Re: [Freeipa-users] Account Expiration

2013-03-25 Thread Dmitri Pal 
On 03/25/2013 08:27 AM, Simo Sorce wrote:
> On Mon, 2013-03-25 at 10:42 +0100, Petr Vobornik wrote:
>> On 03/24/2013 05:50 PM, Dmitri Pal wrote:
>>> On 03/23/2013 03:58 AM, James James wrote:
 Hi Petr
 Can you (or somebody else ) give me some hints to use a calendar
 widget in the UI ?
>>> In the past we said that there is no calendar widget mature enough to
>>> meet our requirements.
>>> Has this changed? Is there a good widget to use now?
>>>
 Thanks.
>> I believe that jQuery UI datepicker can be used. It's already included 
>> in jQuery UI lib which is shipped with FreeIPA.
>>
>> It can't be used right away though. It will require to incorporate it 
>> into FreeIPA Web UI's widget system. That means inherit from 
>> text_widget, override create method and probably do some format 
>> conversion in update and save methods. Register the new widget to widget 
>> repository. Then,  one has to modify spec of appropriate facets to use it.
>>
>> HTH
> Should we open a ticket with this RFE ?
>
> Simo.
>
Yes.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Account Expiration

2013-03-25 Thread Simo Sorce 
On Mon, 2013-03-25 at 10:42 +0100, Petr Vobornik wrote:
> On 03/24/2013 05:50 PM, Dmitri Pal wrote:
> > On 03/23/2013 03:58 AM, James James wrote:
> >> Hi Petr
> >> Can you (or somebody else ) give me some hints to use a calendar
> >> widget in the UI ?
> >
> > In the past we said that there is no calendar widget mature enough to
> > meet our requirements.
> > Has this changed? Is there a good widget to use now?
> >
> >>
> >> Thanks.
> 
> I believe that jQuery UI datepicker can be used. It's already included 
> in jQuery UI lib which is shipped with FreeIPA.
> 
> It can't be used right away though. It will require to incorporate it 
> into FreeIPA Web UI's widget system. That means inherit from 
> text_widget, override create method and probably do some format 
> conversion in update and save methods. Register the new widget to widget 
> repository. Then,  one has to modify spec of appropriate facets to use it.
> 
> HTH

Should we open a ticket with this RFE ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Account Expiration

2013-03-25 Thread Petr Vobornik 

On 03/24/2013 05:50 PM, Dmitri Pal wrote:

On 03/23/2013 03:58 AM, James James wrote:

Hi Petr
Can you (or somebody else ) give me some hints to use a calendar
widget in the UI ?


In the past we said that there is no calendar widget mature enough to
meet our requirements.
Has this changed? Is there a good widget to use now?



Thanks.


I believe that jQuery UI datepicker can be used. It's already included 
in jQuery UI lib which is shipped with FreeIPA.


It can't be used right away though. It will require to incorporate it 
into FreeIPA Web UI's widget system. That means inherit from 
text_widget, override create method and probably do some format 
conversion in update and save methods. Register the new widget to widget 
repository. Then,  one has to modify spec of appropriate facets to use it.


HTH




2013/2/7 Petr Vobornik mailto:pvobo...@redhat.com>>

 On 02/07/2013 08:45 AM, Martin Kosek wrote:

 On 02/07/2013 08:31 AM, James James wrote:

 Thanks Rob. I have one more question. Is it possible to
 add a field in the ui,
 and get the field's value in a custom add user hook script  ?

 James


 Theoretically it's possible but it requires quite good knowledge
 of Web UI code. It's easier to modify user page source codes. For
 simple edit (just textbox, no calendar widget) it may be just one
 line of code (in WebUI, server plugin will require more work).



 I know that Petr Vobornik is already working in better
 extensibility of the UI,
 but that would be available in future releases. Petr, do you
 have any advice
 for James for current release?



 2013/2/7 Rob Crittenden mailto:rcrit...@redhat.com> >>

  James James wrote:

  Can somebody gives me some help to set
 krbPrincipalExpiration from the
  freeipa ui ?


  You can't set this in the web UI.


 Note: You will be able to set it in the CLI/UI when ticket
 https://fedorahosted.org/freeipa/ticket/3306
 is fixed.


  You can do it from the command line using ldapmodify
 with:

  $ ldapmodify -x -D 'cn=Directory Manager' -W
  Enter LDAP Password:
  dn: uid=tuser1,cn=users,cn=__accounts,dc=example,dc=com
  changetype: modify
  replace: krbPasswordExpiration
  krbPasswordExpiration: 20200508032114Z

  ^D


 This would change password expiration attribute. So for
 account expiration, you
 would just need to replace krbPasswordExpiration modification
 above with
 krbPrincipalExpiration.

 Martin


 --
 Petr Vobornik




___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users





___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users




--
Petr Vobornik

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Account Expiration

2013-03-24 Thread Dmitri Pal 
On 03/23/2013 03:58 AM, James James wrote:
> Hi Petr
> Can you (or somebody else ) give me some hints to use a calendar
> widget in the UI ?

In the past we said that there is no calendar widget mature enough to
meet our requirements.
Has this changed? Is there a good widget to use now?

