Fraser,
Continuing the discussion started previously, the question is whether
IPA should check for the presence of certain extensions.
There seem to be two kinds of problems which could be encountered here:
1. User could include a CSR which includes an extension that is not
valid for the profil
In order for IPA to use some new functionality in Profile Management and
Sub CAs, we need to add some additional schema to the Dogtag LDAP
instance.
Fraser has written a Dogtag upgrade script to do this upgrade, but this
script expects the DM password to be in password.conf. Some discussion
on th
been built. (pki-core-10.2.0-0.8.fc20) Please update your
Dogtag build to this version.
Thanks,
Ade
From b039bc0a8ddc88e90830626f3b812e8ee29e7e08 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Mon, 1 Sep 2014 22:49:54 -0400
Subject: [PATCH] Re-enable uninstall feature for ipa-kra-install
Looks good to me. Thanks.
Ade
On Tue, 2014-08-26 at 14:13 +0200, Petr Viktorin wrote:
> On 08/25/2014 06:37 PM, Ade Lee wrote:
> > New patch attached.
> > If OK, please commit for me.
> >
> > Thanks,
> > Ade
>
>
> I missed the argument list, where you
New patch attached.
If OK, please commit for me.
Thanks,
Ade
On Mon, 2014-08-25 at 18:25 +0200, Petr Viktorin wrote:
> On 08/25/2014 06:17 PM, Ade Lee wrote:
> > What if I add the following first paragraph?
> >
> > The KRA (Key Recovery Authority) is a component used to secur
, Petr Viktorin wrote:
> On 08/24/2014 06:28 PM, Ade Lee wrote:
> > Added man pages for ipa-kra-install. And it's not even Tuesday yet :)
> >
> > Please review,
> > Ade
> >
>
> If I was new to this, I think I'd be quite lost.
>
> I think the man
We plan to do an alpha build of Dogtag 10.2 on Fedora 21 at the end of
this week.
Ade
On Mon, 2014-08-25 at 13:14 +0200, Petr Viktorin wrote:
> On 08/22/2014 03:28 PM, Petr Vobornik wrote:
> [...]
> > Should the requirement of Dogtag 10.2 be reflected in a spec file?
>
>
> Yes. Sorry for forget
Added man pages for ipa-kra-install. And it's not even Tuesday yet :)
Please review,
Ade
From 571c77102577321bb2a524873904a83581f85a32 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Sun, 24 Aug 2014 12:19:55 -0400
Subject: [PATCH] Added man page for ipa-kra-install
---
freeipa.spec
On Thu, 2014-08-21 at 21:52 +0200, Martin Kosek wrote:
> On 08/21/2014 05:27 PM, Petr Viktorin wrote:
> > On 08/21/2014 03:48 PM, Ade Lee wrote:
> >> As agreed on #irc, disabling uninstallation for now.
> >> Please apply this new patch on top of the big one.
> >
As agreed on #irc, disabling uninstallation for now.
Please apply this new patch on top of the big one.
Ade
On Thu, 2014-08-21 at 01:15 -0400, Ade Lee wrote:
> On Wed, 2014-08-20 at 15:35 -0400, Rob Crittenden wrote:
> > Ade Lee wrote:
> > > On Thu, 2014-08-14 at 14:29 +0200, P
On Wed, 2014-08-20 at 15:35 -0400, Rob Crittenden wrote:
> Ade Lee wrote:
> > On Thu, 2014-08-14 at 14:29 +0200, Petr Viktorin wrote:
> >> On 08/14/2014 10:53 AM, Martin Kosek wrote:
> >>> On 08/13/2014 09:54 PM, Ade Lee wrote:
> >>>> In Dogtag, we have
run ipa-kra-install etc.
Please apply this on top of the previous patch. I'll go ahead and squash them
before commit.
Thanks,
Ade
- Original Message -
From: "Ade Lee"
To: "Petr Viktorin"
Cc: freeipa-devel@redhat.com
Sent: Wednesday, August 13, 2014 2:05:51
Design at:
http://pki.fedoraproject.org/wiki/Top-Level_Tree
This is a feature to change the tree structure of the Dogtag internal
database so that a new top level baseDN is available. This will
simplify the replication topology by allowing one to replicate all
subsystems in a tomcat instance with
iktorin wrote:
> > On 05/28/2014 08:48 AM, Fraser Tweedale wrote:
> >> On Tue, May 27, 2014 at 05:57:40PM -0400, Ade Lee wrote:
> >>> There have been a couple of changes in the Dogtag interface, that
> >>> require some changes in the IPA patches. Also, I ha
:00 2001
From: Ade Lee
Date: Wed, 30 Apr 2014 11:35:00 -0400
Subject: [PATCH 6/6] Added dogtag plugin for DRM
This is an initial commit providing the basic vault functionality.
