[Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1

2017-02-06 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/410 Title: #410: ipa-kdb: support KDB DAL version 6.1 abbra commented: """ I split the tables into separate ones and also made independent #if/#endif blocks for them. Finally, I added a spec file guard to force using 1.15-5 or

[Freeipa-devel] [freeipa PR#410][synchronized] ipa-kdb: support KDB DAL version 6.1

2017-02-06 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/410 Author: abbra Title: #410: ipa-kdb: support KDB DAL version 6.1 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/410/head:pr410 git checkout pr410 From

[Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1

2017-02-07 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/410 Title: #410: ipa-kdb: support KDB DAL version 6.1 abbra commented: """ @simo5 @frozencemetery unfortunately, the provide of "krb5-kdb-version = 6.1" is on krb5-libs, not on krb5-devel, so I cannot do a buildrequ

[Freeipa-devel] [freeipa PR#447][comment] AD trust installer modularization: prelude

2017-02-08 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/447 Title: #447: AD trust installer modularization: prelude abbra commented: """ LGTM -- I haven't run the code but read through it. """ See the full comment at https://github.com/freeipa/freeipa/pull/447#issuecom

[Freeipa-devel] [freeipa PR#410][synchronized] ipa-kdb: support KDB DAL version 6.1

2017-02-07 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/410 Author: abbra Title: #410: ipa-kdb: support KDB DAL version 6.1 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/410/head:pr410 git checkout pr410 From

[Freeipa-devel] [freeipa PR#410][synchronized] ipa-kdb: support KDB DAL version 6.1

2017-02-07 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/410 Author: abbra Title: #410: ipa-kdb: support KDB DAL version 6.1 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/410/head:pr410 git checkout pr410 From

[Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1

2017-02-07 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/410 Title: #410: ipa-kdb: support KDB DAL version 6.1 abbra commented: """ Updated the spec file and the commit message. """ See the full comment at https://github.com/freeipa/freeipa/pull/410#issuecomment-27810815

[Freeipa-devel] [freeipa PR#403][comment] Add new ipa passwd-generate command

2017-01-23 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/403 Title: #403: Add new ipa passwd-generate command abbra commented: """ @redhatrises, could you please explain more why you need this command as it is? FreeIPA allows to have multiple password policies. If you want to gene

[Freeipa-devel] [freeipa PR#410][opened] ipa-kdb: support KDB DAL version 6.1

2017-01-23 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/410 Author: abbra Title: #410: ipa-kdb: support KDB DAL version 6.1 Action: opened PR body: """ DAL version 6.0 removed support for a callback to free principal. This broke KDB drivers which had complex e_data structure withi

[Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1

2017-01-24 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/410 Title: #410: ipa-kdb: support KDB DAL version 6.1 abbra commented: """ Thanks for the suggestions. I've updated the configure check to explicitly warn when both .free_principal and .free_principal_e_data are missing. DAL

[Freeipa-devel] [freeipa PR#410][synchronized] ipa-kdb: support KDB DAL version 6.1

2017-01-24 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/410 Author: abbra Title: #410: ipa-kdb: support KDB DAL version 6.1 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/410/head:pr410 git checkout pr410 From

[Freeipa-devel] [freeipa PR#473][+ack] Fix session/cookie related issues introduced with the privilege separation patches

2017-02-16 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/473 Title: #473: Fix session/cookie related issues introduced with the privilege separation patches Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to

[Freeipa-devel] [freeipa PR#508][comment] Fix ipa.service unit re. gssproxy

2017-02-24 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/508 Title: #508: Fix ipa.service unit re. gssproxy abbra commented: """ LGTM. Thank you finding and fixing this issue. """ See the full comment at https://github.com/freeipa/freeipa/pull/508#issuecomment-28246785

[Freeipa-devel] [freeipa PR#508][+ack] Fix ipa.service unit re. gssproxy

2017-02-24 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/508 Title: #508: Fix ipa.service unit re. gssproxy Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#403][comment] Add new ipa passwd-generate command

