On 06/23/2015 08:58 PM, Nathaniel McCallum wrote:
On Jun 23, 2015, at 2:55 PM, Simo Sorce s...@redhat.com wrote:
On Tue, 2015-06-23 at 18:51 +0200, Christian Heimes wrote:
+WSGIImportScript /usr/lib/python2.7/site-packages/kdcproxy/__init__.py \
+ process-group=kdcproxy
On 23.6.2015 15:16, Christian Heimes wrote:
On 2015-06-23 15:14, Nathaniel McCallum wrote:
On Tue, 2015-06-23 at 15:11 +0200, Christian Heimes wrote:
On 2015-06-23 14:58, Nathaniel McCallum wrote:
I agree. One other small nitpick is that the python-kdcproxy dependency
is still wrong. Please
On 2015-06-23 16:55, Nathaniel McCallum wrote:
- Original Message -
Ah, got it!
What's the simplest way to download and test the new package on my VM?
Download the package from koji.
http://koji.fedoraproject.org/koji/packageinfo?packageID=19292
Ah, that's much simpler than
On 2015-06-23 11:37, Christian Heimes wrote:
Hi,
I've created a new patch that implements the KDC switch as an
ExecStartPre hook in httpd.service.
My patch has a bug. Apache's SetEnv doesn't set an operating system env
var. The information is only available as WSGI env var.
I'm going to set
This is hopefully the final patch. I've tested a fresh installation and
upgrade from 4.2 alpha 1.
Christian
From f503bb15304edea863ba1bad91657b1f880f0e4b Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Tue, 23 Jun 2015 17:01:00 +0200
Subject: [PATCH] Provide Kerberos over
typo: is_kdcprox_configured
You need to update the commit message (don't do changes since last patch).
Also, I'm pretty sure this is the case, but the code in
ipaserver/install/httpinstance.py only executes during initial installation,
right?
- Original Message -
This is hopefully
- Original Message -
Ah, got it!
What's the simplest way to download and test the new package on my VM?
Download the package from koji.
http://koji.fedoraproject.org/koji/packageinfo?packageID=19292
On Tue, 2015-06-23 at 08:56 -0400, Simo Sorce wrote:
On Tue, 2015-06-23 at 11:37 +0200, Christian Heimes wrote:
Hi,
I've created a new patch that implements the KDC switch as an
ExecStartPre hook in httpd.service.
Testing:
If you are doing an upgrade of an existing installation,
On 2015-06-23 14:58, Nathaniel McCallum wrote:
I agree. One other small nitpick is that the python-kdcproxy dependency
is still wrong. Please make it depend on 0.3. 0.3 is already in RHEL
and Fedora. The only remaining step here is to push python-kdcproxy in
the same update as the next FreeIPA
On Tue, 2015-06-23 at 11:37 +0200, Christian Heimes wrote:
Hi,
I've created a new patch that implements the KDC switch as an
ExecStartPre hook in httpd.service.
Testing:
If you are doing an upgrade of an existing installation, then you have
to run ipa-server-update first. The update
On 2015-06-23 14:56, Simo Sorce wrote:
Why are you using #!/usr/bin/env python2.7 ?
We do not use this idiom, as it breaks in some cases, at most in some
sources that are v2 only we use #!/usr/bin/python2, please change it.
Force of habit. I'm used to using /usr/bin/env in my own packages.
On 2015-06-23 15:14, Nathaniel McCallum wrote:
On Tue, 2015-06-23 at 15:11 +0200, Christian Heimes wrote:
On 2015-06-23 14:58, Nathaniel McCallum wrote:
I agree. One other small nitpick is that the python-kdcproxy dependency
is still wrong. Please make it depend on 0.3. 0.3 is already in
On Tue, 2015-06-23 at 15:11 +0200, Christian Heimes wrote:
On 2015-06-23 14:58, Nathaniel McCallum wrote:
I agree. One other small nitpick is that the python-kdcproxy dependency
is still wrong. Please make it depend on 0.3. 0.3 is already in RHEL
and Fedora. The only remaining step
On 2015-06-23 17:35, Nathaniel McCallum wrote:
typo: is_kdcprox_configured
You need to update the commit message (don't do changes since last patch).
Also, I'm pretty sure this is the case, but the code in
ipaserver/install/httpinstance.py only executes during initial installation,
The behavior I'm worried about here is this:
1. Admin installs or updates FreeIPA (w/ kdcproxy)
2. Admin disables kdcproxy
3. Admin updates to the next version
After step #3, is kdcproxy enabled or disabled? I don't have a clear answer to
this (or at least I'm not seeing it).
Other than this,
On Jun 23, 2015, at 2:55 PM, Simo Sorce s...@redhat.com wrote:
On Tue, 2015-06-23 at 18:51 +0200, Christian Heimes wrote:
+WSGIImportScript /usr/lib/python2.7/site-packages/kdcproxy/__init__.py \
+ process-group=kdcproxy application-group=kdcproxy
+WSGIScriptAlias /KdcProxy
On 2015-06-23 19:55, Nathaniel McCallum wrote:
The behavior I'm worried about here is this:
1. Admin installs or updates FreeIPA (w/ kdcproxy)
2. Admin disables kdcproxy
3. Admin updates to the next version
After step #3, is kdcproxy enabled or disabled? I don't have a clear answer to
I’m sold. ACK
Simo, speak now or forever hold your peace (or patch it later).
On Jun 23, 2015, at 2:20 PM, Christian Heimes chei...@redhat.com wrote:
On 2015-06-23 19:55, Nathaniel McCallum wrote:
The behavior I'm worried about here is this:
1. Admin installs or updates FreeIPA (w/
On Tue, 2015-06-23 at 18:51 +0200, Christian Heimes wrote:
+WSGIImportScript /usr/lib/python2.7/site-packages/kdcproxy/__init__.py \
+ process-group=kdcproxy application-group=kdcproxy
+WSGIScriptAlias /KdcProxy
/usr/lib/python2.7/site-packages/kdcproxy/__init__.py
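Review bot: The interpreter-specific path /usr/lib/python2.7/site-packages/kdcproxy/__init__.py is hard-coded in both the WSGIImportScript and the WSGIScriptAlias lines, so the configuration stops working if the package is installed under a different Python version or site-packages directory. Consider generating the path at build or install time (for example from the spec file's %{python_sitelib} macro), or pointing both directives at a small wrapper script in a fixed location.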
I find sticking an
Hi,
I've created a new patch that implements the KDC switch as an
ExecStartPre hook in httpd.service.
Testing:
If you are doing an upgrade of an existing installation, then you have
to run ipa-server-update first. The update creates the config file
/etc/ipa/kdcproxy/ipa-kdc-proxy.conf from a
On 2015-06-22 16:22, Nathaniel McCallum wrote:
On Mon, 2015-06-22 at 10:10 -0400, Simo Sorce wrote:
On Mon, 2015-06-22 at 10:01 -0400, Nathaniel McCallum wrote:
I'd still prefer a user mapping to managing a keytab. This patch is
just way too complex for what it does.
User mapping ?
On Mon, 2015-06-22 at 10:01 -0400, Nathaniel McCallum wrote:
I'd still prefer a user mapping to managing a keytab. This patch is just way
too complex for what it does.
User mapping ?
- Original Message -
I brought up your suggestion in today's IPA devel meeting. Simo
explained
On 2015-06-17 18:09, Nathaniel McCallum wrote:
* There is a new permission: Read IPA Masters KDC Proxy. Is this
necessary? Can't the config be world-readable and admin writable? There
is no extra security in hiding this attribute. This also completely
removes the need for a keytab since
On Mon, 2015-06-22 at 10:10 -0400, Simo Sorce wrote:
On Mon, 2015-06-22 at 10:01 -0400, Nathaniel McCallum wrote:
I'd still prefer a user mapping to managing a keytab. This patch is
just way too complex for what it does.
User mapping ?
EXTERNAL bind
- Original Message -
I
I'd still prefer a user mapping to managing a keytab. This patch is just way
too complex for what it does.
- Original Message -
I brought up your suggestion in today's IPA devel meeting. Simo
explained that anonymous binding might not be available. Some customers
disable it on their
On 2015-06-22 16:01, Nathaniel McCallum wrote:
I'd still prefer a user mapping to managing a keytab. This patch is just way
too complex for what it does.
I don't get what you mean by 'user mapping'. Are you referring to
EXTERNAL bind over ldapi?
On Wed, 2015-06-17 at 21:21 +0200, Christian Heimes wrote:
On 2015-06-17 18:09, Nathaniel McCallum wrote:
On Fri, 2015-06-12 at 17:58 -0400, Adam Young wrote:
On 06/12/2015 03:40 PM, Nathaniel McCallum wrote:
It doesn't apply again.
On Tue, 2015-06-09 at 15:55 +0200, Christian Heimes
On 2015-06-17 18:09, Nathaniel McCallum wrote:
On Fri, 2015-06-12 at 17:58 -0400, Adam Young wrote:
On 06/12/2015 03:40 PM, Nathaniel McCallum wrote:
It doesn't apply again.
On Tue, 2015-06-09 at 15:55 +0200, Christian Heimes wrote:
On 2015-05-27 15:16, Christian Heimes wrote:
Hello,
here
On Fri, 2015-06-12 at 17:58 -0400, Adam Young wrote:
On 06/12/2015 03:40 PM, Nathaniel McCallum wrote:
It doesn't apply again.
On Tue, 2015-06-09 at 15:55 +0200, Christian Heimes wrote:
On 2015-05-27 15:16, Christian Heimes wrote:
Hello,
here is my first patch for FreeIPA.
On 2015-06-12 23:58, Adam Young wrote:
So...I've been spoiled a bit by Gerrit. Here is what I just did to get
them to apply:
cd freeipa
git clean -xdf .
#use the -3 to do 3 way merge
git am -3
On 06/12/2015 03:40 PM, Nathaniel McCallum wrote:
It doesn't apply again.
On Tue, 2015-06-09 at 15:55 +0200, Christian Heimes wrote:
On 2015-05-27 15:16, Christian Heimes wrote:
Hello,
here is my first patch for FreeIPA. The patch integrates python-kdcproxy
for MS-KKDCP support (aka
It doesn't apply again.
On Tue, 2015-06-09 at 15:55 +0200, Christian Heimes wrote:
On 2015-05-27 15:16, Christian Heimes wrote:
Hello,
here is my first patch for FreeIPA. The patch integrates python-kdcproxy
for MS-KKDCP support (aka Kerberos over HTTPS).
On 2015-05-27 15:16, Christian Heimes wrote:
Hello,
here is my first patch for FreeIPA. The patch integrates python-kdcproxy
for MS-KKDCP support (aka Kerberos over HTTPS).
https://www.freeipa.org/page/V4/KDC_Proxy
Ticket: https://fedorahosted.org/freeipa/ticket/4801
Changes since patch 1:
- Further simplify krb ticket code
Simo has pointed out that KRB5_CLIENT_KTNAME and MEMORY ccache are
sufficient for the GSSAPI.
http://k5wiki.kerberos.org/wiki/Projects/Keytab_initiation
- switch is now in ipaConfigString=kdcProxyEnabled of