This plugin will likely be modified as we create the code to call
some of these functions.
---
ipaserver/plugins/dogtag
Welcome Fraser,
To build dogtag, you should start here:
http://pki.fedoraproject.org/wiki/Building_Dogtag_10
and I happen to know you'll be working on IPA/PKI stuff, you'll be
interested in reviewing the links under:
http://pki.fedoraproject.org/wiki/Dogtag#Resources_for_Client_Developers
The
to be applied on top of the previous one.
So, patch 2 and then patch 3.
I will create a patch to address the issues mentioned below, as well as
some other formatting issues reported by pycharm.
Thanks,
Ade
On Tue, 2014-04-15 at 11:41 -0400, Rob Crittenden wrote:
> Ade Lee wrote:
> > Attac
On Tue, 2014-04-08 at 09:52 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On 04/07/2014 10:40 PM, Rob Crittenden wrote:
> >> Ade Lee wrote:
> >>> This patch adds the capability of installing a Dogtag DRM
> >>> to an IPA instance.
On Mon, 2014-04-07 at 09:48 +0200, Martin Kosek wrote:
> Hi Rob, Ade and others,
>
> In the past, Rob was investigating enabling random certificate serial numbers
> for FreeIPA PKI [1]. We also have a ticket [2] planned to enable it for 4.0.
> Can we simply switch it on for PKI with pkispawn attr
CA), or an existing clone.
Please review,
Thanks,
Ade
From 298aa20b554b5e17a0f7a1d4cf13e246fba9c8dc Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Tue, 18 Mar 2014 11:23:30 -0400
Subject: [PATCH] Add a DRM to IPA
This patch adds the capability of installing a Dogtag DRM
to an
The Dogtag team is proud to announce the release of Dogtag v10.1.0.
This release is being released in conjunction with the GA release of
Fedora 20.
Due to changes in the way tomcat is started in Fedora 20, and the
corresponding changes in the Dogtag init scripts, Dogtag 10.1 will only
be delive
The Dogtag team is proud to announce the sixth errata build for
Dogtag 10.0.
Builds are available for Fedora 18 and Fedora 19 in the updates-testing
repositories. Please try them out and provide karma to move them to the
F18 and F19 stable repositories. Karma can be provided at
https://admin.f
The Dogtag team is proud to announce the fifth errata build for
Dogtag 10.0.
Builds are available for Fedora 18 and Fedora 19 in the updates-testing
repositories. Please try them out and provide karma to move them to the
F18 and F19 stable repositories. Karma can be provided at
https://admin.f
On Mon, 2013-08-26 at 12:38 -0400, Adam Young wrote:
> Keystone needs signing certificates for Signing PKI tokens.
>
> In addition, CERN has developed an approach that allows users to
> authenticate to Keystone via X509 for batch jobs. This requires Client
> Certs.
>
> Both of these use cas
The Dogtag team is proud to announce the fourth errata build for
Dogtag 10.0.
Builds are available for Fedora 18 and Fedora 19 in the updates-testing
repositories. Please try them out and provide karma to move them to the
F18 and F19 stable repositories.
== Build Versions ==
pki-core-10.0.4-1
On Mon, 2013-06-10 at 16:35 +0200, Ana Krivokapic wrote:
> On 06/07/2013 10:23 AM, Tomas Babej wrote:
>
> > On 05/15/2013 01:36 PM, Ana Krivokapic wrote:
> >
> > > On 05/15/2013 12:29 PM, Petr Viktorin wrote:
> > > > On 05/15/2013 12:04 PM, Tomas Babej wrote:
> > > > > On 05/15/2013 11:40 AM, Ana
The Dogtag team is proud to announce the third errata build for
Dogtag v10.0.0.
Builds are available for Fedora 18 and Fedora 19 in the updates-testing
repositories. Please try them out and provide karma to move them to the
F18 and F19 stable repositories.
== Build Versions ==
pki-core-10.0.3-
The Dogtag team is proud to announce the second errata build for
Dogtag v10.0.0.
Builds are available for Fedora 18 and Fedora 19 in the updates-testing
repo. Please try it out and provide karma to move them to the F18 and
F19 stable repos.
