[Freeipa-devel] MD5 certificate fingerprints removal

2017-02-21 Thread Standa Laznicka
Hello, Since we're trying to make FreeIPA work in FIPS we got to the point where we need to do something with MD5 fingerprints in the cert plugin. Eventually we came to a realization that it'd be best to get rid of them as a whole. These are counted by the framework and are not stored

Re: [Freeipa-devel] MD5 certificate fingerprints removal

2017-02-22 Thread Standa Laznicka
On 02/22/2017 12:28 AM, Fraser Tweedale wrote: On Tue, Feb 21, 2017 at 05:23:07PM +0100, Standa Laznicka wrote: On 02/21/2017 04:24 PM, Tomas Krizek wrote: On 02/21/2017 03:23 PM, Rob Crittenden wrote: Standa Laznicka wrote: Hello, Since we're trying to make FreeIPA work in FIPS we got

Re: [Freeipa-devel] MD5 certificate fingerprints removal

2017-02-23 Thread Standa Laznicka
, Feb 21, 2017 at 05:23:07PM +0100, Standa Laznicka wrote: On 02/21/2017 04:24 PM, Tomas Krizek wrote: On 02/21/2017 03:23 PM, Rob Crittenden wrote: Standa Laznicka wrote: Hello, Since we're trying to make FreeIPA work in FIPS we got to the point where we need to do something with MD5

Re: [Freeipa-devel] MD5 certificate fingerprints removal

2017-02-21 Thread Standa Laznicka
On 02/21/2017 04:24 PM, Tomas Krizek wrote: On 02/21/2017 03:23 PM, Rob Crittenden wrote: Standa Laznicka wrote: Hello, Since we're trying to make FreeIPA work in FIPS we got to the point where we need to do something with MD5 fingerprints in the cert plugin. Eventually we came

[Freeipa-devel] Password generation in FreeIPA Python modules

2017-02-15 Thread Standa Laznicka
Hello, Please don't use any ad-hoc cruft when generating passwords throughout IPA if not really really necessary. We have a nice refreshed password generator `ipapython.ipautil.ipa_generate_password()` default config of which does the work for you. It also by default generates passwords

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-22 Thread Standa Laznicka
On 08/19/2016 04:06 PM, Martin Basti wrote: On 19.08.2016 12:37, Pavel Vomacka wrote: On 08/16/2016 08:21 AM, Stanislav Laznicka wrote: On 08/12/2016 06:48 PM, Petr Spacek wrote: On 11.8.2016 12:34, Stanislav Laznicka wrote: Hello, I updated the design of the Time-Based HBAC Policies

Re: [Freeipa-devel] FreeIPA: upgrading from priv-separation to git-master

2017-03-01 Thread Standa Laznicka
On 03/01/2017 12:01 PM, Standa Laznicka wrote: Hello, Please note that https://github.com/freeipa/freeipa/pull/367 was pushed today. What this means for you is that your IPA installations won't work if you had privilege separation patches applied and try to upgrade your instances to current

[Freeipa-devel] FreeIPA: upgrading from priv-separation to git-master

2017-03-01 Thread Standa Laznicka
Hello, Please note that https://github.com/freeipa/freeipa/pull/367 was pushed today. What this means for you is that your IPA installations won't work if you had privilege separation patches applied and try to upgrade your instances to current master. This is because privilege separation

[Freeipa-devel] Certmonger uses different "Subject" representation based on storage

2017-03-01 Thread Standa Laznicka
Hello, Please note that when you make a request for a certificate to certmonger, it uses different representation of the "Subject" that you provide to it, based on the storage you aim for (LDAP representation when storing to NSS DB, X509 representation when storing to a file). This issue

Re: [Freeipa-devel] [WIP][PATCH] Time-Based HBAC Policies

2016-08-25 Thread Standa Laznicka
On 05/06/2016 12:28 PM, Stanislav Laznicka wrote: Hello, The time rules for FreeIPA effort is now to be found on Github. I forked FreeIPA and SSSD repos and added the current state of work there. https://github.com/stlaz/freeipa/tree/timerules

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-09-01 Thread Standa Laznicka
On 08/31/2016 12:57 PM, Petr Spacek wrote: On 31.8.2016 12:42, Standa Laznicka wrote: On 08/30/2016 03:34 PM, Simo Sorce wrote: On Tue, 2016-08-30 at 08:47 +0200, Standa Laznicka wrote: On 08/26/2016 05:37 PM, Simo Sorce wrote: On Fri, 2016-08-26 at 11:26 -0400, Simo Sorce wrote: On Fri

