[Freeipa-devel] Re: ipalib.x509.IPACertificate can't subclass cryptography.x509.Certificate

2025-04-05 Thread Rob Crittenden via FreeIPA-devel
Wolfgang Eder via FreeIPA-devel wrote: > I am using FreeIPA 4.12.2 with python3-cryptography 44.0.1 on Python 3.12.8. > > The ipa-client-install command fails on me, and I have tracked down the > reason. > A simple way to reproduce: > import ipalib.x509 > . gives a warning about TripleD

[Freeipa-devel] Re: ipa-replica-install fails with the error "RuntimeError: Certificate issuance failed (CA_UNREACHABLE)"

2024-10-24 Thread Rob Crittenden via FreeIPA-devel
Kao via FreeIPA-devel wrote: > Issue: > > I'm deploying FreeIPA replica on azure VM, using Rocky 9.3 on both Master and > client (replica) VM, and both version of FreeIPA is 4.11.0. This two vm is in > the same virtual network > > master and client deployment is fine, but when installing replica

[Freeipa-devel] Re: user_mod [OptionError]: Unknown option: description

2024-10-14 Thread Rob Crittenden via FreeIPA-devel
Hillar Aarelaid via FreeIPA-devel wrote: > Hi > > I'm not exactly sure when it was removed, but in IPA version 4.10.1, the > "description" option in user_mod api call was still available. > Its removal has caused a lot of issues for us. :( > Is there any specific reason why it was removed? > Is

[Freeipa-devel] Re: HBAC rule not being enforced for sudo

2024-09-16 Thread Rob Crittenden via FreeIPA-devel
Oliver Kiddle via FreeIPA-devel wrote: > Using FreeIPA on RHEL 9, I have sudo rules and an HBAC rule. The HBAC > rules are there to disable all access to certain accounts on some > machines. Testing with: > ipa hbactest --service=sudo-i --user=user --host=host > I get the expected "Access grant

[Freeipa-devel] Re: On MIN_DOMAIN_LEVEL and MAX_DOMAIN_LEVEL

2024-05-09 Thread Rob Crittenden via FreeIPA-devel
Mauricio Tavares via FreeIPA-devel wrote: > On Thu, May 9, 2024 at 12:25 AM Alexander Bokovoy wrote: >> >> On Wed, 08 May 2024, Mauricio Tavares via FreeIPA-devel wrote: >>> constants.py[1] defines both constants (OK, their values are defined a >>> few lines up but you get the drift). Can I ASSum

[Freeipa-devel] Re: FreeIPA Installation Issues

2024-05-08 Thread Rob Crittenden via FreeIPA-devel
Mauricio Tavares via FreeIPA-devel wrote: >> Veera K via FreeIPA-devel wrote: >> >> >> You didn't include an attachment. >> >> I don't know the current status of Ubuntu as an IPA server but in the >> past it has not worked well. There are a lot of moving parts in IPA and >> there is basically one m

[Freeipa-devel] Re: FreeIPA Installation Issues

2024-04-26 Thread Rob Crittenden via FreeIPA-devel
Veera K via FreeIPA-devel wrote: > Hi Team, > > During the FreeIPA installation on Linux, particularly on Linux and Ubuntu, > I've faced numerous hurdles and made significant observations. Despite > configuring the URL for FreeIPA LDAP setup, we've encountered difficulties > accessing it. Even

[Freeipa-devel] Re: API schema

2023-08-23 Thread Rob Crittenden via FreeIPA-devel
Yann Soubeyrand via FreeIPA-devel wrote: > Hello, > > I’m still interested in helping fix the API schema returned by the > API, l, but I’d need some guidance (see my previous mail for the > details) ;-) I'm not sure that any of the output parameters define the type being returned. I believe all S

[Freeipa-devel] Re: Cannot restart ipa.service and krb5kdc.service after reboot

2023-08-02 Thread Rob Crittenden via FreeIPA-devel
Vu Nguyen via FreeIPA-devel wrote: > After 7 days, I tried to log in freeipa webUI and got this "Login failed due > to an unknown reason" message. So I rebooted my machine. After that I cannot > connect to freeipa webUI. Then I check ipa.service and got some errors > related to krb5 like "Failed

[Freeipa-devel] Re: debian/ubuntu client support

2023-06-08 Thread Rob Crittenden via FreeIPA-devel
sv savage via FreeIPA-devel wrote: > I have tried to compile FreeIPA in Debian, but there are enough > differences in existing libraries to make it very painful. But using > Ubuntu/Debian as a client should be straight forward. both distros > support SSSD but there is no doc describing how-to. I do

[Freeipa-devel] certmonger 0.79.18 upstream release

2023-04-05 Thread Rob Crittenden via FreeIPA-devel
For those that follow certmonger, I did an upstream release today, 0.79.18. This will go into rawhide first. Fedora 37 and 38 will follow. - Rename DBus service and conf files to match canonical name - Add missing .TP tags in getcert-resubmit man page - migrated to SPDX license - Include owner and

[Freeipa-devel] Re: additional info: nsslapd-maxdescriptors: invalid value "65536", maximum file descriptors must range from 1 to 8192 (the current process limit). Server will use a setting of 8192.

