Re: [SSSD] [PATCH] Fix python HBAC bindings for python = 2.4

2011-07-12 Thread Alexander Bokovoy
, getter would always give out PyBool. Please split the patch into two -- compatibility fixes and API improvements. Thanks in advance, -- / Alexander Bokovoy ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman

Re: [SSSD] [PATCH] Fix python HBAC bindings for python = 2.4

2011-07-13 Thread Alexander Bokovoy
, my fault as I haven't mentioned it: str(true) == 'True' str(false) == 'False' so they should be acceptable as well. You have them explicitly denied in the unit tests. Do we have any particular reason not to allow them? This is a minor comment; other than that, patches look good! -- / Alexander

Re: [SSSD] [PATCH] Fix python HBAC bindings for python = 2.4

2011-07-13 Thread Alexander Bokovoy
On 13.07.2011 12:56, Jakub Hrozek wrote: On 07/13/2011 11:09 AM, Alexander Bokovoy wrote: Now, there is one concern -- admittedly, my fault as I haven't mentioned it: str(true) == 'True' str(false) == 'False' so they should be acceptable as well. You have them explicitly denied in the unit

Re: [SSSD] [PATCH] Coverity issues in python HBAC bindings

2011-07-26 Thread Alexander Bokovoy
was completely missing. ACK to both as well. -- / Alexander Bokovoy

Re: [SSSD] [PATCH] libipa_hbac: Support case-insensitive comparisons with UTF8

2011-07-28 Thread Alexander Bokovoy
a negative test of casefolding I to dotless i that is valid but only if we knew that the language was Turkish. ACK. -- / Alexander Bokovoy

Re: [SSSD] [PATCH] libipa_hbac: Support case-insensitive comparisons with UTF8

2011-07-28 Thread Alexander Bokovoy
On 28.07.2011 16:36, Alexander Bokovoy wrote: On 27.07.2011 23:32, Stephen Gallagher wrote: This patch adds a new build requirement on SSSD: libunistring. ACK. There is also need to update spec file. Ignore this comment, I missed update to spec somehow. -- / Alexander Bokovoy

Re: [SSSD] [PATCH] HBAC rule validation Python bindings

2011-08-01 Thread Alexander Bokovoy
ACK. -- / Alexander Bokovoy

Re: [SSSD] [PATCH] Prevent segfault if vetoed_shells are specified without allowed_shells

2011-08-08 Thread Alexander Bokovoy
On 08.08.2011 15:43, Jakub Hrozek wrote: On Mon, Aug 08, 2011 at 06:02:45AM -0400, Alexander Bokovoy wrote: Hi, seems OK but could you also add similar treatment for etc_shells? There are a few rare cases when out of memory situations could make nctx->etc_shells NULL. We handle OOM when

Re: [SSSD] [PATCH] Include the configuration file as a %ghost entry

2011-08-09 Thread Alexander Bokovoy
so it's maintained properly. Correct. ACK. -- / Alexander Bokovoy

Re: [SSSD] [PATCH] HBAC: Properly skip all non-group memberOf entries

2011-08-29 Thread Alexander Bokovoy
successful test. -- / Alexander Bokovoy

[SSSD] krb5.conf on IPA server and SSSD setup

2013-01-29 Thread Alexander Bokovoy
out of alpha-numeric space. I'd suggest replacing dots with underscores. File name is irrelevant to libkrb5 after it was read as part of includedir processing, and files are only written by the SSSD. -- / Alexander Bokovoy

Re: [SSSD] krb5.conf on IPA server and SSSD setup

2013-01-29 Thread Alexander Bokovoy
On Tue, 29 Jan 2013, Jakub Hrozek wrote: On Tue, Jan 29, 2013 at 10:50:02PM +0200, Alexander Bokovoy wrote: And here I'm coming to grave error in the SSSD code: the name of explicit mapping file contains non-filtered domain name, which contains dot. krb5.conf manual page states that includedir

Re: [SSSD] I heard you were in a need for a logo?

2013-05-03 Thread Alexander Bokovoy
Hi Tuomas, On Fri, 03 May 2013, Tuomas Kuosmanen wrote: I was being asked by Alexander Bokovoy to do a new logo to represent SSSD. I gave it some cycles. Here are two ideas that came to my mind, please let me know if you like them? http://www.tigert.com/designspace/sssd-logoideas.png

Re: [SSSD] [PATCHES] Add SID related lookups to the NSS responder - part 2

2013-05-03 Thread Alexander Bokovoy
, in the Russian version a group with RID 498, enterprise read-only domain controllers, is actually Контроллеры домена предприятия — только чтение. -- / Alexander Bokovoy

Re: [SSSD] [PATCHES] Add SID related lookups to the NSS responder - part 2

2013-05-03 Thread Alexander Bokovoy
On Fri, 03 May 2013, Jakub Hrozek wrote: On Fri, May 03, 2013 at 04:46:58PM +0300, Alexander Bokovoy wrote: On Thu, 02 May 2013, Sumit Bose wrote: On Thu, May 02, 2013 at 07:23:11PM +0200, Jakub Hrozek wrote: On Thu, May 02, 2013 at 04:07:57PM +0200, Sumit Bose wrote: Hi, this is the second

Re: [SSSD] Design Discussion: IPA Server Mode

2013-05-30 Thread Alexander Bokovoy
by winbindd, we cannot open a separate schannel as that would make the first one obsolete. So this means IPA would need to resort to fetching TDOs from Global Catalog, essentially re-creating work that SSSD is putting into 1.11. -- / Alexander Bokovoy

Re: [SSSD] [PATCH] add pysss.getgrouplist(username)

2013-07-19 Thread Alexander Bokovoy
On Fri, 19 Jul 2013, Lukas Slebodnik wrote: On (19/07/13 16:29), Alexander Bokovoy wrote: Hi! Apparently, getgrouplist(3) call is not available in Python older than Python 3.3. So I agreed with Jakub to have it bound to pysss Python module. We need this call to obtain list of groups trusted

Re: [SSSD] [PATCH] add pysss.getgrouplist(username)

2013-07-19 Thread Alexander Bokovoy
On Fri, 19 Jul 2013, Jakub Hrozek wrote: On Fri, Jul 19, 2013 at 04:29:37PM +0300, Alexander Bokovoy wrote: Hi! Apparently, getgrouplist(3) call is not available in Python older than Python 3.3. So I agreed with Jakub to have it bound to pysss Python module. We need this call to obtain list

Re: [SSSD] [PATCH] add pysss.getgrouplist(username)

2013-07-22 Thread Alexander Bokovoy
On Mon, 22 Jul 2013, Jakub Hrozek wrote: On Fri, Jul 19, 2013 at 07:15:34PM +0300, Alexander Bokovoy wrote: On Fri, 19 Jul 2013, Jakub Hrozek wrote: On Fri, Jul 19, 2013 at 04:29:37PM +0300, Alexander Bokovoy wrote: Hi! Apparently, getgrouplist(3) call is not available in Python older than

Re: [SSSD] [PATCH] LDAP: Use domain-specific name where appropriate

2013-07-23 Thread Alexander Bokovoy
...@ad.lan) ('administra...@ad.lan', 'group policy creator own...@ad.lan', 'enterprise adm...@ad.lan', 'domain adm...@ad.lan', 'schema adm...@ad.lan', 'denied rodc password replication gr...@ad.lan') -- / Alexander Bokovoy

Re: [SSSD] [PATCH] IPA server mode: properly initialize ext_groups

2013-10-16 Thread Alexander Bokovoy
this into released versions in Fedora 19 and Fedora 20 ASAP since this crash bug is important to fix before release and we are in Beta release now with F20? -- / Alexander Bokovoy

Re: [SSSD] automatic renewal of TGT for IPA users

2013-10-18 Thread Alexander Bokovoy
better... Read through sssd-krb5(5) manual page: krb5_renewable_lifetime krb5_renew_interval -- / Alexander Bokovoy

Re: [SSSD] home directory issue; oddjob_mkhomedir issue

2013-12-18 Thread Alexander Bokovoy
com.redhat.oddjob_mkhomedir was not provided by any .service files Could not chdir to home directory /home/foo.com/allowed_user: No such file or directory Any ideas? systemctl enable oddjobd Nobody enables the service. -- / Alexander Bokovoy

[SSSD] [PATCH] Fix FAST authentication for FreeIPA two-factor authentication case

2013-12-24 Thread Alexander Bokovoy
. It avoids looking into anything but SSS_PAM_ENV_ITEM message. -- / Alexander Bokovoy From 0aaea4153403d94ad2ff074b3b00a8b919900301 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy a...@samba.org Date: Tue, 24 Dec 2013 13:01:46 +0200 Subject: [PATCH] FAST: when parsing krb5_child response, make sure

[SSSD] [PATCH] use proper Kerberos CFLAGS

2014-02-05 Thread Alexander Bokovoy
Hi, thanks to Alexey Shabalin (ALT Linux Team), following patch makes sure SSSD will compile against MIT Kerberos with headers installed in a subdirectory of /usr/include (/usr/include/krb5 in ALT Linux). Please apply. -- / Alexander Bokovoy From 09893453dadca3488185142b6fef0df455fdbe69 Mon

