On 02/06/2013 07:23 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
On 02/06/2013 12:44 AM, Rob Crittenden wrote:
This adds a cert-find command for the dogtag backend.
Searches can be done by serial number, by subject, revocation reason,
issue date, notbefore, notafter and revocation dates.
I
The FreeIPA team is proud to announce version FreeIPA v2.2.2
This release contains Security Updates.
It can be downloaded from http://www.freeipa.org/page/Downloads.
A build is currently on the way to updates-testing for Fedora 17.
== Highlights ==
This release contains a Security Advisory:
*
On 01/29/2013 05:06 PM, Petr Viktorin wrote:
On 01/04/2013 07:20 PM, Petr Viktorin wrote:
On 12/14/2012 09:04 AM, Jan Cholasta wrote:
On 13.12.2012 18:09, Petr Viktorin wrote:
On 12/13/2012 04:43 PM, Martin Kosek wrote:
On 12/13/2012 10:59 AM, Petr Viktorin wrote:
It's time to give this to a
On 24.1.2013 10:43, Petr Viktorin wrote:
On 01/22/2013 04:04 PM, Petr Viktorin wrote:
On 01/21/2013 06:38 PM, Petr Viktorin wrote:
On 01/17/2013 06:27 PM, Petr Viktorin wrote:
Hello,
This is the first batch of changes aimed to consolidate our LDAP code.
Each should be a self-contained change t
On 01/18/2013 06:27 PM, Martin Kosek wrote:
> On 01/17/2013 04:15 PM, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> Give a clear message about what is wrong with current Trust settings
>>> before letting AD to return a confusing error message.
>>>
>>> https://fedorahosted.org/freeipa/ticket/3193
On 02/01/2013 01:35 PM, Martin Kosek wrote:
> On 01/24/2013 03:04 PM, Simo Sorce wrote:
>> On Thu, 2013-01-24 at 08:15 +0100, Martin Kosek wrote:
>>> On 01/23/2013 02:23 PM, Simo Sorce wrote:
On Wed, 2013-01-23 at 09:10 +0100, Martin Kosek wrote:
> On 01/19/2013 07:35 PM, Simo Sorce wrote:
On Wed, 13 Feb 2013, Martin Kosek wrote:
On 02/01/2013 01:35 PM, Martin Kosek wrote:
On 01/24/2013 03:04 PM, Simo Sorce wrote:
On Thu, 2013-01-24 at 08:15 +0100, Martin Kosek wrote:
On 01/23/2013 02:23 PM, Simo Sorce wrote:
On Wed, 2013-01-23 at 09:10 +0100, Martin Kosek wrote:
On 01/19/2013
On 02/12/2013 06:23 PM, Simo Sorce wrote:
On Tue, 2013-02-12 at 18:03 +0100, Tomas Babej wrote:
On 02/12/2013 05:50 PM, Tomas Babej wrote:
Hi,
This patch adds a check for krbprincipalexpiration attribute to
pre_bind operation
in ipa-pwd-extop dirsrv plugin. If the principal is expired, auth is
On Tue, 2013-02-12 at 19:30 -0500, Dmitri Pal wrote:
> It looks like thinks are starting to boil down to building a Kerberos proxy.
> Is this something that fits within your thesis agenda Ondra?
I guess that's for Ondrej to say, if it is too much we can simply start
working on the LDAP/replicatio
On Tue, 12 Feb 2013, Ana Krivokapic wrote:
Add new LDAP container to store the list of domains associated with IPA
realm.
Add two new ipa commands (ipa realmdomains-show and ipa
realmdomains-mod) to allow manipulation of the list of realm domains.
Unit test file covering these new commands was ad
Hello list,
with recently seen a few requests to add FreeIPA users via LDAP
directly. This is a common method supported by many meta-directory/HR
systems, however so far we cannot really recommend it because we add
quite a number of attributes automatically in our framework code when we
create use
On 02/13/2013 07:53 AM, Simo Sorce wrote:
Hello list,
with recently seen a few requests to add FreeIPA users via LDAP
directly. This is a common method supported by many meta-directory/HR
systems, however so far we cannot really recommend it because we add
quite a number of attributes automatica
On 02/13/2013 03:53 PM, Simo Sorce wrote:
Hello list,
with recently seen a few requests to add FreeIPA users via LDAP
directly. This is a common method supported by many meta-directory/HR
systems, however so far we cannot really recommend it because we add
quite a number of attributes automatica
On 13.2.2013 15:53, Simo Sorce wrote:
Hello list,
with recently seen a few requests to add FreeIPA users via LDAP
directly. This is a common method supported by many meta-directory/HR
systems, however so far we cannot really recommend it because we add
quite a number of attributes automatically
Petr Viktorin wrote:
On 02/13/2013 03:53 PM, Simo Sorce wrote:
Hello list,
with recently seen a few requests to add FreeIPA users via LDAP
directly. This is a common method supported by many meta-directory/HR
systems, however so far we cannot really recommend it because we add
quite a number of
On 02/13/2013 04:15 PM, Petr Spacek wrote:
On 13.2.2013 15:53, Simo Sorce wrote:
Hello list,
with recently seen a few requests to add FreeIPA users via LDAP
directly. This is a common method supported by many meta-directory/HR
systems, however so far we cannot really recommend it because we add
On 02/11/2013 11:17 AM, Tomas Babej wrote:
Hi,
The name of any protected group now cannot be changed by modifing
the cn attribute using --setattr. Unit tests have been added to
make sure there is no regression.
https://fedorahosted.org/freeipa/ticket/3354
Tomas
We need a better general way
On 02/13/2013 02:14 PM, Alexander Bokovoy wrote:
> On Wed, 13 Feb 2013, Martin Kosek wrote:
>> On 02/01/2013 01:35 PM, Martin Kosek wrote:
>>> On 01/24/2013 03:04 PM, Simo Sorce wrote:
On Thu, 2013-01-24 at 08:15 +0100, Martin Kosek wrote:
> On 01/23/2013 02:23 PM, Simo Sorce wrote:
>>
On Wed, 2013-02-13 at 16:33 +0100, Petr Viktorin wrote:
> On 02/13/2013 04:15 PM, Petr Spacek wrote:
> > On 13.2.2013 15:53, Simo Sorce wrote:
> >> Hello list,
> >>
> >> with recently seen a few requests to add FreeIPA users via LDAP
> >> directly. This is a common method supported by many meta-dir
On Wed, 2013-02-13 at 16:12 +0100, Petr Viktorin wrote:
> Our own post-callback assumes the user is already in LDAP, and who
> knows what user-supplied callbacks will do. Keep in mind IPA is
> plugable; at least for outside plugins' sake (if not our own sanity's)
> we should keep the number of code
On Wed, 2013-02-13 at 11:27 -0500, Simo Sorce wrote:
> This is why I proposed a plugin that is limited to users and calls the
> framework so we can use common code.
> The *simpler* way would be to simply replicate the core framework
> login
> in the 389ds plugin or even *move* it there.
>
> But we
On Wed, 2013-02-13 at 08:08 -0700, Rich Megginson wrote:
> On 02/13/2013 07:53 AM, Simo Sorce wrote:
> > Hello list,
> >
> > with recently seen a few requests to add FreeIPA users via LDAP
> > directly. This is a common method supported by many meta-directory/HR
> > systems, however so far we canno
On Wed, 2013-02-13 at 11:44 -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Wed, 2013-02-13 at 16:12 +0100, Petr Viktorin wrote:
> >> Our own post-callback assumes the user is already in LDAP, and who
> >> knows what user-supplied callbacks will do. Keep in mind IPA is
> >> plugable; at lea
On 02/13/2013 05:27 PM, Simo Sorce wrote:
[...]
I am sorry, but 'cleaner' is really the last word I'd use, 'hack' is
what comes to mind here to be honest.
Then I'm missing something. Thanks for your explanations.