2022-12-14 Thread Rob Crittenden via FreeIPA-devel
roy liang via FreeIPA-devel wrote: > my freeipa 4.3 > May I ask, this parameter cannot be increased, this limit refers to where the > limit? Can the system see if it can reach 262140, or is there another > configuration limit in the service? > apt list | grep 389-ds > 389-ds/xenial,xenial 1.3.4.9-

[Freeipa-devel] Re: ipa radius proxy

2022-11-16 Thread Rob Crittenden via FreeIPA-devel
Giuseppe Calo wrote: > Hi Rob. > > I have installed and configured freeradius, then I configured a radius > client and one user radius. I checked for selinux and firewall, all it > is ok. Rddtest works well on radius client. Radius client is freeipa > server. On freeipa server I add radius server s

[Freeipa-devel] Re: ipa radius proxy

2022-11-16 Thread Rob Crittenden via FreeIPA-devel
Giuseppe Calo via FreeIPA-devel wrote: > Hi all, I installed simple freeradius (not enabled particular module), I > configured radius client, one simple user (only password) and added > RADIUS-proxy in FreeIPA, but my RADIUS-server do not get requests from remote > client. But test-util "radtest"

[Freeipa-devel] Re: [Freeipa-users] Re: FreeIPA 4.10.0

2022-07-01 Thread Rob Crittenden via FreeIPA-devel
It is largely the same as 4.9 with the notable exception of random serial number support (see release notes for full details). RSN requires PKI 11.2.0 or higher and F36 has 11.1.0 with no current plans to rebase, so it didn't seem worth it to build 4.10.0 there. rob Dirk Streubel via FreeIPA-use

[Freeipa-devel] Re: [Freeipa-users] FreeIPA 4.10.0

2022-06-30 Thread Rob Crittenden via FreeIPA-devel
The Fedora rawhide build of 4.10.0 is done and should land in repositories soon. The major feature of 4.10.0 is support for Random Serial Numbers which request dogtag 11.2.0 which is only in rawhide. Builds for other Fedora releases are not planned. rob Antonio Torres via FreeIPA-users wrote: > T

[Freeipa-devel] Re: Framework execute callback feedback

2021-06-09 Thread Rob Crittenden via FreeIPA-devel
Rob Crittenden via FreeIPA-devel wrote: > Alexander Bokovoy wrote: >> On Tue, 13 Apr 2021, Rob Crittenden via FreeIPA-devel wrote: >>> Currently the framework has four types of methods: >>> >>> - pre_callback: called before any real work is done. Usually

[Freeipa-devel] LDAP caching patch

2021-05-11 Thread Rob Crittenden via FreeIPA-devel
Just a heads-up, I'm going to merge the LDAP caching patch later today, PR https://github.com/freeipa/freeipa/pull/5681 Caching is enabled by default and some metrics will be visible in the Apache log when the server is in debug mode, like: ipa: DEBUG: FINAL: Hits 1 Misses 3 Size 2 There is a ve

[Freeipa-devel] Re: Azure test failures

2021-05-03 Thread Rob Crittenden via FreeIPA-devel
Endi Dewata wrote: > Hi, > > The stack trace says that the AJP port (8009) is > already in use. The ports are part of Tomcat (i.e. > app server) initialization, not CA (i.e. web app) > initialization, that's why the error appears in > systemd journal instead of CA debug log. Which > PKI version ar

[Freeipa-devel] Azure test failures

2021-05-03 Thread Rob Crittenden via FreeIPA-devel
Looks like a lot of IPA PRs have been failing the last few days due to one or more tests in Azure failing. I cherry-picked a few and they all look like CA startup failures during server installation, replication creation, ipa-ca-install, etc. In the one test I did a deeper dive into the CA debug log th

[Freeipa-devel] Re: Framework execute callback feedback

2021-04-16 Thread Rob Crittenden via FreeIPA-devel
Alexander Bokovoy wrote: > On Tue, 13 Apr 2021, Rob Crittenden via FreeIPA-devel wrote: >> Currently the framework has four types of methods: >> >> - pre_callback: called before any real work is done. Usually used to >> tune up incoming options >> - execute: d

[Freeipa-devel] Framework execute callback feedback

2021-04-13 Thread Rob Crittenden via FreeIPA-devel
Currently the framework has four types of methods: - pre_callback: called before any real work is done. Usually used to tune up incoming options - execute: does the brute work. For most CRUD plugins this is all done in baseldap.py in the LDAP* classes - post_callback: supposed to be data cleanup f

[Freeipa-devel] Re: A question from Russian translator

2021-04-06 Thread Rob Crittenden via FreeIPA-devel
Juliette Tux via FreeIPA-devel wrote: > Hello, > My name is Julia Dronova, I do Russian translations. Could some of you, > gentlemen, kindly clarify the meaning of the following: > "With those two attributes a range object can reserve the Posix IDs starting > with base-id up to but not including ba

[Freeipa-devel] Re: ldap principal left after uninstall

2021-03-11 Thread Rob Crittenden via FreeIPA-devel
Alexander Bokovoy via FreeIPA-devel wrote: > On Wed, 10 Mar 2021, Rob Crittenden via FreeIPA-devel wrote: >> I don't know if this is something odd with my setup so before >> investigating I thought I'd ask. >> >> I was testing an upgrade change so I ins