Re: [SSSD] [PATCH] use proper Kerberos CFLAGS

2014-02-05 Thread Alexander Bokovoy
On Wed, 05 Feb 2014, Lukas Slebodnik wrote: On (05/02/14 15:31), Alexander Bokovoy wrote: Hi, thanks to Alexey Shabalin (ALT Linux Team), following patch makes sure SSSD will compile against MIT Kerberos with headers installed in a subdirectory of /usr/include (/usr/include/krb5 in ALT Linux

Re: [SSSD] [PATCH] pam_sss: add ignore_unknown_user option

2014-02-12 Thread Alexander Bokovoy
as required for the PAM account facility (to enforce HBAC rules) but still allow local users to log in. jhrozek suggested posting the patch here for review, so thanks in advance for looking it over! No patch was attached to your email, could you please send it again? -- / Alexander Bokovoy

Re: [SSSD] [PATCH] IPA: Default to krb5_use_fast=try

2014-02-13 Thread Alexander Bokovoy
is attached. ACK. Works fine for me. I've built a repo to test all of the two-factor feature: http://copr.fedoraproject.org/coprs/abbra/freeipa-otp-unstable/ -- / Alexander Bokovoy

Re: [SSSD] [PATCH] IPA: default krb5_fast_principal to host/$client@$realm

2014-02-17 Thread Alexander Bokovoy
(ipa_opts-auth, + KRB5_REALM)); if (value == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, Cannot set %s!\n, ipa_opts-auth[KRB5_FAST_PRINCIPAL].opt_name); ACK. -- / Alexander Bokovoy

Re: [SSSD] [PATCH] KRB5: Do not attempt to get a TGT after a password change using OTP

2014-03-23 Thread Alexander Bokovoy
not work in WebUI... -- / Alexander Bokovoy

Re: [SSSD] [PATCH] KRB5: Do not attempt to get a TGT after a password change using OTP

2014-03-23 Thread Alexander Bokovoy
On Sun, 23 Mar 2014, Alexander Bokovoy wrote: On Sat, 22 Mar 2014, Jakub Hrozek wrote: On Fri, 2014-03-21 at 16:00 +0100, Jakub Hrozek wrote: On Tue, Mar 18, 2014 at 08:09:45PM +0100, Jakub Hrozek wrote: On Tue, Mar 18, 2014 at 06:20:41PM +0100, Jakub Hrozek wrote: On Tue, Mar 18, 2014

Re: [SSSD] having trouble linking with libsamba-security (but only sometimes)

2014-04-04 Thread Alexander Bokovoy
Samba too. Not sure it is worth creating a separate library since it would still depend on a struct dom_sid from samba. -- / Alexander Bokovoy

Re: [SSSD] [PATCHES] IPA: SID works for homedir

2014-05-21 Thread Alexander Bokovoy
, ret, sss_strerror(ret)); goto done; } -if (res res-count == 0) { +if ((res res-count == 0) || (msg msg-num_elements == 0)) { ret = ENOENT; goto done; } -- 1.8.5.3 -- / Alexander Bokovoy

Re: [SSSD] [PATCHES] IPA: SID works for homedir

2014-05-21 Thread Alexander Bokovoy
On Tue, 20 May 2014, Jakub Hrozek wrote: On Tue, May 13, 2014 at 02:25:49PM +0300, Alexander Bokovoy wrote: On Tue, 13 May 2014, Pavel Reichl wrote: Hello, Alexander has prepared attached patches, but he was not able to post them himself as he is currently having bad connection. Note that you

Re: [SSSD] sssdpac_verify() treats krb5_pac_verify() error as fatal - mspac_verify() does not

2014-08-04 Thread Alexander Bokovoy
you change the if (kerr != 0) { return EINVAL; } to if (kerr != 0) { return 0; } here? Unfortunately, since tracing code is not available outside internals of libkrb5, we cannot inject TRACE_MSPAC_VERIFY_FAIL(kcontext, kerr); here. -- / Alexander Bokovoy

Re: [SSSD] [PATCHES] Implement MIT Kerberos localauth plugin

2014-08-12 Thread Alexander Bokovoy
with a structured list. -- / Alexander Bokovoy

Re: [SSSD] [PATCHES] Implement MIT Kerberos localauth plugin

2014-08-12 Thread Alexander Bokovoy
, we should allow another plugin or auth_to_local rule to apply. -- / Alexander Bokovoy

