Re: [Freeipa-devel] [PATCH] 0529 Add managed read permission to trusts

2014-04-17 Thread Martin Kosek
On 04/16/2014 06:56 PM, Sumit Bose wrote: On Wed, Apr 16, 2014 at 04:59:55PM +0300, Alexander Bokovoy wrote: On Wed, 16 Apr 2014, Simo Sorce wrote: ... Can you please list exactly which ones are needed ? ... - objectclass ipaIDRange - cn - ipaBaseID - ipaIDRangeSize -

Re: [Freeipa-devel] [PATCH] Do not ask for memberindirect when updating managed permissions

2014-04-17 Thread Petr Viktorin
On 04/16/2014 03:58 PM, Martin Kosek wrote: On 04/16/2014 03:52 PM, Simo Sorce wrote: On Wed, 2014-04-16 at 10:35 +0200, Jan Cholasta wrote: On 11.4.2014 13:31, Petr Viktorin wrote: One of the default_attributes of permission is memberofindirect, a virtual attribute manufactured by ldap2,

Re: [Freeipa-devel] [RFC] Migrating existing environments to Trust

2014-04-17 Thread Sumit Bose
On Wed, Apr 16, 2014 at 09:02:00PM -0400, Dmitri Pal wrote: On 04/15/2014 05:13 AM, Sumit Bose wrote: Hi, I have started to write a design page for 'Migrating existing environments to Trust' http://www.freeipa.org/page/V3/Migrating_existing_environments_to_Trust It shall cover

Re: [Freeipa-devel] [PATCH] 0525 Add managed read permissions to automember

2014-04-17 Thread Petr Viktorin
On 04/16/2014 04:35 PM, Martin Kosek wrote: On 04/15/2014 02:33 PM, Petr Viktorin wrote: Read access to both rules and definitions is given to a new privilege, 'Automember Readers', as well as the existing 'Automember Task Administrator'. This needs a mild rebase in 40-delegation.update. When

Re: [Freeipa-devel] New ACIs for cn=etc

2014-04-17 Thread Petr Viktorin
On 04/16/2014 03:04 PM, Simo Sorce wrote: On Wed, 2014-04-16 at 15:00 +0200, Petr Viktorin wrote: Simo, Rob, would you be OK with changing virtual operation objectclass to our own one to have a better control over it? No, in general I am not ok to change objects that already exist in IPA

Re: [Freeipa-devel] Ipatests fixes

2014-04-17 Thread Tomas Babej
On 04/09/2014 01:33 PM, Petr Viktorin wrote: On 04/09/2014 12:07 PM, Tomas Babej wrote: Hi, the following batch deals with the following: * cleans up apache's semaphores prior to installing IPA (CA install can get stuck when IPA is reinstalled many times) What happens if Apache is running

Re: [Freeipa-devel] [RFC] Migrating existing environments to Trust

2014-04-17 Thread Alexander Bokovoy
On Thu, 17 Apr 2014, Sumit Bose wrote: On Wed, Apr 16, 2014 at 09:02:00PM -0400, Dmitri Pal wrote: On 04/15/2014 05:13 AM, Sumit Bose wrote: Hi, I have started to write a design page for 'Migrating existing environments to Trust'

Re: [Freeipa-devel] [PATCH] 0525 Add managed read permissions to automember

2014-04-17 Thread Martin Kosek
On 04/17/2014 12:03 PM, Petr Viktorin wrote: On 04/16/2014 04:35 PM, Martin Kosek wrote: On 04/15/2014 02:33 PM, Petr Viktorin wrote: Read access to both rules and definitions is given to a new privilege, 'Automember Readers', as well as the existing 'Automember Task Administrator'. This

Re: [Freeipa-devel] Draft: Read permissions for user

2014-04-17 Thread Petr Viktorin
On 04/16/2014 03:41 PM, Simo Sorce wrote: On Wed, 2014-04-16 at 15:08 +0200, Martin Kosek wrote: On 04/15/2014 04:55 PM, Petr Viktorin wrote: Hello, At Devconf, we decided what most of the default read permissions should look like, but we did not get to user. Here is a draft of 4 read

[Freeipa-devel] [PATCHES 0172-0176] ipa_range_check improvements

2014-04-17 Thread Tomas Babej
Hi, This set of patches deals with bugs and extensions of ipa_range_check plugin. See commit messages for details. Parts of: https://fedorahosted.org/freeipa/ticket/4137 -- Tomas Babej Associate Software Engineer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org