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-09-01 Thread Standa Laznicka
On 09/01/2016 01:26 PM, Standa Laznicka wrote: On 08/31/2016 12:57 PM, Petr Spacek wrote: On 31.8.2016 12:42, Standa Laznicka wrote: On 08/30/2016 03:34 PM, Simo Sorce wrote: On Tue, 2016-08-30 at 08:47 +0200, Standa Laznicka wrote: On 08/26/2016 05:37 PM, Simo Sorce wrote: On Fri, 2016-08

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-09-01 Thread Standa Laznicka
On 09/01/2016 02:14 PM, Petr Spacek wrote: On 1.9.2016 14:09, Standa Laznicka wrote: On 09/01/2016 01:26 PM, Standa Laznicka wrote: On 08/31/2016 12:57 PM, Petr Spacek wrote: On 31.8.2016 12:42, Standa Laznicka wrote: On 08/30/2016 03:34 PM, Simo Sorce wrote: On Tue, 2016-08-30 at 08:47

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-09-01 Thread Standa Laznicka
On 09/01/2016 03:06 PM, Simo Sorce wrote: On Thu, 2016-09-01 at 14:09 +0200, Standa Laznicka wrote: The class ipaHBACRuleV2 is dynamically switched to from ipaHBACRule upon addition of a time rule to a certain HBAC rule. Honestly I am against this. If you really want the two objects

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-09-01 Thread Standa Laznicka
On 09/01/2016 05:18 PM, Simo Sorce wrote: On Thu, 2016-09-01 at 16:35 +0200, Standa Laznicka wrote: On 09/01/2016 03:06 PM, Simo Sorce wrote: On Thu, 2016-09-01 at 14:09 +0200, Standa Laznicka wrote: The class ipaHBACRuleV2 is dynamically switched to from ipaHBACRule upon addition of a time

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-30 Thread Standa Laznicka
On 08/26/2016 05:37 PM, Simo Sorce wrote: On Fri, 2016-08-26 at 11:26 -0400, Simo Sorce wrote: On Fri, 2016-08-26 at 18:09 +0300, Alexander Bokovoy wrote: On Fri, 26 Aug 2016, Simo Sorce wrote: On Fri, 2016-08-26 at 12:39 +0200, Martin Basti wrote: I miss "why" part of "To be able to handle

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-31 Thread Standa Laznicka
On 08/30/2016 03:34 PM, Simo Sorce wrote: On Tue, 2016-08-30 at 08:47 +0200, Standa Laznicka wrote: On 08/26/2016 05:37 PM, Simo Sorce wrote: On Fri, 2016-08-26 at 11:26 -0400, Simo Sorce wrote: On Fri, 2016-08-26 at 18:09 +0300, Alexander Bokovoy wrote: On Fri, 26 Aug 2016, Simo Sorce wrote

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-30 Thread Standa Laznicka
On 08/30/2016 09:23 AM, Alexander Bokovoy wrote: On Tue, 30 Aug 2016, Jan Cholasta wrote: On 30.8.2016 08:47, Standa Laznicka wrote: On 08/26/2016 05:37 PM, Simo Sorce wrote: On Fri, 2016-08-26 at 11:26 -0400, Simo Sorce wrote: On Fri, 2016-08-26 at 18:09 +0300, Alexander Bokovoy wrote

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-30 Thread Standa Laznicka
On 08/30/2016 09:34 AM, Standa Laznicka wrote: On 08/30/2016 09:23 AM, Alexander Bokovoy wrote: On Tue, 30 Aug 2016, Jan Cholasta wrote: On 30.8.2016 08:47, Standa Laznicka wrote: On 08/26/2016 05:37 PM, Simo Sorce wrote: On Fri, 2016-08-26 at 11:26 -0400, Simo Sorce wrote: On Fri, 2016-08

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-09-09 Thread Standa Laznicka
On 09/03/2016 06:25 PM, Jan Pazdziora wrote: On Thu, Sep 01, 2016 at 11:18:45AM -0400, Simo Sorce wrote: The thing is we (and admins) will be stuck with old clients for a loong time, so we need to make it clear to them what works for what. We need to allow admins to create rules that work for

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-09-13 Thread Standa Laznicka
On 09/09/2016 02:58 PM, Simo Sorce wrote: On Fri, 2016-09-09 at 13:14 +0200, Standa Laznicka wrote: On 09/03/2016 06:25 PM, Jan Pazdziora wrote: On Thu, Sep 01, 2016 at 11:18:45AM -0400, Simo Sorce wrote: The thing is we (and admins) will be stuck with old clients for a loong time, so we

Re: [Freeipa-devel] [PATCH 0058] Make get_entries not ignore its size_limit argument

