From ssorce at redhat.com Mon Dec 1 00:37:14 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Sun, 30 Nov 2008 19:37:14 -0500
Subject: [Freeipa-devel] Freeipa and Kerberos
In-Reply-To: <4932EE14.4020805@redhat.com>
References: <4930AC70.7030607@uiuc.edu> <4932087C.3020201@redhat.com> <49323D37.4000208@uiuc.edu> <4932EE14.4020805@redhat.com>
Message-ID: <1228091834.2081.26.camel@localhost.localdomain>

On Sun, 2008-11-30 at 12:48 -0700, Jason Gerard DeRose wrote:
> One other thing: because our production version always runs behind
> Apache, we send the Kerberos ticket in the HTTP headers (which is what
> mod_auth_kerb expects). But if you aren't planning to run behind Apache,
> it will probably be more convenient for you (and for the consumers of
> your XML-RPC API) to send the Kerberos ticket as an XML-RPC argument
> (say the first argument).

We perform Kerberos authentication in Apache using RFC 4559 (IIRC).
Any implementation that wants to easily interoperate should do the same.
Besides, letting others do all the challenge response stuff for you is much easier.

That said, PyKerberos (found as python-kerberos in Fedora) should be easy enough to use for an RFC 4559 style implementation, as that's what Apple built this module for afaik.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Mon Dec 1 16:01:19 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 01 Dec 2008 11:01:19 -0500
Subject: [Freeipa-devel] [PATCH] tool to enable/disable the schema compat plugin
Message-ID: <1228147279.2081.32.camel@localhost.localdomain>

This patch also avoids enabling the plugin by default at install/upgrade time. Interested admins will need to enable the plugin using this tool on each server they want to have it working on.
It is not necessary to have it running on all servers, just the ones that serve clients that need it.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-tool-to-enable-or-disable-the-schema-compatibili.patch Type: application/mbox Size: 11431 bytes Desc: not available URL: From nkinder at redhat.com Mon Dec 1 17:04:18 2008 From: nkinder at redhat.com (Nathan Kinder) Date: Mon, 01 Dec 2008 09:04:18 -0800 Subject: [Freeipa-devel] [PATCH] tool to enable/disable the schema compat plugin In-Reply-To: <1228147279.2081.32.camel@localhost.localdomain> References: <1228147279.2081.32.camel@localhost.localdomain> Message-ID: <49341912.6030400@redhat.com> Simo Sorce wrote: > This patch also avoids enabling the plugin by default at install/upgrade > time. Interested admins will need to enable the plugin using this tool > on each server they want to have it working on. > It is not necessary to have it running on all servers, just the ones > that serve clients that need is. > It might be nice to add some sort of failure message if ld.update() fails in the "enable" case. Other than that, it looks good. ack. > Simo. > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel From ssorce at redhat.com Mon Dec 1 17:34:33 2008 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 01 Dec 2008 12:34:33 -0500 Subject: [Freeipa-devel] [PATCH] tool to enable/disable the schema compat plugin In-Reply-To: <49341912.6030400@redhat.com> References: <1228147279.2081.32.camel@localhost.localdomain> <49341912.6030400@redhat.com> Message-ID: <1228152873.2081.35.camel@localhost.localdomain> On Mon, 2008-12-01 at 09:04 -0800, Nathan Kinder wrote: > Simo Sorce wrote: > > This patch also avoids enabling the plugin by default at install/upgrade > > time. Interested admins will need to enable the plugin using this tool > > on each server they want to have it working on. 
> > It is not necessary to have it running on all servers, just the ones > > that serve clients that need is. > > > It might be nice to add some sort of failure message if ld.update() > fails in the "enable" case. Other than that, it looks good. I think we would get a stack trace at the very least. Not sure we want to catch anything more. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Mon Dec 1 18:08:37 2008 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 01 Dec 2008 13:08:37 -0500 Subject: [Freeipa-devel] Make ipa-replica-manage init description match command logic In-Reply-To: <492C994C.6030301@redhat.com> References: <492C994C.6030301@redhat.com> Message-ID: <1228154917.2081.39.camel@localhost.localdomain> On Tue, 2008-11-25 at 16:33 -0800, Nathan Kinder wrote: > The usage message and the manpage for ipa-replica-manage init had the > logic reversed from the actual code with regards to which server the > tool is initializing. This just fixes the manpage and usage message. ack -- Simo Sorce * Red Hat, Inc * New York From dpal at redhat.com Mon Dec 1 20:09:15 2008 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 01 Dec 2008 15:09:15 -0500 Subject: [Freeipa-devel] New design page on the site. Message-ID: <4934446B.1020808@redhat.com> Hi, A new page was added to the freeIPA site. http://www.freeipa.org/page/Certificate_Management It is dedicated to the integration of the CA into IPA. It is a first draft and will be updated in upcoming week(s). Thank you Dmitri From ssorce at redhat.com Mon Dec 1 20:11:23 2008 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 01 Dec 2008 15:11:23 -0500 Subject: [Freeipa-devel] [PATCH] must have ca cert to create replicas Message-ID: <1228162283.2081.42.camel@localhost.localdomain> We need it anyway to be able to validate SSL connections between replicas. No reason to proceed otherwise, even if the CA is external. Simo. 
-- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Make-sure-the-CA-cert-is-copied-to-the-replica-fail.patch Type: application/mbox Size: 2710 bytes Desc: not available URL: From ssorce at redhat.com Mon Dec 1 20:40:04 2008 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 01 Dec 2008 15:40:04 -0500 Subject: [Freeipa-devel] [PATCH] ldap updates missing on replica creation Message-ID: <1228164004.2081.44.camel@localhost.localdomain> Fixes $subj -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Run-updates-on-the-replica-too-otherwise-changes-to.patch Type: application/mbox Size: 925 bytes Desc: not available URL: From rcritten at redhat.com Mon Dec 1 21:17:56 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 01 Dec 2008 16:17:56 -0500 Subject: [Freeipa-devel] [PATCH] ldap updates missing on replica creation In-Reply-To: <1228164004.2081.44.camel@localhost.localdomain> References: <1228164004.2081.44.camel@localhost.localdomain> Message-ID: <49345484.9050300@redhat.com> Simo Sorce wrote: > Fixes $subj > ack From dpal at redhat.com Mon Dec 1 21:41:57 2008 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 01 Dec 2008 16:41:57 -0500 Subject: [Freeipa-devel] New page has been created Message-ID: <49345A25.7030508@redhat.com> Hi, I created a new page with design proposal of the kerberos ticket renewal mechanism. Comments are welcome. 
http://www.freeipa.org/page/Automatic_Ticket_Renewal Thank you, Dmitri From nkinder at redhat.com Mon Dec 1 21:43:22 2008 From: nkinder at redhat.com (Nathan Kinder) Date: Mon, 01 Dec 2008 13:43:22 -0800 Subject: [Freeipa-devel] [PATCH] must have ca cert to create replicas In-Reply-To: <1228162283.2081.42.camel@localhost.localdomain> References: <1228162283.2081.42.camel@localhost.localdomain> Message-ID: <49345A7A.5050509@redhat.com> Simo Sorce wrote: > We need it anyway to be able to validate SSL connections between > replicas. No reason to proceed otherwise, even if the CA is external. > ack. > Simo. > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel From ssorce at redhat.com Mon Dec 1 22:24:21 2008 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 01 Dec 2008 17:24:21 -0500 Subject: [Freeipa-devel] Pushed patches Message-ID: <1228170261.2081.56.camel@localhost.localdomain> Pushed the following patches to both master and ipa-1-2 Corrected usage messages and manpage to match the logic... Fix typo, thanks to Michele for pointing it out Run updates on the replica too, otherwise changes to... Make sure the CA cert is copied to the replica, fail... Add tool to enable or disable the schema compatibility... -- Simo Sorce * Red Hat, Inc * New York From dpal at redhat.com Mon Dec 1 23:03:35 2008 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 01 Dec 2008 18:03:35 -0500 Subject: [Freeipa-devel] Services in IPA v1 and migration to v2 - update Message-ID: <49346D47.5080709@redhat.com> Hi, One of the things I was supposed to research is the current (v1) implementation of the services in the IPA and how we need to change the service object to allow certificate publishing. I talked to Rob about it. Current implementation for service uses just a kerberos schema. 
A service in the DS looks like this:

# host/vm225.gsslab.rdu.redhat.com@GSSLAB.RDU.REDHAT.COM, GSSLAB.RDU.REDHAT.COM, kerberos, gsslab.rdu.redhat.com
dn: krbprincipalname=host/vm225.gsslab.rdu.redhat.com@GSSLAB.RDU.REDHAT.COM,cn=GSSLAB.RDU.REDHAT.COM,cn=kerberos,dc=gsslab,dc=rdu,dc=redhat,dc=com
krbTicketFlags: 0
krbPrincipalName: host/vm225.gsslab.rdu.redhat.com@GSSLAB.RDU.REDHAT.COM
krbLastPwdChange: 20080505185058Z
krbExtraData:: AAISVx9Icm9vdC9hZG1pbkBHU1NMQUIuUkRVLlJFREhBVC5DT00A
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: krbTicketPolicyAux
objectClass: top
krbPasswordExpiration: 19700101000000Z

or like this:

# HTTP/vm225.gsslab.rdu.redhat.com@GSSLAB.RDU.REDHAT.COM, GSSLAB.RDU.REDHAT.COM, kerberos, gsslab.rdu.redhat.com
dn: krbprincipalname=HTTP/vm225.gsslab.rdu.redhat.com@GSSLAB.RDU.REDHAT.COM,cn=GSSLAB.RDU.REDHAT.COM,cn=kerberos,dc=gsslab,dc=rdu,dc=redhat,dc=com
krbTicketFlags: 0
krbPrincipalName: HTTP/vm225.gsslab.rdu.redhat.com@GSSLAB.RDU.REDHAT.COM
krbLastPwdChange: 20080505185102Z
krbExtraData:: AAIWVx9Icm9vdC9hZG1pbkBHU1NMQUIuUkRVLlJFREhBVC5DT00A
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: krbTicketPolicyAux
objectClass: top
krbPasswordExpiration: 19700101000000Z

To be able to publish certs into the service entry we need to have both the kerberos attributes and the attributes defined in the pkiUser object class (RFC 4523):

( 2.5.6.21 NAME 'pkiUser' DESC 'X.509 PKI User' SUP top AUXILIARY MAY userCertificate )

In IPA v1, when the entry is created it does not have any kerberos key material until the ipa-getkeytab utility is used to generate a keytab for the service.

It seems that it would be a simple migration task to apply the pkiUser object class to all entries in the services hive of the tree. This would allow later publishing a certificate into a service if needed.
The management of the services would have to be changed to also apply the pkiUser object class when the service entry is created via UI or CLI.

If there are no objections or comments I will add this information to the design page that talks about services.

Thanks
Dmitri

From dpal at redhat.com Mon Dec 1 23:50:32 2008
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 01 Dec 2008 18:50:32 -0500
Subject: [Freeipa-devel] Who can make the CA requests
Message-ID: <49347848.4050304@redhat.com>

Hi,

We are building the integration of the CA into the IPA. The CA will be silently installed together with IPA. The CA will have access to the IPA's DS and will use it as its own back end storage. The interaction with the CA will be done via an RA (Registration Authority). The RA will have a secure connection to the CA.

There are several operations that can be performed against the CA. Among them:
a) Request a new certificate
b) Renew a certificate
c) Revoke a certificate
d) Check the status of the request
(may be others, Andrew please confirm)

The CA will perform whatever action the RA has requested in v2. There is no CA management interface planned. Also there is no plan for an approval process in v2. If the request is made through the RA to the CA it will be trusted and executed.

These limitations create a requirement to validate user permissions before passing a request to the RA in the XML-RPC back end. Since there would be no other way to call the RA and thus get access to the CA, implementing the access control enforcement point in the XML-RPC back end management plugin will be sufficient. The XML-RPC management plugin would have to check if the current user who runs the session is authorized to access the RA and make calls to the CA.

There are different ways we can implement this access control enforcement check:

a) We can define a special group that can perform certificate operations and hard code it in the management plugin.
The management plugin will just check if the user is a member of the group and if he is it will proxy the request to the RA and thus to the CA. This approach is inflexible and not granular. Though it is simple it might not be acceptable for v2.

b) The approach can be improved by creating an entry in the cn=config area that would contain the name of the group instead of hard coding the name of the group in the plugin. We can add more granularity by having an attribute per operation, thus allowing granting different rights to different groups of people. This approach is generally better but still does not match the overall ACI based access control model used in IPA.

c) The ACI based approach can also be implemented in different ways. For example we can say that the operations mentioned above map in the following way to the DS permissions on an attribute:
* Request a new certificate - add an attribute
* Renew a certificate - update an attribute
* Revoke certificate - delete an attribute
* Check the status of the request - read an attribute

Using this approach we can define ACIs, for example, for the userCertificate attribute. When the user tries to ask for a new cert the management plugin will get the rights regarding the userCertificate attribute. If the current user is allowed to add the userCertificate attribute he will be allowed to request a new certificate via the RA. If he is allowed to edit the userCertificate attribute the user will be allowed to renew the cert, and so on. Such an approach will work for the special CA case but it is not generic.

d) If we want to make the solution more generic and be able to handle other cases in a pluggable way we would need to create a mapping between entry points advertised in the XML-RPC framework and some attributes. In most cases we do not need this since the XML-RPC call will deal with the DS entry and its rights will dictate what a user can do. But in the case where there is no actual direct DS modification happening we would need a mapping.
We can create a configuration object with a multi valued attribute. This attribute will contain a triplet:

entrypoint name; attribute; right

The XML-RPC framework will read this configuration entry at initialization and create an internal lookup table. For each XML-RPC entry it will do a lookup in this table before executing the entry. If there is no mapping then the entry will be executed. If the entry is mapped to some attribute and right, the framework will check (using the Get Effective Rights feature of the DS) if the user has the specified right against the specified attribute. If the user has the right, the entry point will be invoked; if not, an exception will be raised and the event will be logged.

This approach is generic and if implemented once inside the framework itself, there is no need to implement something like this for any other use case. It would be enough to just add an attribute with the mapping to the configuration entry. This will make the IPA management framework attractive for additional extensions.

Well, the generic approach is almost always more work. But it does not seem to be in this case and Jason most likely already thought about this issue.

Does everybody agree that the d) approach is the way to go?

Is userCertificate the right attribute to map the access control decision to when we need to do a cert operation? Maybe it would be better to define a new attribute per operation and map the operations to those "virtual" attributes (and object class) rather than real attributes that can be defined in an entry. This way we would be able to accomplish maximum granularity.

Any comments or suggestions are welcome!
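Option d) as a runnable sketch, added here as an illustration and not code from Dmitri's message or from FreeIPA: the triplet values are parsed into the lookup table once, the enforcement point consults it per call, and the Get Effective Rights query is an injected callable (a constructed stand-in below) returning 389-DS style attributeLevelRights strings. The right-name to letter mapping, the entry point names and the DNs are assumptions.

```python
import logging

log = logging.getLogger("xmlrpc.acl")


class AccessDenied(Exception):
    """Raised when a mapped entry point is called without the required right."""


# Assumed translation of the right names used in the mapping to the letters
# 389-DS reports in attributeLevelRights ('w' covers add and modify, 'o' delete).
RIGHT_LETTERS = {"read": "r", "add": "w", "write": "w", "delete": "o"}

# Constructed sample of the multi-valued configuration attribute; each value
# is one "entrypoint name; attribute; right" triplet. Entry point names are assumed.
SAMPLE_MAPPING_VALUES = [
    "cert_request; userCertificate; add",
    "cert_renew; userCertificate; write",
    "cert_revoke; userCertificate; delete",
    "cert_status; userCertificate; read",
]


def parse_mapping(values):
    """Build the lookup table {entrypoint: (attribute, right)} once, at init time."""
    table = {}
    for raw in values:
        parts = [p.strip() for p in raw.split(";")]
        if len(parts) != 3 or not all(parts):
            raise ValueError("malformed mapping value: %r" % raw)
        entrypoint, attribute, right = parts
        if right not in RIGHT_LETTERS:
            raise ValueError("unknown right %r in %r" % (right, raw))
        table[entrypoint] = (attribute, right)
    return table


def parse_attribute_rights(ger_values):
    """Parse attributeLevelRights values such as 'cn:rsc, userCertificate:rscwo'
    into {attribute (lower-cased): set of right letters}."""
    rights = {}
    for value in ger_values:
        for item in value.split(","):
            item = item.strip()
            if not item:
                continue
            attribute, _, letters = item.partition(":")
            rights.setdefault(attribute.strip().lower(), set()).update(letters.strip())
    return rights


def is_allowed(table, entrypoint, get_effective_rights, user_dn, target_dn):
    """Unmapped entry points run unchecked; a mapped one needs the configured
    right on the configured attribute as the directory reports it for user_dn."""
    if entrypoint not in table:
        return True
    attribute, right = table[entrypoint]
    reported = parse_attribute_rights(get_effective_rights(user_dn, target_dn, attribute))
    return RIGHT_LETTERS[right] in reported.get(attribute.lower(), set())


def dispatch(table, entrypoint, handler, get_effective_rights, user_dn, target_dn, *args):
    """The enforcement point: refuse and log on a failed check, else invoke the handler."""
    if not is_allowed(table, entrypoint, get_effective_rights, user_dn, target_dn):
        log.warning("denied %s for %s on %s", entrypoint, user_dn, target_dn)
        raise AccessDenied("%s is not permitted for %s" % (entrypoint, user_dn))
    return handler(*args)


# Constructed stand-in for the Get Effective Rights query: what the directory
# would report for each user on the service entry. A real backend sends the
# GER control with the user's DN and reads attributeLevelRights from the result.
CERTADMIN_DN = "uid=certadmin,cn=users,cn=accounts,dc=example,dc=com"
HELPDESK_DN = "uid=helpdesk,cn=users,cn=accounts,dc=example,dc=com"
SERVICE_DN = ("krbprincipalname=HTTP/web.example.com@EXAMPLE.COM,"
              "cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com")
FAKE_GER_ANSWERS = {
    CERTADMIN_DN: ["userCertificate:rscwo"],   # may add, modify and delete
    HELPDESK_DN: ["userCertificate:rsc"],      # read-only
}


def fake_get_effective_rights(user_dn, target_dn, attribute):
    # Unknown users get the attribute listed with no rights at all.
    return FAKE_GER_ANSWERS.get(user_dn, ["%s:" % attribute])


MAPPING_TABLE = parse_mapping(SAMPLE_MAPPING_VALUES)


def decide(entrypoint, user_dn):
    """True if user_dn may invoke entrypoint against the sample service entry."""
    return is_allowed(MAPPING_TABLE, entrypoint, fake_get_effective_rights, user_dn, SERVICE_DN)


def run_call(entrypoint, user_dn, *args):
    """Dispatch through the enforcement point; the handler just echoes its input."""
    handler = lambda *a: ("ok", entrypoint, a)
    return dispatch(MAPPING_TABLE, entrypoint, handler, fake_get_effective_rights,
                    user_dn, SERVICE_DN, *args)


def call_is_denied(entrypoint, user_dn):
    try:
        run_call(entrypoint, user_dn)
    except AccessDenied:
        return True
    return False
```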
Thank you, Dmitri From ssorce at redhat.com Tue Dec 2 15:38:17 2008 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 02 Dec 2008 10:38:17 -0500 Subject: [Freeipa-devel] [PATCH] man page for ipa-compat-manage Message-ID: <1228232297.2081.69.camel@localhost.localdomain> I forgot to add a man page for this new command, here it is. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Add-man-page-for-ipa-compat-manage.patch Type: application/mbox Size: 2345 bytes Desc: not available URL: From mnagy at redhat.com Tue Dec 2 16:46:53 2008 From: mnagy at redhat.com (Martin Nagy) Date: Tue, 2 Dec 2008 17:46:53 +0100 Subject: [Freeipa-devel] [PATCH] man page for ipa-compat-manage In-Reply-To: <1228232297.2081.69.camel@localhost.localdomain> References: <1228232297.2081.69.camel@localhost.localdomain> Message-ID: <20081202174653.3a3362dd@wolverine.englab.brq.redhat.com> On Tue, 02 Dec 2008 10:38:17 -0500, Simo Sorce wrote: > +Run the command with the \fBdisable\fR option to enable the compat You probably meant '..option to disable the..' on this line. > plugin. + > +In both cases the user will be prompted to provide the Directory > Manager's password unless option \fB\-y\fR is used. + > +Directory manager will need to be restarted after the schema > compatibility plugin has been enabled. + > +.SH "OPTIONS" > +.TP > +\fB\-d\fR, \fB\-\-debug\fR > +Enable debug logging when more verbose output is needed > +.TP > +\fB\-y\fR Can you list the argument (file) here? Other than that, ack. 
Martin From rcritten at redhat.com Tue Dec 2 16:47:53 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 02 Dec 2008 11:47:53 -0500 Subject: [Freeipa-devel] [PATCH] man page for ipa-compat-manage In-Reply-To: <1228232297.2081.69.camel@localhost.localdomain> References: <1228232297.2081.69.camel@localhost.localdomain> Message-ID: <493566B9.3040008@redhat.com> Simo Sorce wrote: > I forgot to add a man page for this new command, here it is. > > Simo. I'm not sure if we should include slapi-nis in the man page. That is the package that provides the capability but the plugin is actually schemacompat-plugin. The disable description is swapped, it says use disable to enable the plugin. The DS will need to be restarted whenever the plugin state is changed. You also need to update ipa-server.spec.in to include the man page. rob From ssorce at redhat.com Tue Dec 2 20:15:34 2008 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 02 Dec 2008 15:15:34 -0500 Subject: [Freeipa-devel] [PATCH] fix makefiles Message-ID: <1228248934.2081.77.camel@localhost.localdomain> -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Fix-makefiles-after-schema-compat-changes.patch Type: application/mbox Size: 1649 bytes Desc: not available URL: From nkinder at redhat.com Tue Dec 2 20:23:29 2008 From: nkinder at redhat.com (Nathan Kinder) Date: Tue, 02 Dec 2008 12:23:29 -0800 Subject: [Freeipa-devel] [PATCH] fix makefiles In-Reply-To: <1228248934.2081.77.camel@localhost.localdomain> References: <1228248934.2081.77.camel@localhost.localdomain> Message-ID: <49359941.7010103@redhat.com> ack. 
Simo Sorce wrote: > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel From ssorce at redhat.com Tue Dec 2 20:31:51 2008 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 02 Dec 2008 15:31:51 -0500 Subject: [Freeipa-devel] [PATCH] man page for ipa-compat-manage In-Reply-To: <493566B9.3040008@redhat.com> References: <1228232297.2081.69.camel@localhost.localdomain> <493566B9.3040008@redhat.com> Message-ID: <1228249911.2081.80.camel@localhost.localdomain> On Tue, 2008-12-02 at 11:47 -0500, Rob Crittenden wrote: > Simo Sorce wrote: > > I forgot to add a man page for this new command, here it is. > > > > Simo. > > I'm not sure if we should include slapi-nis in the man page. That is the > package that provides the capability but the plugin is actually > schemacompat-plugin. Ok I will change that. > The disable description is swapped, it says use disable to enable the > plugin. Yeah Mnagy also pointed that out, fixin ... > The DS will need to be restarted whenever the plugin state is changed. I actually tested that as soon as you remove the entries, any search for cn=compat returns nothing. > You also need to update ipa-server.spec.in to include the man page. Right. Simo. 
-- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Dec 2 20:33:40 2008 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 02 Dec 2008 15:33:40 -0500 Subject: [Freeipa-devel] [PATCH] man page for ipa-compat-manage In-Reply-To: <20081202174653.3a3362dd@wolverine.englab.brq.redhat.com> References: <1228232297.2081.69.camel@localhost.localdomain> <20081202174653.3a3362dd@wolverine.englab.brq.redhat.com> Message-ID: <1228250020.2081.82.camel@localhost.localdomain> On Tue, 2008-12-02 at 17:46 +0100, Martin Nagy wrote: > On Tue, 02 Dec 2008 10:38:17 -0500, Simo Sorce > wrote: > > > +Run the command with the \fBdisable\fR option to enable the compat > You probably meant '..option to disable the..' on this line. > > > plugin. + > > +In both cases the user will be prompted to provide the Directory > > Manager's password unless option \fB\-y\fR is used. + > > +Directory manager will need to be restarted after the schema > > compatibility plugin has been enabled. + > > +.SH "OPTIONS" > > +.TP > > +\fB\-d\fR, \fB\-\-debug\fR > > +Enable debug logging when more verbose output is needed > > +.TP > > +\fB\-y\fR > Can you list the argument (file) here? There is no file argument. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Dec 2 20:35:12 2008 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 02 Dec 2008 15:35:12 -0500 Subject: [Freeipa-devel] [PATCH] man page for ipa-compat-manage In-Reply-To: <1228250020.2081.82.camel@localhost.localdomain> References: <1228232297.2081.69.camel@localhost.localdomain> <20081202174653.3a3362dd@wolverine.englab.brq.redhat.com> <1228250020.2081.82.camel@localhost.localdomain> Message-ID: <1228250112.2081.84.camel@localhost.localdomain> On Tue, 2008-12-02 at 15:33 -0500, Simo Sorce wrote: > > There is no file argument. I take that back :-) Simo. 
-- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Dec 2 20:39:53 2008 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 02 Dec 2008 15:39:53 -0500 Subject: [Freeipa-devel] [PATCH] man page for ipa-compat-manage In-Reply-To: <1228249911.2081.80.camel@localhost.localdomain> References: <1228232297.2081.69.camel@localhost.localdomain> <493566B9.3040008@redhat.com> <1228249911.2081.80.camel@localhost.localdomain> Message-ID: <1228250393.2081.86.camel@localhost.localdomain> On Tue, 2008-12-02 at 15:31 -0500, Simo Sorce wrote: > On Tue, 2008-12-02 at 11:47 -0500, Rob Crittenden wrote: > > Simo Sorce wrote: > > > I forgot to add a man page for this new command, here it is. > > > > > > Simo. > > > > I'm not sure if we should include slapi-nis in the man page. That is the > > package that provides the capability but the plugin is actually > > schemacompat-plugin. > > Ok I will change that. > > > The disable description is swapped, it says use disable to enable the > > plugin. > > Yeah Mnagy also pointed that out, fixin ... > > > The DS will need to be restarted whenever the plugin state is changed. > > I actually tested that as soon as you remove the entries, any search for > cn=compat returns nothing. > > > You also need to update ipa-server.spec.in to include the man page. > > Right. Ok new patch attached. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... 
Name: 0001-Add-man-page-for-ipa-compat-manage.patch Type: application/mbox Size: 3086 bytes Desc: not available URL: From ssorce at redhat.com Tue Dec 2 21:25:38 2008 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 02 Dec 2008 16:25:38 -0500 Subject: [Freeipa-devel] [PATCH] man page for ipa-compat-manage In-Reply-To: <1228250393.2081.86.camel@localhost.localdomain> References: <1228232297.2081.69.camel@localhost.localdomain> <493566B9.3040008@redhat.com> <1228249911.2081.80.camel@localhost.localdomain> <1228250393.2081.86.camel@localhost.localdomain> Message-ID: <1228253138.2081.98.camel@localhost.localdomain> On Tue, 2008-12-02 at 15:39 -0500, Simo Sorce wrote: > On Tue, 2008-12-02 at 15:31 -0500, Simo Sorce wrote: > > On Tue, 2008-12-02 at 11:47 -0500, Rob Crittenden wrote: > > > Simo Sorce wrote: > > > > I forgot to add a man page for this new command, here it is. > > > > > > > > Simo. > > > > > > I'm not sure if we should include slapi-nis in the man page. That is the > > > package that provides the capability but the plugin is actually > > > schemacompat-plugin. > > > > Ok I will change that. > > > > > The disable description is swapped, it says use disable to enable the > > > plugin. > > > > Yeah Mnagy also pointed that out, fixin ... > > > > > The DS will need to be restarted whenever the plugin state is changed. > > > > I actually tested that as soon as you remove the entries, any search for > > cn=compat returns nothing. > > > > > You also need to update ipa-server.spec.in to include the man page. > > > > Right. > > Ok new patch attached. Three respins for a manpage ... I knew I shouldn't have written it :-) New and hopefully latest version: s/Directory Manager/Directory Server/ change bold 'filename' to underlined 'file' Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... 
Name: 0001-Add-man-page-for-ipa-compat-manage.patch Type: application/mbox Size: 3081 bytes Desc: not available URL: From mnagy at redhat.com Tue Dec 2 21:28:34 2008 From: mnagy at redhat.com (Martin Nagy) Date: Tue, 2 Dec 2008 22:28:34 +0100 Subject: [Freeipa-devel] [PATCH] man page for ipa-compat-manage In-Reply-To: <1228253138.2081.98.camel@localhost.localdomain> References: <1228232297.2081.69.camel@localhost.localdomain> <493566B9.3040008@redhat.com> <1228249911.2081.80.camel@localhost.localdomain> <1228250393.2081.86.camel@localhost.localdomain> <1228253138.2081.98.camel@localhost.localdomain> Message-ID: <20081202222834.0ebc3067@notas> Simo Sorce wrote: > On Tue, 2008-12-02 at 15:39 -0500, Simo Sorce wrote: > > On Tue, 2008-12-02 at 15:31 -0500, Simo Sorce wrote: > > > On Tue, 2008-12-02 at 11:47 -0500, Rob Crittenden wrote: > > > > Simo Sorce wrote: > > > > > I forgot to add a man page for this new command, here it is. > > > > > > > > > > Simo. > > > > > > > > I'm not sure if we should include slapi-nis in the man page. > > > > That is the package that provides the capability but the plugin > > > > is actually schemacompat-plugin. > > > > > > Ok I will change that. > > > > > > > The disable description is swapped, it says use disable to > > > > enable the plugin. > > > > > > Yeah Mnagy also pointed that out, fixin ... > > > > > > > The DS will need to be restarted whenever the plugin state is > > > > changed. > > > > > > I actually tested that as soon as you remove the entries, any > > > search for cn=compat returns nothing. > > > > > > > You also need to update ipa-server.spec.in to include the man > > > > page. > > > > > > Right. > > > > Ok new patch attached. > > Three respins for a manpage ... > I knew I shouldn't have written it :-) > > New and hopefully latest version: > s/Directory Manager/Directory Server/ > change bold 'filename' to underlined 'file' > > Simo. 
ack From ssorce at redhat.com Tue Dec 2 22:38:32 2008 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 02 Dec 2008 17:38:32 -0500 Subject: [Freeipa-devel] [PATCH] man page for ipa-compat-manage In-Reply-To: <20081202222834.0ebc3067@notas> References: <1228232297.2081.69.camel@localhost.localdomain> <493566B9.3040008@redhat.com> <1228249911.2081.80.camel@localhost.localdomain> <1228250393.2081.86.camel@localhost.localdomain> <1228253138.2081.98.camel@localhost.localdomain> <20081202222834.0ebc3067@notas> Message-ID: <1228257512.2081.112.camel@localhost.localdomain> On Tue, 2008-12-02 at 22:28 +0100, Martin Nagy wrote: > > ack pushed to master and ipa-1-2 -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Dec 2 22:38:52 2008 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 02 Dec 2008 17:38:52 -0500 Subject: [Freeipa-devel] [PATCH] fix makefiles In-Reply-To: <49359941.7010103@redhat.com> References: <1228248934.2081.77.camel@localhost.localdomain> <49359941.7010103@redhat.com> Message-ID: <1228257532.2081.114.camel@localhost.localdomain> On Tue, 2008-12-02 at 12:23 -0800, Nathan Kinder wrote: > ack. pushed to master and ipa-1-2 -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Dec 2 22:40:32 2008 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 02 Dec 2008 17:40:32 -0500 Subject: [Freeipa-devel] [PATCH] add index for memberuid Message-ID: <1228257632.2081.116.camel@localhost.localdomain> -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... 
Name: 0001-Adding-an-index-for-memberuid.patch Type: application/mbox Size: 1505 bytes Desc: not available URL: From nkinder at redhat.com Tue Dec 2 23:46:45 2008 From: nkinder at redhat.com (Nathan Kinder) Date: Tue, 02 Dec 2008 15:46:45 -0800 Subject: [Freeipa-devel] [PATCH] add index for memberuid In-Reply-To: <1228257632.2081.116.camel@localhost.localdomain> References: <1228257632.2081.116.camel@localhost.localdomain> Message-ID: <4935C8E5.4040804@redhat.com> Ack. Don't forget to update the .spec file with the new indices.update file in the %files section. Simo Sorce wrote: > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel From ssorce at redhat.com Wed Dec 3 00:19:47 2008 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 02 Dec 2008 19:19:47 -0500 Subject: [Freeipa-devel] [PATCH] add index for memberuid In-Reply-To: <4935C8E5.4040804@redhat.com> References: <1228257632.2081.116.camel@localhost.localdomain> <4935C8E5.4040804@redhat.com> Message-ID: <1228263587.2081.121.camel@localhost.localdomain> On Tue, 2008-12-02 at 15:46 -0800, Nathan Kinder wrote: > Ack. Don't forget to update the .spec file with the new indices.update > file in the %files section. Didn't, the spec has a glorious updates/* :-) Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Wed Dec 3 00:31:40 2008 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 02 Dec 2008 19:31:40 -0500 Subject: [Freeipa-devel] [PATCH] add index for memberuid In-Reply-To: <4935C8E5.4040804@redhat.com> References: <1228257632.2081.116.camel@localhost.localdomain> <4935C8E5.4040804@redhat.com> Message-ID: <1228264300.2081.129.camel@localhost.localdomain> On Tue, 2008-12-02 at 15:46 -0800, Nathan Kinder wrote: > Ack. 
Don't forget to update the .spec file with the new > indices.update > file in the %files section. pushed -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Wed Dec 3 14:12:30 2008 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 03 Dec 2008 09:12:30 -0500 Subject: [Freeipa-devel] [PATCH] fix syntax for older versions of python Message-ID: <1228313550.2081.133.camel@localhost.localdomain> make it work with python 2.4 too add some error checking for LDAPError errors. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Change-ipa-compat-manage-to-work-on-older-python-ver.patch Type: application/mbox Size: 4873 bytes Desc: not available URL: From rcritten at redhat.com Wed Dec 3 15:54:03 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 03 Dec 2008 10:54:03 -0500 Subject: [Freeipa-devel] [PATCH] fix syntax for older versions of python In-Reply-To: <1228313550.2081.133.camel@localhost.localdomain> References: <1228313550.2081.133.camel@localhost.localdomain> Message-ID: <4936AB9B.6080100@redhat.com> Simo Sorce wrote: > make it work with python 2.4 too > add some error checking for LDAPError errors. > > Simo. ack From ssorce at redhat.com Wed Dec 3 16:20:22 2008 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 03 Dec 2008 11:20:22 -0500 Subject: [Freeipa-devel] [PATCH] fix syntax for older versions of python In-Reply-To: <4936AB9B.6080100@redhat.com> References: <1228313550.2081.133.camel@localhost.localdomain> <4936AB9B.6080100@redhat.com> Message-ID: <1228321222.2188.2.camel@localhost.localdomain> On Wed, 2008-12-03 at 10:54 -0500, Rob Crittenden wrote: > Simo Sorce wrote: > > make it work with python 2.4 too > > add some error checking for LDAPError errors. > > > > Simo. > > ack thanks pushed, together wityh a oneliner for ipa-server.spec.in and a version bump for ipa-1-2 Simo. 
-- Simo Sorce * Red Hat, Inc * New York From mendbayar_b at mongol.net Thu Dec 4 07:57:09 2008 From: mendbayar_b at mongol.net (Byambaa Mendbayar) Date: Thu, 04 Dec 2008 15:57:09 +0800 Subject: [Freeipa-devel] kinit problem Message-ID: <1228377429.3467.9.camel@mobile-workstation.site> Dear Rob and all, I have trouble getting a ticket from my freeIPA server. My console output is the following: -------------------------------------------------------------- bmendbayar at mobile-workstation:~> kinit admin Password for admin at RMWG.MN: Password expired. You must change it now. Enter new password: Enter it again: kinit(v5): Cannot contact any KDC for requested realm while getting initial credentials bmendbayar at mobile-workstation:~> -------------------------------------------------------------- I have also attached the krb5kdc.log file for investigation purposes. What's wrong with my situation? Thanks and regards, B.Mendbayar From mnagy at redhat.com Thu Dec 4 08:46:50 2008 From: mnagy at redhat.com (Martin Nagy) Date: Thu, 4 Dec 2008 09:46:50 +0100 Subject: [Freeipa-devel] kinit problem In-Reply-To: <1228377429.3467.9.camel@mobile-workstation.site> References: <1228377429.3467.9.camel@mobile-workstation.site> Message-ID: <20081204094650.21f1d170@notas> Hi, Byambaa Mendbayar wrote: > I have also attached the krb5kdc.log file for investigation purposes. > > What's wrong with my situation? You forgot to attach it. Martin From mendbayar_b at e-map.mn Thu Dec 4 07:54:14 2008 From: mendbayar_b at e-map.mn (Byambaa Mendbayar) Date: Thu, 04 Dec 2008 15:54:14 +0800 Subject: [Freeipa-devel] kinit problem Message-ID: <1228377254.3467.8.camel@mobile-workstation.site> Dear Rob and all, I have trouble getting a ticket from my freeIPA server. My console output is the following: -------------------------------------------------------------- bmendbayar at mobile-workstation:~> kinit admin Password for admin at RMWG.MN: Password expired. You must change it now.
Enter new password: Enter it again: kinit(v5): Cannot contact any KDC for requested realm while getting initial credentials bmendbayar at mobile-workstation:~> -------------------------------------------------------------- I have also attached the krb5kdc.log file for investigation purposes. What's wrong with my situation? Thanks and regards, B.Mendbayar -------------- next part -------------- A non-text attachment was scrubbed... Name: krb5kdc.log Type: text/x-log Size: 1143 bytes Desc: not available URL: From ssorce at redhat.com Thu Dec 4 15:40:46 2008 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 04 Dec 2008 10:40:46 -0500 Subject: [Freeipa-devel] kinit problem In-Reply-To: <1228377429.3467.9.camel@mobile-workstation.site> References: <1228377429.3467.9.camel@mobile-workstation.site> Message-ID: <1228405246.31951.2.camel@localhost.localdomain> On Thu, 2008-12-04 at 15:57 +0800, Byambaa Mendbayar wrote: > Dear Rob and all, > > I have trouble getting a ticket from my freeIPA server. My console output > is the following: > > -------------------------------------------------------------- > bmendbayar at mobile-workstation:~> kinit admin > Password for admin at RMWG.MN: > Password expired. You must change it now. > Enter new password: > Enter it again: > kinit(v5): Cannot contact any KDC for requested realm while getting > initial credentials > bmendbayar at mobile-workstation:~> > -------------------------------------------------------------- Usually this error means that your ipa_kpasswd daemon is not running or is having problems. > I have also attached the krb5kdc.log file for investigation purposes. The krb5kdc.log may indeed help, but you didn't attach it. Simo.
-- Simo Sorce * Red Hat, Inc * New York From mendbayar_b at mongol.net Fri Dec 5 08:46:01 2008 From: mendbayar_b at mongol.net (Byambaa Mendbayar) Date: Fri, 05 Dec 2008 16:46:01 +0800 Subject: [Freeipa-devel] kinit problem In-Reply-To: <20081204094650.21f1d170@notas> References: <1228377429.3467.9.camel@mobile-workstation.site> <20081204094650.21f1d170@notas> Message-ID: <1228466761.3560.4.camel@mobile-workstation.site> Hello Martin, Thanks for the reply. Sorry, I forgot to attach the log file. Now I have attached it to this email. With best regards, B.Mendbayar On Thu, 2008-12-04 at 09:46 +0100, Martin Nagy wrote: > Hi, > > Byambaa Mendbayar wrote: > > I have also attached the krb5kdc.log file for investigation purposes. > > > > What's wrong with my situation? > > You forgot to attach it. > > Martin > > -------------- next part -------------- A non-text attachment was scrubbed... Name: krb5kdc.log Type: text/x-log Size: 1143 bytes Desc: not available URL: From mendbayar_b at mongol.net Fri Dec 5 08:52:35 2008 From: mendbayar_b at mongol.net (Byambaa Mendbayar) Date: Fri, 05 Dec 2008 16:52:35 +0800 Subject: [Freeipa-devel] kinit problem In-Reply-To: <1228405246.31951.2.camel@localhost.localdomain> References: <1228377429.3467.9.camel@mobile-workstation.site> <1228405246.31951.2.camel@localhost.localdomain> Message-ID: <1228467155.3560.9.camel@mobile-workstation.site> Dear Simo, Thanks for your reply. Sorry for the forgotten log file attachment. Please find it attached. I will check the ipa_kpasswd daemon status and inform you about it. Thanks and best regards, B. Mendbayar On Thu, 2008-12-04 at 10:40 -0500, Simo Sorce wrote: > On Thu, 2008-12-04 at 15:57 +0800, Byambaa Mendbayar wrote: > > Dear Rob and all, > > > > I have trouble getting a ticket from my freeIPA server. My console output > > is the following: > > > > -------------------------------------------------------------- > > bmendbayar at mobile-workstation:~> kinit admin > > Password for admin at RMWG.MN: > > Password expired.
You must change it now. > > Enter new password: > > Enter it again: > > kinit(v5): Cannot contact any KDC for requested realm while getting > > initial credentials > > bmendbayar at mobile-workstation:~> > > -------------------------------------------------------------- > > Usually this error means that your ipa_kpasswd daemon is not running or > is having problems. > > > I have also attached the krb5kdc.log file for investigation purposes. > > The krb5kdc.log may indeed help, but you didn't attach it. > > Simo. > -------------- next part -------------- A non-text attachment was scrubbed... Name: krb5kdc.log Type: text/x-log Size: 1143 bytes Desc: not available URL: From ssorce at redhat.com Fri Dec 5 14:59:24 2008 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 05 Dec 2008 14:59:24 +0000 Subject: [Freeipa-devel] [PATCH] fix ipa-compat-manage and ipa-ldap-updater Message-ID: <1228489164.31951.17.camel@localhost.localdomain> -y options produces a stack trace, this fixes it. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-read_file-was-a-remnant-of-the-conversion-of-ldapu.patch Type: application/mbox Size: 1370 bytes Desc: not available URL: From ssorce at redhat.com Fri Dec 5 15:00:39 2008 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 05 Dec 2008 10:00:39 -0500 Subject: [Freeipa-devel] [PATCH] re-add indexing for memberof Message-ID: <1228489239.31951.20.camel@localhost.localdomain> So that freeipa can be installed against older versions of fds in case someone wants to do it. The add of the memberof index becomes conditional, it is performed only if the index is not already there. Simo.
-- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Fri Dec 5 15:10:55 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 05 Dec 2008 10:10:55 -0500 Subject: [Freeipa-devel] [PATCH] fix ipa-compat-manage and ipa-ldap-updater In-Reply-To: <1228489164.31951.17.camel@localhost.localdomain> References: <1228489164.31951.17.camel@localhost.localdomain> Message-ID: <4939447F.8020901@redhat.com> Simo Sorce wrote: > -y options produces a stack trace, this fixes it. > > ack From ssorce at redhat.com Fri Dec 5 15:42:28 2008 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 05 Dec 2008 10:42:28 -0500 Subject: [Freeipa-devel] [PATCH] re-add indexing for memberof In-Reply-To: <1228489239.31951.20.camel@localhost.localdomain> References: <1228489239.31951.20.camel@localhost.localdomain> Message-ID: <1228491748.25085.0.camel@localhost.localdomain> With the patch this time On Fri, 2008-12-05 at 10:00 -0500, Simo Sorce wrote: > So that freeipa can be installed against older versions of fds in case > someone wants to do it. > The add of the memberof index becomes conditional, it is performed only > if the index is not already there. > > Simo. > -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... 
Name: 0001-memberof-was-not-indexed-in-older-versions-of-fedora.patch Type: application/mbox Size: 984 bytes Desc: not available URL: From rcritten at redhat.com Fri Dec 5 15:46:25 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 05 Dec 2008 10:46:25 -0500 Subject: [Freeipa-devel] [PATCH] re-add indexing for memberof In-Reply-To: <1228491748.25085.0.camel@localhost.localdomain> References: <1228489239.31951.20.camel@localhost.localdomain> <1228491748.25085.0.camel@localhost.localdomain> Message-ID: <49394CD1.2020707@redhat.com> Simo Sorce wrote: > With the patch this time > > On Fri, 2008-12-05 at 10:00 -0500, Simo Sorce wrote: >> So that freeipa can be installed against older versions of fds in case >> someone wants to do it. >> The add of the memberof index becomes conditional, it is performed only >> if the index is not already there. >> >> Simo. ack From ssorce at redhat.com Fri Dec 5 23:19:33 2008 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 05 Dec 2008 18:19:33 -0500 Subject: [Freeipa-devel] [PATCH] fix ipa-compat-manage and ipa-ldap-updater In-Reply-To: <4939447F.8020901@redhat.com> References: <1228489164.31951.17.camel@localhost.localdomain> <4939447F.8020901@redhat.com> Message-ID: <1228519173.25085.27.camel@localhost.localdomain> On Fri, 2008-12-05 at 10:10 -0500, Rob Crittenden wrote: > Simo Sorce wrote: > > -y options produces a stack trace, this fixes it. > > > > > > ack Bah, the patch had a bug. Here is a respin that works for passwords longer than 1 char :-) Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed...
Name: 0001-read_file-was-a-remnant-of-the-conversion-of-ldapu.patch Type: application/mbox Size: 1454 bytes Desc: not available URL: From ssorce at redhat.com Fri Dec 5 23:23:56 2008 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 05 Dec 2008 18:23:56 -0500 Subject: [Freeipa-devel] [PATCH] re-add indexing for memberof In-Reply-To: <49394CD1.2020707@redhat.com> References: <1228489239.31951.20.camel@localhost.localdomain> <1228491748.25085.0.camel@localhost.localdomain> <49394CD1.2020707@redhat.com> Message-ID: <1228519436.25085.29.camel@localhost.localdomain> On Fri, 2008-12-05 at 10:46 -0500, Rob Crittenden wrote: > Simo Sorce wrote: > > With the patch this time > > > > On Fri, 2008-12-05 at 10:00 -0500, Simo Sorce wrote: > >> So that freeipa can be installed against older versions of fds in case > >> someone wants to do it. > >> The add of the memberof index becomes conditional, it is performed only > >> if the index is not already there. > >> > >> Simo. > > ack pushed -- Simo Sorce * Red Hat, Inc * New York From mendbayar_b at e-map.mn Fri Dec 5 08:43:10 2008 From: mendbayar_b at e-map.mn (Byambaa Mendbayar) Date: Fri, 05 Dec 2008 16:43:10 +0800 Subject: [Freeipa-devel] [Fwd: kinit problem] Message-ID: <1228466590.3560.1.camel@mobile-workstation.site> -------- Forwarded Message -------- From: Byambaa Mendbayar Reply-To: mendbayar_b at mongol.net To: freeipa-devel at redhat.com Cc: rcritten at redhat.com Subject: kinit problem Date: Thu, 04 Dec 2008 15:57:10 +0800 Dear Rob and all, I have trouble getting a ticket from my freeIPA server. My console output is the following: -------------------------------------------------------------- bmendbayar at mobile-workstation:~> kinit admin Password for admin at RMWG.MN: Password expired. You must change it now.
Enter new password: Enter it again: kinit(v5): Cannot contact any KDC for requested realm while getting initial credentials bmendbayar at mobile-workstation:~> -------------------------------------------------------------- I have also attached the krb5kdc.log file for investigation purposes. What's wrong with my situation? Thanks and regards, B.Mendbayar -------------- next part -------------- A non-text attachment was scrubbed... Name: krb5kdc.log Type: text/x-log Size: 1143 bytes Desc: not available URL: From ssorce at redhat.com Sat Dec 6 17:55:58 2008 From: ssorce at redhat.com (Simo Sorce) Date: Sat, 06 Dec 2008 12:55:58 -0500 Subject: Automatic_Ticket_Renewal [was: [Freeipa-devel] New page has been created] In-Reply-To: <49345A25.7030508@redhat.com> References: <49345A25.7030508@redhat.com> Message-ID: <1228586158.25085.53.camel@localhost.localdomain> On Mon, 2008-12-01 at 16:41 -0500, Dmitri Pal wrote: > Hi, > > I created a new page with design proposal of the kerberos ticket renewal > mechanism. Comments are welcome. > http://www.freeipa.org/page/Automatic_Ticket_Renewal I have updated the page and changed the proposal a bit. It was necessary to account for a misunderstanding on how kerberos ticket renewal happens and the meaning of renewal age. It also needed some adjustments to the second approach because of a misunderstanding on how offline logins happen and what data is available on the client in that case. Simo. -- Simo Sorce * Red Hat, Inc * New York From dpal at redhat.com Mon Dec 8 05:54:21 2008 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 08 Dec 2008 00:54:21 -0500 Subject: [Freeipa-devel] Who can make the CA requests In-Reply-To: <49347848.4050304@redhat.com> References: <49347848.4050304@redhat.com> Message-ID: <493CB68D.809@redhat.com> Hi, Based on the feedback there is a new version of the CA integration design page http://www.freeipa.org/page/Certificate_Management.
Thank you Dmitri From sgallagh at redhat.com Mon Dec 8 14:54:57 2008 From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 08 Dec 2008 09:54:57 -0500 Subject: [Freeipa-devel] [PATCH] fix ipa-compat-manage and ipa-ldap-updater In-Reply-To: <1228519173.25085.27.camel@localhost.localdomain> References: <1228489164.31951.17.camel@localhost.localdomain> <4939447F.8020901@redhat.com> <1228519173.25085.27.camel@localhost.localdomain> Message-ID: <493D3541.6080205@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Simo Sorce wrote: > Bah, the patch had a bug. > Here is a respin that works for passwords longer than 1 char :-) > > Simo. ack - -- - -------------------- Stephen Gallagher RHCE 804006346421761 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkk9NUEACgkQeiVVYja6o6O4ugCbBDv8PNHUm7XFlC8CbSZxA8sg ElkAn2j7tM10XP+nGXlFvckPildB2a1s =XbHq -----END PGP SIGNATURE----- From rcritten at redhat.com Mon Dec 8 16:57:06 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 08 Dec 2008 11:57:06 -0500 Subject: [Freeipa-devel] [PATCH] switch to tempdir when calling certutil Message-ID: <493D51E2.40003@redhat.com> Change to a temporary directory when calling certutil. We already use this directory for some files but certutil creates its own temporary files in the current directory when issuing certificates. This lets us be more sure we are in a writable place (/var/lib/ipa). rob -------------- next part -------------- A non-text attachment was scrubbed...
Name: freeipa-107-cert.patch Type: text/x-patch Size: 1375 bytes Desc: not available URL: From ssorce at redhat.com Tue Dec 9 14:34:14 2008 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 09 Dec 2008 09:34:14 -0500 Subject: [Freeipa-devel] [PATCH] switch to tempdir when calling certutil In-Reply-To: <493D51E2.40003@redhat.com> References: <493D51E2.40003@redhat.com> Message-ID: <1228833254.8219.15.camel@localhost.localdomain> On Mon, 2008-12-08 at 11:57 -0500, Rob Crittenden wrote: > Change to a temporary directory when calling certutil. We already use > this directory for some files but certutil creates its own temporary > files in the current directory when issuing certificates. This lets us > be more sure we are in a writable place (/var/lib/ipa). ack -- Simo Sorce * Red Hat, Inc * New York From dpal at redhat.com Wed Dec 10 22:06:28 2008 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 10 Dec 2008 17:06:28 -0500 Subject: Automatic_Ticket_Renewal [was: [Freeipa-devel] New page has been created] In-Reply-To: <1228586158.25085.53.camel@localhost.localdomain> References: <49345A25.7030508@redhat.com> <1228586158.25085.53.camel@localhost.localdomain> Message-ID: <49403D64.6030901@redhat.com> Simo Sorce wrote: > On Mon, 2008-12-01 at 16:41 -0500, Dmitri Pal wrote: > >> Hi, >> >> I created a new page with design proposal of the kerberos ticket renewal >> mechanism. Comments are welcome. >> http://www.freeipa.org/page/Automatic_Ticket_Renewal >> > > I have updated the page and changed the proposal a bit. > It was necessary to account for a misunderstanding on how kerberos > ticket renewal happens and the meaning of renewal age. > It also needed some adjustments to the second approach because of a > misunderstanding on how offline logins happen and what data is > available on the client in that case. > > Simo. > > The page was modified to include a "Suggested Solution" section. This is what we plan to implement in v2.
Thanks Dmitri From pmyers at redhat.com Fri Dec 12 03:21:58 2008 From: pmyers at redhat.com (Perry Myers) Date: Thu, 11 Dec 2008 22:21:58 -0500 Subject: [Freeipa-devel] freeipa cmdline tools failing Message-ID: <4941D8D6.90905@redhat.com> Simo, Follow up from the conversation we were having today on IRC in #ovirt So it looks like update to python-kerberos package broke freeipa... If I downgrade to python-kerberos-1.0-6.fc9.x86_64.rpm I can do: > [root at management ~]# ipa-finduser foo > No entries found for foo But if I upgrade to python-kerberos-1.1-1.fc10.x86_64.rpm I get: > [root at management ~]# ipa-finduser foo > Did not receive Kerberos credentials. Not sure if this is a problem with freeipa or python-kerberos... Could be they changed something (it wasn't a major version upgrade, but it was a 1.0 to 1.1 so likely they changed some interface and freeipa needs to be updated to work properly with it) Or could be that python-kerberos has a bug in it. In any case, if you could look try to replicate this let me know what you find out. Thanks! Perry -- |=- Red Hat, Engineering, Emerging Technologies, Boston -=| |=- Email: pmyers at redhat.com -=| |=- Office: +1 412 474 3552 Mobile: +1 703 362 9622 -=| |=- GnuPG: E65E4F3D 88F9 F1C9 C2F3 1303 01FE 817C C5D2 8B91 E65E 4F3D -=| From jboggs at redhat.com Fri Dec 12 03:36:48 2008 From: jboggs at redhat.com (Joey Boggs) Date: Thu, 11 Dec 2008 22:36:48 -0500 Subject: [Freeipa-devel] Re: [Ovirt-devel] freeipa cmdline tools failing In-Reply-To: <4941D8D6.90905@redhat.com> References: <4941D8D6.90905@redhat.com> Message-ID: <4941DC50.7070704@redhat.com> I'm hitting the same error when running ipa-adduser for an oVirt installation and can replicate it easily, what info do you need? Perry Myers wrote: > Simo, > > Follow up from the conversation we were having today on IRC in #ovirt > > So it looks like update to python-kerberos package broke freeipa... 
> > If I downgrade to python-kerberos-1.0-6.fc9.x86_64.rpm I can do: > >> [root at management ~]# ipa-finduser foo >> No entries found for foo > > But if I upgrade to python-kerberos-1.1-1.fc10.x86_64.rpm I get: > >> [root at management ~]# ipa-finduser foo >> Did not receive Kerberos credentials. > > Not sure if this is a problem with freeipa or python-kerberos... > Could be they changed something (it wasn't a major version upgrade, > but it was a 1.0 to 1.1 so likely they changed some interface and > freeipa needs to be updated to work properly with it) > > Or could be that python-kerberos has a bug in it. > > In any case, if you could look try to replicate this let me know what > you find out. > > Thanks! > > Perry > From rcritten at redhat.com Fri Dec 12 05:09:07 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 12 Dec 2008 00:09:07 -0500 Subject: [Freeipa-devel] freeipa cmdline tools failing In-Reply-To: <4941D8D6.90905@redhat.com> References: <4941D8D6.90905@redhat.com> Message-ID: <4941F1F3.7050701@redhat.com> Perry Myers wrote: > Simo, > > Follow up from the conversation we were having today on IRC in #ovirt > > So it looks like update to python-kerberos package broke freeipa... > > If I downgrade to python-kerberos-1.0-6.fc9.x86_64.rpm I can do: > >> [root at management ~]# ipa-finduser foo >> No entries found for foo > > But if I upgrade to python-kerberos-1.1-1.fc10.x86_64.rpm I get: > >> [root at management ~]# ipa-finduser foo >> Did not receive Kerberos credentials. > > Not sure if this is a problem with freeipa or python-kerberos... Could > be they changed something (it wasn't a major version upgrade, but it was > a 1.0 to 1.1 so likely they changed some interface and freeipa needs to > be updated to work properly with it) > > Or could be that python-kerberos has a bug in it. > > In any case, if you could look try to replicate this let me know what > you find out. The problem is that PyKerberos doesn't support delegation. 
python-kerberos 1.0 had a patch which set the delegation flag on every request. A rather short-sighted fix, in retrospect. A slightly better fix, which will also require a change in freeipa, is attached. This adds an optional, unnamed argument to authGSSClientInit() to request delegation. The new call signature looks like: authGSSClientInit(service, False) The fix for freeipa is to add a second argument, True, to krbtransport.py, ~line 37. Should look something like this, minus proper spacing: rc, vc = kerberos.authGSSClientInit(service, True) I suppose the best solution is to provide a mechanism to set whatever flags one wants but my Python-to-C coding knowledge consists of about 10 minutes of reading the Python documentation so I'm not quite ready for that :-) This is briefly tested at best, so YMMV. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: delegate.patch Type: text/x-patch Size: 3517 bytes Desc: not available URL: From ssorce at redhat.com Fri Dec 12 06:12:59 2008 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 12 Dec 2008 01:12:59 -0500 Subject: [Freeipa-devel] freeipa cmdline tools failing In-Reply-To: <4941D8D6.90905@redhat.com> References: <4941D8D6.90905@redhat.com> Message-ID: <1229062379.10907.47.camel@localhost.localdomain> On Thu, 2008-12-11 at 22:21 -0500, Perry Myers wrote: > Simo, > > Follow up from the conversation we were having today on IRC in #ovirt > > So it looks like update to python-kerberos package broke freeipa... > > If I downgrade to python-kerberos-1.0-6.fc9.x86_64.rpm I can do: > > > [root at management ~]# ipa-finduser foo > > No entries found for foo > > But if I upgrade to python-kerberos-1.1-1.fc10.x86_64.rpm I get: > > > [root at management ~]# ipa-finduser foo > > Did not receive Kerberos credentials. > > Not sure if this is a problem with freeipa or python-kerberos... 
Could be > they changed something (it wasn't a major version upgrade, but it was a > 1.0 to 1.1 so likely they changed some interface and freeipa needs to be > updated to work properly with it) > > Or could be that python-kerberos has a bug in it. > > In any case, if you could look try to replicate this let me know what you > find out. Ah, haven't tested that yet, I thought mcepl built it only for rawhide. I will give it a look tomorrow. Simo. -- Simo Sorce * Red Hat, Inc * New York From dpal at redhat.com Fri Dec 12 22:33:14 2008 From: dpal at redhat.com (Dmitri Pal) Date: Fri, 12 Dec 2008 17:33:14 -0500 Subject: [Freeipa-devel] Who can make the CA requests In-Reply-To: <493CB68D.809@redhat.com> References: <49347848.4050304@redhat.com> <493CB68D.809@redhat.com> Message-ID: <4942E6AA.1020207@redhat.com> Dmitri Pal wrote: > Hi, > > Based on the feedback there is a new version of the CA integration > design page http://www.freeipa.org/page/Certificate_Management. > The page has been updated once more. The following changes have been made: a) We defer the server-side key generation use case b) We acknowledge that the command interfaces and python pluggable interface suggested are not complete. They do not take into account our plan to allow issuing certs to services rather than just to hosts c) The object class was turned to structural d) We will use the "member" attribute to point to the default group of users that can perform the certificate operations. It is by default listed as managed by the referential integrity plugin. We can also use "manager" or "owner". The manager attribute so far is not listed in the ref integrity plugin. Should it be? Is it a bug? e) We will use a special system account for the CA to connect to DS. Did I miss anything? The only open issue so far is to check the publishing and unpublishing of the certificates into a multi-valued attribute. Andrew, please perform these tests.
You can just use extensible object on any entry and try publishing and unpublishing a certificate. If you have any questions about schema please ask Nathan. Thank you Dmitri > Thank you > Dmitri > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel From ssorce at redhat.com Sat Dec 13 01:18:54 2008 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 12 Dec 2008 20:18:54 -0500 Subject: [Freeipa-devel] [PATCH] Enable the KDC to listen on TCP by default Message-ID: <1229131134.3687.44.camel@localhost.localdomain> Current default does not make the kdc listen on tcp, but we probably should. Only for new installs. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Make-KDC-listen-to-TCP-port-as-well-by-default.patch Type: application/mbox Size: 676 bytes Desc: not available URL: From sgallagh at redhat.com Mon Dec 15 13:41:27 2008 From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 15 Dec 2008 08:41:27 -0500 Subject: [Freeipa-devel] [PATCH] Enable the KDC to listen on TCP by default In-Reply-To: <1229131134.3687.44.camel@localhost.localdomain> References: <1229131134.3687.44.camel@localhost.localdomain> Message-ID: <49465E87.5090608@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Simo Sorce wrote: > Current default does not make the kdc listen on tcp, but we probably > should. > > Only for new installs. > > Simo. 
ack - -- - -------------------- Stephen Gallagher RHCE 804006346421761 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAklGXocACgkQeiVVYja6o6ORlwCgoNK714akTYt4TfwfRpvQuaV7 G2MAmwTnQF38KmMMniY1959pDvGJbtxs =HsT/ -----END PGP SIGNATURE----- From jboggs at redhat.com Mon Dec 15 18:12:54 2008 From: jboggs at redhat.com (Joey Boggs) Date: Mon, 15 Dec 2008 13:12:54 -0500 Subject: [Freeipa-devel] ipaMaxUsernameLength Message-ID: <49469E26.6040800@redhat.com> This script which used to work on ipa version 1.0 is now running into issues on 1.1, has the dn: changed for this modification, I can't seem to locate any documentation for ipaMaxUsernameLength ------------------ ldapmodify -h management.priv.ovirt.org -p 389 -Y GSSAPI <<LDAP dn: cn=ipaConfig,cn=etc,dc=priv,dc=ovirt,dc=org changetype: modify replace: ipaMaxUsernameLength ipaMaxUsernameLength: 12 LDAP ------------------ [root at management ~]# /bin/sh /usr/share/ace/modules/ovirt/files/ldapuserlength.sh SASL/GSSAPI authentication started SASL username: admin at PASSWORD SASL SSF: 56 SASL data security layer installed. modifying entry "cn=ipaConfig,cn=etc,dc=priv,dc=ovirt,dc=org" ldap_modify: No such object (32) From rcritten at redhat.com Mon Dec 15 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 15 Dec 2008 Subject: [Freeipa-devel] ipaMaxUsernameLength In-Reply-To: <49469E26.6040800@redhat.com> References: <49469E26.6040800@redhat.com> Message-ID: <4946A11F.8060003@redhat.com> Joey Boggs wrote: > This script which used to work on ipa version 1.0 is now running into > issues on 1.1, has the dn: changed for this modification, I can't seem > to locate any documentation for ipaMaxUsernameLength > > ------------------ > ldapmodify -h management.priv.ovirt.org -p 389 -Y GSSAPI <<LDAP > dn: cn=ipaConfig,cn=etc,dc=priv,dc=ovirt,dc=org > changetype: modify > replace: ipaMaxUsernameLength > ipaMaxUsernameLength: 12 > LDAP > ------------------ > > > [root at management ~]# /bin/sh > /usr/share/ace/modules/ovirt/files/ldapuserlength.sh > SASL/GSSAPI authentication started > SASL username: admin at PASSWORD > SASL SSF: 56 > SASL data security layer installed. > modifying entry "cn=ipaConfig,cn=etc,dc=priv,dc=ovirt,dc=org" > ldap_modify: No such object (32) Strange, that should work fine.
IPA now provides a command-line program that can do this: % ipa-defaultoptions --maxusername=12 rob From jboggs at redhat.com Mon Dec 15 18:30:35 2008 From: jboggs at redhat.com (Joey Boggs) Date: Mon, 15 Dec 2008 13:30:35 -0500 Subject: [Freeipa-devel] ipaMaxUsernameLength In-Reply-To: <4946A11F.8060003@redhat.com> References: <49469E26.6040800@redhat.com> <4946A11F.8060003@redhat.com> Message-ID: <4946A24B.8090207@redhat.com> The new option is even better Thanks, Joey Rob Crittenden wrote: > Joey Boggs wrote: >> This script which used to work on ipa version 1.0 is now running into >> issues on 1.1, has the dn: changed for this modification, I can't >> seem to locate any documentation for ipaMaxUsernameLength >> >> ------------------ >> ldapmodify -h management.priv.ovirt.org -p 389 -Y GSSAPI <<LDAP >> dn: cn=ipaConfig,cn=etc,dc=priv,dc=ovirt,dc=org >> changetype: modify >> replace: ipaMaxUsernameLength >> ipaMaxUsernameLength: 12 >> LDAP >> ------------------ >> >> >> [root at management ~]# /bin/sh >> /usr/share/ace/modules/ovirt/files/ldapuserlength.sh >> SASL/GSSAPI authentication started >> SASL username: admin at PASSWORD >> SASL SSF: 56 >> SASL data security layer installed. >> modifying entry "cn=ipaConfig,cn=etc,dc=priv,dc=ovirt,dc=org" >> ldap_modify: No such object (32) > > Strange, that should work fine. IPA now provides a command-line > program that can do this: > > % ipa-defaultoptions --maxusername=12 > > rob From mendbayar_b at mongol.net Wed Dec 17 09:27:30 2008 From: mendbayar_b at mongol.net (Byambaa Mendbayar) Date: Wed, 17 Dec 2008 17:27:30 +0800 Subject: [Freeipa-devel] kinit problem In-Reply-To: <1228405246.31951.2.camel@localhost.localdomain> References: <1228377429.3467.9.camel@mobile-workstation.site> <1228405246.31951.2.camel@localhost.localdomain> Message-ID: <1229506050.9033.9.camel@mobile-workstation.site> Dear Simo, I have checked the ipa_kpasswd daemon; it was running, but the krb5kdc daemon was stopped.
Then I started the krb5kdc daemon and I was still getting the previous error messages. After that I restarted the daemons in the following order: - /etc/init.d/krb5kdc restart - /etc/init.d/ipa_kpasswd restart Then the > kinit admin at RMWG.MN command worked fine. The krb5kdc daemon is not running when I restart my freeIPA server. Then I manually restart the above 2 daemons, and after that I can access my freeIPA server. Simo, what should I do to solve my problem completely? Thanks and best regards, B. Mendbayar On Thu, 2008-12-04 at 10:40 -0500, Simo Sorce wrote: > On Thu, 2008-12-04 at 15:57 +0800, Byambaa Mendbayar wrote: > > Dear Rob and all, > > > > I have trouble getting a ticket from my freeIPA server. My console output > > is the following: > > > > -------------------------------------------------------------- > > bmendbayar at mobile-workstation:~> kinit admin > > Password for admin at RMWG.MN: > > Password expired. You must change it now. > > Enter new password: > > Enter it again: > > kinit(v5): Cannot contact any KDC for requested realm while getting > > initial credentials > > bmendbayar at mobile-workstation:~> > > -------------------------------------------------------------- > > Usually this error means that your ipa_kpasswd daemon is not running or > is having problems. > > > I have also attached the krb5kdc.log file for investigation purposes. > > The krb5kdc.log may indeed help, but you didn't attach it. > > Simo. > From freeipa at olo.org.pl Wed Dec 17 11:33:28 2008 From: freeipa at olo.org.pl (Aleksander Adamowski) Date: Wed, 17 Dec 2008 12:33:28 +0100 Subject: [Freeipa-devel] [PATCH] A script to register Fedora Directory Admin Server with a FreeIPA-created Directory Server instance Message-ID: <1c690d740812170333o2ebd2725v5d2ba431856cd48b@mail.gmail.com> Hi! I've played around with the latest FreeIPA server (1.2.1) and wanted a comfortable method for customising the Directory Server schema, ACIs, et cetera.
The ideal tool for this is the fedora-idm-console. However, it requires a working administration server instance and that the directory server instance is registered with it.

There seem to be no existing tools for this task, so I took the setup-ds-admin.pl script, trimmed it down so that only the bits related to admin server instance creation are there (it turned out quite short) and supplied my own setup .INF file to configure its invocation.

It worked fine and now I can use fedora-idm-console with FreeIPA's directory server instance. So I figured I could post back this trimmed-down script and .INF file in case someone wants to do a similar thing.

The procedure is as follows:

1) Download setup-register-admin.inf.txt, rename it to setup-register-admin.inf and customise it to your installation.
2) Download setup-admin.pl and run it, specifying the inf file on the command line: "..../setup-admin.pl --file=setup-register-admin.inf"
3) It should ask the usual setup questions. If all goes well, try accessing the admin server with fedora-idm-console (the administration URL will be http://YOUR_HOSTNAME:9830).
4) There might be no directory server instance visible in the servers tree (I don't remember whether setup-admin.pl registers the FDS instance in the configuration DS). If that's the case, run register-ds-admin.pl to register your directory server instance in the configuration DS. The directory server should then appear in fedora-idm-console's server group tree.

--
Best Regards,
Aleksander Adamowski
http://olo.org.pl

-------------- next part --------------
A non-text attachment was scrubbed...
Name: setup-admin.pl
Type: application/octet-stream
Size: 4211 bytes
Desc: not available
URL:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: setup-register-admin.inf.txt
URL:

From ssorce at redhat.com Fri Dec 19 02:31:47 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 18 Dec 2008 21:31:47 -0500
Subject: [Freeipa-devel] [PATCH] A script to register Fedora Directory Admin Server with a FreeIPA-created Directory Server instance
In-Reply-To: <1c690d740812170333o2ebd2725v5d2ba431856cd48b@mail.gmail.com>
References: <1c690d740812170333o2ebd2725v5d2ba431856cd48b@mail.gmail.com>
Message-ID: <1229653907.27680.5.camel@localhost.localdomain>

On Wed, 2008-12-17 at 12:33 +0100, Aleksander Adamowski wrote:
> Hi!
>
> I've played around with the latest FreeIPA server (1.2.1) and wanted a
> comfortable method for customising the Directory Server schema, ACIs,
> et cetera.
>
> The ideal tool for this is the fedora-idm-console. However, it
> requires a working administration server instance and that the
> directory server instance is registered with it.
>
> There seem to be no existing tools for this task, so I took the
> setup-ds-admin.pl script, trimmed it down so that only the bits
> related to admin server instance creation are there (turned out quite
> short) and supplied my own setup .INF file to configure its
> invocation.
>
> It worked fine and now I can use fedora-idm-console with FreeIPA's
> directory server instance. So I've figured I could post back this
> trimmed down script and .INF file in case someone want to do a similar
> thing.
>
> The procedure is as follows:
> 1) Download the setup-register-admin.inf.txt, rename it to
> setup-register-admin.inf and customise it to your installation
> 2) Download setup-admin.pl and run it, specifying the inf file on
> command line: "..../setup-admin.pl --file=setup-register-admin.inf"
> 3) It should ask the usual setup questions. If all goes well, try
> accessing the admin server with fedora-idm-console (the administration
> URL will be http://YOUR_HOSTNAME:9830).
> 4) There might be no directory server instance visible in the servers
> tree (I don't remember whether setup-admin.pl registers FDS instance
> in configuration DS). If that's the case, run register-ds-admin.pl to
> register your directory server instance in configuration DS. The
> directory server should then appear in fedora-idm-console's server
> group tree.

Thank you Aleksander, this is extremely cool.

I wonder if we could automate the process through a python script to make the process easier.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Mon Dec 22 15:49:44 2008
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 22 Dec 2008 10:49:44 -0500
Subject: [Freeipa-devel] New design pages published
Message-ID: <494FB718.5050300@redhat.com>

Hello,

These two pages summarize the data model that we plan to use in IPA v2.

* DS Design Summary - base objects (stable version)
* DS Design Summary 2 - policy objects (stable version)

Other items on the page have been re-arranged a bit.

Comments and suggestions are welcome.

Thank you,
Dmitri

From dpal at redhat.com Tue Dec 23 19:42:16 2008
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 23 Dec 2008 14:42:16 -0500
Subject: [Freeipa-devel] DS schema for IPA v2
Message-ID: <49513F18.6030007@redhat.com>

Hello,

The development status page has been updated once again: http://freeipa.com/page/IPAv2_development_status.

A new link, http://freeipa.org/page/Schema_for_loading_and_processing, was added to it to point to the place where one can find the schema LDIF files that will be used in IPA v2. This is a preliminary set of LDIFs and subject to change as we move forward. Other files containing predefined entries will be added later.

Thank you,
Dmitri