2017-02-14 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/403 Title: #403: Add new ipa passwd-generate command abbra commented: """ Sorry for another delay too. We have discussed this proposal again and would like to have an ipa-advise implementation instead of IPA CLI command. There are m

[Freeipa-devel] [freeipa PR#466][opened] pkinit: make sure to have proper dictionary for Kerberos instance on upgrade

2017-02-15 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/466 Author: abbra Title: #466: pkinit: make sure to have proper dictionary for Kerberos instance on upgrade Action: opened PR body: """ When running PKINIT upgrade we need to make sure full substitution dictionary is in pla

[Freeipa-devel] [freeipa PR#459][comment] [WIP] Faster JSON encoder/decoder

2017-02-13 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/459 Title: #459: [WIP] Faster JSON encoder/decoder abbra commented: """ Right, as long as ipa CLI is capable to print formatted debug output, that's enough. """ See the full comment at https://github.com/freeipa

[Freeipa-devel] [freeipa PR#410][synchronized] ipa-kdb: support KDB DAL version 6.1

2017-02-12 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/410 Author: abbra Title: #410: ipa-kdb: support KDB DAL version 6.1 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/410/head:pr410 git checkout pr410 From

[Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1

2017-02-12 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/410 Title: #410: ipa-kdb: support KDB DAL version 6.1 abbra commented: """ I've rebased against master and added responses to inline comments in the PR. """ See the full comment at https://github.com/freeipa/freeipa/p

[Freeipa-devel] [freeipa PR#458][comment] Enable Bytes and deprecation warnings

2017-02-10 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/458 Title: #458: Enable Bytes and deprecation warnings abbra commented: """ Thanks. LGTM. """ See the full comment at https://github.com/freeipa/freeipa/pull/458#issuecomment-278949308 -- Manage your subscription for

[Freeipa-devel] [freeipa PR#473][comment] Fix session/cookie related issues introduced with the privilege separation patches

2017-02-16 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/473 Title: #473: Fix session/cookie related issues introduced with the privilege separation patches abbra commented: """ LGTM """ See the full comment at https://github.com/freeipa/freeipa/pull/473#issuecom

[Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1

2017-01-24 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/410 Title: #410: ipa-kdb: support KDB DAL version 6.1 abbra commented: """ @simo5 spec dependencies are separate from the code -- the spec will not help on Debian, for example. We need both the spec dependencies and the proper che

[Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1

2017-01-24 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/410 Title: #410: ipa-kdb: support KDB DAL version 6.1 abbra commented: """ No, no minor DAL version. That's why I had to resort to structure member checks in autoconf. """ See the full comment at https://githu

[Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop

2017-02-17 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/468 Title: #468: Remove non-sensical kdestroy on https stop abbra commented: """ Yes, when namespaced /tmp is used, unit file does not have any view into that. """ See the full comment at https://github.com/freeipa

[Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop

2017-02-17 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/468 Title: #468: Remove non-sensical kdestroy on https stop abbra commented: """ @tiran we do use PrivateTmp already. This is not about PrivateTmp, though, because we don't store credentials caches in a private tmp. "&quo

[Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card

2017-02-28 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/516 Title: #516: IdM Server: list all Employees with matching Smart Card abbra commented: """ One thing I don't like is that SELinux policy requirements aren't mentioned. To allow ipaapi user to talk to SSSD dbus interface, you have t

[Freeipa-devel] [freeipa PR#526][+ack] server install: do not attempt to issue PKINIT cert in CA-less

2017-03-01 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/526 Title: #526: server install: do not attempt to issue PKINIT cert in CA-less Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA:

[Freeipa-devel] [freeipa PR#526][comment] server install: do not attempt to issue PKINIT cert in CA-less

2017-03-01 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/526 Title: #526: server install: do not attempt to issue PKINIT cert in CA-less abbra commented: """ ACK for the patch. However, I'm not claiming that CA does not need to be trusted. What I'm saying is that for Anonymous PKINIT's u

[Freeipa-devel] [freeipa PR#479][comment] Merge AD trust installer into composite ones