2016-10-07 Thread Standa Laznicka
On 10/07/2016 08:31 AM, Jan Cholasta wrote: On 17.8.2016 13:47, Stanislav Laznicka wrote: On 08/11/2016 02:59 PM, Stanislav Laznicka wrote: On 08/11/2016 07:49 AM, Jan Cholasta wrote: On 2.8.2016 13:47, Stanislav Laznicka wrote: On 07/19/2016 09:20 AM, Jan Cholasta wrote: Hi, On 14.7.2016

Re: [Freeipa-devel] [PATCH 0060] Add --force-join option to ipa-replica-install

2016-09-23 Thread Standa Laznicka
On 09/23/2016 08:50 AM, Jan Cholasta wrote: On 25.8.2016 15:31, Martin Basti wrote: On 10.08.2016 07:53, Stanislav Laznicka wrote: On 08/10/2016 07:31 AM, Jan Cholasta wrote: On 9.8.2016 18:52, Petr Vobornik wrote: On 08/09/2016 04:18 PM, Martin Basti wrote: On 09.08.2016 16:07,

Re: [Freeipa-devel] pylint: remove unused variables

2016-09-23 Thread Standa Laznicka
On 09/23/2016 07:28 AM, Jan Cholasta wrote: On 22.9.2016 16:39, Martin Basti wrote: Hello all, In 4.5, I would like to remove all unused variables from code and enable pylint check. Due to big amount of unused variables in the code this will be longterm effort. Why this?: * better code

Re: [Freeipa-devel] pylint: remove unused variables

2016-09-23 Thread Standa Laznicka
On 09/23/2016 02:11 PM, Martin Basti wrote: On 23.09.2016 14:12, Jan Cholasta wrote: On 23.9.2016 13:23, Standa Laznicka wrote: On 09/23/2016 07:28 AM, Jan Cholasta wrote: On 22.9.2016 16:39, Martin Basti wrote: Hello all, In 4.5, I would like to remove all unused variables from code

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-26 Thread Standa Laznicka
On 08/26/2016 12:27 PM, Jan Cholasta wrote: On 26.8.2016 12:21, Martin Basti wrote: On 26.08.2016 12:13, Jan Cholasta wrote: On 26.8.2016 11:55, Martin Basti wrote: On 26.08.2016 11:43, Jan Cholasta wrote: Hi, On 11.8.2016 12:34, Stanislav Laznicka wrote: Hello, I updated the design of

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-26 Thread Standa Laznicka
On 08/26/2016 12:39 PM, Martin Basti wrote: On 26.08.2016 12:37, Petr Vobornik wrote: On 08/26/2016 12:23 PM, Martin Basti wrote: On 26.08.2016 12:20, Alexander Bokovoy wrote: On Fri, 26 Aug 2016, Jan Cholasta wrote: On 26.8.2016 11:55, Martin Basti wrote: On 26.08.2016 11:43, Jan

[Freeipa-devel] [PATCH 0065] Fix ugly quit during external CA installation

2016-08-23 Thread Standa Laznicka
https://fedorahosted.org/freeipa/ticket/6230 From 33d25d76d71ede4b4d4ac3f57663132ac4c6decb Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Tue, 23 Aug 2016 13:43:24 +0200 Subject: [PATCH] Make installer quit more nicely on external CA installation

Re: [Freeipa-devel] [Freeipa-users] ipalib authentication

2016-11-24 Thread Standa Laznicka
On 11/24/2016 04:27 PM, Adam Bishop wrote: I'm writing a bit of code using ipalib directly, I'm a little stuck on authentication though. It works fine if I grab a Kerberos ticket with kinit then run the code interactively, but I'd like to run this as a daemon which makes maintaining a ticket

Re: [Freeipa-devel] [PATCH 0058] Make get_entries not ignore its size_limit argument

2016-10-10 Thread Standa Laznicka
On 10/10/2016 07:53 AM, Jan Cholasta wrote: On 7.10.2016 12:23, Standa Laznicka wrote: On 10/07/2016 08:31 AM, Jan Cholasta wrote: On 17.8.2016 13:47, Stanislav Laznicka wrote: On 08/11/2016 02:59 PM, Stanislav Laznicka wrote: On 08/11/2016 07:49 AM, Jan Cholasta wrote: On 2.8.2016 13:47

Re: [Freeipa-devel] Travis CI unexpected PEP8 errors

2016-12-13 Thread Standa Laznicka
On 12/14/2016 02:53 AM, Ben Lipton wrote: Hi all, I'm pretty sure this is unrelated to the CI issues discussed in other threads recently, but they reminded me that I've been having this odd issue. https://travis-ci.org/freeipa/freeipa/jobs/183756995 is the most recent run on my pull

[Freeipa-devel] [DESIGN] FreeIPA on FIPS + NSS question

2016-12-16 Thread Standa Laznicka
Hello, I started a design page for FreeIPA on FIPS-enabled systems: https://www.freeipa.org/page/V4/FreeIPA-on-FIPS Me and Tomáš are still investigating what of all things will need to change in order to have FreeIPA on FIPS-enabled RHEL. So far I managed to install and run patched FreeIPA