Re: [SSSD] [PATCHES] Implement MIT Kerberos localauth plugin

2014-08-12 Thread Alexander Bokovoy
On Tue, 12 Aug 2014, Jakub Hrozek wrote: On Tue, Aug 12, 2014 at 03:30:02PM +0300, Alexander Bokovoy wrote: On Mon, 28 Jul 2014, Simo Sorce wrote: On Tue, 2014-07-22 at 14:55 +0200, Sumit Bose wrote: Hi, these two patches implement the MIT Kerberos localauth plugin for SSSD. Since it uses

Re: [SSSD] [BUG] SUDO: SSSD doesn't apply case-sensitive=False to ldap sudo rules

2014-09-19 Thread Alexander Bokovoy
-- / Alexander Bokovoy

Re: [SSSD] [PATCH] UTIL: Always write capath

2014-10-15 Thread Alexander Bokovoy
this. ACK. This is required for transitive forest trusts and also required for being a member in AD forest. There is no exact requirement to always have hierarchical realm relationships. -- / Alexander Bokovoy

Re: [SSSD] [PATCH] IPA: use ipaUserGroup object class for groups

2014-10-31 Thread Alexander Bokovoy
: 1740bb50-6105-11e4-8e75-545200f9718b -- / Alexander Bokovoy

Re: [SSSD] memory cache for initgroups

2014-11-07 Thread Alexander Bokovoy
can also add a third one, like I proposed above -- to allow a per-RPC flag that gives a hint from client to the server about use of cached gids in case the server.manage-gids option is set on the server side. -- / Alexander Bokovoy

Re: [SSSD] Problems with SSSD RPM subpackage ordering

2014-11-12 Thread Alexander Bokovoy
: Applications/System License: GPLv3+ Conflicts: sssd %{version}-%{release} Requires: cyrus-sasl-gssapi PreReq: sssd-common = %{version}-%{release} -- / Alexander Bokovoy

Re: [SSSD] Design discussion - Changes required to support one-way trusts

2015-04-27 Thread Alexander Bokovoy
/DesignDocs/OneWayTrusts?action=diffversion=9old_version=8 I'll do one more change after we agree on how should we protect against loops in fetching keytabs (flag vs. check keytab contents). I think the design is sensible. -- / Alexander Bokovoy

Re: [SSSD] Design discussion - Changes required to support one-way trusts

2015-04-27 Thread Alexander Bokovoy
On Mon, 27 Apr 2015, Simo Sorce wrote: On Mon, 2015-04-27 at 15:04 +0300, Alexander Bokovoy wrote: On Mon, 27 Apr 2015, Jakub Hrozek wrote: On Sun, Apr 26, 2015 at 06:17:21PM -0400, Simo Sorce wrote: Very nice writeup! A few comments.. On Sun, 2015-04-26 at 21:22 +0200, Jakub Hrozek wrote

Re: [SSSD] Design discussion - Changes required to support one-way trusts

2015-04-28 Thread Alexander Bokovoy
(keys are compared) and there is an explicit note that krb5 calls don't hurt because the keytab is owned by the sssd user already. I'll file the per-task tickets now. ACK. Do you need FreeIPA tickets too? Just file them as well. -- / Alexander Bokovoy

Re: [SSSD] Should we have a github r/o mirror for SSSD?

2015-06-22 Thread Alexander Bokovoy
', that emails pull request to a specified list. -- / Alexander Bokovoy

Re: [SSSD] [PATCHES] KDC proxy related fixes

2015-08-04 Thread Alexander Bokovoy
, sss_krb5_realm_has_proxy() should be called with the matching option. sss_krb5_realm_has_proxy() looks good to me. IMHO it's fine to just check kdc for https for now. I agree. I would start with this patchset and then improve on it sequentially. -- / Alexander Bokovoy

Re: [SSSD] [PATCH] IPA: Handle sssd-owned keytabs when running as root

2015-07-27 Thread Alexander Bokovoy
with two additional trivial patches that make the debug messages a bit less noisy and useful. Sorry for the spam, but one of the debug messages had a wrong level. ACK for all three patches. -- / Alexander Bokovoy

Re: [SSSD] Code style -- for loop iterative variables initial declaration

2015-08-29 Thread Alexander Bokovoy
identifiers it declares is the remainder of the declaration and the entire loop, including the other two expressions (6.8.5.3 of C11 standard, C99 had similar sentence). -- / Alexander Bokovoy

[SSSD] Slow email responses this week from FreeIPA/SSSD teams at Red Hat

2015-09-08 Thread Alexander Bokovoy
announcement of FreeIPA 4.2.1 release. -- / Alexander Bokovoy