2017-02-27 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/479 Title: #479: Merge AD trust installer into composite ones abbra commented: """ If you can differentiate how the installer is being run, then for composite installer always run add_sids. """ See the full comment

[Freeipa-devel] [freeipa PR#508][comment] Fix ipa.service unit re. gssproxy

2017-02-27 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/508 Title: #508: Fix ipa.service unit re. gssproxy abbra commented: """ Good point. I think we shouldn't restart ourselves as we anyway are listening on all interfaces with 0.0.0.0. """ See the full comment at http

[Freeipa-devel] [freeipa PR#479][comment] Merge AD trust installer into composite ones

2017-02-27 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/479 Title: #479: Merge AD trust installer into composite ones abbra commented: """ Unless you specified --add-sids to ipa-adtrust-install (or `add_sids=True` in ADTrustInstance.setup() call), no task would be run. 'Activating sidgen t

[Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands

2017-02-28 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/444 Title: #444: Allow nsaccountlock to be searched in user-find commands abbra commented: """ nsaccountlock is an operational attribute, not a normal one. I don't like it being created all the time. You have to request it explici

[Freeipa-devel] [freeipa PR#526][comment] server install: properly handle PKINIT-related options

2017-03-01 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/526 Title: #526: server install: properly handle PKINIT-related options abbra commented: """ An idea behind the original solution was to always produce PKINIT certificate by certmonger in case of CA-less install to be able to have a

[Freeipa-devel] [freeipa PR#526][comment] server install: properly handle PKINIT-related options

2017-03-01 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/526 Title: #526: server install: properly handle PKINIT-related options abbra commented: """ This was, perhaps, missed in the original commit, though. The idea was that in CA-less mode we change request to use Local CA. "&quo

[Freeipa-devel] [freeipa PR#526][comment] server install: properly handle PKINIT-related options

2017-03-01 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/526 Title: #526: server install: properly handle PKINIT-related options abbra commented: """ No, you are wrong. Certmonger has own local self-signed CA in all installs: # getcert list-cas CA 'local':

[Freeipa-devel] [freeipa PR#526][comment] server install: properly handle PKINIT-related options

2017-03-01 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/526 Title: #526: server install: properly handle PKINIT-related options abbra commented: """ This PR does not handle upgrade case which is what Local CA considers. We don't need other systems trust the certificate and we don't need

[Freeipa-devel] [freeipa PR#46] Always fetch forest info from root DCs when establishing two-way trust (comment)

2016-09-02 Thread abbra
abbra commented on a pull request """ ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/46#issuecomment-244375727 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-dev

[Freeipa-devel] [freeipa PR#46] Always fetch forest info from root DCs when establishing two-way trust (+ack)

2016-09-02 Thread abbra
martbab's pull request #46: "Always fetch forest info from root DCs when establishing two-way trust" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/46 -- Manage your subscription for the Freeipa-devel mailing list:

[Freeipa-devel] [freeipa PR#46] Always fetch forest info from root DCs when establishing two-way trust (comment)

2016-09-01 Thread abbra
abbra commented on a pull request """ The change is incomplete: we need also to handle oddjobd helper because it directly calls to dcerpc.fetch_domains() with explicitly set trusted domain name. """ See the full comment at https://github.com/freeipa/freeipa/

[Freeipa-devel] [freeipa PR#37] cert: add missing param values to cert-find output (+ack)

2016-08-30 Thread abbra
jcholast's pull request #37: "cert: add missing param values to cert-find output" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/37 -- Manage your subscription for the Freeipa-devel mailing list:

[Freeipa-devel] [freeipa PR#37] cert: add missing param values to cert-find output (comment)

2016-08-30 Thread abbra
abbra commented on a pull request """ LGTM. """ See the full comment at https://github.com/freeipa/freeipa/pull/37#issuecomment-243346328 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-dev

[Freeipa-devel] [freeipa PR#40] do not use trusted forest name to construct domain admin principal (comment)

