Passing on a recent event of CA.cfg being clobbered / corrupted / truncated by
the patching process (yum update).
This took a few hours to find, for I did not expect this to happen to a file
that normally would not be changed.
The clobbered file, CA.cfg, was truncated by over 500 lines.
Errors that show on
> ctly touching cn=config and avoid the need for DM password is
> one of the main reasons to do this work ...
I'd just like to +1 / re-iterate this point...
In addition, thank you for hacking on this and for posting this for
early review.
Cheers,
James
:
https://github.com/purpleidea/puppet-ipa/tree/feat/yamldata
I'll rebase this branch as new patches are added, and I'll usually keep
it current against git master. Once someone ACK's that it is working
against another OS or version, then I'll maintain it in git master.
Thank
/puppet-ipa/commit/73712d1b051398c4193b081c3f35eddf679896e2
I define the topology shape algorithmically (eg: ring, flat, star,
etc...) and the replicas make it happen :)
Cheers,
James
>
> Thanks,
> Ludwig
>
> [1] http://www.freeipa.org/page/V4/Manage_replication_topology
>
On Thu, 2014-07-24 at 08:40 +0300, Alexander Bokovoy wrote:
> On Thu, 24 Jul 2014, James wrote:
> >Hi devel,
> >
> >It would be particularly useful if each FreeIPA entry (eg: user, host,
> >service, etc...) had creation and last modified timestamps. Do these
> >fie
recent activity
* and so on...
An example of how this could be specifically useful is explained in my
just published Puppet+FreeIPA article:
https://ttboj.wordpress.com/2014/07/24/hybrid-management-of-freeipa-types-with-puppet/
Thank you again,
James
is list changes based on which $args are used to install FreeIPA,
let me know too.
These will get inserted here (if you're curious):
https://github.com/purpleidea/puppet-ipa/commit/31ede1a185f3d4bd5dd9848613e24a19f460f595#diff-e26063ec0e856ceac05cf5b4132f3330R61
Thanks!
James
In particular, I'm interested in knowing if there are repos with rpm's
for each version/os. (>=v.3.0.0 and Fedora/CentOS6+/RHEL6+)
Thanks,
James
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
I'm currently using ipa-server v 3.0.0
Thanks,
James
I think it's kind of funny that the cert for: https://www.freeipa.org/
is invalid, particularly since this is a security product.
In any case, feel free to forward to whoever maintains this in case
someone thinks it matters.
Cheers,
James
On Fri, Jun 6, 2014 at 6:22 PM, Rich Megginson wrote:
>
> grep nsslapd-rootpw /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
>
> The pwdhash command can be used to create a hashed password.
Ah, brilliant, this works great, thanks!!
On Fri, 2014-06-06 at 14:43 -0400, Simo Sorce wrote:
> On Fri, 2014-06-06 at 14:06 -0400, James wrote:
> > On Fri, 2014-06-06 at 08:51 -0400, Simo Sorce wrote:
> > > But let me ask a more important question, how do you distribute the
> > > public keys securely ? Is i
On Fri, 2014-06-06 at 15:10 +0200, Jan Pazdziora wrote:
> On Fri, Jun 06, 2014 at 08:51:39AM -0400, Simo Sorce wrote:
> >
> > Clearly puppet has root level access to the system so you do not (should
> > not ?) care much about preventing access to these systems, the aim is to
> > not inadvertently
On Fri, 2014-06-06 at 14:03 +0200, Jan Pazdziora wrote:
> On Fri, Jun 06, 2014 at 06:38:10AM -0400, James wrote:
> >
> > I've just announced the first sane implementation for secret handling
> > in puppet. Since everyone does this wrong, I thought I'd do it
On Fri, 2014-06-06 at 08:51 -0400, Simo Sorce wrote:
> On Fri, 2014-06-06 at 06:38 -0400, James wrote:
> > Hi FreeIPA,
> >
> > *intro*
> >
> > As some of you might know, I'm currently working on deploying
> > multi-master replicas with puppet. Si
On Fri, 2014-06-06 at 09:03 -0400, Simo Sorce wrote:
> On Fri, 2014-06-06 at 06:58 -0400, James wrote:
> > On Mon, Jun 2, 2014 at 4:46 AM, Ludwig Krispenz wrote:
> > > Ticket 4302 is a request for an enhancement: Move replication topology to
> > > the shared tree
>
hanging the algorithm would re-arrange the graph :)
Hope this made sense.
