On Fri, 2014-06-20 at 16:50 -0400, Nathaniel McCallum wrote:
> On Fri, 2014-06-20 at 16:05 -0400, Simo Sorce wrote:
> > On Fri, 2014-06-20 at 14:47 -0400, Nathaniel McCallum wrote:
> > > This change would have very small impact on your patch set, but would
> > > be
> > > much clearer for the future
On 06/20/2014 05:06 PM, Petr Viktorin wrote:
All these should be independent, except for conflicts in ACI.txt that are
easily solved by running makeaci.
Umh, now the fun begins as I see :) There will probably need to be some rebase,
it clashed with some other ACI patches in my tree (namely Hos
On Fri, 2014-06-20 at 16:05 -0400, Simo Sorce wrote:
> On Fri, 2014-06-20 at 14:47 -0400, Nathaniel McCallum wrote:
> > This change would have very small impact on your patch set, but would
> > be
> > much clearer for the future consumers of this protocol. Code can be
> > changed; protocols can't.
On 06/19/2014 01:41 PM, Petr Viktorin wrote:
On 06/18/2014 05:46 PM, Martin Kosek wrote:
On 06/11/2014 06:39 PM, Petr Viktorin wrote:
Patch 0578 does the conversion
Patch 0579 fixes https://fedorahosted.org/freeipa/ticket/4252 and provides
permissions needed for automatic enrollment (from
http
On 06/20/2014 04:49 PM, Petr Viktorin wrote:
On 06/19/2014 02:13 PM, Martin Kosek wrote:
On 06/19/2014 12:52 PM, Petr Viktorin wrote:
I'll address the other issues separately.
On 06/18/2014 05:46 PM, Martin Kosek wrote:
3) I hit one issue when I open the Web UI host tab, I get "Insufficient
a
On Fri, 2014-06-20 at 15:55 -0400, Nathaniel McCallum wrote:
> On Fri, 2014-06-20 at 15:50 -0400, Nathaniel McCallum wrote:
> > On Mon, 2014-06-16 at 11:34 -0400, Simo Sorce wrote:
> > > Although the code is all done it would be nice to have a review of the
> > > feature, to see if it has all been
On Fri, 2014-06-20 at 15:50 -0400, Nathaniel McCallum wrote:
> On Mon, 2014-06-16 at 11:34 -0400, Simo Sorce wrote:
> > Although the code is all done it would be nice to have a review of the
> > feature, to see if it has all been captured:
> > http://www.freeipa.org/page/V4/Keytab_Retrieval
>
> Is
On Fri, 2014-06-20 at 15:50 -0400, Nathaniel McCallum wrote:
> On Mon, 2014-06-16 at 11:34 -0400, Simo Sorce wrote:
> > Although the code is all done it would be nice to have a review of the
> > feature, to see if it has all been captured:
> > http://www.freeipa.org/page/V4/Keytab_Retrieval
>
> Is
On Mon, 2014-06-16 at 11:34 -0400, Simo Sorce wrote:
> Although the code is all done it would be nice to have a review of the
> feature, to see if it has all been captured:
> http://www.freeipa.org/page/V4/Keytab_Retrieval
Is there any need to create different permissions for password
generation v
On 06/20/2014 05:59 PM, Simo Sorce wrote:
On Fri, 2014-06-20 at 11:56 -0400, Nathaniel McCallum wrote:
On Thu, 2014-06-19 at 12:43 -0400, Simo Sorce wrote:
On Thu, 2014-06-19 at 12:36 -0400, Nathaniel McCallum wrote:
This also fixes an error where the default value was not respecting
the KEY_L
On 06/20/2014 05:51 PM, Jakub Hrozek wrote:
On Fri, Jun 20, 2014 at 04:45:45PM +0200, Martin Kosek wrote:
On 06/20/2014 04:24 PM, Jakub Hrozek wrote:
On Fri, Jun 20, 2014 at 04:06:16PM +0200, Martin Kosek wrote:
...
I think we should just make a note to self to allow users to fix the
ACIs man
On Fri, 2014-06-20 at 14:38 -0400, Simo Sorce wrote:
> On Fri, 2014-06-20 at 14:30 -0400, Nathaniel McCallum wrote:
> > On Fri, 2014-06-20 at 14:10 -0400, Simo Sorce wrote:
> > > On Fri, 2014-06-20 at 14:05 -0400, Nathaniel McCallum wrote:
> > > > On Mon, 2014-06-16 at 11:34 -0400, Simo Sorce wrote
On Fri, 2014-06-20 at 14:30 -0400, Nathaniel McCallum wrote:
> On Fri, 2014-06-20 at 14:10 -0400, Simo Sorce wrote:
> > On Fri, 2014-06-20 at 14:05 -0400, Nathaniel McCallum wrote:
> > > On Mon, 2014-06-16 at 11:34 -0400, Simo Sorce wrote:
> > > > Although the code is all done it would be nice to h
On Fri, 2014-06-20 at 14:10 -0400, Simo Sorce wrote:
> On Fri, 2014-06-20 at 14:05 -0400, Nathaniel McCallum wrote:
> > On Mon, 2014-06-16 at 11:34 -0400, Simo Sorce wrote:
> > > Although the code is all done it would be nice to have a review of the
> > > feature, to see if it has all been captured
On Fri, 2014-06-20 at 20:04 +0200, Petr Spacek wrote:
> ipk11Private;privatekey: TRUE
> ipk11Private;publickey: FALSE
Can these two ever hold a different value?
I.e. a privatekey be FALSE and a publickey be TRUE?
If not I suggest you do not add this attribute at all and assume their
value?
(btw
On Fri, 2014-06-20 at 14:05 -0400, Nathaniel McCallum wrote:
> On Mon, 2014-06-16 at 11:34 -0400, Simo Sorce wrote:
> > Although the code is all done it would be nice to have a review of the
> > feature, to see if it has all been captured:
> > http://www.freeipa.org/page/V4/Keytab_Retrieval
>
> I'
On Mon, 2014-06-16 at 11:34 -0400, Simo Sorce wrote:
> Although the code is all done it would be nice to have a review of the
> feature, to see if it has all been captured:
> http://www.freeipa.org/page/V4/Keytab_Retrieval
I'm a bit confused about the behavior of enctypes in the Request.
"A list
On 12.6.2014 16:23, Petr Spacek wrote:
On 30.4.2014 18:19, Petr Spacek wrote:
following text summarizes schema & DIT layout for DNSSEC key storage in LDAP.
I have added object classes and default values for attributes I consider
important. This is final proposal for implementation. Please revi
On 6/18/2014 6:11 AM, Petr Vobornik wrote:
1. As discussed on IRC, the plugin is causing an error due to missing
extend.js. This needs to be fixed.
Fixed
4. I agree that the facet shouldn't define the hash. The hash should be
part of the plugin declaration.
Ideally, facet should be router
On Fri, 2014-06-20 at 11:56 -0400, Nathaniel McCallum wrote:
> On Thu, 2014-06-19 at 12:43 -0400, Simo Sorce wrote:
> > On Thu, 2014-06-19 at 12:36 -0400, Nathaniel McCallum wrote:
> > > This also fixes an error where the default value was not respecting
> > > the KEY_LENGTH variable.
> > >
> > >
On Thu, 2014-06-19 at 12:43 -0400, Simo Sorce wrote:
> On Thu, 2014-06-19 at 12:36 -0400, Nathaniel McCallum wrote:
> > This also fixes an error where the default value was not respecting
> > the KEY_LENGTH variable.
> >
> > (NOTE: the os.urandom() change should not change the security properties
On Fri, Jun 20, 2014 at 04:45:45PM +0200, Martin Kosek wrote:
> On 06/20/2014 04:24 PM, Jakub Hrozek wrote:
> > On Fri, Jun 20, 2014 at 04:06:16PM +0200, Martin Kosek wrote:
> >> Hello all,
> >>
> >> I would like to discuss what should we do with the latest issue we found in
> >> SSSD-DS communicat
On Thu, 2014-06-19 at 16:30 -0400, Nathaniel McCallum wrote:
> This command behaves almost exactly like otptoken-add except:
> 1. The new token data is written directly to a YubiKey
> 2. The vendor/model/serial fields are populated from the YubiKey
>
> === NOTE ===
> 1. This patch depends on the n
On 11.6.2014 15:19, Petr Vobornik wrote:
Patch set contains both API/server and Web UI parts.
[PATCH] 659 ldap2: add otp support to modify_password
[PATCH] 660 rpcserver: add otp support to change_password handler
[PATCH] 661 ipa-passwd: add OTP support
[PATCH] 662 webui: support password change
Design at:
http://pki.fedoraproject.org/wiki/Top-Level_Tree
This is a feature to change the tree structure of the Dogtag internal
database so that a new top level baseDN is available. This will
simplify the replication topology by allowing one to replicate all
subsystems in a tomcat instance with
On Fri, 2014-06-20 at 16:45 +0200, Martin Kosek wrote:
> There is no impact on clients connected to the "fixed DS". This is the
> scenario
> I am concerned about:
>
> User has RHEL/CentOS 6.x IPA server and wants to try the new nice and
> shiny FreeIPA 4.0. He installs the FreeIPA 4.0 replica (wit
On 06/20/2014 04:45 PM, Martin Kosek wrote:
On 06/20/2014 04:24 PM, Jakub Hrozek wrote:
On Fri, Jun 20, 2014 at 04:06:16PM +0200, Martin Kosek wrote:
Hello all,
I would like to discuss what should we do with the latest issue we found in
SSSD-DS communication which is broken after the ACI refa
On 06/19/2014 02:13 PM, Martin Kosek wrote:
On 06/19/2014 12:52 PM, Petr Viktorin wrote:
I'll address the other issues separately.
On 06/18/2014 05:46 PM, Martin Kosek wrote:
3) I hit one issue when I open the Web UI host tab, I get "Insufficient access:
No such virtual command" error triggere
On 06/20/2014 04:24 PM, Jakub Hrozek wrote:
> On Fri, Jun 20, 2014 at 04:06:16PM +0200, Martin Kosek wrote:
>> Hello all,
>>
>> I would like to discuss what should we do with the latest issue we found in
>> SSSD-DS communication which is broken after the ACI refactoring.
>
> It's not just SSSD-DS
On 20.6.2014 15:23, Martin Basti wrote:
Patches attached
Petr please review WebUI patch.
Patch 72: ACK
Patch 73: ACK
Patch 74: ACK
Patch 75: ACK
pushed to master:
* 7cdc4178b0fb0972a7aed3e0604a835fc45ac7a8 DNSSEC: DLVRecord type added
* ee6e634c28b7261930c8cee556c8ebef9a01603e DNSSEC: Test:
On 06/20/2014 04:24 PM, Jakub Hrozek wrote:
On Fri, Jun 20, 2014 at 04:06:16PM +0200, Martin Kosek wrote:
Hello all,
I would like to discuss what should we do with the latest issue we found in
SSSD-DS communication which is broken after the ACI refactoring.
It's not just SSSD-DS communication
On Fri, Jun 20, 2014 at 04:06:16PM +0200, Martin Kosek wrote:
> Hello all,
>
> I would like to discuss what should we do with the latest issue we found in
> SSSD-DS communication which is broken after the ACI refactoring.
It's not just SSSD-DS communication, any client, including ldapsearch
curre
Hello all,
I would like to discuss what should we do with the latest issue we found in
SSSD-DS communication which is broken after the ACI refactoring.
I was working with Ludwig, there is a problem in the way how deref plugin
checks the access to the referenced entry. Instead of checking the targ
On 20.6.2014 15:30, Petr Vobornik wrote:
On 20.6.2014 14:35, Martin Basti wrote:
On Thu, 2014-06-19 at 18:37 +0200, Martin Basti wrote:
On Fri, 2014-06-13 at 09:55 +0200, Martin Basti wrote:
On Thu, 2014-06-12 at 16:20 +0200, Martin Basti wrote:
On Thu, 2014-06-12 at 13:17 +0200, Petr Voborni
Required patches: mbasti-0060, mbasti-0073
Patch attached.
--
Martin^2 Basti
From 749807eef26245caec535d1da2ffb48cd69e30a0 Mon Sep 17 00:00:00 2001
From: Martin Basti
Date: Fri, 20 Jun 2014 15:11:57 +0200
Subject: [PATCH] Fix: add dnssecinlinesigning attribute to ACI
---
ACI.txt
On 20.6.2014 14:35, Martin Basti wrote:
On Thu, 2014-06-19 at 18:37 +0200, Martin Basti wrote:
On Fri, 2014-06-13 at 09:55 +0200, Martin Basti wrote:
On Thu, 2014-06-12 at 16:20 +0200, Martin Basti wrote:
On Thu, 2014-06-12 at 13:17 +0200, Petr Vobornik wrote:
On 9.6.2014 17:28, Martin Basti
Patch attached.
Ticket: https://fedorahosted.org/freeipa/ticket/4383
--
Martin^2 Basti
From a01f6f623e7cf9261fa0029f271f8a310812f895 Mon Sep 17 00:00:00 2001
From: Martin Basti
Date: Fri, 20 Jun 2014 13:52:12 +0200
Subject: [PATCH] Fix incompatible DNS permission
dns(forward)zone-add/remove-per
Patches attached
Petr please review WebUI patch.
--
Martin^2 Basti
From 5492f997702d8b773cd1675a320a79371f5e5b19 Mon Sep 17 00:00:00 2001
From: Martin Basti
Date: Tue, 17 Jun 2014 17:04:46 +0200
Subject: [PATCH 1/4] DNSSEC: DLVRecord type added
Ticket: https://fedorahosted.org/freeipa/ticket/4
On Thu, 2014-06-19 at 18:37 +0200, Martin Basti wrote:
> On Fri, 2014-06-13 at 09:55 +0200, Martin Basti wrote:
> > On Thu, 2014-06-12 at 16:20 +0200, Martin Basti wrote:
> > > On Thu, 2014-06-12 at 13:17 +0200, Petr Vobornik wrote:
> > > > On 9.6.2014 17:28, Martin Basti wrote:
> > > > > Ticket: h
My patch 0580 was wrong; non-POSIX groups obviously lack the posixgroup
objectclass. Actually the only objectclasses that all groups share are
top and ipaobject.
This makes permission plugin & updater join multiple
permission_filter_objectclasses filters with OR, and changes the --type
group
On 06/20/2014 01:28 PM, Jan Cholasta wrote:
> On 20.6.2014 13:06, Martin Basti wrote:
>> Patch attached
>>
>
> ACK.
>
Pushed to master: 9f5e77f686a974b837da6eb92cec741fcbb33603
Martin
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://ww
On 20.6.2014 13:06, Martin Basti wrote:
Patch attached
ACK.
--
Jan Cholasta
On 19.6.2014 16:55, Martin Basti wrote:
On Thu, 2014-06-19 at 15:16 +0200, Petr Vobornik wrote:
On 18.6.2014 13:42, Martin Basti wrote:
Rebased patches with pep8 fixes attached
git diff HEAD~4 -U0 | pep8 --diff --ignore=E501,E126,E128,E124
./ipalib/plugins/dns.py:1754:9: E265 block comment sh
Patch attached
--
Martin^2 Basti
From a28ead1232de4cf84c31e942ed2be1ed4ab4a3b3 Mon Sep 17 00:00:00 2001
From: Martin Basti
Date: Fri, 20 Jun 2014 12:53:06 +0200
Subject: [PATCH] Fix handle python-dns UnicodeError
---
ipapython/dnsutil.py | 9 +
1 file changed, 5 insertions(+), 4 deleti
On 06/20/2014 11:06 AM, Martin Basti wrote:
> On Wed, 2014-06-18 at 17:36 +0200, Petr Spacek wrote:
>> Hello,
>>
>> Clarify LDAPClient docstrings about get_entry, get_entries and find_entries.
>>
>>
>> BTW what is the purpose of size_limit in LDAPClient.get_entry()?
>>
>> def get_entry(self, dn, at
On 06/20/2014 11:06 AM, Martin Basti wrote:
On Wed, 2014-06-18 at 17:36 +0200, Petr Spacek wrote:
Hello,
Clarify LDAPClient docstrings about get_entry, get_entries and find_entries.
BTW what is the purpose of size_limit in LDAPClient.get_entry()?
def get_entry(self, dn, attrs_list=None, time
On Wed, 2014-06-18 at 17:36 +0200, Petr Spacek wrote:
> Hello,
>
> Clarify LDAPClient docstrings about get_entry, get_entries and find_entries.
>
>
> BTW what is the purpose of size_limit in LDAPClient.get_entry()?
>
> def get_entry(self, dn, attrs_list=None, time_limit=None,
>s
Hi,
On 19.6.2014 22:30, Nathaniel McCallum wrote:
This command behaves almost exactly like otptoken-add except:
1. The new token data is written directly to a YubiKey
2. The vendor/model/serial fields are populated from the YubiKey
=== NOTE ===
1. This patch depends on the new Fedora package: p
On Fri, 2014-06-20 at 10:32 +0200, Jan Cholasta wrote:
> On 18.6.2014 16:49, Martin Basti wrote:
> > Due to compatibility with older versions, only IDNA domains should be
> > checked
> > Patch attached.
>
> I'm not particularly happy about the u'\xdf' special case. Isn't there a
> better way to do
On 18.6.2014 16:49, Martin Basti wrote:
Due to compatibility with older versions, only IDNA domains should be
checked
Patch attached.
I'm not particularly happy about the u'\xdf' special case. Isn't there a
better way to do this check?
(BTW I really think this should be a warning, not an error