2016-08-31 Thread abbra
abbra commented on a pull request """ NACK. This is wrong. In the case of external trust to a child domain we cannot run netr_DsRGetForestTrustInformation() against the child domain, regardless what credentials we have. Instead, we should run this request against the forest ro

[Freeipa-devel] [freeipa PR#40] do not use trusted forest name to construct domain admin principal (comment)

2016-08-31 Thread abbra
abbra commented on a pull request """ Apologies. This is indeed a minor issue which is correctly fixed, so ACK for this one. Note, though, this will not help with the actual query because regardless of what credentials were used, AD DC of a child domain behaves wrongly in Windows

[Freeipa-devel] [freeipa PR#40] do not use trusted forest name to construct domain admin principal (+ack)

2016-08-31 Thread abbra
martbab's pull request #40: "do not use trusted forest name to construct domain admin principal" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/40 -- Manage your subscription for the Freeipa-devel mailing list:

[Freeipa-devel] [freeipa PR#62] Configure Anonymous PKINIT on server install (comment)

2016-09-09 Thread abbra
abbra commented on a pull request """ Thanks. Looks good. I'll work on upgrade next week and will do actual testing. """ See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-245906612 -- Manage your subscription for the Fre

[Freeipa-devel] [freeipa PR#80] ipa passwd: use correct normalizer for user principals (+ack)

2016-09-14 Thread abbra
martbab's pull request #80: "ipa passwd: use correct normalizer for user principals" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/80 -- Manage your subscription for the Freeipa-devel mailing list:

[Freeipa-devel] [freeipa PR#80] ipa passwd: use correct normalizer for user principals (comment)

2016-09-14 Thread abbra
abbra commented on a pull request """ Looks good, thanks! """ See the full comment at https://github.com/freeipa/freeipa/pull/80#issuecomment-246931189 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freei

[Freeipa-devel] [freeipa PR#79] trust-fetch-domains: contact forest DCs when fetching trust domain info (comment)

2016-09-14 Thread abbra
abbra commented on a pull request """ LGTM. We discussed the placement of populate_remote_domain() but decided to keep it there. """ See the full comment at https://github.com/freeipa/freeipa/pull/79#issuecomment-246935619 -- Manage your subscription for the Fre

[Freeipa-devel] [freeipa PR#79] trust-fetch-domains: contact forest DCs when fetching trust domain info (+ack)

2016-09-14 Thread abbra
martbab's pull request #79: "trust-fetch-domains: contact forest DCs when fetching trust domain info" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/79 -- Manage your subscription for the Freeipa-devel mailing list:

[Freeipa-devel] [freeipa PR#84] Removed update_from_dict function from ldapupdate (comment)

2016-09-15 Thread abbra
abbra commented on a pull request """ Update plugins are higher level of abstraction. They use ipaserver.install.ldapupdate.LDAPUpdate which provides both .update() and .update_from_dict() methods. Update plugins can produce dictionaries. With the change in this pull request

[Freeipa-devel] [freeipa PR#82] Fix regexp in user/group name (comment)

2016-09-16 Thread abbra
abbra commented on a pull request """ 'uid' in user object and 'cn' in group object have meaning in POSIX environments. 'cn' in other objects is not subject for strict limits. """ See the full comment at https://github.com/freeipa/freeipa/pull/82#issuecom

[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install

2016-09-21 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install abbra commented: """ > As a side question is the separate profile needed due to some custom > extensions required for PKINIT certificate? yes, we don't want to al

[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install

2016-09-21 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install abbra commented: """ Yes, we need to create a design page for PKINIT support. I'll make sure it is done. """ See the full comment at https://gith

[Freeipa-devel] [freeipa PR#84][comment] Fix update_from_dict function testing

2016-09-21 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/84 Title: #84: Fix update_from_dict function testing abbra commented: """ > This is not true, update plugins are supposed to return the dictionaries from > their execute method. See any of the update plugins in > ipaserver