[Freeipa-devel] ldap principal left after uninstall

2021-03-10 Thread Rob Crittenden via FreeIPA-devel
I don't know if this is something odd with my setup so before investigating I thought I'd ask. I was testing an upgrade change so I installed one server and then added a replica with a CA. Doing this number of rounds of install/uninstall on the replica and it would frequently fail trying to get a

[Freeipa-devel] Re: IPA 3 - Certificates Expired

2020-11-05 Thread Rob Crittenden via FreeIPA-devel
Mike Mercier via FreeIPA-devel wrote: > Hello, > > I have an old IPA 3 installation (master and two slaves) where the > certificates are failing to renew. If I recall correctly, the original > installation for the CA used a self signed cert option. > > I am experiencing the following issues: > 1

[Freeipa-devel] Re: preparing FreeIPA 4.8.9 release

2020-08-07 Thread Rob Crittenden via FreeIPA-devel
This looks fine to me. rob Alexander Bokovoy via FreeIPA-devel wrote: > Hi, > > it is time for another FreeIPA 4.8 release. My plan is to do a release > either tomorrow, Friday, August 7th, or early next week, depending how > fast the following pull requests would be acked and backported to ipa-

[Freeipa-devel] Re: Community Tool for System Account Management in LDAP

2020-07-23 Thread Rob Crittenden via FreeIPA-devel
Noah Bliss via FreeIPA-devel wrote: > Hey all. > > I recently posted a tool (bash script) for creating/removing/etc system > accounts in LDAP. Quite simple but significantly more functional than working > with them all by hand. > > Would it be of value to the project to mention this tool's ex

[Freeipa-devel] Re: Azure tests failing

2020-07-06 Thread Rob Crittenden via FreeIPA-devel
Stanislav Levin via FreeIPA-devel wrote: > certmonger 0.79.11 + FreeIPA-4.8.8 = oops It should be fixed now in Azure. I have an unreleased patch for certmonger in Fedora. Once things settle down I'll do another certmonger upstream release. rob > > > TestSelfExternalSelf.test_switch_back_to_sel

[Freeipa-devel] Re: Azure tests failing

2020-07-02 Thread Rob Crittenden via FreeIPA-devel
François Cami wrote: > On Thu, Jul 2, 2020 at 5:16 AM Fraser Tweedale via FreeIPA-devel > wrote: >> >> On Wed, Jul 01, 2020 at 04:07:02PM -0400, Rob Crittenden via FreeIPA-devel >> wrote: >>> You may notice that your azure tests are failing with: >>>

[Freeipa-devel] Azure tests failing

2020-07-01 Thread Rob Crittenden via FreeIPA-devel
You may notice that your azure tests are failing with: Bash exiting with code '1': GATING sudo_1_to_5 * Check for coredumps It is an updated certmonger that is dropping core. I pushed a fix in F31-rawhide so it should appear in the updates repo in a few hours I hope. rob

[Freeipa-devel] Re: ipaNTHash without winbind/samba

2020-04-20 Thread Rob Crittenden via FreeIPA-devel
Michael Mercier via FreeIPA-devel wrote: > Hello, > > I would like to have the ipaNTHash stored in the IPA LDAP database > without having to use winbind or samba. I > installed ipa-server-*trust*-ad and did the basic setup.  In order to > now start IPA I now have to add the '--ignore-service-failu

[Freeipa-devel] Re: FreeIPA 4.8.4 release plan

2019-12-12 Thread Rob Crittenden via FreeIPA-devel
Alexander Bokovoy via FreeIPA-devel wrote: Hi, I'm planning to cut FreeIPA 4.8.4 release tomorrow (around noon East coast timezone). Please look into outstanding PRs and review/push them before that. The release diff is rather small. I'm showing the log diff against 4.8.2 because 4.8.3 was a sec

[Freeipa-devel] Re: [Draft] 4.8.2 release notes

2019-11-11 Thread Rob Crittenden via FreeIPA-devel
Alexander Bokovoy via FreeIPA-devel wrote: > Hi, > > below is the draft for the release notes for upcoming FreeIPA 4.8.2 > release. I'm intending to release it tomorrow, so please add your > comments today. Looks good. rob > > > {{ReleaseDate|2019-11-12}} > The FreeIPA team would like to anno

[Freeipa-devel] Re: Choosing DNS name for FreeIPA PR-CI, proposing ci.freeipa.org

2019-10-14 Thread Rob Crittenden via FreeIPA-devel
Petr Vobornik via FreeIPA-devel wrote: > Hi list, > > we'll be migrating a FreeIPA wiki and planet to a different OpenShift. > With that FreeIPA PR-CI dashboard which is currently running at URL > https://pr-ci-dashboard-freeipa.b9ad.pro-us-east-1.openshiftapps.com > will be migrated as well. > >

[Freeipa-devel] Re: [PATCH] Fix UnboundLocalError in ipa-replica-manage

2019-08-05 Thread Rob Crittenden via FreeIPA-devel
Theodor van Nahl via FreeIPA-devel wrote: > If ipa-replica-manage is unable to retrieve e.g. due to certificate > validity problem. An UnboundLocalError is thrown for `type1`. This fixes > the issue with a clean exit. > --- > install/tools/ipa-replica-manage.in | 1 + > 1 file changed, 1 insertion

[Freeipa-devel] Re: pytest 4+

2019-07-05 Thread Rob Crittenden via FreeIPA-devel
Levin Stanislav via FreeIPA-devel wrote: > Hello All. > > > Maybe you know, recently pytest 5 has been released. > > The major change is: > >> This release is a Python3.5+ only release. > https://docs.pytest.org/en/latest/py27-py34-deprecation.html > > > But FreeIPA utilizes pytest 3.9.3 and

[Freeipa-devel] Re: FreeIPA 4.8.0 release notes draft

2019-07-01 Thread Rob Crittenden via FreeIPA-devel
Alexander Bokovoy via FreeIPA-devel wrote: > Hi, > > I've loaded the draft of 4.8.0 release notes to > https://www.freeipa.org/page/Releases/4.8.0 > > We need to add more substance to the highlights, enhancements, known > issues, and bugfixes. Please help me by going through the tickets you > wor

[Freeipa-devel] Re: Invalid link on FreeIPA home page...

