[Freeipa-users] Fwd: packages for Fedora 14
-- Forwarded message -- From: Stephen Ingram Date: Fri, Apr 8, 2011 at 2:02 PM Subject: Re: [Freeipa-users] packages for Fedora 14 To: d...@redhat.com I installed the rc2 version and used the f14-testing repo to accommodate. Would this work for v2 or has dogtag been revved again? Steve On Fri, Apr 8, 2011 at 1:56 PM, Dmitri Pal wrote: > On 04/08/2011 04:51 PM, Stephen Ingram wrote: >> Will ipa-v2 packages be released for Fedora 14 since Fedora 15 final >> is not yet available? > > The issue with F14 is that it still has an older version of the > Certificate System (Dogtag). > We can't release as there will be collisions but the upstream bits are > installable on Fedora 14. > >> Steve >> >> ___ >> Freeipa-users mailing list >> Freeipa-users@redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. > > > --- > Looking to carve out IT costs? > www.redhat.com/carveoutcosts/ > > > > ___ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] packages for Fedora 14
On 04/08/2011 04:51 PM, Stephen Ingram wrote: > Will ipa-v2 packages be released for Fedora 14 since Fedora 15 final > is not yet available? The issue with F14 is that it still has an older version of the Certificate System (Dogtag). We can't release as there will be collisions but the upstream bits are installable on Fedora 14. > Steve > > ___ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] packages for Fedora 14
Will ipa-v2 packages be released for Fedora 14 since Fedora 15 final is not yet available? Steve ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] 6.1 beta
On 04/08/2011 06:26 AM, Dmitri Pal wrote: On 04/08/2011 02:38 AM, Sigbjorn Lie wrote: Hi Kevin, Please disregards Steven Jones' ranting, this was not the kind of feedback I was looking for. Ok, I do like the wider options for channels in Red Hat, but this bring me to my next question: Will there be an extra charge for this add on channel, or will this be included in the base subscription? If $answer = yes { Why does Red Hat think they can charge more for a feature that is included in it's competitors base license for the equivalent product? } Else if $answer = no { Great! :) } Rgds, Siggi I will leave to Kevin to describe details but in a nutshell the replication and or synchronization with AD (same channel) is not free. Red Hat worked out a competitive pricing model for this product and some of the cost is attached to the replication bits. There aren't many more details to fill in because the final pricing decisions have not been, erm... finalised. As Dmitri said, we have been working on models to ensure the pricing is competitive and flexible. One additional parameter that we have to take into consideration are the pricing models for other Red Hat offerings such as virtualization, systems management and middleware offerings. We want an easy to understand pricing model that provides the best value for our customers. Just to reiterate, the upstream community supported packages remain freely available in both binary and source form. Cheers, Kev ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Auto membership plugin
On 04/08/2011 11:49 AM, JR Aquino wrote: > Is there any way to capture a description associated with the regex -> group > mapping? > > I was thinking that after time, it would be important to look back on rules > and know why they were put there. > > Particularly in the case of regex, since it may not be completely obvious by > looking back at alphabet soup. > > ___ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > The more I think about current design the more I want to normalize things. I would rather instead of: dn: cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config objectclass: autoMemberDefinition autoMemberScope: dc=example,dc=com autoMemberFilter: objectclass=ipaHost autoMemberExclusiveRegex: cn=webservers,cn=hostgroups,dc=example,dc=com:fqdn=^www5\.example\.com autoMemberInclusiveRegex: cn=webservers,cn=hostgroups,dc=example,dc=com:fqdn=^www[1-9]+\.example\.com autoMemberInclusiveRegex: cn=webservers,cn=hostgroups,dc=example,dc=com:fqdn=^web[1-9]+\.example\.com autoMemberInclusiveRegex: cn=mailservers,cn=hostgroups,dc=example,dc=com:fqdn=^mail[1-9]+\.example\.com autoMemberDefaultGroup: cn=orphans,cn=hostgroups,dc=example,dc=com autoMemberGroupingAttr: member:dn Have something like: dn: cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config objectclass: autoMemberDefinition objectclass: cnContainer autoMemberScope: dc=example,dc=com autoMemberFilter: objectclass=ipaHost autoMemberRegexRule: cn=Webserver Inclusion Rule,cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config