[Freeipa-devel] [freeipa PR#82][comment] Fix regexp in user/group name

2016-09-20 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/82 Title: #82: Fix regexp in user/group name abbra commented: """ LGTM. Thanks for first fixing the regexp and then replacing it by a constant, this will help with backports. """ See the full comment at https://gith

[Freeipa-devel] [freeipa PR#82][+ack] Fix regexp in user/group name

2016-09-20 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/82 Title: #82: Fix regexp in user/group name Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#84][comment] Removed update_from_dict function from ldapupdate

2016-09-22 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/84 Title: #84: Removed update_from_dict function from ldapupdate abbra commented: """ LGTM. Thanks. """ See the full comment at https://github.com/freeipa/freeipa/pull/84#issuecomment-248869910 -- Manage your subs

[Freeipa-devel] [freeipa PR#84][+ack] Removed update_from_dict function from ldapupdate

2016-09-22 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/84 Title: #84: Removed update_from_dict function from ldapupdate Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA:

[Freeipa-devel] [freeipa PR#128][+ack] Properly handle LDAP socket closures in ipa-otpd

2016-09-30 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/128 Title: #128: Properly handle LDAP socket closures in ipa-otpd Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA:

[Freeipa-devel] [freeipa PR#128][comment] Properly handle LDAP socket closures in ipa-otpd

2016-09-30 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/128 Title: #128: Properly handle LDAP socket closures in ipa-otpd abbra commented: """ LGTM """ See the full comment at https://github.com/freeipa/freeipa/pull/128#issuecomment-250819663 -- Manage your subscription

[Freeipa-devel] [freeipa PR#184][comment] Minor install script fixes

2016-10-24 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/184 Title: #184: Minor install script fixes abbra commented: """ ACK from my side if you would split the commit into two small ones, please. Note that CI integration is currently broken so travis says your commits failed the c

[Freeipa-devel] [freeipa PR#184][comment] Minor install script fixes

2016-10-24 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/184 Title: #184: Minor install script fixes abbra commented: """ ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/184#issuecomment-255816653 -- Manage your subscription for the Fre

[Freeipa-devel] [freeipa PR#184][+ack] Minor install script fixes

2016-10-24 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/184 Title: #184: Minor install script fixes Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#155][comment] Build system cleanup

2016-10-18 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/155 Title: #155: Build system cleanup abbra commented: """ I think all these fix commits are just fine. """ See the full comment at https://github.com/freeipa/freeipa/pull/155#issuecomment-254426527 -- Manage you

[Freeipa-devel] [freeipa PR#184][comment] Minor install script fixes

2016-10-26 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/184 Title: #184: Minor install script fixes abbra commented: """ I'm fine with that (revert --debug commit). Either alternative (make Configurable be aware of the debug or do a refactoring of an installer) is roughly going into the

[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install

2016-12-08 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install abbra commented: """ @simo5 I tried to run the branch as an upgrade against Fedora 25 version (4.4.2-1.fc25) and it failed at first because I was running in SEL

[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install

2016-12-11 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install abbra commented: """ Thanks @simo5. Except SELinux changes this PR is ready to be accepted. TODO as separate pull requests: * SELinux policy needs to be updated to allow cert

[Freeipa-devel] [freeipa PR#62][+ack] Configure Anonymous PKINIT on server install

2016-12-11 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA:

[Freeipa-devel] [freeipa PR#326][opened] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf

2016-12-12 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/326 Author: abbra Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf Action: opened PR body: """ Samba 4.5 does not allow to specify access mode for the keytab (FILE: or WRFILE:) from external source

[Freeipa-devel] [freeipa PR#326][synchronized] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf

2016-12-12 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/326 Author: abbra Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/326

[Freeipa-devel] [freeipa PR#326][synchronized] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf

2016-12-12 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/326 Author: abbra Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/326

[Freeipa-devel] [freeipa PR#326][comment] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf

2016-12-12 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/326 Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf abbra commented: """ Thanks, fixed it. """ See the full comment at https://github.com/freeipa/freeipa/pull/326#issuecom

[Freeipa-devel] [freeipa PR#326][synchronized] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf

2016-12-12 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/326 Author: abbra Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/326