2019-05-02 Thread Rob Crittenden via FreeIPA-devel
Ian Nicholls via FreeIPA-devel wrote: > Not sure if this is the right group - but looked closest out of them! > > Starting to look at FreeIPA - so on https://www.freeipa.org/page/Main_Page > > I looked to join the mailing list "Freeipa-interest" but the link goes here - > https://lists.fedorapr

[Freeipa-devel] Re: [Draft] FreeIPA 4.8.0 rc1 release notes

2019-04-25 Thread Rob Crittenden via FreeIPA-devel
Christian Heimes via FreeIPA-devel wrote: > On 23/04/2019 19.34, Alexander Bokovoy via FreeIPA-devel wrote: >> Hi, >> >> below is the first cut on 4.8.0 rc1 release notes. I had to modify >> release-notes.py from freeipa-tools quite a lot to get Pagure issues for >> git master branch pulled out of

[Freeipa-devel] Announcing freeIPA 4.6.5

2019-03-19 Thread Rob Crittenden via FreeIPA-devel
The FreeIPA team would like to announce FreeIPA 4.6.5 release! It can be downloaded from http://www.freeipa.org/page/Downloads. == Highlights in 4.6.5 == === Enhancements === * Honor SRV record priority and weight * Support for the IPAddr SAN type * Added more indices to improve performance ==

[Freeipa-devel] [DRAFT] IPA 4.6.5 Release Notes

2019-03-15 Thread Rob Crittenden via FreeIPA-devel
Please review. {{ReleaseDate|2019-03-18}} The FreeIPA team would like to announce FreeIPA 4.6.5 release! It can be downloaded from http://www.freeipa.org/page/Downloads. == Highlights in 4.6.5 == * Honor SRV record priority and weight * Support was added for the IPAddr SAN type * Added more ind

[Freeipa-devel] Re: Updates required for IPA-Windows mixed environment article

2019-01-02 Thread Rob Crittenden via FreeIPA-devel
Mohan P N via FreeIPA-devel wrote: > I was going through the article "Implementing FreeIPA in a mixed Environment > (Windows/Linux) - Step by step" published at > https://www.freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_(Windows/Linux)_-_Step_by_step > > I stumbled upon some comm

[Freeipa-devel] Re: [DESIGN] IPA healthcheck design

2018-11-27 Thread Rob Crittenden via FreeIPA-devel
e journal. > --source, how will I know what are the available checks? In this case we can provide a list. > "Check certificate renewal", ... does it mean that the tool just > listed the checks or the tool ran them? If it was run, shouldn't it be > more like a: "Checking: c

[Freeipa-devel] Re: [DESIGN] IPA healthcheck design

2018-11-27 Thread Rob Crittenden via FreeIPA-devel
Florence Blanc-Renaud wrote: > On 10/24/18 10:49 PM, Rob Crittenden via FreeIPA-devel wrote: >> I started a design of an IPA healthcheck framework at >> https://www.freeipa.org/page/V4/Healthcheck >> >> Have at it. >> >> Note that this concentrates more on h

[Freeipa-devel] Re: [DESIGN] IPA healthcheck design

2018-11-26 Thread Rob Crittenden via FreeIPA-devel
he ipa-healthcheck command failed" mean that there were issues > when executing the checks (I assume this one) or that an issue was > found? > --source, how will I know what are the available checks? > > "Check certificate renewal", ... does it mean that the tool j

[Freeipa-devel] Re: [DESIGN] IPA healthcheck design

2018-11-21 Thread Rob Crittenden via FreeIPA-devel
/V4/Healthcheck#CLI section and an installation section in https://www.freeipa.org/page/V4/Healthcheck#Installation > The example could be some check which will be implemented later. E.g. > expired RA certificate. I'm not sure I follow. rob > > Thank you > On Wed, Oct 24, 20

[Freeipa-devel] Re: vault implementation vs ACI to read ipaconfigstring

2018-11-13 Thread Rob Crittenden via FreeIPA-devel
Petr Vobornik via FreeIPA-devel wrote: > On Mon, Nov 12, 2018 at 6:28 PM François Cami via FreeIPA-devel > wrote: >> >> Hi, >> >> While investigating why non-admin users having access to a shared >> vault got an error that stemmed from them not being able to find the >> KRA server to query (*), I

[Freeipa-devel] Re: Gating and nightly tests

2018-11-09 Thread Rob Crittenden via FreeIPA-devel
Francisco Triviño García via FreeIPA-devel wrote: > > On 11/9/18 11:32 AM, Alexander Bokovoy via FreeIPA-devel wrote: >> On Fri, 09 Nov 2018, Florence Blanc-Renaud via FreeIPA-devel wrote: >>> Hi Developers, >>> >>> Currently our test suite contains 3 different test sets: >>> - gating: executed

