr is not writable

2013-07-18 Thread James
't cause users to "search" for a button that doesn't exist... Cheers, James > > https://fedorahosted.org/freeipa/ticket/3799

Re: [Freeipa-devel] [PATCH] 428 Hide delete button in multivalued widget if attr is not writable

2013-07-19 Thread James
On Fri, 2013-07-19 at 17:59 +0200, Petr Vobornik wrote: > Hello, > > Note: the button is actually in a form of a link I didn't notice this before. Sorry for the noise. James > > The approach you're proposing is often valid and a preferred one but > I > don

Re: [Freeipa-devel] [SSSD] FreeIPA on Debian

2013-09-03 Thread James
works" or at least mostly, feel free to ping me somehow. HTH, James [1] https://github.com/purpleidea/puppet-ipa ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [RFC] Improve FreeIPA usability in cloud environments

2013-09-15 Thread James
ge? How should we > handle the fact that internal and external names are different? Should we > use some sort of referral mechanism? > > > Cloud users, please speak now :-) Opinions are more than welcome! Some comments are given above.

Re: [Freeipa-devel] [RFC] Improve FreeIPA usability in cloud environments

2013-09-16 Thread James
On Mon, 2013-09-16 at 09:31 +0200, Petr Spacek wrote: > You are right, the scenario described by me doesn't require views. > Please see > reply from James in another part of this thread - his setup has shared > host > name (internal = external) but different IP addresse

Re: [Freeipa-devel] idempotent installer [from LinuxAlt 2013]

2013-11-14 Thread James
ect by Colin Walters already solves. Under the hood package installs are atomic. I don't know a lot of the technical details, but he might be a good person to ask. Cheers, James > Although to the end-user otopi can seem dense, complicated, and mysterious > (e.g., its weird .conf fi

Re: [Freeipa-devel] [PATCH] 463-530 First part of RCUE adoption

2013-11-15 Thread James
On Fri, Nov 15, 2013 at 8:26 AM, Petr Vobornik wrote: > Example is at: <http://pvoborni.fedorapeople.org/rcue/> And here I thought FreeIPA couldn't get any prettier... Nice work. +1 James

Re: [Freeipa-devel] FreeIPA as external Puppet CA

2013-12-18 Thread James
ng too. Cheers, James On Wed, Dec 18, 2013 at 8:50 PM, Andrew Wnuk wrote: > I have been exploring the possibilities of using FreeIPA CA as an external > Puppet CA with the requirement that Puppet will stay unmodified. > Here are some notes: http://www.freeipa.org/page/IPA_as_external

[Freeipa-devel] [PATCH] Allow TTL to be configured during ipa-client-install

2012-11-02 Thread James Hogarth
next couple of weeks. Kind regards, James 0001-Allow-TTL-to-be-configured-dring-ipa-client-install.patch

Re: [Freeipa-devel] [PATCH] Allow TTL to be configured during ipa-client-install

2012-11-02 Thread James Hogarth
based infrastructure when compared to a Windows one linked with AD thus much keen interest ;) Regards, James

Re: [Freeipa-devel] [PATCH] Allow TTL to be configured during ipa-client-install

2012-11-02 Thread James Hogarth
hs ago... The relevant ticket is https://fedorahosted.org/freeipa/ticket/3031 ... Regards, James

[Freeipa-devel] Feature request: Web UI for IPA users to reset their own expired passwords

2012-05-20 Thread Gelen James
The current assumption is that all IPA users can log in to Unix/Linux machines to change their IPA password, or reset their expired password. But this is not available all the time, so a more general alternative -- web UI -- will be more appreciated. The basic requirements are: 1, The web

[Freeipa-devel] I've done it by myself and it works -- Re: Feature request: Web UI for IPA users to reset their own expired passwords

2012-05-23 Thread Gelen James
I've coded it with python-kerberos and it works. Pretty rough though. --Gelen. From: Gelen James To: "freeipa-devel@redhat.com" Sent: Sunday, May 20, 2012 2:22 AM Subject: Feature request: Web UI for IPA users to reset their own expired p

Re: [Freeipa-devel] I've done it by myself and it works -- Re: Feature request: Web UI for IPA users to reset their own expired passwords

2012-05-23 Thread Gelen James
a prototype, it is not well-tested, nor DoS-attack proof at all, so it could potentially harm or totally destroy someone's authentication system. :( Thanks. --Gelen From: Rob Crittenden To: Gelen James Cc: "freeipa-devel@redhat.com"

[Freeipa-devel] Wiki account request

2012-06-18 Thread James Hogarth
can write up template apache configs and step by step details? Thanks, James

[Freeipa-devel] [PATCH] Set TTL during ipa-client-install for DNS records

2012-08-14 Thread James Hogarth
t the TTL will be if he enables updates in SSSD. Until SSSD allows for the TTL to be set in sssd.conf (patch sent in and pending review for possible future inclusion) this patch will only affect the initial registration and not any ongoing changes. Comments would be most welcome! Kind regards,

[Freeipa-devel] [PATCH] 3031 Allow TTL to be configured during ipa-client-install

2013-07-11 Thread James Hogarth
client DNS records and configures the value in sssd.conf so that ongoing changes to IP use the TTL as desired. Cheers, James Allow-TTL-to-be-configured-during-ipa-client-install.patch

Re: [Freeipa-devel] [PATCH] 3031 Allow TTL to be configured during ipa-client-install

2013-07-15 Thread James Hogarth
nk to the ticket this refers to... so just to be clear it's for this one: https://fedorahosted.org/freeipa/ticket/3031 Cheers, James

[Freeipa-devel] PKI-CA fails to start / CA Services IndexError:

2016-07-16 Thread James Glenz
Passing on a recent event of CA.cfg being clobbered / corrupted / truncated by the patching process (yum update). This took a few hours to find, for I did not expect this to happen to a file that normally would not be changed. The clobbered file, CA.cfg, was truncated by over 500 lines. Errors that show on