Re: [Freeipa-devel] [PATCHES] 255-259 Framework tweaks

2014-04-17 Thread Tomas Babej
ACK for 256 - 259. On 04/01/2014 10:45 AM, Jan Cholasta wrote: Hi, while working with Martin Bašti on issues in his dns plugin patches we ran into several limitations in the framework. The attached patches remove these limitations. Also, Tomáš Babej pointed out that when using --raw, all

Re: [Freeipa-devel] [PATCHES 0172-0176] ipa_range_check improvements

2014-04-17 Thread Alexander Bokovoy
On Thu, 17 Apr 2014, Tomas Babej wrote: From 43cd26a0a42c3b18e4dbb5c6ed0f20ee1562b98a Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Wed, 16 Apr 2014 17:15:55 +0200 Subject: [PATCH] ipa_range_check: Use special attributes to determine presence of RID bases The

Re: [Freeipa-devel] [PATCHES 0172-0176] ipa_range_check improvements

2014-04-17 Thread Alexander Bokovoy
On Thu, 17 Apr 2014, Tomas Babej wrote: From d714f77f1f162d1c7daeecf7a340f95ed3368f2d Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Wed, 16 Apr 2014 17:20:55 +0200 Subject: [PATCH] ipa_range_check: Connect the new node of the linked list Part of:

Re: [Freeipa-devel] [PATCHES 0172-0176] ipa_range_check improvements

2014-04-17 Thread Alexander Bokovoy
On Thu, 17 Apr 2014, Tomas Babej wrote: From 632c0ed1fca2cb48b981f6daac55badd59c9c263 Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Wed, 16 Apr 2014 17:22:46 +0200 Subject: [PATCH] ipa_range_check: Make a new copy of forest_root_id attribute for range_info struct Not

Re: [Freeipa-devel] [PATCHES 0172-0176] ipa_range_check improvements

2014-04-17 Thread Alexander Bokovoy
On Thu, 17 Apr 2014, Tomas Babej wrote: From ed60bd0e865aad85eb1ffa02d8aea7f76220c65c Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Wed, 16 Apr 2014 17:26:07 +0200 Subject: [PATCH] ipa_range_check: Do not fail when no trusted domain is available When building the domain to

[Freeipa-devel] [PATCH] 12 Call generate-rndc-key.sh during ipa-server-install

2014-04-17 Thread Misnyovszki Adam
Hi, this patch modifies ipa-server-install to warn the user if there is a lack of entropy, and also runs generate-rndc-key.sh before named restart, to ensure that it can start before systemd times out. Thanks Adam From d405cea8dae5a03ab0f9d429d3251e8be9ae9fe2 Mon Sep 17 00:00:00 2001 From: Adam

[Freeipa-devel] Forward zone V4/Design draft

2014-04-17 Thread Martin Basti
Hello, I created a draft to split forward and master zone. http://www.freeipa.org/page/V4/Forward_zones#Questions There is a question: should it be implemented as a new command set, or as a --type={master|forward} parameter only? For details see link above in section Questions. Martin^2 Basti

Re: [Freeipa-devel] [PATCHES 0172-0176] ipa_range_check improvements

2014-04-17 Thread Alexander Bokovoy
On Thu, 17 Apr 2014, Tomas Babej wrote: From 96f27c06f062dcfaa40405c50ad087d6013dc62c Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Wed, 16 Apr 2014 17:28:34 +0200 Subject: [PATCH] ipa_range_check: Fix typo when comparing strings using strcasecmp Part of:

Re: [Freeipa-devel] Forward zone V4/Design draft

2014-04-17 Thread Martin Kosek
On 04/17/2014 02:51 PM, Martin Basti wrote: Hello, I created a draft to split forward and master zone. http://www.freeipa.org/page/V4/Forward_zones#Questions There is a question: should it be implemented as a new command set, or as a --type={master|forward} parameter only? For details see link

[Freeipa-devel] Managed permission versioning

2014-04-17 Thread Martin Kosek
I would like to discuss more on the managed read permissions upgrades [1]. Right now, we simply merge an old permission with the new one, making sure that we only add new attributes instead of just replacing them, to prevent a managed permission to be spoiled by a lower FreeIPA server version

Re: [Freeipa-devel] [PATCH] 12 Call generate-rndc-key.sh during ipa-server-install

2014-04-17 Thread Rob Crittenden
Misnyovszki Adam wrote: Hi, this patch modifies ipa-server-install to warn the user if there is a lack of entropy, and also runs generate-rndc-key.sh before named restart, to ensure that it can start before systemd times out. I think the exception should be logged in check_entropy() in case this

Re: [Freeipa-devel] [PATCH] 12 Call generate-rndc-key.sh during ipa-server-install

2014-04-17 Thread Martin Kosek
On 04/17/2014 04:10 PM, Rob Crittenden wrote: Misnyovszki Adam wrote: Hi, this patch modifies ipa-server-install to warn the user if there is a lack of entropy, and also runs generate-rndc-key.sh before named restart, to ensure that it can start before systemd times out. I think the exception

Re: [Freeipa-devel] [PATCH] 11 - CI - test_forced_client_reenrollment stability fix

2014-04-17 Thread Petr Viktorin
On 04/16/2014 04:21 PM, Misnyovszki Adam wrote: On Wed, 16 Apr 2014 07:59:39 +0200 Martin Kosek mko...@redhat.com wrote: On 04/15/2014 05:36 PM, Misnyovszki Adam wrote: On Tue, 15 Apr 2014 12:51:47 +0200 Petr Viktorin pvikt...@redhat.com wrote: On 04/15/2014 12:41 PM, Misnyovszki Adam

Re: [Freeipa-devel] [PATCH] 585 webui: fix OTP Token add regression

2014-04-17 Thread Petr Viktorin
On 04/15/2014 03:21 PM, Misnyovszki Adam wrote: On Tue, 15 Apr 2014 09:54:22 +0200 Petr Vobornik pvobo...@redhat.com wrote: OTP Token add failed because of invalid function call. qr_widget doesn't contain `on_value_changed` method since it inherits from `IPA.widget` and not from

Re: [Freeipa-devel] [PATCHES] 255-259 Framework tweaks

2014-04-17 Thread Petr Viktorin
On 04/17/2014 02:33 PM, Tomas Babej wrote: ACK for 256 - 259. On 04/01/2014 10:45 AM, Jan Cholasta wrote: Hi, while working with Martin Bašti on issues in his dns plugin patches we ran into several limitations in the framework. The attached patches remove these limitations. Also, Tomáš Babej

Re: [Freeipa-devel] [RFC] Migrating existing environments to Trust

2014-04-17 Thread Sumit Bose
On Thu, Apr 17, 2014 at 01:25:08PM +0300, Alexander Bokovoy wrote: On Thu, 17 Apr 2014, Sumit Bose wrote: On Wed, Apr 16, 2014 at 09:02:00PM -0400, Dmitri Pal wrote: On 04/15/2014 05:13 AM, Sumit Bose wrote: Hi, #* Shall we allow different UIDs/GIDs in different views? Yes. I hope

Re: [Freeipa-devel] [RFC] Migrating existing environments to Trust

2014-04-17 Thread Alexander Bokovoy
On Thu, 17 Apr 2014, Sumit Bose wrote: On Thu, Apr 17, 2014 at 01:25:08PM +0300, Alexander Bokovoy wrote: On Thu, 17 Apr 2014, Sumit Bose wrote: On Wed, Apr 16, 2014 at 09:02:00PM -0400, Dmitri Pal wrote: On 04/15/2014 05:13 AM, Sumit Bose wrote: Hi, #* Shall we allow different UIDs/GIDs in

Re: [Freeipa-devel] [RFC] Migrating existing environments to Trust

2014-04-17 Thread Simo Sorce
On Thu, 2014-04-17 at 17:20 +0200, Sumit Bose wrote: On Thu, Apr 17, 2014 at 01:25:08PM +0300, Alexander Bokovoy wrote: On Thu, 17 Apr 2014, Sumit Bose wrote: On Wed, Apr 16, 2014 at 09:02:00PM -0400, Dmitri Pal wrote: On 04/15/2014 05:13 AM, Sumit Bose wrote: Hi, #* Shall we

[Freeipa-devel] [PATCH] 530 trust plugin: Fix typo in attribute name

2014-04-17 Thread Petr Viktorin
Hello, While working on the trust permissions I found a typo in the 'ipanttrustauthoutgoing' attribute in default_attributes. Here is a fix. -- Petr³ From ef98055a524dffbe98098def896f40592a3fdac4 Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Thu, 17 Apr 2014 19:06:52

[Freeipa-devel] [PATCH 0239-0243] Refactor ldap_parse_master_zoneentry()

2014-04-17 Thread Petr Spacek
Hello, This patch set attempts to move ldap_parse_master_zoneentry() a little bit closer to sane code. It is preparation for https://fedorahosted.org/bind-dyndb-ldap/ticket/56 -- Petr^2 Spacek From bfa03960c700bedda454bb7cef5c89bbfce1bbba Mon Sep 17 00:00:00 2001 From: Petr Spacek

Re: [Freeipa-devel] Managed permission versioning

2014-04-17 Thread Simo Sorce
On Thu, 2014-04-17 at 15:48 +0200, Martin Kosek wrote: I would like to discuss more on the managed read permissions upgrades [1]. Right now, we simply merge an old permission with the new one, making sure that we only add new attributes instead of just replacing them, to prevent a managed

Re: [Freeipa-devel] Managed permission versioning

2014-04-17 Thread Rob Crittenden
Simo Sorce wrote: On Thu, 2014-04-17 at 15:48 +0200, Martin Kosek wrote: I would like to discuss more on the managed read permissions upgrades [1]. Right now, we simply merge an old permission with the new one, making sure that we only add new attributes instead of just replacing them, to

Re: [Freeipa-devel] [PATCH] 530 trust plugin: Fix typo in attribute name

2014-04-17 Thread Martin Kosek
On 04/17/2014 07:11 PM, Petr Viktorin wrote: Hello, While working on the trust permissions I found a typo in the 'ipanttrustauthoutgoing' attribute in default_attributes. Here is a fix. I think the right question to ask - do we want to have ipanttrustauth{incoming,outgoing} in default

Re: [Freeipa-devel] Managed permission versioning

2014-04-17 Thread Simo Sorce
On Thu, 2014-04-17 at 15:00 -0400, Rob Crittenden wrote: Simo Sorce wrote: On Thu, 2014-04-17 at 15:48 +0200, Martin Kosek wrote: I would like to discuss more on the managed read permissions upgrades [1]. Right now, we simply merge an old permission with the new one, making sure that

Re: [Freeipa-devel] [PATCH] 530 trust plugin: Fix typo in attribute name

2014-04-17 Thread Simo Sorce
On Thu, 2014-04-17 at 20:30 +0200, Martin Kosek wrote: On 04/17/2014 07:11 PM, Petr Viktorin wrote: Hello, While working on the trust permissions I found a typo in the 'ipanttrustauthoutgoing' attribute in default_attributes. Here is a fix. I think the right question to ask - do we

Re: [Freeipa-devel] [PATCH] 530 trust plugin: Fix typo in attribute name

2014-04-17 Thread Alexander Bokovoy
On Thu, 17 Apr 2014, Simo Sorce wrote: On Thu, 2014-04-17 at 20:30 +0200, Martin Kosek wrote: On 04/17/2014 07:11 PM, Petr Viktorin wrote: Hello, While working on the trust permissions I found a typo in the 'ipanttrustauthoutgoing' attribute in default_attributes. Here is a fix. I think

Re: [Freeipa-devel] Managed permission versioning

2014-04-17 Thread Rob Crittenden
Simo Sorce wrote: On Thu, 2014-04-17 at 15:00 -0400, Rob Crittenden wrote: Simo Sorce wrote: On Thu, 2014-04-17 at 15:48 +0200, Martin Kosek wrote: I would like to discuss more on the managed read permissions upgrades [1]. Right now, we simply merge an old permission with the new one, making

Re: [Freeipa-devel] Managed permission versioning

2014-04-17 Thread Simo Sorce
On Thu, 2014-04-17 at 18:25 -0400, Rob Crittenden wrote: Simo Sorce wrote: On Thu, 2014-04-17 at 15:00 -0400, Rob Crittenden wrote: Simo Sorce wrote: On Thu, 2014-04-17 at 15:48 +0200, Martin Kosek wrote: I would like to discuss more on the managed read permissions upgrades [1].

Re: [Freeipa-devel] [RFC] Migrating existing environments to Trust

2014-04-17 Thread Dmitri Pal
On 04/17/2014 05:15 AM, Sumit Bose wrote: On Wed, Apr 16, 2014 at 09:02:00PM -0400, Dmitri Pal wrote: On 04/15/2014 05:13 AM, Sumit Bose wrote: Hi, I have started to write a design page for 'Migrating existing environments to Trust'

Re: [Freeipa-devel] [RFC] Migrating existing environments to Trust

2014-04-17 Thread Simo Sorce
On Thu, 2014-04-17 at 23:58 -0400, Dmitri Pal wrote: yes, this can already be controlled by the idrange type. But you have to choose either algorithmic or manual mapping you cannot have both in a given domain. What you can do is to create a domain in the AD forest for the old users and