[Freeipa-devel] Changed SSH public key fingerprint to SHA256

2017-01-12 Thread Standa Laznicka
Hello list, In PR https://github.com/freeipa/freeipa/pull/385 we changed the hashing algorithm for SSH public key fingerprints which are printed for hosts/users in their respective show commands. These fingerprints are not stored anywhere and are calculated during runtime on demand. We did

Re: [Freeipa-devel] [DESIGN] FreeIPA on FIPS + NSS question

2016-12-19 Thread Standa Laznicka
On 12/19/2016 03:07 PM, John Dennis wrote: On 12/19/2016 03:12 AM, Standa Laznicka wrote: On 12/16/2016 03:23 PM, Rob Crittenden wrote: Standa Laznicka wrote: Hello, I started a design page for FreeIPA on FIPS-enabled systems: https://www.freeipa.org/page/V4/FreeIPA-on-FIPS Me and Tomáš

Re: [Freeipa-devel] [DESIGN] FreeIPA on FIPS + NSS question

2016-12-19 Thread Standa Laznicka
On 12/16/2016 03:23 PM, Rob Crittenden wrote: Standa Laznicka wrote: Hello, I started a design page for FreeIPA on FIPS-enabled systems: https://www.freeipa.org/page/V4/FreeIPA-on-FIPS Me and Tomáš are still investigating what of all things will need to change in order to have FreeIPA on FIPS

Re: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0

2017-03-15 Thread Standa Laznicka
On 03/14/2017 08:42 PM, Rob Crittenden wrote: Standa Laznicka wrote: On 03/14/2017 04:21 PM, Rob Crittenden wrote: Standa Laznicka wrote: On 03/14/2017 03:14 PM, Martin Basti wrote: On 14.03.2017 14:56, Luc de Louw wrote: My 3 cents... "Please note that FIPS 140-2 support may not

Re: [Freeipa-devel] Pagure issue template

2017-04-21 Thread Standa Laznicka
On 04/21/2017 08:12 AM, Abhijeet Kasurde wrote: +1 On 20/04/17 9:36 PM, Petr Vobornik wrote: Hi all, I'd like to improve quality of bug reports and RFEs. A possibility I see is to create an issue template [1]. Sounds like a good idea! Please see my comments. What do you think of the

Re: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0

2017-03-14 Thread Standa Laznicka
On 03/14/2017 03:14 PM, Martin Basti wrote: On 14.03.2017 14:56, Luc de Louw wrote: My 3 cents... "Please note that FIPS 140-2 support may not work on some platforms" -> Does it work in Fedora? Should be worth mention it so people are more encouraged to test it in Fedora before its getting to

Re: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0

2017-03-14 Thread Standa Laznicka
On 03/14/2017 04:21 PM, Rob Crittenden wrote: Standa Laznicka wrote: On 03/14/2017 03:14 PM, Martin Basti wrote: On 14.03.2017 14:56, Luc de Louw wrote: My 3 cents... "Please note that FIPS 140-2 support may not work on some platforms" -> Does it work in Fedora? Should be

[Freeipa-devel] gssproxy-0.6.2-2 broken

2017-03-06 Thread Standa Laznicka
Hello, Current gssproxy in Fedora 25 "updates" repository (gssproxy-0.6.2-2) is broken. For a freshly-installed IPA server, the infamous error "ipa: ERROR: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2598845123): No credentials cache found" will

Re: [Freeipa-devel] Don't work with Pagure right now

2017-05-12 Thread Standa Laznicka
On 05/12/2017 08:36 AM, Standa Laznicka wrote: Hello, This morning I found out that "https://pagure.io/freeipa/" resolves to a different project, originally https://pagure.io/freeIPA/. I pointed the problem to the developer of the system, we'll see what he can do about it, but for now,

[Freeipa-devel] Don't work with Pagure right now

2017-05-12 Thread Standa Laznicka
Hello, This morning I found out that "https://pagure.io/freeipa/" resolves to a different project, originally https://pagure.io/freeIPA/. I pointed the problem to the developer of the system, we'll see what he can do about it, but for now, we're missing about 200 issues. Please, don't open

Re: [Freeipa-devel] "blocker" tag for pull request

2017-05-02 Thread Standa Laznicka
On 04/28/2017 02:41 PM, Martin Bašti wrote: On 28.04.2017 14:17, Tomas Krizek wrote: On 04/28/2017 10:15 AM, Petr Vobornik wrote: Hi all, I created "blocker" tag for FreeIPA GitHub PRs. It should be used to mark PRs which solve test blocker or other functional blockers - e.g. blocks