[Freeipa-devel] [freeipa PR#764][comment] Basic uninstaller for the CA

2017-05-16 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/764
Title: #764: Basic uninstaller for the CA

pvoborni commented:
"""
We need to develop something like this, but right now it is not the best time 
for it. First we need to stabilize 4.5.1 (seems that's almost done). Then focus 
on testing - current test coverage + on pull request CI. When this is ready we 
can focus on python3 porting and existing PRs including this one. The reason is 
that I'm hesitant to implement this, so as not to introduce other regressions, 
because it touches more areas than it seems.

For the parts above:

- +1 for denying uninstall on successful install
- there is actually a path from CA-less to CA so we need to think about it as 
well


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/764#issuecomment-301756039
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#764][+postponed] Basic uninstaller for the CA

2017-05-16 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/764
Title: #764: Basic uninstaller for the CA

Label: +postponed

[Freeipa-devel] [freeipa PR#782][comment] [WIP] Improving GUI text in "Add DNS Zones" popup

2017-05-15 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/782
Title: #782: [WIP] Improving GUI text in "Add DNS Zones" popup

pvoborni commented:
"""
Ok, when one field is not usable because IP address or network address are 
also valid DNS zones, then the proper way is to follow patternfly design for 
this kind of workflow: 
http://www.patternfly.org/pattern-library/forms-and-controls/progressive-disclosure/
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/782#issuecomment-301408101

[Freeipa-devel] [freeipa PR#782][comment] [WIP] Improving GUI text in "Add DNS Zones" popup

2017-05-12 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/782
Title: #782: [WIP] Improving GUI text in "Add DNS Zones" popup

pvoborni commented:
"""
I'm not completely sure that the approach suggested in the bug report is correct. 
That is why I suggested an alternative in 
https://bugzilla.redhat.com/show_bug.cgi?id=1419834#c2

So before implementing it a small conversation could have happened to agree on 
the approach.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/782#issuecomment-301081271

[Freeipa-devel] [freeipa PR#773][comment] [WIP] Warn in cert-request if CSR doesn't contain SAN

2017-05-10 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/773
Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN

pvoborni commented:
"""
I don't think it makes sense to spend time on configuration of warning - that 
is larger change (ldap attr, schema, api...) and as such out of scope of 4.5.

Simple warning is IMO good, but it should be worded in a sense that SAN is not 
always needed. Probably mention in what general use cases it is needed e.g. web 
services/pages.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/773#issuecomment-300491247

[Freeipa-devel] [freeipa PR#773][comment] [WIP] Warn in cert-request if CSR doesn't contain SAN

2017-05-10 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/773
Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN

pvoborni commented:
"""
AFAIK, there was not an agreement on not implementing this, otherwise the ticket 
would be closed. The ticket #6663 was created to warn until the change in 
profiles is implemented (#4970). It was mentioned yesterday at the IPA meeting that 
we want to warn - when discussing: 
https://bugzilla.redhat.com/show_bug.cgi?id=1445345 and 
https://bugzilla.redhat.com/show_bug.cgi?id=1445927
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/773#issuecomment-300401288

[Freeipa-devel] [freeipa PR#764][comment] Basic uninstaller for the CA

2017-05-09 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/764
Title: #764: Basic uninstaller for the CA

pvoborni commented:
"""
Let's first clarify the problem to solve. If I understand @rcritten right, the 
problem is that if ipa-ca-install fails then one must reinstall the whole 
replica because the failed installation left garbage and the subsequent 
installer is not able to handle the garbage.

Uninstallation of successful CA installation is not the intent, right? If so 
then it seems to me that both of you are in agreement. And I would add that I 
completely agree with CA uninstall not being a goal because it would add just 
another use case to support with a benefit I don't see.

So if the goal is repeatable ipa-ca-install then let's not talk about creating a CA 
uninstaller but rather about CA cleanup and let's hide/remove the `--uninstall` 
option and figure out how it should behave - i.e. let it be internal.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/764#issuecomment-300097665

[Freeipa-devel] [freeipa PR#761][comment] Fixing adding authenticator indicators to host

2017-05-04 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/761
Title: #761: Fixing adding authenticator indicators to host

pvoborni commented:
"""
I'd fix it on all places in host-mod:
```
  885  raise errors.ACIError(info=msg)
  886  obj_classes = entry_attrs_old['objectclass']
  887: if 'krbprincipalaux' not in obj_classes:
  888  obj_classes.append('krbprincipalaux')
  889  entry_attrs['objectclass'] = obj_classes
  ...
  921  _entry_attrs = ldap.get_entry(dn, ['objectclass'])
  922  obj_classes = _entry_attrs['objectclass']
  923: if 'ieee802device' not in obj_classes:
  924  obj_classes.append('ieee802device')
  925  entry_attrs['objectclass'] = obj_classes
  ...
  941  _entry_attrs = ldap.get_entry(dn, ['objectclass'])
  942  obj_classes = entry_attrs['objectclass'] = _entry_attrs['objectclass']
  943: if 'ipasshhost' not in obj_classes:
  944  obj_classes.append('ipasshhost')
```

so that the plugin would be consistent. Rest of framework can be fixed other 
time.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/761#issuecomment-299172235

[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys

2017-05-02 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

pvoborni commented:
"""
What is this PR waiting for?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/679#issuecomment-298530908

[Freeipa-devel] [freeipa PR#748][comment] restore: restart/reload gssproxy after restore

2017-04-28 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/748
Title: #748: restore: restart/reload gssproxy after restore

pvoborni commented:
"""
Should work:

```
def debian_service_class_factory(name, api=None):
    if name == 'dirsrv':
        return redhat_services.RedHatDirectoryService(name, api)
    if name == 'domainname':
        return DebianNoService(name, api)
    if name == 'ipa':
        return redhat_services.RedHatIPAService(name, api)
    if name == 'messagebus':
        return DebianNoService(name, api)
    if name == 'ntpd':
        return DebianSysvService("ntp", api)
    return DebianService(name, api)
```
so it's `DebianService`

```
class DebianService(redhat_services.RedHatService):
    system_units = debian_system_units
```
then
```
class RedHatService(base_services.SystemdService):
```

I.e. it is not `DebianSysvService`
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/748#issuecomment-297987349

[Freeipa-devel] [freeipa PR#738][+rejected] restore: restart gssproxy after restore

2017-04-28 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/738
Title: #738: restore: restart gssproxy after restore

Label: +rejected

[Freeipa-devel] [freeipa PR#738][closed] restore: restart gssproxy after restore

2017-04-28 Thread pvoborni
   URL: https://github.com/freeipa/freeipa/pull/738
Author: pvoborni
 Title: #738: restore: restart gssproxy after restore
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/738/head:pr738
git checkout pr738

[Freeipa-devel] [freeipa PR#738][comment] restore: restart gssproxy after restore

2017-04-28 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/738
Title: #738: restore: restart gssproxy after restore

pvoborni commented:
"""
PR #748 obsoletes this one - this PR was created badly and so I cannot force 
update it. New one uses reload-or-restart
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/738#issuecomment-297962651

[Freeipa-devel] [freeipa PR#748][comment] restore: restart/reload gssproxy after restore

2017-04-28 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/748
Title: #748: restore: restart/reload gssproxy after restore

pvoborni commented:
"""
Obsoletes PR #738 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/748#issuecomment-297962322

[Freeipa-devel] [freeipa PR#748][opened] restore: restart/reload gssproxy after restore

2017-04-28 Thread pvoborni
   URL: https://github.com/freeipa/freeipa/pull/748
Author: pvoborni
 Title: #748: restore: restart/reload gssproxy after restore
Action: opened

PR body:
"""
So that gssproxy picks up new configuration and therefore related
usages like authentication of CLI against server work

https://pagure.io/freeipa/issue/6902
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/748/head:pr748
git checkout pr748
From d49d50c8af896425f5c63950edde08bd88dbb46f Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Wed, 26 Apr 2017 18:47:53 +0200
Subject: [PATCH] restore: restart/reload gssproxy after restore

So that gssproxy picks up new configuration and therefore related
usages like authentication of CLI against server work

https://pagure.io/freeipa/issue/6902
---
 ipaplatform/base/services.py | 21 ++---
 ipaserver/install/ipa_restore.py |  3 +++
 2 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/ipaplatform/base/services.py b/ipaplatform/base/services.py
index 068b972..fca6298 100644
--- a/ipaplatform/base/services.py
+++ b/ipaplatform/base/services.py
@@ -154,6 +154,10 @@ def stop(self, instance_name="", capture_output=True,
 
 return
 
+def reload_or_restart(self, instance_name="", capture_output=True,
+  wait=True):
+return
+
 def restart(self, instance_name="", capture_output=True, wait=True):
 return
 
@@ -298,14 +302,25 @@ def start(self, instance_name="", capture_output=True, wait=True):
 instance_name,
 update_service_list=update_service_list)
 
-def restart(self, instance_name="", capture_output=True, wait=True):
-ipautil.run([paths.SYSTEMCTL, "restart",
- self.service_instance(instance_name)],
+def _restart_base(self, instance_name, operation, capture_output=True,
+  wait=False):
+
+ipautil.run([paths.SYSTEMCTL, operation,
+self.service_instance(instance_name)],
 skip_output=not capture_output)
 
 if wait and self.is_running(instance_name):
 self.wait_for_open_ports(self.service_instance(instance_name))
 
+def reload_or_restart(self, instance_name="", capture_output=True,
+  wait=True):
+self._restart_base(instance_name, "reload-or-restart",
+   capture_output, wait)
+
+def restart(self, instance_name="", capture_output=True, wait=True):
+self._restart_base(instance_name, "restart",
+   capture_output, wait)
+
 def is_running(self, instance_name="", wait=True):
 instance = self.service_instance(instance_name, 'is-active')
 
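Review bot: `_restart_base` declares `wait=False` while both public wrappers, `restart` and `reload_or_restart`, default to `wait=True`; the differing default is easy to trip over if the helper is ever called directly. Both wrappers already pass `capture_output` and `wait` explicitly, so drop the defaults on the helper (or make them match) and add a short docstring saying that `operation` is the systemctl verb to run.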
diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index 378c013..96fc493 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -401,6 +401,9 @@ def run(self):
 services.knownservices.pki_tomcatd.enable()
 services.knownservices.pki_tomcatd.disable()
 
+self.log.info('Restarting GSS-proxy')
+gssproxy = services.service('gssproxy', api)
+gssproxy.reload_or_restart()
 self.log.info('Starting IPA services')
 run(['ipactl', 'start'])
 self.log.info('Restarting SSSD')
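Review bot: the log line says 'Restarting GSS-proxy' but the call is `gssproxy.reload_or_restart()`, which may only reload the service; word the message to match, for example 'Reloading or restarting gssproxy'. The call also has no error handling in the visible context, so if it raises, `run()` stops before `ipactl start`; consider catching the failure, logging it and continuing with the restore.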

[Freeipa-devel] [freeipa PR#723][-ack] Store GSSAPI session key in /var/run/httpd

2017-04-28 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/723
Title: #723: Store GSSAPI session key in /var/run/httpd

Label: -ack

[Freeipa-devel] [freeipa PR#723][-pushed] Store GSSAPI session key in /var/run/httpd

2017-04-28 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/723
Title: #723: Store GSSAPI session key in /var/run/httpd

Label: -pushed

[Freeipa-devel] [freeipa PR#741][+blocker] 6.9 -> 7.4 migration fixes

2017-04-28 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/741
Title: #741: 6.9 -> 7.4 migration fixes

Label: +blocker

[Freeipa-devel] [freeipa PR#694][+blocker] RFC: implement local PKINIT deployment in server/replica install

2017-04-28 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

Label: +blocker

[Freeipa-devel] [freeipa PR#737][+blocker] Vault: Explicitly default to 3DES CBC

2017-04-27 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/737
Title: #737: Vault: Explicitly default to 3DES CBC

Label: +blocker

[Freeipa-devel] [freeipa PR#735][comment] automount install: do not wait for sssd restart on uninstallation

2017-04-27 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/735
Title: #735: automount install: do not wait for sssd restart on uninstallation

pvoborni commented:
"""
The error message was reverted to original (I was fixing the comment below and 
wondered why it was not fixed, now I know).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/735#issuecomment-297633491

[Freeipa-devel] [freeipa PR#735][synchronized] automount install: do not wait for sssd restart on uninstallation

2017-04-27 Thread pvoborni
   URL: https://github.com/freeipa/freeipa/pull/735
Author: pvoborni
 Title: #735: automount install: do not wait for sssd restart on uninstallation
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/735/head:pr735
git checkout pr735
From 6aad7fdf6bea409c61e437f73fe8b13f98fbd8d4 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Tue, 25 Apr 2017 18:19:21 +0200
Subject: [PATCH] automount install: fix checking of SSSD functionality on
 uninstall

Change in 2d4d1a9dc0ef2bbe86751768d6e6b009a52c0dc9 no longer initializes
api in `ipa-client-automount --uninstallation`, which caused an error in
wait_for_sssd which gets realm from initialized API.

This patch initializes the API in a way that it doesn't download schema
on uninstallation and on installation it uses host keytab for it so it
no longer requires user's Kerberos credentials.

Also fix call of xxx_service_class_factory which requires api as param.

https://pagure.io/freeipa/issue/6861
---
 client/ipa-client-automount | 16 ++--
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/client/ipa-client-automount b/client/ipa-client-automount
index 18914bd..2b1d8b9 100755
--- a/client/ipa-client-automount
+++ b/client/ipa-client-automount
@@ -193,7 +193,7 @@ def configure_autofs_sssd(fstore, statestore, autodiscover, options):
 sssdconfig.write(paths.SSSD_CONF)
 statestore.backup_state('autofs', 'sssd', True)
 
-sssd = services.service('sssd')
+sssd = services.service('sssd', api)
 sssd.restart()
 print("Restarting sssd, waiting for it to become available.")
 wait_for_sssd()
@@ -281,7 +281,7 @@ def uninstall(fstore, statestore):
 break
 sssdconfig.save_domain(domain)
 sssdconfig.write(paths.SSSD_CONF)
-sssd = services.service('sssd')
+sssd = services.service('sssd', api)
 sssd.restart()
 wait_for_sssd()
 except Exception as e:
@@ -379,9 +379,6 @@ def main():
 paths.IPACLIENT_INSTALL_LOG, verbose=False, debug=options.debug,
 filemode='a', console_format='%(message)s')
 
-if options.uninstall:
-return uninstall(fstore, statestore)
-
 cfg = dict(
 context='cli_installer',
 confdir=paths.ETC_IPA,
@@ -390,8 +387,11 @@ def main():
 verbose=0,
 )
 
+# Bootstrap API early so that env object is available
 api.bootstrap(**cfg)
-api.finalize()
+
+if options.uninstall:
+return uninstall(fstore, statestore)
 
 ca_cert_path = None
 if os.path.exists(paths.IPA_CA_CRT):
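Review bot: with the `if options.uninstall:` return now placed after `api.bootstrap(**cfg)` and before any `api.finalize()`, `uninstall()` runs against a bootstrapped but unfinalized API, and the added comment only mentions the env object. Extend the comment to state that code on the uninstall path may rely only on what `bootstrap` provides (the commit message names the realm lookup in `wait_for_sssd`) and not on anything that needs `finalize()`, so a later change does not add such a call there.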
@@ -449,6 +449,10 @@ def main():
 os.environ['KRB5CCNAME'] = ccache_name
 except gssapi.exceptions.GSSError as e:
 sys.exit("Failed to obtain host TGT: %s" % e)
+
+# Finalize API when TGT obtained using host keytab exists
+api.finalize()
+
 # Now we have a TGT, connect to IPA
 try:
 api.Backend.rpcclient.connect()
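Review bot: the new comment above `api.finalize()` is hard to parse and does not say why finalization was moved below the keytab `kinit`. State the reason given in the commit message, for example "Finalize the API only after KRB5CCNAME points at the host TGT, so that it uses the host keytab instead of the user's credentials". It is also worth confirming that nothing between `api.bootstrap(**cfg)` and this point needs a finalized API.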

[Freeipa-devel] [freeipa PR#738][opened] restore: restart gssproxy after restore

2017-04-26 Thread pvoborni
   URL: https://github.com/freeipa/freeipa/pull/738
Author: pvoborni
 Title: #738: restore: restart gssproxy after restore
Action: opened

PR body:
"""
So that gssproxy picks up new configuration and therefore related
usages like authentication of CLI against server work

https://pagure.io/freeipa/issue/6902

@simo5 btw, what is the proper name of gssproxy? Is it GSSAPI proxy, gss-proxy 
or gssproxy?

Note: if this patch is wrong, feel free to take over and abolish this PR.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/738/head:pr738
git checkout pr738
From 501c5523c1d26f1bf9336cd3b2fea74b9b9531ce Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Wed, 26 Apr 2017 18:47:53 +0200
Subject: [PATCH] restore: restart gssproxy after restore

So that gssproxy picks up new configuration and therefore related
usages like authentication of CLI against server work

https://pagure.io/freeipa/issue/6902
---
 ipaserver/install/ipa_restore.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index 378c013..91ced97 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -401,6 +401,9 @@ def run(self):
 services.knownservices.pki_tomcatd.enable()
 services.knownservices.pki_tomcatd.disable()
 
+self.log.info('Restarting GSSAPI proxy')
+gssproxy = services.service('gssproxy', api)
+gssproxy.restart()
 self.log.info('Starting IPA services')
 run(['ipactl', 'start'])
 self.log.info('Restarting SSSD')
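Review bot: `gssproxy.restart()` is called with no error handling in the visible context, so an exception from it would abort `run()` before `ipactl start`; consider catching it, logging a warning and continuing. The log text 'Restarting GSSAPI proxy' also differs from the unit name passed to `services.service('gssproxy', api)`; using the unit name makes the log line easier to match against the service.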

[Freeipa-devel] [freeipa PR#737][comment] Vault: Explicitly default to 3DES CBC

2017-04-26 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/737
Title: #737: Vault: Explicitly default to 3DES CBC

pvoborni commented:
"""
Should go to 4.4.5 unless pki-core-10.4.0-1 is removed from f25. Blocking new 
Dogtag update in 4.4 doesn't seem right to me.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/737#issuecomment-297468723

[Freeipa-devel] [freeipa PR#735][comment] automount install: do not wait for sssd restart on uninstallation

2017-04-26 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/735
Title: #735: automount install: do not wait for sssd restart on uninstallation

pvoborni commented:
"""
Thanks Rob, this reason for the wait didn't occur to me. New patch changes 
api initialization so that it works for both install and uninstall even without 
user's Kerberos credentials and with cleared cache.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/735#issuecomment-297458891

[Freeipa-devel] [freeipa PR#735][synchronized] automount install: do not wait for sssd restart on uninstallation

2017-04-26 Thread pvoborni
   URL: https://github.com/freeipa/freeipa/pull/735
Author: pvoborni
 Title: #735: automount install: do not wait for sssd restart on uninstallation
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/735/head:pr735
git checkout pr735
From 96471aee6a166e24ebd46047fb21d7b2a059c577 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Tue, 25 Apr 2017 18:19:21 +0200
Subject: [PATCH] automount install: fix checking of SSSD functionality on
 uninstall

Change in 2d4d1a9dc0ef2bbe86751768d6e6b009a52c0dc9 no longer initializes
api in `ipa-client-automount --uninstallation`, which caused an error in
wait_for_sssd which gets realm from initialized API.

This patch initializes the API in a way that it doesn't download schema
on uninstallation and on installation it uses host keytab for it so it
no longer requires user's Kerberos credentials.

Also fix call of xxx_service_class_factory which requires api as param.

https://pagure.io/freeipa/issue/6861
---
 client/ipa-client-automount | 18 +++---
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/client/ipa-client-automount b/client/ipa-client-automount
index 18914bd..6d639d3 100755
--- a/client/ipa-client-automount
+++ b/client/ipa-client-automount
@@ -193,7 +193,7 @@ def configure_autofs_sssd(fstore, statestore, autodiscover, options):
 sssdconfig.write(paths.SSSD_CONF)
 statestore.backup_state('autofs', 'sssd', True)
 
-sssd = services.service('sssd')
+sssd = services.service('sssd', api)
 sssd.restart()
 print("Restarting sssd, waiting for it to become available.")
 wait_for_sssd()
@@ -281,7 +281,7 @@ def uninstall(fstore, statestore):
 break
 sssdconfig.save_domain(domain)
 sssdconfig.write(paths.SSSD_CONF)
-sssd = services.service('sssd')
+sssd = services.service('sssd', api)
 sssd.restart()
 wait_for_sssd()
 except Exception as e:
@@ -379,9 +379,6 @@ def main():
 paths.IPACLIENT_INSTALL_LOG, verbose=False, debug=options.debug,
 filemode='a', console_format='%(message)s')
 
-if options.uninstall:
-return uninstall(fstore, statestore)
-
 cfg = dict(
 context='cli_installer',
 confdir=paths.ETC_IPA,
@@ -390,8 +387,11 @@ def main():
 verbose=0,
 )
 
+# Bootstrap API early so that env object is available
 api.bootstrap(**cfg)
-api.finalize()
+
+if options.uninstall:
+return uninstall(fstore, statestore)
 
 ca_cert_path = None
 if os.path.exists(paths.IPA_CA_CRT):
@@ -448,7 +448,11 @@ def main():
 kinit_keytab(host_princ, paths.KRB5_KEYTAB, ccache_name)
 os.environ['KRB5CCNAME'] = ccache_name
 except gssapi.exceptions.GSSError as e:
-sys.exit("Failed to obtain host TGT: %s" % e)
+sys.exit("Failed to obtained host TGT: %s" % e)
+
+# Finalize API when TGT obtained using host keytab exists
+api.finalize()
+
 # Now we have a TGT, connect to IPA
 try:
 api.Backend.rpcclient.connect()
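Review bot: in the `except gssapi.exceptions.GSSError` branch the `sys.exit` message changes from "Failed to obtain host TGT" to "Failed to obtained host TGT", which is ungrammatical and unrelated to the fix; keep the original string. Anything that matches on the old message in logs or tests would also stop matching.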

[Freeipa-devel] [freeipa PR#735][synchronized] automount install: do not wait for sssd restart on uninstallation

2017-04-26 Thread pvoborni
   URL: https://github.com/freeipa/freeipa/pull/735
Author: pvoborni
 Title: #735: automount install: do not wait for sssd restart on uninstallation
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/735/head:pr735
git checkout pr735
From 769c520574e690cfba4f1484bbd838be0176d5a1 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Tue, 25 Apr 2017 18:19:21 +0200
Subject: [PATCH] automount install: fix checking of SSSD functionality on
 uninstall

Change in 2d4d1a9dc0ef2bbe86751768d6e6b009a52c0dc9 no longer initializes
api in `ipa-client-automount --uninstallation`, which caused an error in
wait_for_sssd which gets realm from initialized API.

This patch initializes the API in a way that it doesn't download schema
on uninstallation and on installation it uses host keytab for it so it
no longer requires user's Kerberos credentials.

Also fix call of xxx_service_class_factory which requires api as param.

https://pagure.io/freeipa/issue/6861
---
 client/ipa-client-automount | 18 +++---
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/client/ipa-client-automount b/client/ipa-client-automount
index 18914bd..c1a6b2c 100755
--- a/client/ipa-client-automount
+++ b/client/ipa-client-automount
@@ -193,7 +193,7 @@ def configure_autofs_sssd(fstore, statestore, autodiscover, options):
 sssdconfig.write(paths.SSSD_CONF)
 statestore.backup_state('autofs', 'sssd', True)
 
-sssd = services.service('sssd')
+sssd = services.service('sssd', api)
 sssd.restart()
 print("Restarting sssd, waiting for it to become available.")
 wait_for_sssd()
@@ -281,7 +281,7 @@ def uninstall(fstore, statestore):
 break
 sssdconfig.save_domain(domain)
 sssdconfig.write(paths.SSSD_CONF)
-sssd = services.service('sssd')
+sssd = services.service('sssd', api)
 sssd.restart()
 wait_for_sssd()
 except Exception as e:
@@ -379,9 +379,6 @@ def main():
 paths.IPACLIENT_INSTALL_LOG, verbose=False, debug=options.debug,
 filemode='a', console_format='%(message)s')
 
-if options.uninstall:
-return uninstall(fstore, statestore)
-
 cfg = dict(
 context='cli_installer',
 confdir=paths.ETC_IPA,
@@ -390,8 +387,11 @@ def main():
 verbose=0,
 )
 
+# Bootstrap API early so that env object is available
 api.bootstrap(**cfg)
-api.finalize()
+
+if options.uninstall:
+return uninstall(fstore, statestore)
 
 ca_cert_path = None
 if os.path.exists(paths.IPA_CA_CRT):
@@ -448,7 +448,11 @@ def main():
 kinit_keytab(host_princ, paths.KRB5_KEYTAB, ccache_name)
 os.environ['KRB5CCNAME'] = ccache_name
 except gssapi.exceptions.GSSError as e:
-sys.exit("Failed to obtain host TGT: %s" % e)
+sys.exit("Failed to obtained host TGT: %s" % e)
+
+# Finilize api when TGT obtain using host keytab exists
+api.finalize()
+
 # Now we have a TGT, connect to IPA
 try:
 api.Backend.rpcclient.connect()
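Review bot: two wording regressions in this hunk: the `sys.exit` message becomes "Failed to obtained host TGT" (keep "Failed to obtain host TGT"), and the new comment reads "Finilize api when TGT obtain using host keytab exists", which is misspelled and hard to parse. Reword the comment to say that `api.finalize()` is deferred until the host TGT is available in `KRB5CCNAME`.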

[Freeipa-devel] [freeipa PR#735][opened] automount install: do not wait for sssd restart on uninstallation

2017-04-26 Thread pvoborni
   URL: https://github.com/freeipa/freeipa/pull/735
Author: pvoborni
 Title: #735: automount install: do not wait for sssd restart on uninstallation
Action: opened

PR body:
"""
Change in 2d4d1a9dc0ef2bbe86751768d6e6b009a52c0dc9 no longer initializes
api in `ipa-client-automount --uninstallation`, which caused an error in
wait_for_sssd which gets realm from initialized API.

In my opinion, there is no reason to check working sssd after uninstallation by
running id command. If anything depends on running sssd then it should do the check.

Also fix call of xxx_service_class_factory which requires api as param.

https://pagure.io/freeipa/issue/6861
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/735/head:pr735
git checkout pr735
From 76651c3b6bf696e1db752f6db424a87bfa1ed9b5 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Tue, 25 Apr 2017 18:19:21 +0200
Subject: [PATCH] automount install: do not wait for sssd restart on
 uninstallation

Change in 2d4d1a9dc0ef2bbe86751768d6e6b009a52c0dc9 no longer initializes
api in `ipa-client-automount --uninstallation`, which caused an error in
wait_for_sssd which gets realm from initialized API.

In my opinion, there is no reason to check working sssd after uninstallation by running
id command. If anything depends on running sssd then it should do the check.

Also fix call of xxx_service_class_factory which requires api as param.

https://pagure.io/freeipa/issue/6861
---
 client/ipa-client-automount | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/client/ipa-client-automount b/client/ipa-client-automount
index 18914bd..622abcf 100755
--- a/client/ipa-client-automount
+++ b/client/ipa-client-automount
@@ -193,7 +193,7 @@ def configure_autofs_sssd(fstore, statestore, autodiscover, options):
 sssdconfig.write(paths.SSSD_CONF)
 statestore.backup_state('autofs', 'sssd', True)
 
-sssd = services.service('sssd')
+sssd = services.service('sssd', api)
 sssd.restart()
 print("Restarting sssd, waiting for it to become available.")
 wait_for_sssd()
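
Review bot: `api` is passed to `services.service('sssd', api)` but is not among the parameters of `configure_autofs_sssd(fstore, statestore, autodiscover, options)`, so the call relies on a module-level `api` being in scope and set up before this function runs. Please confirm that holds on every path into the function, because `wait_for_sssd()` just below still runs here and, per the commit message, reads the realm from an initialized API.
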
@@ -281,9 +281,8 @@ def uninstall(fstore, statestore):
 break
 sssdconfig.save_domain(domain)
 sssdconfig.write(paths.SSSD_CONF)
-sssd = services.service('sssd')
+sssd = services.service('sssd', api)
 sssd.restart()
-wait_for_sssd()
 except Exception as e:
 print('Unable to restore SSSD configuration: %s' % str(e))
 root_logger.debug('Unable to restore SSSD configuration: %s' % str(e))
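
Review bot: in `uninstall`, the commit message says the API is no longer initialized on this path, yet the new line passes `api` to `services.service('sssd', api)`; please confirm the factory only needs the object and not an initialized API, otherwise the failure just moves from `wait_for_sssd()` to this line and is swallowed by the `except Exception` below, which only prints and logs at debug level. With `wait_for_sssd()` removed, nothing in this block reports whether sssd came back after `sssd.restart()`, so a log line above debug level for a failed restart would be worth adding.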

[Freeipa-devel] [freeipa PR#734][opened] kerberos session: use CA cert with full cert chain for obtaining cookie

2017-04-26 Thread pvoborni
   URL: https://github.com/freeipa/freeipa/pull/734
Author: pvoborni
 Title: #734: kerberos session: use CA cert with full cert chain for obtaining cookie
Action: opened

PR body:
"""
HTTP request performed in finalize_kerberos_acquisition doesn't use
CA certificate/certificate store with full certificate chain of IPA server.
So it might happen that in case that IPA is installed with externally signed
CA certificate, the call can fail because of certificate validation
and e.g. prevent session acquisition.

Whether it will fail for sure is not known - the use case was not discovered,
but it is faster and safer to fix preemptively.

https://pagure.io/freeipa/issue/6876
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/734/head:pr734
git checkout pr734
From 39562bdd5bbaec74f643ccc13555cf75d95fe0e2 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Tue, 25 Apr 2017 17:19:36 +0200
Subject: [PATCH] kerberos session: use CA cert with full cert chain for
 obtaining cookie

HTTP request performed in finalize_kerberos_acquisition doesn't use
CA certificate/certificate store with full certificate chain of IPA server.
So it might happen that in case that IPA is installed with externally signed
CA certificate, the call can fail because of certificate validation
and e.g. prevent session acquisition.

Whether it will fail for sure is not known - the use case was not discovered,
but it is faster and safer to fix preemptively.

https://pagure.io/freeipa/issue/6876
---
 ipaserver/rpcserver.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 77ed7e1..6eed815 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -602,7 +602,8 @@ def finalize_kerberos_acquisition(self, who, ccache_name, environ, start_respons
 try:
 target = self.api.env.host
 r = requests.get('http://{0}/ipa/session/cookie'.format(target),
- auth=NegotiateAuth(target, ccache_name))
+ auth=NegotiateAuth(target, ccache_name),
+ verify=paths.IPA_CA_CRT)
 session_cookie = r.cookies.get("ipa_session")
 if not session_cookie:
 raise ValueError('No session cookie found')
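
Review bot: the URL on the `requests.get(` line is still `http://{0}/ipa/session/cookie`, so the added `verify=paths.IPA_CA_CRT` only takes effect if the server redirects the request to HTTPS; a plain HTTP request is not covered by certificate validation at all, and that request carries the Negotiate exchange that yields the `ipa_session` cookie. Consider requesting `https://` directly so the CA bundle applies to the first hop. The hunk also does not show `paths` being imported in `rpcserver.py`, so please check that it is.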

[Freeipa-devel] [freeipa PR#699][comment] ipaclient/ipapython macOS compatibility fixes

2017-04-19 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/699
Title: #699: ipaclient/ipapython macOS compatibility fixes

pvoborni commented:
"""
IMO this can be put to 4.5.1 (ipa-4-5 branch) but in order to do it, according 
to FreeIPA devel processes, it needs to be attached (have a ticket link in 
commit message) to opened issue in 4.5.1 milestone. Otherwise it will go only 
to master branch (future 4.6). If this fixes 6850, then it can be reopened for 
it. Otherwise please [open a new issue](https://pagure.io/freeipa/new_issue) 
with reasoning.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/699#issuecomment-295209903

[Freeipa-devel] [freeipa PR#682][comment] ipserver/dcerpc: unify error processing

2017-04-10 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/682
Title: #682: ipserver/dcerpc: unify error processing

pvoborni commented:
"""
A ticket was created for this PR: https://pagure.io/freeipa/issue/6859
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/682#issuecomment-292910558

[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys

2017-04-04 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

pvoborni commented:
"""
Shouldn't the ticket number be: https://pagure.io/freeipa/issue/6838 ?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/679#issuecomment-291553067

[Freeipa-devel] [freeipa PR#659][+ack] WebUI: Allow to add certs to certmapping with CERT LINES around

2017-03-27 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/659
Title: #659: WebUI: Allow to add certs to certmapping with CERT LINES around

Label: +ack

[Freeipa-devel] [freeipa PR#659][comment] WebUI: Allow to add certs to certmapping with CERT LINES around

2017-03-27 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/659
Title: #659: WebUI: Allow to add certs to certmapping with CERT LINES around

pvoborni commented:
"""
Code LGTM, ACK given that it works for @flo-renaud 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/659#issuecomment-289511086

[Freeipa-devel] [freeipa PR#651][+ack] WebUI: Fix showing vault in selfservice view

2017-03-24 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/651
Title: #651: WebUI: Fix showing vault in selfservice view

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#651][comment] WebUI: Fix showing vault in selfservice view

2017-03-24 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/651
Title: #651: WebUI: Fix showing vault in selfservice view

pvoborni commented:
"""
Works fine. ACK
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/651#issuecomment-288990983
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#470][comment] WebUI: Size limit warning on details pages fixed

2017-03-24 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/470
Title: #470: WebUI: Size limit warning on details pages fixed

pvoborni commented:
"""
Code looks good and works fine, ACK.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/470#issuecomment-288965483

[Freeipa-devel] [freeipa PR#470][+ack] WebUI: Size limit warning on details pages fixed

2017-03-24 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/470
Title: #470: WebUI: Size limit warning on details pages fixed

Label: +ack

[Freeipa-devel] [freeipa PR#639][+ack] WebUI: Login for AD Users

2017-03-24 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/639
Title: #639: WebUI: Login for AD Users

Label: +ack

[Freeipa-devel] [freeipa PR#639][comment] WebUI: Login for AD Users

2017-03-24 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/639
Title: #639: WebUI: Login for AD Users

pvoborni commented:
"""
The code changes look good to me. ACK given that it works fine (@abbra 's 
comment).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/639#issuecomment-288961590

[Freeipa-devel] [freeipa PR#626][comment] Move helper code for integration plugin

2017-03-20 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/626
Title: #626: Move helper code for integration plugin

pvoborni commented:
"""
From the PR description it is not clear what problem it solves or if it solves 
a problem.
"doesn't play nice " is vague. 

" Certain aspects of pytest are not available right away. For example 
pytest.config is generated after configuration stage but before discovery 
stage." Is a description of reality, not a problem.

In other words: Why is this needed? And I'm not implying it is not needed, just 
the PR comment doesn't explain it.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/626#issuecomment-287730758

[Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional

2017-03-15 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/502
Title: #502: Make pylint and jsl optional

pvoborni commented:
"""
If it improves messages then I assume so provided that it won't be 
controversial in other aspects.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/502#issuecomment-286729103

[Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional

2017-03-15 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/502
Title: #502: Make pylint and jsl optional

pvoborni commented:
"""
There was no result in the upstream discussion. My personal opinion is that one 
way or the other can work. They are for different use cases. I tend to prefer 
the "be easier for developer" approach. That said, preferred method for 
downstreams needs to be documented ideally in BUILD.txt.

In any case spending so much time discussing such a minor change is a waste of 
time. I'd push it.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/502#issuecomment-286727867

[Freeipa-devel] [freeipa PR#577][comment] WebUI: Add support for AD users short name resolution

2017-03-14 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/577
Title: #577: WebUI: Add support for AD users short name resolution

pvoborni commented:
"""
ACK if backend won't change
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/577#issuecomment-286373214

[Freeipa-devel] [freeipa PR#566][synchronized] webui: do not warn about CAs if there is only one master

2017-03-10 Thread pvoborni
   URL: https://github.com/freeipa/freeipa/pull/566
Author: pvoborni
 Title: #566: webui: do not warn about CAs if there is only one master
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/566/head:pr566
git checkout pr566
From cee2b37c31643cf520665a495d0cb6965540bee8 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Thu, 9 Mar 2017 20:06:25 +0100
Subject: [PATCH] webui: do not warn about CAs if there is only one master

Web UI showed pop-up dialog which recommends to install additional CA in
topology section when only 1 CA existed even if there was only one master.

The thought behind the pop-up is to prevent a situation where multiple replicas
are installed but none with the --setup-ca option, thus risking to lose
the CA when the original master is lost.

The warning was displayed also if only one IPA server exists. It is unnecessary
to annoy admin only about CA because the entire IPA is not duplicated.

Therefore the pop-up is now shown only one IPA server exists.

https://pagure.io/freeipa/issue/6598
---
 install/ui/src/freeipa/topology.js | 4 
 1 file changed, 4 insertions(+)

diff --git a/install/ui/src/freeipa/topology.js b/install/ui/src/freeipa/topology.js
index c33adba..ae94f98 100644
--- a/install/ui/src/freeipa/topology.js
+++ b/install/ui/src/freeipa/topology.js
@@ -497,6 +497,10 @@ topology.servers_search_facet = function(spec, no_init) {
 on_success(data, text_status, xhr);
 
 var result = data.result.results;
+
+// Do not show warning if there is only one master
+if (result.length <= 1) return;
+
 var counter = 0;
 
 for (var i=0, l=result.length; i<l; i++) {
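
Review bot: the early return tests `result.length`, the number of rows this search returned, while the comment above it speaks of masters; if the facet's search is ever filtered or size-limited, the two can differ and the CA warning would be suppressed on a multi-master deployment. A short comment stating that `result` is the full server list would make that assumption explicit. Separately, the last sentence of the commit message ("the pop-up is now shown only one IPA server exists") reads as the opposite of what `if (result.length <= 1) return;` does and should be reworded.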

[Freeipa-devel] [freeipa PR#565][synchronized] permissions: add permissions for reading and modifying external group members

2017-03-09 Thread pvoborni
   URL: https://github.com/freeipa/freeipa/pull/565
Author: pvoborni
 Title: #565: permissions: add permissions for reading and modifying external group members
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/565/head:pr565
git checkout pr565
From 1a80b146b0b371dffeafefaafddb93ce05732b88 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Thu, 23 Jun 2016 17:42:17 +0200
Subject: [PATCH] permissions: add permissions for read and mod of external
 group members

Issue: "User Administrator" role cannot add users to an External Group.

https://fedorahosted.org/freeipa/ticket/5504
---
 ACI.txt|  4 
 ipaserver/plugins/group.py | 17 +
 2 files changed, 21 insertions(+)

diff --git a/ACI.txt b/ACI.txt
index a36d460..5e84d05 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -95,9 +95,13 @@ aci: (targetattr = "a6record || record || afsdbrecord || aplrecord || arecor
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Add Groups";allow (add) groupdn = "ldap:///cn=System: Add Groups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = "ipaexternalmember")(targetfilter = "(objectclass=ipaexternalgroup)")(version 3.0;acl "permission:System: Modify External Group Membership";allow (write) groupdn = "ldap:///cn=System: Modify External Group Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=groups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "member")(targetfilter = "(&(!(cn=admins))(objectclass=ipausergroup))")(version 3.0;acl "permission:System: Modify Group Membership";allow (write) groupdn = "ldap:///cn=System: Modify Group Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "cn || description || gidnumber || ipauniqueid || mepmanagedby || objectclass")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Modify Groups";allow (write) groupdn = "ldap:///cn=System: Modify Groups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=groups,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = "ipaexternalmember")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read External Group Membership";allow (compare,read,search) userdn = "ldap:///all;;)
 dn: dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || gidnumber || memberuid || modifytimestamp || objectclass")(target = "ldap:///cn=groups,cn=compat,dc=ipa,dc=example;)(version 3.0;acl "permission:System: Read Group Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone;;)
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
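
Review bot: the added "System: Read External Group Membership" ACI uses the target filter `(|(objectclass=ipausergroup)(objectclass=posixgroup))`, while the matching modify ACI in the same hunk is scoped to `(objectclass=ipaexternalgroup)`. Both rules concern `ipaexternalmember`, so the read rule should probably target external groups as well; if the mismatch is intended, the commit message should say why.
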
diff --git a/ipaserver/plugins/group.py b/ipaserver/plugins/group.py
index 67a264a..218da3c 100644
--- a/ipaserver/plugins/group.py
+++ b/ipaserver/plugins/group.py
@@ -194,6 +194,13 @@ class group(LDAPObject):
 'member', 'memberof', 'memberuid', 'memberuser', 'memberhost',
 },
 },
+'System: Read External Group Membership': {
+'ipapermbindruletype': 'all',
+'ipapermright': {'read', 'search', 'compare'},
+'ipapermdefaultattr': {
+'ipaexternalmember',
+},
+},
 'System: Add Groups': {
 'ipapermright': {'add'},
 'replaces': [
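
Review bot: 'System: Read External Group Membership' sets `'ipapermbindruletype': 'all'`, which opens read, search and compare on `ipaexternalmember` to every authenticated bind, but the commit message only describes a problem with adding members. Please state in the commit message why read access this broad is needed, or bind the permission to a privilege the way the modify permission in this patch does with `'default_privileges'`.
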
@@ -216,6 +223,16 @@ class group(LDAPObject):
 'Group Administrators', 'Modify Group membership'
 },
 },
+'System: Modify External Group Membership': {
+'ipapermright': {'write'},
+'ipapermtargetfilter': [
+'(objectclass=ipaexternalgroup)',
+],
+'ipapermdefaultattr': {'ipaexternalmember'},
+'default_privileges': {
+'Group Administrators', 'Modify Group membership'
+},
+},
 'System: Modify Groups': {
 'ipapermright': {'write'},
 'ipapermdefaultattr': {
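
Review bot: `'default_privileges'` assigns 'System: Modify External Group Membership' to 'Group Administrators' and 'Modify Group membership', while the commit message states the problem in terms of the "User Administrator" role; nothing in the patch shows that either privilege belongs to that role. The commit message should say how the role picks up the new permission, and a test that adds an external member as such a user would back the fix.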

[Freeipa-devel] [freeipa PR#553][comment] Add check for removing last KRA server

2017-03-09 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/553
Title: #553: Add check for removing last KRA server

pvoborni commented:
"""
Fix for 6598 in #566 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/553#issuecomment-285450624

[Freeipa-devel] [freeipa PR#566][comment] webui: do not warn about CAs if there is only one master

2017-03-09 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/566
Title: #566: webui: do not warn about CAs if there is only one master

pvoborni commented:
"""
Written in a way that it can be then easily extended with KRA check.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/566#issuecomment-285449877

[Freeipa-devel] [freeipa PR#566][opened] webui: do not warn about CAs if there is only one master

2017-03-09 Thread pvoborni
   URL: https://github.com/freeipa/freeipa/pull/566
Author: pvoborni
 Title: #566: webui: do not warn about CAs if there is only one master
Action: opened

PR body:
"""
Web UI showed pop-up dialog which recommends to install additional CA in
topology section when only 1 CA existed even if there was only one master.

The thought behind the pop-up is to prevent a situation where multiple replicas
are installed but none with the --setup-ca option, thus risking to lose
the CA when the original master is lost.

The warning was displayed also if only one IPA server exists. It is unnecessary
to annoy admin only about CA because the entire IPA is not duplicated.

Therefore the pop-up is now shown only one IPA server exists.

https://pagure.io/freeipa/issue/6598
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/566/head:pr566
git checkout pr566
From b66d97e2b572f6e185caa1b0daf098f6528f9a38 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Thu, 9 Mar 2017 20:06:25 +0100
Subject: [PATCH] webui: do not warn about CAs if there is only one master

Web UI showed pop-up dialog which recommends to install additional CA in
topology section when only 1 CA existed even if there was only one master.

The thought behind the pop-up is to prevent a situation where multiple replicas
are installed but none with the --setup-ca option, thus risking to lose
the CA when the original master is lost.

The warning was displayed also if only one IPA server exists. It is unnecessary
to annoy admin only about CA because the entire IPA is not duplicated.

Therefore the pop-up is now shown only one IPA server exists.

https://pagure.io/freeipa/issue/6598
---
 install/ui/src/freeipa/topology.js | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/install/ui/src/freeipa/topology.js b/install/ui/src/freeipa/topology.js
index c33adba..df4b06d 100644
--- a/install/ui/src/freeipa/topology.js
+++ b/install/ui/src/freeipa/topology.js
@@ -507,6 +507,9 @@ topology.servers_search_facet = function(spec, no_init) {
 }
 }
 
+// Do not show warning if there is only one master
+if (result.length <= 1) return;
+
 // Create dialog and show it only when there is only one CA server
 if (counter != 1) return;
 
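
Review bot: the `result.length <= 1` check is placed after the preceding block closes and directly before the `counter != 1` test, so whatever work produces `counter` has already run when this returns. The check depends only on `result`, so it can sit right after `result` is assigned and skip that work for single-server deployments.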

[Freeipa-devel] [freeipa PR#565][opened] permissions: add permissions for reading and modifying external group members

2017-03-09 Thread pvoborni
   URL: https://github.com/freeipa/freeipa/pull/565
Author: pvoborni
 Title: #565: permissions: add permissions for reading and modifying external group members
Action: opened

PR body:
"""
Issue: "User Administrator" role cannot add users to an External Group.

https://fedorahosted.org/freeipa/ticket/5504


"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/565/head:pr565
git checkout pr565
From 77c0b6ced4428f8e82f7546086a56b91b22fbf0b Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Thu, 23 Jun 2016 17:42:17 +0200
Subject: [PATCH] permissions: add permissions for read and mod of external
 group members

Issue: "User Administrator" role cannot add users to an External Group.

https://fedorahosted.org/freeipa/ticket/5504
---
 ipaserver/plugins/group.py | 17 +
 1 file changed, 17 insertions(+)

diff --git a/ipaserver/plugins/group.py b/ipaserver/plugins/group.py
index 67a264a..218da3c 100644
--- a/ipaserver/plugins/group.py
+++ b/ipaserver/plugins/group.py
@@ -194,6 +194,13 @@ class group(LDAPObject):
 'member', 'memberof', 'memberuid', 'memberuser', 'memberhost',
 },
 },
+'System: Read External Group Membership': {
+'ipapermbindruletype': 'all',
+'ipapermright': {'read', 'search', 'compare'},
+'ipapermdefaultattr': {
+'ipaexternalmember',
+},
+},
 'System: Add Groups': {
 'ipapermright': {'add'},
 'replaces': [
@@ -216,6 +223,16 @@ class group(LDAPObject):
 'Group Administrators', 'Modify Group membership'
 },
 },
+'System: Modify External Group Membership': {
+'ipapermright': {'write'},
+'ipapermtargetfilter': [
+'(objectclass=ipaexternalgroup)',
+],
+'ipapermdefaultattr': {'ipaexternalmember'},
+'default_privileges': {
+'Group Administrators', 'Modify Group membership'
+},
+},
 'System: Modify Groups': {
 'ipapermright': {'write'},
 'ipapermdefaultattr': {
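
Review bot: this revision changes only `ipaserver/plugins/group.py` (one file in the diffstat), whereas the later revision of the same PR on this page also adds the two corresponding `aci:` entries to `ACI.txt`. The two files should change in the same commit so the recorded ACIs match the managed permissions defined here.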

[Freeipa-devel] [freeipa PR#556][comment] Don't allow standalone KRA uninstalls

2017-03-09 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/556
Title: #556: Don't allow standalone KRA uninstalls

pvoborni commented:
"""
OK, so this PR removes `--uninstall` from `ipa-kra-install`. Did it work in the 
past? Or did it always break the installation? AFAIK this workflow was not really 
tested. If answers are "No, Yes, Yes" then I'm OK with the PR.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/556#issuecomment-285354949

[Freeipa-devel] [freeipa PR#549][+ack] WebUI: certmap match

2017-03-08 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/549
Title: #549: WebUI: certmap match

Label: +ack

[Freeipa-devel] [freeipa PR#310][comment] WIP: CLI testing

2017-03-08 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/310
Title: #310: WIP: CLI testing

pvoborni commented:
"""
Marking as postponed. We cannot expect the changes to be addressed by @mirielka 
any time soon. And CLI testing might  need design discussion.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/310#issuecomment-285045089

[Freeipa-devel] [freeipa PR#310][+postponed] WIP: CLI testing

2017-03-08 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/310
Title: #310: WIP: CLI testing

Label: +postponed

[Freeipa-devel] [freeipa PR#331][comment] WebUI: don't change casing of Auth Indicators values

2017-03-08 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/331
Title: #331: WebUI: don't change casing of Auth Indicators values

pvoborni commented:
"""
ACK but I've found out that the change is not enough because of an existing bug. 
See PR #554 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/331#issuecomment-285043268
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#331][+ack] WebUI: don't change casing of Auth Indicators values

2017-03-08 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/331
Title: #331: WebUI: don't change casing of Auth Indicators values

Label: +ack

[Freeipa-devel] [freeipa PR#554][opened] webui: fixes normalization of value in attributes widget

2017-03-08 Thread pvoborni
   URL: https://github.com/freeipa/freeipa/pull/554
Author: pvoborni
 Title: #554: webui: fixes normalization of value in attributes widget
Action: opened

PR body:
"""
Fix is in checkboxes widget but the only affected one is attributes widget.

Reproduction:
 1. Add permission with attribute with uppercase character
   $ ipa permission-add aa_test --type=stageuser --attrs=businessCategory --right=read
 2. Check if it is correctly displayed in Web UI

Actual result:
 - businesscategory is not checked
Expected result:
 - businesscategory is checked
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/554/head:pr554
git checkout pr554
From 9fbbc727bfc15e7dc509099bfaca3651d6decb49 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Wed, 8 Mar 2017 14:34:20 +0100
Subject: [PATCH] webui: fixes normalization of value in attributes widget

Fix is in checkboxes widget but the only affected one is attributes widget.

Reproduction:
 1. Add permission with attribute with uppercase character
   $ ipa permission-add aa_test --type=stageuser --attrs=businessCategory --right=read
 2. Check if it is correctly displayed in Web UI

Actual result:
 - businesscategory is not checked
Expected result:
 - businesscategory is checked
---
 install/ui/src/freeipa/widget.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/ui/src/freeipa/widget.js b/install/ui/src/freeipa/widget.js
index 17b1376..bdcb896 100644
--- a/install/ui/src/freeipa/widget.js
+++ b/install/ui/src/freeipa/widget.js
@@ -2626,7 +2626,7 @@ IPA.custom_checkboxes_widget = function(spec) {
 that.populate();
 that.append();
 that.owb_create(that.container);
-that.owb_update(values);
+that.owb_update(that.values);
 };
 
 /**
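
Review bot: the fix hinges on passing `that.values` instead of the local `values` to `that.owb_update(...)`, a one-token difference that is easy to undo in a later cleanup. Add a short comment on that line saying why the widget's own `that.values` is needed (the subject line points at value normalization), and reference a ticket in the commit message as the other patches here do, so the reproduction steps stay findable.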

[Freeipa-devel] [freeipa PR#300][+ack] WebUI: Add support for custom table pagination size

2017-03-08 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/300
Title: #300: WebUI: Add support for custom table pagination size

Label: +ack

[Freeipa-devel] [freeipa PR#400][+ack] WebUI: Certificate Mapping

2017-03-08 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/400
Title: #400: WebUI: Certificate Mapping

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#533][+ack] WebUI: Change structure of Identity submenu

2017-03-07 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/533
Title: #533: WebUI: Change structure of Identity submenu

Label: +ack

[Freeipa-devel] [freeipa PR#520][synchronized] Change README to use Markdown

2017-03-02 Thread pvoborni
   URL: https://github.com/freeipa/freeipa/pull/520
Author: pvoborni
 Title: #520: Change README to use Markdown
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/520/head:pr520
git checkout pr520
From cad3bc057967b8d14529960d955c05183b00a279 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Tue, 28 Feb 2017 19:04:03 +0100
Subject: [PATCH] Change README to use Markdown

So that it will be nicely formatted on FreeIPA Pagure landing page.
  https://pagure.io/freeipa

Some links were updated as other projects also moved to Pagure.io.
---
 Makefile.am |  1 +
 README  | 92 -
 README.md   | 73 +
 freeipa.spec.in | 32 ++--
 4 files changed, 90 insertions(+), 108 deletions(-)
 delete mode 100644 README
 create mode 100644 README.md

diff --git a/Makefile.am b/Makefile.am
index a35d18f..c00ac2e 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -40,6 +40,7 @@ EXTRA_DIST = .mailmap \
 	 API.txt \
 	 BUILD.txt \
 	 config.rpath \
+	 README.md \
 	 Contributors.txt \
 	 COPYING.openssl \
 	 contrib \
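
Review bot: The new `README.md` entry in `EXTRA_DIST` is not covered by the commit message, which only mentions Pagure formatting and updated links, while the diffstat also lists 32 changed lines in `freeipa.spec.in`. Add a line to the message saying that the dist list and the spec file were adjusted for the rename. The entry is also placed between `config.rpath` and `Contributors.txt`, where the visible neighbours are in roughly alphabetical order; consider moving it to where it sorts.
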
diff --git a/README b/README
deleted file mode 100644
index ad5b081..000
--- a/README
+++ /dev/null
@@ -1,92 +0,0 @@
-
-   IPA Server
-
-  Overview
-  
-
-  FreeIPA allows Linux administrators to centrally manage identity,
-  authentication and access control aspects of Linux and UNIX systems
-  by providing simple to install and use command line and web based
-  managment tools.
-  FreeIPA is built on top of well known Open Source components and standard
-  protocols with a very strong focus on ease of management and automation
-  of installation and configuration tasks.
-  FreeIPA can seamlessly integrate into an Active Directory environment via
-  cross-realm Kerberos trust or user synchronization.
-
-  Benefits
-  
-
-  FreeIPA:
-  * Allows all your users to access all the machines with the same credentials
-and security settings
-  * Allows users to access personal files transparently from any machine in
-an authenticated and secure way
-  * Uses an advanced grouping mechanism to restrict network access to services
-and files only to specific users
-  * Allows central management of security mechanisms like passwords,
-SSH Public Keys, SUDO rules, Keytabs, Access Control Rules
-  * Enables delegation of selected administrative tasks to other power users
-  * Integrates into Active Directory environments
-
-  Components
-  --
-
-  The FreeIPA project provides unified installation and management
-  tools for the following components:
-
-  * LDAP Server - based on the 389 project (LDAP)
-http://directory.fedoraproject.org/wiki/Main_Page
-
-  * KDC - based on MIT Kerberos implementation
-http://k5wiki.kerberos.org/wiki/Main_Page
-
-  * PKI based on Dogtag project
-http://pki.fedoraproject.org/wiki/PKI_Main_Page
-
-  * Samba libraries for Active Directory integration
-http://www.samba.org/
-
-  * DNS Server based on BIND and the Bind-DynDB-LDAP plugin
-https://www.isc.org/software/bind
-https://fedorahosted.org/bind-dyndb-ldap
-
-
-  Project Website
-  ---
-
-  Releases, announcements and other information can be found on the IPA
-  server project page at <http://www.freeipa.org/>.
-
-  Documentation
-  -
-
-  The most up-to-date documentation can be found at
-  <http://freeipa.org/page/Documentation>.
-
-  Quick Start
-  ---
-
-  To get started quickly, start here:
-  <http://www.freeipa.org/page/Quick_Start_Guide>
-
-  Licensing
-  -
-
-  Please see the file called COPYING.
-
-  Contacts
-  
-
- * If you want to be informed about new code releases, bug fixes,
-   security fixes, general news and information about the IPA server
-   subscribe to the freeipa-announce mailing list at
-   <https://www.redhat.com/mailman/listinfo/freeipa-interest/>.
-
- * If you have a bug report please submit it at:
-   <https://bugzilla.redhat.com>
-
- * If you want to participate in actively developing IPA please
-   subscribe to the freeipa-devel mailing list at
-   <https://www.redhat.com/mailman/listinfo/freeipa-devel/> or join
-   us in IRC at irc://irc.freenode.net/freeipa
diff --git a/README.md b/README.md
new file mode 100644
index 000..9608453
--- /dev/null
+++ b/README.md
@@ -0,0 +1,73 @@
+# FreeIPA Server
+
+FreeIPA allows Linux administrators to centrally manage identity,
+authentication and access control aspects of Linux and UNIX systems
+by providing simple to install and use command line and web based
+managment tools.
+
+FreeIPA is built on top of well known Open Source components and standard
+protocols with a very strong 
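
Review bot: The misspelling `managment` in the first paragraph of the new `README.md` is carried over unchanged from the deleted `README`. Every line of the file is being rewritten in this commit anyway, so correct it to `management` here.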

[Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional

2017-03-01 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/502
Title: #502: Make pylint and jsl optional

pvoborni commented:
"""
+1 Reasoning for not skipping linters was that reviewer or patch author can 
forget to run those. This problem was solved by travis checks.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/502#issuecomment-283412804

[Freeipa-devel] [freeipa PR#520][synchronized] Change README to use Markdown

2017-03-01 Thread pvoborni
   URL: https://github.com/freeipa/freeipa/pull/520
Author: pvoborni
 Title: #520: Change README to use Markdown
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/520/head:pr520
git checkout pr520
From 3e883734d6d58b483fa33b1a8dac0a435a52f37a Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Tue, 28 Feb 2017 19:04:03 +0100
Subject: [PATCH] Change README to use Markdown

So that it will be nicely formatted on FreeIPA Pagure landing page.
  https://pagure.io/freeipa

Some links were updated as other projects also moved to Pagure.io.
---
 README| 92 ---
 README.md | 73 ++
 2 files changed, 73 insertions(+), 92 deletions(-)
 delete mode 100644 README
 create mode 100644 README.md

diff --git a/README b/README
deleted file mode 100644
index ad5b081..000
--- a/README
+++ /dev/null
@@ -1,92 +0,0 @@
-
-   IPA Server
-
-  Overview
-  
-
-  FreeIPA allows Linux administrators to centrally manage identity,
-  authentication and access control aspects of Linux and UNIX systems
-  by providing simple to install and use command line and web based
-  managment tools.
-  FreeIPA is built on top of well known Open Source components and standard
-  protocols with a very strong focus on ease of management and automation
-  of installation and configuration tasks.
-  FreeIPA can seamlessly integrate into an Active Directory environment via
-  cross-realm Kerberos trust or user synchronization.
-
-  Benefits
-  
-
-  FreeIPA:
-  * Allows all your users to access all the machines with the same credentials
-and security settings
-  * Allows users to access personal files transparently from any machine in
-an authenticated and secure way
-  * Uses an advanced grouping mechanism to restrict network access to services
-and files only to specific users
-  * Allows central management of security mechanisms like passwords,
-SSH Public Keys, SUDO rules, Keytabs, Access Control Rules
-  * Enables delegation of selected administrative tasks to other power users
-  * Integrates into Active Directory environments
-
-  Components
-  --
-
-  The FreeIPA project provides unified installation and management
-  tools for the following components:
-
-  * LDAP Server - based on the 389 project (LDAP)
-http://directory.fedoraproject.org/wiki/Main_Page
-
-  * KDC - based on MIT Kerberos implementation
-http://k5wiki.kerberos.org/wiki/Main_Page
-
-  * PKI based on Dogtag project
-http://pki.fedoraproject.org/wiki/PKI_Main_Page
-
-  * Samba libraries for Active Directory integration
-http://www.samba.org/
-
-  * DNS Server based on BIND and the Bind-DynDB-LDAP plugin
-https://www.isc.org/software/bind
-https://fedorahosted.org/bind-dyndb-ldap
-
-
-  Project Website
-  ---
-
-  Releases, announcements and other information can be found on the IPA
-  server project page at <http://www.freeipa.org/>.
-
-  Documentation
-  -
-
-  The most up-to-date documentation can be found at
-  <http://freeipa.org/page/Documentation>.
-
-  Quick Start
-  ---
-
-  To get started quickly, start here:
-  <http://www.freeipa.org/page/Quick_Start_Guide>
-
-  Licensing
-  -
-
-  Please see the file called COPYING.
-
-  Contacts
-  
-
- * If you want to be informed about new code releases, bug fixes,
-   security fixes, general news and information about the IPA server
-   subscribe to the freeipa-announce mailing list at
-   <https://www.redhat.com/mailman/listinfo/freeipa-interest/>.
-
- * If you have a bug report please submit it at:
-   <https://bugzilla.redhat.com>
-
- * If you want to participate in actively developing IPA please
-   subscribe to the freeipa-devel mailing list at
-   <https://www.redhat.com/mailman/listinfo/freeipa-devel/> or join
-   us in IRC at irc://irc.freenode.net/freeipa
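
Review bot: This revision deletes `README` and creates `README.md` but, per the diffstat, touches no other file. Check whether the build or packaging files refer to `README` by name and update them in the same commit, otherwise the renamed file can be left out of the tarball or break the package build.
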
diff --git a/README.md b/README.md
new file mode 100644
index 000..9608453
--- /dev/null
+++ b/README.md
@@ -0,0 +1,73 @@
+# FreeIPA Server
+
+FreeIPA allows Linux administrators to centrally manage identity,
+authentication and access control aspects of Linux and UNIX systems
+by providing simple to install and use command line and web based
+managment tools.
+
+FreeIPA is built on top of well known Open Source components and standard
+protocols with a very strong focus on ease of management and automation
+of installation and configuration tasks.
+
+FreeIPA can seamlessly integrate into an Active Directory environment via
+cross-realm Kerberos trust or user synchronization.
+
+## Benefits
+
+FreeIPA:
+
+* Allows all your users to access all the machines with the same credentials
+  and security settings
+* Allows users to ac

[Freeipa-devel] [freeipa PR#520][opened] Change README to use Markdown

2017-02-28 Thread pvoborni
   URL: https://github.com/freeipa/freeipa/pull/520
Author: pvoborni
 Title: #520: Change README to use Markdown
Action: opened

PR body:
"""
So that it will be nicely formatted on FreeIPA Pagure landing page.
  https://pagure.io/freeipa

Some links were updated as other projects also moved to Pagure.io.

Temporary preview on: https://pagure.io/pvoborni-test
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/520/head:pr520
git checkout pr520
From 773512bcacfac3b2847d952de81ede915eba841d Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Tue, 28 Feb 2017 19:04:03 +0100
Subject: [PATCH] Change README to use Markdown

So that it will be nicely formatted on FreeIPA Pagure landing page.
  https://pagure.io/freeipa

Some links were updated as other projects also moved to Pagure.io.
---
 README| 92 ---
 README.md | 74 ++
 2 files changed, 74 insertions(+), 92 deletions(-)
 delete mode 100644 README
 create mode 100644 README.md

diff --git a/README b/README
deleted file mode 100644
index ad5b081..000
--- a/README
+++ /dev/null
@@ -1,92 +0,0 @@
-
-   IPA Server
-
-  Overview
-  
-
-  FreeIPA allows Linux administrators to centrally manage identity,
-  authentication and access control aspects of Linux and UNIX systems
-  by providing simple to install and use command line and web based
-  managment tools.
-  FreeIPA is built on top of well known Open Source components and standard
-  protocols with a very strong focus on ease of management and automation
-  of installation and configuration tasks.
-  FreeIPA can seamlessly integrate into an Active Directory environment via
-  cross-realm Kerberos trust or user synchronization.
-
-  Benefits
-  
-
-  FreeIPA:
-  * Allows all your users to access all the machines with the same credentials
-and security settings
-  * Allows users to access personal files transparently from any machine in
-an authenticated and secure way
-  * Uses an advanced grouping mechanism to restrict network access to services
-and files only to specific users
-  * Allows central management of security mechanisms like passwords,
-SSH Public Keys, SUDO rules, Keytabs, Access Control Rules
-  * Enables delegation of selected administrative tasks to other power users
-  * Integrates into Active Directory environments
-
-  Components
-  --
-
-  The FreeIPA project provides unified installation and management
-  tools for the following components:
-
-  * LDAP Server - based on the 389 project (LDAP)
-http://directory.fedoraproject.org/wiki/Main_Page
-
-  * KDC - based on MIT Kerberos implementation
-http://k5wiki.kerberos.org/wiki/Main_Page
-
-  * PKI based on Dogtag project
-http://pki.fedoraproject.org/wiki/PKI_Main_Page
-
-  * Samba libraries for Active Directory integration
-http://www.samba.org/
-
-  * DNS Server based on BIND and the Bind-DynDB-LDAP plugin
-https://www.isc.org/software/bind
-https://fedorahosted.org/bind-dyndb-ldap
-
-
-  Project Website
-  ---
-
-  Releases, announcements and other information can be found on the IPA
-  server project page at <http://www.freeipa.org/>.
-
-  Documentation
-  -
-
-  The most up-to-date documentation can be found at
-  <http://freeipa.org/page/Documentation>.
-
-  Quick Start
-  ---
-
-  To get started quickly, start here:
-  <http://www.freeipa.org/page/Quick_Start_Guide>
-
-  Licensing
-  -
-
-  Please see the file called COPYING.
-
-  Contacts
-  
-
- * If you want to be informed about new code releases, bug fixes,
-   security fixes, general news and information about the IPA server
-   subscribe to the freeipa-announce mailing list at
-   <https://www.redhat.com/mailman/listinfo/freeipa-interest/>.
-
- * If you have a bug report please submit it at:
-   <https://bugzilla.redhat.com>
-
- * If you want to participate in actively developing IPA please
-   subscribe to the freeipa-devel mailing list at
-   <https://www.redhat.com/mailman/listinfo/freeipa-devel/> or join
-   us in IRC at irc://irc.freenode.net/freeipa
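
Review bot: In the removed Contacts section the freeipa-announce entry links to `.../listinfo/freeipa-interest/`, and the Components list points at `https://fedorahosted.org/bind-dyndb-ldap`. The commit message says some links were updated, so confirm that `README.md` resolves the announce/interest mismatch and replaces the fedorahosted.org link instead of copying both across as they are.
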
diff --git a/README.md b/README.md
new file mode 100644
index 000..1cbb49e
--- /dev/null
+++ b/README.md
@@ -0,0 +1,74 @@
+FreeIPA Server
+==
+
+FreeIPA allows Linux administrators to centrally manage identity,
+authentication and access control aspects of Linux and UNIX systems
+by providing simple to install and use command line and web based
+managment tools.
+
+FreeIPA is built on top of well known Open Source components and standard
+protocols with a very strong focus on ease of management and automation
+of installation and configuration tasks.
+
+FreeIPA 

[Freeipa-devel] [freeipa PR#519][comment] WebUI: add sizelimit:0 to cert-find

2017-02-28 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/519
Title: #519: WebUI: add sizelimit:0 to cert-find

pvoborni commented:
"""
LGTM
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/519#issuecomment-283096563

[Freeipa-devel] [freeipa PR#507][comment] Use https to get security domain from Dogtag

2017-02-24 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/507
Title: #507: Use https to get security domain from Dogtag

pvoborni commented:
"""
I.e. I want to know if something needs to be or should be backported. 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/507#issuecomment-282281077

[Freeipa-devel] [freeipa PR#507][comment] Use https to get security domain from Dogtag

2017-02-24 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/507
Title: #507: Use https to get security domain from Dogtag

pvoborni commented:
"""
What is the context of this patch? Is something broken only in master, or also 
in 4.4, Fedora, RHEL,...?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/507#issuecomment-282280330

[Freeipa-devel] [freeipa PR#484][closed] FIPS: Remove pkispawn cruft

2017-02-23 Thread pvoborni
   URL: https://github.com/freeipa/freeipa/pull/484
Author: stlaz
 Title: #484: FIPS: Remove pkispawn cruft
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/484/head:pr484
git checkout pr484

[Freeipa-devel] [freeipa PR#484][comment] FIPS: Remove pkispawn cruft

2017-02-23 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/484
Title: #484: FIPS: Remove pkispawn cruft

pvoborni commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/728a6bd4229ba170b2e94f216127b19d5d94e2ba
https://fedorahosted.org/freeipa/changeset/a39effed7603d66acd238e3142f4df8081ff7bc8
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/484#issuecomment-281997170

[Freeipa-devel] [freeipa PR#484][+pushed] FIPS: Remove pkispawn cruft

2017-02-23 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/484
Title: #484: FIPS: Remove pkispawn cruft

Label: +pushed

[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages

2017-02-23 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

pvoborni commented:
"""
Some distros like RHEL don't have python-wheel packaged. It can be disabled 
by a downstream patch, but it would be better to remove it or make it configurable.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/472#issuecomment-281934554

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-02-22 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

pvoborni commented:
"""
Also I added a section to the FreeIPA wiki: 
http://www.freeipa.org/page/V4/Build_system_refactoring#Packager_-_client_only_build
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-281692728

[Freeipa-devel] [freeipa PR#494][comment] Support client-only build

2017-02-22 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/494
Title: #494: Support client-only build

pvoborni commented:
"""
#364 was pushed.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/494#issuecomment-281690828

[Freeipa-devel] [freeipa PR#494][closed] Support client-only build

2017-02-22 Thread pvoborni
   URL: https://github.com/freeipa/freeipa/pull/494
Author: lslebodn
 Title: #494: Support client-only build
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/494/head:pr494
git checkout pr494

[Freeipa-devel] [freeipa PR#494][+rejected] Support client-only build

2017-02-22 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/494
Title: #494: Support client-only build

Label: +rejected

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-02-22 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

pvoborni commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/70554938d4f9ba5b347cd4bc8001428e905198e4
https://fedorahosted.org/freeipa/changeset/41d7ae54fafc6deb602e1a990eaec37c6ae4880b
https://fedorahosted.org/freeipa/changeset/20c1eb9844223d892da47da1ea10662d37953ff8
https://fedorahosted.org/freeipa/changeset/2747f2ad782c7640ecc6949098f0d43411182255
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-281689932

[Freeipa-devel] [freeipa PR#364][closed] Client-only builds with --disable-server

2017-02-22 Thread pvoborni
   URL: https://github.com/freeipa/freeipa/pull/364
Author: tiran
 Title: #364: Client-only builds with --disable-server
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/364/head:pr364
git checkout pr364

[Freeipa-devel] [freeipa PR#364][+pushed] Client-only builds with --disable-server

2017-02-22 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

Label: +pushed

[Freeipa-devel] [freeipa PR#368][+ack] WebUI: fix incorrect behavior of ESC button on combobox

2017-02-17 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/368
Title: #368: WebUI: fix incorrect behavior of ESC button on combobox 

Label: +ack

[Freeipa-devel] [freeipa PR#368][comment] WebUI: fix incorrect behavior of ESC button on combobox

2017-02-17 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/368
Title: #368: WebUI: fix incorrect behavior of ESC button on combobox 

pvoborni commented:
"""
ACK given that Martin did functional testing
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/368#issuecomment-280700948

[Freeipa-devel] [freeipa PR#368][comment] WebUI: fix incorrect behavior of ESC button on combobox

2017-02-17 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/368
Title: #368: WebUI: fix incorrect behavior of ESC button on combobox 

pvoborni commented:
"""
Code LGTM, but I did not test the behavior, so I cannot give ACK now.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/368#issuecomment-280628318

[Freeipa-devel] [freeipa PR#470][comment] WebUI: Size limit warning on details pages fixed

2017-02-17 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/470
Title: #470: WebUI: Size limit warning on details pages fixed

pvoborni commented:
"""
Would it be better to suppress the warning and use a sensible size limit? I.e. 
the entity select doesn't need to show all entries. I'm afraid that it might 
have a negative performance impact.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/470#issuecomment-280627755
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-02-17 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

pvoborni commented:
"""
I still fail to see why we should care about `make dist` with `configure 
--disable-server`. This is not a combination of options which should be used 
together; there is no point in it except as a theoretical exercise.

> then I will need to send PR to fix client-only build and it will not install 
> ipatests with --disable-server.

Why?

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-280596786

[Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop

2017-02-15 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

pvoborni commented:
"""
And AFAIK b) is not supported. @martbab, does something indicate otherwise?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/468#issuecomment-280056255

[Freeipa-devel] [freeipa PR#331][comment] WebUI: don't change casing of Auth Indicators values

2017-02-15 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/331
Title: #331: WebUI: don't change casing of Auth Indicators values

pvoborni commented:
"""
LGTM (reading code).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/331#issuecomment-279984562

[Freeipa-devel] [freeipa PR#215][closed] Add script to setup krb5 NFS exports

2017-02-14 Thread pvoborni
   URL: https://github.com/freeipa/freeipa/pull/215
Author: jumitche
 Title: #215: Add script to setup krb5 NFS exports
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/215/head:pr215
git checkout pr215

[Freeipa-devel] [freeipa PR#215][+rejected] Add script to setup krb5 NFS exports

2017-02-14 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/215
Title: #215: Add script to setup krb5 NFS exports

Label: +rejected

[Freeipa-devel] [freeipa PR#215][comment] Add script to setup krb5 NFS exports

2017-02-14 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/215
Title: #215: Add script to setup krb5 NFS exports

pvoborni commented:
"""
Justin, pasting here a re-phrased version of the mail I wrote you on Dec 5.

This is a tool which integrates an external host with FreeIPA. It is written in a 
way that it can exist completely outside of the FreeIPA git repository. Thinking 
more about it, it might actually be better to write an Ansible module which 
would configure a server as an NFS server and join it to the FreeIPA realm. We will be 
working on better Ansible integration in the very close future.

Technical/maintenance side of the patch: tools merged in the FreeIPA repository are 
then maintained by the FreeIPA core team. The problem is that the tool is written in a 
way that it doesn't use any internal FreeIPA calls and thus reimplements IPA 
logic, which makes it hard to maintain. To make it easier to maintain it would be 
better to reuse IPA internal calls. But it doesn't make sense for you to spend 
time on rewriting it according to upstream rules, nor does it make sense for 
an upstream developer to modify your code according to them (this would be faster 
for both sides than the former review ping-pong). So it would be preferred to 
maintain it elsewhere.

The proposal/general agreement on FreeIPA triage was:
- move this script into a separate git repo, e.g. on GitHub. That way fixing the 
script doesn't have to rely on the FreeIPA schedule. It might be your repo or maybe 
under the FreeIPA org if you prefer it.
- FreeIPA upstream will create a wiki page where we will list similar 
contributions (like https://github.com/peterpakos/ipa_check_consistency/ ) and 
add it there so it would be discoverable
- FreeIPA upstream will also make it discoverable from installed rpms - 
https://fedorahosted.org/freeipa/ticket/6536
- if the project receives high enough popularity - will be widely used - it may be 
considered for a rewrite and inclusion into IPA core

What was not discussed but may be a good thing is to create integration travis 
tests in the separate repo which would test the script so it can be tested 
automatically.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/215#issuecomment-279784708

[Freeipa-devel] [freeipa PR#23][+postponed] Time-Based HBAC Policies

2017-02-14 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/23
Title: #23: Time-Based HBAC Policies

Label: +postponed

[Freeipa-devel] [freeipa PR#379][comment] Packaging: Add placeholder and IPA commands packages

2017-02-14 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/379
Title: #379: Packaging: Add placeholder and IPA commands packages

pvoborni commented:
"""
If there is a reason, it can be maintained in IPA, but what is the reason?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/379#issuecomment-279768384

[Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing

2017-02-14 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/397
Title: #397: Improve wheel building and provide ipaserver wheel for local 
testing

pvoborni commented:
"""
@tiran I have a very vague idea how this is helpful. You have mentioned it 
during post-devconf "API meeting". But I no longer remember it and the 
description of this PR is very general.

In order to move all the pypi patches forward, we need to document (maybe 
design) the whole pypi workflow. This is not mentioned in 
http://www.freeipa.org/page/V4/Build_system_refactoring nor in 
http://www.freeipa.org/page/V4/Integration_Improvements . I.e. how FreeIPA 
project will work/supply packages to PYPI and what are actually the 
requirements for these packages. What is expected to work and what not (like 
everything related to pyhbac).

Right now I have no idea what are the missing blocker parts and what are just 
nice-to-have things. 

Also I don't really like the part that the patches use custom repo of 
python-nss. But I'm glad that you are working with @jdennis to improve it. 
@stlaz, with PR #367 what are the remaining usages of python-nss? Could we 
actually get rid of python-nss completely?



"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/397#issuecomment-279767185

[Freeipa-devel] [freeipa PR#379][comment] Packaging: Add placeholder and IPA commands packages

2017-02-14 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/379
Title: #379: Packaging: Add placeholder and IPA commands packages

pvoborni commented:
"""
I thought that I understand why this PR is needed but in fact I don't. Ticket 
#6484 is closed. Why is it attached to it?

How will the pypi packaging change if ipacommands package is not there? Would 
it be used for anything? How should it be used?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/379#issuecomment-279753967

[Freeipa-devel] [freeipa PR#459][comment] [WIP] Faster JSON encoder/decoder

2017-02-13 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/459
Title: #459: [WIP] Faster JSON encoder/decoder

pvoborni commented:
"""
As mentioned at the meeting, if rpcserver prettyprints into output in debug 
mode then it is fine.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/459#issuecomment-279466497

[Freeipa-devel] [freeipa PR#459][comment] [WIP] Faster JSON encoder/decoder

2017-02-13 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/459
Title: #459: [WIP] Faster JSON encoder/decoder

pvoborni commented:
"""
It's usually quicker to read raw response in browser than the folded "preview" 
because everything is visible and no clicking is required. Same for curl 
testing. But for curl I can imagine piping it to some tool. 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/459#issuecomment-279370915

[Freeipa-devel] [freeipa PR#459][comment] [WIP] Faster JSON encoder/decoder

2017-02-13 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/459
Title: #459: [WIP] Faster JSON encoder/decoder

pvoborni commented:
"""
Is there a way (I did not read changes thoroughly) to enable sorting and 
indentation, e.g. for testing purposes?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/459#issuecomment-279365267

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-02-10 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

pvoborni commented:
"""
I still think that this use case needs to be documented in 
http://www.freeipa.org/page/V4/Build_system_refactoring#How_to_Use . 

IMHO `make dist` can fail with --disable-server. Use case for `make dist` is 
releasing and there is no point to do release without server bits. But make 
sure to document it and test that `make dist` works without it ;) .

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-278950622

[Freeipa-devel] [freeipa PR#423][comment] dns-update-system-records: add support for nsupdate output format

2017-02-08 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/423
Title: #423: dns-update-system-records: add support for nsupdate output format

pvoborni commented:
"""
I've added acceptance criteria and user story to the related FreeIPA ticket.   

I miss a "how to use part" - a specific example. This should be in FreeIPA.org 
wiki, e.g. in design page (rest of the design page can be copied user story and 
empty), but the how to use section with both auth methods is a critical part.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/423#issuecomment-278354671

[Freeipa-devel] [freeipa PR#443][comment] Stronger check for DM password during server install

2017-02-08 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/443
Title: #443: Stronger check for DM password during server install

pvoborni commented:
"""
Function check_password_fips_nssdb_compatible looks like a great candidate for 
unit test.

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/443#issuecomment-278350912

[Freeipa-devel] [freeipa PR#437][comment] FIPS: replica install check

2017-02-07 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/437
Title: #437: FIPS: replica install check

pvoborni commented:
"""
@MartinBasti I'm not sure from your comment if you would like to provide a way 
to change non-FIPS server into a FIPS server or just brainstorming ways how it 
can be worked around. In any case this path is not a goal and actually should 
be discouraged. http://www.freeipa.org/page/V4/FreeIPA-on-FIPS#Design
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/437#issuecomment-277950210