>
> Thanks.
>
>
> 2013/2/7 Petr Vobornik mailto:pvobo...@redhat.com>>
>
> On 02/07/2013 08:45 AM, Martin Kosek wrote:
>
> On 02/07/2013 08:31 AM, James James wrote:
>
> Thanks Rob. I have one more question. Is it possible to
> add a field in the ui,
> and get the field's value in a custom add user hook script  ?
>
> James
>
>
> Theoretically it's possible but it requires quite good knowledge
> of Web UI code. It's easier to modify user page source codes. For
> simple edit (just textbox, no calendar widget) it may be just one
> line of code (in WebUI, server plugin will require more work).
>
>
>
> I know that Petr Vobornik is already working in better
> extensibility of the UI,
> but that would be available in future releases. Petr, do you
> have any advice
> for James for current release?
>
>
>
> 2013/2/7 Rob Crittenden    >>
>
>  James James wrote:
>
>  Can somebody gives me some help to set
> krbPrincipalExpiration from the
>  freeipa ui ?
>
>
>  You can't set this in the web UI.
>
>
> Note: You will be able to set it in the CLI/UI when ticket
> https://fedorahosted.org/freeipa/ticket/3306
> is fixed.
>
>
>  You can do it from the command line using ldapmodify
> with:
>
>  $ ldapmodify -x -D 'cn=Directory Manager' -W
>  Enter LDAP Password:
>  dn: uid=tuser1,cn=users,cn=__accounts,dc=example,dc=com
>  changetype: modify
>  replace: krbPasswordExpiration
>  krbPasswordExpiration: 20200508032114Z
>
>  ^D
>
>
> This would change password expiration attribute. So for
> account expiration, you
> would just need to replace krbPasswordExpiration modification
> above with
> krbPrincipalExpiration.
>
> Martin
>
>
> -- 
> Petr Vobornik
>
>
>
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Account Expiration

2013-03-23 Thread James James 
Hi Petr
Can you (or somebody else ) give me some hints to use a calendar widget in
the UI ?

Thanks.


2013/2/7 Petr Vobornik 

> On 02/07/2013 08:45 AM, Martin Kosek wrote:
>
>> On 02/07/2013 08:31 AM, James James wrote:
>>
>>> Thanks Rob. I have one more question. Is it possible to add a field in
>>> the ui,
>>> and get the field's value in a custom add user hook script  ?
>>>
>>> James
>>>
>>
> Theoretically it's possible but it requires quite good knowledge of Web UI
> code. It's easier to modify user page source codes. For simple edit (just
> textbox, no calendar widget) it may be just one line of code (in WebUI,
> server plugin will require more work).
>
>
>
>> I know that Petr Vobornik is already working in better extensibility of
>> the UI,
>> but that would be available in future releases. Petr, do you have any
>> advice
>> for James for current release?
>>
>>
>>>
>>> 2013/2/7 Rob Crittenden mailto:rcrit...@redhat.com
>>> >>
>>>
>>>  James James wrote:
>>>
>>>  Can somebody gives me some help to set krbPrincipalExpiration
>>> from the
>>>  freeipa ui ?
>>>
>>>
>>>  You can't set this in the web UI.
>>>
>>
>> Note: You will be able to set it in the CLI/UI when ticket
>> https://fedorahosted.org/**freeipa/ticket/3306
>> is fixed.
>>
>>
>>>  You can do it from the command line using ldapmodify with:
>>>
>>>  $ ldapmodify -x -D 'cn=Directory Manager' -W
>>>  Enter LDAP Password:
>>>  dn: uid=tuser1,cn=users,cn=__**accounts,dc=example,dc=com
>>>  changetype: modify
>>>  replace: krbPasswordExpiration
>>>  krbPasswordExpiration: 20200508032114Z
>>>
>>>  ^D
>>>
>>
>> This would change password expiration attribute. So for account
>> expiration, you
>> would just need to replace krbPasswordExpiration modification above with
>> krbPrincipalExpiration.
>>
>> Martin
>>
>>
> --
> Petr Vobornik
>
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Account Expiration

2013-02-13 Thread Rob Crittenden 

James James wrote:

What is the IIRC docs ?


IIRC == If I Recall Correctly.

https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html-single/Identity_Management_Guide/index.html#pwd-expiration

rob




2013/2/13 Rob Crittenden mailto:rcrit...@redhat.com>>

Petr Spacek wrote:

On 12.2.2013 20:21, John Dennis wrote:

On 02/12/2013 01:40 PM, Rob Crittenden wrote:

Is it possible to ipa to send a email to user when
his account is about
to expire (the current date is near
krbprincipalexpiration date) ?


Not currently. In 3.0+ we will provide a notice when one
logs into the
WebUI but that's it.

We can't be sure that an MTA is properly configured on
the IPA server at
install time so we have punted on this for a while. We
don't want to get
into the business of picking and configuring one. This
is one of those
things that seems really easy but gets complicated the
deeper you dig
into it. We're open to suggestions/patches.


Yeah, I don't think we want to be in the business of
installing and
configuring an MTA. However, we should be able to detect if
one is
available
and use it if it is. I think it would be reasonable to
restrict it to
LMTP
with a Unix domain socket (most MTA's support this). Then
our config
would
have a LMTP domain socket pathname, if that pathname exists
and we can
connect
to it we use, if not we fallback to not generating any mail.


In meanwhile, it should be relatively simple to code script
which does
ldapsearch from time to time and sends some e-mails. This script
doesn't
have to run on the same server as IPA, only access to LDAP and
some MTA
is required.


