On Mon, Sep 16, 2024 at 09:35:00AM -0400, Rob Crittenden via
FreeIPA-devel wrote:
> Oliver Kiddle via FreeIPA-devel wrote:
> > Using FreeIPA on RHEL 9, I have sudo rules and an HBAC rule. The HBAC
> > rules are there to disable all access to certain accounts on some
> > machines. Testing with:
>
URL: https://github.com/freeipa/freeipa/pull/5991
Author: sumit-bose
Title: #5991: extdom: return LDAP_NO_SUCH_OBJECT if domains differ
Action: opened
PR body:
"""
If a client sends a request to lookup an object from a given trusted
domain by UID or GID and an object with matching ID is only f
URL: https://github.com/freeipa/freeipa/pull/4015
Author: sumit-bose
Title: #4015: ipa-kdd: Remove keys password auth is disabled
Action: opened
PR body:
"""
With commit 15ff9c8 a check was removed and as a result Kerberos keys
are unconditionally added to the user entry struct if they are
ava
URL: https://github.com/freeipa/freeipa/pull/3542
Author: sumit-bose
Title: #3542: extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT
Action: opened
PR body:
"""
A return code LDAP_NO_SUCH_OBJECT will tell SSSD on the IPA client to
remove the searched object from the cache. As a
URL: https://github.com/freeipa/freeipa/pull/2891
Author: sumit-bose
Title: #2891: ipa-extdom-exop: add instance counter and limit
Action: opened
PR body:
"""
The user and group lookups done by the extdom plugin might need some
time depending on the state of the service (typically SSSD) handli
URL: https://github.com/freeipa/freeipa/pull/2846
Author: sumit-bose
Title: #2846: ipa_sam: remove dependency to talloc_strackframe.h
Action: opened
PR body:
"""
Recent Samba versions removed some header files which did include
non-public APIs. As a result talloc_strackframe.h and memory.h (fo
URL: https://github.com/freeipa/freeipa/pull/1537
Author: sumit-bose
Title: #1537: ipa-kdb: use magic value to check if ipadb is used
Action: opened
PR body:
"""
The certauth plugin is configured in /etc/krb5.conf independently from
the database module. As a result the IPA certauth plugin can
URL: https://github.com/freeipa/freeipa/pull/1529
Author: sumit-bose
Title: #1529: ipa-kdb: update trust information in all workers
Action: opened
PR body:
"""
Currently there is already code to make sure that after trust is established an
AS-REQ of the local HTTP principal causes a refresh of
Hi,
please find attached a small python class (generated with asn1ate) which
might help to generate the needed data to send a request to the extdom
plugin directly. This might be useful to write tests.
To generate the base64 encoded data needed e.g. for the ldapexop command
I used:
from pyasn1.c
URL: https://github.com/freeipa/freeipa/pull/1115
Author: sumit-bose
Title: #1115: ipa-kdb: reinit trusted domain data for enterprise principals
Action: opened
PR body:
"""
While processing enterprise principals the information about trusted domains
might not be up-to-date. With this patch ipa
URL: https://github.com/freeipa/freeipa/pull/879
Title: #879: FIPS mode and NT hashes
sumit-bose commented:
"""
I just pushed a new version which includes the upstream ticket reference in the
commit message, there are no changes to the code.
"""
See the full comment at
https://github.com/freei
URL: https://github.com/freeipa/freeipa/pull/879
Author: sumit-bose
Title: #879: FIPS mode and NT hashes
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/879/head:pr879
git checkout pr879
From 4d7f9b07832da3
URL: https://github.com/freeipa/freeipa/pull/879
Author: sumit-bose
Title: #879: FIPS mode and NT hashes
Action: opened
PR body:
"""
In FIPS mode NT hashes (aka md4) are not allowed. If FIPS mode is detected we
disable NT hashes in the password plugin even if they are allowed by IPA
configurat
URL: https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically
sumit-bose commented:
"""
> @sumit-bose I got confused by "periodically" in title and "every 5 minutes"
> in description. It works as expected.
ah, yes, I'm sorry the wording is
URL: https://github.com/freeipa/freeipa/pull/841
Author: sumit-bose
Title: #841: ipa-kdb: use canonical principal in certauth plugin
Action: opened
PR body:
"""
Currently the certauth plugin uses the unmodified principal from the
request to lookup the user. This might fail if e.g. enterprise
pr
URL: https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically
sumit-bose commented:
"""
@dkupka, the reload only happens during processing the PKINIT request if the
rules are older than 5 minutes. It is not a timed event which runs all the
URL: https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically
sumit-bose commented:
"""
@dkupka, ah, this is a side effect of having multiple workers (3907-3912). The
IPA context is not shared between the workers so each will load the certif
URL: https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically
sumit-bose commented:
"""
@dkupka, did you modify the rules so that PKINIT should fail or how did you
test. I tried to reproduce but according to the logs the rules are reloaded
URL: https://github.com/freeipa/freeipa/pull/823
Author: sumit-bose
Title: #823: ipa-kdb: reload certificate mapping rules periodically
Action: opened
PR body:
"""
With this patch the certificate mapping rules are reloaded every 5
minutes.
Resolves https://pagure.io/freeipa/issue/6963
"""
To