[Freeipa-devel] Ticket cleanup

2018-11-02 Thread Rob Crittenden via FreeIPA-devel
You may notice that over the next few weeks a LOT of issues on https://pagure.io/freeipa will close. Most of them fall into one or buckets: * seems like a good idea but we'll never get to it due to other priorities * is a great idea but is incredibly complex and we'll never get to it * was a fant

[Freeipa-devel] Re: FreeIPA demo: upgrading to Fedora 29 failed

2018-10-26 Thread Rob Crittenden via FreeIPA-devel
Martin Kosek via FreeIPA-devel wrote: > On Fri, Oct 26, 2018 at 4:17 PM Rob Crittenden > wrote: > > Martin Kosek via FreeIPA-devel wrote: > > Hi all, > > > > So I tried today to upgrade FreeIPA demo [1] to Fedora 29 since I was > > touching the VM b

[Freeipa-devel] Re: FreeIPA demo: upgrading to Fedora 29 failed

2018-10-26 Thread Rob Crittenden via FreeIPA-devel
Martin Kosek via FreeIPA-devel wrote: > Hi all, > > So I tried today to upgrade FreeIPA demo [1] to Fedora 29 since I was > touching the VM because of something else anyway. > > I was not successful yet, I hit following issues: > > 1) A packaging issue before I could upgrade the system, that I c

[Freeipa-devel] Re: [DESIGN] IPA healthcheck design

2018-10-25 Thread Rob Crittenden via FreeIPA-devel
Fraser Tweedale wrote: > On Wed, Oct 24, 2018 at 04:49:21PM -0400, Rob Crittenden via FreeIPA-devel > wrote: >> I started a design of an IPA healthcheck framework at >> https://www.freeipa.org/page/V4/Healthcheck >> >> Have at it. >> >> Note that this

[Freeipa-devel] [DESIGN] IPA healthcheck design

2018-10-24 Thread Rob Crittenden via FreeIPA-devel
I started a design of an IPA healthcheck framework at https://www.freeipa.org/page/V4/Healthcheck Have at it. Note that this concentrates more on how it will work big picture and less on individual checks that may be performed. I'm happy to add any ideas you come up with for specific tests. rob

[Freeipa-devel] Announcing freeIPA 4.7.1

2018-10-05 Thread Rob Crittenden via FreeIPA-devel
The FreeIPA team would like to announce FreeIPA 4.7.1 release! It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 29 and Fedora 28 will be available in the official [https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-7/ COPR repository]. == Highlights in 4

[Freeipa-devel] certificate checking tool

2018-10-01 Thread Rob Crittenden via FreeIPA-devel
As part of a larger IPA "health" checker and driven largely by necessity I have the beginning of a certificate checking tool available at https://github.com/rcritten/checkcerts It works for me in IPA 4.5.4, IPA 4.6.0 and IPA master (basically 4.7+ patches) mostly with just a single-master install.

[Freeipa-devel] Re: ipa-replica-install failed with CA_UNREACHABLE -

2018-09-05 Thread Rob Crittenden via FreeIPA-devel
Ilie Soltanici via FreeIPA-devel wrote: > Hi All, > Trying to install a replica for an already running ipa-server but it fails. > > IPA Main server is already running and properly configured. I'm trying to > setup the second server and replicate with the main server. > This is the command what i

[Freeipa-devel] Re: Compile freeipa 4.7 on CentOS 7 Error

2018-09-04 Thread Rob Crittenden via FreeIPA-devel

[Freeipa-devel] Re: Compile freeipa 4.7 on CentOS 7 Error

2018-09-04 Thread Rob Crittenden via FreeIPA-devel
Sven Vogel via FreeIPA-devel wrote: > Hi, > >   > > we compile freeipa 4.7 from git. We use 7.5.1804. > >   > > when we run ./configure we get the following error. > >   > > checking for a sed that does not truncate output... (cached) /bin/sed > > checking for msgattrib... /bin/msgattrib >

[Freeipa-devel] Re: SoftHSM and certmonger

2018-08-22 Thread Rob Crittenden via FreeIPA-devel
Rob Crittenden via FreeIPA-devel wrote: > Alexander Bokovoy via FreeIPA-devel wrote: > < 0> rsa  f9119ce98a883f7f75a72fb32faed0125b1b31a3   my-cert > > Thanks for the script, easily reproducible. > > I'm not sure why Nalin makes it a requirement to authentic

[Freeipa-devel] Re: SoftHSM and certmonger

2018-08-21 Thread Rob Crittenden via FreeIPA-devel
Alexander Bokovoy via FreeIPA-devel wrote: > Hi Rob, > > I was trying to set up a configuration where certmonger would generate > and track a key in an NSS database with an HSM token. I used SoftHSMv2 > for the token. > > The script roughly describing what I did is attached. You need to put > SEL

[Freeipa-devel] Re: How do replication should work?

2018-07-25 Thread Rob Crittenden via FreeIPA-devel
Tibor Dudlák via FreeIPA-devel wrote: > Hello! > > I am trying to resolve a [1] issue and I just bumped into questions that > grinds my gears. > First of all after some effort spent by Christian, we had some patches > that helped parallel replication, but the PR2048 [2] brought to life a > regress

[Freeipa-devel] Announcing freeIPA 4.7.0

2018-07-23 Thread Rob Crittenden via FreeIPA-devel
The FreeIPA team would like to announce FreeIPA 4.7.0 release! It can be downloaded from http://www.freeipa.org/page/Downloads. == Highlights in 4.7.0 == === Enhancements === mod_ssl = IPA has switched to mod_ssl as the crypto engine for Apache. This change will be made automatically

[Freeipa-devel] Consider the tree frozen

2018-07-19 Thread Rob Crittenden via FreeIPA-devel
One final patch is going to be pushed this morning, Christian's KRA PR, and then consider the tree to be frozen until I can do the release work. thanks rob

[Freeipa-devel] [DRAFT] 4.7.0 release notes

2018-07-18 Thread Rob Crittenden via FreeIPA-devel
Draft 4.7.0 release notes. In particular please double check that I didn't miss any enhancements (and that I got the wording right). I can't think of any Known Issues worth highlighting. I could be wrong. - The FreeIPA team would like to announce FreeIPA 4.7.0 release! It can be downloaded

[Freeipa-devel] Re: Time for 4.7 GA?

2018-07-17 Thread Rob Crittenden via FreeIPA-devel
Alexander Bokovoy wrote: > On Tue, 17 Jul 2018, Rob Crittenden via FreeIPA-devel wrote: >> I want to take the pulse of opinion on 4.7 readiness. CI seems to be >> looking pretty good and we have most of our goals reached. >> >> There are a number of interesting UI tr

[Freeipa-devel] Time for 4.7 GA?

2018-07-17 Thread Rob Crittenden via FreeIPA-devel
I want to take the pulse of opinion on 4.7 readiness. CI seems to be looking pretty good and we have most of our goals reached. There are a number of interesting UI translation-related PRs still outstanding. Do we want to try to get these in or wait for 4.7.1? * https://github.com/freeipa/freeipa/pu

[Freeipa-devel] [ANNOUNCE] IPA 4.6.4 release notes

2018-06-12 Thread Rob Crittenden via FreeIPA-devel
The FreeIPA team would like to announce FreeIPA 4.6.4 release! It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 27 will be available soon. == Highlights in 4.6.4 == * Several changes to upgrade process so it will be more robust: * The schema compat plugin is d

[Freeipa-devel] [DRAFT] IPA 4.6.4 release notes

2018-06-08 Thread Rob Crittenden via FreeIPA-devel
{{ReleaseDate|2018-06-08}} The FreeIPA team would like to announce FreeIPA 4.6.4 release! It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 27 will be available soon. == Highlights in 4.6.4 == * Several changes to upgrade process so it will be more robust: * Th

[Freeipa-devel] Re: [Design draft] Promoting replica to CRL master

2018-05-31 Thread Rob Crittenden via FreeIPA-devel
Fraser Tweedale via FreeIPA-devel wrote: > On Thu, May 31, 2018 at 11:17:51AM -0400, Rob Crittenden via FreeIPA-devel > wrote: >> Standa Laznicka via FreeIPA-devel wrote: >>> Hello people of the freeipa-devel channel, >>> >>> Let me share a design that propo

[Freeipa-devel] Re: [Design draft] Promoting replica to CRL master

2018-05-31 Thread Rob Crittenden via FreeIPA-devel
Standa Laznicka via FreeIPA-devel wrote: > Hello people of the freeipa-devel channel, > > Let me share a design that proposes a way of automating the way FreeIPA > replicas would be promoted to become a CRL master. Since the > configuration cannot be dynamically altered by modifying an entry in th

[Freeipa-devel] Re: broken freeipa client-only builds

2018-05-16 Thread Rob Crittenden via FreeIPA-devel
Alexander Bokovoy wrote: > On Tue, 15 May 2018, Rob Crittenden via FreeIPA-devel wrote: >> I can't submit new builds to Fedora from master because a change was >> made to the provider of /usr/share/ipa in freeipa-common. >> >> This sub-package is also built for cli

[Freeipa-devel] Announcing FreeIPA v4.6.90.pre2 release

2018-05-16 Thread Rob Crittenden via FreeIPA-devel
The FreeIPA team would like to announce FreeIPA 4.6.90.pre2 release! It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 28 and rawhide will be available in the Fedora repositories. == Highlights in 4.6.90.pre2 == The major new features of this release are: * Switc

[Freeipa-devel] broken freeipa client-only builds

2018-05-15 Thread Rob Crittenden via FreeIPA-devel
I can't submit new builds to Fedora from master because a change was made to the provider of /usr/share/ipa in freeipa-common. This sub-package is also built for client-only installs but nothing is creating /usr/share/ipa so packaging fails (and/or freeipa.template will be missing) I tried to wor

[Freeipa-devel] Re: Candidate PRs to close

2018-05-15 Thread Rob Crittenden via FreeIPA-devel
Alexander Bokovoy via FreeIPA-devel wrote: On Fri, 11 May 2018, Rob Crittenden via FreeIPA-devel wrote: Ok thanks for the feedback. I removed from the list those that were mentioned. I'll close these some time on Monday afternoon EDT unless something changes in between. This is the li