Cheers,
James
tion, this would ensure that the configuration management itself
is HA. Without this type of functionality, then if the first ipa
server isn't available, then config management will be blocked. I
would appreciate any recommendations on how to convert a previou
On Fri, May 30, 2014 at 2:00 AM, Martin Kosek wrote:
> On 05/30/2014 06:14 AM, Dmitri Pal wrote:
>> On 05/29/2014 01:44 AM, James wrote:
>>> /usr/bin/runcon: invalid context: unconfined_u:system_r:pki_ca_script_t:s0:
>>> Invalid argument"
>> Looks like and A
bin/cat` --admin-password=`/bin/cat
'/var/lib/puppet/tmp/ipa/admin.password' | /bin/cat | /bin/cat |
/bin/cat` --idstart=16777216 --no-ntp --unattended
Thanks,
James
2014-05-29T03:06:30Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2014-05-29
On Fri, 2014-05-23 at 22:50 -0400, Simo Sorce wrote:
> No, but those need to be accessible to the user, I think you can
> create
> a meta-package that contains those password when you create the first
> master, encrypted in a gpg file with private keys only stored in the
> freeipa servers.
I do som
On Fri, May 23, 2014 at 7:49 PM, Simo Sorce wrote:
> On Fri, 2014-05-23 at 17:16 -0400, James wrote:
>> On Fri, 2014-05-23 at 15:44 +0200, Martin Kosek wrote:
>> > One cannot easily improve ipa-replica-prepare to work through LDAPI as
>> > we also
>> > need
rical with configuration management, my
puppet-gluster module does this.
Cheers, and thanks for reading.
James
On Fri, 2014-05-23 at 09:28 -0400, Dmitri Pal wrote:
> I guess the question is more:
> If I am root is there any way to do the operation without providing
> the
> password but rather using something like LDAPI to drive the operation.
> The issue is that if you use puppet there is no way to get the
On Fri, 2014-05-23 at 12:42 +0200, Martin Kosek wrote:
> On 05/23/2014 07:01 AM, James wrote:
> > I'm trying to understand some of the FreeIPA replication internals so
> > that I can better know how to do this properly in Puppet without
> > storing any secret informat
ss the whole cluster? Please
point me to a doc that explains this FAQ stuff if possible. Sorry for
the noise
Thanks again,
James
On Tue, May 13, 2014 at 10:36 AM, Dmitri Pal wrote:
> This is their problem. Why would we aid them to do wrong things and make it
> easier?
> I really miss the point. Why is it all needed?
> Why do you need to reset passwords in IPA through puppet?
> What is the use case?
Give me about a week and
On Mon, May 12, 2014 at 6:22 PM, Dmitri Pal wrote:
> On 05/12/2014 06:07 PM, James wrote:
>>
>> On Mon, 2014-05-12 at 17:56 -0400, Dmitri Pal wrote:
>>>
>>> Is there any other attribute to look at?
>>> For example the timestamp when it was last set and
On Mon, 2014-05-12 at 17:56 -0400, Dmitri Pal wrote:
> Is there any other attribute to look at?
> For example the timestamp when it was last set and base the update on
> that rather than on matching password values?
>
There are some other solutions, but they are less elegant or don't work
consist
On Mon, 2014-05-12 at 09:11 +0200, Martin Kosek wrote:
> 1) Get fbar1's b64 encoded password hash:
>
> # ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket -b 'uid=fbar1,cn=users,cn=accounts,dc=example,dc=com' userPassword
This seems to work great. I used user 'admin'.
On Mon, 2014-05-12 at 16:25 -0400, Dmitri Pal wrote:
> Yes and this was my point too. If you have root you do not need to
> know
> the old password. You can just reset the current one to what you want.
I agree with you. This isn't about functionality, it's about automating
functionality. Puppet
On Sun, May 11, 2014 at 9:02 PM, Dmitri Pal wrote:
> On 05/11/2014 06:31 PM, James wrote:
>>
>> On Sun, May 11, 2014 at 3:04 PM, Dmitri Pal wrote:
>>>
>>> This is scary.
>>> This means that you are expecting to have a hash being stored somewhere else
>>
On Sun, May 11, 2014 at 3:04 PM, Dmitri Pal wrote:
>
> This is scary.
> This means that you are expecting to have a hash being stored somewhere else
> outside the DS.
Haha, I agree! Actually, worse! I will have the plain text password
stored somewhere outside the DS! Let me give you more background:
/usr/bin/ldappasswd -Y EXTERNAL -s `${admin_password_exec}` -H ${ldapuri} uid=admin,cn=users,cn=accounts,${suffix}"
I also have the same question for the DM password, however I don't yet
know how to set it. If someone has a script for that, I'd love that too!
Thanks again!
