On Fri, 2016-09-30 at 13:02 -0400, Robbie Harwood wrote:
> Nathaniel McCallum writes:
>
> > On Fri, 2016-09-30 at 14:19 +0200, Martin Kosek wrote:
> > > On 09/23/2016 09:54 AM, Jakub Hrozek wrote:
> > > > On Thu, Sep 22, 2016 at 06:09:43PM +0200, Petr Vobornik w
On Fri, 2016-09-30 at 15:10 +0200, Petr Vobornik wrote:
> On 09/28/2016 04:58 PM, Nathaniel McCallum wrote:
> > On Wed, 2016-09-28 at 08:03 +0300, Alexander Bokovoy wrote:
> > > On ti, 27 syys 2016, Nathaniel McCallum wrote:
> > > > In at least one case, when an LD
On Fri, 2016-09-30 at 14:19 +0200, Martin Kosek wrote:
> On 09/23/2016 09:54 AM, Jakub Hrozek wrote:
> > On Thu, Sep 22, 2016 at 06:09:43PM +0200, Petr Vobornik wrote:
> > > Hi all,
> > >
> > > As you know, FedoraHosted.org will be decommissioned.
> > > https://communityblog.fedoraproject.org/fed
On Wed, 2016-09-28 at 08:03 +0300, Alexander Bokovoy wrote:
> On ti, 27 syys 2016, Nathaniel McCallum wrote:
> > In at least one case, when an LDAP socket closes, a read event is
> > fired
> > rather than an error event. Without this patch, ipa-otpd silently
> > igno
actual read fail, we exit.
From 43a8cd4f991115bcebcbe829b4b1be13849e288f Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum
Date: Tue, 27 Sep 2016 14:34:05 -0400
Subject: [PATCH] Properly handle LDAP socket closures in ipa-otpd
In at least one case, when an LDAP socket closes, a read event is fired
> > > >
> > > > On 29.06.2016 15:52, Stanislav Laznicka wrote:
> > > > >
> > > > > On 06/24/2016 03:14 PM, Martin Basti wrote:
> > > > > >
> > > > > >
> > > > > >
https://fedorahosted.org/freeipa/ticket/433
From c7254a9dd182b34665b50c45c5ece42a3cbc56e2 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum
Date: Tue, 21 Jun 2016 14:19:03 -0400
Subject: [PATCH] Add authentication indicators support to Host objects
https://fedorahosted.org/freeipa/ticket/433
On Tue, 2016-05-31 at 15:25 +0200, Petr Vobornik wrote:
> On 05/31/2016 02:49 PM, Nathaniel McCallum wrote:
> > On Mon, 2016-05-30 at 19:08 +0300, Alexander Bokovoy wrote:
> > > On Mon, 30 May 2016, Petr Vobornik wrote:
> > > > On 05/27/2016 06:00 PM, Nathaniel M
On Mon, 2016-05-30 at 19:08 +0300, Alexander Bokovoy wrote:
> On Mon, 30 May 2016, Petr Vobornik wrote:
> > On 05/27/2016 06:00 PM, Nathaniel McCallum wrote:
> > > Pavel, since we made the change here from a StrEnum to a Str, we
> > > need
> > > to update th
RADIUS is an acronym. This patch fixes its usage to match our
capitalization of other acronyms, like OTP.
From 33f10766a9793531984d3be3fb7ec12c8ab1cde0 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum
Date: Fri, 27 May 2016 12:10:00 -0400
Subject: [PATCH] Fix RADIUS capitalization
RADIUS is an
Pavel, since we made the change here from a StrEnum to a Str, we need
to update the UI patch accordingly.
On Fri, 2016-05-27 at 11:55 -0400, Nathaniel McCallum wrote:
> On Fri, 2016-05-27 at 18:35 +0300, Alexander Bokovoy wrote:
> > On Fri, 27 May 2016, Nathaniel McCallum wrote:
>
On Fri, 2016-05-27 at 18:35 +0300, Alexander Bokovoy wrote:
> On Fri, 27 May 2016, Nathaniel McCallum wrote:
> > All core functionality for authentication indicators has already
> > been
> > merged. All that is left is the CLI and UI patches. Attached is the
> >
On Fri, 2016-05-27 at 17:43 +0200, Pavel Vomacka wrote:
>
> On 05/12/2016 11:13 PM, Nathaniel McCallum wrote:
> > On Wed, 2016-05-11 at 13:08 +0200, Pavel Vomacka wrote:
> > > Hi,
> > >
> > > the patch adds webui part for authentication indicators.
> >
On Tue, 2016-05-24 at 12:25 -0400, Nathaniel McCallum wrote:
> On Tue, 2016-05-24 at 11:01 -0400, Nathaniel McCallum wrote:
> > On Tue, 2016-05-24 at 16:55 +0200, Martin Kosek wrote:
> > > On 05/24/2016 04:29 PM, Nathaniel McCallum wrote:
> > > > Using a pragma instea
rom e5507c8c49cb50be247f23627bf58b6953d7b8a9 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum
Date: Wed, 4 May 2016 17:08:45 -0400
Subject: [PATCH] Enable service authentication indicator management
https://fedorahosted.org/freeipa/ticket/433
---
API.txt | 9 ++---
VERSION |
Martin, can we get patches 1-4 pushed? I'll submit patch 5 again to the
list after a rebase for further discussion.
On Wed, 2016-05-25 at 13:32 +0200, Sumit Bose wrote:
> On Tue, May 24, 2016 at 12:21:43PM -0400, Nathaniel McCallum wrote:
> > New versions again. This time I just rem
On Tue, 2016-05-24 at 11:01 -0400, Nathaniel McCallum wrote:
> On Tue, 2016-05-24 at 16:55 +0200, Martin Kosek wrote:
> > On 05/24/2016 04:29 PM, Nathaniel McCallum wrote:
> > > Using a pragma instead of guards is easier to write, less error
> > > prone
> > >
New versions again. This time I just removed the stray "TODO: assign
OID" line in the commit as it no longer applies.
On Tue, 2016-05-24 at 12:08 -0400, Nathaniel McCallum wrote:
> I have attached new versions of the patches. Comments below.
>
> On Tue, 2016-05-24 at 15:2
I have attached new versions of the patches. Comments below.
On Tue, 2016-05-24 at 15:25 +0200, Sumit Bose wrote:
> On Thu, May 12, 2016 at 05:33:26PM -0400, Nathaniel McCallum wrote:
> > On Fri, 2016-05-06 at 14:44 +0200, Sumit Bose wrote:
> > > On Wed, May 04, 2016 a
On Tue, 2016-05-24 at 16:55 +0200, Martin Kosek wrote:
> On 05/24/2016 04:29 PM, Nathaniel McCallum wrote:
> > Using a pragma instead of guards is easier to write, less error
> > prone
> > and avoids name clashes (a source of very subtle bugs). This pragma
> > is suppor
On Tue, 2016-05-24 at 10:29 -0400, Nathaniel McCallum wrote:
> Using a pragma instead of guards is easier to write, less error prone
> and avoids name clashes (a source of very subtle bugs). This pragma
> is supported on almost all compilers, including all the compilers we
> care
29adf64e366535f087b607a093fd5f2e3b3631f9 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum
Date: Tue, 24 May 2016 10:18:43 -0400
Subject: [PATCH] Migrate from #ifndef guards to #pragma once
Using a pragma instead of guards is easier to write, less error prone
and avoids name clashes (a source of very subtle bugs
On Tue, 2016-05-24 at 15:25 +0200, Sumit Bose wrote:
> ACK, on the client krb5_responder_list_questions() return both
> "password" and "otp" if the user is configured for both.
>
> Btw, what is the right way for a client to skip "otp" and only do
> "password" should something like krb5_responder_o
On Fri, 2016-05-06 at 14:44 +0200, Sumit Bose wrote:
> On Wed, May 04, 2016 at 05:33:55PM -0400, Nathaniel McCallum wrote:
> > This series of patches implements authentication indicator
> > insertion,
> > evaluation and management in FreeIPA. Besides these patches, two
>
On Wed, 2016-05-11 at 13:08 +0200, Pavel Vomacka wrote:
> Hi,
>
> the patch adds webui part for authentication indicators.
>
> Ticket: https://fedorahosted.org/freeipa/ticket/5872
The otp option displays as: OTP.
The radius option displays as: Radius.
However, both are acronyms. The capitalizat
(0089;
report_auth_method()).
Please review the approaches taken here. I plan to hit this hard on
Monday.
Nathaniel
From 047a8846fb5582ac1a1451c106ebf74079c3609f Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum
Date: Wed, 4 May 2016 17:08:45 -0400
Subject: [PATCH 5/5] Enable managing authentication indic
On Mon, 2016-05-02 at 18:27 +0200, Petr Vobornik wrote:
> Hi Matt, Nathaniel and Simo,
>
> I'd like to kindly check the status of this effort therefore
> resurrecting this thread.
>
> First, Is the design up to date? Are there still aspects which need
> to
> be figured out?
I do not believe ther
On Mon, 2016-04-11 at 10:41 -0400, Matt Rogers wrote:
> Hi,
>
> The attached patch is a part of the authentication indicator
> enhancements,
> adding indicator value storage and retrieval for the KDB driver.
>
> https://fedorahosted.org/freeipa/ticket/5782
Can you add some whitespace in next_att
On Mon, 2016-04-11 at 10:41 -0400, Matt Rogers wrote:
> Hi,
>
> The attached patch is a part of the authentication indicator
> enhancements,
> adding indicator value storage and retrieval for the KDB driver.
>
> https://fedorahosted.org/freeipa/ticket/5782
This patch is part of the authenticatio
On Wed, 2016-03-16 at 07:25 +0100, Jan Cholasta wrote:
> On 15.3.2016 22:22, Nathaniel McCallum wrote:
> >
> > On Tue, 2016-03-15 at 17:54 +0100, Martin Babinsky wrote:
> > >
> > > On 03/15/2016 03:36 PM, Martin Babinsky wrote:
> > > >
> > >
On Tue, 2016-03-15 at 17:54 +0100, Martin Babinsky wrote:
> On 03/15/2016 03:36 PM, Martin Babinsky wrote:
> >
> > On 03/09/2016 07:06 AM, Jan Cholasta wrote:
> > >
> > > On 8.3.2016 17:45, Martin Babinsky wrote:
> > > >
> > > > On 03/08/2016 05:35 PM, Jan Cholasta wrote:
> > > > >
> > > > > Hi
On Fri, 2016-02-26 at 09:00 +0100, Martin Kosek wrote:
> On 02/25/2016 10:51 PM, Simo Sorce wrote:
> >
> > On Thu, 2016-02-25 at 16:13 -0500, Nathaniel McCallum wrote:
> > >
> > > On Thu, 2016-02-25 at 12:19 -0500, Nathaniel McCallum wrote:
> > > > >
On Fri, 2016-02-26 at 11:20 -0500, Simo Sorce wrote:
> On Fri, 2016-02-26 at 10:24 -0500, Nathaniel McCallum wrote:
> > I was thinking:
> > 1. Bind as the entity validating the 2nd factor.
> > 2. Extop which takes the:
> > * user dn
> > * type of 2n
On Fri, 2016-02-26 at 10:12 -0500, Simo Sorce wrote:
> On Fri, 2016-02-26 at 09:30 -0500, Nathaniel McCallum wrote:
> >
> > On Thu, 2016-02-25 at 16:51 -0500, Simo Sorce wrote:
> > > Questions:
> > > - Should the control specify what kind of auth specifical
On Thu, 2016-02-25 at 16:51 -0500, Simo Sorce wrote:
> On Thu, 2016-02-25 at 16:13 -0500, Nathaniel McCallum wrote:
> >
> > On Thu, 2016-02-25 at 12:19 -0500, Nathaniel McCallum wrote:
> > >
> > > On Thu, 2016-02-25 at 10:49 -0500, Simo Sorce wrote:
> > >
On Thu, 2016-02-25 at 12:19 -0500, Nathaniel McCallum wrote:
> On Thu, 2016-02-25 at 10:49 -0500, Simo Sorce wrote:
> >
> > On Thu, 2016-02-25 at 10:32 -0500, Nathaniel McCallum wrote:
> > >
> > >
> > > On Wed, 2016-02-24 at 09:55 -0500, Nathaniel Mc
On Thu, 2016-02-25 at 10:49 -0500, Simo Sorce wrote:
> On Thu, 2016-02-25 at 10:32 -0500, Nathaniel McCallum wrote:
> >
> > On Wed, 2016-02-24 at 09:55 -0500, Nathaniel McCallum wrote:
> > >
> > > On Sun, 2016-02-21 at 20:50 -0500, Simo Sorce wrote:
> > >
On Wed, 2016-02-24 at 09:55 -0500, Nathaniel McCallum wrote:
> On Sun, 2016-02-21 at 20:50 -0500, Simo Sorce wrote:
> >
> > On Sun, 2016-02-21 at 20:20 -0500, Nathaniel McCallum wrote:
> > >
> > >
> > > https://github.com/npmccallum/freeipa/pull/1
>
On Sun, 2016-02-21 at 20:50 -0500, Simo Sorce wrote:
> On Sun, 2016-02-21 at 20:20 -0500, Nathaniel McCallum wrote:
> >
> > https://github.com/npmccallum/freeipa/pull/1
> >
> > The above (pseudo) pull request contains four patches against
> > FreeIPA
> > to
https://github.com/npmccallum/freeipa/pull/1
The above (pseudo) pull request contains four patches against FreeIPA
to enable the insertion of Authentication Indicators into Kerberos
tickets. The basic flow looks like this.
First, we patch ipa-pwd-extop to return a control indicating what
authenti
On Mon, 2016-01-11 at 17:45 +0100, Martin Basti wrote:
>
>
> On 14.12.2015 16:22, Nathaniel McCallum wrote:
> > We always have to call find_base() in order to force libldap to
> > open
> > the socket. However, if no base is actually required then there is
> > no
00:00:00 2001
From: Nathaniel McCallum
Date: Mon, 14 Dec 2015 10:12:26 -0500
Subject: [PATCH] Don't error when find_base() fails if a base is not required
We always have to call find_base() in order to force libldap to open
the socket. However, if no base is actually required then there
On Fri, 2015-09-25 at 18:29 +0200, Martin Babinsky wrote:
> On 09/25/2015 04:53 PM, Nathaniel McCallum wrote:
> > On Mon, 2015-08-31 at 11:08 -0400, Nathaniel McCallum wrote:
> > > https://fedorahosted.org/freeipa/ticket/5192
> > > --
> > > Manage your subscr
On Fri, 2015-09-25 at 12:18 -0400, Nathaniel McCallum wrote:
> Temporarily storing the offset time in an unsigned integer causes the
> value of the offset to underflow when a (valid) negative offset value
> is generated. Using a signed variable avoids this problem.
This new version
Temporarily storing the offset time in an unsigned integer causes the
value of the offset to underflow when a (valid) negative offset value
is generated. Using a signed variable avoids this problem.
From 41682880a146951dab5d08ed940fb6c447957545 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum
On Mon, 2015-08-31 at 11:08 -0400, Nathaniel McCallum wrote:
> https://fedorahosted.org/freeipa/ticket/5192
> --
> Manage your subscription for the Freeipa-devel mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Contribute to FreeIPA: http://www.freeipa.org/
https://fedorahosted.org/freeipa/ticket/5192
From dec73420432015b45ead1474e87eda5fafb5ebe0 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum
Date: Mon, 31 Aug 2015 10:46:19 -0400
Subject: [PATCH] Migrate OTP import script to python-cryptography
https://fedorahosted.org/freeipa/ticket/5192
On Thu, 2015-08-27 at 10:27 +0200, Petr Spacek wrote:
> On 15.7.2015 09:44, Jan Pazdziora wrote:
> > On Tue, Jul 14, 2015 at 12:49:23PM -0400, John Dennis wrote:
> > > On 07/14/2015 12:03 PM, Petr Spacek wrote:
> > > > Hello,
> > > >
> > > > Is anyone using repos
> > > > https://jdennis.fedorapeop
On Mon, 2015-08-10 at 17:43 +0200, Milan Kubík wrote:
> Hi all,
>
> this patch fixes problem described in the ticket [1]
> that caused the test run to fail completely at every other or so run.
> I took the liberty to fix most of the pep8 issues while I was at it.
>
> Thanks to Jan Cholasta for he
On Wed, 2015-07-22 at 20:47 +0200, Christian Heimes wrote:
> On 2015-07-22 20:38, Nathaniel McCallum wrote:
> > On Wed, 2015-07-22 at 20:34 +0200, Christian Heimes wrote:
> > > On 2015-07-22 20:23, Nathaniel McCallum wrote:
> > > > Related: CVE-2015-5159
> >
On Wed, 2015-07-22 at 14:38 -0400, Nathaniel McCallum wrote:
> On Wed, 2015-07-22 at 20:34 +0200, Christian Heimes wrote:
> > On 2015-07-22 20:23, Nathaniel McCallum wrote:
> > > Related: CVE-2015-5159
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1245200
>
On Wed, 2015-07-22 at 20:34 +0200, Christian Heimes wrote:
> On 2015-07-22 20:23, Nathaniel McCallum wrote:
> > Related: CVE-2015-5159
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1245200
>
> The patch prevents a flood attack but I consider more a workaround
> than
>
Related: CVE-2015-5159
From b9595d34e36d967d57c0f72f26fca40b913c6d5e Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum
Date: Wed, 22 Jul 2015 14:18:16 -0400
Subject: [PATCH] Limit request sizes to /KdcProxy
Related: CVE-2015-5159
---
install/conf/ipa-kdc-proxy.conf.template | 1 +
1 file changed
I definitely see both models finding use.
- Original Message -
> Yeah, user creation requires manual intervention; an admin has to move
> the user from staging to the main user tree.
>
> It could be pretty easily modified to allow totally automated self
> sign-up though
>
I'm pretty excited about this.
As I see it right now user creation requires manual intervention. Is this
correct?
Is it possible to have a fully automated process where a token is generated and
mailed to the user to verify their email address?
- Original Message -
> Hi, all,
>
> I'm j
4.3 is going to be a very narrow feature release. Should we branch 4.3 early so
that we can still land new features on master during 4.3?
This LGTM. However, I’ll let Alexander give the ACK.
> On Jul 7, 2015, at 10:11 AM, Christian Heimes wrote:
>
> Hi,
>
> the patch addresses the error handling of ipa-httpd-kdcproxy as
> discussed in the other thread.
>
> Christian
> On Jul 6, 2015, at 11:35 AM, Christian Heimes wrote:
>
> Hello,
>
> I like to ask for your opinion regarding the pre-exec hook
> 'ipa-httpd-kdcproxy' in httpd.service. Alex has asked me to handle error
> cases like LDAP connection timeout more gracefully. At the moment any
> error causes the
> On Jun 23, 2015, at 2:55 PM, Simo Sorce wrote:
>
> On Tue, 2015-06-23 at 18:51 +0200, Christian Heimes wrote:
>> +WSGIImportScript /usr/lib/python2.7/site-packages/kdcproxy/__init__.py \
>> + process-group=kdcproxy application-group=kdcproxy
>> +WSGIScriptAlias /KdcProxy
>> /usr/lib/python2.
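Review bot: The WSGIImportScript line hard-codes /usr/lib/python2.7/site-packages/kdcproxy/__init__.py, and the WSGIScriptAlias target begins with the same prefix, so the configuration stops loading kdcproxy on any host where the module is installed under a different Python version or site-packages directory. Consider substituting the module path at install time instead of embedding it in the configuration.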
I’m sold. ACK
Simo, speak now or forever hold your peace (or patch it later).
> On Jun 23, 2015, at 2:20 PM, Christian Heimes wrote:
>
> On 2015-06-23 19:55, Nathaniel McCallum wrote:
>> The behavior I'm worried about here is this:
>> 1. Admin installs or updates
The behavior I'm worried about here is this:
1. Admin installs or updates FreeIPA (w/ kdcproxy)
2. Admin disables kdcproxy
3. Admin updates to the next version
After step #3, is kdcproxy enabled or disabled? I don't have a clear answer to
this (or at least I'm not seeing it).
Other than this, I'
typo: is_kdcprox_configured
You need to update the commit message (don't do changes since last patch).
Also, I'm pretty sure this is the case, but the code in
ipaserver/install/httpinstance.py only executes during initial installation,
right?
- Original Message -
> This is hopefully th
- Original Message -
> Ah, got it!
>
> What's the simplest way to download and test the new package on my VM?
Download the package from koji.
http://koji.fedoraproject.org/koji/packageinfo?packageID=19292
On Tue, 2015-06-23 at 15:11 +0200, Christian Heimes wrote:
> On 2015-06-23 14:58, Nathaniel McCallum wrote:
> > I agree. One other small nitpick is that the python-kdcproxy
> > dependency
> > is still wrong. Please make it depend on 0.3. 0.3 is already in
> > RH
On Tue, 2015-06-23 at 08:56 -0400, Simo Sorce wrote:
> On Tue, 2015-06-23 at 11:37 +0200, Christian Heimes wrote:
> > Hi,
> >
> > I've created a new patch that implements the KDC switch as a
> > ExecStartPre hook in httpd.service.
> >
> > Testing:
> > If you are doing an upgrade of an existing in
On Mon, 2015-06-22 at 10:10 -0400, Simo Sorce wrote:
> On Mon, 2015-06-22 at 10:01 -0400, Nathaniel McCallum wrote:
> > I'd still prefer a user mapping to managing a keytab. This patch is
> > just way too complex for what it does.
>
> User mapping ?
EXTERNAL bind
I'd still prefer a user mapping to managing a keytab. This patch is just way
too complex for what it does.
- Original Message -
> I brought up your suggestion in today's IPA devel meeting. Simo
> explained that anonymous binding might not be available. Some customers
> disable it on their
On Wed, 2015-06-17 at 21:21 +0200, Christian Heimes wrote:
> On 2015-06-17 18:09, Nathaniel McCallum wrote:
> > On Fri, 2015-06-12 at 17:58 -0400, Adam Young wrote:
> >> On 06/12/2015 03:40 PM, Nathaniel McCallum wrote:
> >>> It doesn't apply again.
> >>
On Fri, 2015-06-12 at 17:58 -0400, Adam Young wrote:
> On 06/12/2015 03:40 PM, Nathaniel McCallum wrote:
> > It doesn't apply again.
> >
> > On Tue, 2015-06-09 at 15:55 +0200, Christian Heimes wrote:
> > > On 2015-05-27 15:16, Christian Heimes wrote:
> >
Google Authenticator fails if the algorithm is not uppercase.
https://fedorahosted.org/freeipa/ticket/5047
From 2d266d7f17ca5450253d7bcc2a2fe5cf4a5ed327 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum
Date: Wed, 17 Jun 2015 10:21:55 -0400
Subject: [PATCH] Fix OTP token URI generation
Google
It doesn't apply again.
On Tue, 2015-06-09 at 15:55 +0200, Christian Heimes wrote:
> On 2015-05-27 15:16, Christian Heimes wrote:
> > Hello,
> >
> > here is my first patch for FreeIPA. The patch integrates python
> > -kdcproxy
> > for MS-KKDCP support (aka Kerberos over HTTPS).
> >
> > https://w
On Fri, 2015-05-29 at 08:11 +0200, Jan Cholasta wrote:
> Dne 29.5.2015 v 08:07 Nathaniel McCallum napsal(a):
> > On Fri, 2015-05-29 at 08:02 +0200, Jan Cholasta wrote:
> > > Dne 28.5.2015 v 16:48 Nathaniel McCallum napsal(a):
> > > > On Thu, 2015-05-28 at 16:34
On Fri, 2015-05-29 at 08:02 +0200, Jan Cholasta wrote:
> Dne 28.5.2015 v 16:48 Nathaniel McCallum napsal(a):
> > On Thu, 2015-05-28 at 16:34 +0200, Christian Heimes wrote:
> > > Jan has suggested to ipaConfigString=kdcProxyEnabled in
> > > cn=KDC,cn=$FQDN,cn=maste
On Thu, 2015-05-28 at 17:07 +0200, Christian Heimes wrote:
> On 2015-05-28 16:48, Nathaniel McCallum wrote:
> > An apache module would also provide similar benefits. I'm not sure
> > I
> > necessarily want to stick with python here if we're optimizing for
> >
On Thu, 2015-05-28 at 16:34 +0200, Christian Heimes wrote:
> Hello,
>
> thank you for your input. The former thread has 58 messages in
> total.
> Since last Friday we have come to an agreement in most points. I like
> to
> sum up our decisions and focus on some minor details.
>
> decisions
>
On Wed, 2015-05-27 at 15:41 +0200, Petr Vobornik wrote:
> On 05/27/2015 03:34 PM, Christian Heimes wrote:
> > On 2015-05-27 14:47, Petr Vobornik wrote:
> > > Install/uninstall is not the same thing as enable/disable.
> > > Installation
> > > is a set of steps which first configures and then (optio
On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote:
> Dne 27.5.2015 v 15:43 Simo Sorce napsal(a):
> > On Wed, 2015-05-27 at 13:57 +0200, Jan Cholasta wrote:
> > > > >
> > > > > ipa config-mod --enable-kdcproxy=TRUE
> > > > > ipa config-mod --enable-kdcproxy=FALSE
> > >
> > > I don't li
On Tue, 2015-05-26 at 17:09 +0200, Christian Heimes wrote:
> On 2015-05-26 16:50, Nathaniel McCallum wrote:
> > Right. So as I see it, we have three options:
> > 1. Merge kdcproxy soon with a global switch.
> > A. Build per-replica switches later.
> > B. Never build
On Tue, 2015-05-26 at 16:43 +0200, Christian Heimes wrote:
> On 2015-05-26 16:24, Martin Kosek wrote:
> > On 05/26/2015 04:17 PM, Christian Heimes wrote:
> > > On 2015-05-26 15:57, Nathaniel McCallum wrote:
> > > > /KdcProxy
> > > >
> > > >
On Fri, 2015-05-22 at 12:24 +0200, Christian Heimes wrote:
> Here is what I have so far:
>
> 1) The FreeIPA webui already depends on Apache and mod_wsgi. KDC
> proxy
> will run from the same Apache HTTPD instance but it will use a
> different
> mod_wsgi daemon configuration. A second WSGI daemon
Nico Williams has made an interesting proposal on this topic:
http://marc.info/?l=openssl-users&m=143136162429551&w=2
It is probably worth discussing.
On Mon, 2015-05-11 at 10:09 -0400, Nathaniel McCallum wrote:
> Yes and no.
>
> The current Kerberos support is insecure and s
Yes and no.
The current Kerberos support is insecure and should not be used. The main
problem is that the session key is reused for all TLS connections. This
prevents perfect forward secrecy.
That being said, we have been toying around with the idea of making a new
standard for GSSAPI/TLS which u
This bug caused negative token windows to wrap-around, causing issues
with TOTP authentication and (especially) synchronization.
https://fedorahosted.org/freeipa/ticket/4990
From 12fadccfbea009196e1e0f2efeee7258c68981ca Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum
Date: Mon, 27 Apr 2015 10
On Thu, 2015-04-23 at 14:12 +0200, Petr Vobornik wrote:
> On 04/23/2015 12:24 PM, Petr Vobornik wrote:
> > If unbind was called when disconnected it raised:
> >AttributeError: 'NoneType' object has no attribute 'unbind_s'
> >
> > AttributeError is not a public error and therefore it prevented
On Tue, 2015-03-31 at 10:25 -0400, Nathaniel McCallum wrote:
> This change enables support for all current YubiKey hardware.
Can someone please review this patch?
Nathaniel
On Thu, 2015-04-16 at 09:12 +0200, Jan Cholasta wrote:
> Dne 9.4.2015 v 15:11 Luc de Louw napsal(a):
> >
> > On 04/09/2015 02:28 PM, Jan Cholasta wrote:
> > > > > > Let's say you now introduce --no-cr flag. What if we
> > > > > > decide to change
> > > > > > the default to False? How would you th
On Wed, 2015-04-08 at 17:53 +0200, Martin Basti wrote:
> On 08/04/15 17:46, Luc de Louw wrote:
> > On 04/08/2015 05:14 PM, Martin Basti wrote:
> > > On 08/04/15 17:12, Luc de Louw wrote:
> > > >
> > > > On 04/08/2015 05:05 PM, Martin Basti wrote:
>
On Wed, 2015-04-08 at 11:57 +0200, Luc de Louw wrote:
> Hi there,
>
> At the moment ipa otptoken-add-yubikey does not add the parameter
> "APPEND_CR". This prevents submit the password+OTP. APPEND_CR is
> usually
> very handy, most people use this functionality.
>
> The patch changes the behav
This change enables support for all current YubiKey hardware.
From 54f74bebe5149d3be4e2772cb0199dda30fb0088 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum
Date: Tue, 31 Mar 2015 10:17:18 -0400
Subject: [PATCH] Update python-yubico dependency version
This change enables support for all current
On Mon, 2015-03-30 at 11:52 -0400, Simo Sorce wrote:
> Since we now merged in a change from mod_auth_kerb to
> mod_auth_gssapi I
> was wondering if we want to press further and enable by default the
> use
> of native mod_auth_gssapi sessions ?
>
> The old mod_auth_kerb didn't have this feature s
On Fri, 2015-03-20 at 09:58 -0400, Simo Sorce wrote:
> On Fri, 2015-03-20 at 14:38 +0100, Martin Kosek wrote:
> > On 03/20/2015 02:19 PM, Simo Sorce wrote:
> > > On Fri, 2015-03-20 at 14:13 +0100, Martin Kosek wrote:
> > > > Hi guys,
> > > >
> > > > I would like to resurrect the discussion we had
On Mon, 2015-03-09 at 22:02 +0200, Alexander Bokovoy wrote:
> On Mon, 09 Mar 2015, Simo Sorce wrote:
> > On Mon, 2015-03-09 at 20:55 +0200, Alexander Bokovoy wrote:
> > > On Mon, 09 Mar 2015, Nathaniel McCallum wrote:
> > > > On Mon, 2015-03-09 at 20:22 +0200, Alexand
On Mon, 2015-03-09 at 20:22 +0200, Alexander Bokovoy wrote:
> On Mon, 09 Mar 2015, Jakub Hrozek wrote:
> > On Mon, Mar 09, 2015 at 04:08:46PM +0100, Martin Kosek wrote:
> > > On 03/09/2015 03:58 PM, Alexander Bokovoy wrote:
> > > > On Mon, 09 Mar 2015, Martin Kosek wrote:
> > > ...
> > > > One of b
On Mon, 2015-03-09 at 08:00 +0100, Stanislav Láznička wrote:
> Hi!
>
> My name is Stanislav Laznicka and I am a student at Brno University
> of Technology. As a part of my Master's thesis, I am supposed to
> design and
> implement time-based account policies extensions for FreeIPA and
> SSSD.
>
On Fri, 2015-02-20 at 14:55 -0500, Simo Sorce wrote:
> On Fri, 2015-02-20 at 10:41 -0500, Stephen Gallagher wrote:
> > On Fri, 2015-02-20 at 09:34 -0500, Simo Sorce wrote:
> > > During internal conversations it occurred to me we link to
> > > OpenSSL but never provided the proper exception for dow
On Fri, 2015-02-20 at 09:35 -0500, Simo Sorce wrote:
> We do not use openssl/des.h anymore, stop checking and importing it.
ACK
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
On Mon, 2015-02-16 at 17:58 +0100, Petr Vobornik wrote:
> not consistent with others
ACK
Attached is a new version which fixes most of the issues found.
Comments below.
On Mon, 2015-01-12 at 15:53 +0100, Petr Viktorin wrote:
> On 01/06/2015 03:26 AM, Nathaniel McCallum wrote:
> > On Thu, 2014-11-20 at 11:13 -0500, Nathaniel McCallum wrote:
> >> >This tests the
On Wed, 2015-01-14 at 17:49 +0100, Martin Babinsky wrote:
> On 01/14/2015 05:23 PM, Nathaniel McCallum wrote:
> > On Wed, 2015-01-14 at 16:49 +0100, Martin Babinsky wrote:
> >> Changing the owner of a token also implicitly sets the new owner as its
> >> manager if f
1 - 100 of 567 matches