Yes, that is our current recommendation. There is a sample query in
the docs IIRC.

rob


_
Freeipa-users mailing list
Freeipa-users@redhat.com 
https://www.redhat.com/__mailman/listinfo/freeipa-users





___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Account Expiration

2013-02-13 Thread James James 
thanks for your code. :)


2013/2/13 Jan-Frode Myklebust 

> On Wed, Feb 13, 2013 at 09:29:42AM +0100, Petr Spacek wrote:
> > >
> > >Yeah, I don't think we want to be in the business of installing and
> > >configuring an MTA. However, we should be able to detect if one is
> available
> > >and use it if it is. I think it would be reasonable to restrict it to
> LMTP
> > >with a Unix domain socket (most MTA's support this). Then our config
> would
> > >have a LMTP domain socket pathname, if that pathname exists and we can
> connect
> > >to it we use, if not we fallback to not generating any mail.
> >
> > In meanwhile, it should be relatively simple to code script which
> > does ldapsearch from time to time and sends some e-mails. This
> > script doesn't have to run on the same server as IPA, only access to
> > LDAP and some MTA is required.
>
> Crude, but a start:
>
> 
> #! /bin/bash
> ldapsearch -z 500 -x -h ipa1.example.net -b
> cn=users,cn=accounts,dc=example,dc=net "(krbPasswordExpiration<=$(date
> +%Y%m%d --date='+1 week')00Z)" mail |grep ^mail|cut -d: -f2 |while read
> mail
> do
> echo password expires in less than a week | mail -s "Password
> expires" $mail
> done
> 
>
>
>
>   -jf
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Account Expiration

2013-02-13 Thread James James 
What is the IIRC docs ?


2013/2/13 Rob Crittenden 

> Petr Spacek wrote:
>
>> On 12.2.2013 20:21, John Dennis wrote:
>>
>>> On 02/12/2013 01:40 PM, Rob Crittenden wrote:
>>>
 Is it possible to ipa to send a email to user when his account is about
> to expire (the current date is near krbprincipalexpiration date) ?
>

 Not currently. In 3.0+ we will provide a notice when one logs into the
 WebUI but that's it.

 We can't be sure that an MTA is properly configured on the IPA server at
 install time so we have punted on this for a while. We don't want to get
 into the business of picking and configuring one. This is one of those
 things that seems really easy but gets complicated the deeper you dig
 into it. We're open to suggestions/patches.

>>>
>>> Yeah, I don't think we want to be in the business of installing and
>>> configuring an MTA. However, we should be able to detect if one is
>>> available
>>> and use it if it is. I think it would be reasonable to restrict it to
>>> LMTP
>>> with a Unix domain socket (most MTA's support this). Then our config
>>> would
>>> have a LMTP domain socket pathname, if that pathname exists and we can
>>> connect
>>> to it we use, if not we fallback to not generating any mail.
>>>
>>
>> In meanwhile, it should be relatively simple to code script which does
>> ldapsearch from time to time and sends some e-mails. This script doesn't
>> have to run on the same server as IPA, only access to LDAP and some MTA
>> is required.
>>
>>
> Yes, that is our current recommendation. There is a sample query in the
> docs IIRC.
>
> rob
>
>
> __**_
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/**mailman/listinfo/freeipa-users
>
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Account Expiration

2013-02-13 Thread Jan-Frode Myklebust 
On Wed, Feb 13, 2013 at 09:29:42AM +0100, Petr Spacek wrote:
> >
> >Yeah, I don't think we want to be in the business of installing and
> >configuring an MTA. However, we should be able to detect if one is available
> >and use it if it is. I think it would be reasonable to restrict it to LMTP
> >with a Unix domain socket (most MTA's support this). Then our config would
> >have a LMTP domain socket pathname, if that pathname exists and we can 
> >connect
> >to it we use, if not we fallback to not generating any mail.
> 
> In meanwhile, it should be relatively simple to code script which
> does ldapsearch from time to time and sends some e-mails. This
> script doesn't have to run on the same server as IPA, only access to
> LDAP and some MTA is required.

Crude, but a start:


#! /bin/bash
ldapsearch -z 500 -x -h ipa1.example.net -b 
cn=users,cn=accounts,dc=example,dc=net "(krbPasswordExpiration<=$(date +%Y%m%d 
--date='+1 week')00Z)" mail |grep ^mail|cut -d: -f2 |while read mail
do
echo password expires in less than a week | mail -s "Password expires" 
$mail
done




  -jf

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Account Expiration

2013-02-13 Thread Steven Jones 
Hi,

Isnt Postfix the RHEL default now?  So is it that hard to do a 
Postfix-ipa-config.rpm?

Its something we want as well, so I'll do a RFE, RH support will love me more 
I'm sure

;]

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Rob Crittenden [rcrit...@redhat.com]
Sent: Thursday, 14 February 2013 2:56 a.m.
To: Petr Spacek
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Account Expiration

Petr Spacek wrote:
> On 12.2.2013 20:21, John Dennis wrote:
>> On 02/12/2013 01:40 PM, Rob Crittenden wrote:
>>>> Is it possible to ipa to send a email to user when his account is about
>>>> to expire (the current date is near krbprincipalexpiration date) ?
>>>
>>> Not currently. In 3.0+ we will provide a notice when one logs into the
>>> WebUI but that's it.
>>>
>>> We can't be sure that an MTA is properly configured on the IPA server at
>>> install time so we have punted on this for a while. We don't want to get
>>> into the business of picking and configuring one. This is one of those
>>> things that seems really easy but gets complicated the deeper you dig
>>> into it. We're open to suggestions/patches.
>>
>> Yeah, I don't think we want to be in the business of installing and
>> configuring an MTA. However, we should be able to detect if one is
>> available
>> and use it if it is. I think it would be reasonable to restrict it to
>> LMTP
>> with a Unix domain socket (most MTA's support this). Then our config
>> would
>> have a LMTP domain socket pathname, if that pathname exists and we can
>> connect
>> to it we use, if not we fallback to not generating any mail.
>
> In meanwhile, it should be relatively simple to code script which does
> ldapsearch from time to time and sends some e-mails. This script doesn't
> have to run on the same server as IPA, only access to LDAP and some MTA
> is required.
>

Yes, that is our current recommendation. There is a sample query in the
docs IIRC.

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Account Expiration

2013-02-13 Thread Rob Crittenden 

Petr Spacek wrote:

On 12.2.2013 20:21, John Dennis wrote:

On 02/12/2013 01:40 PM, Rob Crittenden wrote:

Is it possible to ipa to send a email to user when his account is about
to expire (the current date is near krbprincipalexpiration date) ?


Not currently. In 3.0+ we will provide a notice when one logs into the
WebUI but that's it.

We can't be sure that an MTA is properly configured on the IPA server at
install time so we have punted on this for a while. We don't want to get
into the business of picking and configuring one. This is one of those
things that seems really easy but gets complicated the deeper you dig
into it. We're open to suggestions/patches.


Yeah, I don't think we want to be in the business of installing and
configuring an MTA. However, we should be able to detect if one is
available
and use it if it is. I think it would be reasonable to restrict it to
LMTP
with a Unix domain socket (most MTA's support this). Then our config
would
have a LMTP domain socket pathname, if that pathname exists and we can
connect
to it we use, if not we fallback to not generating any mail.


In meanwhile, it should be relatively simple to code script which does
ldapsearch from time to time and sends some e-mails. This script doesn't
have to run on the same server as IPA, only access to LDAP and some MTA
is required.



Yes, that is our current recommendation. There is a sample query in the 
docs IIRC.


rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Account Expiration

2013-02-13 Thread James James 
It's a good idea. I will try that.



2013/2/13 Petr Spacek 

> On 12.2.2013 20:21, John Dennis wrote:
>
>> On 02/12/2013 01:40 PM, Rob Crittenden wrote:
>>
>>> Is it possible to ipa to send a email to user when his account is about
 to expire (the current date is near krbprincipalexpiration date) ?

>>>
>>> Not currently. In 3.0+ we will provide a notice when one logs into the
>>> WebUI but that's it.
>>>
>>> We can't be sure that an MTA is properly configured on the IPA server at
>>> install time so we have punted on this for a while. We don't want to get
>>> into the business of picking and configuring one. This is one of those
>>> things that seems really easy but gets complicated the deeper you dig
>>> into it. We're open to suggestions/patches.
>>>
>>
>> Yeah, I don't think we want to be in the business of installing and
>> configuring an MTA. However, we should be able to detect if one is
>> available
>> and use it if it is. I think it would be reasonable to restrict it to LMTP
>> with a Unix domain socket (most MTA's support this). Then our config would
>> have a LMTP domain socket pathname, if that pathname exists and we can
>> connect
>> to it we use, if not we fallback to not generating any mail.
>>
>
> In meanwhile, it should be relatively simple to code script which does
> ldapsearch from time to time and sends some e-mails. This script doesn't
> have to run on the same server as IPA, only access to LDAP and some MTA is
> required.
>
> --
> Petr^2 Spacek
>
>
> __**_
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/**mailman/listinfo/freeipa-users
>
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Account Expiration

2013-02-13 Thread Petr Spacek 

On 12.2.2013 20:21, John Dennis wrote:

On 02/12/2013 01:40 PM, Rob Crittenden wrote:

Is it possible to ipa to send a email to user when his account is about
to expire (the current date is near krbprincipalexpiration date) ?


Not currently. In 3.0+ we will provide a notice when one logs into the
WebUI but that's it.

We can't be sure that an MTA is properly configured on the IPA server at
install time so we have punted on this for a while. We don't want to get
into the business of picking and configuring one. This is one of those
things that seems really easy but gets complicated the deeper you dig
into it. We're open to suggestions/patches.


Yeah, I don't think we want to be in the business of installing and
configuring an MTA. However, we should be able to detect if one is available
and use it if it is. I think it would be reasonable to restrict it to LMTP
with a Unix domain socket (most MTA's support this). Then our config would
have a LMTP domain socket pathname, if that pathname exists and we can connect
to it we use, if not we fallback to not generating any mail.


In meanwhile, it should be relatively simple to code script which does 
ldapsearch from time to time and sends some e-mails. This script doesn't have 
to run on the same server as IPA, only access to LDAP and some MTA is required.


--
Petr^2 Spacek

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Account Expiration

2013-02-12 Thread James James 
Thanks  guys for your answers.


