Petr Viktorin wrote:
On 02/28/2014 12:41 PM, Martin Kosek wrote:
On 02/28/2014 10:47 AM, Petr Viktorin wrote:
On 02/27/2014 10:18 PM, Rob Crittenden wrote:
Rob Crittenden wrote:
[...]
Ok, so try to summarize this long-running thread, I'll rename the
subpackage to freeipa-server-foreman-smartproxy to make it clearer
what
it is/does. Right now it requires manual configuration so having the
package installed should have no negative impacts (other than
potentially pulling in additional dependencies).
I'll leave it in smartproxy for now, it's just cleaner and better
integrates with ipatests IMHO.
Foreman supports SSL client auth which is great, by cherrypy does not
yet. There is a pull request to add this,
https://bitbucket.org/cherrypy/cherrypy/pull-request/15/added-support-for-client-certificate/activity
. Foreman otherwise supports no other authentication method, so we're
blocked with this. The certs for this would initially come out of
Foreman/puppet.
I'll submit a new patch with an updated spec but I think otherwise
I've
addressed the isuses Petr has raised. This thread has taken a lot of
turns so it is very possible I missed something though :-)
Updated patch based on feedback from Foreman team. I added a new URI,
/features, which Foreman uses to determine what capabilities a proxy
has.
rob
My review is blocked because 389-ds doesn't install on Rawhide due to
https://fedorahosted.org/389/ticket/47700
Noriko, do you know of a Rawhide build that includes your fix?
Guys, if this patch still makes our master branch incompatible with
F20, then
it is a NACK from me. All developers run on F20, our CI runs on F20
and I do
not think we can afford loosing that and forcing everyone to
permanently switch
to rawhide - it is too unstable.
IMO the Requires and BuildRequires most be set so that RPMs are
buildable and
installable on F20. The only acceptable exception is when only
freeipa-server-foreman-smartprox cannot be installed on F20, but
otherwise
everything else need to work.
Thanks,
Martin
Okay, it's not a BuildRequires; IPA doesn't build because of a lint
failure: ipalib/util.py - Module 'kerberos' has no
'authGSSClientInquireCred' member
I guess the new get_current_principal needs to be kept out of ipalib
until we move to f21. Until then we can have a lint exception; after
then we need to remove it, and add BuildRequires so lint passes.
The other option is to locally rebuild python-kerberos from rawhide in
F-20. Simo was a bit reluctant to put it into F-20 with the patch I
added for authenticate_gss_client_inquire_cred(). We can also work on
convincing him it is low risk.
rob
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel