Re: [Freeipa-devel] [PATCH] 271 Fill new DNS zone update policy by default

2012-06-05 Thread Martin Kosek
On Mon, 2012-06-04 at 22:39 -0400, Rob Crittenden wrote: Martin Kosek wrote: For security reasons, dynamic updates are not enabled for new DNS zones. In order to enable the dynamic zone securely, user needs to allow dynamic updates and create a zone update policy. The policy is not easy

Re: [Freeipa-devel] [PATCH] 270 Improve migration NotFound error

2012-06-05 Thread Martin Kosek
On Mon, 2012-06-04 at 23:13 -0400, Rob Crittenden wrote: Martin Kosek wrote: When no user/group was found, migration plugin reported an ambiguous error about invalid container. But the root cause may be for example in a wrong list of user/group objectclasses. Report both in the error

Re: [Freeipa-devel] [PATCH] 262-265 Enable psearch by default

2012-06-05 Thread Martin Kosek
On Mon, 2012-06-04 at 23:49 -0400, Rob Crittenden wrote: Martin Kosek wrote: On Fri, 2012-05-25 at 17:14 +0200, Martin Kosek wrote: On Fri, 2012-05-25 at 09:25 -0400, Rob Crittenden wrote: Martin Kosek wrote: This set of patches handles enabling psearch both for new installations (patch

Re: [Freeipa-devel] [PATCH] 271 Fill new DNS zone update policy by default

2012-06-05 Thread Martin Kosek
On Tue, 2012-06-05 at 14:44 +0930, William Brown wrote: I think the example should be something like: Modify the zone to allow dynamic updates for hosts own records in realm EXAMPLE.COM: ipa dnszone-mod example.com --dynamic-update=TRUE This is the equivalent of: ipa

Re: [Freeipa-devel] [PATCH] 0057 Skip the fix_replica_memberof update plugin for non-root users

2012-06-05 Thread Martin Kosek
On Mon, 2012-06-04 at 11:51 -0400, Simo Sorce wrote: On Mon, 2012-06-04 at 17:22 +0200, Petr Viktorin wrote: An update plugin needed root privileges, and aborted the update if an ordinary user ran it. With this patch the plugin is skipped with a warning in that case.

[Freeipa-devel] [PATCH] 272 Fix dnszone-mod --forwader option help string

2012-06-05 Thread Martin Kosek
Pushed under the one-liner rule. --- Help should not point to global forwarders but rather to per-zone conditional forwarders. https://fedorahosted.org/freeipa/ticket/2717 From a39f4d0bebc1ff1d63099ca18fef3a52c595b6de Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Tue, 5

Re: [Freeipa-devel] [PATCH] 0057 Skip the fix_replica_memberof update plugin for non-root users

2012-06-05 Thread Petr Viktorin
On 06/05/2012 10:06 AM, Martin Kosek wrote: On Mon, 2012-06-04 at 11:51 -0400, Simo Sorce wrote: On Mon, 2012-06-04 at 17:22 +0200, Petr Viktorin wrote: An update plugin needed root privileges, and aborted the update if an ordinary user ran it. With this patch the plugin is skipped with a

Re: [Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master)

2012-06-05 Thread Sumit Bose
On Mon, Jun 04, 2012 at 03:32:36PM +0300, Alexander Bokovoy wrote: On Mon, 04 Jun 2012, Martin Kosek wrote: I did another round of testing and this is what I found so far: 1) freeipa.spec.in was missing python-crypto BuildRequires (you fixed that) 2) Unit tests need to be updated,

[Freeipa-devel] [PATCH] 0058 Prevent deletion of the last admin

2012-06-05 Thread Petr Viktorin
Raise an error when trying to delete the last user from the 'admins' group The 'admin' group name seems like something that shouldn't be hardcoded, but that's how it's done in the webui and some of our ACIs, and I don't see another solution short of adding a new attribute.

Re: [Freeipa-devel] [PATCH] 492 Add options to reduce writes from KDC

2012-06-05 Thread Simo Sorce
On Mon, 2012-06-04 at 22:59 -0400, Rob Crittenden wrote: Simo Sorce wrote: The original ldap driver we used up to 2.2 had 2 options admins could set to limit the amount of writes to the database on certain auditing related operations. In particular disable_last_success is really important

Re: [Freeipa-devel] [PATCH] 147 Set network.http.sendRefererHeader to 2 on browser config

2012-06-05 Thread Petr Vobornik
On 06/05/2012 05:01 AM, Rob Crittenden wrote: Petr Vobornik wrote: On 05/29/2012 11:29 PM, Rob Crittenden wrote: Petr Vobornik wrote: IPA web UI isn't functional when browser doesn't send http headers. This patch adds a functionality which sets Firefox network.http.sendRefererHeader

Re: [Freeipa-devel] [PATCH] 0057 Skip the fix_replica_memberof update plugin for non-root users

2012-06-05 Thread Rob Crittenden
Martin Kosek wrote: On Mon, 2012-06-04 at 11:51 -0400, Simo Sorce wrote: On Mon, 2012-06-04 at 17:22 +0200, Petr Viktorin wrote: An update plugin needed root privileges, and aborted the update if an ordinary user ran it. With this patch the plugin is skipped with a warning in that case.