Re: [SSSD] [PATCH] MAN: proxy and krb5 are valid access control modules

2015-09-30 Thread Alexander Bokovoy
On Wed, 30 Sep 2015, Jakub Hrozek wrote: Hi, while documenting the security options I realized man sssd.conf doesn't include the krb5 and proxy access control modules. I hope I worded the sentence about krb5 correctly. ACK -- / Alexander Bokovoy

Re: [SSSD] [PATCH] MAN: Clarify pam_trusted_users option description

2015-09-30 Thread Alexander Bokovoy
On Wed, 30 Sep 2015, Jakub Hrozek wrote: Hi, while working on the hardening wiki page, I realized the pam_trusted_users option can be improved. Please see the attached patch. ACK, this is much better explanation than it was before. -- / Alexander Bokovoy

[SSSD] Re: [PATCH] libwbclient: wbcSidsToUnixIds() don't fail on errors

2016-06-05 Thread Alexander Bokovoy
+type = SSS_ID_TYPE_NOT_SPECIFIED; +} } switch (type) { With this change 'type' variable will become undefined if wbcSidToString() failed. Perhaps, it could be set to 'type = SSS_ID_TYPE_NOT_SPECIFIED;' at the beginning of the for() loop? -

[SSSD] Re: [PATCH] libwbclient: wbcSidsToUnixIds() don't fail on errors

2016-06-06 Thread Alexander Bokovoy
On Mon, 06 Jun 2016, Sumit Bose wrote: On Sun, Jun 05, 2016 at 10:36:51PM +0300, Alexander Bokovoy wrote: On Fri, 03 Jun 2016, Sumit Bose wrote: > Hi, > > this patch fixes an issue in SSSD's implementation of libwbclient. > wbcSidsToUnixIds() translates a list of SID

[SSSD] Re: [PATCH] PAM: Notify user of denial due to AD account lockout

2016-02-10 Thread Alexander Bokovoy
On Wed, 10 Feb 2016, Pavel Reichl wrote: On 02/10/2016 11:46 AM, Alexander Bokovoy wrote: On Wed, 10 Feb 2016, Pavel Reichl wrote: On 02/10/2016 11:06 AM, Alexander Bokovoy wrote: On Wed, 10 Feb 2016, Pavel Reichl wrote: since getting those values requires to parse the string it would

[SSSD] Re: [PATCH] PAM: Notify user of denial due to AD account lockout

2016-02-10 Thread Alexander Bokovoy
On Wed, 10 Feb 2016, Sumit Bose wrote: On Wed, Feb 10, 2016 at 10:45:39AM +0200, Alexander Bokovoy wrote: On Wed, 10 Feb 2016, Alexander Bokovoy wrote: >On Mon, 08 Feb 2016, Sumit Bose wrote: >>On Mon, Feb 08, 2016 at 10:34:16AM +0100, Pavel Reichl wrote: >>> >>>

[SSSD] Re: [PATCH] PAM: Notify user of denial due to AD account lockout

2016-02-09 Thread Alexander Bokovoy
essage format? And if yes, is sending an email to doch...@microsoft.com sufficient or is there a more elaborate process? I'll check with Edgar on why this piece is still missing from MS-ADTS five years after. ;) -- / Alexander Bokovoy

[SSSD] Re: [PATCH] PAM: Notify user of denial due to AD account lockout

2016-02-10 Thread Alexander Bokovoy
text error, data 775, v23f0 As I said, you should not rely on the information being available to you as it might be disabled completely by the AD administrators in ndsHeuristics attribute. What are you going to do when ulHideDSID flag is set to 1? -- / Alexand

[SSSD] Re: [PATCH] PAM: Notify user of denial due to AD account lockout

2016-02-10 Thread Alexander Bokovoy
On Wed, 10 Feb 2016, Pavel Reichl wrote: On 02/10/2016 11:06 AM, Alexander Bokovoy wrote: On Wed, 10 Feb 2016, Pavel Reichl wrote: since getting those values requires to parse the string it would be nice to get some official details about the string. Well, the string content after DSID

[SSSD] Re: [PATCH] PAM: Notify user of denial due to AD account lockout

2016-02-10 Thread Alexander Bokovoy
On Wed, 10 Feb 2016, Sumit Bose wrote: On Wed, Feb 10, 2016 at 11:38:34AM +0200, Alexander Bokovoy wrote: On Wed, 10 Feb 2016, Sumit Bose wrote: >On Wed, Feb 10, 2016 at 10:45:39AM +0200, Alexander Bokovoy wrote: >>On Wed, 10 Feb 2016, Alexander Bokovoy wrote: >>>On Mon, 08 Fe