Daily developer builds for Fedora 17, 18 and 19 are a
--- Begin Message ---
The Dogtag team is proud to announce the first errata build for
Dogtag v10.0.0.
The only packages that are being modified are dogtag-pki and pki-core,
both of which are being released as version 10.0.1.
A build is available for Fedora 18 in the updates-testing repo. Plea
--- Begin Message ---
The Dogtag team is proud to announce the release of Dogtag v10.0.0.
This release is being bundled with the GA release of Fedora 18, and
marks the culmination of over a year of development by the Dogtag team.
== Build Versions ==
pki-core-10.0.0-2.fc18
pki-ra-10.0.0-1.fc18
p
On Wed, 2012-12-19 at 21:35 -0500, Simo Sorce wrote:
> On Wed, 2012-12-19 at 22:41 +, JR Aquino wrote:
> > On Dec 19, 2012, at 2:32 PM, Simo Sorce wrote:
> >
> > > On Wed, 2012-12-19 at 20:52 +, JR Aquino wrote:
> > >> Due to a limitation with 389 DS, the nsslapd-maxbersize cannot be set
--- Begin Message ---
The Dogtag team is proud to announce version Dogtag v10.0.0 Release
Candidate 1.
A build is available for Fedora 18 in the updates-testing repo. Please
try it out and provide karma to move it to the F18 stable repo.
Daily developer builds for Fedora 17 and 18 are available
--- Begin Message ---
The Dogtag team is proud to announce version Dogtag v10.0.0 beta 2.
A build is available for Fedora 18 in the updates-testing repo. Please
try it out and provide karma to move it to the F18 stable repo.
Daily developer builds for Fedora 17 and 18 are available at
http://nk
=
Please provide comments, bugs and other feedback via the pki-devel
mailing list: http://www.redhat.com/mailman/listinfo/pki-devel
== Detailed Changelog ==
Ade Lee (11):
5ef10ba Update selinux-policy version to fix error from latest policy
81596ba fix spec typo
919434b Added build requires for
On Fri, 2012-10-05 at 12:26 -0400, Simo Sorce wrote:
> On Fri, 2012-10-05 at 12:19 -0400, Ade Lee wrote:
> > On Fri, 2012-10-05 at 16:45 +0200, Martin Kosek wrote:
> > > On 10/05/2012 10:59 AM, Martin Kosek wrote:
> > > > On 10/04/2012 06:17 PM, Rob Crittenden wrote:
2012 10:04 PM, Ade Lee wrote:
> > Attached is a patch to handle the ipa-replica-conncheck issue. It
> > should be applied on top of your patch.
> >
> > Essentially, the fix is as follows:
> > A. If the DS_PORT = 7389, then we pass --check-ca in the
> > ipa-repli
On Fri, 2012-10-05 at 16:45 +0200, Martin Kosek wrote:
> On 10/05/2012 10:59 AM, Martin Kosek wrote:
> > On 10/04/2012 06:17 PM, Rob Crittenden wrote:
> >> This changes the way IPA generates CRLs for new installs only.
> >>
> >> The first master installed is configured as the CRL generator. An entr
-10-02 at 17:34 +0200, Petr Viktorin wrote:
> On 10/02/2012 03:02 PM, Petr Viktorin wrote:
> > On 10/01/2012 05:02 PM, Ade Lee wrote:
> >> On Mon, 2012-10-01 at 16:09 +0200, Martin Kosek wrote:
> >>> On 10/01/2012 03:35 PM, Petr Viktorin wrote:
> >>>>
pki-devel
mailing list: http://www.redhat.com/mailman/listinfo/pki-devel
== Detailed Changelog ==
Ade Lee (4):
761a047 Updated release to a2
854ecce fall back to old interface for installtoken if needed
11e05d3 Use getStatus servlet to provide startup status
e1666df Changes to use standard dbuser
On Mon, 2012-10-01 at 16:09 +0200, Martin Kosek wrote:
> On 10/01/2012 03:35 PM, Petr Viktorin wrote:
> > On 09/27/2012 10:26 AM, Petr Viktorin wrote:
> >> On 09/20/2012 05:58 AM, Ade Lee wrote:
> >>> Changes to use a single database for dogtag and IPA
> >
ested. But as this will take a while to get resolved, it's
better to get this out for review as fast as possible.
Happy reviewing.
Ade
From f827c0d744086a65c574de06ee3ff85083429f87 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Wed, 19 Sep 2012 23:35:42 -0400
Subject: [PATCH] Changes to use
It's a bug. Basically, the d10 instance is trying to get an installation
token from the security domain, using a new restful interface. This, on
a dogtag 9 instance, results in a 404.
We need to change the d10 code to fall back to the old interface in case
the new one does not work.
Ade
On We
It's a bug. Basically, the d10 instance is trying to get an installation
token from the security domain, using a new restful interface. This, on
a dogtag 9 instance, results in a 404.
We need to change the d10 code to fall back to the old interface in case
the new one does not work.
https://fed
On Mon, 2012-09-17 at 14:32 +0200, Petr Viktorin wrote:
> On 09/14/2012 11:19 PM, Rob Crittenden wrote:
> > Petr Viktorin wrote:
> >> On 09/12/2012 06:40 PM, Petr Viktorin wrote:
> >>> A new Dogtag build with changed pkispawn/pkidestroy locations should be
> >>> out later today. The attached patch
On Wed, 2012-09-12 at 18:43 +0200, Petr Viktorin wrote:
> On 09/11/2012 09:38 PM, Rob Crittenden wrote:
> > Rob Crittenden wrote:
> >> Rob Crittenden wrote:
> >>> Petr Viktorin wrote:
> >>>> On 09/11/2012 04:38 PM, Rob Crittenden wrote:
> >>>
On Tue, 2012-09-11 at 14:45 -0400, Rob Crittenden wrote:
> Petr Viktorin wrote:
> > On 09/11/2012 04:38 PM, Rob Crittenden wrote:
> >> Ade Lee wrote:
> >>> On Tue, 2012-09-11 at 08:59 -0400, Rob Crittenden wrote:
> >>>> Petr Viktorin wrote:
On Tue, 2012-09-11 at 08:59 -0400, Rob Crittenden wrote:
> Petr Viktorin wrote:
> > On 09/11/2012 04:04 AM, Ade Lee wrote:
> >> On Mon, 2012-09-10 at 16:58 -0400, Rob Crittenden wrote:
> >>> Petr Viktorin wrote:
> >>>> Attaching rebased and squashed pat
On Mon, 2012-09-10 at 16:58 -0400, Rob Crittenden wrote:
> Petr Viktorin wrote:
> > Attaching rebased and squashed patches. I've done some testing with them
> > but please test some more.
> >
>
> Most of these aren't IPA issues, but dogtag issues. I'll try to split
> them out.
>
> IPA:
>
> For
On Wed, 2012-09-05 at 16:20 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On 08/31/2012 04:53 PM, Petr Viktorin wrote:
> >> On 08/28/2012 03:40 PM, Petr Viktorin wrote:
> >>> On 08/17/2012 06:04 PM, Ade Lee wrote:
> >>>> On Fri, 2012-08-17
On Wed, 2012-09-05 at 17:44 -0400, Simo Sorce wrote:
> On Wed, 2012-09-05 at 17:08 -0400, Ade Lee wrote:
> > On Wed, 2012-09-05 at 16:43 -0400, Nalin Dahyabhai wrote:
> > > On Wed, Aug 29, 2012 at 08:48:32AM -0400, Ade Lee wrote:
> > > > Incidentally, I ran this in
On Wed, 2012-09-05 at 16:43 -0400, Nalin Dahyabhai wrote:
> On Wed, Aug 29, 2012 at 08:48:32AM -0400, Ade Lee wrote:
> > Incidentally, I ran this in permissive selinux mode. The following
> > rules are required to be added:
> >
> >
Incidentally, I ran this in permissive selinux mode. The following
rules are required to be added:
#= certmonger_t ==
corenet_tcp_connect_http_cache_port(certmonger_t)
files_read_var_lib_symlinks(certmonger_t)
On Tue, 2012-08-28 at 23:53 -0400, Ade Lee wrote:
> I h
ote:
> > On 08/27/2012 02:39 PM, Dmitri Pal wrote:
> >> On 08/17/2012 12:06 PM, Rob Crittenden wrote:
> >>> Ade Lee wrote:
> >>>> On Fri, 2012-08-17 at 09:34 -0400, Ade Lee wrote:
> >>>>> On Thu, 2012-08-16 at 18:45 +0200, Martin Kosek wrote:
On Fri, 2012-08-17 at 09:34 -0400, Ade Lee wrote:
> On Thu, 2012-08-16 at 18:45 +0200, Martin Kosek wrote:
> > On 08/16/2012 01:28 PM, Ade Lee wrote:
> > > Patch attached this time. I should know better than to do this in the
> > > middle of the night ..
> > >
On Thu, 2012-08-16 at 18:45 +0200, Martin Kosek wrote:
> On 08/16/2012 01:28 PM, Ade Lee wrote:
> > Patch attached this time. I should know better than to do this in the
> > middle of the night ..
> >
> > On Thu, 2012-08-16 at 09:12 +0200, Martin Kosek wrote:
> >
Patch attached this time. I should know better than to do this in the
middle of the night ..
On Thu, 2012-08-16 at 09:12 +0200, Martin Kosek wrote:
> On 08/16/2012 07:53 AM, Ade Lee wrote:
> > On Wed, 2012-08-15 at 23:41 -0400, Ade Lee wrote:
> >> On Wed, 2012-08-15 at 16:34 +
On Wed, 2012-08-15 at 23:41 -0400, Ade Lee wrote:
> On Wed, 2012-08-15 at 16:34 +0200, Martin Kosek wrote:
> > On 08/15/2012 03:54 PM, Ade Lee wrote:
> > > On Wed, 2012-08-15 at 13:24 +0200, Martin Kosek wrote:
> > >> On 08/08/2012 10:05 PM, Ade Lee wrote:
> > >
On Wed, 2012-08-15 at 16:34 +0200, Martin Kosek wrote:
> On 08/15/2012 03:54 PM, Ade Lee wrote:
> > On Wed, 2012-08-15 at 13:24 +0200, Martin Kosek wrote:
> >> On 08/08/2012 10:05 PM, Ade Lee wrote:
> >>> Hi,
> >>>
> >>> Dogtag 10 is b
On Wed, 2012-08-15 at 13:24 +0200, Martin Kosek wrote:
> On 08/08/2012 10:05 PM, Ade Lee wrote:
> > Hi,
> >
> > Dogtag 10 is being released on f18, and has a number of changes that
> > will affect IPA. In particular, the following changes will affect
> >
Sep 17 00:00:00 2001
From: Ade Lee
Date: Sun, 29 Jul 2012 14:07:31 -0400
Subject: [PATCH] Modifications to install scripts for dogtag 10
Dogtag 10 uses a new installer, new directory layout and new default
ports. This patch changes the ipa install code to integrate these changes.
---
install/c
Hi all,
Based on conversations with Adam, Simo and Rob, here are some thoughts
on $subject:
http://pki.fedoraproject.org/wiki/Merging_IPA_and_Dogtag_Databases
I'll probably add more later - like the details on how cloned instance
installation will run.
Comments are welcome.
Ade
_
On Thu, 2011-11-03 at 09:22 -0400, Rob Crittenden wrote:
> Ade Lee wrote:
> > On Wed, 2011-11-02 at 16:03 -0400, Adam Young wrote:
> >> To clarify: there are two types of Data stored in the PKI CA DS
> >> instances. One is Users and groups (IdM), and the other is
>
On Thu, 2011-11-03 at 09:20 -0400, Adam Young wrote:
> On 11/03/2011 12:56 AM, Simo Sorce wrote:
> > On Wed, 2011-11-02 at 20:25 -0400, Adam Young wrote:
> >> On 11/02/2011 06:19 PM, Rob Crittenden wrote:
> >>> Simo Sorce wrote:
> >>>> On Wed, 2011-11
On Wed, 2011-11-02 at 16:03 -0400, Adam Young wrote:
> To clarify: there are two types of Data stored in the PKI CA DS
> instances. One is Users and groups (IdM), and the other is
> certificates and requests.
>
> The CA currently administers its own users: creates, add deletes, add
> privs
On Tue, 2011-11-01 at 12:49 -0400, Simo Sorce wrote:
> On Tue, 2011-11-01 at 12:40 -0400, Richard Megginson wrote:
> > - Original Message -
> > >
> > >
> > >
> > > We had a brief discussion on unifying the PKI and IPA Directory
> > > Server instances. Here are my notes from it. Please fi
Hi,
With recent changes, Dogtag instances in IPA now reside behind an Apache
proxy and are accessed using ports 80 and 443. This is the default
configuration for any newly created instances.
Older instances that have been recently upgraded will need to run a
script to upgrade the Dogtag configu
ervice port (7389): OK
> PKI-CA: Agent secure port (9443): OK
> PKI-CA: EE secure port (9444): OK
> PKI-CA: Admin secure port (9445): OK
> PKI-CA: EE secure client auth port (9446): OK
> PKI-CA: Unsecure port (9180): OK
>
> Connection from master to replica is