2013/2/12 John Dennis 

> On 02/12/2013 01:40 PM, Rob Crittenden wrote:
>
>> Is it possible to ipa to send a email to user when his account is about
>>> to expire (the current date is near krbprincipalexpiration date) ?
>>>
>>
>> Not currently. In 3.0+ we will provide a notice when one logs into the
>> WebUI but that's it.
>>
>> We can't be sure that an MTA is properly configured on the IPA server at
>> install time so we have punted on this for a while. We don't want to get
>> into the business of picking and configuring one. This is one of those
>> things that seems really easy but gets complicated the deeper you dig
>> into it. We're open to suggestions/patches.
>>
>
> Yeah, I don't think we want to be in the business of installing and
> configuring an MTA. However, we should be able to detect if one is
> available and use it if it is. I think it would be reasonable to restrict
> it to LMTP with a Unix domain socket (most MTA's support this). Then our
> config would have a LMTP domain socket pathname, if that pathname exists
> and we can connect to it we use, if not we fallback to not generating any
> mail.
>
> --
> John Dennis 
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Account Expiration

2013-02-12 Thread John Dennis 

On 02/12/2013 01:40 PM, Rob Crittenden wrote:

Is it possible to ipa to send a email to user when his account is about
to expire (the current date is near krbprincipalexpiration date) ?


Not currently. In 3.0+ we will provide a notice when one logs into the
WebUI but that's it.

We can't be sure that an MTA is properly configured on the IPA server at
install time so we have punted on this for a while. We don't want to get
into the business of picking and configuring one. This is one of those
things that seems really easy but gets complicated the deeper you dig
into it. We're open to suggestions/patches.


Yeah, I don't think we want to be in the business of installing and 
configuring an MTA. However, we should be able to detect if one is 
available and use it if it is. I think it would be reasonable to 
restrict it to LMTP with a Unix domain socket (most MTA's support this). 
Then our config would have a LMTP domain socket pathname, if that 
pathname exists and we can connect to it we use, if not we fallback to 
not generating any mail.


--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Account Expiration

2013-02-12 Thread Rob Crittenden 

James James wrote:

Can you tell me how update my ipa's files once when ticket
https://fedorahosted.org/freeipa/ticket/3306 will be fixed ?

Should I have to do 'yum update ipa*'  ?


Once it gets fixed upstream and packaged into a release, yes, that is 
what you would do.



Is it possible to ipa to send a email to user when his account is about
to expire (the current date is near krbprincipalexpiration date) ?


Not currently. In 3.0+ we will provide a notice when one logs into the 
WebUI but that's it.


We can't be sure that an MTA is properly configured on the IPA server at 
install time so we have punted on this for a while. We don't want to get 
into the business of picking and configuring one. This is one of those 
things that seems really easy but gets complicated the deeper you dig 
into it. We're open to suggestions/patches.


regards

rob




2013/2/7 Martin Kosek mailto:mko...@redhat.com>>

On 02/07/2013 08:31 AM, James James wrote:
 > Thanks Rob. I have one more question. Is it possible to add a
field in the ui,
 > and get the field's value in a custom add user hook script  ?
 >
 > James

I know that Petr Vobornik is already working in better extensibility
of the UI,
but that would be available in future releases. Petr, do you have
any advice
for James for current release?

 >
 >
 > 2013/2/7 Rob Crittenden mailto:rcrit...@redhat.com> >>
 >
 > James James wrote:
 >
 > Can somebody gives me some help to set
krbPrincipalExpiration from the
 > freeipa ui ?
 >
 >
 > You can't set this in the web UI.

Note: You will be able to set it in the CLI/UI when ticket
https://fedorahosted.org/freeipa/ticket/3306
is fixed.

 >
 > You can do it from the command line using ldapmodify with:
 >
 > $ ldapmodify -x -D 'cn=Directory Manager' -W
 > Enter LDAP Password:
 > dn: uid=tuser1,cn=users,cn=__accounts,dc=example,dc=com
 > changetype: modify
 > replace: krbPasswordExpiration
 > krbPasswordExpiration: 20200508032114Z
 >
 > ^D

This would change password expiration attribute. So for account
expiration, you
would just need to replace krbPasswordExpiration modification above with
krbPrincipalExpiration.

Martin




___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Account Expiration

2013-02-12 Thread James James 
Can you tell me how update my ipa's files once when ticket
https://fedorahosted.org/freeipa/ticket/3306 will be fixed ?

Should I have to do 'yum update ipa*'  ?

Is it possible to ipa to send a email to user when his account is about to
expire (the current date is near krbprincipalexpiration date) ?


2013/2/7 Martin Kosek 

> On 02/07/2013 08:31 AM, James James wrote:
> > Thanks Rob. I have one more question. Is it possible to add a field in
> the ui,
> > and get the field's value in a custom add user hook script  ?
> >
> > James
>
> I know that Petr Vobornik is already working in better extensibility of
> the UI,
> but that would be available in future releases. Petr, do you have any
> advice
> for James for current release?
>
> >
> >
> > 2013/2/7 Rob Crittenden mailto:rcrit...@redhat.com
> >>
> >
> > James James wrote:
> >
> > Can somebody gives me some help to set krbPrincipalExpiration
> from the
> > freeipa ui ?
> >
> >
> > You can't set this in the web UI.
>
> Note: You will be able to set it in the CLI/UI when ticket
> https://fedorahosted.org/freeipa/ticket/3306
> is fixed.
>
> >
> > You can do it from the command line using ldapmodify with:
> >
> > $ ldapmodify -x -D 'cn=Directory Manager' -W
> > Enter LDAP Password:
> > dn: uid=tuser1,cn=users,cn=__accounts,dc=example,dc=com
> > changetype: modify
> > replace: krbPasswordExpiration
> > krbPasswordExpiration: 20200508032114Z
> >
> > ^D
>
> This would change password expiration attribute. So for account
> expiration, you
> would just need to replace krbPasswordExpiration modification above with
> krbPrincipalExpiration.
>
> Martin
>
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Account Expiration

2013-02-07 Thread James James 
ok thanks.



2013/2/7 Petr Vobornik 

> On 02/07/2013 08:45 AM, Martin Kosek wrote:
>
>> On 02/07/2013 08:31 AM, James James wrote:
>>
>>> Thanks Rob. I have one more question. Is it possible to add a field in
>>> the ui,
>>> and get the field's value in a custom add user hook script  ?
>>>
>>> James
>>>
>>
> Theoretically it's possible but it requires quite good knowledge of Web UI
> code. It's easier to modify user page source codes. For simple edit (just
> textbox, no calendar widget) it may be just one line of code (in WebUI,
> server plugin will require more work).
>
>
>
>> I know that Petr Vobornik is already working in better extensibility of
>> the UI,
>> but that would be available in future releases. Petr, do you have any
>> advice
>> for James for current release?
>>
>>
>>>
>>> 2013/2/7 Rob Crittenden mailto:rcrit...@redhat.com
>>> >>
>>>
>>>  James James wrote:
>>>
>>>  Can somebody gives me some help to set krbPrincipalExpiration
>>> from the
>>>  freeipa ui ?
>>>
>>>
>>>  You can't set this in the web UI.
>>>
>>
>> Note: You will be able to set it in the CLI/UI when ticket
>> https://fedorahosted.org/**freeipa/ticket/3306
>> is fixed.
>>
>>
>>>  You can do it from the command line using ldapmodify with:
>>>
>>>  $ ldapmodify -x -D 'cn=Directory Manager' -W
>>>  Enter LDAP Password:
>>>  dn: uid=tuser1,cn=users,cn=__**accounts,dc=example,dc=com
>>>  changetype: modify
>>>  replace: krbPasswordExpiration
>>>  krbPasswordExpiration: 20200508032114Z
>>>
>>>  ^D
>>>
>>
>> This would change password expiration attribute. So for account
>> expiration, you
>> would just need to replace krbPasswordExpiration modification above with
>> krbPrincipalExpiration.
>>
>> Martin
>>
>>
> --
> Petr Vobornik
>
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Account Expiration

2013-02-07 Thread Petr Vobornik 

On 02/07/2013 08:45 AM, Martin Kosek wrote:

On 02/07/2013 08:31 AM, James James wrote:

Thanks Rob. I have one more question. Is it possible to add a field in the ui,
and get the field's value in a custom add user hook script  ?

James


Theoretically it's possible but it requires quite good knowledge of Web 
UI code. It's easier to modify user page source codes. For simple edit 
(just textbox, no calendar widget) it may be just one line of code (in 
WebUI, server plugin will require more work).




I know that Petr Vobornik is already working in better extensibility of the UI,
but that would be available in future releases. Petr, do you have any advice
for James for current release?




2013/2/7 Rob Crittenden mailto:rcrit...@redhat.com>>

 James James wrote:

 Can somebody gives me some help to set krbPrincipalExpiration from the
 freeipa ui ?


 You can't set this in the web UI.


Note: You will be able to set it in the CLI/UI when ticket
https://fedorahosted.org/freeipa/ticket/3306
is fixed.



 You can do it from the command line using ldapmodify with:

 $ ldapmodify -x -D 'cn=Directory Manager' -W
 Enter LDAP Password:
 dn: uid=tuser1,cn=users,cn=__accounts,dc=example,dc=com
 changetype: modify
 replace: krbPasswordExpiration
 krbPasswordExpiration: 20200508032114Z

 ^D


This would change password expiration attribute. So for account expiration, you
would just need to replace krbPasswordExpiration modification above with
krbPrincipalExpiration.

Martin



--
Petr Vobornik

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Account Expiration

2013-02-07 Thread Simo Sorce 
On Thu, 2013-02-07 at 08:31 +0100, James James wrote:
> Thanks Rob. I have one more question. Is it possible to add a field in
> the ui, and get the field's value in a custom add user hook script  ?
> 

It wouldn't be useful as you would not have permission to change it
anyways.

If you want to consistently have a different expiration time you should
change the password policy.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Account Expiration

2013-02-06 Thread Martin Kosek 
On 02/07/2013 08:31 AM, James James wrote:
> Thanks Rob. I have one more question. Is it possible to add a field in the ui,
> and get the field's value in a custom add user hook script  ?
> 
> James

I know that Petr Vobornik is already working in better extensibility of the UI,
but that would be available in future releases. Petr, do you have any advice
for James for current release?

> 
> 
> 2013/2/7 Rob Crittenden mailto:rcrit...@redhat.com>>
> 
> James James wrote:
> 
> Can somebody gives me some help to set krbPrincipalExpiration from the
> freeipa ui ?
> 
> 
> You can't set this in the web UI.

