On 06/23/2015 08:58 PM, Nathaniel McCallum wrote:
On Jun 23, 2015, at 2:55 PM, Simo Sorce wrote:
On Tue, 2015-06-23 at 18:51 +0200, Christian Heimes wrote:
+WSGIImportScript /usr/lib/python2.7/site-packages/kdcproxy/__init__.py \
+ process-group=kdcproxy application-group=kdcproxy
+WSGIScri
> On Jun 23, 2015, at 2:55 PM, Simo Sorce wrote:
>
> On Tue, 2015-06-23 at 18:51 +0200, Christian Heimes wrote:
>> +WSGIImportScript /usr/lib/python2.7/site-packages/kdcproxy/__init__.py \
>> + process-group=kdcproxy application-group=kdcproxy
>> +WSGIScriptAlias /KdcProxy
>> /usr/lib/python2.
On Tue, 2015-06-23 at 18:51 +0200, Christian Heimes wrote:
> +WSGIImportScript /usr/lib/python2.7/site-packages/kdcproxy/__init__.py \
> + process-group=kdcproxy application-group=kdcproxy
> +WSGIScriptAlias /KdcProxy
> /usr/lib/python2.7/site-packages/kdcproxy/__init__.py
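Review bot: The interpreter-specific path /usr/lib/python2.7/site-packages/kdcproxy/__init__.py is hard-coded in both the WSGIImportScript line and the WSGIScriptAlias /KdcProxy line, so the configuration stops matching the installed package as soon as kdcproxy is installed for a different Python version or under a different prefix. Consider substituting the path at build or install time, or pointing both directives at a small WSGI script in a fixed location that imports kdcproxy. The two directives also have to keep naming the same file and the same process-group/application-group for the preload to apply to the application that is actually served; the quoted lines do not show a WSGIDaemonProcess definition for the kdcproxy process group or the delegation of /KdcProxy to it, so confirm both exist elsewhere in the config.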
I find sticking an app
I’m sold. ACK
Simo, speak now or forever hold your peace (or patch it later).
> On Jun 23, 2015, at 2:20 PM, Christian Heimes wrote:
>
> On 2015-06-23 19:55, Nathaniel McCallum wrote:
>> The behavior I'm worried about here is this:
>> 1. Admin installs or updates FreeIPA (w/ kdcproxy)
>> 2. Ad
On 2015-06-23 19:55, Nathaniel McCallum wrote:
> The behavior I'm worried about here is this:
> 1. Admin installs or updates FreeIPA (w/ kdcproxy)
> 2. Admin disables kdcproxy
> 3. Admin updates to the next version
>
> After step #3, is kdcproxy enabled or disabled? I don't have a clear answer
>
The behavior I'm worried about here is this:
1. Admin installs or updates FreeIPA (w/ kdcproxy)
2. Admin disables kdcproxy
3. Admin updates to the next version
After step #3, is kdcproxy enabled or disabled? I don't have a clear answer to
this (or at least I'm not seeing it).
Other than this, I'
On 2015-06-23 17:35, Nathaniel McCallum wrote:
> typo: is_kdcprox_configured
>
> You need to update the commit message (don't do changes since last patch).
>
> Also, I'm pretty sure this is the case, but the code in
> ipaserver/install/httpinstance.py only executes during initial installation,
typo: is_kdcprox_configured
You need to update the commit message (don't do changes since last patch).
Also, I'm pretty sure this is the case, but the code in
ipaserver/install/httpinstance.py only executes during initial installation,
right?
- Original Message -
> This is hopefully th
This is hopefully the final patch. I've tested a fresh installation and
upgrade from 4.2 alpha 1.
Christian
From f503bb15304edea863ba1bad91657b1f880f0e4b Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Tue, 23 Jun 2015 17:01:00 +0200
Subject: [PATCH] Provide Kerberos over HTTP (MS-KKDCP)
A
On 2015-06-23 16:55, Nathaniel McCallum wrote:
>
>
> - Original Message -
>> Ah, got it!
>>
>> What's the simplest way to download and test the new package on my VM?
>
> Download the package from koji.
> http://koji.fedoraproject.org/koji/packageinfo?packageID=19292
Ah, that's much sim
On 23.6.2015 15:16, Christian Heimes wrote:
> On 2015-06-23 15:14, Nathaniel McCallum wrote:
>> On Tue, 2015-06-23 at 15:11 +0200, Christian Heimes wrote:
>>> On 2015-06-23 14:58, Nathaniel McCallum wrote:
I agree. One other small nitpick is that the python-kdcproxy dependency
is st
- Original Message -
> Ah, got it!
>
> What's the simplest way to download and test the new package on my VM?
Download the package from koji.
http://koji.fedoraproject.org/koji/packageinfo?packageID=19292
On 2015-06-23 11:37, Christian Heimes wrote:
> Hi,
>
> I've created a new patch that implements the KDC switch as a
> ExecStartPre hook in httpd.service.
My patch has a bug. Apache's SetEnv doesn't set an operating system env
var. The information is only available as WSGI env var.
I'm going to s
On 2015-06-23 14:56, Simo Sorce wrote:
> Why are you using "#!/usr/bin/env python2.7" ?
> We do not use this idiom, as it breaks in some cases, at most in some
> sources that are v2 only we use "#!/usr/bin/python2", please change it.
Force of habit. I'm used to using /usr/bin/env in my own packages.
On 2015-06-23 15:14, Nathaniel McCallum wrote:
> On Tue, 2015-06-23 at 15:11 +0200, Christian Heimes wrote:
>> On 2015-06-23 14:58, Nathaniel McCallum wrote:
>>> I agree. One other small nitpick is that the python-kdcproxy dependency
>>> is still wrong. Please make it depend on 0.3. 0.3 is alr
On Tue, 2015-06-23 at 15:11 +0200, Christian Heimes wrote:
> On 2015-06-23 14:58, Nathaniel McCallum wrote:
> > I agree. One other small nitpick is that the python-kdcproxy dependency
> > is still wrong. Please make it depend on 0.3. 0.3 is already in RHEL
> > and Fedora. The only remaini
On 2015-06-23 14:58, Nathaniel McCallum wrote:
> I agree. One other small nitpick is that the python-kdcproxy dependency
> is still wrong. Please make it depend on 0.3. 0.3 is already in RHEL
> and Fedora. The only remaining step here is to push python-kdcproxy in
> the same update as the next Free
On Tue, 2015-06-23 at 08:56 -0400, Simo Sorce wrote:
> On Tue, 2015-06-23 at 11:37 +0200, Christian Heimes wrote:
> > Hi,
> >
> > I've created a new patch that implements the KDC switch as a
> > ExecStartPre hook in httpd.service.
> >
> > Testing:
> > If you are doing an upgrade of an existing in
On Tue, 2015-06-23 at 11:37 +0200, Christian Heimes wrote:
> Hi,
>
> I've created a new patch that implements the KDC switch as a
> ExecStartPre hook in httpd.service.
>
> Testing:
> If you are doing an upgrade of an existing installation, then you have
> to run ipa-server-update first. The updat
Hi,
I've created a new patch that implements the KDC switch as a
ExecStartPre hook in httpd.service.
Testing:
If you are doing an upgrade of an existing installation, then you have
to run ipa-server-update first. The update creates the config file
/etc/ipa/kdcproxy/ipa-kdc-proxy.conf from a templ
On 2015-06-22 16:22, Nathaniel McCallum wrote:
> On Mon, 2015-06-22 at 10:10 -0400, Simo Sorce wrote:
>> On Mon, 2015-06-22 at 10:01 -0400, Nathaniel McCallum wrote:
>>> I'd still prefer a user mapping to managing a keytab. This patch is
>>> just way too complex for what it does.
>>
>> User mappin
On Mon, 2015-06-22 at 10:10 -0400, Simo Sorce wrote:
> On Mon, 2015-06-22 at 10:01 -0400, Nathaniel McCallum wrote:
> > I'd still prefer a user mapping to managing a keytab. This patch is
> > just way too complex for what it does.
>
> User mapping ?
EXTERNAL bind
> > - Original Message
On 2015-06-22 16:01, Nathaniel McCallum wrote:
> I'd still prefer a user mapping to managing a keytab. This patch is just way
> too complex for what it does.
I don't get what you mean with 'user mapping'. Are you referring to
EXTERNAL bind over ldapi?
On Mon, 2015-06-22 at 10:01 -0400, Nathaniel McCallum wrote:
> I'd still prefer a user mapping to managing a keytab. This patch is just way
> too complex for what it does.
User mapping ?
> - Original Message -
> > I brought up your suggestion in today's IPA devel meeting. Simo
> > explai
I'd still prefer a user mapping to managing a keytab. This patch is just way
too complex for what it does.
- Original Message -
> I brought up your suggestion in today's IPA devel meeting. Simo
> explained that anonymous binding might not be available. Some customers
> disable it on their
On 2015-06-17 18:09, Nathaniel McCallum wrote:
> * There is a new permission: Read IPA Masters KDC Proxy. Is this
> necessary? Can't the config be world-readable and admin writable? There
> is no extra security in hiding this attribute. This also completely
> removes the need for a keytab since ano
On Wed, 2015-06-17 at 21:21 +0200, Christian Heimes wrote:
> On 2015-06-17 18:09, Nathaniel McCallum wrote:
> > On Fri, 2015-06-12 at 17:58 -0400, Adam Young wrote:
> >> On 06/12/2015 03:40 PM, Nathaniel McCallum wrote:
> >>> It doesn't apply again.
> >>>
> >>> On Tue, 2015-06-09 at 15:55 +0200, Ch
On 2015-06-17 18:09, Nathaniel McCallum wrote:
> On Fri, 2015-06-12 at 17:58 -0400, Adam Young wrote:
>> On 06/12/2015 03:40 PM, Nathaniel McCallum wrote:
>>> It doesn't apply again.
>>>
>>> On Tue, 2015-06-09 at 15:55 +0200, Christian Heimes wrote:
On 2015-05-27 15:16, Christian Heimes wrote:
On Fri, 2015-06-12 at 17:58 -0400, Adam Young wrote:
> On 06/12/2015 03:40 PM, Nathaniel McCallum wrote:
> > It doesn't apply again.
> >
> > On Tue, 2015-06-09 at 15:55 +0200, Christian Heimes wrote:
> > > On 2015-05-27 15:16, Christian Heimes wrote:
> > > > Hello,
> > > >
> > > > here is my firs
On 2015-06-12 23:58, Adam Young wrote:
> So...I've been spoiled a bit by Gerrit. Here is what I just did to get
> them to apply:
>
>
> cd freeipa
> git clean -xdf .
> #use the -3 to do 3 way merge
> git am -3
> ~/Documents/freeipa/patches/cheimes/freeipa-cheimes-0001-3-Provide-Kerberos-over-HTT
On 06/12/2015 03:40 PM, Nathaniel McCallum wrote:
It doesn't apply again.
On Tue, 2015-06-09 at 15:55 +0200, Christian Heimes wrote:
On 2015-05-27 15:16, Christian Heimes wrote:
Hello,
here is my first patch for FreeIPA. The patch integrates python-kdcproxy
for MS-KKDCP support (aka Kerberos
It doesn't apply again.
On Tue, 2015-06-09 at 15:55 +0200, Christian Heimes wrote:
> On 2015-05-27 15:16, Christian Heimes wrote:
> > Hello,
> >
> > here is my first patch for FreeIPA. The patch integrates python-kdcproxy
> > for MS-KKDCP support (aka Kerberos over HTTPS).
> >
> > https://w
On 2015-05-27 15:16, Christian Heimes wrote:
> Hello,
>
> here is my first patch for FreeIPA. The patch integrates python-kdcproxy
> for MS-KKDCP support (aka Kerberos over HTTPS).
>
> https://www.freeipa.org/page/V4/KDC_Proxy
>
> Ticket: https://fedorahosted.org/freeipa/ticket/4801
freeipa-che
Changes since patch 1:
- Further simplify krb ticket code
Simo has pointed out that KRB5_CLIENT_KTNAME and MEMORY ccache are
sufficient for the GSSAPI.
http://k5wiki.kerberos.org/wiki/Projects/Keytab_initiation
- switch is now in ipaConfigString=kdcProxyEnabled of
cn=KDC,cn=$FQDN,cn=masters
Hello,
here is my first patch for FreeIPA. The patch integrates python-kdcproxy
for MS-KKDCP support (aka Kerberos over HTTPS).
https://www.freeipa.org/page/V4/KDC_Proxy
Ticket: https://fedorahosted.org/freeipa/ticket/4801
Christian
From 49ad74834ef9036d0678dceb4020784fef389446 Mon Sep 17 00:00
35 matches