[SSSD] Re: [PATCH] PAM: Notify user of denial due to AD account lockout

2016-02-10 Thread Alexander Bokovoy
On Wed, 10 Feb 2016, Alexander Bokovoy wrote: On Mon, 08 Feb 2016, Sumit Bose wrote: On Mon, Feb 08, 2016 at 10:34:16AM +0100, Pavel Reichl wrote: On 02/05/2016 03:16 PM, Lukas Slebodnik wrote: The ticket is about "SSSD should be about to display message to the user when the ac

[SSSD] Re: [PATCH] PAM: Notify user of denial due to AD account lockout

2016-02-11 Thread Alexander Bokovoy
- Original Message - > > > On 02/10/2016 02:34 PM, Alexander Bokovoy wrote: > > On Wed, 10 Feb 2016, Pavel Reichl wrote: > >> > >> > >> On 02/10/2016 11:46 AM, Alexander Bokovoy wrote: > >>> On Wed, 10 Feb 2016, Pavel Reichl wrote:

[SSSD] Re: [PATCH] SPEC: Fix conflict with polkit

2016-01-26 Thread Alexander Bokovoy
d if you want to do Smartcard authentication and SSSD is not running as root. Then I would suggest putting these files into a sub-package and making that sub-package depend on polkit. Current situation is definitely a blocker as almost all interactive installs of Fedora have polkit whether via

[SSSD] Re: [PATCH] SPEC: Fix conflict with polkit

2016-02-01 Thread Alexander Bokovoy
On Thu, 28 Jan 2016, Lukas Slebodnik wrote: On (26/01/16 11:10), Alexander Bokovoy wrote: On Tue, 26 Jan 2016, Lukas Slebodnik wrote: On (26/01/16 10:44), Alexander Bokovoy wrote: On Tue, 26 Jan 2016, Sumit Bose wrote: On Tue, Jan 26, 2016 at 09:09:06AM +0100, Lukas Slebodnik wrote: On (25

[SSSD] Re: Configuring tlog from SSSD

2016-02-01 Thread Alexander Bokovoy
a webservice users and groups will have stored in LDAP just a name of profile/configuration. So sssd would provide names of profile instead of complicated structured configuration in text (json, yaml, xml ...) As I mentioned earlier such approach was discussed with GNOME team and integration with

[SSSD] Re: SPEC: Fix packaging of libsss_simpleifp

2016-02-02 Thread Alexander Bokovoy
-- / Alexander Bokovoy

[SSSD] Re: [PATCH] SPEC: Remove unnecessary clean-up of buildroot

2016-02-02 Thread Alexander Bokovoy
: https://fedoraproject.org/wiki/EPEL:Packaging#Prepping_BuildRoot_For_.25install ACK. -- / Alexander Bokovoy

[SSSD] Re: [PATCH] SPEC: Fix conflict with polkit

2016-01-26 Thread Alexander Bokovoy
On Tue, 26 Jan 2016, Lukas Slebodnik wrote: On (26/01/16 10:44), Alexander Bokovoy wrote: On Tue, 26 Jan 2016, Sumit Bose wrote: On Tue, Jan 26, 2016 at 09:09:06AM +0100, Lukas Slebodnik wrote: On (25/01/16 18:40), Sumit Bose wrote: On Mon, Jan 25, 2016 at 06:24:54PM +0100, Lukas Slebodnik

[SSSD] Re: [PATCH] gpo: gPCMachineExtensionNames with just whitespaces

2016-08-10 Thread Alexander Bokovoy
ntation though. LS -- / Alexander Bokovoy

[SSSD] Re: [PATCH] GPO: Cat vals with same key from different GPOs

2016-09-01 Thread Alexander Bokovoy
a GPO that has a smaller link order associated with an SOM has higher GPO precedence than a GPO that has a higher link order associated with the same SOM. Non-enforced ones are sorted by the scope. See MS-GPOL 2.2.2 (last note), 3.2.1.4, and 3.2.5.2 -- / Alexander Bokovoy __

[SSSD] Re: [Freeipa-devel] [RFC] Matching and Mapping Certificates

2016-10-07 Thread Alexander Bokovoy
ariant to handle more complex DN mapping use cases, e.g. where there are multiple occurrences of a single attribute type, a particular fixed RDN must be matched, etc. w.r.t. SAN mapping, I concur that search/replace is probably not needed. How all these syntax extensions are going t