[Freeipa-devel] Re: [DRAFT] Release notes for freeIPA 4.6.90.pre2

2018-05-14 Thread Rob Crittenden via FreeIPA-devel
Robbie Harwood wrote: Rob Crittenden via FreeIPA-devel writes: Here are the draft release notes for the second pre-release of 4.7.0. Let me know if I've missed anything. The major new features of this release are: * Switch from using mod_nss for the Apache TLS engine to using mo

[Freeipa-devel] [DRAFT] Release notes for freeIPA 4.6.90.pre2

2018-05-14 Thread Rob Crittenden via FreeIPA-devel
Here are the draft release notes for the second pre-release of 4.7.0. Let me know if I've missed anything. {{ReleaseDate|2018-05-14}} The FreeIPA team would like to announce FreeIPA 4.6.90.pre2 release! It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 28 and r

[Freeipa-devel] Re: [BLOG/DESIGN] cert-request revocation changes

2018-05-11 Thread Rob Crittenden via FreeIPA-devel
Simo Sorce wrote: On Fri, 2018-05-11 at 15:47 +1000, Fraser Tweedale via FreeIPA-devel wrote: Hi all, Ticket https://pagure.io/freeipa/issue/7482 made me think about the current revocation behaviour in `ipa cert-request`. For hosts and services, all old certificates get revoked. I wrote a blo

[Freeipa-devel] Re: Candidate PRs to close

2018-05-11 Thread Rob Crittenden via FreeIPA-devel
Ok thanks for the feedback. I removed from the list those that were mentioned. I'll close these some time on Monday afternoon EDT unless something changes in between. This is the list of 16 I plan to close for inactivity: 1809 Fixes for test_server_del failures. https://github.com/freeipa/

[Freeipa-devel] Some Travis installs failing

2018-05-07 Thread Rob Crittenden via FreeIPA-devel
I'm not sure where the travis code comes from but I've got a PR failing because both mod_nss and mod_ssl are installed for some reason when building on the ipa-4-6 branch. The PR is https://github.com/freeipa/freeipa/pull/1876 All of the travis run-tests have failed. If you pull the log tarba

[Freeipa-devel] Candidate PRs to close

2018-05-03 Thread Rob Crittenden via FreeIPA-devel
There are a lot of old, outdated PRs. I think we need to close them and strive hard to keep the list of PRs very low so for this round, against my usual instincts, I propose we act on the harsher side. Note that I did __not__ review the patches in detail, I'm mostly looking at last touch and r

[Freeipa-devel] Re: Review of authconfig replacement

2018-04-05 Thread Rob Crittenden via FreeIPA-devel
Florence Blanc-Renaud wrote: > On 04/04/2018 03:37 PM, Rob Crittenden wrote: >> Florence Blanc-Renaud via FreeIPA-devel wrote: >>> Hi all, >>> >>> I am currently reviewing the PR for authconfig replacement with >>> authselect (see [1]) but I am not 100% sure of the direction we should >>> aim for (

[Freeipa-devel] Re: Web assets in Fedora

2018-04-04 Thread Rob Crittenden via FreeIPA-devel
Just saw this on the Fedora development list. Not sure if this would make sense for IPA to try to use. Doing so could impact other distros (it could make more work for them). rob Jakub Kadlcik wrote: > Hello, > I've written a blog post about web assets in Fedora. > > Do you bundle third-party li

[Freeipa-devel] Re: Review of authconfig replacement

2018-04-04 Thread Rob Crittenden via FreeIPA-devel
Petr Vobornik wrote: > On Wed, Apr 4, 2018 at 3:37 PM, Rob Crittenden via FreeIPA-devel > wrote: >> Florence Blanc-Renaud via FreeIPA-devel wrote: >>> Hi all, >>> >>> I am currently reviewing the PR for authconfig replacement with >>> authselect (

[Freeipa-devel] Re: Review of authconfig replacement

2018-04-04 Thread Rob Crittenden via FreeIPA-devel
Florence Blanc-Renaud via FreeIPA-devel wrote: > Hi all, > > I am currently reviewing the PR for authconfig replacement with > authselect (see [1]) but I am not 100% sure of the direction we should > aim for (many items were discussed in the mailing list but it's not > clear on which an agreement

[Freeipa-devel] Re: Lets Encrypt scripts for multiple principals and Web/LDAP

2018-03-21 Thread Rob Crittenden via FreeIPA-devel
Antonia Stevens wrote: > Per previous suggestions I've created a proof of concept implementation > using Certmonger and Certbot. > > At this stage I have a working prototype that can request certificates > and thought I'd solicit feedback before doing further work. > > The PoC can be found on my g

[Freeipa-devel] Release notes for freeIPA 4.6.90.pre1

2018-03-16 Thread Rob Crittenden via FreeIPA-devel
The FreeIPA team would like to announce the FreeIPA 4.6.90.pre1 release! It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 28 and rawhide will be available in the Fedora repositories. == Highlights in 4.6.90.pre1 == This release changes from using mod_nss for the

[Freeipa-devel] [DRAFT] Release notes for freeIPA 4.6.90.pre1

2018-03-16 Thread Rob Crittenden via FreeIPA-devel
Here are the draft release notes for the first pre-release of 4.7.0. Let me know if I've missed anything. {{ReleaseDate|2018-03-16}} The FreeIPA team would like to announce the FreeIPA 4.6.90.pre1 release! It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 28 and ra