James
Not sure where to jump in but I had one comment:
Puppet-IPA [1] + Shorewall make a lovely pair :)
Cheers,
James
[1] https://github.com/purpleidea/puppet-ipa
On Mon, Apr 7, 2014 at 7:51 PM, Dmitri Pal wrote:
> On 04/07/2014 09:00 AM, Rob Crittenden wrote:
>>
>> Simo Sorce wr
ng too.
Cheers,
James
On Wed, Dec 18, 2013 at 8:50 PM, Andrew Wnuk wrote:
> I have been exploring the possibilities of using FreeIPA CA as an external
> Puppet CA with the requirement that Puppet will stay unmodified.
> Here are some notes: http://www.freeipa.org/page/IPA_as_external
On Fri, Nov 15, 2013 at 8:26 AM, Petr Vobornik wrote:
> Example is at: <http://pvoborni.fedorapeople.org/rcue/>
And here I thought FreeIPA couldn't get any prettier...
Nice work. +1
James
ect by Colin Walters already solves. Under the hood package
installs are atomic. I don't know a lot of the technical details, but
he might be a good person to ask.
Cheers,
James
> Although to the end-user otopi can seem dense, complicated, and mysterious
> (e.g., its weird .conf fi
On Mon, 2013-09-16 at 09:31 +0200, Petr Spacek wrote:
> You are right, the scenario described by me doesn't require views.
> Please see
> reply from James in another part of this thread - his setup has shared
> host
> name (internal = external) but different IP addresse
ge? How should we
> handle the fact that internal and external names are different? Should we
> use some sort of referral mechanism?
>
>
> Cloud users, please speak now :-) Opinions are more than welcome!
Some comments are given above.
works" or at least mostly, feel free to ping me somehow.
HTH,
James
[1] https://github.com/purpleidea/puppet-ipa
On Fri, 2013-07-19 at 17:59 +0200, Petr Vobornik wrote:
> Hello,
>
> Note: the button is actually in a form of a link
I didn't notice this before.
Sorry for the noise.
James
>
> The approach you're proposing is often valid and a preferred one but
> I
> don
't cause users to "search" for a button that doesn't
exist...
Cheers,
James
>
> https://fedorahosted.org/freeipa/ticket/3799
nk to the ticket this refers
to... so just to be clear it's for this one:
https://fedorahosted.org/freeipa/ticket/3031
Cheers,
James
client DNS records and configures the value in
sssd.conf so that ongoing changes to IP use the TTL as desired.
Cheers,
James
Allow-TTL-to-be-configured-during-ipa-client-install.patch
Description: Binary data
On Tue, 2013-06-18 at 11:16 -0400, Simo Sorce wrote:
> On Tue, 2013-06-18 at 10:38 -0400, James wrote:
> > Hi freeipa-devel,
> >
> > I just joined today, I'd like to introduce myself, I'm James. Hi.
> >
> > I am currently working on (among other things)
Hi freeipa-devel,
I just joined today, I'd like to introduce myself, I'm James. Hi.
I am currently working on (among other things) a puppet module for
freeipa. I've just published an initial release:
https://github.com/purpleidea/puppet-ipa
It only has a few resource types at th
hs ago...
The relevant ticket is https://fedorahosted.org/freeipa/ticket/3031 ...
Regards,
James
based infrastructure
when compared to a Windows one linked with AD thus much keen interest ;)
Regards,
James
next couple of weeks.
Kind regards,
James
0001-Allow-TTL-to-be-configured-dring-ipa-client-install.patch
Description: Binary data
t the TTL
will be if he enables updates in SSSD.
Until SSSD allows for the TTL to be set in sssd.conf (patch sent in
and pending review for possible future inclusion) this patch will only
affect the initial registration and not any ongoing changes.
Comments would be most welcome!
Kind regards,
can write up template
apache configs and step by step details?
Thanks,
James
a prototype, it is not well-tested,
nor DoS-attack proof at all, so it could potentially harm or totally destroy
someone's authentication system. :(
Thanks.
--Gelen
From: Rob Crittenden
To: Gelen James
Cc: "freeipa-devel@redhat.com"
I've coded it with python-kerberos and it works. Pretty rough though.
--Gelen.
From: Gelen James
To: "freeipa-devel@redhat.com"
Sent: Sunday, May 20, 2012 2:22 AM
Subject: Feature request: Web UI for IPA users to reset their own expired
password
The current assumption is that all IPA users can log in to Unix/Linux
machines to change their IPA password, or reset their expired password.
But this is not available all the time, so a more general alternative -- a web
UI -- will be more appreciated. The basic requirements are:
1, The web