autoMemberRegexRule: cn=Mailserver Inclusion Rule,cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config autoMemberRegexRule: cn=Desktop exclusion Rule,cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config autoMemberDefaultGroup: cn=orphans,cn=hostgroups,dc=example,dc=com autoMemberGroupingAttr: member:dn dn: cn=Webserver Inclusion Rule,cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config objectclass: autoMemberDefinitionRegexRule cn: Webserver Inclusion Rule description: Rule contains regular expression to include webserver hosts into the webserver group. include: yes <- include or exclude memberGroup: cn=webservers,cn=hostgroups,dc=example,dc=com arrtibuteToMath: fgdn expressionToMatch: ^www[1-9]+\.example\.com Or something along those lines... -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Auto membership plugin
Is there any way to capture a description associated with the regex -> group mapping? I was thinking that after time, it would be important to look back on rules and know why they were put there. Particularly in the case of regex, since it may not be completely obvious by looking back at alphabet soup. ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] 6.1 beta
On Fri, Apr 08, 2011 at 09:26:42AM -0400, Dmitri Pal wrote: > I will leave to Kevin to describe details but in a nutshell the > replication and or synchronization with AD (same channel) is not free. > Red Hat worked out a competitive pricing model for this product and some > of the cost is attached to the replication bits. /me thinks this looks great. I've been afraid IPA would turn out too expensive.. Being an part of standard RHEL hopefully means that the tiny replication feature woun't be prohibitly expensive :-) -jf ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] 6.1 beta
On 04/08/2011 02:38 AM, Sigbjorn Lie wrote: > Hi Kevin, > > Please disregards Steven Jones' ranting, this was not the kind of feedback I > was looking for. > > Ok, I do like the wider options for channels in Red Hat, but this bring me to > my next question: > Will there be an extra charge for this add on channel, or will this be > included in the base > subscription? > > If $answer = yes { Why does Red Hat think they can charge more for a feature > that is included in > it's competitors base license for the equivalent product? } > > Else if $answer = no { Great! :) } > > > > Rgds, > Siggi I will leave to Kevin to describe details but in a nutshell the replication and or synchronization with AD (same channel) is not free. Red Hat worked out a competitive pricing model for this product and some of the cost is attached to the replication bits. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IPA Client join
Hello Rob Thanks for the srpm. Sorry but I just had time now to compile and test it. While installing and testing ipa-client-install, I found a small installation dependency problem in the spec. To install the rpm the package nss-tools should be required. This provides /usr/bin/certutil which is executed by the ipa-client-install while joining the realm and getting the certificate. You eventually can add this additional installation dependency to the spec file. Thanks Roland - Ursprüngliche Mail - Von: "Rob Crittenden" An: "Roland Käser" CC: freeipa-users@redhat.com Gesendet: Freitag, 1. April 2011 16:54:24 Betreff: Re: [Freeipa-users] IPA Client join Roland Kaeser wrote: > Hello > >> The next update will be in 6.1. I can probably cobble together a srpm >> that would work on 6.0 until 6.1 is released if you'd like. > > Is there a definitive release date for 6.1? I would like to have srpm for > 6.0, if possible, to start building up my pilot. > Thanks Attached is a srpm that updates the OIDs. I did a very brief smoke-test and was able to join a 6.0 client to a F-15 server. The tarball is still alpha 3. rob > > Roland > > > - Ursprüngliche Mail - > Von: "Rob Crittenden" > An: "Roland Käser" > CC: freeipa-users@redhat.com > Gesendet: Donnerstag, 31. März 2011 20:46:27 > Betreff: Re: [Freeipa-users] IPA Client join > > Roland Kaeser wrote: >> Hello >> >>> Will there be an update to the ipa-client package in RHEL 6.0, or do we >>> have to wait for RHEL 6.1? > > The next update will be in 6.1. I can probably cobble together a srpm > that would work on 6.0 until 6.1 is released if you'd like. > >> >> So which is the software stack to use for my pilot and the later production >> environment? >> I wouldn't like to use Fedora in company production environments. I would be >> really prefer to use RHEL6/6.1 >> I also checked the latest avialable fedora 15 version. I only can find a >> alpha version iso from february, 