[Freeipa-devel] [freeipa PR#326][comment] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf

2016-12-12 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/326 Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf abbra commented: """ Rebased to git master. """ See the full comment at https://github.com/freeipa/freeipa/pull/326#issuecom

[Freeipa-devel] [freeipa PR#345][opened] ipa-kdb: search for password policies globally

2016-12-15 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/345 Author: abbra Title: #345: ipa-kdb: search for password policies globally Action: opened PR body: """ With the CoS templates now used to create additional password policies per object type that are placed under the object subtr

[Freeipa-devel] [freeipa PR#377][comment] dogtaginstance: track server certificate with our renew agent

2017-01-12 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/377 Title: #377: dogtaginstance: track server certificate with our renew agent abbra commented: """ Looks very good to me. ACK from my side. """ See the full comment at https://github.com/freeipa/freeipa/pull/377#iss

[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install

2016-12-01 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install abbra commented: """ @simo5 https://github.com/abbra/freeipa/tree/kdc-pkinit can be used for rebase of this PR """ See the full comment at https://gith

[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install

2016-12-02 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install abbra commented: """ Up to you. We can either resync yours or switch over to mine. I need to merge updater changes too before submitting it upstream, though. "&quo

[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install

2016-12-01 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install abbra commented: """ @simo5 I did a rebase a while a go and maintain it rebased against the master. I'll submit a new PR with the rebase. """ See the full

[Freeipa-devel] [freeipa PR#345][comment] ipa-kdb: search for password policies globally

2016-12-16 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/345 Title: #345: ipa-kdb: search for password policies globally abbra commented: """ NACK to @simo5 concerns. We are not affected by slapi-nis on searches from KDC. """ See the full comment at https://githu

[Freeipa-devel] [freeipa PR#638][opened] ipalib/rpc.py: Fix session handling for KEYRING: ccaches

2017-03-22 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/638 Author: abbra Title: #638: ipalib/rpc.py: Fix session handling for KEYRING: ccaches Action: opened PR body: """ MIT Kerberos allows to store configuration entries in the ccache. Unfortunately, there are big differences betwe

[Freeipa-devel] [freeipa PR#637][comment] ldap2: use LDAP whoami operation to retrieve bind DN for current connection

2017-03-22 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/637 Title: #637: ldap2: use LDAP whoami operation to retrieve bind DN for current connection abbra commented: """ Removed try: finally: block, I agree that it is better to propagate error up the stack. """

[Freeipa-devel] [freeipa PR#637][synchronized] ldap2: use LDAP whoami operation to retrieve bind DN for current connection

2017-03-22 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/637 Author: abbra Title: #637: ldap2: use LDAP whoami operation to retrieve bind DN for current connection Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/637

[Freeipa-devel] [freeipa PR#617][comment] Allow renaming of sudo and HBAC rules

2017-03-22 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/617 Title: #617: Allow renaming of sudo and HBAC rules abbra commented: """ I like the idea but please address @HonzaCholasta comments. """ See the full comment at https://github.com/freeipa/freeipa/pull/617#issuecom

[Freeipa-devel] [freeipa PR#638][comment] ipalib/rpc.py: Fix session handling for KEYRING: ccaches

2017-03-22 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/638 Title: #638: ipalib/rpc.py: Fix session handling for KEYRING: ccaches abbra commented: """ Yes, KCM will work. However, I wonder if we could use a different approach by storing cookie in a fake ticket with a proper lifetime se

[Freeipa-devel] [freeipa PR#638][comment] ipalib/rpc.py: Fix session handling for KEYRING: ccaches

2017-03-22 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/638 Title: #638: ipalib/rpc.py: Fix session handling for KEYRING: ccaches abbra commented: """ Note: this is WIP, please test it against KEYRING: ccaches. """ See the full comment at https://github.com/freeipa

[Freeipa-devel] [freeipa PR#644][comment] extdom: improve certificate request

2017-03-23 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/644 Title: #644: extdom: improve certificate request abbra commented: """ LGTM. I read the code but since SSSD counterpart is currently on review, travis fails the build. """ See the full comment at https://githu

[Freeipa-devel] [freeipa PR#575][comment] IPA certauth plugin

2017-03-23 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/575 Title: #575: IPA certauth plugin abbra commented: """ The code LGTM. Once updated SSSD is added to freeipa-master copr, let's see what CI says. Authentication indicators' handling would need to be added in a separate PR onc

[Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes

2017-03-24 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/649 Title: #649: Session cookie storage and handling fixes abbra commented: """ @simo5, I think I found why it happened -- I actually had krbMaxTicketLife set for HTTP/... principal to 300 seconds. So I think your patches are goo

[Freeipa-devel] [freeipa PR#639][comment] WebUI: Login for AD Users

2017-03-24 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/639 Title: #639: WebUI: Login for AD Users abbra commented: """ LGTM and works just fine: ![](https://vda.li/images/freeipa-web-ui-login-ad-user.png) """ See the full comment at https://github.com/freeipa/freeipa/p

[Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes

2017-03-24 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/649 Title: #649: Session cookie storage and handling fixes abbra commented: """ I tested the whole patchset. It worked for me first time I've got cookie expired. However, it broke in ~10 minutes afterwards -- apparently, keyring c

[Freeipa-devel] [freeipa PR#629][synchronized] adtrust: make sure that runtime hostname result is consistent with the configuration

2017-03-29 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/629 Author: abbra Title: #629: adtrust: make sure that runtime hostname result is consistent with the configuration Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa

[Freeipa-devel] [freeipa PR#672][comment] IPA-KDB: use relative path in ipa-certmap config snippet

2017-03-30 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/672 Title: #672: IPA-KDB: use relative path in ipa-certmap config snippet abbra commented: """ > @sumit-bose What happens when the shared library is missing? Does 32bit kinit > fail or work on a X86_64 system when 32bi

[Freeipa-devel] [freeipa PR#629][synchronized] adtrust: make sure that runtime hostname result is consistent with the configuration

2017-03-29 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/629 Author: abbra Title: #629: adtrust: make sure that runtime hostname result is consistent with the configuration Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa

[Freeipa-devel] [freeipa PR#629][comment] adtrust: make sure that runtime hostname result is consistent with the configuration

2017-03-29 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/629 Title: #629: adtrust: make sure that runtime hostname result is consistent with the configuration abbra commented: """ Removed backslashes and also moved the check to be the first step when creating an instance. "&quo

[Freeipa-devel] [freeipa PR#668][comment] spec file: bump libsss_nss_idmap-devel BuildRequires

2017-03-29 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/668 Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires abbra commented: """ No, It will make downstream harder because RHEL downstream will only have 1.15.2 with patches on top of that version. I have a pull

[Freeipa-devel] [freeipa PR#669][opened] server: make sure we test for sss_nss_getlistbycert

2017-03-29 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/669 Author: abbra Title: #669: server: make sure we test for sss_nss_getlistbycert Action: opened PR body: """ Fixes https://pagure.io/freeipa/issue/6828 """ To pull the PR as Git branch: git remote add ghfreeipa http

[Freeipa-devel] [freeipa PR#668][comment] spec file: bump libsss_nss_idmap-devel BuildRequires

2017-03-29 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/668 Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires abbra commented: """ I submitted https://github.com/freeipa/freeipa/pull/669 for that """ See the full comment at https://github.com/freeipa

[Freeipa-devel] [freeipa PR#669][comment] server: make sure we test for sss_nss_getlistbycert

2017-03-29 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/669 Title: #669: server: make sure we test for sss_nss_getlistbycert abbra commented: """ On the systems where pkg-config is available, positive result from pkg-config check means headers are available because pkg-config

[Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes

2017-03-27 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/649 Title: #649: Session cookie storage and handling fixes abbra commented: """ LGTM to me. @simo5 explained that `expiry=...` substring is part of the actual cookie `mod_session` adds (it is timestamp in nanonseconds) -- Cookie clas

  1   2   >