What about small (optional) separate daemon?
One more moving part one additio
On 02/13/2013 09:53 AM, Simo Sorce wrote:
On Wed, 2013-02-13 at 08:08 -0700, Rich Megginson wrote:
On 02/13/2013 07:53 AM, Simo Sorce wrote:
Hello list,
with recently seen a few requests to add FreeIPA users via LDAP
directly. This is a common method supported by many meta-directory/HR
systems
On 02/13/2013 09:57 AM, Simo Sorce wrote:
On Wed, 2013-02-13 at 11:44 -0500, Rob Crittenden wrote:
Simo Sorce wrote:
On Wed, 2013-02-13 at 16:12 +0100, Petr Viktorin wrote:
Our own post-callback assumes the user is already in LDAP, and who
knows what user-supplied callbacks will do. Keep in mi
On 02/13/2013 05:57 PM, Simo Sorce wrote:
On Wed, 2013-02-13 at 11:44 -0500, Rob Crittenden wrote:
Simo Sorce wrote:
On Wed, 2013-02-13 at 16:12 +0100, Petr Viktorin wrote:
Our own post-callback assumes the user is already in LDAP, and who
knows what user-supplied callbacks will do. Keep in mi
Simo Sorce wrote:
On Wed, 2013-02-13 at 16:12 +0100, Petr Viktorin wrote:
Our own post-callback assumes the user is already in LDAP, and who
knows what user-supplied callbacks will do. Keep in mind IPA is
plugable; at least for outside plugins' sake (if not our own sanity's)
we should keep the n
On Wed, 2013-02-13 at 18:16 +0100, Petr Viktorin wrote:
> On 02/13/2013 05:57 PM, Simo Sorce wrote:
> > On Wed, 2013-02-13 at 11:44 -0500, Rob Crittenden wrote:
> >> Simo Sorce wrote:
> >>> On Wed, 2013-02-13 at 16:12 +0100, Petr Viktorin wrote:
> Our own post-callback assumes the user is alre
I appreciate Simo's concern for authorization and audit in this process,
we must solve that problem. If I understand the proposal correctly it's
akin to recording a macro that can be replayed. The framework executes
as normal but instead of issuing the LDAP modify commands we record
them. Then
On Wed, 2013-02-13 at 18:11 +0100, Petr Viktorin wrote:
> >>> 1. create some new subtree, e.g. cn=useradd-playground,dc=example,dc=com
> >
> > This has more consequences than you may think.
> > I do not like the separate field idea because you need to treat it in a
> > special way. We would probabl
On Wed, 2013-02-13 at 12:40 -0500, John Dennis wrote:
> I appreciate Simo's concern for authorization and audit in this process,
> we must solve that problem. If I understand the proposal correctly it's
> akin to recording a macro that can be replayed. The framework executes
> as normal but inst
On 02/13/2013 10:50 AM, Simo Sorce wrote:
On Wed, 2013-02-13 at 18:11 +0100, Petr Viktorin wrote:
1. create some new subtree, e.g. cn=useradd-playground,dc=example,dc=com
This has more consequences than you may think.
I do not like the separate field idea because you need to treat it in a
speci
On 02/13/2013 12:53 PM, Simo Sorce wrote:
If we can solve the looping and potential deadlocking concerns I think
we can avoid the json reply and let the framework do the actual final
ldap add.
Could you elaborate on your looping and deadlock concerns? I don't see
where they would arise if wha
On Wed, 2013-02-13 at 12:59 -0500, John Dennis wrote:
> On 02/13/2013 12:53 PM, Simo Sorce wrote:
>
> > If we can solve the looping and potential deadlocking concerns I think
> > we can avoid the json reply and let the framework do the actual final
> > ldap add.
>
> Could you elaborate on your lo
On Wed, 2013-02-13 at 10:57 -0700, Rich Megginson wrote:
> > Rich,
> > is there potential from deadlocking here due to the new transaction
> > stuff ? Or can we single out this plugin to run before *any*
> transaction
> > is started ?
> If you do this in a "regular" pre-op, not a "betxn" pre-op,
Simo Sorce wrote:
On Wed, 2013-02-13 at 12:59 -0500, John Dennis wrote:
On 02/13/2013 12:53 PM, Simo Sorce wrote:
If we can solve the looping and potential deadlocking concerns I think
we can avoid the json reply and let the framework do the actual final
ldap add.
Could you elaborate on your
Dne 13.2.2013 14:36, Simo Sorce napsal(a):
On Tue, 2013-02-12 at 19:30 -0500, Dmitri Pal wrote:
It looks like thinks are starting to boil down to building a Kerberos proxy.
Is this something that fits within your thesis agenda Ondra?
I guess that's for Ondrej to say, if it is too much we can s
On Wed, 13 Feb 2013, Martin Kosek wrote:
On 02/13/2013 02:14 PM, Alexander Bokovoy wrote:
On Wed, 13 Feb 2013, Martin Kosek wrote:
On 02/01/2013 01:35 PM, Martin Kosek wrote:
On 01/24/2013 03:04 PM, Simo Sorce wrote:
On Thu, 2013-01-24 at 08:15 +0100, Martin Kosek wrote:
On 01/23/2013 02:23
On 02/13/2013 01:30 PM, Rob Crittenden wrote:
Simo Sorce wrote:
On Wed, 2013-02-13 at 12:59 -0500, John Dennis wrote:
On 02/13/2013 12:53 PM, Simo Sorce wrote:
If we can solve the looping and potential deadlocking concerns I think
we can avoid the json reply and let the framework do the actua
John Dennis wrote:
On 02/13/2013 01:30 PM, Rob Crittenden wrote:
Simo Sorce wrote:
On Wed, 2013-02-13 at 12:59 -0500, John Dennis wrote:
On 02/13/2013 12:53 PM, Simo Sorce wrote:
If we can solve the looping and potential deadlocking concerns I think
we can avoid the json reply and let the fr
On Wed, 2013-02-13 at 13:30 -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Wed, 2013-02-13 at 12:59 -0500, John Dennis wrote:
> >> On 02/13/2013 12:53 PM, Simo Sorce wrote:
> >>
> >>> If we can solve the looping and potential deadlocking concerns I think
> >>> we can avoid the json reply a
On Wed, 2013-02-13 at 19:34 +0100, Ondrej Hamada wrote:
> Dne 13.2.2013 14:36, Simo Sorce napsal(a):
> > On Tue, 2013-02-12 at 19:30 -0500, Dmitri Pal wrote:
> >
> >> It looks like thinks are starting to boil down to building a Kerberos
> >> proxy.
> >> Is this something that fits within your thes
Hello,
When I try install from RPMs created from 'make rpms' on F18 I get the
following error:
2013-02-13T19:49:27Z INFO The ipa-server-install command failed, exception:
IndexError: list index out of range
Here are the few log entries before it:
2013-02-13T19:49:27Z INFO File
"/usr/lib/py
On 02/13/2013 02:59 PM, Brian Cook wrote:
Hello,
When I try install from RPMs created from 'make rpms' on F18 I get the
following error:
2013-02-13T19:49:27Z INFO The ipa-server-install command failed, exception:
IndexError: list index out of range
Here are the few log entries before it:
20
Brian Cook wrote:
Hello,
When I try install from RPMs created from 'make rpms' on F18 I get the
following error:
2013-02-13T19:49:27Z INFO The ipa-server-install command failed, exception:
IndexError: list index out of range
Here are the few log entries before it:
2013-02-13T19:49:27Z INFO
This is a patch for ticket 2575 on trac: [RFE] Installer wizard should prompt
for DNS. This is my first time submitting a patch so I was looking for
something that seemed relatively easy…
Thanks,
Brian
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 1559
Hi,
I have set up a nightly development yum repository for 389 Directory
Server builds from "master". There are currently builds available for
Fedora 18 (x86_64 and i686). I will work on adding builds for rawhide
(F19) in the near future. New builds are made nightly from the "master"
branc
)
>
> bind.create_instance()
> @@ -1147,11 +1158,11 @@ def main():
> print "\t\t * 80, 443: HTTP/HTTPS"
> print "\t\t * 389, 636: LDAP/LDAPS"
> print "\t\t * 88, 464: kerberos"
> -if options.setup_dns:
> +if setup_d
On 02/13/2013 02:08 PM, Simo Sorce wrote:
> On Wed, 2013-02-13 at 13:30 -0500, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Wed, 2013-02-13 at 12:59 -0500, John Dennis wrote:
On 02/13/2013 12:53 PM, Simo Sorce wrote:
> If we can solve the looping and potential deadlocking concern
On 02/13/2013 06:18 PM, Dmitri Pal wrote:
On 02/13/2013 02:08 PM, Simo Sorce wrote:
On Wed, 2013-02-13 at 13:30 -0500, Rob Crittenden wrote:
Simo Sorce wrote:
On Wed, 2013-02-13 at 12:59 -0500, John Dennis wrote:
On 02/13/2013 12:53 PM, Simo Sorce wrote:
If we can solve the looping and pote
nt "Forwarders:%s" % ("No forwarders" if not dns_forwarders \
>> else ", ".join([str(ip) for ip in dns_forwarders]))
>> @@ -1102,7 +1113,7 @@ def main():
>>persistent_search=options.persistent_search,
>>
On 02/13/2013 09:48 PM, Nathan Kinder wrote:
> On 02/13/2013 06:18 PM, Dmitri Pal wrote:
>> On 02/13/2013 02:08 PM, Simo Sorce wrote:
>>> On Wed, 2013-02-13 at 13:30 -0500, Rob Crittenden wrote:
Simo Sorce wrote:
> On Wed, 2013-02-13 at 12:59 -0500, John Dennis wrote:
>> On 02/13/2013
On 02/13/2013 09:16 AM, Petr Viktorin wrote:
On 02/13/2013 05:57 PM, Simo Sorce wrote:
On Wed, 2013-02-13 at 11:44 -0500, Rob Crittenden wrote:
Simo Sorce wrote:
On Wed, 2013-02-13 at 16:12 +0100, Petr Viktorin wrote:
Our own post-callback assumes the user is already in LDAP, and who
knows wh
On 02/13/2013 10:40 PM, Nathan Kinder wrote:
With the DS plug-in approach that calls into the IPA framework with a
'mock add' to form the resulting entry at the pre-op stage, we could
take care of the initial ADD operation of the user entry. We would
still need to have a way to trigger the addit
On 02/13/2013 08:30 PM, John Dennis wrote:
On 02/13/2013 10:40 PM, Nathan Kinder wrote:
With the DS plug-in approach that calls into the IPA framework with a
'mock add' to form the resulting entry at the pre-op stage, we could
take care of the initial ADD operation of the user entry. We would
s
On 02/14/2013 12:16 AM, Nathan Kinder wrote:
On 02/13/2013 08:30 PM, John Dennis wrote:
On 02/13/2013 10:40 PM, Nathan Kinder wrote:
With the DS plug-in approach that calls into the IPA framework with a
'mock add' to form the resulting entry at the pre-op stage, we could
take care of the initia
>> elif options.forwarders:
>>> @@ -858,7 +869,7 @@ def main():
>>> print "Realm name:%s" % realm_name
>>> print
>>>
>>> -if options.s
On 02/13/2013 07:38 PM, Alexander Bokovoy wrote:
> On Wed, 13 Feb 2013, Martin Kosek wrote:
>> On 02/13/2013 02:14 PM, Alexander Bokovoy wrote:
>>> On Wed, 13 Feb 2013, Martin Kosek wrote:
On 02/01/2013 01:35 PM, Martin Kosek wrote:
> On 01/24/2013 03:04 PM, Simo Sorce wrote:
>> On Thu
59 matches
Mail list logo