[Freeipa-devel] Re: decision for F28

2018-03-15 Thread Rob Crittenden via FreeIPA-devel
Alexander Bokovoy via FreeIPA-devel wrote: > On Thu, 15 Mar 2018, Rob Crittenden via FreeIPA-devel wrote: >> Christian Heimes wrote: >>> On 2018-03-15 14:19, Rob Crittenden via FreeIPA-devel wrote: >>>> freeIPA in Fedora 28 is currently broken for a number of reaso

[Freeipa-devel] Re: decision for F28

2018-03-15 Thread Rob Crittenden via FreeIPA-devel
Christian Heimes wrote: > On 2018-03-15 14:19, Rob Crittenden via FreeIPA-devel wrote: >> freeIPA in Fedora 28 is currently broken for a number of reasons: >> >> - The NSS switch to sqlite >> - 389-ds now provides a default security entry >> - many changes in do

[Freeipa-devel] decision for F28

2018-03-15 Thread Rob Crittenden via FreeIPA-devel
freeIPA in Fedora 28 is currently broken for a number of reasons: - The NSS switch to sqlite - 389-ds now provides a default security entry - many changes in dogtag FESCO has given us and dogtag a reprieve on the beta deadline but we need to get something working ASAP. The dogtag team has their

[Freeipa-devel] Re: Lets Encrypt scripts for multiple principals and Web/LDAP

2018-03-06 Thread Rob Crittenden via FreeIPA-devel
Antonia Stevens wrote: > Per previous suggestions I've created a proof of concept implementation > using Certmonger and Certbot. > > At this stage I have a working prototype that can request certificates > and thought I'd solicit feedback before doing further work. > > The PoC can be found on my g

[Freeipa-devel] Re: IP addresses in Subject Alt Name

2018-03-01 Thread Rob Crittenden via FreeIPA-devel
Ian Pilcher via FreeIPA-devel wrote: > On 02/18/2018 07:22 PM, Fraser Tweedale wrote: >> Ultimately, the same problems exist for any kind of subject name and >> the only practical mitigation is short-lived certificates. With >> that in mind, given that Ian's proposal is scoped to only validate >

[Freeipa-devel] Re: FreeIPA nightly tests as PRs

2018-02-23 Thread Rob Crittenden via FreeIPA-devel
Alexander Bokovoy via FreeIPA-devel wrote: > On Fri, 23 Feb 2018, Petr Vobornik via FreeIPA-devel wrote: >> Hi all, >> >> Felipe made nightly testing work as PRs in freeipa main GitHub repo. >> >> e.g.: >> https://github.com/freeipa/freeipa/pull/1624 >> https://github.com/freeipa/freeipa/pull/

[Freeipa-devel] Re: IPA's NTP service

2018-02-22 Thread Rob Crittenden via FreeIPA-devel
Tibor Dudlák via FreeIPA-devel wrote: > Hello FreeIPA-devel list fellow beings! > > I would like to continue the discussion started in [1], and find > its solution. > > While using the Single-Sign-on authentication provided via an MIT > Kerberos KDC there must not be any significant clock skew betw

[Freeipa-devel] Re: Not able to renew certs using 'ipa-gertcert request'

2018-02-22 Thread Rob Crittenden via FreeIPA-devel
Amit via FreeIPA-devel wrote: > Hello, > > _This command is executed at IPA Client_: > # date;ipa-getcert request -vvv -T SubjectAlternateNamesCert -R -K > TEST/$(hostname) -E <>@<> -f > opt/certs/test3.crt -k /opt/certs/test3.key -X BLE-IDM-SUB1 > Wed Feb 14 07:5

[Freeipa-devel] Re: authconfig replacement design

2018-02-21 Thread Rob Crittenden via FreeIPA-devel
Standa Laznicka via FreeIPA-devel wrote: > On 02/21/2018 10:17 AM, Alexander Koksharov via FreeIPA-devel wrote: >> let me put a couple of scenarios here: >> - install server >> install it and configure with authselect. there is no --no-sssd >> option for the server installati

[Freeipa-devel] IPA master now using mod_ssl

2018-02-21 Thread Rob Crittenden via FreeIPA-devel
Heads up. A large patchset was pushed today that switches from using mod_nss as the TLS engine for Apache to using mod_ssl. Please watch out for any oddities, particularly related to upgrades. We spent a lot of time trying to get this right but it's very possible we missed something. This may also

[Freeipa-devel] Re: authconfig replacement design

2018-02-15 Thread Rob Crittenden via FreeIPA-devel
Petr Vobornik via FreeIPA-devel wrote: > On Thu, Feb 15, 2018 at 4:47 PM, Jakub Hrozek via FreeIPA-devel > wrote: >> On Thu, Feb 15, 2018 at 08:57:55AM -0500, Rob Crittenden via FreeIPA-devel >> wrote: >>> Alexander Koksharov via FreeIPA-devel wrote: >>>> H

[Freeipa-devel] Re: authconfig replacement design

2018-02-15 Thread Rob Crittenden via FreeIPA-devel
Alexander Koksharov via FreeIPA-devel wrote: > Hello, > > Please take a look at a design page here: > https://www.freeipa.org/page/V4/Authselect_migration > I would like to > hear your critics and suggestions. On a non-technical note there are a number of spelling and grammatical errors. Y