Note: You will be able to set it in the CLI/UI when ticket
https://fedorahosted.org/freeipa/ticket/3306
is fixed.

> 
> You can do it from the command line using ldapmodify with:
> 
> $ ldapmodify -x -D 'cn=Directory Manager' -W
> Enter LDAP Password:
> dn: uid=tuser1,cn=users,cn=__accounts,dc=example,dc=com
> changetype: modify
> replace: krbPasswordExpiration
> krbPasswordExpiration: 20200508032114Z
> 
> ^D

This would change password expiration attribute. So for account expiration, you
would just need to replace krbPasswordExpiration modification above with
krbPrincipalExpiration.

Martin

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Account Expiration

2013-02-06 Thread James James 
Thanks Rob. I have one more question. Is it possible to add a field in the
ui, and get the field's value in a custom add user hook script  ?

James


2013/2/7 Rob Crittenden 

> James James wrote:
>
>> Can somebody gives me some help to set krbPrincipalExpiration from the
>> freeipa ui ?
>>
>
> You can't set this in the web UI.
>
> You can do it from the command line using ldapmodify with:
>
> $ ldapmodify -x -D 'cn=Directory Manager' -W
> Enter LDAP Password:
> dn: uid=tuser1,cn=users,cn=**accounts,dc=example,dc=com
> changetype: modify
> replace: krbPasswordExpiration
> krbPasswordExpiration: 20200508032114Z
>
> ^D
>
> rob
>
>>
>> Many thanks
>>
>>
>> 2013/1/28 James James mailto:jre...@gmail.com>>
>>
>>
>> Hi Martin,
>> thanks a lot for your answer. The krbPrincipalExpiration should do
>> the job.
>>
>> Regards.
>>
>>
>> 2013/1/28 Martin Kosek mailto:mko...@redhat.com>>
>>
>>
>> On 01/28/2013 12:14 PM, James James wrote:
>>  > Hi, in 389-ds there is a nice plugin I love,  it's account
>> policy. You can set
>>  > account expiration date and the account will be inactive at
>> this day.
>>  >
>>  >
>> http://directory.**fedoraproject.org/wiki/**
>> Account_Policy_Design#**Detailed_Design_of_Account_**Expiration
>>  >
>>  > Is there a way to have this feature with freeipa ?
>>  >
>>  > Regards.
>>  >
>>  >
>>  > James
>>  >
>>
>> Hello James,
>>
>> FreeIPA user plugin does not support this feature, you would
>> need to hack it in
>> the plugin yourselves (patches welcome :-).
>>
>> Generally, you should be able to set account expiration to
>> krbPrincipalExpiration attribute of the user account and it
>> should just work.
>> You can also check few tickets we have already few tickets filed
>> for better
>> handling of this attribute:
>>
>> 
>> https://fedorahosted.org/**freeipa/ticket/3062
>> [RFE] Allow admins to change expiration attribute for the accounts
>>
>> 
>> https://fedorahosted.org/**freeipa/ticket/3305
>> KrbPrincipalExpiration should be checked in pre-bind op
>>
>> 
>> https://fedorahosted.org/**freeipa/ticket/3306
>> [RFE] Expose the krbPrincipalExpiration attribute for editing in
>> the IPA CLI /
>> WEBUI
>>
>>
>> Anyway, if you want a support for this particular plugin, you
>> can file an RFE
>> to Trac/Bugzilla  which we will further process.
>>
>> HTH,
>> Martin
>>
>>
>>
>>
>>
>> __**_
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/**mailman/listinfo/freeipa-users
>>
>>
>
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Account Expiration

2013-02-06 Thread Rob Crittenden 

James James wrote:

Can somebody gives me some help to set krbPrincipalExpiration from the
freeipa ui ?


You can't set this in the web UI.

You can do it from the command line using ldapmodify with:

$ ldapmodify -x -D 'cn=Directory Manager' -W
Enter LDAP Password:
dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
replace: krbPasswordExpiration
krbPasswordExpiration: 20200508032114Z

^D

rob


Many thanks


2013/1/28 James James mailto:jre...@gmail.com>>

Hi Martin,
thanks a lot for your answer. The krbPrincipalExpiration should do
the job.

Regards.


2013/1/28 Martin Kosek mailto:mko...@redhat.com>>

On 01/28/2013 12:14 PM, James James wrote:
 > Hi, in 389-ds there is a nice plugin I love,  it's account
policy. You can set
 > account expiration date and the account will be inactive at
this day.
 >
 >

http://directory.fedoraproject.org/wiki/Account_Policy_Design#Detailed_Design_of_Account_Expiration
 >
 > Is there a way to have this feature with freeipa ?
 >
 > Regards.
 >
 >
 > James
 >

Hello James,

FreeIPA user plugin does not support this feature, you would
need to hack it in
the plugin yourselves (patches welcome :-).

Generally, you should be able to set account expiration to
krbPrincipalExpiration attribute of the user account and it
should just work.
You can also check few tickets we have already few tickets filed
for better
handling of this attribute:

https://fedorahosted.org/freeipa/ticket/3062
[RFE] Allow admins to change expiration attribute for the accounts

https://fedorahosted.org/freeipa/ticket/3305
KrbPrincipalExpiration should be checked in pre-bind op

https://fedorahosted.org/freeipa/ticket/3306
[RFE] Expose the krbPrincipalExpiration attribute for editing in
the IPA CLI /
WEBUI


Anyway, if you want a support for this particular plugin, you
can file an RFE
to Trac/Bugzilla  which we will further process.