Re: [Freeipa-devel] [PATCH] 0057 Skip the fix_replica_memberof update plugin for non-root users

2012-06-05 Thread Rob Crittenden
Petr Viktorin wrote: On 06/05/2012 10:06 AM, Martin Kosek wrote: On Mon, 2012-06-04 at 11:51 -0400, Simo Sorce wrote: On Mon, 2012-06-04 at 17:22 +0200, Petr Viktorin wrote: An update plugin needed root privileges, and aborted the update if an ordinary user ran it. With this patch the

Re: [Freeipa-devel] [PATCH] 0057 Skip the fix_replica_memberof update plugin for non-root users

2012-06-05 Thread Petr Viktorin
On 06/05/2012 03:00 PM, Rob Crittenden wrote: Petr Viktorin wrote: On 06/05/2012 10:06 AM, Martin Kosek wrote: On Mon, 2012-06-04 at 11:51 -0400, Simo Sorce wrote: On Mon, 2012-06-04 at 17:22 +0200, Petr Viktorin wrote: An update plugin needed root privileges, and aborted the update if an

Re: [Freeipa-devel] [PATCH] 0057 Skip the fix_replica_memberof update plugin for non-root users

2012-06-05 Thread Rob Crittenden
Petr Viktorin wrote: On 06/05/2012 03:00 PM, Rob Crittenden wrote: Petr Viktorin wrote: On 06/05/2012 10:06 AM, Martin Kosek wrote: On Mon, 2012-06-04 at 11:51 -0400, Simo Sorce wrote: On Mon, 2012-06-04 at 17:22 +0200, Petr Viktorin wrote: An update plugin needed root privileges, and

Re: [Freeipa-devel] About private ssh host keys in IPA

2012-06-05 Thread Jérôme Fenal
2012/6/5 Sigbjorn Lie sigbj...@nixtra.com On Fri, June 1, 2012 15:24, Simo Sorce wrote: This is about Ticket 1978 (originally rhbz746036). This RFE asks for storing private SSH Host Keys in FreeIPA. We have been triaging this ticket today, and I have to admit I am biased toward

Re: [Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master)

2012-06-05 Thread Richard Megginson
- Original Message - On Mon, Jun 04, 2012 at 03:32:36PM +0300, Alexander Bokovoy wrote: On Mon, 04 Jun 2012, Martin Kosek wrote: I did another round of testing and this is what I found so far: 1) freeipa.spec.in was missing python-crypto BuildRequires (you fixed that) 2)

Re: [Freeipa-devel] [PATCH] 0057 Skip the fix_replica_memberof update plugin for non-root users

2012-06-05 Thread Petr Viktorin
On 06/05/2012 04:18 PM, Rob Crittenden wrote: Petr Viktorin wrote: On 06/05/2012 03:00 PM, Rob Crittenden wrote: Petr Viktorin wrote: On 06/05/2012 10:06 AM, Martin Kosek wrote: On Mon, 2012-06-04 at 11:51 -0400, Simo Sorce wrote: On Mon, 2012-06-04 at 17:22 +0200, Petr Viktorin wrote: An

Re: [Freeipa-devel] [PATCH] 151, 152 Removal of illegal options in association dialog

2012-06-05 Thread Endi Sukma Dewata
If I understood correctly the json_exclude_attrs already defines the list of attributes to be excluded, so is it still necessary to define json_only_presence_options which basically will remove all attributes except name? Suppose later you're writing the UI console where you can type the CLI

[Freeipa-devel] [PATCH] 1023 tool for configuring automount

2012-06-05 Thread Rob Crittenden
Here is a tool that can be used to configure automount in an IPA client. It can use either SSSD or autofs for automount. It also configures NFSv4 on the client so secure maps will work. rob From 4229bd509164ea2ae00a6fb76cfc3b2a174a4847 Mon Sep 17 00:00:00 2001 From: Rob Crittenden

Re: [Freeipa-devel] [PATCH] 41-2 During ipa-client-install verify forward and reverse dns lookup of server

2012-06-05 Thread Rob Crittenden
JR Aquino wrote: On Feb 28, 2012, at 10:43 AM, JR Aquino wrote: On Feb 23, 2012, at 3:56 PM, JR Aquino wrote: ipa-server-install has a method for validating forward and reverse via ipaserver/install/installutils.py ipa-client-install does not currently have an equivalent This patch adds

Re: [Freeipa-devel] 43 Inherit nssldap security access settings during replica install

2012-06-05 Thread Rob Crittenden
Rob Crittenden wrote: JR Aquino wrote: When making adjustments to increase the bind security settings of a FreeIPA server, it is best practice to inherit those settings when installing a new replica server. Inherit the following bind security settings when performing a replica install: