Re: [Freeipa-devel] server install failing in F-20?

2014-03-03 Thread Martin Kosek
On 02/28/2014 11:05 PM, Alexander Bokovoy wrote: > On Fri, 28 Feb 2014, Rob Crittenden wrote: >> I'm seeing what looks like https://fedorahosted.org/freeipa/ticket/4084 in >> new F-20 install I stood up. I finally threw my hands up and configured >> system to use an environment file to work around

Re: [Freeipa-devel] [PATCH 0007][DOC] Tip on restoring admin account

2014-03-03 Thread Petr Viktorin
On 03/02/2014 11:26 PM, Gabe Alford wrote: Here is an updated patch that merges the notes and adds info about preventing removal of the last admin. Gabe That looks misleading to me -- by default, the "group administrators" privilege actually excludes the right to modify admins. Only admins or

Re: [Freeipa-devel] [PATCHES] 0483-0485 Move ipalib.text to ipapython

2014-03-03 Thread Jan Cholasta
Hi, On 28.2.2014 17:49, Petr Viktorin wrote: Hello! This moves ipalib.text to ipapython. Why do we want this? Firstly, it's a step towards breaking the ipapython dependency on ipalib, which is something we vaguely want to do in the long run for the sake of clean code and potential reuse. But

Re: [Freeipa-devel] [PATCH] 238 Fix modlist generation code not to generate empty replace mods

2014-03-03 Thread Jan Cholasta
On 28.2.2014 16:29, Petr Viktorin wrote: On 02/04/2014 03:01 PM, Jan Cholasta wrote: Hi, the attached patch fixes . Honza Thanks, ACK. Here are some tests for this, do they look good? They look good to me, thanks. -- Jan Cholasta

Re: [Freeipa-devel] [PATCH] 238 Fix modlist generation code not to generate empty replace mods

2014-03-03 Thread Petr Viktorin
On 03/03/2014 11:43 AM, Jan Cholasta wrote: On 28.2.2014 16:29, Petr Viktorin wrote: On 02/04/2014 03:01 PM, Jan Cholasta wrote: Hi, the attached patch fixes . Honza Thanks, ACK. Here are some tests for this, do they look good? They look good

[Freeipa-devel] LDAP schema for PKCS#11

2014-03-03 Thread Ludwig Krispenz
Hi, starting a new thread, after a lot of discussion and feedback, which I tried to integrate into the current draft at: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/pkcs11Schema Here are some design decisions I made and which need to be finally decided. 1] Add nss trust objects.

Re: [Freeipa-devel] [PATCH 0042] Rework how otptoken defaults are handled

2014-03-03 Thread Jan Cholasta
On 21.2.2014 17:45, Nathaniel McCallum wrote: On Fri, 2014-02-21 at 16:29 +0100, Jan Cholasta wrote: Hi, On 21.2.2014 16:09, Nathaniel McCallum wrote: On Fri, 2014-02-21 at 09:45 -0500, Nathaniel McCallum wrote: We had originally decided to provide defaults on the server side so that they cou

Re: [Freeipa-devel] [PATCHES] 0337-0343 YAML test configuration

2014-03-03 Thread Tomas Babej
Finally got to this patchset! PATCH 337: ACK PATCH 338: ACK This prohibits us from using extra roles that end in digits. Can you put a note explaining that in http://www.freeipa.org/page/V3/Integration_testing#Host_configuration Also, this wiki page points out to environment variables so that it se

Re: [Freeipa-devel] LDAP schema for PKCS#11

2014-03-03 Thread Jan Cholasta
Hi, adding Stef Walter to CC, as he has extensive knowledge of PKCS#11. On 3.3.2014 12:51, Ludwig Krispenz wrote: Hi, starting a new thread, after a lot of discussion and feedback, which I tried to integrate into the current draft at: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/p

Re: [Freeipa-devel] server install failing in F-20?

2014-03-03 Thread Anthony Messina
On Friday, February 28, 2014 03:48:43 PM Rob Crittenden wrote: > I'm seeing what looks like https://fedorahosted.org/freeipa/ticket/4084 > in new F-20 install I stood up. I finally threw my hands up and > configured system to use an environment file to work around it. > > Not sure if anyone else

Re: [Freeipa-devel] LDAP schema for PKCS#11

2014-03-03 Thread Petr Spacek
On 3.3.2014 13:49, Jan Cholasta wrote: On 3.3.2014 12:51, Ludwig Krispenz wrote: starting a new thread, after a lot of discussion and feedback, which I tried to integrate into the current draft at: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/pkcs11Schema I have added couple links a

Re: [Freeipa-devel] LDAP schema for PKCS#11

2014-03-03 Thread Jan Cholasta
On 3.3.2014 14:52, Stef Walter wrote: On 03.03.2014 14:30, Petr Spacek wrote: On 3.3.2014 13:49, Jan Cholasta wrote: On 3.3.2014 12:51, Ludwig Krispenz wrote: starting a new thread, after a lot of discussion and feedback, which I tried to integrate into the current draft at: https://fedorahoste

Re: [Freeipa-devel] server install failing in F-20?

2014-03-03 Thread Petr Viktorin
On 02/28/2014 09:48 PM, Rob Crittenden wrote: I'm seeing what looks like https://fedorahosted.org/freeipa/ticket/4084 in new F-20 install I stood up. I finally threw my hands up and configured system to use an environment file to work around it. Not sure if anyone else is seeing this. rob I'm

Re: [Freeipa-devel] [PATCH 0007][DOC] Tip on restoring admin account

2014-03-03 Thread Gabe Alford
Yes, the attached patch looks good. I see what you are saying how it did look misleading. Thanks, Gabe On Mon, Mar 3, 2014 at 3:13 AM, Petr Viktorin wrote: > On 03/02/2014 11:26 PM, Gabe Alford wrote: > >> Here is an updated patch that merges the notes and adds info about >> preventing remova

Re: [Freeipa-devel] LDAP schema for PKCS#11

2014-03-03 Thread Jan Cholasta
On 3.3.2014 15:07, Stef Walter wrote: On 03.03.2014 15:03, Jan Cholasta wrote: If you plug a PKCS#11 module into p11-kit, will p11-kit use NSS trust objects from the module? No. This is the spec for storing trust policy in PKCS#11 that we've been working on: http://p11-glue.freedesktop.org/do

Re: [Freeipa-devel] [PATCH 0007][DOC] Tip on restoring admin account

2014-03-03 Thread Petr Viktorin
On 03/03/2014 03:16 PM, Gabe Alford wrote: Yes, the attached patch looks good. I see what you are saying how it did look misleading. Thanks, Gabe Thank you for your help! Pushed to docs master: dfb1b16b4b62e87540b34bae8b4454021f17fd71 On Mon, Mar 3, 2014 at 3:13 AM, Petr Viktorin mailto:p

Re: [Freeipa-devel] LDAP schema for PKCS#11

2014-03-03 Thread Stef Walter
On 03.03.2014 15:03, Jan Cholasta wrote: >>> This link definitely should be somewhere in design docs. >>> BTW, there are some additional attributes defined in /usr/include/nss3/pkcs11n.h besides these mentioned in the link above: >>> And this too... Feel free to upload the file to wiki if

Re: [Freeipa-devel] LDAP schema for PKCS#11

2014-03-03 Thread Stef Walter
On 03.03.2014 14:30, Petr Spacek wrote: > On 3.3.2014 13:49, Jan Cholasta wrote: >> On 3.3.2014 12:51, Ludwig Krispenz wrote: >>> starting a new thread, after a lot of discussion and feedback, which I >>> tried to integrate into the current draft at: >>> https://fedorahosted.org/bind-dyndb-ldap/wiki

[Freeipa-devel] [PATCH] 0486 permission-mod: Remove attributelevelrights before reverting entry

2014-03-03 Thread Petr Viktorin
Hello, This fixes issue #4212 which Petr¹ found in his Web UI work. [#4212] https://fedorahosted.org/freeipa/ticket/4212 -- Petr³ From 3fd6a68161cc267d59731cfb0257cc350acfc36f Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 3 Mar 2014 14:46:51 +0100 Subject: [PATCH] permission-mod: Remo

Re: [Freeipa-devel] [PATCHES] 0473-0477 Managed permission updater, part 1

2014-03-03 Thread Petr Viktorin
On 02/28/2014 02:47 PM, Petr Viktorin wrote: On 02/28/2014 02:12 PM, Martin Kosek wrote: On 02/26/2014 10:44 AM, Petr Viktorin wrote: Hello, Here are a few fixes/improvements, and the first part of a managed permission updater. The patches should go in this order but don't need to be ACKed/pus

[Freeipa-devel] [PATCH 0045] Fix token secret length RFC compliance

2014-03-03 Thread Nathaniel McCallum
RFC 4226 states the following in section 4: R6 - The algorithm MUST use a strong shared secret. The length of the shared secret MUST be at least 128 bits. This document RECOMMENDs a shared secret length of 160 bits. From d75ea4ffded9e6f9e60702bf481dd7b9e5d201ac Mon Sep 17 00:00:00 2001

Re: [Freeipa-devel] [PATCH 0045] Fix token secret length RFC compliance

2014-03-03 Thread Jan Cholasta
On 3.3.2014 17:13, Nathaniel McCallum wrote: RFC 4226 states the following in section 4: R6 - The algorithm MUST use a strong shared secret. The length of the shared secret MUST be at least 128 bits. This document RECOMMENDs a shared secret length of 160 bits. ACK. -- Jan Cholast

Re: [Freeipa-devel] [PATCH 0113] ipa-client: Set NIS domain name in the installer

2014-03-03 Thread Tomas Babej
The updated patch addresses all the mentioned issues. Also enables systemd's specific domainname service instead of relying on ypbind being present on the system. Please note that nisdomainname is not configured on boot time at the moment. The following bug is the cause: https://bugzilla.redhat.com

[Freeipa-devel] [PATCH 0157] ipa-client-install: Configure sudo to use SSSD as data source

2014-03-03 Thread Tomas Babej
Hi, Makes ipa-client-install configure SSSD as the data provider for the sudo service by default. This behaviour can be disabled by using --no-sudo flag. https://fedorahosted.org/freeipa/ticket/3358 -- Tomas Babej Associate Software Engineer | Red Hat | Identity Management RHCE | Brno Site | I

[Freeipa-devel] [PATCH 0008] Typo in warning message where IPA realm and domain name differ

2014-03-03 Thread Gabe Alford
Hi all, Quick one line change to fix. https://fedorahosted.org/freeipa/ticket/4211 Thanks, Gabe freeipa-rga-0008-Typo-in-warning-message-where-IPA-realm-and-domain-n.patch Description: Binary data ___ Freeipa-devel mailing list Freeipa-devel@redhat.

Re: [Freeipa-devel] [PATCH] 531-541 OTP UI

2014-03-03 Thread Dmitri Pal
On 02/27/2014 11:42 AM, Nathaniel McCallum wrote: On Thu, 2014-02-27 at 17:29 +0100, Petr Vobornik wrote: On 27.2.2014 16:51, Nathaniel McCallum wrote: On Thu, 2014-02-27 at 13:35 +0100, Petr Vobornik wrote: On 21.2.2014 15:24, Petr Vobornik wrote: On 10.2.2014 14:12, Petr Vobornik wrote: On

Re: [Freeipa-devel] [PATCH 0008] Typo in warning message where IPA realm and domain name differ

2014-03-03 Thread Simo Sorce
On Mon, 2014-03-03 at 17:20 -0700, Gabe Alford wrote: > Hi all, > > Quick one line change to fix. > > https://fedorahosted.org/freeipa/ticket/4211 ACK Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-devel] Client-side command in the IPA framework

2014-03-03 Thread Dmitri Pal
On 03/01/2014 10:07 PM, Adam Young wrote: On 02/28/2014 10:21 AM, Petr Viktorin wrote: On 02/28/2014 04:15 PM, Alexander Bokovoy wrote: On Fri, 28 Feb 2014, Nathaniel McCallum wrote: On Fri, 2014-02-28 at 16:43 +0200, Alexander Bokovoy wrote: On Fri, 28 Feb 2014, Nathaniel McCallum wrote: >On