HTH,
Martin





___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Account Expiration

2013-02-06 Thread James James 
Can somebody gives me some help to set krbPrincipalExpiration from the
freeipa ui ?

Many thanks


2013/1/28 James James 

> Hi Martin,
> thanks a lot for your answer. The krbPrincipalExpiration should do the job.
>
> Regards.
>
>
> 2013/1/28 Martin Kosek 
>
>> On 01/28/2013 12:14 PM, James James wrote:
>> > Hi, in 389-ds there is a nice plugin I love,  it's account policy. You
>> can set
>> > account expiration date and the account will be inactive at this day.
>> >
>> >
>> http://directory.fedoraproject.org/wiki/Account_Policy_Design#Detailed_Design_of_Account_Expiration
>> >
>> > Is there a way to have this feature with freeipa ?
>> >
>> > Regards.
>> >
>> >
>> > James
>> >
>>
>> Hello James,
>>
>> FreeIPA user plugin does not support this feature, you would need to hack
>> it in
>> the plugin yourselves (patches welcome :-).
>>
>> Generally, you should be able to set account expiration to
>> krbPrincipalExpiration attribute of the user account and it should just
>> work.
>> You can also check few tickets we have already few tickets filed for
>> better
>> handling of this attribute:
>>
>> https://fedorahosted.org/freeipa/ticket/3062
>> [RFE] Allow admins to change expiration attribute for the accounts
>>
>> https://fedorahosted.org/freeipa/ticket/3305
>> KrbPrincipalExpiration should be checked in pre-bind op
>>
>> https://fedorahosted.org/freeipa/ticket/3306
>> [RFE] Expose the krbPrincipalExpiration attribute for editing in the IPA
>> CLI /
>> WEBUI
>>
>>
>> Anyway, if you want a support for this particular plugin, you can file an
>> RFE
>> to Trac/Bugzilla  which we will further process.
>>
>> HTH,
>> Martin
>>
>
>
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Account Expiration

2013-01-28 Thread James James 
Hi Martin,
thanks a lot for your answer. The krbPrincipalExpiration should do the job.

Regards.


2013/1/28 Martin Kosek 

> On 01/28/2013 12:14 PM, James James wrote:
> > Hi, in 389-ds there is a nice plugin I love,  it's account policy. You
> can set
> > account expiration date and the account will be inactive at this day.
> >
> >
> http://directory.fedoraproject.org/wiki/Account_Policy_Design#Detailed_Design_of_Account_Expiration
> >
> > Is there a way to have this feature with freeipa ?
> >
> > Regards.
> >
> >
> > James
> >
>
> Hello James,
>
> FreeIPA user plugin does not support this feature, you would need to hack
> it in
> the plugin yourselves (patches welcome :-).
>
> Generally, you should be able to set account expiration to
> krbPrincipalExpiration attribute of the user account and it should just
> work.
> You can also check few tickets we have already few tickets filed for better
> handling of this attribute:
>
> https://fedorahosted.org/freeipa/ticket/3062
> [RFE] Allow admins to change expiration attribute for the accounts
>
> https://fedorahosted.org/freeipa/ticket/3305
> KrbPrincipalExpiration should be checked in pre-bind op
>
> https://fedorahosted.org/freeipa/ticket/3306
> [RFE] Expose the krbPrincipalExpiration attribute for editing in the IPA
> CLI /
> WEBUI
>
>
> Anyway, if you want a support for this particular plugin, you can file an
> RFE
> to Trac/Bugzilla  which we will further process.
>
> HTH,
> Martin
>
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Account Expiration

2013-01-28 Thread Martin Kosek 
On 01/28/2013 12:14 PM, James James wrote:
> Hi, in 389-ds there is a nice plugin I love,  it's account policy. You can set
> account expiration date and the account will be inactive at this day.
> 
> http://directory.fedoraproject.org/wiki/Account_Policy_Design#Detailed_Design_of_Account_Expiration
> 
> Is there a way to have this feature with freeipa ?
> 
> Regards.
> 
> 
> James
> 

Hello James,

FreeIPA user plugin does not support this feature, you would need to hack it in
the plugin yourselves (patches welcome :-).

Generally, you should be able to set account expiration to
krbPrincipalExpiration attribute of the user account and it should just work.
You can also check few tickets we have already few tickets filed for better
handling of this attribute:

https://fedorahosted.org/freeipa/ticket/3062
[RFE] Allow admins to change expiration attribute for the accounts

https://fedorahosted.org/freeipa/ticket/3305
KrbPrincipalExpiration should be checked in pre-bind op

https://fedorahosted.org/freeipa/ticket/3306
[RFE] Expose the krbPrincipalExpiration attribute for editing in the IPA CLI /
WEBUI


Anyway, if you want a support for this particular plugin, you can file an RFE
to Trac/Bugzilla  which we will further process.

HTH,
Martin

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] Account Expiration

2013-01-28 Thread James James 
Hi, in 389-ds there is a nice plugin I love,  it's account policy. You can
set account expiration date and the account will be inactive at this day.

http://directory.fedoraproject.org/wiki/Account_Policy_Design#Detailed_Design_of_Account_Expiration

Is there a way to have this feature with freeipa ?

Regards.


James
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users