28. >> >> I would really like to have a software stack which works with freeipa >> (client/server) and afs-server. > > Yeah, this is a bit of a grey area right now. IPA does a lot of cat > herding and keeping all the various versions of the packages we require > in sync is very tedious. > > For a pilot I think you'd be fine using Fedora 14 though I would > recommend doing some amount of re-testing in F-15 once it is released. > We've done 80% of our development in F-14 and it works very well. The > dogtag project built F-14 packages for us as a favor. They don't want to > support deployments of it because they've done zero testing of their own > on F-14. You'd need to build the packages yourself though, we haven't > pushed this to F-14 because of the dogtag issue. mock should be able to > build it fairly painlessly. > > What I've done for my F-15 installations is to install F-14 and then > upgrade to Fedora-15 from there. It has been fairly painless. The GA IPA > release is in the stable repo of F-15 now. > > regards > > rob > >> >> >> - Ursprüngliche Mail - >> Von: "Sigbjorn Lie" >> An: "Rob Crittenden" >> CC: "Roland Käser", >> freeipa-users@redhat.com >> Gesendet: Donnerstag, 31. März 2011 16:14:34 >> Betreff: Re: [Freeipa-users] IPA Client join >> >>> >>> In rc2 we had to make a change to the OID used for some operations >>> because they were duplicated. The OID for the ipa-getkeytab operation was >>> one of them, so older >>> clients don't work with newer servers. IIRC the EL6 ipa-client was based on >>> the alpha 3 release. >>> >>> I attached a patch that gives the general idea of what needs to change. >>> It was originally for the EL 5 branch but it may work with few changes >>> in EL6. >>> >> >> Will there be an update to the ipa-client package in RHEL 6.0, or do we have >> to wait for RHEL 6.1? >> >> >> Rgds, >> Siggi >> >> >> > > -- InterSoft Networks Roland Käser, Systems Engineer OpenSource Fulachstr. 197, 8200 Schaffhausen Tel: +41 77 415 79 11 -- Diejenigen, die ihre Freiheit zugunsten der Sicherheit aufgeben, werden am Ende keines von beiden haben - und verdienen es auch nicht. (Benjamin Franklin) -- ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] 6.1 beta
On Fri, April 8, 2011 09:48, Natxo Asenjo wrote: > On Fri, Apr 8, 2011 at 8:38 AM, Sigbjorn Lie wrote: > > >> Ok, I do like the wider options for channels in Red Hat, but this bring me >> to my next question: >> Will there be an extra charge for this add on channel, or will this be >> included in the base >> subscription? >> >> If $answer = yes { Why does Red Hat think they can charge more for a feature >> that is included >> in it's competitors base license for the equivalent product? } > > does Microsoft include a synchronization plugin to RHDS? They do have a > synchronization package > between different servers (sql and possibly other ldap servers) into AD, but > iirc not free (sorry, > I forgot its > name, I saw it in the pile of cd/dvds we get from MS just in case we bite and > use it :-) ). > > The synchronization between RHDS and Windows AD is as far as I see it, > just like the one from 389 directory server: > http://directory.fedoraproject.org/wiki/Howto:WindowsSync ; if there > is a supported module for freeipa, then great. Otherwise, one can always try > to get it working on > its own. > > Or am I absolutely wrong about this? > -- Hi, Sync between Windows and IPA is included. I am asking about the replication between IPA servers. Rgds, Siggi ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] 6.1 beta
On Fri, Apr 8, 2011 at 8:38 AM, Sigbjorn Lie wrote: > Ok, I do like the wider options for channels in Red Hat, but this bring me to > my next question: > Will there be an extra charge for this add on channel, or will this be > included in the base > subscription? > > If $answer = yes { Why does Red Hat think they can charge more for a feature > that is included in > it's competitors base license for the equivalent product? } does Microsoft include a synchronization plugin to RHDS? They do have a synchronization package between different servers (sql and possibly other ldap servers) into AD, but iirc not free (sorry, I forgot its name, I saw it in the pile of cd/dvds we get from MS just in case we bite and use it :-) ). The synchronization between RHDS and Windows AD is as far as I see it, just like the one from 389 directory server: http://directory.fedoraproject.org/wiki/Howto:WindowsSync ; if there is a supported module for freeipa, then great. Otherwise, one can always try to get it working on its own. Or am I absolutely wrong about this? -- natxo ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users