[Freeipa-devel] [freeipa PR#633][opened] Support 8192-bit RSA keys in default cert profile
URL: https://github.com/freeipa/freeipa/pull/633 Author: frasertweedale Title: #633: Support 8192-bit RSA keys in default cert profile Action: opened PR body: """ Update the caIPAserviceCert profile to accept 8192-bit RSA keys. Affects new installs only, because there is not yet a facility to update included profiles. Fixes: https://pagure.io/freeipa/issue/6319 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/633/head:pr633 git checkout pr633 From 7fdab4eda952daff8e31874497eaac2aaf6976b8 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 22 Mar 2017 15:06:16 +1100 Subject: [PATCH] Support 8192-bit RSA keys in default cert profile Update the caIPAserviceCert profile to accept 8192-bit RSA keys. Affects new installs only, because there is not yet a facility to update included profiles. Fixes: https://pagure.io/freeipa/issue/6319 --- install/share/profiles/caIPAserviceCert.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/share/profiles/caIPAserviceCert.cfg b/install/share/profiles/caIPAserviceCert.cfg index 6c5102f..1efd206 100644 --- a/install/share/profiles/caIPAserviceCert.cfg +++ b/install/share/profiles/caIPAserviceCert.cfg 
@@ -32,7 +32,7 @@ policyset.serverCertSet.2.default.params.startTime=0 policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl policyset.serverCertSet.3.constraint.name=Key Constraint policyset.serverCertSet.3.constraint.params.keyType=RSA -policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 +policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,8192 policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl policyset.serverCertSet.3.default.name=Key Default policyset.serverCertSet.4.constraint.class_id=noConstraintImpl -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
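Review bot: the updated keyParameters line still lists 1024 next to the new 8192, so the default caIPAserviceCert profile keeps accepting 1024-bit RSA keys; if that size is kept only for compatibility, say so in the commit message or open a follow-up to drop it. The commit message also states that only new installs are affected, so the fix for issue 6319 should document that existing deployments keep the old list until the profile is updated by hand.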
[Freeipa-devel] [freeipa PR#632][opened] ipa-sam: create the gidNumber attribute in the trusted domain entry
URL: https://github.com/freeipa/freeipa/pull/632
Author: flo-renaud
Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry
Action: opened

PR body:
"""
When a trusted domain entry is created, the uidNumber attribute is created but not the gidNumber attribute. This causes samba to log Failed to find a Unix account for DOM-AD$ because the samu structure does not contain a group_sid and is not put in the cache.

The fix creates the gidNumber attribute in the trusted domain entry, and initialises the group_sid field in the samu structure returned by ldapsam_getsampwnam. This ensures that the entry is put in the cache.

Note that this is only a partial fix for 6660 as it does not prevent _netr_ServerAuthenticate3 from failing with the log _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client VM-AD machine account dom-ad.example.com.

https://pagure.io/freeipa/issue/6660
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/632/head:pr632
git checkout pr632

From 4e431ebfcf7a3a03a0a9e30db5db9106c349bdc0 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud Date: Tue, 21 Mar 2017 17:33:20 +0100 Subject: [PATCH] ipa-sam: create the gidNumber attribute in the trusted domain entry When a trusted domain entry is created, the uidNumber attribute is created but not the gidNumber attribute. This causes samba to log Failed to find a Unix account for DOM-AD$ because the samu structure does not contain a group_sid and is not put in the cache. The fix creates the gidNumber attribute in the trusted domain entry, and initialises the group_sid field in the samu structure returned by ldapsam_getsampwnam. This ensures that the entry is put in the cache. Note that this is only a partial fix for 6660 as it does not prevent _netr_ServerAuthenticate3 from failing with the log _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client VM-AD machine account dom-ad.example.com. https://pagure.io/freeipa/issue/6660 --- daemons/ipa-sam/ipa_sam.c | 26 ++ 1 file changed, 26 insertions(+) diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c index 4c1fda5..c483ee4 100644 --- a/daemons/ipa-sam/ipa_sam.c +++ b/daemons/ipa-sam/ipa_sam.c @@ -2419,6 +2419,8 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods, if (entry == NULL || sid == NULL) { smbldap_make_mod(priv2ld(ldap_state), entry, &mods, LDAP_ATTRIBUTE_UIDNUMBER, IPA_MAGIC_ID_STR); + smbldap_make_mod(priv2ld(ldap_state), entry, &mods, + LDAP_ATTRIBUTE_GIDNUMBER, IPA_MAGIC_ID_STR); } if (td->netbios_name != NULL) { 
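Review bot: the gidNumber mod in ipasam_set_trusted_domain is added only inside the `if (entry == NULL || sid == NULL)` branch, next to uidNumber, so trusted domain entries created before this change do not get the attribute from this code path. If ipasam_get_primary_group_sid, which init_sam_from_td calls later in this patch, relies on gidNumber being present on the entry, those older entries would make init_sam_from_td return false; please confirm this case or add an upgrade step that backfills gidNumber.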
@@ -2823,12 +2825,18 @@ static uint32_t pdb_ipasam_capabilities(struct pdb_methods *methods) return PDB_CAP_STORE_RIDS | PDB_CAP_ADS | PDB_CAP_TRUSTED_DOMAINS_EX; } +static int ipasam_get_primary_group_sid(TALLOC_CTX *mem_ctx, +struct ldapsam_privates *ldap_state, +LDAPMessage *entry, +struct dom_sid **_group_sid); + static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td, LDAPMessage *entry, struct ldapsam_privates *ldap_state) { NTSTATUS status; struct dom_sid *u_sid; + struct dom_sid *g_sid; char *name; char *trustpw = NULL; char *trustpw_utf8 = NULL; @@ -2839,6 +2847,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td, bool res; char *sid_str; enum idmap_error_code err; + TALLOC_CTX *tmp_ctx; if (!pdb_set_acct_ctrl(user, ACB_DOMTRUST | ACB_TRUSTED_FOR_DELEGATION, PDB_SET)) { @@ -2884,6 +2893,23 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td, } talloc_free(u_sid); + tmp_ctx= talloc_init("init_sam_from_td"); + if (!tmp_ctx) { + return false; + } + + if (ipasam_get_primary_group_sid(tmp_ctx, ldap_state, entry, &g_sid) + != 0) { + talloc_free(tmp_ctx); + return false; + } + + if (!pdb_set_group_sid(user, g_sid, PDB_SET)) { + talloc_free(tmp_ctx); + return false; + } + talloc_free(tmp_ctx); + status = get_trust_pwd(user, &td->trust_auth_incoming, &trustpw, NULL); if (!NT_STATUS_IS_OK(status)) { return false; -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
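Review bot: in the last hunk of init_sam_from_td, the three new failure paths (talloc_init returning NULL, ipasam_get_primary_group_sid returning non-zero, pdb_set_group_sid failing) all return false without a log message, which will make a failed lookup hard to diagnose from the samba log; log the reason before each return. The repeated talloc_free(tmp_ctx) calls could be folded into a single cleanup path, and `tmp_ctx= talloc_init(...)` is missing a space before `=`.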
[Freeipa-devel] [freeipa PR#626][comment] Move helper code for integration plugin
URL: https://github.com/freeipa/freeipa/pull/626
Title: #626: Move helper code for integration plugin

apophys commented:
"""
Thanks for the update
"""

See the full comment at https://github.com/freeipa/freeipa/pull/626#issuecomment-288140640
[Freeipa-devel] [freeipa PR#626][+ack] Move helper code for integration plugin
URL: https://github.com/freeipa/freeipa/pull/626
Title: #626: Move helper code for integration plugin
Label: +ack
[Freeipa-devel] [freeipa PR#631][opened] Upgrade: configure PKINIT after adding anonymous principal
URL: https://github.com/freeipa/freeipa/pull/631 Author: martbab Title: #631: Upgrade: configure PKINIT after adding anonymous principal Action: opened PR body: """ In order to set up PKINIT, the anonymous principal must already be created, otherwise the upgrade with fail when trying out anonymous PKINIT. Switch the order of steps so that this issue does not occur. https://pagure.io/freeipa/issue/6792 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/631/head:pr631 git checkout pr631 From 87de4c95ea00ce5864a509a6f5ce085378f62fda Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 21 Mar 2017 17:03:35 +0100 Subject: [PATCH] Upgrade: configure PKINIT after adding anonymous principal In order to set up PKINIT, the anonymous principal must already be created, otherwise the upgrade with fail when trying out anonymous PKINIT. Switch the order of steps so that this issue does not occur. https://pagure.io/freeipa/issue/6792 --- ipaserver/install/server/upgrade.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 1706079..be07d78 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1809,9 +1809,9 @@ def upgrade_configuration(): KDC_CERT=paths.KDC_CERT, KDC_KEY=paths.KDC_KEY, CACERT_PEM=paths.CACERT_PEM) -setup_pkinit(krb) enable_anonymous_principal(krb) http.request_anon_keytab() +setup_pkinit(krb) if not ds_running: ds.stop(ds_serverid) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
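Review bot: the reordering in upgrade_configuration() makes setup_pkinit(krb) depend on enable_anonymous_principal(krb) and http.request_anon_keytab() having run first, but nothing in the code records that dependency; add a short comment above setup_pkinit(krb) stating it, so a later cleanup does not move the call back.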
[Freeipa-devel] [freeipa PR#608][comment] tasks: run `systemctl daemon-reload` after httpd.service.d updates
URL: https://github.com/freeipa/freeipa/pull/608
Title: #608: tasks: run `systemctl daemon-reload` after httpd.service.d updates

martbab commented:
"""
If you need the fix in ipa-4-4 you need to file a rebased PR against that branch.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/608#issuecomment-288119146
[Freeipa-devel] [freeipa PR#608][closed] tasks: run `systemctl daemon-reload` after httpd.service.d updates
URL: https://github.com/freeipa/freeipa/pull/608
Author: HonzaCholasta
Title: #608: tasks: run `systemctl daemon-reload` after httpd.service.d updates
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/608/head:pr608
git checkout pr608
[Freeipa-devel] [freeipa PR#608][comment] tasks: run `systemctl daemon-reload` after httpd.service.d updates
URL: https://github.com/freeipa/freeipa/pull/608
Title: #608: tasks: run `systemctl daemon-reload` after httpd.service.d updates

martbab commented:
"""
master:

* 3de09709cc33f1d26f2d605bac82110fe73dde03 tasks: run `systemctl daemon-reload` after httpd.service.d updates

ipa-4-5:

* 62c41219acdd0e82201168aea5cb22879c655742 tasks: run `systemctl daemon-reload` after httpd.service.d updates
"""

See the full comment at https://github.com/freeipa/freeipa/pull/608#issuecomment-288118924
[Freeipa-devel] [freeipa PR#608][+pushed] tasks: run `systemctl daemon-reload` after httpd.service.d updates
URL: https://github.com/freeipa/freeipa/pull/608
Title: #608: tasks: run `systemctl daemon-reload` after httpd.service.d updates
Label: +pushed
[Freeipa-devel] [freeipa PR#608][+ack] tasks: run `systemctl daemon-reload` after httpd.service.d updates
URL: https://github.com/freeipa/freeipa/pull/608
Title: #608: tasks: run `systemctl daemon-reload` after httpd.service.d updates
Label: +ack
[Freeipa-devel] [freeipa PR#608][comment] tasks: run `systemctl daemon-reload` after httpd.service.d updates
URL: https://github.com/freeipa/freeipa/pull/608
Title: #608: tasks: run `systemctl daemon-reload` after httpd.service.d updates

martbab commented:
"""
@HonzaCholasta I was not able to reproduce it any more so I guess that it was a transient error. If I encounter it again I will file a separate ticket.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/608#issuecomment-288118393
[Freeipa-devel] [freeipa PR#621][comment] Add --force-password-reset to user_mod in user.py
URL: https://github.com/freeipa/freeipa/pull/621
Title: #621: Add --force-password-reset to user_mod in user.py

HonzaCholasta commented:
"""
@redhatrises, do not handle the format yourself, use the `DateTime` param type. Note that you will need to extend it to correctly interpret the "now" value.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-288101283
[Freeipa-devel] [freeipa PR#621][comment] Add --force-password-reset to user_mod in user.py
URL: https://github.com/freeipa/freeipa/pull/621
Title: #621: Add --force-password-reset to user_mod in user.py

redhatrises commented:
"""
@HonzaCholasta that's an interesting idea. Most of the time, a password reset is forced immediately, but that does provide more flexibility. I assume that the datetime input should match the `2017-03-21T07:58:05Z` format?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-288063972
[Freeipa-devel] [freeipa PR#620][comment] [WIP] Fixing 6549
URL: https://github.com/freeipa/freeipa/pull/620
Title: #620: [WIP] Fixing 6549

felipevolpone commented:
"""
@HonzaCholasta @tomaskrizek please, check if it looks good to you. thank you for helping me guys :+1:
"""

See the full comment at https://github.com/freeipa/freeipa/pull/620#issuecomment-288060962
[Freeipa-devel] [freeipa PR#620][synchronized] [WIP] Fixing 6549
URL: https://github.com/freeipa/freeipa/pull/620 Author: felipevolpone Title: #620: [WIP] Fixing 6549 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/620/head:pr620 git checkout pr620 From 473e95bcf41fbe78d61d89cef66733874cb86508 Mon Sep 17 00:00:00 2001 From: felipe Date: Tue, 21 Mar 2017 09:05:56 -0300 Subject: [PATCH] Fixing replica install: fix ldap connection in domlvl 0 Now, at the domain level 0, the replica install always uses Directory Manager credentials to create the LDAP connection. Since ACIs permitting hosts to manage their own services were added in 4.2 release, the old master denies this operations. https://pagure.io/freeipa/issue/6549 --- ipaserver/install/server/replicainstall.py | 11 ++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index b4463fd..f489e69 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -1391,7 +1391,16 @@ def install(installer): dsinstance.create_ds_user() try: -conn.connect(ccache=ccache) +if promote: +conn.connect(ccache=ccache) +else: +# dmlvl 0 replica install should always use DM credentials +# to create remote LDAP connection. Since ACIs permitting hosts +# to manage their own services were added in 4.2 release, +# the master denies this operations. +conn.connect(bind_dn=ipaldap.DIRMAN_DN, cacert=cafile, + bind_pw=config.dirman_password) + # Update and istall updated CA file cafile = install_ca_cert(conn, api.env.basedn, api.env.realm, cafile) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
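Review bot: in the new else branch of install(), conn.connect(bind_dn=ipaldap.DIRMAN_DN, cacert=cafile, bind_pw=config.dirman_password) uses cafile before the following `cafile = install_ca_cert(...)` line reassigns it, and it assumes config.dirman_password is always set when promote is false; please confirm both hold on the domain level 0 path and fail with a clear error otherwise. The added comment has typos ("dmlvl 0", "this operations") and should name which operations the old master denies.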
[Freeipa-devel] [freeipa PR#628][comment] WebUI: Remove offline version of WebUI
URL: https://github.com/freeipa/freeipa/pull/628
Title: #628: WebUI: Remove offline version of WebUI

pvomacka commented:
"""
Self-NACK, build fails.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/628#issuecomment-288046245
[Freeipa-devel] [freeipa PR#543][closed] Add options to allow ticket caching
URL: https://github.com/freeipa/freeipa/pull/543
Author: simo5
Title: #543: Add options to allow ticket caching
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/543/head:pr543
git checkout pr543
[Freeipa-devel] [freeipa PR#543][comment] Add options to allow ticket caching
URL: https://github.com/freeipa/freeipa/pull/543
Title: #543: Add options to allow ticket caching

HonzaCholasta commented:
"""
ipa-4-5:

* 62d39385e20b3e1b059466f37cc06383331e Add options to allow ticket caching
"""

See the full comment at https://github.com/freeipa/freeipa/pull/543#issuecomment-288045834
[Freeipa-devel] [freeipa PR#543][+pushed] Add options to allow ticket caching
URL: https://github.com/freeipa/freeipa/pull/543
Title: #543: Add options to allow ticket caching
Label: +pushed
[Freeipa-devel] [freeipa PR#543][-pushed] Add options to allow ticket caching
URL: https://github.com/freeipa/freeipa/pull/543
Title: #543: Add options to allow ticket caching
Label: -pushed
[Freeipa-devel] [freeipa PR#543][comment] Add options to allow ticket caching
URL: https://github.com/freeipa/freeipa/pull/543
Title: #543: Add options to allow ticket caching

HonzaCholasta commented:
"""
@martbab, the ticket says 4.5.1, but this was not pushed to ipa-4-5.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/543#issuecomment-288045552
[Freeipa-devel] [freeipa PR#543][reopened] Add options to allow ticket caching
URL: https://github.com/freeipa/freeipa/pull/543
Author: simo5
Title: #543: Add options to allow ticket caching
Action: reopened

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/543/head:pr543
git checkout pr543
[Freeipa-devel] [freeipa PR#630][+pushed] ipapython.ipautil.nolog_replace: Do not replace empty value
URL: https://github.com/freeipa/freeipa/pull/630
Title: #630: ipapython.ipautil.nolog_replace: Do not replace empty value
Label: +pushed
[Freeipa-devel] [freeipa PR#630][closed] ipapython.ipautil.nolog_replace: Do not replace empty value
URL: https://github.com/freeipa/freeipa/pull/630
Author: dkupka
Title: #630: ipapython.ipautil.nolog_replace: Do not replace empty value
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/630/head:pr630
git checkout pr630
[Freeipa-devel] [freeipa PR#630][comment] ipapython.ipautil.nolog_replace: Do not replace empty value
URL: https://github.com/freeipa/freeipa/pull/630
Title: #630: ipapython.ipautil.nolog_replace: Do not replace empty value

pvomacka commented:
"""
ipa-4-5:

* 8f0c7df198f8dd6ae742b099b3258c2383007c30 ipapython.ipautil.nolog_replace: Do not replace empty value

master:

* 4297ad6db0d4f39d82fd155323163df92b2b7894 ipapython.ipautil.nolog_replace: Do not replace empty value

ipa-4-4:

* 40e1eb695d648a03f45e9c8d6687cb3d8a99fd6d ipapython.ipautil.nolog_replace: Do not replace empty value
"""

See the full comment at https://github.com/freeipa/freeipa/pull/630#issuecomment-288012307
[Freeipa-devel] [freeipa PR#630][+ack] ipapython.ipautil.nolog_replace: Do not replace empty value
URL: https://github.com/freeipa/freeipa/pull/630
Title: #630: ipapython.ipautil.nolog_replace: Do not replace empty value
Label: +ack
[Freeipa-devel] [freeipa PR#621][comment] Add --force-password-reset to user_mod in user.py
URL: https://github.com/freeipa/freeipa/pull/621
Title: #621: Add --force-password-reset to user_mod in user.py

HonzaCholasta commented:
"""
I have given this some thought over the night - maybe we should make the option more generic and allow the user to specify the expiration time rather than special case it for "now" time, i.e. `--password-expiration=2017-03-21T07:58:05Z` to expire the password at a specific time, `--password-expiration=now` to expire the password now, just like `--force-password-reset` does.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/621#issuecomment-287992866