[SSSD] Re: Design discussion: Fleet Commander integration

2016-11-29 Thread Alexander Bokovoy
ke it asks for a 'desktop profile global settings' kind of object... What else could be defined in such an object? -- / Alexander Bokovoy

[SSSD] Re: AD Trust code question - s2n exop parsing of double-qualified name

2017-04-18 Thread Alexander Bokovoy
lient side, make sure to use strrchr() to search '@' from the end of the string. This way you can handle multiple '@' in a string as only the last one will be a real separator. -- / Alexander Bokovoy

[SSSD] Re: AD Trust code question - s2n exop parsing of double-qualified name

2017-04-18 Thread Alexander Bokovoy
On Tue, 18 Apr 2017, Jakub Hrozek wrote: On Tue, Apr 18, 2017 at 08:52:50PM +0300, Alexander Bokovoy wrote: On Tue, 18 Apr 2017, Justin Stephenson wrote: > Hello, > > I was working on a fix for BZ # 1433835(IPA clients fails to retrieve > groups with @-sign in the group name

[SSSD] Re: [Freeipa-devel] [RFC] Smartcard authentication with PKINIT and local authentication

2017-03-10 Thread Alexander Bokovoy
to define it as a part of a certificate matching rule, would we be able to deny using a matching certificate for local authentication in case only PKINIT is allowed? -- / Alexander Bokovoy

[SSSD] Re: [Freeipa-devel] [RFC] Smartcard authentication with PKINIT and local authentication

2017-03-10 Thread Alexander Bokovoy
On Fri, 10 Mar 2017, Sumit Bose wrote: On Fri, Mar 10, 2017 at 01:39:27PM +0200, Alexander Bokovoy wrote: On Fri, 10 Mar 2017, Sumit Bose wrote: > On Fri, Mar 10, 2017 at 11:58:25AM +0200, Alexander Bokovoy wrote: > > On Fri, 10 Mar 2017, Sumit Bose wrote:

[SSSD] Re: [Freeipa-devel] [RFC] Smartcard authentication with PKINIT and local authentication

2017-03-10 Thread Alexander Bokovoy
On Fri, 10 Mar 2017, Sumit Bose wrote: On Fri, Mar 10, 2017 at 11:58:25AM +0200, Alexander Bokovoy wrote: On Fri, 10 Mar 2017, Sumit Bose wrote: > Hi, > > with the recent addition of PKINIT support there is now a second method > available to Smartcard authentication b

[SSSD] Re: sssd crash on RHEL 7.3

2017-07-14 Thread Alexander Bokovoy
-- / Alexander Bokovoy

[SSSD] Re: sssd crash on RHEL 7.3

2017-07-15 Thread Alexander Bokovoy
RHEL's sssd a bit). If you want to keep being close to RHEL code base, just use RHEL sssd source rpm for rebuild. CentOS package repo is a handy way to see that: https://git.centos.org/summary/?r=rpms/sssd, I think CentOS has no patches of its own to SSSD. -- / Alexander Bokovoy

[SSSD] Re: Evaluating HBAC rules for other hosts

2017-06-28 Thread Alexander Bokovoy
e an inherent issue. Yep. I guess the whole story is about extending SSSD cache handling to support storing multiple hosts' HBAC rules details. -- / Alexander Bokovoy

[SSSD] Re: Evaluating HBAC rules for other hosts

2017-06-28 Thread Alexander Bokovoy
On Wed, 28 Jun 2017, Howard Johnson wrote: Cheers for the feedback. On 2017-06-28 12:14, Alexander Bokovoy wrote: We are going to introduce a special type of groups where membership reading would be limited to some conditions but this would not be relevant to HBAC, at least from my current

[SSSD] Re: Rhost verification functionality

2017-04-29 Thread Alexander Bokovoy
to have HBAC rule checking as a separate access provider that either uses the same schema as FreeIPA does or supports a subset of it. This way you'd use existing SSSD infrastructure and would only need to write code to pull LDAP representation of HBAC rules. -- / Alexander Bokovoy

[SSSD] Re: Rhost verification functionality

2017-04-30 Thread Alexander Bokovoy
On Sun, 30 Apr 2017, Alexey Kamenskiy wrote: Thank you for your comment, please see below: On Sun, Apr 30, 2017 at 3:51 AM, Alexander Bokovoy <aboko...@redhat.com> wrote: In FreeIPA HBAC rules we used to support source host access control. However, it was disabled and deprecated. Whil

[SSSD] Re: Rhost verification functionality

2017-05-02 Thread Alexander Bokovoy
impossible to keep information about the access control rules private. Sure, this is not a single step attack but nothing is so easy either these days. -- / Alexander Bokovoy

[SSSD] Call for Participation: Identity and Access Management devroom @ FOSDEM 2018

2017-10-09 Thread Alexander Bokovoy
proposals will be reviewed by a steering committee: - Alexander Bokovoy (Samba Team, FreeIPA // Red Hat Inc.) - Marcus Rückert (OpenSUSE Infrastructure // SUSE LINUX GmbH) - Jakub Hrozek (SSSD // Red Hat Inc.) - Timo Aaltonen (Debian, Ubuntu // Canonical) Use the FOSDEM 'pentabarf' tool

[SSSD] Re: Design document: Enhanced NSS API

2017-11-02 Thread Alexander Bokovoy
isuse in a similar way as the negative cache. But if you prefer I'll drop it. I do not know that you can easily change it later, and I would rather use file permissions than explicit checks, that would mean exposing a "privileged" socket that only users that are part of a group of "trusted" service can access, and this is clearly a lot more work, which I am not advocating. I am really torn on the need for this, it will make using this feature really cumbersome as you have to explicitly modify a configuration file and list specific users (groups ?), and this is to balance against a vague chance of a user causing a local DoS/slowdown but not a lot more. To me it sounds like a very big hammer for a very small fly. Right now the only user for this is dirsrv on IPA masters. If you throttle dirsrv plugins, you are denying SSSD clients from IPA clients from getting actual results. Throttling, thus, would be a wrong measure here. -- / Alexander Bokovoy

[SSSD] Re: sssd crash on RHEL 7.3

2017-11-02 Thread Alexander Bokovoy
-021117223937311.lab.com systemd[1]: Failed to start System Security Services Daemon. -- / Alexander Bokovoy

[SSSD] Re: sssd crash on RHEL 7.3

2017-11-03 Thread Alexander Bokovoy
On Fri, 03 Nov 2017, Lukas Slebodnik wrote: On (03/11/17 07:55), Alexander Bokovoy wrote: On Fri, 03 Nov 2017, smfre...@gmail.com wrote: I am expecting that RHEL7.5 still has problems with Samba and SSSD library problems e.g. I see this comment indicating that RHEL 7.5 beta sssd (even

[SSSD] Re: Call for Participation: Identity and Access Management devroom @ FOSDEM 2018

2017-12-11 Thread Alexander Bokovoy
on free software is very important. Even if your talk wasn't chosen, I hope to see you and everyone else in Brussels at FOSDEM 2018! On Mon, 09 Oct 2017, Alexander Bokovoy via samba-technical wrote: > Welcome to Identity and Access Management developer room at FOSDEM 2018 > (Brussels, B

[SSSD] Re: Design document: Enhanced NSS API

2017-10-30 Thread Alexander Bokovoy
SSSD and plugins in 389-ds for trust to AD feature in freeIPA few years ago. We decided against using D-Bus API that time, too fragile to implement. Current API proposal is direct evolution of existing code, to avoid breaking things up. -- / Alexander Bokovoy

[SSSD] Re: fleet commander integration

2019-02-07 Thread Alexander Bokovoy
t 0700 for dirs, 0400 for profiles, owner root/sssd_user for all subpaths? Could you please explain? Thank you in advance! Fabiano, do you remember? I think the original idea was that org.freedesktop.FleetCommanderClient runs the settings merge process under actual user. That might have b

[SSSD] Re: Cloud Kerberos

2024-02-14 Thread Alexander Bokovoy
added an FAQ on some details for Kerberos part in Entra ID here: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-passwordless-faqs Have you already got to handle that TGT in a ccache that can be used by a system Kerberos library? -- / Alexander Bokovoy Sr

[SSSD] Re: Cloud Kerberos

2024-02-13 Thread Alexander Bokovoy
environments. The "Cloud" Kerberos thing you see in Entra ID is part of it, so 'yes' for plans but no specific timeline is there at the moment. -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limite

[SSSD] Re: Cloud Kerberos

2024-02-13 Thread Alexander Bokovoy
, discovering all that information is crucial. What is your interest in all this? Are you willing to help with the development effort around OAuth2 authentication and identity management? -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited

[SSSD] Re: Cloud Kerberos

2024-02-16 Thread Alexander Bokovoy
that right now. OK. Let us know when you are able to. ;) -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland

[SSSD] Re: Client Support for Trusts

2024-02-27 Thread Alexander Bokovoy
such a request to a domain controller. Hence, any topology where a communication can only be done via use of DCE RPC calls will not work. Use winbindd for that. -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland